It is being reported that the EU and the US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor 2.0. Both sides expect further progress on the specifics in November of this year. Some of the thornier issues, however,regarding US surveillance activities, that are critical to addressing the concerns the ECJ raised in Schrems, are yet to be firmed up with verifiable compliance commitments.

The European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015.  In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing negotiations to update the Safe Harbor framework, and raise questions about the interpretation of the proposed General Data Protection Regulation, which is currently being finalized in trialogue negotiations among the EU’s Council, Parliament and Commission.  If the ECJ chooses not to take the bait – whether on substantive or procedural ground — and to preserve the Safe Harbor status quo, that decision may actually strengthen the Safe Harbor by intimating that the ECJ believes the Safe Harbor to be valid in its current form, and significantly weaken the position of certain DPAs and other European regulators and legislators who have been assailing the framework over the years.  

Setting aside the practicalities of the decision and its politics, however, there appear to be strong legal grounds for the ECJ not to follow the Advocate General’s recommendation to declare the Safe Harbor invalid.  Most importantly, the Advocate General’s recommendation went far beyond the questions the Irish High Court referred to the ECJ, and his grounds for recommending that the Safe Harbor be declared invalid are legally suspect.

The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of the NLRA. These provisions of the NLRA mandate collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment.”

We have long recognized that effects of cyber-attacks are not limited to the virtual space, and can affect our physical environment. For example, a stolen trade secret may lead to a competitor who copies the design, to lost sales, to

In a recent case involving a breach of patients’ privacy rights — Hopkins v Kay,[i] — the Ontario Court of Appeal ruled that a proposed class action could proceed based on allegations of violation of patients’ common law privacy rights, concluding that those rights were not preempted by the Personal Health Information Protection Act (PHIPA). Specifically, the court determined that PHIPA is not a “complete code” and therefore did not “oust” the plaintiff’s common law tort claim for breach of privacy (the tort of intrusion upon seclusion). Hopkins provides important guidance in the fields of privacy law and class actions, as well as with respect to the sustainability of privacy claims that touch upon areas governed by legislation.

On February 13, 2015, President Obama spoke forcefully on cybersecurity threats at the Cybersecurity and Consumer Protection Summit, and signed an Executive Order designed to encourage the sharing of cyber-threat information through the formation of “hubs” – Information Sharing and Analysis Organizations (ISAOs).

The President observed that much of the United States’ critical infrastructure runs on networks connected to the Internet, resulting in vulnerabilities that foreign governments and criminals are probing every day. The President outlined four basic principles that should guide the efforts to combat cyber threats:

  • A shared mission between the private sector and the government;
  • Focus by private and public sectors on their unique strengths;
  • Flexibility in the approach to cybersecurity; and
  • Protection for the privacy and civil liberty of the American people.

The President called the protection against cyber-threats a shared mission because neither government nor the private sector can defend against cyber-attacks alone. While the government has many capabilities, it is neither appropriate nor possible for the government to secure the networks of the private sector. On the other hand, the private sector is at the cutting edge of technology, but does not always have the situational awareness, the ability to warn other companies in real time, or the capacity to coordinate a response across companies to a cyber-attack.