Changes on the horizon for the e-commerce sector?

On 15 September 2016, the European Commission published its Preliminary Report on the e-commerce sector inquiry.

The report provides an overview of the prevailing market trends of e-commerce in goods and digital content, and the likely impact this will have on competition and consumer choice. While that is the focus of the report, the outcome of the inquiry – and any resulting change to the way the sector operates – will undoubtedly have an impact on online privacy, particularly as many e-commerce sites collect and retain personal data about their customers. Complying with data protection laws should therefore be high on the agenda.

Reed Smith has prepared a client alert that addresses the key provisional findings of the report.  Please click here to read our briefing in full.

Bavarian Data Protection Authority issues new guidance paper on handling personal data breaches under the General Data Protection Regulation

On 19 September 2016, the Bavarian Data Protection Authority (“DPA”) issued a new guidance paper on handling personal data breaches under the new EU General Data Protection Regulation (“GDPR”) in the course of a series of non-binding guidance papers on selected topics in relation to the GDPR, which the DPA publishes periodically.  The papers can be found on the DPA’s official website.

Starting Point: Current Legal Framework

The DPA states that there are a number of ways how personal data might fall into unauthorized hands. Already under the current legal framework, unauthorized access to personal data – colloquially: “data breaches” – has to be notified; however, only under certain circumstances. Pursuant to Section 42a of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), two requirements need to be fulfilled in order to trigger the obligation to notify:

  1. The personal data affected must be very sensitive data, such as bank and health data.
  2. There must be a high risk for the data subject affected, i.e., there must be a threat of severe obstructions.

In the view of the DPA, those requirements lead to the result that to date, only a very low number of breaches are notified. The yearly amount of such notifications is in a two-digit range. However, the DPA takes the view that it is very likely that a considerable number of undetected, and therefore non-notified, breaches exists. If a breach that triggers the obligation to notify has occurred, the affected data subject also needs to be informed.

Legal Framework under the GDPR: Clearly Lower Thresholds

The GDPR regulates handling of personal data breaches in Articles 33 and 34. Under the GDPR, a graduated system of notification obligations exists:

  1. The general rule is that a personal data breach shall be notified to the competent supervisory authority, “unless the personal data breach is unlikely to result in a risk” of natural persons.
  2. However, the communication of the relevant personal data breach to the data subject is only required if the personal data breach is likely to result in a “high risk” for the right in freedoms of natural persons.

Further, a communication to the data subject shall not be required if the controller has implemented appropriate technical and organizational protection measures, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.

The same shall apply, if the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms, which existed at the time of the data breach, is no longer likely to materialize. The DPA emphasizes that the supervisory authorities have to clarify how this scenario can be handled in daily practise.

Should each Personal Data Breach be Notified to the Supervisory Authority?

The DPA has compared the English and the German version of the GDPR. In the DPA’s view, this comparison leads to the conclusion that as a general rule, each data breach shall be notified to the competent supervisory authority, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (German version: “es sei denn, dass die Verletzung des Schutzes personenbezogener Daten voraussichtlich nicht zu einem Risiko für die Rechte und Freiheiten natürlicher Personen führt”).

The DPA presumes that the correct assessment of this requirement might be challenging for enterprises, since in the majority of cases it cannot be ruled out that such risk exists. Accordingly, the DPA expects that the supervisory authorities will coordinate the criteria for a proper risk analysis and the obligation to notify.

Scope and Date of the Notification

The notification needs to be filed with the competent supervisory authority within 72 hours. An extension of this deadline shall be possible only in justified cases. A notification pursuant to Article 33 GDPR shall comprise inter alia the following:

  • The nature of the personal data breach
  • The categories of personal data records concerned
  • The number of data subjects and data records
  • An estimate of the consequences for the data subject, as well as the measures to be taken or proposed to be taken by the controller to address the personal data breach, or measures to mitigate its possible adverse effects

Companies are Called-on to Comply with Obligation to Notify

The DPA emphasizes that companies should observe the obligation to notify. This shall be true in particular in the light of the fact that administrative fines might be imposed on the company in case of non-compliance. The administrative fines might amount up to EUR 10 million or 2% of the relevant company’s turnover (see our blog on the DPA’s guidance paper on sanctions under the GDPR).

