A federal district court in Wisconsin struck down the first law in the country requiring augmented-reality-game makers to go through a complicated permit-application process before their apps could be used in county parks.

The U.S. Supreme Court on Nov. 13 will implement an electronic filing system, making all new documents available to the public for free. In another attempt to advance its use of technology, SCOTUS updated its website.

Approximately 40% of the world’s population is now active on social media.

Researchers who tried to identify people suffering from depression by examining their Instagram photos had a 70% success rate.

DoNotPay, a chatbot that has helped drivers to overturn 375,000 parking tickets so far, is expanding to help consumers tackle nearly one thousand other legal issues without the help of an attorney.

The number of Internet-of-Things-related companies is fast multiplying. This Forbes piece lists the IoT categories that are attracting the most interest from entrepreneurs and investors.

Companies that allow hiring managers to check out job candidates’ social media accounts could be exposing themselves to legal trouble.

Beware requests to connect on social media from people you don’t actually know. A known hacker group used a fake LinkedIn profile to connect with people working at certain companies and trick them into installing malware on their company computers.

Using blockchain, companies organized as Decentralized Autonomous Organizations do away with the need for senior executives and managers by allowing stakeholders to vote on every decision the company faces—including the fate of employees who underperform.

A survey of 2,000 Britons about their pet social-media-peeves showed that bragging about your kids might hurt your popularity online. Read the full list of cyber activities that most people consider Facebook faux pas.

The U.S. Supreme Court unanimously held that a North Carolina law that the state has used to prosecute more than 1,000 sex offenders for posting on social media is unconstitutional because it violates the First Amendment.

The U.S. Supreme Court denied certiorari in what has become known as the  “dancing baby” case—a lawsuit brought by a woman who sued Universal Music Group for directing YouTube to take down a video of her toddler-age son dancing to Prince’s “Let’s Go Crazy.” The high court’s decision leaves in place the decision of the Ninth Circuit Court of Appeals holding that copyright owners must consider the possibility of fair use before sending a DMCA takedown notice.

Queen Elizabeth II proposed to Parliament a law that would require social networking sites to honor Internet users’ requests to remove anything the users shared before turning 18. The European Union already requires search engines to abide by users’ requests to remove information as part of the “right to be forgotten,” but the information must fulfill several criteria to qualify for removal.

In an effort to minimize the extent to which social bots can manipulate public opinion, Germany plans to update its communication laws to require the operators of social media platforms to identify when posts were generated by social bots and not actual people. And, yes, the name in German for this labeling requirement is Kennzeichnungspflicht.

In other German social-media-news, police in that country raided the homes of 36 people accused of posting on social media hate speech that included threats and harassment based on race and sexual orientation, and left-wing and right-wing extremist content.

Making Texas one of 18 states to pass a bill on self-driving cars, Lone Star State governor Greg Abbott signed a bill confirming that car manufacturers may test autonomous vehicles on Texas roads and highways.

Bitcoin’s price might be surging, but it has yet to achieve widespread usage.

Motivated in part by her desire to avoid real-estate-agent fees, a London homeowner plans to sell her house by hosting a viewing on Facebook Live and receiving offers through Facebook Messenger.

SociallyAware_Vol8Issue1_Thumb2The latest issue of our Socially Aware newsletter is now available here.

In this edition,we examine a spate of court decisions that appear to rein in the historically broad scope of the Communications Decency Act’s Section 230 safe harbor for website operators; we outline ten steps companies can take to be better prepared for a security breach incident; we describe the implications of the Second Circuit’s recent opinion in Microsoft v. United States regarding the U.S. government’s efforts to require Microsoft to produce email messages stored outside the country; we explore the EU’s draft regulation prohibiting geo-blocking; and we take a look at UK Consumer Protection regulators’ efforts to combat undisclosed endorsements on social media.

All this—plus an infographic highlighting the most popular social-media-post topics in 2016.

Read our newsletter.

The Internet Movie Database (IMDb) has filed suit to overturn a law that requires the popular entertainment website to remove the ages or birth dates of people in the entertainment industry upon request.

Vine might not be history after all.

Twitter users posted more than one billion election-related tweets between the first presidential debate and Election Day.

Facebook is testing a feature that allows company Page administrators to post job ads and receive applications from candidates.

People who create or encourage others to use “derogatory hashtags” on social media could be prosecuted in England and Wales.

