We are pleased to provide you with our Group’s newsletter for January, featuring leading Cyber, Privacy and Copyright regulation, case-law and related developments in the United States, Europe and Israel.
This edition features the following items:
- French Privacy Regulator Imposes 50 Million Euro Fine on Google for GDPR Violations
- Israel Amends Copyright Law with Additional Enforcement Measures
- EU Commission and Japan Mutually Recognize Each Other as Adequate for Cross-Border Data Transfers
- US Federal Court Says Gov’t Can’t Compel Suspects to Unlock Phones with Biometrics
- Illinois Supreme Court Finds Unconsented Processing of Biometric Data Actionable for Liquidated Damages
January 21, 2019
FRENCH PRIVACY REGULATOR IMPOSES 50 MILLION EURO FINE ON GOOGLE FOR GDPR VIOLATIONS
The first significant fine of the GDPR era was imposed by the French data protection authority (CNIL) on Google LLC, for the Internet giant’s alleged violations of the GDPR’s rules on user transparency and consent in Google’s Android operating system for smartphones.
The CNIL alleges that Google’s Android system does not provide sufficiently transparent notices to users about the processing activities that Google conducts, in regard to the purposes of processing, retention periods and the types of data used for targeted advertising purposes. CNIL found that information on these issues is provided in vague terms and is scattered across a number of locations and documents.
The CNIL also alleges that Google does not properly explain to its users the implications of consenting to the processing of personal data for targeted advertising purposes, and that user accounts are set to consent to such processing by default, rather than by having users explicitly opt in as the GDPR requires.
The CNIL justified the massive fine by the scope of Google’s non-compliance, in terms of the invasive form of processing for behavioral advertising purposes and the number of data subjects potentially impacted. It also noted Google’s “prominent place in the market for operating systems and the seriousness of the deficiencies” that the CNIL found in terms of the violation of the “fundamental guarantees enabling people to maintain control of their data”.
The decision also addresses CNIL’s jurisdiction over Google LLC, a Delaware company headquartered in Mountain View, California. The CNIL found that Google’s subsidiary in Ireland, which is under the jurisdiction of the Irish data protection authority, does not have sufficient decision-making power as to the data processing activities on Android. Therefore, Google Ireland cannot be considered the principal place of business for EU data protection matters on Android, which in turn enables the CNIL to exercise its jurisdiction over Google LLC on the basis of Google’s subsidiary in France.
Google is likely to file an appeal against the CNIL’s decision and the fine.
January 1, 2019
ISRAEL AMENDS ITS COPYRIGHT LAW WITH ADDITIONAL ENFORCEMENT MEASURES
The Knesset (the Israeli legislature), in one of its last legislative moves before the upcoming general elections in Israel, has approved a major amendment to Israel's Copyright Law of 2007. The amendment is aimed at enhancing the rights of copyright holders, given the difficulties they face in enforcing their rights against infringements committed on or through the internet, especially with regard to online piracy.
Rights owners can now initiate court proceedings for the removal of copyright infringing content on the internet, if it is hosted in Israel. Israeli Courts can now also order Israeli internet access providers (IAPs) to block and restrict access to copyright-infringing websites. The amendment lays down the procedure and factors the Court must weigh when issuing such orders, including the necessity of the order, the severity of the alleged infringement, the privacy of internet users and whether an order will affect other online sources.
The amendment also introduces John Doe subpoenas, which, for the first time in Israeli statutory law, enable copyright holders to seek a District Court order compelling disclosure of the identity of anonymous infringers.
The amendment extends the prohibitions on vicarious (indirect) infringements. It provides that commercially facilitating online access to or use of existing infringing content shall be actionable both civilly and criminally, if the person doing so knew or had reason to know that the content posted online (to which they have facilitated access) infringes copyrights. The amendment also regulates the use of "orphan works", where the copyright owner is unknown, and provides some reliefs for non-commercial infringements.
