Have European laws improved American privacy protections?

Have European laws improved American privacy protections?

The European Union’s landmark data privacy law, the General Data Protection Regulation (GDPR) went into effect one year ago this week. By now, the implications for European residents and companies are fairly well known. Many of us will have received updated privacy policies in our email inboxes, or become increasingly aware of headline-grabbing stories on mass data breaches. But what about beyond the borders of Europe? Has GDPR changed the way in which data protection and privacy matters are viewed in the United States? 

The first thing to consider is whether GDPR has the power to influence how American companies handle data. The answer is yes. The GDPR is a single legal framework that applies across all 28 EU member states – including, for the time being, the United Kingdom. But in a considerable departure from the old Data Protection Directive (95/46/EC), the GDPR imposes an expanded territorial scope beyond the EU itself. No matter where they are located around the world, companies must comply with the GDPR if they either offer goods or services to European residents, or monitor their behavior (see, inter alia, Recital 22).

These new regulations are not without teeth. Whereas fines under the previous directive generally maxed out at £500,000, fines under GDPR can reach up to 20 million euros or 4% of a breaching company’s global turnover. Accordingly, from 25 May 2018, many American companies became subject to European privacy laws for the first time, and faced considerably enhanced sanctions for noncompliance.

As a result, in the lead-up to GDPR taking effect, many Europeans were geo-blocked from accessing American websites. The reason? If European customers were blocked from accessing the websites, the companies would not technically be “offering their goods or services” to Europeans, nor would they be “monitoring their behavior”.

Although the majority of companies retreating from Europe were small to medium-sized technology companies, others included global names such as the Los Angeles Times (US small businesses drop EU customers over new data rule, Financial Times).

dims.jpg

The other approach taken by US companies was to move data centres and servers from Europe to the United States. Facebook made headlines by shifting data concerning more than 1.5 billion users from Ireland to its main offices in California. Although Facebook told Reuters that it applies “the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc [California] or Facebook Ireland,” representatives from the social media giant noted that “EU law requires specific language” in mandated privacy notices, whereas American law does not.

Has the GDPR made Europe “too chilled” for American tech companies? It is important to note that users impacted by Facebook’s server relocation mentioned above were non-EU users. Furthermore, the data migration does not release Facebook from its obligation to comply with the GDPR, insofar as European users are concerned. Nevertheless, the relocation underscores the point that the United States is often seen as a more friendly home for companies seeking fewer, less stringent privacy regulations.

Several companies which initially fled the long-armed reach of the GDPR have returned to Europe, albeit with significantly changed privacy notices and data protection practices. However, many have stayed away. Some privacy advocates will hail the departure of American tech companies who are unwilling to comply with the new privacy rules. But while it is true that privacy protection is an important and fundamental human right, it cannot be ignored that an increasing body of evidence suggests the GDPR has had a chilling effect on a wide variety of overseas companies.

According to a recent study by the Illinois Institute of Technology and the National Bureau of Economic Research, there has been an 18% decrease in the number of EU venture deals and a 40% decrease in the dollar amount per deal following GDPR implementation (The Short-Run Effects of GDPR on Technology Venture Investment).

Together with increased European regulations of the digital economy on the whole, it is arguable that lawmakers in Brussels are making it more difficult for American companies to enter the European market. Even for those that decided to remain in the EU despite the enhanced regulations, their future remains uncertain.

Will the GDPR inspire privacy laws in the United States? Given that US companies – even those located in America – must now play by European privacy rules in order to reach the EU market, it is arguable that various technology and media entities will start to impose tougher privacy standards on themselves. Such self-regulation is likely to be welcomed by technology professionals and corporate insiders, who may consider themselves better positioned than regulators and lawmakers to tackle the problems of privacy in a digital age. However, as we have seen in sectors ranging from pharmaceuticals to finance, self-regulation often falls short when it comes to consumer protection.

