The latest issue of our Socially Aware newsletter is now available here.

In this edition, we explore the threat to U.S. jobs posed by rapid advances in emerging technologies; we examine a Federal Trade Commission report on how companies engaging in cross-device tracking can stay on the right side of the law; we take a look at a Second Circuit opinion that fleshes out the “repeat infringer” requirement online service providers must fulfill to qualify for the Digital Millennium Copyright Act’s safe harbors; we discuss a state court decision holding that Section 230 of the Communications Decency Act immunizes Snapchat from liability for a car wreck that was allegedly caused by the app’s “speed filter” feature; we describe a recent decision by the District Court of the Hague confirming that an app provider could be subject to the privacy laws of a country in the European Union merely by making its app available on mobile phones in that country; and we review a federal district court order requiring Google to comply with search warrants for foreign stored user data.

All this—plus an infographic illustrating how emerging technology will threaten U.S. jobs.

Read our newsletter.

Can the mere offering of a mobile app subject the provider of such app to the privacy laws of countries in the European Union (EU)—even if the provider does not have any establishments or presence in the EU? The answer from the District Court of The Hague to that question is yes. The court confirmed on November 22, 2016, that app providers are subject to the Dutch Privacy Act by virtue of the mere offering of an app that is available on phones of users in the Netherlands, even if they don’t have an establishment or employees there.

Context. EU privacy laws generally apply on the basis of two triggers: (i) if a company has a physical presence in the EU (in the form of an establishment or office or otherwise) and that physical presence is involved in the collection or other handling of personal information; or (ii) if a company doesn’t have a physical presence but makes use of equipment and means located in the EU to handle personal information.

A federal district court judge refused to grant summary judgment to the copyright owners of the Star Trek franchise in the infringement suit they brought against the team behind a fan-made, crowdfunded prequel to the original Star Trek television series.

Strict new European Union privacy rules will restrict Internet companies’ access to consumers’ data.

Brands might soon be able to place video ads within Instagram Stories.

Driving while Snapchatting (or holding your cell phone in your hand for any other possible reason) is now illegal in California.

China is reportedly testing a system that assigns potentially life-altering “scores” to people based on their online activity.

How much about the future of the Internet do you think Bill Gates was able to predict 20 years ago?

The 58th Presidential Inaugural Committee website’s privacy policy apparently contains language suggesting it was lifted from a casino website.  

A small neighborhood restaurant turned the tables on a Yelp critic.

Concerned about the post-mortem fate of your property, legacy and reputation? Don’t forget your digital assets. This New York Times article explains how to make sure your wishes are carried out.

If you spot these apps on your significant other’s phone, it might be time to worry.

As part of the European Commission’s Digital Single Market initiative, the European Commission has published a draft Regulation aimed at preventing traders from discriminating against customers located in other EU Member States by denying those customers access to e-commerce sites, or by redirecting those customers to websites that offer inferior goods or sales conditions—a practice known as geo-blocking. The proposed new rules will benefit both consumers and businesses that purchase goods or services within the EU (excluding resellers).

The European Commission believes that geo-blocking and discriminatory practices undermine online shopping and cross-border sales within the EU.

The Regulation, which must still undergo review by the European Parliament and the Council of the EU, may change and is expected to be in force in 2017 (except the ban on discriminating against customers of electronically supplied services, which is expected to be effective beginning July 2018). When it is adopted, the Regulation will automatically take effect in all Member States without each Member State having to implement it into national law.

Instagram now allows users to hide offensive comments posted to their feeds. Take that trolls!

Soon you’ll be able to watch Twitter content like NFL Thursday Night Football on a Twitter app on Apple TV, Xbox One and Amazon Fire TV.

“Ballot selfie” laws—laws that prohibit posting online photos of completed election ballots—are being challenged in Michigan and New Hampshire.

Google may be recording you regularly.

YouTube content creators can now communicate with their followers in real time.

AdBlock Plus has launched a service that allows website operators to display “acceptable” ads to visitors using the popular ad blocking software. Irony, anyone?

The EU might soon require the same things of chat apps like Skype that it requires of telecom businesses.

A controversial proposal aims to give the EU’s 500 million consumers more digital streaming content choices.

An Austrian teen whose parents overshared on social media looks to the law for recourse.

Baltimore County officials warned government employees to watch what they say on social media.

With so many alternative content providers around these days, why do we still watch so much TV?

Here’s a list of 50 Snapchat marketing influencers who Mashable says are worth following.

As the entire world knows, the United Kingdom has voted by a narrow majority to leave the European Union (“Brexit”). But the Brexit process will take time, and the implications for businesses will also unfold over time. In this blog post, we take a look at the potential privacy and data security implications of Brexit.

