
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

China Issues New CBRC Guidelines: Disclosure Requirements Affect Foreign IT Suppliers, Foreign Banks

Posted in Asia Privacy, International Privacy, Privacy and Data Security

Written by Scott Thiel and Belinda Tang

A new set of regulations issued by the China Banking Regulatory Commission has fuelled concerns that China intends to squeeze foreign investment in its banking industry.

The Guidelines on Banks Using Secure and Controllable Information Technology 2014-2015 were promulgated and became effective in late December.  The Guidelines require banks to implement “secure and controllable” information technology products within a specific timeframe.

Although not expressly precluding foreign IT suppliers from operating a business in China, the new guidelines stipulate that such suppliers are required to disclose sensitive and proprietary information to the Chinese government.

IT suppliers are now faced with the choice of whether or not to stay in China – clearly a decision which cannot be taken lightly and which will on any basis have significant consequences. Foreign banks also face tough IT challenges as a result of the new guidelines.


Russia: Important changes to Russian data protection rules

Posted in New Privacy Laws, Privacy and Data Security

By Michael Malloy and Pavel Arievich

On July 20, 2014 a new law amending the law on data protection and law on information was signed off by the Russian president and thus was officially adopted. The law, as further clarified, will come into force on September 1, 2015.

The law requires all personal data operators to store and process any personal data of Russian individuals within databases located in Russia (subject to few exceptions). The penalty for violation of this requirement is ultimately the blocking of websites involving unlawful handling of Russian personal data. A Register of Infringers of Rights of Personal Data Subjects shall be established by the Russian telecommunication authority (Roskomnadzor) and from there, Roskomnadzor may move to block websites.

As the law is newly passed and not in effect yet, it is unclear as to how this register and the website blocking would work in practice, but we note that blocking websites is a commonly used enforcement method in Russia.

These rules are important for anyone doing business with Russians, regardless of where the business is located.

These new rules will have a considerable impact on Russian and multi-national companies with Russian presence, or with involvement of Russian-oriented websites, as many of such activities involve collection, storage and/or processing of personal data outside of the Russian Federation.

Moreover, they are likely to place a heavy burden on the many international businesses operating online (such as travel services companies) who routinely process data of individuals from all countries (including Russia) without having any Russian subsidiary or presence as it would require them to distinguish the data pertaining to Russian individuals and store this data within Russia. A particularly distressing aspect for these companies is that without a Russian presence, they will have little opportunity or ability to engage Roskomnadzor regarding inclusion on the register or blocking of the websites.

According to the views of many commentators, enactment of such unprecedented rules could place a substantial new burden on foreign investment into Russia and may involve broader negative economic consequences than anticipated. With that in mind, there is a good chance that the law will be modified or fine-tuned before September 1, 2015. While this new law creates additional compliance requirements, there are strategies through which efficient compliance may be achieved.

At this point, we strongly advise anyone doing business in Russia or with Russians to take a close look at how personal data of Russians is handled. We would be more than happy to provide any further details or assistance.

Please feel free to contact either Michael Malloy (michael.malloy@dlapiper.com) or Pavel Arievich (pavel.arievich@dlapiper.com) in our Moscow Office.

Spain: €13 Million to Promote 27 Smart Cities

Posted in International Privacy, Privacy and Data Security, Technology and Commercial

Written by Ceyhun Pehlivan

The Spanish Ministry of Industry, Energy and Tourism will finance up to 80% of 13 projects linked to the development of smart cities, from which 27 Spanish cities are expected to benefit.

In June 2014, Red.es, Spain’s internet and ICT development agency, had issued the call for the selection of the participating municipalities in the “First call for smart cities” of the Digital Agenda for Spain. With a total budget of €15 million, the call was open to more than 100 municipalities with over 20,000 inhabitants in the Spanish regions of Andalusia, Castilla La Mancha, and Extremadura.

The initiatives were submitted by city councils or groups of municipalities, with a maximum budget of €1 million per city. In total, 37 individual and collective initiatives were submitted under this call, which represented a total of 49 municipalities.

Following an assessment process, the Spanish Ministry has selected 13 initiatives, involving a total investment of €13.1 million, co-funded by the European Union through its European Regional Development Fund (ERDF).

The aim of this call for smart cities is to select municipalities in which to carry out initiatives geared towards the smart development of the cities and the improvement of the quality of life of their residents and visitors.