A new “tried it” checkmark on pins will allow Pinterest users to share the products and projects they’ve purchased or attempted.

Did social media ads allow political campaigns to circumvent state laws prohibiting the visible promotion of candidates within a certain distance of polling places?

The Eight Circuit held that a college has the right to expel a student from its nursing program for inappropriate social media posts about his classmates, including the suggestion that he would inflict on one of them a “hemopneumothorax”—a lung puncture.

Law enforcement officials are increasing their use of social media to locate missing persons.

An unemployed single mother in California is facing several misdemeanor charges for selling her ceviche over social media.

Coming soon to a vending machine near you: Snapchat Spectacles (but only if you live in a densely populated area like New York or Los Angeles).

Social media analytics firms claim that social media did a better job at predicting Trump’s win than the polls.

Because it bases its assesments on job title, location and industry, LinkedIn’s new Salary feature might be more accurate than are other online compensation estimation tools.

States are trying to pass laws that balance bereaved people’s desire to access their deceased loved ones’ social media accounts with the privacy interests of the account holders and the people with whom they corresponded. Without such laws, access to a deceased person’s digital assets might depend on the various social media platforms’ terms of use.

In lawsuits, social media has occasionally made it easier to serve process on adverse parties, but it has also made it more difficult to ensure that jurors remain unbiased.

A UK company wants to set car insurance premiums using an algorithm that analyzes car owners’ Facebook posts for pertinent personality traits?! The plan likely won’t go far; it violates Facebook’s platform policy.

Kenya deported a registered refugee for posting to social media his support of the U.N. secretary-general’s firing of a Kenyan commander of a peacekeeping mission in South Sudan, the refugee’s native country.

Thinking of posting a photo of yourself in the voting booth on Tuesday? Not so fast. In many states it’s illegal to share on social media photos of completed ballots and photos of yourself inside a voting booth. Courts all over the U.S. are hearing challenges to these so-called “ballot selfie” laws.

Does a lawyer violate ethics rules by purchasing the names of competing lawyers or law firms as keywords that improve the purchasing lawyer’s own rank in Google search results?

In the three years since its launch, an app called Scholly, which matches students with a personalized list of scholarships, has been downloaded over a million times. Here’s some advice for other social entrepreneurs from the company’s 25-year-old founder and CEO.

Some researchers believe the likes, status updates and photos posted to social media platforms will someday be the source material for breakthroughs in the field of psychiatry.

A UK solicitor was fined by a professional conduct regulator for posting a series of “unprofessional and offensive” tweets bragging about his victory over vulnerable adversaries.

Thumbs Up on Social Technology and Internet Set

Social media is reportedly rife with influencers promoting or reviewing products or services without disclosing compensation or other consideration that they’ve received for such endorsements. The Competition and Markets Authority (CMA), the UK’s consumer protection regulator, is stepping up efforts to combat such undisclosed endorsements.

Following a ruling against an influencer marketing company, Social Chain Ltd, the CMA has warned 15 companies and 43 “social media personalities” who used Social Chain to publish content on social media that they could be in breach of UK consumer protection laws.

As we have discussed many times in Socially Aware, the advertising landscape has undergone a dramatic transformation over the past decade. The rise of social media and ever-increasing levels of Internet access across the world have made social media advertising a strong challenger to more traditional—and expensive—advertising methods, such as television advertising.

Of course, there is nothing novel in companies seeking to use celebrities to attract attention to and create excitement for their brand messages. But what has changed is the medium; when a consumer follows a celebrity on YouTube, Instagram, Facebook, Snapchat or Twitter (especially a social media personality who has become famous as a result of being on YouTube, Instagram, etc.), it’s not always easy to distinguish between a genuine opinion and an advertisement. Continue Reading UK Consumer Protection Regulator Cracks Down on Undisclosed Endorsements and “Cherry Picking” Reviews on Social Media

The UK wants to use the blockchain to track the spending of welfare recipients.

Some believe that a recent Ninth Circuit holding could turn sharing passwords into a federal crime under the Computer Fraud and Abuse Act.

And another Ninth Circuit opinion sided with Facebook in a closely-watched case interpreting the same federal law, this time involving unauthorized access to Facebook’s website.

The fashion world is embroiled in a rocky romance with social media.

