Get your Update on IT & Data Protection Law in our Newsletter (Summer 2018 Edition)

The Summer 2018 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on Facebook fan pages, cookie consent, influencer marketing, liability of platform providers, framing and more. The newsletter also includes multiple recommended reads on the GDPR.

We hope you enjoy reading it.

Proposed amendments to the ePrivacy Regulation

On 10 July 2018, the Council of the European Union published a draft of revisions to the proposed ePrivacy Regulation (ePR). The ePR is likely to come into force in 2019.

The ePR will repeal and replace the Privacy and Electronic Communications Directive 2002/58/EC. The ePR will align Europe’s ePrivacy regime more closely with the privacy regime set out in the General Data Protection Regulation (GDPR). The GDPR took effect on 25 May 2018.

Objectives

The ePR focuses on the confidentiality of users’ electronic communications. It will also regulate activities such as:

  • direct marketing,
  • website audience measurement,
  • the transmission of communications across devices and browsers, and
  • cookies set on users’ machines.

According to Recital 2, the ePR intends to “particularise and complement the provisions for personal data laid down by the GDPR” by “translating its principles into specific rules”.


Upper Tribunal says “small data” is not exempt under FOIA

The Upper Tribunal (Administrative Appeals Chamber) in IC v Miller [2018] UKUT 229 (AAC) has rejected an appeal brought by the Information Commissioner (IC) against a First-Tier Tribunal (FTT) decision finding that “small data” (i.e., data concerning five or fewer individuals or households) was not exempt from disclosure under the Freedom of Information Act 2000 (FOIA).

The FTT decision

A request for disclosure under FOIA was made to the Ministry of Housing, Communities and Local Government (MHCLG) (then named the Department for Communities and Local Government (DCLG)). The request concerned data held by local authorities with regard to homelessness between 2009 and 2012, which had not been published by the MHCLG. The MHCLG refused to disclose the data.

The matter went to the FTT, which found that the small data did not constitute “personal data”, as defined by section 1(1) of the DPA 1998, and it was not exempt from disclosure under section 40(2) of FOIA.

The IC appealed the FTT’s decision on various grounds, including that in relation to small data, the information was exempt from disclosure under section 40(2) of FOIA.


CJEU decides on re-posting of protected content

On 7 August 2018, the Court of Justice of the European Union (“CJEU”) released another judgment (surprisingly its first copyright judgment of 2018) on the interpretation of the right of communication to the public (case no. C-161/17 – “Judgment”). The CJEU held that the unauthorised re-posting of copyright protected works may constitute an act of communication to the public under Article 3(1) of Directive 2001/29/EC (InfoSoc Directive).

Facts

The fact pattern was very specific. A copyright protected photograph of the city of Cordoba was uploaded to an online travel portal with the consent of the photographer. The photo was freely accessible without any restrictive measures preventing it from being downloaded. A student downloaded the photograph and used it for a written assignment, which was then uploaded to the school’s website.

The photographer brought the underlying main proceedings before the German courts claiming copyright infringement. The German Federal Court of Justice (Bundesgerichtshof) referred the case to the CJEU and asked whether the posting on one website of a photograph that has been previously published without restriction and with the consent of the right holder on another website qualifies as communication to the public.

Opinion of the Advocate General

The Advocate General Sánchez-Bordona (“AG”) took the view that the use of the photograph in this case does not infringe the right of communication to the public. He argued that both the school’s website and the online travel portal addressed the same general internet public. Considering that the original upload was accessible without technical restrictions or a copyright notice, the AG concluded that internet users could assume the right holder does not object to further uploads of the work.

The AG suggested a ‘notice and takedown’ procedure in which right holders have to actively opt out of the use of protected works by means of downloading and uploading.


“Privacy First Policy” to be on November ballot in San Francisco

San Francisco voters will decide on November 6, 2018, whether to enact the city’s “Privacy First Policy” that intends to protect the personal information of residents and visitors from misuse by companies doing business in San Francisco. The policy builds upon the California Consumer Privacy Act passed in June 2018, which gives consumers various rights, such as the right to know what information is being collected about them and whether it is being sold and the right to opt out of the sale of their personal information. The proposed policy sets out 11 principles for the city’s government to abide by when adopting privacy laws and regulations.

If San Francisco voters approve the policy, businesses will be required to disclose their data collection policies and obtain input from communities impacted when drafting those policies. San Francisco lawmakers will then have to negotiate a data collection ordinance by May 31, 2019, that would apply to any entity that contracts, leases or signs permits with the city government. San Francisco is the second major city, following Chicago, that has taken expansive action to protect residents from the misuse and misappropriation of their personal data.

Read more on our issued Client Alert here.

Court of Appeals Berlin decides on the obligation to provide technical protection against framing

In a judgment of 18 June 2018, case 24 U 146/17, the Berlin Court of Appeals (Kammergericht Berlin – Court of Appeals) held that collecting societies shall grant the right of use of their picture inventory as thumbnails even if these pictures can be ‘framed’ by third parties and the prospective licensee does not commit to prevent this use by technical means. This case will most likely now go to Germany’s Federal Supreme Court of Justice (Bundesgerichtshof – BGH).

