We use cookies to customise content for your subscription and for analytics.
If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.
Lexology Newsfeed
  • Blog
  • Events
  • Popular
  • Awards
  • About
  • Login
  • Register
  • Blog
  • Events
  • Popular
  • Awards
  • About
  • Login
  • Register
  • Newsfeed
  • Navigator
  • Hubs
  • Webinars
  • Learn
  • Store
  • Analytics
  • Insights
  • Track
  • Create
  • My Lexology
  • Newsfeed
  • Navigator
  • Hubs
  • Webinars
  • Learn
  • Store
  • Analytics
  • Insights
  • Track
  • Create
  • My Lexology
Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Register now for your free, tailored, daily legal newsfeed service.

Questions? Please contact customerservices@lexology.com

Register

HFN Technology & Regulation Client Update - June 2018

Herzog Fox & Neeman

To view this article you need a PDF viewer such as Adobe Reader. Download Adobe Acrobat Reader

If you can't read this PDF, you can view its text here. Go back to the PDF .

European Union, Israel, USA June 27 2018

 

 

HFN Technology & Regulation Client Update

 

 

June 2018

 

Dear Clients and Friends,

 

We are pleased to present our June edition of the Technology & Regulation Client Update,

which includes several notable regulatory and industry compliance developments in the fields

of data protection, digital advertising, content, security and app compliance.

 

These include the following: 

 Facebook Page Administrator Responsible for Data Processing;   

 The new European Data Protection Board Updated Guidelines on GDPR; 

 Apple's Revised Guidelines for App Store on Cryptocurrency and Contacts Data; 

 Google Blocks Inline Installation of Chrome Extensions; 

 The Israeli Prime Minister's Office Presentation of a New Cybersecurity Bill; and  

 The US Supreme Court's Ruling on Digital Privacy. 

 

 

Kind regards,

Ariel Yosefi, Partner

Co-Head - Technology & Regulation Department

Herzog Fox & Neeman

 

 

 

 

 

If you have an important regulatory or industry compliance update you would like to share with the industry, please let us know 

 

 

 

 

 

 

Facebook Page Administrator Responsible for Data Processing   

TOPICS: Data Protection, Facebook, Court Ruling, Court of Justice, General Data Protection Regulation,

European Union 

 

The EU Court of Justice (ECJ) ruled that the administrator of a Facebook page is jointly

responsible, together with Facebook, as joint data controllers. 

 

In this case, a German company was the administrator of its fan page on Facebook. As the

administrator, this company could obtain anonymous statistical data on visitors to its fan page

via the "Facebook Insights" function, which enables the storage of cookies on visitors’ hard

drives in order to collect data about them. 

 

The German Supervisory Authority ordered the administrator to deactivate the page due to

lack of transparency for the users. Although the company argued that it was not responsible,

the ECJ ruled that the page administrator was a data controller since it takes part in the

determination of the purposes and the means of processing of the visitors' personal data.

Accordingly, the ECJ found both Facebook and the page administrator responsible, as joint

data controllers.

 

The ECJ also noted that via Facebook Insights tool, administrators could ask for information

which helps them decide which offers they should make based on the users' information. The

fact that an administrator of a fan page uses Facebook's platform in order to benefit from

its services, cannot absolve it from any liability with respect to the protection of personal

data. 

 

Although this judgment was based on an analysis of the EU's Privacy Directive 95/46, which

has now been replaced with the General Data Protection Regulation ("GDPR"), the terms and

concepts in this area remain unchanged, and consequently, it adds important details with

regard to the roles of a data controller and data processor.

 

We would be happy to advise our clients and clarify the implications arising from this court

decision. 

 

 

 

 

 

European Data Protection Board Updated Guidelines on GDPR 

TOPICS: Data Protection, General Data Protection Regulation, ePrivacy Regulation, European Data

Protection Board, European Union 

 

With the GDPR having come into force, the European Data Protection Board (EDPB) replaced

Article 29 Data Protection Working Party ("WP29") (for more information concerning this

replacement, see our related update here) as the EU data protection advisory regulator.

 

The EDPB is an independent European body, whose purpose is to ensure the consistent

application of the GDPR and the EU Law Enforcement Directive, as well as promoting

cooperation between the EU's data protection authorities. The EDPB can adopt general

guidance in order to clarify the EU data protection laws, and unlike WP29, it is also

empowered to make binding decisions in order to ensure consistent compliance accordingly.

 

Immediately after the GDPR came into force, the EDPB came into effect and took the following

steps:

 

Endorsing WP29 position

 

The EDPB endorsed many of the previous positions of WP29 on the GDPR, such as:

 Guidelines on consent under the GDPR;

 Guidelines on transparency under the GDPR;

 Automated individual decision-making and profiling guidelines for the purpose of the

GDPR;

 Personal data breach notification guidelines under the GDPR; 

 The right to data portability guidelines under the GDPR; and

 Data protection impact assessment (DPIA) guidelines and determining whether

processing is "likely to result in a high risk" for the purposes of the GDPR.