 

zb
In April 2018, Facebook founder Mark Zuckerberg was called before the US Senate to answer questions over Facebook’s responsibility to safeguard user privacy and the Cambridge Analytica scandal.

For a variety of reasons which fall beyond the scope of this post, the privacy laws of the United States have developed in an ad hoc fashion. Apart from the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPPA), few national laws exist to protect data privacy.

Instead, in the United States, companies are caught under different laws depending on which State they are headquartered in, or where they do business. Any applicable federal laws which touch on data privacy are most often to regulate specific industry sectors, such as health insurance mentioned above. Even in the wake of the Equifax data breach of summer 2017 – which affected over 145 million US consumers – attempts to improve consumer privacy protections have failed to pass in Congress.

Despite the lack of federal legislation, some American states are using their powers to pass laws at a more local level. One such state is California, which happens to boast both the world’s fifth largest economy, as well as one of the most impressive technology industries. Last year, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law.

While at only 12 pages the law is a far cry from the obviously more comprehensive GDPR, it does grant California consumers specific rights over their personal information held by companies. Perhaps most interestingly, because the CCPA applies to any company which does business with California residents, the law will likely have a major impact on the privacy landscape across the country.

This begs the question: if the United States is in need of enhanced privacy protections, who should spearhead the endeavour? The US federal government via Congress, state legislators, or companies themselves? Some believe consumers will be better protected if Congress resists the temptation to intrude at federal level, to allow the states to experiment with their own legislation.

As we have seen in Europe, it is abundantly clear that any single privacy framework must be both flexible, as well as scalable, across a variety of industry sectors, geographies, and company types. To add to the political complexity, powerful industry players will likely lobby for special exceptions, and various federal agencies may clash over who will enforce any such regulation(s).

In conclusion, it is safe to say that the GDPR has indeed changed the way in which data protection and privacy matters are viewed outside of Europe. But the direction with which the Americans will choose to take it remains unclear.

On the one hand, some American companies have retreated from the EU. On the other, local governments have begun to take consumer privacy more seriously, by introducing new domestic data protection legislation. To find a balance between the two forces of economic enterprise and regulatory powers may be difficult. More likely, there may be a push and pull effect; whether privacy will prevail is yet to be seen.

TickBox sent packing as film studios and Netflix win $25 million lawsuit

TickBox sent packing as film studios and Netflix win $25 million lawsuit

This story was first published for the 1709 Blog, where I regularly write about copyright law in entertainment, technology and media. 

The Alliance for Creativity in Entertainment (ACE), an industry coalition of global entertainment companies and film studios, together with Netflix and Amazon, has secured a major legal victory against Tickbox, a type of so-called “Kodi Box” streaming device. As a result of the judgement and permanent injunction, which were handed down in Los Angeles, California on September 11th, Tickbox will pay $25m (£19m) in damages. Additionally, Tickbox will no longer provide software that allows users to access pirated content, and agrees to disable any such software within 24 hours.

In its coverage of the matter, Variety noted that in initial advertising, Tickbox promised customers that they could get “virtually the channels you get from your local cable company … without you having to worry about paying rental fees or monthly subscriptions.” Tickbox devices retailed for about $150 (£115).

Image result for tickbox cut the cord

In October of last year, ACE originally filed a lawsuit alleging that TickBox was promoting their streaming device as “a tool for mass infringement of copyrighted motion pictures and television shows”. By this point, TickBox had changed the advertising wording, and in its defence to the lawsuit attempted to feign innocence by “claiming that the device manufacturer could hardly be held accountable for what their customers chose to download” (nocable.org). Essentially, Tickbox’s fundamental argument was that it is merely a hardware company, and therefore no more responsible for copyright infringement than any other computer manufacturer.

Judge Fitzgerald disagreed with TickBox’s reasoning, explaining that “There is sufficient evidence that the Device can be and is used to access infringing content, and there is sufficient evidence of TickBox’s fault — primarily in the form of its advertisements and customer-support efforts. TickBox may be held responsible for the instances of infringement that would not have otherwise occurred in the absence of the Device.”

