
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

Internet Sweep Days: Focus on Children’s Data

Posted in EU Data Protection, International Privacy, Privacy and Data Security, Technology and Commercial

Between May 12 and May 15, 2015, as part of the annual Internet Sweep Days, nearly 30 Data Protection Authorities (“DPAs”) audited child-oriented websites and mobile apps to check compliance with data privacy rules. Results are expected in Q3 2015.

The Global Privacy Enforcement Network (“GPEN”), which brings together numerous countries’ DPAs from across the world, regularly initiates and coordinates global audits. The 2014 Internet Sweep days revealed that many websites and mobile apps collecting personal data do not properly inform users on how this data will be collected and used — for example, insufficient privacy notices or none at all, poor accessibility or visibility of notices, etc.

In 2015, GPEN focused on websites and mobile apps targeted at or used by children. These are principally social networks, educational services, school support and game-oriented websites. The DPAs notably checked whether these websites and apps:

  • require parental consent prior to use of the relevant services or collection of personal data,
  • facilitate the deletion of personal data submitted by children,
  • make young users aware of data privacy issues, and
  • provide information on personal data protection suitable to young users (e.g., simple language, animations).

Children’s personal data, a specific concern in the draft EU General Data Protection Regulation

This year’s sweep days were held as the Council is working on its proposal for an EU General Data Protection Regulation. This proposal emphasizes the necessity of protecting children’s personal data, such that “the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorized by the child’s parent or guardian.” The proposal states that DPAs are encouraged to “draw up Codes of Conduct on the information and protection of children and the way to collect the parent’s and guardian’s consent,” and that DPAs must “grant specific attention to activities addressed specifically to children”. In proposing a bright-line test for consent at 13, the EU is moving to the US standard, which is inconsistent with civil law principles by which the general age of majority — and for giving lawful consent — is 18.

For further information please contact Carol Umhoefer at carol.umhoefer@dlapiper.com

DRONES IN THE UAE: THE LEGAL PITFALLS

Posted in International Privacy, Technology and Commercial

Written by Eamon Holley, Legal Director, and Mohamed Moussallati, Legal Consultant, both based in Dubai, UAE

Drones (also known as unmanned aerial vehicles, or UAVs) of different shapes, sizes and specifications are definitely one of ‘the’ gadgets of the year and over the last few years have become increasingly available and affordable in the UAE. Their use for both personal and professional activity, ranging from filming special events such as weddings through to security protection details, is on the increase – but at what cost and at what impact to safety and privacy?

The UAE government has identified drones as a technology to assist with law enforcement and service delivery, and at the Government Summit (February 2014) launched the “Drones for Good” award to encourage the development of drone-related technology. There has been reported investment in the development of drones for delivery of small and time-sensitive items (such as medicines and identification documents), and Dubai Customs using drones for surveillance of suspicious activity and inspection of trade vessels in Dubai Creek.

However, reports at the end of January also surfaced of air traffic at Dubai Airport being brought to a standstill as a result of recreational drones flown by members of the public, and similar incidents were reported in the UAE in 2014. With this in mind, the General Civil Aviation Authority (GCAA) is widely reported to be in the process of drafting regulations relating to the use of drones in the UAE, with different categories and licencing requirements depending on the weight of the drone and the type of user (individual, corporate or governmental), and with restrictions on how and where drones can be used. It is also anticipated that authorities will issue regulations that control the import and distribution of drones into the local market, including mooted plans of the Dubai police to require all drones to be registered at the point of sale. More recently (11 March 2015), according to online news sources, the Abu Dhabi Business Centre, affiliated to the Department of Economic Development, announced a ban in Abu Dhabi on the sale of drones to the public until new laws to control drone use are issued.

But what regulations are already in place today that may apply to the use of drones and what are the key legal issues in the UAE that drone operators should be mindful of?

