With the effective date of the EU’s General Data Protection Regulation (GDPR) less than one month away, companies subject to the GDPR are racing to comply with the regulation’s data privacy laws. But, for those companies, May 25 doesn’t represent a finish line as much as it does a starting gate.

In the coming months, as the most thorough and efficient methods of complying with the GDPR’s requirements come to light, the compliance processes that companies rushed to implement will need to evolve and change.

Do your company’s GDPR-compliance practices require an overhaul or just a few minor tweaks? Find out at Morrison & Foerster’s Data Protection Masterclass, a webinar that will help you to avoid wasting your organization’s precious resources by busting GDPR myths.

Join Socially Aware contributors Miriam Wugmeister, Christine Lyon, Alex van der Wolk, and Alja Poler De Zwart on Tuesday, June 19, from 12:00 pm until 1:00 pm ET to learn about data processors’ obligations, the GDPR’s impact on outsourcing and vendor agreements,  and more. If you are interested in attending this webinar, please register here. There is no charge to attend.

Geo-blocking is the practice of preventing Internet users in one jurisdiction from accessing services elsewhere based on the user’s geographic location. The European Commission wants to eliminate geo-blocking within the EU—and has taken a significant step forward in its plans to do so by clearing key votes in the EU legislative process.

By the end of 2018, we expect that online retailers will need to ensure that they phase out the use of geo-blocking across the EU except in limited circumstances.

These changes are part of a wider programme of reform affecting all businesses operating in the Technology, Media, and Telecoms sectors in Europe.

Background

The European Commission launched its Digital Single Market (“DSM”) strategy in May 2015. We have written a number of articles following the DSM’s progress: at its inception, one year in, and in 2017 following a mid-term review.

Continue Reading EU Regulation Reform—Unjustified Geo-Blocking to Be Phased Out by End of 2018

The European Union (EU) has made reform of the e-commerce rules in Europe one of its main priorities for 2018.

The European Commission has already published two proposed Directives relating to cross-border e-commerce but legislative progress has been slow—a situation that the Commission plans to correct in 2018.

The Commission’s stated aim is to establish a more harmonised set of rules for the supply of digital content and sale of online goods across the EU, and to make it easier and less costly for businesses to engage in cross-border commerce. But what most e-commerce providers will focus on is the increased rights for EU consumers, particularly in the context of defects. The new rules will apply to online e-commerce providers, whether EU-based or not.

These changes are part of a wider programme of reform affecting all businesses operating in the Technology, Media and Telecoms (TMT) sectors in Europe.

Background

The European Union’s 2018 Work Programme sets out a challenging agenda of legislative and regulatory change for the TMT sectors, to be delivered in conjunction with the EU’s Digital Single Market (DSM) strategy. The Work Programme includes a list of the pending legislation that the Commission wants to have delivered most swiftly to European citizens as part of the DSM strategy. Any business with digital or technology operations in the EU will need to monitor and react to the EU’s planned changes.

The Commission launched its DSM strategy in May 2015. We have written a number of articles following the DSM’s progress: at its inception, one year in and in 2017 following a mid-term review. With the Commission still waiting for a number of its proposals to be delivered, 2018 is a key year in the life of the DSM.

The DSM strategy is broken down into three “pillars” and 16 Key Actions. The first “Key Action” is to develop rules to make cross-border e-commerce easier, including harmonised rules on contracts with consumers and other consumer protection when buying online. Two proposed Directives relating to cross-border e-commerce were issued relatively quickly – firstly, a proposed Directive on the supply of digital content (Digital Content Directive) and, secondly, a proposed Directive on online and other distance sales of goods (Online Goods Directive) (together, the “Proposed Directives”).

In a 2016 blog post we explored the scope, content and likely impact of the Proposed Directives across the EU generally (and in the UK and Germany specifically). In this alert, we review the progress that has been made so far and look ahead at the likely impact of these Directives in 2018.

The Digital Content Directive

At present, some EU Member States (such as the UK, the Netherlands and Ireland) have introduced legislation to govern the sale of digital content to consumers; other member states apply existing rules on the sale of goods or services that were not intended for digital content. That makes it very hard to apply EU-wide principles on the sale of digital content. Depending on the member state, the sales contract could be considered as a sales contract, as a services contract or as a rental contract. And then there’s the question of whether consumer sales law is applicable to digital content: in Germany and in Italy, a consumer is protected under consumer sales law when it comes to digital content, and the courts qualify intangible goods as a moveable object; whereas in Norway, the online supply of digital content is considered a service contract, and consumer sales law is not applicable.

