On March 23, 2017, the New York Attorney General’s office announced that it has settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.
On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.
The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal, and we are still waiting for the Council to agree its amendments before all three come together and try to find a mutually agreeable position.
The Council is guided by the mantra “nothing is agreed until everything is agreed”. There has been progress: the Council has reached “partial general agreement” on international transfers, on risk-based obligations on controllers and processors, and on the provisions relating to specific data processing situations such as research, and it has agreed an approach on the one-stop shop principle (allowing those operating in multiple states to appoint and deal with a single authority). Even so, this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.
Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that data protection reform remains a key priority, but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.
The ICO is urging all stakeholders to push on with the reform, although it sees the proposed timetable of completing the trilogue process by the end of 2015 as optimistic. A more realistic timetable may be final agreement by mid-2016, with the new regime up and running in 2018.
In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.
This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.
The Federal Trade Commission (FTC) recently accused the operator of www.Jerk.com (Jerk) of misrepresenting to users the source of the personal content that Jerk used for its purported social networking website and the benefits derived from a user’s purchase of a Jerk membership. According to the FTC, Jerk improperly accessed personal information about consumers from Facebook, used the information to create millions of unique profiles identifying subjects as either “Jerk” or “Not a Jerk” and falsely represented that a user could dispute the Jerk/Not a Jerk label and alter the information posted on the website by paying a $30 subscription fee. The interesting issue in this case is not the name of the defendant or its unsavory business model; rather, what’s interesting is the FTC’s tacit enforcement of Facebook’s privacy policies governing the personal information of Facebook’s own users.
Misrepresenting the Source of Personal Information
Although Jerk represented that its profile information was created by its users and reflected those users’ views of the profiled individuals, Jerk in fact obtained the profile information from Facebook. In its complaint, the FTC alleges that Jerk accessed Facebook’s data through Facebook’s application programming interfaces (APIs), which are tools developers can use to interact with Facebook, and downloaded the names and photographs of millions of Facebook users without consent. The FTC used Facebook’s various policies as support for its allegation that Jerk improperly obtained the personal information of Facebook’s users and, in turn, misrepresented the source of the information. The FTC noted that developers accessing the Facebook platform must agree to Facebook’s policies, which include (1) obtaining users’ explicit consent to share certain Facebook data; (2) deleting information obtained through Facebook once Facebook disables the developers’ Facebook access; (3) providing an easily accessible mechanism for consumers to request the deletion of their Facebook data; and (4) deleting information obtained from Facebook upon a consumer’s request. Jerk used the data it collected from Facebook not to interact with Facebook but to create unique Jerk profiles for its own commercial advantage. Data misappropriated from Facebook was therefore the actual source of the profile information, contrary to Jerk’s representation that the data had been provided by Jerk’s users.
Misrepresenting the Benefit of the Bargain
According to the FTC, Jerk represented that purchase of a $30 subscription would enable users to obtain “premium features,” including the ability to dispute false information posted on Jerk and to alter or delete their Jerk profile. Users who paid the subscription often received none of the promised benefits. The FTC also noted that contacting Jerk with complaints was difficult for consumers: Jerk charged $25 for users to email its customer service department.
A hearing is scheduled for January 2015. Notably, the FTC’s proposed Order, among other prohibitions, enjoins Jerk from using in any way the personal information that Jerk obtained prior to the FTC’s action – meaning the personal information that was obtained illegally from Facebook.
In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet. Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection. You may download the presentation slides here.
We hope you find our presentation materials informative. Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.
LinkedIn, the social networking site popular among professionals, recently filed suit in the US District Court for the Northern District of California against unknown users who deployed automated software programs known as “bots” to register thousands of fake LinkedIn profiles and “scrape” LinkedIn’s servers for member data.
The complaint alleges that the bot users scraped LinkedIn’s member data to create a service that would compete with LinkedIn Recruiter, a service used by 16,000 clients and companies, including 90 of the Fortune 100, to search for job candidates. LinkedIn alleges that the fake member profiles damage “the integrity and effectiveness of LinkedIn’s professional network,” including the “accuracy and integrity” of the information contained on the site. LinkedIn argues that members trust LinkedIn and expect that members’ professional profiles are legitimate.
One of LinkedIn’s claims is that the unknown users who created and deployed the bots “willfully, repeatedly, and systematically” breached the LinkedIn User Agreement by registering thousands of fake LinkedIn profiles and copying data from many member profile pages. As is typical of most online services, a LinkedIn user must, as part of creating an account, affirmatively agree to the User Agreement: “By clicking Join LinkedIn, you agree to LinkedIn’s User Agreement, Privacy Policy and Cookie Policy.” The User Agreement expressly states that it is a “legally binding agreement with LinkedIn Corporation” and includes provisions that specifically bar members from owning multiple accounts, creating false identities or using any “means or processes” to harvest data from LinkedIn’s website and services. In addition to its presentation on the “Join” webpage, the User Agreement is displayed through a link on LinkedIn’s homepage.
While the facts alleged in the complaint seem to indicate clearly that the bot creators violated LinkedIn’s User Agreement, we are interested to see how the court treats the breach of contract claim, because it may shed light on how businesses can help ensure the enforceability of their online agreements. We will further explore the enforceability of online agreements in future posts.