Tag: European Union

Fleeing Ukrainians to Get More Help From United States

The United States has joined many European countries that are opening their doors and offering humanitarian assistance to fleeing Ukrainians.

Ireland, Great Britain and Canada have all started private sponsorship programs for Ukrainians. That assistance is not necessarily a one-way street. Easing the way for incoming Ukrainians may help those nations deal with their own labor shortages.

Ukraine is known for its skilled workforce, including tech engineers, and some companies in Europe are specifically targeting jobs for Ukrainians, offering everything from language training to child care to attract the refugees. Even temporary employment agencies are involved and new companies are being founded for the purpose of matching Ukrainians to jobs across Europe – jobs that run the gamut from highly skilled tech work, to healthcare aids, to retail and hospitality positions.

U.S. employers are generously offering humanitarian aid and donations to help Ukrainian refugees, but now those employers may be able to offer jobs to displaced Ukrainians seeking refuge. The Biden Administration will open various legal pathways that could include the refugee admissions program (which can lead to permanent residence through asylum, but is a long process), visas, and humanitarian parole (a temporary solution). The focus will be on Ukrainians with family in the United States or others considered to be particularly vulnerable. Approximately 1,000,000 people of Ukrainian descent currently live in the United States.

The administration originally believed that most Ukrainians did not want to flee to the United States because it was too far away from other family members who have remained in Ukraine. Secretary of State Antony Blinken had stated that the priority was to help European countries who are the dealing with huge waves for migration instead. But advocates have been arguing that the administration could create special status for Ukrainians to allow them to enter the U.S. or stay with family members.

In early March, the Biden Administration established Temporary Protected Status (TPS) for Ukrainians who have been in the United States continuously since March 1, 2022, but that did not help those who are still abroad. Visitor visas are hard to come by because applicants for visitor visas need to be able to show that their stay will be temporary and that they have a home to return to in Ukraine, and such temporary nonimmigrant visas may not meet that criterion or be practical in most of these situations. Moreover, consulates abroad are already overwhelmed and understaffed due to COVID-19.

While small numbers of Ukrainians have made it to the United States by finding private or family sponsors, this new policy should at least open the doors to some Ukrainians and likely make it possible for U.S. companies to hire some of the incoming refugees. They will need and want employment, but they will also need support.

Article By Forrest G. Read IV of Jackson Lewis P.C.

For more immigration-related legal news, click here to visit the National Law Review.

Jackson Lewis P.C. © 2022

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humourous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to commonsense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign- up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re[1]initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.” (emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). Given that the EDPB’s stance in this respect is a confirmation of a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different section of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

Article By Peter Craddock, Sheila A. Millar, and Tracy P. Marshall of Keller and Heckman LLP

For more cybersecurity legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP address, thereby limiting the data transfers resulting from the use of Google Analytics that were under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Article By Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity legal news, click here to visit the National Law Review. 

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Europol: More Than Half of Counterfeits Originate in China

On March 7, 2022, the European Union Agency for Law Enforcement Cooperation (Europol) and the European Union Intellectual Property Office (EUIPO) jointly released the Intellectual Property Crime Threat Assessment 2022. Per the Assessment, China (including Hong Kong) was the main source of counterfeits based on number of counterfeits and by value of the counterfeits seized at the EU external borders.  Almost 76% of the fake goods detained were for trademark infringement; design infringement was the second most reported at 23% while copyright was third with 15%.

China and Turkey remain the main countries of origins for counterfeit clothing, shoes, bags, watches, and jewelry seized at the EU’s border. These goods are mostly ordered online and discovered as part of postal shipments or on passengers entering the EU.

Similarly, China is the country of origin for most of the seized counterfeit electrical/electronic and computer equipment, mobile phones and accessories. With respect to mobile phones, the Assessment states,

…the visual appearance of the counterfeit devices is very convincing, closely mimicking the external characteristics of the original phones. However, typically some features and software characteristics are missing and the International Mobile Equipment Identity (IMEI) is often fake.  The use of cheap and substandard electric components, which can be found in fake batteries, headphones or chargers, pose safety risks.

“China and Turkey were among the most frequently reported non-EU countries of origin for counterfeit food and drink seized at the EU’s external border.” Similarly, counterfeit perfumes and cosmetic products often originate from China and Turkey.

