Legal & Government Affairs Update September 2020
General Counsel at FAST
Covered in this update
In this month's newsletter we look at the highly anticipated judgement in Schrems II and the plethora of consequences it will have on UK, US and EU data transfers. Elsewhere we consider:
- Global privacy expectations of video teleconference providers in the wake of Covid-19
- TikTok signs copyright licensing agreements with music publishers
- Software copyright infringement summary judgement application dismissed by the High Court
- Book recommendation: The Road to Conscious Machines: The Story of AI
If there is anything you would like me to focus on in the coming months, please let me know.
Schrems II – Privacy Shield declared invalid in long-awaited CJEU judgement
The European Union’s Charter of Fundamental Rights grants EU citizens various rights in relation to the processing of their personal data. This materialised in the General Data Protection Regulation (EU) 2016/679 (GDPR), which, amongst many other rights, states that ‘restricted transfers’ of data to countries outside the European Economic Area are conditional on the data being adequately protected by ‘appropriate safeguards’. One of these international data transfer mechanisms is standard contractual clauses (SCCs) which have been adopted by the European Commission with the aim of protecting personal data through pre-agreed contractual obligations that are GDPR compliant.
The other key transfer mechanism, up until 2015, was the EU-U.S. data flow arrangement known as the Safe Harbour Framework between the US Department of Commerce and the European Union. It regulated all cross-Atlantic data transfers and was deemed an ‘appropriate safeguard’ by the EU. However, this was famously brought down by Austrian privacy activist Max Schrems, who questioned the validity of the Safe Harbour Framework. He complained to the Irish Data Protection Commissioner about Facebook Ireland’s reliance on the Framework when transferring his personal data to their US servers. Whilst his initial complaint was rejected, the European Court of Justice (CJEU) found the Safe Harbour Framework to be inadequate in protecting EU citizens’ personal data, in a ruling colloquially known as ‘Schrems I’.
The EU and U.S. subsequently negotiated the EU-U.S. Privacy Shield as a like-for-like replacement for the Safe Harbour Framework. This maintained the core principles of the Safe Harbour Framework, such as companies being able to self-certify their compliance with certain privacy principles and standards. Whilst this was viewed as a major improvement, concerns still lingered over its adequacy, and within a few months of its inception, data protection experts and activists were criticising the Privacy Shield for not providing adequate protection.
Following Schrems I, Facebook had to change its international data transfer mechanism and began to rely on the SCCs as an adequate safeguard instead of the Safe Harbour Framework. Schrems submitted yet another complaint in response to this, with similar reasoning to his initial challenge. This became the basis of the Schrems II case, and was brought before the Irish Data Protection Commissioner. The case was referred to the Irish High Court, which in turn referred questions to the CJEU in 2018, asking for clarification on the validity of the SCCs as well as the Privacy Shield.
Whilst the CJEU ruled that the SCCs remain a valid international data transfer mechanism for EEA personal data, this now comes with significant caveats. For instance, EU data exporters (the EEA-based party) can only rely on SCCs when they are satisfied that there is an appropriate level of protection in the country where the importer is based. The CJEU states that:
‘it is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.’
Data importers also have a new obligation to inform the data exporter if they become aware of circumstances that will prevent them from reaching this threshold. Upon receiving notification of this, the exporter must cease data transfers to that country unless ‘additional safeguards’ can be implemented to ensure this standard is upheld. This is explained by the court:
‘Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned’.
In a shocking judgement, the CJEU decided not to follow the Attorney-General’s suggested approach and instead ruled that the Privacy Shield would no longer be a valid mechanism for transferring personal data from the EEA to the US. The reasoning behind this judgement was twofold:
Firstly, the court found that the broad powers of US national security agencies, such as the FBI, to access the personal data held by US corporations conflicted with the Privacy Shield, as such access could not be deemed ‘strictly necessary’. The CJEU states: ‘the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country’. Secondly, the CJEU found that the ombudsman complaint mechanism within the Privacy Shield failed to provide adequate compensation for EU data subjects who were at odds with how their data was processed in the U.S.
These reasons were sufficient for the CJEU to invalidate the Privacy Shield on the grounds that it fails to satisfy the necessary level of protection.
The Impact of the Decision
This judgement will have a significant impact on both EU and UK data exporters and their respective third country importers. If an organisation such as yours is currently transferring data from the EEA to the US via the Privacy Shield, alternative transfer mechanisms must now be considered. It remains to be seen whether the authorities will allow a grace period for this transition, similar to the one given when the Safe Harbour provisions were declared invalid in 2015. There are also no current indications that a replacement for the Privacy Shield will be introduced.
Whilst use of the SCCs remains valid, implementation of this mechanism will now require constant analysis of the importing country’s data regime to ensure that it provides an appropriate level of protection. All current data transfers will require a re-assessment to ensure this high standard is met, and it is likely that many countries will struggle to meet these criteria. It will also be difficult for organisations to rely on this mechanism until the CJEU clarifies what qualifies as ‘additional safeguards’ in circumstances where third countries fail to reach the required threshold.
