copyright infringement

The 2019 Guide To Avoiding Copyright Infringement

/0 Comments/in /by

Protecting Your Company From Copyright Issues in 2019

As 2019 begins to swing into gear, it can be a good idea to review your company’s potential liability for copyright disputes and possible copyright infringement issues in order to avoid big surprises later on. Here are a number of issues to think about this year:

Avoiding Copyright Infringement: Knowing Who Owns What

Knowing who owns what is an important component of avoiding copyright infringement. Under the current US framework, a work automatically receives copyright protection when it is created. The question of “who owns the work” can be simple or complicated depending on the employment relationship, or lack thereof, between the creator and the person paying for the creation.

For example, Jill is an accountant. In her free time, she enjoys taking photographs of her dogs. Jill owns the copyright for every photograph she takes. If her boss asks her to take some photographs of the office, however, these photographs may be considered works for hire because they were created within the scope of Jill’s employment, and therefore may be owned by the firm.

On the other hand, Jack is a professional photographer and videographer. Jill’s accounting firm hires Jack to take photographs of all the employees to put on the firm’s website and to assist in creating a series of YouTube videos advertising the firm’s service. Because Jack may be considered an independent contractor, as opposed to an employee of the firm, if the contract hiring Jack does not specifically lay out whether the photographs and videos are works for hire, Jack may retain ultimate ownership of the works.

One way to avoid potential confusion is to clearly lay out ownership before any work is created. Including language in the employee handbook and any employment contracts you offer can educate and remind your employees of the company’s ownership of copyrighted materials. You can also include language in any vendor contracts clearly specifying ownership of any copyrighted works created by the contractor. This will assist in avoiding confusion down the road.

Additionally, if you are working with a creative team in a non-employment relationship, it is important to have a contract specifically laying out copyright ownership before the work is actually created. Otherwise, you may find that only one person actually owns the work. That person may agree to assign ownership to the rest of the team, but is not obligated to.

Auditing Your Website’s Images to Ensure You Have the Proper Licenses

If you use some form of stock imagery on your website, you should do an audit of all the images, even if you outsource web development to a professional graphic designer. Remember – just because something is available online does not mean that it is available for free.

Placing copyrighted material on your website that you do not have permission to use can lead to being asked by the copyright holder to remove the work via a DMCA takedown notice, or even a copyright infringement lawsuit.

Instead, it is much better to use images whose owners give explicit permission for you to use them, even if you have to pay a fee.

When reviewing your existing images or investing in new ones, you should review the image license to understand the terms. What kind of attribution do you need to include on the image? What limitations are there, if any, on using the website in online or printed marketing materials? Is there a one-time licensing fee, or will you owe additional fees as your website brings in more traffic?

While there are some sites that allow certain images to be used at no cost, using them may still come with terms and conditions. For example, some are available for non-profit or educational uses, but not for commercial uses. It is important to read the fine print before you open your company up to potential liability.

Avoiding Copyright Trolls by Limiting Access to Your Company’s Internet

Finally, if your company offers internet to your employees, customers, or the general public, you may be opening yourself to liability for copyright infringement.

If someone uses a BitTorrent program such as Popcorn Time on their smartphone, tablet, or computer while connected to your internet, you may find yourself on the receiving end of a copyright lawsuit. Copyright trolls are owners of copyrighted material, who files hundreds if not thousands of lawsuits against alleged infringers, but rarely, if ever, litigate these cases. They are able to trace downloads of their material to specific locations through an IP address, on the theory that the person paying the bill for the internet account is either the infringer or knows who the infringer is.

Even if neither you nor your employees downloaded copyrighted material without permission, if the bill is in your name, you can get dragged into these suits while the copyright troll pursues the true infringer.

This type of copyright lawsuits were on the rise in 2018, with a handful of copyright holders filing thousands of suits in order to obtain IP records from your internet service provider. Typically, these copyright holders are looking to settle cases outside of court for thousands of dollars, rather than go through a long and arduous litigation process.

One way to limit your exposure to these types of cases is to limit access to your company’s internet by putting in a strong password on the Wi-Fi and reminding your employees about what is, and is not, appropriate use of company resources. However, other businesses find it essential to have open Wi-Fi for customers. This is increasingly common in restaurants, bars, and coffee shops. These companies may need to spend some time defending themselves in court from these cases, to the extent of demonstrating that it is impossible to find the true infringer.

This article is for informational purposes only and does not contain legal advice. If you have questions regarding copyright protection, copyright infringement, or other intellectual property matters, contact our experienced IP attorneys today with the form on this page, or call us at 888-725-5822.

Trademark Registration of Marijuana, CBD, and Hemp Products

Trademark Registration of Marijuana Products

/0 Comments/in /by

Trademark Registration of Marijuana, Cannabidoil, and Hemp Products

A trademark is any word, slogan, logo, symbol, or design that identifies an organization’s goods or services as unique from another set of goods or services. Trademarks serve two important functions. First, they are a source identifier, allowing one company to distinguish its goods or services from its competitors’, and preventing infringers from benefiting from the public perception earned through the sweat, blood, and tears of the trademark owner. Second, they are an indicator of quality, allowing consumers to know where they bought their products.

Because branding comes into play in every industry, we are seeing interesting developments from a variety of different sectors. For example, in 2017, we saw heavy metal bands challenging long-standing rules on disparagement, and our own Detroit Red Wings look at a potential infringement case against a hate group.

One area in which we will see opportunities for growth in the coming months is in marijuana-related products due to potential changes in definitions at the federal level.

Definitions Under the Controlled Substances Act (CSA)

Although marijuana and related products are legally available to various degrees in 47 states, including Michigan, under the CSA, marijuana is still a Schedule 1 controlled substance, meaning that it has a high potential for abuse with no currently accepted medical value.

Previously, the CSA defined marijuana to include the entire Cannabis Sativa L. plant, not making any distinction between its different parts. However, on January 4, the 2018 Farm Bill was signed into law, which brings about major changes to how the federal government regulates cannabis. 

This bill has created a new, separate definition for “hemp,” defining it as any plant with a tetrahydrocannabinol (THC) level below 0.3%. Hemp produces cannabidiol (CBD) oil, which is promoted as a wellness drug that does not get users high. Instead, it may be useful for treatment of epilepsy, anxiety, as well as for other medical problems.

Due to this new definition, certain strains of cannabis are now legal at the federal level – a major change to the previous drug enforcement regime.

Trademarks for Cannabis, Marijuana, and Related Products

There are a number of provisions under the current statutes and regulations that apply to the trademark registration of marijuana related products.

First, 15 USC 1051 and 15 USC 1127 allow owners of trademarks used in lawful commerce to seek trademark protection. Again, trademarks allow companies to avoid unfair competition, so it makes sense that Congress would not allow companies conducting illegal transactions on the black market to seek legal trademark protection.