No Changes in the Short Term

For the time being, the UK remains a member of the EU; and the Data Protection Directive (“Directive”) and e-Privacy Directive as currently implemented in UK law continue to apply. The Directive will be replaced by the EU General Data Protection Regulation (GDPR) in May 2018, and in the coming period the e-Privacy Directive will be updated to reflect the changes that the GDPR will bring. Given the time that will elapse before Brexit actually occurs, it may well be the case that the GDPR will come into force before the UK formally exits the EU.

As the GDPR has the form of an EU regulation, it will be directly applicable in all EU Member States, and no steps need to be taken by the UK for it to be implemented in the national law of the UK. Further, it may well be the case that the UK will have to implement the amended e-Privacy Directive into UK law before Brexit takes place. Until the UK formally exits the EU, data transfers between the UK and the other countries in the EU may continue to occur because the EU data transfer rules do not apply to transfers of personal data within the EU.

Changes After Brexit

The situation will change when the UK leaves the EU. From that moment on, the GDPR will no longer be applicable in the UK. The national laws implementing EU directives (including the e-Privacy Directive) will, however, remain in force until they are amended or repealed. Thus, the UK will become a “third country” under the data transfer rules in the GDPR. In this case, personal data can only be exported by a business established in the EU to a third country, such as the UK, if there is an “adequate level of protection” for such data, unless certain conditions have been met.

There are three options under which the UK may obtain the required “adequacy status,” with the third being the most likely:

Becoming an EEA member: The UK may (like Norway, Liechtenstein and Iceland) become a member of the European Economic Area by becoming a signatory to the EEA Agreement. Under Article 7 of the EEA Agreement, the UK would still need to accept being bound directly by relevant EU laws relating to the four freedoms, including the GDPR. This option is unlikely to be pursued by the UK government in the form adopted by Norway, Liechtenstein and Iceland, in view of the fact that the UK would need to agree to be bound by many of the rules of the EU that have been unpopular with Brexit supporters, including the free movement of people.

The Swiss solution: Switzerland is not part of the EU or EEA (although it has bilateral agreements with the EU allowing access to the single market). Although not bound by it, Switzerland has fully implemented the Directive into its domestic legislation and, on that basis, has received an “adequacy finding” from the European Commission. Switzerland has already indicated its wish to update Swiss legislation to reflect the application of the GDPR and retain its adequacy status. Also, although Switzerland is not subject to the jurisdiction of the European Court of Justice (ECJ), the ECJ’s case law has had a significant influence on Swiss legislation.

For instance, after the ECJ struck down the EU-US Safe Harbor Decision of the Commission, the Swiss also declared that the Swiss-US Safe Harbor did not provide a sufficient legal basis for exporting data from Switzerland to the U.S. As with becoming a member of the EEA, the Swiss model would require the UK to adopt the GDPR as it stands now and any further EU legislation on data protection, without having any right to participate in EU rule-making. This option is unlikely to be pursued by the UK government in the form adopted by Switzerland because it would entail the UK agreeing to be bound by many of the rules of the EU which have been unpopular with Brexit supporters, including the free movement of people.

Full adequacy finding: Under this option, the UK would implement its own data protection laws and would then request the Commission to issue a decision that its legal regime is “adequate” when assessed against the standard set by EU data protection law. At first glance, this seems to be the preferred option because it enables the UK to relax some of the rules in order to facilitate trade (as it advocated in the negotiations over the GDPR). However, if the UK wishes to obtain a quick adequacy decision to continue to facilitate data transfers between the UK and the EU also upon exit, it will likely have to implement provisions that are close to the GDPR. Any other approach could set the UK back in getting a quick adequacy decision.

The EU may well be averse to any softening of the rules that would give the UK an advantage over EU Member States, or enable some sort of forum shopping. It is therefore not surprising that the UK Information Commissioner’s Office (ICO) has already issued a statement that UK data protection standards would have to be equivalent to the GDPR. We note that the UK has been a long-standing advocate of data protection (e.g., it had a law more than 10 years before the Directive was adopted) and there is solid public awareness of privacy laws. The UK has further ratified Convention 108 (which sets core principles for data protection) as well as the European Convention on Human Rights (“ECHR” – which, in article 8, provides for the right to privacy), and the UK is subject to the European Court of Human Rights’ competence. The ICO is a member of the Global Privacy Enforcement Network (GPEN), intended to strengthen cross-border information sharing and co-operation in cross-border enforcement among privacy authorities around the world. This all seems to point in the direction of adequacy.

