Cyber Law Watch

Insight on how cyber risk is being mitigated and managed across the globe.

1. Navigating the Intersection of Data Scraping and Artificial Intelligence–A Global Data Protection Authorities Take
2. Clarifications of Legal Bases for Cross-Border Data Transfers in Landmark Judgment by the Guangzhou Internet Court in China
3. Mass. SJC Limits Website Tracking Technology Claims Under Wiretap Act
4. Higher Regional Court of Hamm (Germany): Claims for Moral Damages Under Art. 82 GDPR are Assignable – German Class Actions Coming?
5. Australian Privacy Law Reform – The Wait is (Almost!) Over
6. Decision by German Higher Regional Court Koblenz: Consent for Publication of Interview not Revocable
7. Privacy Reform Bill Just Around the Corner
8. Japanese Government Published Checklist and Guidance Related to AI and Copyrights
9. Illinois Reigns in Excesses of Biometric Information Privacy Act: Form of Consent Expanded and Claims Limited
10. Ransomware attacks – is there harm even when nothing is stolen?

Navigating the Intersection of Data Scraping and Artificial Intelligence–A Global Data Protection Authorities Take

By: Claude-Etienne Armingaud and Anna Gaentzhirt

In alignment with the ongoing concerns from several European data protection authorities publishing guidelines on data scraping (i.e., the Dutch DPA, the Italian DPA and the UK Information Commissioner’s Office), the Global Privacy Assembly (GPA)’s International Enforcement Cooperation Working Group (IEWG) recently published a Joint statement on data scraping and the protection of privacy (signed by the Canadian, British, Australian, Swiss, Norwegian, Moroccan, Mexican, and Jersey data protection authorities) to provide further input for businesses when considering data.

Clarifications of Legal Bases for Cross-Border Data Transfers in Landmark Judgment by the Guangzhou Internet Court in China

By: Sarah Kwong, Dan Wu, and Amigo Lan Xie

The Guangzhou Internet Court in China (Court) issued a landmark judgment under the Personal Information Protection Law (PIPL) (Judgment). This marked the first court decision in China regarding cross-border personal information transfers. In the case, the plaintiff expressed concerns about his personal information being transferred internationally without his explicit consent, while the defendants argued that the data processing was necessary for contractual obligations and aligned with industry standards.

Mass. SJC Limits Website Tracking Technology Claims Under Wiretap Act

By: Christopher Valente and Michael Stortz

In a critical new decision, the Massachusetts Supreme Judicial Court has confirmed that the state’s anti-wiretapping statute does not extend to website tracking technologies. In Vita v. New England Baptist Hospital, the Court held that the state’s 1968 Wiretap Act (Mass. G.L. c. 272, § 99) does not apply to the deployment of online software that collects and transmits information regarding user interactions with websites to third parties.

The Court’s opinion is both extensive and precise, in that the Court’s ruling turned on the scope of the Wiretap Act’s prohibition against unauthorized interception of “communications,” a phrase undefined in the statute. Canvassing dictionary definitions, prior decisions under the Act, and caselaw from outside of the Commonwealth, the Court determined that “communications” applies to “conversations and messages between people[,]” rather than web browsing or other standard interactions with websites. Noting the “significant difference between communicating with a person and communicating with a website,” the Court rejected plaintiffs’ claims that the hospital defendants violated the Wiretap Act by deploying website tracking technologies before obtaining user consent.

In dissent, Justice Wentlandt argued that the majority’s opinion improperly limited the statute’s scope, and that the hospital defendants’ privacy policies misrepresented that users’ identities and privacy would be protected. Notably, both the majority and dissent agreed that users might have other remedies under common law, and that the analysis may differ depending on whether the interception involved confidential medical information, as opposed to browsing history on public websites involving less potentially sensitive topics.

The decision illustrates the difficulties of applying decades-old statutes in the context of current online tracking tools. As the majority aptly observed, the plaintiffs’ proposed reading of the Wiretap Act would potentially impose “severe criminal and civil penalties” on “thousands of websites of owners” across myriad industries. As courts across jurisdictions grapple with this ever-increasing species of litigation, the Vita decision may help establish guardrails, based on the specific online activity at issue, the nature of the website or application, and user consent to the challenged technology.

