Legal Tech News Review Week 2-8 November 2020, by Eleni Kozari

ePrivacy Draft Regulation amendment includes metadata processing

Amid controversies and disagreements over the long-awaited ePrivacy Regulation, the German EU Council presidency has issued a new draft that includes certain amendments, in particular regarding the lawful conditions for the processing of metadata.

According to a leaked text, the processing of electronic communication metadata by telecommunication providers may be lawful when it is necessary to protect vital interests of the end-users, such as for the monitoring of epidemics and other humanitarian purposes or in case of natural and/or human-made disasters. Drawing from the GDPR’s legal ground of ‘vital interest’, the processing of location data and of data related to the time of communications and the persons involved may be lawful even without the consent of the end-user.

On the other hand, the German presidency’s text aims to exclude the processing of metadata based on the legal ground of ‘legitimate interests’ of the telecommunication providers. Such cases involve processing for the detection of fraud or abusive behaviour, invoicing and billing purposes as well as scientific research. Against this proposal, certain telecom providers have already expressed concerns about potential chilling effects on data innovation within the EU.

While the ePrivacy Regulation process is still ongoing, the Commission is expected to publish a data governance act on 11 November, initiating new rules on the sharing of non-personal data.



EU Council adopts position on collective redress for the protection of consumers, including data protection


On 4th November 2020, the Council adopted its position at first reading on a draft directive regarding collective redress actions for the protection of the consumers’ interests within the EU. The agreement as reached within the Council signals the enactment of collective judicial protection for consumers against infringements of EU law.

In particular, Member States will be mandated to enact a system of representative actions, including both injunction and redress mechanisms, for the protection of consumers’ collective interests. Redress actions include both compensation and replacement. The consumers’ collective interests arise from a series of EU legal acts, which are articulated in the annex of the directive and cover, inter alia, energy, financial services, telecommunications and data protection.

According to the draft, Member States may designate qualified entities to pursue collective judicial protection on behalf of the harmed consumers. Such entities may have domestic competence, i.e. be entitled to bring domestic representative actions in the state where they have been designated, or cross-border competence. In the latter case, such qualified entities should meet the harmonised criteria as articulated in the directive, while any qualified entity should fulfil specific transparency requirements.




Privacy Advocacy Groups appeal ICO’s investigation on adtech industry


A group of British privacy campaigners has filed a legal challenge against the UK’s data protection authority regarding how the latter handled their complaint on the data processing activities taking place in the context of the adtech industry.

The appeal was filed after the ICO informed the campaigners that it had concluded its investigation. However, the Commissioner stated that it will continue with its own separate enquiry into adtech companies, which stopped in May due to the COVID-19 pandemic, without clarifying when it will reopen the investigation. Although the resolution of the legal action is expected to take place within the next year, it is likely to force the re-opening of the ICO’s separate investigation.

The ICO’s initial approach to online advertising focused on the public’s diminished control over which data is collected in the adtech ecosystem and who its recipients are. To this end, the Commissioner had last year ordered the companies involved to get in line with data protection requirements within 6 months, but never proceeded with the imposition of fines and/or remedies.



FTC settles with Zoom over security issues


After the FTC’s allegations and investigation over Zoom’s security practices regarding its videoconference platform, the Authority has reached a settlement with the company. The settlement mandates the company to implement a comprehensive information security program and adopt measures in order to address the specific problems pointed out by the FTC.

According to the FTC, the company had engaged in several deceptive and unfair practices that undermined the security of the end-users. Inter alia, Zoom misled users by claiming that it offered end-to-end encryption (256-bit) in order to secure communications conducted over its platform. However, the company held the cryptographic key and hence could have access to the content of the communication. Such declarations created a false sense of security, affecting in particular the users that deployed the platform for sensitive discussions, such as those about health.

Furthermore, the company also misled certain users by claiming that meetings were encrypted immediately after their end, in case they wanted to store them in the cloud. However, the FTC noted that some recordings remained unencrypted for up to sixty days on the company’s servers before being stored in the cloud.

In the context of the information security program, Zoom is required, inter alia, to adopt and implement a vulnerability management program and report annually on external and internal risks along with the corresponding safeguards. According to the settlement, Zoom is also required to abstain from any privacy and security-related misrepresentation over its practices. Accordingly, the FTC will collect biennial reports on the company’s security program through independent third parties, approved by the Authority.



Proposition 24 of the CCPA passed by voters


On November 3rd, Proposition 24 of the California Consumer Privacy Act was passed by voters. The proposition is expected to extend the scope of the CCPA and foster consumers’ protection.

Proposition 24 aims to empower the state’s privacy law by forbidding legislators from amending it unless such amendments strengthen the privacy protection afforded to consumers. In addition, the proposition stipulates the establishment of a state agency delegated with the enforcement of privacy protection. Furthermore, consumers can now prohibit businesses from sharing and selling more categories of information, including health data, genetics and precise location.

Although eventually passed by voters, the proposition faced opposition not only from tech firms but from privacy campaigners and the ACLU as well. Privacy advocates focused on the lack of ability for low-income citizens to exercise their rights, while the ACLU reiterated its concerns over the CCPA’s provision on ‘pay for privacy’, which eventually inflicts higher costs on consumers that have opted out of the selling of their personal data.
