April 3 Panel 5

Yali Hu



N.S.A. documents provided by the former contractor Edward J. Snowden indicate that N.S.A. has been conducted surveillance on the Chinese telecommunications giant, Huawei, a private company, since at least 2010 FISA cannot be applied as it is designed to govern the collection of “foreign intelligence” within the United States. Here, N.S.A. snooped into Huawei’s servers located in Shenzhen, a city in the southeast of China. Under common law, this is an obvious trespass into a private company’s property and thus intrudes the company’s privacy and of course infringes the company’s trade secret.

However, it seems that the U.S. government does not have effective rules to protect non-US entity’s privacy. First of all, since FISA is designed for the surveillance occurred in the U.S., FISA is not applicable. Even if FISA is going to be applied provided the surveillance took place in the U.S. (supposing FISA is going to be adjusted in response to this demand), evidence showing Huawei has connection to the military authorities or the government and thus is an agent of a foreign power is not available. Further, NSA lacks the evidence showing Huawei is of suspicious source of terrorism as well. Finally, as such warrantless surveillance has been conducted from 2007 or at least from 2004, it significantly exceeds reasonable surveillance time limit.

Under the pressure from foreign governments who have been wiretapped or penned according to Snowden’s disclosure, U.S. government may be trying to adapt its privacy regulations to meet the demands from non-US entities for their privacy protection and it is claiming that it already has



Emily Kenison


This article discusses the recent consumer watchdog organization, Center for Digital Democracy’s (CDD), complaint to the FTC. The CDD argues that Marvelkids.com, a Disney owned website, privacy policy violates the New Children’s Online Privacy Protection Act (the Act).

The Act, which became effective in July 2013, prohibits ad networks and operators of websites that target children, from using behavioral targeting techniques on children under the age of 13, without their parent’s consent. Thus, according to the Act, companies can no longer use unique cookies to serve children ads based on their Web activity without parental consent. However, companies can continue to use cookies for other purposes, such as frequency capping and site analysis.   The CDD’s complaint argues that several aspects of the Marvelkid.com privacy policy, which was posted late last year, are inconsistent with the Act.

First, the CDD notes that Disney’s policy is that it collects and uses persistent identifiers “principally” for internal purposes. The CDD argues in the complaint that this is inconsistent with the Act, since the Act mandates that persistent identifiers may not be collected for any other purposes other than internal purpose.  Secondly, the CDD highlights that Disney’s policy states that it collects data from children in order to “generate anonymous reporting” for use by the Walt Disney Family of Companies. The CDD argues that the Act prohibits this type of “unspecified use” of children’s data. And lastly, the CDD notes that this privacy policy allows a dozen companies to collect data from the site, including companies that engage in behavioral advertising. The CDD argues that this is prohibited under the Act, since websites aimed at children, like Marvelkids.com, are not allowed to engage in behavioral targeting without parental consent.

The complaint was sent to the FTC on Thursday of this past week.



Martha Fitzgerald


This New York Times article by James Kanter provides an update on proposed legislation to revamp the E.U.’s digital privacy protection laws. While there is considerable momentum behind this (very protective) legislation, especially in the wake of the Snowden revelations, the E.U.’s diverse political landscape, complicated legislation process, and looming elections could ultimately prevent enactment.

Kanter’s article briefly summarizes the positions of groups relevant to the ongoing debate—from individual European countries and the E.U. as a whole, to the U.S. and private industry. For example, within the Union, member states recognize harmonization problems with existing privacy laws and their enforcement, but struggle to agree on the appropriate solution. Furthermore, it’s clear that there is lingering international tension between the U.S. and the E.U. when it comes to digital privacy.

Kanter also highlights some of the proposed legislation’s more controversial elements, including an individual’s right of erasure, the potentially exorbitant fines companies would face for noncompliance, and the requirement that a company gain permission from the E.U. before it complies with U.S. court warrants for private data.

It looks to be a big week for internet-related law in Europe. The article also points out that the European Parliament is set to vote on separate net neutrality measures this Thursday.




David Benhamou

[0] http://privacylawblog.ffw.com/2014/history-in-the-making-the-first-cookie-rule-fines-in-europe

[1] http://www.nytimes.com/2014/04/02/business/international/a-nudge-on-digital-privacy-law-from-eu-official.html

The Spanish Data Protection Regulator (the “DPA”) has recently fined two companies for violating the so-called EU “Cookie” laws (introduced in 2011 as an amendment to the Privacy and Electronic Communications Directive). The fines are the first under the Cookie laws, and were levied in response to consumer complaints and findings that the companies had failed to provide clear and comprehensive information about the cookies they used.[0] The Cookie laws require companies with EU customers to obtain informed consent from their website visitors before placing cookies on their machines. While the total fines were low (3,5000 Euros), interestingly, the decision paints a picture of cooperative companies that tried to improve their compliance with the law as the investigation proceeded. Furthermore, while consent had been obtained, the DPA found that the consent was not legally obtained insofar as the information provided about the cookies was insufficient for the consent to be considered informed. This case illustrates the difficulties companies have in complying with the EU’s extensive, and at times vague, privacy regulations.

