Header graphic for print

Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

FTC Publishes revised COPPA FAQs, clarifies parental consent methods

Posted in Children, Privacy and Data Security, US Federal Law

The FTC has issued three new FAQs clarifying the “verifiable parental consent” requirements under the COPPA Rule.

In one of the revised FAQs, the FTC reiterates that the COPPA Rule’s list of parental consent methods is not exhaustive and that operators are free to use other “reasonably calculated methods” to obtain consent.  According the revised FAQ, another “reasonably calculated” form of consent, under certain circumstances, could include collection of a credit card number without an accompanying monetary transaction, if other steps are taken as well (such as asking questions that only parents would know the answers to and finding a “supplemental way”to contact the parent).  The FTC also amended two other FAQs that address the interplay between app stores and app developers in the COPPA context , explaining when an app developer may rely on app stores and other third parties to get verifiable parental consent, and whether an app store may be liable for app developers’ COPPA violations.

The amended FAQs are included below, and can be found here:

H.5.    I would like to get consent by collecting a credit card or debit card number from the parent, but I don’t want to engage in a monetary transaction.  Is this ok?

It depends.  The general rule is that any parental consent mechanism “must be reasonably calculated, in light of available technology, to ensure that the parent providing consent is the child’s parent.”  The Rule lists several methods that automatically meet this standard, one of which is the use of a credit card, debit card, or other online payment system in connection with a monetary transaction.  However, the listed methods aren’t exhaustive; you may use other methods as long as they are “reasonably calculated” to ensure that the consent is being provided by the parent.  Although collecting a 16-digit credit or debit card number alone would not satisfy this standard, there may be circumstances in which collection of the card number – in conjunction with implementing other safeguards – would suffice.  For example, you could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent.

H.10.    I am the developer of an app directed to kids.  Can I use a third party, such as one of the app stores, to get parental consent on my behalf?

Yes, as long as you ensure that COPPA requirements are being met.  For example, you must make sure that the third party is obtaining consent in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.  The mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government identification), does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child.  You must also provide parents with a direct notice outlining your information collection practices before the parent provides his or her consent.

H.16.   I run an app store, and would like to help app developers that operate on my platform by providing a verifiable parental consent mechanism for them to use.  Under what circumstances will this expose me to liability under COPPA?

Because you are not an “operator” under COPPA in this circumstance, you will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom you obtain consent.  As the Commission stated in the Statement of Basis and Purpose accompanying the final COPPA Rule, the term “operator” is not intended to encompass platforms, “such as Google Play or the App Store, when such stores merely offer the public access to someone else’s child-directed content.”   At the same time, you should also evaluate your potential liability under Section 5 of the FTC Act.  For example, it could be a deceptive practice to misrepresent the level of oversight you provide for a child-directed app.

Florida Information Protection Act of 2014 Goes Into Effect; Regulator Notification Required

Posted in Privacy and Data Security, Security Breaches, US State Law

Effective July 1, 2014, Florida has repealed its existing data breach law in favor of a new, more stringent, law. Florida has joined the list of states requiring notice to regulators:  specifically, an entity must notify the Department of Legal Affairs of any breach affecting 500 or more Florida residents as soon as possible, but no later than 30 days after determining that a breach has occurred or having reason to believe that a breach has occurred. The new law also specifies the content of that notification (e.g., description of the breach, number of Florida residents affected, services offered to individuals, copy of the notice to be provided to the individual, and contact person to field questions regarding the breach).

Florida also has expanded the definition of personal information. Under the prior law, Florida had defined personal information to include name plus a social security number, a driver’s license (or other government identification number), or certain financial account information. The new Florida law also includes the following in the definition of personal information:  (1) name plus an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual; and (2) user name or email address, plus a password or answer to security question that would enable access to an online account.

 

DLA Piper Sourcing Reference Guide

Posted in Commercial Contracting, Strategic Sourcing, Technology and Commercial

NEW RELEASE: CHAPTERS 11 AND 12 COMPLIANCE AND DATA PROTECTION

DLA Piper’s award-winning global Technology and Sourcing team is pleased to release the 11th and 12th chapters of the Sourcing Reference Guide, our handbook to conducting successful sourcing transactions.

