A defamation suit brought by one reality television star against another—and naming Discovery Communications as a defendant—could determine to what extent (if any) media companies may be held responsible for what their talent posts on social media.

In a move characterized as setting legal precedent, UK lawyers served an injunction against “persons unknown” via an email account linked to someone who was posting allegedly defamatory “fake news” stories on social media.

European regulators fined Google $2.7 billion for violating antitrust law by allegedly tailoring algorithms for product-related queries to promote its own comparison shopping service. If the search company doesn’t change how its search engine works in the EU in the next few months, it risks fines of up to 5% of its parent company Alphabet Inc.’s daily revenue.

A newly formed trade group, called the Influencer Marketing Council, is representing social influencers in discussions with regulators and Internet platforms, and is leading an effort to outline best practices for complying with the FTC’s endorsement guidelines.

Pinterest’s commercial progress has reportedly been hampered by several factors, including the format of its advertisements, which must mimic user posts—something that requires brands to design content specifically for the platform.

Members of law enforcement have expressed concerns regarding the safety risks posed by a Snapchat update that lets users see the exact location of their Snapchat “friends.” An article on The Verge has some useful tips on how to use the function, which is called Snap Map, and how to turn it off.

Because the First Amendment limits the ability of the U.S. government to regulate search companies’ and social media platforms’ policies and guidelines, companies like Google and Twitter might eventually be de facto regulated even within the United States by foreign nations whose governments are entitled to regulate what happens on the Internet in order to protect their citizens according to their own laws.

Several A-list musicians have stepped away from social media at least partly because their incredible popularity has made them an attractive target for trolls.

Here are tips on how to limit online service providers from collecting information about you in using social media and surfing the web.

On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap. Continue Reading German Parliament Enacts Wide-ranging Surveillance Powers Allowing End User Devices to Be Hacked by Authorities

03_April_SociallyAware_thumbnailThe latest issue of our Socially Aware newsletter is now available here.

In this edition, we explore the threat to U.S. jobs posed by rapid advances in emerging technologies; we examine a Federal Trade Commission report on how companies engaging in cross-device tracking can stay on the right side of the law; we take a look at a Second Circuit opinion that fleshes out the “repeat infringer” requirement online service providers must fulfill to qualify for the Digital Millennium Copyright Act’s safe harbors; we discuss a state court decision holding that Section 230 of the Communications Decency Act immunizes Snapchat from liability for a car wreck that was allegedly caused by the app’s “speed filter” feature; we describe a recent decision by the District Court of the Hague confirming that an app provider could be subject to the privacy laws of a country in the European Union merely by making its app available on mobile phones in that country; and we review a federal district court order requiring Google to comply with search warrants for foreign stored user data.

All this—plus an infographic illustrating how emerging technology will threaten U.S. jobs.

Read our newsletter.

GettyImages-169937464_SMALLCan the mere offering of a mobile app subject the provider of such app to the privacy laws of countries in the European Union (EU)—even if the provider does not have any establishments or presence in the EU? The answer from the District Court of The Hague to that question is yes. The court confirmed on November 22, 2016, that app providers are subject to the Dutch Privacy Act by virtue of the mere offering of an app that is available on phones of users in the Netherland, even if they don’t have an establishment or employees there.

Context. EU privacy laws generally apply on the basis of two triggers: (i) if a company has a physical presence in the EU (in the form of an establishment or office or otherwise) and that physical presence is involved in the collection or other handling of personal information; or (ii) if a company doesn’t have a physical presence but makes use of equipment and means located in the EU to handle personal information.

Continue Reading The Hague District Court’s WhatsApp Decision Creates Concerns for Mobile App Developers

A federal district court judge refused to grant summary judgment to the copyright owners of the Star Trek franchise in the infringement suit they brought against the team behind a fan-made, crowdfunded prequel to the original Star Trek television series.

Strict new European Union privacy rules will restrict Internet companies’ access to consumers’ data.

Brands might soon be able to place video ads within Instagram Stories.

