The Consumer Review Fairness Act (CRFA) began to take effect yesterday, March 14, 2017. One aim of the CRFA is to protect consumers’ ability to publicly review services and vendors without being subject to restrictions or fines imposed by form contracts. It does so by voiding provisions within form contracts
Online Privacy
CJEU holds that mass surveillance must not be general and indiscriminate
The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism and meets other stringent requirements.
The references were made by the Swedish and UK courts and concerned the interpretation of the Privacy and Electronic Communications Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) (the “Directive”), in light of the rights granted by the Charter of Fundamental Rights of the European Union (the “Charter”), particularly, the right to privacy (Article 7) and the right to protection of personal data (Article 8), and the decision of the CJEU in Digital Rights Ireland (C‑293/12 and C‑594/12).
The Clock Has Started: What ISPs Need to Do and When to Comply with the FCC’s Broadband Privacy Rules
On December 2, 2016, the Federal Communications Commission (“FCC”) published its Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Order”) as a final rule in the Federal Register, adopting rules applicable to Internet service providers (“ISPs”) intended to protect the privacy of broadband consumers. Despite the publication of the rules in the Federal Register, uncertainty remains regarding when ISPs must be in compliance with some of these newly established privacy obligations. Although the rules are effective January 3, 2017, the FCC has made exceptions to the January 3, 2017 effective date for provisions which have not yet been approved by the Office of Management and Budget (“OMB”).[1] This includes many of the operative provisions of the new rules regarding ISPs’ data collection and use. Once such provisions are approved by the OMB, notice will be published in the Federal Register announcing their approval and corresponding effective dates.
Despite the uncertainty regarding the effective dates of many sections, the publication of the Order puts ISPs on notice of the new rules, and ISPs should begin revising their practices so that they are able to meet the earliest possible effective dates. Here is what ISPs need to know regarding compliance with the new rules:
FTC: LabMD Tests Positive for “Unfair” Security Practices
LabMD’s lack of data security measures resulted in the FTC Commission overturning an Administrative Law Judge (“ALJ”) decision that previously dismissed charges against the company in November. LabMD performed laboratory medical testing for over 750,000 patients since 2001, before going out of business in 2014, partly due to fighting this case. The FTC brought the action under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” An act that causes or is likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition may be deemed unfair.
Are Dynamic IP Addresses Personal Data? A Primer
Last month, one of the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”), Manuel Campos Sánchez-Bordona, issued an opinion suggesting that dynamic IP addresses should be recognized as “personal data” under EU law. If the CJEU adopts this reasoning, it would represent a landmark decision that would resolve a contentious issue that has been plaguing EU data protection law for years. This post delves into the AG’s decision and its potential consequences.
Regulators Offer Guidance on Privacy and Security for Health App Developers
This month, the Federal Trade Commission (FTC) issued guidance on privacy and security best practices for health-related mobile apps, such as fitness apps connected with wearables, diet and weight loss apps, and health insurance portals. At the same time, the FTC unveiled an interactive tool designed to direct health app developers to federal laws and regulations that may apply to their apps. The Mobile Health Apps Interactive Tool, which is the product of collaboration among the FTC, Department of Health and Human Services’ Office of National Coordinator for Health Information Technology (ONC), Office for Civil Rights (OCR), and the Food and Drug Administration (FDA), seeks to unify guidance in a space governed by a complicated web of legal requirements. It also signals the continued focus of regulators on the protection of consumer health information in this rapidly evolving space.
French Data Protection Wants to Force Google to Extend the Right To Be Delisted to All the Search Engine’s Extensions
Co-authored by Geoffrey Roche
On March 10, 2016, the French data protection agency (« CNIL ») pronounced a €100.000 ($111,715) fine against Google Inc. for failure to comply with its formal injunction of May, 2015 ordering the company to extend delisting to all the search engine’s extensions.
Fiduciary Access to Digital Assets and Accounts: Revised Model Statute Adopted in Oregon
Oregon became the first state to adopt the Revised Uniform Fiduciary Access to Digital Assets Act (“Revised UFADAA”) when Governor Kate Brown signed Oregon Senate Bill 1554 into law on March 3, 2016. The law will become effective on January 1, 2017.