EU Court of Justice: Orders to remove defamatory content issued by member state courts can be applied worldwide
On October 3, the European Court of Justice held that a social media company can be ordered to remove, worldwide, defamatory content previously declared to be unlawful “irrespective of who required the storage of that information.” The decision results from a 2016 challenge brought by a former Austrian politician against the social media company’s Ireland-based operation—responsible for users located outside of the U.S. and Canada—to remove defamatory posts and comments made about her on a user’s personal page that was accessible to any user. The social media company disabled access to the content after an Austrian court issued an interim order, which found the posts to be “harmful to her reputation,” and ordered the social media company to cease and desist “publishing and/or disseminating photographs” showing the former politician “if the accompanying text contained the assertions, verbatim and/or [used] words having an equivalent meaning as that of the comment” originally at issue. On appeal, the higher regional court upheld the order but determined that “the dissemination of allegations of equivalent content had to cease only as regards [to] those brought to the knowledge of the [social media company] by the [former politician] in the main proceedings, by third parties or otherwise.”
The Austrian Supreme Court of Justice requested that the EU Court of Justice adjudicate whether the cease and desist order may also be “extended to statements with identical wording and/or having equivalent content of which it is not aware” under Article 15(1) of Directive 2000/31 (commonly known as the “directive on electronic commerce”). Specifically, the EU Court of Justice considered (i) whether Directive 2000/31 generally precludes a host provider that has not “expeditiously removed illegal information”—including identically worded items of information—from removing content worldwide; (ii) if Directive 2000/31 does not preclude the host provider from its obligations, “does this also apply in each case for information with an equivalent meaning”; and (iii) does Directive 2000/31 also apply to “information with an equivalent meaning as soon as the operator has become aware of this circumstance.”
According to the judgment, Directive 2000/31 “does not preclude those injunction measures from producing effects worldwide,” holding that a national court within the member states may order host providers to remove posts it finds defamatory or illegal. However, the judges concluded that such an order must function “within the framework of the relevant international law.”
On October 1, the European Court of Justice held that, under the Privacy and Electronic Communications Directive (ePrivacy Directive), a website user does not “consent” to the use of a cookie when a website provides a “pre-checked box” that needs to be deselected for a user to withdraw consent. According to the judgment, a consumer group brought an action in German court against a German lottery company, challenging the website’s use of a pre-checked box allowing the website to place a cookie—text files stored on the user’s computer allowing website providers to collect information about a user’s behavior when the user visits the website—unless the consumer deselected the box. The consumer group argued that the pre-selection of the box is not valid consent under the ePrivacy Directive. The lower court had upheld the action in part, but, following an appeal, the German Federal Court of Justice stayed the proceedings and referred the matter to the EU Court of Justice.
On September 24, the European Court of Justice held that Europe’s “right to be forgotten” online privacy law — which allows individuals to request the deletion of personal information from online sources that the individual believes infringes on their right to privacy—can be applied only in the European Union. The decision results from a challenge by a global search engine to a 2015 order by a French regulator, Commission Nationale de l'Informatique et des Libertés (CNIL), requiring the search engine to delist certain links from all of its global domains, not just domains originating from the European Union. The search engine refused to comply with the order, and the CNIL imposed a 100,000 EUR penalty. The search engine sought annulment of the order and penalty, arguing that the “right to be forgotten” does not “necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.” Moreover, the search engine asserted that the CNIL “disregarded the principles of courtesy and non-interference recognised by public international law” and infringed on the freedoms of expression, information, and communication.
The Court of Justice agreed with the search engine. Specifically, the Court noted that while the “internet is a global network without borders” and internet users’ access outside of the EU to a referencing link to privacy infringing personal information is “likely to have immediate and substantial effects on that person within the Union itself,” there is no obligation under current EU law for a search engine to carry out the requested deletion on all global versions of its network. The Court explained that numerous nations do not recognize “the right to be forgotten” or take an alternate approach to the right. Additionally, the Court emphasized that “the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” The Court concluded that, while the EU struck that balance within its union, “it has not, to date, struck such a balance as regards the scope of a de-referencing outside of the union.”
U.S. Treasury concerned with European Commission's identification of AML/CFT-deficient U.S. territories
On February 13, the U.S. Treasury Department issued a statement responding to a list of jurisdictions published by the European Commission as having strategic deficiencies related to anti-money laundering and countering the financing of terrorism (AML/CFT). The list—which includes certain jurisdictions with strategic deficiencies that were already identified by the Financial Action Task Force (FATF) (see previous InfoBytes coverage here)—also identifies 11 additional jurisdictions, including the U.S. territories of American Samoa, Guam, Puerto Rico, and the U.S. Virgin Islands. According to the European Commission, the “banks and other entities covered by EU anti-money laundering rules will be required to apply increased checks (due diligence) on financial operations involving customers and financial institutions from these high-risk third countries to better identify any suspicious money flows.”
