January 01, 2018

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Cybersecurity

Aftershocks from the “WannaCry” Cyber-attack

By Sherri Marie Carr, The S. M. Carr Law Firm, Ltd. Co.

The WannaCry cyberattack that began May 12, 2017, impacted 150 countries and “hundreds of thousands of computers[.]” On December 18, 2017, Thomas Bossert, the White House Homeland Security advisor, informed the public, in an article published by The Wall Street Journal, that the United States blamed North Korea for the worldwide WannaCry ransom attack, alleging that the United States had proof of North Korea’s involvement in the attack. Further corroborating the content from his article, Bossert held a White House press briefing on December 19, 2017, where he reiterated this information and stated that “[t]he United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.” The United States government has provided no information on any upcoming action it is considering against North Korea for the cyberattack, but Bossert stressed that the United States must lead the way in these efforts. Microsoft, Facebook, and others have intentionally disrupted activity from “North Korean regime hackers” based on information that they were “still infecting computers” globally.

Data Privacy

Ninth Circuit Dismisses Privacy Claim under VPPA

By Heidi Kuffel, Skarzynski Black LLC

In Eichenberger v. ESPN, Inc., the Ninth Circuit Court of Appeals recently affirmed dismissal for failure to state a claim in a case alleging that ESPN violated the Video Privacy Protection Act of 1988 (VPPA) by knowingly disclosing personally identifiable information in the form of a streaming device serial number and information about certain videos the plaintiff watched. Plaintiff used the WatchESPN channel on his Roku device, which shared data with Adobe. Adobe allegedly used this data, along with other data it already possessed, to provide aggregate data to ESPN; ESPN in turn allegedly provided this aggregate data to advertisers for demographic and other analytics. Although the court held that the plaintiff had standing, since “the VPPA identifies a substantive right to privacy that suffers any time a video service provider discloses otherwise private information,” the Ninth Circuit held that the information disclosed did not constitute personally identifiable information within the meaning of the VPPA, because the information transmitted by the app could not “identify an individual unless it is combined with other data in Adobe’s possession.”

International Law

EU Advocate General: Schrems Can’t Bring Class Action Against Facebook

By David Sella-Villa

Maximilian Schrems, the Austrian privacy activist famous for bringing the lawsuit that ended the U.S.-EU Safe Harbor, may have less success with his current case. Schrems filed a class action in Austria alleging Facebook’s violation of his privacy and data-protection rights under EU law. The Austrian high court asked the European Court of Justice (ECJ) to rule on (1) whether Schrems was still in fact a “consumer,” and (2) whether he could bring a class action under these claims. On November 14, 2017, EU Advocate General Michal Bobek advised the ECJ that (1) Schrems is still a consumer, but (2) he may not bring class actions for these claims, citing concerns about forum shopping. The ECJ typically follows the Advocate General’s advice, and will likely decide the case next year.

French Regulators Give Facebook and WhatsApp 30 Days to Comply with French Data Protection Act

By Michael Silvestro, Skarzynski Black LLC

The CNIL, France’s data privacy regulator, has issued formal notices to Facebook and WhatsApp alleging that Facebook, WhatsApp’s owner, has violated the French Data Protection Act by sharing WhatsApp’s user data with Facebook. The CNIL alleges that data transfers between WhatsApp and Facebook for “business intelligence” purposes lack a legal foundation and that user content was not “validly” collected because the purpose of the collection was not sufficiently specified. The CNIL further alleged that users could not opt out of the transfers; rather, the only other option would be to uninstall the application. Per the CNIL, failure to comply may result in a significant fine. This is not the first time that European regulators have intervened with Facebook and WhatsApp; in May, the European Commission fined Facebook 110 million euros for providing “incorrect or misleading” information regarding its acquisition of WhatsApp.

Germany’s Antitrust Regulator Challenges Facebook Data Collection

By Michael Silvestro, Skarzynski Black LLC

Germany’s antitrust regulator, the Federal Cartel Office (FCO), has alleged that Facebook collects user data in a manner that violates German competition law. The FCO alleges that, with more than 90 percent market share, Facebook is the dominant social network in Germany, leaving users with no alternative but to accept terms of service that include consent for collection of third-party data. The FCO challenges that due to its market position, Facebook users have not effectively consented to Facebook’s data tracking of users beyond its social network—or the merging of that data into Facebook user accounts for advertising purposes. The FCO’s actions signal a potential expansion of antitrust enforcement. If European antitrust laws are enforced with regard to big data collection, it could ultimately create issues for many companies whose business models rely on data collection, analytics, or associated advertising.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.