In addition to ready-to-use IPR-infringing goods, product components, such as aroma compounds, fixatives and solvents, are increasingly being seized. These components are used to create the final counterfeit products in the EU.

More worrisome, China and Turkey were the main origin of counterfeit pharmaceutical products.

Toys round out the top 10 counterfeits with China also being main point of origin.

The full Assessment is available here: IP_Crime_Threat_Assessment_2022_FullR_en.

Article By Aaron Wininger of Schwegman, Lundberg & Woessner, P.A.

For more intellectual property legal news, click here to visit the National Law Review.

© 2022 Schwegman, Lundberg & Woessner, P.A. All Rights Reserved.

GDPR Privacy Rules: The Other Shoe Drops

Four years after GDPR was implemented, we are seeing the pillars of the internet business destroyed. Given two new EU decisions affecting the practical management of data, all companies collecting consumer data in the EU are re-evaluating their business models and will soon be considering wholesale changes.

On one hand, the GDPR is creating the world its drafters intended – a world where personal data is less of a commodity exploited and traded by business. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to data localization in Europe and substitution of government meddling for consumer choice.

For years we have watched the EU courts and enforcement agencies apply GDPR text to real-life cases, wondering if the legal application would be more of a nip and tuck operation on ecommerce or something more bloody and brutal. In 2022, we received our answer, and the bodies are dropping.

In January Austrian courts decided that companies can’t use Google Analytics to study their own site’s web traffic. The same conclusion was reached last week by French regulators. While Google doesn’t announce statistics about product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5 percent of Quantcast’s Top 10,000 sites, and that is more than ten times the next most popular option. So vast numbers of companies operating in Europe will need to change their platform analytics provider – if the Euro-crats will allow them to use site analytics at all.

But these decisions were not based on the functionality of Google Analytics, a tool that does not even capture personally identifiable information – no names, no home or office address, no phone numbers. Instead, these decisions that will harm thousands of businesses were a result of the Schrems II decision, finding fault in the transfer of this non-identifiable data to a company based in the United States. The problem here for European decision-makers is that US law enforcement may have access to this data if courts allow them. I have written before about this illogical conclusion and won’t restate the many arguments here, other than to say that EU law enforcement behaves the same way.

The effects of this decision will be felt far beyond the huge customer base of Google Analytics.  The logic of this decision effectively means that companies collecting data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I would anticipate that huge cloud player Alibaba Cloud could suffer the same proscription if Europe’s privacy panjandrums decide that China’s privacy protection is as threatening as the US.

The Austrians held that all the sophisticated measures taken by Google to encrypt analytic data meant nothing, because if Google could decrypt it, so could the US government. By this logic, no US cloud provider – the world’s primary business data support network – could “safely” hold EU data. Which means that the Euro-crats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, stating, “The bottom line is: Companies can’t use US cloud services in Europe anymore.”

This decision will ultimately support the Euro-crats’ goal of data localization as companies try to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt toward data localization (for example, here and here) and away from the open internet that European politicians once held as the ideal. The Euro-crats are taking serious steps toward forcing localized data processing and cutting US businesses out of the ecommerce business ecosystem. The Google Analytics decision is likely to be seen as a tipping point in years to come.

In a second major practical online privacy decision, earlier this month the Belgian Data Protection Authority ruled that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. Now the TCF is considered per-se illegal under EU privacy rules, casting thousands of businesses to search for or design their own alternatives, and removing online choices for European residents.

The Belgian privacy authority reached this conclusion by holding that the Interactive Advertising Bureau was a “controller” of all the data managed under its proposed framework. As stated by the Center for Data Innovation, this decision implies “that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol.” No industry group will want to put itself in this position, leaving businesses to their own devices and making ecommerce data collection much less consistent and much more expensive – even if that data collection is necessary to fulfill the requests of consumers.

For years companies thought that informed consumer consent would be a way to personalize messaging and keep consumer costs low online, but the EU has thrown all online consent regimes into question. EU regulators have effectively decided that people can’t make their own decisions about allowing data to be collected. If TCF – the consent system used by 80% of the European internet and a system designed specifically to meet the demands of the GDPR – is now illegal, then, for a second time in a month, all online consumer commerce is thrown into confusion. Thousands were operating websites with TCF and Google Analytics, believing they were following the letter of the law.  That confidence has been smashed.

