technology – Page 2 – Kelsey Farish

The Six Principles of Data Protection: Facebook fails

March 31, 2018April 1, 2018by kelsey farishLeave a Comment

Facebook may believe that dubious data collection and security practices justify a more connected audience: the incoming General Data Protection Regulations say differently.

Once again, data privacy is in the headlines. But this time, it isn’t a credit agency or department store that has fallen short of consumer expectations: instead, it’s Facebook. Much credit is due to Carole Cadwalladr and her team at The Guardian, who first broke the the Cambridge Analytica story.

#DeleteFacebook was trending on Twitter for a while, and I myself was considering ditching my account – not least because I simply don’t use Facebook often. While I’ve decided against deletion, I was genuinely saddened – although, in retrospect, not surprised – to come across the leaked 2016 “Ugly Truth” Memo from a Facebook executive Andrew “Boz” Bosworth. You can see the Memo in full at Buzzfeed, but the part that hit me hardest reads as follows:

We connect people. Period.

That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.

The natural state of the world is not connected. It is not unified. It is fragmented by borders, languages, and increasingly by different products. The best products don’t win. The ones everyone use win.

“Questionable contact importing practices”? By Bosworth’s own admission, “the ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is de facto good.”

The General Data Protection Regulations (GDPR) say differently. With less than two months to go until the implementation date of 25 May (!) I’ve set out a little refresher on the main responsibilities for organisations below.

Article 5 of the GDPR contains Six Principles of personal data collection and processing. The data controller (the company collecting or otherwise controlling the data) are responsible for, and must be able to demonstrate, compliance with these principles.

(A) Processed lawfully, fairly and in a transparent manner.
A company collecting data must make it clear as to why the data are being collected, and how the data will be used. The company must provide details surrounding the data processing when requested to do so by a person whose data is collected (the “data subject”). “Questionable practices” are likely neither fair nor transparent!

(B) Collected for specified, explicit and legitimate purposes.
Have you ever filled in a form, only to think, “why am I being asked this question?” This principle states that organisations should not collect any piece of personal data that doesn’t have a specific purpose, and a data subject must give explicit consent for each purpose. A lawful purpose could mean fulfilling a contract: for example, your address is required for shipping something you bought online.

(C) Adequate, relevant and limited to what is necessary.
Companies strive to understand customer buying behaviours and patterns based on intelligent analytics, but under this principle, only the minimum amount of data required may be stored. Asking for one scanned copy of a drivers’ licence may be adequate, but asking for a drivers’ licence, passport, and birth certificate might be more than necessary.

(D) Accurate and, where necessary, kept up to date.
Controllers must ensure personal data is accurate, valid and fit for purpose. Accordingly, data subjects have the right under Article 16 (Right of Rectification) to rectify any personal data held about themselves.

(E) Kept for no longer than is necessary.
This principle limits how data are stored and moved, and for how long. When data is no longer required, it should be deleted. This is closely related to the Right of Erasure (“Right to be Forgotten”) under Article 17, which I previously wrote about in respect of the Google case in England.

(F) Processed in a manner that ensures appropriate security.
This principle is perhaps what most people think about when they think of data protection. It means that IT systems and paper records must be secure, and the security must be proportionate to the risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR!

In 2016, a Gallup study found that Millennials (those of us born between 1981 and 1996) are generally aware of potential data security risks, but less likely to be concerned about them. Prior to familiarising myself with these principles, I simply thought data protection was another phrase for “IT security”. I thought it was just about firewalls, encryption, and outsmarting hackers.

But in the months I’ve been helping clients to get ready for the GDPR, I’ve realised that compliance is about more than just having strong passwords: it really is a mindset. That’s what’s so disappointing about Facebook’s apparent attitude towards the end consumer, in which people are seen only as a series of clicks or “likes” which can be analysed, predicted, and manipulated – at any cost. My Facebook account may remain active, but I for one will certainly be less engaged.

Photo credit – Book Catalogue

corporate

From Stockholm to Stock Market: Sweden’s Spotify set to list on NYSE

March 3, 2018March 31, 2018by kelsey farishLeave a Comment

Music streaming giant Spotify recently filed its application to put shares on the New York Stock Exchange. The 264 page document details the company’s key risks and challenges: I’ve read them so you don’t have to!

The Securities Exchange Act of 1933, often called the Truth in Securities law, requires that investors receive financial and other significant information concerning financial securities. To avoid misrepresentations and other fraud, any company wishing to place its shares on an American market must submit a prospectus, formally known as an SEC Form S-1 (or an F-1 for foreign companies).

