EDPB releases guidelines on relevant and reasoned objection

On 8 October 2020, the European Data Protection Board (EDPB) published new guidelines on relevant and reasoned objection under the General Data Protection Regulation (GDPR). The guidelines cover the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which supervisory authorities have a duty to exchange all relevant information with each other and cooperate in an endeavor to reach consensus when they coordinate investigations that cross borders in the European Union (EU).

Background

Under Article 60 of the GDPR, the lead supervisory authority (LSA) is required to submit draft decisions to the concerned supervisory authorities, who may then raise a “relevant and reasoned objection” to the LSA within a specific timeframe of four weeks. On review of the relevant and reasoned objection, the LSA can either follow the suggestions of the concerned supervisory authorities and produce a revised draft decision, or disagree with the objections and submit the matter to the EDPB for consideration under the GDPR’s consistency mechanism.

Is the third time the charm for the Washington Privacy Act?

On September 9, Senator Reuven Carlyle (D-WA) presented an updated draft of the Washington Privacy Act (WPA), suggesting that the WPA will be up for consideration in Washington State’s 2021 legislative session. The next legislative session is scheduled to convene on January 11, 2021, at which point the fate of the WPA will again be in the hands of the Washington State Legislature’s Senate and House of Representatives. Introducing the WPA draft into the 2021 legislative session will mark Washington’s third attempt to pass a comprehensive state-level privacy law, after the bill died in the legislature for two consecutive years.

Please see our recent client alert for an overview of Senator Carlyle’s proposed draft of the WPA.

EDPB releases draft guidelines on the targeting of social media users

In September 2020, the European Data Protection Board (EDPB) released new guidelines on the targeting of social media users (Guidelines) for consultation.

Background

The Guidelines address the privacy risks and legal issues that arise when social media services are used to direct specific messages to users based on particular criteria, such as the users’ perceived interests, preferences and socio-demographic characteristics.

 A typical example of this is when a brand (or ‘advertiser’) advertises their products or services on individuals’ social media platforms. Through programmatic advertising (the automated buying and selling of online advertising) and the process of ‘real-time bidding’ (the automated bidding of display advertising inventory in real-time) in particular, advertisers can place personalised adverts on individuals’ social media platforms (e.g. through content feeds or ‘stories’). This process usually involves processing personal data in bid requests, which can include individuals’ web browsing history, age, gender, location and network connections. Advertisers submit bids to have their adverts placed on individuals’ social media pages based on the perceived likelihood that the individual will be interested. Generally, the more detailed the bid request, the higher the bids are likely to be, so there is more incentive for the parties involved to collect as much personal data as possible through the use of tracking technologies or otherwise. Further, parties within the ad tech ecosystem (such as data brokers) may augment the data collected from the bid request with information from other sources (including offline sources), which they might sell to other stakeholders involved in the targeting process.

The Guidelines split the types of actors involved in the targeting process into four different groups, namely: (1) social media providers; (2) social media users; (3) targeters (e.g. advertisers); and (4) ‘other actors’ which may be involved (e.g. supply side platforms (SSPs), demand side platforms (DSPs), data management platforms (DMPs), data brokers, ad networks and ad exchanges).

The Guidelines identify the potential risks of targeting for social media users, such as loss of control over personal data, potential discrimination and potential manipulation of individuals (as targeting mechanisms seek to influence individuals’ behaviour and choices).

The Guidelines also seek to clarify the roles, responsibilities and relationships between social media providers and targeters and explain the key data protection requirements and documentation that should be in place.


Singapore’s amended Personal Data Protection Act to come into force before year end

The Personal Data Protection (Amendment) Bill (Bill) was introduced and read for the first time in Parliament on October 5, 2020.

The Bill proposes significant changes to Singapore’s Personal Data Protection Act 2012 (PDPA). The amendments seek to keep Singapore’s data protection laws up to date with evolving technology developments, as well as global regulatory trends, and to enhance its relevancy and attractiveness as a digital business hub for the region.

After two further readings in Parliament and the president’s assent, the Bill will come into force, which is currently expected to be before the end of 2020.

Our recent client alert summarizes the proposed changes.

 

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, “Reed Smith”). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.