Outlook

The DPA explains that the consequences of personal data breaches are very difficult to calculate and might not only result in a loss of confidence by customers and reputation by business partners, but might also lead to a high risk of financial losses. Accordingly, the DPA takes the view that an active and comprehensive collaboration with the supervisory authority does not only contribute to mitigation of such losses, but also ensures that the affected data subjects will be properly informed.

The DPA eagerly awaits the further developments in this context. In particular, it remains to be seen whether data controllers will comply with the new notification requirements, and how the supervisory authorities will deal with the likely increase of notifications and workload.

Finally, the DPA announces that it is in the course of developing an online service for data controllers that shall enable an efficient notification procedure.

A supply of software can be a sale of goods

The High Court held, in The Software Incubator v Computer Associates [2016] EWHC 1587 (QB), that a supply of commoditised software is a sale of goods for the purposes of the Commercial Agents (Council Directive) Regulations 1993 (“Regulations”).

Background

Computer Associates UK Ltd (“CA”) entered into a non-exclusive agreement with The Software Incubator Limited (“TSI”). TSI agreed to provide software consulting and promotion services in return for a fixed monthly fee and commission on sales.

TSI’s director was unhappy with the relationship and decided to become an agent for another company (“the company”), which led to TSI signing an agreement with them. TSI intended to terminate the agreement with CA, but CA served three months’ notice of termination on TSI in September 2013. However, CA then decided to terminate the agreement earlier and with immediate effect, alleging that TSI’s work for the company amounted to a repudiatory breach.  TSI claimed compensation under the Regulations, commission on post-termination sales, and damages.

Continue Reading

Bavarian Data Protection Authority issues new guidance paper on sanctions under the General Data Protection Regulation

On 1 September 2016, the Bavarian Data Protection Authority (“DPA”) issued a new guidance paper on sanctions under the new EU General Data Protection Regulation (“GDPR”) in the course of a series of non-binding guidance papers on selected topics in relation to the GDPR, which the DPA publishes periodically, and which can be found on the DPA’s official website.

Starting Point: Article 83 GDPR

The DPA’s first finding is that, compared to the current legal framework under the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), the GDPR, i.e. Article 83, does provide for a much wider array of infringements that are subject to sanctions. Most breaches might result in administrative fines, whereas exceptions shall apply only in cases of minor infringements or if the fine likely to be imposed would constitute a disproportionate burden (recital 148 of the GDPR).

Technical and Organisational Measures

The DPA also expressly notes that under the GDPR, infringements regarding technical and organisational measures can result in administrative fines, which the DPA deems to be an important innovation as compared to the current legal situation in Germany. Another key change is that the GDPR also provides for administrative fines concerning infringements of the obligation to implement the legal principles of privacy by design and privacy by default; the DPA takes the view that this evidences the grate value attributed to these items.

Potential Addressees of Administrative Fines

The DPA emphasizes that administrative fines can be imposed upon both data controllers and data processors. Further, certification bodies and bodies accredited to monitor compliance with a code of conduct might be subject to administrative fines.

The DPA assumes that undertakings shall be liable for infringements which are committed by the undertaking’s employees. The question whether administrative fines can also be imposed upon employees is not regulated by the GDPR. The DPA concludes that it remains to be seen whether the implementations on a national level will address this open issue.

Increased Amount of Fines

Article 83(1) GDPR sets forth that administrative fines “shall in each individual case be effective, proportioned and dissuasive”. The DPA highlights that under the GDPR certain infringements might result in fines up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The DPA states that, when determining the relevant worldwide annual turnover, not only the individual company, but the whole group of companies, shall be taken into account. In the view of the DPA this shall result from recital 150 of the GDPR, which expressly makes reference to the “economic concept of undertakings” contained in Articles 101 and 102 of the Treaty on the Functioning of the European Union.

Relevant Factors for Determining the Amount of Fines

A number of criteria need to be considered when determining the amount of the relevant administrative fine, in particular previous infringements, and / or the scope of collaboration with the competent supervisory authority. If an undertaking provides, in the course of pending investigations, the supervisory authority with incorrect or incomplete information, this shall be regarded as an aggravating factor. The DPA takes the position that this is a general rule which has also been acknowledged by the Court of Justice of the European Union regarding violations of competition law.

