The DLA Piper Internet of Things group just launched a series of webinars on legal and business issues of the Internet of Things. The first webinar will cover the Business and Legal Framework of the Internet of Things and will take place on Wednesday 22 April 2015 from 3.00 to 4.00pm UK time.
By Patrick Van Eecke and Julie De Bruyn
Today the Schrems v. Irish Data Protection Commission case was brought before the Court of Justice of the European Union (‘CJEU’) for an oral hearing, following referral by the Irish High Court. While the final ruling by the CJEU is not expected until June 24, it may affect the continued existence of the Safe Harbor Decision governing EU-US data flows. This may affect not only US companies participating in the PRISM program, but also other US organisations that rely on their Safe Harbor certification for EU-US personal data flows.
The proceedings were initiated by Maximilian Schrems – an Austrian privacy activist with a PhD in law – who contacted the Irish Data Protection Commission (DPC), i.e. the data protection authority (DPA) which has regulatory competence over Facebook Ireland Ltd in Ireland. Mr. Schrems, a Facebook user, expressed his concerns to the Irish DPC about the transfer of his data to Facebook in the US, referring to the mass surveillance of data by the NSA, and asked the Irish DPC to stop Facebook Ireland Ltd from transferring his personal data to the Facebook US headquarters. Following refusal by the Irish DPC to grant the request, Mr. Schrems brought the case before the Irish High Court, which subsequently referred the following questions to the CJEU:
- Is a DPA bound by an adequacy decision of the European Commission for a third country if it is claimed that the laws and practices of such third country do not contain adequate protection for the individuals concerned?; and
- May DPAs alternatively conduct their own investigation of the adequacy of a third country in light of factual developments since the Commission Decision on the adequacy of that third country was published?
Today’s oral hearing before the CJEU was attended by the 12 parties who had previously lodged written submissions (including 7 EU Member States, the European Parliament, European Commission, Mr. Schrems and the Irish DPC) as well as by other organisations such as the European Data Protection Supervisor. Each of the parties clarified its position during today’s hearing, and the topics on the table included the validity of the Safe Harbour Decision, its binding nature, the current adequacy level of the US and the powers of DPAs to suspend data flows to Safe Harbour certified organisations under certain circumstances.
The European Commission in particular was placed in the hot seat today, having to justify its adequacy decisions and to respond to a series of questions by the CJEU.
The ruling of the CJEU in the present case is expected on 24 June. While the validity of the Safe Harbour Decision does not form the subject matter of the present case, it is nevertheless expected that the ruling may have an impact on the further existence of the Decision, especially considering that the European Commission could not confirm, when asked by the CJEU, that the US still provides for an adequate level of protection.
We note that Mr. Schrems is also the initiator of a second lawsuit against Facebook, a class action involving over 25,000 participants, claiming that Facebook is in violation of European data protection laws. A first hearing of this lawsuit will take place on 9 April before the Austrian courts. Updates on this lawsuit can be found on our blog.
Eamon Holley of DLA Piper briefly reviews some key developments in four Gulf telecoms markets during 2014 and looks to what might lie ahead in 2015.
Bahrain’s TRA has a reputation for being a dynamic and forward looking regulator. It upheld this reputation in 2014 by publishing a series of very interesting reports considering regulation of the new telecoms world. Over The Top (“OTT”) services, like Skype, Whatsapp, Netflix, cannot be regulated in the same way as traditional telco services, but they appear to be here to stay. Recurring regulatory issues include consumer protection, licensing and Government revenue raising, competition and national security. The TRA considered how some of these issues may be addressed in the region.
Bahrain continued to focus on further strengthening its current framework through the publication of new fining guidelines and inter-operator dispute resolution guidelines, continued reviews of competition in certain markets (which resulted in the lifting of some regulations from Batelco in some broadband markets), and consultations on bulk messaging regulations and in-building access.
It is expected that at some point in 2015 Bahrain will announce the launch of a National Broadband Network (“NBN”) in conjunction with Batelco.
