Header graphic for print

Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

Net neutrality, zero-rating and today’s news from the Netherlands and Slovenia

Posted in Telecoms

The issue of net neutrality is certainly the current hot topic in the world of telecoms regulation. I thought I would just add a few (personal) thoughts on the matter following this week’s (in my view) shocking news from the Netherlands and Slovenia

First Principles

To take an approach from first principles my view is that regulators ought not to intervene and impose ex ante regulations (such as a net neutrality requirement) on market players unless there one (or more) of the participants has market power – and then they should only do so to the extent necessary to counteract that market power. This, of course, is exactly the approach taken by the EU in respect of most telecoms matters (leaving aside roaming but that’s another story) – regulations cannot be imposed in this way before the national regulator has conducted a review of the relevant market, and then only if they find that an operator has “significant market power” (SMP).

In the absence of specific regulation, then, ISPs are free to offer services in any way they choose. However if it later turns out that there has been any anti-competitive conduct (in this context meaning an abuse of a dominant position by an ISP or telecoms operator) then it would be appropriate to address this by the normal principles of competition law – ie an investigation leading to possible criminal sanctions and fines.

This consistent and logical system is designed to minimise the need for interference in the market, reserving regulatory intervention only where specifically justified.

In the context of net neutrality, then, this approach would tend to suggest that regulators should prevent behaviour by ISPs only if those ISPs have been found to have market power, or else only where it amounts to an abuse of a dominant position.

Today’s news

I was shocked to read news yesterday that the regulator in the Netherlands has fined Vodafone €200,000 for “zero-rating” the HBO-Go service – meaning not charging customers for the data use involved in using the service. KPN was also fined for blocking (not zero-rating) a particular VoIP service.

Similarly, also this week, it was announced that Slovenian operators Telekom Slovenije and Si.mobil have been fined for, respectively, zero-rating the Deezer music service and the “Hangar mapa” cloud storage service

In none of these cases has the “first principles” approach been applied. Instead there are specific regulations in place in both countries which appear to have the effect of allowing the regulator to issue fines and to interfere in the market without having previously made a determination that the operator concerned has SMP and without having to determine that there is an abuse of a dominant position.

The “zero-rating” examples are good case studies. The effect of this interpretation of the net neutrality rules is that customers in the Netherlands and in Slovenia have been denied the opportunity to access innovative services which challenge more established players in their particular market. It, will, now, be harder for HBO to challenge Netflix, harder for Deezer to challenge Spotify and harder for Hangar Mapa to challenge Dropbox, Google Drive and others.

This seems a very perverse outcome for regulations which ostensibly exist to foster innovation and encourage the startups to compete against the bigger more established players. It seems they are having quite the opposite effect. We will see whether any final regulation from the European Commission on net neutrality would also bite on zero-rating.

As a postscript I’d just add a few words on the KPN issue (where it was fined for blocking a VoIP service on free wif‑fi hotspots). Whilst it may  be right that this type of behaviour should not be permitted I would still maintain that the best way to deal with it under the European legal system would be to look into whether blocking VoIP services constitutes an abuse by (in this case) KPN of their dominant position in a relevant market. This will of course involve an analysis of what the “relevant market” is – not a simple exercise – but if the blocking only applied to the use of a free wi-fi service, it’s not obvious that this is in fact an abuse – and the effect of the fine may be to discourage KPN and others from offering free wif-fi at all.

What Exactly Do You Mean By “Reseller” Agreement?

Posted in Licensing, Technology and Commercial

Written by Sanjay Beri

I was recently reminded that the term “reseller” agreement can often mean different things to different people.  Misunderstandings about these types of relationships creates the potential for miscommunication and wasted time drafting the wrong terms.

A client recently asked me for a form of reseller agreement to engage resellers to help distribute the client’s software based product.  “You know, just grab something off the shelf that will work” went the common refrain.  As I talked to the client about the type of arrangement he was seeking, however, it became clear that the client was still in the process of making a number of business decisions that would greatly impact pulling the right “form” or, more likely, drafting the right terms.  Given this discussion, I thought it might be useful to impart a few high level questions that I found useful in guiding the conversation.  For ease, I’ll simply refer to my client from the conversation above as the “licensor” and the ultimate user of the product as the “end customer”:

(i) What type of relationship will the reseller have with the end customer (for example, will the reseller be entering a negotiation with the end customer or merely be passing through terms dictated by the licensor)?

(ii) Will the licensor need a direct contractual relationship with the end customer or need rights to prevent the end customer from taking particular actions with respect to the licensor’s product?

(iii) Will the reseller be modifying or bundling licensor’s product in any way for redistribution?