The draft Digital Content Directive will harmonise the rules that apply to the provision of digital content to EU consumers, including rules on the remedies to which consumers are entitled for allegedly defective content. If any digital content is defective, firstly the EU consumer will be able to request that the defect be fixed – with no time limit on the ability to make that request—and, secondly, the burden of proof is reversed so that it will be the supplier’s responsibility to prove that the defect did not exist at the time of supply. See a more detailed summary here.

The rules would apply: (i) regardless of the method of sale, and (ii) to both digital content sold to the consumer (i.e., licensed on a perpetual basis) and digital content supplied under a temporary licence on a subscription basis. Currently, most EU Member States do not have national consumer protection legislation specifically concerning sales or subscription of digital content to consumers (the issue tends to be covered by sales of goods or services rules).

European Council: General Approach

After the Commission issued the draft Digital Content Directive in December 2015, there was steady progress through 2016 and various committees debated or “took stock” of the proposal.

In March 2017, the European Data Protection Supervisor raised concerns with the proposal – namely that the provision of data as “counter-performance” was problematic (as discussed further below) and that there was a potential overlap in scope with the incoming General Data Protection Regulation.

However, the first major development on the Digital Content Directive took place in June 2017, when the European Council clarified the EU’s position on the proposal as follows:

  • Scope. The scope of the Digital Content Directive includes so-called “over-the-top” interpersonal communication services (such as voice and video calling, text messaging, email and social networking), bundle contracts and the processing of personal data. However, the Council recommended that embedded digital content (meaning, digital content or services that are pre-installed in goods such as smart fridges) should be excluded, leaving these issues to be governed by the rules on the sale of goods. Additionally, the Council explicitly stated that the proposal would not affect existing national and EU laws on copyright and related rights.
  • Non-conformity. The Digital Content Directive, as initially drafted, allowed subjective conformity criteria (i.e., criteria that are agreed in an individual contract) to prevail over objective conformity criteria (i.e., criteria that are stipulated by law). The Council rejected the idea that subjective conformity takes priority, requiring compliance with both subjective and objective criteria for conformity, unless the latter is expressly waived in advance by the consumer.
  • Remedies. The Council suggests that suppliers should have a second chance to supply the digital content or service in certain situations and proposes eliminating the strict hierarchy of remedies for lack of conformity that were initially proposed by the Commission.
  • Time limits. The Council proposes both that there should be a one-year time limit in relation to the reversed burden of proof on suppliers and also that any warranty or limitation period relating to the liability of the supplier must be at least two years under applicable domestic law. It stopped short of suggesting that warranty periods should be mandatorily harmonised across the EU.

European Parliament: Joint Report

The next key development took place in November 2017 when the two committees within the European Parliament that are responsible for progressing the proposed Digital Content Directive (being the Internal Market and Consumer Protection Committee (IMCO) and Legal Affairs (JURI)) adopted a joint report on the proposal. A number of compromise amendments to the draft Digital Content Directive were prepared on the basis of the report, of which the main ones were:

  • Emphasis on data protection. The provisions on data protection in the draft Digital Content Directive should be prioritised over the contract law provisions.
  • Provision of data as counter-performance. The Digital Content Directive was drafted to cover digital content that is provided for non-monetary consideration, such as when a consumer provides his/her data to a supplier in exchange for access to content. The compromise amendment suggested in the report is to limit the provision of data as counter-performance to only personal data.
  • Latent defects. The draft provisions on a supplier’s liability for latent defects were removed, allowing Member States to retain or introduce domestic laws on liability for such defects.
  • Non-conformity. Consistent with the Council’s approach, the report suggests that all subjective and objective criteria for conformity must be met, unless the consumer expressly consents to waive compliance with such objective criteria in advance.
  • Time limits. Also in keeping with the Council’s approach, a time limit was introduced in connection with the proposed reversal of the burden of proof. However, the report suggests a time limit of two years (rather than the Council’s proposal of one year) and introduces an additional time limit relating to trader liability for defects of one or two years.
  • Embedded digital content. The scope of the draft Digital Content Directive was expanded to cover digital content embedded in tangible goods, in contrast to the amendment proposed by the Council.

Next Steps

The report was referred to the European Parliament, Council and Commission to commence informal trialogue talks, which are now expected to take place in the first part of 2018.

The Online Goods Directive

The draft Online Goods Directive will apply new rules to goods sold online or otherwise at a distance to EU consumers. Face-to-face sales are not covered, nor are contracts for the supply of services.

