This week, the European Commission released its proposal to repeal the existing Regulation on Privacy and Electronic Communication (the ePrivacy Directive (Directive 2002/58/EC)) and to replace it with a new Regulation. Unlike the current EU Data Directive and the new General Data Protection Regulation (GDPR) effective May 2018, the ePrivacy Directive primarily addressed practices of traditional telecommunication providers and new providers of electronic communication services (e.g., Gmail, and others listed below). The reason behind the proposal is to catch up the existing law to the realities of the technological evolution that occurred since the passage of the ePrivacy Directive. The proposal is also expected to ensure consistency in the protections afforded by the ePrivacy Directive, particularly with respect to confidentiality of communications, with the General Data Protection Regulation (GDPR), which will take effect in May 2018.

The two most impactful proposed changes are: (1) extension of the application of privacy rules from traditional telecommunications operators to the new providers of electronic communications services, such as Gmail, Facebook Messenger, WhatsApp, and others, and (2) simplification of the rules on cookies. The former proposal would prevent email services, such as Gmail, from scanning the contents of their users’ email for the purposes of delivering targeted advertising, without obtaining the users’ explicit consent. Obviously, this could significantly impact ad revenue of online email and messaging services that rely on targeted advertising for their funding.

The simplification of cookie rules, however, is a welcome relief to business. Article 5(3) of the current ePrivacy Directive requires websites to obtain prior informed consent from a user before storing cookies and similar technologies (e.g., web beacons, Flash cookies, etc.) or accessing information stored on the user’s terminal equipment. For consent to be valid, it must be informed, specific, freely given, and must constitute a real indication of the individual’s wishes. Certain cookies are exempt from the consent requirement, including user-input cookies (session ID first-party cookies), authentication cookies (to identify the user for the duration of a session), user-interface customization cookies (e.g., language or font preferences, for the duration of a session), and third-party social plug-in content-sharing cookies (for logged-in members of a social network). In other words, cookies that are used for the sole purpose of carrying out the transmission of a communication, or are necessary to provide the requested service are likely to be exempt. Some businesses, however, read this exemption narrowly and request user consent even for the use of these “experience-enhancing” cookies.Continue Reading Goodbye Cookie Banners? The European Commission Proposes to Simplify the Cookie Law

The Irish Data Protection Commissioner (DPC) has issued guidance on compliance with the General Data Protection Regulation (GDPR), which will come into force on May 25, 2018 and replace the existing European data protection framework under the EU Data Protection Directive.  The new data privacy regime is expected to result in enhanced transparency, accountability, and individuals’ rights, while optimizing organizational approach to governance and management of data protection as a corporate issue.

The guidance, titled “The GDPR and You, General Data Protection Regulation, Preparing for 2018,” urges all organizations to not delay the preparation for the GDPR and to “immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR.”  Proper preparation for the GDPR may help avoid regulatory fines, which can range up to €20,000,000 or 4% of total annual global turnover, whichever is greater.

The guidance consists of a checklist that aims to provide clear direction on how organizations can prepare for compliance with the GDPR in Ireland.  However, organizations will find it useful when preparing for the GDPR anywhere in Europe.  The checklist is organized around the following twelve points.

Continue Reading The Irish Data Protection Commissioner Issues the GDPR Preparation Checklist

Last Friday, Russia blocked LinkedIn based on a Russian court’s finding that LinkedIn violated Russian “localization” law that requires companies holding personal data of Russian citizens to store it on servers located within Russian borders.  This law came as an amendment to Russian data privacy laws, “Regarding information, information technologies and the protection of information,” “Regarding telecommunications,” and the Codex of Administrative Violations. The amendments, which came into law in September 2015, required websites and telecommunications providers to begin storing “on the territory of the Russian Federation information regarding the receipt, transfer, sending and/or processing of voice information, written text, images, sounds or other electronic messages of the users of Internet,” within six months after the law went into effect.

Russia took the position that the new requirements were necessary to ensure personal data on Russian consumers is properly protected, something the Russian government said can only be done if the servers are within Russian jurisdiction. The penalty for violating the law by companies was established at 500,000 roubles (approximately $8,000). The law also contemplated a punishment much worse than the monetary penalty. Specifically, the amendment empowered Roskomnadzor, the Russian federal agency charged with overseeing telecommunications services and information technologies, to investigate violations of the new law and to petition courts to block websites who refuse to comply.

Following the adoption of this law, many companies that collect and process Russian citizens’ information began working toward achieving compliance by ensuring that this data stayed on Russian soil. Some, however, decried the law as forcing businesses to needlessly invest in servers in Russia and rework established data workflows.

Soon after the law went into effect, Roskomnadzor began exercising its investigative powers and taking suspected violators to court. To keep track of the adjudicated violators, Roskomnadzor created a special registry of websites marked for blocking in case of continued noncompliance following the adjudication. LinkedIn, which has over 6 million registered Russian users, made Roskomnadzor’s “black list” registry and, on Friday, November 18, became the first website to be blocked in Russia for the violations of the localization law.Continue Reading Russia Blocks LinkedIn

The Article 29 Working Party has issued a statement about the so-called EU-U.S. Umbrella Agreement, which, while not providing legal basis for any data transfers, sets forth a high-level data protection framework for transatlantic cooperation on criminal law enforcement. The Agreement covers all personal data, including names, addresses, and criminal records, exchanged between the EU and the U.S. for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The Umbrella Agreement, signed by EU and the U.S. on June 2, 2016, after five years of negotiations, requires the consent of the European Parliament to be ratified.

