Pre-Christmas Update on the ePrivacy Regulation

The General Data Protection Regulation (“GDPR”) will apply from 25 May 2018 and will set new general data protection standards. In its draft ePrivacy Regulation of 10 January 2017 (“ePrivacy Regulation”), which lays down specific rules for electronic communications, the European Commission sought to ensure that both sets of rules would apply from the same date.

Current legislative status of the ePrivacy Regulation

The Council of the European Union (“Council”) published its first revisions to the ePrivacy Regulation on 8 September 2017, and the European Data Protection Supervisor, Giovanni Buttarelli, issued recommendations on specific aspects of the ePrivacy Regulation on 5 October 2017. The European Parliament adopted a report, including its draft resolution on the ePrivacy Regulation (“Report”), on 23 October 2017. Consistent with the strict approach to processing personal data under the ePrivacy Regulation, the Report does not permit further processing for compatible purposes or on the basis of legitimate interest. On 5 December 2017, the Council released a consolidated version of the ePrivacy Regulation (“Consolidated Version”) which summarizes the work done so far in the Council as a basis for its future work. The Consolidated Version also notes that further internal discussions will be necessary, in particular on Articles 6, 7 and 9 of the ePrivacy Regulation and on further grounds for processing.


Morrisons found vicariously liable for a data breach committed by one of its employees

Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees (https://www.judiciary.gov.uk/judgments/various-claimants-v-wm-morrisons-supermarket-plc/).

Background

In 2014, it was discovered that a file containing the payroll data of 99,998 Morrisons employees had been uploaded to a file-sharing website. This data included names, dates of birth, addresses, national insurance numbers, and details of employees’ salaries and bank accounts.

Following an investigation, it was revealed that one of Morrisons’ employees, Andrew Skelton – a senior IT auditor – had copied the data which he was supposed to send to KPMG, Morrisons’ external auditors, to a personal USB drive. Mr Skelton then uploaded this data to a file-sharing website.

Mr Skelton’s actions were reportedly the result of a grudge that he held against his employer following an earlier, unrelated disciplinary incident. Mr Skelton was arrested and subsequently sentenced to eight years in prison for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (the “DPA”).

Now, in what is the first group action in the UK arising from a data breach, 5,518 of the affected employees have brought a claim against Morrisons for breach of its statutory duty under the DPA and at common law.

The claim was made on the basis that Morrisons was (i) directly liable for breaching its statutory duty; and (ii) in the alternative, vicariously liable for the breach in its capacity as Mr Skelton’s employer.

ENISA publishes report on recommendations for data protection certification mechanisms under the GDPR

On 27 November 2017, the European Union Agency for Network and Information Security (“ENISA”) published a report on Recommendations on European Data Protection Certification (“Report”). The aim of the Report is to identify and analyse challenges and opportunities of data protection certification mechanisms, as introduced by the General Data Protection Regulation (“GDPR”).

The Report provides an overview of existing data protection certification mechanisms, and looks at the terminology and concepts relevant to GDPR certification, as established in Articles 42 and 43 of the GDPR. The Report also presents research and analysis on various certification schemes, including ePrivacyseal EU, EuroPriSe, the CNIL Labels and the ICO Privacy Seal. It further addresses some of the questions relating to successful take-up of certifications, as well as the role of certification as a transparency and accountability instrument under the GDPR. The Report additionally notes that data protection certification mechanisms under the GDPR are likely to face challenges, given the diversity of existing data protection certifications.

The Report sets out several recommendations that are intended to provide high-level guidance to data protection authorities, certification bodies, and data controllers and processors.

CJEU rules Digital Rights Ireland’s Privacy Shield invalidation action inadmissible

Background

On 22 November 2017, the General Court of the Court of Justice of the European Union (“CJEU”) issued its order in a case brought by the not-for-profit company Digital Rights Ireland Limited (“DRIL”). DRIL sought the annulment of the European Commission’s Privacy Shield decision, which states that the US ensures an adequate level of protection for personal data transferred from the EU to companies in the US under the EU-US Privacy Shield (the “Contested Decision”).

The CJEU ruled that DRIL’s annulment request was inadmissible for two reasons: (1) DRIL could not show that it was sufficiently affected by the Contested Decision to bring proceedings in its own name; and (2) it lacked standing to bring proceedings in the name of its members, supporters and the general public.

In this case, DRIL was the applicant and the European Commission the defendant.

Admissibility of the action brought by DRIL in its own name

DRIL presented three arguments to demonstrate the admissibility of the action brought in its own name.

Argument 1: DRIL argued that, given that it possesses a mobile phone and a computer, its own personal data is liable to be transferred to the US pursuant to the Contested Decision. The CJEU rejected this argument, ruling that DRIL, as a legal person, does not possess personal data: the Data Protection Directive protects only the personal data of natural persons, not of legal entities.


Anticipating Risks From and Responding to Cryptocurrency Theft

On November 20-21, 2017, Tether, the company behind USDT, a digital token backed by fiat currencies such as the dollar and the euro, disclosed that a hack had resulted in the loss of $30.95 million worth of tokens. The Tether hack illuminates the privacy, reputational, financial and recovery risks associated with issuing, owning and storing digital currencies. These risks and events are likely to repeat themselves as more initial coin offerings (“ICOs”) come to the market and the prices of digital currencies continue to soar. Reed Smith has issued a Client Alert on the topic.

