The use of blockchain-based smart contracts in Italy may be boosted by a new law which, in some cases, deems them equivalent to written documents.
CTIL v University of London 
The new Electronic Communications Code (“Code”) came into force on 28 December 2017. Its aim is to update telecommunications operators’ statutory rights so that they can install, maintain and use telecoms equipment in order to operate their networks or provide an infrastructure network.
Much of the drafting of the Code leaves ambiguity about how it will operate in practice. The first substantive decision on the Code is CTIL v University of London UKUT 356.
The case concerned operators’ interim access rights to sites under the Code and the Upper Tribunal’s (“Tribunal”) power to impose an agreement for access where terms cannot be agreed with a site owner. A recurring problem for operators of telecommunications services is that, because the Code’s provisions are perceived as onerous for site owners, site owners are often reluctant to allow operators to install equipment on their land or, as in this case, even to grant operators access to carry out surveys assessing the suitability of a site.
In this instance the operator, CTIL, believed that the most suitable site for a new telecoms mast in the Paddington area of London was a building owned by the University of London. CTIL approached the University and asked for permission to survey the rooftop, but the University refused permission. CTIL therefore served a notice under Paragraph 26 of the Code seeking interim Code Rights.
The first question before the Tribunal was whether interim access (under Paragraph 26) for the purposes of a survey was a right granted to operators pursuant to the Code i.e. a “Code Right”. The Tribunal held that the Code Rights should be interpreted widely in line with the overall objective of the Code, that is to enable easier and faster installation of telecommunications infrastructure. As such the decision was clear that interim access for the purpose of surveying a site to assess its suitability was a Code Right, within either paragraph 3(a) or 3(d) of the Code:
Paragraph 3: ‘a “code right” … is a right:
(a) to install electronic communications apparatus on, under or over the land,
(d) to carry out any works on the land for or in connection with the installation of electronic communications apparatus on, under or over the land or elsewhere’
Amongst other reasons, such an approach was also supported by the need to avoid a situation where the Code was undermined by allowing landowners to ransom access to sites.
The University’s second contention was that an operator seeking an agreement for interim rights must twin that application with an application for permanent Code Rights. Its reasoning was that paragraph 26 applies a lower standard of proof when the Tribunal decides whether to grant interim rights (the operator need only show a “good and arguable” case), so a stand-alone interim application would offer a way around the more stringent test for permanent Code Rights.
However, the Tribunal was satisfied after analysing the Code that there was no condition that an application for interim rights must be twinned with or be a precursor to an application for permanent rights.
This decision is welcome clarification of the provisions of the Code. It bolsters operators’ position when looking to roll out and maintain their networks, and it demonstrates that the Tribunal seems minded to read the drafting of the Code through a broad lens that seeks to achieve the Code’s purpose: making the installation and maintenance of telecommunications networks more straightforward for operators.
Ben Rogers (Legal Director) and Rob Shaw (Senior Associate)
The authors would like to acknowledge Danny Lavender, trainee solicitor at DLA Piper UK LLP, for his contribution to this article.
On 29 October 2018, the Department for Digital, Culture, Media and Sport published a consultation on compelling landlords to consider the telecoms connectivity of their tenants, and on allowing Operators to install infrastructure where landlords are unresponsive.
The consultation is specifically seeking views on proposals to support residential and commercial tenants that want to receive gigabit-capable connections. This includes ways to improve the response rate of landlords to requests for access from Operators and the options available to Operators when a landlord fails to respond.
At the moment it would appear that Operators are reluctant to take the issue to the Upper Tribunal (although some cases under the New Electronic Communications Code are starting to come through) as they want to keep landlords on their side for commercial reasons and the process of going to the Upper Tribunal can take considerable time (an estimated 7-12 months).
The consultation states that, when seeking access or wayleave agreements, Operators have told the government that a high number of landlords (particularly of multi-dwelling buildings) are not responding to requests for access. Because the Operators are thereby prevented from providing services, they have removed the properties from their build plans altogether: the additional administrative burden of chasing unresponsive landlords is not cost effective for the deployment of new infrastructure.
Essentially, the proposals seek to amend the New Code by primary legislation to encourage landlords to engage with Operators where a tenant requests a service. The intention is to amend the New Code so that landlords are obliged to facilitate access once they have been suitably notified by an Operator or a tenant has made a service request. Where a landlord is absent or cannot be identified, access may be granted via a warrant of entry issued by a magistrates’ court, similar to powers that already exist in relation to gas, water and electricity.
