European Commission outlines blockchain development plans, calls for a feasibility study and unveils FinTech Action Plan.

The EU Commission continues to show its support and investment in new technologies in the digital economy. On February 1, 2018, the Commission and the European Parliament launched the EU Blockchain Observatory and Forum, and earlier this month, the Commission also unveiled its FinTech Action Plan.

The Blockchain Observatory

The observatory is designed to be a comprehensive repository of blockchain expertise and a source of innovation and development. It brings together policymakers, technology experts, regulators, businesses and users with the goal of building on new opportunities offered by the blockchain technology. The initiative forms part of the drive towards the digital single market, a Commission strategy to boost e-commerce, modernize regulations and promote the digital economy. The observatory also aims to support the interoperability of blockchain, which is the ability of computer systems and software to exchange and utilize information without restrictions. It also seeks to address the varied challenges in the blockchain ecosystem – such as trust, compliance, security, traceability by design, among other issues.

The EU Commission has also called for a feasibility study on the opportunity of an EU blockchain infrastructure, with tenders closed in January. The study will research the opportunity, benefits and challenges of an enabling framework supporting blockchain-based services, and whether EU services could run on such an infrastructure.

Continue Reading

New Jersey Appellate Division allows some video surveillance claims to proceed, even though plaintiffs cannot identify themselves in the recovered recording

In a published decision, a unanimous panel of the Appellate Division rejected “the notion that plaintiffs – in alleging an invasion of privacy in an office building’s bathroom – could only claim the presence of a hidden recording device by demonstrating their images were actually captured.” Jaime Friedman et al. v. Teodoro Martinez et al., case number A-4896-15T1.  In so doing, the panel rejected a lower court ruling and allowed plaintiffs to survive summary judgment on the basis of more circumstantial evidence.

The plaintiffs in Friedman alleged that a janitor placed hidden recording devices in a women’s restroom and recorded private activities for six months to a year. The police recovered footage of about eight hours of such illicit surveillance. The plaintiffs, sixty women, sued the janitor and his employer, as well as the owner of the building and the company managing the building. Each plaintiff alleged that she had used that women’s restroom while the hidden camera had been activated.

In discovery, the trial court required each plaintiff to identify one or more images of herself on the recovered recording. Thirty-five of the plaintiffs were unable to do so. As to those plaintiffs, the trial court granted defendants’ summary judgment.

Continue Reading

State attorneys general advocate continuing state leadership in privacy enforcement, denounce federal preemption of state breach and security laws

Illinois Attorney General Lisa Madigan is leading a coalition of 32 attorneys general (Agreements) in opposition to federal preemption in the area of data breaches, identity theft, and data security.

Specifically, the group wrote a bipartisan letter on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act, a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs cite recent breaches as examples of the increasing threat and evolving nature of data security risks, and argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws.

In particular, the letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, preventing the opportunity consumers currently have under state law to take proactive steps upon timely notification; and (3) it addresses breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today that do not occur on a national scale. Continue Reading

FTC report looks to improve mobile device security for businesses

On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices and educate consumers on their role in the update process. While the report is framed as offering recommendations, businesses should keep in mind that such reports often convey the FTC’s view on reasonableness in security practices and influence the agency’s enforcement activities. To read more, click here.

Binding corporate rules – Article 29 Working Party issues revised guidelines

On 6 February 2018, the Article 29 Working Party (WP29) adopted revised guidelines on binding corporate rules (BCRs). These were issued following a period of public consultation that concluded on 17 January 2018. Technology Law Dispatch previously covered the issuing of the draft guidelines last December, in a blog setting out the key elements of both guidelines. 

In simple terms, BCRs are a business-specific framework that allows intra-organisational cross-border transfers of data from organisations within the European Union to their affiliates outside of the EU. BCRs underpin shared data processing standards compatible with the General Data Protection Regulation (GDPR) and wider EU data protection law. The GDPR incorporates BCRs into legislation and sets out various conditions at article 47 that must be met when businesses utilise them.

The revised guidelines (WP256 for Controllers and WP257 for Processors) address the principles and elements businesses should incorporate in their BCRs. The guidelines have revised the original guidance, although they remain largely similar to what was published in draft last year.

Continue Reading

Will EU data protection authorities ‘consistency mechanism’ be ready in time for the GDPR?

During an Article 29 Working Party (WP29) press conference on 7 February 2018, the outgoing chair and French privacy chief, Isabelle Falque-Pierrotin, expressed concerns that EU data protection authorities (DPAs) may not be able to enforce the General Data Protection Regulation (GDPR) effectively and in a unified manner in accordance with the consistency mechanism, by 25 May 2018.