Sixth Circuit Suggests Liability for Copyright Infringement May Justify Reduced First Amendment Protection for Anonymous Speech, But Recommends Consideration of Context and ‘Practical Need’ for Unmasking

Ruling on what it characterized as an issue of first impression, the U.S. Court of Appeals for the Sixth Circuit suggested that a judgment of liability in a copyright infringement case may be a tipping point justifying the unmasking of anonymous internet users. The Sixth Circuit remanded Signature Mgmt. Team v. Doe, No. 16-2188 (6th Cir. Nov. 28, 2017) to the district court with instructions to reconsider unmasking the anonymous defendant, finding it had “failed to recognize the presumption in favor of open judicial records,” which is particularly strong at the judgment phase.  However, the 2-1 majority pointed out reasons why unmasking still might not be necessary, triggering a dissent suggesting the majority didn’t go far enough.

In Signature Mgmt. Team, the plaintiff, a multi-level marketing company, sued defendant Doe after he posted on his blog a link to the entirety of a book copyrighted by plaintiff.  Among other relief, the plaintiff moved to compel the identity of Doe.  The district court required Doe to reveal his identity to the court and plaintiff, but found that unmasking Doe was “unnecessary to ensure that defendant would not engage in future infringement.”  Further, the district court found that, because Doe declared that he had destroyed all copies of the infringed work in his possession, no further injunctive relief was necessary.  Plaintiff appealed, arguing in part that the district court improperly disregarded the strong presumption in favor of openness of judicial records.


Sears Petitions to Change Its 8-Year-Old FTC Privacy Settlement Order

On October 30, 2017, Sears Holding Management Corporation (“Sears”) petitioned the Federal Trade Commission (“FTC”) to reopen and modify the settlement to which it agreed in 2009. At that time, Sears agreed to a consent order to resolve the FTC’s complaint that Sears allegedly did not adequately disclose the scope of the “online browsing” data it collected from users of its desktop software application. This landmark enforcement action was one of the FTC’s first uses of its Section 5 authority to regulate privacy-related disclosures and the tracking of users’ online activity.

With Sears’ petition, a company under a privacy-related consent order has for the first time asked the FTC to scale back the breadth of the order’s applicability because of changes in technology, consumer expectations, and the marketplace.

Changes in Mobile App Ecosystem and Consumer Expectations. In its petition, Sears argued that the current online marketplace demonstrates that the consent order is too broad and “does not align with today’s mobile application ecosystem and consumer expectations.” Sears explained that the consent order requires it to handle consumer notices in its mobile applications differently from other companies’ industry-standard mobile apps, and that the order’s prescriptive manner does not fit with how consumers obtain mobile applications through app stores. According to Sears, more recent FTC orders recognize exceptions to certain consumer notices for the normal functioning of mobile applications that consumers expect, e.g., notices related to application configuration, crash monitoring, and usage activity. Sears seeks an order more in line with the newer FTC orders that include these exceptions.


German FCO launches sector inquiry into online price comparison websites

The German Federal Cartel Office (“FCO”) has launched a sector inquiry into online price comparison websites. This sector inquiry is the first specific proceeding in which the FCO applies the new competencies in the area of consumer protection given to it by the 9th amendment to the German Act against Restraints of Competition (“ARC”). Another sector inquiry, concerning consumer protection issues in everyday digital life, might follow next year.

Background

Sector inquiries are not targeted against individual companies. Their purpose is to thoroughly examine the conditions on a general market in order to identify potential infringements of legal provisions. The FCO will summarise the results of its investigation in a report. If infringements by individual companies are detected in the course of the sector inquiry, this might subsequently lead to the initiation of proceedings against individual companies. In the past, this was only possible in relation to infringements of competition law.

By the amendment to the ARC, which entered into force on 9 June 2017, the FCO has also been given such competencies in the area of consumer protection and has set up a new division for this specific purpose. The new competencies should be seen as a supplement and back-up to the well-established system of privately enforced consumer protection. Currently, the FCO has only investigative powers, but it has not yet been granted decision making and enforcement powers in relation to consumer protection issues.

Its new investigative powers allow the FCO to launch a sector inquiry whenever there are indications of a severe violation of consumer protection laws, or of the legal requirements for general terms and conditions, that affects a large group of consumers.

The FCO has identified the so-called “digital economy” as an area where a single infringement by one company could harm millions of consumers. It therefore decided to focus on this area for the first sector inquiry by its new consumer protection division.


Right of communication: German Federal Supreme Court applies GS Media to internet search engines

In Thumbnails III, the German Federal Supreme Court (“BGH”) held that the display of so-called thumbnails of pictures available on the internet does not constitute copyright infringement unless the search engine operator knew that the copyrighted material had been uploaded unlawfully. The BGH further stressed that, with regard to search engine operators, there is no room for a presumption of infringement. Against the background of the earlier case law of the European Court of Justice in hyperlinking cases such as GS Media, this constitutes a significant development. The decision was based on balancing the rights of copyright holders on the one hand against those of potential users on the other; the court also considered the impact on the functioning of the internet and the need for a picture search function. Please refer to the full article by Dr. Anette Gärtner and Iris Kruse for further commentary.

Get your update on IT & Privacy Law

The Fall 2017 Edition of the quarterly IT & Privacy Newsletter by Reed Smith Germany has just been released.

We cover the regulation on cross-border portability of online content services and new case law on employee monitoring, marketing consent, influencer advertising, choice of law and venue clauses in T&Cs, and platform provider liability.

You can also find further information on our upcoming GDPR breakfast roundtable in London, as well as our workshop, “Website and app audit,” in Düsseldorf, Frankfurt and Munich.

We hope you enjoy reading it.