This court-enabled access is intended to be temporary. It would allow Operators to install and maintain electronic communications apparatus and would remain valid until the landlord engages with the Operator and a negotiated voluntary agreement is put in place (or, presumably, one is imposed under the existing provisions of the New Code). The proposal states that Operators will be able to apply two months after first contacting the landlord. There will also be stipulations on the mode and frequency of the Operator’s contact with the landlord before it applies to the magistrates’ court.
The consultation closes on 21 December 2018.
Ben Rogers (Legal Director) and Rob Shaw (Senior Associate)
The authors would like to acknowledge Danny Lavender, trainee solicitor at DLA Piper UK LLP, for his contribution to this article.
[This is an updated version of my earlier blog piece from July to take account of revisions agreed through the legislative process since then. On 4th December the European Council concluded the legislative process for the new Code and the final text will be published in the EU Official Journal on 17 December, though no changes are expected to this text which dates from 21 November. Please also see my (updated) further piece specifically on the new co-investment rules, also published today]
The new European Electronic Communications Code contains some significant developments for the European telecoms sector, and it updates the EU’s widely respected regulatory structure, which is often used as a reference for best practice internationally [i]. It repeals all the existing 2002 Directives and replaces them with a single, consolidated text, to be implemented in Member States within two years (i.e. by December 2020). Having spent some time reading through the (c.450) pages, the main changes or issues appear to be as follows:
[This is an updated version of my earlier blog piece from July to take account of revisions agreed through the legislative process since then.]
The new European Electronic Communications Code (the “Code” – which I have blogged about here) will introduce a mechanism allowing investments in fibre networks made by operators with significant market power (SMP), in some circumstances, to be excluded from the normal access rules that national regulatory authorities (NRAs) usually impose. This blog piece discusses that mechanism, looks at some possible models that could qualify for the exemption, and concludes with some comments critiquing this new approach on the basis that it deviates from the well-respected (and broadly successful) approach that would otherwise have applied. For the reasons explained below, the new rules could even act as a disincentive to new investment over the next two (plus) years.
The Exemption – Commitments and the “cumulative conditions”.
The rules on co-investment are contained at Article 76 of the Code. This says that:
Undertakings that have been designated as having SMP may offer “commitments” to open the deployment of a new very high capacity network (that consists of optical fibre elements up to the end-user premises or base station) to co-investment.
The first point to note, then, is that this applies only to optical fibre and would not apply to other technologies (such as satellite) irrespective of their merits. This is of course a deviation from the normal principles of technology-neutrality that usually govern EU telecoms regulation.
The Federal Communications Commission issued an order on Wednesday, November 14, 2018, eliminating the “Solicited Fax Rule”—a blanket requirement created by the FCC in 2006 requiring senders of facsimile advertisements to include opt-out information on every facsimile, even if the recipient technically “solicited” the advertisement. This order came in (somewhat-delayed) response to the 2017 D.C. Circuit Court of Appeals opinion Bais Yaakov of Spring Valley v. FCC—authored by then-Judge/now-Justice Brett Kavanaugh—which held that imposing such a requirement exceeded the authority given to the FCC by the 2005 Junk Fax Prevention Act. The order explicitly renders moot all pending petitions for retroactive waiver of the Solicited Fax Rule, and has the added effect of resolving any remaining circuit splits on the issue.
Effective January 1, 2020, a new game-changing privacy law will go into effect in California: the California Consumer Privacy Act of 2018 (CCPA). The law will have profound implications for companies that collect personal information, as that term is broadly defined, about California consumers, even if the company is not based in California. For many companies, compliance will require substantial implementation time, not only to address the legal issues but also to make any operational changes needed to meet the requirements of the law. We are often asked whether applying a GDPR compliance program to California residents will be sufficient to address the CCPA. There are substantial differences between the GDPR and the CCPA, such that compliance with the GDPR will not cover all of the CCPA’s requirements. To this end, we have prepared an overview of the CCPA as well as a brief comparison of key individual rights under the GDPR and the CCPA.
This blog piece sets out an overview of the regulation of broadband networks in the UK, both now and in the future. As can be seen from the (very recent) dates on the various documents referred to, this is an area which is changing rapidly at the moment and is a strong focus of both regulatory and governmental attention.
