On 10 January 2018, the European Court of Human Rights (ECtHR) ruled that the Republic of Azerbaijan violated Articles 8 and 10 of the European Convention on Human Rights (ECHR) by failing to adequately investigate claims by an Azerbaijani journalist that she had been the victim of political blackmail. The ECtHR’s ruling follows upon reports of rising concern in the Council of Europe about government mistreatment of journalists across Europe, and in Azerbaijan in particular. Continue Reading
On January 10, 2019, Advocate General Szpunar of the Court of Justice of the European Union (CJEU) released his opinion regarding a 2016 enforcement action carried out by the French Supervisory Authority (CNIL) against Google. In that case, the CNIL ordered Google to de-reference links to webpages containing personal data. According to the CNIL, the de-referencing had to be effective worldwide. Google challenged the CNIL’s decision before the French administrative court, which then referred this matter to the CJEU.
In his opinion, Advocate General Szpunar disagrees with the CNIL’s view on a worldwide application of the “right to be forgotten.” According to Szpunar, the EU Charter’s right to data protection must be balanced against other Charter rights, such as the right of access to information. These rights must be applied with a territorial link to the EU, and cannot be broadly interpreted to apply across the whole world. To that end, Spuznar emphasizes that EU regulators cannot reasonably be expected to make this balancing test for the entire world. Moreover, a worldwide application of the de-referencing obligation would send a “fatal signal” to third countries eager to limit access to information. It could lead to a race to the bottom at the expense of freedom of information in the EU and worldwide. This does not mean that EU data protection law can never have an extra-territorial dimension, but not in this case.
While a worldwide obligation to de-reference is not desirable, Szpunar does believe that Google should be required to make every effort to de-reference the relevant links across the EU (and not just in France). This includes by means of “geo-blocking”, irrespective of the search engine domain used – i.e., a user of Google.com, Google.fr or Google.de should not see the relevant links if it can be established that the user is in the EU (for example, on the basis of the user’s IP address).
The opinion of the Advocate General will now be considered by the CJEU, who is expected to render a decision in a couple of months. The CJEU often follows the general analysis of the Advocate General.
On December 29, 2018, the Northern District of Illinois dismissed a case brought against Google under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) on standing grounds. Plaintiffs, Lindabeth Rivera and Joseph Weiss, alleged that Google violated BIPA by failing to obtain informed consent from users prior to collecting, storing, and utilizing their biometric information to create “face-geometry scans” from photos uploaded on Google Photos.
Starting next week, the California Department of Justice will hold six public forums on how the state should implement its landmark privacy law, the California Consumer Privacy Act (“CCPA”). Although California enacted the CCPA in June 2018, the state is still in the process of implementing the new legislation, and the public forums “will provide an initial opportunity for the public to participate in the CCPA rulemaking process,” California Attorney General Xavier Becerra announced in a December 19 press release.
Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception. Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing data breach notification laws during 2018 to expand their scope and implement additional notification requirements. Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year. Continue Reading
On 30 November 2018, the Austrian Data Protection Authority (“DPA”) decided that the website of an online media publisher – which offers users the option to either consent to advertising cookies or pay for a subscription – gives users a free choice that is compatible with the requirements of consent under the GDPR. (The decision is available in German here.)
Background. The Austrian publisher in question set up a functionality on its website whereby users are given the option to either: (i) consent to advertising cookies and receive full access to website’s content; (ii) refuse consent and receive partial access to the website’s content; or, (iii) pay for a subscription to receive full access to the website’s content for 6 euros/ month and not be tracked by any advertising cookies, third-party scripts, or social media plug-ins (unless the user chooses to personally re-activate these features).
Complaint. The complainant argued that the website did not meet the requirements for voluntary consent under the GDPR because (i) the provision of the service was subject to the user’s consent to process personal data, and (ii) the tracking of personal data was technically not necessary for the provision of the service, since the publisher also offered a paid version with no tracking. The complainant further argued that his right to oppose the tracking had been violated since, even after refusing to give consent, a non-essential cookie still operated and could not be opted-out.
Austrian DPA’s Decision and Analysis. The Austrian DPA dismissed the complaint. In its decision, the DPA pointed out that media companies have relied on advertising as a source of revenue for decades, and in the context of online publishing this is often the only source of revenue. The DPA also took note of the fact that the publisher had developed a privacy-conscious product that offered a pay-for-subscription/ tracking-free option for users. Notably, the DPA stated that:
“The requirement of voluntary consent could not lead to media companies having to provide their services free of charge, especially since online advertising without data-based control would not allow refinancing in the current market environment.”
The DPA further explained that involuntary consent occurs when a data subject is placed at a disadvantage. Referring to the Article 29 Working Party’s Guidelines on Consent, the DPA considered the criteria for “disadvantage” in this context, which may exist when there is a risk of deception, intimidation, coercion or significant negative consequences. The DPA found that the subscription option for 6 euros/ month was not a disproportionately expensive alternative, and in any event, users are free to simply choose another online publisher. In the view of the DPA, neither of these possible outcomes constituted a “significant negative consequence.”
Finally, the DPA also addressed the complainant’s argument about the non-essential cookie script which continued to operate after consent was revoked. The DPA found this point was moot because the publisher had fixed this issue during the course of the DPA’s review of the case.
It has been a busy year for privacy and cybersecurity. Here is a look back at the highlights of 2018 and a preview of what 2019 may have in store in the United States, Europe, and China:
On December 12, 2018, Senator Brian Schatz (D-HI) led a group of fifteen Democratic senators in introducing the “Data Care Act of 2018,” which would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data. The bill would also provide the FTC with rulemaking authority and the ability to levy substantial civil penalties for noncompliance with its provisions.
This bill comes on the heels of Senator Ron Wyden’s release of a draft “Consumer Data Protection Act,” which also expanded FTC authority and created significant civil fines. (See analysis of Senator Wyden’s bill here, and related coverage on the Senate’s approach to data privacy here and here.) Several other privacy frameworks have already been introduced this year by both Democratic and Republican lawmakers, and additional bills may be introduced in 2019.
On December 11, 2018, the Vermont Office of the Attorney General published new guidance on the state’s data broker law (Act 171 of 2018), which imposes new data breach notification requirements on “data brokers” and takes effect on January 1, 2019. The new guidance clarifies the definitions of key statutory terms and the scope of the law’s various requirements.
Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document). The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States. The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.
In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU. Continue Reading