Yesterday was a big day for the Court of Justice of the European Union! The fifteen-year-old regime governing EU-U.S. data transfers has been struck down. Specifically, the CJEU declared invalid the safe harbour framework (the “Safe Harbor Framework” or the “Framework”) that thousands of U.S. companies have relied upon to facilitate data transfers from the EU to the United States. To read the entire article published by our Pillsbury London and U.S. teams click here.
Global Sourcing attorney Sarah Atkinson, who is based in Pillsbury’s London office, has recently published the article, “The payment services market under the eye of the regulator”, in Banking Technology. The article considers criticisms of the payment services industry and how the new Payment Services Regulator is hoping to address these. In particular, it considers the issue of technical barriers (including technology barriers) and how these currently inhibit direct access to payment systems. To read the full article on the Banking Technology website click here.
Last year we wrote about the EU’s adoption of an individual’s “right to be forgotten”, which gives Europeans the right to require search engines to remove information about them from search results for their own names, if the information is inaccurate, inadequate, irrelevant or excessive. We also wrote that neither Congress nor the U.S. courts have shown much of an appetite for adopting a stance similar to the EU, so there was little chance that the right to be forgotten would be established in the United States. This is still the case, but there appears to be some (albeit small) momentum building among consumer groups and companies to take steps toward the EU approach.
On July 7th, a consumer advocacy group, Consumer Watchdog, filed a formal complaint with the Federal Trade Commission, arguing that Internet users in the United States should also have a similar right as EU citizens have available to them. Consumer Watchdog argues that Google’s current practices are both “unfair and deceptive, violating Section 5 of the Federal Trade Commission Act.” The letter urges the FTC to “investigate and act” on Google’s practices.
Separately, Google already has taken steps in the U.S. to remove certain types of information at the request of users. However, the types of information are fairly limited and in most cases it is very clear when the information should be removed in compliance with Google’s policies. For example, social security numbers can be removed. Google also has a policy that permits the removal of offensive images, which is more subjective but it is set at such a base level of “offensive” that it still offers a fairly bright line test (e.g., child sexual abuse imagery and, more recently, “revenge porn”). At the time of our post last year, Google had received 91,000 requests to remove links in the EU. Since then Google has evaluated over 1,000,000 URLs, which does not include the number of requests from individuals that require more information in order for Google to even perform the evaluation. The volume of links that Google is evaluating is not slowing down, and it would no doubt spike tremendously if the “right to be forgotten” was implemented in the United States.
Any company that uses information technology is a potential target for data theft, advanced malware and other cyber threats. Cyber threats have emerged as a growing systemic risk, particularly to the financial sector, in which Financial Market Infrastructures (“FMIs”) are increasingly under attack from a wide range of players, at greater frequency and with growing levels of sophistication. Regulators, standards bodies and other authorities around the world are giving a high priority to cybersecurity for these reasons. This post summarizes what regulators are doing in Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.
What are EU regulators proposing to improve FMI cybersecurity?
The European Commission has initiated a push to “protect open internet and online freedom and opportunity” by 2020. This initiative includes combatting cyber-attacks against information systems, establishing an EU cybercrime centre and coordinating Emergency Response teams, cyber-attack simulations and national alerts among all EU Member States. These efforts are also intended to align with the international fight against cybercrime. The next five years will see an increase in costs as FMIs and regulators pay to rapidly update single FMIs and solidify an EU-wide cybersecurity structure.
A recent survey of over 1,200 of the top mobile apps in 19 countries by the Global Privacy Enforcement Network (“GPEN”) has found that 85% of the apps reviewed were non-compliant, failing to provide even the most basic privacy information to users.
In addition, 43% failed in their obligation to tailor privacy notices to smaller screens and almost 30% unlawfully requested excessive personal data from users.
Concerns for users are compounded given the lightning speed at which new apps are hitting the market. Last year, for example, in excess of 1 million apps were reported to be available via Apple’s iOS App Store.
Should developers care about these findings?
