Social, Mobile, Analytics & Cloud (SMAC)

On February 13, 2020, the German Federal Ministry of Justice and Consumer Protection (BMJV) published a proposal to soften the regulatory requirements for influencers for labeling their posts as advertising (Proposal). Under the Proposal, statements posted on social media about products for which no consideration was given – either in the form of monetary compensation

The Winter 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. ECJ decision on the use of cookies (“Planet49”) does not provide clarity
  2. ECJ: Global take-down duties of hosting providers
  3. ECJ on the territorial

The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:Continue Reading Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

Social media users may soon be able to easily transfer their personal information to competing platforms. On October 22, 2019, a bipartisan group of U.S. senators (Mark R. Warner (D-VA), Josh Hawley (R-MO), and Richard Blumenthal (D-CT)) introduced the Augmenting Compatibility and Competition by Enabling Service Switching Act (ACCESS Act), a bill aimed at encouraging market-based competition among today’s major social media platforms by requiring the largest of these tech companies to allow users to move their data from one service to another.

The bill, should it become law, would be regulated and enforced by the Federal Trade Commission (FTC), and would require large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:

  • Make users’ personal data portable, by allowing users to retrieve and/or transfer their personal data in a structure and machine-readable format.
  • Maintain interoperability with other platforms, including competing companies.
  • Give users the ability to designate a trusted third-party service to manage their privacy, content, online interactions, and account settings.

Continue Reading Bipartisan social media data portability bill introduced in U.S. Senate

In Singapore, private sector organisations must generally comply with the transfer limitation obligation in the Personal Data Protection Act (the Act). Any transfer of personal data outside Singapore must be in accordance with the Act’s requirements, to ensure that a comparable standard of protection is accorded to that data.

However, where an organisation is a data intermediary, i.e., it processes personal data on behalf of and for the purposes of another pursuant to a written contract, that intermediary is not subject to the transfer limitation obligation, as specified in section 4(2) of the Act.Continue Reading Guidance given on Singapore cross-border data transfer obligation for intermediaries and cloud providers

Given the vast challenges California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), poses for digital marketing, the Interactive Advertising Bureau (IAB) released for public comment a draft of its proposed Compliance Framework for Publishers & Technology Companies (the Framework) on October 22.

“Selling” and CCPA challenges for digital. Those who have been actively preparing for CCPA’s implementation on January 1 know by now that pursuant to section 1798.115(d) of the CCPA, a company that has personal information about a consumer may not onward “sell” (as defined in the CCPA) such information to another party without the consumer (1) having received explicit notice of the sale of the personal information and (2) being given the right to opt out pursuant to section 1798.120. Under the CCPA, even if consumers opt out of having their personal information sold, the information may be shared with third parties acting as “service providers” for limited purposes, but the party disclosing the personal information (that is, the “business”) is very specifically limited in its ability to use any data it received that is deemed “personal information.”

Current information sharing practices. Currently, in the programmatic advertising ecosystem, publishers may pass personal information about visitors to their website to downstream participants (the Downstream Participants) who then may pass such information on to others in the supply chain. These Downstream Participants include providers such as:

  • supply-side platforms (SSPs)
  • demand-side platforms (DSPs)
  • ad exchanges
  • ad networks
  • ad tech platforms
  • data management platforms (DMPs)

Downstream Participants also include the advertiser who ultimately purchases the ad, funds the ecosystem, and, in many cases, expects to have ready and trusted access to information associated with its advertising activity and consumer behavior in response to such advertising.Continue Reading IAB issues CCPA compliance framework for public comment

In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)).

The ECJ set clear requirements on what cookie consent must look like. However, the requirements for when websites must ask for cookie consent may vary from one EU member state to another as some member states, such as Germany, have not implemented the Cookie Directive and the Judgment, therefore, does not apply directly.

As a rule of thumb, it can be said that, at minimum, websites must ask for cookie consent for all cookies other than cookies that are technically required to operate the website or to provide the website service to the user. In other words, tracking, marketing and analytics cookies may only be used with explicit, clear, informed (Art. 13 GDPR) and prior consent.

Background

The case involved a promotional lottery, which was presented with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (Marketing Checkbox)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (Cookie Checkbox)

Continue Reading Compliant use of cookies in the EU is still a secret recipe: ECJ decides on Planet49, but does not provide clarity

The Summer 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. ECJ and GDPR: Another decision hitting social media activities by companies
  2. EDPB does not opt for changes to EU standard contractual clauses
  3. EU

In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:

“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”

German government’s assessment of the ePrivacy Regulation

The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.
Continue Reading Update on ePrivacy Regulation: “Current draft does not guarantee high level of protection and cannot be supported”, German government states

The Spring 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on cookies and tracking tools, Facebook fan pages, fines under GDPR, influencer marketing, email encryption, platform provider obligations, framing, the new German Trade Secrets Act, and more. The newsletter also includes multiple