The FTC released a 100-page staff report this past November that assesses evolving business models relying on internet and app-based “sharing economy” platforms, such as those providing peer-to-peer services, and their effects on more traditional industries. To read more, click here.
Ask any 1L – personal jurisdiction has always been a tricky issue. But in the internet era, even courts have grappled with how to determine whether an online presence is sufficient to establish personal jurisdiction over a party. Recently, the Eastern District of Louisiana ruled that an internet presence consisting of a website as well as Facebook, Twitter, YouTube, and LinkedIn pages could not sufficiently demonstrate the “foreseeability or awareness” that a product would reach a forum state’s market required to establish personal jurisdiction. The decision reaffirmed that even in the age of social media, defendants must still directly target a forum to be subject to personal jurisdiction there. Continue Reading
Just four months after its adoption by the European Commission, the EU-U.S. Privacy Shield is facing its first formal legal challenge.
The challenge comes from the Irish advocacy group Digital Rights Ireland, who is joined by French privacy advocacy group La Quadrature du Net and non-profit internet service provider French Data Network. Continue Reading
LinkedIn has become the first major company to have access to its website in Russia blocked by the Russian Data Protection Authority, Roskomnadzor, following earlier Moscow Court decisions on 4 August and 10 November.
Russia’s data localisation law came into effect in September 2015 and requires websites collecting personal data of Russian citizens to store the data on servers located on Russian soil. (See our earlier blog here.) The law also granted Roskomnadzor a new power to block access within Russia to the website(s) of companies found to be in breach of requirements such as localised data storage.
On 17 November, Roskomnadzor exercised its new enforcement power by blocking access to LinkedIn throughout Russia. Reports suggest that LinkedIn argued that the data localisation law should not apply to its platform because LinkedIn itself does not have a presence in Russia and, in any event, its activity is directed internationally, not specifically to Russia so not “directed to” Russian users. The Russian language version of the website, which is available by default for users accessing the site from Russia, appears to have been influential in the platform being held to be subject to Russian law.
LinkedIn’s experience appears to herald the start of more concerted action by the Russian regulator. Roskomnadzor’s enforcement focus has just taken a seasonal turn (if not a festive spirit) with the prosecution of over 70 foreign websites offering children a chance to send an email addressed to Santa Claus.
These court rulings and subsequent enforcements will be of interest (if not concern) to many global businesses that engage with the Russian market. Some companies have already responded to the law by establishing servers in Russia; however, for others that had been taking a ‘wait and see’ approach, it may be time to add a few servers to the Christmas list (and 2017 IT budgets)!
With the election of current California Attorney General Kamala Harris to the U.S. Senate, Governor Jerry Brown was tasked with appointing her replacement. On December 1, he announced that his pick is U.S. Representative Xavier Becerra, head of the House Democratic caucus.
Becerra was first elected to the House in 1992 and has also served as deputy attorney general for California.
As we have previously pointed out, California is a very active state in privacy regulation. AG Harris has engaged with consumer privacy protection and the regulatory scheme, including advocating for harmonization of state data breach laws in her February 2016 Data Breach Report. We will see whether Becerra, as California attorney general, maintains the state’s involvement in this area. This handoff will occur at the same time that a new chairperson of the Federal Trade Commission takes over, a transition that is also raising questions of how the new leadership of the agency will handle privacy.
With the apparent shift in activity at the federal level following the election of Donald Trump, we expect states to be more active in a variety of areas, including privacy. Stay tuned for developments.
Responding to news reports that journalists were able to purchase advertising on Facebook targeted to ethnic groups, Facebook announced several new changes to the company’s advertising products. The move highlights heightened scrutiny of advertising practices surrounding the increasing use of big data in many aspects of marketing and advertising.
