Supreme Court drops hints about upcoming privacy decision in Carpenter

Todd KimKelley ChittendenBy Todd Kim and Kelley Chittenden on Posted in In the Courts, Privacy & Data Protection

As previously reported, the Supreme Court on November 29 heard arguments in Carpenter v. United States, an important privacy case about the Fourth Amendment’s application to 127 days’ worth of a criminal suspect’s cell-site location information. While the Court has yet to decide the case, its decisions last week in Byrd v. United States and earlier this Term in District of Columbia v. Wesby (argued by one of this post’s authors) hint of trouble ahead for the government.

Byrd and Wesby: A practical rather than technical reading of the Fourth Amendment

While the facts were quite different in Byrd and Wesby, the decisions share a common theme. In both, the Supreme Court rejected analytical shortcuts that did not reflect the real world.

Byrd involved a police search of a rental car trunk yielding contraband, including forty-nine bricks of heroin. The lower courts accepted the government’s argument that the driver could not object to the search under the Fourth Amendment because “drivers who are not listed on rental agreements always lack an expectation of privacy in the automobile based on the rental company’s lack of authorization alone.” The Supreme Court decisively rejected this “per se rule.” It noted how there are “countless innocuous reasons why an unauthorized driver might get behind the wheel of a rental car and drive it” and how “car-rental agreements are filled with long lists of restrictions.” A breach of an agreement would not automatically mean the driver lacked even the reasonable expectation of privacy necessary to claim Fourth Amendment protection. (The same might be argued of email providers’ fine-print-laden Terms of Service, as the Electronic Frontier Foundation and Orin Kerr have noted.) But the Court also rejected the competing argument that the sole occupant of a rental car “always” has an expectation of privacy, and so it remanded for a ruling based on the precise facts rather than categorical rules. Continue Reading

Network and Information Systems Regulations 2018 come into force in the UK and government cybersecurity survey is published

Cynthia O’DonoghueKaren Lee LustBy Cynthia O’Donoghue and Karen Lee Lust on Posted in Privacy & Data Protection, Regulatory

On 10 May 2018, the Network and Information Systems Regulations 2018 (NISR) came into force in the UK. NISR stems from the Network Information Systems Directive 2016 of the EU, which has been covered by this blog previously. Relatedly, on 25 April 2018, the UK government’s Department for Digital, Culture, Media and Sport (DCMS) published the Cyber Security Breaches Survey 2018. This survey details business and charity action on cybersecurity and the impact of cyberattacks.

Summary of NISR

These regulations outline measures to protect critical IT systems in economic sectors like energy, banking, transport and health. NISR applies to “operators of essential services” (OESs) and “digital service providers” (DSPs). It focuses on network and systems security and interruption to services.

The UK government has the power to designate which organisations are OEPs, and therefore within scope of the new laws – providing certain criteria is met. DSPs are directly subject to the new regulations, although micro and small businesses are exempt. OESs and DSPs are required to keep their networks and information secure, and to notify competent authorities of security incidents. Competent authorities vary by sector and include the Information Commissioner’s Office, Ofcom and various regulatory bodies.

NISR contains a tiered system of fines for breaches, dependent on the severity of their consequences:

  • Up to £3.4 million where a security incident has or could cause a reduction in the provision of services for a significant period of time
  • Up to £8.5 million where services have or could be disrupted for significant period of time
  • Up to £17 million for serious cases where a security incident has or could cause “an immediate threat to life or significant adverse impact on the United Kingdom economy.

Comment

NISR appears to have been overshadowed by the General Data Protection Regulation, which comes into force on 25 May 2018. However, NISR should be closely examined by any potential OES or DSP, especially given the notification obligations and potentially large fines. The DCMS provided important clarity that operators who assess risks adequately, take appropriate security measures and engage with regulations can avoid fines, which should only be used as a last resort.

Cyber Security Breaches Survey 2018

The messaging around the survey is that UK businesses need to do more to protect themselves against cybercrime. The statistics in the survey show that 43 per cent of business and 19 per cent of charities suffered a cyber breach or attack in the past 12 months. For large businesses, the figure rises to 72 per cent.

Common breaches involve fraudulent emails, scammers impersonating the organisation, viruses, ransomware and malware. The impact of breaches and attack can range from temporary or permanent file loss, to reduced website functionality, to theft of money, assets and intellectual property. The survey urges businesses to consider their “organisational cultures”, seek guidance, engage in staff training and deploy cybersecurity policies, and undertake audits and monitoring regarding the efficacy of such policies.

