Global Privacy & Security Compliance Law Blog

Anonymous or Not: Court of Justice Issues Ruling on IP Addresses

Posted in Privacy, Security

By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications for the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet service provider, as a third party, was able to identify the users.

“Yarovaya” Law – New Data Retention Obligations for Telecom Providers and Arrangers in Russia

Posted in Legislative & Regulatory Developments, Privacy, Security

By Ksenia Koroleva

On July 6, 2016, Russian President Vladimir Putin signed Federal Law No 374-FZ. This law is also known as the “Yarovaya” law (named after a Russian senator who was the main driving force for the law to come into existence).

The Yarovaya law introduces amendments to certain Russian federal laws. The majority of the amendments came into effect on July 20, 2016; however, some of the requirements relating to storage of metadata, as described below, will only come into force starting from July 1, 2018. A draft law which aims to postpone the effective date of such requirements due to their technical complexity from July 1, 2018 to July 1, 2023 is currently being considered by the Russian State Duma.

The Yarovaya law, which is political and primarily aimed at combating terrorism, contains new rules on data retention which need to be taken into account by telecom companies and other persons operating or assisting in the operation of communications services.

BREXIT – What does this mean for UK Data Protection law?

Posted in Legislative & Regulatory Developments

By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.

“Hacking” Warrants: A Question of Procedure or Substance?

Posted in Legislative & Regulatory Developments

By Serrin Turner

Typically, the process for amending the Federal Rules of Criminal Procedure is a sleepy affair. Proposed amendments wend their way through a series of judicial committees and, if approved by the Supreme Court, take effect automatically by the end of the year. Theoretically, Congress may choose to intervene and block the change – but it does so rarely. This year, however, a proposed amendment has caught the congressional eye.

Over the past several days, legislators in both the Senate and the House of Representatives have introduced legislation to block a proposed change to Rule 41 of the Federal Rules of Criminal Procedure, which regulates the issuance of search warrants in federal criminal investigations. Law enforcement already uses Rule 41 routinely to obtain warrants to search computers recovered from physical premises or otherwise taken into law enforcement custody. The proposed amendment addresses a different scenario: when law enforcement has identified a computer being used to perpetrate a crime but cannot determine where it is located. With the proliferation of anonymizing technologies used by hackers and other criminals operating on the Internet, this fact pattern is increasingly common. The rule change under consideration would enable law enforcement to obtain a warrant in such circumstances to search the target computer “remotely” – that is, by hacking into it.

The Countdown to the General Data Protection in Europe Has Begun

Posted in Legislative & Regulatory Developments, Privacy

By Gail Crawford and Lore Leitner

Today, after more than four years of debate, the General Data Protection Regulation (GDPR, or the Regulation) enters into force. The GDPR will introduce a rigorous, far-reaching privacy framework for businesses that operate, target customers or monitor individuals in the EU. The Regulation sets out a suite of new obligations and substantial fines for noncompliance. Businesses need to act now to ensure that they are ready for when the Regulation becomes enforceable after the expiry of a two-year transition period, i.e., from 25 May 2018.

Will this affect your business? What’s next? For a detailed look at the likely impact of the GDPR, read our client alert: Europe Counts Down to the General Data Protection Regulation

Are Changes in Store for the Stored Communications Act?

Posted in Legislative & Regulatory Developments, Privacy

By Serrin Turner

Last week saw action on two fronts regarding the Stored Communications Act (SCA) – the US federal statute regulating government searches of online accounts in criminal investigations. In Congress, a proposal to reform the SCA advanced in the House; and in the courts, Microsoft sued to challenge a provision of the SCA as unconstitutional. Although the reform bill has been portrayed as a major piece of privacy legislation, the version now under consideration is quite modest and would not substantially change how the SCA is applied in practice. However, the Microsoft lawsuit, if successful, could significantly reshape and restrict how the SCA is used by law enforcement.

What is the Stored Communications Act?

The SCA sets forth the procedures by which US law enforcement authorities can compel electronic communications service providers to disclose the contents of (and other records pertaining to) user accounts. While the SCA is applied most often in the context of email accounts, it applies equally to social-networking accounts, cloud-storage accounts, web-hosting accounts, and any other type of account where a user may store electronic communications. Like everyone else, criminals are increasingly communicating over the Internet, and as a result the SCA is now routinely used by law enforcement to obtain the contents of online accounts used by criminal suspects to communicate and do business.

