The Queen’s Speech 2017: The future for UK data protection regulation

The Queen’s Speech was delivered 21 June 2017, setting out the government’s legislative plans. Key proposals from a data protection perspective include:

  • The introduction of a new Data Protection Bill, which will incorporate the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and the new Directive governing law enforcement data processing into UK law; and
  • A new Digital Charter, to ensure that the United Kingdom is the safest place to be online.

These proposals will cover a two-year period, as the Queen’s Speech has been cancelled for next year to allow both Houses of Parliament more time to discuss Brexit legislation.

Data Protection Bill

A new law is being proposed to ensure the UK “retains its world-class regime protecting personal data” with a data protection framework that is suitable for our new digital age, and to cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data.

The Data Protection Bill will replace the Data Protection Act 1998, and is intended to incorporate the GDPR into national UK law so that the rules continue to apply in the UK post-Brexit. This will help to put the UK in the best position to maintain its ability to share data with other EU member states and internationally after leaving the EU. The Bill will also modernise and update the regime for data processing by law enforcement agencies, and will cover both domestic processing and cross-border transfers of personal data.

The Bill will include new rules to strengthen rights and empower individuals to have more control over their personal data, including:

  • A right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it; and
  • The ability to require major social media platforms to delete information held about individuals once they reach the age of 18.

The Bill will also update the powers and sanctions available to the Information Commissioner’s Office.

Digital Charter

A new Digital Charter is being proposed with two core objectives – making the UK the best place to start and run a digital business, and the safest place in the world to be online.

The government has indicated that it will work with technology companies, charities, communities and international partners to develop the Charter, and that it will be underpinned by a regulatory framework which balances users’ and businesses’ freedom and security online. It has also stressed that it will make sure that technology companies do more to protect their users and to improve safety online.

Next steps

The proposal for this new data protection law means that businesses currently preparing for the GDPR should continue to do so, as they will need to comply with the same rules under UK legislation after the UK leaves the EU.

Get your update on IT & Privacy Law (Germany)

The Summer 2017 Edition of the quarterly IT & Privacy Newsletter by Reed Smith Germany has just been released.

We cover the German GDPR Implementation Act, new case law on processing on the basis of legitimate interests, marketing consent, and provider liability, as well as the paper on Google Analytics by the Hamburg data protection authority.

We hope you enjoy reading it.

Second Circuit Provides Businesses with a Powerful Defense to TCPA Revocation Claims

In a watershed ruling for businesses facing the recent onslaught of Telephone Consumer Protection Act (TCPA) claims, the Second Circuit Court of Appeals held that consumers cannot revoke their consent to receive automated or prerecorded cell phone calls if they previously consented to receive those calls as part of a binding contract. See Reyes v. Lincoln Automotive Fin. Servs., No. 16-2104-cv, slip op. (2d Cir. June 22, 2017).

In Reyes, the plaintiff entered into a binding auto lease agreement, which contained a provision stating that he expressly consented to be contacted using “prerecorded or artificial voice messages, text messages, emails and/or automatic telephone dialing systems” at the cell phone number he had provided on his application.  When the plaintiff defaulted on his car lease and he started receiving collection calls on his cell phone, he allegedly mailed a letter revoking his consent to receive further calls, but they continued.

The New York federal district court granted summary judgment to the defendant in part on the basis that “the TCPA does not permit a party to a legally binding contract to unilaterally revoke bargained-for consent to be contacted by telephone.” On appeal, the Second Circuit affirmed the district court’s decision, holding that “the TCPA does not permit a party who agrees to be contacted as part of a bargained-for exchange to unilaterally revoke that consent, and we decline to read such a provision into the act.”

In reaching this ruling, the Second Circuit reasoned that the “text of the TCPA evidences no intent to deviate from common law rules in defining ‘consent.’” The court distinguished between (i) “gratuitous actions” under the tort law, such as voluntarily providing one’s cell phone number on a loan application without exchanging any consideration, versus (ii) providing consent “as an express provision of a contract to lease an automobile.”  In the former case, where the consent was purely voluntary, revocation is allowed at any time.  But in the latter case, where consent is provided as a term of a binding agreement, that consent “become[s] irrevocable” because “one party may not alter a bilateral contract by revoking a term without the consent of the counterparty.”  Given Congress’ silence about revocation in the TCPA, the Second Circuit was not willing to conclude that “Congress intended to alter the common law of contracts.”  The Second Circuit further rejected the plaintiff’s argument that any ambiguities should be construed in the consumers’ favor because the statute contained no ambiguity on the revocation point.

Take-away:  Businesses face thousands of TCPA lawsuits each year based on alleged revocations of prior express consent.  This Second Circuit decision creates a powerful defense to these claims as long as the defendant can show that the plaintiff’s prior express consent to receive automated or prerecorded calls was given as part of a binding contractual agreement.  If so, the plaintiff cannot unilaterally revoke that consent as a matter of law.  While this decision only is binding in the Second Circuit, it can and should be used by defendants as persuasive precedent across the entire country.

New State Blockchain Legislation Clarifies Legal Status of the Technology

Nevada is the latest state to clarify blockchain’s legal status under state law. The law, Senate Bill 398, was signed by the governor June 5, and prohibits local governments from imposing taxes or fees on the use of a blockchain; requiring a certificate, license, or permit to use a blockchain; or imposing any other requirement relating to the use of blockchain. Additionally, the Nevada law states that “if a law requires a record to be in writing, submission of a blockchain which electronically contains the record satisfies the law.” To close a perceived gap in federal enforcement, states are using their authorities to provide consumer protection within their states.

To read our full client alert on this development, please click here.

CJEU: Operation of peer-to-peer sharing platform may qualify as copyright infringement

In a preliminary judgment of 14 June 2017, Case C-610/15, the Court of Justice of the European Union (‘CJEU’) held that the making available and management of a peer-to-peer sharing platform may constitute a copyright infringement.

Facts of the case

In the underlying main proceedings before the Supreme Court of the Netherlands, Stichting Brein, a Dutch foundation which safeguards the interests of copyright holders, sued two internet access providers to block the domain names and IP addresses of a certain online platform called The Pirate Bay (‘TPB’), in order to prevent the services of the internet access providers from being used to infringe the copyright and related rights of the right holders.

TPB is an ‘indexer’ of torrent files. BitTorrent is a protocol through which users can share files. The essential characteristic of BitTorrent is that it divides files for sharing into segments, thus removing the need to rely on a central server to store those files. This lessens the burden on individual servers during the sharing process.

In order to share files, TPB users must first download specific software (a ‘BitTorrent Client’), which is not provided by TPB. A BitTorrent Client is software which, among other things, allows the creation of torrent files. Users who wish to make a file on their computer available to other users have to create a torrent file through their BitTorrent Client. Torrent files refer to a central server which identifies the users available to share a particular torrent file, as well as the underlying media file. Users upload these torrent files to TPB, which then indexes them so that they can be found by TPB users, and the works to which those torrent files refer can be downloaded onto the users’ computers in several segments through their BitTorrent Client.
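The two protocol facts the judgment turns on, that a torrent file points at a central server (the tracker) and that the shared file is split into fixed-size segments, are both visible in the torrent file itself. The following is an added example, not code from the original post or from any project it discusses: a small decoder for the “bencode” encoding that torrent files use, plus a summary function that reads the tracker URL and the piece layout. The sample torrent is constructed inline (the tracker URL, file name and sizes are invented for illustration).

```python
import hashlib


def _decode(data: bytes, i: int):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                      # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                      # list: l<items>e
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                      # dictionary: d<key><value>...e, keys are byte strings
        i += 1
        out = {}
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary keys must be byte strings")
            out[key], i = _decode(data, i)
        return out, i + 1
    if c.isdigit():                    # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length runs past end of input")
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {i}")


def bdecode(data: bytes):
    """Decode a complete bencoded document, rejecting trailing garbage."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def summarize_torrent(data: bytes) -> dict:
    """Extract the tracker URL and piece layout from single-file torrent metainfo."""
    meta = bdecode(data)
    info = meta[b"info"]
    piece_length = info[b"piece length"]
    hashes = info[b"pieces"]          # concatenated 20-byte SHA-1 digests, one per piece
    if len(hashes) % 20:
        raise ValueError("pieces field must be a multiple of 20 bytes")
    n_pieces = len(hashes) // 20
    total = info[b"length"]
    if n_pieces != -(-total // piece_length):   # ceil(total / piece_length)
        raise ValueError("piece count does not match file length and piece length")
    return {
        "tracker": meta[b"announce"].decode(),
        "name": info[b"name"].decode(),
        "length": total,
        "piece_length": piece_length,
        "pieces": n_pieces,
        "last_piece_bytes": total - (n_pieces - 1) * piece_length,
    }


# Constructed sample: a 40,000-byte file split into 16,384-byte pieces (3 pieces).
# The piece hashes are SHA-1 digests of placeholder data, not of any real file.
SAMPLE_PIECES = b"".join(hashlib.sha1(b"chunk%d" % k).digest() for k in range(3))
SAMPLE_TORRENT = (
    b"d8:announce31:http://tracker.example/announce"
    b"4:infod6:lengthi40000e4:name9:notes.txt12:piece lengthi16384e"
    b"6:pieces60:" + SAMPLE_PIECES + b"ee"
)

if __name__ == "__main__":
    print(summarize_torrent(SAMPLE_TORRENT))
```

The metainfo itself contains no copy of the work: it names a tracker and carries one hash per piece, which is exactly why the judgment focuses on the indexing and search functions rather than on storage.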

According to the CJEU, the torrent files offered on TPB relate mainly to copyright-protected works, without the right holders having given their consent to the operators or users of that platform to carry out the sharing acts in question.

The CJEU’s decision

Pursuant to Article 3(1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001, on the harmonisation of certain aspects of copyright and related rights in the information society (‘Copyright Directive’), Member States shall provide authors with the exclusive right to authorise or prohibit any communication to the public of their works, by wire or wireless means, including making available to the public their works in such a way that members of the public may access them from a place and at a time individually chosen by them (‘Concept of Communication to the Public’).

The CJEU held that the Concept of Communication to the Public must be interpreted as covering TPB’s sharing platform, i.e., the “making available and management, on the internet, of a sharing platform which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users of that platform to locate those works and to share them in the context of a peer-to-peer network”.

The CJEU expressly referred to its recent preliminary ruling of 26 April 2017, Case C-527/15, where the Concept of Communication to the Public was assessed in the light of a multimedia player, enabling streaming of content without the right holder’s consent.

Further, the CJEU relied on the fact that the operators of TPB, by making available and managing TPB, intervene, with full knowledge of the consequences of their conduct, to provide access to protected works. The CJEU emphasised that, without making available and managing TPB, the works could not be shared by the users or, at the very least, that sharing them on the internet would prove to be more complex. Therefore, in the view of the CJEU, the operators of TPB shall be regarded as “playing an essential role in making the works in question available”.

Comment

The decision will be welcomed by right holders. It confirms the CJEU’s broad interpretation of the Concept of Communication to the Public, as developed in the CJEU’s recent case law.

The UK FCA Publish Discussion Paper on Distributed Ledger Technology

Regulators globally are focused on understanding industry and consumers’ views on distributed ledger technology’s (DLT) potential risks and opportunities. On 10 April 2017, the UK Financial Conduct Authority (FCA) published a discussion paper DP17/3 on DLT, and followed it with a speech at the Innovate Finance Global Summit by the Executive Director of Strategy and Competition at the FCA, Christopher Woolard.

The FCA’s Project Innovate is a leading driver of its initiative on DLT. Project Innovate was part of the FCA’s ‘regulatory sandbox’, where firms, including those developing DLT platforms, have been able to test pioneering products and solutions in regulated financial services. The FCA Discussion Paper is aimed at users and providers of DLT in the financial services sector regulated by the FCA.

The tone of the FCA Discussion Paper is generally positive. It refers to the benefits of DLT, while recognising that DLT is an emerging technology and that its uptake will ultimately depend on the willingness of firms to adopt it. As discussed in our alert of 2 March 2017, global regulators are paying increasing attention to DLT. The FCA encourages market participants to send their comments by 17 July 2017, after which it will review them and publish a summary of responses or a formal consultation paper.

To learn about the issues being considered by the FCA, click here.

South Korea joins APEC’s Cross Border Privacy Rules system

This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC countries. The Ministry of Interior and the Korea Communications Commission stated on Monday that approval for joining the CBPR had been secured. In order for countries to opt in to the system, their legal systems and privacy protection must meet APEC’s standards.

APEC is an economic forum composed of countries throughout the Asia-Pacific region. APEC’s importance should be noted: its 21 member economies account for 54 per cent of the world’s GDP and 40 per cent of world trade. It exists to assist trade through faster customs procedures and initiatives to synchronise regulatory systems across its member countries. The CBPR is a voluntary, accountability-based system that facilitates the safe transfer of personal information across the APEC region.

South Korea joins the U.S., Mexico, Japan and Canada in the CBPR system; and so far, 20 companies, including Apple and IBM, have been CBPR-certified. Following the admission of South Korea, over 500 million internet users are now represented under the CBPR system, with additional countries, including Singapore and the Philippines, planning to join in the near future.

There are some similarities between the CBPR and the EU’s Binding Corporate Rules (BCRs), but the main difference is that the BCRs apply to inter-company overseas data transfers while the CBPR defines geographical spaces between which data transfers may occur. We reported on the Article 29 Working Party’s review of the CBPR system in 2015, which resulted in long-term aims to map the two systems together and create a common application which may allow companies, if successful, to become dual-certified under the regulatory requirements of both the BCRs and CBPR. While numerous companies have now become dual-certified, the process for approval for both the BCRs and CBPR remains as two entirely separate applications.

ICO’s Strategic Plan for the ‘New Frontier’ of Data Protection

The ICO recently published its Information Rights Strategic Plan for 2017 – 2021 (the ‘Plan’). Within it, the ICO Commissioner, Elizabeth Denham, asserts that we are on the “edge of a new frontier,” and that the data protection landscape is about to be reshaped by the “game changing” General Data Protection Regulation (the ‘GDPR’). Noting the significant changes for organisations, the public and regulators, the Commissioner sets the key aim of ensuring that data protection regulators stay relevant. According to the Commissioner’s opening statement, this entails increasing the public’s trust in government, public bodies and the private sector in terms of not only transparency, but also their involvement in the digital economy and digital public services.

The Plan specifies five clear goals:

  1. Increase the public’s trust and confidence in how data is used and made available;
  2. Improve standards of information rights practice through clear, inspiring and targeted engagement and influence;
  3. Maintain and develop influence within the global information rights regulatory community;
  4. Stay relevant, provide excellent public service and keep abreast of evolving technology; and
  5. Enforce the laws the ICO helps to shape and oversee.

The Plan also emphasises the ICO’s commitment to achieving the aforementioned goals by: (i) exploring innovative and technologically agile ways to protect privacy; (ii) leading the implementation of the GDPR and other data protection reforms; (iii) strengthening transparency and accountability by promoting good information governance; and (iv) protecting the public in a digital world.

The highest priorities for the ICO for the first two years of this five-year plan will be preparing business processes and guidance for the GDPR, the Law Enforcement Directive and the ePrivacy Regulation, in order to avoid the ICO’s biggest risk: not being prepared in time.

The Plan is ambitious; it requires a cultural shift not only within organisations that process data, but for the public as a whole. The ICO has been working to prepare guidance for organisations and the public on all forthcoming data protection legislation, and we will continue to report on this as and when guidance is released. The pivotal path towards achieving this cultural shift will be ensuring that organisations and the public are aware of the new rules and how they apply.


Legitimate interests: a balancing act

The Court of Justice of the European Union (CJEU) recently gave its preliminary ruling on the interpretation of the legitimate interests condition under Article 7(f) of the Data Protection Directive 95/46/EC (the Directive) in the context of processing by a public authority.

A collision

In 2012, a passenger in a taxi in Latvia suddenly opened the door to get out, and proceeded to damage a passing tram owned by Rīgas satiksme (Rīgas). Rīgas requested the personal details of the passenger (full name, ID number and address) in order to sue for damages so as to repair the tram. It was unknown at this stage that the passenger was a minor. The Latvian police provided the passenger’s full name only, on the basis that Latvian law does not provide for the disclosure of other data to people who are not a party to administrative proceedings leading to sanctions. Rīgas challenged this decision, stating that it required further information to enable it to locate the passenger. This challenge was upheld before later being appealed by the police. Eventually, the Latvian Supreme Court, noting doubts as to the meaning of ‘necessity’ in relation to the interpretation of ‘legitimate interests’ under the Directive, requested an opinion as to whether: (i) the Directive imposed an obligation to disclose personal data to a third party to enable it to bring an action for damages; and (ii) the age of the individual had any bearing as to interpretation.

The CJEU held that under the Directive, a third party may require an individual’s personal data in order to commence civil proceedings against such an individual, and this may satisfy the third party’s legitimate interest; however, it does not impose an obligation to disclose such personal data. Such an obligation would have to originate from national law. Furthermore, the refusal to disclose a minor’s personal data was not justified as the minor had caused the damage. The ruling echoed an earlier opinion by Advocate General Bobek.

Tipping the scales

So what is required for an interest to be legitimate? The Directive requires that personal data must be adequate, relevant and not excessive at the point of collection as well as at the point of processing. Although national law determines the scope of data to be provided, only “necessary and sufficient” data to further a third party’s legitimate interests should be provided. A balance should be sought between effective judicial protection and privacy. Rīgas’ request for the passenger’s address and ID number was deemed necessary for its prospective claim. The ruling also confirmed that if the data belonged to a minor, this fact alone is not enough to render the individual immune from civil liability.

Legitimate interests under the GDPR

Article 6(f) GDPR states that public authorities cannot rely on the legitimate interests ground to legitimise their processing when performing their tasks; this differs from the current position under the Directive. Additionally, it introduces a new requirement that, where the individual concerned is a child, particular weight should be given to that fact.

Going forward, controllers should consider the legitimate interests ground prior to commencing their processing operations to ensure that they are processing only what is necessary and legitimate for their business purposes. Considering legitimate interests could contribute to effective data protection impact assessments, and reflects the principle of accountability under the GDPR.


J. Crew Credit Card Digit Class Action Dismissed Again Because of Overly Speculative Identity Theft, Fraud Risks

As courts continue to grapple with close calls on standing following the U.S. Supreme Court’s seminal decision in Spokeo v. Robins, another court has given defendants a win for intangible injuries and risk of future harm.  On June 6, the District of New Jersey dismissed – for the second time – a putative class action lodged against J. Crew for a technical violation of the Fair and Accurate Credit Transactions Act (“FACTA”) because the alleged damages were too speculative to establish Article III standing.  In Kamal v. J. Crew, et al., 2017 WL 2443062 (D.N.J. June 6, 2017), U.S. District Judge William Martini granted J. Crew’s motion to dismiss plaintiff Ahmed Kamal’s Second Amended Complaint alleging the retailer printed too many credit card digits on receipts because – pursuant to Spokeo and a 2017 Third Circuit decision applying Spokeo – plaintiff failed to allege a sufficiently concrete injury.

Plaintiff alleged that J. Crew wilfully violated FACTA by printing the first six and last four digits of plaintiff’s credit card number on receipts, as FACTA directs that businesses shall not “print more than the last 5 digits of the card number.” As described by Judge Martini, the Complaint’s allegations boiled down to two distinct injuries: (1) disclosure of information considered “intrinsically private” by law; and (2) increased risk of future credit card fraud or identity theft.  Ultimately, though, neither injury was a “concrete” harm, and thus plaintiff failed to establish constitutional standing, leading to the dismissal.

Injury to Privacy Rights

Analyzing plaintiff’s first theory, the court noted that “[t]here is no meaningful relationship between J. Crew’s conduct and any privacy interest historically recognized at common law.” Contrary to the situation leading to the In re Horizon Healthcare Servs. Data Breach Litig. ruling from the Third Circuit earlier this year, where information was disclosed to third parties or used to perpetuate credit-card or tax fraud, J. Crew did not disclose plaintiff’s personal information.  Further, where no unauthorized access to personal information was alleged, the digit printing “does not implicate the historic ‘right to be let alone,’ particularly when the first six digits do not pertain to the customer’s individual bank account,” the court noted.

Turning to the “judgment of Congress” factor identified in Spokeo, Judge Martini observed that while Congress “undoubtedly hoped that FACTA would reduce identity theft,” that didn’t mean it contemplated “private actions by individuals who have not sustained any actual harm.”  Rather, the legislative history indicated that the filing and appealing of such cases was a “significant burden” on the companies sued.  Thus, this factor indicated the injury was not sufficient to establish standing.

Material Risk of Future Harm

Next, the court concluded that the degree of potential risk for future identity theft was too low to constitute a concrete harm. Because the first six digits of a credit card number refer to the card issuer and the last 10 refer to the specific account, J. Crew’s printing of the first six and last four digits didn’t provide any more information to potential identity thieves than permitted by statute; in fact, the practice arguably provided less information than FACTA’s last-five-digits limit.
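The court’s reasoning rests on two facts about card numbers: the FACTA limit of “the last 5 digits” (quoted above) and the split between the issuer prefix (first six digits) and the account portion. The following added example, which is not code from the original post or from any party to the case, turns both into a receipt check a merchant could run: a masking function that never prints more than FACTA allows, and an audit that classifies whatever fragment a receipt actually printed. The receipt lines and card numbers below are constructed for illustration; the `facta_ok` flag applies the conservative reading that only trailing digits may be visible.

```python
import re

FACTA_MAX_TRAILING = 5    # FACTA: receipts may print no more than the last 5 digits
ISSUER_PREFIX_LEN = 6     # the first six digits identify the issuer, not the customer's account
MASK_CHARS = "*Xx#"       # characters commonly used as mask positions on receipts

# Matches a card-number-sized run of digits and mask characters, allowing spaces or dashes.
_FRAGMENT_RE = re.compile(r"(?<![\d*#Xx])[\d*#Xx](?:[ -]?[\d*#Xx]){12,18}(?![\d*#Xx])")


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Return a receipt-safe rendering: every digit masked except the trailing keep_last."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card numbers are 13 to 19 digits long")
    if not 0 <= keep_last <= FACTA_MAX_TRAILING:
        raise ValueError(f"FACTA permits at most the last {FACTA_MAX_TRAILING} digits")
    if keep_last == 0:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def assess_printed(fragment: str) -> dict:
    """Classify a printed card fragment such as '411111******1111' or 'XXXX-XXXX-XXXX-1111'."""
    cells = [c for c in fragment if c.isdigit() or c in MASK_CHARS]
    n = len(cells)
    if not 13 <= n <= 19:
        raise ValueError("fragment does not cover a full card number's worth of positions")
    visible = [i for i, c in enumerate(cells) if c.isdigit()]
    leading = 0                                   # issuer digits printed from the front
    for c in cells:
        if not c.isdigit():
            break
        leading += 1
    trailing = 0                                  # account digits printed at the end
    for c in reversed(cells):
        if not c.isdigit():
            break
        trailing += 1
    return {
        "positions": n,
        "leading_digits": leading,
        "trailing_digits": trailing,
        # digits visible in the account portion (everything after the issuer prefix):
        "account_digits_exposed": sum(1 for i in visible if i >= ISSUER_PREFIX_LEN),
        # conservative reading of FACTA: only positions within the last five may be visible
        "facta_ok": all(i >= n - FACTA_MAX_TRAILING for i in visible),
    }


def audit_receipt(lines) -> list:
    """Find every card fragment printed on a receipt and assess each one."""
    findings = []
    for line in lines:
        for match in _FRAGMENT_RE.finditer(line):
            findings.append({"fragment": match.group(0), **assess_printed(match.group(0))})
    return findings


# Constructed sample receipt lines (the card numbers are test values, not real cards).
SAMPLE_RECEIPT = [
    "ACME STORE  06/06/2017  TOTAL 42.00",
    "VISA 411111******1111  AUTH 012345",      # first six + last four, as alleged in the case
    "MC   XXXX-XXXX-XXXX-1111",                 # last four only
]

if __name__ == "__main__":
    for f in audit_receipt(SAMPLE_RECEIPT):
        print(f)
    print(mask_pan("4111 1111 1111 1111"))
```

Run against the sample, the first fragment shows six leading and four trailing digits but exposes only four account digits, which is the comparison the court drew against the five-digit statutory limit; the second fragment exposes the same four digits and nothing else.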

While the Complaint noted risks from both “dumpster divers” and more sophisticated thieves, the court found the threat from the former to be based on an overly speculative chain of events because of the requirement that the third party would need to obtain the remaining digits as well as the expiration date, security code, and/or zip code to actually make purchases. Accordingly, that risk was insufficient to confer standing. The court found plaintiff’s allegations as to sophisticated thieves to be vague and unsupported, with plaintiff’s only exhibits allegedly supporting the theory concerning conditions in which the entire credit card number was already obtained.

Thus, based on Spokeo and Horizon, the intangible harms pleaded by plaintiff could not be elevated to the standard of concrete injuries, and the court dismissed the complaint for lack of standing.

Conclusion

As this latest example of post-Spokeo defense victories indicates, defendants overlooking potential standing arguments do so at their peril. Where a Complaint alleges intangible injuries and bare statutory violations paired with potential risks of future harm, a motion to dismiss for lack of subject matter jurisdiction may be viable. As shown in Judge Martini’s analysis, defendants should look to Congressional intent, the historical common law, and practical wisdom in crafting dismissal arguments.