 

Draft guidelines on certification and identifying certification criteria under the GDPR

 

The purpose of these draft guidelines is to explain the key concepts of the certification

provisions under the GDPR Articles 42 and 43, their scope and purpose and to explore the

rationale for certification as an accountability tool. 

 

Inter alia, the guidelines state that the term "certification" under Articles 42 and 43 of the

GDPR, shall refer to third party attestation which relates to processing operations by

controllers and processors, as well as providing a definition of the terms "certification

mechanisms, seals or marks", not defined by the GDPR. In addition, the guidelines explain

the obligations of a Supervisory Authority when acting as a certification body, and 

 

 

compliance aspects that shall be taken into account when drafting certification criteria,

which include the lawfulness of processing, the data subjects' rights and the obligation to

notify data breaches.

 

Adopting the final version of the guidelines on transferring personal data outside of the EEA

under the GDPR

 

These guidelines are aimed at providing guidance as to the application of Article 49 of the

GDPR with regard to derogations within the context of transfers of personal data to countries

outside of the European Economic Area (“EEA”), an international organisation (if an adequate

level of data protection is provided for in that country or by that international organisation),

if appropriate safeguards have been put in place and unclear data subjects' rights at the level

of protection, as guaranteed by the GDPR.

 

The guidelines, which were founded on the previous work carried out by the WP29, provide

clarification as to the following derogations:

 

 The data subject has explicitly consented to the proposed transfer, after having been

informed of the possible risks of such transfers due to the absence of an adequacy

decision and appropriate safeguards: The guidelines focus on the specific elements

required for such consent to be valid: consent must be explicit, specific for the particular

data transfer/set of transfers and the data subject must be properly informed,

particularly as to the possible risks of the transfer;

 

 Transfer necessary for the performance of a contract between the data subject and the

controller or for the implementation of pre-contractual measures taken at the data

subject’s request: The guidelines explain the criterion of “necessity” and of “occasional

transfers” which have to be taken into account. The guidelines state that this requires a

close and substantial connection between the transfer of data and the purposes of the

contract and that whether or not the transfer can be deemed as occasional, will have to

be determined on a case by case basis. In this regard, the guidelines set out some

examples;

 

 Transfer necessary for the conclusion or performance of a contract concluded in the

interest of the data subject between the controller and another natural or legal person:

Similar to the above derogation, the guidelines explain the terms "necessity" and

“occasional transfers” within the context of this derogation.

 

 

 

 Transfer is necessary for important reasons of public interest: The guidelines state that

this derogation only applies when it can be deduced from EU law or the law of the

member state to which the controller is subject;

 

 Transfer is necessary for the establishment, exercise or defence of legal claims: The

guidelines explain the range of activities that are covered by the term "establishment,

exercise or defence of legal claims" and the "necessity" requirement, adding that such

transfers should only be made if they are occasional;

 

 Transfer is necessary in order to protect the vital interests of the data subject or of

other persons, where the data subject is physically or legally incapable of giving

consent: The guidelines provide several examples to better explain this derogation. For

example, the guidelines state that it is possible to transfer personal data if the data

subject, whilst outside the EU, is unconscious and in need of urgent medical care, then

only an external party (known as a “exporter”) – normally the person’s usual doctor and

who is established in an EU Member State – would be authorised to supply the data;

 

 Transfer made from a public register: The guidelines state that the register must be open

to consultation by the public in general or by any person who can demonstrate a

legitimate interest. In addition, according to the guidelines, data controllers and data

processors who wish to transfer personal data under this derogation must be aware that

a transfer cannot include the detailed personal data or entire categories of the personal

data contained in the register, and that in each case, data exporters would have to

consider the interests and rights of the data subject; and

 

 Compelling legitimate interests: The guidelines explain that this derogation can be used

only if the derogations referred to above, cannot be applied. Furthermore, the guidelines

provide an explanation of the remaining requirements, such as applying additional

measures as safeguards, informing the data subject of the transfer and of the compelling

legitimate interests pursued and that only interests that can be recognised as

“compelling” are relevant to the scope of this derogation. 

 

Statement on the revision of the ePrivacy Regulation and its impact on the protection of

individuals with regard to the privacy and confidentiality of their communications

 

The statement supports the quick adoption of the proposed ePrivacy Regulation in light of

the increased usage of IP-based communications and the need to ensure end-users' 

confidentiality of communications. In the statement, the EDPB offers insights and 

clarifications on key issues, including preventing the processing of electronic

communications on the "legitimate interest" of the data controller or on the general 

 

 

purpose of the performance of a contract, and arguing that the use of anonymised electronic

communication data should be encouraged.