Analysis of the FCC’s Proposed Broadband Privacy Regulations

Posted in Privacy

By Amanda Potter and Alex Stout

As we highlighted in a post last month, the FCC has proposed sweeping new privacy rules on broadband providers. Since our last post, the FCC has released its proposal in the form of a Notice of Proposed Rulemaking. This proposal would institute new customer privacy and data breach rules on broadband providers and follows the Commission’s landmark Open Internet proceeding, in which the Commission imposed common-carrier telecommunications rules on broadband. The public has until May 27 to submit initial comments and June 27 to submit reply comments.

While the proposal includes updates to existing FCC rules, the focus is on broadband providers. The proposed rules would expressly exclude providers of “edge services” (like search engines, video streaming, and mobile applications), reasoning that consumers can readily avoid edge services and that broadband providers act as “gateways” that could potentially track consumers across the Internet.

The proposed rules would cover two categories of information. First, the rules would apply to “customer proprietary network information” (CPNI), a type of data defined by Section 222 of the Communications Act to include a customer’s technical usage or billing data. For broadband, the FCC proposes to include, at minimum, Internet service plan and pricing, geo-location data, MAC address, Device ID, IP address, and traffic statistics. Second, the rules would protect personally identifiable information (PII). The FCC only recently began to use the term PII, which it defines here

Recent Amendments to the Russian Personal Data Protection Legislation: The Right to be Forgotten

Posted in Legislative & Regulatory Developments, Privacy

By Mikhail Turetsky, Ksenia Koroleva and Lore Leitner

On July 13, 2015, the Russian President signed Federal Law No. 264-FZ (the Law), which introduced a range of amendments into Russian legislation (the Amendments). In particular, the principle of the “right to be forgotten”, a concept not previously recognized under Russian law, came into effect on January 1, 2016.

The Law introduced the right for individuals to request that search engine operators delete links to certain information relating to the individuals from searches run on the individuals’ names or surnames. The Law applies only to individuals and does not mention legal entities.

Privacy Shield is on its Way

Posted in Privacy

By Ulrich Wuermeling, Jennifer Archie & Lore Leitner

On March 17, 2016, the Civil Liberties Committee convened to discuss whether the Privacy Shield framework that will replace Safe Harbor provides adequate protection to the data of EU citizens. A number of experts were questioned including: the US lead negotiator, the EU Data Protection Supervisor, members of the Article 29 Working Party and Max Schrems, whose court case against Facebook led to Safe Harbor’s downfall.

The meeting of the Civil Liberties Committee follows on from the European Commission’s publication last month of the legal texts that will form the basis of the EU-US Privacy Shield and a Communication summarizing the action taken to rebuild trust in the data flows from the EU to the US. The European Commission also made public a draft “adequacy decision” establishing that the safeguards provided under the Privacy Shield are equivalent to the EU data protection standards. The documents provide a better idea of the substance and structure of the Privacy Shield, announced by the European Commission on February 2, 2016, and confirm the US commitment to ensuring that there will be no indiscriminate mass surveillance by its national security authorities.

Focus areas of the Privacy Shield

From the material made public, the new framework focuses on four areas:

FCC Proposes Broad Privacy Regulations for Broadband Providers

Posted in Privacy

By Matt Murchison and Alex Stout

Last week, the FCC announced that Chairman Tom Wheeler had circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222’s requirements were originally crafted for telephone companies, and were first applied to broadband providers as part of the 2015 Open Internet Order, which reclassified broadband providers as telecommunications carriers. However, the FCC expressly forbore from applying to broadband providers the rules it had adopted over the years implementing Section 222 in the telephone context. The upcoming NPRM, which the full Commission will vote on at its March 31 Open Meeting, will, for the first time, propose specific requirements implementing Section 222’s privacy obligations in the broadband context.

The FCC’s fact sheet about the NPRM reiterates the three guiding principles that the Chairman has identified in recent weeks—choice, transparency, and security—and provides some new details on the specific proposals under consideration.