Threat to air navigation and passengers, and breach of aviation regulations

The potential for serious damage caused by even a small drone crashing into a flying commercial aircraft, and the associated dangers to those on board, is well documented. The Civil Aviation Regulations, issued by the GCAA, prohibit “any man-made object” from entering the airspace above 200 feet above the ground within 8km of an airport, or above 300 feet above the ground elsewhere in the UAE, unless approved by the appropriate Emirate Department of Civil Aviation. Contravention of these regulations may result in a fine and/or imprisonment.

Injury to the public and property damage

Drones can, of course, fall out of the sky and crash into people or property. This could be due to, for example, a flat battery, defects or poor navigation or control by the operator. Drone operators should therefore apply the appropriate level of care as any damage or injury caused could render them liable to pay the victim compensation (“to make good the harm”) under various sections of the Civil Code.

You can find a number of reports of incidents involving drones crashing into people and causing injury (see, for example, the video available online of a drone recording a bull run in Virginia, USA, crashing into and injuring spectators).

Government property

The filming and/or photography of government buildings, military installations and other designated sites is generally not allowed in the UAE. In fact, in October 2014, an American tourist attending a conference in the UAE was reportedly arrested and charged with “photographing within a restricted area”. The court ultimately found that his actions were committed “without ill intention”, although he was fined AED 500. Individuals who have been found guilty of similar offences have in the past reportedly received fines of up to AED 3,000 and prison sentences of up to three months.

Breach of privacy

In the UAE, an individual’s right to private and family life is considered paramount, with various protections enshrined across a number of UAE laws. Furthermore, local custom frowns upon the capturing of images of individuals (particularly women and children) without consent, even in public places.

Under the UAE Copyright Law, for example, any person who takes a photograph of another, by any means, unless the individual agrees to it, is not permitted to “keep, show, publish or distribute” the images. There are certain exceptions, for example, where publication relates to public events or where permitted by authorities in favour of the public interest, but this is generally subject to the proviso that such photography should not prejudice the position or stature of any individual.

Under the UAE Penal Code, it is also an offence (unless permitted by law or by consent) to “prejudice the privacy of [an] individual or family life”, including by eavesdropping, recording or transmitting a conversation in a private place, or taking or transmitting “by any device of any kind whatsoever a photo of a person in a private place”. Similarly, “assaulting the privacy of a person” by “capturing pictures of [a] third party” is one of a number of offences under the UAE Cybercrime Law. The penalties for these offences generally include a fine and/or imprisonment and may also include the confiscation of the drone and any other associated equipment.

Operators should also check for specific regulations that may apply to drone use in individual Emirates, taking into consideration the activities involved. For example, in Dubai, there are licensing requirements (under Dubai Executive Council Resolution No. 50 of 2014 concerning the Dubai Film and TV Commission) associated with various filming activities for media production purposes (including, for example, advertising).

The economic benefits of drone technology have been embraced by the UAE government and businesses across the UAE, and the commercial and recreational use of drones is becoming more and more prevalent with increasing availability and affordability. However, the proliferation of these devices and recent incidents have placed emphasis on the need for a regulatory regime to control drone use, and indeed it is anticipated that dedicated regulations will be in place shortly. In the meantime, drone operators are well advised to make themselves aware of the existing legal regime (which is continually evolving and will no doubt include other regulatory bodies in time), and the legal implications of their actions.

Spokeo v. Robins: The Case That Has Silicon Valley Buzzing, Even Though Plaintiffs Likely Don’t Have a Leg To “Stand” On

