Archive: December 1, 2021

1
Mask Off: Social Media Giants to Unmask Trolls or Risk Themselves Becoming Liable for Defamation Payouts
2
Privacy Pandemic: Australians Losing Trust in Institutions’ Use of Their Data
3
New GDPR Guidelines on Data Transfers

Mask Off: Social Media Giants to Unmask Trolls or Risk Themselves Becoming Liable for Defamation Payouts

By Cameron Abbott, Rob Pulham, Warwick Andersen, Max Evans and James Gray

In a significant development in online regulatory oversight, the Australian government announced over the weekend that it will introduce new laws handing Australian courts the power to order social media companies to reveal the identities of anonymous trolls or risk themselves being liable for defamation payouts.

The so called “social media anti-trolling legislation” which the government has said will be introduced into parliament this week proposes to require social media companies stand up a functional and easy-to-use complaints and takedown process for users, who upon suspecting they are being defamed, bullied or attacked may file a complaint with the social media platform requesting that the relevant content be removed.

If that request is denied, the complainant can ask the social media company to provide the details of the “troll” so as to enable the complainant to commence an action. If this request is further denied, or if the social media platform is “unable to do this”, complainants may apply to obtain a court order requiring the social media company to release the identification details of the anonymous user so that a defamation action may be pursued. Failure to comply with such a court order will render the social media company themselves liable for the defamation claim.

Significantly, the reports indicate that these new laws will push legal responsibility for defamatory content from the author or page manager to the social media company which runs the platform. This represents a key move away from social media platforms being distributors of content but rather, in the eyes of online safety, being deemed publishers themselves. We will keep you posted as these proposed laws progress.

Privacy Pandemic: Australians Losing Trust in Institutions’ Use of Their Data

By Cameron Abbott, Rob Pulham, Max Evans and James Gray

In the age of QR code check-ins and vaccination certificates, as Australia edges towards a post-pandemic (or mid-pandemic, it increasingly seems) “normal”, new research from the Australian National University (ANU) has revealed that Australians have become less trusting of institutions with regards to data privacy.

The ANU researchers said that the decrease in public trust between May 2020 and August 2021 was small but “statistically significant”. A key reason for this decrease, according to the researchers, was concern around “how their private data from check-in apps might be used by major institutions” as lockdowns and the use of apps for contact tracing intensified.

The institutions which experienced the greatest loss of trust were social media companies (10.1% decline), telecommunications companies, and federal, state and territory governments. This echoes sentiment from the OAIC following its recent ‘community attitudes to privacy’ survey that Australians trust social media companies the least when it comes to handling personal information, followed by the government.

While it remains to be seen whether this loss of trust becomes a permanent trend, one way to make Australians more comfortable with an organisation’s data practices – as reinforced by the OAIC – is to ensure the purpose of the collection and use of personal information is clearly understood. The OAIC has found that Australians are increasingly questioning data practices where the purpose for collecting personal information is unclear.

With increased penalties for privacy non-compliance looming, there’s never been a better time to revisit your privacy policies and collection statements to make sure that these are clear, so your organisation can stand out against this trend and build consumer trust.

New GDPR Guidelines on Data Transfers

Claude-Étienne Armingaud, Camille Scarparo and Bastien Pujol

On 19 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines on the interplay between Article 3 GDPR (territorial scope) and Chapter V GDPR (transfer of personal data to third countries or international organization) of the General Data Protection Regulation (“GDPR”).

Those draft Guidelines aim at clarifying the mechanism of international transfers and more specifically provide a necessary assistance to controllers and processors in the European Union (“EU”) or otherwise subject to GDPR, including guidance on when a data importer would be subject to GDPR and an interpretation of the concept of international transfer.

In order to characterize a processing as a “transfer”, the EDPB relied on the three following cumulative criteria:

  1. The data exporter (a controller or processor) is subject to the GDPR for the given processing;
    • As a reminder, while GDPR generally applies to all entities processing personal data and established in the EU, it can also have an extra territorial reach for certain processing operations consisting in (i) offering products or services to individuals in the EU (e.g. ecommerce and apps) or (ii) monitoring of EU individuals’ behavior taking place in the EU (e.g. cookies and other tracking technologies).
  2. The data exporter transmits or makes available the personal data to the data importer (another controller, joint-controller or processor); and
    • In that regard, the mere remote access to the data would still qualify as a “data transfer” and it remains to be hopefully clarified in the final Guidelines whether the sharing of personal data among joint-controllers (both subject to GDPR from the inception of the processing operations) would in and of itself be considered as a data transfer.
  3. The data importer is in a third-country or is an international organization.

In addition, a processing that meets these three criteria will be considered a transfer when the importer is established in a third-country and subject to the GDPR following provisions of article 3.2 GDPR. The EDPB considered that when the controller located in a third-country is already subject to GDPR, “less protection/safeguards are needed”. Nevertheless, conflicting national laws, government access in the third-country as well as the difficulty to enforce and obtain redress against an entity outside the EU should be addressed when developing relevant transfer tools.

The EDPB specified that personal data directly collected from the data subjects, at their own initiative, should not to be considered as a transfer.

An online public consultation is opened on the matter until 31 January 2022.

Copyright © 2022, K&L Gates LLP. All Rights Reserved.