The key provisions of the Draft Online Goods Directive include a reversal of the burden of proof (i.e., the onus will be on the seller to prove that any defect didn’t exist at the time of sale) for two years; consumers won’t lose their rights if they don’t inform the seller of a defect within a certain period of time (as is currently the case in some Member States); if the seller is unable or fails to repair or replace a defective product, consumers will have the right to terminate the contract and be reimbursed also in cases of minor defects. See a more detailed summary here.

The draft Directive replaced the Commission’s previous attempt at harmonisation, which took the form of a proposed Regulation on a Common European Sales Law. The EU Parliament’s IMCO published its draft report on the Directive in November 2016, supporting the full harmonisation measures envisaged, but suggesting an expansion of the scope of the Directive to cover offline sales. This was driven by the desire for consistency – the idea that a common set of rules across Member States would be valuable for online, distance and face-to-face sales alike, rather than having a fragmented legislative framework that would vary depending on the method of sale.

After publishing its draft report, IMCO tabled over 200 amendments to the draft Online Goods Directive during a committee meeting in January 2017, and more in July 2017 (mostly relating to the expansion of the scope of the draft Directive to offline sales).

The Commission subsequently released an amended proposal on 31 October 2017. Although the main elements of the Online Goods Directive were unaltered, the amended proposal did provide for the following noteworthy changes:

  • Offline sales. In alignment with the suggestions in the draft report, the scope of the proposed Directive was expanded to cover offline sales. As a result, Directive 1999/44/EC on consumer sales and guarantees would be fully repealed (whereas before, it would have been only partially amended).
  • Second-hand goods. Member States will have the option of narrowing the scope of the Online Goods Directive to exclude contracts for the sale of second-hand goods sold at public auction.

Next Steps

The amended proposal has been resubmitted to the European Parliament and Council. We await a decision from the European Economic and Social Committee, after which the European Parliament will need to vote on the proposal at first reading.

What Should We Expect in 2018?

We will be keeping tabs on the Proposed Directives as they progress under the ordinary legislative procedure, although, because there is no time limit on the first reading stage, it is difficult to predict exactly when we will see movement.

It is also difficult to predict the impact of the Proposed Directives on the UK. The UK is, of course, due to leave the EU in March 2019, which is likely to be before the Proposed Directives are implemented. It will therefore be for the UK to decide the extent to which it wishes to reflect the provisions of the final Proposed Directives in national law, if at all. The commercial benefits of harmonisation with EU Member States will need to be weighed carefully against the drawbacks of overhauling consumer laws so soon after the changes introduced by the UK Consumer Rights Act 2015.

Happy 2018 to our readers! It has become a Socially Aware tradition to start the New Year with some predictions from our editors and contributors. With smart contracts on the horizon, the Internet of Things and cryptocurrencies in the spotlight, and a number of closely watched lawsuits moving toward resolution, 2018 promises to be an exciting year in the world of emerging technology and Internet law.

Here are some of our predictions regarding tech-related legal developments over the next twelve months. As always, the views expressed are not to be attributed to Morrison & Foerster or its clients.

From John Delaney, Co-Founder and Co-Editor, Socially Aware, and Partner at Morrison & Foerster:
Regarding Web Scraping

Web scraping is an increasingly common activity among businesses (by one estimate, web-scraping bots account for as much as 46% of Internet traffic), and is helping to fuel the “Big Data” revolution. Despite the growing popularity of web scraping, courts have been generally unsympathetic to web scrapers. Last August, however, web scrapers finally received a huge victory, as the U.S. District Court for the Northern District of California enjoined LinkedIn from blocking hiQ Labs’ scraping of publicly available user profiles from the LinkedIn website in the hiQ Labs, Inc. v. LinkedIn Corp. litigation. The case is now on appeal to the Ninth Circuit; although my sense is that the Ninth Circuit will reject the broad scope and rationale of the lower court’s ruling, if the Ninth Circuit nevertheless ultimately sides with hiQ Labs, the web scraper, the decision could be a game changer, bringing online scraping out of the shadows and perhaps spurring more aggressive uses of scraping tools and scraped data. On the other hand, if the Ninth Circuit reverses, we may see companies reexamining and perhaps curtailing their scraping initiatives. Either way, 2018 promises to bring greater clarity to this murky area of the law.

