Header graphic for print

Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

Mobile apps – increasing privacy transparency is on top of your to-do list!

Posted in Behavioral Advertising, EU Data Protection, International Privacy, Mobile Privacy

Mobile apps: increasing privacy transparency is on top of your to-do list!

Patrick Van Eecke & Elisabeth Verbrugge

As previously announced, the Global Privacy Enforcement Network (GPEN) recently released the results of the global privacy sweep of mobile applications it conducted in May 2014.

More than 25 privacy commissions around the world examined a total of 1,211 mobile apps. The sweep targeted both Apple and Android apps, both free and paying apps, both public and private sector apps and covered a variety of different types of apps, ranging from games over health apps to banking apps. The privacy commissions’ reviews focused in particular on transparency and consent.

Key findings

GPEN’s key findings include the following:

  • Three quarters of the apps requested at least one permission from its users, usually relating to location, device ID, access to other accounts, camera and contacts;
  • Nearly one third of the apps appeared to request access to information which seemed irrelevant to the functionalities of the app;
  • In almost 60% of the cases, it was difficult to find any privacy related information before installing the app;
  • Over 40% of the apps’ privacy policies were not easily readable on small screens;
  • The majority of apps, 85%) fails to provide clear information on the collection, use and disclosure of personal data.
  • The report praises the use of pop-ups, layered information (putting important information up front with links embedded to more details) and just-in-time notification (informing the users of potential collections or uses of information when they are about to happen).

The most popular apps were among those that received the best ratings. This confirms the general conclusion of the sweep: clear, concise privacy language builds consumer trust and is good for business.

Top tips for your mobile apps

The Office of the Privacy Commissioner of Canada, which coordinated the sweep, released ten tips for communicating privacy practices to app users. They can be summarised in the following three commandments:

  • Be transparent

Privacy information should be specific, comprehensible and easily readable. In practice, this implies that rather than providing long legalistic privacy policies, specific notifications should be given at key decision points, e.g. the moment of purchase. Any information should be written in an understandable manner, taking into account the language and level of sophistication of your audience. Also, any information should be presented in a way that takes into account the mobile device context, including smaller screens.

  • Explain the data you are requesting and collecting

Secondly, sufficient information must be given to allow users to make an informed consent decision. Specific information should be given on how the app will use the permissions it seeks. Information should also cover data collected through social media logins such as Facebook, and the manner in which such externally collected data will be used. When asking permission, you should also make sure that you ask permission for all data usage envisaged: permission to access information does not as such imply permission to collect, use or disclose such information.

  • Make, and keep, privacy information accessible

Users should not be left guessing if and to which extent an app collects personal data. Even if your app does not collect any personal data, the user should be informed of this. You should also avoid users having to exit the app to access privacy information as this is an unnecessary and cumbersome extra step. It is indeed preferable to make privacy information available via integration with the app’s functions. When using pop-ups or similar mechanisms at key decision points, make sure you do not forget to include a functionality that allows users to re-visit the information after the pop-up is dismissed.

For more information, please contact patrick.van.eecke@dlapiper.com or elisabeth.verbrugge@dlapiper.com


Belgium: Gaming Commission calls for blacklisting of free gambling apps

Posted in Gambling & Gaming

Patrick Van Eecke and Antoon Dierick (DLA Piper, Brussels) discuss the Belgian Gaming Commission’s call for restricting the offering of free gambling apps.

By Patrick Van Eecke and Antoon Dierick

In today’s Belgian national media, the Belgian Gaming Commission has pleaded to restrict the offering of free gambling applications (“apps”) which allow persons to gamble for free on their mobile device. The Commission for example refers to free blackjack and poker games. According to the Gaming Commission, such free apps lower the bar for persons to participate in paying gambling services, which is deemed problematic in case the operator of the application does not verify the participant’s age. The Commission’s concerns thus seem primarily to be directed towards participation by minors. More specifically, the Commission asks for a blacklist to be adopted containing gambling apps, the offering of which is prohibited towards minors and to agree on the integration of age verification tools with the industry. The BGC thus seems to wish to repeat its already well-known blacklisting efforts, but applied this time to operators offering gambling apps (including several major app stores).