The survey forms part of the UK’s broader National Cyber Security Programme, linking in with the introduction of NISR, the GDPR coming into force on 25 May 2018 and continued government investment in this area.

 

The High Court considers the right to be forgotten

Cynthia O’DonoghueCurtis McCluskeyBy Cynthia O’Donoghue and Curtis McCluskey on Posted in In the Courts, Privacy & Data Protection

On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), ruled against Google, in favour of two businessmen advocating for the right to be forgotten. You can find the full judgment here, but in this blog we explore the reasoning behind the Court’s decision.

Right to be forgotten/right to erasure

The Court of Justice of the EU confirmed the right to be forgotten as an existing right under data protection laws, in Google Spain SL v Agencia Espanola de Protección de Datos Case of 2014: 317. The right to be forgotten is made explicit in the EU General Data Protection Regulation 2016/679 (GDPR) text. Essentially, in the GDPR the right is an enhanced right of erasure. The right is not absolute, which means that a controller does not need to comply with the request if there is a legitimate reason for continuing to process the personal data.

Case summary

Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:

  • NT1 was convicted of conspiracy to commit false accounting and tax evasion; and
  • NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.

Continue Reading

Trade secret litigation – is Germany next?

Anette GaertnerBy Anette Gaertner on Posted in Privacy & Data Protection, Regulatory

In anticipation of the implementation of the Trade Secrets Directive, the topic of know-how protection has been widely discussed. Dr Anette Gärtner, along with Sabrina Gossler, has written an article which explores the current legal situation in Germany, analyses the relevant provisions of the Directive and explains the immediate next steps for companies operating in Germany. Key messages to take from the article include the need for companies to take objective measures to safeguard confidentiality and the introduction of the Confidentiality Club, which will lead to an increase in German trade secret litigation. Please refer to the full article by Dr Anette Gärtner and Sabrina Gossler in the May issue of Mitteilungen der dt. Patentanwälte for further commentary.

Article 29 Working Party issues final guidelines on consent

Cynthia O’DonoghueJohn O'BrienBy Cynthia O’Donoghue and John O'Brien on Posted in Privacy & Data Protection, Regulatory

On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data.

Technology Law Dispatch looked at the WP29’s draft guidelines on consent earlier this year. This article examines the differences between the draft and final guidelines.

Conditions for valid consent – freely given

Under the GDPR, consent must be freely given, specific, informed and unambiguous. Where a controller wants to process personal data for additional purposes other than the provision of a requested service, individuals should be given the option to separately consent to or reject such processing.

WP29 states that consent will not be freely given where a controller argues that a choice exists between: (1) its service that include processing for additional purposes; and (2) an equivalent service offered by a different controller.

WP29 states that an individual’s freedom of choice is dependent on: (1) the practices of market competitors; and (2) whether a data subject finds other controllers’ services to be genuinely equivalent. Such an approach would imply an obligation for controllers to monitor market developments to ensure continued validity of consent for their processing activities, as competitors could always alter their services. This would not be a realistic or pragmatic approach, and WP29 has now rejected it.

Continue Reading

Article 29 Working Party adopts finalized guidelines on transparency under GDPR

Cynthia O’DonoghueKaren Lee LustBy Cynthia O’Donoghue and Karen Lee Lust on Posted in Privacy & Data Protection, Regulatory

The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), following its public consultation.

Technology Law Dispatch looked at the draft guidance on transparency earlier this year, so this blog focuses on the key issues and what is new in the final guidelines.

Information being “intelligible”

The updated guidelines link the requirement for information to be intelligible, using plain and clear language, and accountable. The guidelines now state that an “accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.” This includes, for example, assuming working professionals have a higher understanding of certain issues than children or non-specialists. In other words, the data controller is expected to customize its notices and information as appropriate to the applicable audience. The final guidelines also suggest mechanisms by which controllers can test their interfaces, notices and policies for intelligibility and transparency – including the use of industry groups, consumer advocacy groups, readability tests and regulatory bodies.