Chapter 11 looks at Compliance and Chapter 12 looks at Data Protection.

The complimentary Sourcing Reference Guide combines best practices from our leading global team, covering a range of sourcing transactions – ITO, AD/AM, BPO, F&A, HRO, FM, infrastructure, networks and more.

Following are the chapters included to date – the newest chapters are in bold face:

1. Sourcing Structures
2. Sourcing Agreement Structures
3. The Services Description
4. Offshoring
5. Timing, Delivery and Delay
6. Service Levels
7. Service Credits
8. Charging Models
9. Tax
10. Benchmarking
11. Compliance
12. Data Protection

We will be adding additional chapters to the Sourcing Reference Guide throughout the year and will keep you abreast of new updates.

For more information, please contact sourcingreferenceguide@dlapiper.com.

Access the Guide Here:  http://www.dlapiperoutsourcing.com/tools/sourcing-reference-guide.html

Doping Tests and Privacy Rights in Spain: a Key Court Decision

Posted in EU Data Protection, International Privacy, Privacy and Data Security

By Diego Ramos

No one can deny that, over the last decade, Spain has taken the fight against Sports’ doping networks very seriously. In 2006 and 2013, two demanding laws for the health protection of federated sportsmen and the prosecution of fraud in sports competition have been passed by the Spanish Parliament. New and stringent regulations developing both laws were rapidly drafted by the local Sports authorities. Enforcement of the laws and the regulations has been particularly tough. In fact a bit too much, as one Spanish court recently ruled.

The facts are simple. The Spanish High Council for Sports (CSD) issued a regulation requiring certain federated sportsmen (e.g. the ones recovering from injuries) to be available to undergo doping tests “permanently”. This meant at any time, workdays or weekends, holidays or working periods, day or night, in public or private life. They need to report where they are at all times (hence the term “permanently”). The Spanish Association of Professional Cyclists (ACP) filed a claim against that regulation for this and other legal grounds in front of Spanish Audiencia Nacional, a central court based in Madrid that handles serious crime like terrorism, the lawfulness checking of regulations and other matters like privacy rights.

The Audiencia Nacional, in a decision that has just been made public, dismissed most of the arguments of the claim, supporting strongly the views of CSD against doping. The Audiencia Nacional even ruled that, since doping in sports is a matter of public concern, sports professionals are obliged to accept regular doping tests at unusual periods of time. However, the Audiencia Nacional also found that the Regulation went too far when requiring some federated sportsmen to report “permanently” where they are. They shall report where they can be “usually” found for undergoing a test (the law actually employs the term “usually”, rather than “permanently”, the court says, so the CSD went too far extending the scope of the legal authorization, especially when a constitutional right like privacy is at stake). The court could have stopped there. However, it went into detail on the merits of the case, analyzing whether the duty to report “permanently” the whereabouts of an individual breaches the constitutional right to privacy. It does, according to Audiencia Nacional. Every individual, also federated sportsmen, has the right to a minimum quality of life and a minimum of dignity. By making privacy zero that goal is not achieved.

The decision could still be appealed in front of the Spanish Supreme Court. Reporting where someone is “usually” may be only slightly different from reporting where s/he is at every single second. However, the decision is important, and not only because it shall improve slightly the lives of Spanish federated sportsmen and sportswomen. First of all, the court that issued this decision handles normally the legal review of the decisions made by the Spanish Data Protection Commissioner. So it is likely to have a very strong impact on any future court decision on privacy in Spain. Second, the court used for deciding a sports’ case arguments borrowed from the Spanish data protection practice, the Spanish Data Protection Commissioner and the European Data Protection Authorities (Art 29 Working Party) in geo-localization cases (i.a. AEPD reports of 28 June 2012 and 25 May 2009, AEPD Resolution of 6 June 2013, WP Art 29 Opinion of 16 May 2011). The special legal concept of “proportionality” that made up the core of privacy authorities’ and experts’ position in all these instances is the one that also boasts the new court decision. People like policemen and sportsmen can be obliged, for different reasons, to be geo-localized on a regular basis. Personal safety, public security, personal health and sports’ cleanness entail risks that justify such burden. Nevertheless, forcing them to surrender their privacy at all times in all contexts is probably not proportional to those risks that the law tries to mitigate. A life that shall be worth living requires a minimum of dignity, and privacy is a key part of it.

