In privacy we (anti)trust: Regulators worldwide consider competition law as tool for consumer protection

On February 26, 2019, the Federal Trade Commission’s (FTC) Bureau of Competition announced a new Technology Task Force, which will monitor anticompetitive conduct in U.S. technology markets “to ensure consumers benefit from free and fair competition.” With the consumer protection agency already a chief arbiter of privacy enforcement in the tech sector, the new task force increases the likelihood that the continued convergence between competition and consumer protection policy, which began in earnest at the dawn of the current century, may be gaining momentum.

German approach. The announcement comes just a few weeks after Germany’s antitrust regulator used its competition authority to enforce principles of data privacy and processing. On February 7, 2019, the Bundeskartellamt issued a decision against Facebook, ruling that the practice of combining user personal data from different sources by a dominant market participant violated EU data protection law. This was a noteworthy decision from a competition authority being influenced by and seeking to enforce the General Data Protection Regulation, which would otherwise be enforced by data protection authorities. The decision is not yet final, but if upheld it could have the notable impact of limiting the data footprint used to inform advertising, and may influence regulators’ willingness to use competition law to buttress limitations placed on the flexibility of data collectors and processors. Please see our previous client alert on the Facebook ruling. If this approach informs the FTC’s position on competition and privacy enforcement, it could extend a trend of regulators outside the data protection sphere using broader authority as a bridge to enforce privacy issues against companies they view to have a dominant market position.

Continue Reading

State Attorneys General and the data economy: lead, protect, enforce

With the passage of the California Consumer Privacy Act but no clear federal consumer privacy law on the imminent horizon, state Attorneys General (AGs) continue to investigate and analyze how best to protect their consumers. To further that goal, the National Association of Attorneys General hosted a panel entitled Emerging Issues in the Data Economy at its Winter Meeting in Washington, D.C. The panel was convened to discuss the role AGs can and should play in data privacy in an ever-changing economy. Doug Peterson, Nebraska’s AG, moderated the panel, which included Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the Federal Trade Commission (FTC), Ryan Krieger, Assistant AG, Public Protection Division of the Vermont Attorney General’s Office, and Daniel Castro, Vice President of the Information Technology and Innovation Foundation.

As with recent House and Senate Hearings addressing these topics, the focus remained on balance: what the legal landscape should look like, who should be doing the enforcing and how that enforcement should work, and how to protect consumers without stifling innovation and entrepreneurship.

Continue Reading

Regulating digital services – UK parliament weighs in

The Select Committee on Communications of the House of Lords (Committee) published a report discussing UK regulation of ‘digital services facilitated by the internet’.

We summarise some of the key recommendations of the report, which was published on 9 March 2019:

1. A central regulatory body called the Digital Authority should be set up to co-ordinate internet regulation.

2. All future internet regulation should be informed by 10 common principles:

  • Parity: ensuring online and offline regulation offer equivalent protection for individuals.
  • Accountability: digital actors are to be held to account.
  • Transparency: powerful digital actors should be open to scrutiny.
  • Openness: facilitate innovation and choice for users.
  • Privacy: ensure that regulation closes the gap between policy and user expectations about data protection and data privacy.
  • Ethical design: ethical standards should be incorporated into the design of technology and delivered by default.
  • Recognition of childhood: protect children and ensure accessibility.
  • Respect for human rights and equality: safeguard freedom of expression.
  • Education and awareness-raising: promote digital literacy.
  • Democratic accountability, proportionality and evidence-based approach: ensure that regulation is evidence based and prevents harm while balancing against the right to freedom of expression.

Continue Reading

Must online traders provide consumers with a contact telephone number? Advocate General says no…t necessarily

In a recent request for a preliminary ruling in a case concerning Amazon, the Advocate General Pitruzzella (AG) has given his opinion that the Consumer Rights Directive (2011/83/EU) (CRD) requires traders to offer their consumers a choice of means of communication, but this is not confined to the trader’s telephone number. The CRD includes the trader’s telephone number, fax number and e-mail address, “where available, to enable the consumer to contact the trader quickly and communicate with him efficiently”. The AG clarified that this is therefore not limited to a telephone number, and accordingly traders may use other means of communication with consumers as long as they are consistent with the technical means of the transaction being made.

Online trades imply sufficient knowledge of interacting over the internet

The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband) brought a claim asserting that Amazon did not offer sufficient contact channels to its consumers before the conclusion of an online sale – in spite of the online sales platform’s automated call-back facility and online chat service. There was a particular concern that consumers were not provided with the company’s fax number and were also prompted to follow an identity-verification process before they could have access to Amazon’s general helpline telephone number.

Continue Reading

Get your update on IT & Data Protection Law in our Newsletter (Winter 2019 edition)

The Winter 2019 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on Facebook Custom Audiences, social plug-ins, influencer advertising, withdrawal right information, the EU copyright law reform and more. The newsletter also includes multiple recommended reads on the GDPR.