We are finally seeing the practical effects of the GDPR beyond its simple utility for fining US tech companies.  Those effects are leading to a closed-border internet around Europe and a costlier, less customizable internet for EU citizens. The EU is clearly harming businesses around the world and making its internet a more cramped place. I have trouble seeing the logic and benefit of these decisions, but the GDPR was written to shake the system, and privacy benefits may emerge.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.
For more articles about international privacy, visit the NLR Cybersecurity, Media & FCC section.

UK Withdrawal Agreement Becomes Law

On January 23, the European Union (Withdrawal Agreement) Bill became an Act of Parliament and is now legally binding in the UK. The purpose of this legislation is to give binding force to the withdrawal agreement that was made between the UK and the EU on October 19, 2019.

The next step will be for the withdrawal agreement to be ratified by the European Parliament, which is scheduled for January 29. If this vote is passed, the UK will leave the EU on January 31, 2020. The UK will then enter an ‘implementation period,’ during which all EU laws will continue to apply in the UK, while the UK and the EU negotiate their future relationship. This implementation period is scheduled to end on December 31.

©2020 Katten Muchin Rosenman LLP

For more Brexit developments, see the Global Law section of the National Law Review.

FCA Publishes “Brexit Special” Market Watch

On October 7, the Financial Conduct Authority (FCA) published a “Brexit Special” of its monthly Market Watch newsletter, in which it summarized some recent developments and publications in connection with the regulated sector’s preparedness for the forthcoming departure of the UK from the EU on November 1.

In the newsletter, the FCA noted that Andrew Bailey, FCA CEO, gave a speech in September at Bloomberg London on the Brexit “state of play”. Mr. Bailey outlined recent developments and the outstanding issues, such as the desire for an equivalence agreement for the Share Trading Obligation (STO). (For more information, please see the June 14 edition of Corporate & Financial Weekly Digest).

The FCA explained that transaction reporting rules under the Markets in Financial Instruments Regulation (MiFIR) will not be subject to the temporary transitional power. (For more information, please see the September 27 edition of Corporate & Financial Weekly Digest). Therefore, firms, trading venues and approved reporting mechanisms will need to take “reasonable steps to comply with the changes to their regulatory obligations”. Firms who cannot comply on the day that the UK leaves the EU will need to back-report missing, incomplete or inaccurate transaction reports as soon as possible thereafter.

The FCA provided an updated statement on the operation of the Markets in Financial Instruments Directive (MiFID) transparency regime following Brexit. The FCA published a statement on this topic in March 2019 (please see the March 8 edition of Corporate & Financial Weekly Digest), and the main purpose of this update was to change dates to reflect the extension of the departure date from March to October 2019.

The FCA’s MiFID transparency regime update also reflects a statement made on October 7 from the European Securities and Markets Authority (ESMA). In addition to other updates, ESMA described how reference data submitted by UK trading venues and systematic internalisers will be phased out of EU calculations. ESMA will “freeze” the quarterly calculations until Q1 2020, during which time the EU will re-determine the relevant competent authority (RCA) for all financial instruments that remain available for trading in the EU, for which the FCA is currently the RCA.

Finally, the FCA announced that industry testing for the FCA Financial Instruments Transparency Systems (FITRS) would start on October 10 and noted that it continues to update the Brexit material available on its website.

The Market Watch newsletter is available here.

Andrew Bailey’s speech is available here.

The FCA’s updated statement is available here.

ESMA’s statement is available here.

©2019 Katten Muchin Rosenman LLP

World Trade Organization Approves U.S. Tariffs on European Union Goods to Counteract Civil Aviation Subsidies

The World Trade Organization (WTO) has approved U.S. duties on $7.5 billion in products from the European Union (EU) after ruling that the EU had unfairly subsidized the production of large civil aircraft, such as those produced by Airbus. The U.S. Trade Representative (USTR) will enforce 10 percent duties on imports of certain aircraft and 25 percent duties on imports of other goods (including agricultural products, apparel, machinery, and other products) beginning October 18, 2019.

The EU plans to impose retaliatory tariffs on $20 billion of U.S. exports in response to subsidies allegedly provided to American plane manufacturer Boeing. However, the EU will have to wait for WTO approval in separate proceedings. The United States and the EU have been involved in WTO dispute settlement proceedings regarding subsidies for large civil aircraft since 2004.

