jfgilbert

Yelp to pay $450,000 penalty for COPPA violation

Francoise Gilbert

The Federal Trade Commission has announced a proposed settlement with Yelp, Inc. for COPPA violations. The FTC alleged that, for five years, Yelp illegally collected and used the personal information of children under 13 who registered on its mobile app service. According to the FTC complaint, Yelp collected personal information from children through the Yelp app without first notifying parents and obtaining their consent. The Yelp app registration process required individuals to provide their date of birth. Several thousand registrants provided a date of birth showing they were under 13 years old. Even though it had knowledge that these registrants were children, Yelp did not follow the requirements of the COPPA Rule and collected their personal information without proper notice to, and consent from, their parents. Information collected included name, e-mail address, geolocation, and any other information that these children posted on Yelp. In addition, the complaint alleges that Yelp did not adequately test its app to ensure that users under 13 were prohibited from registering. Under the terms of the proposed settlement agreement, among other things, Yelp must:

  • pay a $450,000 civil penalty;
  • delete information it collected from individuals who stated they were 13 or younger at the time they registered for the service; and
  • submit a compliance report to the FTC in one year outlining its COPPA compliance program.

In a separate action, the FTC alleged that TinyCo also improperly collected children's information in violation of COPPA. Under the settlement agreement between TinyCo and the FTC, TinyCo will pay a $300,000 civil penalty.

The Brazilian Law on the Rights of Internet Users

Esther Nunes and Paulo Bonomo

The Brazilian Law on the Rights of Internet Users – Law No. 12,965, of April 23, 2014 (“Law No. 12,965/2014”)

After a time-consuming legislative process that led to several discussions and postponements in recent years, Law No. 12,965/2014, known as the Brazilian “Marco Civil da Internet”, was published on April 24, 2014. The law will take effect within sixty (60) days from such date.

The objective of the Marco Civil da Internet is to establish the principles, guarantees, rights and obligations for the use of the Internet. In order to assure its enforceability, Law No. 12,965/2014 establishes several concrete requirements that will have to be observed by different Internet players.

Fundamental Rights of Internet Users

The Marco Civil da Internet creates a very extensive list of fundamental rights of Internet users. The law specifically identifies these rights whereas previously they were found to derive from the Brazil Federal Constitution concerning the fundamental right to privacy, as well as the Civil and Consumer Protection Codes.

Internet Marketing and Crowdsourcing: What are the Limits?

Eric Barbry

The Internet marketing industry is exploring various strategies to try to influence the behavior of Internet users, since that behavior has now become integral to the operation of a growing number of services offered by search engines (e.g. Google Suggest) and, more generally, social networks.

Crowdsourcing is one of the avenues used to achieve their goals: via crowdsourcing platforms, companies can pay Internet users to complete a variety of microtasks ranging from performing image recognition to translating content, clicking on “like” or posting comments.

One can easily imagine how crowdsourcing platforms can be misused to produce fake comments or harm someone’s online reputation. In France, this type of behavior constitutes unfair trade practices and is actionable under Article L 120-1 of the French Consumer Code.

If a website experiences an unexplained drop in traffic or begins to be associated with negative search suggestions or comments, it is worth taking a closer look at these platforms. In France, to record evidence and build a case, companies should have the litigious practices recorded by a competent member of the legal profession (in France a huissier will draft their findings in a report called constat).

Link: Article L 120-1 of the French Consumer Code (in French)

Civilian Drones and Privacy Protection

Alain Bensoussan

Drones, also known as UAVs (Unmanned Aerial Vehicles), have long been confined to the military sector. But today their civilian use is growing exponentially in many areas. E-commerce giant Amazon’s recent announcement of the launch of a 30-minute package delivery service via small drones (Micro Aerial Vehicles) in the US within the next five years demonstrates the benefits of drones and showcases how enormous their potential can be.

In April 2012, France adopted regulations governing the use of drones. These regulations are implemented through the French Directorate General of Civil Aviation (DGAC).

In addition, drones equipped with a camera or a video camera must take account of the French Data Protection Act, which governs the processing of personal data and privacy rights.

CNIL, the French data protection authority, has especially been looking into UAVs that integrate different kinds of sensors, as they can be powerful tools to observe, store and analyze personal data. In December 2013 it devoted a special issue of its newsletter to the topic “Drones, Innovations, Privacy and Individual Freedoms”, in which it examined the possible new forms of surveillance of individual behaviors and movements, and hence, more generally, their impact on privacy.

This gives food for thought not only about the civilian use of UAVs, but also on the broader issue of roboethics. The CNIL’s analysis could lead to future recommendations in this area.

Link: Cnil 6th Newsletter on Innovation & Foresight (in French)

SCC Strikes Down Alberta Privacy Legislation on Speech Grounds

Barry Sookman, Daniel Glover, Roland Hung and Keith Rose

This morning, the Supreme Court of Canada released Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, an important decision relating to the intersection of freedom of expression and protection of privacy and, in the process, struck down Alberta’s Personal Information Protection Act, SA 2003, c. P-6.5 (“PIPA”). At issue were the privacy rights created by the PIPA and the right to free expression, which is constitutionally enshrined as section 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”).

The case arose from a strike in 2006, at the Palace Casino in Edmonton.  Both the union and the employer videotaped the picket line, which was located in a shopping mall.  The evidence on record suggests that recording picket lines was standard practice in Alberta at the time.  The union posted notices at the site that recordings of people crossing the picket line might be posted to a web site.

Certain individuals, including officers of the employer, employees, and other members of the public, filed complaints with Alberta’s Information and Privacy Commissioner, under PIPA.  The record indicates that the complainants were recorded crossing the picket line, but that no such recordings of any of the complainants were ever posted on the web site.

