By a new sanction decision rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligations to maintain the security of personal data and to limit its storage. This €400,000 fine is the first sanction imposed on a French company under the General Data Protection Regulation (GDPR) and is also the most significant financial penalty imposed on a French company for data breaches to date. It represents close to 1 per cent of the fined company’s yearly turnover.
Britain’s data protection and broadcasting regulators, the Information Commissioner’s Office and Ofcom, have published a joint Report looking into internet users’ concerns about online harms. The British government’s recently published White Paper, which outlined its approach for regulating the internet to tackle online harms, was informed by this Report.
Over 3,000 interviews were conducted with children and adults earlier this year. Demographic quotas were set to control for age, gender, region, social grade and urbanity.
The Report found that nearly three in five British adults and four in five 12–15 year olds suffered at least one potential harm online in the previous 12 months. There were some differences between the harms experienced. Adults identified spam emails, fake news and scams/fraud as the main harms they face online. 12–15 year olds identified offensive language, spam emails, unwelcome friend requests and bullying as the harms they most commonly encounter.
The key concern raised by adult and teenage respondents concerned the exposure of children to bullying, abusive behaviour or threats online.
Adults were most concerned about the safety of children online, but other key concerns included:
- data being stolen,
- scams/frauds, and
- their data being processed without consent.
Despite this, the majority of internet users – 61% of 12–15 year olds and 59% of adults – believe that the benefits of the internet outweigh the risks they face.
Interestingly, fake news and spam emails were two online harms where responses revealed a disparity between experiences and perceived threat. More adults identified these two harms as harms they have experienced, but, despite this, adults were less concerned about these harms.
Sources of online harm
Social media sites constitute the main sources of potential online harm identified by respondents. Nearly a quarter of respondents who use social media do not trust these sites to remove illegal, offensive or harmful material quickly. Once social media was taken into account, the sources of online harm also diverged between groups. Adults were more likely to experience online harm on search engines or instant messengers. Children were more likely to experience online harm on instant messengers, video-sharing sites/apps and while gaming.
Incidence of harm
12–15 year olds were found to be significantly more exposed to online harms than adults. The incidence of online harms experienced also dropped significantly for adults over 55.
Respondents perceive online media to be less regulated than other traditional media. Most adults believed that regulation for social media should be maintained or increased.
This Report and the recent White Paper provide helpful insight into the attitudes and motivations of internet users. The approach set out in the White Paper of creating a statutory duty of care by digital service providers is one of a number of regulatory initiatives under consideration. We expect further developments as the findings of this Report undergo further analysis and inform future regulatory proposals. In the meantime, keep an eye on this blog for further updates on this and other developments in relation to privacy regulation.
“The internet’s not written in pencil, it’s written in ink.”
Advocate General (AG) Szpunar commenced his opinion dated 4 June 2019 in Case C-18/18 (Opinion, available here) with the above quote from the movie The Social Network. In the Opinion the AG analysed the substantive scope of injunctions, in particular if social network providers “may be required to delete, with the help of a metaphorical ink eraser, certain content placed online by users of that platform”, as well as its territorial scope.
An Austrian politician applied at the Vienna Commercial Court (Austria) for an injunction requiring a social network provider to cease the publication of a – in her view – defamatory comment about her. A user of the social network shared an article from a news website on their personal page on the network, whereupon the social network generated a ‘thumbnail’ of that post, containing the title, a brief summary of the article and a photograph of the politician. The user also published a disparaging comment about the politician alongside the post (Content in Question). Any user of the social network was able to access the Content in Question.
The Vienna Commercial Court issued the requested injunction and ordered the social network provider to delete and to stop disseminating the Content in Question. Subsequently, the social network provider disabled access to the content in Austria, but not for other countries. After the Vienna Higher Regional Court upheld the injunction, the case was brought to the Austrian Supreme Court. The Austrian Supreme Court referred to the Court of Justice of the European Union (CJEU) the questions of whether the injunction can be extended (i) worldwide, and (ii) to statements with identical wording and/or equivalent content. The Austrian Supreme Court ultimately asked the CJEU to interpret the Directive on electronic commerce (eCommerce Directive) in this context.