Sweden-based Spotify filed their prospectus for the New York Stock Exchange on 28 February. Prospectuses are heavily regulated, and accuracy is vital: it is a lawyer’s job to fact-check these documents in a process known as “verification.” To allow investors to make informed decisions, a company must be honest about its particular commercial situation, and explain how share prices may decline. Spotify’s estimated valuation is nearly $20 billion, but it has never made a profit and reports net losses of €1.2bn (£1.1bn).

Spotify clearly needs a capital injection,
but given the risks below, would you invest?

Hitting the right note with listeners.
Spotify’s unique features include advanced data analytics systems and proprietary algorithms which predict music that users will enjoy. These personalised streams rely on Spotify’s ability to gather and effectively analyse large amounts of data, together with acquiring and categorising new songs that appeal to “diverse and changing tastes.” If Spotify fails to accurately recommend and play music that customers want, the company may fail to retain or attract listeners.

Screenshot 2018-03-02 at 11.16.33 PM.png — Spotify knows that 71% of my recent tunes are energetic, upbeat, and suitable for a fitness enthusiast. Touché!

Licensing and royalties.
To make its 35 million tracks available for listeners, Spotify requires licenses from the musicians and record labels who own the songs. Additionally, Spotify has a complex royalty payment scheme, and it is difficult to estimate the amount payable to musicians under their license agreements. Even if Spotify secures the necessary rights to sound recordings from record labels and other copyright owners, artists may wish to discontinue licensing rights, hold back content, or increase their royalty fees. In 2014, Taylor Swift removed her songs from the streaming service in protest, although she later added it back.

Technical glitches and data protection.
Spotify’s software and networks are highly technical and may contain undetected bugs or other vulnerabilities, which could seriously harm their systems, data, and reputation. Growing concerns regarding privacy and protection of data, together with any failure (or appearance of failure) to comply with data protection laws, could diminish the value of Spotify’s service. This especially worth noting as Europe nears the General Data Protection Regulation (GDPR) implementation date of 25 May.

Innovation and skilled employees.
Rapid innovation and long-term user engagement is prioritised over short-term financial gain. Spotify admits “this strategy may yield results that sometimes do not align with the market’s expectations.” The company also depends on highly skilled personnel to operate the business, and if they are unable to attract, retain, and motivate qualified employees, the ability to develop and successfully grow the company could be harmed.

International regulation and taxation.
As Spotify expands into new territories, it must adhere to a variety of different laws, including those in respect of internet regulation and net neutrality. Spotify even admits that language barriers, cultural differences, and political instability can bring share prices down! Furthermore, public pressure continues to encourage governments to adopt tougher corporate tax regimes, and tax audits or investigations could have a material adverse effect on the company’s finances.

Method of offering.
While Spotify may not be able to successfully overcome each challenge listed in its prospectus, many of the risks are relatively common amongst international technology and media companies. But as an additional risk, Spotify has chosen a relatively unconventional method known as a direct public offering (DPO) to bring its shares to the stock market. Unlike a traditional IPO, in a DPO a company will not use an investment bank to market or underwrite (insure) its offering. While this avoids bank fees, uncertainty can result in a discounting of share prices. This is a really technical point and somewhat nuanced (it gave me headaches in law school!) but a risk worth noting.

I’ve written previously about Spotify’s copyright challenges, as well as its controversial privacy policy.

Briefing, intellectual property

Cisco v Arista: what next for computer programs and copyright?

February 12, 2018February 14, 2018by kelsey farishLeave a Comment

Computer programs are functional, but they are also “literary works” that may be protected under copyright law. In December 2016, Arista Networks defended itself against a $335 million copyright infringement lawsuit from Cisco Systems. Cisco is now appealing the decision.

Cisco Systems, the largest networking company in the world, is trying to prevent Arista Networks from building ethernet switches which partially rely on technology copied from Cisco. Now on appeal before Federal Court in California (9th Circuit), the legal question is whether aspects of the particular technology deserves copyright protection in the first place.

ethernet switches connect devices together on a network

Copyright protects creative expressions of an idea, but not the idea itself. This “idea–expression dichotomy” therefore limits the scope of copyright protection. In an earlier blog post, The Copyright Between Oceans, I explained how the scène à faire doctrine was used as a successful defence in a copyright lawsuit regarding the novel The Light Between Oceans, and its subsequent film adaptation. When scène à faire (French for “essential scene”) is applied, common or typical plot developments are denied copyright protection. This means that broad themes, storylines and ideas which are common in a particular genre remain free for use by authors, screen writers, and other artists.

In the United States, computer programs are considered “literary works” under the Copyright Act, 17 U.S.C. § 101. Accordingly, scène à faire may be applied to preclude copyright protection from aspects of a computer program which are common or otherwise “dictated by practical realities.” Practical realities include hardware compatibility, manufacturer design, and industry practice. Arista’s defence turns on this concept.

Continue reading “Cisco v Arista: what next for computer programs and copyright?” →