We highlight, however, that the recent Schrems judgment of the ECJ may also have implications for the UK. In the Schrems judgment, the ECJ invalidated the decision of the Commission that approved the Safe Harbor Framework facilitating data transfer to U.S. companies that adhered to this framework, because the privacy of European citizens was not considered to be adequately protected (in short) because the powers of the U.S. intelligence services went beyond what was strictly necessary and proportionate to the protection of national security and individuals did not have adequate means of judicial redress to protect their privacy. The concern that the intelligence services have overly broad surveillance powers may well also apply to the UK intelligence services. More clarity may come from three cases pending before the European Court of Human Rights, which were instigated by the UK Bureau of Investigative Journalism and a number of civil rights organizations, and claim that the generic surveillance powers of the UK intelligence services violate Article 8 of the European Convention on Human Rights.

Conclusions

In the short term, until the UK ceases to be a member of the EU, nothing changes and data transfers may continue as they currently do.

Whichever of the three options the UK ultimately follows to obtain adequacy status, the end result will be UK data protection legislation that is very much aligned with the upcoming GDPR and other EU privacy rules.

Next Steps for Businesses

• While it is expected that the Commission will eventually confirm “adequacy status” for whatever data protection laws the UK puts in place post-Brexit, it is possible that this may not have been done at the precise time of exit. This situation would require businesses to put in place alternative data transfer arrangements for transfers from within the EU to the UK, such as entering into standard contractual clauses (SCCs). Controllers and processors can also “adduce appropriate safeguards” for their intra-group transfers by adopting binding corporate rules (“BCRs”). In any case, in the aftermath of the Schrems judgment, we see a trend of companies moving to implement BCRs in order to be less dependent on the adequacy decisions of the Commission and the negotiations of the EU and US in respect of the terms of the new Privacy Shield.

• Given the lead time it takes to implement the GDPR requirements into business processes, businesses in the UK should continue their GDPR readiness programs. As indicated above, the rules that the UK will ultimately implement in all likelihood will closely resemble the GDPR. Note further that the GDPR may continue to apply to the data processing activities of UK companies where they offer goods or services to citizens in other EU countries, or otherwise monitor their behavior. The same will apply to UK companies with offices in other EU countries operating central data processing systems.

• The ICO has acted as the lead data protection authority (“DPA”) in approving BCRs in many instances. After the exit, the ICO will no longer be authorized to act as lead DPA. Companies with BCRs where the ICO is lead DPA will therefore have to approach another EU DPA to act as their lead DPA. Businesses applying for BCRs and having to select a lead DPA and co-leads should consider taking this into account.

*          *        *

For more insights regarding the potential legal implications of the recent Brexit vote, please see our MoFo Brexit Briefings page on the Morrison & Foerster website.

In a fascinating, must-read article, a Google design ethicist explains the techniques that engineers and entrepreneurs employ to keep us hooked on the web.

A majority of U.S. adults—62%—now get their news on social media.

An apartment complex in Utah is trying to force its residents to “friend” the complex.

Will the next head of state take over the vast online infrastructure that the Obama administration created as the first administration to digitally engage with its constituency?

Get ready for 74 new emojis.

Tired of being reminded about potentially painful past social media posts? Here’s how to turn off Facebook’s “On This Day” notifications.

Texas inmates are now barred from using social media.

Participating in online social networks in Russia has become risky business.

To comply with a new code of conduct in the European Union, the biggest social media platforms have agreed to remove hate speech within 24 hours.

Are websites a dying business?

Instagram’s mobile app has a new dashboard that allows small businesses to measure the reach of their posts.

Periscope users can now moderate comments during their broadcasts.

Stop telling people there’s a dot in your Gmail address—it doesn’t matter.

Hootsuite CEO Ryan Holmes says it’s important to hop on the Snapchat bandwagon, no matter how old you are. Here’s why.

The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award winning guide to the law and business of social media, we discuss what a company can do to help protect the likes, followers, views, tweets and shares that constitute its social media “currency”; we review a federal district court opinion refusing to enforce an arbitration clause included in online terms and conditions referenced in a “wet signature” contract; we highlight the potential legal risks associated with terminating an employee for complaining about her salary on social media; we explore the need for standardization and interoperability in the Internet of Things world; we examine the proposed EU-U.S. Privacy Shield’s attempt to satisfy consumers’ privacy concerns, the European Court of Justice’s legal requirements, and companies’ practical considerations; and we take a look at the European Commission’s efforts to harmonize the digital sale of goods and content throughout Europe.

All this—plus an infographic illustrating the growing popularity and implications of ad blocking software.

