Will the EU data protection authorities’ ‘consistency mechanism’ be ready in time for the GDPR?

During an Article 29 Working Party (WP29) press conference on 7 February 2018, the outgoing chair and French privacy chief, Isabelle Falque-Pierrotin, expressed concerns that EU data protection authorities (DPAs) may not be able to enforce the General Data Protection Regulation (GDPR) effectively and in a unified manner in accordance with the consistency mechanism, by 25 May 2018.

On 25 May 2018, the WP29 will be replaced by the European Data Protection Board (EDPB), which will invoke the consistency mechanism to streamline the enforcement of data protection laws throughout the region. According to Falque-Pierrotin, 26 of the 28 EU member states (with Germany and Austria being the exceptions) are yet to align their national laws with the GDPR. This is concerning because if one member state’s supervisory authority is unable to take part in the consistency mechanism, the whole system of regulation and enforcement under the GDPR could be undermined.

Get your update on IT and data protection law in our newsletter

The Winter 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We cover new case law on marketing consent, cookie consent, the liability of platform providers, employee data protection, sales of address data and the right to be forgotten. The newsletter also includes multiple recommended reads on the General Data Protection Regulation (GDPR).

You can also find more information on our next ‘Data Date’, the GDPR seminar series hosted by our Munich office.

We hope you enjoy reading it.


German court issues important judgment on consent and transparency in Facebook case

The Regional Court of Berlin held in a judgment of 16 January 2018 (docket no. 16 O 341/15, German language version of the judgment available here) that Facebook’s default privacy settings and parts of their terms and conditions were invalid. This judgment provides important guidance on consent and transparency.


The Federation of German Consumer Organizations (Federation) sued Facebook and requested cease and desist regarding some of its default settings and terms and conditions.

The Federation argued that Facebook’s default settings violated the requirement of explicit consent. For example, the default settings included a location service in Facebook’s mobile app revealing the location of the person that the user is chatting to. In addition, boxes were pre-activated allowing search engines to link to the user’s timeline.

The Federation also argued that various clauses in the terms and conditions of Facebook were invalid, including clauses that provide consent of the user (i) to transferring personal data to and processing personal data in the U.S. and (ii) using the name and profile picture of the user for commercial, sponsored or related content.


New data protection fees for UK businesses – Draft Data Protection (Charges and Information) Regulations 2018 and ICO guide published

On 20 February 2018, the Data Protection (Charges and Information) Regulations 2018 (the Regulations) were laid before the UK parliament. The Regulations affect what businesses have to pay when registering their data protection arrangements with the Information Commissioner’s Office (ICO). On 21 February 2018, the ICO issued a guide for data controllers about the proposed data protection fees that the Regulations will levy.

The Regulations replace the previous system of notification under the Data Protection Act 1998. They will come into effect simultaneously with the General Data Protection Regulation on 25 May 2018.

Under the Regulations, data controllers who have a current registration or notification with the ICO will not need to pay the new fees until their existing registration expires. Registration does not automatically expire on 25 May 2018.

1. How the fees are calculated

The Regulations set out three tiers of organisations with accompanying fee levels for each tier. The tier an organisation falls into depends on: (i) how many staff members it has; (ii) its annual turnover; (iii) whether it is a public authority; (iv) whether it is a charity; and (v) whether it is a small occupational pension scheme.

These tiers are clarified below:

Tier 1 – Micro Organisations

  • Maximum turnover of £632,000 for the financial year OR no more than 10 members of staff.
  • Tier 1 fee = £40.

Tier 2 – Small and Medium Organisations

  • Maximum turnover of £36 million for the financial year OR no more than 250 members of staff.
  • Tier 2 fee = £60.

Tier 3 – Large Organisations

  • Organisations that exceed the caps of the Tier 1 or Tier 2 criteria.
  • Tier 3 fee = £2,900.

Importantly, all data controllers are to be regarded as Tier 3 unless they tell the ICO otherwise.


Ninth Circuit calls common carrier exception “activity-based”

On February 26, 2018, an en banc federal appeals court held that the common carrier exception in the Federal Trade Commission (FTC) Act that preempts FTC jurisdiction is “activity-based” rather than “status-based” and therefore applies only to the extent an entity engages in common-carrier services. See FTC v. AT&T Mobility LLC, No. 15-16585, D.C. No. 3:14-cv-04785EMC (Opinion) (9th Cir. Feb. 26, 2018). The decision affirmed the Northern District of California’s denial of AT&T Mobility LLC’s motion to dismiss.

In 2010, AT&T switched its mobile data plan offering from “unlimited” to “tiered” but allowed existing customers to retain their unlimited data plans. In 2011, AT&T reduced unlimited customers’ broadband data speed without regard to actual network congestion if they exceeded a preset limit. The FTC filed an action in October 2014 under section 5 of the FTC Act, alleging AT&T’s data-throttling plan was unfair and deceptive. AT&T moved to dismiss, arguing it was exempt due to common carrier status.

Section 5 exempts “common carriers subject to the Acts to regulate commerce.” 15 U.S.C. § 45(a)(1), (2). Although providing mobile data was not a “common carrier service” at the time the FTC filed suit, the Federal Communications Commission (FCC) reclassified mobile data as a common-carriage service in 2015 while AT&T’s motion to dismiss was pending. See In the Matter of Protecting and Promoting the Open Internet, 30 F.C.C. Rcd. 5601, 5734 n.792 (2015) (Reclassification Order). The FCC reversed the Reclassification Order in early 2018. See In the Matter of Restoring Internet Freedom, W.C. Dkt. No. 17-108, 2018 WL 305638, at *1 (Jan 4, 2018).


