Legal & Government Affairs Update April 2021
General Counsel at FAST
Covered in this update
In this newsletter we explore some of the most prevalent stories in recent months, including the European Commission’s draft data adequacy decision and the high profile dispute between the Duchess of Sussex and Associated Newspapers. The remaining articles focus on notable privacy cases relating to Google and Zoom, as well as legislative developments within the digital sector. As ever, dear reader, if there is anything you would like me to focus on in the coming months please let me know
Case Law Update: Privacy!
European Commission releases draft adequacy decisions on UK data regime
As previously discussed in our January 2021 newsletter, the European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection under article 45 of Regulation (EU) 2016/679. The effect of this decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. When making an adequacy decision, the Commission has to gauge whether the third country offers an equivalent level of protection to personal data within their law and practices as the EU.
The UK provided the Commission with a comprehensive legal framework that underpins their data protection standard back in March 2020. Since then, the Commission has held discussions with the DCMS to fully understand and analyse the UK’s framework and prove, beyond doubt, that they fulfil the adequacy requirements under the GDPR and Law Enforcement Directive. Namely, these requirements include rules on data importing as well as safeguarding mechanisms implemented by public authorities.
We are now anticipating the outcome from the Commission, which will be of major significance to both the UK and the EU. Without an adequacy decision in place, the transfer of personal data between Europe and the UK would be put in jeopardy, causing potentially many businesses to cease international operations.
In February 2021, the European Commission published their draft decision, recognising the UK’s data protection standards as adequate. Unlike other non-EU countries such as New Zealand and Canada, the UK is in a unique position as EU law has been the mould for its data protection legislation for decades, making the decision of adequacy most likely a simple one. However, now that the UK is not bound by EU privacy legislation, there is the possibility for this stance to change years down the line. The Commission therefore has stressed that this adequacy decision must be future proofed, and therefore it is only valid for a period of four years, during which they will monitor developments to UK legislation.
Didier Reynders, Commissioner for Justice, said: “A flow of secure data between the EU and the UK is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the UK after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens' fundamental right to data protection must never be compromised when personal data travel across the Channel. The adequacy decisions, once adopted, would ensure just that.
The UK is now waiting for the EU to provide technical confirmation of the adequacy decision, which will provide much needed certainty to businesses that personal data can continue to safely flow between the UK and Europe. The Secretary of State for Digital, Oliver Dowden, emphasized this point: “I now urge the EU to fulfil their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits”.
This draft decision will then be presented to the European Data Protection Board for a ‘non-binding opinion’ and once this has been finalized, it will be presented to EU member states for the ‘comitology procedure’. This requires the Member States to provide a formal opinion, in the form of a vote, for the proposed decision of the Commission. If successful, the Commission can finally adopt the adequacy decision for the UK.
Elizabeth Denham, the current Information Commissioner, commented:” The draft adequacy decisions are an important milestone in securing the continued frictionless data transfers from the EU to the UK. Today’s announcement gets us a step closer to having a clear picture for organisations processing personal data from the EU and I welcome the progress that has been made.”
Duchess of Sussex – Private Letters and Freedom of Expression
The High Court has issued a judgment, in HRH the Duchess of Sussex v Associated Newspapers Ltd  EWHC 669 (Ch), on the details of orders arising from the Duchess of Sussex's successful claim for summary judgment in her copyright infringement and privacy claim against Associated Newspapers.
The dispute concerned the publication of a “personal and private” handwritten letter to the Duchess’ estranged father, Thomas Markle, from August 2019. The letter’s existence was first made known in early February 2019 by reference made in an article published by US magazine, People. According to Thomas Markle, this article misrepresented the content and tone of the letter and he consequently contacted the US editor of the Mail on Sunday requesting they publish extracts of the letter more accurately.
Following this contact, Associated Newspapers ran news stories and coverage on the letter. This was spread across five articles in the print edition of the Mail on Sunday and MailOnline. The publishing of the letter was front page news and marketed as a “world exclusive” concerning a “sensational letter”.
In September 2019, the Duchess of Sussex took legal and filed a claim against Associated Newspapers. The claim alleged amongst other things: misuse of her private information, breach of duties owed to her under the General Data Protection Act, and infringement of her copyright.