(iv) Will the reseller or licensor have direct support obligations with the end customer?

Having precise discussions and clarity around these points is crucial for both the lawyer and the client.  By having these basic discussions, the parties can save lots of drafting time, and unintended delays in ensuring that the terms provided match up with the business objectives of the client.

Blue Edge Lab℠ and the Internet Security Alliance launch new online cybersecurity tool for multinational companies

Posted in Cybersecurity, International Privacy, Technology and Commercial

Blue Edge Lab, a wholly owned subsidiary of DLA Piper LLP (US), in partnership with the Internet Security Alliance (ISA), announced today the launch of CyberTrakSM, a highly innovative online cybersecurity tool featuring information on cybersecurity-related mandates and regulatory risk around the world.

CyberTrak is the inaugural product of a partnership between Blue Edge LabSM* and the Internet Security Alliance (ISA).

CyberTrak provides multinational companies instant online access to critical information about cybersecurity-related laws, regulations and generally accepted standards in 23 key markets in the Americas, Asia-Pacific, Europe and the Middle East, and in four highly regulated sectors in the US. It also provides brief summaries of requirements, as well as an assessment on enforcement risk and the degree of activity triggering the requirement.

Cybersecurity laws and regulations are evolving rapidly around the world. Companies battling ever more sophisticated cyberattacks face mounting compliance costs and higher risks if they do not keep up with new requirements in all markets where they operate.

CyberTrak is designed to help GCs, CIOs, CISOs, risk officers and legal, technology, IT and procurement departments of multinational companies make better, faster risk management decisions and reduce the costs associated with keeping up with these changing regulatory requirements.

CyberTrak content will be regularly updated three times per year by a global group of more than 50 carefully selected contributors in key jurisdictions, along with interim updates when major changes occur.

Understanding cybersecurity mandates on a global scale is critical to any multinational company that collects and retains customer data, trade secrets and other confidential data or operates in a critical infrastructure sector, such as energy, financial services, healthcare and defense/government contractors.

For more information, click here.

To register for a free trial or to learn more about CyberTrak, please visit www.BlueEdgeLab.com.

 

*Blue Edge Lab, LLC is a wholly owned subsidiary of DLA Piper LLP (US). Blue Edge Lab is not a law firm and does not provide legal services

EUROPE – Getting closer to the EU Data Protection Regulation?

Posted in EU Data Protection

January 21, 2015

Written by Giulia Zappaterra

After the Italian term, the Latvian Prime Minister, Mrs. Laimdota Straujuma, took over the rotating presidency of the Council of the European Union. The Prime Minister, during the debate before the European Parliament, outlined the priorities of her country’s term (you can find here the programme containing the main topics on the agenda).

Among other things, Mrs. Straujuma stressed the importance of building a stronger and more coherent European data protection framework, underlying the necessity to seek an agreement on the Data Protection Regulation (the “Regulation“).

Further to the approval by the European Parliament on the latest draft of the Regulation, the final framework shall now be determined on the basis of an agreement to be reached at the Council level. However, at present, the Council does not seem to have achieved a consolidated approach through the latest negotiating sessions (with a formal declaration on this yet to be made).

Among the outstanding issues which are still under the review of the Council (also see our colleagues’ highlights here and here) we can list the following:

(i) Data transfer to non-EU countries: according to the current draft of the Regulation, should a third country request an entity (for instance a social network or cloud provider) to disclose personal information processed in the EU, then such entity would be required to seek an authorization from the national data protection authority;

(ii) Profiling: the current Regulation seems to limit profiling activities, which will be allowed only subject to the data subject’s consent or when provided by law or when needed to fulfill a contract. In addition to the above, such practices should not lead to discrimination or be based only on automated processing; moreover certain data sets would be prohibited for use in a profiling situation, such as administrative sanctions and judgments and gender identifiers;

(iii) The concept of a “one-stop-shop”: according to the current draft, companies that operate in several EU countries will have one designated regulator in Europe, based upon the country of establishment for the company’s main activities. The issue would therefore be relevant for consumers, who might face some difficulties when complaining against a company established in a country other than their own place of jurisdiction.

Given that the above (and further issues) are still subject to discussion between EU member states, will the Latvian presidency be able to finalize the Regulation by June 2015, the end date of its term?

In any event there will still be a lot of time before the new provisions are implemented as the Regulation will come into force two years after its finalization and adoption by the European Parliament. Please let us know if you would like to discuss the matter (Giulia.Zappaterra@dlapiper.com).

EUROPE: The End of Roaming Charges in a “Connected Continent”?

