Social, Mobile, Analytics & Cloud (SMAC)

The UK Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online products and services provided by information society services (ISS). The consultation closes on 31 May 2019. The draft code sets out principles for any online service accessed by children under the age of 18.

Best interests of the child at the core

This code of practice is based on the key principle in the United Nations Convention on the Rights of the Child that the best interests of the child should be a primary consideration in all actions concerning children. In the context of today’s myriad of online services, it has become increasingly difficult for both parents and children to make informed choices or exercise control over the way services use children’s personal data. The code aims to respect the rights and duties of the parents but also the children’s evolving capacity to make their own choices.

16 headline ‘standards of age-appropriate design’

The code requires ISS providers to abide by 16 cumulative standards when processing personal data of children through their services:
Continue Reading Protection of children’s online space: ICO issues code of practice on age-appropriate design

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (“Marketing Checkbox”)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (“Cookie Checkbox”)

Cookie consent

Article 4(11) of the General Data Protection Regulation (“GDPR”) defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The AG stated that there was no active consent in this instance because the Cookie Checkbox was pre-ticked. It is not sufficient to be considered active consent if the user must object (by un-ticking the checkbox) to the use of cookies.Continue Reading Planet49: Advocate General’s opinion on cookies and consent bundling

The Winter 2019 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on Facebook Custom Audiences, social plug-ins, influencer advertising, withdrawal right information, the EU copyright law reform and more. The newsletter also includes multiple recommended reads on the GDPR.

We hope you enjoy

In today’s digital age, brands are increasingly utilising the platforms of celebrities, vloggers, bloggers and other social media personalities (Influencers) to reach their target audiences and boost sales. Social media platforms are now coming under scrutiny for their unregulated space. To assist influencers and brands to comply with the law, the Competition and Markets Authority

The President has made artificial intelligence technology a policy priority. On February 11, 2019, the President issued an Executive Order to direct most federal executive agencies to promote and protect American advancements in artificial intelligence while working with private industry. The order recognized that public trust in artificial intelligence is an important factor in the development and use of the technologies, and highlights the need to “protect civil liberties, privacy, and American values in their application in order to fully realize the potential of AI technologies for the American people.”>

Specifically, the President ordered the agencies to consider artificial intelligence as a research and development priority and

  • Invest in artificial intelligence (for example, machine learning) research and development.
  • Enhance access to data, models, algorithms, and computing resources to promote artificial intelligence research and development (consistent with obligations to maintain safety, security, privacy, and confidentiality).
  • Reduce barriers to the use of artificial intelligence (for example, machine learning) technologies.
  • Help develop technical standards that minimize vulnerability to attacks and “reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies.”
  • Train a workforce that can develop and take advantage of developments in artificial intelligence.
  • Develop an action plan to “to protect the advantage of the United States in AI and technology critical to United States economic and national security interests against strategic competitors and foreign adversaries.”

Continue Reading President prioritizes research, development, and deployment of artificial intelligence technology

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic by the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites that were reviewed used thirdparty tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurances, banks, media, cars and houses.

The Bavarian DPA emphasised its audit on transparency and consent. Continue Reading German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

Singapore has set up a new Telecom Cybersecurity Strategic Committee (TCSC) to develop a plan to tackle ‘next-generation cyber threats’ in the telecommunications sector.

The committee is expected to publish a strategy report and outline a roadmap for telecommunications operators to develop cybersecurity capabilities later in 2019. The report and roadmap will include recommendations for new initiatives such as capability development, technology innovation, regulation and international partnerships.

In his opening address at the inaugural Infocomm Media Cybersecurity Conference on 25 January 2018, Dr Janil Puthucheary, senior minister of state for the Ministry of Communications and Information, highlighted the following points.

As “Singapore aims to be a Smart Nation and a leading digital economy”, there is a vital need for cybersecurity. He added that the telecom industry is key and fundamental to secure Singapore’s connectivity infrastructure and services.

The government and telecommunication industry players should collaborate on cybersecurity matters. To date, some examples of such collaborative efforts include:

  • The Infocomm Media Development Authority of Singapore (IMDA)’s launch of the Infocomm Singapore Computer Emergency Response Team in 2015 to respond to cybersecurity threats within the telecommunications and media sectors; and
  • IMDA’s revision in 2018 of the Telecommunications Cybersecurity Code of Practice to ensure that best practices from the industry can be applied to the telecom space.
  • The TCSC will identify challenges, key telecommunication technologies and market developments that will shape the cyber threat landscape. This is to ensure that Singapore keeps up to date on global, technological and industry trends.

Continue Reading Singapore announces series of initiatives to boost cybersecurity in the telecoms sector

Tuesday, December 4, is officially “E-Discovery Day” and Reed Smith is doing its part to participate. Join us as we host a free onehour webinar: “Discovery crossfire: Debating the controversial issues in E-Discovery.”

The program, scheduled for 12-1 p.m. ET, will feature debates on five controversial e-discovery

On November 28, 2018, Singapore’s Personal Data Protection Commission (commission) issued its grounds of decision against Big Bubble Centre (respondent), a sole-proprietorship in the scuba-diving business.

The facts of the case were as follows:

  • The complainant was an individual who had worked for the respondent and claimed that he was not paid wages for such work. He resigned and decided to take some diving equipment, which he claims to have paid for.
  • The respondent refuted the complainant’s claim, and instead asserted that the complainant had owed it money for participating in and logging dives organized by the respondent for the purposes of obtaining his PADI Dive Master Certification. Further, it alleged that the complainant had stolen its diving equipment as well as the respondent’s documents.
  • The complainant in turn claimed that the respondent had sent text messages to some of its customers informing them about the respondent’s allegations against the complainant.
  • The complainant himself wrote a Facebook post detailing his angst with the respondent and its owner. In that same post, he also warned other divers from joining the respondent.
  • The respondent posted two Facebook posts of its own, detailing the money that was allegedly owed to it by the complainant, and disclosed the following personal data in these posts:
    1. the complainant’s name, national registration identity card number, date of birth, passport number and expiry date, mobile phone number, email address, residential address; and
    2. the complainant’s female friend’s name and residential address, as well as the make of her car.

Continue Reading Singapore data protection commission issues warning for “heat of the moment” disclosure of personal data