New Media and Technology Law Blog

EU Releases “A European Strategy for Data”

As 2019 came to a close, we looked ahead into 2020 and noted that data would continue to be a huge issue for the digital economy.  We have not been disappointed. On February 19, 2020, the European Commission (the “Commission”) released its 35-page document entitled “A European strategy for data,” becoming just the latest of many developments in that area.

The document lays out a vision as to how – through legislation, technical standards and public-private initiatives – the EU can become a future leader in data and create a more permissive data economy.

The Commission’s goal is to create a single European data space – “a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimising the human carbon and environmental footprint.” The Commission envisions common European rules to ensure:

  • data can flow within the EU and across sectors;
  • European rules and values, in particular personal data protection, consumer protection legislation and competition law, are fully respected;
  • rules for access to and use of data are fair, practical and clear, and there are clear and trustworthy data governance mechanisms in place;
  • there is an open, but assertive approach to international data flows, based on European values.

The strategy document lays out a number of concerns, problems and obstacles to achieving its vision. One theme that runs throughout is the need to create common interoperable data platforms offering small and medium enterprises (SMEs) access to a host of cloud services and advanced data processing capabilities. As the Commission sees the current state of the data environment as dominated by the big tech companies, it noted that such a high degree of market power can “enable large players to set the rules on the platform and unilaterally impose conditions for access and use of data.”  But what incentives would exist for companies to share certain data to an EU platform?  The Commission states that organizations contributing data “would get a return in the form of increased access to data of other contributors, analytical results from the data pool, services such as predictive maintenance services, or licence fees.”

Generally speaking, the Commission’s data strategy includes a number of elements:

  • A cross-sectoral governance framework for data access and use. The Commission’s proposal for legislation would include a framework for a common European data space that would “support decisions on what data can be used in which situations, facilitate cross-border data use, and prioritise interoperability requirements and standards within and across sectors.”   This would also include facilitating decisions on “which data can be used, how and by whom for scientific research purposes in a manner compliant with the GDPR.”
  • The opening of key public sector data sets. The Commission would work on making more high-quality public sector data available for reuse, in particular in view of its potential for SMEs.
  • Legislative action on issues that affect relations between actors in the data-agile economy. The Commission would seek legislative solutions to provide incentives for horizontal data sharing across sectors, in particular “addressing issues related to usage rights for co-generated data (such as IoT data in industrial settings), typically laid down in private contracts.”  Notably, the Commission stated it would also seek to identify and address “any undue existing hurdles hindering data sharing and to clarify rules for the responsible use of data (such as legal liability).”
  • Legislation regarding limited circumstances where access to data should be made compulsory.

Ultimately, it appears that a number of forces will be concurrently seeking to reshape the future of the global digital economy.  In the EU, the efforts described above, as well as the EU’s proposed Digital Services Act, which will impact content on digital platforms, and continuing GDPR enforcement will be influential in this area. In the U.S., regulators are considering antitrust enforcement efforts in the technology sector, legislators are calling for major changes to the immunities under Section 230 of the Communications Decency Act, and privacy and data security legislation and enforcement are impacting data-oriented businesses.  Other global initiatives are ongoing as well, such as a sweeping personal data privacy bill recently introduced in India and the prior passage of Brazil’s general data protection law which is set to go into effect later this year. In the meantime, investment in “big data” is growing at double digit rates. With all these ingredients placed into the pressure cooker of the global economy, what will be the result? Stay tuned!

Court Enforces Arbitration Clause in Online Terms of Service Accepted by a Minor

Epic Games, Inc. (“Epic”) is the publisher of the popular online multiplayer videogame Fortnite, released in 2017. In recent years, Fortnite has gained worldwide popularity with gamers and esports followers (culminating in July 2019 when a sixteen-year-old player won the $3 million prize for winning the Fortnite World Cup). Players, in one version of the game, are dropped onto a virtual landscape and compete in a battle royale to survive. In the real world, Epic recently survived its own encounter – not with the help of scavenged weapons or shield potions – but through its well-drafted end user license agreement (“EULA” or “terms”).

