Sights on Online Search Advertising: FTC Finds Practices by 1-800 Contacts to Unlawfully Harm Competition and Restrict the Availability of Truthful Advertising to Consumers

By Rebecca Yergin on December 14, 2018 Posted in Federal Trade Commission

Last month in In the Matter of 1-800 Contacts, Inc., the Federal Trade Commission (“FTC”) provided insight into the circumstances under which retail price competition may take place in the 21st century internet economy. In the Opinion authored by Chairman Joseph J. Simons (“Commission’s Opinion”) the Commission decided that 1-800 Contacts, the country’s largest online retailer of contact lenses, unlawfully entered into anticompetitive agreements with 14 rival online sellers (“Agreements”). The Agreements, which, in most cases were trademark litigation settlements, required the parties, when bidding as part of search engine advertising auctions, to take measures ensuring their advertisements do not appear in response to searches for the other party’s trademark terms. According to the Commission’s Opinion, approved 3-1-1, the “decision will affect not only the price that consumers pay for some contact lenses but also the very manner in which substantial parts of price competition will occur throughout consumer markets today and tomorrow.” This week, 1-800 Contacts filed an application with the FTC for a partial stay pending review by the U.S. Court of Appeals.

The Agreements between 1-800 Contacts and Rival Retailers

By way of background, more than a decade ago, 1-800 Contacts began bringing trademark infringement actions against rival contact retailers, who were selling lenses at lower prices. The infringement claims were based on the retailers’ online advertisements appearing in response to consumers’ searches for “1-800 Contacts.” The Agreements, which resulted from the litigation, restricted the parties’ ability to bid on certain “keywords” in search engine auctions. “Keywords” are words or phrases that trigger the display of a party’s advertisements as “sponsored links” on a search engine when the words or phrases “match” a user’s search. As relevant here, the Agreements specifically prohibited each party from bidding on keywords that allegedly infringe upon the other party’s trademarks and additionally required the parties to employ “negative” keywords to prevent their advertisements from displaying whenever a search included the other party’s trademarks. Continue Reading

Standing Issues in Data Breach Litigation: An Overview

By Priscilla Fasoro and Lauren Wiseman on December 7, 2018 Posted in Data Breaches

As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case. While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation. More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018. As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance. Continue Reading

FTC Solicits Public Comment on Identity Theft Detection Rules

By Burr Eckstut on December 6, 2018 Posted in Cybersecurity, Data Privacy, Federal Trade Commission, Financial Institutions

On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top consumer complaints to the FTC, and has been an enforcement priority for the FTC’s Bureau of Consumer Protection.

German Courts Decide Whether an Infringement of the GDPR also Qualifies as Unfair-Competitive Behavior

By Kristof Van Quathem and Anna Oberschelp de Meneses on November 27, 2018 Posted in Data Privacy, EU Data Protection, European Union, Uncategorized

Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”). Since the entry into force of the GDPR, three German courts have been asked to decide whether an infringement of the GDPR can similarly serve as a basis for such claims. While the first two decisions were issued by courts of first instance, the third and most recent decision was decided by the High Court of Hamburg.

In a first decision of August 7, 2018 (available here), a company asked for injunctive relief against a competing company because the competing company’s website privacy policy failed to comply with the information requirements under Art. 13 GDPR. The court stressed in its decision that it is still disputed under German law, whether a violation of the GDPR can serve as a claim against a competitor under the UWG. The court refused to grant injunctive relief in that case on the grounds that the GDPR does not allow competitors to claim infringements of data protection law – only the data subjects and, under certain conditions, non-profit bodies can do this. The court concluded that “the EU legislature did not intend to extend [a similar] possibility to competitors of an infringer.”

The second decision of September 13, 2018 (available here) also relates to a claim for injunctive relief regarding a company’s website privacy policy that did not comply with Art. 13 of the GDPR. The court decided that this constituted a violation of “a [data protection] statutory provision that is also intended to regulate market conduct in the interests of market participants and [that] the infringement [of this data protection provision] is likely to significantly prejudice the interests of consumers, other market participants or competitors” – i.e., a violation of Art. 3a of the German Act Against Unfair Competition. On this basis, the court granted the injunctive relief.

Finally, in the most recent decision of October 25, 2018 (available here), the High Court of Hamburg was asked by a pharma company to grant injunctive relief against a competing pharma company because it erroneously relied on a provision of the old German Data Protection Act allowing for the processing of health data for health care and medical diagnosis. According to the court, that provision did not apply to the pharma company, which should have obtained the patients’ consent similar to its competitors. However, the court held that to determine whether an infringement of a data protection provision could serve as the ground for an anti-competition claim, the provision allegedly infringed must be assessed on a case-by-case basis looking at its “market behavior regulating character”. In this case, the norm that requires the company to obtain consent does not have a “market behavior regulating character” and therefore the claim was rejected.

The above judgments show that, at this moment, the question of whether a GDPR violation can serve as the basis for anti-competition claims remains unsettled in Germany. In an attempt to resolve this issue, the German Region of Bavaria proposed a bill before the German Federal Parliament in June 2018 (available here), which excludes data protection provisions from the scope of the UWG. If adopted, violations of data protection law could no longer serve as a basis to bring claims against competitors under the UWG.

