  • Bad chords. A European musician’s attempt to stop a negative concert review from continuing to appear in Internet search results is raising questions about whether the EU’s “right to be forgotten” ruling could prevent the Internet from being a source of objective truth. Established in May by the European Court of Justice, the right to be forgotten ruling requires search engines like Google to remove “inadequate, irrelevant or… excessive” links that appear as a result of searches of an EC member’s name. Pursuant to the ruling, European pianist Dejan Lazic asked the Washington Post to remove a tepid review of one of his Kennedy Center concerts from Google search results. Lazic’s request was denied because it was posed to the wrong party—the right to be forgotten ruling applies to Internet search engines, not publishers—but it nevertheless serves as an example of a request that could be granted under the right to be forgotten rule, and that, argues Washington Post Internet culture columnist Caitlin Dewey, is “terrifying.” Dewey writes that such a result “torpedoes the very foundation of arts criticism… essentially invalidates the primary function of journalism,” and “undermines the greatest power of the Web as a record and a clearinghouse for our vast intellectual output.”
  • A tall tale. The FBI has admitted to fabricating an Associated Press story and sending its link to the MySpace page of a high-school-bombing-threat suspect in 2007 to lure him into downloading malware that revealed his location and Internet Protocol address. Agents arrested the suspect, a 15-year-old Seattle-area boy, within days of learning his whereabouts as the result of the malware, which downloaded automatically when the suspect clicked the link to a fabricated story bearing the headline “Technology savvy student holds Timberline High School hostage.” Civil libertarians are concerned about the FBI’s impersonation of news organizations to send malware to suspects, and an AP spokesman said the organization finds it “unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP.”
  • Suspicious expulsions. An Alabama school district recently expelled more than a dozen students after a review of their social media accounts revealed signs of gang involvement or gun possession. The investigation into the students’ social media accounts was conducted by a former FBI agent whom the school district had hired for $157,000 as a security consultant. Since 12 of the 14 expelled students were African-American, a county commissioner accused the investigation of “effectively targeting or profiling black children in terms of behavior and behavioral issues.”

Socially Aware will be sponsoring a free webinar on cybersecurity-related legal issues on December 2, 2014. As part of the webinar, privacy and data security lawyers from Morrison & Foerster LLP – including a number of Socially Aware contributors – will discuss current cybersecurity trends and challenges, addressing current and pending laws and regulations in various jurisdictions, how to work with regulators around the world, and critical action items before, during and after a security incident. For more information on Morrison & Foerster’s privacy and data security practice group, please follow them on Twitter @MoFoPrivacy. For more information regarding the webinar, including how to register for the event, please click here.

As technology becomes ever more complex, the scope and scale of cyber-attacks and risks are increasing at an unprecedented rate. Cyber issues are high on the agenda for boards of directors and senior management. We all know that cybercrime is no longer just an issue for the IT department or an issue relating only to U.S. state laws. Governments around the world are working to educate businesses about the risk of cybercrime and are taking a much more active role in law enforcement. Privacy practitioners are increasingly being called upon to address boards of directors regarding the need to moderate the demands of corporate and national security according to fundamental privacy rights and the requirements of various regulations and enforcement activity in the U.S., Asia, and Europe.

Although it will never be possible for data security to be perfect, there are many steps that companies can take to address and mitigate the risks and respond appropriately when a compromise occurs. Security incidents can present significant risks to companies in a number of different ways, including negative brand and reputation attention, loss of sales or customer churn, financial penalties, and legal exposure.

During this program, you will receive practical guidance on the multiple challenges posed by cybersecurity issues. Topics to be addressed will include:

  • Current and upcoming rules in various jurisdictions, including the U.S., Europe, and Asia
  • How to work with regulators around the world in response to enforcement actions
  • Crucial action items before, during, and after a security incident

Speakers:

Webinar:

  • December 2, 2014
  • 04:30 PM-06:00 PM GST


Not to be outdone by Florida, California has yet again amended its data security breach law and again in groundbreaking (yet confusing) fashion. On September 30, 2014, California Governor Brown signed into law a bill (“AB 1710”) that appears to impose the country’s first requirement to provide free identity theft protection services to consumers in connection with certain data security breaches. The law also amends the state’s personal information safeguards law and Social Security number (“SSN”) law. The amendments will become effective on January 1, 2015.