Driving while Snapchatting (or holding your cell phone in your hand for any other possible reason) is now illegal in California.

China is reportedly testing a system that assigns potentially life-altering “scores” to people based on their online activity.

How much about the future of the Internet do you think Bill Gates was able to predict 20 years ago?

The 58th Presidential Inaugural Committee website’s privacy policy apparently contains language suggesting it was lifted from a casino website.  

A small neighborhood restaurant turned the tables on a Yelp critic.

Concerned about the post-mortem fate of your property, legacy and reputation? Don’t forget your digital assets. This New York Times article explains how to make sure your wishes are carried out.

If you spot these apps on your significant other’s phone, it might be time to worry.

As part of the European Commission’s Digital Single Market initiative, the European Commission has published a draft Regulation aimed at preventing traders from discriminating against customers located in other EU Member States by denying those customers access to e-commerce sites, or by redirecting those customers to websites that offer inferior goods or sales conditions—a practice known as geo-blocking. The proposed new rules will benefit both consumers and businesses that purchase goods or services within the EU (excluding resellers).

The European Commission believes that geo-blocking and discriminatory practices undermine online shopping and cross-border sales within the EU.

The Regulation, which must still undergo review by the European Parliament and the Council of the EU, may change and is expected to be in force in 2017 (except the ban on discriminating against customers of electronically supplied services, which is expected to be effective beginning July 2018). When it is adopted, the Regulation will automatically take effect in all Member States without each Member State having to implement it into national law. Continue Reading European Commission Publishes Draft Regulation Prohibiting Geo-Blocking by Online Traders and Content Publishers

Instagram now allows users to hide offensive comments posted to their feeds. Take that trolls!

Soon you’ll be able to watch Twitter content like NFL Thursday Night Football on a Twitter app on Apple TV, Xbox One and Amazon Fire TV.

“Ballot selfie” laws—laws that prohibit posting online photos of completed election ballots—are being challenged in Michigan and New Hampshire.

Google may be recording you regularly.

YouTube content creators can now communicate with their followers in real time.

AdBlock Plus has launched a service that allows website operators to display “acceptable” ads to visitors using the popular ad blocking software. Irony, anyone?

The EU might soon require the same things of chat apps like Skype that it requires of telecom businesses.

A controversial proposal aims to give the EU’s 500 million consumers more digital streaming content choices.

An Austrian teen whose parents overshared on social media looks to the law for recourse.

Baltimore County officials warned government employees to watch what they say on social media.

With so many alternative content providers around these days, why do we still watch so much TV?

Here’s a list of 50 Snapchat marketing influencers who Mashable says are worth following.

iStock_91726351_600pxAs the entire world knows, the United Kingdom has voted by a narrow majority to leave the European Union (“Brexit”). But the Brexit process will take time, and the implications for businesses will also unfold over time. In this blog post, we take a look at the potential privacy and data security implications of Brexit.

No Changes in the Short Term

For the time being, the UK remains a member of the EU; and the Data Protection Directive (“Directive”) and e-Privacy Directive as currently implemented in UK law continue to apply. The Directive will be replaced by the EU General Data Protection Regulation (GDPR) in May 2018, and in the coming period the e-Privacy Directive will be updated to reflect the changes that the GDPR will bring. Given the time that will elapse before Brexit actually occurs, it may well be the case that the GDPR will come into force before the UK formally exits the EU.

As the GDPR has the form of an EU regulation, it will be directly applicable in all EU Member States, and no steps need to be taken by the UK for it to be implemented in the national law of the UK. Further, it may well be the case that the UK will have to implement the amended e-Privacy Directive into UK law before Brexit takes place. Until the UK formally exits the EU, data transfers between the UK and the other countries in the EU may continue to occur because the EU data transfer rules do not apply to transfers of personal data within the EU.

Changes After Brexit

The situation will change when UK leaves the EU. From that moment on, the GDPR will no longer be applicable in the UK. The national laws implementing EU directives (including the e-Privacy Directive) will, however, remain in force until they are amended or repealed. Thus, the UK will become a “third country” under the data transfer rules in the GDPR. In this case, personal data can only be exported by a business established in the EU to a third country, such as the UK, if there is an “adequate level of protection” for such data, unless certain conditions have been met.