Facebook’s response grew out of a ProPublica report published on October 28, 2015 detailing how journalists were able to purchase ads targeted to house hunters on Facebook,, all while excluding specific “Ethnic Affinities,” such as African-American, Asian-American or Hispanic people. The report raised significant ethical and legal questions on how the features that enable advertisers to target their ads can be misused for discriminatory purposes. The potential for interactive computer service providers to violate anti-discrimination laws has drawn attention for several years, especially following the decision of the Ninth Circuit Court of Appeals in the Roommates decision, which held that the that immunity provided by the Communications Decency Act (CDA) for online operators did not apply to an online service that offered questionnaires and selections to online participants that could facilitate discrimination against protected classes. See Fair Hous. Council v. Roommates.com, LLC, 521 F.3d 1157, 1166 (9th Cir.2008) (en banc). Continue Reading
The Michigan attorney general intervened November 22 in a suit brought under a Michigan privacy law, making it one of the first times a state attorney general has weighed in on a case involving data use.
Michigan AG Bill Schuette defended the constitutionality of the Michigan Preservation of Personal Privacy Act, otherwise known as the Video Rental Privacy Act, citing the rights of Michigan residents to privacy in the video, audio, and reading materials they borrow or purchase. A Michigan resident had brought suit against Consumers Union of United States, alleging that the company had disclosed information, including his address and the names of magazines to which he subscribed, to “data mining” companies and other third parties, without obtaining his consent or providing him notice of the disclosure.
The Michigan law prohibits the release of information on customer’s purchase, rental, or borrowing of videos, books, and sound recordings that identify the customer unless the customer consents or unless the release is for the exclusive purpose of marketing directly to the customer, as long as the customer is given written notice and an opportunity to have their name removed, among other exceptions.
Significantly, the law was amended in July 2016 to stipulate that only a customer who suffers actual damages may sue. The law no longer allows for statutory damages of $5,000 per plaintiff. The question of what harm qualifies for standing in privacy cases is a key issue in privacy litigation today. Absent the amendment, this law was poised to be used repeatedly by plaintiffs seeking sizeable monetary damages with limited showing of harm.
In Ruppel v. Consumers Union, brought in the Southern District of New York, Consumers Union argued that the law unconstitutionally violated its right to free speech. AG Schuette contended that the law permissibly regulates commercial speech and withstands intermediate scrutiny.
While many state attorneys general have been involved in data breach cases that affect residents of their states, few have weighed in on laws governing data use. AG Schuette’s intervention in this case signals that more state AGs will likely become involved in substantive privacy legal issues beyond breach in the future.
Data protection procedures will require an overhaul for any company that offers goods and services, or tracks individuals, in the EU under the European General Data Protection Regulation (GDPR) to take effect from 25 May 2018. Given the changes in compliance requirements that the GDPR entails, it is vital that you use 2017 to audit your current policies and processes and make any necessary changes in readiness for the GDPR.
On Monday, November 14, 2016, the Securities and Exchange Commission (SEC) hosted a forum to discuss financial technology (FinTech) innovation in the financial services industry. The summit discussed several topics, but the second panel, titled “Impact of Recent Innovation on Trading, Settlement, and Clearance Activities,” specifically addressed blockchain-enabled distributed ledger technology and its applicability in corporate environments. The panel provided an opportunity for the SEC to highlight blockchain’s potential for assisting companies in meeting compliance requirements, cutting costs with respect to record keeping and tracking assets, and disintermediating transactions.
Corporations have begun to seriously examine the opportunities made available by blockchain-enabled distributed ledger technology beyond digital currency, in areas ranging from financial services and retail supply chains to art and music. Unlike Bitcoin, where the blockchain provides a transfer mechanism and ledger for the intangible currency, digital ledger technology also may provide a distributed, often a privately managed system of records for a wide variety of transactions. Continue Reading
Data Protection Authorities (“DPAs”) from across the world gathered in Marrakesh for the 38th International Privacy Conference. This event is held annually for the purpose of debating topical data protection issues.
The debates this year centred on data privacy being central to: sustainable development, government access to personal data, the role of technology, adequacy, localisation and differing cultural and political frameworks. Continue Reading