Territorial applicability of the GDPR

The GDPR is just around the corner and will be effective in less than three months – on 25 May 2018. Organizations are therefore in the midst of preparations to comply with the new Regulation in order to avoid the potentially high fines. Non-EU organizations have to assess whether the GDPR is applicable to them and whether they must prepare accordingly. The answer to this question is provided in Article 3 GDPR, which regulates the territorial scope of the Regulation.

Sven Schonhofen and Friederike Detmering recently published an article on the “Territorial applicability of the GDPR” in the Business Law Magazine, which is available here.

This article explains the establishment rule and the market rule provided in Article 3 GDPR and gives practical advice on how to avoid GDPR applicability.

Are OTT services telecommunications services? German court asks European Court of Justice for preliminary ruling | Gmail Case

According to a press release dated 26 February 2018, the Administrative Court of Appeal Münster (Oberverwaltungsgericht Münster) asked the European Court of Justice (ECJ) for a preliminary ruling on whether Over-the-Top (OTT) services fall within the European regulatory framework for telecommunications services.


By way of administrative orders, the German Federal Network Authority (Bundesnetzagentur – BNetzA) enforced against Google, in relation to its free-of-charge Gmail service, the specific notification obligation under section 6 of the German Telecommunications Act (Telekommunikationsgesetz – TKG), which applies to operators of telecommunications services. Google took the view that Gmail did not qualify as the “operation of telecommunications services” within the meaning of the TKG and, therefore, had not notified the Gmail service to the BNetzA.

Google challenged the administrative orders by legal action before the Administrative Court Cologne (Verwaltungsgericht Köln). Google argued that the transmission of emails over the Internet is technically not under Google’s control, since it is carried out by the access providers and not by Google. The Administrative Court Cologne regarded these arguments as irrelevant: in its view, the transmission services provided by the access providers involved are to be attributed to Google. As a consequence, the Administrative Court Cologne found that Google qualifies as the “operator” of the whole communication process and, in its judgment of 11 November 2015, case no. 21 K 450/15, dismissed Google’s action. On that basis, Gmail would indeed be covered by the notification obligation under section 6 TKG.


Utah AG and FTC Associate Director discuss emerging regulatory and enforcement trends at Reed Smith

The International Association of Privacy Professionals and Reed Smith’s Washington, D.C. office co-hosted the Association’s KnowledgeNet Chapter meeting, “Key Federal and State Regulatory and Enforcement Trends in Privacy to Watch in 2018 – Direct from the Regulators” on February 27, 2018.

Reed Smith partner Divonne Smoyer moderated a panel discussion featuring Utah Attorney General Sean Reyes and Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection Maneesha Mithal. Participants discussed the potential for harmonized state data breach laws and the utility of policies that embrace emerging technologies. The panel also highlighted the importance of comprehensive business practice resources that explain key data privacy principles for small businesses. A question from the audience prompted a discussion about whether the tenets of international policies such as the European Union’s General Data Protection Regulation (GDPR) are practicable in the United States. The panel agreed that cultural distinctions render regulations like the GDPR unfeasible stateside, but noted that American policies embrace similar legislative intent and serve complementary purposes.

In January, Divonne Smoyer and associate Kimberly Chow published a Q&A with AG Reyes. The article is available on the IAPP website.

Guiding light: SEC adopts updated cybersecurity guidance

Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in their preparation of cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC is aiming to apply lessons learned from the many major data security incidents that have occurred since the Commission first issued cybersecurity guidance in 2011. The 2011 Guidance was some of the first of its kind as almost no guidance relating to disclosure requirements and cybersecurity issues existed at the time. The updated Guidance serves to provide the SEC’s views on public companies’ disclosure obligations as they relate to data breaches and other cybersecurity incidents.

The new Guidance encourages public companies to be transparent and disclose any potential cybersecurity risks before breaches or attacks occur. To make such pre-breach risk disclosure possible, the Guidance suggests that companies develop robust cybersecurity risk assessment policies. The Guidance also cautions companies to prevent executives or other insiders from trading company shares during the internal investigation of a data security incident or before such information is made available to the public. This prohibition on trading is specifically directed at curbing behaviors such as those evident during one 2017 data breach involving a major credit-reporting agency.


GDPR: Three months to go

On February 22, 2018, Reed Smith’s IP, Tech & Data Group hosted a webinar discussing key priorities and strategies for compliance during the final three months remaining before the General Data Protection Regulation (GDPR) comes into force on May 25, 2018. We have prepared a benchmarking report based on the data of more than 250 respondents spanning a variety of industry sectors.

The survey results show that there is still a mixed picture in relation to compliance with the GDPR, with over 30 percent of participants being either minimally prepared or not prepared at all. Interestingly, the proportion of those fully or moderately prepared was closely aligned with organizations reporting moderate to high senior management engagement. When it comes to the compliance tasks, the percentages show that companies are on the path to compliance over the next three months, but over 50 percent of participants still need to agree on a strategy and implement the changes to their supply contracts, and nearly 36 percent of companies are still trying to understand the requirements and to agree on a strategy for compliance.

To ensure clients are prepared for the changes being ushered in under the GDPR, our team has also prepared a suite of materials for your use, comprising:

  • Flyer with the headline information you need to know, as an introduction to the Regulation
  • Booklet providing a detailed look at the new obligations and changes from the previous legislation
  • Fold-out guide listing the steps on the path to compliance
  • Guide for compliance considerations in the final three months
  • Client alert outlining the EU countries that have already implemented local GDPR laws