Regarding the Growing Challenges for Social Media Platforms

2017 was a tough year for social media platforms. After years of positive press, immense consumer goodwill and a generally “hands off” attitude from regulators, last year saw a growing backlash against social media due to a number of reasons: the continued rise of trolling creating an ever-more toxic online environment; criticism of social media’s role in the dissemination of fake news; the growing concern over social media “filter bubbles” and “echo chambers”; and worries about the potential societal impact of social media’s algorithm-driven effectiveness in attracting and keeping a grip on our attention. Expect to see in 2018 further efforts by social media companies to get out ahead of most if not all of these issues, in the hopes of winning over critics and discouraging greater governmental regulation.

Regarding the DMCA Safe Harbor for Hosting of User-Generated Content

The backlash against social media noted in my prior item may also be reflected to some extent in several 2017 court decisions regarding the DMCA safe harbor shielding website operators and other online service providers from copyright damages in connection with user-generated content (and perhaps in the CDA Section 230 case law discussed by Aaron Rubin below). After nearly two decades of court decisions generally taking an ever more expansive approach to this particular DMCA safe harbor, the pendulum begun to swing in the other direction in 2016, and this trend picked up steam in 2017, culminating in the Ninth Circuit’s Mavrix decision, which found an social media platform provider’s use of volunteer curators to review user posts to deprive the provider of DMCA safe harbor protection. Expect to see the pendulum continue to swing in favor of copyright owners in DMCA safe harbor decisions over the coming year.

Regarding Smart Contracts

Expect to see broader, mainstream adoption of “smart contracts,” especially in the B2B context—and perhaps litigation over smart contracts in 2019 . . . .

From Aaron Rubin, Co-Editor, Socially Aware, and Partner at Morrison & Foerster:
Regarding the CDA Section 230 Safe Harbor

We noted previously that 2016 was a particularly rough year for Section 230 of the Communications Decency Act and the immunity that the statute provides website operators against liability arising from third-party or user-generated content. Now that 2017 is in the rear view mirror, Section 230 is still standing but its future remains imperiled. We have seen evidence of Section 230’s resiliency in recent cases where courts rejected plaintiffs’ creative attempts to find chinks in the immunity’s armor by arguing, for example, that websites lose immunity when they use data analytics to direct users to content, or when they fail to warn users of potential dangers, or when they share ad revenue with content developers. Nonetheless, it is clear that the knives are still out for Section 230, including in Congress, where a number of bills are under consideration that would significantly limit the safe harbor in the name of combatting sex trafficking. I predict that 2018 will only see these efforts to rein in Section 230 increase. Continue Reading 2018: Predictions From Socially Aware’s Editors and Contributors

In 2016, brands spent $570 million on social influencer endorsements on Instagram alone. This recode article takes a looks at how much influencers with certain followings can command, and whether they’re worth the investment.

And don’t overlook the legal issues associated with the use of social media influencers; the FTC just settled its first complaint against social media influencers individually. The case involved two online gamers who posted videos of themselves promoting a gaming site that they failed to disclose they jointly owned.

In a precedent setting opinion, the European Court of Human Rights held that the right to privacy of a Romanian man, Bogdan Bărbulescu, was violated when Bărbulescu’s employer, without explicitly notifying Bărbulescu, read personal messages that Bărbulescu sent from an online account that Bărbulescu had been asked to set up for work purposes.

In other European news, the attorney general for England and Wales, Jeremy Wright, MP, has begun an inquiry into whether that jurisdiction needs to impose restrictions on social media in order to help ensure criminal defendants there get a fair trial.

More than half of Americans 50 or older now get their news from social media sites, Pew Research Center’s 2017 social media survey shows.

Celebrities who promote initial coin offerings (ICOs) on social media risk violating laws that apply to the public promotion of securities.

Facebook developed an artificial intelligence robot that can express emotion by making realistic facial expressions at appropriate times.

A college student has sued Snapchat and the Daily Mail for alleged defamation and invasion of privacy arising from the use of the student’s name and image on Discover, Snapchat’s social news feature, under the headline, “Sex, Drugs and Spring Break—College Students Descent on Miami to Party in Oceans of Booze and Haze of Pot Smoke.”

Is the threat of artificial intelligence disrupting a slew of industries less imminent than we thought?

Google created a website that uses fun illustrations to show which “how to” queries its users entered into the search engine most.

The popularity of online videos that viewers can appreciate with the sound turned off has led to striking similarities between early silent film and modern social video.

A defamation suit brought by one reality television star against another—and naming Discovery Communications as a defendant—could determine to what extent (if any) media companies may be held responsible for what their talent posts on social media.

