• Since launching its Google+ social network three years ago, Google has insisted that Google+ users use only their real names on the network — no pseudonyms.  Perhaps in an effort to attract more users to Google+, the company has now abandoned its real-name policy — but has this change arrived too late to have an

  • A St. Louis juror’s use of Google to learn something about punitive damages during a trial, while qualifying as “knucklehead misconduct,” was not a sufficient basis for overturning the jury’s verdict, a judge has held.
  • A new report on the “sharing economy” indicates that peer-to-peer sites such as Airbnb that facilitate private accommodation rentals are

The latest issue of our Socially Aware newsletter is now available here.

Welcome to a special privacy issue of Socially Aware, focusing on recent privacy law developments relating to social media and the Internet. In this issue, we analyze a controversial European ruling that strengthens the right to be forgotten; we examine a

Google Glass (“Glass”) is the most high profile of the new wearable technologies that commentators predict will transform how we live and work.

Until now, the Android-powered glasses were only available in the U.S.  However, as of this week, Glass has been launched in the UK. Now, if you are 18 years old, have a UK credit card and address and a spare £1,000, you can purchase your own Glass and see what the fuss is all about.

Google has stated that it selected the UK for its second market because “[the UK] has a history of embracing technology, design and fashion and … there’s a resurgence happening in technology in the UK”.  But perhaps it is also because the UK’s data protection regulator, the Information Commissioner’s Office (ICO), has a reputation for being one of the more pragmatic privacy regulators in Europe. Because, for all its exciting technological benefits, Glass raises some thorny legal issues, in particular in relation to privacy.  In this alert we will address some of those key issues.

WHAT IS GOOGLE GLASS?

As many readers will already be aware, Glass is a form of wearable technology that gives its users hands-free access to a variety of smartphone features by attaching a highly compact head-mounted display system to a pair of specially designed eyeglass frames. The display system connects to a smartphone via Bluetooth. Glass can run specialised Android apps known as “Glassware”. In its current form, Glass can pull information from the web, take photographs, record videos, make and receive phone calls (via the Bluetooth smartphone connection), send messages via email or SMS, notify its user about messages and upcoming events, and provide navigation directions via GPS.  Although Glass is still in the testing stage and boasts only a modest set of features, the prototype device has already caused quite a stir. In particular, it has some triggered significant privacy concerns.

PRIVACY

In terms of privacy, Glass throws up a variety of issues. Due to its functionality, Glass is likely to process two types of data relating to individuals: (i) personal data and meta data relating to the wearer of the Glass (“Glass User”) and (ii) personal data and meta data relating to any member of the general public who may be photographed or recorded by the Glass User (“Public”).  In June 2013, a group of regulators and the Article 29 Working Party, wrote to Google inviting Google to enter into a dialogue over the privacy issues relating to Glass. The letter pointed out that the authorities have long emphasised the importance of privacy by design, but added that most of the authorities had not been approached by Google to discuss privacy issues in detail. In Google’s response it stated that protecting the security and privacy of users was one of its top priorities. Google also identified various steps that it has taken to address privacy concerns, including a ban on facial-recognition Glassware.

PERSONAL DATA OF GLASS USER

As with any smartphone, Google will collect personal data and other meta-data relating to each Glass User. Google will need to comply with its obligations under the UK’s Data Protection Act 1998 (DPA). A key element of such compliance will be putting in place an appropriate privacy policy for Glass Users. However, to date, Google has encountered some difficulties in this regard.

Indeed, in July 2013, the ICO wrote to Google confirming that Google’s updated privacy policy raised serious questions about its compliance with the DPA. In particular, the ICO believed that the updated policy did not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products. It stated that Google must amend its privacy policy, and failure to take necessary action would leave the company open to the possibility of formal enforcement action.

Google has argued consistently that its privacy policy complies with EU data protection law. To date, no formal action has been taken by the UK, although Google has faced action elsewhere in Europe (e.g. in Spain).


