Blog

United States–Mexico–Canada Agreement: Digital Trade Provisions NAFTA 2.0 meets the Internet

The United States–Mexico–Canada Agreement (USMCA) enters into effect on July 1, 2020. Nicknamed “NAFTA 2.0” because it replaces the North American Free Trade Agreement (NAFTA), the USMCA addresses a number of issues that had not been tackled by its predecessor, conceived and negotiated almost 30 years ago, at the dawn of the commercial Internet. In its Chapter 19 – Digital Trade, the USMCA focuses on the trading of digital products, such as computer programs, image, text, video, sound recording or other products that are digitally encoded and can be transmitted electronically. Several Articles focus on cybersecurity, privacy, data localization, and cross-border data transfers, which should be of interest to cloud providers and cloud users. Other areas of interest include protection against unsolicited commercial communication, source code protection, prohibition against the application of customs duties, and internet platform liability for third party content.


New Data Protection Law Enacted in Dubai Emirate

Dubai has enacted a new data protection law that replaces the current privacy law, law N. 1 of 2007. The new 50-page law, which modernizes the current data protection law, will come into effect on July 1, 2020, at which time the pre-existing law and all related regulations will be repealed.

The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DIFC Law No. 5 of 2020) was enacted on June 1, 2020 by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in his capacity as the Ruler of Dubai. Like its predecessor, the geographic scope of the law is limited to the Dubai International Financial Centre (DIFC) rather than the entire territory of the Dubai emirate.

The new law introduces concepts of accountability and enhances individuals’ control over their personal data. It also provides for fines for data breaches. According to its Article 5, the purpose of the law is to provide standards and controls for the processing and free movement of personal data, and to protect the fundamental rights of the data subjects. Interestingly, Article 5 also specifies that the purpose of the law is to protect the fundamental rights of data subjects “including how such rights apply to the protection of personal data in emerging technologies.”

Overview

DIFC Law No. 5 of 2020 takes into account principles found in other well-known data protection laws, such as the EU General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA). According to the official press release, the modernization of the data protection legal landscape of the DIFC signals its ambition to apply for adequacy recognition by the European Commission and other jurisdictions, which would ease global data transfers for DIFC-based businesses.


Proposed Principles for Artificial Intelligence Published by the White House

A draft memorandum outlining a proposed Guidance on Regulation of Artificial Intelligence Application (“Memorandum”) for agencies to follow when regulating and taking non-regulatory actions affecting artificial intelligence was published by the White House on January 7, 2020. The proposed document addresses the objective identified in Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence (“Executive Order 13859”), published by the White House in February 2019.

The Memorandum sets out policy considerations that should guide oversight of artificial intelligence (AI) applications developed and deployed outside the Federal government. It is intended to inform the development of regulatory and non-regulatory approaches regarding technologies and industrial sectors that are empowered or enabled by artificial intelligence, and to consider ways to reduce barriers to the development and adoption of AI technologies.


Failure to Meet Data Retention and Data Minimization Obligations in Germany Results in a EUR 14.5 Million Fine

Francoise Gilbert

The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond its actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view of their then-current needs. And they may neglect to purge their databases and securely dispose of this data.


Legal barriers for drones

Dr. Ursula Widmer

The use of drones for various purposes, such as image recording, surveys, scientific studies, surveillance or transport, is spreading rapidly. However, certain legal barriers must be observed for reasons of security, and protection of privacy and personality rights. The Federal Office for Civil Aviation (FOCA) recently adopted stricter regulations for the use of drones and model aircraft in order to take better account of the security risks.


Are cookies currently regulated in South Africa?

Olivia Smith & John Giles

What is the cookie law in South Africa? Many people ask because the law relating to cookies is such a big issue in many other countries. Do you need to get a user’s (aka data subject’s) consent before using cookies? Are there any specific regulations?

What are cookies and why are they used?