In a move characterized as setting legal precedent, UK lawyers served an injunction against “persons unknown” via an email account linked to someone who was posting allegedly defamatory “fake news” stories on social media.

European regulators fined Google $2.7 billion for violating antitrust law by allegedly tailoring algorithms for product-related queries to promote its own comparison shopping service. If the search company doesn’t change how its search engine works in the EU in the next few months, it risks fines of up to 5% of its parent company Alphabet Inc.’s daily revenue.

A newly formed trade group, called the Influencer Marketing Council, is representing social influencers in discussions with regulators and Internet platforms, and is leading an effort to outline best practices for complying with the FTC’s endorsement guidelines.

Pinterest’s commercial progress has reportedly been hampered by several factors, including the format of its advertisements, which must mimic user posts—something that requires brands to design content specifically for the platform.

Members of law enforcement have expressed concerns regarding the safety risks posed by a Snapchat update that lets users see the exact location of their Snapchat “friends.” An article on The Verge has some useful tips on how to use the function, which is called Snap Map, and how to turn it off.

Because the First Amendment limits the ability of the U.S. government to regulate search companies’ and social media platforms’ policies and guidelines, companies like Google and Twitter might eventually be de facto regulated even within the United States by foreign nations whose governments are entitled to regulate what happens on the Internet in order to protect their citizens according to their own laws.

Several A-list musicians have stepped away from social media at least partly because their incredible popularity has made them an attractive target for trolls.

Here are tips on how to limit online service providers from collecting information about you in using social media and surfing the web.

On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap. Continue Reading German Parliament Enacts Wide-ranging Surveillance Powers Allowing End User Devices to Be Hacked by Authorities

03_April_SociallyAware_thumbnailThe latest issue of our Socially Aware newsletter is now available here.

In this edition, we explore the threat to U.S. jobs posed by rapid advances in emerging technologies; we examine a Federal Trade Commission report on how companies engaging in cross-device tracking can stay on the right side of the law; we take a look at a Second Circuit opinion that fleshes out the “repeat infringer” requirement online service providers must fulfill to qualify for the Digital Millennium Copyright Act’s safe harbors; we discuss a state court decision holding that Section 230 of the Communications Decency Act immunizes Snapchat from liability for a car wreck that was allegedly caused by the app’s “speed filter” feature; we describe a recent decision by the District Court of the Hague confirming that an app provider could be subject to the privacy laws of a country in the European Union merely by making its app available on mobile phones in that country; and we review a federal district court order requiring Google to comply with search warrants for foreign stored user data.

All this—plus an infographic illustrating how emerging technology will threaten U.S. jobs.

Read our newsletter.

GettyImages-169937464_SMALLCan the mere offering of a mobile app subject the provider of such app to the privacy laws of countries in the European Union (EU)—even if the provider does not have any establishments or presence in the EU? The answer from the District Court of The Hague to that question is yes. The court confirmed on November 22, 2016, that app providers are subject to the Dutch Privacy Act by virtue of the mere offering of an app that is available on phones of users in the Netherland, even if they don’t have an establishment or employees there.

Context. EU privacy laws generally apply on the basis of two triggers: (i) if a company has a physical presence in the EU (in the form of an establishment or office or otherwise) and that physical presence is involved in the collection or other handling of personal information; or (ii) if a company doesn’t have a physical presence but makes use of equipment and means located in the EU to handle personal information.

Continue Reading The Hague District Court’s WhatsApp Decision Creates Concerns for Mobile App Developers

A federal district court judge refused to grant summary judgment to the copyright owners of the Star Trek franchise in the infringement suit they brought against the team behind a fan-made, crowdfunded prequel to the original Star Trek television series.

Strict new European Union privacy rules will restrict Internet companies’ access to consumers’ data.

Brands might soon be able to place video ads within Instagram Stories.

Driving while Snapchatting (or holding your cell phone in your hand for any other possible reason) is now illegal in California.

China is reportedly testing a system that assigns potentially life-altering “scores” to people based on their online activity.

How much about the future of the Internet do you think Bill Gates was able to predict 20 years ago?

The 58th Presidential Inaugural Committee website’s privacy policy apparently contains language suggesting it was lifted from a casino website.  

A small neighborhood restaurant turned the tables on a Yelp critic.

Concerned about the post-mortem fate of your property, legacy and reputation? Don’t forget your digital assets. This New York Times article explains how to make sure your wishes are carried out.

If you spot these apps on your significant other’s phone, it might be time to worry.