In a stunning victory, an administrative law judge has recommended the dismissal of a long-pending US Federal Trade Commission (FTC) complaint against LabMD, Inc. (LabMD). In a strongly worded opinion in a case that had become highly politicized following 2014 congressional hearings, ALJ D. Michael Chappell found that the agency had failed to satisfy its burden of proving that LabMD had engaged in unfair trade practices by providing insufficient data security.
On October 26, 2015, Raja Al Mazrouei, the Commissioner for Data Protection for the Dubai International Financial Centre (the DIFC), issued guidance on the adequacy of US Safe Harbor for the purpose of exporting personal data from the DIFC. The guidance is significant for organisations that transfer personal data from the DIFC to the US and such organisations should urgently review the basis upon which they transfer personal data from the DIFC to the US to ensure that they continue to comply with the DIFC Data Protection Law (No 1 of 2007).
The guidance follows the decision of the European Court of Justice (the ECJ) in Case C-362/14 – Maximillian Schrems v Data Protection Commissioner that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid.
The key message from the guidance is that:
“the invalidation of the Adequacy Decision by the ECJ provides cause for the Commissioner to reconsider the adequacy status previously afforded under the Law to US Safe Harbor Recipients. However, the Commissioner also understands that there are ongoing negotiations between Europe and US authorities towards an improved Safe Harbor framework and that these negotiations are well advanced.
On October 26, the European Commissioner Věra Jourová addressed the Parliament Committee on Civil Liberties, Justice and Home Affairs to discuss the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ).
Jourová commented on the status of the negotiations with the US to find a new solution for data transfers: “There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She plans to visit the US mid-November and hopes to make further progress on a new arrangement with the US.
An early Position Paper of the German data protection authority of Schleswig-Holstein on the Schrems Judgment of the Court of Justice of the European Union (ECJ) gave little hope for practical alternatives to Safe Harbor. On October 26, all German data protection authorities published a more reasoned joint Statement that follows the approach taken by the Article 29 Working Party. It still includes some surprises in the details, but also offers hope for Model Contracts to be able to serve at least as an interim solution.
The Statement of the German data protection authorities (GDPA) starts with the unsurprising conclusion that data transfers cannot rely on the Safe Harbor Decision anymore. It continues to mention that the Schrems Judgment also puts data transfers under other instruments (like BCRs or Model Contracts) in question. The GDPAs announcement that they will not approve new BCRs or contractual solutions for data transfers in the US and have also requested that the German government allow data protection authorities to bring claims to courts (as required by the ECJ in the Schrems Judgment). The Statement of the GDPAs is short and obviously a compromise between differing views.
The so called Article 29 Working Party met on October 15, 2015 to discuss the consequences of the Schrems Judgment of the European Court of Justice (ECJ). On October 16, 2015, the Working Party published a Statement summarizing their initial conclusions. The Working Party includes representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission.
The Working Party states that data transfers made under Safe Harbor are unlawful following the Judgment. However, enforcement actions of the national data protection authorities shall only take place, if no other solution is found by the end of January 2016. In the opinion of the Working Party, such solution could include an intergovernmental agreement between the EU and US with reference to a revised Safe Harbor framework. It will be seen whether the US government will be able to agree to limit law enforcement access and to provide remedies for data subjects as required by the European Court of Justice, to the satisfaction of the EU. Due to this uncertainty, businesses will not be able to wait until January 2016, because they will not be able to implement alternative solutions in time, if the governments do not agree.
On October 6, the European Court of Justice ruled that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid (Case C-362/14 – Maximillian Schrems v [Irish] Data Protection Commissioner). The judgment is immediately effective without a grace period. The Data Protection Authorities of the EU Member States (Article 29 Working Party) have already scheduled a working group emergency meeting to discuss the consequences of the judgment, but it is unlikely that the meeting will lead to a simple solution for the 4,000+ US companies who rely on Safe Harbor. The European Commission has also published a press release with a short set of guidelines.
The Reasoning of the Court
In its judgment of 6 October 2015, the Court stated that
- “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”
On July 10, the Federal Communications Commission (“FCC”) released the text of a Declaratory Ruling and Order, initially adopted on June 18, that provides various clarifications regarding the Telephone Consumer Protection Act of 1991 (“TCPA”) and the FCC’s existing rules. The proceeding that led to the Order attracted widespread attention and was the result of nearly two dozen petitions filed by organizations representing healthcare, banking, retail, and telecommunications interests. The broad interest in this proceeding is the direct result of the sweeping impact that the TCPA has had on when and how businesses may contact consumers, as well as the multiplicity of consumer class actions threatened and filed against advertisers, debt collectors, and others making automated calls or sending automated text messages.
What is an “Automatic Telephone Dialing System” (ATDS)?
The first clarification made by the Order is with respect to “autodialers” (or, in the wording of the statute, an “automatic telephone dialing system”). The TCPA and the FCC’s existing rules prohibit making non-emergency calls to a wireless number without prior express consent when those calls are made using an autodialer or an artificial or prerecorded voice. Accordingly, there has been significant controversy over what kinds of dialing systems qualify as autodialers, which the TCPA defines as equipment that has the “capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator,” and to “dial such numbers.” See, e.g., Satterfield v. Simon & Shuster, Inc., 569 F.3d 946, 951 (9th Cir. 2009) (A “system need not actually store, produce, or call randomly or sequentially generated telephone numbers, it need only have the capacity to do it” for the TCPA to apply.).[i]
June is proving to be a very active month for the US Federal Communications Commission (FCC) in construing the Telephone Consumer Protection Act, including what sorts of consumer interactions are sufficient to meet the requirements for consent to receive marketing or other messages. This post reports on an extraordinary warning letter issued to PayPal, criticizing a user-agreement based approach to collecting consent. Next week, we will report on a series of TCPA interpretative guidance which was adopted yesterday by a vote of 3 to 2.
On June 11, the FCC publicly released a warning letter sent to PayPal, Inc., by the FCC’s Enforcement Bureau, stating that PayPal’s new user agreement “may violate” a federal law called the Telephone Consumer Protection Act, or TCPA. The TCPA requires a consumer’s consent before a business may make certain types of phone calls or send automated text messages. PayPal had released a modification of its existing user agreement (set to go into effect on July 1) that would authorize the company to make “autodialed or prerecorded calls and text messages” for a variety of purposes and at any telephone number PayPal associates with the customer.
The recent showdown over renewal of certain provisions of the USA Patriot Act (often called simply the Patriot Act) and the subsequent enactment of the USA Freedom Act have raised a number of questions about the ongoing impact of these laws on data traversing or being stored in the United States. While the new law takes the NSA out of the direct business of maintaining metadata (which includes phone number called, the time and duration of the call, and location…
This week the Court of Justice of the European Union (‘CJEU’) heard a case that could destabilise data flows between the US and EU under the EU-US Safe Harbor Decision. In Schrems v Data Protection Commissioner(C-362/14), the same court that last year approved the “right to be forgotten” online heard evidence about the adequacy of US data protection regulations for EU citizens’ data and considered whether recent revelations about the NSA and PRISM programmes should affect determinations…