MediaTech Law

By MIRSKY & COMPANY, PLLC

Legal Issues in Ad Tech: De-Identified vs. Anonymized in a World of Big Data

In the booming world of Big Data, consumers, governments, and even companies are rightfully concerned about the protection and security of their data and how to keep one’s personal and potentially embarrassing details of life from falling into nefarious hands.   At the same time, most would recognize that Big Data can serve a valuable purpose, such as being used for lifesaving medical research and to improve commercial products. A question therefore at the center of this discussion is how, and if, data can be effectively “de-identified” or even “anonymized” to limit privacy concerns – and if the distinction between the two terms is more theoretical than practical. (As I mentioned in a prior post, “de-identified” data is data that has the possibility to be re-identified; while, at least in theory, anonymized data cannot be re-identified.)

Privacy of health data is particularly important and so the U.S. Health Insurance Portability and Accountability Act (HIPAA) includes strict rules on the use and disclosure of protected health information. These privacy constraints do not apply if the health data has been de-identified – either through a safe harbor-blessed process that removes 18 key identifiers or through a formal determination by a qualified expert, in either case presumably because these mechanisms are seen as a reasonable way to make it difficult to re-identify the data.

“Do Not Track” and Cookies – European Commission Proposes New ePrivacy Regulations

The European Commission recently proposed new regulations that will align privacy rules for electronic communications with the much-anticipated General Data Protection Regulation (GDPR) (the GDPR was fully adopted in May 2016 and goes into effect in May 2018). Referred to as the Regulation on Privacy and Electronic Communications or “ePrivacy” regulation, these final additions to the EU’s new data protection framework make a number of important changes, including expanding privacy protections to over-the-top applications (like WhatsApp and Skype), requiring consent before metadata can be processed, and providing additional restrictions on SPAM. But the provisions relating to “cookies” and tracking of consumers’ online activity are particularly interesting and applicable to a wide range of companies.

Cookies are small data files stored on a user’s computer or mobile device by a web browser. The files help websites remember information about the user and track a user’s online activity. Under the EU’s current ePrivacy Directive, a company must get a user’s specific consent before a cookie can be stored and accessed. While well-intentioned, this provision has caused frustration and resulted in consumers facing frequent pop-up windows (requesting consent) as they surf the Internet.

Dataveillance Protection: The E.U.-U.S. Privacy Shield

For many years, technology outpaced policy when it came to standards and protections around ownership of and access to personal data. Privacy policies are not set by governments but rather by technology companies that created the digital world as it is experienced today. Many if not all of the dominant players in this space are American technology companies that include Alphabet (i.e. Google), Apple, Amazon, Facebook and Microsoft. These companies have more say about a user’s online life than any individual local, state or national government.

Liability for Data Loss in the Cloud: Why No One Accepts Liability? Why Carve it Out?

Why is liability for data loss typically carved out or tightly limited in cloud service and IT outsourcing contracts?  A common disclaimer in contracts for cloud services (and sometimes plain old IT outsourcing) runs like this:

You agree to take full responsibility for files and data transferred, and to maintain all appropriate backup of files and data stored on our servers. We will not be responsible for any data loss from your account.  (From http://techtips.salon.com/liability-loss-data-under-hosting-agreement-2065.html (emphasis added))

What is the Liability from Data Loss?

First, what exactly is the liability – from data loss – that is being disclaimed? What is the risk? For that, we turn to Dan Eash writing in Salon’s “Tech Tips”:

  1. Your site might be corrupted by hackers and spammers because your host didn’t properly secure the servers.
  2. Your host might do weekly backups, but something goes wrong and you lose days of work.
  3. You might have customers in a hosting reseller account who lose data because the host you bought the account from didn’t do regular backups.
  4. You might even have an e-commerce site where new customers make daily purchases.  If something goes wrong, how do you restore lost orders and customer details without a current backup?

I would add a 5th scenario: You just don’t know. 

SaaS: Software License or Service Agreement? Start with Copyright

SaaS, short for “Software as a Service”, is a software delivery model that grants users access to a program while the software itself and its accompanying data are stored off-site, on a vendor’s (or another third party’s) servers.  A user accesses the program via the internet, and the access is provided as a service.  Hence … “Software as a Service”.

In terms of user interface functionality, a SaaS service – typically accessed via a subscription model – is identical to a traditional software model in which a user purchases (or more typically, licenses) a physical copy of the software for installation on and access via the user’s own computer.  And in enterprise structures, the software is installed on an organization’s servers and accessed via dedicated “client” end machines, under one of many client-server setups.  In that sense, SaaS is much like the traditional client-server enterprise model where servers in both cases will likely be offsite, the difference being that SaaS servers are owned and managed by the software owner.  The “cloud” really just refers to the invisibility of the legal and operational relationship of the servers to the end user, since even in traditional client-server structures servers might very likely be offsite and accessed only via internet.

MegaUpload – Where is my Data?

A not-insignificant consequence of the federal government’s move in January to shut down the popular file-sharing site MegaUpload is that customers are blocked from being able to access their files.

First, some background. In January, the government charged that MegaUpload and its founder Kim Dotcom operated an organization dedicated to copyright infringement, or in other words operated for the purpose of a criminal enterprise. The site provided a number of online services related to file storage and viewing, which (among other things) allowed users to download copyrighted material. The government also claimed in its indictment that the site was used for other criminal purposes, including money laundering.

Not surprisingly, the file-sharing activities caught the unpleased eye of prominent content ownership groups

Dropbox TOS – In Praise of Clarity

Earlier this month, Dropbox spawned a new kerfuffle in internet-land with changes to its Terms of Service (TOS).

The outrage was fast and furious.  A nice deal of blog and Tumblr and other commentary zeroed in on changes Dropbox announced to its TOS before the 4th of July holiday, and in particular how this or that provision “won’t hold up in court”.  See for example J. Daniel Sawyer’s commentary here.

Sawyer was referring to language in the TOS for cloud-server services granting ownership rights to Dropbox or other cloud services.

At least I think that’s what he was referring to, because the Dropbox TOS did not actually grant those ownership rights to Dropbox.  Dropbox’ TOS – like similar TOS for SugarSync and Box.net – granted limited use rights to enable Dropbox to actually provide the service.  Here is the offending provision:

… you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service.

To be clear, if Dropbox actually claimed ownership rights to customer files – and actually provided for the same in its TOS – there’s no particular reason such a grant “won’t hold up in court”.   There are certainly cases of unenforceable contracts – contracts that are fraudulently induced or in contravention of public policy, for example – but a fully and clearly disclosed obligation in exchange for a mutual commitment of service is enforceable.