For further information, please contact Diego Ramos (diego.ramos@dlapiper.com).

 

MVNO – trends and contracts

Posted in Telecoms

By Amanda Pilkington, Legal Director (UK) and Mike Conradi, Partner (UK)

Today’s news that the Post Office is to launch a Mobile Virtual Network Operator (MVNO) in partnership with EE has led us to put together a few thoughts about the market and about MVNO contracts.

Market trends

Recent months have seen perhaps an increasing number of smaller MVNOs ceasing trading – often citing the prohibitive tariffs offered by wholesale providers as the key determining factor (eg the ad-funded networks Ovivo Mobile and Samba Mobile). Similarly Vodafone’s MVNA partner Cognatel announced recently they would focus only on larger-scale MVNOs going forward.

Interestingly this trend is against a back drop of more new MVNO joint ventures between larger established players such as the Post Office one referred-to at the start of this blog and also the BT and EE MVNO (albeit that BT’s focus has not been on the consumer mobile market since the days of BT Cellnet). Other larger MVNOs, especially those with a clear cost advantage in terms of distribution (such as Lebara or Tesco Mobile) seem to be continuing their success and growth.

We also note the emergence of new entrants utilising new innovative platforms. For example, Now Mobile has launched a new MVNO service in the UK based on the prepaid mobile solution from DIGITALK, a global vendor of prepaid service platforms.

In the press release about its new MVNO BT outlined details of the basis on which EE will provide various MVNO services to BT’s customers and employees based in the UK, strengthening the existing relationship between the companies.  The arrangement will see BT’s mobile customers accessing 2G, 3G and 4G services via the EE network. We think it likely that BT may also be planning to combine its EE MVNO with its newly-acquired slice of high-frequency 2.6GHz spectrum, which it won for £186m in the auction last year, and which is suitable for high bandwidth but low range services -so may be especially useful in urban areas.

It seems, then, that whilst smaller MVNOS may struggle there is no shortage of innovation and interest in the sector, and larger players with established brands in other areas, like the Post Office, continue to see possibilities in the MVNO business model.

It will be interesting to see whether these trends continue for the remainder of 2014 in light of the race to provide 4G offerings.

Introducing flexibility in MVNO contracts

The MVNO market is constantly changing and evolving with new technologies, platforms and service propositions. The contract between the MVNO and its Mobile Network Operator (MNO) can at times be a blunt tool in the race to adapt to and remain competitive in the face of these changes and the MVNOs can be in the weaker position because of the difficulties they would face in switching from one MNO to another. However, there are ways in which a degree of flexibility can be introduced into the contractual terms (assuming a convention wholesale-priced model for the arrangement with the MNO).

One of the most commonly used tool is a benchmarking mechanism. This enables the wholesale prices in the contract to be tested at regular intervals against what is market practice, with the ability to adjust prices should the wholesale prices be found to be out of kilter (usually within agreed parameters). The contract can even provide that the benchmarker can look at retail prices offered by competitors to the MVNO as a likely indicator of their underlying wholesale prices. Although, of course, retail prices could be offered below cost as some kind of “loss leader” if, in the long term, retail prices offered by the MVNO’s competitors are below the wholesale prices in the contract this would seem to suggest that the wholesale prices in the contract are too high.

The appropriateness of benchmarking provisions will of course vary as between jurisdictions. In heavily regulated markets with strict controls on wholesale pricing benchmarking provisions may be less important. Likewise in countries where the MNO has a monopoly there is effectively no market to benchmark. However, it is prudent to include the right to benchmark in any event should the in territory’s circumstances changes; benchmarking is a right but not an obligation, this right does not need to be exercised.

