Two sets of regulations aimed at readying UK data protection law for a post-Brexit world have been promulgated in recent weeks. These regulations, which were made pursuant to the EU (Withdrawal) Act 2018 (EUWA), will only come into force in most respects upon the UK’s withdrawal from the EU. Broadly speaking, these regulations are intended to preserve the status quo post-Brexit by (1) amending certain provisions of the GDPR to allow it to be retained as UK domestic law and (2) transitionally adopting certain key decisions of the EU institutions that, collectively, would allow for the continued lawfulness of personal data flows out of the United Kingdom where currently permitted under EU law. In both regards, these regulations are consistent with prior guidance from the UK Information Commissioner’s Office (discussed here). Continue Reading
EU Advocate General Issues Opinion on Consent for Cookies and Intersection with the GDPR
On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU). The case centers on the use of consent for the processing of personal data and consent for the use of cookies.
Planet49 GmbH offered an online lottery service for which interested users had to register. The registration form asked users to tick a box allowing Planet49 GmbH to share their data with commercial partners. Ticking this box was mandatory to participate in the lottery. A second pre-ticked box allowed users to opt-out from the use of cookies (by unticking the box). If they chose to opt-out, they could still participate in the lottery.
In the Advocate General’s view, the pre-ticked box for cookies does not provide a valid active consent under the GDPR nor under the ePrivacy Directive. Moreover, he considers that the ePrivacy Directive’s consent requirement for cookies applies irrespective of whether the collected data qualify as personal data. Furthermore, the consent here is not “separate” because, unless users uncheck the cookie box, they grant consent for cookies merely by clicking the “participate” button. This argument is reinforced by the fact that users are apparently not informed of the option to uncheck that box. According to the Advocate General, the cookie consent is presented as an ancillary consent that users have to go through if they wish to participate, when in fact the two separate consents – for cookies and for participation to the lottery – should be presented on an equal footing. The Advocate General concludes that the German “Telemediengesetz” does not appear to accurately transpose the ePrivacy Directive by allowing the use of pseudonymized cookie data for advertising purposes on the basis of an opt-out rather than an opt-in consent.
In respect of the data-sharing tick box, the Advocate General accepts – despite some doubts about the way it is presented – that the consent is an opt-in consent, given that it is not pre-ticked. Importantly, however, he accepts that users can be forced to provide their consent in order to participate in the lottery. Since the underlying purpose of the lottery is to sell personal data to commercial partners, consent is necessary for participation in the lottery (para 99). In other words, this is not a prohibited bundling of consent per Art. 7(4) of the GDPR. The collection and use of data in exchange for a (free) service can thus be based on a mandatory consent. (Note that the referring court did not ask questions about this data-sharing tick box, so the CJEU does not have to address this point in its final decision.) This begs the question: why can’t the use of cookies for a commercial purpose also be “necessary” for the provision of a service? If that were the case, no consent would be required and the validity of the cookie tick box becomes irrelevant. And even if consent were required, why could the cookie consent not also be bundled with the participation in the lottery, if the cookies serve a similarly essential commercial purpose?
Finally, the Advocate General explains that users must receive clear information about the use of cookies. This means that the information must indicate the life span of each cookie and identify all third parties that have access to the cookies.
Supreme Court Remands Google Privacy Settlement on Standing Grounds
The U.S. Supreme Court issued a per curiam opinion today vacating a Ninth Circuit judgment in Frank v. Gaos. The decision remands the privacy class action settlement claims involving Google for further proceedings consistent with the Court’s Article III standing ruling in Spokeo, Inc. v. Robins.
German Supervisory Authority (re-)issues guidance on data processing in the employment context
The Supervisory Authority of Baden-Württemberg (“SA”), Germany, has published a new version of its guidance document on data protection issues in the employment context on March 12, 2019 (available here in German).
The guidance document specifically addresses issues such as the use of e-mail and IT systems by employees, urine drug tests, personal data collected during job interviews, pre-employment background checks, the retention of data on rejected applicants, the provision of information on job applicants to authorities, the use of tracking systems and video surveillance, and the transfer of employee data to other group companies.
The SA noted that, prior to the GDPR, data protection law was often “unknown” or seen as only consisting of non-binding recommendations and added that “this unfortunately common misconception will – hopefully – disappear now due to the potentially heavy fines that may be imposed [under the GDPR]“.