The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In its complaint against SecurTest, the FTC alleges that for several months SecurTest falsely claimed on its website that it complied with Privacy Shield when in fact it had not self-certified its Privacy Shield compliance with the U.S. Department of Commerce. The terms of the FTC’s decision and order prohibit SecurTest from misrepresenting its Privacy Shield compliance status and require it to submit to compliance monitoring and recordkeeping requirements.
Along with announcing its settlement with SecurTest, the FTC noted that, rather than beginning enforcement proceedings, it has issued a number of warning letters to businesses over similar alleged inaccurate statements about compliance with cross-border privacy and data security transfer programs like Privacy Shield:
The UK government recently published its response (Government Response) to a House of Lords committee report (Committee Report) discussing prospective regulation of digital services facilitated by the internet.
The Government Response largely accepts the key recommendations of the Committee Report, and finds the Committee Report is closely aligned with the government’s preferred approach. The Government Response also refers to the objectives identified in its recently published Online Harms White Paper.
We summarise some of the key recommendations of the Government Response and the differences between the Government Response and Committee Report:
- The Government Response reaffirms the principles set out in the Digital Charter.
- The Government Response also confirms that the government will establish a central regulatory body which will coordinate internet regulation and oversee and enforce a new statutory duty of care.
- An additional duty of care will be imposed on online platforms to ensure that they have adequate risk management procedures in place. The duty is designed to make companies take more responsibility for user safety online and tackle harm caused by content or activity on their services.
- The principles set out in the Committee Report are affirmed. In particular, the Government Response draws attention to initiatives in place to increase digital literacy and sets out the role of the newly created Centre for Data Ethics and Innovation in shaping future guidance for industry.
- The Committee Report suggested that companies should keep a record of the time each user spends using their services. The Government Response does not go so far as the Committee Report. The Government Response finds insufficient evidence to link screen-based activities and negative effects. However, the Government Response does leave the door open for future regulatory intervention in this area. In the meantime, companies will be expected to support the development of research in this area by providing anonymised data to researchers.
- Similarly, the Government Response on market concentration did not go as far as the Committee Report recommendation. The Committee Report recommended the introduction of a public-interest test when assessing possible mergers between digital service providers. This will sit alongside the Competition and Markets Authority’s existing tests when assessing possible mergers. The new test would focus on the accumulation of data in order to prevent the creation of data monopolies.
- The Government Response disagrees with the Committee Report recommendation for companies to publish annual data transparency statements. The Government Response states that it is sufficient for companies to publish GDPR-compliant privacy notices.
- One of the headline recommendations in the Committee Report was the prospective use of a labelling scheme for social media in order to moderate content. This labelling scheme would have been overseen by Ofcom, the UK’s broadcasting and telecommunications regulator. The Government Response is not clear about whether it agrees with this approach. However, the government has not ruled out the potential use of a labelling scheme in the future.
As we indicated in our post on the Committee Report, many of the initial recommendations are already achieved by existing laws or present serious implementation issues. The Government Response has helped modulate many of the Committee Report’s recommendations although more detail will be required before pen is put to statute paper. The Committee Report and Government Response offer an interesting insight into potential regulatory developments that all companies in the online space need to be aware of. We will keep you posted on future developments.
The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), which we discussed in a previous blog, became applicable from 28 May 2019. Together with the General Data Protection Regulation (EU) 2016/679 (GDPR), the two regulations now provide a “comprehensive framework for a common European data space and free movement of all data within the European Union”. The European Commission has published practical guidance to help users understand the interaction between these two regulations.
On 7 June 2019, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the Cybersecurity Act, was given the final go-ahead and published in the Official Journal of the European Union. The Cybersecurity Act will come into force on 27 June 2019.
As highlighted in our previous blog on the Cybersecurity Act, cyberattacks are becoming more and more sophisticated and most often occur across borders. There is a growing need for effective and coordinated responses and crisis management at the EU level. The Cybersecurity Act aims to build a safer cyber environment through an EU-wide framework for businesses to achieve cybersecurity certification for their information and communications technology (ICT) products, processes and services.
