St. Louis was named after Louis IX (born in 1214!), hosted a World Fair (technically, the 1904 Louisiana Purchase Exposition), the fleur-de-lis is ubiquitous, and we love soccer and football, although we have neither a major league football team nor a major league soccer team (St. Louis FC, our USL minor league soccer team, has a crest which features, you guessed it, a fleur-de-lis). However, St. Louis is known as the “Gateway to the West” – directionally away from Europe. Every once in a while, St. Louisans, like the rest of America, need to heed what is going on over the pond, particularly when it comes to privacy and data security developments. Below is a brief update on a few foreign issues to begin the New Year.
GDPR. Much has been written, including on this blog, about the General Data Protection Regulation (GDPR), which becomes effective May 25, 2018 and replaces the EU Data Protection Directive. We provide a link to our recent article, which discusses the GDPR’s expanded territorial scope, its definitions of “personal data” and individual rights, the more difficult burden to obtain consent, greater sanctions, heightened breach notification obligations, and the likelihood that the UK will honor the GDPR notwithstanding continuing Brexit negotiations.
More recently, the Article 29 Working Party released Guidance on both consent and transparency (the “Guidances”). The Guidances total 65 pages, and detailed study is necessary to assure compliance moving forward. The Guidances are also good reads for domestic privacy/security issues, as each contains some best practice pointers. The Transparency Guidance (WP 260) details how companies must fairly process personal data, and how companies must inform individuals of their GDPR rights and how to exercise them. This information should be expressed plainly, clearly, concisely, and intelligibly, be provided free of charge, and be easily accessible (particularly in regard to children). This information should generally be in writing, although other methods may be acceptable.
Consent “remains one of the six lawful bases to process personal data” under the GDPR, so understanding the Consent Guidance (WP 259) is critical. To be valid, consent must be freely given, specific, informed, and unambiguous. Bundling, tying, or other instances demonstrating an imbalance of power are “highly undesirable.” The individual should know the data controller’s identity, the purpose for which consent is sought, the data that will be collected, and the right to withdraw consent. Previously obtained consent must be examined to ensure it complies with the GDPR after May 25, 2018. Finally, consent should be observed in light of other fundamental GDPR principles such as fairness, necessity, proportionality, and data quality.
The Courts. EU courts have been quite busy in the last few years, handing down decisions that tightened an employer’s ability to monitor employees, established and expanded upon the “right to be forgotten”, and invalidated the Safe Harbor data sharing agreement, to name a few.
What can we expect in 2018? Since the GDPR changes so much regarding personal data, more privacy litigation in general is a given. We suspect the amount of litigation will depend on how the data protection authorities assess fines, particularly against the larger US-based search engines and social media providers. The Irish High Court has already referred to the Court of Justice of the European Union the question of whether data protection mechanisms (in this instance, Facebook’s) violate the Privacy Shield when EU individuals’ data is transferred to the US.
Regulatory Response. Data protection regulators will continue to be more active in the EU. IoT devices seem to be a particular target. In December, several IoT toys made by Genesis Toys were found to record and collect conversations without parental consent and to lack reasonable security features (read “easily hacked”). Germany banned some of the toys and urged those who had purchased them to destroy them. France is taking action against Genesis under its data protection act. The US? The FTC is considering action and has warned toy makers that IoT devices must comply with COPPA. The FTC recently brought and settled its first IoT toy action, against VTech, for COPPA and §5 violations.
Increasingly, EU member governments are requesting that providers “block accounts”, generally on the basis of “hate speech”. For instance, Twitter blocked 1,700 accounts in the fourth quarter of 2017, primarily at the request of the governments of Germany and France. We expect to see an uptick in governmental curtailment requests directed at social media platforms.
Byte Back thanks you for a wonderful 2017 and looks forward to providing you timely and useful information in 2018.