The basic principles of telecoms regulation in the UK are that no access regulations will be imposed on any provider of electronic communications networks or services unless they have been determined to have “significant market power” (or SMP) in the relevant market, following a detailed market review and consultation. In the UK (aside from in the Hull area), as relevant to fibre, the only company with SMP in any part of any market is Openreach (owned by BT but structurally separated from it).
This means that in some cases Openreach is obliged by OFCOM to offer certain wholesale broadband products on regulated terms. In those cases OFCOM’s regulations can affect both the wholesale fibre broadband market and, indirectly, the retail prices that any ISP is able to achieve. In setting regulated wholesale prices OFCOM recognises that competing providers will only invest in building their own networks if doing so is more attractive than buying wholesale services from BT. The price of wholesale services, where regulated, must therefore balance the incentive to invest in new networks (which would suggest higher wholesale prices) against the risk of harm to consumers through consequentially higher retail prices in the shorter term.
Anthem, Inc. has agreed to pay a record-setting $16 million to the US Department of Health and Human Services’ Office for Civil Rights (OCR) to settle alleged HIPAA violations in connection with Anthem’s 2015 health data breach that affected almost 79 million people. In addition to the settlement amount, Anthem agreed to a substantial Corrective Action Plan (CAP) to comply with HIPAA.
The $16 million settlement is nearly three times the previous record of $5.55 million. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.
The breach occurred when hackers gained access to Anthem’s IT systems after an employee from one of Anthem’s subsidiaries opened a spear phishing email deployed by the hackers. From December 2, 2014 to January 27, 2015, the hackers stole the electronic Protected Health Information (ePHI) of nearly 79 million people, including their names, social security numbers and dates of birth.
In response to media reports of the breach and information on Anthem’s website concerning the incident, OCR initiated a compliance review of Anthem. In addition to the impermissible disclosure of ePHI, OCR’s investigation found that Anthem allegedly failed to conduct an enterprise-wide risk analysis, did not regularly review information system activity, failed to identify and detect security incidents and failed to implement sufficient minimum access controls.
The settlement with Anthem is notable in several respects. First, the settlement amount is far greater than in previous settlements. Second, the settlement appears to target Anthem’s role as a business associate to the Anthem Affiliated Covered Entities (ACE). This is only the third OCR settlement with a HIPAA business associate. Third, as part of the CAP, Anthem agreed to establish policies and procedures “to address access between Anthem systems containing ePHI, such as network or portal segmentation, and provisions to enforce password management requirements, such as password age.” This aspect of the CAP is significant because neither the HIPAA regulations nor OCR guidance expressly require network segmentation. That said, adopting such policies and procedures is good practice and helps to thwart the common attacker tactic of stealing administrator credentials and then using them to move laterally across a network.
OCR’s findings are in sharp contrast to the results of a national investigation into the same breach led by seven state insurance commissioners. That investigation, whose results were released in January 2017, found that Anthem had taken reasonable measures to protect its data prior to the breach. Anthem reportedly paid more than $260 million for security improvements and remedial actions in response to the breach, which appeared to be a factor in the state insurance commissioners’ decision not to impose administrative fines or sanctions.
The Anthem settlement pushes the total amount of fines for HIPAA violations in 2018 to almost $25 million − also a new record. However, it is yet to be seen whether this settlement signals higher settlements in HIPAA enforcement actions generally, or should be attributed solely to the large number of affected individuals.
A clear message
The settlement should be viewed as a clear message that OCR will continue to enforce HIPAA vigorously in the Trump era.
To avoid potentially large fines resulting from a HIPAA violation, covered entities and business associates should assess their privacy and security programs and regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports. These entities should conduct a HIPAA risk assessment, which is a comprehensive assessment of risks to ePHI, as required under the Security Rule. Risk assessments, which are an essential step in managing cyber-risk, take time to perform, as evident from the seven months that Anthem was given by the CAP to provide a risk assessment.
With 24 OCR settlements to date against companies for failing to conduct an accurate and thorough risk assessment under HIPAA, OCR has made it clear that inaction on risk assessments will result in an enforcement action.
Learn more about this settlement and its implications by contacting either of the authors.
Written by Mohamed Toorani and Eamon Holley
On 12 July 2018, the Kingdom of Bahrain (Bahrain) issued Law No. 30 of 2018 on the Personal Data Protection Law (PDPL). The PDPL will enter into force on 1 August 2019, giving businesses just under one year from the date of this article to prepare for the new regime.