 

We would be happy to provide further advice and recommendations concerning the new

EDPB Guidelines and their implementation. 

 

 

Apple Revises Guidelines for App Store on Cryptocurrency and Contact Info 

TOPICS: Data Protection, Cryptocurrency, Initial Coin Offerings, App Industry Compliance, Apple 

 

Apple has recently released an updated version of its App Store Review Guidelines in which

two significant changes have been implemented:

 

Cryptocurrency mining 

 

The updated guidelines were revised to explicitly ban apps that mine cryptocurrency on

Apple's devices. 

 

By doing so, Apple joins Google, which updated its Chrome Web Store policy to include

prohibitions regarding extensions that mine cryptocurrency (see our related update here),

and Microsoft, which published that by July 2018, its Bing search engine will ban

cryptocurrency advertisements on its platform, as is the case with other internet giants (see

our additional related reports regarding similar policy changes by Facebook and Twitter).

 

The revision includes five rules:

 Apple will allow virtual-currency wallet apps, provided they are offered by developers

who are enrolled as an organisation;

 The only cryptocurrency-mining apps allowed are apps that mine outside the device

(such as cloud-based mining);

 Apps may help users make transactions or transmissions of cryptocurrency on an

approved exchange, as long as they are offered by the exchange itself;

 Apps facilitating Initial Coin Offerings ("ICOs"), cryptocurrency futures trading, and other

crypto-securities or quasi-securities trading need to be from established banks,

securities firms, futures commission merchants, or other approved financial

institutions and must be lawful; and

 Cryptocurrency apps may not offer users virtual coins for completing tasks, such as

downloading other apps, encouraging other users to download or posting to social

networks.

 

 

 

Phone contacts

 

In addition, the guidelines were revised to prevent app developers from obtaining data from

phone contacts. 

 

The change is aimed at ending the common practice by which developers have asked users

for access to their phone contact list, which contains phone numbers, email addresses and

profile photos. The developers used this information for marketing, and in some cases even

shared or sold the information without having obtained any permission to do so from these

persons. 

 

The changes in the guidelines explicitly state that developers cannot build a contact database

using information gathered from users' contacts or contact people using information

collected through accessing a user's contacts list.

 

We would be happy to advise on any questions that may arise from the new Apple's App

Store Guidelines changes. 

 

 

Google Blocks Inline Installation of Chrome Extensions   

TOPICS: Unwanted Extensions, App Industry Compliance, Google Chrome 

 

Google has recently announced that it will stop support for inline installations of Chrome

extensions from outside websites. This means that users will only be able to install extensions

from the Chrome Web Store. This step was taken by Google as part of an ongoing attempt to

ensure choice and transparency to its users.

 

Google stated that the descriptions displayed alongside extensions in the Chrome Web Store

are instrumental in helping people make informed decisions on whether or not they wish to

install an extension. Google found that when comparing extensions installed through inline

installation, users are less likely to uninstall or complain with regard to a confusing or

deceptive description if the installation came from the Chrome Web Store.

 

Google has begun to enforce the new rule by automatically blocking the inline installation

function for all extensions initially published on the 12

 

of September 2018, inline installation will be disabled for existing Chrome extensions, and

finally, in early December 2018, Google will have completely disabled the inline install API

method from Chrome 71. 

th

 of June 2018 or later. After the 12

th

 

 

 

The Israeli Prime Minister's Office Presented a New Cybersecurity Bill  

TOPICS: Cybersecurity, Israeli National Cyber Directorate, Israel 

 

The Israeli Ministry of Justice has published a memorandum of a proposed National

Cybersecurity Bill ("the Bill") for public comments, following which it will be presented to a

vote in the Israeli Parliament (the Knesset). 

 

The preamble to the Bill states that there is a significant increase in the frequency of cyber

threats the aim of which is to harm public safety, the economy and homeland security, and

accordingly, national involvement is needed. The Bill establishes the foundations for

cooperation between the Israeli Government and civil organisations in order to protect

cyber-space and will apply to government offices, critical infrastructures, and civilian entities.

The Bill emphasises the importance of the balance between protection of the public in the

cybersecurity sphere, and avoiding overloading the economy with a layer of bureaucracy. 

 

The Bill also establishes a framework for the roles and powers of the Israeli National Cyber

Directorate, defining it as a security organisation within the Prime Minister's Office, the

purposes of which are to protect the Israeli cyber-space and promote Israel as a world leader

in the cyber field. Inter alia, the National Cyber Directorate will manage and operate national

defense actions against cyber-attacks and promote international cooperation in the cyber

field. According to the Bill, the National Cyber Directorate will be authorised to instruct

organisations on how to act in cases of data breach or if there is a suspicion of hacking, and

that in any event, those organisations will be required to maintain the confidentiality of those

instructions.