Background

The judgment is based on a legal conflict that occurred in 2013. A German collecting society and its prospective licensee negotiated the granting of the right to use works of visual arts on the licensee’s website as well as websites of the licensee’s partners. In 2014, when a license agreement was almost concluded, the collecting society refused to grant the licensee rights to use because of an earlier judgment of the Court of Justice of the European Union (CJEU) on framing (CJEU, BestWater International, judgment of 21 October 2014, case C-348/13). This judgment stated that framing a protected work that was made available on a publicly and freely accessible website did not constitute communication to the public under European copyright law.

The collecting society did not enter into the agreement as the licensee did not agree to provide appropriate technical measures to protect against framing on its website. The collecting society argued that authors shall be protected against the framing of copyrighted pictures on third parties’ websites without remuneration.

The licensee brought an action for a declaratory judgment in front of the Berlin Regional Court (Landgericht Berlin, 15 July 2017, 15 U 251/16) in 2016 on whether collecting societies may impose the obligation that licensees implement technical measures to prevent framing. The Berlin Regional Court dismissed the action as inadmissible in the first instance.


EU to create a cybersecurity certification framework

To enhance cyber resilience, the EU is building a certification framework for information and communication technology (ICT) products, services and processes. On 8 June 2018, the Council agreed a Proposal (known as the Cybersecurity Act) to prepare for negotiations with the European Parliament to finalise the text.

One of the effects of the Proposal is that it will upgrade the current European Union Agency for Network and Information Security (ENISA) into a more stable EU agency for cybersecurity.

Cybersecurity certification

The Proposal introduces a tool to create a more comprehensive regulatory framework for specific ICT processes, products and services designed to help ensure compliance with specified cybersecurity requirements.

Certificates issued under the scheme will be recognised, legally, across the EU. This will therefore have the dual effect of building trust in users – given the technology certification will mean the technology has received the European-security stamp – and enabling businesses to carry out their business cross-border. The resilience behind the technology in relation to accidental or malicious data loss or alteration will be certified.

This certification scheme addresses the barriers in the EU where Member States have implemented different standards to one another; for example, Member States have issued regulations which improve country-specific requirements around security.

The details of this certification scheme and its requirements will, in particular, be important to network and data service operators, including cloud computing service providers.

The certification will be optional unless it is specified as a legal requirement under an EU law or Member State law.


ICO publishes its 2017/2018 Annual Report

The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number of self-reported personal data breaches and a summary of fines issued by the ICO.

Upward trends

The ICO received a huge increase in telephone, live chat and written queries from the public and organisations. In the last quarter of 2017, it received 30,000 more such calls than in the previous three months. The report claims 235,672 calls were received by the ICO’s helpline, an increase of 24.1 per cent year-on-year, while 30,469 live chats were requested, up 31.5 per cent. Of the queries received, the majority of concerns related to data subject access (39 per cent), the disclosure of data (16 per cent), the inaccuracy of data (11 per cent) and securing the right to prevent processing (9 per cent).

With regard to personal data breaches, the number of self-reported cases increased significantly: 3,172 incidents were reported to the ICO over the course of 2017/2018, a 29.6 per cent increase. It is anticipated that the number of self-reported data breaches is likely to increase further during the 2018/2019 report period, to reflect the new mandatory data breach notification requirements under GDPR. This position was confirmed during an ICO webinar, where it was revealed that there were 1,792 personal data breaches notified to the ICO in June, a 173 per cent rise on the 657 reports received in May 2018, and an almost fivefold increase compared to April, when just 367 notifications were received.


ICO issues guidance on hiring and supporting DPOs

The UK Information Commissioner’s Office (ICO) has issued a resource for organizations to utilise when hiring and structuring the roles of data protection officers (DPO) under the General Data Protection Regulation (GDPR). This blog summarises several key elements of these resources.

DPO checklist

The checklist contains four sections which include:

  1. Appointing a DPO – across situations where a DPO is required to be appointed, and also where one is not expressly required but one has been voluntarily appointed.
  2. Position of the DPO – outlining the reporting structure, involvement in all issues relating to data protection, resources available to a DPO, and independence and freedom from conflicts in one’s capacity in the DPO role.
  3. Tasks of the DPO – setting out the roles and responsibilities of the DPO, including compliance, training and audits, as well as acting as a contact point for the ICO.
  4. Accessibility of the DPO – announcing the DPO as the accessible point of contact for employees, individuals, the ICO, and stating that the DPO should have their contact details published and communicated to the ICO.

DPO appointment

An organisation must appoint a DPO if:

  • It is a public authority or body (other than a court acting in a judicial capacity); or
  • Its core activities require regular and systematic monitoring of individuals on a large scale (which include tracking online behaviours); or
  • Its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.


California’s unanimously passed privacy bill takes its cues from the EU’s GDPR and may significantly shift the legal landscape in the U.S.

California’s new privacy law, the California Consumer Privacy Act of 2018 (AB 375), will go into effect on January 1, 2020. The law expands privacy rights, provides California consumers with more control over the personal information that businesses collect on them, and includes civil penalties and statutory damages for noncompliance. While the new privacy law will likely have a ripple effect on other states exploring increased privacy protections, even on a standalone basis, the California law will have an enormous impact given the number of businesses that operate in California and offer consistent websites, apps and online services to residents of California and the other 49 states. The law reflects a growing public interest in protecting personal information and, along with the adoption of policies similar to the European Union’s General Data Protection Regulation by many global companies, suggests that heightened debate, additional legislation and increased high-stakes litigation may be inevitable. Read more on our issued Client Alert here.