Second, if an applicant is requesting a trademark on a service or product that is regulated under another law, 37 CFR 2.69 allows the Trademark Office to determine if the applicant is complying with the applicable standard because use of a mark in commerce must be lawful.

In a 2017 Trademark Trial and Appeal Board case, the Trademark Office refused to issue trademarks that would protect branding on “dispensaries selling marijuana” and “dispensary services.” These actions are illegal, under the CSA’s prohibition on manufacturing distributing, and dispensing controlled substances, including marijuana. As a result, the Board could not register the mark due to the then-definitions in the CSA.

This decision did foresee the reclassification of certain strains of cannabis. Due to the new definition in the 2018 Farm Bill, excluding hemp and CBD from Schedule 1 drugs, we will almost certainly see new trademark applications for these products in the coming months.

Tips for Protecting Your Cannabis-Related Trademarks

Register Early

Now that hemp and Cannabidoil have been removed from the list of controlled substances, if your business is part of the cannabis industry, you should consider filing for trademark protection in order to protect your brand sooner rather than later. Due to the long timeline for trademark registration, it often makes sense to begin the process early.

Canada legalized recreational marijuana in 2018, but already their Intellectual Property Office is facing a bottleneck of cannabis-related brand names. Companies who delayed attempts at registration may be looking at a wait time of over a year before their brand is protected.

A similar “green rush” to register trademarks in the US is expected, so don’t delay getting your application in to avoid potential bottlenecks.

Work With a Lawyer to Get Your Application Right the First Time

At the moment, not all cannabis is legal in the U.S. – only certain strands. This is a new development in a new industry. The attorneys at the Trademark Office may not be aware of the different definitions in what is legal under federal law and what is not. This will not result in an automatic rejection, but it could delay your application.

An experienced trademark attorney will be able to craft your application in a way that clearly demonstrates that the goods or services your company provides are legal under current federal definitions. A clear, technical explanation at the outset can go a long way to smoothing the path to approval and could save months in further office review.

It is also useful to note that the trademark office has approved more than 300 marks specifically related to marijuana that do not involve actions currently prohibited by the CSA. For example, “Professional Marijuana Grower” owns a word mark on the title of their magazine that specifically protects their printed publication. There is a lot of room for business development in the cannabis region that does not involve manufacturing or dispensing the product.

Contact Your Elected Officials

While this last step does not specifically relate to brand protection, it is a smart move for any business in this new industry. If you are involved at all in the marijuana industry, you should contact your Senators and House Representatives to urge their support of changes to the law toward full legalization.

Marijuana is a huge industry, projected to generate $75 billion in sales, if it is fully legal by 2030. This alone should make your elected officials take note of the importance of having their constituents enjoy the full benefits of the law.

This article is for informational purposes only and does not contain legal advice. If you are interested in seeking trademark protection for your marijuana-related product or have other intellectual property questions, our experienced IP attorneys today with the form on this page, or call us at 855-473-8474.

cryptocurrency scams

How to Avoid Getting Scammed With Cryptocurrencies

/0 Comments/in /by

The rise of cryptocurrencies has been fascinating to watch, but there are a number of common scams associated with with this form of digital currency.

Cryptocurrencies are incredibly exciting and it can be a roller coaster to watch your investment grow and shrink. However, unlike traditional currencies and stocks, cryptocurrency is unregulated. While there are many legitimate companies out there, there are nearly 1,000 dead cryptocurrencies whose coins have no value or were nothing more than scams or Ponzi schemes to begin with.

In Japan, for example, eight men were arrested who collected more than $68 million in cryptocurrency from around 6,000 people as part of a pyramid scheme.

If you are getting started in the world of cryptocurrency investment and trading, here are some areas where you should conduct due diligence before moving forward:

Initial Coin Offerings (ICOs)

ICOs, like IPOs, offer an opportunity to get in at the ground level. The Securities and Exchanges Committee (SEC) has issued a warning against them, stating: “They also bring increased risk of fraud and manipulation because the markets for these assets are less regulated than traditional capital markets.”

In the United States, many ICOs qualify as securities, and must be registered with the SEC. This agency actively investigates companies promoting digital assets and cryptocurrency ICOs that have not registered and are not eligible for an exception. Registration ensures that securities make financial disclosures to investors. It also works to prohibit deceit, misrepresentation, and fraud in the sale and exchange of securities. Information from registered companies is publicly available online to promote truth in securities.

Other countries have taken an even harsher approach against ICOs. For example, South Korea and China have banned ICO fundraising altogether due to the risks involved. Unlike more traditional IPO and stocks, which give investors equity in a company, ICOs give investors tokens that increase in value as more people invest in the company.

Governments are right to be worried – one study suggests that 80% of 2017 ICOs were scams, receiving $1.34 billion in funding. The good news is that, despite the large number of ICO scams out there, they received only 11% of funding given that year. This means that the majority of projects were legitimate, which is good news for the future of this industry.

One way to vet an ICO is to look at the supporting documents and examine the company, as you would for any IPO or similar investment. In addition to researching the company, make sure you look at its whitepaper. Ask yourself, does the whitepaper make sense, or is it full of jargon? Does it sound like it is written by someone who understands the company, or by a freelancer who recycles the same generic blockchain explanation from a dozen other papers?

Moreover, when you ask questions to the company, do they provide real answers that you can understand, or is every answer a regurgitation of empty buzzwords? Play devil’s advocate and question the feasibility of the project. Transparent companies with a legitimate ICO will demonstrate their faith in their companies.

Cryptocurrency Offers

One of the defining features of a cryptocurrency is the potential for anonymity. Is anyone on the internet really who they say they are?

Most people are able to recognize scams in spam email – what are the odds that a Nigerian prince is actually reaching out to you for assistance with his financial issues? However, people sometimes lose their common sense when it comes to new technology that they may not quite understand. In London, for example, nine people invested a combined £150,000 from cold-callers purporting to sell non-existent cryptocurrency over the phone. Do not let this be you!

There is real danger in investing without knowing to whom you are giving money. Do not let the promise of instant riches sway your better judgment. As the SEC warns:

“If an investment sounds too good to be true, be cautious.”

As with any other type of potential investment, if a promoter guarantees returns, if an opportunity sounds too good to be true, or if you are pressured to act quickly, please exercise extreme caution and be aware of the risk that your investment may be lost.”

When you go to the company’s website, does it feel like a real company website, or is the same person doing all the work? Are all the photos of the company stock photos, or is there a real office with real people, not just models? Again, use your judgment. Do not be afraid to turn down an offer if it does not feel right.

Cryptocurrency Exchanges

Finally, you should be cautious about the exchange you use to buy cryptocurrency. Even if you do all your due diligence on a cryptocurrency and feel confident in purchasing the tokens, you should turn an inquiring eye on the exchange you want to use as well.