Free Identity Theft Protection Services Required for Certain Breaches

Most significantly, AB 1710 appears to amend the California breach law to require that a company offer a California resident “appropriate identity theft prevention and mitigation” services, at no cost, if a breach involves that individual’s name and SSN, driver’s license number or California identification card number. Specifically, AB 1710 provides, in pertinent part, that if a company providing notice of such a breach was “the source of the breach”:

an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached.

The drafting of this requirement is far from clear and open to multiple readings. In particular, the use of the phrase “if any” can be read in multiple ways. For example, the phrase “if any” can be read to modify the phrase “appropriate identity theft prevention and mitigation services.” Under this reading, the law would impose an obligation to provide free identity theft protection services if any such services are appropriate. The phrase “if any,” however, could be read to modify the “offer” itself. Under this alternate reading, the law would provide that if a company intends to offer identity theft protection services, those services must be at no cost to the consumer. It is difficult to know how the California Attorney General (“AG”) or California courts will interpret this ambiguity. One thing is clear: until the AG or courts opine, the standard will remain unclear.

The drafting of the requirement is also unclear in other ways. For example, the statute does not specify what type of services would qualify as “appropriate identity theft prevention and mitigation services.” Would a credit monitoring product alone be sufficient to meet the requirement? Or would the law require something in addition to credit monitoring, such as an identity theft insurance element?

Nonetheless, state AGs historically have encouraged companies to provide free credit monitoring to consumers following breaches. In addition, even though not legally required, free credit monitoring has become a common practice, particularly for breaches involving SSNs and also increasingly for high-profile breaches. Still, California appears to be the first state to legally require that companies offer some type of free identity theft protection service for certain breaches.

AB 1710 is particularly notable in its approach. First, the offer of free identity theft protection services will only be required for breaches involving SSNs, driver’s licenses or California identification card numbers. In this regard, an offer of free identity theft protection services will not be required for breaches involving other types of covered personal information, such as payment card information or usernames and passwords. This approach endorses a position that many companies have long held—that credit monitoring is appropriate only when the breach creates an actual risk of new account identity theft (as opposed to fraud on existing accounts). In addition, the offer of free identity theft protection services will only be required for a period of one year (as opposed to, for example, two years). The length of the offer of free credit monitoring has always been an issue of debate, and California has now endorsed a position that a one-year offer is sufficient.

Continue Reading Breaking Old Ground: California Again Amends Data Security Breach Law

The “selfie” is now so ubiquitous that the word is in the Oxford English Dictionary, you can use it in Scrabble and it has spawned a whole new lexicon. Selfies are no longer the preserve of teens and reality stars; you now have politicians, royalty and companies getting in on the act. Selfies can mean big business—indeed, it was recently announced that Kim Kardashian, the reality star and “queen of the selfie,” will publish a book of 352 of her favorite snaps next year at $19.95 a pop.

But unfortunately for our simian friends, it seems that selfies are simply not monkey business.

Monkey Selfie

In 2011, British wildlife photographer David J. Slater was in Indonesia taking photos of macaque monkeys. Some of the monkeys began playing with his digital camera and a female monkey managed to take a particularly excellent self-portrait, reproduced below.

The photo was published in various magazines and on websites around the world. It eventually was added to Wikimedia Commons, a collection of images that are free for public use.

Slater asked Wikimedia to remove the image or pay for its use; Wikimedia did neither. Last week it came to light that Wikimedia had denied a notice-and-takedown request regarding the photograph on the basis that there was no copyright in the monkey’s photo.

Continue Reading Monkey in the Middle of Selfie Copyright Dispute

The latest issue of our Socially Aware newsletter is now available here.

Welcome to a special privacy issue of Socially Aware, focusing on recent privacy law developments relating to social media and the Internet. In this issue, we analyze a controversial European ruling that strengthens the right to be forgotten; we examine a recent California Attorney General report regarding best practices for compliance with the updated California Online Privacy Protection Act; we summarize the FTC’s recent settlement with Snapchat and its broader implications for mobile app developers; we report on a case filed by a French consumer association accusing three major social networking sites of using confusing and unlawful online privacy policies and terms of use; and we highlight the growing popularity of anonymous social apps and the security risks that they pose.