In late 2014 Saudi Arabia’s CITC launched two consultations: one on interconnection, and the other on access to physical infrastructure. For those who don’t know, interconnection is the connection of different networks, allowing users on different networks to call each other. Access to physical infrastructure is where operators open (provide access to) parts of their network, like their ducts, in order for another operator to use them, for example to install their own fiber. Sounds easy, right? It’s not. Incumbents want to protect their positions, challengers want to attack these positions, and so negotiations are often slow and tricky. Clear rules on interconnection and access are therefore essential. The CITC’s consultations will be critical in reviewing what’s working and what isn’t, ultimately with a view to strengthening fair competition between operators for the benefit of consumers. The consultations were due to end in early February 2015.
This market is in a real state of transition. In May 2014 the Kuwaiti Government published its long awaited Telecommunications Law, with a view to establishing an independent telecoms regulator. The regulator’s board has been established, but the executive regulation required to fully effect the new law is not yet published. The new law says that the regulator will take over from the Ministry of Communications 6 months after the executive regulation is published and in the meantime parts of the old regulatory regime that are not inconsistent with the new law will remain in effect. Kuwait already has three mobile operators and a number of ISPs but only one fixed line operator, which is the Ministry of Communications itself. It will be interesting to see whether and how the fixed line market opens up.
In April 2014 the Omani Government incorporated an NBN Co; however, little is available in the public domain about how or what precisely it will do. The industry is watching this closely to see exactly what will be implemented.
With two new NBN Cos expected to become operational in Bahrain and Oman, a new regulator in Kuwait and potentially a new access regime in Saudi Arabia, there is a lot to keep an eye on in 2015.
Eamon Holley, Legal Director, DLA Piper Middle East LLP
The European Council approved the “one-stop-shop” privacy rule which might cause relevant issues to companies operating in different European countries, including large American Internet and technology companies, where separate disputes might arise.
Today, the amendments to the current Dutch cookies regulation in Article 11.7a Telecommunications Act (TA) entered into force.
In short, the amendments provide for:
1. An additional exception to the required prior informed consent rule for the placement of cookies and similar software. This means that both cookies that are strictly necessary for the provision of an information society service (functional cookies), as well as cookies that have little or no impact on the privacy of the internet user (e.g. first party analytic cookies), do not require prior informed consent of the user. The prior informed consent instrument is now restricted to serious privacy cases and does not apply to cases which do not infringe users’ privacy; and
2. A ban on the use of cookie walls by public agencies. With this amendment, public agencies cannot refuse users who do not wish to pay for access to public services by giving away their personal data.
Written by John Townsend
From 6 April this year, the UK regulator, the Information Commissioner, will be able to issue fines for breaches of the direct marketing provision of the Privacy and Electronic Communications (EC Directive) Regulations 2003 without having to prove that the organisation making the infringing call or sending the text or email knew or ought to have known that such breach would be of a kind likely to cause substantial damage or substantial distress.
This change in the law has been adopted primarily after the Information Commissioner’s fine of £300,000 on Manchester-based Tetrus Telecoms was held by the Information Rights Tribunal not to meet the legal threshold of causing “substantial damage or substantial distress”.
To impose a fine (which may be up to £500,000) the Information Commissioner now only has to demonstrate that the person sending the communication knew or ought to have known that there was a risk the 2003 Regulations would be contravened, but failed to take reasonable steps to prevent the contravention.
This power will make it easier for the Information Commissioner to impose fines in this area, but does change UK citizens’ private rights of enforcement.
In addition to the above change of the law, the same legislation permits certain providers of mobile electronic communications services to disregard restrictions on the processing of traffic and location data that would otherwise be imposed on them by the 2003 Regulations. The providers are only permitted to do this for the purposes of providing an emergency alert service, or testing such a service, and only when acting in accordance with directions given by a relevant public authority or, in relation to testing, by a Minister of the Crown.