The Privacy Claim
The Claimant argued that the contents of this letter was private due to its contents surrounding her personal and family life, rather than her public life as the Duchess of Sussex. She claimed that this distinction meant that she held a ‘reasonable expectation’ that the letter would remain private. The Defendant argued against the point of reasonable expectations by claiming that Thomas Markle initially provided them with the letter to try to amend the errors found in the People article, and the Claimant had also released similar material to that found in the letter within the biography, Finding Freedom. The Defendant went on to claim that in any event the Claimant’s reasonable expectations of privacy would be superseded by the right to freedom of expression enjoyed by the publisher and their audiences.
Whilst finding merit in the argument made by the Defendant, the court found that the Claimant’s reasonable expectation of privacy (under Article 8 of the Human Rights Act 1998) outweighed the freedom of expression enjoyed by the publisher and their audiences (under Article 10). Thus finding the Defendant as having no real prospect of success at trial as neither they, nor the general public, had a legitimate interest in the matter. Mr Justice Warby underlined the Duchess’ right to a reasonable expectation that the contents of the letter would remain private.
Within his judgement he stated: “It has long been established that a public figure does not, by joining that select group, give up her right to a private life, or open up every aspect of her private and family life or correspondence to examination in the press.”
The Copyright Claim
The Claimant argued that the Defendant had infringed her copyright by releasing substantial parts of the letter. This is due to the claim the letter (and an electronic working draft stored on her phone) were original literary works which copyright subsisted in. The Defendant argued that the Claimant was not the sole author; it was not an original literary work and relied upon the principle of fair dealing as their justification.
The court agreed with the Claimant and held that the letter was deemed to be a sufficiently original work to qualify for copyright protection. Copying of the letter by the Defendant would not be exempt as fair dealing for the purposes of reporting current events. However, the copyright aspects of the case are yet to be completely settled and therefore the issues regarding copyright will be assessed at trial with a particular focus on whether the Claimant can be considered as the sole author of the letter or conversely, whether she was a co-author alongside her former communications secretary.
This case will now proceed with a limited hearing on the authorship of the letter, damages and remedies. Whilst this case will inevitably make the headlines the legal questions adjudicated on appear to be a relatively straightforward: a restatement of a legitimate expectation of a right to privacy in private correspondence under Article 8, and a rejection of the fair dealing defence for copyright purposes in relation to the publication of a private letter.
Calhoun v Google – Second Google Privacy Case Gains Momentum
Google are facing a second set of privacy proceedings in quick succession centring around claims that Google have been misleading users that their data will not be collected unless the ‘sync’ function is activated whilst searching the internet on Google Chrome.
Within her judgement, U.S. District Court Judge Lucy Koh explained that Google ‘failed to notify users that it engages in the alleged data collection.’ and therefore their representations might have misled the ‘reasonable user’ by collecting personal data when the sync function was inactive.
Google claimed that independent websites agreed to participate in Google’s tracking program, and they did not violate the Wiretap Act, which stipulates that parties must be unaware of data interception. The point of contention is whether this agreement extended to those users not synced. The main issue is that Google tracked the information of its users, rather than unlawfully disclosed information to third parties. Ultimately, this tracking of Chrome users may be considered a violation of federal law and the California Consumer Privacy Act (CCPA). The forthcoming rulings on Google may have widespread implications on websites using Google Analytics or Google Ad Manager without relevant disclosures and obtaining valid consent.
Zoombombing – Zoom Escapes from Allegations of Compromised Privacy Rights
In Zoom Video Communications Inc Privacy Litigation, in the U.S. District Court, Northern District of California, No. 20-02155, Web-conferencing provider, Zoom Video Communications Inc. has been subject to allegations of compromised user privacy due to ‘Zoombombing’, whereby an intruder may join other private Zoom meetings without the consent of the hosting party. Wider allegations of compromised privacy rights have been made regarding the sharing of personal information with Facebook, Google and LinkedIn.
U.S. District Judge Lucy Koh dismissed large parts of these claims, stating that the Claimant has failed to prove any of these allegations, and at best they can allege that Zoom has ‘disclosed certain other people’s data, not necessarily the Plaintiff’s data”. Koh held that Zoom is protected under Section 230 of the Communications Decency Act 1996.