The PDPL will be a paradigm shift for how business is done in Bahrain. It will provide individuals with rights in relation to how their personal data can be collected, processed and stored. Conversely, it will impose new obligations on how businesses manage this, including ensuring that personal data is processed fairly, that data owners (often referred to as “data subjects” in other data protection laws) are notified of when their personal data is collected and processed and that data owners can exercise their rights directly with the businesses.
The PDPL also imposes new obligations upon businesses to ensure that the personal data they collect is kept secure.
The PDPL will set up a new authority, known as the Personal Data Protection Authority (Authority). This Authority has the power to investigate allegations of violations of the PDPL either by itself, at the request of the responsible Minister, or in response to a complaint.
The Authority can issue orders to stop violations, including issuing emergency orders and fines. Civil compensation is also allowed for any individual who has incurred damage arising from the processing of their personal data by the data manager (often referred to as a “data controller” in other data protection laws), or violating the provisions of the PDPL by a business’s data protection supervisor (often referred to as a “data protection officer” in other data protection laws). Finally, the most concerning feature of this law for businesses is that the PDPL carries criminal penalties for violations of certain provisions.
While the PDPL can be compared to laws such as the European Union’s General Data Protection Regulation (GDPR), there are important differences that need to be considered. Businesses operating in Bahrain that have recently implemented a GDPR compliance program will still need to pay close attention to these differences and should be aware of the new obligations in the PDPL.
In this article we review some of the main features of this new law.
The PDPL applies to:
- Individuals normally residing or having a workplace in Bahrain
- Businesses with a place of business in Bahrain; and
- Individuals not normally residing or having a workplace in Bahrain, and businesses not having a place of business in Bahrain, but processing personal data by using means available in Bahrain, unless the use of such processing means are solely for the purpose of passing data through Bahrain without any other purpose
In the last scenario, each business must appoint a local representative in Bahrain to carry out its obligations and notify the Authority of that appointment. The PDPL will therefore have extra-territorial effect. If an individual or business not in Bahrain is processing personal data within Bahrain through means such as their appointed local representatives, the PDPL would apply.
Personal data is defined as any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical, physiological, intellectual, cultural or economic characteristics or social identity.
Sensitive personal data is a subset of personal data. It is personal data which reveals, directly or indirectly, the individual’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life. Sensitive personal data requires more rigorous treatment by data managers.
Processing is defined as any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organising, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.
Like the GDPR, the PDPL requires that personal data:
- Is processed fairly and legitimately
- Is collected for a legitimate, specific and clear purpose
- Is sufficient, relevant and not excessive for the purpose of the data’s collection or for the purpose for which subsequent processing is carried out
- Is correct and accurate, and subject to updates whenever necessary; and
- Shall not remain in a form allowing identification of the data owner after meeting the purpose of its collection or for the purpose for which subsequent processing is carried out. The PDPL does allow the storage of anonymised data for a longer time for historical, statistical or scientific research purposes
Processing of personal data can only occur with the consent of the data owner, unless the processing is necessary:
- To implement a contract to which the data owner is a party
- To take steps at the request of the data owner to conclude a contract
- To comply with a legal obligation (other than a contractual obligation) or an order from a competent court
- To protect the vital interests of the data owner; or
- To exercise the legitimate interests of the data manager or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data owner
Processing of sensitive personal data is also prohibited without the consent of the data owner, unless one of the exceptions in Article 5 of the PDPL apply.
However, it is prohibited for data managers to process the following personal data types without the prior written authorisation of the Authority:
- Automatic processing of sensitive personal data of persons who cannot provide consent
- Automatic processing of biometric data
- Automatic processing of genetic data (except for treatment provided by physicians and specialists at a licensed medical establishment, where the treatment is necessary for purposes of preventative medicine or diagnostic medicine, or for the provision of treatment or healthcare)
- Automatic processing that entails the connection of personal data files that are in the possession of two or more data managers that are processing personal data for different purposes; and
- Processing that consists of visual recording to be used for monitoring purposes
Like the GDPR, the PDPL has specific requirements about how consent must be given. For consent to be valid it must be:
- Issued by an individual with full legal capacity
- Written, explicit and clear; and
- Issued based upon the data owner’s free will and consent, after being fully informed about the purposes of the processing of their personal data
The data owner has a right to withdraw consent at any time. The Authority’s Board of Directors must issue a resolution outlining these procedures for withdrawing consent and the data manager’s decision on requests for withdrawal of consent.