On 25 May 2018, the WP29 will be replaced by the European Data Protection Board (EDPB), which will invoke the consistency mechanism to streamline the enforcement of data protection laws throughout the region. According to Falque-Pierrotin, 26 of the 28 EU member states (with Germany and Austria being the exceptions) are yet to align their national laws with the GDPR. This is concerning because if one member state’s supervisory authority is unable to take part in the consistency mechanism, the whole system of regulation and enforcement under the GDPR could be undermined. Continue Reading

Get your update on IT and data protection law in our newsletter

The Winter 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We cover new case law on marketing consent, cookie consent, the liability of platform providers, employee data protection, sales of address data and the right to be forgotten. The newsletter also includes multiple recommended reads on the General Data Protection Regulation (GDPR).

You can also find more information on our next ‘Data Date’, the GDPR seminar series hosted by  our Munich office.

We hope you enjoy reading it.


German court issues important judgment on consent and transparency in Facebook case

The Regional Court of Berlin held in a judgment of 16 January 2018 (docket no. 16 O 341/15, German language version of the judgment available here) that Facebook’s default privacy settings and parts of their terms and conditions were invalid. This judgment provides important guidance on consent and transparency.


The Federation of German Consumer Organizations (Federation) sued Facebook and requested cease and desist regarding some of its default settings and terms and conditions.

The Federation argued that Facebook’s default settings violated the requirement of explicit consent. For example, the default settings included a location service in Facebook’s mobile app revealing the location of the person that the user is chatting to. In addition, boxes were pre-activated allowing search engines to link to the user’s timeline.

The Federation also argued that various clauses in the terms and conditions of Facebook were invalid, including clauses that provide consent of the user (i) to transferring personal data to and processing personal data in the U.S. and (ii) using the name and profile picture of the user for commercial, sponsored or related content.

Continue Reading

New data protection fees for UK businesses – Draft Data Protection (Charges and Information) Regulations 2018 and ICO guide published

On 20 February 2018, The Data Protection (Charges and Information) Regulations 2018 (the Regulations) were laid before the UK parliament. The Regulations affect what businesses have to pay when registering their data protection arrangements with the Information Commissioner’s Office (ICO). On 21 February 2018, the ICO issued a guide for data controllers about the proposed data protection fees that the Regulations will levy.

The Regulations replace the previous system of notification under the Data Protection Act 1998. They will come into effect simultaneously with the General Data Protection Regulation on 25 May 2018.

Under the Regulations, data controllers who have a current registration or notification with the ICO will not need to pay the new fees until their existing registration expires. Registration does not automatically expire on 25 May 2018.

1. How the fees are calculated

The Regulations set out three tiers of organisations with accompanying fee levels for each tier. The tier an organisation falls into depends on: (i) how many staff members it has; (ii) its annual turnover; (iii) whether it is a public authority; (iv) whether it is a charity; and (v) whether it is a small occupational pension scheme.

These tiers are clarified below:

Tier 1 – Micro Organisations

  • Maximum turnover of £632,000 for the financial year OR no more than 10 members of staff.
  • Tier 1 fee = £40.

Tier 2 – Small and Medium Organisations

  • Maximum turnover of £36 million for the financial year OR no more than 250 members of staff.
  • Tier 2 fee = £60.

Tier 3 – Large Organisations

  • Organisations that exceed the caps of the Tier 1 or Tier 2 criteria.
  • Tier 3 fee = £2,900.

Importantly, all data controllers are to be regarded as Tier 3 unless they tell the ICO otherwise.

Continue Reading

Ninth Circuit calls common carrier exception “activity-based”

On February 26, 2018, an en banc federal appeals court held that the common carrier exception in the Federal Trade Commission (FTC) Act that preempts FTC jurisdiction is “activity-based” rather than “status-based” and therefore applies only to the extent an entity engages in common-carrier services. See FTC v. AT&T Mobility LLC, No. 15-16585, D.C. No. 3:14-cv-04785EMC (Opinion) (9th Cir. Feb. 26, 2018). The decision affirmed the Northern District of California’s denial of AT&T Mobility LLC’s motion to dismiss.

In 2010, AT&T switched its mobile data plan offering from “unlimited” to “tiered” but allowed existing customers to retain their unlimited data plans. In 2011, AT&T reduced unlimited customers’ broadband data speed without regard to actual network congestion if they exceeded a preset limit. The FTC filed an action in October 2014 under section 5 of the FTC Act, alleging AT&T’s data-throttling plan was unfair and deceptive. AT&T moved to dismiss, arguing it was exempt due to common carrier status.

Section 5 exempts “common carriers subject to the Acts to regulate commerce.” 15 U.S.C. § 45(a)(1), (2). Although providing mobile data was not a “common carrier service” at the time the FTC filed suit, the Federal Communications Commission (FCC) reclassified mobile data as a common-carriage service in 2015 while AT&T’s motion to dismiss was pending. See In the Matter of Protecting and Promoting the Open Internet, 30 F.C.C. Rcd. 5601, 5734 n.792 (2015) (Reclassification Order). The FCC reversed the Reclassification Order in early 2018. See In the Matter of Restoring Internet Freedom, W.C. Dkt. No. 17-108, 2018 WL 305638, at *1 (Jan 4, 2018).

Continue Reading