By Serrin Turner

Typically, the process for amending the Federal Rules of Criminal Procedure is a sleepy affair. Proposed amendments wend their way through a series of judicial committees and, if approved by the Supreme Court, take effect automatically by the end of the year. Theoretically, Congress may choose to intervene and block the change – but it does so rarely. This year, however, a proposed amendment has caught the congressional eye.

Over the past several days, legislators in both the Senate and the House of Representatives have introduced legislation to block a proposed change to Rule 41 of the Federal Rules of Criminal Procedure, which regulates the issuance of search warrants in federal criminal investigations. Law enforcement already uses Rule 41 routinely to obtain warrants to search computers recovered from physical premises or otherwise taken into law enforcement custody. The proposed amendment addresses a different scenario: when law enforcement has identified a computer being used to perpetrate a crime but cannot determine where it is located. With the proliferation of anonymizing technologies used by hackers and other criminals operating on the Internet, this fact pattern is increasingly common. The rule change under consideration would enable law enforcement to obtain a warrant in such circumstances to search the target computer “remotely” – that is, by hacking into it.

By Gail Crawford and Lore Leitner

Today, after more than four years of debate, the General Data Protection Regulation (GDPR, or the Regulation) enters into force. The GDPR will introduce a rigorous, far-reaching privacy framework for businesses that operate, target customers or monitor individuals in the EU. The Regulation sets out a suite of new obligations and substantial fines for noncompliance. Businesses need to act now to ensure that they are ready for when the Regulation becomes enforceable after the

By Serrin Turner

Last week saw action on two fronts regarding the Stored Communications Act (SCA) – the US federal statute regulating government searches of online accounts in criminal investigations. In Congress, a proposal to reform the SCA advanced in the House; and in the courts, Microsoft sued to challenge a provision of the SCA as unconstitutional. Although the reform bill has been portrayed as a major piece of privacy legislation, the version now under consideration is quite modest and would not substantially change how the SCA is applied in practice. However, the Microsoft lawsuit, if successful, could significantly reshape and restrict how the SCA is used by law enforcement.

What is the Stored Communications Act?

The SCA sets forth the procedures by which US law enforcement authorities can compel electronic communications service providers to disclose the contents of (and other records pertaining to) user accounts. While the SCA is applied most often in the context of email accounts, it applies equally to social-networking accounts, cloud-storage accounts, web-hosting accounts, and any other type of account where a user may store electronic communications. Like everyone else, criminals are increasingly communicating over the Internet, and as a result the SCA is now routinely used by law enforcement to obtain the contents of online accounts used by criminal suspects to communicate and do business.

By Amanda Potter and Alex Stout

As we highlighted in a post last month, the FCC has proposed sweeping new privacy rules on broadband providers. Since our last post, the FCC has released its proposal in the form of a Notice of Proposed Rulemaking. This proposal would institute new customer privacy and data breach rules on broadband providers and follows the Commission’s landmark Open Internet proceeding, in which the Commission imposed common-carrier telecommunications rules on broadband. The public has until May 27 to submit initial comments and June 27 to submit reply comments.

While the proposal includes updates to existing FCC rules, the focus is on broadband providers. The proposed rules would express exclude providers of “edge services” (like search engines, video streaming, and mobile applications), reasoning that consumers can readily avoid edge services and that broadband providers act as “gateways” that could potentially track consumers across the Internet.

The proposed rules would cover two categories of information. First, the rules would apply to “customer proprietary network information” (CPNI), a type of data defined by the Section 222 of the Communications Act to include a customer’s technical usage or billing data. For broadband, the FCC proposes to include, at minimum, Internet service plan and pricing, geo-location data, MAC address, Device ID, IP address, and traffic statistics. Second, the rules would protect personally identifiable information (PII). The FCC only recently began to use the term PII, which it defines here

By Mikhail Turetsky, Ksenia Koroleva and Lore Leitner

On July 13, 2015, the Russian President signed Federal Law No. 264-FZ (the Law), which introduced a range of amendments into Russian legislation (the Amendments). In particular, the principle of the “right to be forgotten”, a concept not previously recognized under Russian law came into effect on January 1, 2016.

Amendments

The Law introduced the right for individuals to request that search engine operators delete links to certain information relating to the individuals from searches run on the individuals’ names or surnames. The Law applies only to individuals and does not mention legal entities.

By Ulrich Wuermeling, Jennifer Archie & Lore Leitner

On March 17, 2016, the Civil Liberties Committee convened to discuss whether the Privacy Shield framework that will replace Safe Harbor provides adequate protection to the data of EU citizens. A number of experts were questioned including: the US lead negotiator, the EU Data Protection Supervisor, members of the Article 29 Working Party and Max Schrems, whose court case against Facebook led to Safe Harbor’s downfall.

The meeting of the Civil Liberties Committee follows on from the European Commission’s publication last month of the legal texts that will form the basis of the EU-US Privacy Shield and a Communication summarizing the action taken to rebuild trust in the data flows from the EU to the US. The European Commission also made public a draft “adequacy decision” establishing that the safeguards provided under the Privacy Shield are equivalent to the EU data protection standards. The documents provide a better idea of the substance and structure of the Privacy Shield, announced by the European Commission on February 2, 2016 and confirm the US commitment to ensuring that there will be no indiscriminate mass surveillance by its national security authorities.

Focus areas of the Privacy Shield

From the material made public, the new framework focuses on four areas:

By Matt Murchison and Alex Stout

Last week, the FCC announced that Chairman Tom Wheeler had circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222’s requirements were originally crafted for telephone companies, and were first applied to broadband providers as part of the 2015 Open Internet Order, which reclassified broadband providers as telecommunications carriers. However, the FCC expressly forbore from applying to broadband providers the rules it had adopted over the years implementing Section 222 in the telephone context. The upcoming NPRM, which the full Commission will vote on at its March 31 Open Meeting, will, for the first time, propose specific requirements implementing Section 222’s privacy obligations in the broadband context.

The FCC’s fact sheet about the NPRM reiterates the three guiding principles that the Chairman has identified in recent weeks—choice, transparency, and security—and provides some new details on the specific proposals under consideration.

By Ulrich Wuermeling, Gail Crawford and Jennifer Archie

Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US regulators, more stringent privacy protections, and establishing an ombudsman at the State Department for EU citizens who wish to complain about data protection matters. However, as a legal and compliance matter, US companies who previously relied upon Safe Harbor to transfer EU data take significant compliance risk if they do nothing in anticipation of newly branded EU-US Privacy Shield framework being formally approved, given it is not yet documented and will be subject to review by the EU data protection supervisory authorities in the so-called Article 29 Working Party as well as representatives of the Member States and the European Parliament.

By Ulrich Wuermeling

A political compromise has been reached on the new European Data Protection Regulation. On December 15, 2015, the negotiators in the so-called “informal trilogue” between the Council, the Parliament and the European Commission closed the final issues. Meanwhile, the Luxembourg Presidency informed the LIBE-Committee of the Parliament as well as the Permanent Representatives Committee of the Member States about the outcome. The LIBE-Committee will review the final changes on December 17, 2015, but the aim is not

By Gail Crawford and Andrea Stout

On December 7th, members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers provisionally agreed to the text of the long awaited network and information security directive also known as the cybersecurity directive (Directive).

While the text of the proposed Directive has yet to be released publicly, press releases indicate that the Directive will introduce new requirements for certain organizations to implement security measures to prevent