State attorneys general advocate continuing state leadership in privacy enforcement, denounce federal preemption of state breach and security laws

Illinois Attorney General Lisa Madigan is leading a coalition of 32 attorneys general in opposition to federal preemption in the area of data breaches, identity theft, and data security.

Specifically, the group wrote a bipartisan letter on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act, a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs cite recent breaches as examples of the increasing threat and evolving nature of data security risks, and argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws.

In particular, the letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, preventing the opportunity consumers currently have under state law to take proactive steps upon timely notification; and (3) it addresses only breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today, which do not occur on a national scale.

FTC report looks to improve mobile device security for businesses

On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices, and educate consumers on their role in the update process. While the report is framed as offering recommendations, businesses should keep in mind that such reports often convey the FTC’s view on reasonableness in security practices and influence the agency’s enforcement activities.

Binding corporate rules – Article 29 Working Party issues revised guidelines

On 6 February 2018, the Article 29 Working Party (WP29) adopted revised guidelines on binding corporate rules (BCRs). These were issued following a period of public consultation that concluded on 17 January 2018. Technology Law Dispatch previously covered the issuing of the draft guidelines last December, in a blog setting out the key elements of both guidelines. 

In simple terms, BCRs are a business-specific framework that allows intra-organisational cross-border transfers of data from organisations within the European Union to their affiliates outside of the EU. BCRs underpin shared data processing standards compatible with the General Data Protection Regulation (GDPR) and wider EU data protection law. The GDPR incorporates BCRs into legislation and sets out various conditions at article 47 that must be met when businesses utilise them.

The revised guidelines (WP256 for Controllers and WP257 for Processors) address the principles and elements businesses should incorporate in their BCRs. The guidelines have revised the original guidance, although they remain largely similar to what was published in draft last year.


Will EU data protection authorities’ ‘consistency mechanism’ be ready in time for the GDPR?

During an Article 29 Working Party (WP29) press conference on 7 February 2018, the outgoing chair and French privacy chief, Isabelle Falque-Pierrotin, expressed concerns that EU data protection authorities (DPAs) may not be able to enforce the General Data Protection Regulation (GDPR) effectively and in a unified manner in accordance with the consistency mechanism, by 25 May 2018.

On 25 May 2018, the WP29 will be replaced by the European Data Protection Board (EDPB), which will invoke the consistency mechanism to streamline the enforcement of data protection laws throughout the region. According to Falque-Pierrotin, 26 of the 28 EU member states (with Germany and Austria being the exceptions) are yet to align their national laws with the GDPR. This is concerning because if one member state’s supervisory authority is unable to take part in the consistency mechanism, the whole system of regulation and enforcement under the GDPR could be undermined.

Get your update on IT and data protection law in our newsletter

The Winter 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We cover new case law on marketing consent, cookie consent, the liability of platform providers, employee data protection, sales of address data and the right to be forgotten. The newsletter also includes multiple recommended reads on the General Data Protection Regulation (GDPR).

You can also find more information on our next ‘Data Date’, the GDPR seminar series hosted by our Munich office.

We hope you enjoy reading it.


German court issues important judgment on consent and transparency in Facebook case

The Regional Court of Berlin held in a judgment of 16 January 2018 (docket no. 16 O 341/15) that Facebook’s default privacy settings and parts of its terms and conditions were invalid. This judgment provides important guidance on consent and transparency.


The Federation of German Consumer Organizations (Federation) sued Facebook and sought a cease-and-desist order regarding some of its default settings and terms and conditions.

The Federation argued that Facebook’s default settings violated the requirement of explicit consent. For example, the default settings included a location service in Facebook’s mobile app revealing the location of the person that the user is chatting to. In addition, boxes were pre-activated allowing search engines to link to the user’s timeline.

The Federation also argued that various clauses in Facebook’s terms and conditions were invalid, including clauses by which the user consents (i) to the transfer of personal data to, and its processing in, the U.S. and (ii) to the use of the user’s name and profile picture for commercial, sponsored or related content.


New data protection fees for UK businesses – Draft Data Protection (Charges and Information) Regulations 2018 and ICO guide published

On 20 February 2018, the Data Protection (Charges and Information) Regulations 2018 (the Regulations) were laid before the UK parliament. The Regulations affect what businesses have to pay when registering their data protection arrangements with the Information Commissioner’s Office (ICO). On 21 February 2018, the ICO issued a guide for data controllers about the proposed data protection fees that the Regulations will levy.

The Regulations replace the previous system of notification under the Data Protection Act 1998. They will come into effect simultaneously with the General Data Protection Regulation on 25 May 2018.

Under the Regulations, data controllers who have a current registration or notification with the ICO will not need to pay the new fees until their existing registration expires. Registration does not automatically expire on 25 May 2018.

