The High Court considers the right to be forgotten

On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), ruled against Google, in favour of two businessmen advocating for the right to be forgotten. You can find the full judgment here, but in this blog we explore the reasoning behind the Court’s decision.

Right to be forgotten/right to erasure

The Court of Justice of the EU confirmed the right to be forgotten as an existing right under data protection laws in Google Spain SL v Agencia Española de Protección de Datos (Case of 2014: 317). The right to be forgotten is now made explicit in the text of the EU General Data Protection Regulation 2016/679 (GDPR), where it is essentially an enhanced right of erasure. The right is not absolute: a controller does not need to comply with a request if there is a legitimate reason for continuing to process the personal data.

Case summary

Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:

  • NT1 was convicted of conspiracy to commit false accounting and tax evasion; and
  • NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.


Trade secret litigation – is Germany next?

In anticipation of the implementation of the Trade Secrets Directive, the topic of know-how protection has been widely discussed. Dr Anette Gärtner, along with Sabrina Gossler, has written an article which explores the current legal situation in Germany, analyses the relevant provisions of the Directive and explains the immediate next steps for companies operating in Germany. Key messages to take from the article include the need for companies to take objective measures to safeguard confidentiality and the introduction of the Confidentiality Club, which will lead to an increase in German trade secret litigation. Please refer to the full article by Dr Anette Gärtner and Sabrina Gossler in the May issue of Mitteilungen der dt. Patentanwälte for further commentary.

Article 29 Working Party issues final guidelines on consent

On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data.

Technology Law Dispatch looked at the WP29’s draft guidelines on consent earlier this year. This article examines the differences between the draft and final guidelines.

Conditions for valid consent – freely given

Under the GDPR, consent must be freely given, specific, informed and unambiguous. Where a controller wants to process personal data for additional purposes other than the provision of a requested service, individuals should be given the option to separately consent to or reject such processing.

WP29 states that consent will not be freely given where a controller argues that a choice exists between: (1) its own service, which includes processing for additional purposes; and (2) an equivalent service offered by a different controller.

On that reasoning, an individual’s freedom of choice would depend on: (1) the practices of market competitors; and (2) whether a data subject finds other controllers’ services to be genuinely equivalent. Such an approach would imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their processing activities, as competitors could always alter their services. This would not be a realistic or pragmatic approach, and WP29 has now rejected it.


Article 29 Working Party adopts finalized guidelines on transparency under GDPR

The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), following its public consultation.

Technology Law Dispatch looked at the draft guidance on transparency earlier this year, so this blog focuses on the key issues and what is new in the final guidelines.

Information being “intelligible”

The updated guidelines link the requirement for information to be intelligible, using plain and clear language, with the accountability principle. The guidelines now state that an “accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.” This includes, for example, assuming that working professionals have a higher understanding of certain issues than children or non-specialists. In other words, the data controller is expected to tailor its notices and information to the relevant audience. The final guidelines also suggest mechanisms by which controllers can test their interfaces, notices and policies for intelligibility and transparency – including the use of industry groups, consumer advocacy groups, readability tests and regulatory bodies.


D.C. federal court rules that web scraping does not violate the CFAA and may be protected by the First Amendment

On March 30, 2018, a D.C. federal district court denied a motion to dismiss an ACLU case filed against the government to challenge the constitutionality of the Computer Fraud and Abuse Act (CFAA), which makes it a federal crime to access a computer in a manner that “exceeds authorized access.” Sandvig v. Sessions, No. 1:16-cv-01368, Dkt. 24 (D.D.C. Mar. 30, 2018). The court held that the plaintiffs could proceed with their claim that the Free Speech and Free Press Clauses of the First Amendment, as applied, bar prosecution under the CFAA because such prosecution would restrict the plaintiffs’ ability to report on publicly available information; the court noted that even information available only after user registration on a site is generally available to the public.

The particular facts of the Sandvig case are, unsurprisingly, aimed at highlighting a potentially extreme application of the CFAA. The named plaintiffs are four professors and a media organization investigating whether automated decision-making and ad targeting technologies employed by various websites result in potentially discriminatory practices against protected classes. For example, they want to analyze whether a real estate or employment website would discriminate against a user based on race. To perform the necessary analysis, they intend to use web scraping, bots, fake accounts (“sock puppets”) and other data collection techniques to conduct outcomes-based audit testing of websites and uncover such practices. These activities are typically prohibited by websites’ terms of service (TOS) and are therefore unauthorized under those terms.


Article 29 Working Party consultation on guidelines for accrediting certification bodies under the GDPR

The Article 29 Working Party (WP29) published a consultation on guidelines for the accreditation of certification bodies under the General Data Protection Regulation (GDPR), which closed at the end of March.