First official guidance on international data transfers post Schrems II – German data protection authority publishes checklist and action items on international data transfers

The German data protection authority of the federal state of Baden-Württemberg (LfDI BW) has issued detailed guidance (Guidance) on international data transfers this August and September. This is the first official guidance by a data protection authority following the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) that contains some solid guidance and suggestions for next steps.

Summary of the Guidance: (i) Checklist plus (ii) action items

The LfDI BW reiterates that international data transfers shall be subject to an adequacy assessment and, where necessary, additional safeguards must be implemented that supplement the transfer mechanism relied upon. For this assessment, the LfDI BW proposes a checklist and specific action items for the amendment of the SCCs and potentially other data transfer mechanisms.

The Law Commission is looking at smart contracts and digital assets: Is the law ready?

Smart contracts and digital assets are becoming increasingly common in a variety of industries. Nevertheless, is the law ready for them? Following the publication of the Legal statement on the status of cryptoassets and smart contracts by the LawTech Delivery Panel, the Law Commission has launched two projects to analyse how English law can be reformed to accommodate these emerging technologies.

Smart contracts

English contract law has developed on the presumption that contracts are written by individuals in ordinary language. Smart contracts, on the other hand, are drafted by computer code, without the need for human intervention. They can be in natural language generated through computer code, a hybrid of coded terms and natural language, or wholly written in code. These developments raise a number of questions and challenges for English contract law, particularly in relation to the circumstances in which a contract written in code would be considered legally binding and how such contracts can be interpreted by courts.

The UK Government asked the Law Commission to undertake a study on smart contracts, which will focus on:

  • Formation and enforceability;
  • Interpretation;
  • Performance of the contract;
  • Remedies; and
  • Vitiating factors.


Federal judge dismisses data-related antitrust claims in hiQ Labs, Inc. v. LinkedIn Corp.

On September 9, a federal judge in California dismissed claims brought by hiQ Labs, Inc. (hiQ) against LinkedIn Corp. (LinkedIn) that alleged that LinkedIn’s attempts to prevent hiQ from accessing public information on its website violated various antitrust laws. In an opinion that will continue to fuel debate over the relationship between antitrust and privacy, the court held that hiQ’s data-related antitrust claims were deficient because they failed to properly define the relevant market.

Our recent client alert details the case and highlights the increasing likelihood of disputes regarding the use of data by commercial parties and the potential for restrictions on data access to generate competition claims.

The rise of data protection group litigation actions in England and Wales

Class actions are widely known for their popularity in the United States. These types of actions are now developing in the UK because of recent data breach litigation.

In the UK, group litigation can arise in two different scenarios: Group Litigation Orders (“GLOs”) or representative actions. GLOs are orders given by the Courts to collectively manage different claims that give rise to “common or related issues of fact or law”. The claimants in a GLO need to opt in to join the GLO; however, all claims remain separate. A representative action, on the other hand, allows a representative to bring an action on behalf of a class of claimants who have the “same interests” in the claim. Any judgment in a representative action will be binding on all class members represented, unless they actively opt out of the claim. It is worth noting that the English Courts have discretion to allow any group litigation to proceed.

Illinois Attorney General Kwame Raoul talks to Reed Smith about consumer privacy, biometrics, and data breaches

In a recent Q&A with Illinois Attorney General Kwame Raoul, the first-term AG discusses potential changes to data breach laws in Illinois and whether his state could implement a privacy statute similar to the California Consumer Privacy Act (CCPA), the effectiveness of federal data breach legislation, and reasonable steps that businesses could take to protect consumer privacy. Additionally, the interview explores Illinois’ requirements for biometric data collection under the Illinois Biometric Information Privacy Act (BIPA) and its applicability towards preventing the spread of COVID-19. Read more in the IAPP Privacy Advisor article here.

EDPB publishes new guidelines on the concepts of controller and processor

On 2 September 2020, the European Data Protection Board (‘EDPB’) published new guidelines on the concepts of controller and processor in the General Data Protection Regulation (‘GDPR’). These guidelines are open for public consultation until 19 October 2020. The new guidelines will replace the previous guidelines on the same concepts, which were issued by the Article 29 Working Party in 2010.

The first part of the new guidelines analyses the concepts of controller and processor, providing relevant examples. The second part analyses the consequences of, and relationship between, the different roles.