However, the call by the Gaming Commission is noteworthy, as Belgian regulations on games of chance (encompassing traditional casino and arcade games next to betting activities) only apply to games where participants need to make a stake in order to participate. In other words, free games of chance do not fall under the ambit of the Belgian Games of Chance Act. In case the user of the gambling app needs to pay for certain app upgrades, but does not have to make a stake to participate in the game itself, this game will likely not be qualified as a regulated game of chance.

In this sense, taking action against such applications seems to surpass the Commission’s regulatory competences as the Commission is competent only for regulating games of chance falling under the Games of Chance Act. This is probably also why the Commission has publicly appealed to other government institutions (e.g. those competent for the well-being of children) to take initiatives in this respect.

We will of course further report on any further developments on this issue, possibly from government institutions in Belgium or from other stakeholders in the industry.

For more information, please contact patrick.van.eecke@dlapiper.com or antoon.dierick@dlapiper.com

Internet of Things: European privacy recommendations

Posted in EU Data Protection, Mobile Privacy, Privacy and Data Security

By Patrick Van Eecke and Julie De Bruyn

Call it a coincidence or not: exactly one week after the Apple Watch was officially introduced by Apple CEO Tim Cook on 9 September 2014, the European data protection advisory body – Article 29 Data Protection Working Party (‘Working Party 29′) – adopted its Opinion 8/2014 on the Recent Development on the Internet of Things.

While the Working Party 29 acknowledges the potential of these ‘smart’ devices monitoring and communicating (in) our daily lives, it stresses that the privacy and security challenges generated by this should not be overlooked. The key to support trust and innovation – and to being successful on the market of the Internet of Things – is to keep the individuals concerned informed, free and safe.

Continue Reading

So You Think You Have a Point of Sale Terminal Problem?

Posted in Cybersecurity, Privacy and Data Security, Security Breaches, Technology and Commercial

Written by Tara Swaminatha and Aravind Swaminathan

If your company has a Point of Sale (POS) terminal anywhere in its infrastructure, you are no doubt aware from the active media coverage that malware attacks have been plaguing POS systems across the country.

Just within the past week, the New York Times has reported that:

  • Companies are often slow to disclose breaches, often because of the time involved in immediately-required investigations;
  • Congress is beginning to make inquiries of data breach victim companies; and
  • Even those companies who have conducted cybersecurity risk assessments still get attacked, often during the course of implementing new solutions to mitigate potential problems and protect their customers’ payment cards or other personal information.
  • Former employees can be a source of information to the media about your efforts to investigate and secure your POS systems.

No Quick Fix

Even the best intentions, most competent efforts and unlimited budgets cannot fix a problem such as this overnight.  These fixes take time, and have become an unavoidable symptom of having POS terminals.

What should your company do?

(1) Launch a cybersecurity risk assessment, if you have not yet done so.

(2) Protect your risk calculations by engaging outside counsel and qualified cybersecurity experts to provide legal risk advice protected by the attorney-client privilege.  Keep C-suite executives and Boards of Directors informed.  The outside counsel, together with experts, should:

  • educate and advise directors and executives on legal and business risks associated with your company’s particular threats and vulnerabilities;
  • engage a qualified, experienced external cybersecurity team to review technical infrastructure and identify vulnerabilities stratified and prioritized by risk, likelihood of being exploited, and costs and time involved in remedying each one;
  • review  operational procedures across a multi-disciplinary team in your company, which are often overlooked and can have the greatest impact on the overall health of your risk profile;
  • help identify the most sensitive categories of information in your organization and develop data governance procedures tailored to your organization to add yet another layer of protection for your most sensitive assets;
  • regularly remind your team members, including from your third-party vendors engaged by counsel, about privilege and confidentiality obligations.

(3) Treat cybersecurity risk assessments and remediation efforts as an iterative process.  Constantly review your multi-disciplinary team’s recommendations as they change week by week or day by day.  Re-evaluate the spend allocated based on updated information about your risk landscape as the investigation and assessment progresses.

(4) Stay informed about updated regulatory requirements and case law on cybersecurity and privacy.  Ensure stakeholders understand these updates and charge them with implementing appropriate changes in their domains.