The EU’s approach to privacy issues is likely to only strengthen in the coming years, as the top data protection officials are continuing to attempt to push through a comprehensive reform to the Data Protection Directive, a privacy law that’s complementary to the Privacy and Electronic Communications Directive under which the Cookie laws fall.[1] The reformed regulations are set to strengthen many aspects of the EU’s privacy regime, including the addition of a “right to be forgotten”, which will force companies to allow users to request the deletion of their data, as well as large and significant fines for violations of the law, of up to 5% of worldwide turnover, or 100MM Euros.




Tzu-Hsuan Chen



Data privacy protection is worldwide issue now. However, every country and economic areas have different philosophy about the regulation mechanism.  Therefore, for the international company, how to follow the local privacy regulation becomes the hot issue. On the other hand, when the privacy regulation of the local government is strict, that will become another type of trade barrier for companies.

Europe’s privacy regulation focuses on the human right perspective, so the regulation is strict and complex. For example, transferring the personal data cross the EU border is not allowed, unless the third country is recognized “which has adequacy of the protection of personal data” by the commission of EU. (The commission lists several countries which is recognized. The list is here. http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm)    Take the U.S. as an example, because there is a safe harbor agreement between the U.S. and EU, so America is recognized by EU.

After Snowden leak, EU is skeptical the safe harbor regulation between U.S. and the EU. Also, the commission rise several concerns of U.S. privacy regulation. The U.S. government needs to face this challenge in order to meet the EU privacy requirements. Otherwise, the international U.S. companies may face difficulties when they want to transfer personal data from EU to U.S.





Maxwell Kelly



Since May 2013, the Electronic Freedom Frontier and the American Civil Liberties Union of Southern California have been seeking the release data collected by Automated License Plate Readers (ALPRs) used by the Los Angeles Sheriff’s Department. Last month, the Sheriff’s Department advanced a novel argument in response to the EFF and ACLU Freedom of Information Act requests: The data resulting from the automatic reading and recording of all license plates “fall squarely under” a statutory exemption for records of investigation.

While the argument is convenient, this broad definition of “investigation,” stretched to cover the drag net tactics used by the LA Sheriff’s Department, seems likely to run afoul of Fourth Amendment privacy protections, if the court deems the photographing of all license plates on all cars to be a search. Moreover, the argument that every car seen by the police is under investigation seems ridiculous on its face, a reaction noted in the reason.com piece:

“We can’t tell you, the cops replied, because every car we see is under investigation, which makes it a (sshhhh) secret. Every car. Over two years.”



Mathieu Relange

US to strengthen Safe Harbour framework for personal data transfers from EU by summer
Data privacy is currently at the center of the EU-US relationships.  The law blog Out-law recalls us that the application of the EU-US Safe Harbor Framework recently gave rise to some issues, which were discussed during the EU-US summit in March 2014.  At the end of the summit, the leaders of the European Union and the United States made a 10-page joint statement. This joint statement sets principles of general cooperation on numerous points: it generally restates joint positions of the EU and the US, especially in foreign affairs.  Compared with those statements, the paragraphs relating to digital economy sound different: they show, among other things, that data protection raise some disagreements on which negotiations are continuing; they also announce some modification of the Safe Harbor Framework.
Out-law recalls the source of the potential misunderstanding between the EU and the US on this subject.  It does not recall the EU’s reaction to the intense lobbying made by US companies (with the support of the US government) against the proposed General Data Protection Regulation.  But it recalls that Edward Snowden’s revelations on the US surveillance practices led to some EU reactions, especially as regards the Safe Harbor.
In June 2013, the EU and the US set up an ad hoc Working Group, which made a final report on November 27, 2013.  On the same day, the European Commission issued a communication in which it cited “deficiencies in transparency and enforcement” in how the Safe Harbor was applied, and made 13 recommendations for the US companies and authorities.  Besides transparency and dispute resolutions issues, those recommendations mostly dealt with the lack of actions brought by the US authorities against companies that do not comply with the Safe Harbor requirements, and the access to data granted by companies to US authorities.  This could have also threatened negotiations on other international agreements: the European Parliament also denounced the US practices leaked by Edward Snowden, and said that this could have an impact on the negotiation of the Transatlantic Trade and Investment Partnership.  At the beginning of the year 2014, the FTC already reached settlements with several US companies regarding the way they applied the Safe Harbor.
In paragraph 14 of the joint statement, the EU and the US restates the two aspects of digital economy for which they have to work together.  Firstly, on national security and legal enforcement issues, they recall how important the Mutual Legal Assistance Agreement can be, and they commit to negotiate a new partnership in the field of police and judicial cooperation in criminal matters.  Secondly they agree to review the enforcement of the Safe Harbor Framework in terms that are unusual in this kind of joint statement: “we are committed to strengthening the Safe Harbour Framework in a comprehensive manner by summer 2014…”  Such terms seem to imply that further FTC actions and changes of the Framework are to be expected in the near future.