Duties of 10 percent apply to imports of passenger and cargo aircraft from France, Germany, Spain, and the United Kingdom (where the majority of Airbus production is based), provided that they have an unladen weight exceeding 30,000 kg.1

Duties of 25 percent apply to imports of other products from all EU member states (or a subset of these member states, depending on the product category). These products include certain cheeses, pork, coffee, seafood, fruit, dairy spreads, wine, whisky, apparel, bedding, optical instruments, appliances, tools, folding knives, and magnets.

Military aircraft, civil helicopters, and parts or components of civil aircraft are not subject to the duties.2

1 Examples of subject aircraft over 30,000 kg are regional jets capable of seating more than 100 passengers (such as the Airbus A220) and any larger aircraft (including long-haul, wide-body jets). Smaller aircraft, including recreational aircraft, private jets, most turboprop aircraft, and most regional jets with a capacity of fewer than 100 passenger, have an unladen weight of less than 30,000 kg and are excluded.

2 Airbus has production facilities in the United States, that rely on components imported from the EU. Additionally, some EU companies produce certain components of military aircraft for export to the United States.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

For more on international trade, see the National Law Review Antitrust & Trade Regulation or Global law pages.

Can We Really Forget?

I expected this post would turn out differently.

I had intended to commend the European Court of Justice for placing sensible limits on the extraterritorial enforcement of the EU’s Right to be Forgotten. They did, albeit in a limited way,[1] and it was a good decision. There.  I did it. In 154 words.

Now for the remaining 1400 or so words.

But reading the decision pushes me back into frustration at the entire Right to be Forgotten regime and its illogical and destructive basis. The fact that a court recognizes the clear fact that the EU cannot (generally) force foreign companies to violate the laws of their own countries in internet sites that are intended for use within those countries (and NOT the EU), does not come close to offsetting the logical, practical and societal problems with the way the EU perceives and enforces the Right to be Forgotten.

As a lawyer, with all decisions grounded in the U.S. Constitution, I am comfortable with the First Amendment’s protection of Freedom of Speech – that nearly any truthful utterance or publication is inviolate, and that the foundation of our political and social system depends on open exposure of facts to sunlight. Intentionally shoving those true facts into the dark is wrong in our system and openness will be protected by U.S. courts.

Believe it or not, the European Union also has such a concept at the core of its foundation too. Article 10 of the European Convention on Human Rights states that:

“Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”

So we have the same values, right? In both jurisdictions the right to impart information can be exercised without interference by public authority.  Not so fast.  The EU contains a litany of restrictions on this right, including a limitation of your right to free speech by the policy to protect the reputation of others.

This seems like a complete evisceration of a right to open communication if a court can force obfuscation of facts just to protect someone’s reputation.  Does this person deserve a bad reputation? Has he or she committed a crime, failed to pay his or her debts, harmed animals or children, stalked an ex-lover, or violated an oath of office, marriage, priesthood or citizenship? It doesn’t much matter in the EU. The right of that person to hide his/her bad or dangerous behavior outweighs both the allegedly fundamental right to freedom to impart true information AND the public’s right to protect itself from someone who has proven himself/herself to be a risk to the community.

So how does this tension play out over the internet? In the EU, it is law that Google and other search engines must remove links to true facts about any wrongdoer who feels his/her reputation may be tarnished by the discovery of the truth about that person’s behavior. Get into a bar fight?  Don’t worry, the EU will put the entire force of law behind your request to wipe that off your record. Stiff your painting contractors for tens of thousands of Euros despite their good performance? Don’t worry, the EU will make sure nobody can find out . Get fired, removed from office or defrocked for dishonesty? Don’t worry, the EU has your back.

And that undercutting of speech rights has now been codified in Article 17 of Regulation 2016/679, the Right to be Forgotten.

And how does this new decision affect the rule? In the past couple weeks, the Grand Chamber of the EU Court of Justice issued an opinion limiting the extraterritorial reach of the Right to be Forgotten. (Google vs CNIL, Case C‑507/17) The decision confirms that search engines must remove links to certain embarrassing instances of true reporting, but must only do so on the versions of the search engine that are intentionally servicing the EU, and not necessarily in versions of the search engines for non-EU jurisdictions.

The problems with appointing Google to be an extrajudicial magistrate enforcing vague EU-granted rights under a highly ambiguous set of standards and then fining them when you don’t like a decision you forced them to make, deserve a separate post.