There are three options under which the UK may obtain the required “adequacy status,” with the third being the most likely:

Becoming an EEA member: The UK may (like Norway, Liechtenstein and Iceland) become a member of the European Economic Area by becoming a signatory to the EEA Agreement. Under Article 7 of the EEA Agreement, the UK would still need to accept being bound directly by relevant EU laws relating to the four freedoms, including the GDPR. This option is unlikely to be pursued by the UK government in the form adopted by Norway, Liechtenstein and Iceland, in view of the fact that the UK would need to agree to be bound by many of the rules of the EU that have been unpopular with Brexit supporters, including the free movement of people.

The Swiss solution: Switzerland is not part of the EU or EEA (although it has bilateral agreements with the EU allowing access to the single market). Although not bound by it, Switzerland has fully implemented the Directive into its domestic legislation and, on that basis, has received an “adequacy finding” from the European Commission. Switzerland has already indicated its wish to update Swiss legislation to reflect the application of the GDPR and retain its adequacy status. Also, although Switzerland is not subject to the jurisdiction of the European Court of Justice (ECJ), the ECJ’s case law has had a significant influence on Swiss legislation.

For instance, after the ECJ struck down the EU-US Safe Harbor Decision of the Commission, the Swiss also declared that the Swiss-US Safe Harbor did not provide a sufficient legal basis for exporting data from Switzerland to the U.S. As with becoming a member of the EEA, the Swiss model would require the UK to adopt the GDPR as it stands now and any further EU legislation on data protection, without having any right to participate in EU rule-making. This option is unlikely to be pursued by the UK government in the form adopted by Switzerland because it would entail the UK agreeing to be bound by many of the rules of the EU which have been unpopular with Brexit supporters, including the free movement of people.

Full adequacy finding: Under this option, he UK would implement its own data protection laws and would then request the Commission to issue a decision that its legal regime is “adequate” when assessed against the standard set by EU data protection law. At first glance, this seems to be the preferred option because it enables the UK to relax some of the rules in order to facilitate trade (as it advocated in the negotiations over the GDPR). However, if the UK wishes to obtain a quick adequacy decision to continue to facilitate data transfers between the UK and the EU also upon exit, it will likely have to implement provisions that are close to the GDPR. Any other approach could set the UK back in getting a quick adequacy decision.

The EU may well be averse to any softening of the rules that would give the UK an advantage over EU Member States, or enable some sort of forum shopping. It is therefore not surprising that the UK Information Commissioner’s Office (ICO) has already issued a statement that UK data protection standards would have to be equivalent to the GDPR. We note that the UK has been a long-standing advocate of data protection (e.g., it had a law more than 10 years before the Directive was adopted) and there is solid public awareness of privacy laws. The UK has further ratified Convention 108 (which sets core principles for data protection) as well as the European Convention on Human Rights (“ECHR” – which, in article 8, provides for the right to privacy), and the UK is subject to the European Court of Human Right’s competence. The ICO is a member of the Global Privacy Enforcement Network (GPEN), intended to strengthen cross-border information sharing and co-operation in cross-border enforcement among privacy authorities around the world. This all seems to point into the direction of adequacy.

We highlight, however, that the recent Schrems judgment of the ECJ may also have implications for the UK. In the Schrems judgment, the ECJ invalidated the decision of the Commission that approved the Safe Harbor Framework facilitating data transfer to U.S. companies that adhered to this framework, because the privacy of European citizens was not considered to be adequately protected (in short) because the powers of the U.S. intelligence services went beyond what was strictly necessary and proportionate to the protection of national security and individuals did not have adequate means of judicial redress to protect their privacy. The concern that the intelligence services have overly broad surveillance powers may well also apply to the UK intelligence services. More clarity may come from three cases pending before the European Court of Human Rights, which were instigated by the UK Bureau of Investigative Journalism and a number of civil rights organizations, and claim that the generic surveillance powers of the UK intelligence services violate Article 8 of the European Convention on Human Rights.