Snapchat filed a patent application for image-recognition technology that may help the platform’s ad sales.

Scientists think they’ve found a way to tackle virtual reality sickness.

What’s going on at Vine? First a bunch of influencers cut ties with the platform. Now a group of its top executives have jumped ship.

Livestreaming services are giving cable TV networks a run for their money.

You didn’t think we’d ignore the Pokémon Go craze, did you? Here’s advice on how to protect your privacy when you’re using the app. We’re also preparing an article describing the game and the business and legal issues that are arising from it. Stay tuned.

iStock_91726351_600pxAs the entire world knows, the United Kingdom has voted by a narrow majority to leave the European Union (“Brexit”). But the Brexit process will take time, and the implications for businesses will also unfold over time. In this blog post, we take a look at the potential privacy and data security implications of Brexit.

No Changes in the Short Term

For the time being, the UK remains a member of the EU; and the Data Protection Directive (“Directive”) and e-Privacy Directive as currently implemented in UK law continue to apply. The Directive will be replaced by the EU General Data Protection Regulation (GDPR) in May 2018, and in the coming period the e-Privacy Directive will be updated to reflect the changes that the GDPR will bring. Given the time that will elapse before Brexit actually occurs, it may well be the case that the GDPR will come into force before the UK formally exits the EU.

As the GDPR has the form of an EU regulation, it will be directly applicable in all EU Member States, and no steps need to be taken by the UK for it to be implemented in the national law of the UK. Further, it may well be the case that the UK will have to implement the amended e-Privacy Directive into UK law before Brexit takes place. Until the UK formally exits the EU, data transfers between the UK and the other countries in the EU may continue to occur because the EU data transfer rules do not apply to transfers of personal data within the EU.

Changes After Brexit

The situation will change when UK leaves the EU. From that moment on, the GDPR will no longer be applicable in the UK. The national laws implementing EU directives (including the e-Privacy Directive) will, however, remain in force until they are amended or repealed. Thus, the UK will become a “third country” under the data transfer rules in the GDPR. In this case, personal data can only be exported by a business established in the EU to a third country, such as the UK, if there is an “adequate level of protection” for such data, unless certain conditions have been met.

There are three options under which the UK may obtain the required “adequacy status,” with the third being the most likely:

Becoming an EEA member: The UK may (like Norway, Liechtenstein and Iceland) become a member of the European Economic Area by becoming a signatory to the EEA Agreement. Under Article 7 of the EEA Agreement, the UK would still need to accept being bound directly by relevant EU laws relating to the four freedoms, including the GDPR. This option is unlikely to be pursued by the UK government in the form adopted by Norway, Liechtenstein and Iceland, in view of the fact that the UK would need to agree to be bound by many of the rules of the EU that have been unpopular with Brexit supporters, including the free movement of people.

The Swiss solution: Switzerland is not part of the EU or EEA (although it has bilateral agreements with the EU allowing access to the single market). Although not bound by it, Switzerland has fully implemented the Directive into its domestic legislation and, on that basis, has received an “adequacy finding” from the European Commission. Switzerland has already indicated its wish to update Swiss legislation to reflect the application of the GDPR and retain its adequacy status. Also, although Switzerland is not subject to the jurisdiction of the European Court of Justice (ECJ), the ECJ’s case law has had a significant influence on Swiss legislation.

For instance, after the ECJ struck down the EU-US Safe Harbor Decision of the Commission, the Swiss also declared that the Swiss-US Safe Harbor did not provide a sufficient legal basis for exporting data from Switzerland to the U.S. As with becoming a member of the EEA, the Swiss model would require the UK to adopt the GDPR as it stands now and any further EU legislation on data protection, without having any right to participate in EU rule-making. This option is unlikely to be pursued by the UK government in the form adopted by Switzerland because it would entail the UK agreeing to be bound by many of the rules of the EU which have been unpopular with Brexit supporters, including the free movement of people.

Full adequacy finding: Under this option, he UK would implement its own data protection laws and would then request the Commission to issue a decision that its legal regime is “adequate” when assessed against the standard set by EU data protection law. At first glance, this seems to be the preferred option because it enables the UK to relax some of the rules in order to facilitate trade (as it advocated in the negotiations over the GDPR). However, if the UK wishes to obtain a quick adequacy decision to continue to facilitate data transfers between the UK and the EU also upon exit, it will likely have to implement provisions that are close to the GDPR. Any other approach could set the UK back in getting a quick adequacy decision.