In this respect, the call has endorsed the creation of initiatives for the opening and re-use of public data, the implementation of mature management systems, as well as the launch of infrastructures and technological elements to improve the services provided by the cities.

This smart city projects call will therefore represent an investment of approximately €10 million for the southern region of Andalusia, €2.8 million for Castilla La Mancha, the land of windmills and the stomping ground of Don Quijote, and circa €0.5 million for the west-central region of Extremadura on the border with Portugal.

Further details can be found in the recent press release from the Spanish Government.

THE ELECTRONIC COMMUNICATIONS CODE – SECURITY OF TENURE

Posted in Telecoms

By Rob Shaw, Senior Associate – DLA Piper (real estate)

This is our second article on the Electronic Communications Code. The first is here

A key issue for operators to be aware of when entering into agreements with landowners or occupiers for the siting of telecoms apparatus on their land is how protected they will be when a landowner or occupier wants to recover that land when the agreement expires or alternatively what happens if they require the apparatus to be moved.  Operators will be in a better bargaining position when it comes to negotiations if they are aware of their rights from the start.

The Code provides its own form of security of tenure to operators.  Paragraph 20 provides a power to landowners or occupiers to require the alteration or removal of apparatus where “necessary” and paragraph 21 provides a restriction on the right to require the removal of apparatus.  Such provisions can present difficulties for landowners or occupiers when wanting to recover possession or alter the position of apparatus (unless the operator voluntarily agrees).

In addition leases allowing the siting of telecoms apparatus are not exempted from the usual security of tenure provisions of Part II of the Landlord and Tenant Act 1954 (“1954 Act”).  As such, so long as an operator can satisfy the test under the 1954 Act (that they are in occupation of premises for the purpose of a business carried on by them) then the lease will continue after contractual expiry and the landlord will only be able to terminate the lease on one of the statutory grounds set out in the 1954 Act.  The 1954 Act may also apply even if landowners or occupiers think they have granted a licence, which in reality is actually found by a court to be a lease – although to avoid any uncertainty here it would be sensible to ensure a lease is expressly granted from the start.

It is possible for parties to agree that the 1954 Act will not apply to a lease, but the Code is something separate and elements of it will apply irrespective of any agreement between the parties.

The interaction between the Code and the 1954 Act is not clear (and it has caused parties and their lawyers many headaches in the past).  The safest course of action for landowners or occupiers is to exclude the provisions of the 1954 Act, so that the parties only need to be concerned with the Code instead of two potentially conflicting pieces of legislation.  However, there is no obligation on operators to agree to such an exclusion and rely on only their rights under the Code.

It should be noted that the government is in the process of drafting a new version of the Code which will likely include provisions automatically exempting a lease granting Code rights from the security of tenure provisions of the Landlord & Tenant Act 1954.  This will clear up any conflict between the Code and the 1954 Act, but could remove some of the protections currently afforded to operators.

European Data Protection Supervisor launches its 2015-2019 strategy

Posted in Cloud Computing, EU Data Protection, New Privacy Laws, Privacy and Data Security

The European Data Protection Supervisor (EDPS) launched its data protection strategy, summarizing it in three strategic objectives and 10 accompanying measures for the next five years.

The EDPS stated that it is a crucial moment for data protection, a period of unprecedented change and political importance, not only in the EU but globally.

1. Data protection goes digital

  • Promoting technologies to enhance privacy and data protection;
  • Identifying cross-disciplinary policy solutions;
  • Increasing transparency, user control and accountability in big data processing.

2. Forging global partnerships

  • Developing an ethical dimension to data protection;
  • Speaking with a single EU voice in the international arena;
  • Mainstreaming data protection into international policies.

3. Opening a new chapter for EU data protection

  • Adopting and implementing up-to-date data protection rules;
  • Increasing accountability of EU bodies collecting, using and storing personal information;
  • Facilitating responsible and informed policymaking;
  • Promoting a mature conversation on security and privacy.

Special attention will be given by the EDPS to the data protection challenges of cloud computing, big data analytics, the internet of things and techniques for electronic mass surveillance.

The strategy can be consulted at the EDPS website

For more information about the strategy and its impact, please contact Patrick Van Eecke (patrick.vaneecke@dlapiper.com)

What is ‘Blocking IP’?: Why You Should Care When Licensing Source Code

Posted in Licensing, Technology and Commercial

Written by Isabel DeObaldia

A client this week asked me to help him with a source code license. What started as a simple request with crafting a paragraph inevitably grew due to the concept of “blocking intellectual property.”  While I would argue that the document is still “simple” in structure, for the non-initiated it now probably looks like the Sunday crosswords in legalese, and without the results key.