The Adjudicator concluded that the union did not have the right to collect and use the recordings.  The union applied for judicial review and the chambers judge struck down certain portions of PIPA.  [United Food and Commercial Workers, Local 401 v Alberta (Information and Privacy Commissioner), 2011 ABQB 415.]  The Alberta Court of Appeal upheld the conclusion that portions of the Act were unconstitutional.  [United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130.]

Amended Draft EU Regulation Approved by LIBE Committee on October 21

Francoise Gilbert

A revised draft of the proposed EU Data Protection Regulation was approved by the EU Committee on Civil Liberties, Justice, and Home Affairs on October 21, 2013.

Overall, the amendments strengthen privacy rights of EU residents. The most significant amendment is probably that which sets the maximum fine in case of a violation of the new law. The original draft regulation had set the maximum fine at 1,000,000 Euros or 2% of a company’s worldwide income and had adopted a tiered approach. After this recent set of amendments, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.

 

Manitoba Joins the Ranks of Other Provinces in Enacting its own Private Sector Privacy Legislation

Daniel Glover, Roland Hung and Shannel Rajan

The Government of Manitoba recently enacted the Personal Information Protection and Identity Theft Prevention Act (PIPITPA) to regulate the collection, use and disclosure of personal information by the private sector in Manitoba.[1] The statute has not come into force, but this enactment is momentous, as it will enable Manitoba to join the ranks of Alberta, British Columbia and Quebec, which all have their own private sector privacy legislation that is “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).[2] Manitoba is also the first province to move in this direction with an all‑encompassing private sector law since 2004.

Overview

This significant moment in privacy law in Canada cannot escape a historic parallel. Despite its title, the PIPITPA is almost identical to the 2009 version of Alberta’s Personal Information Protection Act (2009 Alberta PIPA), with word-for-word similarities in many places.[3] Similar to the 2009 Alberta PIPA, the PIPITPA is organized by divisions of purpose, protection, access and care, regulation, as well as general provisions. The key differences are that the Alberta legislation takes a different approach on breach notification and on the role of the Privacy Commissioner. Accordingly, many of the experiences under the Alberta Personal Information Protection Act (Alberta PIPA)[4] will help guide organizations in Manitoba as to their risks and obligations. Likewise, the case law in Alberta should guide Manitoba courts whenever privacy litigation arises.[5]

This article will focus on how these two statutes compare and provide commentary on what organizations can do to prepare for the coming into force of the PIPITPA.

US and Foreign Laws Regulating Government Access to Data

Francoise Gilbert

Cloud service providers and users are becoming aware that data or communications held in the cloud may be subject to requests for access by third parties such as a government conducting an investigation, or a party involved in a lawsuit. Requests for access by law enforcement, intelligence and secret services are governed by very complex rules, and predictably, these rules differ from country to country.

A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, in a discussion of the laws that regulate government access to cloud data.

Hot Issues in Data Privacy and Security

Francoise Gilbert

Data privacy and security issues, laws and regulations are published, modified and superseded at a rapid pace around the world. The past ten years, in particular, have seen a significant uptick in the number of laws and regulations that address data privacy or security on all continents. On March 1, 2013, a program held at Santa Clara University’s Markkula Center for Applied Ethics, titled “Hot Issues in Global Privacy and Security”, featured attorneys practicing on all continents who provided an update on the privacy, security and data protection laws in their countries.

The second half of the program featured a panel moderated by Francoise Gilbert, where the chief privacy counsel or chief privacy official of McAfee, Symantec and VMWare talked about how to drive a global privacy and security program in multinational organizations.

Videos of the program are available by clicking here.

The program was the second part of a two-day series of events. The first program was held in San Francisco on February 28, 2013, and was sponsored by Box, Inc. and the Cloud Security Alliance. This program focused on Government Access to Cloud Data and started with an overview of the laws that regulate US government access to data, presented by Francoise Gilbert. A panel featuring European and North American attorneys followed; they discussed the equivalent laws in effect in their respective countries. The program concluded with a presentation by the general counsel of Box, Inc., who spoke about the way in which his company responds to government requests for access to data stored by his company.

Videos of this program are available by clicking here.

Use of Spyware at the Workplace Ruled Inadmissible

Ursula Widmer

In a recent judgment the Swiss Federal Supreme Court ruled that it is inadmissible for an employer to use spyware to monitor employees. Evidence obtained in this way may not be used.

The case concerned the commander of a regional civil defense organization in the canton of Ticino. He was suspected of making extensive use of the Internet for private purposes during working hours. The employer therefore secretly monitored the use of the man’s workplace computer for three months using spyware. On the basis of the usage data thus obtained, it was possible to ascertain that the employee was spending a significant proportion of his working time on private matters. This led to his summary dismissal.

This action by the employer was deemed by the Federal Court to be inadmissible and the summary dismissal to be unjustified. The court considered that the employer breached employee protection laws by using spyware. These prohibit the use of surveillance and control systems designed to monitor the behavior of employees at the workplace.

Surveillance systems may be used for other purposes, but must be configured so that they interfere as little as possible with employees. For example, if room surveillance is necessary for security reasons, the field of view must be set so that, where possible, employees, e.g., working at a checkout or counter, are not recorded.

The employer’s action also contravened the requirement for proportionality. Even though it is acknowledged that the employer has a legitimate interest in monitoring work output and preventing the misuse of working time for private activities, the court considers that this can be achieved by less radical means than spyware. One possible method is to block access to certain websites. It is also permissible to log Internet use and to analyze these records with reference to individuals if there are specific reasons to suspect misuse. The Federal Data Protection and Information Commissioner has issued guidelines for this purpose, to which reference was made by the court.