Continue Reading

D.C. federal court rules that web scraping does not violate the CFAA and may be protected by the First Amendment

Mark H. FrancisBy Mark H. Francis on Posted in Big Data, In the Courts

On March 30, 2018, a D.C. federal district court denied a motion to dismiss an ACLU case filed against the government to challenge the constitutionality of the Computer Fraud and Abuse Act (CFAA), which makes it a federal crime to access a computer in a manner that “exceeds authorized access.” Sandvig v. Sessions, No. 1:16-cv-01368, Dkt. 24 (D.D.C. Mar. 30, 2018). The court held that the plaintiffs could proceed with their claim that the Free Speech and Free Press Clauses of the First Amendment, as applied, bar prosecution under the CFAA because it would restrict the plaintiffs’ ability to report on publicly available information, and even information available only following user registration on a site is generally available to the public.

The particular facts of the Sandvig case are unsurprisingly aimed at highlighting a potentially extreme application of the CFAA. The named plaintiffs are four professors and a media organization investigating whether automated decision-making and ad targeting technologies employed by various websites would result in potentially discriminatory practices against protected classes. For example, they want to analyze whether a real estate or employment website would discriminate against a user based on race. To perform the necessary analysis, they intend to use web scraping, bots, fake accounts (“sock puppets”) and other data collection techniques to conduct outcomes-based audit testing of websites and uncover such practices. These activities are typically prohibited by websites’ terms of service (TOS) and therefore unauthorized activity.

Continue Reading

Article 29 Working Party consultation on guidelines for accrediting certification bodies under the GDPR

Cynthia O’DonoghueBy Cynthia O’Donoghue on Posted in Privacy & Data Protection, Regulatory

The Article 29 Working Party (WP29) published a consultation on guidelines for the accreditation of certification bodies under the General Data Protection Regulation (GDPR), which closed at the end of March.

The consultation guidelines would require a certification body under the GDPR to be accredited by either the competent supervisory authority or the national accreditation body, or both. The guidelines aim to establish a harmonised baseline for certification.

General overview

In brief, the guidelines:

  • set out the purpose of accreditation and include a list of definitions;
  • explain routes to accredit certification bodies;
  • give a framework for additional accreditation requirements, when accreditation is handled on the national level;
  • stress they are not a procedural manual, or a new technical standard;
  • highlight that the final form document will include an annex outlining a framework for identifying accreditation criteria.

Continue Reading

Brexit sectoral analysis – ICT report

Cynthia O’DonoghueJohn O'BrienBy Cynthia O’Donoghue and John O'Brien on Posted in Privacy & Data Protection, Regulatory

In November 2017, the House of Commons Committee on Exiting the European Union (the Committee) published impact assessment reports of Brexit on various UK business sectors. The Report on the Technology (ICT) Sector (the Report) is a mix of qualitative and quantitative analysis. For each business sector, the Report includes: (i) a description of the sector; (ii) the current EU regulatory regime in which the sector operates; and (iii) an explanation of the frameworks governing how trade is facilitated between countries in the sector. Information provided by the government to the Committee about specific sector views has been withheld by the Committee.

Sector overview

The UK digital sector is vast. It covers digital goods, digital services and digitally enabled transactions of goods and services. It includes the following services and products: (i) audio-visual; (ii) e-commerce; (iii) telecommunications; (iv) data; (v) emerging industries, such as artificial intelligence; (vi) FinTech (dealt with in a separate report); (vii) the Internet of Things; and (viii) cybersecurity. Though London is a prominent hub, digital companies are spread across the UK. Several other cities have highly ranked digital clusters.

The Report highlights:

  • the extent of the UK’s investment in the digital sector;
  • how tech companies are investing in the UK since the Brexit referendum; and
  • information about the value added by the ICT industry, including its contribution to national economy statistics, employment, national balance of trade and international trade.

Continue Reading

Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors

Mark S. MelodiaGerard StegmaierPaul BondKimberly ChowJim BarbutoBy Mark S. Melodia, Gerard Stegmaier, Paul Bond, Kimberly Chow and Jim Barbuto on Posted in Data & Cyber Security

Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, U.S. Securities and Exchange Commission (SEC) and Altaba Inc., (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and 2014, but were not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

 The SEC’s administrative proceeding order pointed to Altaba’s delayed disclosure of the 2013–2014 security incident as well as the company’s public filing of multiple reports with the SEC, which commented on the risks and consequences of a breach in general, but did not notify investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response arising from failures to disclose to affected customers or subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on disclosure to investors of a public company that has suffered a breach, and should encourage companies to direct commensurate focus to their data breach response plans to meet responsibilities to shareholders.

Continue Reading

LexBlog