Blocking IP is what may happen when a license to source code gets tangled in its own terminology. The reason why this occurs is that it is easy to forget that software can be legally protected under different forms of intellectual property rights. Let’s think of this as separate buckets of Lego® pieces: the bucket of copyrights contains different pieces than those in the patent bucket, the trade secret bucket and even the trademark bucket.  But I may need all of these pieces for my Lego® creation, i.e., the license to the software.

The trickiest bucket can be that of the patent rights, because a patent (and this is what tends to be forgotten) does not give the right to make or do anything. A patent gives the patent-holder the right to exclude others from making that which the patent protects. In other words, having a patent does not give the proverbial little Troll under the bridge the right to cross the bridge, but it allows the Troll to stop all others from crossing that specific bridge. If the Troll gives you a patent license, you can cross the bridge if you want to, but not because you have a right to cross, but because the license gives you the right to cross that particular bridge without being bothered by the Troll.

Now, let’s imagine that the patent is not for the crossing but for the building of the bridge. What if you realize after crossing the bridge that putting guardrails in the bridge will make it safer and easier to cross? You may find yourself the holder of an improvement patent.  However, the guardrails cannot stand on their own, by definition they are an improvement on the Troll’s patent, so you still need the Troll’s permission to be able to make and commercialize the bridge on which your guardrails stand. Likewise, if the Troll develops his own version of guardrails, you as the owner of the guardrail patent can stop (“exclude”) the Troll from building and selling guardrails.  So this is what Blocking IP means: without the Troll’s permission for the underlying bridge you don’t get to sell guardrails and without your permission, the Troll does not get to put guardrails in any bridge.

When licensing source code it is customary to give the right to build upon and expand the code. This is usually done by giving the licensee the right to create Derivative Works.  But this is a Lego piece picked from the bucket of Copyrights. This does not address the right to “an Improvement”, which is a piece from the bucket of Patent Rights. In other words, the described license does nothing to avoid the potential problem of Blocking IP, because it is only choosing pieces from the Copyright bucket.  When choosing pieces from the Patent bucket, the licensor and the licensee can follow different avenues for not blocking each other, the most common are (i) granting each other prospective licenses in all future improvements; or (ii) adding a non-assert clause to the contract, where they promise not to assert claims of infringement against each other.

There are cons and pros to either avenue, depending on whether you are licensor or licensee and on whether your license is non-exclusive or vice-versa, but that is a matter that ought to be explored in another blog entry.

 

THE ELECTRONIC COMMUNICATIONS CODE – SOME BASICS

Posted in Telecoms

By Petra Billing, Partner and Rob Shaw, Senior Associate – DLA Piper (real estate)

The Electronic Communications Code (“Code”) provides statutory rights to telecommunications operators to install and maintain electrical communications apparatus in, over or under land.  The principle of the Code is that no person should unreasonably be denied access to an electronic communications network or to electronic communications services.

The Code is relevant to all operators, landowners and occupiers entering into agreements relating to the siting of telecoms apparatus on land.

Operators should consider their legal position carefully prior to entering into any agreements as they may inadvertently lose or give up certain legal rights, especially those relating to their ability to retain apparatus on land even where a landowner or occupier requires the apparatus to be removed or relocated.

The Code and other legislation (such as the Landlord and Tenant Act 1954) set out certain legal procedures that may need to be followed in relation to the recovery of land from an operator and an operator can ensure they are better placed going into any negotiations with a landowner or occupier by being aware of such procedures in advance.

Rights under the Code are split into 2 categories:

  1. The “general” category applies where an operator either: (a) obtains the voluntary agreement of the owner or occupier of the land to exercise their rights under the Code or (b) obtains a court order permitting this (essentially this route is used where the owner or occupier will not enter into a voluntary agreement).
  2. The “special” category applies to instances such as street works, overhead lines, tidal waters, railways, canals or tramways.

The Code has been subject to much criticism in the past as the way it is drafted has left a lot to be desired.  It has famously been described by the courts as “not one of Parliament’s better drafting efforts….it must rank as one of the least coherent and thought through pieces of legislation on the statute book”!

