Welcome back What’s Next readers, and if you’re in the U.S., I hope you had a restful three-day weekend. Happy belated GDPR Day! Unfortunately, it’s nothing like Rex Manning Day—although it probably resulted in just about as much fanfare on social media. In this week’s issue, lots of news about dealing with data in this new frontier.
In hindsight, I probably should have seen it coming. Max Schrems (pictured), the Austrian privacy activist and lawyer, has never been one to shrink from a major legal battle over privacy. He’s the guy responsible for the implosion of the US-EU “Safe Harbor” data transfer framework (although he’d probably say that was the NSA’s fault). And after companies started shifting to another legal mechanism for transferring personal data across the Atlantic, he challenged that too.
So it’s really no surprise that on the inaugural day of the EU General Data Protection Regulation last Friday, Schrems blasted an opening salvo over Silicon Valley through his new nonprofit organization, the not-so-subtly named “None of Your Business”—or “NOYB” for short. The complaints he filed against Google and Facebook in four different countries could carry more than 8 billion euros in penalties under the GDPR’s stiff sanctions regime. They target the privacy policies of crown-jewel software and services: Android, Facebook, WhatsApp and Instagram.
Schrems is saying that under the GDPR, that take-it-or-leave-it approach doesn’t cut it. A company can’t just elicit blanket consent under the threat of cutting the user off from the service. This method, the complaints allege, renders user consent ineffective under the new law, “as such consent would not be in any way ‘specific,’ but rather based on an ‘all or nothing’ approach.”
“Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the ‘agree’ button,” Schrems said in a statement announcing the move. With just a wee bit of hyperbole, he added that’s not a “free choice” and is more like “a North Korean election process.”
If he’s right on the law—even a little bit—it makes me wonder if a lot of other companies’ privacy policies are vulnerable under GDPR, despite efforts to comply. Interestingly, neither Google nor Facebook came right out and said Schrems was wrong. Facebook chief privacy officer Erin Egan said the company had “prepared for the past 18 months to ensure we meet the requirements of the GDPR.” Google said it was “committed to complying with the EU General Data Protection Regulation.”
Maybe “commitment” is enough for now? That’s what Hogan Lovells attorney Eduardo Ustaran—whom I cite often here—told a recent conference in London, according to ComputerWeekly. “Organizations need to think of the GDPR as a long-term exercise,” he said, “because it is going to take years for everyone to really understand the issues and be fully compliant.”
>> Takeaway: It probably will be a while before the individual data protection authorities and new European Data Protection Board take action in response to the complaints. But this will be a test of the GDPR’s teeth, and just how much of a paradigm shift the new law really is.
Max Schrems Photo: Lukas Beck 2014 (With Permission)
Now That’s an Idea…
Post-GDPR Day, this item was making the rounds on Hacker News over the weekend. A UK writer named Oli Frost put all his Facebook data up for sale on eBay. “Everyone else’s making money off it, so why shouldn’t I?” he said in a tongue-in-cheek commentary on his blog.
Included in the batch of data, Frost said, is: “Every like, post, and inane comment since I was 16,” “Photos dating back to when I had a fringe and listened to Billy Talent,” and “Loads more, like who I vote for, my boss’s name, and where all my family live.”
He started bidding at 0.99 British pounds. As of Tuesday morning, the bidding was up to 300 pounds. All proceeds, Frost said, will go to the Electronic Frontier Foundation.
Who Can’t Get Your Private Data? Criminal Defendants.
At least this much is clear from the California Supreme Court’s decision last week in Facebook v. Superior Court (Hunter): Social media providers must comply with subpoenas for data marked by users as “public.” But as for data marked “private”… well, TBD.
If that sounds like a “no duh” outcome, it wasn’t to the unanimous court, which took nearly 60 pages to explain its reasoning. The underlying case has to do with a drive-by shooting in San Francisco. The two criminal defendants facing gang-related murder charges have been seeking access to private Facebook, Instagram and Twitter data from a witness, in the hopes that they can prove she was motivated to testify against one of them out of jealousy.
The legal question is whether, under Section 2702 of the 1986 Stored Communications Act, companies are prohibited from handing over private user data. The defendants argue they have a constitutional right to the posts under the Fifth Amendment’s due process principle, as well as their rights to prepare an effective defense under the Sixth Amendment. To the extent the SCA impedes those rights, they maintain, the law should be declared unconstitutional.
But the California high court last week punted on that constitutional question, and instead sent the case back down to the trial court with the directive that the parties suss out what they can find in the public data first. If there’s enough there to suggest that the defendants might glean something useful from the private data, the court will have to work that out at that point.
“Ultimately, whether any given communication sought by the subpoenas in this case falls within the lawful consent exception of Section 2702(b)(3), and must be disclosed by a provider pursuant to a subpoena, cannot be resolved on this record,” Chief Justice Tani Cantil-Sakauye wrote for the court.
>> Takeaway: Public data, of course, is already public. But now providers have an obligation to package it up and ship it over to defense counsel, notes Riana Pfefferkorn of Stanford Law School’s Center for Internet and Society. “Providers are now on notice that they’re presumably going to get a lot more of these types of subpoenas.”
Protocol: ‘Sweeping’ The Crypto Wild West
It isn’t just the SEC anymore. The Denver Post reports on how Colorado joined regulators in at least a dozen regions in the U.S. and Canada in a crackdown on initial coin offerings dubbed “Operation Cryptosweep.” At least two schemes targeted by Colorado were across state lines, signaling that state regulators are intent on keeping their reach broad in this budding area.
“We have more investigations going,” Colorado Securities Commissioner Gerald Rome told the newspaper. “We’ll continue to look at what’s happening in Colorado and doing the job that we’re supposed to do.”
The wider operation was announced in a May 21 press release by the North American Securities Administrators Association, or NASAA. Its president, Joseph Borg, indicated the focus of the effort is on outright fraud schemes, but it’s possible that otherwise legit-seeming projects that haven’t registered their coin offering could fall into the dragnet.
>> Think Ahead: The regulatory drumbeat continues. “The actions announced today are just the tip of the iceberg,” Borg said in a statement. NASAA put together a task force last month to begin coordinated ICO investigations; it says the group has found some 30,000 crypto-related domain name registrations.
Choose your metaphor: A big haystack, or a lot of fish in a barrel?
Listen Up: Fear Not the Smart Contract
Speaking of crypto and blockchain, you won’t want to miss the latest Legal Speak podcast featuring yours truly and some leading thinkers on the future of smart contracts. I chat about what this technology will mean for lawyers, and get a crash course in how it works. Guests include Aaron Wright, co-founder of the Open Law smart contracts project; Casey Kuhlman, CEO of Monax; Stuart Popejoy, co-founder of blockchain company Kadena; and Amir Azaran, a transactional attorney at Loeb & Loeb focusing on technology, licensing and advertising.
Dose of Dystopia
OK, so before you say, “Hey Alexa, play Ben’s awesome new podcast” and continue carrying on your office conversation, you might want to read this. According to Seattle’s KIRO 7 news, a woman in Portland says her Amazon device picked up a private conversation with her husband and transmitted it to a random contact—in this case, one of his employees. (Luckily, the conversation wasn’t all that scintillating as they were reportedly chatting about hardwood flooring.)
Amazon didn’t deny the report. Instead, it gave this explanation (NYT): “Echo woke up due to a word in background conversation sounding like ‘Alexa,’” Amazon said in a statement. “Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right’. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
What if the conversation had been more sensitive, and the results more disastrous? Should Amazon be liable for apparent design flaws like this one, or are we responsible for inviting the listening devices into our homes?
That’s it for this week. Watch what you say out there!