Posted in Privacy and Data Security, US Federal Law

Written by Elliot Katz and Monica Scott

On April 27, 2015, the United States Supreme Court granted certiorari in Spokeo v. Robins and will soon decide whether a plaintiff must allege more than just the bare violation of a federal statute in order to invoke Article III jurisdiction. Some of Silicon Valley’s top companies have observed in a brief to the Court in support of cert. that if the Ninth Circuit’s ruling stands, “plaintiffs may pursue suits against [companies] even where they are not actually harmed by an alleged statutory violation.” While single-plaintiff lawsuits are problematic, the real problem arises when these types of cases are brought as class actions, seeking “billions” in statutory damages and creating an “immense pressure to settle” even the cases that may be “baseless on the merits.” Silicon Valley companies are monitoring this case carefully because of the impact it will have on data breach and privacy-related class actions, which are often brought by plaintiffs alleging violations of federal statutes that are enforced through statutory damages. It is not an understatement to say that the Supreme Court’s decision could radically change the landscape for these types of class actions for years to come. Put simply, if the Supreme Court does not reverse the Ninth Circuit, it is likely that there will be a significant increase in the volume of data breach and other privacy-related lawsuits filed moving forward. Conversely, if the Ninth Circuit is reversed then the volume of privacy class action lawsuits may decline. If the Supreme Court’s decision in Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013) is any indication, then the latter may be true.

  • The Underlying Litigation

In the underlying lawsuit, Thomas Robins brought a class action lawsuit against Spokeo for allegedly violating the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681. Specifically, Mr. Robins alleged that Spokeo, a website “that provides users with information about other individuals, including contact data, marital status, age, occupation, economic health, and wealth level,” generates reports containing “inaccurate consumer information that is marketed to entities performing background checks.” Mr. Robins alleged that, as a result of Spokeo’s FCRA violations, he was “concerned that his ability to obtain credit, employment, insurance and the like will be adversely affected.” Notably, Mr. Robins did not allege that, at the time of the filing of the lawsuit, he had been denied credit, a job, or insurance because of the alleged inaccurate information. Spokeo moved to dismiss based on Mr. Robins’ lack of standing to sue, among other reasons.

In federal court, a plaintiff must have Article III standing to sue, which requires a showing that he or she has suffered an “injury in fact” that is “fairly traceable” to the defendant’s conduct at issue. The injury must also be “concrete and particularized,” meaning no hypotheticals, or what ifs. Importantly, because Article III standing is constitutional, “[i]t is settled that Congress cannot erase Article III’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.” Raines v. Byrd, 521 U.S. 811, 820 n. 3 (1997).

Mr. Robins argued that he met the requirements of standing simply by alleging that Spokeo is in violation of the FCRA, which grants individuals a private right of action to sue for statutory damages without any proof of injury. 15 U.S.C. § 1681n(a). The district court disagreed, ruling that Mr. Robins did not have standing to sue because his “concern that he will be adversely affected by [Spokeo’s] website in the future, is an insufficient injury to confer standing” (emphasis in original).

The Ninth Circuit reversed. The Ninth Circuit ruled that Mr. Robins did have standing to sue because (1) the “violation of a statutory right is usually a sufficient injury in fact to confer standing”, and (2) the FCRA does not require a showing of actual harm when a plaintiff sues for statutory damages in certain circumstances. Spokeo subsequently petitioned the Supreme Court for cert. on the standing issues, and, on April 27, 2015, Spokeo’s request was granted.

  • The Issue

In Spokeo, the Supreme Court will decide “[w]hether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of federal court, by authorizing a private right of action based on a bare violation of a federal statute.” In other words, can Congress authorize an individual to sue by alleging that a company violated a federal statute without also alleging that he or she has actually suffered any injury? This question affects not only cases brought under the FCRA, but other privacy-related cases as well, which are often brought under statutes passed by Congress authorizing statutory damages without requiring a plaintiff to demonstrate harm, such as the Telephone Consumer Protection Act, 47 U.S.C. § 227 et seq. and Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq.

  • What Is The Likely Outcome?

To support his position that he does have standing to sue, Robins cited Warth v. Seldin, a 1975 Supreme Court decision which states: “The actual or threatened injury required by Art. III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.” Interestingly, the Ninth Circuit quoted the above portion of Warth in its opinion holding that Robins did have Article III standing, despite the fact that six sentences later, Warth states: “Of course, Art. III’s requirement remains: the plaintiff still must allege a distinct and palpable injury to himself….” Given that one of the opening lines in the Ninth Circuit’s opinion was “Robins’s allegations of injury were sparse”, the above-quoted portion of Warth – puzzlingly absent from the Ninth Circuit opinion – may not bode well for Robins’ chances before the Supreme Court.

