We are pleased to provide you with our Group’s newsletter for December, featuring leading Cyber, Privacy and Copyright regulation, case-law and related developments in the United States, Europe and Israel. This edition features the following items:
- United Kingdom Makes Data Protection Plans for ‘No Deal’ Brexit
- New York Attorney General Imposes Unprecedented Fine for COPPA Violations
- EU Commission Sets Deadline for the U.S. to Cure Privacy Shield Deficiencies
- Israeli Privacy Authority Publishes Draft Guidelines on the Use of Drones and Smart City Guidance
- Second Circuit Prohibits a Company’s Marketplace for Resale of Digital Music
- Law.co.il is on Telegram!
We also take this opportunity to wish everyone a terrific new year in 2019!
December 13, 2018
UNITED KINGDOM MAKES DATA PROTECTION PLANS FOR ‘NO DEAL’ BREXIT
The Government of the United Kingdom has published guidance discussing the impact on UK data protection law if the UK leaves the EU without a deal on Brexit Day – March 29, 2019. At the outset, the EU’s GDPR will cease to apply in the UK on Brexit Day. Therefore, the UK plans that its EU (Withdrawal) Act of 2018 will include provisions that retain the GDPR in UK law.
In order to allow for seamless transfers of personal data from the UK to Europe, the UK will recognize the EU member states, Norway, Liechtenstein, Iceland and Gibraltar as ‘adequate’. By contrast, allowing personal data from the EU to flow to the UK requires a formal EU-driven procedure, which the UK cannot control.
In order to preserve the other permissible data flows into the UK as they currently exist under the GDPR, the UK will also recognize the same territories that the EU Commission has recognized as adequate for data flows: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the Privacy Shield certified organizations in the U.S. The UK will similarly recognize the EU’s Standard Contractual Clauses as well as Binding Corporate Rules that have already been approved prior to Brexit Day, so that UK organizations that transfer personal data on the basis of these EU-recognized mechanisms can continue to rely on them.
Finally, the UK’s version of the GDPR will require that non-UK organizations that are subject to the UK GDPR appoint a local UK representative, similar to the EU’s GDPR requirement for non-EU organizations to appoint an EU representative.
CLICK HERE to read the UK Government’s Guidance on the data protection implications of a ‘No Deal’ Brexit.
December 4, 2018
NEW YORK ATTORNEY GENERAL IMPOSES UNPRECEDENTED FINE FOR COPPA VIOLATIONS
The Attorney General (AG) for the State of New York imposed the largest-ever penalty for violations of the U.S. federal Children’s Online Privacy Protection Act (COPPA) – 4.95 million dollars – in a settlement reached with Oath, Inc., the successor of AOL.
The AG alleged that AOL knowingly provided online advertising services to a website directed to children under the age of 13, which services involved the collection of personally identifying information from those underaged children using cookies. The information collected was also shared onward with other companies in the online advertising chain.
The AG found evidence that AOL intentionally ignored notices it received from a dozen websites that informed AOL that they were subject to COPPA and its restrictions. AOL allegedly continued to collect and process personal information from children visiting those websites, despite the notifications.
The AG also found that AOL itself had reviewed hundreds of websites and concluded that they were directed to children, yet continued to collect and process information from children visiting those websites.
The settlement also required Oath to destroy the personal information of children in its possession, establish, maintain and implement a rigorous COPPA compliance program and designate an officer to oversee the program.
December 19, 2018
EU COMMISSION SETS DEADLINE FOR THE U.S. TO CURE PRIVACY SHIELD DEFICIENCY
The EU Commission published its second annual review of the EU-US Privacy Shield program, which is designed to allow personal data flows from the EU to organizations in the U.S. that are certified under the Privacy Shield program.
The review found that the U.S. Department of Commerce, which administers the Privacy Shield program, has further strengthened the Privacy Shield certification process and introduced new oversight procedures, such as random spot-checks for certified organizations. The report also found that the U.S. Federal Trade Commission (FTC), which is primarily responsible for regulatory enforcement of the Privacy Shield program, has been taking a more proactive approach to compliance monitoring.
On the basis of the annual review, the EU Commission concluded that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield, but that there are a number of gaps that the EU Commission will closely monitor.
The highest priority gap that the EU Commission has highlighted in the report is the appointment of a permanent U.S. Privacy Shield Ombudsperson, who is tasked with investigating complaints by EU data subjects on alleged privacy violations by U.S. law enforcement, security and intelligence agencies. One such complaint from a Croatian data subject is pending and the Commission’s report states that it expects the U.S. government to identify a nominee to permanently fill the Ombudsperson position by February 28, 2019. The report threatens that if the U.S. does not comply, “the Commission will then consider taking appropriate measures”, although it did not explain what those measures might entail.
CLICK HERE to read the EU Commission’s Report.
