Photo of Lauren Myers


Less than one week after replacing the now defunct Article 29 Working Party (WP29), the European Data Protection Board (EDPB) has adopted new guidelines on the EU General Data Protection Regulation (GDPR) and issued a statement on the ePrivacy Regulation revision.

What Is the European Data Protection Board? How Is It Different from the Article 29 Working Party?

The EDPB is made up of the head/representative of each of the EU national supervisory authorities, the European Data Protection Supervisor, and a non-voting member of the European Commission. The Board is tasked with ensuring the consistent application of GDPR by monitoring and ensuring the correct application of the GDPR, issuing guidelines, recommendations, and best practices regarding GDPR requirements, and approving data protection certification mechanisms encouraged under the GDPR, among other things. While the structure of the EDPB resembles that of the WP29, unlike the WP29, the EDPB has the power to adopt binding decisions to ensure the correct and consistent application of the GDPR.

What’s New on the European Data Protection Board Front?

The EDPB is carrying out its mandate to ensure a consistent level of data protection for individuals and the consistent application of GDPR by taking the following steps:

  • Endorsing GDPR material issued by the WP29 (i.e., WP29 guidelines, recommendations, working documents, and referential).
  • Adopting a draft version of the Guideline on certification, which explains key concepts of certification provisions under GDPR Articles 42 and 43 as well as the scope and purpose of certification. The deadline for comments (which should be sent to EDPB@edpb.europa.eu) is July 12, 2018.
  • Adopting the final version of the Guidelines on derogations applicable to international transfers, which provides guidance on the application of GDPR Article 49 on derogations when transferring personal data to third countries or international organizations.
  • Releasing a statement on the revision to the ePrivacy Regulation, supporting the swift adoption of the new ePrivacy Regulation and offering insights and clarifications on key issues, including: preventing the processing of electronic communications on the basis of “legitimate interest” or the general purpose of performance of a contract; ensuring that the new regulation maintains at least the current level of protection under the ePrivacy Directive; providing protection for all electronic communications; encouraging the use of anonymized electronic communication data; and ensuring that consent is obtained for websites and mobile apps.

How Do These European Data Protection Board Developments Impact My Business?

Now that GDPR is effective, the EDPB is moving swiftly to provide implementation guidance and compliance recommendations. All businesses with an EU footprint should familiarize themselves with and monitor the EDPB website for GDPR guidelines and public consultations.  Given the anticipated end of 2018 entry into force of the ePrivacy Regulation, which will complement the GDPR, companies should likewise scrutinize the EDPB’s recent ePrivacy Regulation statement in relation to their electronic communications practices.

You’ve probably heard of the dreaded four-letter word – GDPR.  Companies around the globe had been preparing for the May 25th implementation date for quite some time.  But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them.  Let’s face it, we have enough federal and state laws here in the U.S. to worry about.  But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR.

Earlier this week, the FTC settled its case with BLU Products, Inc., a cell phone company the FTC claimed misled consumers about its privacy and data security practices. According to the agency, the company represented that it did not collect unnecessary personal information and that it imposed specific data security procedures to protect consumers’ personal information. But the FTC claimed not so fast, alleging that BLU allowed one of its partners, an advertising software company, to collect sensitive consumer information such as text message contents and call logs with full telephone numbers. The FTC also alleged that BLU failed to implement the security features it represented to consumers, allowing the company’s devices to be subject to security vulnerabilities that could allow third parties to gain full access to the devices.

In settling the case, BLU agreed not to misrepresent its data collection or data security practices. The order also requires BLU to clearly and conspicuously disclose: (1) all of the “covered information” that the company collects, uses, or shares; (2) any third parties that will receive this “covered information”; and (3) all purposes for collecting, using, or sharing such information. This disclosure must be separate from the company’s privacy policy or terms of use and the company must obtain the consumer’s affirmative express consent to the collection, use, and sharing of such information. “Covered Information” is defined as geolocation information, text message content, audio conversations, photographs, or video communications from or about a consumer or their device.

In the world of social media, a person’s power is often measured in terms of followers. More followers means the ability to influence more people. Companies who work with influencers understand this and often base compensation on this metric. For example, according to data collected by Captiv8, an influencer with a thousand followers might earn an average of $2,000 for a promotional tweet, while an influencer with a million followers might earn ten times that.

A new article in the New York Times suggests that companies may want to think twice about blindly focusing on follower counts. The authors report that a company named Devumi has sold Twitter followers to over 200,000 customers, including celebrities and other influencers. According to the article, Devumi has a stock of about 3.5 million accounts, at least 55,000 of which use the names, profile pictures, hometowns, and other personal details of real Twitter users.

The use of real people’s information to power these bots caught the attention of the New York Attorney General. In a tweet last week, Eric Schneiderman wrote: “Impersonation and deception are illegal under New York law. We’re opening an investigation into Devumi and its apparent sale of bots using stolen identities.” The investigation is the latest in a series of federal and state inquiries into the commercial and political abuse of fake accounts on social media.

How can you protect yourself from social media bots? Beyond the obvious advice that you should not buy fake followers, we recommend that companies and influencers both exercise some due diligence when it comes to followers. For example:

  • If your company pays influencers based on the number of followers they have, investigate whether those followers are real people. It may not always be possible to know for sure, but the New York Times article suggests some signs that could indicate fraud.
  • If you’re an influencer, and you’ve hired a PR company or agent to help boost your image, take steps to ensure that they aren’t doing that fraudulently. (Some of the examples in the article involved purchases that were made by third parties.)

We’ll keep an eye on this issue as it develops. In the meantime, if you want to learn more about the risks posed by bots, read our previous post on the subject.