Exchanges are where cryptocurrencies are traded. They make good money on transaction fees from these trades and are not regulated or secured.

One infamous example is Mt. Gox, one of the original bitcoin exchanges that hosted 70% of all transactions. In 2014, the exchange was hacked and 850,000 bitcoins were lost or had been stolen, valued at $473 million at the time.

Due to the potential for hacks on less-than-secure exchanges, many experts recommend storing your own cryptocurrency in your own wallet, not on the exchange. 

When choosing a cryptocurrency exchange, your due diligence should include the history of the exchange, the number of transactions that occur on the exchange, what kind of security systems are in place to prevent hacks, and how it is insured.

Final Thoughts

You may have noticed a common theme running through this post – the importance of treating cryptocurrency investments and transactions the same way you would treat any other business or financial transaction. At the end of the day, investing in cryptocurrencies can yield great rewards. However, the new technology should not make you forget the common sense you would utilize in any other situation.

This article does not provide legal advice. If you seek an Internet lawyer who understands your business and technology, contact the Internet lawyers at Revision Legal today at 855-4-REVISION.

Bitcoin 101

One of the most exciting internet trends in the past few years has been the rise and decline of bitcoin. Although the currency has been around for a decade, in December 2017 it reached its record high of nearly $20,000 per coin. While the coin’s value has dropped considerably in 2018 – it is currently less than $4,000 per coin – it is likely that we will be hearing more about the currency in 2019 and beyond.

Here is what you should know about bitcoin right now.

What is Bitcoin?

As much as bitcoin has been in the news, it can be a difficult concept to wrap your head around.

Bitcoin is a cryptocurrency, meaning that it can be used to buy products and services. Many businesses, including Revision Legal, have been accepting bitcoin payments for a number of years. Like paper currency, it has value because the people who use it believe it has value and pay money for it, or accept it in exchange for goods or services.

Bitcoin is unregulated by design; there are no government currency controls. Instead, all transactions are publicly stored in a ledger called “blockchain,” which is stored on a peer-to-peer network. All transactions are open and public, but users’ identities are anonymous.

Data miners track and encrypt bitcoin transactions, and save this data in the blockchain, in a similar manner as a family keeps track of expenses in a checkbook. The blockchain records every bitcoin transaction between any two parties in a public record, stored on every data mining system. This makes many people say that the blockchain is indisputable, and argue that bitcoin has a technologically secure system.

New bitcoins are created through data mining. In a nutshell, data miners use software that generates code and verifies bitcoin transactions in the blockchain ledger. In exchange, data miners are eligible to receive bitcoin as payment for their work.

Bitcoins are traded on public or private exchanges. In order to access your coins, you need to store unique private keys – passwords – in a wallet.

How can I Get Rich With Bitcoin?

There are two ways that people can make money off of bitcoin and other cryptocurrencies – data mining and investing in the currency.

Data miners can invest in either hardware systems or in cloud services. If you decide to invest in a hardware system, it will need to be more powerful than typical home or business systems. Basic set-ups begin at $500, but can easily cost thousands of dollars. Many miners today choose to join mining pools, which pool their computing power in order to increase their chances of earning bitcoin, and then split the profits.

While data mining was incredibly profitable years ago, it is becoming less so today due to competition. Data mining also requires a great deal of energy, which also can be a significant investment.

On the other hand, investors buy and trade bitcoin as if it is a stock rather than cash. Some may actively invest in the currency, while others may accept it in lieu of payment for services rendered. For example, in January 2018, rapper 50 cent announced that he had accepted 700 bitcoin for a 2014 album and forgotten about it for several years. He then discovered the account, which was worth $7.8 million.

Anyone who wants to invest in bitcoin can do so. You can buy and sell bitcoin on any of dozens of exchanges. When investing in bitcoin, you should remember:

  • Not every bank allows cryptocurrency purchases, so check with yours to make sure it does before trying to make a purchase.
  • Store your pass keys in a secure wallet. This is the only way you will be able to access your investment. While many exchanges offer wallet services, some experts recommend keeping your passcodes in your personal wallet for maximum security, even going as far as to print your keys, to avoid the possibility of being hacked.

There are also several business opportunities that run parallel to bitcoin, blockchain, and cryptocurrency. For example, IBM has created its own open source blockchain technology called Hyperledger. It is designed to increase data security and streamline transactions. This technology is adaptable to a variety of industries ranging from finance to healthcare, travel, and entertainment.

App developers can create secure wallet storage solutions or a payment platform that makes it easier to use cryptocurrency to purchase goods or services. Data security experts will be needed to monitor and neutralize threats to companies partaking in cryptocurrency transactions.

As the interest in bitcoin grows, there may be more demand from people who want a piece of the action. Bitcoin ATMs and vending machines, which connect to exchanges and allow investors to purchase bitcoin with cash, are popping up around the world. They offer opportunities for developers, designers, and marketers to create, distribute, and maintain these boxes across the country and around the world.

Criticisms of Bitcoin

Although bitcoin is widely praised in the technology community and gaining support in financial districts, there are many concerns about it.

One criticism is that bitcoin is a bubble waiting to burst. As more and more people jump on board, prices increase. However, there is concern that there is only so much growth possible. People may be making money now due to the increased interest and growth in cryptocurrencies, but at some point, further growth may be impossible.

Another concern is that there is nothing backing bitcoin. Even though the US Dollar has not been redeemable by gold or silver in decades, Federal Reserve banks hold collateral equal to the currency in circulation and the Fed stabilizes the market for dollars to avoid extreme fluctuation in value. On the other hand, bitcoin acts more like a stock than currency. It has no intrinsic value and the market can change drastically in a matter of hours.

Additionally, there are many aspects of cryptocurrencies, including the complicated technology and anonymous nature that make it easy for scammers to take advantage of buyers – a topic we will explore in the future.

This article does not provide legal advice. If you seek an Internet lawyer who understands your business and technology, contact the Internet lawyers at Revision Legal today at 855-473-8474.

dmca

Digital Millennium Copyright Act and Internet Service Providers

/0 Comments/in /by

Digital Millennium Copyright Act and Internet Service Providers

The Digital Millennium Copyright Act (DMCA) was enacted in 1998 to bring the United States up to date with technology and with international intellectual property treaties.

While there are many aspects of the DMCA, one of the most important to web hosts and internet service providers (ISPs) involves the “safe harbor” provisions. Under this provision, if a content provider:

  • Does not have actual knowledge that the material was infringing another’s copyright;
  • Is not aware of facts or circumstances where infringing activity is apparent; and
  • Acts quickly to remove the content, once made aware of it,

Then the content provider will not be liable for monetary damages for copyright infringement.

