Mobile

On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) jointly issued the Announcement on the Implementation of App Security Certification (the “Announcement”), creating a voluntary (but state-sanctioned) security certification scheme for mobile applications (“Security Certification Scheme”).

Operators of mobile applications are encouraged to obtain this certification to demonstrate their compliance with China’s national standard, GB/T 35273 Information Security Technology — Personal Information Security Specification (“the Standard”), in terms of their collection and use of personal data (our previous blogpost about the Standard can be found here).  Search engines and mobile application stores are encouraged to recommend certified applications to users.

The Implementation Rules on Security Certification of Mobile Internet Application (“Implementing Rules”), which set out detailed procedural requirements for the Security Certification Scheme, were also released at the same time as an annex to the Announcement.

Although the scheme is not mandatory, its creation as the state-sanctioned certification scheme for personal information protection illustrates the Chinese regulators’ willingness to use soft tools to encourage best practices in the marketplace.
Continue Reading China Introduces Mobile Application Security Certification Scheme

On February 28, 2018, the Federal Trade Commission (“FTC”) issued a report discussing security updates for mobile devices.  The report stems from information the FTC collected from eight mobile device manufacturers — Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung — and from information the Federal Communications Commission (“FCC”) collected from mobile carriers in May 2016. 
Continue Reading FTC Issues Report on Mobile Device Security Updates

In a speech delivered at the United States Naval Academy on October 10, Deputy Attorney General Rod Rosenstein waded into the public debate between data privacy and law enforcement interests.  As part of a discussion moderated by former Covington cybersecurity attorney Jeff Kosseff, Rosenstein’s remarks discussed cyber issues facing law enforcement with a particular focus on the advent of “warrant-proof” encryption.  In his view, warrant-proof encrypted data and devices cannot be intercepted or unlocked by law enforcement, even with a court order.

Noting that “[p]rivate sector entities are crucial partners” in the fight against cyber threats, Rosenstein expressed concerns about the role played by tech companies in advancing warrant-proof encryption.  While recognizing the need to balance important privacy interests against law enforcement priorities, Rosenstein argued that “[w]arrant-proof encryption defeats the constitutional balance by elevating privacy above public safety.”  He emphasized the threat posed to public safety when technology developers deprive law enforcement of “crucial investigative tools.”  Rosenstein advocated for “responsible encryption,” recognizing that this approach would not be one-size-fits-all and that solutions would likely look different depending on the company and technology at issue. 
Continue Reading Deputy Attorney General Rod Rosenstein Warns Against Warrant-Proof Encryption

The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.

This first salvo of GDPR-focused guidance concerns:

  1. the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
  2. the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
  3. the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).

Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017.  Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.
Continue Reading New EU GDPR Guidance: Data Portability, Data Protection Officers, and the One Stop Shop

The Digital Advertising Alliance (DAA), a consortium of the nation’s largest media and marketing associations that has established self-regulatory standards for online behavioral advertising, announced on October 13 that the Council of Better Business Bureaus and the Direct Marketing Association will begin enforcement of the Application of the DAA Principles of Transparency and Control to

On September 16, 2016, the Federal Trade Commission (“FTC”) hosted a workshop on the factors that may contribute to the effect disclosures have on consumer behavior. The workshop, “Putting Disclosures to the Test,” included speakers from a wide range of disciplines and industries, who remarked on aspects of disclosure such as consumer cognition, recognition, and comprehension, methodologies for measuring disclosure effectiveness, the impact of disclosures on consumer decision-making, and disclosure design.

In her introductory remarks, Lorrie Cranor, Chief Technologist at the FTC, espoused the benefits that studying research in other areas brings to privacy disclosures. Edith Ramirez, Chairwoman of the FTC, then opened the workshop with remarks on issues that are important to the FTC. The FTC’s primary task, she stated, is to ensure consumers have access to truthful and accurate information, to enable them to make decisions in the marketplace. The agency’s focus, with respect to disclosure of information, is on the effect of disclosure on consumer welfare. It considers some disclosures necessary to prevent deception in advertising, or to communicate the risks of products, or choices consumers may have. With respect to privacy, the FTC encourages companies to disclose their data practices, so consumers have greater control over how their data is used. It requires disclosures to be clear and conspicuous, so consumers can understand them and make informed decisions.
Continue Reading FTC Hosts “Putting Disclosures to the Test” Workshop

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1)

Last week, the Federal Communications Commission (FCC) released the text of its long-awaited order addressing certain aspects of the Telephone Consumer Protection Act (TCPA) and related FCC rules.  The order addressed a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.

Although the order purports only to “clarify” existing FCC precedent, there is widespread debate over whether the order imposed new requirements on entities that transmit automated calls and text messages.  The order already has been appealed by one party and other appeals are expected.  Nevertheless, because the FCC claims the order only clarifies existing precedent, its provisions became effective when the order was released on July 10, 2015.

The order focuses on ten key areas, which are summarized after the jump.
Continue Reading Ten Key Takeaways From Last Week’s TCPA Order

On June 1, the Northern District of California dismissed a putative TCPA class action against AOL, finding that the plaintiff had failed to allege that AOL utilized an automated telephone dialing system (ATDS), as required to state a cause of action under the TCPA.  In dismissing the plaintiff’s complaint in Derby v. AOL, the court rejected the plaintiff’s arguments that AOL Instant Messenger (AIM), which allows individuals to send instant messages as text messages to cell phones, constitutes an ATDS.  Instead, the court agreed with AOL’s argument that AIM relied on “human intervention” to send the messages at issue, which foreclosed the possibility of potential TCPA liability.  (Covington represented AOL in this case.)  The decision should be beneficial to a variety of services that enable their users to send text messages to cell phones.
Continue Reading Court Dismisses Text-Message TCPA Suit Against AOL, Finding Instant Messaging Service Does Not Constitute an ATDS

The Digital Advertising Alliance (DAA), a consortium of the nation’s largest media and marketing associations that has established self-regulatory standards for online behavioral advertising, announced on May 7 that the Council of Better Business Bureaus and the Direct Marketing Association will begin enforcement of the Application of Self-Regulatory Principles to the Mobile Environment (DAA Mobile