Blog

The Right to be Forgotten Tsunami: What Effect for US Companies

Francoise Gilbert

The so-called Right to Be Forgotten or right of erasure (RTBF) has been the subject of much debate and attention since the publication of the Court of Justice of the European Union (CJEU) opinion in May 2014, in the Costeja v. Google case. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him that is “inaccurate, inadequate, irrelevant, or excessive,” even if the information is truthful.

Since the publication of the CJEU opinion, search engines have been flooded by delisting requests. According to the Google Transparency Report, as of the end of February 2015, Google has received over 220,000 delisting requests, and has evaluated over 800,000 URLs.

The topic has also garnered the attention of the Article 29 Working Party (A29), which published Guidelines, in late November 2014, to explain the position of the EU Data Protection Authorities. Among other things, the Guidelines provide that delisting requests, when accepted, must be implemented on all domains operated, worldwide, by the entity receiving the delisting request, and not just only on its EU domains.

Interest in RTBF has also expanded outside the European Economic Area (EEA). Cases similar to the Costeja case have been brought in Asia and the Americas. It is clear that a strong current is building. The CJEU Costeja ruling and its aftermath are significant for businesses around the world in many respects. The genie is out of the bottle, and may be sneaking into, and disrupting many businesses.

(more…)

Read More

Right to be Forgotten – Casting a Wider Net

Francoise Gilbert

The Article 29 Working Party (WP29) has published, in its document WP 225, Guidelines on the Implementation of the Court of Justice of the European Union (CJEU) Judgment on Google Spain and Inc. v. Agencia Espanola de Proteccion des Datos (AEPD) and Mario Costeja GonzalezC-131/12 (Guidelines) to provide its interpretation of the CJEU’s ruling, and identify the criteria that will be used by the EU/EEA Member States Data Protection Authorities when addressing complaints from individuals following a denial of de-listing requests.

(more…)

Read More

People-tracking and Swiss Data Protection Law

Dr. Ursula Widmer

People-tracking and Swiss Data Protection Law

People-tracking systems are being used increasingly, e.g. for optimizing flows of traffic and people or for analysis of customer behavior. Since these systems can also be used for processing sensitive data and personal profiles, the Swiss Federal Data Protection and Information Commissioner (FDPIC) considers that caution is called for and that closer scrutiny of the data protection conditions is necessary. The FDPIC has published comments on people-tracking, which are available its website.

(more…)

Read More

Yelp to pay $450,000 penalty for COPPA violation

Francoise Gilbert

Yelp to pay $450,000 penalty for COPPA violation

The Federal Trade Commission has announced a proposed settlement with Yelp, Inc. for COPPA violations. The FTC alleged that, for five years, Yelp illegally collected and used the personal information of children under 13 who registered on its mobile app service. According to the FTC complaint, Yelp collected personal information from children through the Yelp app without first notifying parents and obtaining their consent. The Yelp app registration process required individuals to provide their date of birth. Several thousand registrants provided a date of birth showing they were under 13 years old. Even though it had knowledge that these registrants were children, Yelp did not follow the requirements of the COPPA Rule and collected their personal information without proper notice to, and consent from, their parents. Information collected included name, e-mail address, geolocation, and any other any information that these children posted on Yelp. In addition, the complaint alleges that Yelp did not adequately test its app to ensure that users under 13 were prohibited from registering. Under the terms of the proposed settlement agreement, among other things, Yelp must:

  • pay a $450,000 civil penalty;
  • delete information it collected from individuals who stated they were 13 or younger at the time they registered for the service; and
  • submit a compliance report to the FTC in one year outlining its COPPA compliance program.

In a separate action, FTC alleged that TinyCo also improperly collected Children information in violation of COPPA. Under the settlement agreement between TinyCo and the FTC, TinyCo will pay a $300,000 civil penalty.

Read More

The Brazilian Law on the Rights of Internet Users

Esther Nunes and Paulo Bonomo

The Brazilian Law on the Rights of Internet Users – Law No. 12,965, of April 23, 2014 (“Law No. 12,965/2014”)

After a time-consuming legislative process that lead to several discussions and postponements in recent years, Law No. 12,965/2014, known as the Brazilian “Marco Civil da Internet, was published on April 24, 2014. The law will take in effect within sixty (60) days from such date.

The objective of the Marco Civil da Internet is to establish the principles, guarantees, rights and obligations for the use of the Internet. In order to assure its enforceability, Law No. 12,965/2014 establishes several concrete requirements that will have to be observed by different Internet players.

Fundamental Rights of Internet Users

The Marco Civil da Internet creates a very extensive list of fundamental rights of Internet users. The law specifically identifies these rights whereas previously they were found to derive from the Brazil Federal Constitution concerning the fundamental right to privacy, as well as the Civil and Consumer Protection Codes.

(more…)

Read More

Internet Marketing and Crowdsourcing: What are the Limits?

Eric Barbry

Internet Marketing and Crowdsourcing: What are the Limits?

The Internet marketing industry is exploring various strategies to try to influence the behaviors of Internet users as how they behave has now become integral to the operation of a growing number of services offered by search engines (e.g. Google Suggest) and more generally social networks.

Crowdsourcing is one of the avenues used to achieve their goals: via crowdsourcing platforms, companies can pay Internet users to complete a variety of microtasks ranging from performing image recognition to translating content, clicking on “like” or posting comments.

One can easily imagine how crowdsourcing platforms can be misused to produce fake comments or harm someone’s online reputation. In France, this type of behavior constitutes unfair trade practices and is actionable under Article L 120-1 of the French Consumer Code.