With over 5,000 companies relying on the Privacy Shield, many will inevitably have to move away from transfers to the US altogether until further guidance is published.
The UK’s position in light of Brexit
As of September 2020, the UK remains in the transition period, meaning all data transfers from the UK are to be treated identically to the rest of the EU. The EU and UK are currently negotiating an adequacy decision for the end of this transition period, to determine whether the UK will, itself, become a third country on 31st December 2020.
The status quo is summarised by the International Association of Privacy Professionals (IAPP):
‘While the adequacy assessment for the U.K. is currently underway, a U.K. adequacy finding is by no means a given. Given that the EU-U.S. Privacy Shield appears to have been invalidated primarily because of concerns about U.S. law and practice on government surveillance, similar arguments could be made in relation to the U.K. adequacy assessment. This is particularly so in view of the broad powers of the U.K. authorities to intercept communications and require access to data under the Investigatory Powers Act 2016’.
The UK’s approach to data transfers with the US will also have an influence on the EU’s findings of UK adequacy. If it implements its own Privacy Shield-type arrangement, or even declares the US valid for data transfers, it is likely that it will fail the adequacy test.
On the 27th July 2020, the ICO provided an updated statement on the judgement made by the CJEU in Schrems II. This includes guidance from the European Data Protection Board (EDPB), which recommends that affected companies conduct a risk assessment as to whether the SCCs provide enough protection within the local legal framework.
The EDPB has also issued FAQs in relation to the invalidation of the Privacy Shield and the implications for SCCs: https://edpb.europa.eu/our-work-tools/our-documents/ovrigt/frequently-asked-questions-judgment-court-justice-european-union_en
Global Privacy Expectations of Video Teleconference Providers
Whilst the use of Video Teleconferencing (VTC) services isn’t novel or ground-breaking, we have seen an exponential growth in their usage across all sectors in the wake of COVID-19. Greater usage has resulted in increased sharing of personal information, which is particularly pertinent in the healthcare sector where that data relates to vulnerable people.
In light of this, an open letter has been published by six Authorities to all companies that provide VTC services, but has been sent directly to Microsoft, Zoom, Cisco, House Party and Google. Namely, the six Authorities are the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Hong Kong Privacy Commissioner for Personal Data, the Switzerland Federal Data Protection and Information Commissioner and the UK Information Commissioner’s Office.
The purpose of this letter is to explain their key concerns in relation to the protection of privacy rights and to establish the expectations they have of VTC companies to effectively mitigate these concerns, which are discussed below:
The constant evolution of cyber-threats means our current security measures are never far away from becoming outdated. This has been highlighted during the pandemic, with multiple VTC products suffering leaks of personal data due to weaknesses in their security being exposed.
As a result, the Authorities expect VTC providers to ensure ‘adequate safeguards’ are in place to prevent unauthorised access to this data, including effective end-to-end encryption for all data communicated, two-factor authentication and strong passwords. They note that this is particularly relevant for organisations that provide VTC services to sectors that regularly process sensitive information.
Finally, the Authorities remind companies to remain constantly aware of new security risks and ensure their users have up-to-date patches and security upgrades.
Privacy-by-design and Default
The Authorities explain that data protection and privacy cannot be an afterthought in the design of VTC platforms as it will lead to falling short of the expectations users demand in upholding their rights. Instead, they require companies to take a ‘privacy by design’ approach and consider the ‘principle of least privilege’ by making privacy-friendly settings the default.
The letter provides tangible measures which will help companies achieve this, including: implementing strong access controls by default, clearly announcing new callers, setting video and/or audio feeds to mute on entry, and minimising the personal information captured, used and disclosed by your product to only that necessary to provide the service.
Know your Audience
As a result of Covid-19, VTC platforms are now used for an array of circumstances which could never have been anticipated. The letter demands that companies become aware of the variety of contexts for which their services are now used, whether it be children and education, or vulnerable people and healthcare. Once aware of all contexts for which your platform is used, companies are required to identify and implement appropriate measures accordingly.
Transparency and Fairness
As readers of this newsletter will be aware, there have been multiple high profile privacy breaches in recent years, which have led to an increased awareness of how personal data is handled by organisations. The Authorities have highlighted that these obligations are no different for VTC platforms, and companies must inform data subjects what information they collect, how they use it and who they share it with, amongst many other GDPR requirements.
They urge companies to consider how future updates to VTC platforms will affect their current data regime and to ensure platform users are informed of these changes, so that they can make informed decisions about how they use the platform accordingly.
The Authorities point out that VTC platforms may ‘raise the risk of covert or unexpected monitoring’ in circumstances such as virtual schooling. To mitigate this risk, the Authorities require VTC providers to ensure all end-users are provided with appropriate information and controls relating to monitoring features, for example by introducing opt-out mechanisms so that end users can prevent the VTC platform from collecting location data or recording the transcript of calls.
The Authorities appreciate that VTC companies ‘offer a valuable service’ by keeping us connected during the Covid-19 pandemic, but are clear in their message that the ‘ease of staying in touch must not come at the expense of people’s data protection and privacy rights’.
