Planet49: Advocate General’s opinion on cookies and consent bundling

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (“Marketing Checkbox”)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (“Cookie Checkbox”)

Cookie consent

Article 4(11) of the General Data Protection Regulation (“GDPR”) defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The AG stated that there was no active consent in this instance because the Cookie Checkbox was pre-ticked. Consent cannot be considered active if the user must object (by un-ticking the checkbox) to the use of cookies.

e-Privacy meets GDPR – the European Data Protection Board shines some light

The European Data Protection Board (EDPB) published an opinion (Opinion) on the interplay between the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Opinion responds to questions submitted by the Belgian data protection authority, specifically:

  1. whether data protection authorities (DPAs) are competent to regulate processing that triggers both GDPR and the ePrivacy Directive;
  2. whether DPAs should take the ePrivacy Directive (and/or its national implementing legislation) into account when exercising their powers under GDPR;
  3. whether the cooperation and consistency mechanisms should apply to processing that triggers both GDPR and the ePrivacy Directive; and
  4. the extent to which processing can be governed by provisions of both the ePrivacy Directive and GDPR.

The EDPB also provided more general guidance on the interplay between the ePrivacy Directive and GDPR. This blog sets out key takeaways of the Opinion.

The European Parliament adopts first stance to proposed EU Cybersecurity Act

On 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act.

Initiatives to build strong EU-wide cybersecurity

The EU Cybersecurity Act was proposed in 2017 to:

i) Provide a permanent mandate for ENISA (to replace its limited mandate that would have expired in 2020);

ii) Allocate more resources to ENISA to enable it to fulfil its goals; and

iii) Establish an EU framework for cybersecurity certification for products, processes and services that will be valid throughout the EU.

The European Parliament, Council and Commission reached an informal trialogue agreement on the proposal of the EU Cybersecurity Act in December last year. Now that the European Parliament has adopted its first-reading position, it is expected that the European Council will adopt the proposed Regulation without further amendments. The Regulation will then be published in the EU Official Journal and will enter into force 20 days following that publication.

In privacy we (anti)trust: Regulators worldwide consider competition law as tool for consumer protection

On February 26, 2019, the Federal Trade Commission’s (FTC) Bureau of Competition announced a new Technology Task Force, which will monitor anticompetitive conduct in U.S. technology markets “to ensure consumers benefit from free and fair competition.” With the consumer protection agency already a chief arbiter of privacy enforcement in the tech sector, the new task force increases the likelihood that the continued convergence between competition and consumer protection policy, which began in earnest at the dawn of the current century, may be gaining momentum.

German approach. The announcement comes just a few weeks after Germany’s antitrust regulator used its competition authority to enforce principles of data privacy and processing. On February 7, 2019, the Bundeskartellamt issued a decision against Facebook, ruling that the practice of combining user personal data from different sources by a dominant market participant violated EU data protection law. This was a noteworthy decision from a competition authority being influenced by and seeking to enforce the General Data Protection Regulation, which would otherwise be enforced by data protection authorities. The decision is not yet final, but if upheld it could have the notable impact of limiting the data footprint used to inform advertising, and may influence regulators’ willingness to use competition law to buttress limitations placed on the flexibility of data collectors and processors. Please see our previous client alert on the Facebook ruling. If this approach informs the FTC’s position on competition and privacy enforcement, it could extend a trend of regulators outside the data protection sphere using broader authority as a bridge to enforce privacy issues against companies they view to have a dominant market position.

State Attorneys General and the data economy: lead, protect, enforce

With the passage of the California Consumer Privacy Act but no clear federal consumer privacy law on the imminent horizon, state Attorneys General (AGs) continue to investigate and analyze how best to protect their consumers. To further that goal, the National Association of Attorneys General hosted a panel entitled Emerging Issues in the Data Economy at its Winter Meeting in Washington, D.C. The panel was convened to discuss the role AGs can and should play in data privacy in an ever-changing economy. Doug Peterson, Nebraska’s AG, moderated the panel, which included Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the Federal Trade Commission (FTC), Ryan Krieger, Assistant AG, Public Protection Division of the Vermont Attorney General’s Office, and Daniel Castro, Vice President of the Information Technology and Innovation Foundation.