Additionally, an important footnote on the final page of the Ninth Circuit opinion states: “Because we determine that Robins has standing by virtue of the alleged violations of his statutory rights, we do not decide whether harm to his employment prospects or related anxiety could be sufficient injuries in fact.” Given that Warth states a plaintiff must allege a “distinct and palpable injury to himself,” this case will most likely ultimately hinge on the Supreme Court’s 2013 defendant-friendly Clapper v. Amnesty International USA decision. In Clapper, a case that is virtually always cited by defendants in motions to dismiss data breach and privacy-related lawsuits, the Supreme Court held that mere concern or fear of future harm cannot manufacture standing. Under Clapper, Mr. Robins’ alleged future harm to his employment prospects and related anxiety – similar to plaintiffs’ fear that they could be harmed by a bad actor who may utilize their financial information post-data breach – will likely not suffice to confer standing.

Whether the Supreme Court decides the case along the lines of previous opinions like Warth and Clapper or decides to go a different direction, Spokeo will most certainly be one of the most closely watched cases in Silicon Valley.

EUROPE: Security and privacy must go hand in hand, not head-to-head, says European Privacy Supervisor

Posted in EU Data Protection

by Patrick Van Eecke & Julie De Bruyn

At a 29 April Cybersecurity and Privacy conference in Brussels, Keynote Speaker and recently appointed European Data Protection Supervisor (EDPS) Giovanni Buttarelli was given the opportunity to comment on his 5-year strategy, published last month.

Particular attention was paid to cybersecurity and the challenges it poses on a technical and policy level. While acknowledging the importance of cybersecurity for the sustainability of our digitally supported economy and society, Buttarelli stated that the privacy challenges cybersecurity entails are not to be minimized, and that its objective is not to be misused to justify measures weakening the protection of data protection rights.

Buttarelli explicitly addressed the tension between cybersecurity and data protection, stating that “The rights to privacy and data protection have long been perceived as conflicting with the objective of cybersecurity. I believe this is a misperception.” The EDPS believes that, instead, the momentum behind measures for ensuring a high level of cybersecurity should be used to ensure that such measures help improve the security of all the information processed, including personal data. Work on cybersecurity can play a fundamental role in contributing to the protection of individuals’ rights to privacy and data protection in online and networked environments.

He continued by warning that “cybersecurity must not become an excuse for disproportionate processing of personal data”. To find the right balance, data protection principles such as necessity and proportionality can be applied to help guide privacy-by-design and privacy-by-default for cybersecurity solutions.

Buttarelli also addressed the ongoing efforts to reform the EU data protection framework, noting that a key plank of the reform is data security. While under the current legal framework (i) the risk of the processing, (ii) the state of the art, and (iii) the cost of the measures are the three elements that determine the selection of adequate technical and organizational measures, he noted that the third element must not be overstated given the importance of appropriate data security: “A proper cost benefit analysis would demonstrate that data security benefits not only individuals whose personal information is processed, but also the professional reputation of the organization processing the data.”

Reference was made in this respect to the ruling of the ECJ last year regarding the invalidity of the Data Retention Directive, and the interpretation by some that the ruling advocated a stricter determination of the storage location of data. Buttarelli disagreed with such interpretation, noting that “Physical location is not the determining factor in security. Rather, it is the degree of control, accountability and responsibility which data controllers demonstrate when processing personal information. They must take full responsibility for all the measures they implement, regardless of the technology they use. As we put it in our opinion around the time of the judgment, ‘responsibility must not vanish in the clouds’.”

Sectors explicitly mentioned as expected to need to deal with cybersecurity more intensively were the banking and health sectors, and IT fields such as the Internet of Things, Bring Your Own Device and wearables, as attacks in these areas would have a significant impact on privacy and the protection of personal data.

