Aftershocks from the “WannaCry” Cyber-attack
By Sherri Marie Carr, The S. M. Carr Law Firm, Ltd. Co.
The WannaCry cyberattack that began May 12, 2017, impacted 150 countries and “hundreds of thousands of computers[.]” On December 18, 2017, Thomas Bossert, the White House Homeland Security advisor, informed the public, in an article published by The Wall Street Journal, that the United States blamed North Korea for the worldwide WannaCry ransom attack, alleging that the United States had proof of North Korea’s involvement in the attack. Further corroborating the content from his article, Bossert held a White House press briefing on December 19, 2017, where he reiterated this information and stated that “[t]he United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.” The United States government has provided no information on any upcoming action it is considering against North Korea for the cyberattack, but Bossert stressed that the United States must lead the way in these efforts. Microsoft, Facebook, and others have intentionally disrupted activity from “North Korean regime hackers” based on information that they were “still infecting computers” globally.
Ninth Circuit Dismisses Privacy Claim under VPPA
By Heidi Kuffel, Skarzynski Black LLC
In Eichenberger v. ESPN, Inc., the Ninth Circuit Court of Appeals recently affirmed dismissal for failure to state a claim in a case alleging that ESPN violated the Video Privacy Protection Act of 1988 (VPPA) by knowingly disclosing personally identifiable information in the form of a streaming device serial number and information about certain videos the plaintiff watched. Plaintiff used the WatchESPN channel on his Roku device, which shared data with Adobe. Adobe allegedly used this data, along with other data it already possessed, to provide aggregate data to ESPN; ESPN in turn allegedly provided this aggregate data to advertisers for demographic and other analytics. Although the court held that the plaintiff had standing, since “the VPPA identifies a substantive right to privacy that suffers any time a video service provider discloses otherwise private information,” the Ninth Circuit held that the information disclosed did not constitute personally identifiable information within the meaning of the VPPA, because the information transmitted by the app could not “identify an individual unless it is combined with other data in Adobe’s possession.”
EU Advocate General: Schrems Can’t Bring Class Action Against Facebook
By David Sella-Villa
Maximilian Schrems, the Austrian privacy activist famous for bringing the lawsuit that ended the U.S.-EU Safe Harbor, may have less success with his current case. Schrems filed a class action in Austria alleging Facebook’s violation of his privacy and data-protection rights under EU law. The Austrian high court asked the European Court of Justice (ECJ) to rule on (1) whether Schrems was still in fact a “consumer,” and (2) whether he could bring a class action under these claims. On November 14, 2017, EU Advocate General Michal Bobek advised the ECJ that (1) Schrems is still a consumer, but (2) he may not bring class actions for these claims, citing concerns about forum shopping. The ECJ typically follows the Advocate General’s advice, and will likely decide the case next year.
French Regulators Give Facebook and WhatsApp 30 Days to Comply with French Data Protection Act
By Michael Silvestro, Skarzynski Black LLC
The CNIL, France’s data privacy regulator, has issued formal notices to Facebook and WhatsApp alleging that Facebook, WhatsApp’s owner, has violated the French Data Protection Act by sharing WhatsApp’s user data with Facebook. The CNIL alleges that data transfers between WhatsApp and Facebook for “business intelligence” purposes lack a legal foundation and that user content was not “validly” collected because the purpose of the collection was not sufficiently specified. The CNIL further alleged that users could not opt out of the transfers; rather, the only other option would be to uninstall the application. Per the CNIL, failure to comply may result in a significant fine. This is not the first time that European regulators have intervened with Facebook and WhatsApp; in May, the European Commission fined Facebook 110 million euros for providing “incorrect or misleading” information regarding its acquisition of WhatsApp.
Germany’s Antitrust Regulator Challenges Facebook Data Collection
By Michael Silvestro, Skarzynski Black LLC
Germany’s antitrust regulator, the Federal Cartel Office (FCO), has alleged that Facebook collects user data in a manner that violates German competition law. The FCO alleges that, with more than 90 percent market share, Facebook is the dominant social network in Germany, leaving users with no alternative but to accept terms of service that include consent for collection of third-party data. The FCO contends that, because of Facebook’s market position, users have not effectively consented to Facebook’s data tracking of users beyond its social network, or to the merging of that data into Facebook user accounts for advertising purposes. The FCO’s actions signal a potential expansion of antitrust enforcement. If European antitrust laws are enforced with regard to big data collection, it could ultimately create issues for many companies whose business models rely on data collection, analytics, or associated advertising.