Higher Regional Court of Hamm (Germany): Claims for Moral Damages Under Art. 82 GDPR are Assignable – German Class Actions Coming?

By: Dr. Thomas Nietsch and Andreas Müller

On July 24, 2024, the OLG Hamm ruled that claims for moral damages under Art. 82 GDPR are generally assignable (case number: 11 U 69/23).

Australian Privacy Law Reform – The Wait is (Almost!) Over

By: Cameron Abbott, Stephanie Mayhew, and Rob Pulham

The long-awaited privacy reform has finally been introduced into the Australian Parliament today with the introduction of the Privacy and Other Legislation Amendment Bill 2024. Described as ‘Tranche 1’ of the reforms, the Bill introduces significant uplifts to several aspects of Australia’s privacy laws.

Decision by German Higher Regional Court Koblenz: Consent for Publication of Interview not Revocable

By: Dr. Thomas Nietsch and Andreas Müller

On 31 July 2024, the Higher Regional Court of Koblenz (Oberlandesgericht Koblenz) rejected an appeal against a verdict of the Regional Court of Koblenz (Landgericht Koblenz) concerning deletion of an interview published on YouTube, as the appeal lacked a prospect of success (case number 4 U 238/23).

Privacy Reform Bill Just Around the Corner

By: Cameron Abbott, Rob Pulham, and Lauren Hrysomallis

There appears to be a further delay to the long-anticipated privacy law reform legislation, most recently expected to be unveiled this month. But even with this delay the wait won’t be long; we could see a draft bill introduced in as little as three weeks’ time.

Japanese Government Published Checklist and Guidance Related to AI and Copyrights

By: Aiko Yamada and Yuki Sako

On 31 July 2024, the Agency for Cultural Affairs, Government of Japan (the Agency) published “Checklist and Guidance related to AI and Copyrights” (the Checklist), suggesting some ideas to resolve unsettled issues related to “Do inputs to AI infringe copyrights?” (see our previous blog “Japanese Government Identified Issues Related to AI and Copyrights”) for AI developers as described below:

Illinois Reigns in Excesses of Biometric Information Privacy Act: Form of Consent Expanded and Claims Limited

By: Cameron Abbott and Rob Pulham

In their recent article available here, Joseph Wylie, Kenn Brotman, and J. Morgan Dixon from our Chicago office discuss what changes to privacy law in Illinois will mean for companies collecting or sharing individuals’ biometric data.

Ransomware attacks – is there harm even when nothing is stolen?

In November 2020, accounting and consulting firm Nexia Australia (Nexia) was alerted to a “REvil” ransomware attack taking place within its system. The attackers threatened to post personal information of Nexia’s clients, customers and staff online unless it paid a $1m ransom within 72 hours.

It was reported that the hackers appeared to have posted Nexia’s confidential files onto the dark web; however, further investigation revealed that the hackers had merely posted screenshots of Nexia’s files. Realising this, Nexia dismissed the threat and refused to pay the ransom.

But it didn’t end there.

Shortly after the attack, a news service found the Nexia file screenshots on the dark web and publicised that the company’s confidential information had been stolen and shared. Not only did Nexia have to reassure panicking clients that their confidential information remained uncompromised, it had to convince the Australian Securities and Investments Commission, the Australian Federal Police and the Privacy Commissioner that nothing of concern had been taken.

It doesn’t help that ransomware-as-a-service is becoming an increasingly lucrative way for cybercriminals to launch this type of attack. All that is needed is off-the-shelf malware and a wallet of cryptocurrency, and the attack is ready to deploy against an unsuspecting organisation.

The attack on Nexia demonstrates that even if there is no evidence that confidential information has been leaked, organisations can still suffer significant damage. The cost of reassuring stakeholders and mitigating reputational harm can almost match the consequences of a full-blown attack.

As Warren Buffett famously said, “It takes 20 years to build a reputation and 5 minutes to ruin it”. While Nexia recovered valiantly, this serves as a lesson that even when unsuccessful, the public ramifications of a ransomware attack are not to be underestimated.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.