On December 16, the European Union’s (EU) data protection regulator, the Article 29 Working Party (WP29), released its first official guidance on the General Data Protection Regulation (GDPR), the EU’s new privacy regime. Composed of three sets of guidelines and FAQs, the guidance covers a range of issues, including the qualification, appointment, and personal liability of data protection officers (DPOs). Links to the six guidance documents follow:
- (i) Guidelines & FAQs on the right to data portability;
- (ii) Guidelines & FAQs on DPOs; and
- (iii) Guidelines & FAQs on identifying the “lead supervisory authority” for cross-border activity.
The WP29 also announced that it is accepting additional comments on this guidance through the end of January 2017, and that it will release guidelines on Data Protection Impact Assessments and Certifications in 2017. The GDPR is set to take effect in May 2018.
Implementation of New EU Regulation Establishes Uniform Legal Framework for e-Signatures Across All EU Member States
Recently, the EU adopted a new EU Electronic Signature Regulation 910/2014/EU, which established a new, comprehensive, legal framework for e-signatures, as well as e-identification, e-seals, e-timestamp, e-documents, e-delivery services, and website authentication. The new regulation applies to transactions dating back to July 1, replacing the prior Directive on Electronic Signatures (1999/93/EC). Among other things, the new regulation defines three levels of e-Signatures: (i) e-Signature, (ii) advanced e-Signature, and (iii) qualified e-Signature. “E-Signature” is defined as data in electronic form which are attached to, or logically associated with, other electronic data, which are used by the signatory to sign. “Advanced electronic signature” is defined as uniquely linked to the signatory, capable of identifying the signatory, and created using e-signature creation data that the signatory can, with a high level of confidence, use under his sole control. And finally, a “qualified electronic signature” is defined as an advanced electronic signature created by a qualified electronic signature creation device.
Notably, and in contrast to previous EU directives on e-signatures, the new regulation is directly applicable in all 28 EU Member States without any requirement that it be formally adopted into national law. Specifically, Article 25 of the New Regulation provides that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. Rather, a qualified electronic signature in one EU Member State shall now be recognized as a qualified electronic signature in all other Member States.
On July 6, the European Union (EU) approved cybersecurity rules that will require certain businesses, including those in financial services and digital service providers, to maintain security and report cybersecurity incidents. The new laws, referred to as the Network and Information Security (NIS) Directive, are intended to establish “harmonized” security and reporting requirements for “operators of essential services,” which EU member states will identify based on certain criteria, such as whether the service is “critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.” Certain digital service providers, such as online marketplaces, search engines, and cloud services, will also have to maintain security measures and report major incidents. The requirements are “lighter for these providers.” The NIS Directive will become effective on the twentieth day after publication in the EU Official Journal; member states “will have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.”
European Commission Celebrates Data Protection Day; Deadline for US-EU Data Protection Framework Approaches
On January 28, the European Commission issued a statement in observance of its 10th European Data Protection Day. Vice President Ansip and Commissioner Jourová commented on the December 2015 agreement on EU data protection reform, noting that “[w]ith one streamlined set of rules across the European Union, we will cut red tape and ensure legal certainty, so that both citizens and companies can benefit from the Digital Single Market.” The United States and the European Union are scheduled to reach an agreement on the “Safe Harbor” data transfer program in the upcoming week, to which Ansip and Jourová commented: “These flows are essential, between EU countries, but also between the EU and its closest partners. The European Commission is currently working on a renewed and safe framework on transfers of personal data with the United States. We need an arrangement that protects fundamental rights of Europeans and ensures legal certainty for businesses.”
On December 8, the European Commission announced that European Union lawmakers reached an agreement regarding cybersecurity and breach reporting legislation. The rules are intended to improve cybersecurity capabilities in Member States as well as their cooperation on cybersecurity, and will “require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to national authorities.” The text of the agreement is subject to formal approval by the European Parliament and the EU Council of Ministers; once officially published in the EU Official Journal, Member States will have 21 months to adopt the directive into their national laws and an additional 6 months to identify which internet providers it will affect.
On June 15, the 28 governments of the European Union agreed to a draft Data Protection Regulation that would establish tighter privacy provisions for users of online services – including those provided by U.S. tech companies – in a majority of European countries. The draft Regulation advances a single set of data protection rules for the EU, which include data breach notification obligations, within 24 hours if feasible, a strengthened “right to be forgotten,” and additional enforcement power for Europe’s data protection authorities, including penalties of up to €1 million or up to 2% of a company’s global annual turnover. While EU Commissioners say the proposed law would cut costs for businesses, critics argue that its provision requiring data processors to delete individuals’ personal data upon request would inevitably increase costs for Europe-based internet companies. For the past three and a half years, the EU has tried to reach an agreement to merge the countries’ rules on personal data protection into one set of regulations. If this most recent proposal passes the next phase of European Parliament negotiations, the law will have a 2016 effective date, with a two-year transitional period for companies and data protection authorities to adapt to the new regulations.