At the Paris Motor Show earlier this month, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) provided an update on the progress of its development of a “compliance package on connected vehicles.” The work began on March 23, 2016, and the finalized “compliance package” is expected to be delivered next spring.

The CNIL undertook this task to provide the auto industry, the insurance and telecommunications sectors, and the public authorities with guidance on the treatment of personal data collected by connected vehicles about their drivers and the interaction of the vehicle with the road environment. The guidance is expected to bring companies into compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018.

The CNIL noted that the challenge is to weave “data protection” into the product design “to ensure transparency and control by individuals of their data.” Doing so would address the Privacy by Design principle codified in the GDPR.

In preparing its guidance, the CNIL is using the following scenarios as its analytical framework.


On April 14, 2016, Microsoft sued the United States Department of Justice to challenge the search and seizure provisions of the 30-year-old ECPA, because its customers “have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them.” (Microsoft v. DOJ, No. 2:16-cv-00538-JLR, Complaint (W.D. Wash. Apr. 14, 2016).)

On September 2, several prominent tech companies, including Apple, Amazon, and Google, filed amici briefs that echo and reinforce Microsoft’s position. (Accessible here and here.)

Microsoft’s suit challenges the constitutionality of the antiquated Electronic Communications Privacy Act (ECPA).  Specifically, Microsoft argues that Section 2705(b) of the ECPA violates the Fourth Amendment right of its customers to be notified that the government searches or seizes their property, and it violates the company’s First Amendment right to freely speak to its customers.

Microsoft’s suit, unlike Apple’s public fight with the FBI over access to a password-protected iPhone, does not center on just one dispute.

Rather, every year, the government conducts thousands of investigations into the contents of communications stored in the cloud, using the ECPA as authority. At the same time, the government places Microsoft and other service providers under “gag orders” that prohibit disclosure to the affected customers.


On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into effect requiring companies that process personally identifiable information of EU residents to comply with a significant number of enhanced data-protection requirements. One of these requirements is an individual’s “right to explanation” of an algorithmic decision made about him or her by a machine.

Michael Coscia, the first person convicted as a “spoofer” under the 2010 Dodd-Frank Act, has been sentenced to 3 years in prison. Coscia is not a young hacker kid or even a computer whiz; he is a fifty-four-year-old commodities trader and owner of New Jersey-based Panther Energy Trading.

Coscia was convicted in November 2015 for artificially bumping up commodities prices by using computer algorithms to quickly place large orders through commodity markets in Chicago and London, which he then cancelled within milliseconds. These placed-then-cancelled trades were alleged to have had effects on the pricing of the commodities that benefitted Coscia to the tune of more than $100,000 per month in 2011.