ISRAELI PRIVACY AUTHORITY PUBLISHES DRAFT GUIDELINES ON THE USE OF DRONES AND SMART CITY GUIDANCE
The Privacy Protection Authority (PPA) – Israel's regulatory and enforcement authority for personal data – has published draft guidelines on the use of drones and guidance for municipalities on privacy aspects of smart cities.
The draft guidelines, which do not apply to drones that collect information "for personal use that is not for business purposes", establish the following principles:
- Preconditions for the use of drones. Use of drones should be made based on an informed decision, following examination of the need for and possible alternatives to the use of drones.
- Proportionality. Drones must be operated in a proportionate manner that minimizes the scope of personal information collected, in accordance with the specific purpose for its use.
- Transparency. The public must be informed of the use of drones. This may be done, for example, by informing individuals in geographically covered areas of the use of drones by means of online advertising.
- Information security. The data security obligations set out in the Privacy Protection (Data Security) Regulations apply to the collection and processing of information through drones.
The PPA also issued guidance for local authorities on protection of privacy in smart cities. The guidance clarifies the obligations of local authorities in this context, including the following principles:
- Purpose of processing. Local authorities must process residents’ information only for the purpose for which the information was collected.
- Notification. Local authorities must inform residents, prior to collecting their information, whether they have a legal duty to provide the information, the purpose for which the information was collected, to whom the information will be provided and for what purpose.
- Right to access. Local authorities are obligated to allow residents to review the information collected about them and rectify such information if it is not up-to-date or inaccurate.
- Confidentiality. Local authorities and their employees must maintain the confidentiality of the information disclosed in the course of their work.
- Information Security. Local authorities have an obligation to protect their databases and to comply with the Privacy Protection (Data Security) Regulations.
The guidelines focus on the use of surveillance and security cameras in smart cities. Local authorities are required to, among other things, explicitly define the purpose for placing surveillance cameras, ensure that the surveillance cameras’ footage is used solely for the purpose for which it was collected and inform the public about the placement of the surveillance cameras. The guidelines also prohibit transferring the surveillance cameras’ footage to third parties and the continued retention of such footage when it is no longer needed.
CLICK HERE to read the Israeli Protection of Privacy Authority’s Draft Guidelines on Drones (in Hebrew)
CLICK HERE to read the Israeli Protection of Privacy Authority’s Smart Cities Guidance (in Hebrew)
December 12, 2018
SECOND CIRCUIT PROHIBITS A COMPANY’S MARKETPLACE FOR RESALE OF DIGITAL MUSIC
The United States Federal Court of Appeals for the Second Circuit affirmed a prior ruling by the district court, holding that ReDigi, an online platform for the resale of lawfully purchased digital music files, infringes copyrighted music.
ReDigi sought to create a technology and marketplace for resale of music files. A ReDigi user seeking to resell music would use the ReDigi technology to transfer the music files to ReDigi’s server. The technology was designed so that once the file is transferred to ReDigi’s server, the copy on the user’s device is deleted. However, ReDigi’s technology allows the new purchaser of the music files to store the purchased file on ReDigi’s server and also subsequently receive and store a copy on the new purchaser’s device.
The Second Circuit found that ReDigi’s technology involved a reproduction of music files. Since such reproduction of copies is not authorized by the copyright owners, ReDigi’s technology was found to be infringing. The Court also dismissed ReDigi’s argument that the copies made are permissible under the fair use doctrine, because it lacks any ‘transformative’ objective that is different in meaning, context or character from the original music file, and because it directly competes with the copyright owners in their primary market.
The Court’s decision noted, as an aside, that a legally viable secondary market can be imagined for “those who cost‐effectively place 50 or 100 (or more) songs on an inexpensive device such as a thumb drive and sell it”, and that “other technology may exist or be developed that could lawfully effectuate a digital first sale”.
CLICK HERE to read the Second Circuit’s Decision in Capitol Records LLC v. ReDigi, Inc.
December 18, 2018
ISRAELI REGULATORS LAUNCH AN INTER-REGULATORY PANEL ON VIRTUAL ASSETS
The Bank of Israel announced the establishment of an inter-regulatory panel for the purpose of strengthening the cooperation on the regulation of cryptocurrencies and virtual assets. The panel includes representatives from the Capital Market Authority, the Securities Authority, the Ministry of Finance, the National Economic Council, the Tax Authority, the Ministry of Justice, the Money Laundering and Terrorism Financing Prohibition Authority, the National Cyber Directorate and the Bank of Israel. The panel will examine issues relating to the application of regulation on uses of technology relating to virtual assets and their implications on economic activity, financial markets and financial stability.
The panel is seeking public comments on what issues ought to be considered when developing a regulatory framework for virtual assets. Among other issues, the panel intends to examine the following: the main barriers Israeli stakeholders face when they use virtual assets - in general, and in investments and fundraising activities; the risks inherent to the use of virtual assets; the opportunities for the financial sector with this technology; and how technology can help address challenges in the prevention of money laundering and terrorism financing.
CLICK HERE to read the Bank of Israel press release (in Hebrew)
Law.co.il is on Telegram