If a website experienced an unexplained drop in traffic or begins to be associated with negative search suggestions or comments, it is worth taking a closer look at these platforms. In France, to record evidence and build a case, companies should have the litigious practices recorded by a competent member of the legal profession (in France a huissier will draft their findings in a report called constat).

Link: Article L 120-1 of the French Consumer Code (in French)

Read More

Civilian Drones and Privacy Protection

Alain Bensoussan

Civilian Drones and Privacy Protection

Drones, also known as UAVs (Unmanned Aerial Vehicles) have long been confined to the military sector. But today their civilian use is growing exponentially in many areas. E-commerce giant Amazon’s recent announcement of the launch of a 30-minute package delivery service via small drones (Micro Aerial Vehicles) in the US within the next five years demonstrates the benefits of drones and showcases how enormous their potential can be.

In April 2012, France adopted regulations governing the use of drones. These regulations are implemented through the French Directorate General of Civil Aviation (DGAC).

In addition, drones equipped with a camera or a video camera must take account of the French Data Protection Act, which governs the processing of personal data and privacy rights.

CNIL, the French data protection authority, has especially been looking into UAVs that integrate different kinds of sensor as they can be powerful tools to observe, store and analyze personal data. In December 2013 it devoted a special issue of its newsletter to the topic “Drones, Innovations, Privacy and Individual Freedoms”, in which it examined the possible new forms of surveillance of individual behaviors and movements, and hence — more generally— their impact on privacy.

This gives food for thought not only about the civilian use of UAVs, but also on the broader issue of roboethics. The CNIL’s analysis could lead to future recommendations in this area.

Link: Cnil 6th Newsletter on Innovation & Foresight (in French)

Read More

SCC Strikes Down Alberta Privacy Legislation on Speech Grounds

Barry Sookman, Daniel Glover, Roland Hung and Keith Rose

SCC Strikes Down Alberta Privacy Legislation on Speech Grounds

This morning, the Supreme Court of Canada released Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, an important decision relating to the intersection of freedom of expression and protection of privacy and, in the process, struck down Alberta’s Personal Information Protection Act, SA 2003, c. P-6.5 ( “PIPA”). At issue were the privacy rights created by the PIPA and the right to free expression, which is constitutionally enshrined as section 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”).

The case arose from a strike in 2006, at the Palace Casino in Edmonton.  Both the union and the employer videotaped the picket line, which was located in a shopping mall.  The evidence on record suggests that recording picket lines was standard practice in Alberta at the time.  The union posted notices at the site that recordings of people crossing the picket line might be posted to a web site.

Certain individuals, including officers of the employer, employees, and other members of the public, filed complaints with Alberta’s Information and Privacy Commissioner, under PIPA.  The record indicates that the complainants were recorded crossing the picket line, but that no such recordings of any of the complainants were ever posted on the web site.

The Adjudicator concluded that the union did not have the right to collect and use the recordings.  The union applied for judicial review and the chambers judge struck down certain portions of PIPA.  [United Food and Commercial Workers, Local 401 v Alberta (Information and Privacy Commissioner), 2011 ABQB 415.]  The Alberta Court of Appeal upheld the conclusion that portions of the Act were unconstitutional.  [United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130.]

(more…)

Read More

Amended Draft EU Regulation Approved by LIBE Committee on October 21

Francoise Gilbert

A revised draft of the proposed EU Data Protection Regulation was approved by the EU Committee on Civil Liberties, Justice, and Home Affairs on October 21, 2013.

Overall, the amendments strengthen privacy rights of EU residents. The most significant amendment is probably that which sets the maximum fine in case of a violation of the new law. The original draft regulation had set the maximum fine at 1,000,000 Euros or 2% of a company’s worldwide income and had adopted a tiered approach. After this recent set of amendments, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.

 

(more…)

Read More

Manitoba Joins the Ranks of Other Provinces in Enacting its own Private Sector Privacy Legislation

Daniel Glover, Roland Hung and Shannel Rajan

Manitoba Joins the Ranks of Other Provinces in Enacting its own Private Sector Privacy Legislation

The Government of Manitoba recently enacted the Personal Information Protection and Identity Theft Prevention Act (PIPITPA) to regulate the collection, use and disclosure of personal information by the private sector in Manitoba.[1] The statute has not come into force, but this enactment is momentous, as it will enable Manitoba to join the ranks of Alberta, British Columbia and Quebec, which all have their own private sector privacy legislation that is “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).[2] Manitoba is also the first province to move in this direction with an all‑encompassing private sector law since 2004.

Overview

This significant moment in privacy law in Canada cannot escape a historic parallel. Despite its title, the PIPITPA is almost identical to the 2009 version of Alberta’s Personal Information Protection Act (2009 Alberta PIPA), with word-for-word similarities in many places.[3] Similar to the 2009 Alberta PIPA, the PIPITPA is organized by divisions of purpose, protection, access and care, regulation, as well as general provisions. The key differences are that the Alberta legislation takes a different approach on breach notification and on the role of the Privacy Commissioner. Accordingly, many of the experiences under the Alberta Personal Information Protection Act (Alberta PIPA)[4] will help guide organizations in Manitoba as to their risks and obligations. Likewise, the case law in Alberta should guide Manitoba courts whenever privacy litigation arises.[5]

This article will focus on how these two statutes compare and provide commentary on what organizations can do to prepare for the coming into force of the PIPITPA.

(more…)

Read More