If your company is a web service provider who wishes to take advantage of the “safe harbor” provisions, you will need to ensure that your organization is registered with the Copyright Office’s DMCA website. This way, you will have a designated agent on file in a public database, so that you will be able to receive notices of copyright infringement, otherwise known as “takedown notices.”

DCMA Takedown Notices

One of the most common ways we see the DMCA’s “safe harbor” provisions in use today is through takedown notices submitted to service providers. If a copyrighted work is being hosted on a website against the wishes of the copyright holder, the copyright holder can send a takedown notice to the website.

This notice should include:

  • The identity and contact information of the person who is requesting the copyrighted material being removed
  • Information of how the individual is related to the copyrighted material. For example, does this person own the copyright, or were they assigned the right to enforce it?
  • Information about the copyrighted material being infringed, including what the copyrighted material is comprised of and a link to the page it is hosted on
  • A statement that this information is accurate, under penalty of perjury, and
  • A physical or digital signature

Once a service provider receives a takedown notice, they must investigate the claims in a timely fashion. Responses to a takedown notice may include:

  • Removal of the copyrighted material, or
  • Disabling access to the copyrighted material, such as deactivating links

If a third-party user is the subject of multiple verified takedown notices, a service provider may decide to terminate that individual’s ability to access their site.

Because copyright is automatically granted, you will be able to enforce certain rights with a DMCA takedown notice, even if it is not registered with the US Copyright Office. This has led to the DMCA to be a useful tool in controlling the spread of “revenge porn” – compromising selfies sent by one individual to another in confidence, which are later posted to websites and visible to anyone online.

Because the individual who took the picture is the copyright owner, that person is able to contact websites like Google or Tumblr and ask for the material to be removed under the DMCA.

Penalties for ISPs That Ignore a DMCA Takedown Notice

If you receive a DCMA takedown notice but fail to act accordingly, you may lose protection of the “safe harbor” provision and can be found liable for copyright infringement.

In 2014 and 2015, the safe harbor provision was put to the test. BMG Rights Management, LLC, filed a lawsuit against Cox Communications Inc., an internet service provider.

BMG’s enforcement arm, Rightscorp, attempts to pursue individuals who download music online without paying for it. Rightscorp will send emails requesting individuals settle these claims for $20-30 per song. However, the only way to trace these individuals is through the ISP. BMG sends copyright notices to ISP providers with messages to pass along to the users. Other ISP providers would simply forward these emails as instructed. However, Cox did not.

BMG then sued Cox, and won $25 million. Cox’s refusal to forward these messages – a reasonable step, according to the judge, to implement a policy to terminate repeat infringers – meant that it was no longer protected by the “safe harbor” provisions, and would therefore be liable for the copyright infringement of its users.

This was the first case of its kind, and it may embolden other copyright holders or enforcement agencies to be more aggressive in ensuring their messages reach their intended audience.

If you receive a DMCA notice and have questions about determining the proper course of action to ensure your organization is eligible for the DMCA’s “safe harbor” provisions, contact an experienced internet attorney today to understand your legal obligations.

Creating a DMCA Compliance Policy

You should create a DMCA compliance policy if your organization:

  • Has a website that allows third-parties to post content, such as social media posts or blog comments;
  • Hosts websites; or
  • Provides internet services to users.

This policy should include:

  • Notice and takedown procedures for receiving, processing, investigating, and acting when a DMCA takedown notice is received;
  • Provisions to routinely monitor your site and automatically remove copyrighted material; and
  • A policy to terminate accounts of or access by repeat infringers.

Many companies have gone one step further, and made their DMCA reporting and compliance policies exceedingly user-friendly and easy to understand.

For example, social media sites like Facebook, Twitter, and Pinterest have streamlined their DMCA compliance policy by creating easy to use fillable forms for copyright holders who believe their work was uploaded without permission.

Similarly, web hosting company A2 Hosting’s DMCA policy walks its users through the elements of a proper takedown notice, listing very clearly the elements needed for an actionable request.

When you create your company policy, you should remember that many people seeking to enforce their copyrights online through the DMCA are not lawyers and may have limited understanding of how the act works. Creating a user-friendly system will make your process of sorting out the real notices significantly easier.

If you have questions regarding how to stay compliant with the DMCA, contact Revision Legal’s team of experienced copyright and internet attorneys through the form on this page, or call 855-473-8474.

FOSTA-SESTA

FOSTA-SESTA for Internet Service Providers

/0 Comments/in /by

FOSTA-SESTA for Internet Service Providers

The Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA) and the Stop Enabling Sex Traffickers Act of 2017 (SESTA) are two bills that were passed by the House and Senate. The combination of the bills, referred to as FOSTA-SETSA was signed into law in April 2018. This law represents an important change to the way internet content will be policed moving forward.

Previous Requirements Under the Community Decency Act

Before the enactment of FOSTA-SESTA, Section 230 of the Community Decency Act (CDA) stated:

“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

In other words, websites like Craigslist or Reddit, which encourage anonymous users to engage in discussion, debate, and commerce, would not be liable for the content on these sites, even if they edited or moderated the content, so long as the meaning did not change. This law, which was described as “the law that gave us the internet,” was capable of shielding Google and Facebook from liability for defamation lawsuits, or even criminal investigations.

For a long time, this law was also used to protect Backpage.com, which a Senate Subcommittee Report discovered was involved in 73% of all child trafficking reports. The owners of the site argued that Section 230 of the CDA shielded them from liability. However, the Senate discovered that Backpage was actively facilitating child sex trafficking by editing ads so they would pass community standards and teaching its users on how to post “clean” ads for illegal transactions.

This level of editing went beyond the safety net of Section 230, and in April 2018, the Department of Justice issued a 93-count indictment against seven people involved with Backpage.com. The FBI seized the website.

What FOSTA-SESTA Changes

Under FOSTA-SESTA, websites can be civilly liable and prosecuted in criminal court for any sex trafficking discussions that are viewable on their platform.

Specifically, someone who “owns, manages, or operates an interactive computer service (or attempts or conspires to do so) to promote or facilitate the prostitution of another person” can face up to 10 years in prison and hefty fines.

This law removes the Section 230 shields for web hosts, internet service providers (ISPs), and social media sites specifically when it comes to sex trafficking. The shields on liability will remain in place for other matters, such as defamation lawsuits.

However, FOSTA-SETSA does represent a major change to the duties and responsibilities with regard to monitoring and enforcing their content. After the law passed, many sites took steps to remove material for which they could be found liable. Craigslist, for example, took down its entire personals section, while Redditt removed several popular subreddits.

ISP Compliance Under the New Laws

If your company provides any online services, there are a number of steps you can take to ensure you are in compliance with FOSTA-SETSA.

First, you should take a look at services your organization currently provides. If you have classified ads, dating apps or services, social media forums, or accept third-party ads on your site, you should update your terms of service to specifically reflect what you will, and will not allow to be posted.