(5) Recognize that there is no such thing as perfect security, but that there is a tipping point over which your company will move outside the category of high-risk operations and into a safe zone.

(6) Allocate the necessary resources to get the job done – and done well.  If your company goes an extra mile in building security policies, procedures and technology that are better than industry standard, you can use your low risk profile as a market differentiator.  In addition to reducing litigation and reputational risks, validated strong security will increase customer confidence and loyalty.

(7) Review your insurance policies for adequate coverage to address interim risks.  While reputational risk cannot be insured against, insurance can be very valuable in the event of a breach.

In the retail industry in particular, the widespread compromises in Point of Sale Terminals resulting in staggering amounts of payment card theft is a hallmark of 2014.   A decrease in brand reputation alone is too high a cost to ignore.   If your company is – very understandably – not equipped to tackle the daunting task of finding and prioritizing vulnerabilities and choosing the best cybersecurity governance and technical plans, find someone who is.

FRANCE: Cookies Sweep Day Is Here

Posted in Cookies, EU Data Protection, Privacy and Data Security

September 18, 2014

The CNIL announced today that it is conducting its Cookies Sweep today and tomorrow (September 18-19). The CNIL will review 100 French websites and will check the following:

  • the number and type of cookies set on the website users’ devices;
  • the way website users are informed about cookies;
  • the visibility and quality of such information;
  • how user consent is collected;
  • the consequences if the website user refuses to be tracked;
  • the cookies’ lifespan.

For further information, please contact Carol Umhoefer (Carol.Umhoefer@dlapiper.com) or Jeanne Dauzier (Jeanne.Dauzier@dlapiper.com).

FRANCE: The French Data Protection Authority (CNIL) Orders a French Company to Pay a EUR 5,000 Fine for the Non-compliance of its Customer Geolocation System with French Data Protection Law

Posted in Privacy and Data Security

By Carol Umhoefer & Mathilde Hallé

On July 22, 2014, the French Data Protection Authority (“CNIL”) found that a luxury car rental company had failed to comply with the French data protection law with respect to the implementation of a customer geolocation system. In particular, the CNIL considered that the rental company had failed (i) to fulfill the formalities required prior to processing customer geolocation data, (ii) to limit the collection of geolocation data to cases of non-return or theft of vehicles, (iii) to inform its customers of the aforementioned processing, and (iv) to ensure the security of the data.

In October 2012, a customer filed a complaint with the CNIL regarding the geolocation system implemented in connection with its rental luxury cars. In December 2012, the CNIL sent a first letter to the rental company summarizing the provisions of the French Data Protection Law pertaining to the implementation of a geolocation system. This letter remained unanswered, which led the CNIL to send two successive letters in January and March 2013. Likewise, these letters remained unanswered and the CNIL decided to conduct an on-site inspection in June 2013. Following such inspection, the CNIL sent a cease and desist letter to the rental company, requiring the latter to comply with applicable data protection law. However, the rental company failed to ensure such compliance, which was brought to light following a subsequent investigation. As a result of the foregoing, the CNIL ordered the rental company to pay a EUR 5,000 fine.

The CNIL’s decision was based on the following legal grounds:

  • First, the rental company had failed to file with the CNIL the required declarations prior to processing personal data in connection with (i) the geolocation of cars rented to customers, and (ii) customer management.
  • Second, the CNIL considered that the rental company had failed to comply with the principles of adequacy, relevance and non-excessive nature of the data. Indeed, the geolocation system was set for a 24/7 use and could not be deactivated, and therefore the car rented by customers could be located at any time by the rental company. The system thus enabled the collection and processing of various numerous data, including time and location-related data, that the CNIL considered as excessive in relation to the purposes for which it had been collected. The CNIL found that the rental company should have limited the collection of geolocation data to cases where the vehicle is stolen or not returned.
  • In addition, the CNIL considered that the rental company had failed to fulfill its obligation to give adequate notice to customers. In this respect, the rental company claimed that customers were verbally informed of the geolocation system. However, the CNIL noted that the rental company had not provided any evidence to support its claim. The CNIL thus considered that the rental company had not demonstrated that its customers were duly informed. It has to be noted that in its decision the CNIL does not consider that the customers’ consent would have been required. The CNIL further ruled that the rental company had failed to demonstrate its compliance that it had notified customers regarding the processing of their data for customer management generally.
  • Last, the CNIL stated that the rental company had failed to comply with its obligation to ensure the security of customers’ data. During on-site inspection, the CNIL had accessed the geolocation software at issue from a computer located at the reception desk of the company, and noted that the authentication process to access this software only required a user name and a password that had not been renewed since it had been set up (more than two years prior), as no password management policy was in place.