Why did we even need this decision? Because the French data privacy protection agency, known as CNIL, fined Google for not removing presumably true data from non-EU search results concerning, as Reuters described, “a satirical photomontage of a female politician, an article referring to someone as a public relations officer of the Church of Scientology, the placing under investigation of a male politician and the conviction of someone for sexual assaults against minors.”  So, to be clear, while the official French agency believes it should enforce a right for people to obscure that they have been convicted of sexual assault against children from the whole world, the Grand Chamber of the European Court of Justice believes that the people convicted child sexual assault should be protected in their right to obscure these facts only from people in Europe. This is progress.

Of course, in the U.S., politicians and other public figures, under investigation or subject to satire or people convicted of sexual assault against children do not have a right to protect their reputations by forcing Google to remove links to public records or stories in news outlets. We believe both that society is better when facts are allowed to be reported and disseminated and that society is protected by reporting on formal allegations against public figures or criminal convictions of private ones.

I am glad that the EU Court of Justice is willing to restrict rules to remain within its jurisdiction where they openly conflict with the basic laws of other jurisdictions. The Court sensibly held,

“The idea of worldwide de-referencing may seem appealing on the ground that it is radical, clear, simple and effective. Nonetheless, I do not find that solution convincing, because it takes into account only one side of the coin, namely the protection of a private person’s data.[2] . . . [T]he operator of a search engine is not required, when granting a request for de-referencing, to operate that de-referencing on all the domain names of its search engine in such a way that the links at issue no longer appear, regardless of the place from which the search on the basis of the requester’s name is carried out.”

Any other decision would be wildly overreaching. Believe me, every country in the EU would be howling in protest if the US decided that its views of personal privacy must be enforced in Europe by European companies due to operations aimed only to affect Europe. It should work both ways. So this was a well-reasoned limitation.

But I just cannot bring myself to be complimentary of a regime that I find so repugnant – where nearly any bad action can be swept under the rug in the name of protecting a person’s reputation.

As I have written in books and articles in the past, government protection of personal privacy is crucial for the clean and correct operation of a democracy.  However, privacy is also the obvious refuge of scoundrels – people prefer to keep the bad things they do private. Who wouldn’t? But one can go overboard protecting this right, and it feels like the EU has institutionalized its leap overboard.

I would rather err on the side of sunshine, giving up some privacy in the service of revealing the truth, than err on the side of darkness, allowing bad deeds to be obscured so that those who commit them can maintain their reputations.  Clearly, the EU doesn’t agree with me.

[1] The Court, in this case, wrote, “The issues at stake therefore do not require that the provisions of Directive 95/46 be applied outside the territory of the European Union. That does not mean, however, that EU law can never require a search engine such as Google to take action at worldwide level. I do not exclude the possibility that there may be situations in which the interest of the European Union requires the application of the provisions of Directive 95/46 beyond the territory of the European Union; but in a situation such as that of the present case, there is no reason to apply the provisions of Directive 95/46 in such a way.”

[2] EU Court of Justice case C-136/17, which states, “While the data subject’s rights [to privacy] override, as a general rule, the freedom of information of internet users, that balance may, however, depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information. . . .”

 

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more EU’s GDPR enforcement, see the National Law Review Communications, Media & Internet law page.

Brexit: Can the Remainers Stop a No-Deal Brexit?

Brexit has driven fault lines through British politics as seen at no time since the 1680s. Fervent ‘leavers’ and fervent ‘remainers’ can be found in both of the main political parties, although most favour various compromise options in between.

This is reflected in the composition of the UK Parliament and has resulted in an impasse, with Parliament rejecting both the transitional ‘deal’ to leave the EU negotiated by former Prime Minister Theresa May at the end of 2018 and the prospect of leaving the EU without a deal – a ‘no deal’ Brexit. The election of Boris Johnson as the new UK prime minister and his appointment of a government leaning firmly towards leaving the EU, with or without a deal on October 31, 2019, throws up some distinctive legal challenges: If a new deal cannot be struck with the EU, is a no-deal Brexit inevitable, or can the remainer MPs stop it?

Concluding a new deal with the EU by October 31 is challenging, not least given the limited time available for negotiating it and having it approved by the European and UK Parliaments. This is compounded by the complexity of the issues the UK government seeks to renegotiate, particularly the Irish backstop, and the EU’s no-renegotiation stance – although it has indicated willingness to revisit the nature of the future relationship between the EU and UK.

