Public comment for private matters: NTIA receives over 200 comments on proposed approach to protecting consumer privacy informed by GDPR, CCPA & more

On November 13, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) released comments it received from over 200 government, non-profit, academic, and private sector organizations on developing the Administration’s approach to consumer privacy.[1]

Since September, the NTIA has sought public comments to specifically address a number of questions that focused on the outcomes, goals, risks, and implementation of its proposed high-level framework for consumer privacy protection. The Administration’s framework articulated a set of organizational practices focused on data transparency, minimization of collection, the storage, use, and sharing of data, security, and risk management, in addition to broader goals to reconcile a disparate regulatory patchwork and ensure that resources for privacy protections and enforcement are properly allocated. If a few of these concepts sound familiar, it’s because they loosely mirror elements of existing privacy frameworks established at the industry, state, and international levels, and the sources and arbiters of those frameworks took this opportunity to urge the Administration to follow these examples more closely. As the Executive Branch agency principally responsible by law for advising the president on information policy issues, the goal of the NTIA’s request for comment is to inform the Administration’s approach to consumer privacy. As such, the Administration’s consideration and reaction to the comments received is likely to affect future discussions and proposals in the ongoing debate regarding federal privacy legislation. As expected, many of the comments are framed against the backdrop of recent, related changes in law, with particular focus on the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Here, we summarize some of the significant comments and proposals received by the NTIA.

Continue Reading

Singapore data protection commission issues warning for “heat of the moment” disclosure of personal data

On November 28, 2018, Singapore’s Personal Data Protection Commission (commission) issued its grounds of decision against Big Bubble Centre (respondent), a sole-proprietorship in the scuba-diving business.

The facts of the case were as follows:

  • The complainant was an individual who had worked for the respondent and claimed that he was not paid wages for such work. He resigned and decided to take some diving equipment, which he claims to have paid for.
  • The respondent refuted the complainant’s claim, and instead asserted that the complainant had owed it money for participating in and logging dives organized by the respondent for the purposes of obtaining his PADI Dive Master Certification. Further, it alleged that the complainant had stolen its diving equipment as well as the respondent’s documents.
  • The complainant in turn claimed that the respondent had sent text messages to some of its customers informing them about the respondent’s allegations against the complainant.
  • The complainant himself wrote a Facebook post detailing his angst with the respondent and its owner. In that same post, he also warned other divers from joining the respondent.
  • The respondent posted two Facebook posts of its own, detailing the money that was allegedly owed to it by the complainant, and disclosed the following personal data in these posts:
    1. the complainant’s name, national registration identity card number, date of birth, passport number and expiry date, mobile phone number, email address, residential address; and
    2. the complainant’s female friend’s name and residential address, as well as the make of her car.

Continue Reading

SEC settles two ICO enforcement actions

The U.S. Securities and Exchange Commission (SEC) recently settled two initial coin offering (ICO) enforcement actions grounded on the sale of unregistered securities. The two settlements, one with CarrierEQ Inc. (or AirFox) and the other with Paragon Coin Inc., are the first time the SEC has imposed civil penalties on companies solely for offering digital tokens in an ICO. Notably, the settlements signal the SEC’s intent to enforce the securities laws against sellers of cryptocurrencies, regardless of whether a seller engages in fraudulent activity. To read more about the settlements, click here.

European Data Protection Board update

The European Data Protection Board (EDPB) met for its fourth plenary session on 16 November 2018. The session covered many areas of discussion, outlined in the session’s agenda.

The EDPB published a press release, highlighting the three main areas of discussion.

  1. EU-Japan draft adequacy decision. The EDPB discussed the draft adequacy decision, which it received in September from Commissioner Věra Jourová. The EDPB believes in guaranteeing a high level of data protection for transfers from the European Union to Japan.
  2. The interplay between the General Data Protection Regulation and the Clinical Trials Regulation. The EDPB has agreed to provide guidance on the interplay between the General Data Protection Regulation 2017/679 (GDPR) and the Clinical Trials Regulation. This will feed into the European Commission’s draft Clinical Trials Questions and Answers guidance.
  3. Guidelines on territorial scope. The EDPB aims to provide a common interpretation of the GDPR’s territorial scope, in particular where a party is established outside of the EU. In September, the EDPB adopted new draft guidelines that address this and were discussed further during the November session. The guidelines were published by the EDPB on 23 November 2018.

The next plenary session is due to take place on 4 and 5 December 2018.

Regulatory framework for free flow of non-personal data formally adopted by European Parliament and the Council of the European Union

In September 2017, we published a blog that outlined the Commission’s proposal for a framework on this subject (you can view our blog here). In June 2018, we further reported that the European Parliament, Council of the European Union and the European Commission had reached a political agreement on the rules for the free flow of non-personal data (which is available here).