As with recent House and Senate Hearings addressing these topics, the focus remained on balance: what the legal landscape should look like, who should be doing the enforcing and how that enforcement should work, and how to protect consumers without stifling innovation and entrepreneurship.

Regulating digital services – UK parliament weighs in

The Select Committee on Communications of the House of Lords (Committee) published a report discussing UK regulation of ‘digital services facilitated by the internet’.

We summarise some of the key recommendations of the report, which was published on 9 March 2019:

1. A central regulatory body called the Digital Authority should be set up to co-ordinate internet regulation.

2. All future internet regulation should be informed by 10 common principles:

  • Parity: ensuring online and offline regulation offer equivalent protection for individuals.
  • Accountability: digital actors are to be held to account.
  • Transparency: powerful digital actors should be open to scrutiny.
  • Openness: facilitate innovation and choice for users.
  • Privacy: ensure that regulation closes the gap between policy and user expectations about data protection and data privacy.
  • Ethical design: ethical standards should be incorporated into the design of technology and delivered by default.
  • Recognition of childhood: protect children and ensure accessibility.
  • Respect for human rights and equality: safeguard freedom of expression.
  • Education and awareness-raising: promote digital literacy.
  • Democratic accountability, proportionality and evidence-based approach: ensure that regulation is evidence based and prevents harm while balancing against the right to freedom of expression.

Must online traders provide consumers with a contact telephone number? Advocate General says no…t necessarily

In a recent request for a preliminary ruling in a case concerning Amazon, the Advocate General Pitruzzella (AG) has given his opinion that the Consumer Rights Directive (2011/83/EU) (CRD) requires traders to offer their consumers a choice of means of communication, but this is not confined to the trader’s telephone number. The CRD includes the trader’s telephone number, fax number and e-mail address, “where available, to enable the consumer to contact the trader quickly and communicate with him efficiently”. The AG clarified that this is therefore not limited to a telephone number, and accordingly traders may use other means of communication with consumers as long as they are consistent with the technical means of the transaction being made.

Online trades imply sufficient knowledge of interacting over the internet

The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband) brought a claim asserting that Amazon did not offer sufficient contact channels to its consumers before the conclusion of an online sale – in spite of the online sales platform’s automated call-back facility and online chat service. There was a particular concern that consumers were not provided with the company’s fax number and were also prompted to follow an identity-verification process before they could have access to Amazon’s general helpline telephone number.

Get your update on IT & Data Protection Law in our Newsletter (Winter 2019 edition)

The Winter 2019 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on Facebook Custom Audiences, social plug-ins, influencer advertising, withdrawal right information, the EU copyright law reform and more. The newsletter also includes multiple recommended reads on the GDPR.

We hope you enjoy reading it.

FCA and ICO strengthen cooperation in renewed memorandum of understanding

On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing.

Cooperation and information sharing

The ICO and FCA have set out what matters they will communicate with each other and the exchange of information between them. Subject to legal restrictions on the disclosure of information, the ICO and FCA have agreed to:

First annual report of the European Data Protection Supervisor since GDPR

On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year.

This is a short overview of some of the key themes in the EDPS’s annual report:

  1. Overview of 2018:
  • GDPR: This is the first annual report of the EDPS since the GDPR ((EU) 2016/679) came into force on 25 May 2018, bringing in new data protection legislation for a new era.
  • Establishing the European Data Protection Board: The GDPR established the European Data Protection Board (EDPB), replacing the Article 29 Working Party. The EDPB took over the Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice. The EDPB is also tasked with ensuring the consistent application of the GDPR in each EU member state.
  • Publishing opinions: The EDPS publishes opinions to inform how EU institutions make decisions about personal data ranging from big data and fundamental rights to consumer and data protection law. In particular, the latter opinion was identified by the EDPS as a highlight for him last year.
  • The ePrivacy Directive (ePR): The proposed ePR will align the EU’s ePrivacy regime more closely with the GDPR. The EDPS continues to support the efforts of EU legislators in reaching agreement on the final text of the ePR. Progress was made last year with the Council of the European Union publishing amendments to the draft ePR. It is hoped that the ePR will come into force in 2019.