The EU may well be averse to any softening of the rules that would give the UK an advantage over EU Member States, or enable some sort of forum shopping. It is therefore not surprising that the UK Information Commissioner’s Office (ICO) has already issued a statement that UK data protection standards would have to be equivalent to the GDPR. We note that the UK has been a long-standing advocate of data protection (e.g., it had a law more than 10 years before the Directive was adopted) and there is solid public awareness of privacy laws. The UK has further ratified Convention 108 (which sets core principles for data protection) as well as the European Convention on Human Rights (“ECHR” – which, in article 8, provides for the right to privacy), and the UK is subject to the European Court of Human Right’s competence. The ICO is a member of the Global Privacy Enforcement Network (GPEN), intended to strengthen cross-border information sharing and co-operation in cross-border enforcement among privacy authorities around the world. This all seems to point into the direction of adequacy.

We highlight, however, that the recent Schrems judgment of the ECJ may also have implications for the UK. In the Schrems judgment, the ECJ invalidated the decision of the Commission that approved the Safe Harbor Framework facilitating data transfer to U.S. companies that adhered to this framework, because the privacy of European citizens was not considered to be adequately protected (in short) because the powers of the U.S. intelligence services went beyond what was strictly necessary and proportionate to the protection of national security and individuals did not have adequate means of judicial redress to protect their privacy. The concern that the intelligence services have overly broad surveillance powers may well also apply to the UK intelligence services. More clarity may come from three cases pending before the European Court of Human Rights, which were instigated by the UK Bureau of Investigative Journalism and a number of civil rights organizations, and claim that the generic surveillance powers of the UK intelligence services violate Article 8 of the European Convention on Human Rights.

Conclusions

In the short term, until the UK ceases to be a member of the EU, nothing changes and data transfers may continue as they currently do.

Whichever of the three options the UK ultimately follows to obtain adequacy status, the end result will be UK data protection legislation that is very much aligned with the upcoming GDPR and other EU privacy rules.

Next Steps for Businesses

• While it is expected that the Commission will eventually confirm “adequacy status” for whatever data protection laws the UK puts in place post-Brexit, it is possible that this may not have been done at the precise time of exit. This situation would require businesses to put in place alternative data transfer arrangements for transfers from within the EU to the UK, such as the entering into of standard contractual clauses (SCCs). Controllers and processors can also “adduce appropriate safeguards” for their intra-group transfers by adopting binding corporate rules (“BCRs”). In any case, in the aftermath of the Schrems judgement, we see a trend of companies moving to implement BCRs in order to be less dependent on the adequacy decisions of the Commission and the negotiations of the EU and US in respect of the terms of the new Privacy Shield.

• Given the lead time it takes to implement the GDPR requirements into business processes, businesses in the UK should continue their GDPR readiness programs. As indicated above, the rules that the UK will ultimately implement in all likelihood will closely resemble the GDPR. Note further that the GDPR may continue to apply to the data processing activities of UK companies where they offer goods or services to citizens in other EU countries, or otherwise monitor their behavior. The same will apply to UK companies with offices in other EU countries operating central data processing systems.

• The ICO has acted as the lead data protection authority (“DPA”) in approving BCRs in many instances. After the exit, the ICO will no longer be authorized to act as lead DPA. Companies with BCRs where the ICO is lead DPA will therefore have to approach another EU DPA to act as their lead DPA. Businesses applying for BCRs and having to select a lead DPA and co-leads should consider taking this into account.

 

*          *        *

For more insights regarding the potential legal implications of the recent Brexit vote, please see our MoFo Brexit Briefings page on the Morrison & Foerster website.

 

 

 

 

 

iStock_000086819927_SmallWith 1.65 billion users on Facebook, 332 million users on Twitter and 400 million on Instagram, it is unsurprising that many companies are seeking to increase brand awareness and customer engagement by running competitions via social media. If you want to avoid attracting the scrutiny of UK regulatory authorities, however, you will want to ensure that your social media competition complies with the Committee of Advertising Practice Code (CAP Code).