This has resulted in calls for the Code to be reformed and the government was very recently close to introducing a new version of the Code via the Infrastructure Bill that is currently passing through Parliament.  However, the government has now removed this revised version of the Code to allow for further consultation before it is implemented.  The new code will have a direct impact on operators, who may want to consider any consultation opportunities that arise in order to try and influence the final version of the new code.

As regards case law, there is, unhelpfully, little case law providing guidance on how the Code should be applied and interpreted by operators and landowners/occupiers.  However, the advice is to always seek assistance from lawyers with past experience of dealing with the Code.

When an Exception is Not an Exception…

Posted in Technology and Commercial

 Written by Victoria Lee

Lawyers see non-disclosure agreements all the time. Some of our well-established clients may see literally hundreds of them over the course of a year. In fact, we all probably see so many of them that they may not always get the attention they deserve (except when the confidential information involves source code or some other critical information). There are lots of issues that I am often surprised to see appear in what seem to be tried and true non-disclosure agreement forms; these include issues such as (a) not having a clear distinction between the period during which the exchange of information takes place and the period during which the confidentiality obligations are binding on the parties; (b) specifying a term for the confidentiality obligations without separately addressing the fact that trade secrets may be protected indefinitely; or (c) imposing restrictions on disclosure without any restrictions on use of confidential information. However, the issue for today’s blog is the “exception” for legally required disclosures.

We’ve all seen the list of exceptions in a non-disclosure agreement; it is the list of information that is not considered confidential (information that is publicly available, information that is disclosed by a third party without breaching a duty of confidentiality, information that is independently developed, information that the receiving party rightfully possesses). Interestingly, I still see “information that is required by law to be disclosed” as an exception. The problem with treating information that is legally required to be disclosed as an exception to what is confidential information is that once that information is disclosed it is no longer confidential information. The correct way to incorporate this concept in a non-disclosure agreement is instead to include “legally required disclosures” as an exception to the non-disclosure obligations. That is, “legally required disclosures” are a specifically permitted disclosure of confidential information. Even after the information is disclosed, the information is still confidential information. In fact, most provisions allowing for legally required disclosures also include specific conditions to the disclosure, such as having to give prior notice of the proposed disclosure and having to seek a protective order. The following is a sample of such language: “A disclosure by Recipient of any of Discloser’s Confidential Information (1) in response to a valid order by a court or other governmental body; (2) as otherwise required by law; or (3) necessary to establish the rights of either party under this Agreement shall not be considered to be a breach of this Agreement by the Recipient; provided, however, that Recipient provides prompt prior written notice thereof to the Discloser to enable Discloser to seek a protective order or otherwise prevent the disclosure.”

Just remember the next time you see a non-disclosure agreement; it may be short; it may be like the last ten other non-disclosure agreements you saw; it may not need any changes. But then again, it may include an exception that really should not be an exception.

EUROPE: European cookie sweep results published: average of 34.6 cookies per website.

Posted in Behavioral Advertising, Cookies, E-Commerce and Social Media, EU Data Protection

By Patrick Van Eecke and Julie De Bruyn

Article 29 Working Party, the European data protection advisory body, has published its report on the ‘cookie sweep’ that was carried out in September last year in partnership with data protection authorities and other regulators across 8 Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the UK).

The cookie sweep covered 478 websites in the e-commerce, media and public sectors, which are considered by the Article 29 Working Group to present the greatest data protection and privacy risks to EU citizens. The specific websites targeted by the sweep were amongst the 250 most frequently visited websites by individuals within each participating Member State.

The sweep was carried out to assess the current steps taken by website operators to comply with the requirements set forth by Article 5 (3) of the ePrivacy Directive 2002/58/EC (notably the information and consent requirements) and to inform the Article 29 Working Party of the current usage of cookies. In a first stage, the cookies used by the websites and their technical properties were put through a statistical review, while in a second stage a more thorough manual review of the cookie information and consent mechanisms was carried out.