January 23, 2019
EU COMMISSION AND JAPAN MUTUALLY RECOGNIZE EACH OTHER AS ADEQUATE FOR CROSS-BORDER DATA TRANSFERS
The European Commission and Japan have mutually recognized each other’s data protection laws as providing an adequate level of data protection. This mutual adequacy decision allows personal data to flow freely between EU countries and Japan, in accordance with European data protection law, which generally restricts the transfer of personal data to destinations outside of the EU. The adequacy decision is also the first such decision adopted by the European Commission under the new and stricter rules of the GDPR.
With this decision, Japan joins 12 other countries, including Canada, New Zealand, the United States (with regard to the Privacy Shield) and Israel, that have been recognized over the years as adequate by the European Commission. However, this is the first time the EU and a third country have agreed on a mutual recognition of the adequate level of data protection.
Before the Commission adopted its adequacy decision, Japan had established additional safeguards to guarantee that data transferred from the EU enjoys protection up to par with European standards, including:
- Special Japanese rules on the protection of sensitive data, the exercise of rights by data subjects and the conditions under which EU data can be transferred from Japan onward to another country.
- Japanese government assurances regarding safeguards concerning the access to personal data by Japanese public authorities for criminal law enforcement and national security purposes, designed to ensure that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities.
The first Japan and EU joint review of the functioning of the adopted framework will take place in two years.
January 10, 2019
US FEDERAL COURT SAYS GOV’T CAN’T COMPEL SUSPECTS TO UNLOCK PHONES WITH BIOMETRICS
A federal District Court in California has decided that police cannot force individuals to unlock their smartphones by using their biometric features. The decision was delivered in the court’s denial of a request for a search warrant, as part of an investigation of an alleged blackmail scheme carried out through the use of Facebook. The court was asked to order those present at a given residential property to unlock their phones by face recognition, fingerprint or iris scan.
Although the court found sufficient probable cause to issue a warrant to search the property, it determined that the police do not have the right to open the smartphones held in the property by forcing those present to use their biometric identification features. The court noted that forcing suspects to incriminate themselves by unlocking their devices constitutes a violation of their Fifth Amendment rights. The court relied on Supreme Court decisions holding that the Fifth Amendment privilege against self-incrimination bars compelling a suspect to provide testimonial evidence. The court’s decision takes those Supreme Court holdings a step further by determining that, just as a person cannot be compelled to disclose a smartphone passcode because it is testimonial in nature, a person cannot be compelled to provide their finger for the same purpose of unlocking the smartphone.
The Court also explained that despite the obvious investigative interest of the authorities in gaining access to the phones’ content, there are other ways to gain such information that “do not trample on the Fifth Amendment”. The court suggested obtaining a warrant for the communications made in the course of the suspected blackmail from Facebook.
January 25, 2019
ILLINOIS SUPREME COURT FINDS UNCONSENTED PROCESSING OF BIOMETRIC DATA ACTIONABLE FOR LIQUIDATED DAMAGES
In a landmark decision, the Supreme Court of Illinois unanimously held that unlawful collection and processing of biometric data, in violation of the Illinois Biometric Information Privacy Act of 2008 (BIPA), is actionable per se for liquidated damages of up to 5,000 dollars and can be asserted in a class action suit.
Illinois is one of only three states in the US to enact a biometric information privacy law and is the only one with a private right of action. The Illinois court’s decision was delivered in a dispute between a teenager and his mom, who filed a class action suit against the amusement park operator Six Flags for allegedly collecting and processing the son’s fingerprints without complying with the notice and consent requirements of BIPA.
One of Six Flags’ defense arguments was that even if they had violated BIPA’s notice and consent requirements, the teenager was not aggrieved by any actual and concrete injury beyond the mere statutory violation, thus barring the plaintiff’s demand for damages. The Supreme Court of Illinois rejected the defense, finding that when a company fails to comply with BIPA’s requirements, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. This is no mere ‘technicality.’ The injury is real and significant.”
The Illinois Supreme Court also found that its interpretation of BIPA is consistent with the legislature’s intent to give the only enforcement mechanism in BIPA substantial force. It explained that “when private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.”