ENISA will assume the key role of supervising and advancing cooperation and information sharing across EU member states, EU institutions and international organisations.
The past two years have seen cybersecurity turning into a high priority on the Brussels agenda. The Cybersecurity Act forms part of a set of measures across the board intended to promote more robust cybersecurity within the EU by establishing the first EU-wide cybersecurity certification framework across a broad range of products (e.g. the Internet of Things) and services.
The Cybersecurity Act works alongside both:
- the EU General Data Protection Regulation, which requires security measures to be implemented when processing personal data; and
- the EU Network and Information Security Directive (NIS Directive), which aims to protect critical national infrastructure.
While the NIS Directive applies only to operators of essential services and digital service providers, the Cybersecurity Act encourages all businesses to invest more in cybersecurity and to build it into their ICT devices. Ultimately, the collective framework of legislation is designed to counteract cyberattacks and to raise consumers’ and industry players’ trust in ICT solutions.
The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how:
- the GDPR’s “one stop shop” mechanism has been bedding down; and
- the number of data subject complaints and data breach notifications have increased since GDPR came into force.
What do the statistics show?
During GDPR’s first year, the EDPB case register logged 446 cross-border cases. 205 of these (46 per cent) have been dealt with under the one stop shop procedure. The one stop shop is designed to enable companies that process the personal data of people in more than one EEA state to deal with a single EEA regulator. This regulator is known as a company’s lead supervisory authority (LSA). An LSA must be identified by a company in its EU place of central administration.
Most EEA regulators have seen significant increases in the number of complaints received from data subjects and data breach notifications submitted by companies. More than 144,000 queries and complaints have been made by individuals. Over 89,000 data breach notifications have been made by companies. The increase in queries and complaints substantiates the EDPB’s finding that data protection awareness is on the rise across Europe. The EDPB’s research found that 67 per cent of EU citizens have heard of GDPR, an increase of 20 per cent compared to 2015.
The one stop shop: what’s in it for companies?
As highlighted in our recent article about GDPR’s first year, companies involved in cross-border personal data processing should prioritise identifying their LSA. Knowing your LSA at a time of crisis – for example, a pan-EEA personal data breach – is important. It will save you time and money and massively reduce your administrative burden. Instead of having to deal with upwards of 45 EEA regulators, you only have to liaise with your LSA. Your LSA will coordinate its investigation and response with other regulators, if necessary. Personal data breaches are difficult enough to respond to without having to coordinate responses for an impossibly large number of regulators.
The past year has been challenging for privacy professionals. It has been a year of increased privacy and data protection awareness. The statistics published by the EDPB are a helpful snapshot. They provide quantitative proof that privacy and data protection are more prominent now than they ever have been. The EDPB’s stated intention is to continue to listen to and cooperate with people and businesses involved in daily data processing. GDPR’s year two will, most likely, involve ever greater cooperation between regulators. Companies should take note and plan accordingly.
May was a busy month for state privacy law updates and amendments. In addition to amendments made by Texas to its breach notification law, both Oregon and Nevada expanded their privacy-related laws this month, while Illinois’s CCPA-like law failed to pass after a variety of amendments related to whether the law would allow for a private right of action.
In Oregon, the legislature expanded its data breach notification statute (ORS §§ 646A.600 et seq.). Oregon’s updated data breach law, which was signed by Governor Kate Brown on May 24, 2019 and goes into effect on January 1, 2020, expands breach notification requirements to cover “vendors,” which it defines as “a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.” Under the new law, a vendor must notify Oregon’s Attorney General when subject to a security breach affecting the personal information of over 250 Oregon consumers, or when the number cannot be determined. Vendors do not need to notify the Attorney General if the covered entity has already made the notification. Vendors must also notify their business customers of the breach within 10 days – a change from previous language mandating notification “as soon as practicable.” The law also expands Oregon’s definition of personal information to include usernames, but only when combined with authentication factors.