Second, you will need to double down on efforts to moderate these third-party messages. You should understand the language used in sex trafficking in order to do this properly. If you need to, hire and train additional moderators to do this job correctly. You should also update your parameters periodically in order to catch new language and phrases used in these communications.

Finally, decide what level of risk your company wants to take. While some companies may decide to challenge the law if pursued, many are taking a conservative approach. For example, Craigslist made the decision to completely remove its Personals section to avoid liability under the law. Recent news of Tumblr’s decision to remove adult content from its site has also been linked to this new legislation.

Remember, your company may or may not actually be subject to FOSTA-SETSA. For example, ProtonMail, a Switzerland-based email service, issued a statement explaining how it is not governed by US laws. Because activities such as gambling and sex work are not illegal in Switzerland, a Swiss court would be unlikely to acquiesce to a government request for data related to these activities.

Praise and Criticism for FOSTA-SESTA

FOSTA-SESTA received praise from a number of sectors. Many industry leaders who are members of the Internet Association, including Amazon, Microsoft, Uber, and Netflix, supported the new legislation, stating that it is “committed to combating sexual exploitation and sex trafficking online.” Another proponent of the new law argued that this change is needed to “deal with a 21st century problem.”

The Department of Justice (DOJ) also largely supported the change in legislation, as it gives additional tools to fight trafficking. However, the DOJ asked that language be amended to focus on trafficking, rather than consenting adults. It also raised a constitutional concern, in that FOSTA-SESTA allowed for criminal punishments on behavior that occurred before the law passed. This sort of ex post facto law is unconstitutional, and is a highly criticized element of the law.

Advocates for sex worker safety believe that this law does more harm than good. The law will prevent people from using sites like Craigslist to advertise their services, which is a safer alternative than being on the street. Instead, because of this law, women and men may need to put themselves back in dangerous situations to make their livings.

Freedom Network USA, which provides services to trafficking victims – the group the law is designed to help – also argues that this law will drive the sex trade further underground.

Removing references to sex trafficking and prostitution will not make their victims or participants disappear. Under current enforcement models, investigatory agencies are able to track victims online through IP address and photographs. If these sites are shut down, victims will be less likely to be identified and face more threats of violence.

Free speech advocates, including the ACLU, also argue that FOSTA-SESTA requires online platforms to spend more energy on policing content, which can have a chilling effect on free expression online. Perhaps the most vocal opponent to the new law is the Electronic Frontier Foundation (EFF), which believes that Congress is now censoring the internet and preventing the development of new technologies.

For more information on ISP disclosures or compliance requirements with federal and state laws, contact Revision Legal’s team of experienced internet attorneys through the form on this page or call 855-473-8474.

report child pornography

Internet Server Provider Requirements to Report Child Pornography

/0 Comments/in /by

Internet Server Provider Requirements to Report Child Pornography

Internet service providers (ISPs) occupy a unique place in modern society. They provide internet access to millions of people across the United States, which allows instantaneous communication, exchange of ideas, and, unfortunately, a new haven for criminal activity.

Because of their unique role in facilitating online communication and commerce, ISPs are subject to certain federal laws regarding child pornography and child sex trafficking.

Revision Legal’s internet and privacy attorneys have experience drafting website and software privacy policies, advising on privacy law compliance, and enforcing state law privacy torts. Our privacy law attorneys can advise you or your business on compliance with:

  • State privacy law
  • The Children’s Online Privacy Protection Act
  • California’s Shine the Light law
  • The European Union’s Data Protection Directive

Child Pornography

Under Federal law, it is illegal to produce, distribute, import, receive, or possess any image of child pornography. Images do not need to depict sexual activity. Instead, a picture of a naked child can be considered child pornography if it is sexually explicit. Minors under the age of 18 can not consent to be in these images.

While adult pornography that is not “obscene” is protected by the First Amendment free speech protections, child pornography is not protected. Individuals violating federal child pornography laws are subject to strict criminal punishments, including harsh jail sentences.

Child Sex Trafficking

Child sex trafficking is the recruitment, harboring, transportation, provision, obtaining, or advertising of a minor child for the purpose of a commercial sex transaction. Being convicted of this crime can result in serious criminal penalties. Federal laws also provide for civil asset forfeiture of property owners who ignore human smuggling on their land.

The internet is the major hub for facilitating human sex trafficking. A recent study of child sex trafficking survivors reported that 75% were advertised online. Additionally, the FBI estimates that at any given moment, 750,000 child predators are online.

ISP Requirements For Reporting Child Pornography

ISPs are required by 18 USC §2258A to issue a report to the National Center of Missing or Exploited Children (NCMEC) when they obtain knowledge of facts or circumstances involving:

  • Sexual exploitation of children;
  • Selling or buying of children;
  • Production or distribution of child pornography; and
  • Websites designed to trick minors into viewing pornography or other obscene material.

This report must contain information regarding:

  • The individual user, including his or her email address or IP address
  • The history of the transmission, including when and how it occurred
  • The geographic area of the involved individual, including the IP address, or the verified billing address

ISPs must also provide any images of apparent child pornography, as well as the complete communication regarding any images of apparent child pornography, including any digital files contained in or attached to the communication.

ISPs are not required to actively search their systems for information regarding sex trafficking or child pornography, nor are they required to monitor individuals for these types of communications.

Failure to make reports can result in fines up to $150,000 for the first offense, and up to $300,000 for subsequent offenses.

The NCMEC will forward these reports to appropriate local, state, federal, or international law enforcement agencies and relevant attorney general for investigation. This collaboration across domestic and international jurisdictional lines is important because a significant amount of child pornography and sex trafficking is done between jurisdictions.

Contacting the NCMEC

The NCMEC’s website is http://www.missingkids.com/home, and its CyberTipline can be contacted at 1-800-THE-LOST (1-800-843-5678) or online at https://report.cybertip.org/.

Other Efforts to Stop Child Pornography and Child Sex Trafficking

Due to the widespread, international nature of child pornography and child sex trafficking, it must be tackled on a number of different fronts.

Because of the serious nature of these crimes, both the US government and private ISPs have undertaken efforts to curb the distribution and production of child pornography and end child sex trafficking.

Private Internet Provider Efforts to Block Child Pornography

In addition to the federal government’s efforts to curb these practices, private internet service providers have reformed their services to block child pornography.

In 2008, Comcast and NetZero joined Verizon and Sprint in taking steps to block child pornography. These companies block bulletin boards where images are disseminated, as well as child porn news and web sites. These efforts to remove old images from circulation will allow law enforcement to focus on more recent images of children who are more likely to still be victimized.

Search engines, such as Google and Bing, are also blocking searches for restricted material, and are working to tackle peer-to-peer sharing of these images. A study analyzing data between 2011 and 2014 showed that these efforts reduced this type of search traffic by 70%.