In its statement, the Working Party cautiously welcomed the conclusion of the Umbrella Agreement. The Working Party expressed hope that the Agreement will complement the existing law enforcement treaties between the U.S. and EU and its Member States, aid the negotiation of future data sharing agreements, and set forth the minimum data protection standard for data transfers between criminal law enforcement in the U.S. and EU.Continue Reading Article 29 Working Party Issues Statement on the EU-U.S. Umbrella Agreement

According to a recent global survey commissioned by Dell and conducted by Dimensional Research, fewer than 1 in 3 companies are prepared for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018. The GDPR will carry hefty fines that will be based on case-specific multi-factor analysis. Depending on the type of infringement, GDRP violators can be fined up to €10 – €20 million, or up to 2% – 4% of total worldwide annual turnover, whichever is higher.

Among key survey results are the following findings:

  • Approximately 31 percent of respondents were aware of the GDPR but knew no details and approximately 38 percent knew some details. Only 4 percent of respondents said they were very knowledgeable about the details of the GDPR.
  • More than half as many business executives compared to IT executives did not know any details about the GDPR. Most companies also expect IT to take the primary responsibility for data protection and compliance with the GDPR.
  • Only 3 percent of respondents reported having in place a clear plan to prepare for the GDPR; 27 percent were still figuring out who needs to be involved in putting such a plan together and 33 percent have not started their planning at all.
  • Only 31 percent of respondents reported that they are prepared for the GDPR today.
  • Only 9 percent of respondents were confident that their company will be fully ready for the GDPR when it comes into force in May 2018.

Continue Reading Survey Finds Few Companies Are Prepared for the New European Data Protection Regulation

At the Paris Motor Show earlier this month, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “ CNIL”) provided an update on the progress of its development of a “compliance package on connected vehicles.” The work began on March 23, 2016, and the finalized “compliance package” is expected to be delivered next spring.

The CNIL undertook this task to provide the auto-industry, the insurance and telecommunications sector, and the public authorities with guidance on the treatment of personal data collected by connected vehicles about their drivers and the interaction of the vehicle with the road environment. The guidance is expected to bring companies in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018.

The CNIL noted that the challenge is to weave “data protection” into the product design “to ensure transparency and control by individuals of their data.” Doing so would address the Privacy by Design principle codified in the GDPR.

In preparing its guidance, the CNIL is using the following scenarios as its analytical framework.Continue Reading CNIL Calling for “Privacy by Design” for Connected Vehicles

On April 14, 2016, Microsoft sued the United States Department of Justice to challenge the search and seizure provisions of the 30-year old ECPA, because its customers “have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them.”  (Microsoft v. DOJ, No. 2:16-cv-00538-JLR, Complaint (W.D. Wash. Apr. 14, 2016).)

On September 2, several prominent tech companies, including Apple, Amazon, and Google, filed amici briefs that echo and reinforce Microsoft’s position.  (Accessible here and here).

Microsoft’s suit challenges the constitutionality of the antiquated Electronic Communications Privacy Act (ECPA).  Specifically, Microsoft argues that Section 2705(b) of the ECPA violates the Fourth Amendment right of its customers to be notified that the government searches or seizes their property, and it violates the company’s First Amendment right to freely speak to its customers.

Microsoft’s suit, unlike Apple’s public fight with the FBI over access to a password-protected iPhone, does not center on just one dispute.

Rather, every year, the government conducts thousands of investigations into the contents of communications stored in the cloud,  using  the ECPA as authority.  At the same time, the government places Microsoft and other service providers under “gag orders” that prohibit disclosure to the affected customers.Continue Reading Powerful Tech Companies Lend Support to Microsoft’s Protest Against “Secrecy Orders”

On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into effect requiring companies that process personally identifiable information of EU residents to comply with a significant number of enhanced data-protection requirements. One of these requirements is an individual’s “right to explanation” of an algorithmic decision made about him or her by a machine.
Continue Reading European Restrictions on Computer Profiling

Michael Coscia, the first person convicted as a “spoofer” under the 2010 Dodd-Frank Act, has been sentenced to 3 years in prison. Coscia is not a young hacker kid or even a computer whiz, he is a fifty-four-year-old commodities trader and owner of New Jersey-based Panther Energy Trading.

Coscia was convicted in November 2015 for artificially bumping up commodities prices by using computer algorithms to quickly place large orders through commodity markets in Chicago and London which he then cancelled within milliseconds.  These placed-then-cancelled trades were alleged to have had effects on the pricing of the commodities that benefitted Coscia to the tune of more than $100,000 per month in 2011.
Continue Reading Federal Court Sentences First Convicted Spoofer Under Dodd-Frank to 3 Years