On May 29, 2019, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220), a California Consumer Privacy Act (CCPA)-like law which goes into effect on October 1, 2019. This law, which amends a prior Nevada law covering consumer privacy disclosures, requires operators to allow consumers to submit verified requests through a designated request address directing operators not to sell any covered information that the operators have collected or will collect about a person. Because SB-220 goes into effect in 2019, before the January 1, 2020 effective date of CCPA, Nevada will be the first state to provide consumers with the right to opt out of the sale of their personal information. The Nevada law, however, is much narrower than the CCPA:
- “Sale” is defined as “the exchange of covered information for monetary considerations to a person for the person to license or sell the covered information to additional persons,” a narrower definition than “for monetary or other valuable consideration.”
- Sale also excludes disclosures to data processors, to operators providing a service requested by the consumer, for purposes consistent with the reasonable expectation of the consumer, to affiliates, and as part of a transfer of assets.
- Like the CCPA, SB-220 specifically excludes entities subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. SB-220 also excludes vehicle manufacturers and repairers who collect information related to a motor vehicle’s technology or service.
SB-220 authorizes the Nevada Attorney General to seek an injunction or civil penalty of up to $5,000 for each violation of the law.
Although many other proposed laws were not enacted this year, data breach and data privacy laws remain priorities for many state legislatures. In the absence of an omnibus federal data privacy or breach law, states will continue enacting varied laws governing these issues. Companies should be aware that these laws are constantly changing and that it is crucial to stay apprised of these changes to ensure compliance with a patchwork of state laws. Because these laws ultimately will be enforced by State Attorneys General, companies also should consider an effective attorney-general outreach strategy as part of their broader approach to government relations.
The UK Jurisdiction Taskforce (UKJT) recently published a consultation paper requesting submissions from stakeholders working with, or interested in, cryptoassets, distributed ledger technology (DLT) and smart contracts. Submissions will inform a legal statement by UKJT which will aim to settle questions on the legal status of cryptoassets and smart contracts. UKJT is drawn from industry, government and the judiciary and was formed to facilitate the growth of the UK legal sector.
UKJT seeks to clarify whether cryptoassets, DLT and smart contracts are compatible with, and can be relied upon with sufficient legal certainty in, English private law. UKJT’s legal statement should also provide clarification on any areas of uncertainty in the interaction of English law with cryptoassets, DLT and smart contracts.
The consultation paper identifies the legal uncertainty surrounding the status of cryptoassets as an important area in need of clarification. The consultation paper requests input on when a cryptoasset and a private key should be characterised as personal property. UKJT has limited the scope of its investigation to focus on property law rather than include other areas such as tax or data protection law. This is in order to resolve the central question of whether cryptoassets should be considered personal property in the hope of facilitating the appropriate future development of cryptoassets. The current approach of English property law is not fully compatible with the various understandings of cryptoassets. In particular, English property law has difficulties characterising cryptoassets in terms of whether they may be seen as a physical thing or a right (chattel, chose in action or chose in possession) or as property (whether personal or intellectual), and determining where they are located.
UKJT is interested in determining the enforceability of smart contracts and the circumstances under which a smart contract is capable of giving rise to binding legal obligations. The consultation paper highlights the need to clarify how the general principles of contractual interpretation by a court may need to be recalibrated when applied to smart contracts. There are also concerns over how parties may be able to enforce their rights and rely on smart contracts in the event that the technology malfunctions or does not perform as expected.
The consultation paper identifies the difficulty in defining DLT, an area that is constantly evolving and with developing terminology and taxonomy, meaning that any recommendations may quickly require reconsideration. However, understanding DLT is key to informing any future regulation of cryptoassets or smart contracts. The consultation paper, therefore, requests input on whether DLT could be considered to be a register for the purposes of evidencing, constituting and transferring title to assets.
This consultation paper is the latest addition in a recent trend by regulators in the UK, Europe and the U.S. seeking to recalibrate their approach to regulating these emerging sectors and products. If you are interested in finding out more on cryptoassets, DLT and smart contracts, we recently published a white paper on Blockchain which can be found here.
If you would like to respond to the UKJT consultation, we would be happy to assist you to do so by the deadline of 21 June 2019. Responses can be submitted electronically here.