As Russia’s internet law imposes new obligations on technology and infrastructure companies, the Russian government considers subordinate legislation.

By Tim Wybitul, Ulrich Wuermeling, and Ksenia Koroleva

On November 1, 2019, the majority of provisions of Russia’s internet law (RuNet Law) entered into force. Its principal purpose is to ensure the independent operation, safety, and security of the Russian segment of the internet. However, the overall effect of the RuNet Law is expected to be similar to China’s Great Firewall, a system of legal and technical measures employed by the Chinese government to monitor and restrict the use of the internet.

China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences.

By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen

On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection of Personal Information of Children (儿童个人信息网络保护规定)(PCPPIC). The regulation will come into effect on October 1, 2019, and will apply within the People’s Republic of China (PRC).The PCPPIC’s stated purpose is “protecting the security of children’s personal information and promoting the healthy growth of children in the PRC.” In 29 Articles, the PCPPIC sets forth high-level requirements for the collection, storage, use, transfer, and disclosure of the personal information of children within PRC territory.

UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit.

By Gail E. Crawford, Fiona Maclean, and Amy Smyth

Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and online marketplaces — that provide services into the UK to nominate a UK representative following Brexit. The representative will also have to be registered with the UK Information Commissioner’s Office (ICO).

Non-UK-based digital services providers will remain liable for breaches, notwithstanding the appointment of a representative. A representative will be required to act on behalf of a provider, but it is not currently clear whether a representative maybe be liable for a provider’s breach; whether the updated UK NIS Regulations will address this point explicitly remains to be seen.

The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt.

By Myria Saarinen and Camille Dorval

On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance (Guidance). A corrective version followed on 19 July 2019.

The Guidance clarifies “consent” under Article 82 of the French Data Protection Act (Article 82). Article 82 implements the ePrivacy Directive’s cookies rule and constitutes the foundation of the French rules requiring organizations placing non-essential cookies to provide “clear and complete” information to users and to obtain their consent to the use of cookies.

The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance.

By Fiona M. Maclean, Laura Holden, and Grace E. Erskine

The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the General Data Protection Regulation (GDPR) applies to cookies and similar technologies. The new guidance makes it clear that under the GDPR, consents cannot be the default or blind setting, and consents cannot be bundled, as had been the common “wait and see” practice among many online businesses and sites. Organisations subject to the ICO jurisdiction will want to pay immediate attention to this guidance, including some helpful, pragmatic tips.

The European law on cookies can be found in the European Directive 2002/58/EC (ePrivacy Directive) (as amended by Directive 2009/136/EC), as implemented into UK law by the Privacy and Electronic Communications Regulation 2003 (as amended) (PECR). Regulation 6 PECR constitutes the foundation of the UK rules requiring organisations setting non-essential cookies on websites to provide “clear and comprehensive information” to users and to obtain their consent to the use of cookies. 

Healthcare entities should immediately assess whether Federal Law No. 2 of 2019 applies to their practices.

By Brian A. Meenagh

On 6 February 2019, the President of the United Arab Emirates (UAE) in conjunction with the UAE Minister of Health and Prevention (the Minister) issued a new law on the use of information and communications technology (ICT) in health fields in the UAE. Federal Law No. 2 of 2019 (the Law) entered into effect in May 2019 and will likely affect the activities of a number of entities operating in the healthcare sector in the UAE, including healthcare service providers, life sciences companies, cloud service providers, healthcare IT systems suppliers, and medical insurance providers.

Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information.

By Fiona M. Maclean and Ksenia Koroleva

On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. 90-FZ “On Amending Federal Law ‘On Communications’ and Federal Law ‘On Information, Information Technology and Information Protection’”). The majority of RuNet Law amendments will come into effect on November 1, 2019.

The RuNet Law’s principal provisions include:

  • Introducing rules for the centralization and control of data traffic (g., the RuNet Law establishes a centralised Russian Internet data traffic routing system)
  • Requiring entities involved in the transfer of data to install additional equipment and comply with new obligations that aim to ensure such centralization

UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms.

By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford

On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to combat online harms. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users’ illegal and socially harmful activity. Although the regime appears to target larger social media platforms, the proposals technically extend to all organisations that provide online platforms allowing user interaction or user-generated content (not limited to social media companies or even ‘service providers’ in the traditional sense) and set out a potentially onerous and punitive compliance and enforcement regime for a broad set of online providers.

The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance.

By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout

In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. Under the Children’s Online Privacy Protection Act (COPPA), even seemingly straightforward online data collection and storage practices such as logging an IP address or storing an email address are subject to strict requirements, such as providing notice and obtaining advanced parental consent prior to collection or storage.

Under COPPA, obtaining proper consent can be technically or administratively burdensome, expectations shift with technological advancement, regulatory exceptions are vague, and penalties are calculated on a per-violation basis. COPPA is enforced by the Federal Trade Commission (FTC) and state attorneys general, both of which are very active in this area. Although the FTC maintains a website with answers to frequently asked questions, the law is complicated, and companies should consult with an attorney.

The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic.

By Robert Blamires, Fiona M. Maclean, and Danielle van der Merwe

Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). Under Article 3, the GDPR applies to the processing of personal data which meets the “establishment” test (Article 3(1)), or, failing that, meets the “targeting” test (Article 3(2))[i].

“Establishment” Test

The GDPR applies to the processing of personal data by a controller or processor established in the EU in the context of activities of that establishment, regardless of whether the processing itself takes place in the EU. “Establishment” is not defined in the GDPR, but the Guidance refers to pre-GDPR case law to assist with its interpretation.