By Ulrich Wuermeling

On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.

In the internal draft, the European Commission suggested

By Ulrich Wuermeling

An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.

If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU.

By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet services provider, as a third party, was able to identify the users.

On July 10, the Federal Communications Commission (“FCC”) released the text of a Declaratory Ruling and Order, initially adopted on June 18, that provides various clarifications regarding the Telephone Consumer Protection Act of 1991 (“TCPA”) and the FCC’s existing rules. The proceeding that led to the Order attracted widespread attention and was the result of nearly two dozen petitions filed by organizations representing healthcare, banking, retail, and telecommunications interests. The broad interest in this proceeding is the direct result of the sweeping impact that the TCPA has had on when and how businesses may contact consumers, as well as the multiplicity of consumer class actions threatened and filed against advertisers, debt collectors, and others making automated calls or sending automated text messages.

What is an “Automatic Telephone Dialing System” (ATDS)?

The first clarification made by the Order is with respect to “autodialers” (or, in the wording of the statute, an “automatic telephone dialing system”). The TCPA and the FCC’s existing rules prohibit making non-emergency calls to a wireless number without prior express consent when those calls are made using an autodialer or an artificial or prerecorded voice. Accordingly, there has been significant controversy over what kinds of dialing systems qualify as autodialers, which the TCPA defines as equipment that has the “capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator,” and to “dial such numbers.” See, e.g., Satterfield v. Simon & Shuster, Inc., 569 F.3d 946, 951 (9th Cir. 2009) (A “system need not actually store, produce, or call randomly or sequentially generated telephone numbers, it need only have the capacity to do it” for the TCPA to apply.).[i]

June is proving to be a very active month for the US Federal Communications Commission (FCC) in construing the Telephone Consumer Protection Act, including what sorts of consumer interactions are sufficient to meet the requirements for consent to receive marketing or other messages. This post reports on an extraordinary warning letter issued to PayPal, criticizing a user-agreement based approach to collecting consent. Next week, we will report on a series of TCPA interpretative guidance which was adopted yesterday by a vote of 3 to 2.

On June 11, the FCC publicly released a warning letter sent to PayPal, Inc., by the FCC’s Enforcement Bureau, stating that PayPal’s new user agreement “may violate” a federal law called the Telephone Consumer Protection Act, or TCPA. The TCPA requires a consumer’s consent before a business may make certain types of phone calls or send automated text messages. PayPal had released a modification of its existing user agreement (set to go into effect on July 1) that would authorize the company to make “autodialed or prerecorded calls and text messages” for a variety of purposes and at any telephone number PayPal associates with the customer.

By Matthew Murchison & Matthew Brill

By all accounts, the number of class action lawsuits brought under the Telephone Consumer Protection Act against companies communicating by telephone, text, and fax has exploded in recent years.  These lawsuits—which rely on the private right of action at 47 U.S.C. § 227(b)(3) for violations of the statutory prohibitions in Section 227(b) “or the regulations prescribed thereunder”—often seek tens or hundreds of millions of dollars in damages under the statute’s uncapped, $500-per-violation liability provision. 

Guest Blogger Jillian Chia from Skrine, Kuala Lumpur, Malaysia & Gail Crawford

With the Malaysian Personal Data Protection Act 2013 (“PDPA”) having come into force on 15 November 2013, Jillian Chia, Senior Associate at Skrine, provides an overview of the salient provisions in the Regulations and Orders.

She notes that that there is a grace period for compliance with the PDPA. where a data user has collected personal data before 15th November 2013. However, this appears

By Kevin Boyle and Aryeh Richmond

Here is a reminder that the Federal Trade Commission’s revisions to its Children’s Online Privacy Protection Rule become effective on July 1.  If you haven’t already, now is the time to make sure you have revisions to meet the rule in place as FTC and state attorney general inquiries and formal investigations are sure to follow the extensive public notices about the new rule as well as the need to comply on time. 

First

The Office of Hong Kong’s Privacy Commissioner for Personal Data (PCPD) recently announced the results of compliance checks on the collection of “cookies” by local banks in response to earlier media reports and a survey by the Hong Kong Monetary Authority (HKMA).

According to media reports from September 2010, some local banks in Hong Kong required their customers to accept cookies for use of Internet banking services without informing customers of the type of data to

Focus on Mobile App Transparency

Pursuant to the Obama Administration’s blueprint for consumer privacy released in February (and in accord with a request for comments published in March), the National Telecommunications and Information Administration (NTIA) has issued a notice setting July 12, 2012, as the date for the first meeting in its privacy multistakeholder process. Mobile app transparency will be the focus of the first meeting.

The process “will encourage stakeholders to develop a code of conduct that promotes transparent disclosures