Munich Court of Appeal prohibits Facebook from deleting a post that does not fall under the German Hate Speech Act

On 24 August 2018, the Munich Court of Appeal (“Court”) issued a preliminary injunction against Facebook that prohibits Facebook from deleting a certain user’s post (docket no. 18 W 1294/18, available in German here).

Facts of the case

The claimant is a Facebook user who had taken part in a discussion on the Facebook page of a renowned German news journal on Austria’s announcement of border controls. In the course of a controversial discussion, in particular with another Facebook user, the claimant posted a quotation of the German poet Wilhelm Busch, combined with a provocative statement against another Facebook user:

Original German wording:

… Gar sehr verzwickt ist diese Welt, mich wundert’s daß sie wem gefällt. Wilhelm Busch (1832–1908)

Wusste bereits Wilhelm Busch 1832 zu sagen:-D Ich kann mich argumentativ leider nicht mehr mit Ihnen messen, Sie sind unbewaffnet und das wäre nicht besonders fair von mir.

English convenience translation:

… This world is very tricky, I wonder who likes it. Wilhelm Busch (1832–1908)

Wilhelm Busch already knew in 1832 to say :-D Unfortunately, I can no longer compete with you argumentatively, you are unarmed and that wouldn’t be particularly fair of me.

Facebook deleted the claimant’s post.

The UK responds to NISD consultation

The government has published its response to the April 2018 targeted consultation on the Security of Network and Information Systems Directive (NISD). The targeted consultation specifically addressed how NISD will apply to Digital Service Providers (DSPs) in the UK, focusing on the identification of DSPs, security measures and further guidance. This follows the government’s public consultation in August 2017; see our recent blog on this here.

The targeted consultation received 12 responses that largely showed support for the government’s overall approach. Concerns were expressed, however, regarding the uncertainty over who falls within NISD’s scope and the subject of costs recovery.

As the Network and Information System Regulations 2018 (the NIS Regulations) are already in force, the targeted consultation process will be used to assist the Information Commissioner’s Office (ICO) in providing updated guidance to DSPs. The government’s response, therefore, provides a useful insight into the future guidance on this topic, which will directly affect the regulation of DSPs in the UK.


When do organisations need to carry out a data protection impact assessment? German authorities provide guidance

The German data protection authorities (German DPAs) have jointly released a list of processing activities (List) that are subject to a data protection impact assessment (DPIA). The List contains 16 examples.

What is a DPIA?

DPIAs help organisations identify, assess and minimise the data protection risks of a project in which personal data are processed. In particular, the broader risks to the rights and freedoms of individuals that result from the processing are to be assessed and mitigated by appropriate countermeasures.

DPIAs also support the General Data Protection Regulation’s (GDPR) accountability principle, helping organisations to demonstrate that they have taken the appropriate measures required by the GDPR, so that compliant processing is possible.

Art. 35 GDPR provides that a DPIA is generally required where the processing of personal data, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR lists three examples where a DPIA is required:

  • Systematic and extensive profiling
  • Processing of special categories of personal data or criminal offence data on a large scale
  • Systematic monitoring of publicly accessible places on a large scale

Art. 35 (4) GDPR calls on supervisory authorities to release lists that further specify those cases where a DPIA is mandatory.


September 4, 2018: NYDFS Cybersecurity Regulation Compliance date arrives

As of today, Covered Entities are expected to be compliant with additional provisions under the New York State Department of Financial Services (NYDFS) cybersecurity regulation. A “Covered Entity” is any individual or non-governmental entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR 500.01. The cybersecurity regulation became effective March 1, 2017, and Covered Entities had 180 days to become compliant, unless otherwise specified.

A year later, on March 1, 2018, Covered Entities were expected to be in compliance with requirements related to annual reporting by the Chief Information Security Officer (CISO) on the cybersecurity program and material cybersecurity risks, continuous monitoring or periodic penetration testing and vulnerability assessments, periodic risk assessments, multi-factor or risk-based authentication, and regular cybersecurity awareness training for all personnel.

ICO issues new guidance on international data transfers under GDPR

The Information Commissioner’s Office (ICO) has published new guidance on international data transfers (the guidance) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Ex-EU personal data transfers

The GDPR restricts the transfer of personal data to non-EU countries or international organisations.

