Apple data sharing

Apple faces scrutiny for data sharing practices

Apple accused of potential improper data-sharing.

Earlier this month, American multinational technology company Apple came under scrutiny for its data-sharing practice of sending IP addresses from users of its Safari browser to Google and China-based tech company Tencent.

Apple has since defended this practice, noting that it is Safari's Fraudulent Website Warning security feature, aimed at flagging websites known to be malicious. In an interview with iMore, Apple reportedly noted: “When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”

It is of note that Apple's Fraudulent Website Warning setting is automatically set to on. As such, users would have to delve into their settings and toggle this off if they do not want to have their IP address forwarded to Google and Tencent when using the Safari browser. It is also reported that toggling this setting to off would potentially render browsing sessions less secure.

Potential GDPR and CCPA implications?

Considering that IP addresses can reveal user locations and can also be used to profile users, they are deemed online identifiers and thus personal data as covered by Recital 30 GDPR, which means that this feature would be subject to GDPR compliance.

The recent Cookies Consent ruling by the CJEU, explored in one of our recent blog posts, could also potentially affect the way Apple handles its default permission settings.

Moreover, with the California Consumer Privacy Act Regulations (CCPA Regulations), scheduled to take effect on January 1, 2020, introducing consumer rights related to third-party sharing for companies doing business with California residents, it is likely that Apple would also have to review this practice to ensure CCPA compliance.

This practice was explained in the privacy policy within the section “About Safari & Privacy” and it was publicly accessible to anyone who opened the Settings app. However, one should note that even though the privacy policy must, for the sake of transparency and in line with Articles 13 and 14 GDPR, describe every personal data processing operation carried out by the controller, adding a processing operation to the privacy policy does not automatically make it lawful; that requires a valid legal basis for the processing (contract, consent or legitimate interest, among others).

Does your company website facilitate data sharing to third parties? Aphaia’s GDPR and CCPA adaptation services, including our data protection impact assessments and Data Protection Officer outsourcing, will help you ensure compliance with the soon to be effected CCPA Regulations and GDPR.

Reference: iMore

CCPA Regulations

CCPA Regulations Overview

CCPA Regulations, the Californian GDPR? California Attorney General releases draft Regulations under the California Consumer Privacy Act.

Think of data privacy and data protection and it is more than likely that the GDPR or the UK Data Protection Act 2018 will come to mind. This is because over the last few years significant strides have been made within the European Union and the United Kingdom as regards privacy rights in today's highly connected technological era. Yet while regulations and restrictions seemed to be centered on European countries, the recent introduction of the CCPA Regulations by California Attorney General Xavier Becerra will undoubtedly usher in privacy changes for the US and any company doing business with California citizens.

What is CCPA?

According to the Office of the Attorney General of California, the California Consumer Privacy Act (CCPA) “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.”

As a result of the CCPA, California-based consumers will now have the following rights:

  •  the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
  •  the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
  •  the right to request that a business that collects personal information about the consumer disclose to the consumer information related to the categories of personal information collected, the source of the information, the use of the information and whether the information was disclosed or sold to third parties.
  •  the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer
  •  the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt-out.

While the CCPA was enacted in 2018, Aphaia’s Managing Director Bostjan Makarovic explained that it needed regulations from the Attorney General in order to function properly. Last week these much-anticipated regulations were issued by the California AG.

CCPA Regulations Overview:

Known as the California Consumer Privacy Act Regulations, these regulations govern compliance with the CCPA, and a violation of the regulations constitutes a violation of the CCPA.

The following guidelines and requirements are detailed in the CCPA Regulations:

  •  Notice to consumers
  •  Business practices for handling consumer requests
  •  Verification of requests
  •  Special rules regarding minors

The regulations are expected to come into effect on January 1, 2020.

Will the CCPA affect Europe and UK-based companies?

Aphaia’s Managing Partner Bostjan says: “In a way similar to GDPR, CCPA is not only relevant for businesses based in the jurisdiction but also to any business that processes (collects, sells, discloses) personal information from California resident consumers.”

Do you require assistance with CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.

CJEU cookies active consent

CJEU says active behavior required for cookies consent

The CJEU clarifies that “consent” in data protection and privacy laws in relation to cookies compliance refers to consent through active behaviour.

This week, the Court of Justice of the European Union (CJEU) issued a ruling resolving the definition of the term “consent” with regard to cookies compliance. This came about as a result of a dispute between the Federation of Consumer Organisations, Germany (the “Federation”) and online gaming company Planet49 GmbH.

Background of the Case

The case centered on Planet49's organisation of a promotional lottery on its website in September 2013.

In order to participate in the online lottery, internet users were required to provide their names, addresses and postal codes. Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first checkbox required users to provide their consent to being contacted by third-party sponsors and cooperation partners. Meanwhile, the second box focused on consent for the installation of cookies on the user's device. This second checkbox contained a preselected tick. In addition, participation in the lottery was possible only if at least the first checkbox was ticked.

The court judgement document explains that the Federation had issued a letter to Planet49 asserting that the declarations of consent requested by Planet49 through the first and second checkboxes did not satisfy some of the requirements of the German Civil Code (BGB), the German Law against Unfair Competition and the German Telemedia Act (TMG). This letter, however, went unanswered.

Subsequently, in March 2014, the Federation filed an injunction requiring Planet49 to cease using such declarations and to pay it EUR 214 plus interest from 15 March 2014. This action was upheld by the regional court.

Planet49 in turn filed an appeal before the higher regional court. The higher court held that the Federation's injunction order was unfounded on the basis that, first, the user would realise that he or she could deselect the tick in that checkbox and, second, the text was set out with sufficient clarity from a typographical point of view and provided information about the manner of the use of cookies without it being necessary to disclose the identity of third parties able to access the information collected.

This ruling was subsequently appealed by the Federation before the Federal Court of Justice, Germany. The Federation asserted that Planet49's success before the higher court centered on the interpretation of some articles of the ePrivacy Directive and the former Directive on Data Protection.

According to the judgement document, “harbouring doubts as to the validity, in the light of those provisions, of the consent obtained by Planet49 from internet users of the website by means of the second checkbox and as to the extent of the information obligation provided for in Article 5(3) of Directive 2002/58, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and refer to the Court of Justice for a preliminary ruling.”

Specifically, the following question was posed:

“Does it constitute a valid consent within the meaning of Article 5(3) and Article 2(f) of Directive [2002/58], read in conjunction with Article 2(h) of Directive [95/46], if the storage of information, or access to information already stored in the user's terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent?”

The CJEU ruling

Following an analysis of EU data protection laws and regulation—namely, the ePrivacy Directive, the former Directive on Data Protection and the GDPR—the CJEU concluded that:

  [The laws and regulations] must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user's terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.

As such, cookie compliance requires consent through active behavior.

What is a cookie?

Norton explains that a cookie, known formally as an HTTP cookie, is “a term for a packet of data that a computer receives, then sends back without changing or altering it.”

It further explains that the purpose of cookies is to help the website keep track of your visits and activity.

Considering that cookies store large amounts of data which could potentially identify an individual, they are considered personal data. Cookies are therefore subject to GDPR compliance.
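The definition above is easiest to see in the HTTP headers themselves. The following Node.js script is an added example, not code from the original post, from Norton or from Aphaia: it parses constructed `Set-Cookie` response headers, stores them in a minimal cookie jar and rebuilds the `Cookie` request header that the client sends back verbatim, which is the "receives, then sends back without altering it" behaviour the article describes. It also flags a tracking cookie that lacks the `Secure`, `HttpOnly` and `SameSite` attributes a security reviewer would look for. The header values, cookie names and the `example.com` URLs are all constructed sample data.

```javascript
// Added example (not from the original post): the HTTP cookie round trip.
// A server sends Set-Cookie; the browser stores the value and echoes it
// back unchanged in a Cookie header on later requests to that site.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  if (eq <= 0) throw new Error('malformed Set-Cookie: ' + header);
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Minimal cookie jar: one entry per cookie name, later Set-Cookie overwrites.
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  receive(setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      this.store.set(c.name, c);
    }
  }

  // Build the Cookie request header: name=value pairs, values sent back
  // exactly as received. Cookies flagged Secure are only sent over https.
  cookieHeaderFor(url) {
    const isHttps = new URL(url).protocol === 'https:';
    const pairs = [];
    for (const c of this.store.values()) {
      if (c.attributes.secure && !isHttps) continue;
      pairs.push(`${c.name}=${c.value}`);
    }
    return pairs.join('; ');
  }
}

// Reviewer's check: which hardening attributes a cookie is missing.
function missingHardening(cookie) {
  const a = cookie.attributes;
  const missing = [];
  if (!a.secure) missing.push('Secure');
  if (!a.httponly) missing.push('HttpOnly');
  if (!a.samesite) missing.push('SameSite');
  return missing;
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_SET_COOKIES = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'tracking_id=visitor-42; Path=/; Max-Age=31536000',
];

function demo() {
  const jar = new CookieJar();
  jar.receive(SAMPLE_SET_COOKIES);
  return {
    // Both cookies are echoed back over https ...
    https: jar.cookieHeaderFor('https://example.com/page'),
    // ... but the Secure session cookie is withheld over plain http.
    http: jar.cookieHeaderFor('http://example.com/page'),
    // The tracking cookie carries none of the hardening attributes.
    trackingGaps: missingHardening(parseSetCookie(SAMPLE_SET_COOKIES[1])),
  };
}

console.log(demo());
```

The jar deliberately ignores `Path`, `Domain` and expiry so the round trip stays visible; a real browser also scopes each cookie by those attributes. The `tracking_id` cookie is the kind of long-lived identifier the article has in mind when it says cookies can identify an individual, which is why it is the one that needs consent before being set.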

What are the implications of the CJEU ruling?

Aphaia Partner Bostjan Makarovic believes that, although not unexpected, the CJEU ruling has important implications for online business: “Since the 2009 ePrivacy rules first required consent for cookies, there has been a lot of discussion whether this consent might be implied rather than expressly stated. For example, until recently, even the UK Information Commissioner was showing an openly lenient attitude regarding the matter. This is now clearly changing. Online businesses need to urgently rethink their current approaches to cookies.”

Does your company utilize cookies on your website? Does your current use of cookies require active consent from users? Aphaia provides GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today to ensure that your company website is fully compliant.

WhatsApp conversations as contract

WhatsApp conversations may be deemed valid contract in Spain

Using WhatsApp blue tick to sign contracts? WhatsApp chats have been considered a verbal contract between the parties by a Court in Vigo (Galicia, Spain).

WhatsApp conversations may be a legally binding contract for the parties. An unpaid rent was the origin of this ruling. The landlords sued the tenant and the Court accepted the WhatsApp messages as the valid contract that governed the legal relationship between them. The Court took into account the fact that WhatsApp was the means used by the parties to agree on all the terms of the rent and to share the relevant documents in order to formalise it.

WhatsApp messages as contract and evidence in Court

Article 1278 of the Spanish Civil Code states that “contracts will be legally binding for the parties regardless of their verbal or written nature, as long as the essential elements for their validity are met [namely: consent, object and cause].”

As for the use of WhatsApp messages as valid evidence in Court, there are, however, some requirements that apply, such as the need for experts' reports to verify the origin of the communication, the parties' identities and the integrity of the content. Providing the password in order to let the Court access the relevant accounts, allowing access to the device itself, or obtaining acknowledgement from each of the parties of the existence and truthfulness of the conversation have been accepted by some Courts as sufficient evidence.

WhatsApp, smart contracts and blockchain

In the light of this ruling, one may wonder if WhatsApp conversations may become one of the “blocks” of blockchain technology and be part of smart contracts in the future. In order to achieve this, all the messages would need to be sorted and be accessible, maybe with no time limit, for verification purposes. This hypothetical but possible scenario would involve several privacy concerns, because WhatsApp messages may be deemed personal data, thus the GDPR (RGPD in Spanish) and other pieces of legislation, such as the one concerning AI, may apply.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.