The recent showdown over renewal of certain provisions of the USA Patriot Act (often called simply the Patriot Act) and the subsequent enactment of the USA Freedom Act have raised a number of questions about the ongoing impact of these laws on data traversing or being stored in the United States. While the new law takes the NSA out of the direct business of maintaining metadata (which includes phone number called, the time and duration of the call, and location

On Wednesday, April 8, the Federal Communications Commission (FCC) entered a consent decree and levied a $25 million civil penalty against AT&T to settle a data breach that exposed the information of nearly 280,000 customers.  This order comes on the heels of other recent FCC enforcement actions for privacy violations, demonstrating an invigorated effort by the FCC to “exercise its full authority” against companies that fail to secure customer data.

Until last week’s AT&T decision, the October 2014

This week the Court of Justice of the European Union (‘CJEU’) heard a case that could destabilise data flows between the US and EU under the EU-US Safe Harbor Decision. In Schrems v Data Protection Commissioner(C-362/14), the same court that last year approved the “right to be forgotten” online heard evidence about the adequacy of US data protection regulations for EU citizens’ data and considered whether recent revelations about the NSA and PRISM programmes should affect determinations

The State of California, long the most proactive U.S. state in enacting data privacy laws, has again modified its breach notification and data protection laws.  This week, Governor Jerry Brown signed two privacy bills into law:  SOPIPA (SB 1177), aimed at regulating the use of student data, and AB 1710, targeting data protection more broadly.  Taken together, these bills highlight the continuing compliance challenges facing American businesses which must conform not only to state-specific privacy standards, but also monitor

A Stored Communications Act (SCA) search warrant case arising out of a New York federal  narcotics trafficking investigation is being closely watched by EU data protection authorities, privacy advocates, multinational internet service providers, and law enforcement, among others, as the  parties pursue an expedited appeal to the Second Circuit Court of Appeals. Captioned In re Search Warrant, No. 13 Mag. 2814, M9-150, the case involves  a U.S. law enforcement request for the contents of an Outlook.com email box,

On July 17th, the Data Retention and Investigatory Powers Act (DRIPA) came into effect in the United Kingdom reinstating the Government’s powers to require communication providers to retain traffic data (also known as metadata) and enabling the Government to serve warrants to intercept communications data on companies outside of the United Kingdom to the extent they were providing services to UK users.  DRIPA became law following emergency “fast-tracked” procedures on the basis that its enactment was essential to ensure continued

By Kevin Boyle and Alex Stout

On Wednesday, the Attorney General of California released a new privacy guide, titled Making Your Privacy Practices Public.  The guide doesn’t purport to be a restatement of California law (or other law) and expressly disclaims that, but it does present what the AG’s office views as a best practice approach to crafting privacy disclosure materials while covering some unique California requirements.  It also highlights recent revisions to California’s online privacy law (known as

By Larry Cohen and Gail Crawford

While the popular press has been full of stories about the European Court of Justice’s (“ECJ”) ruling creating a “right to be forgotten” (ahead of the still pending Data Protection Regulation), we will focus on both the ruling as well as the specific questions referred to the ECJ that have far-reaching ramifications for global companies such as the test for applicability of national data protection laws. 

First, some background on the facts of the

By Matthew Murchison & Matthew Brill

By all accounts, the number of class action lawsuits brought under the Telephone Consumer Protection Act against companies communicating by telephone, text, and fax has exploded in recent years.  These lawsuits—which rely on the private right of action at 47 U.S.C. § 227(b)(3) for violations of the statutory prohibitions in Section 227(b) “or the regulations prescribed thereunder”—often seek tens or hundreds of millions of dollars in damages under the statute’s uncapped, $500-per-violation liability provision. 

Guest Blogger Jillian Chia from Skrine, Kuala Lumpur, Malaysia & Gail Crawford

With the Malaysian Personal Data Protection Act 2013 (“PDPA”) having come into force on 15 November 2013, Jillian Chia, Senior Associate at Skrine, provides an overview of the salient provisions in the Regulations and Orders.

She notes that that there is a grace period for compliance with the PDPA. where a data user has collected personal data before 15th November 2013. However, this appears