Since the GDPR’s aim is to create a uniform level of fines across the European Union, the DPA calls on the European Data Protection Board, as established by the GDPR, to develop guidelines for determination of the amount of administrative fines.

Outlook

The DPA concludes that the relevant provisions of the GDPR on sanctions are an expression of the legislator’s intention to consequently and seriously sanction infringements. This shall be a clear message for enterprises which should take data protection issues seriously.

VPPA Suit Over Sharing Users’ Video-Viewing Data Continues as Gannett’s Motion to Dismiss Is Denied

In a case demonstrating the ongoing difficulties of applying the Spokeo decision to interpret injury-in-fact, a Massachusetts federal court last week denied a motion to dismiss by USA Today parent company, Gannett Satellite Information Network Inc., where the company allegedly disclosed personal data about a user’s video-viewing history to a third-party analytics firm.

The putative class action was brought in 2014 by a man who alleges Gannett violated the Video Privacy Protection Act (“VPPA”) by recording the titles of videos he viewed on the USA Today app, his Android ID, and the GPS coordinates of his device at the time videos were watched, and sending that information to Adobe, its analytics vendor, without his permission. Continue Reading

Q&A with Massachusetts AG Maura Healey

Attorney General Maura Healey of Massachusetts has held her office since January 2015. Massachusetts has established itself as being on the cutting edge of data privacy regulations that call for robust written information security program and computer system requirements, and the attorney general’s office continues to be on the forefront of enforcement since its security breach notification law was passed in 2007. Healey was no stranger to the work of the office, having also served as chief of the Public Protection & Advocacy Bureau and chief of the Business and Labor Bureau, in addition to working as a special assistant district attorney and in private practice. Healey talks to The Privacy Advisor about her work in targeting healthcare-related privacy violations as well as the future of enforcement in our data-driven economy.

Click here to view the recent Q&A published in the IAPP Privacy Advisor.

Third Circuit Dismissal Affirmance Based on Economic Loss Doctrine Shows Spokeo Shouldn’t Be Your Only Data Breach Class Action Exit Strategy

While the United States Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), has garnered much attention after being cited by numerous courts as a means to dismiss data privacy class actions, defendants should never count out any potential avenues for exiting such a suit; in Pennsylvania (and in many other states following the same legal principle), the economic loss doctrine can also provide summary relief.  As demonstrated in Longenecker-Wells, et al. v. Benecard Services, Inc., et al., No. 15-3538, 2016 WL 4474701 (3d Cir. Aug. 25, 2016), even in data breach suits where actual harm exists and plaintiffs have standing, a quick dismissal is still possible.

The Benecard suit was initiated by former employees and customer members of Benecard Services Inc., which provides medical and vision supply services to public and private organizations.  Plaintiffs sued after unknown third parties breached Benecard’s computer system and accessed plaintiffs’ personal and confidential information.  The hackers then used that information to file fraudulent tax returns, which caused the IRS to issue tax refunds to the third parties rather than to the plaintiffs.  Continue Reading

ICO Reminds Organisations of EU-U.S. Personal Data Transfer Obligations

The Interim Deputy Commissioner at the Information Commissioner’s Office (“ICO”), Steve Wood, has published a blog reminding organisations of their obligations when transferring personal data to the United States, pursuant to the case brought by Max Schrems in 2015, which led to the Safe Harbor framework being declared immediately invalid. Wood reminds organisations that continued reliance on Safe Harbor as a means to provide an adequate level of protection for the rights and freedoms of data subjects “is not an option.” Although it is accepted that implementation of the required changes may take time, the ICO, in certain circumstances, will contemplate enforcement action against companies that fail to comply with the provisions of the Data Protection Act 1998 (“DPA”). It is recommended that organisations do not delay.

One method of providing an adequate level of protection, and thereby complying with the provisions of the DPA, is to transfer personal data to Privacy Shield certified companies. Adopted 12 July, the Privacy Shield framework replaces Safe Harbor and introduces stronger protections for personal data, such as greater transparency requirements and more robust redress mechanisms. On its adoption date, the Privacy Shield entered into force immediately in the EU. In the United States, it became effective 1 August, and since then, several U.S. organisations have certified to the framework. Other options include the implementation of the EU Model Clauses and Binding Contractual Rules.

