As Russia’s internet law imposes new obligations on technology and infrastructure companies, the Russian government considers subordinate legislation.

By Tim Wybitul, Ulrich Wuermeling, and Ksenia Koroleva

On November 1, 2019, the majority of provisions of Russia’s internet law (RuNet Law) entered into force. Its principal purpose is to ensure the independent operation, safety, and security of the Russian segment of the internet. However, the overall effect of the RuNet Law is expected to be similar to China’s Great Firewall, a system of legal and technical measures employed by the Chinese government to monitor and restrict the use of the internet.

UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms.

By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford

On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to combat online harms. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users’ illegal and socially harmful activity. Although the regime appears to target larger social media platforms, the proposals technically extend to all organisations that provide online platforms allowing user interaction or user-generated content (not limited to social media companies or even ‘service providers’ in the traditional sense) and set out a potentially onerous and punitive compliance and enforcement regime for a broad set of online providers.

By Ulrich Wuermeling

On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.

In the internal draft, the European Commission suggested

By Ulrich Wuermeling

An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.

If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU.

By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet services provider, as a third party, was able to identify the users.

By Ksenia Koroleva

On July 6, 2016, Russian President Vladimir Putin signed Federal Law No 374-FZ. This law is also known as the “Yarovaya” law (named after a Russian senator who was the main driving force for the law to come into existence).

The Yarovaya law introduces amendments to certain Russian federal laws. The majority of the amendments came into effect on July 20, 2016, however, some of the requirements relating to storage of metadata, as described below, will only come into force starting from July 1, 2018. A draft law which aims to postpone the effective date of such requirements due to their technical complexity from July 1, 2018 to July 1, 2023 is currently being considered by the Russian State Duma.

The Yarovaya law, which is political and primarily aimed at combating terrorism, contains new rules on data retention which need to be taken into account by telecom companies and other persons operating or assisting in the operation of communications services.

By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.

On July 17th, the Data Retention and Investigatory Powers Act (DRIPA) came into effect in the United Kingdom reinstating the Government’s powers to require communication providers to retain traffic data (also known as metadata) and enabling the Government to serve warrants to intercept communications data on companies outside of the United Kingdom to the extent they were providing services to UK users.  DRIPA became law following emergency “fast-tracked” procedures on the basis that its enactment was essential to ensure continued

By Kevin Boyle and Aryeh Richmond

Here is a reminder that the Federal Trade Commission’s revisions to its Children’s Online Privacy Protection Rule become effective on July 1.  If you haven’t already, now is the time to make sure you have revisions to meet the rule in place as FTC and state attorney general inquiries and formal investigations are sure to follow the extensive public notices about the new rule as well as the need to comply on time. 

First

Recently Jan Philipp Albrecht, rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee, the lead committee considering the proposed draft General Data Protection Regulation, published the committee’s suggested amendments to the original draft regulation.  The reports runs to over 200 pages and contains over 350 separate amendments.

Since the original draft regulation was published in January of last year, businesses, industry bodies and regulators have been lobbying the European Commission, Council and Parliament to try and change some