Earlier this month, the District Court for the Eastern District of North Carolina granted Epic’s motion to compel individual arbitration of the claims of a putative class action. The action arose in connection with a cyber vulnerability that allowed hackers to breach user accounts. The court concluded that the arbitration provision contained in the EULA was enforceable in this case, even where a minor was the person who ultimately assented to the terms. (Heidbreder v. Epic Games, Inc., No. 19-348 (E.D.N.C. Feb. 3, 2020)).

FCC Enforcement Coming over Alleged Privacy Violations for Disclosure of Consumers’ Geolocation Data

On January 31st, FCC Chairman Ajit Pai transmitted a letter in response to a prior inquiry from a number of House members regarding the status of the Commission’s investigation into reports that the major wireless carriers were allegedly disclosing consumers’ real-time geolocation data to data aggregators. The aggregators, in turn, were selling location-based data and services to other companies or individuals, purportedly without the mobile user’s knowledge or consent. In the letter, Chairman Pai stated that the agency had completed its investigation and concluded that at least one carrier had violated federal law. Pai also stated that he and his fellow commissioners will be considering possible penalties against “one or more” carriers, which can contest any Notice of Apparent Liability for Forfeiture.

Public awareness and general scrutiny over the collection, selling and packaging of geolocation data has heightened in recent years.  The issue has earned the attention of both federal and state regulators and legislatures. Regardless of the outcome of the FCC’s enforcement in this matter, entities that rely on anonymized geolocation data for analytical products and services should be aware of the focus in this area.

Final CFIUS Regulations Impact Foreign Non-Control Investment Transactions Involving Critical Technologies/Infrastructure or Sensitive Data

In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (FIRRMA) to modernize the Committee on Foreign Investment in the United States (CFIUS). CFIUS is chaired by the Secretary of the Treasury and is empowered to review certain transactions involving foreign investment in the U.S. that may affect national security.  On January 23, 2020, the U.S. Department of the Treasury (“Treasury”) released final regulations that implement FIRRMA.

Prior to the enactment of FIRRMA, the authority of CFIUS to conduct national security reviews of foreign investment in the U.S. was generally limited to “control” investments by “foreign persons” in U.S. businesses (with such terms defined under applicable statutes and regulations).  Under the regulations implementing FIRRMA, which take effect on February 13, 2020, CFIUS now has within its purview, among other things, non-controlling foreign investments in U.S. businesses that: (a) develop critical technologies, (b) own, operate, manufacture, supply or provide services to critical infrastructure; or (c) maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.

CFIUS review should be a relevant consideration in shaping foreign investments in U.S. companies. Today, as “every company is a technology company,” it is possible that foreign investments involving technology, communications, media, mobile systems, advertising, e-commerce, social media and other internet-based business or data-intensive industries may fall under CFIUS’s jurisdiction. Indeed, last year, CFIUS’s scrutiny compelled a Chinese company to sell its majority stake in dating app Grindr and agree to avoid sending any sensitive user data to China.

Parties involved in foreign investments in U.S. businesses must be aware of the issue of CFIUS review.  For an in-depth discussion of the new regulations, please see our Client Alert posted on Proskauer’s website.

Members of Congress Request FTC Investigation of Financial Data Company’s Collection and Privacy Practices

Last week, Democratic Senators Ron Wyden and Sherrod Brown and Congresswoman Anna Eshoo sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Envestnet, Inc. (which operates Yodlee) was violating the FTC Act.

According to the letter, Yodlee is the largest consumer financial data aggregator in the United States.  It aggregates financial information from banks, credit card companies and other financial services providers with consumer consent, and maintains a database of credit and debit card transactions of tens of millions of consumers. The letter asserts that Yodlee is used by over 1,200 companies to offer online personal finance tools to consumers.  Yodlee offers its software and platform to fintech providers, banks, financial apps, consumers and others to help process financial data from various sources.