In short, yes, especially given that the UK privacy regulator, the Information Commissioner’s Office (“ICO”), has recently conducted research that demonstrates that around half of app users have decided against downloading an app due to privacy concerns at some point in time.
Risk for developers does not stop there either.
In July, the Financial Conduct Authority (FCA – the financial regulatory body in the United Kingdom) issued a paper titled “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions” (the Considerations). The Considerations contain about five pages of checklist “Areas of interest” and related notes, which are stated to be things a firm subject to regulation by the FCA should consider when procuring ‘off the shelf’ technology solutions.
When do the Considerations apply?
We view the application of the Considerations as two-fold. First, they supplement the existing IT-related banking regulations. Second, they are intended to apply to procurements where firms might not ordinarily consider applying FCA-originating guidelines.
The UK financial services regulator, the Financial Conduct Authority (FCA), has launched a guidance consultation in order to clarify and confirm its approach to the supervision of financial promotions in social media, including the use of character-limited forms. (Examples of character-limited formats are Twitter (which limits tweets to 120 characters) and Vine (which limits videos to six-second loops).)
The FCA has identified an increase in the use of character-limited social media (and social media generally) and warned of confusion among firms over the inclusion of regulatory information such as risk warnings (in compliance with the financial promotion rules) when communicating through social sites such as Twitter, Pinterest and Vine. And, as the FCA makes clear, every communication (e.g. each tweet, Facebook page or insertion) must be considered individually and comply with the relevant rules.
In May earlier this year, the European Union’s top court held in favor of an individual who requested that Google remove the search results associated with his name. In this particular case, a Spanish citizen requested that Google Spain remove an auction notice of his repossessed home from its search results, as the proceedings had been resolved for a number of years. The court held that individuals have the right to require search engines to remove personal information about them if the information is “inaccurate, inadequate, irrelevant or excessive.” This precedent established the “right to be forgotten,” which gives Europeans the right to require search engines to remove information about them from search results for their own names. The ruling has not been met with universal applause, and in fact a U.K. House of Lords subcommittee recently declared the right to be forgotten misguided in principle and unworkable in practice.
Ofcom has published a call for input, entitled “Promoting investment and innovation in the Internet of Things”, regarding issues that might affect the development of the emerging Internet of Things (IoT) sector in the United Kingdom. Ofcom is the UK’s independent regulator and competition authority for the UK communications industry. It regulates the TV and radio sectors, fixed line telecoms, mobile devices, postal services, plus the airwaves over which wireless devices operate. It operates under a number of Acts of Parliament, in particular the Communications Act 2003.
IoT (which is also referred to as the Cloud of Things or CoT) describes the interconnection of multiple machine-to-machine (M2M) applications and covers a variety of protocols, domains and applications (see J. Höller, V. Tsiatsis, C. Mulligan, S. Karnouskos, S. Avesand, D. Boyle: From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence. Elsevier, 2014). These technologies and methodologies underpin smart applications and embedded devices that enable the exchange of data across multiple industry sectors, such as heart monitoring implants, factory automation sensors, industrial robotics applications, automotive sensors and biochip transponders. A 2013 report by Gartner suggested that by 2020 there will be nearly 26 billion connected IoT devices.
The General Affairs Council, on 23 July 2013, adopted a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the Internal Market. Until the new regulation, the E-Signatures Directive (1999/93/EC) provided the only EU rules relating to e-signatures and said nothing about trust services. The E-Signatures Directive is to be repealed with effect from July 2016 when, with some exceptions, the new regulation will start to apply.
The new regulation sets out rules for cross-border electronic trust services (electronic identification schemes) within the EU and creates a legal framework for:
- electronic signatures,
- seals and time stamps,
- electronic documents,
- electronic registered delivery services, and
- certificate services for website authentication.
The new rules will only cover the cross-border aspects of electronic identification; issuing means of electronic identification remains a national prerogative. The general position at English law remains unchanged – sophisticated electronic signatures are not necessary for the formation of a binding contract.