Section 230 of the Communications Decency Act (CDA 230) says: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" (47 U.S.C. § 230).” The section has been interpreted very widely and is often held up in the USA as the legal basis for free speech online. Twitter, Facebook and online social media platforms more generally rely upon being an “interactive computer service” in order to avoid being held liable as publisher for third party content published on their platform.
CDA 230 therefore operates not only to protect established Internet Service Providers (ISPs), but also any "interactive computer service”. This would now appear to include video conferencing platforms such as Zoom as well as online social media platforms. On the application of the CDA section 230 Judge Lucy Koh she held that “Appalling as this content is, Zoom’s failure to edit or block user-generated content is the very activity Congress sought to immunize”.
However Judge Koh also went onto invite the Plaintiffs to re-plead their dismissed claims so we can expect Zoombombing to continue to be litigated but will have to wait to see what legal argments are developed by the Plaintiffs’ lawyers. For a useful summary of how CDA 230 has been applied in practice see this article by the EFF: https://www.eff.org/issues/cda230.
CooperStealer Malware Designed to steal Facebook, Google and Apple passwords
Proofpoint researchers have discovered malware known as CooperStealer that steals user credentials from Google, Facebook, Amazon and Apple. The malware is capable of stealing passwords and cookies, and contains a very advanced feature enabling its operators to download malicious payloads onto a victim’s device.
The perpetrators responsible for this malware strain have used compromised accounts to run malicious ads and deliver other malware in ‘malvertising’ campaigns. Whilst the earliest findings of CooperStealer malware date back to 2019, it’s identification on major social media platforms including Facebook, Instagram, PayPal, Tumblr and Twitter is a much greater cause for concern. Proofpoint is continuing to investigate the malware strain and works to combat its spread via sinkholing.
It is recommended that users take precautions to defend themselves against CooperStealer malware, particularly by avoiding visiting KeyGen and crack sites to pirate software.
For more on this please see a more detailed report provided by Techradar: https://www.techradar.com/uk/news/this-vicious-malware-will-steal-your-facebook-google-and-apple-passwords
Legislation Developments and Consultations
PIMFA Demands for Online Safety Bill to Include Principle of Economic Harm
The Personal Investment Management & Financial Advice Association (PIMFA) is calling on the UK government to include ‘economic harm’ in the Online Safety Bill as members report a rise in sophisticated online scams. Evidence suggests that online scams increased in January 2021 and as a result, PIMFA suggests the only solution is to enshrine additional consumer protections in law.
Significant 2020 Action Fraud statistics include:
- 356,649 reported cases of fraud within the UK.
- £2.1 billion lost to fraudsters.
- £501 million (25% of losses) is attributed to investment fraud.
PIMFA argue that a structured legal framework and a rigid enforcement procedure are necessary to fight against widespread online fraud. The COVID-19 pandemic has seemingly exacerbated this problem with the increased use of digital platforms during nationwide lockdown and a move towards working from home for most businesses. According to PIMFA, including economic harm within the Online Safety Bill will increase the accountability and cooperation of Domain Name Registration Services, Internet Service Providers and online platforms.
Please see the press release by PIMFA for more detail on this: https://www.pimfa.co.uk/press-release/pimfa-calls-on-government-to-include-economic-harm-in-online-safety-bill-as-members-report-rise-in-increasingly-sophisticated-online-scams/
Proposed Legislative Development: Digital Services Act and the Digital Markets Act
In the EU, a new legislative development has been proposed by the European Data Protection Supervisor (EDPS) to help protect individuals when it comes to content moderation, online targeted advertising and recommender systems used by online social media platforms. They propose these measures are legislated within the Digital Services Act (DSA) and Digital Markets Act (DMA) to help create a ‘secure, transparent and safe online environment’.
An example of these proposed measure is be strictly prohibited profiling for purposes of content moderation, unless the measures are proven necessary to prevent the risks that are identified within the DSA. Ultimately, the EDPS aims to create a fair and open digital markets and the fair processing of personal data by regulating large online platforms acting as gatekeepers.
