The online world is increasingly shaped by forces beyond our control.  Algorithmic processing agents are used by a wide range of web publishers, online retailers and social media companies to determine the kinds of stories that are feature to online readers, the advertisements that are targeted to online shoppers, and the search results they see, to name just a few of the ways in which these hidden programs predict the shape and content of our online experience.

US and EU privacy regulators have developed different models for managing the potential negative impacts of online profiling. In a recent article for the ABA Journal of Media, Information and Communications Law, Ballard Partner Phil Yannella examines these differing approaches.

What happened?

Today the EU General Data Protection Regulation (GDPR) goes into effect, ending the data protection landscape as we know it. This comprehensive privacy law applies directly to the 28 EU countries and companies established in or doing business in those countries. Unlike its predecessor, the GDPR applies to companies established outside of the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU, such as through the use of cookies. The GDPR imposes a number new of requirements on companies and raises the stakes by imposing potential maximum fines up to 4% of worldwide revenue. Continue Reading GDPR is Now Effective – How Will Regulators Enforce It?

In April, we blogged about the potential impact of the GDPR—which goes into effect this week (May 25)—on the public availability of WHOIS data. Ballard Spahr Intellectual Property attorney Tyler Marandola continues the discussion about WHIOS data in a recent interview with the CyberLaw and Business Report. Listen to it here.

One practical takeaway: if you have WHOIS searching to do, you should do it this week and save the results. WHOIS is likely to look very different (essentially just Organization Name and State/Province) as early as mid-next week.

With the European Union’s General Data Protection Regulation (GDPR) set to go into effect on May 25, 2018, many questions remain as to what entities that control and process data from EU citizens must do to comply. One such issue is the ongoing effort by the Internet Corporation for Assigned Names and Numbers (ICANN) to ensure that the WHOIS service (an online database of identity and contact information for registrants of web domains) complies with GDPR. Continue Reading GDPR And The Future of WHOIS Data

The GDPR’s impact on the ability of U.S. litigants to conduct discovery of EU personal data is an issue that has received scant legal analysis. In a recent article for The Legal Intelligencer, Philip N. Yannella discusses the challenges, and potential costs, awaiting U.S. litigants as they attempt to conduct EU discovery under the GDPR.

You can check out the article here.

The lawsuit by Austrian lawyer and serial plaintiff, Max Schrems, against Facebook suffered a setback in a ruling by the Court of Justice of the European Union (CJEU) last week. Schrems sought to bring class action-type claims on behalf of 25,000 participants worldwide in his home country of Austria, alleging that Facebook violated European Union privacy law when it assisted the United States National Security Agency’s PRISM surveillance program. Specifically, Schrems alleged that there is no adequate level of protection of European citizens’ Facebook data when it is transferred to the United States, because it could be accessed by US authorities without individualized suspicion. According to Schrems, Facebook’s collaboration with US authorities violated the Austrian data protection law of 2000, the Irish Data Protection Act of 1998, and Directive 95/46/EC of the European Parliament. Continue Reading CJEU Issues Mixed Ruling for Schrems’ Class Action Against Facebook

Among the more significant changes under the GDPR are new limitations on the use of consent to permit the processing of personal data. Recent WP29 guidelines on consent expand on previous opinions (for example Opinion 15/2011 regarding the definition of consent or Opinion 06/2014 regarding the legitimate interests of data controllers) and confirm that the use of consent must pass a very high bar to be effective under the GDPR.

Consent is one of six lawful bases to process personal data under the GDPR.  Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Continue Reading Analysis: WP29 Guidelines on Consent Under the GDPR