All this, plus a collection of thought-provoking statistics about online privacy…

Earlier this year, the French consumer association UFC-Que Choisir initiated proceedings before the Paris District Court against Google Inc., Facebook Inc. and Twitter Inc., accusing these companies of using confusing and unlawful online privacy policies and terms of use agreements in the French versions of their social media platforms; in particular, the consumer association argued that these online policies and agreements provide the companies with too much leeway to collect and share user data.

In a press release published (in French) on its website, UFC-Que Choisir explains that the three Internet companies ignored a letter that the group had delivered to them in June 2013, containing recommendations on how to modify their online policies and agreements. The group sought to press the companies to modify their practices as part of a consumer campaign entitled “Je garde la main sur mes données” (or, in English, “I keep my hand on my data”).

According to the press release, the companies’ refusal to address UFC-Que Choisir’s concerns prompted it to initiate court proceedings. The group has requested that the court suppress or modify a “myriad of contentious clauses,” and alleged that one company had included 180 such “contentious clauses” in its user agreement.

The group has also invited French consumers to sign a petition calling for rapid adoption of the EU Data Protection Reform, which will replace the current Directive on data protection with a Regulation that is directly effective in the 28 EU Member States. UFC-Que Choisir published two possibly NSFW videos depicting a man and a woman being stripped bare while posting to their Google Plus, Facebook and Twitter accounts. A message associated with each video states: “Sur les réseaux sociaux, vous êtes vite à poil” (or, in English, “On social networks, you will be quickly stripped bare”).

Continue Reading French Consumer Association Takes on Internet Giants

The European Court of Justice (ECJ) issued a quite surprising decision against Google that has significant implications for global companies.

On May 13, 2014, the ECJ issued a ruling that did not follow the rationale or the conclusions of its Advocate General, but instead sided with the Spanish data protection authority (DPA) and found that:

  • Individuals have a right to request from the search engine provider that content that was legitimately published on websites should not be searchable by name if the personal information published is inadequate, irrelevant or no longer relevant;
  • Google’s search function resulted in Google acting as a data controller within the meaning of the Data Protection Directive 95/46, despite the fact that Google did not control the data appearing on webpages of third party publishers;
  • Spanish law applied because Google Inc. processed data that was closely related to Google Spain’s selling of advertising space, even where Google Spain did not process any of the data. In doing so, it derogated from earlier decisions, arguing the services were targeted at the Spanish market, and such broad application was required for the effectiveness of the Directive.

The ruling will have significant implications for search engines, social media operators and businesses with operations in Europe generally. While the much-debated “right to be forgotten” is strengthened, the decision may open the floodgates for people living in the 28 countries in the EU to demand that Google and other search engine operators remove links from search results. The problem is that the ECJ mentions a broad range of data that may be erased. Not only should incorrect or unlawful data be erased, but also all data that is “inadequate, irrelevant, or no longer relevant”, as well as data that is “excessive or not kept up to date” in relation to the purposes for which it was processed. It is left to the companies to decide when data falls into these categories.

In that context, the ruling will likely create new costs for companies and possibly thousands of individual complaints. What is more, companies operating search engines for users in the EU will have the difficult task of assessing each complaint they receive and deciding whether the rights of the individual prevail over the rights of the public. Internet search engines with operations in the EU will have to handle requests from individuals who want the deletion of search results that link to pages containing their personal data.

That said, the scope of the ruling is limited to name searches. While search engines will have to de-activate the name search, the data can remain available through other keyword searches. The ECJ did not impose new requirements relating to the content of webpages, in an effort to maintain freedom of expression and, more particularly, press freedom. But the ruling will still result in a great deal of legally published information being available only to a limited audience.

Below we set out the facts of the case and the most significant implications of the decision, and address its possible consequences for all companies operating search engines.

Continue Reading European Court of Justice Strengthens Right to Be Forgotten

Cisco estimates that 25 billion devices will be connected to the Internet of Things (IoT) by 2015, and 50 billion by 2020. Analyst firm IDC makes an even bolder prediction: 212 billion connected devices by 2020. This massive increase in connectedness will drive a wave of innovation and could generate up to $19 trillion in savings over the next decade, according to Cisco’s estimates.

In the first part of this two-part post, we examined the development of, and practical challenges facing businesses implementing, IoT solutions. In this second part, we will look at the likely legal and regulatory issues associated with the IoT, especially from an EU and U.S. perspective.