The EDPS concluded on a positive note, mentioning that there is more awareness of security issues in the world and more investment in cybersecurity than ever before, as companies and organizations realize what is at stake.

For the EDPS’ 5-year strategy, please click here: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2015/15-04-28_Keynote_Cybsersecurity_EN.pdf

For the full keynote speech of the EDPS, please click here: https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Strategy2015

For more information, please contact Patrick.VanEecke@dlapiper.com or Julie.DeBruyn@dlapiper.com

New US sanctions program to combat cybercrimes – 3 action steps for tech companies

Posted in Cybersecurity, Privacy and Data Security, Technology and Commercial, US Federal Law

Written by Tara Swaminatha and Sydney White, et al.

The new sanctions in President Barack Obama’s Executive Order 13694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” target individuals and organizations overseas who engage in cyberattacks or commercial espionage outside the US that are likely to result in a threat to national security or financial stability of the US.

Specifically, EO 13694 expands the US government’s arsenal of authorities to reach cybercriminals and those that steal intellectual property, trade secrets and sensitive information by imposing blocking sanctions on them.


Internet of Things industry questioned by Italian privacy regulator

Posted in Internet of Things

The Internet of Things (IoT) is coming under increasingly intense review by regulators. After the report from the Italian telecom regulator (AgCom), the Italian privacy authority just launched a consultation seeking inputs from the industry on how to regulate the IoT.

Zero rating and Internet.org

Posted in Telecoms

I have written about the perverse effects of “strong” net neutrality already, but a recent story prompts me to add a few further thoughts.

Internet.org is a project led by Facebook to offer a completely free sub-set of the internet (including, presumably, Facebook itself) to people in emerging markets who might otherwise not be able to afford it.

Cloudy Days….Where Next for Outsourcing?

Posted in Cloud Computing, Strategic Sourcing, Technology and Commercial

Written by Kit Burden

In recent times, we have seen an increasing number of deals where the required services have been delivered from the cloud, i.e., from remotely hosted solutions, usually (albeit not always) offered on a “one to many” basis and on a subscription/usage based model. This is obviously a trend that has been building over the last few years in any event, but what is particularly interesting at this point is the way in which the size and sophistication of the cloud-based offerings has developed so as to encompass the kinds of services which might hitherto have been the subject of some form of outsourced service solution.

One can readily see why this might be the case. A driver for many outsourcing projects is the desire of the customer to “transform” its legacy IT infrastructure and to create additional flexibility….and this is clearly something which can be well facilitated by a shift to a cloud solution, where the need for the customer’s own infrastructure can be largely done away with. Even if the entirety of the outsourced solution cannot be shifted into the cloud, it is possible that elements of it at least can be.

So what then will the impact of this be upon the wider outsourcing market? Time will tell, but for the time being, there are at least two obvious consequences:

(1) Customer expectations on contract provisions are being challenged. Cloud service providers have – until recently at least – been able to promulgate some highly restrictive standard contract terms, relying in particular on the argument that their “one to many” service delivery model means that they cannot accept many of the traditional obligations and liabilities which a customer might expect. Customers who are therefore now looking to procure cloud based solutions for services which they might previously have outsourced can therefore get a nasty surprise when they see the contract provisions which are proposed to underpin the services. However, as the market matures (and in particular as competition grows and the size of the deals get larger), we see a more flexible approach developing from many if not all of the major cloud suppliers.

(2) There is increased pressure on those outsource service providers who have made the most of their offshore delivery capabilities so as to make use of the labour arbitrage that offshoring provides. This has however in no small part been dependent upon the end customer having its own infrastructure and set of applications which needed support, even if done remotely. Clearly, the more that customers embrace cloud solutions, the less of their own infrastructure and application stacks they will need….and the less demand in turn they will have for the “traditional” offshore outsource model.

Pandora’s Box is well and truly open in this regard.