Cookies are text files transferred from your browser to your computer’s hard drive. They store information about your activity on a browser. Companies worldwide use cookies to monitor customer behavior and to improve interactivity with a website.

You will notice that when you search for a specific product, ads relating to that product appear on other sites you visit. When you log into a website that uses cookies and later re-visit it, the cookies allow the website to ‘remember’ you.

Cookies make your life as a website user much easier because you do not have to log in every time you visit the same page. Your online experiences will be personalized to your preferences.


The Right to be Forgotten Tsunami: What Effect for US Companies

Francoise Gilbert

The so-called Right to Be Forgotten or right of erasure (RTBF) has been the subject of much debate and attention since the publication of the Court of Justice of the European Union (CJEU) opinion in May 2014, in the Costeja v. Google case. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him that is “inaccurate, inadequate, irrelevant, or excessive,” even if the information is truthful.

Since the publication of the CJEU opinion, search engines have been flooded by delisting requests. According to the Google Transparency Report, as of the end of February 2015, Google has received over 220,000 delisting requests, and has evaluated over 800,000 URLs.

The topic has also garnered the attention of the Article 29 Working Party (A29), which published Guidelines, in late November 2014, to explain the position of the EU Data Protection Authorities. Among other things, the Guidelines provide that delisting requests, when accepted, must be implemented on all domains operated, worldwide, by the entity receiving the delisting request, and not just on its EU domains.

Interest in RTBF has also expanded outside the European Economic Area (EEA). Cases similar to the Costeja case have been brought in Asia and the Americas. It is clear that a strong current is building. The CJEU Costeja ruling and its aftermath are significant for businesses around the world in many respects. The genie is out of the bottle, and may be sneaking into, and disrupting, many businesses.


Right to be Forgotten – Casting a Wider Net

Francoise Gilbert

The Article 29 Working Party (WP29) has published, in its document WP 225, Guidelines on the Implementation of the Court of Justice of the European Union (CJEU) Judgment on Google Spain and Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, C-131/12 (Guidelines) to provide its interpretation of the CJEU’s ruling, and identify the criteria that will be used by the EU/EEA Member States Data Protection Authorities when addressing complaints from individuals following a denial of de-listing requests.


People-tracking and Swiss Data Protection Law

Dr. Ursula Widmer

People-tracking systems are being used increasingly, e.g. for optimizing flows of traffic and people or for analysis of customer behavior. Since these systems can also be used for processing sensitive data and personal profiles, the Swiss Federal Data Protection and Information Commissioner (FDPIC) considers that caution is called for and that closer scrutiny of the data protection conditions is necessary. The FDPIC has published comments on people-tracking, which are available on its website.


Yelp to pay $450,000 penalty for COPPA violation

Francoise Gilbert

The Federal Trade Commission has announced a proposed settlement with Yelp, Inc. for COPPA violations. The FTC alleged that, for five years, Yelp illegally collected and used the personal information of children under 13 who registered on its mobile app service. According to the FTC complaint, Yelp collected personal information from children through the Yelp app without first notifying parents and obtaining their consent. The Yelp app registration process required individuals to provide their date of birth. Several thousand registrants provided a date of birth showing they were under 13 years old. Even though it had knowledge that these registrants were children, Yelp did not follow the requirements of the COPPA Rule and collected their personal information without proper notice to, and consent from, their parents. Information collected included name, e-mail address, geolocation, and any other information that these children posted on Yelp. In addition, the complaint alleges that Yelp did not adequately test its app to ensure that users under 13 were prohibited from registering. Under the terms of the proposed settlement agreement, among other things, Yelp must:

  • pay a $450,000 civil penalty;
  • delete information it collected from individuals who stated they were 13 or younger at the time they registered for the service; and
  • submit a compliance report to the FTC in one year outlining its COPPA compliance program.

In a separate action, the FTC alleged that TinyCo also improperly collected children’s information in violation of COPPA. Under the settlement agreement between TinyCo and the FTC, TinyCo will pay a $300,000 civil penalty.