The CAP Code acts as the rulebook for non-broadcast advertisements in the UK and requires that promotions (including those on social media) be legal, decent, honest and truthful. The Cap Code is enforced by the Advertising Standards Authority, the independent regulator responsible for advertising content in the UK. Given the particular challenges posed by social media, CAP has some useful guidance on sales promotions: prize draws in social media (Guidance).

If you are running a prize promotion in the UK, it’s important to become familiar with the CAP Code and Guidance to ensure that your competition doesn’t run into legal problems. Here’s a quick overview of some of the key principles set out in the Guidance.

Key Principles Under the Guidance

 If you’re organising a promotion on social media, be sure that:

  • the promotion is run equitably, promptly and efficiently;
  • you deal fairly and honourably with participants;
  • you avoid causing unnecessary disappointment; and
  • any marketing communications connected with the promotion are not misleading.

In addition, the Guidance advises promoters to comply with the following practices:

  1. Include significant information in the initial advert.

Significant information includes the closing date, instructions on how to enter and any other restrictions on entry. Depending on the circumstances, other key information could include the start date, the number and nature of the gifts and/or prizes and the promoter’s name and address.

There is an exemption for platforms that severely restrict the space of the initial ad, such as Twitter, which limits posts to 140 characters. However, you are expected to include as much information as is practicable.

  1. Include a link to the full T&Cs.

All participants must be able to access the full terms and conditions (T&Cs) that apply to the promotion before entry. These T&Cs must provide certain information, which participants must be able to access easily during the promotion period.

  1. Include all eligible entrants when selecting winners.

You must be able to demonstrate that a reliable method was used to collect all eligible entries (particularly where the method of entering requires using some feature of the applicable social media platform, such as re-tweeting a post on Twitter).

  1. Select prize draw winners at random.

This must be done in a verifiably unbiased way, for example, through the use of a computer process or in the presence of an independent person.

  1. (You would think that it goes without saying but…) Actually award the prize.

In addition to awarding any advertised prizes, adequate steps must be taken to ensure that the winner is notified. Calling a winner once, or only announcing the winner once via social media, is not sufficient.

If you are running a prize promotion you will need to keep in mind legal issues that may affect the competition in addition to the ones addressed by the CAP Code, such as:

  • GamblingEnsure that the promotion does not constitute an unlawful lottery under the Gambling Act 2005. Prize draws that are free to enter (or offer at least one free method of entry), generally avoid being so classified under the Act.
  • Data Protection Your collection and use of participants’ personal data must comply with data protection law. Ensure that your data processing is compliant, and include a link to the applicable privacy policy in your T&Cs for the promotion.
Platform-Specific Rules

The social media platform that you are using to run your prize promotion likely has its own rules regarding prize promotions. Make sure that you check the platform’s rules before you run your promotion (the rules are regularly updated). If you breach the platform’s rules, then you risk having your account disabled.

Here are some of the rules governing prize promotions that you will find in Facebook’s, Twitter’s and Instagram’s terms of use.

Facebook

  • Promotions must include an acknowledgement that the promotion is not affiliated with or endorsed by Facebook.
  • Personal timelines or friend connections can’t be used to administer promotions. For example, you can’t require participants to share posts on their timelines, or their friends’ timelines, or tag their friends in posts in order to participate in the promotion.
  • Pages promoting the private sale of certain goods, such as alcohol, tobacco and adult products, must restrict access to those aged 18 and older.
  • Promotion of online gambling, casinos, lotteries and other related activities require prior authorisation from Facebook and are only permitted in certain countries.

Twitter

  • Discourage the creation of multiple Twitter accounts, for example, by including a rule stating that participants using multiple accounts will be ineligible to enter.
  • The Twitter rules prohibit the posting of duplicate, or near duplicate, Tweets, links or updates, so don’t encourage participants to duplicate tweets. Play it safe by having your competition’s rules state that multiple entries submitted in a single day will not be accepted.
  • To help ensure that all entries are counted, ask participants to include an @reply in their updates. This will help ensure that all tweeted entries show up in public searches.

Instagram

  • Don’t inaccurately tag, or encourage users to inaccurately tag, any content. This includes requesting users tag themselves in photos when they are not in the photo.
  • Promotions must include an acknowledgement that the promotion is not affiliated with or endorsed by Instagram.
Conclusion

Running a social media competition can be an effective way to generate attention for your brand. By following the rules, you can help ensure that your brand is trending on Twitter, Facebook or other social media platform for all of the right reasons.