This successful action against TickBox is the first brought on by ACE that targeted a streaming device. Other similar “Kodi-Box” lawsuits remain pending, and the outcomes are likely to be similar now that this one against TickBox is on the books.

Worth noting is that one of Tickbox’s competitors, Dragon Box, was also sued earlier this year by Netflix, Amazon, and others for copyright infringement. Dragon Box then released the following statement: Instead of closing our doors and shutting down all boxes and riding off into the sunset we decided that it was in the best interest of you the customers and the company to change our business model and adapt to change and continue to try and bring you the best legal content we can and add in as many services we can to make Dragon Box the box that beats any competitors out there.

For creatives in California, a recent employment law case may raise concerns over copyright ownership

For creatives in California, a recent employment law case may raise concerns over copyright ownership

This story was first published for the 1709 Blog, where I regularly write about copyright law in entertainment, technology and media. 

A California court ruling from April has raised concerns regarding its potential impact on copyright ownership. In Dynamex Operations West, Inc. v. Superior Court of Los Angelesthe matter before the court was a wage dispute, which required the court to consider the standard to apply in determining whether workers should be classified as employees, or as independent contractors.

Nowhere in the 85-page judgement is “copyright” or even “intellectual property” mentioned. However, in a state with so many media and software companies, the new ruling could affect whether a creator or a company gets to claim ownership as the original author of a work. In deciding if a worker is eligible for statutory employment protections, Dynamex replaced a complex multi-factor consideration with a simple three-part “ABC” test. Now, Californian companies are burdened with the requirement to prove that all three parts weigh against an employment relationship.

What does this mean for copyright law? The rise of the gig economy, which is characterised by short-term contracts and freelance work, poses new questions for intellectual property ownership. To determine if someone is an employee for purposes of copyright authorship, American Federal courts currently use a test in the US Treasury Department’s Internal Revenue Service code.

If, however, the courts start looking to the Dynamex case for guidance, people’s expectations might change. Speaking to Bloomberg Law, music industry lawyer Michael S. Poster explained: “If, under California law, a lot more people are going to be treated as employees rather than as independent contractors, chances are that a lot of their work product that they would have retained a copyright interest in might belong to their employer.”

Although the Copyright Act of 1976 provides authors with initial copyright interests, under the work-made-for-hire doctrine, it is the employer that is considered to be the author. (Section 201(b)). On the other hand, if the author is an independent contractor or freelancer – rather than an employee – ownership is retained by the individual creator, unless there is a contractual agreement to the contrary.

For participants in the gig economy, the Dynamex ruling could simply prompt media and software companies to hire fewer independent contractors, and instead only hire people as employees. Although the copyright implications of Dynamex are unknown, the decision underscores the need for employers and workers alike to ensure that any contract for services includes a carefully drafted intellectual property rights clause – especially for those in creative industries.

The Copyright Between Oceans?

The Copyright Between Oceans?

Imagine you’re an author trying to get your screenplay made into a film, but despite giving Miramax Studios and Working Title copies of your script, you have no luck. Ten years later, you discover the theatrical trailer for an upcoming movie starring Michael Fassbinder, Alicia Vikander, and Rachel Weiss. Your heart sinks as you realise that your story has been stolen. What do you do? If you’re Joseph Nobile, you call a lawyer and sue Hollywood for copyright infringement.

In 2012, Margot Watts (writing as M.L. Stedman) published The Light Between Oceans, a novel about a lighthouse keeper and his wife, and their desperate longing for a child. Set primarily in 1920s Australia, Tom and Isabel find an infant washed ashore in a lifeboat after a storm, together with the corpse of the baby’s father. The novel explores the psychological and moral consequences of the couple’s choice to raise the baby as their own.

Continue reading “The Copyright Between Oceans?”