“Pokémon Go” Developer feels the heat over data collection; 2nd Circuit Ruling limits government’s access to data stored overseas; 9th Circuit CFAA Ruling increases Facebook’s control over its Users’ Data; Dutch Study reveals tension between EU Trade Deals and Data Protection

“Pokémon Go” Developer in Hot Water over Extensive Data Collection Practices

In early July, mobile game developer Niantic released “Pokémon Go,” a free-to-download “augmented reality” game for Android and iOS devices. In less than a week, the game had been downloaded by more than 15 million unique users, making the game’s launch one of the most widely adopted in history. Privacy advocates soon raised serious questions about the game and its accompanying privacy policy, which until July 12 granted full access to users’ Google account data unless users opted out of such permissions—prompting Niantic to issue its first update resolving the permissions issue.

On July 12, Senator Al Franken (D-MN) sent a letter to Niantic CEO John Hanke demanding the company explain in detail the types of data Niantic collects from players, why that data “is necessary for the provision or improvement of services,” and how the company plans to use the data gathered. Franken’s letter also questioned the company’s opt-out data collection practices, suggesting that “Niantic consider making this collection/access opt-in.” Franken, who serves as the Ranking Member on the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law, has in the past spoken out against similar practices by other mobile app developers, including Uber and Lyft. Mr. Hanke has until August 12 to respond to Sen. Franken’s questions.

2nd Circuit: Government Cannot Use Warrant to Access U.S. Companies’ Data Stored Overseas

On July 14, the Second Circuit ruled that American companies are not required to hand over user data stored overseas, even when confronted with a government search warrant.   This decision overturned a 2014 civil contempt citation issued against Microsoft for refusing to turn over personal email data the firm stored in Ireland.

For more information about this notable ruling, refer to Crowell & Moring’s Data Law Blog Post on the subject, located here.

9th Circuit: Social Media Aggregators Violate CFAA by Accessing Facebook Users’ Data against Facebook’s Wishes

On July 12, the Ninth Circuit provided a mixed ruling for Facebook in its CFAA suit against Power Ventures, a social media aggregator that used Facebook users’ information to promote its website. In December 2008, Power Ventures hosted a promotion in which “First 100 people who bring 100 new friends to Power.com [would] win $100.”  When those users agreed to do so, Power Ventures posted an event, photo, or status on the user’s Facebook profile or automatically generated a Facebook message to the user’s contacts.  That same month, Facebook sent Power Ventures a cease-and-desist letter telling the company to halt such activities, but the company persisted.

The district court granted summary judgment for Facebook on two counts: (1) Power Ventures violated the CAN-SPAM Act of 2003, which grants a private cause of action for ISPs adversely affected by emails with false or misleading headers, and (2) Power Ventures violated the CFAA by “access[ing] Facebook’s computers without permission” after Power Ventures received Facebook’s cease-and-desist letter. Pursuant to the CAN-SPAM violation, the court granted Facebook a $3 million damages award. In its July 12 ruling, the Ninth Circuit upheld Facebook’s CFAA claims, but dismissed the CAN-SPAM claims—and the accompanying $3 million award—after finding the email messages’ headlines were neither false nor misleading.

This decision is particularly notable because Power Ventures faced liability merely because it acted against Facebook’s wishes, even though the individual Facebook users granted permission to Power Ventures to access information.

Dutch Study reveals tension between EU Trade Deals and Data Protection

The provisions of some EU trade agreements might allow for the dilution of the EU’s high standards of data protection, according to a study carried out by researchers from the University of Amsterdam’s (UvA) Institute for Information Law.

The study, which was published on 13 July 2016, identifies critical issues where EU data protection law and free trade agreements may collide. According to the researchers, trade agreements may increasingly allow for unrestricted transfers of data, including personal data, between countries. Agreements analyzed included the WTO agreement on trade in services, the EU-Canada agreement, the future EU-US TTIP agreement and the planned Trade in Services Agreement. With regard to the TTIP negotiations in particular, it should be mentioned that this issue is still a major point of contention and remains largely open, so the TTIP could still very well be concluded with provisions that do not dilute EU data protection standards.

“New free trade agreements should contain a comprehensive and legally binding provision which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of this agreement, without any conditions that it must be consistent with other parts of the [deal],” the study says. “As long as this is not granted, the EU should not enter into additional commitments concerning free data flows in new and enhanced disciplines that lack any reference to the party’s privacy and data protection laws.”