To implement this Act effectively, the EDPS has requested a ‘clear legal basis and structure for closer cooperation between the relevant oversight authorities’.
Wojciech Wiewiórowski, EDPS, said: “Competition, consumer protection and data protection law are three inextricably linked policy areas in the context of the online platform economy. Therefore, the relationship between these three areas should be one of complementarity, not friction.”
Please see the EDPS press release for more detail: https://edps.europa.eu/press-publications/press-news/press-releases/2021/edps-opinions-digital-services-act-and-digital_en
Top 10 Tech Priorities & New Government Artificial Intelligence Strategy
The Government intends on driving the UK as a global trendsetter for the development, commercialisation and adoption of responsible AI. As per their press release, the new strategy will focus on:
- growth of the economy through widespread use of AI technologies;
- ethical, safe and trustworthy development of responsible AI; and
- resilience in the face of change through an emphasis on skills, talent and research and development.
The UK strives to lead the AI revolution ahead of its European counterparts. In 2020, UK firms that were adopting or creating AI-based technologies received £1.78bn in funding, whereas £525m and £386m was raised by French and German companies respectively.
Digital Secretary, Oliver Dowden, outlined 10 top tech priorities as part of this revolution:
- Rolling out world-class digital infrastructure nationwide
This will require gigabit broadband and 5G within digital infrastructure, enabling the UK to connect at lightning speeds and providing vulnerable people with adequate access to digital connectivity.
- Unlocking the power of data
This will require removing barriers to responsible data sharing and use to drive the economy. The UK’s aim is to become the world’s number one data destination: combining innovation and freedom with security.
- Building a tech-savvy nation
The target is for all adults to have a base level of digital and cyber skills through apprenticeships, digital boot camps and the Digital Entitlement. The £520 million Help-to-Grow scheme will empower approximately 100,000 businesses to adopt the latest technology.
- Keeping the UK safe and secure online
With the implementation of online harms legislation, the UK aims to create a secure online presence for citizens in which social media companies are accountable for both the safety and freedom of their users.
- Fuelling a new era of start-ups
The UK is aiming to build momentum within the tech space by opening up the market to new and innovative tech companies. By offering funding to companies at every stage of their growth cycle, the UK will cultivate an environment for companies to flourish in and build a reputation of being the ideal hub to grow a digital business.
- Unleashing the transformational power of tech and AI
Later this year, the UK is releasing the National Artificial Intelligence Strategy, which will help build on the pre-existing world-class research and cement their spot as a trendsetter in the AI space.
- Championing free and fair digital trade
The UK’s target is to lead the way in a new age of digital trade. Following the trade deal with Japan, the UK continues to pursue new and productive digital partnerships.
- Leading the global conversation on tech
The UK is helping to set the new rules on technology, leading global efforts to boost digital competition, whilst reinforcing our reputation as a pro-tech, pro-innovation business environment.
- Endorsing digital prosperity across the UK
The target is long-term digital prosperity UK wide, creating a de-centralisation of tech towards London and a drive towards more country-wide focus.
- Using digital innovation to reach Net-Zero
Climate and conservation technology will be pivotal in the fight against climate change. With a look towards COP26, the government will support technologies that reduce carbon emissions and provide British businesses with the necessities to work towards net zero emissions.
You can read more about the strategy here: https://dcms.shorthandstories.com/Our-Ten-Tech-Priorities/index.htm
Global Mandatory Fair, the Nature and Scope of the Right to Quote Copyright Works
Tanya Aplin of King's College London and Lionel Bently of University of Cambridge focus on the quotation exception to copyright, as cited in Article 10 of the Berne Convention. They suggest that the quotation exemption in the Berne Convention effectively provides for a global and mandatory fair use exemption to copyright.
When assessing fair use, both Aplin and Bentley propose that mandatory ‘fair use’ already exists globally within the often-overlooked Article 10(1) of the Berne Convention. This book explores this belief and its significance through examples of permitted uses of copyright material. A critical aspect of the discussion centres on the actual meaning of quotation, and the applicability of the quotation exception.
In an age of screenshotting and reproducing material, this book provides topical insights into fair use of authorship, distributive justice and freedom of expression.