May 1, 2017

Data, Privacy & Security Practice Report – May 1, 2017


Australia And China Establish Cybersecurity Agreement - On April 21, 2017, Australia and China forged an agreement to expand their cybersecurity cooperation.  This agreement emerged as part of the Australia-China High-Level Security Dialogue held in Sydney. 

According to a joint statement from the two countries, the key cybersecurity components of the new bilateral agreement include:

  • A reaffirmation of the countries’ “commitment to a peaceful, secure, open and cooperative Information and Communications Technology environment,” and an agreement “to support the work of the UN Group of Governmental Experts and to act in accordance with its reports.” 
  • An agreement to “establish a mechanism to share information to assist in the fight against and prevention of cybercrime,” and “to discuss options for joint operations to combat cybercrime.”
  • A commitment to “exchange cybersecurity delegations, relevant legal and regulatory documents and learn about each other’s legal environment, law enforcement procedures and other relevant circumstances through meetings, communication on individual cases as well as other methods, so as to enhance cooperation and mutual trust.”
  • An agreement “not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information with the intent of obtaining competitive advantage.”

The agreement between Australia and China incorporates the information security work of the United Nations Group of Governmental Experts (GGE).  The recent GGE report from July 2015 built on its 2013 recommendations and called upon States to “cooperate to prevent harmful [Information and Communications Technologies (ICT)] practices and . . . [to] not knowingly allow their territory to be used for internationally wrongful acts using ICT,” among other recommendations.  A newly convened GGE will report to the UN General Assembly in 2017.

Regarding the information sharing mechanism, the two countries agreed to “discuss issues related to cybersecurity and fighting cybercrime and communicate relevant information and experience with the aim of preventing cyber incidents that could create problems between the two states.”   Australia and China aim to work together to combat “malicious cyber actors, internet distribution of child sex abuse material, e-mail scams and other transnational cybercrime activities,” intending to “identify through consultation key incidents and carry out joint law enforcement actions.”

According to the Government of Australia, the agreement that “neither country would conduct or support cyber-enabled theft” is “consistent with a similar agreement between the US and China.”  In September 2015, President Obama and President Xi Jinping reached an agreement on cybersecurity which included a similar provision that the United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

The Trump administration has indicated that cybersecurity remains a priority in relations with China.  During President Xi’s recent visit to the White House, the two governments agreed to establish the United States-China Comprehensive Dialogue, which will include a Law Enforcement and Cybersecurity Dialogue pillar. 

Such cybersecurity cooperative agreements are gaining momentum worldwide.  China and Russia reached an agreement not to engage in cyber-attacks against one another in May 2015, and the United Kingdom entered into a similar agreement with China in October 2015.  The impact, however, of such agreements is debated.  For instance, while the United States continued to experience cyber-attacks reportedly attributable to China shortly after their agreement was reached, others reported a notable decline in cyber-attacks from China-based groups from 2014-2016, which may be due to a confluence of events that included the U.S.-China agreement.  Like the United States, Australia has faced several high profile cyber-attacks reportedly attributable to China, but the impact of the new China-Australia cybersecurity cooperation agreement remains to be seen.  Meanwhile, the next round of the China-Australia High-Level Security Dialogue will be held in China during the first six months of 2018.

Reporter, Elizabeth E. Owerbach, Washington, DC, +1 202 626 9223, eowerbach@kslaw.com.

The FTC Seeks Comment: How Trusty Is The TRUSTe Plan For COPPA Certification? - The Federal Trade Commission (FTC) is currently seeking comment on proposed changes to TRUSTe’s safe harbor program under the agency’s Children’s Online Privacy Protection Rule (COPPA).   Per the Federal Register notice, the comment period will last for 30 days, until May 24, 2017. 

TRUSTe (True Ultimate Standards Everywhere, Inc.) is a private company that has operated as a COPPA safe harbor provider since May 2001.  The program is designed for websites that have actual knowledge that they are collecting personal information directly from the users of a website or online service directed at children.  As an approved safe harbor provider, TRUSTe is required to conduct annual audits of its clients’ online services to assess compliance with its program requirements.  A company that meets the requirements of TRUSTe’s program can receive immunity from enforcement action in accordance with Section 312.11(e) of COPPA.  While a compliance certification from TRUSTe is not a guarantee of COPPA immunity, companies in FTC-approved safe harbor programs are less likely to be ordered to pay penalties.

The proposed changes in the TRUSTe safe harbor program are a result of last month’s settlement agreement between TRUSTe and the New York Attorney General Eric T. Schneiderman, which represents the first time any state or federal law enforcement agency has taken action against the operator of a privacy certification program for children’s websites.  Attorney General Schneiderman announced that TRUSTe will pay a penalty of $100,000 and adopt new measures to strengthen privacy assessments of its customers’ websites in connection with the company’s “failure to adequately prevent illegal tracking technology from surfacing on some of the nation’s most popular children’s websites.”  These measures require TRUSTe to scan its customers’ children’s websites for tracking technologies prohibited by COPPA, disclose the technologies found to its customers, and maintain a database of third-party tracking technologies, among other procedures.  