Senate Fact Finding Into Online Criminal Activity

Finally, the federal government has many investigative tools that can be utilized to expose criminal activity online.

The leading online marketplace for commercial sex is Backpage.com. According to a 2017 Senate Subcommittee Report, this website is involved in 73% of all child traffic reports received by the NCMEC.

This investigation looked into whether Backpage.com was merely a conduit for criminal activity, or if the site was actually involved in promoting the criminal activity. If, as Backpage.com claimed, it was merely a conduit, it would be immune from liability under the Community Decency Act (CDA), which provides certain levels of immunity for ISPs and websites that make content available online and have good-faith screening processes to block offensive material. However, if Backpage.com was actively participant in criminal activity, the site could have criminal and civil liability.

Over the course of a nearly two-year investigation, the Senate discovered that not only was Backpage.com editing customer ads for child trafficking or pornography in order to remove words suggesting criminal activity, but also that it was coaching customers how to post “sanitized” versions of the ads to avoid detection.

Backpage.com had previously avoided liability for criminal activity under the CDA because the extent of its involvement with the criminal activity had not been known. The Senate subcommittee’s fact finding helped exposed Backpage.com’s practices, paving the way for lawsuits from victims of sexual exploitation. One such lawsuit was filed in June 2017 (1:17-cv-11069).

From the aggressive pursuit of Backpage.com by the US Senate, it is evident that the government is willing to utilize all the tools in its toolbox to seek out this sort of criminal activity online.

For more information on ISP disclosures or compliance requirements with federal and state laws, contact Revision Legal’s team of experienced internet attorneys through the form on this page or call 855-473-8474.

data privacy news

2018’s Biggest Data Privacy News Stories

/0 Comments/in /by

2018’s Biggest Data Privacy News Stories

As the year draws to a close, we wanted to take a moment to review the biggest data privacy news stories of 2018 and discuss what we can learn from them as we move into the new year.

1.   Europe’s GDPR

Probably the biggest news story is the European Union’s Global Data Privacy Regulation (GDPR). This regulation, which came into effect in May 2018, places significant limits on how companies must collect and store data.

In addition to outlining what companies must do when they process personal data, the GDPR has new regulations relating to how companies must handle data breaches. Businesses are now required to notify their relevant data protection authority within 72 hours of becoming aware of a breach. Depending on the type of data, the company must also notify impacted individuals, if the breach involves a high risk to their rights and freedoms.

Perhaps the most shocking aspect of the GDRP are the high fines a company faces for failure to comply with the regulation. Severe breaches can carry fines up to €20 million ($22.5 million), or 4% of a company’s annual revenue, whichever is greater. As a result, companies like Amazon.com, which took in just under US $178 billion in revenue in 2017, could be looking at multiple billions of dollars in fines for noncompliance.

If your company is subject to the GDRP, you should be looking closely at this regulation to ensure you are complying with all aspects of it. Remember: even if your company is attached by hackers, you can still be fined.

In order to ensure you are fully compliant with the regulation, speak with an attorney who specializes in internet privacy law.

2.   Huge Data Breaches

It seems like every week, we get data privacy news stories. In July, the Identity Theft Research Center reported that over 22 million records were exposed in the first half of the year alone.

Companies like Under Armour faced off against hackers who broke into the MyFitnessPal app, affecting over 150,000,000 users. While there were enough data protections in place to secure sensitive identifying information and credit card numbers, Under Armour’s password protection system was partially protected under a weaker hashing system that was easier to compromise. The stolen passwords could then be sold or used in online scams.

Perhaps the biggest data breach story was the Cambridge Analytica / Facebook scandal. This spring, it came to light that 50 million profiles were harvested data from user’s profile pages to analyze and influence election results, including the 2016 presidential election.

The program collected information about each individual user who completed a personality test, but also information from those user’s online friends. The usage violated Facebook policies, which allowed collection of data only to improve in-app experiences, not for advertising or other purposes. This breach led the UK to issue a £500,000 fine on Facebook (approximately US$644,000), which Facebook has recently appealed.

Facebook is taking a number of steps internally to prevent another Cambridge Analytica scandal, including reviewing apps that have access to large amounts of user data, and turning off the app’s access to someone’s data if it has not been used in the past three months. Imposing and adhering to this sort of internal policy may help limit this type of data misuse. The increased GDPR data privacy protections may also help prevent another Cambridge Analytica scandal, although Facebook previously failed to adhere to an agreement with the Federal Trade Commission (FTC) regarding its users’ data privacy.

Foreign operatives also attempted to steal intellectual property from universities. In March, the US Department of Justice filed charges against an Iranian company and nine individuals for hacking into hundreds of universities around the world, including 144 in the US. The attacks involved sending phishing emails to professors in order to gain access to university data.

These attacks began in 2013, and are estimated to have stolen 31 terabytes of academic data and intellectual property.

What can Your Company Learn From These Sensational Headlines?

In the Under Armour example, the company had many protections in place to protect user’s passwords, but its hashing protocols were flawed. Regularly reviewing and updating the security of your data encryption can help you stay one step ahead of hackers.

You should store data separately, as Under Armour did, to ensure that financial information, including credit card numbers, are kept separately from login data.

To avoid inadvertently allowing third parties to have access to your customer’s personal data, as in the Facebook case, you can follow GDPR guidance on appropriate limitations. You should also routinely audit third party use, to ensure they are adhering to your company’s privacy policies.

If you believe a third party is misusing your customer’s data, you can shut them out and ensure they dispose of the data, including backups, properly. You can also offer rewards to people who find holes in your security system.

Finally, as the Iran-University breach demonstrates, hackers do not always target automated systems. Sometimes the weakest links in data protection are humans.

You should routinely remind anyone who has access to your network – from first semester freshmen to tenured professors – to be wary of emails from unknown sources, even emails that make it through spam filtering. Your employees should exercise extreme caution before clicking on links in these emails.

3.   Data Leaks

A data leak may not seem as serious as a data breach, because it may be inadvertent disclosure, rather than a malicious attempt at hacking into your company’s data. However, a data leak can cause as much harm as a deliberate breach.

In 2018, an employee discovered that Panera Bread’s website included plain text personal data from users who ordered food online. It is estimated that millions of customers’ names, addresses, credit card numbers, and birth dates were vulnerable to automated tools searching for this type of data.

Making matters worse, the leak went on at least eight months after Panera’s head of information security was made aware of the problem.

To avoid putting your company in this situation, you should continue to conduct internal audits of your company’s website and security system. You should take reports of data leaks seriously and investigate them in a timely fashion when they are brought to your attention. Most importantly, you should not let the leak continue especially if there is a quick fix to stop it.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws, and manage data breaches when they occur. To discuss your data privacy needs, contact Revision Legal’s internet attorneys with the contact form on this page, or call us at 855-473-8474.

manage data breaches

How to Manage Data Breaches Under GDPR

/0 Comments/in /by

How to Manage Data Breaches Under GDPR

In recent weeks, we have posted about the requirements of personal data protection under Europe’s General Data Protection Regulation (GDPR) that companies must now follow. Today we will look into what a company must do in the event of a data breach under this regulation.

