“Sorry, Santa, the Kids’ Data Is Stuck In Russia!” ~ Plus LinkedIn Not Feeling the Love from Russia

LinkedIn has become the first major company to have access to its website in Russia blocked by the Russian Data Protection Authority, Roskomnadzor, following earlier Moscow Court decisions on 4 August and 10 November.

Russia’s data localisation law came into effect in September 2015 and requires websites collecting personal data of Russian citizens to store the data on servers located on Russian soil. The law also granted Roskomnadzor a new power to block access within Russia to the website(s) of companies found to be in breach of requirements such as localised data storage.

On 17 November, Roskomnadzor exercised its new enforcement power by blocking access to LinkedIn throughout Russia. Reports suggest that LinkedIn argued that the data localisation law should not apply to its platform because LinkedIn itself does not have a presence in Russia and, in any event, its activity is directed internationally rather than specifically at Russia, and so is not “directed to” Russian users. The Russian language version of the website, which is available by default for users accessing the site from Russia, appears to have been influential in the platform being held to be subject to Russian law.

LinkedIn’s experience appears to herald the start of more concerted action by the Russian regulator. Roskomnadzor’s enforcement focus has just taken a seasonal turn (if not a festive spirit) with the prosecution of over 70 foreign websites offering children a chance to send an email addressed to Santa Claus.

These court rulings and subsequent enforcements will be of interest (if not concern) to many global businesses that engage with the Russian market. Some companies have already responded to the law by establishing servers in Russia; however, for others that had been taking a ‘wait and see’ approach, it may be time to add a few servers to the Christmas list (and 2017 IT budgets)!

New California AG Appointed with Possibilities for Privacy Enforcement

With the election of current California Attorney General Kamala Harris to the U.S. Senate, Governor Jerry Brown was tasked with appointing her replacement. On December 1, he announced that his pick is U.S. Representative Xavier Becerra, head of the House Democratic caucus.

Becerra was first elected to the House in 1992 and has also served as deputy attorney general for California.

As we have previously pointed out, California is a very active state in privacy regulation. AG Harris has engaged with consumer privacy protection and the regulatory scheme, including advocating for harmonization of state data breach laws in her February 2016 Data Breach Report. We will see whether Becerra, as California attorney general, maintains the state’s involvement in this area. This handoff will occur at the same time that a new chairperson of the Federal Trade Commission takes over, a transition that is also raising questions of how the new leadership of the agency will handle privacy.

With the apparent shift in activity at the federal level following the election of Donald Trump, we expect states to be more active in a variety of areas, including privacy. Stay tuned for developments.

Facebook Implements Additional Measures to Prevent Discriminatory Practices in Targeted Advertisements

Responding to news reports that journalists were able to purchase advertising on Facebook targeted to ethnic groups, Facebook announced several new changes to the company’s advertising products. The move highlights heightened scrutiny of advertising practices surrounding the increasing use of big data in many aspects of marketing and advertising.

Facebook’s response grew out of a ProPublica report published on October 28, 2015 detailing how journalists were able to purchase ads targeted to house hunters on Facebook, all while excluding specific “Ethnic Affinities,” such as African-American, Asian-American or Hispanic people. The report raised significant ethical and legal questions on how the features that enable advertisers to target their ads can be misused for discriminatory purposes. The potential for interactive computer service providers to violate anti-discrimination laws has drawn attention for several years, especially following the decision of the Ninth Circuit Court of Appeals in Roommates, which held that the immunity provided by the Communications Decency Act (CDA) for online operators did not apply to an online service that offered questionnaires and selections to online participants that could facilitate discrimination against protected classes. See Fair Hous. Council v. Roommates.com, LLC, 521 F.3d 1157, 1166 (9th Cir. 2008) (en banc).

Michigan AG Steps In to Defend State Privacy Law

The Michigan attorney general intervened November 22 in a suit brought under a Michigan privacy law, making it one of the first times a state attorney general has weighed in on a case involving data use.

Michigan AG Bill Schuette defended the constitutionality of the Michigan Preservation of Personal Privacy Act, otherwise known as the Video Rental Privacy Act, citing the rights of Michigan residents to privacy in the video, audio, and reading materials they borrow or purchase. A Michigan resident had brought suit against Consumers Union of United States, alleging that the company had disclosed information, including his address and the names of magazines to which he subscribed, to “data mining” companies and other third parties, without obtaining his consent or providing him notice of the disclosure.

The Michigan law prohibits the release of information on a customer’s purchase, rental, or borrowing of videos, books, and sound recordings that identifies the customer unless the customer consents or unless the release is for the exclusive purpose of marketing directly to the customer, as long as the customer is given written notice and an opportunity to have their name removed, among other exceptions.