The legislative process has now taken a further step forward. On October 4, 2018, the European Parliament formally adopted, at first reading, the Commission’s proposal for a regulation on a framework for the free flow of non-personal data in the EU (the Regulation). This was followed, on November 9, 2018, by formal adoption of the Regulation by the Council without further amendments.

What is non-personal data?

Non-personal data is essentially any data that does not relate to an identified, or identifiable, natural person. Examples of non-personal data are set out in the recitals to the Regulation, which include aggregated and anonymised data sets used for big data analytics, data on precision farming that could help to monitor and optimise the use of pesticides and water, and data on maintenance needs for industrial machines.

What is the purpose of the Regulation?

As highlighted in our earlier blogs, a number of obstacles had previously been identified that were thought to impede the free flow of data in the European Digital Single Market. The Regulation aims to ensure the free flow of non-personal data within the EU by specifically addressing these obstacles.

Key provisions of the Regulation

  • Free flow of data across borders: The Regulation prohibits data localisation restrictions, thereby permitting organisations to store data anywhere in the EU. Member States have specified time limits to communicate to the Commission any remaining or planned data localisation restrictions that are justified on grounds of public security.
  • Data availability for regulatory control: The Regulation allows competent authorities to access data – for scrutiny and supervisory control – despite where it is stored and/or processed in the EU. It also allows Member States to sanction users that do not provide access to data stored in another Member State.
  • Portability of data: The Regulation encourages the creation of codes of conduct for service providers who process data (for example, cloud service providers) in order to facilitate switching between providers in a structured and transparent manner.

Next steps

The Regulation is being adopted under the ordinary legislative procedure – the EU’s main process for adopting new legislative acts. Once the Regulation has been signed by both the European Parliament and the Council of the European Union and published in the Official Journal of the European Union, it will become directly applicable in all Member States six months after publication.

German State Media Authorities issue new guidance paper on marking adverts on social media

Recently, the German media regulators, the State Media Authorities (Landesmedienanstalten), issued a joint guidance paper on marking adverts on social media, which is available in German language here (Leitfaden der Medienanstalten, Werbekennzeichnung bei Social Media-Angeboten; “Guidance Paper”). The Guidance Paper replaces the State Media Authorities’ earlier FAQs. It is intended to help organisations and individuals to comply with the applicable statutory provisions on marking adverts and separating adverts from other content on social media, taking into consideration the different legal regimes that apply to different media: While video content is mainly covered by the German Interstate Broadcasting Treaty (Rundfunkstaatsvertrag – RStV), posts containing text and pictures are subject to the provisions of the Federal Telemedia Act (Telemediengesetz – TMG).

What content needs to be marked as an advert?

The Guidance Paper deals with different types of content and the question of whether each type should qualify as advertising. The general recommendations of the State Media Authorities are as follows:

Advertising an organisation’s own products and services. Posts/descriptions of an organisation that advertise the organisation’s own products, services or brands shall not be covered by any specific marking obligation as long as the organisation that advertises its own products and services is clearly identifiable for the relevant users. In the view of the State Media Authorities, this shall in particular apply to social media channels of renowned brands, online shops or to channels that, by their name, are clearly recognizable as commercial channels. The same holds true for artists who promote their new album or actors who promote their new movie. Where the organisation is not clearly identifiable for users, the content will need to be marked as an advert.

Affiliate links and other commercial links generally trigger a marking obligation, while linking friends to the organisation’s own products/brands/services shall not require a specific marking. Discount codes shall trigger a marking obligation.

Influencers. Where influencers receive any type of consideration – in cash or in kind – for mentioning certain brands, companies or groups of companies, organisations, products, services, geographic regions or journeys in their posts, the influencers will be required to mark their posts as adverts. As long as there is no cooperation with the organisation responsible for the products and services that are mentioned in the influencers’ posts and the posts are based on the influencers’ own decisions and free from any commercial incentive, no specific marking will be required.

However, where, in the perception of other users, the influencer’s post is intended to increase product sales, this may also trigger a marking obligation for the influencer, even in the scenario where no contractual arrangement exists between the influencer and the brand owner or organisation. In order to assess whether such scenario is given, certain criteria may be taken into account, such as (i) extremely positive ratings of certain products and/or services, (ii) invitations to buy, (iii) repeatedly posting about the same products and/or services from one and the same brand, (iv) combination of the posts with affiliate links, and/or (v) indicating of prices and buying sources.