Written by Sydney White
The White House released its much anticipated legislative proposal on the Consumer Privacy Bill of Rights Act (CPBRA) that was first floated in 2012. The CPBRA, if enacted (which seems unlikely before 2016), would provide consumers with the right to decide how and what personal data is collected by companies and how companies use that data. Personal data is defined in far broader terms than we have seen in previous privacy legislation to include address, phone number, or persistent identifier, in addition to actual personally identifiable information such as a social security number. Covered entities include any person that collects, processes, or retains personal data of more than 10,000 individuals. The principles of the CPBRA are: transparency; individual control over data; respect for context in processing data; focused collection and responsible use; security; access and accuracy; and accountability.
The legislative proposal would provide the FTC with Administrative Procedure Act (APA) Rulemaking Authority to establish the minimum requirements for codes of conduct under which covered entities can qualify for a safe harbor. The FTC is not provided with APA rulemaking over other sections of the proposal. The proposal would also provide the FTC and state attorneys general enforcement authority over violations, but preclude private rights of action. There is a carve out for entities that are covered by comparable provisions of another Federal privacy law including the Gramm-Leach-Bliley Act, the Communications Act of 1934, and the Health Insurance Portability and Accountability Act.
Given the breadth of this proposal and the almost immediate negative reactions from industry, some privacy hawks on Capitol Hill, the FTC (although Commissioners have applauded the CPBRA as a start), and consumer and civil liberties groups, the proposal seems unlikely to move forward in Congress. However, it may be used to inform future agency enforcement actions and guidance.
Written by Mark Lehberg
As we all know, companies enter into non-disclosure or confidentiality agreements in the normal course of business to protect their trade secrets and other confidential information. In addition, many technology and commercial agreements include non-disclosure and confidentiality terms. Two of the many issues that need to be considered in connection with entering into an NDA or an agreement with confidentiality terms are (i) how important/valuable is the information to be disclosed and (ii) how long do the obligations regarding non-disclosure and non-use last.
We have seen a number of instances where a proposed NDA puts a “term” on how long the non-disclosure and non-use obligations last. This is potentially dangerous territory if the information being disclosed includes valuable trade secrets.
The Uniform Trade Secret Act defines a trade secret as “information …that: (i) derives independent economic value, …, from not being generally known to … other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”
If a trade secret is disclosed under an NDA and the NDA says the obligations of non-disclosure and non-use expire after some period of time (e.g., 3, 5 or 10 years), at least two courts have indicated that having such expiration periods is evidence that the trade secret owner is not exercising reasonable efforts to maintain the secrecy of the information. See Silicon Image, Inc. v. Analogix Semiconductor, Inc. (N.D. Cal. Jan. 17, 2008) and D.B. Riley, Inc. v. AB Engineering Corp., 977 F. Supp. 84 (D. Mass. 1997). While these cases might not control in any particular instance, they provide examples of instances where trade secret status was lost or likely lost.
Therefore, care should be taken when entering into NDAs where there is an expiration period on the non-disclosure and non-use obligations.
One final thought on this. When the NDA is initially signed, if the NDA has a time limit on the non-disclosure and non-use obligations, then each party is incentivized to disclose information that will have limited value as a secret after the expiration of such period. However, after the initial signing of an NDA, we often hear the following: “We have an NDA with them, so we can disclose confidential information to them.” Yet rarely does someone go back to review the NDA to see if there is an expiration on the non-disclosure and non-use obligations.
The Internet of Things will generate in the retail sector US $ 329 billion of revenues by 2018 according to a report published by SAP, but such massive growth has to deal with legal issues concerning not only privacy compliance and cyber security, but also among others product liability.
On March 9, 2015, the Federal Trade Commission (FTC) announced that it executed a Memorandum of Understanding on privacy enforcement cooperation with the Dutch Data Protection Authority. In executing the MOU, the FTC noted that it increasingly seeks the assistance of international privacy authorities in its efforts to protect consumer privacy. In the MOU, the parties memorialize their intent to cooperate in the exchange of information (including complaints and providing investigative assistance) in furtherance of each entity’s efforts to protect consumer privacy and enforce violations. The FTC already has similar MOUs in place with the data protection authorities in the United Kingdom and in Ireland.