Significantly, the law was amended in July 2016 to stipulate that only a customer who suffers actual damages may sue. The law no longer allows for statutory damages of $5,000 per plaintiff. The question of what harm qualifies for standing in privacy cases is a key issue in privacy litigation today. Absent the amendment, this law was poised to be used repeatedly by plaintiffs seeking sizeable monetary damages with limited showing of harm.

In Ruppel v. Consumers Union, brought in the Southern District of New York, Consumers Union argued that the law unconstitutionally violated its right to free speech. AG Schuette contended that the law permissibly regulates commercial speech and withstands intermediate scrutiny.

While many state attorneys general have been involved in data breach cases that affect residents of their states, few have weighed in on laws governing data use. AG Schuette’s intervention in this case signals that more state AGs will likely become involved in substantive privacy legal issues beyond breach in the future.

Preparing for the GDPR: what you need to know

Data protection procedures will require an overhaul for any company that offers goods and services, or tracks individuals, in the EU under the European General Data Protection Regulation (GDPR), which is to take effect from 25 May 2018. Given the changes in compliance requirements that the GDPR entails, it is vital that you use 2017 to audit your current policies and processes and make any necessary changes in readiness for the GDPR.


Leveraging the Blockchain to Provide an Unalterable, Distributed Ledger for Transactions, Supply Chains and Other Corporate Processes

On Monday, November 14, 2016, the Securities and Exchange Commission (SEC) hosted a forum to discuss financial technology (FinTech) innovation in the financial services industry. The summit discussed several topics, but the second panel, titled “Impact of Recent Innovation on Trading, Settlement, and Clearance Activities,” specifically addressed blockchain-enabled distributed ledger technology and its applicability in corporate environments. The panel provided an opportunity for the SEC to highlight blockchain’s potential for assisting companies in meeting compliance requirements, cutting costs with respect to record keeping and tracking assets, and disintermediating transactions.

Corporations have begun to seriously examine the opportunities made available by blockchain-enabled distributed ledger technology beyond digital currency, in areas ranging from financial services and retail supply chains to art and music. Unlike Bitcoin, where the blockchain provides a transfer mechanism and ledger for the intangible currency, digital ledger technology also may provide a distributed, often privately managed, system of records for a wide variety of transactions.

Data Protection Authorities gather for the 38th International Privacy Conference

Data Protection Authorities (“DPAs”) from across the world gathered in Marrakesh for the 38th International Privacy Conference. This event is held annually for the purpose of debating topical data protection issues.

The debates this year centred on data privacy being central to: sustainable development, government access to personal data, the role of technology, adequacy, localisation and differing cultural and political frameworks.

A Gentle Reminder from the FCC: Autodialed Text Messages Fall Under TCPA Restrictions

Last week, the FCC’s Enforcement Bureau issued an enforcement advisory reiterating its position that autodialed text messages must comply with requirements set forth in the Telephone Consumer Protection Act (TCPA).  Though it is unclear what prompted this specific advisory (perhaps, the upcoming holiday season), the Enforcement Bureau issued the warning in order to promote understanding of the clear limits on the use of autodialed text messages, also known as “robotexts.”

The FCC has previously articulated in its 2015 Declaratory Ruling and Order that restrictions on making autodialed calls to cell phones encompass both voice calls and texts.  The TCPA bars autodialed calls or texts to mobile devices without prior express written consent, unless they are (i) made for emergency purposes; (ii) free to the end user and have been exempted by the Commission; or (iii) made solely to collect on debts “owed to or guaranteed by the United States” (i.e., federal debt collection calls).  Further, the term “automatic telephone dialing system” (i.e., “ATDS” or “autodialer”) covers any equipment that has the capacity to store or produce numbers to be dialled and dial them without human intervention, but does not need to have the present ability to do so.

Takeaway: Text message campaigns by advertisers have been the subject of FCC actions in the past few months. Prior express written consent may be required for autodialed texts that include or introduce an advertisement. Advertisers which engage in such campaigns should keep a record of consent provided by consumers, as companies bear the burden of proving that they obtained such consent.

Article 29 Working Party issues results of GDPR Fablab workshop

Ahead of the forthcoming General Data Protection Regulation (GDPR), the Article 29 Working Party earlier this year organised the Fablab workshop.

Meeting in Brussels, more than 90 participants gathered to discuss certain operational and practical issues linked to the GDPR with representatives of industry, civil society, academics and relevant associations.

Fablab’s objective was to generate a discussion that would feed into the Article 29 Working Party’s best practices and guidelines due out at the end of the year. Four components of the GDPR were prioritized:

FTC’s New Guidelines Provide Agency View on Data Breach Response

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for many companies to identify in these pronouncements.

Although the Guide is not a regulation, the Commission has historically used such guidance to help signal where its enforcement efforts might focus as it evaluates companies’ conduct. The introduction suggests that the FTC considers following its advice to be at least one way to “make smart, sound decisions.”

The Guide outlines tasks for companies affected by a breach:

  • Secure Your Operation
  • Fix Vulnerabilities
  • Notify Appropriate Parties