Posted in Technology and Commercial

By Florence Guthfreund-Roland & Mathilde Hallé

After months of discussions, it is likely that the new so-called “Telecom Package”, expected to come into effect in 2015, will indeed prohibit telecom operators from charging customers additional fees for intra-EU roaming.

In accordance with the “Europe 2020″ digital strategy promoted by the European Commission, the European Parliament believes that fragmentation of the European electronic communications market (i.e., the significant number of operators existing in the region) should not prejudice customers traveling within the European Union.

To meet this goal, and thus offer further protection to EU customers, the Legislative Resolution of the European Parliament dated April 3rd, 2014 on the proposal for a regulation of the European Parliament and of the Council laying down measures concerning the European single market for electronic communications and to achieve a Connected Continent (amending Directives 2002/20/EC, 2002/21/EC, 2002/22/EC, and Regulations (EC) No 1211/2009 and (EU) No 531/2012) expressly recommends and provides that users of mobile communications services shall be entitled to roam with no additional charge, provided such roaming is within the European Union. The Resolution expressly mentions that this rule should apply to incoming and outgoing calls, outgoing SMS/MMS messages, and data services. As an exception to soften the potential effects of this rule in terms of traffic management, it also recommends that operators be entitled to implement usage restrictions in cases of excessive or unusual roaming. In short, international roaming would not be subject to additional charges within the EU, subject to fair use by the customer.

It should be noted that roaming tariffs are already regulated at the EU level. Indeed, since 2012, roaming tariffs have dramatically decreased each year, in accordance with Regulation No 531/2012 dated June 13, 2012 on roaming on public mobile communications networks within the EU. As of July 1st, 2014, roaming tariffs applicable to EU users have since decreased by up to 30%.

Should the Regulation be adopted as is by the European Council, its provisions would have to be implemented as from December 15, 2015. To anticipate its impact on wholesale markets, the Commission will reportedly publish additional regulations and/or guidance on wholesale tariffs by June 2015.

To read the Legislative Resolution of the European Parliament dated April 3rd, 2014, please click on the following link: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0281+0+DOC+XML+V0//EN. To read the Regulation (EU) No 531/2012 of the European Parliament and of the Council of June 13, 2012 on roaming on public mobile communications networks within the Union, please click on the following link: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:172:0010:0035:EN:PDF.

For further information, please contact Florence Guthfreund-Roland (Florence.Guthfreund-Roland@dlapiper.com) or Mathilde Hallé (Mathilde.Halle@dlapiper.com).

President Obama Unveils Plans About Cybersecurity

Posted in Cybersecurity, Privacy and Data Security, Technology and Commercial, US Federal Law

Written by Sydney White

President Obama made a series of announcements on cybersecurity, data security, and privacy that will be incorporated into his State of the Union address tonight.  In conjunction with the announcements, the White House released legislative proposals on cybersecurity information sharing and data breach notification.  http://www.whitehouse.gov/omb/legislative_letters

On cybersecurity information sharing, the proposal authorizes private entities to share cyber threat information with the National Cybersecurity and Communications Integration Center (NCCIC) under the Department of Homeland Security, with information sharing organizations, and with law enforcement.  The proposal requires private entities sharing cyber threat information to remove information that could be used to identify an individual.  It also provides limited liability protection for the sharing of cyber threat information.

The proposal on data security requires companies to notify consumers of a breach involving their personal information within 30 days of discovery.  The proposal gives dual enforcement and rulemaking authority to the Federal Trade Commission and the Federal Communications Commission (FCC) over entities subject to the authority of the FCC.  It also gives dual enforcement and rulemaking authority to the FTC and Consumer Financial Protection Bureau over “financial information” and “information associated with financial products and services”.  As such, it does not include an exemption for Gramm-Leach-Bliley regulated financial services companies, an exemption that has been included in most general Federal data breach notification bills.  Most importantly, the proposal provides for Federal preemption of the disparate state data breach notification laws.

All of these issues are at the top of policy makers lists this year and these proposals will contribute to existing momentum in Congress.

What privacy obligations and liabilities for drones?

Posted in EU Data Protection, Privacy and Data Security, Security Breaches, Technology and Commercial

Privacy breaches and potential liabilities might increase as a consequence of the usage of drones that represent a massive resource in a number of different sectors, but might also trigger some “new” unexpected legal risks. Continue Reading

If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.

Posted in Licensing, US Federal Law

Written by Jeff Aronson

In the not too distant past, there was a school of thought that a covenant not to sue (CNTS) had a different legal effect than a patent license in the US.   Differences I frequently heard included a CNTS does not run with the patent, a CNTS does not exhaust the grantor’s rights, there is different treatment in bankruptcy under 365(n), and rights to pending patent applications cannot be granted under a CNTS.  Court have recently ruled on each of these points that a CNTS is no different than a license.

