Privacy & Information Security Law Blog

On November 9, 2015, U.S. District Judge Richard J. Leon issued a preliminary injunction ordering the National Security Agency to stop its bulk telephony metadata program. The preliminary injunction was issued in favor of subscribers of Verizon Wireless Business Network and comes 20 days before the program was set to expire under the USA Freedom Act. The case is Klayman v. Obama et al. (1:13-cv-00851) in the U.S. District Court for the District of Columbia.

The House of Representatives passed two complimentary bills related to cybersecurity, the “Protecting Cyber Networks Act” (H.R. 1560) and the “National Cybersecurity Protection Advancement Act of 2015” (H.R. 1731). These bills provide, among other things, liability protection for (1) the use of monitoring and defensive measures to protect information systems, and (2) the sharing of cybersecurity threat information amongst non-federal entities and with the federal government. With the Senate having just recently overcome disagreement on sex trafficking legislation and the Attorney General nomination, that body is now expected to consider similar information sharing legislation entitled the “Cybersecurity Information Sharing Act” (S. 754) in the coming weeks. Assuming S. 754 also is passed by the Senate, the two Chambers of Congress will convene a Conference Committee to draft a single piece of legislation which will be then voted on by the House and Senate, before heading to the President’s desk. The White House has not committed to signing any resulting legislation, but has signaled some positive support.

In a flurry of activity on cybersecurity in the waning days of the 113th Congress, Congress unexpectedly approved, largely without debate and by voice vote, four cybersecurity bills that: (1) clarify the role of the Department of Homeland Security (“DHS”) in private-sector information sharing, (2) codify the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework, (3) reform oversight of federal information systems, and (4) enhance the cybersecurity workforce. The President is expected to sign all four bills. The approved legislation is somewhat limited as it largely codifies agency activity already underway. With many observers expecting little legislative activity on cybersecurity before the end of the year, however, that Congress has passed and sent major cybersecurity legislation to the White House for the first time in 12 years may signal Congress’ intent to address systems protection issues more thoroughly in the next Congress.

On July 2, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) held a public meeting to finalize the release of a report concluding that the National Security Agency’s (“NSA’s”) collection of electronic communications from targets reasonably believed to be non-U.S. persons located outside the United States has operated lawfully within its statutory limitations.

On May 22, 2014, the United States House of Representatives passed H.R. 3361, a bill aimed at limiting the federal government’s ability to collect bulk phone records and increasing transparency regarding decisions by the Foreign Intelligence Surveillance Court (“FISC”). The bill was approved by a vote of 323-121 by majorities of both Democrat and Republican members of the United States House of Representatives. It now moves to the Senate where it is likely to pass.

On January 29, 2014, the National Security Agency (“NSA”) announced that Rebecca Richards has been appointed to serve as the NSA’s new Civil Liberties and Privacy Officer. Ms. Richards, who previously worked as the Senior Director for Privacy Compliance at the Department of Homeland Security, will advise the NSA Director on civil liberties and privacy issues and implement reforms in those areas.

On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.

On January 23, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) released a report (the “Report”) concluding that the National Security Agency (“NSA”) does not have a valid legal basis for its bulk telephone records collection program. The NSA’s bulk collection of consumer telephone records has been under increased scrutiny since Edward Snowden leaked information about the program in June 2013, and recently has faced legal challenges. According to the Report, the NSA’s program exceeded its statutory parameters.

The EU-U.S. Safe Harbor Framework is an important cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. Recently, however, the Safe Harbor’s future has been thrown into doubt. In an article published on October 30, 2013 by Practical Law, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, partner Bridget Treacy and associate Naomi McBride, examine the Safe Harbor Framework and its future ...

On December 16, 2013, the United States District Court for the District of Columbia granted a preliminary injunction barring the federal government from collecting and analyzing metadata related to two consumers’ mobile phone accounts. The court held that the two individual plaintiffs were entitled to a preliminary injunction because they had standing to challenge the government’s data collection practices and were substantially likely to succeed on the merits of their claim. The court has stayed issuance of the injunction pending appeal to the D.C. Circuit Court.

On November 2, 2013, Hunton & Williams partner Paul M. Tiao was featured on the Voice of America discussing the importance of the National Security Agency restoring trust among industry and foreign government allies. In the feature, “Next NSA Chief to Face Challenges, Change,” Tiao talked about some of the difficulties that will confront the NSA Director’s successor, and why government surveillance is likely to continue.

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

On July 24, 2013, the Conference of the German Data Protection Commissioners at both the Federal and State levels issued a press release stating that surveillance activities by foreign intelligence and security agencies threaten international data traffic between Germany and countries outside the EEA.

On February 26, 2013, the United States Supreme Court decided in Clapper v. Amnesty International that U.S. persons who engage in communications with individuals who may be potential targets of surveillance under the Foreign Intelligence Surveillance Act (“FISA”) lack standing to challenge the statute’s constitutionality. The Supreme Court determined that the plaintiffs’ alleged injuries were not “certainly impending” and that the measures they claimed to have taken to avoid surveillance were not “fairly traceable” to the challenged statute. Although this 5-4 decision would not be considered a “privacy” or “data breach” case, the Court’s analysis will have a significant impact on such cases going forward, and may thwart the ability of individuals affected by data breaches to assert standing based on possible future harm.