Continue Reading Google Glass Into Europe – A Small Step or a Giant Leap?

Earlier this year, the French consumer association UFC-Que Choisir initiated proceedings before the Paris District Court against Google Inc., Facebook Inc. and Twitter Inc., accusing these companies of using confusing and unlawful online privacy policies and terms of use agreements in the French versions of their social media platforms; in particular, the consumer association argued that these online policies and agreements provide the companies with too much leeway to collect and share user data.

In a press release published (in French) on its website, UFC-Que Choisir explains that the three Internet companies ignored a letter that the group had delivered to them in June 2013, containing recommendations on how to modify their online policies and agreements. The group sought to press the companies to modify their practices as part of a consumer campaign entitled “Je garde la main sur mes données” (or, in English, “I keep my hand on my data”).

According to the press release, the companies’ refusal to address UFC-Que Choisir’s concerns prompted it to initiate court proceedings. The group has requested that the court suppress or modify a “myriad of contentious clauses,” and alleged that one company had included 180 such “contentious clauses” in its user agreement.

The group has also invited French consumers to sign a petition calling for rapid adoption of the EU Data Protection Reform that will replace the current Directive on data protection with a Regulation with direct effects on the 28 EU Member States. UFC-Que Choisir published two possibly NSFW videos depicting a man and a woman being stripped bare while posting to their Google Plus, Facebook and Twitter accounts. A message associated with each video states: “Sur les réseaux sociaux, vous êtes vite à poil” (or, in English, “On social networks, you will be quickly stripped bare”).
Continue Reading French Consumer Association Takes on Internet Giants

The European Court of Justice (ECJ) issued a quite surprising decision against Google which has significant implications for global companies.

On May 13, 2014 the ECJ issued a ruling which did not follow the rationale or the conclusions of its Advocate General, but instead sided with the Spanish data protection authority (DPA) and found that:

  • Individuals have a right to request from the search engine provider that content that was legitimately published on websites should not be searchable by name if the personal information published is inadequate, irrelevant or no longer relevant;
  • Google’s search function resulted in Google acting as a data controller within the meaning of the Data Protection Directive 95/46, despite the fact that Google did not control the data appearing on webpages of third party publishers;
  • Spanish law applied because Google Inc. processed data that was closely related to Google Spain’s selling of advertising space, even where Google Spain did not process any of the data. In doing so, it derogated from earlier decisions, arguing the services were targeted at the Spanish market, and such broad application was required for the effectiveness of the Directive.

The ruling will have significant implications for search engines, social media operators and businesses with operations in Europe generally. While the much debated “right to be forgotten” is strengthened, the decision may open the floodgates for people living in the 28 countries in the EU to demand that Google and other search engine operators remove links from search results. The problem is that the ECJ mentions a broad range of data that may be erased. Not only should incorrect or unlawful data be erased, but also all those data which are “inadequate, irrelevant, or no longer relevant”, as well as those which are “excessive or not kept up to date” in relation to the purposes for which they were processed. It is left to the companies to decide when data falls into these categories.

In that context, the ruling will likely create new costs for companies and possibly thousands of individual complaints. What is more, companies operating search engines for users in the EU will have the difficult task of assessing each complaint they process and whether the rights of the individuals prevail over the rights of the public. Internet search engines with operations in the EU will have to handle requests from individuals who want the deletion of search results that link to pages containing their personal data.

That said, the scope of the ruling is limited to name searches. While search engines will have to de-activate the name search, the data can still be available in relation to other keyword searches. The ECJ did not impose new requirements relating to the content of webpages, in an effort to maintain the freedom of expression, and more particularly, press freedom. But this will still result in a great deal of information legally published to be available only to a limited audience.

Below we set out the facts of the case and the most significant implications of the decision, and address its possible consequences on all companies operating search engines.
Continue Reading European Court of Justice Strengthens Right to Be Forgotten