Conclusions

In the short term, until the UK ceases to be a member of the EU, nothing changes and data transfers may continue as they currently do.

Whichever of the three options the UK ultimately follows to obtain adequacy status, the end result will be UK data protection legislation that is very much aligned with the upcoming GDPR and other EU privacy rules.

Next Steps for Businesses

• While it is expected that the Commission will eventually confirm “adequacy status” for whatever data protection laws the UK puts in place post-Brexit, it is possible that this may not have been done at the precise time of exit. This situation would require businesses to put in place alternative data transfer arrangements for transfers from within the EU to the UK, such as the entering into of standard contractual clauses (SCCs). Controllers and processors can also “adduce appropriate safeguards” for their intra-group transfers by adopting binding corporate rules (“BCRs”). In any case, in the aftermath of the Schrems judgement, we see a trend of companies moving to implement BCRs in order to be less dependent on the adequacy decisions of the Commission and the negotiations of the EU and US in respect of the terms of the new Privacy Shield.

• Given the lead time it takes to implement the GDPR requirements into business processes, businesses in the UK should continue their GDPR readiness programs. As indicated above, the rules that the UK will ultimately implement in all likelihood will closely resemble the GDPR. Note further that the GDPR may continue to apply to the data processing activities of UK companies where they offer goods or services to citizens in other EU countries, or otherwise monitor their behavior. The same will apply to UK companies with offices in other EU countries operating central data processing systems.

• The ICO has acted as the lead data protection authority (“DPA”) in approving BCRs in many instances. After the exit, the ICO will no longer be authorized to act as lead DPA. Companies with BCRs where the ICO is lead DPA will therefore have to approach another EU DPA to act as their lead DPA. Businesses applying for BCRs and having to select a lead DPA and co-leads should consider taking this into account.

 

*          *        *

For more insights regarding the potential legal implications of the recent Brexit vote, please see our MoFo Brexit Briefings page on the Morrison & Foerster website.

 

 

 

 

 

In a fascinating, must-read article, a Google design ethicist explains the techniques that engineers and entrepreneurs employ to keep us hooked on the web.

A majority of U.S. adults—62%—now get their news on social media.

An apartment complex in Utah is trying to force its residents to “friend” the complex.

Will the next head of state take over the vast online infrastructure that the Obama administration created as the first administration to digitally engage with its constituency?

Get ready for 74 new emojis.

Tired of being reminded about potentially painful past social media posts? Here’s how to turn off Facebook’s “On This Day” notifications.

Texas inmates are now barred from using social media.

Participating in online social networks in Russia has become risky business.

To comply with a new code of conduct in the European Union, the biggest social media platforms have agreed to remove hate speech within 24 hours.

Are websites a dying business?

Instagram’s mobile app has a new dashboard that allows small businesses to measure the reach of their posts.

Periscope users can now moderate comments during their broadcasts.

Stop telling people there’s a dot in your Gmail address—it doesn’t matter.

Hootsuite CEO Ryan Holmes says it’s important to hop on the Snapchat bandwagon, no matter how old you are. Here’s why.

04_21_Apr_SociallyAware_v6_Page_01The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award winning guide to the law and business of social media. In this edition, we discuss what a company can do to help protect the likes, followers, views, tweets and shares that constitute its social media “currency”; we review a federal district court opinion refusing to enforce an arbitration clause included in online terms and conditions referenced in a “wet signature” contract; we highlight the potential legal risks associated with terminating an employee for complaining about her salary on social media; we explore the need for standardization and interoperability in the Internet of Things world; we examine the proposed EU-U.S. Privacy Shield’s attempt to satisfy consumers’ privacy concerns, the European Court of Justice’s legal requirements, and companies’ practical considerations; and we take a look at the European Commission’s efforts to harmonize the digital sale of goods and content throughout Europe.

All this—plus an infographic illustrating the growing popularity and implications of ad blocking software.

Read our newsletter.