The consultation guidelines would require a certification body under the GDPR to be accredited by either the competent supervisory authority or the national accreditation body, or both. The guidelines aim to establish a harmonised baseline for certification.

General overview

In brief, the guidelines:

  • set out the purpose of accreditation and include a list of definitions;
  • explain routes to accredit certification bodies;
  • give a framework for additional accreditation requirements, when accreditation is handled on the national level;
  • stress they are not a procedural manual, or a new technical standard;
  • highlight that the final form document will include an annex outlining a framework for identifying accreditation criteria.


Brexit sectoral analysis – ICT report

In November 2017, the House of Commons Committee on Exiting the European Union (the Committee) published impact assessment reports of Brexit on various UK business sectors. The Report on the Technology (ICT) Sector (the Report) is a mix of qualitative and quantitative analysis. For each business sector, the Report includes: (i) a description of the sector; (ii) the current EU regulatory regime in which the sector operates; and (iii) an explanation of the frameworks governing how trade is facilitated between countries in the sector. Information provided by the government to the Committee about specific sector views has been withheld by the Committee.

Sector overview

The UK digital sector is vast. It covers digital goods, digital services and digitally enabled transactions of goods and services. It includes the following services and products: (i) audio-visual; (ii) e-commerce; (iii) telecommunications; (iv) data; (v) emerging industries, such as artificial intelligence; (vi) FinTech (dealt with in a separate report); (vii) the Internet of Things; and (viii) cybersecurity. Though London is a prominent hub, digital companies are spread across the UK. Several other cities have highly ranked digital clusters.

The Report highlights:

  • the extent of the UK’s investment in the digital sector;
  • how tech companies are investing in the UK since the Brexit referendum; and
  • information about the value added by the ICT industry, including its contribution to national economy statistics, employment, national balance of trade and international trade.


Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors

Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) and Altaba Inc. (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and 2014 but was not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

The SEC’s administrative proceeding order pointed to Altaba’s delayed disclosure of the 2013–2014 security incident, as well as to the company’s public filing of multiple reports with the SEC that commented on the risks and consequences of a breach in general but did not notify investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response arising from failures to disclose to affected customers or subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on disclosure to investors of a public company that has suffered a breach. It should encourage companies to give commensurate attention, in their data breach response plans, to their responsibilities to shareholders.


Arizona emerges as privacy innovator as its AG and Governor lead the charge

Arizona and its Attorney General’s office have emerged as key players in the effort to prioritize data security on the national stage. Since his inauguration in 2015, Arizona Attorney General Mark Brnovich has struck a balance between supporting innovation and protecting Arizonans’ privacy rights. With the support of Governor Doug Ducey, Arizona is taking active steps to broaden the scope of state privacy protection initiatives.

As the current Chair of the Conference of Western Attorneys General (CWAG), AG Brnovich will host CWAG’s 2018 Chair Initiative in Scottsdale, Arizona on May 3 and 4, focusing specifically on data privacy, cybersecurity, and digital piracy. The meeting will bring together AGs from around the country, as well as thought leaders and key stakeholders in the private sector, to tackle new horizons on issues such as breach notification, the European Union’s data protection regulations, national security, and FinTech. To read more about AG Brnovich’s 2018 Chair Initiative, and his take on how attorneys general are tackling privacy and data security issues, see Reed Smith Partner Divonne Smoyer and Associate Kimberly Chow’s recent Q&A with AG Brnovich on the website of the International Association of Privacy Professionals.


Article 29 Working Party update on GDPR implementation

The Article 29 Working Party (WP29) discussed a number of important issues during its April plenary meeting on 17 April 2018. In its summary press release, the WP29 gave an update on the issues it discussed.

Implementation of the General Data Protection Regulation (GDPR) and adopted guidelines

WP29 formally adopted guidelines on consent and transparency following a public consultation of six weeks. WP29 additionally formally adopted revised Binding Corporate Rules application forms, an updated working document on the Binding Corporate Rules approval procedure and revised guidelines on the GDPR urgency procedure.

WP29 also highlighted that it had adopted a position paper on GDPR Article 30(5). GDPR Article 30(5) generally exempts organisations employing fewer than 250 people from having to keep records of personal data processing.

WP29 further stated that it will continue working on guidelines about GDPR certification, territorial scope and codes of conduct.

It was also stated that WP29 has been granted a mandate to develop guidance in relation to GDPR Article 6(1)(b) in the context of the provision of ‘free’ online services. GDPR Article 6(1)(b) enables organisations to process personal data where such processing is necessary for the performance of a contract to which a data subject is party.

A discussion was also had on the European Data Protection Board and how its rules of procedure, budget, technical set-up and meetings timetable in 2019 will be structured.