International

E-Commerce Businesses Beware: The Freedom to Contract does not Trump Reasonable Privacy Expectations

The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce businesses’ ability to expand the scope of their data processing by unilaterally defining the services covered by the contract.

On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot widen the legal basis for their data processing operations simply by defining their services more broadly. The contractual-necessity legal basis does not cover processing operations that individuals would not reasonably expect when entering into the contract. Businesses should therefore carefully review the legal basis for each of their processing operations and be prepared to limit certain processing should individuals object.

No Consent, No Cookie! CJEU Issues Far-Reaching Decision on Cookie Consent

In its long-awaited judgment, the European Court of Justice (CJEU) ruled on the data protection requirements for obtaining consent when using cookies. The court held that “passive” acceptance of cookies, whether through pre-checked boxes or by posting a banner and assuming consent from continued browsing of the website, is not an acceptable form of consent. According to the CJEU, “consent” requires active behavior in the form of interaction with the banner, or some other affirmative action indicating consent. The court held that website operators must obtain this level of consent before placing any cookies for which storing or accessing information on the user’s device requires consent. The court’s decision removes all legal ambiguities on the level of consent required for cookies, and website operators are wise to review their use of cookies as a result.

This alert will analyze the CJEU’s decision, provide a summary of the current regulators’ views and give practical guidance on what website operators should do.

New law decreases the number of companies required to designate a Data Protection Officer in Germany

On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”). Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by raising the threshold for designating a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they permanently employ at least 10 employees who deal with the automated processing of personal data, the new legislation raises the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes, their impact and what companies should do.


Google to Pay $57 Million for GDPR Violations


On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms.

Guidance on Direct Marketing Issued by the German Data Protection Supervisory Authorities

In November, the German Data Protection Conference (the committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally sheds some light on the murky area of marketing under the GDPR.

The CLOUD Act, Explained

The Clarifying Lawful Overseas Use of Data (“CLOUD”) Act was enacted into law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries – a key question in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27.[1] Both the government and Microsoft recently agreed that the closely watched case is now moot following the CLOUD Act.

European Court Restricts Employer Access to Employee’s Private Communications

(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)

With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.

Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law.

Orrick Launches Automated GDPR Readiness Tool for Companies

Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new and complex data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization.

10 German Data Privacy Supervisory Authorities Investigating Potential Unlawful International Data Transfers


According to a press release of the Data Protection Supervisory Authority in the Land Mecklenburg Vorpommern of November 3, German supervisory authorities have randomly selected 500 companies in Germany and sent them requests for information on their international data transfers. The German supervisory authorities are undertaking this coordinated action in order to increase awareness among companies of the need to ensure data privacy compliance of international data transfers.


A New Chapter in Cybersecurity? Is There a Role for Active Deterrence?


In the 1969 film Butch Cassidy and the Sundance Kid, after Butch and Sundance rob Union Pacific Railroad (“Union Pacific”) the first time, Union Pacific employs a stronger safe. After Butch and Sundance rob Union Pacific a second time, Union Pacific forgoes the safe and hires a posse of unrelenting gunmen, hell bent on capturing and/or killing the duo. The posse ultimately forces Butch and Sundance to flee to Bolivia, where they resume their bank-robbing antics. Ultimately, it takes the Bolivian army to stop them. In their case, albeit fictional, the active deterrent (the posse) was more effective at protecting Union Pacific’s money than the passive deterrent (the safe), in part because Butch and Sundance were highly motivated actors.
