
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

UK – CYBER SECURITY – Government and CIPS introduce cyber security training for procurement professionals

Posted in Cybersecurity

Written by JP Buckley

The training is divided into modules introducing what the concept of Cyber Security is, what the relevant obligations are and then providing some examples. The Government has targeted the procurement profession as it considers that it handles particularly sensitive information.

You can find the background to and the links to the training here – https://www.gov.uk/government/news/new-cyber-security-training-to-boost-procurement-security

Cyber Security is very much part of our practice, and you can find out more about it here, on our DLA Piper website.

For more information about this post or our data privacy and security practice, please contact JP Buckley – Legal Director, DLA Piper UK LLP – jp.buckley@dlapiper.com

Avoid the Backend?

Posted in Licensing

Written by Jeff Aronson

We regularly help clients sell patent properties to “monetize” them, with the patent troll community as the typical buyers.  Clients are often excited about the prospects of getting a large future payment, under the rightful (or sometimes mistaken) belief that their patented inventions are very valuable and worth millions (or more).  The buyers often offer to pay little or nothing upfront and ask the seller to take a cut of the future revenue coming from the buyer’s litigation and ‘stick’ licensing efforts (the “backend”).

A suit filed in New York two weeks ago once again illustrates the risk involved in taking a backend on a patent sale.  In this case, the seller and the inventor sold several patent properties that the buyer – a prominent patent enforcement company – then reportedly litigated and licensed to third parties for over $100 million and then subsequently sold to an unaffiliated third party.  By the time the seller and inventor found out about the results of the buyer’s litigation and licensing activities, the patents had already been sold.  The seller and inventor ultimately received no money (because the buyer claimed there were no profits) and the seller and inventor lost all of their rights to the patents.  They are now suing for breach of contract, fraud, fraud in the inducement and unjust enrichment.  Among other things, the seller alleges the buyer’s improper accounting resulted in no proceeds from the patent suits and sale.  The pleadings are also replete with allegations of bad faith, delay, the withholding and thwarting of attempts by the seller to receive information about the buyer’s litigation and licensing efforts, the delivery of false financial reports and how false statements and promises were made to convince the seller to enter into the original purchase transaction.

So what could have been done differently here?  It is hard to critique the drafting of the purchase agreement without seeing a copy of it.  From a deal structure standpoint, the seller would have been wise to demand at least some reasonable upfront payment, to ensure the seller got at least something from the sale.  Perhaps the seller also could have insisted upon receiving a right of repurchase if the buyer were to sell the patent assets. The seller also could have not sold the patent but instead conducted its own monetization program.

The risk involved with taking a backend payment is not unique to patent litigation.  There has been plenty of litigation over the years from other industries involving backend payments, including the “Hollywood” accounting litigation from the Coming to America movie and numerous cases of “earn-out” litigation in the M&A context.  But unlike other contexts, other viable options may be available to let a seller skip the troll sale and instead sell the patent portfolio (or company) to a potential target or monetize the patents on its own.

Big data and IoT – a match with troubles…

Posted in EU Data Protection, Internet of Things, Privacy and Data Security, Technology and Commercial

Big data and the Internet of Things (IoT) are keys to the success of a large number of (if not all) companies, but exploiting them requires dealing with privacy and compliance issues.

Europe: One step closer to European Privacy Regulation?

Posted in EU Data Protection, Privacy and Data Security

On 15 June 2015, EU Justice and Home Affairs ministers reached a general approach on the General Data Protection Regulation at their Council meeting (the document can be consulted here).

This means that, more than three years after the Commission’s initial proposal and more than one year after the European Parliament adopted its position, a compromise has been found within the Council on the basis of which the Council can now begin negotiations with the European Parliament and the Commission with a view to reaching a final text.

A first so-called trilogue with the Parliament and the European Commission is planned for next week on 24 June 2015. The ambition is to reach a final agreement by the end of 2015. Once formally approved and officially published, the Regulation will apply after a two-year transitional period.

However, a first analysis of the text adopted today shows that there are still some important issues to be discussed at the negotiating table:

  • Sanctions – Whereas the European Parliament called for administrative fines of up to EUR 100 million or up to 5 percent of an undertaking’s annual worldwide turnover (whichever is the greater), the Council has lowered the maximum administrative fines back to the level of the Commission’s proposal, i.e. EUR 1 million or 2 percent of an undertaking’s global annual turnover (whichever is the greater).
  • One-stop shop – During the past year’s negotiations the “one-stop-shop” mechanism has been weakened to a certain extent. The aim of this mechanism is to ensure that companies will only have to deal with one supervisory authority, instead of being confronted with potentially up to 28 national supervisory authorities. However, according to the Council’s compromise, each national supervisory authority will have the right to deal with a complaint if “the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.”
  • Data breach notifications – The provisions regarding the data breach notification to the national supervisory authorities and to the data subjects have been substantially amended by the Council, making them more business-friendly, notably by stipulating that they are only compulsory when the breach is “likely to result in a high risk for the rights and freedoms of the individuals […] or any other significant economic and social disadvantage”.
  • Explicit consent – Where processing is based on consent, the European Parliament requires this consent to be “explicit” whereas for the Council “unambiguous” consent suffices.
  • Data protection officer – Contrary to the Commission’s and the European Parliament’s versions of the draft Regulation, the text adopted today no longer requires companies to designate a data protection officer, leaving it to the Member States to decide whether or not to lay down this obligation.

It results from the above that interesting discussions are likely to follow in the coming weeks and months and we will keep a close eye on these and how they develop.

For more information in the meantime, please contact Patrick.VanEecke@dlapiper.com or Mathieu.LeBoudec@dlapiper.com.

BELGIUM: Belgian Privacy Minister plans to introduce sanctions up to 810.000€

Posted in EU Data Protection, Privacy and Data Security

By Patrick Van Eecke and Antoon Dierick

“After the summer recess, I will propose draft legislation to turn the Belgian Privacy Commission into a real regulator, competent to impose administrative fines“, announced Bart Tommelein, the Belgian Minister competent for privacy. Under current Belgian legislation, the Privacy Commission does not have the possibility to impose fines upon companies infringing data protection laws and must refer them to the courts in case the Commission wishes them to be sanctioned.

The purpose of this change in law is to prepare Belgium for future European legislation. The European General Data Protection Regulation, which is currently still under discussion, provides for substantially extended sanctioning mechanisms which will likely require a change in law in most European countries, including Belgium.

The Minister also reportedly stated that he wishes to fortify the position of the Privacy Commission and to indicate that Belgium, whose recently installed new government devoted several paragraphs to the protection of privacy in the coalition agreement, wants to play a leading role in safeguarding privacy rights.

Although the level of the possible fines still has to be decided and approved, it has been suggested that the Minister would like to follow the example of recent Dutch legislation, which allows fines of up to 810.000 EUR to be imposed.

It is clear that Belgium is becoming one of the more assertive countries when it comes to privacy and data protection. After having appointed a Privacy Minister (which is rather unique in the world) in 2014, the Belgian Privacy Commission recently also issued a recommendation (http://www.privacycommission.be/sites/privacycommission/files/documents/aanbeveling_04_2015.pdf) in relation to Facebook’s new terms of service and data policy and announced that it would take further legal action if Facebook did not comply.

For more information, please contact Patrick.VanEecke@dlapiper.com or Antoon.Dierick@dlapiper.com

Data Protection Regulation – the coming storm for outsourcing contracts

Posted in EU Data Protection, Technology and Commercial

Written by Kit Burden

For many years, the liability provisions regarding data protection issues have been something of a “negotiation backwater” in the context of outsourcing transactions. From a customer perspective, there has been a sensitivity about such provisions from a brand/customer relations perspective which has led them to seek to attach unlimited liability to any breach of such provisions; whilst service providers are understandably nervous about any provision which does not shelter under the protection of a limitation of liability, many of them have taken the view that the quantum of claims likely to arise vis a vis breaches of such provisions are unlikely to be such as to give rise to a “catastrophe” level exposure, and as such, have been willing to let data protection-related breaches be included alongside the likes of IP infringements and breaches of confidentiality in the list of losses which will be outside the scope of the limits of liability.

Might this now be about to change…?

In the EU, the new proposed Data Protection Regulation is inching its way towards ratification. In its present incarnation, it would dramatically change the potential quantum of fines which might be imposed in the event of a breach of the data protection legislation, now potentially up to €1 million or 5% of global turnover (whichever is the greater). Given the potential concentration of data handling in the hands of an outsource service provider, one can immediately see the risk that mishandling of personal data in the context of the outsourced services could leave the customer (as Data Controller) exposed to such fines, which would then – pursuant to the terms of the outsource contract – flow down in turn to the service provider itself. The larger the client, the greater the exposure would then be to a fine based upon the client’s global turnover.

In the light of this, one can anticipate that the days of data protection related liability provisions simply being “nodded through” during the outsourcing negotiation process are likely to rapidly come to an end (at least if the Regulation maintains its current form – which seems likely, but is not yet certain). Service Providers will need to more carefully assess the extent of liability that they are willing to take on, whilst customers might equally have to consider whether they will be willing to bear the additional risk contingency that a service provider may wish to add (either simply through its pricing or by reason of the engineering of its delivery model), in return for still accepting unlimited liability.

As the famous phrase says… we live in interesting times.

BELGIUM – Belgian Privacy Commission publishes first official guidance on cookies

Posted in Cookies, EU Data Protection

By Patrick van Eecke and Mathieu Le Boudec

Almost one year after the publication of the draft version, the Belgian Privacy Commission has recently issued the final version of its recommendation regarding the use of cookies (which can be consulted through the following links, in Dutch or in French).

The extensive document (over 70 pages), covering both technical and legal aspects, constitutes the first official guidance by a Belgian authority on the use of cookies.

In accordance with the opt-in rule, introduced by the revised ePrivacy Directive in 2009 and transposed into Belgian law by an amendment of the Act on Electronic Communications in 2012, cookies (and similar technologies) can only be stored and accessed on a user’s device after having obtained the informed consent of this user.

However, in two cases cookies are exempted from this informed consent requirement:

  1. when the cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  2. when they are strictly necessary in order to provide the user with a service s/he has explicitly requested.

These rules have not always been easy to implement in practice and therefore this recent recommendation may provide useful guidance to website owners and other stakeholders.

Some key points of the recommendation relating to (1) the information obligation, (2) the consent requirement and (3) the exemptions are summarized below.

1. Information obligation

Users should be provided with a clear, comprehensible and visible notice on the use of cookies. This notice should provide a link to a more detailed cookie policy.

The cookie policy should be accessible and referred to at every page of a website.

The information should cover the following elements:

  • the purposes for which the different types of cookies are stored or accessed;
  • the categories of saved information;
  • the storage terms;
  • how to erase the information;
  • means to object to the processing;
  • the communications, if any, to third parties.

The Privacy Commission stresses that if a data controller does not respect its own cookie policy, it may be subject to sanctions based on the Privacy Act and consumer legislation.

2. Obtaining consent

The Privacy Commission calls for a granular approach, giving users the possibility to accept all or only certain types of cookies. Moreover, users should be able to change their choices at all times.

Consent can be given through an affirmative action of the user (e.g. clicking or checking a box) from which the consent can be inferred unambiguously.

It is explicitly stated that “further browsing” can qualify as a valid consent provided that:

  • the notice regarding the use of cookies is clearly visible on the homepage in such a manner that it cannot be missed;
  • the notice states explicitly that further browsing on the website will be construed as consent;
  • the notice remains visible as long as the user has not continued browsing the website.

However, a lack of action cannot be interpreted as a valid consent.

Once consent has been obtained it is not required to ask the user’s consent again for the storing of a cookie with the same purpose and originating from the same provider. However, the validity of the consent should be limited in time, especially when the consent was obtained implicitly or relates to tracking cookies.

The Privacy Commission advises against the use of pop-ups due to their obtrusive nature and provides several examples of means to validly obtain consent from visitors, such as banners (provided an affirmative action of the visitor is required in order to proceed with his/her visit of the website) and tick boxes.

Visitors should at all times be able to easily withdraw their consent. Upon withdrawal the cookies and data collected through the cookies shall be deleted from the devices of the users by the data controller. In case this is not possible, the privacy policy of the data controller should clearly describe how the user can delete the information himself.

3. Exemptions

The recommendation also sheds some light on the exemptions by illustrating the two categories with examples and by giving examples of non-exempted cookies. Unless stated otherwise all these examples relate to session cookies.

Examples of cookies exempted according to the first criterion (i.e. cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network) are:

  • cookies used to detect the origin of users and how they navigate a website, provided they are analyzed anonymously. However, it should be noted that the Privacy Commission explicitly states that first party analytic cookies do not fall within the scope of this exemption;
  • load balancing session cookies provided they are only analyzed anonymously.

The following cookies are exempted according to the second criterion (i.e. strictly necessary cookies for providing a service the user has explicitly requested):

  • user input cookies;
  • authentication cookies that are necessary for authenticated services;
  • user centric security cookies, e.g. the data necessary for securing a service the user has explicitly requested;
  • multimedia content player cookies;
  • user interface customization cookies, for the duration of a session (or slightly more if additional information is provided).

Finally, the Privacy Commission explicitly states that no exemption exists for the following types of cookies:

  • tracking cookies of social network plug-ins;
  • advertising cookies.

It is important to note that apart from the abovementioned cookie rules the general rules of the Privacy Act (e.g. regarding the purpose limitation principle, the transfer of personal data to third countries, the data subject’s rights, etc.) will generally also apply taking into account the fact that most cookies constitute personal data.
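As an added illustration (not code from the Privacy Commission's recommendation or from DLA Piper) of how a site could implement the consent and exemption rules summarized in sections 2 and 3: only exempt categories are set without consent, consent is granular and requires an affirmative action, its validity is time-limited (shorter when obtained implicitly or for tracking cookies), and withdrawal deletes the cookies concerned. The category names, validity periods and the in-memory cookie jar standing in for the browser are assumptions.

```javascript
// Cookie categories as an assumed mapping of the recommendation's two exemptions
// and three explicitly non-exempt cookie types.
const CATEGORIES = {
  transmission: { exempt: true },       // e.g. anonymised load-balancing session cookies
  strictlyNecessary: { exempt: true },  // user input, authentication, security, UI preferences
  analytics: { exempt: false, tracking: false },   // first-party analytics: not exempt
  socialPlugin: { exempt: false, tracking: true }, // social network plug-in tracking
  advertising: { exempt: false, tracking: true },
};

// Consent validity is limited in time; shorter when obtained implicitly (further
// browsing) or when it relates to tracking cookies. Durations are assumptions.
const VALIDITY_MS = {
  explicit: 180 * 24 * 3600 * 1000,
  implicitOrTracking: 30 * 24 * 3600 * 1000,
};

class ConsentGate {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;            // { set(name, value, category), delete(name), list() }
    this.now = now;            // injectable clock so expiry can be exercised offline
    this.consents = new Map(); // category -> { grantedAt, method }
  }

  // Record a granular choice. `method` is 'explicit' (click / tick box) or 'implicit'
  // (further browsing after an unmissable notice). Mere inaction never counts.
  grant(categories, method) {
    if (method !== 'explicit' && method !== 'implicit') throw new Error('no affirmative action');
    for (const c of categories) this.consents.set(c, { grantedAt: this.now(), method });
  }

  hasValidConsent(category) {
    const rec = this.consents.get(category);
    if (!rec) return false;
    const limited = rec.method === 'implicit' || CATEGORIES[category].tracking === true;
    const ttl = limited ? VALIDITY_MS.implicitOrTracking : VALIDITY_MS.explicit;
    return this.now() - rec.grantedAt < ttl;
  }

  // Only exempt cookies, or cookies in a category with valid consent, reach the device.
  setCookie(name, value, category) {
    const meta = CATEGORIES[category];
    if (!meta) throw new Error(`unknown category ${category}`);
    if (!meta.exempt && !this.hasValidConsent(category)) return false;
    this.jar.set(name, value, category);
    return true;
  }

  // Withdrawal removes the consent record and deletes that category's cookies.
  withdraw(categories) {
    for (const c of categories) {
      this.consents.delete(c);
      for (const cookie of this.jar.list()) {
        if (cookie.category === c) this.jar.delete(cookie.name);
      }
    }
  }
}

// Constructed in-memory jar standing in for document.cookie so the example runs offline.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value, category) => store.set(name, { name, value, category }),
    delete: (name) => store.delete(name),
    list: () => [...store.values()],
  };
}
```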

For more information, please contact Patrick.VanEecke@dlapiper.com or Mathieu.LeBoudec@dlapiper.com

Are You Prepared for the Next Information Age?

Posted in Internet of Things, Privacy and Data Security, Technology and Commercial

Written by Brian Joe

The Internet of Things (IoT) – a network of devices connected through the internet offering almost limitless possibilities for convenience, efficiency, safety and control through remote sensing, monitoring, and, ultimately, learning – is quickly becoming a reality. According to some estimates, by the year 2020 there will be nearly four times the number of non-traditional devices (think watches and cars) connected to the internet than PCs, tablets and smartphones combined, resulting in a number running into the tens of billions.

Even given these predictions of explosive growth, for now, the IoT is still experiencing a number of growing pains, including security issues and a lack of uniformity preventing seamless compatibility across devices. For their part, several major tech companies are currently developing a standardized operating system for the universe of IoT-connectible devices, which could go a long way in helping to reduce or eliminate some of these concerns.

So, what does this mean in 2015?

  • There is no time like the present for manufacturers, developers, and IoT service providers. The IoT will add trillions of dollars to the global economy and will be the largest device market in the world – within the next half decade. This represents a windfall for IoT firms and translates into innumerable novel opportunities, whether in hardware, software, or in the industries that support them. Many of these opportunities are as-of-yet undiscovered.
  • “Things” are becoming more data-driven. It used to be that “what you see is what you get.” Not anymore. The IoT is flipping the world on its head, and, as it does, essential functions of products may seem like secondary characteristics (case in point: one well-known manufacturer of the common lightbulb is re-tooling its business strategy and planning for a not-so-distant future where the primary revenue stream is based not on the bulb, but on data collection and analysis).
  • As a result, data and access to data will become more prominent, and in some cases, central, to business contracting. Data is at the heart of the IoT evolution and will continue its ascent to becoming the primary IoT commodity. As data becomes increasingly valuable, it will become imperative and increasingly urgent for companies to consider their usage and treatment of it. Questions including which data is shared and how, with whom it is shared, when it is shared (and when it may or should not be), and the liability associated with it – not to mention security and the amount, type and quality of control an owner has and maintains over that data – are just a few issues that can determine the difference between success or failure in the age of the IoT.

The IoT, with all its potential, represents an exciting new frontier, but is laden with pitfalls for the unprepared. As firms – both current operators in the nascent IoT and new entrants alike – consider potential opportunities in this rapidly developing space, it is worthwhile to consider carefully the treatment of their most important resource.
