We are pleased to provide you with our Group’s January newsletter, featuring leading cyber, privacy and copyright regulation, case-law and related developments in Israel and Europe. In this edition of our newsletter you’ll find the following items:
- The EU is Re-evaluating the Recognition of Israel’s Adequacy for Cross-Border Data Transfers
- U.S. Court Holds Web Scraping of Publicly Accessible Content Does Not Violate Computer Laws
- The UK Privacy Regulator Imposes an Unprecedented Fine for Inadequate Data Security
- Israel Tax Authority Clarifies Taxation Rules for ICOs (Initial Coin Offerings)
- European Court Says Consumers Can Sue Facebook in any EU Country, But Not by Class Action
- Israeli Government Promotes Far-Reaching Enforcement Powers to the Privacy Regulator
January 30, 2018
The EU is Re-evaluating the Recognition of Israel’s Adequacy for Cross-Border Data Transfers
The European Union is reexamining its 2011 adequacy finding of Israel, which had cleared the path for cross-border transfers of personal data from the EU to Israel, the Head of the Israeli Privacy Protection Authority, Adv. Alon Bachar, revealed at a conference held by Pearl Cohen’s Internet, Cyber and Copyright Group on “Europe and Israel: The Data Protection Revolution is Here”. The conference explored the new Israeli data security regulations, the forthcoming GDPR and privacy and data protection related developments in case law and regulatory enforcement.
Bachar indicated that all countries that have been recognized in the past in an EU adequacy decision are undergoing a similar reexamination process, yet Israel is one of the first countries to be reexamined. The head of Israel’s privacy watchdog noted that “we are doing all we can to ensure that this status, which has had very significant economic implications, is preserved.”
Speaking at the event, Adv. Haim Ravia, Senior Partner and head of Pearl Cohen’s Internet, Cyber and Copyright Group, warned that new data security threats materialize in manners that traditional data protection laws, including the new Israeli Regulations, did not foresee. According to Adv. Ravia, “modern threats to data security originate from robust sources such as super-powers and state actors. Israel is threatened by Iran, China and Russia as well as state-sponsored terrorist organizations like Hezbollah and Hamas. These threats are directed not only against the privacy of individuals but against national security, economic interests and in some cases civil liberties.” Ravia expressed concern that the objective of safeguarding data protection for national security interests will ultimately serve the state to encroach on privacy, as was done with the Israeli Biometric Database Law and the Telecom Data Law.
January 8, 2018
U.S. Court Holds Web Scraping of Publicly Accessible Content Does Not Violate Computer Laws
This landmark holding may have important implications for one of the unsettled questions of computer law in the United States: whether taking data from a website by automated means violates the U.S. federal Computer Fraud and Abuse Act (CFAA). Although the Ninth Circuit did not address the applicability of its holding to the CFAA (as opposed to state computer abuse laws), its reasoning may be equally applicable to the CFAA. Pending before the Ninth Circuit is another computer scraping dispute with CFAA applicability, hiQ Labs v. LinkedIn, which may be the Ninth Circuit’s next opportunity to extend its present holding to the CFAA.
January 8, 2018
The UK Privacy Regulator Imposes an Unprecedented Fine for Inadequate Data Security
The United Kingdom’s Information Commissioner’s Office (ICO), the UK privacy regulator, has imposed an unprecedented fine of £400,000 against the British telecommunications retailer Carphone Warehouse. The action was taken in the aftermath of a cyber-attack that compromised personal data of more than three million Carphone Warehouse consumers and 1,000 employees. The ICO found that Carphone Warehouse violated the UK Data Protection Act’s requirement to implement appropriate technical and organizational measures to prevent unauthorized and unlawful access to personal data.
The ICO determined that the cyber-attack was made possible due to security vulnerabilities and inadequacies in Carphone Warehouse's systems that were not addressed, even though the company could have known of the significant risk to its customers’ personal data. According to the ICO, the company violated the DPA in various ways such as:
- At the time of the attack, Carphone Warehouse had no Web Application Firewall (WAF) for monitoring and filtering traffic to and from its web application.
- Carphone Warehouse did not enforce password policies that would prevent the use of the same administrator password by employees.
- Carphone Warehouse retained large amounts of unnecessary personal data.
- Carphone Warehouse’s encryption keys were stored in plaintext in the source code, a deficient practice in terms of data security.
January 16, 2018
Israel Tax Authority Clarifies Taxation Rules for ICOs (Initial Coin Offerings)
The Israel Tax Authority has published a draft circular on taxation applicable to companies that raise money through ICOs (Initial Coin Offerings) and to those who hold ICO tokens. The circular is intended to apply only to the issuance of Utility Tokens, namely tokens issued by a central entity that represent an obligation of the issuing entity to provide the token holder with a service or a product under development.
According to the draft circular, the consideration received from the issuance will be considered taxable income of the issuing company. The sale of tokens by their holders in the secondary market will be considered taxable capital income or, if the seller's activity is considered a business, taxable business revenue. In addition, the issuance of tokens to employees will be considered taxable income for the employees according to the value of the token.
January 25, 2018
European Court Says Consumers Can Sue Facebook in any EU Country, But Not by Class Action
The Court of Justice of the European Union (CJEU) has held that Facebook users in Europe may file consumer lawsuits against the social network in their home countries rather than in Facebook’s headquarters in Ireland, but may do so only in their individual capacity and not by class action suits. The decision was delivered in the continuing legal battle between the Austrian digital activist Maximilian Schrems and Facebook. Schrems sued Facebook in a local court in Austria alleging that the social network violated data protection laws. In an attempt to circumvent the absence of a class action instrument in Austria, Schrems added thousands of other Facebook users from Austria and other EU states as additional plaintiffs to the suit.
Facebook asserted that Schrems cannot utilize consumer protection laws to file suit in his local venue in Austria because he was active on Facebook in a professional capacity as a digital activist rather than in an individual capacity as a consumer. The CJEU rejected Facebook’s contention and held that Schrems did not lose his capacity as a consumer even where he incidentally uses his Facebook account to promote himself as an expert speaker, author and digital activist. However, the CJEU held that a consumer lawsuit asserted in the consumer’s local jurisdiction cannot be used as a vehicle to join additional aggrieved consumers, whether or not they are domiciled in the same jurisdiction or elsewhere in the EU.
The CJEU’s decision: Case C‑498/16 Maximilian Schrems v. Facebook Ireland Limited.
January 23, 2018
Israeli Government Promotes Far-Reaching Enforcement Powers to the Privacy Regulator
The Israeli Ministerial Committee for Legislation has approved advancing a 2011 bill that introduces comprehensive amendments to the Protection of Privacy Law, giving far-reaching enforcement powers to the Israeli privacy regulator. The bill will now head to the Knesset, the Israeli legislature, for first reading.
According to the bill’s version from 2011, the Israeli privacy regulator will be granted much broader and more rigorous powers of supervision, power to investigate when suspicion of criminal conduct arises, and the authority to impose higher monetary sanctions of up to 6.4 million NIS (approximately 1.8 million dollars). The 2011 bill also sought to indirectly expand the definition of “Information” to which data protection rules apply so that it would include genetic, biometric and location data not currently captured by the definition of “Information” in the Protection of Privacy Law.
The bill: Protection of Privacy Bill (Amendment No. 12) (Enforcement Powers), 5772-2011 (in Hebrew).