The ICO has clarified that a transfer is restricted if:

  • The GDPR applies to the processing of in-scope personal data. GDPR Articles 2 and 3 set out the GDPR’s scope. The ICO states that the GDPR generally applies “if you are processing personal data in the EU”. The GDPR may also apply “in specific circumstances if you are outside the EU and processing personal data about individuals in the EU”.
  • An organisation sends personal data, or makes it accessible, to a receiver to which the GDPR does not apply. This will usually be because the receiver is located outside of the EU.
  • The receiver is a separate organisation or individual. The receiver could be an affiliate or subsidiary company, but not an employee of the transferring organization.

Transfer or transit?

The ICO states that transit of personal data is not the same as a transfer of personal data. If personal data is just electronically routed between EU countries via a non-EU country, no restricted transfer has taken place. The ICO gives the example of personal data transferring between Irish and French controllers through a server in Australia. No restricted transfer occurs where there is no intention that the personal data can be accessed or manipulated during transit.


AGs emphasize consumer protection and privacy expertise in FTC comments

The Federal Trade Commission (FTC) will be holding a series of hearings this fall on “Competition and Consumer Protection in the 21st Century,” with the goal of reflecting on the agency’s powers, and state attorneys general (AGs) want to make sure their voices are heard.

A bipartisan group of 29 state AGs filed comments with the FTC on August 20, 2018, asking it to consider their unique viewpoints and expertise as state regulators who are “in the forefront of consumer protection.” The FTC hearings begin on September 13 with a schedule that includes a panel on “The Regulation of Consumer Data” featuring former acting chair Maureen Ohlhausen and former FTC staff members and academics. As the FTC opens its doors for a public discussion on how its enforcement priorities and policies affecting consumers might change, especially with a new slate of commissioners, the AGs want to be seen as partners. In particular, they want to be part of the conversation on privacy and data security, continuing a strong trend in recent years.

“In our experiences, consumer privacy and data security is an afterthought in product and service development. Industry often does not adequately invest in privacy and security. Consumer data has inherent value and the free market alone does not adequately protect sensitive data. Consumers have voiced concerns to us about what personal information industry collects, how industry informs consumers about data collection, and how industry uses and shares consumers’ data. Industry must place privacy and security front and center in its research and development of products and services,” the comment stated.


California toughens law governing subscription auto-renewals

Since California enacted its Automatic Purchase Renewals Law (APRL) in 2010, the plaintiffs’ class action bar has been active in suing companies with subscription-based services for their alleged failures to comply with the APRL requirements. The lawsuits stem from the alleged failure to comply with the disclosure, consent, and acknowledgment requirements applicable to many types of subscriptions. Non-compliance has resulted in million-dollar class action settlements and government civil penalties. This summer, the APRL got tougher.

The APRL applies to companies that charge payment cards of California consumers as part of using “automatic renewals” or providing “continuous services.” An “automatic renewal” is an arrangement to automatically renew and charge for a subscription at the end of its term. A “continuous service” is an arrangement where a subscription continues and charges are initiated until the consumer cancels the service.

Generally, and even before the amendment, the APRL requirements include:

  • Presenting the terms of the automatic renewal offer or continuous service in a clear and conspicuous manner where or when the offer is made.
  • Obtaining the consumer’s affirmative consent before charging the consumer for the automatic renewal or continuous service.
  • Providing an acknowledgment of key terms, including cancellation instructions, to the consumer.
  • Implementing a method to cancel (as described in the acknowledgment) by toll-free phone, email, mail, or other “cost-effective, timely, and easy-to-use” method, and permitting consumers to cancel prior to charging at the end of a free trial.
  • Notifying the consumer in a clear and conspicuous manner prior to any material changes to the original terms.