European Data Protection Board Issues Draft Guidelines on Extra-Territorial Application of the GDPR

By Kristof Van Quathem and Nicholas Shepherd on November 26, 2018 Posted in Data Privacy, EU Data Protection, European Union, International

On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of the consultation period on January 18, 2019, the EDPB will issue a final version incorporating any changes or amendments made on the basis of comments received from stakeholders. Parties may submit comments to the EDPB by sending an email to: EDPB@edpb.europa.eu.

The Guidelines are divided into four sections. The first three give interpretive analysis on Articles 3(1), 3(2) and 3(3) of the GDPR, respectively. The final section provides additional clarification about the possible duty to appoint a representative within the EU for controllers and processors not established in the EU. The Guidelines analyze specific provisions of the GDPR, make reference to existing EU case law, and offer practical examples that illustrate how to apply the provisions of Article 3 in everyday situations.

With regards to Article (3)1, the EDPB examines the broad concept of an “establishment” under EU law, and specifically its application to personal data processing which may take place “in the context of the activities” of an establishment. The EDPB points to landmark cases such as Google Spain and Weltimmo to show how these concepts have been applied by EU courts. The EDPB also notes that this broad notion of an “establishment” is not unlimited and recommends a case-by-case analysis.

With regards to Article 3(2) – which is perhaps the most controversial of the GDPR, potentially triggering its extraterritorial application to parties with no EU establishment – the EDPB provides some helpful clarifications. The Guidelines emphasize the importance of considering (i) whether targeted data subjects are in the EU (regardless of nationality, residency or legal status), and (ii) whether the processing relates to offering them goods/services or monitoring them in the EU.

“Targeting” by offering goods and services. The EDPB emphasizes that a controller or processor with no establishment in the EU must show a clear intention of doing business with EU customers to be considered “targeting” individuals in the EU with goods or services. Again, this requires a case-by-case analysis involving a range of different factors (e.g., whether the EU or a specific Member State is mentioned on a website, whether search engines are paid to market to a specific EU country audience, or the use of EU-specific languages or currencies).

“Targeting” by monitoring behavior. A controller or processor is “targeting” individuals in the EU by monitoring their behavior if the monitored behavior (i) relates to an individual in the EU and (ii) takes place in the EU. Once again, the EDPB offers several criteria to consider when making this determination (e.g., behavioral advertising, geo-localization activities, online tracking using cookies, CCTV, and so forth) . However, the EDPB does not hold that all online collection or analysis of personal data of individuals in the EU counts as “monitoring”. Rather, it is necessary to consider the controller’s purpose in processing the data, and particularly any behavioral analysis or profiling techniques used.

Finally, in the last section of the Guidelines, the EDPB clarifies certain issues related to the appointment of a representative in the EU by non-EU controllers and processors subject to the GDPR. The Guidelines discuss, among other things, the need to have a contract in place with the representative, the fact that the role is incompatible with that of a Data Protection Officer (and thus the two should not be combined), and, furthermore, that the GDPR may be enforced against a non-EU controller by way of its EU representative.

Right to be forgotten controversially introduced into Maltese law

By Inside Privacy on November 26, 2018 Posted in Data Privacy

A recent press release from November 16, 2018 revealed that Malta’s Justice Minister introduced the right to be forgotten through a ministerial decree. Since 2013, 86 out of 131 judgments have either been anonymized or removed from the courts’ public database. The information came as a surprise to Malta’s legal community, as there had been no public announcement regarding the new right. The exact date the new right was introduced has not been confirmed.

Dutch Supervisory Authority Imposes GDPR Security Standard for Processing Broadly Defined Health Data

By Kristof Van Quathem on November 21, 2018 Posted in Data Security, EU Data Protection, European Union, Health Privacy

In early November, the Dutch Supervisory Authority released an injunction imposed against the public insurance body Uitvoeringsinstituut Werkgeversverzekering (“UWV”) last July.

The UWV allows employers to submit data about their employees for social security purposes. The data includes dates of employee absences due to general illness (and when an employee is pregnant or gave birth, including dates of associated absences and parental leave). While the actual illness is not disclosed, the Supervisory Authority held that the data must be qualified as health data because the mere fact that someone is ill is indicative of their health.

In addition, the Supervisory Authority holds that the UWV violated the security standard of the GDPR by only applying one-factor authentication (e-mail address and password) on its portal. According to the Authority, state-of-the-art security for a platform with this level of risk requires multi-factor authentication. The Authority relies on Dutch guidelines for public authorities offering digital services and the Dutch NEN-7510 security standard for the health sector.

The UWV was ordered to conduct a new privacy impact assessment by October 1, 2018, and to implement appropriate security by October 31, 2019, with a penalty of €150,000 for each month delay (with a maximum of €900,000). The long transition period for improving its security is explained by delays in the roll-out of a standardized authentication tool for public bodies.

Illinois Supreme Court to Decide Statutory Standing Requirements Under the Illinois Biometric Information Privacy Act

By Inside Privacy on November 21, 2018 Posted in Data Privacy

On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corporation et al., a case arising under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). BIPA provides a private right of action for persons “aggrieved by a violation of [the] Act.” The crux of the issue presented to the Illinois Supreme Court is the meaning of “aggrieved by” under BIPA–in other words, what harm is sufficient to satisfy statutory standing requirements underlying BIPA’s private right of action?

NTIA Publishes Stakeholder Comments on Consumer Privacy Proposal

By Inside Privacy on November 19, 2018 Posted in Data Privacy

Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation. Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform NTIA of what such a federal privacy bill should look like.