VTC companies are invited by the Authorities to respond to this open letter by the 30th September, to demonstrate how they are implementing the aforementioned principles in the design and delivery of their services.
VTC services have been subject to an exponential rise in popularity during Covid-19, and this rapidly increasing user base is showing no signs of slowing down as businesses adapt to managing a more digital workforce. Whilst this increased level of expectation on VTC companies may seem onerous, they will be key players in this new era of communication and must address data privacy adequately.
The open letter can be read in full here: https://ico.org.uk/media/about-the-ico/documents/2618022/vtc-open-letter-20200721.pdf
TikTok signs major copyright licensing agreements with music publishers
Social media platform TikTok allows users to upload short clips of themselves, often lip-syncing or dancing to music. With its popularity reaching unprecedented levels, major concerns have arisen over the platform’s unlicensed use of music. In October 2019 the CEO of the National Music Publishers Association, David Israelite, claimed that legal action against TikTok was ‘a likely future step’, as he estimated that more than 50% of the music publishing market was unlicensed. Whilst TikTok has undoubtedly helped music rights-holders gain newfound popularity, the industry demands that they benefit directly from the usage of their music by way of royalty payments.
This standoff is seemingly coming to a close in the wake of the EU Copyright Directive. Upon its implementation in June 2021, TikTok will become liable for its user base uploading protected works into the public sphere. Perhaps unsurprisingly, this has led to an increased number of negotiations for licensing deals with TikTok in recent months. Universal, Warner and Sony have all agreed short term licensing deals with the social media giant, alongside Believe, who distribute more than a third of the world’s digital music. Most notably, TikTok have agreed a licensing deal with the UK National Music Publishers Association (NMPA). This gives their members the ability to opt in to a framework that will see them benefit from royalties when their protected works are published on the TikTok platform.
Are TikTok videos parodies?
In an article written by Hayleigh Bosher, the question is asked whether protected works uploaded to the TikTok app can benefit from being categorised as parody. As per UK law: ‘fair dealing with a performance or a recording of a performance for the purposes of caricature, parody or pastiche does not infringe the rights conferred by this Chapter in the performance or recording’. Guidelines give the example that ‘a comedian may use a few lines from a film or song for a parody sketch’.
However, as the article references, Sabine Jacques states that ‘a parody is something distinct from a mere re-working or altered copy. A parody communicates a new distinctive message from the earlier work it reproduces, and typically results in the creation of a new expression which may be eligible for copyright protection’. This seems to be a clear distinction from the lip-syncing on TikTok.
The article can be found here: http://ipkitten.blogspot.com/2020/07/tiktok-signs-copyright-licensing.html
Case Law Updates
Software copyright infringement summary judgement application dismissed by the High Court
An interesting judgement has been handed down by Douglas Campbell QC in Oysterware Ltd v Intentor Ltd and others.
The claimant supplied digital signage services to the defendant in the form of software, hardware and IT support. The agreement was later terminated and the claimant brought proceedings against the defendant for various claims, including copyright infringement.
The claimant alleged that the defendant copied the ‘design’ of the claimant’s product, which was said to be a ‘single homogenous runtime image’ that comprised code owned by Microsoft, the claimant and other third parties. He also alleged that the defendant changed the password and gained unauthorised access to the product.
The defendant claimed the product was merely a ‘general purpose computer with a Windows XP operating system’ and therefore the claimant owned no copyright in the operating system, and no copyright subsisted in the design of the ‘product’.
The claimant’s application for summary judgement on the claim for copyright infringement against the defendant was refused by Douglas Campbell QC on the following grounds:
Whilst the claimant believed that copyright subsisted in the design of the product, the court struggled to understand what he was specifically referring to. Expert evidence suggested that the product could not be stripped back and judged compartmentally, but rather that its design had to be considered as a whole. As the claimant’s argument relied on copyright subsisting in the ‘single homogenous runtime image’ alone, the court looked unfavourably on the claimant’s plea. The expert evidence went on to state that what could be interpreted as ‘design’ depended on ‘skilled choices’ and was ‘a matter of opinion’.
The question for the court was to determine whether the defendant had copied what conferred originality on the product. When assessing the originality of the product, the defendant’s expert said that 70% of it lacked originality. Whilst the claimant deemed this irrelevant, it led back to the questions about the claimant’s failure to identify exactly what the product structure was, and its indecision about what it was specifically trying to protect in the product.
The Road to Conscious Machines: The Story of AI – Michael Wooldridge
Michael Wooldridge has been researching AI since 1989, and was the President of the European Association for AI from 2014 to 2016. He has published over 400 articles on the topic, and is also a computer science researcher at the University of Oxford.
This book is an all-encompassing exploration into AI, from the highly detailed technical elements of design, to the highly debated social and ethical issues surrounding its existence. Through clear words he debunks common myths surrounding dystopian concepts of machines replacing humans.
For anyone who wishes to have a clear grasp of the past, present and future of AI, there is no better starting point than this book.