Over the past few years, we have seen some truly impressive data leaks around the world.

Between May and July 2017, Equifax was hacked, which compromised data for 143 million people, including names, social security numbers, birthdates, and home addresses. In 2018, a number of online retailers, such as Macy’s and Adidas, suffered from data breaches. Even Facebook faced a major data breach that affected as many as 50 million people. Because data breaches are, unfortunately, a fact of life, businesses and consumers must be prepared for them.

If your internet business is subject to the GDPR, here is what you should know:

What is a Data Breach?

Article 4 of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Under the GDPR, you are required to “implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principals, such as data minimization, in an effective manner and to integrate the necessary safeguards in the processing.” (Article 25)

These requirements include having appropriate levels of security, limiting access to personal data so it can only be accessed on an as-needed basis, and conducting tests on a regular basis to ensure that you catch security breaches before they occur. You must also have an appropriate backup system in the event that the data is lost.

You may also be required to have a qualified data protection officer, who will be in charge of overseeing data security. This position is especially important if you are processing a significant amount of sensitive data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or information related to genetic or biometric data.

Government data protection authorities are available for consultation, especially when there is a high risk in processing, or there are no measures in place to mitigate potential risks.

How Your Company Should Manage Data Breaches

You are not required to disclose every data breach. However, you must make an assessment as to whether or not the breach is likely to cause a significant detrimental effect to individuals.

If the breach is likely to be significantly detrimental, you must notify your country’s data protection authority within 72 hours of becoming aware of the breach. This notification must include:

  • The nature of the breach, including what type of data was taken and how many people’s information was compromised;
  • The likely consequences of the data breach;
  • What measures you have taken, or propose to take in order to address the breach; and
  • What measures, if any, that can mitigate adverse effects of the breach.

Additionally, if the data breach is likely to involve a high risk to the rights and freedoms of individuals, you must disclose the breach to the individuals at risk without undue delay. The GDPR allows you to make this communication by issuing an effective public communication, if contacting individuals would require disproportionate effort. Companies that have implemented measures, such as encryption, that would render the data unintelligible are allowed to forgo public notification.

Manage Data Breaches: Fines for Non-Compliance

If a company fails to comply with the GDPR’s data breach rules, specifically the requirement to notify your customers within 72 hours of the breach, you can also be fined a significant amount of money.

Less severe breaches carry fines up to €10 million ($11.2 million) or 2% of a company’s annual revenue, whichever is greater. More severe breaches can carry fines up to €20 million ($22.5 million), or 4% of a company’s annual revenue, whichever is greater.

In 2016, the year before Equifax had its major data breach, it reported $3.1 billion in revenue, meaning that it could have been liable for a fine up to $124 million due to its failure to report the breach within 72 hours.

Fines are discretionary, rather than mandatory, meaning that each country’s enforcement agency will assess the situation before imposing fines.

Factors that will be considered include:

  • The nature of the infringement;
  • The number of people affected by it;
  • Whether the breach was intentional or merely negligent;
  • What steps were taken to protect the data; and
  • History of noncompliance, if any.

Additionally, you may be required to compensate individuals for any damages they suffer as a result of the breach.

If You are a Consumer Whose Data has Been Breached

As a consumer, if your data was breached, there are a number of steps you should take.

If the data breach was for non-financial data, like an email or social media account, you should change your passwords. You should also monitor for suspicious activity, such as strange messages being sent or strange posts to your feed.

If the data breach was for a financial account, such as a credit or debit card or bank account, you have a couple more steps to take after changing passwords. Depending on the severity of the breach, you should place a credit freeze or a fraud alert on your accounts at Equifax, Experian, and TransUnion. You can also check your credit report for free at annualcreditreport.com. You should also monitor your financial accounts to look for unauthorized transactions.

Finally, if the GDPR applies to your situation, you can file a lawsuit against the company that violated our data protection rights, and make a claim with your national data protection authority.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s attorneys with the contact form on this page, or call us at 855-473-8474.

 

gdpr processing personal data

When is it “Necessary” to Process Personal Data Under GDPR?

/0 Comments/in /by

Last week I wrote about the EU’s new General Data Protection Regulation (GDPR) consumer-friendly approach to personal data collection and storage.

This regulation, which went into effect earlier this year, requires that companies only collect, store, or process personal data when there is consent or when it is necessary. Companies are often surprised at the broad definition of “necessary” under the regulation. Often, they do not need an individual’s consent to collect, store or process their personal data.

The GDPR provides five lawful bases outlining when it is “necessary” to process someone’s data. If your use falls into one of these five categories, then you do not have to worry about obtaining, or losing, consent.

Article 6(1)(b): Contracts

If the processing is “necessary for the performance of a contract” to which the individual is a party, or if the individual requested the company to do something prior to entering into a contract, the processing is necessary and therefore lawful under GDPR.

Here are some transactions that would fall under this category:

  • Paul purchases a t-shirt from an online store, which creates a contract between Paul and the store. The store needs to collect data from Paul, including his shipping address and payment information, in order to complete the contract and hold up its end of the deal.
  • Karen is having brochures printed for her office, and contacts a printing company for a quote. The printing company needs to collect Karen’s email address to send her the official quote. If Karen decides to work with the printing company, the company will need additional information in order to complete the transaction.

Contractual obligation will cover many transactions. However, an important part of the GDPR is that the data is collected for a specific and limited purpose, and that collection is limited to what is necessary for the original purpose. If you want to continue to use the customer’s information for marketing purposes after the transaction has completed, you may need to find a different lawful basis.

Article 6(1)(c): Legal Obligation

If a legal obligation requires you to process an individual’s information, you must do so.

Examples of legal obligation include:

  • A court order requiring a business to turn over information on an individual
  • A financial institution noticing suspicious account activity that could be money laundering reports this activity under relevant criminal statutes
  • Businesses collecting and reporting required information about their employees to relevant government agencies.

As these examples demonstrate, a company’s legal obligations to collect, distribute, or otherwise process personal data are typically spelled out in statutes, regulations, or court orders.

Article 6(1)(d): Vital Interests

The GDPR requires disclosure of personal data in situations when it is necessary to save someone’s life. This typically refers to sharing medical records between doctors, hospitals, and emergency rooms. Sharing information about the patient is permitted, but it is also permitted to share information about parents in order to save a child’s life.

Rule 46 of the GDPR also considers “protecting an interest which is essential” to the life of individuals to fall under this category, such as if processing data is necessary for emergencies, like fighting disease outbreaks, recovering from natural or man-made disasters, or other humanitarian emergencies.