To keep pace with the changing technologies and capabilities, the MVNO needs to have sight of the MNO’s roadmap plans for its network so that it can adapt its customer products accordingly. This can be achieved in the commercial terms by including a requirement on the MNO to produce and provide to the MVNO a technical development plan to allow the MVNO to plan its retail offerings and market campaigns

Finally there is often a discussion about service levels in MVNO contracts. The MNO may argue that since customers of the MVNO are on the same network as their own customers there is no reason to agree specific service levels and service credits. This may be so but in many cases the profile of the MVNO’s customers will be different from those of the underlying MNO – they may for example be more concentrated geographically, or make more international calls. If so then it may not be sufficient for the MVNO simply to rely on the MNOs general interest in fixing their own network if it breaks – the MVNO may instead want some sort of specific reassurance about the areas which are especially important to it. This could take the form of a specific service level regime or else could be something simpler like a right to be informed and consulted on decisions or issues having a particular impact in the critical areas.

See also Mike’s blog piece Top 6 Issues to Consider for an MVNO access contract

EU: European Commission launches cloud SLA standardisation guidelines

Posted in Uncategorized

DLA Piper has played a key role in the launch of guidelines issued by the European Commission intended to help businesses save money and get the most out of cloud computing services.  The guidelines aim to ensure contracts between professional cloud users and cloud providers are written plainly, boosting confidence in the digital market.

The guidelines are widely recognised as the first step towards standardised building blocks for Service Level Agreements (SLAs) terminology and metrics. An SLA is a part of a service contract that defines the technical and legal aspects of the service offered.

The guidelines were developed as part of the Commission’s European Cloud Strategy to increase trust in these services, and were shaped by a Cloud Select Industry Group (C-SIG) which included lawyers Patrick van Eecke, Mark O’Conor and Antoon Dierick of DLA Piper. Other major cloud providers including Amazon, Google, Microsoft, Oracle and IBM were also part of the C-SIG.

It is hoped that this will inspire standardisation of SLAs at an international level. Internet service providers commonly include SLAs in contracts with customers to define the levels of service being sold, and they form an important component of the contractual relationship between a customer and a cloud provider. Given the global nature of the cloud, cloud contracts often span different jurisdictions, with varying applicable legal requirements, in particular with respect to the protection of personal data hosted in the cloud.

Patrick van Eecke commented: “The lack of a common contracting template has been a real stumbling block to the roll-out of cloud computing in Europe. For this reason, a standardised Service Level Agreement that can be adopted by both providers and users is hugely welcome.

“We were pleased to play a significant role in the development of the guidance, and look forward to continuing the industry-wide dialogue to remove the barriers to the adoption of cloud computing”

European Commission Vice-President Neelie Kroes said: “This is the first time cloud suppliers have agreed on common guidelines for service level agreements. I think small businesses in particular will benefit from having these guidelines at hand when searching for cloud services.”

Vice-President Viviane Reding added: “The new guidelines will help generate trust in innovative computing solutions and help EU citizens save money. More trust means more revenue for companies in Europe’s digital single market.

“This is the same spirit as the EU data protection reform which aims at boosting trust. A competitive digital single market needs high standards of data protection. EU consumers and small firms want safe and fair contract terms. Today’s new guidelines are a step in the right direction.”  

 

 

EU: Update on Google’s Right to be forgotten

Posted in EU Data Protection, International Privacy, New Privacy Laws, Privacy and Data Security, Technology and Commercial

Written by Patrick Van Eecke and Anthony Cornette

June 15, 2014

In an earlier blog post, Patrick Van Eecke and Anthony Cornette discussed the impact of the ECJ Case C-131/12. The authors now provide some further insight on the latest developments relating to the ECJ case on the ‘Right to be Forgotten’

Privacy Commissioners’ Guidelines

On June 3rd, the data protections authorities of the 28 European Member States gathered in Brussels. During the meeting, they discussed common guidelines for the interpretation of the Google Spain SL decision of the European Court of Justice on May 13th, which affirmed a ‘right to be forgotten’. The guidelines are anticipated to be released around September, and are expected to provide additional information on a consistent process to request removals, the criteria to be applied and the appeals process if requests are rejected. The data protection authorities in each country are expected to follow these guidelines across Europe.

