NHTSA Issues Voluntary Driverless Car Guidelines; European Privacy Supervisor proposes Digital Clearing House for coherent handling of Big Data cases; Facebook and Power Ventures Battle Over the Scope of the CFAA; Arizona Supreme Court: Police Cannot Search Unlocked, Unattended Phone; German consumer group urges Whatsapp to stop sharing data with Facebook; German DPA issues guidelines on Privacy Shield
NHTSA Issues Voluntary Driverless Car Guidelines
On Tuesday, September 20th, NHTSA issued its long-awaited voluntary automated vehicles policy. The voluntary guidelines include provisions for all levels of autonomous vehicles – from fully automated to semi-automated – and are divided into four parts: (1) Vehicle Performance Guidelines (VPG), (2) Model State Policy, (3) NHTSA’s Current Regulatory Tools, and (4) Modern Regulatory Tools. The first two parts of the guidance contain the bulk of NHTSA’s recommendations.
The VPG address both privacy and cybersecurity, incorporating many recommendations from other privacy and cybersecurity standards. For example, the recommendations explicitly incorporate the White House Consumer Privacy Bill of Rights. Not surprisingly, the recommendations encourage manufacturers to incorporate cybersecurity best practices from across several industries. The VPG also requests that manufacturers voluntarily provide a Safety Assessment Letter to NHTSA, certifying compliance with the VPG. This Letter will likely become a mandatory reporting requirement once manufacturers release autonomous vehicles for use on public roads.
The Model State Policy makes clear that NHTSA hopes for uniform regulation in this area. It explicitly encourages states to leave regulation here to the Department of Transportation alone; for states that do act, NHTSA has included the Model State Policy with an eye towards uniformity. The latter two portions of the guidance highlight that regulation in this area is in its infancy and will evolve over time.
Manufacturers should expect that these guidelines, or a regime that is similar to them, will become mandatory in the near future and plan accordingly. Moreover, especially where cybersecurity is so closely tied to physical safety, as it is with automated vehicles, plaintiffs will be keen to point to these voluntary standards as the “standard of care” in future class actions.
European Privacy Supervisor proposes Digital Clearing House for coherent handling of Big Data cases
The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, has announced in a non-binding opinion of September 23, 2016 that he proposes setting up a ‘Digital Clearing House’ in order to better protect the rights of individuals in Big Data mergers.
According to Buttarelli, the ‘Digital Clearing House’ should be set up as a voluntary network of regulators working together more closely by sharing information and ideas. This should help protect individuals’ rights to privacy, freedom of expression and non-discrimination by making web-based service providers more accountable for their conduct.
Buttarelli’s approach is in line with the policy discussions and ongoing investigations of the EU and national competition law authorities, who are already trying to assess privacy issues in competition-law contexts: among others, the German Federal Cartel Office is currently looking into Facebook’s Privacy Policy and Competition Commissioner Vestager is having a second look into the Facebook-Whatsapp merger due to WhatsApp’s data sharing plans.
For data-related businesses, this means an increased need for awareness of potential privacy and/or consumer law obstacles, both when preparing the notification of a proposed transaction to the competition authorities and with regard to potential antitrust infringements.
Facebook and Power Ventures Battle Over the Scope of the CFAA
Power Ventures, Inc., a media aggregation company, pushed for a rehearing of a 9th Circuit ruling in its dispute with Facebook over the Computer Fraud and Abuse Act (CFAA), a statute that provides for both civil and criminal liability. Power Ventures runs a service that allows users to see all of their social media activity in one place. To execute this service, Power Ventures accessed users’ Facebook accounts in violation of Facebook’s terms of use and a cease and desist letter that the social media giant sent Power Ventures. Power Ventures argues that by holding that this type of behavior violates the CFAA, the 9th Circuit could create criminal and civil liability for a couple that shares an online bank account or academic researchers studying an online platform. Facebook disagrees. It argues that Power Ventures’ conduct is easily distinguishable from these scenarios.
The outcome of this case will further define the notoriously ambiguous CFAA. It also solidifies the 9th Circuit’s status as one of the key interpreters of the law. Further, it will establish how far the 9th Circuit is willing to take its holding in Nosal, a 2012 en banc decision that held that an employee violating the scope of his access could not face criminal liability under the statute. Given the criminal reach of the CFAA, the court may be cautious about interpreting it broadly.
Arizona Supreme Court: Police Cannot Search Unlocked, Unattended Phone
The Arizona Supreme Court in Peoples v. Arizona has ruled that a person has a limited expectation of privacy in his or her mobile phone, even when it is unlocked and not in the same room as the person. Because of this reasonable expectation of privacy, police must secure a search warrant before searching the phone. The reasoning in Peoples closely tracks the reasoning in Riley v. California, where the Supreme Court held that police could not search a mobile phone without a warrant in a search incident to arrest. Generally, courts have taken a harder look at law enforcement’s ability to search mobile devices. The Arizona case here could be part of a wave of court decisions providing expanded Fourth Amendment protection.
German consumer group urges Whatsapp to stop sharing data with Facebook
The German Federation of Consumer Organisations (VZBW) has given WhatsApp a September 21 deadline to sign a cease and desist declaration and to discontinue the company’s plans to share data (more precisely: mobile phone numbers of its users) with Facebook. If Whatsapp doesn’t comply, the organization is planning to look into legal action.
A potential claim of VZBW would be based on a new consumer litigation law, which complements the German Act on Applications for an injunction and gives consumer organizations such as VZBW the right to sue companies for unlawful use of consumer data, and privacy issues related to relationships with consumers. It also allows for legal actions related to consent disputes, unauthorized advertising or market research.
The German press statement of VZBW can be found here.
Regardless of how the current action of the VZBW continues, it certainly shows that companies with huge customer groups have to be aware of the risk of consumer group claims when planning their privacy law compliance. Such claims are currently possible under, among others, German or Austrian law. This will apply in particular once the new European General Data Protection Regulation applies, as it will grant increased rights to individuals.
German DPA issues guidelines on Privacy Shield
The German Data Protection Authority of North Rhine-Westphalia (LDI) has issued a guidance paper (German only) which outlines and explains what companies and/or affiliates established in the German state have to take into account when transferring data to a ‘Privacy Shield’-certified U.S. company.
The paper first stresses that, apart from the legitimization of the transfer as such, the transfer, which constitutes a processing action, also has to be legitimized under Article 4 of the German Data Protection Act. Additionally, according to the LDI, the exporter has additional due diligence obligations related to the Privacy Shield. These obligations involve an “assessment of whether the data importer is duly certified and whether it actually complies with its obligations”. In addition, companies are also recommended to ask for “proof that the US company is fulfilling its information duties towards the data subjects” [translations by author].
Strictly speaking, this means that, in the view of the LDI, German businesses cannot just enter into a data processing agreement with Privacy Shield-certified companies, but have to carry out additional due diligence efforts. Apart from that, the LDI has made clear that it reserves the right to suspend data transfers based on Privacy Shield if the annual reviews raise doubts as to the compliance of Privacy Shield with European Fundamental Rights.
It remains to be seen how other German state DPAs will see these issues. However, the LDI paper appears to confirm the consistent assessments and interpretations that all German DPAs raised in the course of the Safe Harbor debates, so other German DPAs might be expected to issue similar papers.