The crux of the letter claims that Envestnet sells access to such consumer data without meaningful notice to consumers of such sale. The members of Congress reject Envestnet’s position that consumer privacy is protected because the data it sells is anonymized, and claim that Envestnet does not inform consumers that their personal financial data is being sold, but rather relies on its partners to make such disclosures in privacy policies or terms of service. The letter asserts that this is not sufficient, as Envestnet does not appear to take any steps to ensure that its partners give such notice, and even if they did, such practices place the burden on consumers to find such a notice “buried in small print” and then search for a way to opt out of such data sharing.

Repeal of CDA Section 230?

In an interview with the editorial board of the New York Times, published today, former Vice President Joe Biden advocated for repeal of Section 230 of the Communications Decency Act (CDA).  As readers of this blog may know, the CDA offers service providers protections that underpin the hosting of much of the user-generated content (both good and bad) on the web and social media.

The CDA expressly treats online providers that host or “publish” third party content differently than their offline counterparts, and frees online providers from certain obligations associated with moderating the flood of user-generated content that is uploaded to their servers. The immunities under CDA Section 230 have facilitated the growth of e-commerce and social media, but at the same time have also allowed for the proliferation of fake content and hateful speech. In recent years, the CDA has reached a crossroads of sorts, with the passage of FOSTA in 2018 and with more and more federal legislators on both sides of the aisle calling for “Silicon Valley” to be reined in and Section 230 to be curtailed or amended. One wonders, however, how curtailing the CDA would affect the vibrancy of the internet. If the present or future Congress reaches some consensus and tinkers with CDA Section 230, would that intentionally (or unintentionally) change the online “rules” that many entities have come to rely on since the CDA was passed over 20 years ago?

In Outlining Its 2020 Examination Priorities, SEC Expresses Interest in Alternative Data and Cybersecurity Risks

On January 7, 2019, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced its 2020 examination priorities. In doing so, OCIE identified certain areas of technology-related concern, in particular alternative data and cybersecurity. [For a more detailed review of OCIE’s exam priorities, see the Client Alert posted on our firm’s website].

  • Alternative Data: For the first time, OCIE has publicly listed alternative data as an examination priority, stating that “examinations will focus on firms’ use of these data sets and technologies to interact with and provide services to investors, firms, and other service providers and assess the effectiveness of related compliance and control functions.”

Buy-side funds using alternative data should expect a heightened level of scrutiny from OCIE on this issue. Such entities should be ready to explain, among other things, their due diligence procedures for evaluating and vetting alternative data vendors and their techniques and contractual approaches used with such vendors, as well as protections against receipt of personally identifiable information (PII) and other potential MNPI considerations.

  • Cybersecurity: Following the SEC’s 2018 updated guidance on public company cybersecurity disclosures, information security remains a prominent focus of OCIE across its entire examination program. Specifically, OCIE stated that examinations will center on things such as “proper configuration of network storage devices, information security governance generally, and retail trading information security.” Moreover, OCIE announced that it would focus on vendor oversight practices, including cloud storage relationships, including “the controls surrounding online access and mobile application access to customer brokerage account information.” Lastly, OCIE noted that one of its priorities would be to examine the safeguards surrounding data disposal, specifically, the risks of retired hardware containing client information.

Expect a heightened level of scrutiny from OCIE on all of the foregoing.  Entities should review their cybersecurity practices, including their agreements with third party vendors and service providers, in anticipation of the questions OCIE is likely to ask.

  • Blockchain and Digital Currency: OCIE stated that the rapid growth of digital assets presents various risks, and that it would continue to “examine SEC-registered market participants” engaged in certain cryptocurrency activities and transfer agents developing blockchain technology, among other things. For a more thorough discussion of the blockchain and digital currency-related issues outlined by OCIE, please see the post on our Blockchain and the Law blog.

White House Releases Proposed Guidance for the Regulation of AI

On January 7, 2019, the federal Office of Management and Budget (OMB) released a draft of a memorandum setting forth guidance to assist federal agencies in developing regulatory and non-regulatory approaches regarding artificial intelligence (AI).  This draft guidance will be available for public comment for sixty days, after which it will be finalized and issued to federal agencies.

