Berry Picks in IT Law #3

Sena Kontoğlu Taştan Weekly Picks

We’re back with Berry Picks #3 and I feel like at this point in time, I should just go ahead and change the name of the blog to The Data Protection Berry. The slice of the IT pie this topic has is overwhelmingly evident here. Intrigued?

🔏 Data Protection & Privacy

The proposed European Media Freedom Act has been evaluated by the European Data Protection Supervisor. The Act had been published back in November. Sadly back then, this blog was still just a speck at the back of my mind. The summary of the opinion has recently been published, so I now have the excuse to go back in time. The opinion included that:

  • Protection of media workers against the use of spyware may fall short, and the ban of the development and deployment of advanced military-grade spyware, save for very limited exceptions, is the way to go.
  • The scope of the Act should be clarified, *i.e. who is a journalist, please?
  • Transparency obligations on media service providers should be clarified – The EDPS recommends clarification on the specific public interest grounds for data processing per these requirements.
  • Authorities assigned to handle complaints regarding provisions on spyware and surveillance should be given more specific guarantees of independence, and collaboration between relevant authorities should be ensured.

Calling all public bodies ☎️: you are not exempt from data protection rules. The Portuguese Supervisory Authority (“CNPD”) fined, last month, the Portuguese National Statistics Institutes €4.3 million. The National Statistics Institute had conducted a nationwide online survey that had to be completed by logging in with a specially provided password. The CNPD found:

  • Lack of lawfulness for the processing of special categories of data: religion and health data were optional per law, but not flagged us such, thus preventing respodents’ free will to reply.
  • Lack of compliance with transparency obligations: privacy policies, please.
  • Lack of a data protection impact assessment: present, but found to be insufficient.
  • Lack of due diligence concerning the choice of processor: standard contracts are seldom adequate or appropriate, folks.
  • Lack of compliance with legal requirements for international data transfers: Data transfers to the US without any supplementary measures, and the authorisation of the processor to engage with other (sub)processors in third countries that do not provide an equivalent level of protection as in the EU: two sentence horror story re. GDPR.

Hot from the oven: COOKIES (decision, and not the choc-chip kind but still). The French Supervisory Authority (“CNIL”) fined Microsoft Ireland €60 million. The CNIL decision found:

  • Deposit of cookies without prior consent: cookies for the purposes of fight against advertising fraud and advertising purposes (among others) can be deposited only after users have expressed their consent.
  • Absence of a compliant means of collecting consent for the deposit of cookies: one click to accept cookies but two to refuse them (tuts profusely). It shall be as easy to withdraw as to give consent, anyone?
Seasons Greetings from the CNIL?

The Irish Data Protection Commission and Big-Tech saga continue. The European Ombudsman issued her decision on whether the EC collects sufficient information to monitor Ireland’s implementation of the GDPR. The bottom line: bi-monthly overviews from the Irish Data Protection Commission on the big-tech cases are sufficient, any less and it would raise concern.

Some news from the other side of the pond: regarding children’s protection and dark patterns. An IT lawyer’s dream case. The Federal Trade Commission’s (“FTC”) two actions against Fortnite video game maker Epic Games is secured in record-breaking settlements:

  • The first sees Epic Games subject to a $275 million penalty –largest ever– for the violation of Children’s Online Privacy Protection Rule (“COPPA”). The violation stemmed from the failure of Epic Games to notify parents and obtain consent, and providing default settings that harmed children and teens. The proposed federal court order will prohibit Epic Games from enabling voice and text communications without parental consent under 13 years of age, and own consent for those above.
  • Epic Games has also been under scrutiny for the use of illegal dark patterns and a proposed administrative order with the FTC has been issued. Epic Games must pay $245 million to be used for refunds to customers, is prohibited from charging consumers through the use of dark patterns or without obtaining their consent, and cannot block consumers from accessing their accounts for disputing unauthorised charges.

Ah, sort-of-justice.

🎩 Competition

The European Commission’s investigations on Meta continue with the Statement of Objections, setting out the Commission’s position before the adoption of a final decision. The Commission preliminarily found that Meta abused its dominant positions. First, by tying its online classified ads service Facebook Marketplace, which may give Facebook Marketplace a substantial distribution advantage that competitors cannot match. Second, by imposing unfair trading conditions on competing online classified ads services advertising on Facebook and Instagram. The investigation follows the CMA’s, in a joint effort. We’ll be watching this space.

The Amazon investigations seem to be winding down with the agreement reached with the European Commission. Amazon will be addressing data use concerns through the cease of using non-public data from independent sellers’ activity, and not using this data to benefit Amazon’s own marketplace listings. Amazon will also commit to treating all sellers equally when determining to whom to give top placements to. Similar commitments follow for Prime concerns.

👩🏼‍🎨 Intellectual Property

The CJEU surprised some, or me at least, with its latest Louboutin/Amazon decision (available in German) on online marketplace liability. The Louboutin/Amazon decision found that the operator of an online marketplace may be found directly liable under Article 9 of the EU Trade Mark Regulation . The decision followed adversely to the Advocate General’s Opinion, which stated that Amazon would not be held liable as it is always specified in advertisements whether goods are sold by third-party sellers or Amazon directly, and that the reasonably well informed and reasonably observant user could differentiate. Alas, the CJEU seems to have used the same string of thought and come to a different decision. The Court found that Amazon showing advertisements of third-party sellers, and carrying out storage and shipping of said goods could give users the impression that it is the one selling those goods. This being the main road paved to trade mark infringement liability. User-centred approach gone too far? We’ll see.

Over and out.

Sena Kontoğlu Taştan

IT law enthusiast and researcher.

One thought to “Berry Picks in IT Law #3”

  1. Pingback: Berry Picks in IT Law #9 – The IT Berry

Leave a Reply

Your email address will not be published. Required fields are marked *