Notably, the State Media Authorities’ approach appears to be rather relaxed, compared to the approach taken by German courts: Recently, several German courts ruled against influencers who did not sufficiently mark their posts as adverts, even if no commercial agreement was in place with the organisation responsible for the products and/or services mentioned in their posts.

How are adverts to be marked?
The Guidance Paper contains a certain “advertising marking matrix” (Kennzeichnungs-Matrix; “Matrix”) that provides an overview of the State Media Authorities’ recommendations on how to properly mark adverts. The recommendations are given separately for (i) video content (YouTube, Facebook etc.), (ii) pictures/text (Instagram, Facebook, Twitter, etc.) and (iii) blogs. The Matrix contains the State Media Authorities’ recommended wording that may be used for the marking of posts, depending on the relevant content.

Notably, the State Media Authorities take the view that using only the promotion disclosure tools offered by YouTube and Facebook shall not be sufficient to comply with the German law requirements for properly marking posts as adverts. Rather, the State Media Authorities stress that these tools may be used as an additional means to properly mark the adverts.

Where posts containing adverts are made on German language channels, English language disclosures/markings, such as “ad”, “sponsored by” or “PR Sample” shall not be sufficient.


The Guidance Paper is a useful source for all market participants who utilize social media as part of their marketing activities. Furthermore, it is more likely than unlikely that the Guidance Paper will be taken into account by the German courts. Therefore, it should be considered carefully, even though its terms are not legally binding.

Update on Facebook fan pages: What should organisations do after the release of Facebook’s co-controller agreement?

After another statement by the German Data Protection Authorities (German DPAs) of 5 September 2018 (Statement, available in English here), stating that the operation of a fan page as offered by Facebook was illegal, Facebook reacted “overnight” and released a co-controller agreement, the “Page Insights Controller Addendum” (Insights Addendum, available here). In a press release of 16 November 2018 (Press Release, available in German here), the Berlin Data Protection Authority (Berlin DPA) announced that it has been auditing organisations concerning the use of Facebook fan pages since early November. In this blog, we provide recommendations as to what organisations should do next.


On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its judgment (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the fan page. Only a day later, the German DPAs released their first statement on the consequences of the judgment, arguing that organisations do not meet data protection standards when operating a fan page on Facebook, leaving marketers in Germany and Europe with lots of uncertainty (for more background, please review our previous blog How big is the risk to operate Facebook fan pages in Germany?). Three months then passed without Facebook providing any solution to the operators of fan pages.

Continue Reading

ICO brings criminal prosecution for data misuse

The Information Commissioner’s Office (ICO) has prosecuted an individual under the Computer Misuse Act 1990 (CMA 1990), resulting in a six-month prison sentence. This prosecution is the first of its kind by the ICO.

The facts

The defendant was a man named Mustafa Kasim. Mr Kasim was employed in the motor repair industry and had used a colleague’s log-in details to access a software system. This allowed Mr Kasim to access the personal data of customers, such as their names, phone numbers, and vehicle and accident information, without permission. Mr Kasim continued to access the software after moving to a different organisation. Continue Reading

ICC updates marketing and advertising code to account for the digital world

The International Chamber of Commerce (ICC) has revised its code of conduct for advertising and marketing (the ICC code) to keep up with the “rapid evolution of technology and technologically-enhanced marketing communications and techniques”.

The revised ICC code considers emerging digital marketing and advertising practices, in order to set a “gold standard for modern rule-making in our digital world”.

The ICC code

The ICC code is a framework for self-regulation, which applies across the global advertising and marketing industry.

The basic principle of the ICC code is that all marketing communication should be “legal, honest, decent and truthful”. Other key principles include respecting human dignity, being transparent, fair competition, social responsibility, making the marketer’s identity apparent, and taking special care where communications are directed at children and teenagers under 18.

What’s new?

Continue Reading

Guiding principles for AI development

A meeting of data protection authorities from around the world has highlighted the development of artificial intelligence and machine learning technologies (AI) as a global phenomenon with the potential to affect all of humanity. A coordinated international effort was called for to develop common governance principles on the development and use of AI in accordance with ethics, human values and respect for human dignity.

The 40th International Conference of Data Protection and Privacy Commissioners (conference) released a declaration on ethics and data protection in artificial intelligence (declaration). While recognising that AI systems may bring significant benefits for users and society, the conference noted that AI systems often rely on the processing of large quantities of personal data for their development. In addition, it noted that some data sets used to train AI systems have been found to contain inherent biases, resulting in decisions which unfairly discriminate against certain individuals or groups.

To counter this, the declaration endorses six guiding principles as its core values to preserve human rights in the development of AI. In summary, the guiding principles state: Continue Reading