The New York Attorney General’s forays into COPPA enforcement have garnered significant interest, because the vast majority of COPPA enforcement actions since the statute took effect in 2000 have been initiated by the FTC rather than by states.  Since the FTC amended the COPPA rules in 2013, however, New York, New Jersey, and Maryland have brought enforcement actions under the statute.  Attorney General Schneiderman has been particularly aggressive in investigating how third-party services on companies’ websites are tracking user data and in taking action against a privacy certification program like TRUSTe.

Last year, previous FTC Bureau of Consumer Protection Director Jessica Rich “applauded” the New York Attorney General’s actions and said that Congress “wisely provided for law enforcement by both the FTC and state attorneys general so that there are multiple cops on the beat protecting children’s privacy.”  Per its request for comment, the FTC is particularly interested in a cost-benefit analysis of TRUSTe’s new COPPA provisions, as well as an evaluation of the incentives for and mechanisms to assess operators’ compliance. 

Reporter, Anush Emelianova, Atlanta, +1 404 572 4616, aemelianova@kslaw.com.

German Draft Law Against Hate Speeches: Solo Run Or A Model For Europe? - In March 2017, Germany’s minister of justice, Mr. Heiko Maas, released a new draft law “for the improvement of law enforcement in social networks” (Entwurf eines Gesetzes zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken).  The new draft law stipulates new regulations for social networks to fight hate speech and “fake news” and provides for high fines of up to EUR 50 million for non-compliance.  Individuals, for example board members, can be fined up to EUR 5 million. 

To date, the draft law is a German initiative, but Heiko Maas indicated that he wants to introduce the draft to his colleagues in the European Justice and Home Affairs Council with the goal of escalating the initiative to the European level.

With the new law, the minister of justice admonishes social networks to handle user complaints about hate speech and other criminal content in a quicker and more comprehensive way than in the past.  In the reasoning section of the draft, the minister refers to a recent study finding that Facebook allegedly only deleted illegal content in 39 percent, and Twitter only in 1 percent, of the cases following a complaint; only YouTube reached a level of 90 percent.  Based on these statistics, the minister explains that he is no longer willing to rely on the social networks’ pledge to improve the situation.

The subjects of the new compliance regulations are social networks with more than two million users.  In Germany, the new compliance regulations therefore primarily will affect Facebook, YouTube and Twitter, all of which have already reserved rights in their respective terms of use to remove illegal content.

The draft law requires, inter alia:

  • quarterly reports from social networks about their handling of hate crimes and other criminal content;
  • the implementation of an effective complaint managing mechanism; and
  • the appointment of a domestic legal representative for service of lawsuits.

The quarterly reports must include general descriptions of the social networks’ efforts to fight criminal conduct on their platforms, the implemented complaint mechanism, complaint management, and the number of complaints filed.  Moreover, social networks must disclose how many posts have been deleted following a complaint and indicate the time period between receipt of the complaint and the deletion.

A key section of the draft law addresses the handling of complaints about “illegal content.”  “Illegal content” is defined by reference to enumerated provisions of the German Criminal Code; only content that constitutes an offense pursuant to these provisions (e.g. “public incitement to crime”) is within the scope of the new law.  The social network must decide whether the content constitutes an offense and is therefore subject to deletion.

The draft law distinguishes between “content that is illegal on its face,” which has to be removed within 24 hours, and “other illegal content,” which must be removed within a deadline of 7 days following the complaint.  The same applies to copies of the illegal content on the platform.  The longer 7-day period shall enable social networks to review content, which is not illegal on its face, more diligently and to discuss it with the author, if appropriate.  Social networks must save the removed content for 10 weeks for evidence purposes.

The draft law also suggests that regulators change sections of the German Telecommunication Act to make it easier for users to obtain the identities of the authors of illegal content.

The draft law now goes to Parliament for further consideration.  The ministry’s goal is to get the new law adopted in the course of this legislative period.   It remains to be seen, however, whether the adoption will be such an easy run.

Specifically, some critics argue that the short deadlines for the removal of content – which are atypical for German laws – in combination with high fines may cause social networks to delete too much content in order to minimize the network’s risk exposure under the draft law, thereby impairing freedom of speech and leading to censorship.  Critics also say that law enforcement is basically transferred to social networks, which are responsible for the deletion. 

In the light of the criticism, further lively discussions are anticipated before the act will enter into force. 

Reporter, Sebastian D. Müller, Frankfurt, +49 69 257 811 201, smueller@kslaw.com

 ALSO IN THE NEWS 

King & Spalding’s 2017 Cybersecurity & Privacy Summit – On April 24, King & Spalding hosted its third annual Cybersecurity and Privacy Summit in its Atlanta office.  Over 125 people gathered for the half-day event in person, with nearly 70 more attending via webinar.  Over the course of the afternoon, six panels focused on the industry and legal trends in the world of cybersecurity.  American Lawyer’s Legaltech news section featured a story on the event.