Last month, bankrupt company RadioShack settled with a coalition of seventeen attorneys general to destroy most of the company’s customer data in its files. The agreement was part of a Bankruptcy Court-approved $26.2 million sale of RadioShack’s assets.
After filing for bankruptcy, RadioShack offered to sell data on 117 million customers. Attorneys General of Texas, Tennessee, Pennsylvania, and Oregon objected to RadioShack’s plans to sell the data, arguing that such a sale would violate the company’s privacy policies as well as state consumer protection statutes. More than thirty other state Attorneys General wrote letters supporting the effort.
The Federal Trade Commission (“FTC”) has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements while also announcing a series of data security conferences. In the new guidance titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.
Addressing the expectations revealed in the guidance may not eliminate all data security risk, but the guidance is a useful resource for assessing data security programs. For those looking to explore the FTC’s data security materials on their own, the FTC announced a new “at-a-glance” site where key FTC materials are available.
As many of our readers know, on July 10, the Federal Communications Commission (FCC) released a highly anticipated decision regarding the Telephone Consumer Protection Act (TCPA) and related FCC rules involving autodialed and prerecorded telephone calls and text messages. Although the order became effective upon release, in less than a week, three parties (ACA International, Professional Association for Customer Engagement, Inc., and Sirius XM Radio) appealed the decision. A brief summary of some of the key issues discussed in the decision is included below, along with information on the steps that companies can take to comply while the appeals are pending.
Across the country, we’re in the midst of “Unmanned Aircraft Systems (“UAS”) fever” – industries from media, agriculture and energy to insurance, real estate and construction are seeking FAA approvals to fly UAS in the United States. UAS technology has improved at a rapid pace and offers a vast array of safety and efficiency benefits to companies for a wide variety of uses.
But while the benefits from commercial uses of UAS are great, many have also been vocal with their privacy concerns. It may very well be that for industry to succeed, various stakeholders will need to engage in a national conversation surrounding these issues.
Can “second-hand” e-books and other digital works such as downloaded audio-books and music be resold? In recent years this question has repeatedly proved to be controversial. The increasing digitization of works poses ever-new challenges to copyright law. The question whether “second-hand” digital works such as e-books or music downloads can be resold like analogue works is just one such challenge.
Read our assessment of this matter, related recent cases and the corresponding Directive, published in the Journal of Intellectual Property Law & Practice here.
Relevance of employee data protection
Data privacy in an employment context remains an important challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance; few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a legitimate expectation of privacy – including at their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several member states, relating to the permissibility of internal investigations and compliance controls.
One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
On 27 May the District Court in Cracow ruled that chomikuj.pl, a hosting provider with over 5 million users, is obligated, once a month, to monitor the Internet through keyword searches for content uploaded by users, with respect to three Polish films “Dzień świra”, “Katyń” and “Wenecja”. Chomikuj.pl will be required to block access to all pirated files which appear on the first five pages of the search results as files uploaded to chomikuj.pl. The main objection against chomikuj.pl was that it did not act as a regular hosting provider, but also encouraged users to upload files that would generate a large number of downloads. The ruling is not final yet and it is most likely that it will be appealed to the Appellate Court.
What’s the deal?
The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses to destinations outside the EEA.
Recap on current framework
Transfers of personal data to a third country outside the EEA are allowed under the current Data Protection Directive only if:
On 9 July 2015, the German Federal Supreme Court ruled, once again, on the case of Bestwater. You may already know this case, as both the German Federal Supreme Court and the CJEU have released decisions on it before.
The case concerns the claim of Bestwater, a German company manufacturing and distributing water purification systems, that its rights were infringed by an unauthorised use of a promotional video. The video was created on behalf of the plaintiff who holds the exclusive exploitation rights. The video was uploaded to YouTube, the plaintiff claims, without its consent when two self-employed commercial agents implemented the video on their website via “Framing”.
“Framing” refers to the practice of linking to content in a way that does not use the usual hyperlinks consisting of words, but where the linked content is actually already visible on the website which contains the link. The linked content is therefore “framed” by original content of the website.