For further information, please contact Carol Umhoefer (Carol.Umhoefer@dlapiper.com) or Mathilde Hallé (Mathilde.Halle@dlapiper.com).

Is Your Browsewrap Terms of Use Agreement Enforceable?

Posted in Technology and Commercial

Written by Bahareh Samsami

Many websites use browsewrap terms of use agreements, which say that by virtue of using or making a purchase on the website, the user agrees to those terms of use.  However, the 9th Circuit’s recent opinion raises questions about the enforceability of those agreements.

On August 18, 2014, the 9th Circuit Court of Appeals affirmed the unenforceability of Barnes & Nobel’s (“B&N”) browsewrap website terms of use agreement.  In Nguyen v. Barnes & Nobel, Inc., 2014 U.S. App. LEXIS 15868 (9th Cir. August 18, 2014), the plaintiff had placed an online order for B&N’s discounted tablets that B&N later cancelled.  Nguyen brought a suit against B&N, claiming that as a result of B&N’s representation and the delay in informing him that B&N would not honor the sale, Nguyen was forced to purchase a higher priced tablet instead.

B&N moved to compel arbitration, arguing that Nguyen was bound by the arbitration agreement in B&N’s website terms of use.  The B&N’s website terms of use was available as a hyperlink at the bottom left-hand corner of every page on the B&N’s website in the online check out process, underlined and set in green typeface and was presented on the user’s screen without the need to scroll down.  Nguyen claimed that he was not aware of the existence of the terms of use, so he had not agreed to them, and the court agreed.  The court found no evidence that Nguyen had actual notice of the terms of use, nor was Nguyen required to affirmatively acknowledge the terms of use before making his online purchase.  As a result, the court held that the website did not put a reasonably prudent person on notice of the existence of the terms of the agreement.

In light of Nguyen, whenever possible, we advise that you require the user to agree to a click-through terms of use agreement, particularly if the website is targeted at consumers.  If that is not practicable, it is possible to form a binding agreement if the design and the content of the website make the terms of use link conspicuous prominently on the page where a reasonable user is certain to see it and be on notice.  But the question remains if a green and underlined hyperlink that appears on every page without needing the user to scroll down didn’t work, what will?


Posted in Cookies, EU Data Protection, International Privacy, Privacy and Data Security, Technology and Commercial

Written By Carol Umhoefer, Jeanne Dauzier and Mathilde Hallé

Starting in October, France’s Data Protection Authority (the CNIL) will verify compliance with its December 2013 Recommendation on the use of cookies and tracking technologies.

The CNIL’s inspections will follow “cookies sweep day,” planned to take place the week of September 15, 2014, during which European Union Data Protection Authorities will review how Internet users are notified of the use of cookies, and how their consent to such use is obtained.

The CNIL recently announced that, from October 2014, it will verify compliance with its recommendation on cookies and tracking technologies issued on December 5, 2013. Compliance checks will be conducted through on-site and online inspections.

Find out more.

FRANCE: The French Media Authority Refuses to Authorize TF1 to Swap the LCI News Channel From Pay to Free DTT

Posted in Technology and Commercial

By Florence Guthfreund-Roland & Mathilde Hallé

The TF1 group has petitioned the French media authority (the “CSA”) to swap its LCI news channel from pay to free DTT, based on the provisions of a new law adopted on November 15, 2013 which granted the CSA the power to authorize a pay DTT channel to migrate to free DTT, upon request from the broadcaster. In case of such a request, the CSA must consider whether a migration to free DTT would jeopardize (i) the principle of pluralism, (ii) the quality and diversity of TV programs, and (iii) the stability of the television sector. In a decision rendered on July 29, 2014, the CSA formally refused to approve the migration requested by TF1.