We hope you enjoy reading it.

FCA and ICO strengthen cooperation in renewed memorandum of understanding

On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing.

Cooperation and information sharing

The ICO and FCA have set out what matters they will communicate with each other and the exchange of information between them. Subject to legal restrictions on the disclosure of information, the ICO and FCA have agreed to: Continue Reading

First annual report of the European Data Protection Supervisor since GDPR

On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year.

This is a short overview of some of the key themes in the EDPS’s annual report:

  1. Overview of 2018:
  • GDPR: This is the first annual report of the EDPS since the GDPR ((EU) 2016/679) came into force on 25 May 2018, bringing in new data protection legislation for a new era.
  • Establishing the European Data Protection Board: The GDPR established the European Data Protection Board (EDPB), replacing the Article 29 Working Party. The EDPB took over the Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice. The EDPB is also tasked with ensuring the consistent application of the GDPR in each EU member state.
  • Publishing opinions: The EDPS publishes opinions to inform how EU institutions make decisions about personal data ranging from big data and fundamental rights to consumer and data protection law. In particular, the latter opinion was identified by the EDPS as a highlight for him last year.
  • The ePrivacy Directive (ePR): The proposed ePR will align the EU’s ePrivacy regime more closely with the GDPR. The EDPS continues to support the efforts of EU legislators in reaching agreement on the final text of the ePR. Progress was made last year with the Council of the European Union publishing amendments to the draft ePR. It is hoped that the ePR will come into force in 2019.

Continue Reading

Court changes course in enforcement action against cryptocurrency company

The United States District Court for the Southern District of California recently changed course in an enforcement action brought by the U.S. Securities and Exchange Commission (SEC) against cryptocurrency company Blockvest, LLC and its founder. In doing so, the court granted the SEC’s request to preliminarily enjoin the defendants from violating the securities laws and analyzed what exactly it means to “offer” securities in the context of crypto-tokens.

To review the full article on our FinTech Update blog, click here.

German Interstate Treaty on Gambling under revision: Additional sports betting licenses may be available soon

Recently, a draft for the 3rd Amendment to the German Interstate Treaty on Gambling (Staatsvertrag zum Glücksspielwesen in Deutschland – “GlueStV”) has been published (“3rd Amendment”). The draft for the 3rd Amendment is available in German here.

Proposed changes under the draft for the 3rd Amendment

The key changes under the proposed 3rd Amendment are as follows:

  • The current version of the GlueStV contains a rather restrictive quota for governmental sports betting licenses in Germany. According thereto, only 20 licenses are available for all of Germany and only for a certain experimental period expiring on 30 June 2019. This 20-licenses-quota is currently subject to pending court proceedings before German administrative courts which led to a de facto suspension of the quota. A key change under the 3rd Amendment is the intended complete removal of the 20-licenses-quota for the deration of the experimental period.
  • At the same time, the experimental period shall be extended until 30 June 2021. A further consecutive extension until 30 June 2024 may be possible.
  • The 3rd Amendment to the GlueStV shall enter into force on 1 January 2020.

Continue Reading

New guidelines for building management corporations in Singapore

On 11 March 2019, the Personal Data Protection Commission of Singapore (PDPC) issued a set of advisory guidelines for management corporations of strata title plans (MCSTs), which were developed in consultation with Singapore’s Building and Construction Authority.

The guidelines provide guidance to MCSTs on complying with Singapore’s Personal Data Protection Act (PDPA), and some key aspects are as follows:

  • As an MCST comprises the subsidiary proprietors of all lots within the strata title plan of a residential or commercial building in Singapore, it is an “organization” as defined in the PDPA.
  • MCSTs are required to comply with other laws such as the Building Maintenance and Strata Management Act (BMSMA) and its subsidiary legislation including the Building Maintenance (Strata Management) Regulations 2005 (BMSMR), and the Land Titles (Strata) Act. For instance, they may be required under these laws to collect and use certain personal data, such as that of the subsidiary proprietors and mortgagee names or for preparing and maintaining a strata roll.
  • The PDPA does not affect these other laws, and if there is any inconsistency among them, the other laws will prevail over the PDPA. Hence, where an MCST is required or authorised to collect, use or disclose personal data without consent under other laws, it may do so without the need for consent under the PDPA.
  • Where MCSTs appoint managing agents to carry out their duties or functions on their behalf, such managing agents may be considered data intermediaries under the PDPA. MCSTs retain primary responsibility to comply with the PDPA, and they must undertake appropriate due diligence to ensure that the managing agents are able to comply with the PDPA. They can also enter into suitable data processing agreements with such agents.

Continue Reading

LexBlog