The guidelines will be an important step in answering some questions regarding the application of the right to be forgotten. The guidelines may bring clarity on the concrete criteria to be taken into account for the removal of links. There are many questions surrounding the European Court of Justice’s ruling, including: the territorial scope of application of the ruling, the processing of special categories of data by search engines, how links should be handled that become relevant again in the future (e.g. in the event of repeated conduct), what criteria should be used regarding the balance with the public’s right to access of information, the scope of application of the ruling when it comes to social media and news search engines run by media companies.

Google Advisory Board

While waiting for the expected guidelines from the data protection authorities, Google has set up a special advisory board to help guide the processing of the ‘right to be forgotten’ requests it receives. Google also released an online form on May 29th to request the removal of links from its search results. It is noteworthy that Google asks to identify specific links to be removed, the country of origin of the requester, and a reason for their request. Google has indicated that it received over 12.000 removal requests on day one and over 41.000 requests by day four. By comparison, according to Google’s transparency report, it received 23 million URL removal requests in the past month for copyright infringements.

Other search engines (as well as other Internet companies) are closely following these developments surrounding the implementation of ‘right to be forgotten’ requests, when assessing their own compliance with the European Court of Justice’s ruling.

Fraudulent use of a service by hackers – a lesson for service providers

Posted in E-Commerce and Social Media, Gambling & Gaming, Privacy and Data Security, Security Breaches, Telecoms

A recent case contains some salutary lessons for service providers concerning liability for fraudulent use of their services. It appears that unless the contract has clear terms to the contrary then the service provider, not the end user, will pay for fraudulent use of a service by hackers even if the end user has not properly secured their network. .

In the case of Frontier Systems Ltd trading as Voiceflex v Frip Finishing Ltd [2014] EWHC 1907 (TCC), 10 June 2014 the claimant, a provider of voice-over-internet protocol (VoIP) services, brought a breach of contract and damages claim against the defendant, one of the claimant’s end-users, in 2011 when an unknown third party hacked into the defendant’s computers and accumulated charges of £35,000 for numerous calls made to a premium rate telephone number in Poland.

The claim was rejected by the Technology and Construction Court which did not find any breach of contract on the following grounds: (i) the end-user’s obligations to secure its system was not set out in the contract, and (ii) there was no obligation under the contract for the end-user to pay for the unauthorised calls (only for the authorised ones).

The judge also rejected the claimant’s argument that the defendant breached an implied term in the contract by failing to use reasonable endeavours to secure their username and password. The judge accepted on bringing expert opinion that an 8-digit password was strong enough and the defendant had no obligation to take additional precautions as the contract did not specify what the defendant should or should not have done.

On proper construction of the contract, the judge concluded, the defendant was only obliged to pay for calls it had actually made and not for fraudulent calls, as long as the defendant did not disclose its password. Also, the fact that the claimant added a provision that passed liability for fraud to its customers in 2012 suggested that this was not intended in the earlier contract with the defendant.

The decision highlights the need for VoIP service providers to set out system security requirements and also liability for fraudulent calls in their contracts It may also be prudent to oblige end-users to maintain their username and passwords by using a more robust password combination and by changing it regularly.

EU: Update on Google’s Right to be forgotten

Posted in E-Commerce and Social Media, EU Data Protection, International Privacy

By Patrick Van Eecke and Anthony Cornette

In an earlier blog post, Patrick Van Eecke and Anthony Cornette discussed the impact of the ECJ Case C-131/12. The authors now provide some further insight on the latest developments relating to the ECJ case on the ‘Right to be Forgotten’

Continue Reading

Belgium: Gaming Commission pleads for a further restriction and rationalization of the gaming industry

Posted in Gambling & Gaming

By Patrick Van Eecke and Raf Schoefs

Patrick Van Eecke and Raf Schoefs (DLA Piper, Brussels) discuss recent media coverage in relation to the Belgian Gaming Commission’s (BGC) open letter to the next government in which it requests for a further restriction of the gaming industry and for a tightening of the legal framework.

Continue Reading

Back to Top of Page