1. How the fees are calculated

The Regulations set out three tiers of organisations with accompanying fee levels for each tier. The tier an organisation falls into depends on: (i) how many staff members it has; (ii) its annual turnover; (iii) whether it is a public authority; (iv) whether it is a charity; and (v) whether it is a small occupational pension scheme.

These tiers are clarified below:

Tier 1 – Micro Organisations

  • Maximum turnover of £632,000 for the financial year OR no more than 10 members of staff.
  • Tier 1 fee = £40.

Tier 2 – Small and Medium Organisations

  • Maximum turnover of £36 million for the financial year OR no more than 250 members of staff.
  • Tier 2 fee = £60.

Tier 3 – Large Organisations

  • Organisations that exceed the caps of the Tier 1 or Tier 2 criteria.
  • Tier 3 fee = £2,900.

Importantly, all data controllers are to be regarded as Tier 3 unless they tell the ICO otherwise.


Ninth Circuit calls common carrier exception “activity-based”

On February 26, 2018, an en banc federal appeals court held that the common carrier exception in the Federal Trade Commission (FTC) Act that preempts FTC jurisdiction is “activity-based” rather than “status-based” and therefore applies only to the extent an entity engages in common-carrier services. See FTC v. AT&T Mobility LLC, No. 15-16585, D.C. No. 3:14-cv-04785EMC (9th Cir. Feb. 26, 2018). The decision affirmed the Northern District of California’s denial of AT&T Mobility LLC’s motion to dismiss.

In 2010, AT&T switched its mobile data plan offering from “unlimited” to “tiered” but allowed existing customers to retain their unlimited data plans. In 2011, AT&T reduced unlimited customers’ broadband data speed without regard to actual network congestion if they exceeded a preset limit. The FTC filed an action in October 2014 under section 5 of the FTC Act, alleging AT&T’s data-throttling plan was unfair and deceptive. AT&T moved to dismiss, arguing it was exempt due to common carrier status.

Section 5 exempts “common carriers subject to the Acts to regulate commerce.” 15 U.S.C. § 45(a)(1), (2). Although providing mobile data was not a “common carrier service” at the time the FTC filed suit, the Federal Communications Commission (FCC) reclassified mobile data as a common-carriage service in 2015 while AT&T’s motion to dismiss was pending. See In the Matter of Protecting and Promoting the Open Internet, 30 F.C.C. Rcd. 5601, 5734 n.792 (2015) (Reclassification Order). The FCC reversed the Reclassification Order in early 2018. See In the Matter of Restoring Internet Freedom, W.C. Dkt. No. 17-108, 2018 WL 305638, at *1 (Jan 4, 2018).


Territorial applicability of the GDPR

The GDPR is just around the corner and will be effective in less than three months – on 25 May 2018. Organizations are therefore in the midst of preparations to comply with the new Regulation in order to avoid the potentially high fines. Non-EU organizations have to assess whether the GDPR is applicable to them and whether they must prepare accordingly. The answer to this question is provided in Article 3 GDPR, which regulates the territorial scope of the Regulation.

Sven Schonhofen and Friederike Detmering recently published an article on the “Territorial applicability of the GDPR” in the Business Law Magazine.

This article explains the establishment rule and the market rule provided in Article 3 GDPR and gives practical advice on how to avoid GDPR applicability.

Are OTT services telecommunications services? German court asks European Court of Justice for preliminary ruling | Gmail Case

According to a press release dated 26 February 2018, the Administrative Court of Appeal Münster (Oberverwaltungsgericht Münster) asked the European Court of Justice (ECJ) for a preliminary ruling on the question of whether Over-the-Top (OTT) services are caught by the European regulatory framework on telecommunications services.


By way of administrative orders, the German Federal Network Agency (Bundesnetzagentur – BNetzA) enforced against Google, in relation to its free-of-charge Gmail service, a specific notification obligation pursuant to section 6 of the German Telecommunications Act (Telekommunikationsgesetz – TKG), which applies to operators of telecommunications services. Google took the view that Gmail does not qualify as the “operation of telecommunications services” within the meaning of the TKG and, therefore, had not notified the BNetzA of the Gmail service.

Google challenged the administrative orders by legal action before the Administrative Court Cologne (Verwaltungsgericht Köln). Google argued that the transmission of emails through the Internet is technically not under Google’s control, since it is carried out by access providers and not by Google. The Administrative Court Cologne regarded these arguments as irrelevant; rather, it held that the transmission services provided by the access providers involved were to be attributed to Google. As a consequence, the Administrative Court Cologne found that Google qualifies as the “operator” of the whole communication process. In its judgment of 11 November 2015, case no. 21 K 450/15, the Administrative Court Cologne dismissed Google’s action, with the result that Gmail would indeed be covered by the notification obligation under section 6 TKG.