Key findings of the automated, statistical review (478 websites reviewed by 8 Member States) are that:

  • 16.555 (both first and third party) cookies were set by 478 websites, resulting in an average of 34.6 cookies per website;
  • over 70% of the cookies are third party cookies, notably cookies that are set by a domain other than that of the website visited by the user;
  • over 86% of the cookies are persistent cookies, notably cookies that remain on a user’s device for the period of time specified in the cookie, rather than being deleted once the browser is closed by the user. The average duration of the first party persistent cookies was 14,34 years and 1,77 years for third party persistent cookies;

Key findings of the manual sweep (437 websites inspected by 7 Member States) are that:

  • only 7 websites did not set any cookies;
  • the most common notification method is to use some sort of cookie banner (59%) or a link in the header or footer (39%), or both;
  • 26% of the websites did not show any notification of any kind on the landing page visited during the sweep. The vast majority of these websites were swept by the Czech Republic;
  • of the websites that did provide some sort of notification, 43% of them were considered not to provide sufficient information regarding the types or purposes of cookies used;
  • 50% of the websites inspected request consent from the user to store cookies; the remaining 50% use language such as ‘we use cookies’, ‘cookies are being set’, or similar;
  • Only 16% of the websites inspected provided the user a granular level of control by offering the choice to accept or decline certain types of cookies. For 84% of the inspected websites, the user is required to review his browser settings to control the use of cookies;
  • If a user had set its browser settings to not accept third party cookies and visited the same websites, 70% of the cookies recorded would not have been set;
  • Of the 3 sectors in the scope of the sweep, websites of the media sector set on average the highest number of cookies, public sector sites set the fewest cookies.

The full report (including more statistics and diagrams) can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp229_en.pdf

The Article 29 Working Party’s working document providing guidance on obtaining consent for cookies can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf

The Article 29 Working Party’s Opinion on Cookie Consent Exemption can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

For further information, please contact Patrick Van Eecke (patrick.vaneecke@dlapiper.com) or Julie De Bruyn (julie.debruyn@dlapiper.com).

Belgium getting tough on Facebook?

Posted in E-Commerce and Social Media, EU Data Protection, Social Networking

By Patrick Van Eecke and Julie De Bruyn

Today a delegation of Facebook is meeting with the Belgian ‘Secretary of State’ responsible for Privacy, Bart Tommelein. The subject of conversation is Facebook’s new terms of service and data policy, which are claimed to be in breach of the Belgian Data Protection Act. This afternoon, the Facebook delegation is also expected to meet with the President of the Belgian Privacy Commission, Willem Debeuckelaere, to discuss the new terms. The meetings have been requested by Facebook itself following statements made in the press by the Belgian authorities saying that the new terms were in breach of applicable laws.

Some key changes introduced by the new data policy and terms of service foresee that Facebook will:

  • own information that relates to users but is not posted by users (e.g. pictures in which one is ‘tagged’ by another person),
  • track user’s browsing behavior to understand what users like on websites,
  • know what devices users use to access the website (type of device, telephone number, telecom provider, etc.), and
  • use user’s GPS, Bluetooth and wifi to determine user’s location at all times and without asking for consent, and use this location data for commercial purposes.

The outcome of the discussions remains to be seen. However, ahead of today’s meeting, the Belgian DPA has already warned that if no solution can be reached which is more considerate of the users’ privacy, it will not refrain from initiating legal proceedings against the tech giant. The Belgian Privacy Commission is supported by other European Data Protection Authorities (for instance the CBP in the Netherlands), who have voiced their concerns regarding the new terms, and have in some cases launched further investigations into the terms.

UPDATE

Following the meeting between Belgian Secretary of State for Privacy Bart Tommelein and the Facebook delegation yesterday, a spokesperson for Mr. Tommelein confirmed that Facebook has demonstrated its willingness to conform to the Belgian laws. Facebook has agreed to take into account the concerns raised by Mr. Tommelein, but explained that there are also a lot of misunderstandings with respect to the new terms. The spokesperson continued by stating that Facebook emphasized that it did not implement many changes to its terms at the end of January, and denied that user data will be shared with third party advertisers. Facebook has since January reformulated the terms in a more intelligible language, in line with the transparency requirement of the European Data Protection Directive. Mr. Tommelein suggested that Facebook should take on a more educational role, especially since weaker parties in today’s information society (such as children) have trouble understanding the terms. In a news interview yesterday evening, Mr. Tommelein confirmed that in his view it is preferred to carry out the battle for the preservation of privacy with Facebook, rather than against it.

The meeting between Facebook and the Belgian data protection authority is yet to take place – no date has been made public yet for this meeting. The meeting is in any case expected in the near future, as the President of the data protection authority has previously announced that he expects a signal from Facebook in response to a letter that the data protection authority addressed to Facebook following the publication of the new terms, listing 13 issues with respect to the new terms and requesting clarification by Facebook on them.

For further information, please contact Patrick Van Eecke (patrick.vaneecke@dlapiper.com) or Julie De Bruyn (julie.debruyn@dlapiper.com).