Wood, however, warns of uncertainty in the law governing international transfers. He highlights the report on the Privacy Shield published by the Article 29 Working Party, and the fact that several cases are currently being considered by the Court of Justice of the European Union, which may affect the current legal bases for international personal data transfers, and lead to the scrutiny of the other mechanisms for international transfers, e.g., the EU Model Clauses. The collapse of Safe Harbor certainly left choppy waters in its wake, and organisations would do well to consider the guidance and materials provided by both the ICO and the U.S. Department of Commerce.

ICO Responds to the ePrivacy Directive Consultation

In April, we reported that the European Commission had opened a public consultation seeking the views of various stakeholders on the current wording of, and possible changes to, the Privacy and Electronic Communications Directive (2002/58/EC as amended) (“ePrivacy Directive”). The retrospective evaluation was necessary to ensure the ePrivacy Directive is fit for the digital age, and remains valuable and effective once the General Data Protection Regulation (2016/679) (“GDPR”) is introduced. The Information Commissioner’s Office (“ICO”) published its response to the consultation, outlining its view that the ePrivacy Directive has achieved its objectives to a “moderate” degree, and providing feedback on a range of specific points. The response revealed the following ICO opinions: 

  • Having specific rules for the electronic communications sector for the confidentiality of communications, unsolicited electronic marketing communications, itemised billing invoices, and presentation and restriction of calling and connected lines, adds value.
  • Having specific rules for the electronic communications sector for personal data breaches and traffic and location data will not add value, as these areas will be dealt with by the GDPR.
  • The definitions contained in the ePrivacy Directive often lacked clarity.
  • The scope of the ePrivacy Directive should be broadened, in part, to include Over-The-Top services, such as Voice over IP, instant messaging, and emailing over social networks, but only if accompanied by a clear definition of such services.
  • Strong protections for individuals’ privacy rights (such as requiring manufacturers to ship products with strong privacy settings as the default) should be introduced with great care, and should be balanced with the legitimate interests of business so as not to stifle innovation.
  • A requirement to obtain opt-in consent should be applied to all instances of direct marketing on the basis that one consistent rule is “simpler to understand and to enforce”. The ICO does, however, recognise the inevitable challenges that occur with this approach. Amending the provisions on confidentiality of communications and of the terminal equipment, unsolicited communications, and governance (competent national authorities, cooperation, fines, etc.), were highlighted as priorities when revising the ePrivacy Directive.

The ICO confirmed that EU data protection laws will still be relevant after the UK’s withdrawal from the European Union, validating its contribution to the ePrivacy Directive consultation.

High Court Permits University’s Contravention of Its Own Privacy Policy

The High Court in Bangura v Loughborough University [2016] EWHC 1503 (QB) ruled 19 May that Loughborough University acted lawfully under the Data Protection Act 1998 (“DPA”) in supplying Leicestershire Police with the registration form of a student suspected of sexual assault and rape. In contravention of the university’s data protection policy, the registration form was supplied to Leicestershire Police before a written request for the form was received.

The claimant, Mr Bangura (who had been a student at the university), appealed an earlier summary judgment against him, arguing that the university’s disclosure of his personal data to the police – prior to receiving a written request – was an action which contravened its data protection policy. The claimant asserted that the policy formed part of his contract with the university, and sought permission to re-open his application for permission to appeal against an earlier order, and various other relief.

The court refused the application on the basis that it had no realistic prospect of success. Specifically:

  1. The claim under the DPA was rejected on the basis that Section 29 does not state that a request for information must be made in writing, and that the test for legitimate interests had been met.
  2. Section 29(3) permits a data controller to disclose personal data without an individual’s knowledge or consent (an exemption from Principle 1 of the DPA), where the disclosure is for the prevention or detection of crime, or the apprehension or prosecution of offenders.
  3. The disclosure of the claimant’s registration form was not a breach of contract, as the policy was not incorporated into the contract between the claimant and the university by either the policy itself, or the registration document.

The Information Commissioner’s Office provides guidance in both its data sharing code of practice and its checklist for data sharing, for organisations that disclose personal data. Organisations are advised to: (i) consider whether the sharing would be justified; (ii) consider whether it has the power to share; and (ii) record the decision to share. Organisations could avoid the administrative burden of court proceedings by including express wording in their data protection policies specifying the extent to which the policy has contractual force, and the potential of disclosure for criminal, fraudulent or legal purposes.

LexBlog