However, it is also clear from the rules that if another lawful basis is available, someone controlling personal data should operate under that basis. Operating under a vital interest basis should be used only as a last resort.

Article 6(1)(e): Public Task

You are allowed to process data if doing so is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority.”

If you work for a government agency, it is often necessary to process personal data. For example, immigration officials working at airports must process data of people at border crossings. This differs from the “legal obligation” basis, in that the data processing activity does not need to be specifically listed in a statute or regulation. However, there must be a clear source of law you can point to when processing data under the public task basis.

Additionally, organizations that are not specifically government agencies but serve a public function may also operate under the public task legal basis. If a private company is charged with parking meter enforcement by a city, then that company may collect data on illegally parked vehicles. If a private company has been hired by a city to test water after a potential contamination, they are permitted to act under the public task legal basis.

Article 6(1)(f): Legitimate Interests

The GDPR also allows a company to process personal data when it is in a company’s legitimate interests to do so, as long as the interest is not outweighed by the interests or fundamental rights in an individual’s data.

This is the broadest of the categories with the most room for interpretation. Although this basis may seem flexible, it is not meant to be a free-for-all. As a company, you should ask:

  • Are you pursuing a legitimate interest?
  • Is the data processing necessary for this purpose?
  • Do the individual’s interests override the legitimate interest?

Legitimate interests include using employee and client data for, marketing, IT security, or fraud prevention. For example, a credit card company might monitor its customers data to prevent identity theft. An email server may analyze incoming mail to weed out spam or potential viruses. Companies can also use information within the realm of “legitimate interests,” meaning that sending mail or emails out to former and current customers can be lawful.

Even though it might be easy to say that every data processing activity falls under the “legitimate interest” lawful basis, your company should not rely on this category as a catch-all. Instead, carefully review your data processing activities to ensure you are operating under the necessary basis that best matches your intentions.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s attorneys with the contact form on this page, or call us at 855-473-8474.

 

 

personal data processing

Personal Data Processing Under the GDPR

/0 Comments/in /by

In May 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. To read the regulation in its entirety, visit click here. The GDPR standardized personal data protection requirements across the 28 EU countries. Although the regulation is broad, advocates for GDPR applaud its consumer-friendly approach to personal data collection and storage.

What are the Governing Principles of GDPR?

GDPR provides a number of general principles relating to processing personal data, namely that it should be:

  • Collected and processed lawfully, fairly, and in a transparent manner;
  • Collected for a specific and legitimate purpose, as well as limited to what is necessary for the collection purpose
  • Kept only as long as necessary for the initial purpose;
  • Processed securely and protected against unlawful processing.

What are Personal Data and Personal Data Processing?

Article 4 of GDPR defines personal data as any information relating to an identified or identifiable natural person, who can be identified by reference to identifiers such as a name, ID number, location data, an online ID, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Examples of personal data include:

  • Real names and online usernames;
  • Mailing, work, email, and IP addresses;
  • Photographs; and
  • Genetic and biometric data, including DNA

Article 9 prohibits the processing of data regarding racial or ethnic origin, political opinions, religious beliefs, or trade union membership except in certain specific situations and provides further limitations related to the use of genetic, biometric, and general health data.

Personal data processing refers to personal data that is collected, recorded, organized, structured, stored, adapted or altered, retrieved, consulted, used, disclosed by transmission, disseminated or otherwise made available, aligned or combined, restricted, or erased or destroyed. GDPR applies to processing of personal data through automated, partially automated, as well as non-automated means if it is part of a structured filing system.

Examples of personal data processing include:

  • Staff management and payroll administration;
  • Sending promotional emails to an email listserv;
  • Shredding documents containing medical records or bank records; and
  • Posting a picture of someone online.

The business or person who determines the means and purposes of personal data processing is known as the controller of the data. The controller is responsible for adhering to the GDPR and can be penalized for failing to meet the regulation’s requirements.

What are GDPR’s Requirements for Personal Data Processing?

The GDPR permits processing personal data when a user consents to the processing, or when it is necessary to process data.

Consent to Process Personal Data

In order for an individual to consent to a controller processing personal data, the controller must fully inform them about what they are consenting to. Best practices to obtain consent include making the request prominent and separate from terms and conditions of a site.

Consent must also be positively given – users must have an opportunity to affirmatively agree that the controller may process their data. Users must be able to revoke consent in the future, and consent should not be a precondition of the controller providing a service to the user.

People who are 16 years old or older are capable of consenting on their own. Children under 16 must have a parent or guardian consent on their behalf.

Necessary Personal Data Processing

GDPR also list five times when it is necessary for controllers to process data without explicit consent:

  • Contracts: If a controller has a contractual obligation to the data subject, and data processing is necessary to complete contractual obligations, the controller may process the data. Additionally, the controller may process data if doing so is a necessary prerequisite for entering into a contract.
  • Controller’s legal obligation: If the controller has an obligation to report data to a regulatory body, or is under a court order to provide information, they are under a legal obligation to provide it, regardless of consent.
  • Vital interests: If personal data disclosure is required to save someone’s life, the controller is obligated to do so. This situation will almost always involve health data.
  • Public task: This category of necessary processing relates to tasks carried out by an official government agency, on behalf of an official agency, or a task that is carried out in the public interest. This will often relate to government agencies, but government contractors or private water companies may also operate under this umbrella.
  • Legitimate interests pursued by the controller: This category is very broad. It requires the controller to pursue a legitimate interest, that the processing be necessary for the purpose, and that the controller’s legitimate interest does not outweigh the individual’s fundamental rights or freedoms.

Praise and Criticism for GDPR’s Data Processing Requirements

GDPR has drawn praise from tech leaders, including Apple CEO Tim Cook, who recently expressed support for a similar regulation in the US. Cook listed four areas of the GDPR he believed should be legislated in America:

  • The right to have personal data collection be minimized (Article 5(1)(c));
  • The right for users to know what data is collected on them (Article 15);
  • The right to access that data (Article 13); and
  • The right for data to be kept securely (Article 5(1)(f).

Critics of the regulation believe that it can be too burdensome for businesses to comply with or that limitations will stymie growth of artificial intelligence systems, which rely on individuals’ personal data to grow. Others argue that large companies like Facebook and Google who currently offer free services in exchange for the ability to collect and utilize user data may limit free options due to new limitations on data processing.

What are the Penalties for Failure to Comply With GDPR?

Failure to comply with GDPR’s data processing requirements can lead to a number of different penalties, including warnings, bans on data processing, audits, orders to restrict or delete data, and monetary fines up to €20 million or 4% of a company’s worldwide net sales. You should take compliance with GDPR very seriously.

Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s internet lawyers with the contact form on this page, or call us at 855-473-8474.