New Draft ePrivacy Regulation Released

The Council of EU Member States – one of the two main EU lawmaking bodies – recently released a new draft version of the ePrivacy Regulation (“EPR”).  Negotiations on the regulation have been deadlocked for a while, but seem to be gathering new momentum under the Finnish Presidency.  Below we highlight some selected topics that may be of interest to readers.

  • Users will have to be reminded (probably every 12 months) of their right to withdraw their consent to the processing of electronic communications content or metadata, unless users request not to receive these reminders. This does not apply to consent for cookies or direct marketing by e-mail or SMS.
  • Member States continue to reserve the right to implement data retention obligations, for example, for law enforcement purposes. This remains a controversial topic in light of past and pending CJEU case law.
  • The consent requirements for cookies do not materially change, although the derogations are more clearly defined; they now include audience measurement and software updates, among others, under certain conditions. The draft makes clear that the consent must be consent within the meaning of the GDPR, which is in line with the recent CJEU Planet49 decision, but the draft also explicitly indicates that consent can be obtained through “appropriate” technical settings of software.
  • Recital 21 addresses the issue of cookie walls (i.e., making access to a service conditional on consent to cookies used for advertising purposes). The current draft suggests that this is indeed possible and that the required consent (users must “accept such use”) should not be considered an invalid (tied) consent under Art. 7(4) GDPR when the processing for advertising is “necessary” for the performance of the service.  In other words, the acceptance is treated as freely given.  However, the tortured language of the recital demonstrates its political sensitivity – e.g., the recital refers to “accept”, not “consent”.
  • Direct marketing by e-mail or SMS for own products and services to existing customers would still be based on legitimate interest with a right to opt-out. However, Member States could set an expiration time on this, following which the relevant party would presumably have to seek an opt-in consent if it wants to continue sending advertising.  This risks creating a patchwork of un-harmonized marketing rules across the EU, despite having an EU-wide regulation.
  • Electronic communications metadata can be used for scientific research, without consent, under certain conditions. Interestingly, under the most recent version of the EPR, these conditions no longer require that the research be based on Union or Member State law (a contrario Art. 9(2)(j) GDPR).  This is a welcome change, given that such laws do not exist in most cases.

U.S. and U.K. Sign CLOUD Act Agreement

On October 3, 2019, the United States and United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party. The Agreement will go into effect 180 days after its transmission to Congress by the Attorney General, unless Congress disapproves by joint resolution.


CJEU Issues Decision on Consent for Cookies and Intersection with the GDPR

On September 10, 2019, the Court of Justice of the European Union (“CJEU”) issued its decision in the Planet49 case.  The case centers on the consent requirements for the use of cookies.

Planet49 GmbH offered an online lottery service for which interested users had to register.  The registration form asked users to tick a box allowing Planet49 GmbH to share their data with commercial partners.  Ticking this box was mandatory to participate in the lottery.  A second, pre-ticked box allowed users to opt out of the use of cookies (by unticking the box).  If they chose to opt out, they could still participate in the lottery. Users were asked to click on the button “participate” in order to submit their registration form.

The CJEU decision focuses on the second pre-ticked box used to obtain consent for cookies and, in particular, on whether it met the requirements for unambiguous and specific consent.

The CJEU decided that consent obtained using a pre-ticked box is not valid because it does not meet the requirement for an affirmative consent imposed by the ePrivacy Directive, the Data Protection Directive and, now, the GDPR. According to the CJEU, the use of a pre-ticked box makes it “practically impossible to clarify in an objective manner whether the user of a website has actually given his consent to the processing of his personal data (…),” and “[i]t cannot be ruled out that the user may not have read the information attached to the checkbox or that he may not have noticed this box before continuing his activity on the website he visited” (Para. 55).

On the specificity of the consent, the CJEU decided that the consent could not be obtained by actively clicking on the “participate” button, since from that action one cannot “assume that the user has given his effective consent to the storage of cookies” (Para. 59).  This suggests that the CJEU would also consider implied consents (such as consents derived from a continued use of the service) to be unacceptable.

The CJEU expressly declined to decide on the “freely given” nature of the consent since this was not included in the questions submitted by the German Federal Court of Justice.

The CJEU was also asked to decide on whether the requirement to obtain consent for cookies applied only if these cookies were used to collect personal data.  In this regard, the CJEU clarified that the requirement under the ePrivacy Directive to obtain consent applies “to ‘the storage of information’ and ‘access to information already stored’ without specifying that information or specifying that it must be personal data”. However, the CJEU noted that in the case at hand, the collected data was personal data because the cookies stored in the terminal equipment of a user assigned a number to each user which was linked to the registration data.

Finally, the court decided that, as part of the “comprehensive information” that must be provided to users, such users must be informed of the duration of the cookies and about whether third parties can access them. The court did not say that all the third parties must be individually identified.
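As an added illustration (not part of the original post, and not Planet49’s own code), the following JavaScript models the court’s findings as checks a site can run before it sets non-essential cookies: the consent must come from an affirmative act on the cookie control itself rather than from the form’s “participate” button or a pre-ticked box, the user must have been shown each cookie’s duration and whether third parties can read it, and the Max-Age actually written must match the disclosed duration. The function and field names, and the sample cookie catalogue, are hypothetical and constructed for this example.

```javascript
// Added example: a cookie-consent gate encoding the Planet49 findings.
// Not code from the original post; all names below are hypothetical.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample catalogue: the cookies the site wants to set. Strictly
// necessary cookies need no consent; the rest need consent covering their purpose.
const COOKIE_CATALOGUE = [
  { name: "session", purpose: "essential", maxAgeDays: 1, thirdPartyAccess: false },
  { name: "lottery_uid", purpose: "advertising", maxAgeDays: 365, thirdPartyAccess: true },
  { name: "ab_variant", purpose: "analytics", maxAgeDays: 30, thirdPartyAccess: false },
];

// The "comprehensive information" the court required: the duration of each
// non-essential cookie and whether third parties can access it.
function cookieDisclosure(catalogue) {
  return catalogue
    .filter((c) => c.purpose !== "essential")
    .map(
      (c) =>
        `${c.name} (${c.purpose}): stored for ${c.maxAgeDays} days; ` +
        `${c.thirdPartyAccess ? "accessible to third parties" : "first party only"}`
    );
}

// A consent event as the front end reports it (hypothetical shape):
//   source          control that produced it: "cookie-checkbox" or "participate-button"
//   defaultChecked  whether the box was rendered pre-ticked
//   checked         state of the box when the form was submitted
//   userToggled     whether the user personally changed the box
//   disclosureShown whether cookieDisclosure() text was shown beside the box
//   purposes        purposes the box covered
function evaluateConsent(event, now = Date.now()) {
  // Para. 59: clicking "participate" says nothing about consent to cookies.
  if (event.source !== "cookie-checkbox") {
    return { valid: false, reason: "action was not specific to the cookie control" };
  }
  // Para. 55: a pre-ticked box cannot evidence an affirmative act.
  if (event.defaultChecked) {
    return { valid: false, reason: "box was pre-ticked" };
  }
  if (!event.userToggled || !event.checked) {
    return { valid: false, reason: "user did not actively tick the box" };
  }
  if (!event.disclosureShown) {
    return { valid: false, reason: "duration and third-party access were not disclosed" };
  }
  return {
    valid: true,
    record: { givenAt: now, purposes: [...event.purposes], withdrawnAt: null },
  };
}

// Names of the cookies that may be set now, given a consent record (null if none).
function cookiesAllowed(record, catalogue) {
  return catalogue
    .filter((c) => {
      if (c.purpose === "essential") return true;
      if (!record || record.withdrawnAt !== null) return false;
      return record.purposes.includes(c.purpose);
    })
    .map((c) => c.name);
}

// Set-Cookie header whose Max-Age is derived from the same catalogue entry the
// disclosure was built from, so the stated and actual lifetimes cannot drift apart.
function setCookieHeader(cookie, value) {
  const maxAgeSeconds = cookie.maxAgeDays * (DAY_MS / 1000);
  return `${cookie.name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Constructed re-creation of the flow the court rejected and of a compliant one.
const planet49Flow = {
  source: "participate-button", defaultChecked: true, checked: true,
  userToggled: false, disclosureShown: true, purposes: ["advertising"],
};
const compliantFlow = {
  source: "cookie-checkbox", defaultChecked: false, checked: true,
  userToggled: true, disclosureShown: true, purposes: ["advertising"],
};

console.log(evaluateConsent(planet49Flow).reason);
console.log(cookiesAllowed(evaluateConsent(compliantFlow).record, COOKIE_CATALOGUE));
console.log(cookieDisclosure(COOKIE_CATALOGUE).join("\n"));
```

The gate is deliberately purpose-scoped: a consent covering “advertising” does not unlock the analytics cookie, and a record with `withdrawnAt` set behaves like no consent at all, which is the state the site must be able to return to once the user withdraws.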

European Parliamentary Research Service issues a briefing paper on implementing EU’s ethical guidelines on AI

On 19 September 2019, the European Parliamentary Research Service (“EPRS”)—the European Parliament’s in-house research service—released a briefing paper that summarizes the current status of the EU’s approach to developing a regulatory framework for ethical AI.  Although not a policymaking body, the EPRS can provide useful insights into the direction of EU policy on an issue.  The paper summarizes recent calls in the EU for adopting legally binding instruments to regulate AI, in particular to set common rules on AI transparency, set common requirements for fundamental rights impact assessments, and provide an adequate legal framework for facial recognition technology.

The briefing paper follows publication of the European Commission’s high-level expert group’s Ethics Guidelines for Trustworthy Artificial Intelligence (the “Guidelines”), and the announcement by incoming Commission President Ursula von der Leyen that she will put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within her first 100 days in office.


GDPR’s right to be forgotten limited to EU websites

On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here).  The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search results displayed on all the search engine’s versions.  According to the court, it suffices for search results to be deleted from the search engine’s EU versions (i.e., EU domain name extensions, such as .eu, .fr or .de).  For more information on the Advocate General’s opinion, see our prior blog post here.


Italian Supervisory Authority approves Code of Conduct under the GDPR

On September 12, 2019, the Italian Supervisory Authority (“Garante”) approved a code of conduct for consumer credit agencies (the “Code”), pursuant to Art. 40 GDPR (see here in Italian).

The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the Garante in accordance with the GDPR procedures. The Code was submitted for approval by the Italian associations AISREC, CTC and ASSILEA on March 19, 2019, after a consultation with representatives of the relevant data subjects and the sector.

The Code regulates the processing of personal data of individuals located in Italy. It can be adhered to by entities located in Italy that professionally manage credit information systems (e.g., banks, financial intermediaries and other entities offering credit services).

The Code’s structure follows the requirements of Art. 40(2) of the GDPR.  The Code establishes a monitoring body composed of three members: a representative of the Italian National Consumer and User Council, a person designated unanimously by the entities adhering to the Code, and a person appointed by the two other members, who will also serve as president.

The Code provides that the legal basis for processing the personal data contained in credit information systems for credit scoring purposes is the legitimate interest of the credit agencies, hence it is not necessary to obtain consent.  Nevertheless, data subjects must receive a complete and clear information notice – Annex 3 of the Code contains a template notice.  The Code itself does not serve as a legal basis for international transfers.

The Code’s approval is made conditional on the accreditation of the monitoring body by the Garante which, according to the Garante, is not yet possible because of the lack of uniform criteria for accreditation at EU level. Pending the accreditation, Code members shall “carry out the processing operations of personal data in compliance with the rules and principles governed by it as well as any other applicable legislation”.

NIST Releases Preliminary Draft of Privacy Framework

The U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) has now released the preliminary draft of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.”  NIST is seeking comments on the preliminary draft of the Privacy Framework and plans to use these comments to develop version 1.0 of the Privacy Framework.  Comments are due by 5:00 p.m. ET on October 24, 2019.


California Legislature Passes CCPA Amendments and Privacy Bills

Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”).  This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020.  California Governor Gavin Newsom has until October 13 to sign the bills into law.  Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this Fall.

  • Exemption for employees and job applicants: AB 25 (Chau) generally exempts from the CCPA—for one year—personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries.  However, employers must provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used.  Employers may be liable if certain types of unredacted or unencrypted personal information are breached due to unreasonable data security.
  • Exemption for business customers and other technical corrections: AB 1355 (Chau) exempts from the CCPA—also for one year—personal information reflecting a communication or transaction with a natural person who is acting as an employee, owner, director, officer or contractor of another company or legal entity in most circumstances.  This language generally creates an exemption for personal information about business customers.  The bill clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted.  The bill also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
  • Definitions of “personal information” and “publicly available information:” AB 874 (Irwin) includes several helpful clarifications with respect to the scope of “personal information” regulated under the statute.  Previously, “personal information” was defined to include all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household.  Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available.  Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
  • Required methods for receiving consumer requests: The CCPA provides that a covered business is required to make available to consumers two or more reasonably accessible methods for submitting requests under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address.  AB 1564 (Berman) would amend this requirement to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the customer from whom it collects personal information needs to provide only an email address.  If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests.  Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit a request through the account.
  • Exemption for vehicle warranty/recall purposes: AB 1146 (Berman) exempts, from the CCPA’s right to opt out and right to delete, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purposes of vehicle repair covered by a warranty or recall.
