New Tool in Calif. AG’s Privacy Enforcement Efforts: Consumers

California Attorney General Kamala Harris is enlisting new enforcers in her efforts to get companies to comply with the state’s privacy policy requirements: members of the public.

On October 14, Harris released an online form enabling consumers to report websites, mobile applications, and other online services that are violating the California Online Privacy Protection Act (CalOPPA) by failing to post a privacy policy or by posting an incomplete or inadequate privacy policy. The move comes shortly after the release of a Future of Privacy Forum (FPF) study that concluded that the number of apps with privacy policies has risen from 30 percent to 80 percent since 2012, but that many apps and websites are still not in compliance.

In a press release, Harris emphasized that companies doing business in California must prioritize transparency and privacy with their consumers. Bringing in consumers as watchdogs will increase the likelihood that companies observe the laws requiring privacy safeguards, she said.

“By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge,” Harris said.

CalOPPA, passed in 2003, was the first law in the nation to require commercial websites and online services to post privacy policies. Any operator in the world that collects personally identifiable information, such as name, address, email address, phone number, or Social Security number, from California consumers is required to comply. The privacy policy must include the categories of information collected, the types of third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the effective date of the privacy policy. The law was further expanded in 2013, requiring privacy policies to include information on how the operator responds to ‘Do Not Track’ signals or similar mechanisms, and mandating that privacy policies state whether third parties can collect personally identifiable information about the site’s users.

CalOPPA is a law that should be on the radar of any company doing business on the Internet. Enforcement of the law has been a priority for the AG in recent years, and the latest move to empower consumers to make privacy “citizen’s arrests” serves as a reminder that California is serious about the law’s requirements. Noncompliant websites and apps are getting fewer and farther between, according to the FPF study, but that statistic makes it all the more important that a company not be caught red-handed as a violator.

The form is available at

YouTube Boosts Transparency with New Option to Disclose Paid Ads

As companies increasingly implement voluntary measures to enhance transparency among their user base, this month, YouTube introduced the option for creators to feature paid promotion disclosures on video content.

Click here to read more on our sister blog AdLaw By Request.

Update from the French Data Protection Authority on the compliance package for connected vehicles

The market for so-called “connected vehicles” has grown considerably since 2015. According to a recent study by AlixPartners, 78 million connected vehicles will be sold in 2018, generating EUR 40 billion in turnover.

To operate properly, connected vehicles collect a great deal of personal data, notably by connecting to drivers’ phones. Aware of the data protection issues that might arise, the French Data Protection Authority (“CNIL”) in March 2016 initiated work on a compliance package (“pack de conformité”) for connected vehicles, which is due to be completed next spring.

This compliance package, which is currently being developed in consultation with the automobile industry, innovative companies from the insurance and telecommunications sectors, and public authorities, will contain guidelines on the responsible use of personal data in connected vehicles.

On 3 October 2016, at the International Motor Show in Paris (“Mondial de l’Automobile”), the CNIL provided an update on the progress of the compliance package for connected vehicles.

The CNIL, which stressed that personal data issues should be taken into account right from the design phase of the vehicles, contemplated three different scenarios:

  • In-In scenario: Personal data collected within the vehicle remains in that vehicle without external transmission to a service provider
  • In-Out scenario: Personal data collected within the vehicle is transmitted outside the vehicle to a service provider in order to provide a service to the driver
  • In-Out-In scenario: Personal data collected within the vehicle is transmitted outside the vehicle in order to trigger an automatic action in the vehicle

The CNIL expressly encouraged market participants to favor the In-In scenario, under which personal data is processed within the vehicle without any external transmission to a service provider. According to the CNIL, this scenario appropriately protects the drivers’ personal data, and will trigger softer obligations for data controllers.

The CNIL also made the following reminders:

  • First, all data that may be attributed to an identified or identifiable individual, notably number plates or vehicle serial numbers, is to be regarded as personal data subject to the French Data Protection Act (“Loi Informatique et Libertés”) and the General Data Protection Regulation (“GDPR”)
  • Second, the compliance package aims to raise market participants’ awareness on the transparency and fair data collection principles. According to the CNIL, those principles command that personal data shall not be collected without at least informing the data subjects, and even possibly seeking their consent.
  • Third, the CNIL favors a “privacy by design” approach, which will notably result in the implementation of easily customizable dashboards, allowing the driver to keep control over his personal data

The principles set out by the CNIL should ensure adequate protection for personal data collected in connected vehicles, while not inhibiting innovation in the automobile industry.

In the age of Big Data, the EDPS issues an Opinion on enforcement and upholding fundamental rights

The European Data Protection Supervisor (“EDPS”) issued an Opinion on “coherent enforcement of fundamental rights in the age of big data”. This is an update to the EDPS’ Preliminary Opinion in 2014 on “Privacy and competitiveness in the age of big data”. The Preliminary Opinion observed a tendency for EU rules of data protection, consumer protection, and antitrust enforcement and merger control to be applied in “silos”. The new Opinion develops the notion and suggests that the Digital Single Market Strategy provides an opportunity for a “coherent approach”, and makes recommendations to support this.

New data-driven technologies and services are important for economic growth, but they have become reliant on the “covert tracking” of individuals who are likely unaware of that tracking. There is the danger that larger companies may be able to block smaller companies from entering the market. This might also have the knock-on effect of creating an imbalance between providers and consumers, which may ultimately impact choice, innovation and the protection of consumers’ personal data.

When considering the rights and freedoms set out in the Charter of Fundamental Rights of the EU – including the right to privacy, the protection of personal data and freedom of expression – it has been recognised that these rights are “threatened by normative behaviour and standards that now prevail in cyberspace.” So the latest Opinion encourages regulators to engage in dialogue and share lessons learned to work collaboratively and uphold the interests of individuals and society in the ever-growing digital environment.

Despite Plaintiffs Satisfying Standing Requirements, Barnes & Noble Closes the Book on Data Breach Class Action

In data breach class actions, standing is often the major obstacle, and has taken on renewed focus following the U.S. Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016). See, e.g., Federal Court Finds Intangible Harm Caused by Robocalls Sufficient for Post-Spokeo Standing in TCPA Claim Alleging Privacy Invasion, Technology Law Dispatch (July 6, 2016); Wisconsin Federal Court Finds Spokeo Spells the End for Consumer Privacy Class Action, Technology Law Dispatch (June 21, 2016). However, as a recent decision from the U.S. District Court for the Northern District of Illinois indicates, prevailing on standing is just one battle, but is far from winning the war. Earlier this week, Barnes & Noble escaped a data breach class action after the court found plaintiffs cleared the standing hurdle but could not survive the retailer’s motion to dismiss because of a lack of out-of-pocket damages.

Does Brexit mean Brexit for data protection in the UK?

Three months on from the landmark Brexit vote on 23 June, the Information Commissioner’s Office is setting out its position regarding data protection laws in a post-Brexit UK. Elizabeth Denham, the new Information Commissioner, told the BBC that she believed the UK should adopt the General Data Protection Regulation (GDPR) regardless of Brexit.

Denham stressed that the UK will want to continue to do business with Europe, and to do so it will need to comply with EU data protection laws as, “In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”

Not afraid to tread the somewhat charged political ground, Denham made her views clear that leaving the EU did not mean leaving behind European regulations where they concern data protection. In an unmistakable reference to Prime Minister Theresa May’s catchphrase “Brexit means Brexit,” Denham has pointedly stated, “I don’t think that Brexit should mean Brexit when it comes to standards of data protection.”

With May recently revealing her plan to trigger Article 50 by March 2017, and the GDPR scheduled to come into effect in May 2018, the UK will have to abide by the GDPR from at least May 2018 until its EU exit. In that regard, the commissioner raised concerns about a start-and-stop regulatory environment before emphasising the integral role that the UK played in the formation of the GDPR.

Additionally, Denham confirmed that an investigation had been launched into the controversial plans announced by WhatsApp to share its users’ data with its parent company Facebook, given that in 2014 when Facebook bought WhatsApp, there had been a commitment between the two that they would not share information.

While the new commissioner appears to be in tune with the public’s anger on these issues, it remains to be seen what actions, if any, will be taken.


Changes on the horizon for the e-commerce sector?

On 15 September 2016, the European Commission published its Preliminary Report on the e-commerce sector inquiry.

The report provides an overview of the prevailing market trends of e-commerce in goods and digital content, and the likely impact this will have on competition and consumer choice. While that is the focus of the report, the outcome of the inquiry – and any resulting change to the way the sector operates – will undoubtedly have an impact on online privacy, particularly as many e-commerce sites collect and retain personal data about their customers. Complying with data protection laws should therefore be high on the agenda.

Reed Smith has prepared a client alert that addresses the key provisional findings of the report. Please click here to read our briefing in full.

Bavarian Data Protection Authority issues new guidance paper on handling personal data breaches under the General Data Protection Regulation

On 19 September 2016, the Bavarian Data Protection Authority (“DPA”) issued a new guidance paper on handling personal data breaches under the new EU General Data Protection Regulation (“GDPR”) in the course of a series of non-binding guidance papers on selected topics in relation to the GDPR, which the DPA publishes periodically. The papers can be found on the DPA’s official website.

Starting Point: Current Legal Framework

The DPA states that there are a number of ways in which personal data might fall into unauthorized hands. Already under the current legal framework, unauthorized access to personal data – colloquially, a “data breach” – has to be notified, but only under certain circumstances. Pursuant to Section 42a of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), two requirements need to be fulfilled in order to trigger the obligation to notify:

  1. The personal data affected must be very sensitive data, such as bank and health data.
  2. There must be a high risk for the data subject affected, i.e., the data subject must be threatened with serious adverse effects.

In the view of the DPA, those requirements mean that, to date, only a very small number of breaches are notified: the number of such notifications per year is in the double digits. However, the DPA takes the view that it is very likely that a considerable number of undetected, and therefore non-notified, breaches exist. If a breach that triggers the obligation to notify has occurred, the affected data subject also needs to be informed.

Legal Framework under the GDPR: Clearly Lower Thresholds

The GDPR regulates handling of personal data breaches in Articles 33 and 34. Under the GDPR, a graduated system of notification obligations exists:

  1. The general rule is that a personal data breach shall be notified to the competent supervisory authority, “unless the personal data breach is unlikely to result in a risk” to the rights and freedoms of natural persons.
  2. However, the communication of the relevant personal data breach to the data subject is only required if the personal data breach is likely to result in a “high risk” to the rights and freedoms of natural persons.

Further, a communication to the data subject shall not be required if the controller has implemented appropriate technical and organizational protection measures, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.

The same shall apply if the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms, which existed at the time of the data breach, is no longer likely to materialize. The DPA emphasizes that the supervisory authorities have to clarify how this scenario can be handled in daily practice.

Should each Personal Data Breach be Notified to the Supervisory Authority?

The DPA has compared the English and the German version of the GDPR. In the DPA’s view, this comparison leads to the conclusion that as a general rule, each data breach shall be notified to the competent supervisory authority, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (German version: “es sei denn, dass die Verletzung des Schutzes personenbezogener Daten voraussichtlich nicht zu einem Risiko für die Rechte und Freiheiten natürlicher Personen führt”).

The DPA presumes that the correct assessment of this requirement might be challenging for enterprises, since in the majority of cases it cannot be ruled out that such risk exists. Accordingly, the DPA expects that the supervisory authorities will coordinate the criteria for a proper risk analysis and the obligation to notify.

Scope and Date of the Notification

The notification needs to be filed with the competent supervisory authority within 72 hours. An extension of this deadline shall be possible only in justified cases. A notification pursuant to Article 33 GDPR shall comprise inter alia the following:

  • The nature of the personal data breach
  • The categories of personal data records concerned
  • The number of data subjects and data records
  • An estimate of the consequences for the data subject, as well as the measures to be taken or proposed to be taken by the controller to address the personal data breach, or measures to mitigate its possible adverse effects
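The graduated scheme described above is the kind of decision an incident-response team has to record consistently under time pressure. The following Python helper is an added example (not code from the Bavarian DPA's paper or from this blog): it encodes the two tiers of Articles 33 and 34 as summarized here, computes the 72-hour deadline from the moment the controller became aware of the breach, and checks that the notification carries the content listed above. The three-level risk scale, the field names, and the sample "lost laptop" incident are the author's assumptions for illustration, not terms from the regulation.

```python
"""Added example, not the Bavarian DPA's or the blog's own code: a triage helper
that encodes the graduated GDPR breach-notification scheme (Articles 33 and 34)
summarized above. Risk levels, field names and the sample breach are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Risk(Enum):
    """Outcome of the controller's risk analysis (assumed three-level scale)."""
    UNLIKELY = "unlikely to result in a risk"
    RISK = "risk to rights and freedoms"
    HIGH = "high risk to rights and freedoms"


AUTHORITY_WINDOW = timedelta(hours=72)   # Art. 33 deadline after becoming aware


@dataclass
class Breach:
    detected_at: datetime                  # when the controller became aware
    nature: str
    data_categories: list
    subjects_affected: int
    records_affected: int
    # The DPA notes that a risk can rarely be ruled out, so the conservative
    # default is to treat an unassessed breach as carrying a risk.
    risk: Risk = Risk.RISK
    data_unintelligible: bool = False      # e.g. encrypted, key not exposed
    risk_removed_afterwards: bool = False  # subsequent measures removed the high risk


@dataclass
class Decision:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    communicate_to_subjects: bool
    reasons: list = field(default_factory=list)


def assess(breach: Breach) -> Decision:
    """Apply the two tiers: authority notification, then data-subject communication."""
    reasons = []
    # Tier 1 (Art. 33): notify unless the breach is unlikely to result in a risk.
    notify = breach.risk is not Risk.UNLIKELY
    deadline = breach.detected_at + AUTHORITY_WINDOW if notify else None
    reasons.append("Art. 33: notify supervisory authority within 72 hours" if notify
                   else "Art. 33: breach unlikely to result in a risk, no notification")
    # Tier 2 (Art. 34): communicate only on high risk, subject to two exemptions.
    communicate = False
    if breach.risk is Risk.HIGH:
        if breach.data_unintelligible:
            reasons.append("Art. 34 exemption: data rendered unintelligible (e.g. encryption)")
        elif breach.risk_removed_afterwards:
            reasons.append("Art. 34 exemption: subsequent measures removed the high risk")
        else:
            communicate = True
            reasons.append("Art. 34: communicate breach to data subjects")
    else:
        reasons.append("Art. 34: no high risk, no communication to data subjects")
    return Decision(notify, deadline, communicate, reasons)


# Minimum content of an Art. 33 notification, as listed in the guidance paper.
REQUIRED_FIELDS = ("nature", "data_categories", "subjects_affected",
                   "records_affected", "likely_consequences", "measures")


def notification_record(breach: Breach, likely_consequences: str, measures: str) -> dict:
    """Assemble the notification payload from the breach data and the IR team's input."""
    return {
        "nature": breach.nature,
        "data_categories": list(breach.data_categories),
        "subjects_affected": breach.subjects_affected,
        "records_affected": breach.records_affected,
        "likely_consequences": likely_consequences,
        "measures": measures,
    }


def missing_fields(record: dict) -> list:
    """Fields still empty; the 72-hour clock does not wait for them."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def is_overdue(decision: Decision, now: datetime) -> bool:
    return decision.authority_deadline is not None and now > decision.authority_deadline


# Constructed sample incident (not a real case): a laptop with customer records lost.
SAMPLE_DETECTED = datetime(2016, 9, 19, 9, 0, tzinfo=timezone.utc)


def sample_breach(risk: Risk, encrypted: bool = False) -> Breach:
    return Breach(SAMPLE_DETECTED, "lost laptop", ["name", "bank account"],
                  subjects_affected=1200, records_affected=1200,
                  risk=risk, data_unintelligible=encrypted)


if __name__ == "__main__":
    decision = assess(sample_breach(Risk.HIGH))
    print(decision.notify_authority, decision.authority_deadline, decision.communicate_to_subjects)
    record = notification_record(sample_breach(Risk.HIGH), "", "device remotely wiped")
    print("still missing before filing:", missing_fields(record))
```

Note that an encrypted device only lifts the Article 34 communication to data subjects; the Article 33 notification to the authority still depends on the risk assessment, which is why the helper keeps the two tiers separate rather than collapsing them into one flag.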

Companies are Called On to Comply with the Obligation to Notify

The DPA emphasizes that companies should observe the obligation to notify. This shall be true in particular in the light of the fact that administrative fines might be imposed on the company in case of non-compliance. The administrative fines might amount up to EUR 10 million or 2% of the relevant company’s turnover (see our blog on the DPA’s guidance paper on sanctions under the GDPR).


The DPA explains that the consequences of personal data breaches are very difficult to calculate and might not only result in a loss of confidence by customers and reputation by business partners, but might also lead to a high risk of financial losses. Accordingly, the DPA takes the view that an active and comprehensive collaboration with the supervisory authority does not only contribute to mitigation of such losses, but also ensures that the affected data subjects will be properly informed.

The DPA eagerly awaits the further developments in this context. In particular, it remains to be seen whether data controllers will comply with the new notification requirements, and how the supervisory authorities will deal with the likely increase of notifications and workload.

Finally, the DPA announces that it is in the course of developing an online service for data controllers that shall enable an efficient notification procedure.

A supply of software can be a sale of goods

The High Court held, in The Software Incubator v Computer Associates [2016] EWHC 1587 (QB), that a supply of commoditised software is a sale of goods for the purposes of the Commercial Agents (Council Directive) Regulations 1993 (“Regulations”).


Computer Associates UK Ltd (“CA”) entered into a non-exclusive agreement with The Software Incubator Limited (“TSI”). TSI agreed to provide software consulting and promotion services in return for a fixed monthly fee and commission on sales.

TSI’s director was unhappy with the relationship and decided to become an agent for another company (“the company”), which led to TSI signing an agreement with them. TSI intended to terminate the agreement with CA, but CA served three months’ notice of termination on TSI in September 2013. However, CA then decided to terminate the agreement earlier and with immediate effect, alleging that TSI’s work for the company amounted to a repudiatory breach.  TSI claimed compensation under the Regulations, commission on post-termination sales, and damages.


Bavarian Data Protection Authority issues new guidance paper on sanctions under the General Data Protection Regulation

On 1 September 2016, the Bavarian Data Protection Authority (“DPA”) issued a new guidance paper on sanctions under the new EU General Data Protection Regulation (“GDPR”) in the course of a series of non-binding guidance papers on selected topics in relation to the GDPR, which the DPA publishes periodically, and which can be found on the DPA’s official website.

Starting Point: Article 83 GDPR

The DPA’s first finding is that, compared to the current legal framework under the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), the GDPR, i.e. Article 83, does provide for a much wider array of infringements that are subject to sanctions. Most breaches might result in administrative fines, whereas exceptions shall apply only in cases of minor infringements or if the fine likely to be imposed would constitute a disproportionate burden (recital 148 of the GDPR).

Technical and Organisational Measures

The DPA also expressly notes that under the GDPR, infringements regarding technical and organisational measures can result in administrative fines, which the DPA deems to be an important innovation as compared to the current legal situation in Germany. Another key change is that the GDPR also provides for administrative fines concerning infringements of the obligation to implement the legal principles of privacy by design and privacy by default; the DPA takes the view that this evidences the great value attributed to these items.

Potential Addressees of Administrative Fines

The DPA emphasizes that administrative fines can be imposed upon both data controllers and data processors. Further, certification bodies and bodies accredited to monitor compliance with a code of conduct might be subject to administrative fines.

The DPA assumes that undertakings shall be liable for infringements which are committed by the undertaking’s employees. The question whether administrative fines can also be imposed upon employees is not regulated by the GDPR. The DPA concludes that it remains to be seen whether the implementations on a national level will address this open issue.

Increased Amount of Fines

Article 83(1) GDPR sets forth that administrative fines “shall in each individual case be effective, proportionate and dissuasive”. The DPA highlights that under the GDPR certain infringements might result in fines up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The DPA states that, when determining the relevant worldwide annual turnover, not only the individual company, but the whole group of companies, shall be taken into account. In the view of the DPA this shall result from recital 150 of the GDPR, which expressly makes reference to the “economic concept of undertakings” contained in Articles 101 and 102 of the Treaty on the Functioning of the European Union.

Relevant Factors for Determining the Amount of Fines

A number of criteria need to be considered when determining the amount of the relevant administrative fine, in particular previous infringements and/or the scope of collaboration with the competent supervisory authority. If an undertaking provides, in the course of pending investigations, the supervisory authority with incorrect or incomplete information, this shall be regarded as an aggravating factor. The DPA takes the position that this is a general rule which has also been acknowledged by the Court of Justice of the European Union regarding violations of competition law.

Since the GDPR’s aim is to create a uniform level of fines across the European Union, the DPA calls on the European Data Protection Board, as established by the GDPR, to develop guidelines for determination of the amount of administrative fines.


The DPA concludes that the relevant provisions of the GDPR on sanctions are an expression of the legislator’s intention to sanction infringements rigorously and seriously. This is a clear message to enterprises, which should take data protection issues seriously.