According to the draft, the guidance was developed with the intent to reduce barriers to innovation while also balancing privacy and security concerns and respect for IP. The proposed guidance features ten principles to guide regulatory approaches to AI applications.  In addition, in what may be a boon for those in the private sector developing AI infrastructure, the OMB reinforces the objective of making federal data and models generally available to the private sector for non-federal use in developing AI systems.

Initial responses to the proposed guidance have been mixed, and it remains to be seen how the principles in the guidance (when finalized) will be put into practice. Notably, however, those who intend to invest significant resources in AI-based infrastructure should be aware of what may prove to be the emerging blueprint for AI regulation in the near future.

Reflections on 2019 in Technology Law, and a Peek into 2020

It is that time of year when we look back to see what tech-law issues took up most of our time this year and look ahead to see what the emerging issues are for 2020.

Data: The Issues of the Year

Data presented a wide variety of challenging legal issues in 2019. Data is solidly entrenched as a key asset in our economy, and as a result, the issues around it demanded a significant level of attention.

  • Clearly, privacy and data security-related data issues were dominant in 2019. The GDPR, CCPA and other privacy regulations garnered much consideration and resources, and with GDPR enforcement ongoing and CCPA enforcement right around the corner, the coming year will be an important one to watch. As data generation and collection technologies continued to evolve, privacy issues evolved as well.  In 2019, we saw many novel issues involving mobile, biometric and connected cars. Facial recognition technology generated a fair amount of litigation, and presented concerns regarding the possibility of intrusive governmental surveillance (prompting some municipalities, such as San Francisco, to ban its use by government agencies).
  • Because data has proven to be so valuable, innovators continue to develop new and sometimes controversial technological approaches to collecting data. The legal issues abound.  For example, in the past year, we have been advising on the implications of an ongoing dispute between the City Attorney of Los Angeles and an app operator over geolocation data collection, as well as a settlement between the FTC and a personal email management service over access to “e-receipt” data.  We have entertained multiple questions from clients about the unsettled legal terrain surrounding web scraping and have been closely following developments in this area, including the blockbuster hiQ Ninth Circuit ruling from earlier this year. As usual, the pace of technological innovation has outpaced the ability for the law to keep up.
  • Data security is now regularly a boardroom and courtroom issue, with data breaches, phishing, ransomware attacks and identity theft (and cyberinsurance) the norm. Meanwhile, consumers are experiencing deeper and deeper “breach fatigue” with every breach notice they receive. While the U.S. government has not yet been able to put into place general national data security legislation, states and certain regulators are acting to compel data collectors to take reasonable measures to protect consumer information (e.g., New York’s newly-enacted SHIELD Act) and IoT device manufacturers to equip connected devices with certain security features appropriate to the nature and function of the devices (e.g., California’s IoT security law, which becomes effective January 1, 2020). Class actions over data breaches and security lapses are filed regularly, with mixed results.
  • Many organizations have focused on the opportunistic issues associated with new and emerging sources of data. They seek to use “big data” – either sourced externally or generated internally – to advance their operations.  They are focused on understanding the sources of the data and their lawful rights to use such data.  They are examining new revenue opportunities offered by the data, including the expansion of existing lines, the identification of customer trends or the creation of new businesses (including licensing anonymized data to others).
  • Moreover, data was a key asset in many corporate transactions in 2019. Across the board in M&A, private equity, capital markets, finance and some real estate transactions, data was the subject of key deal points, sometimes intensive diligence, and often difficult negotiations. Consumer data has even become a national security issue, as the Committee on Foreign Investment in the United States (CFIUS), expanded under a 2018 law, began to scrutinize more and more technology deals involving foreign investment, including those involving sensitive personal data.
  • For more information about developments over the past year on data-related issues, and to keep abreast of new developments in the future, you may want to subscribe to Proskauer’s privacy blog, privacylaw.proskauer.com. You may also want to review our Practical Law article “Trends in Privacy and Data Security: 2018” and get a hold of our update that will publish in winter 2020.

I am not going out on a limb in saying that 2020 and beyond promise many interesting developments in “big data,” privacy and data security.