The legal position on a no-deal Brexit is set out in the European Union (Withdrawal) Act 2018, as amended in April 2019. This Act sets Brexit date at October 31, 2019. It also requires Parliament to approve any withdrawal agreement with the EU. What it does not require is that there should, in fact, be a withdrawal agreement. Consequently, the Act does not require parliamentary consent for a ‘no deal’ Brexit. Prime Minister Johnson does not, accordingly, need to secure any parliamentary majority for this. And since the Act will prevail over any parliamentary vote to reject a no-deal Brexit, he does not have to comply with any vote passed to the contrary.

The first legal route open to remainer MPs is to seek to amend the 2018 Act. The problem that they would have is timing. Parliament is in recess until September 3. There is usually a further recess from mid-September to the second week in October for the party conference season. Even if the second recess were to be abandoned, there is insufficient time for an amending bill to be passed before October 31 using normal parliamentary procedures. There is provision for emergency legislation to be passed very quickly, but this would require a consensus among all parties and the support of the government, both of which seem unlikely given the split between remainers and leavers within the main parties and the new government’s express intention to achieve Brexit by October 31.

The second legal route open to remainer MPs is to force a general election. Under the terms of the UK Fixed-term Parliaments Act 2011, Leader of the Opposition Jeremy Corbyn would need to propose a motion of no confidence in Prime Minister Johnson’s government. At present, the Conservatives have a majority of one in Parliament, but only with the support of the Democratic Unionist Party from Northern Ireland. However, a number of Conservative MPs have indicated that they would be prepared to bring their own government down on this issue. An unknown factor is whether leaver MPs in the Labour Party are prepared to abstain or even vote against such a motion.

A motion of no confidence under the 2011 Act requires only a simple majority of MPs voting in favour. However, there are still timing issues. The earliest that such a motion can be proposed is September 3. If passed, it would trigger a cooling-off period of 14 days for an alternative government to be formed. At the end of this period, if, as he would be entitled to do, Mr Johnson were to remain prime minister, UK electoral law would require him to announce the date for a general election within a further 25 days. However, there is no requirement for the election actually to be held within a particular time. Although the Queen must be consulted about the date, this is a formality. Prime Minister Johnson would, therefore, be within his constitutional rights to call an election only after the October 31 Brexit deadline has passed and the UK has left the EU.

Remain supporters have indicated that their strategy, if they are able to force an election, would be to rely on the legal status of the ‘standstill’ or status quo convention to prevent a no-deal Brexit on October 31. When an election is called, the government immediately becomes a caretaker administration. By parliamentary convention (‘convention’ in the sense of accepted practice), this administration should not embark on any major new projects and may not use the UK civil service for such a purpose. Cabinet Secretary Sir Mark Sedwill, the head of the civil service, is reported as having expressed the view that the ‘standstill’ in this situation would be that the UK remains in the EU. However, government spokespersons have said that this would involve the civil service effectively acting in contravention of the 2018 Withdrawal Act.

It seems likely, if this scenario develops, that the matter will be referred to the UK Supreme Court. The British constitution is not written down and relies on many traditions and convention, some of considerable antiquity. However, there is precedent in a December 2018 Supreme Court case, which decided that the legislative consent motions passed by the Scottish Parliament under the Scotland Act 1998 could not be used to affect the validity of the 2018 Withdrawal Act. It had been argued that the convention requiring the Scottish government to be consulted on any UK legislation that involved matters devolved to Scotland was absolute. The Supreme Court disagreed, on the basis that a convention could not take precedence over a statute. On this basis, any reference to the Supreme Court seeking to block the operation of the 2018 Act through convention would likely fail.

It is often said ‘a week is a very long time in politics’. Prime Minister Johnson may be able to secure some last-minute concessions from the EU negotiators enabling a withdrawal agreement to be approved by Parliament, but this looks challenging. Legal routes to block Brexit are also likely to meet several hurdles. Consequently, at this stage, Britain’s exit from the EU on October 31 looks the more likely outcome. Whether that means an abrupt departure from the EU, or whether a managed ‘no-deal’ Brexit could be achieved through negotiation and agreement on key matters, remains to be seen.

©2019 Greenberg Traurig, LLP. All rights reserved.
This article was written by Gillian Sproul at Greenberg Traurig, LLP.
For more Brexit developments, please see the Global Law page on the National Law Review.