Federal Appeals courts decline to exclude cell phone location information collected without warrants pre-Carpenter, but Carpenter’s future impact still unclear

In his dissent in Carpenter v. United States, 138 S. Ct. 2206 (2018), Justice Kennedy observed that “the Cyber Age has vast potential both to expand and restrict individual freedoms in dimensions not contemplated in earlier times.” Justice Kennedy worried that the ruling, which held that a warrant is generally required for police to access cell site location information, would hamstring law enforcement by “transform[ing]” prior precedent into “an unprincipled and unworkable doctrine.” The Carpenter majority insisted, however, that its June 2018 decision was “a narrow one.” Future decisions will determine how far Carpenter will in fact reach, but recent decisions from the U.S. Courts of Appeals for the Second and Seventh Circuits demonstrate one important limit: the “good faith” exception to the exclusionary rule. While acknowledging Carpenter’s holding, both courts rejected the respective defendant-appellants’ appeals of suppression motion denials relating to searches predating Carpenter based on that exception.

Most recently, in United States v. Curtis, No. 17-1833, 2018 WL 4042631 (7th Cir. Aug. 24, 2018), the Seventh Circuit held that “even though it is now established that the Fourth Amendment requires a warrant for the type of cell-phone data present [t]here, exclusion of that information was not required because it was collected in good faith.” In Curtis, the appellant challenged the district court’s denial of his motion to suppress cell phone location information collected pursuant to the Stored Communications Act (SCA). Mr. Curtis did not dispute that the government had complied with the SCA, but argued he had a reasonable expectation of privacy in the location information and thus a search warrant was required. The district court denied the motion and permitted the location information to be offered as evidence, and Mr. Curtis was convicted of various crimes.

On appeal, the Seventh Circuit agreed that, per Carpenter, a warrant was required for the information, but that the Supreme Court “has not spoken to what should happen next.” According to the Curtis court, the answer was clear: the evidence did not have to be excluded because it was obtained in good-faith reliance on pre-Carpenter precedent.


What big data, political advertising and big fines have in common

On 10 July 2018, the Information Commissioner’s Office (ICO) announced its intent to fine Facebook £500,000 for two breaches of the Data Protection Act 1998, the maximum permitted under the pre-GDPR regime. If the penalty is enforced, it will be the biggest issued by the ICO in its history. For some perspective, had the breach occurred following the implementation of the General Data Protection Regulation 2016/679 (GDPR), the social network could have faced a fine of up to £359 million. Facebook now has a chance to respond to the ICO’s Notice of Intent, after which a final decision will be made.

Less than 30 days after issuing a Notice of Intent to fine Facebook, the ICO issued a further penalty as a result of the investigation, this time directed at Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, a data broking company which provides advice on pregnancy and childcare. The ICO issued a £140,000 fine against Emma’s Diary for illegally collecting and selling personal information belonging to more than one million people.

Background

Facebook, alongside Cambridge Analytica, has been the focus of an ICO investigation for over a year. The investigation centred on the use of data analytics in political campaigns and was spearheaded by the Information Commissioner, Elizabeth Denham. The investigation was formally commenced in May 2017 following the unearthing of evidence that personal data from over 87 million Facebook accounts had been illegally harvested. The ICO described it as one of the largest investigations ever undertaken by a data protection authority, which is reflected in the most recent estimate of the cost of the investigation, put at almost three times the level of the fine with which Facebook has been issued. In addition to the fine, the ICO announced its intent to bring a criminal prosecution against SCL Elections Ltd, the parent company of Cambridge Analytica, for being too slow to adequately respond to an enforcement notice issued in May of this year.


Commission publishes factsheet on Digital Single Market strategy

On 22 June 2018, the European Commission published a factsheet that provides a visual summary of the actions taken to date to implement its Digital Single Market strategy. The Digital Single Market strategy refers to the European Commission’s mission to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues.

The factsheet sets out a timeline, which shows the status of each of the Digital Single Market strategy initiatives presented by the Commission since its announcement of the Digital Single Market strategy in 2015. The factsheet shows that 29 legislative initiatives have been presented, of which 17 have been agreed by the European Parliament, the Council of the EU and the Commission.

There remain 12 Commission legislative initiatives on which the European Parliament and the Council are yet to reach agreement. Notably, the forthcoming ePrivacy Regulation, initially envisaged as coming into force at the same time as the General Data Protection Regulation 2016/679, remains very much in the negotiation process. With the European elections in 2019 looming ever closer, there is a very real danger that, unless rapid progress is made, the whole adoption process could find itself put on hold.