These recent decisions have shed so much light on the subject that, the next time you hear someone say there are differences, you may want to respond just by saying “quack, quack.”

AFRICA: On the Way to Digital Migration

Posted in Technology and Commercial

By Florence Guthfreund-Roland & Mathilde Hallé

By June 17, 2015, all African countries should have completed the transition from analogical to digital radio transmission of TV and radio signals.

This deadline was set by the Regional Conference of the International Telecommunications Union (ITU) in the 2006 Geneva Agreement (GE-06). The main goals are to improve the quality of signals received, to diversify the existing commercial offers in terms of TV programs and channels, and to make frequency slots available for other purposes such as, e.g., for telco operators to develop fast or ultra-fast broadband internet offers. It is expected that many investment opportunities should arise further to this migration, which should both foster the development of the media and telecom markets, still serving public interests goals.

Considering the challenges, a strong commitment from public authorities is required to put this migration to digital terrestrial transmission (DTT) on track. Indeed, Governments and national regulatory authorities need to identify the priorities, hold the consultation processes with private stakeholders, review the existing legal and regulatory background for the media and telecom sectors and then define the agenda to complete the transition. More specifically, the migration to DTT notably entails the need for local public authorities to get together to define the best way to refarm the frequency spectrum, in accordance with the ITU recommendations and international best practice, so as to have frequency blocks effectively and shortly released by broadcaster. Another challenge is to identify sources of funding to fit users/citizens with digital decoders (whose minimum cost is USD 50 per item), but also to foster the development of new TV and radio programs and offers by broadcasters.

Considering these challenges and the complexity of the issues at stake, it is very likely that many countries will not be in a position to meet the June 2015 deadline. As of today, only a few countries have completed the transition to DTT (including notably Tanzania, Rwanda and Mauritius) and several other are reportedly in the process of transitioning (such as Tunisia, Morroco.Kenya,  Uganda, South Africa and Ghana). In this context, many countries have reportedly obtained from the ITU that this deadline be postponed in 2020.

More details on the GE-06 and the digital migration in Africa are available in the ITU publications and toolkits:

www.itu.int/ITU-R/terrestrial/broadcast/plans/ge06/

www.itu.int/oth/R0B07000012/fr

www.itu.int/en/ITU-D/Technology/Documents/Broadcasting/GuidelinesTransitionAD_FINAL_F.pdf.

For further information, please contact Florence Guthfreund-Roland (Florence.Guthfreund-Roland@dlapiper.com) or Mathilde Hallé (Mathilde.Halle@dlapiper.com).

Hong Kong Privacy Commissioner Issues Guidelines re Cross-Border Data Transfers

Posted in Asia Privacy, Cross-Border Transfers

Although the restrictions for transfer of personal data outside of Hong Kong set out in section 33 of the Personal Data (Privacy) Ordinance (the Ordinance) are currently not yet in force, on December 29, the Hong Kong Privacy Commissioner for Personal Data (PCPD) published a Guidance on Personal Data Protection in Cross-border Data Transfer (the Guidance), in which the PCPD aims to assist data users in understanding their compliance obligations for cross-border data transfer once section 33 comes into effect.  DLA Piper Hong Kong has contributed to the drafting and preparation of the Guidance and the recommended data transfer clauses contained therein.

There are six exceptions to the cross-border data transfer restrictions set out in section 33(2) of the Ordinance. A data user is required to satisfy at least one of them if the data user wishes to transfer personal data outside of Hong Kong.  Certain of the exceptions are highlighted below:

  • Cross-border transfer is permissible if personal data is to be transferred to any one of the jurisdictions specified by the PCPD in the White List.  However, the jurisdictions to be included in the White List have not yet been revealed in the Guidance.
  • Obtaining data subjects’ express and voluntary consent in writing to the cross-border transfer is also one of the exceptions set out in section 33(2) and this is regarded as a more onerous consent requirement on the part of data users.
  • One of the exceptions to cross-border transfer restrictions is that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the place outside Hong Kong, be collected, held, processed, or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance.  The PCPD has suggested that adopting enforceable contractual means between the parties to the transfer may satisfy such diligence requirement.  The PCPD has therefore prepared a set of recommended model data transfer clauses to assist data users to develop enforceable data transfer agreement.

We recommend that data users start reviewing their data collection and transfer practices to ensure these are aligned with the recommended practices set out in the Guidance.  Some to-do actions include:

  • Reviewing and updating your Personal Information Collection Statements;
  • Reviewing and updating your cross-border personal data transfer arrangements; and
  • Developing group-wide policies for cross-border intra-group data transfer.
Back to Top of Page