In support of its request, TF1 mainly contended that the decrease of LCI’s turnover partly results from a reduction in the fees paid to broadcasters by subscription-based television service providers (notably including cable/platforms operators). TF1 also claimed that LCI’s audience has substantially decreased, as have LCI’s annual net advertising revenues. On that basis, switching from pay to free DTT is, for TF1, the only option left to ensure LCI’s viability in the near future.

However, the CSA rejected TF1′s request based on the following arguments:

  • According to the CSA, LCI’s swap from pay to free DTT is not necessary to ensure pluralism on the free DTT market. Indeed, the LCI news channel is similar to two existing French free news channels, being BFM TV and i>Télé;
  • In addition, LCI’s migration to free DTT would lead to a decline in viewers for existing free news channels;
  • As a consequence, LCI’s migration to free DTT would likely jeopardize the balance of the advertising market considering that: (i) this market is already down and the level of advertising expenses has reached its lowest point in more than 10 years; and (ii) given the significant position of TF1 in the market, the latter would still be able to create advertising revenues for LCI (notably via cross-selling practices). Moreover, according to the CSA a prohibition of tied sales of advertising space between LCI and other channels belonging to TF1 would not compensate the channeling by LCI of part of the advertising resources specific to other news channels;
  • Based on the above, LCI’s migration to free DTT would materially affect the economic and financial situation of existing free news channels. Indeed, the CSA considered that neither competitive measures nor measures pertaining to the content of TV programs would be sufficient to thwart the transfer of audience shares from existing free news channels to LCI on the one hand, and the channeling of advertising resources by LCI on the other hand. In particular, the effects on the quality and diversity of the programs that would result from the offer of an additional free news channel would not compensate the detrimental impact on the economic and financial viability of existing free news channels, thus jeopardizing compliance with the principle of pluralism.

On the basis of similar considerations, the CSA, on the same day. rejected requests from the M6 group and the Canal + group to swap their respective channels Paris Première and Planète+ from pay to free DTT.

TF1 has two months to appeal the decision of the CSA before the French Administrative Supreme Court (the “Conseil d’Etat“). It can be noted that, in case of appeal by TF1, the decision of the CSA would remain applicable until the Conseil d’Etat rules on such decision.

For further information, please contact Florence Guthfreund-Roland (Florence.Guthfreund-Roland@dlapiper.com) or Mathilde Hallé (Mathilde.Halle@dlapiper.com).


FRANCE: Orange receives a public warning from the French Data Protection Authority (CNIL) following a security breach in a sub-subcontractor’s database

Posted in Privacy and Data Security

By Carol Umhoefer & Patrick Cookson

The CNIL’s decision provides useful guidance on security measures that the CNIL considers must be taken by data controllers.

Earlier this year, Orange discovered that the database of one of its sub-subcontractors had suffered a server malfunction that led to a security breach. The sub-subcontractor’s database contained the personal data of more than 1.3 million Orange customers (including name, date of birth, e-mail address, and landline and mobile phone numbers) and was used for sending promotional email campaigns.

In compliance with its obligations as an electronic communications operator, Orange notified the CNIL of the security breach in April 2014. On-site inspections conducted by the CNIL in May 2014 showed that the sub-subcontractor’s database had become publicly accessible by modifying the URL address of “unsubscribe” links in emails sent to customers, and that an unidentified third party had collected customers’ personal data a few months before.

Under French law, data controllers must use best efforts to ensure that the confidentiality of customers’ and prospects’ personal data is adequately secured. In issuing its warning, the CNIL cited three facts:

  • First, Orange did not carry out any security audit of the sub-subcontractor’s proprietary technology after it was implemented in November 2013;  the solution had been specifically adapted for Orange;
  • Second, Orange regularly sent updates of its customer database to its service providers by email, without any additional security measures;
  • Finally, although Orange and the subcontractor had entered into a contract setting forth security and confidentiality obligations for the subcontractor, those obligations were not passed through to the sub-subcontractor.

The decision serves as a timely reminder of the CNIL’s expectations as concerns personal data security.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Patrick Cookson (patrick.cookson@dlapiper.com).

Back to Top of Page