The Issues

In the new world of the IoT, the problem is, in many cases, the old problem squared. Contractually, the explosion of devices and platforms will create the need for a web of inter-dependent providers and alliances, with consequent issues such as liability, intellectual property ownership and compliance with consumer protection regulations.

Continue Reading The Internet of Things Part 2: The Old Problem Squared

On January 24, 2014, in a case filed against Facebook by German consumer protection association VZBV, the Berlin Court of Appeal (“Court”) upheld a lower court ruling that Facebook’s “Friend Finder” function is unlawful. The Court agreed with the Berlin Regional Court’s 2012 decision that the Friend Finder function violates both German data protection law and unfair trade law, and re-affirmed the invalidity of several clauses in Facebook’s privacy notice and other online terms and conditions. VZBV has reported the ruling as a consumer victory, stating that the ruling recognizes that privacy is a consumer protection issue.

At the time of the original complaint, Facebook’s Friend Finder function invited users to “find friends from different parts of [their] life” by providing various pieces of information to the Facebook site, such as the schools their friends attended or the names of their friends’ current employers. Friend Finder also invited users to upload personal contacts from other platforms, including Skype and MSN, which enabled Facebook to add those contacts to its database and send them emails inviting them to join the social media platform. The complaint alleged that once Facebook had gathered this data, it could be used for other purposes, including commercial purposes. The Court held that Facebook had failed to provide adequate notice to users regarding this data import, and that its importing of non-users’ contact information constituted the collection of personal data of individuals who were not registered Facebook users without their knowledge or consent.

First, the Court established that German law applies to Facebook in this case because, although the social network’s European headquarters are based in Ireland, the U.S. parent company processes the applicable data and sets cookies on users’ computers located in Germany. The Court also pointed out that Facebook’s use of German service providers results in the application of German law. These facts distinguished the case from a recent ruling of the Schleswig-Holstein Administrative Court, which stated that Irish law—not German or U.S. law—applied to certain Facebook marketing activities in Germany because those activities were controlled from Ireland.

Turning to Friend Finder, the Court found that a breach of data protection law also constitutes a breach of the German Unfair Trade Act (“Unfair Trade Act”). More specifically, according to the Court, the fact that the Friend Finder function collected certain data without informing users or obtaining their consent breached Germany’s Data Protection Act and Telemedia Act, and the subsequent use of such data for commercial purposes without notice or consent violated the Unfair Trade Act.

The Court also found that Facebook’s email invitations to non-users asking them to register with Facebook, without recipients’ prior explicit consent, amounted to unlawful email marketing under the Unfair Trade Act. The Court highlighted that Facebook itself was the sender of these emails, not Facebook’s users (as might be the case with other companies’ “tell-a-friend” marketing functions), and that Facebook users were deceived because they were unaware that the contact information they had uploaded to the service would be used to send emails to their contacts.

Finally, the Court found certain clauses in Facebook’s terms and conditions (Allgemeine Geschäftsbedingungen) and privacy terms (Datenschutzrichtlinien) to be invalid, for a variety of reasons. For example, Facebook’s terms and conditions granted the company a worldwide license to use works such as photographs and videos uploaded by users, and the wording of the terms would have permitted the marketing and sale of such materials to other companies for commercial use. The Court found such license to be invalid without obtaining users’ specific consent based on “clear” and “easy to understand” language. Various other provisions, including those that gave Facebook the right to unilaterally modify its privacy terms and other terms and conditions, were also found to be unclear and therefore invalid.

Facebook’s mechanism for obtaining consent to its privacy terms turned out to be critical to this case. Currently, consumer associations are only permitted to bring actions in Germany regarding privacy terms that are considered to be “general terms and conditions” and thereby subject to certain rules concerning standard terms and conditions. Where those rules apply, Germany’s unfair trade provisions are applied. For several years now, VZBV has been lobbying the German government to pass legislation permitting actions related to data protection to be brought directly, and indeed, the German government announced in February 2014 that a draft bill amending the German Injunctions Act is expected in April 2014.

The amendments to the German Injunctions Act are anticipated to extend the scope of certain of its provisions that permit consumer associations to initiate summary proceedings to defend individuals’ rights, so that such provisions cover data protection laws. If these amendments are made, then the Injunctions Act would provide a new legal basis for litigation in Germany related to privacy and data protection.