Read our newsletter.

Defense lawyers who checked out the Facebook page of a plaintiff suing their client can be prosecuted for attorney misconduct, New Jersey judge rules.

Norwegian band changes its name to avoid “social media censorship.”

Can public agencies control their employees’ social media posts?

Google has complete discretion over whether or not to grant “right to be forgotten” requests. Some people question the sense of that.

This U.K. bar offers to save its customers from bad Tinder dates.

Why are boys at lower risk for the toxic effects of social media than girls?

New data indicates that choice of social channel, headlines and post length can maximize shares on social media.

Will the new Down to Lunch networking app continue to grow in popularity despite hitting some all-too-common social media snags?

The NYPD’s anti-encryption #UnlockJustice social media campaign fails. Big time.

These puppies earn HOW MUCH per Instagram post?! They’d better be in compliance with the FTC’s disclosure rules.

To stay abreast of social media-related legal developments, please subscribe to our free newsletter.

The European Commission (the “Commission”) and the U.S. Department of Commerce issued the draft legal texts for the much anticipated EU-U.S. Privacy Shield (the “Shield”), set to replace the currently inoperative Safe Harbor program (“Safe Harbor”). The new agreement is aimed at restoring the trust of individuals in the transatlantic partnership and the digital economy, and putting an end to months of compliance concerns of U.S. and EU companies alike. The draft will be discussed with EU data protection authorities (“DPAs”) and adopted by Member States representatives before it becomes binding.

The publication of the Shield documents, on February 29, 2015, came at a time of high expectations and a certain tension. Last October, the European Court of Justice (the “ECJ”) invalidated the Commission’s decision 2000/520/EC and effectively shut down the Safe Harbor framework, which until then allowed thousands of European companies to send personal information to U.S. companies that had committed to protecting personal information.   As a result, thousands of U.S. and EU companies were suddenly left in a legal limbo.  In response to the risk of enforcement against companies relying on Safe Harbor, and to address the concerns raised by EU DPAs, the Commission announced in early February that a new political agreement had indeed been reached with the U.S. government. It also made good on its promise to make the details of the agreement public by month’s end.

At first glance, the Shield bears a strong resemblance to Safe Harbor, which misled some commentators to denounce it as a mere duplicate in disguise.  However, the Shield introduces substantial changes for data protection, including additional rights for EU individuals, stricter compliance requirements for U.S. organizations, and further limitations on government access to personal data. From the perspective of U.S. companies, it appears that the Shield may actually signify a shift to heavily monitored compliance. In this sense, the question may no longer be “How good is the Privacy Shield for privacy?” but rather “How burdensome will it become for businesses?”

This alert takes a closer look at the Shield and highlights some of the key differences from the Safe Harbor and other available data transfer mechanisms.

Some of the key takeaways include:

  • Safeguards related to intelligence activities will extend to all data transferred to the U.S., regardless of the transfer mechanism used.
  • The Shield’s dispute resolution framework provides multiple avenues for individuals to lodge complaints, more than those available under the Safe Harbor and alternative transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
  • An organization’s compliance with the Privacy Shield will be directly and indirectly monitored by a wider array of authorities in the U.S. and the EU, possibly increasing regulatory risks and compliance costs for participating organizations.
  • The Department of Commerce will significantly expand its role in monitoring and supervising compliance, including by carrying out ex officio compliance reviews and investigations of participating organizations.
  • Participating organizations will be subjected to additional compliance and reporting obligations, some of which will continue even after they withdraw from the Privacy Shield.

Overview

The Commission made public all the documents that will constitute the new agreement, namely: a draft Adequacy Decision, FAQs, a Factsheet, Annexes detailing the principles and various compliance mechanisms, and a Commission Communication describing the current developments in the broader context of transatlantic discussions of the past few years.

In its press release, the Commission stated that the Shield “reflects the requirements” set by the ECJ in its ruling from October 6, 2015 (the “Schrems ruling”). As a reminder, key concerns of the Schrems ruling included: (1) the indiscriminate and excessive government access to EU citizens’ personal information, and (2) the lack of judicial redress mechanisms for EU citizens for privacy related complaints.

According to the Commission, the Shield will provide for “strong obligations on US companies” as well as “robust enforcement” mechanisms to ensure that such obligations are complied with. It will lay down “clear safeguards and transparency obligations on US government access.” Thirdly, it will ensure effective redress of EU Citizens’ rights by means of “several redress possibilities.” Finally, an annual joint review mechanism will allow the Commission, the U.S. Department of Commerce, and the European DPAs to monitor how well the Shield functions.