National laws continue to play a significant role in the employment context post-GDPR. Germany used the opening clause in Art. 88 GDPR to essentially ensure that the status quo pre-GDPR remains unchanged. The key provision is sec. 26 of the new Data Protection Act (BDSG), but the relevant rules are dispersed over various laws. Together, the rules continue to be both vague and fragmented. An attempt to codify more detailed data privacy rules in the employment context failed in 2013 due to disagreements between employer and employee associations.
In Germany, in particular, works council agreements are a permissible legal basis for the processing of employee personal data provided they comply with Art. 88 GDPR. The SA estimates that most collective agreements signed prior to the entry into application of the GDPR must be brought into compliance with the requirements of the GDPR, such as with the novel requirements on transparency.
China Introduces Mobile Application Security Certification Scheme
On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) jointly issued the Announcement on the Implementation of App Security Certification (the “Announcement”), creating a voluntary (but state-sanctioned) security certification scheme for mobile applications (“Security Certification Scheme”).
Operators of mobile applications are encouraged to obtain this certification to demonstrate their compliance with China’s national standard, GB/T 35273 Information Security Technology — Personal Information Security Specification (“the Standard”), in terms of their collection and use of personal data (our previous blogpost about the Standard can be found here). Search engines and mobile application stores are encouraged to recommend certified applications to users.
The Implementation Rules on Security Certification of Mobile Internet Application (“Implementing Rules”), which set out detailed procedural requirements for the Security Certification Scheme, were also released at the same time as an annex to the Announcement.
Although not mandatory, as the state-sanctioned certification scheme for personal information protection, the creation of this program illustrates the Chinese regulators’ willingness to use soft tools to encourage best practices in the marketplace. Continue Reading
European Parliament Approves EU Cybersecurity Act
Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here).
In addition to reinforcing the mandate of ENISA — now to be known as the EU Agency for Cybersecurity — the new regulation establishes an EU cybersecurity certification framework. This framework is intended to increase the transparency of the cybersecurity assurance of ICT products, services and processes, and thereby improve trust and help end users make informed choices. Another key reason for the framework is to avoid the multiplication of conflicting or overlapping national certifications and thus reduce costs.
Under the regulation, the Commission is empowered to adopt European cybersecurity certification schemes, prepared by ENISA, concerning specific groups of ICT products, services and processes. The schemes could cover, for example, ICT products, services and processes that are used in cars, airplanes, power plants, medical devices, as well as Internet-connected consumer devices.
Among many other details, each certification scheme will set out the subject matter and scope of the scheme, including the type or categories of ICT products, services and processes covered; a clear description of the purpose of the scheme; references to the international, European or national standards applied in the evaluation or other technical specifications; information on assurance levels (explained in more detail below); and an indication of whether conformity self-assessment is permitted under the scheme (also explained in more detail below). Continue Reading
Senate Reintroduces IoT Cybersecurity Improvement Act
On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
Dutch Supervisory Authority Prohibits “Cookie Walls” under GDPR
On March 7, 2019, the Dutch Supervisory Authority for data protection issued guidance prohibiting the use of “cookie walls” on websites. Cookie walls require website users to consent to the placing of tracking cookies or similar technologies before allowing them access to the website. According to the regulator, it received many complaints about this practice.
The regulator explains that this practice is not compliant with the GDPR. The (required) consent obtained in this way is not a freely given, because withholding consent has negative consequences for the user (i.e., the user is barred from accessing the website). Instead, websites should offer users a real choice to accept or reject cookies. User who decide not to consent to the placing of tracking cookies should still be granted access to the website, for example, against the payment.
The Supervisory Authority addressed a letter to the companies about whom it received the most complaints. The authority also announced that it will carry out further verifications to ensure that the GDPR is correctly applied in this area.
The guidance of the Dutch authority is in line with an earlier decision of the Austrian Supervisory Authority discussed here.
Florida Legislature Proposes State Biometric Information Privacy Act
The regular session of the Florida Legislature began on March 5, 2019. Over the course of the 60 day session, the Legislature will consider a number of bills on a variety of topics. Among the measures that will be considered are two bills that address biometric information privacy: one from House Representative Bobby DuBose (D) (HB1153) and one from Senator Gary Farmer, Jr. (D) (SB 1270).
FTC Proposes to Add Detailed Cybersecurity Requirements to the GLBA Safeguards Rule
On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”). Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.
In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.” Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.
Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements
The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction. The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program. As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.
The FTC’s proposed revisions would add substantially more detail to these requirements. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.” The new requirements are primarily based on the cybersecurity regulations issued by New York Department of Financial Services (“NYSDFS”), and the insurance data security model law issued by the National Association of Insurance Commissioners. Continue Reading
