We are pleased to provide you with our Group’s newsletter for November, featuring leading Cyber, Privacy and Copyright regulation, case-law and related developments in the United States, Europe and Israel. This edition features the following items:
- Draft Guidelines on the Extra-Territorial Scope of the GDPR
- US Securities Commission Requires ICO Companies to Register Tokens as Securities
- French Privacy Regulator Warns about Improper Mobile Notice and Consent Mechanisms
- Names and Email Addresses Constitute a Database Subject to Israeli Data Protection Law
- UK Privacy Regulator Issues Guidelines on Passwords and Encryption under GDPR
November 23, 2018
DRAFT GUIDELINES ON THE EXTRA-TERRITORIAL SCOPE OF THE GDPR
The European Data Protection Board (EDPB) – the panel of EU privacy regulators – has published long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR). The draft guidelines explain that, according to Article 3 of the GDPR, the regulation applies where one of two criteria is met – the “establishment” criterion or the “targeting” criterion.
Under the “establishment” criterion, the GDPR applies when an organization exercises real and effective activities through stable arrangements within the European Union, such as an EU branch, subsidiary or even just an agent. Merely having a website that is accessible to an EU audience does not amount to an ‘establishment’ in the EU. If the processing of personal data is done in the context of the activities of the EU establishment, the ‘establishment’ criterion is met and the GDPR applies to the organization.
Under the “targeting” criterion, the GDPR applies to non-EU organizations that process personal data either in relation to the offering of goods or services (regardless of payment) to individuals who are in the EU at the time of the offering, or in relation to the monitoring of the behavior of individuals who are in the EU at the time of monitoring. Under the “offering of goods or services” prong, the GDPR will apply where the organization has a clear intention to offer goods or services to individuals in the EU. The guidelines list a number of factors that may indicate such intention, including marketing campaigns directed at an EU audience, the use of a website with a top-level domain attributable to an EU country (such as .DE), and the use of a language or currency of an EU country.
Under the “monitoring” prong, the GDPR will apply when the organization has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU, such as online tracking, behavioral advertising, and CCTV.
The draft guidelines are open for public comments until January 18, 2019.
CLICK HERE to read the draft guidelines.
November 16, 2018
US SECURITIES COMMISSION REQUIRES ICO COMPANIES TO REGISTER TOKENS AS SECURITIES
The United States Securities and Exchange Commission (SEC) has settled charges against two companies for not registering their Initial Coin Offerings (ICO) of digital tokens as securities pursuant to the federal securities laws.
These settlements are part of the first enforcement proceedings brought by the SEC that impose civil penalties on companies solely for ICO securities registration violations. Previous cases involving penalties also involved fraud charges. These two new cases demonstrate the SEC’s position in relation to all ICOs. They emphasize the obligation of ICO companies to register tokens as securities pursuant to the federal securities laws and to comply with existing statutes and rules governing the registration of securities. The co-director of the SEC’s enforcement division stated that the SEC is vigilant against violations of the federal securities laws with respect to digital assets.
The settlements require the companies to return funds to harmed investors, register their tokens as securities, file periodic reports with the SEC and pay a fine of a quarter of a million dollars each.
CLICK HERE to read the SEC’s press release.
November 9, 2018
FRENCH PRIVACY REGULATOR WARNS ABOUT IMPROPER MOBILE NOTICE AND CONSENT MECHANISMS
The French data protection authority (Commission Nationale de l'informatique et des Libertés – CNIL) published a warning it issued to the French AdTech company Vectaury, which collects and processes geolocation data for targeted advertising purposes through an SDK integrated into third-party mobile applications.
Vectaury had based its processing of the data for targeted advertising purposes on the users’ informed consent. According to the CNIL, for a privacy notice to support the informed consent required under EU data protection law, it must directly inform users of the identity of the companies responsible for processing their data. Vectaury’s user interface was found to be lacking on this point, because to learn the identity of these companies users would have to open a preferences menu and then scroll down to a further link.
Additionally, all granular data processing purposes in Vectaury’s privacy notice were pre-accepted by default. Users therefore had to act in order to opt out, by unchecking, one after the other, the pre-ticked boxes corresponding to the different data processing purposes. The CNIL found this opt-out practice to be in violation of the requirement to obtain affirmative, opt-in and granular user consent for each data processing purpose.
The CNIL chose not to impose a penalty on Vectaury at this time, gave it a three-month grace period for corrective action and made the warning public.
CLICK HERE to read the CNIL’s warning against Vectaury (in French).
November 28, 2018
NAMES AND EMAIL ADDRESSES CONSTITUTE A DATABASE SUBJECT TO ISRAELI DATA PROTECTION LAW
The Privacy Protection Authority (PPA) – Israel's regulatory and enforcement authority for personal data – has published a public statement laying out the PPA’s interpretation of the Israeli Privacy Protection Law regarding email addresses.
The statement discusses whether a list containing merely names and email addresses is considered a "Database" under the Israeli Privacy Protection Law. The PPA's position is that in the present digital era an email address may be indicative of various personal information and cannot be considered merely a means of communication. The statement argues that a lot can be learned about a person just from their email address, such as their occupation, marital status, age and more. In addition, email addresses are commonly used as credentials to log in to many digital services.
Section 7 of the Privacy Protection Law excludes from the definition of ‘database’ "a collection that includes only names, addresses and means of communicating… ". The PPA's statement explains that a list containing only names and email addresses will nevertheless be considered a ‘database’ and as a result will be subject to the obligations a database owner must comply with, such as data security obligations and registration of the database with the PPA in certain cases.
CLICK HERE to read the Israeli Privacy Protection Authority’s statement (in Hebrew).
UK PRIVACY REGULATOR ISSUES GUIDELINES ON PASSWORDS AND ENCRYPTION UNDER GDPR
The UK Information Commissioner’s Office (ICO) – the UK privacy regulator – issued new information security guidelines on encryption methods and passwords, within its guide to the General Data Protection Regulation (GDPR).
The GDPR does not specify which security measures organizations are required to implement in order to comply with the obligation to process personal data securely. The ICO’s guidance on password security recommends implementing an organizational password policy that includes the following:
- Password storage. Do not store passwords in plaintext; use a suitable hashing algorithm.
- Password entry. Protect login pages with HTTPS; prevent users from pasting passwords into the password field.
- Password requirements. Minimum password length should be no less than 10 characters; allow the use of special characters, but don’t mandate it; do not set restrictions on how users should create a password; check passwords against a ‘password blacklist’ of the most commonly used passwords, passwords leaked in website breaches and common words or phrases that relate to the service; remind users that they should not reuse passwords from other websites or services.
- Password defense. Rate-limit the number and frequency of incorrect login attempts.
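The storage, requirements and defense items above translate directly into code. The following is an added example written for this newsletter, not code from the ICO or from any of the organizations mentioned: it hashes passwords with scrypt (one suitable algorithm; the guidance does not prescribe a specific one, so this is an assumed choice), enforces the 10-character minimum together with a blacklist and service-related-word check while imposing no composition rules, and rate-limits failed logins per account. The blacklist, the account names and the service word "examplecorp" are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional

MIN_PASSWORD_LENGTH = 10  # the floor of 10 characters recommended in the guidance
SCRYPT_LOG2_N = 14        # scrypt cost parameter; assumed value, tune per deployment

# Constructed, deliberately tiny blacklist standing in for the large list of
# commonly used and breached passwords a real deployment would load.
PASSWORD_BLACKLIST = {"password123", "qwertyuiop", "letmein2018"}


def check_password_policy(password: str, service_words=("examplecorp",)) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted).

    Only what the guidance asks for is enforced: minimum length, blacklist and
    service-related words. No character-composition rules are imposed.
    """
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    lowered = password.lower()
    if lowered in PASSWORD_BLACKLIST:
        problems.append("blacklisted")
    if any(word in lowered for word in service_words):
        problems.append("contains a service-related word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with scrypt and a random per-user salt; parameters travel with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** SCRYPT_LOG2_N, r=8, p=1, dklen=32)
    return f"scrypt${SCRYPT_LOG2_N}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, log2_n, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record never verifies
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** int(log2_n), r=8, p=1, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


class LoginRateLimiter:
    """Sliding-window limit on failed login attempts per account."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so the window can be tested without sleeping
        self._failures: Dict[str, List[float]] = {}

    def _recent(self, account: str) -> List[float]:
        cutoff = self.clock() - self.window
        recent = [t for t in self._failures.get(account, []) if t > cutoff]
        self._failures[account] = recent
        return recent

    def allow(self, account: str) -> bool:
        return len(self._recent(account)) < self.max_attempts

    def record_failure(self, account: str) -> None:
        self._recent(account).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


# Hash of a random string, so that unknown usernames cost the same scrypt work as
# known ones (otherwise response timing would reveal which accounts exist).
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def attempt_login(users: Dict[str, str], limiter: LoginRateLimiter,
                  username: str, password: str) -> str:
    """Return 'ok', 'bad_credentials' or 'rate_limited'."""
    if not limiter.allow(username):
        return "rate_limited"
    if verify_password(users.get(username, _DUMMY_HASH), password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "bad_credentials"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed account
    limiter = LoginRateLimiter(max_attempts=3, window_seconds=60)
    print(check_password_policy("short"))                         # ['too short']
    print(attempt_login(users, limiter, "alice", "wrong pw"))      # bad_credentials
    print(attempt_login(users, limiter, "alice", "correct horse battery staple"))  # ok
```

The stored record carries the algorithm name and cost parameter, so the cost can be raised later for new hashes while old records still verify; the rate limiter is keyed per account, which is the form of limiting the guidance describes, and the dummy hash keeps the failure path equally slow whether or not the username exists.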
With respect to encryption, the ICO recommends using it when storing and transmitting personal data. The ICO explains that the damage and distress caused by data breaches could be reduced or even avoided if personal data is encrypted.
Organizations should have a policy in place governing the use of encryption, including appropriate staff education. When implementing encryption, the ICO urges organizations to consider the right algorithm, the right key size, the right software and the safekeeping of the key.