 

The Bill also establishes a regulatory authority dedicated to the cybersecurity field, since the

State has a great responsibility in the prevention and preparation for cyber-attacks, as

explained in the preamble. Among its other responsibilities, the Bill states that this authority

will classify the organisations under its supervision according to the damage to which they are

exposed in cyber-attack scenarios, and instruct them to carry out certain actions in order to

minimise it.

 

The Bill has been widely criticised for two main reasons: first, this Bill gives the National Cyber

Directorate extended powers to search and seize private computers from private companies

and even from individuals' private houses without a court order, in order to foil or deal with a

cyberattack. Secondly, it enables the Government to collect private data from companies

that are responsible for critical portions of Israel’s digital and physical infrastructure, such

as internet providers. Critics claim that the Bill raises serious concerns as to the potential of

harm to the privacy of Israeli citizens, as well as to trade secrets of private organisations. 

 

 

 

US Supreme Court's Ruling on Digital Privacy 

TOPICS: Data Protection, US Supreme Court, United States 

 

A new Supreme Court ruling in Carpenter v. United States case imposes limits on police,

stating that police must generally obtain a warrant to seize cellphone tower location

records.

 

This case was dealing with the question of whether or not there was a reasonable expectation

of privacy when location records were held by third party, such as a phone carrier. The

Supreme Court ruled that obtaining this kind of private data without a warrant from wireless

carriers, as police usually do, would be considered as an unreasonable search and seizure

under the US Constitution's Fourth Amendment. The court noted that these records are

highly sensitive, in that they provide information as to where a person is located, every day,

every moment, and over several years.

 

Fourteen of the largest US tech companies, including Google, Apple, Facebook and

Microsoft were also involved in this case, as they filed a brief in support of neither party. In

this brief, they argued that the Fourth Amendment needs to be amended for the digital era.

Although the brief was not officially filed in support of either party, in practice, their opinion

was in favour of Carpenter's position, stating that the court should reconsider whether the

Government should easily be able to obtain access to that data.

 

 

 

 

 

Herzog Fox & Neeman - Ariel Yosefi
Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Filed under

  • European Union
  • Israel
  • USA
  • Internet & Social Media
  • IT & Data Protection
  • Litigation
  • Herzog Fox & Neeman

Tagged with

  • Information privacy
  • Facebook
  • Google
  • GDPR
  • Cryptocurrency
  • Article 29 Data Protection Working Party
  • Initial coin offering

Popular articles from this firm

  1. Delays in U.S. visa issuance – a tal order for the high-tech and scientific applicant *
  2. Case study: Sony, Zurich and the PlayStation data breach *
  3. Litigation: Enforcement of foreign judgments in Israel *
  4. The EU's Article 29 Working Party New Guidelines on GDPR *
  5. Keep your Finger on the Pulse: A New Court Ruling Regarding Fingerprints and Biometric Attendance Clocks *

If you would like to learn how Lexology can drive your content marketing strategy forward, please email enquiries@lexology.com.

Send to Create
Powered by Lexology

Related topic hubs

  1. Google
  2. Facebook
  3. European Union
  4. Israel
  5. Internet & Social Media
  6. IT & Data Protection

Related European Union articles

  1. HFN Technology & Regulation Client Update - October 2018 *
  2. HFN Technology & Regulation Client Update - November 2018 *
  3. New Watchdog, New Tricks: European Data Protection Board Adopts GDPR Guidelines and Releases Statement on ePrivacy Regulation *

Related international articles

  1. New User Data Policy for Google Chrome Web Store * - Israel
  2. HFN Technology & Regulation Client Update - July 2018 * - USA
  3. Australian organisations beware you could be caught by EU's new General Data Protection Regulation * - Australia

Lexology Navigator Q&A

Compare jurisdictions:Arbitration

  1. USA
  2. Greece
  3. Canada
  4. View more
Philip I. Weis
Director and Senior Counsel
Boehringer Ingelheim
What our clients say

 “The new ACC Newsstand is one of the best e-resources that I have encountered in 21 years of practicing Employment Law. The information is timely, helpful and easy to navigate. Thank you for offering it and please continue it indefinitely!!”

Back to Top
  • Terms of use
  • Cookies
  • Disclaimer
  • Privacy policy
  • GDPR Compliance
  • RSS feeds
  • Contact
  • Submissions
  • About
  • Login
  • Register
  • Follow on Twitter
  • Search
Globe Business Media Group

© Copyright 2006 - 2019 Globe Business Media Group