RIGHTS OF DATA OWNER
The PDPL introduces several concepts that data managers will need to become very familiar with. Again, those familiar with the GDPR will see similarities here with the GDPR’s data subject rights.
Where the data is collected, directly or indirectly, from the data owner, the data manager at the time of registering such data, must notify the data owner of the following information:
- The full name of the data manager, their field of activity or profession and address
- The purpose for which the data is to be processed
- Names or categories of the recipients of the data
- Details about the data owner’s rights in respect of the data; and
- Whether the data will be used for direct marketing
This notification is important, because it alerts data owners of their rights regarding their personal data. These rights include:
- To be notified of when their data is being processed
- To object to direct marketing
- To object to processing that causes harm or distress to data owner or others
- To object to decisions made based upon automated processing; and
- To rectify, block or erase personal data in certain circumstances
The PDPL requires that data managers apply technical and organizational measures capable of protecting the data against unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of processing.
The PDPL requires that the Authority’s Board of Directors issues a decision specifying the terms and conditions that the technical and organizational measures must satisfy. The decision may require specific activities by applying special security requirements when processing personal data.
Data managers must also use data processors who will provide sufficient guarantees about applying the technical and organizational measures that must be adhered to when processing the data. Data managers must also take reasonable steps to verify that data processors comply with these measures.
Interestingly, there is no mandatory data breach notification provision in the PDPL requiring the data managers to notify the Authority or data owner in the event that there is a breach of personal data held by the data manager.
TRANSFERS OF PERSONAL DATA OUTSIDE OF BAHRAIN
Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient protection for personal data. Those countries must be listed by the Authority and published in the Official Gazette.
Data managers can also transfer personal data to countries that are not determined to have sufficient protection of personal data where:
- The data owner has consented to the transfer
- The data is from a public register
- The transfer is necessary for:
- Executing a contract between the data owner and data manager, or taking preceding steps at the data owner’s request for the purpose of concluding the contract
- Executing or concluding a contract between the data manager and a third party for the benefit of the data owner
- Protecting the data owner’s vital interests
- Fulfilling a non-contractual obligation imposed by law, or an order of the court, public prosecution, an investigating judge or military prosecution; or
- Preparing, executing or defending a legal claim
Transfers can also be made with the permission of the Authority, issued on a case-by-case basis, if it deems that the data will be sufficiently protected.
APPOINTMENT OF A DATA PROTECTION SUPERVISOR
Data managers may voluntarily appoint a data protection supervisor. The Authority’s Board of Directors may also issue a decision requiring specific categories of data managers to appoint data protection supervisors. However, in all instances, the data manager must notify the Authority of such an appointment within three (3) days of its occurrence.
A data protection supervisor must help the data manager in exercising its rights and fulfilling its obligations prescribed under the PDPL. The data protection supervisor also has a number of other roles, including liaising with the Authority, verifying that personal data is processed in accordance with the PDPL, notifying the Authority of any violations of the PDPL that the supervisor becomes aware of and maintaining a register of processing operations that the data manager must notify the Authority about.
The Authority must create a register of data protection supervisors. To be accredited as a data protection supervisor, an individual must be registered in that register.
ORDERS, CIVIL COMPENSATION AND CRIMINAL PENALTIES
The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also allowed for any individual who has incurred damage arising from the processing of their personal data by the data manager, or arising from the data protection supervisor’s violation of the PDPL. Appeals can be made against decisions of the Authority.
Finally, the PDPL also carries a range of criminal penalties and administrative fines for violating certain provisions.
Criminal penalties of imprisonment of not more than one (1) year and/or a fine between BHD 1,000 (circa US$ 2,645) to BHD 20,000 (circa US$ 52,910), can be issued against any individual who:
- Processes sensitive personal data in violation of the PDPL
- Transfers personal data outside Bahrain to a country or region in violation of the PDPL
- Processes personal data without notifying the Authority
- Fails to notify the Authority of any change made to the data of which they have notified the Authority
- Processes certain personal data without prior authorization from the Authority
- Submits to the Authority or the data owner false or misleading data to the contrary of what is established in the records, data or documents available at their disposal
- Withholds from the Authority any data, information, records or documents which they should provide to the Authority or enable it to review them in order to perform its missions specified under the PDPL
- Hinders or suspends the work of the Authority’s inspectors or any investigation the Authority is going to carry out; and/or
- Discloses any data or information to which they have access by reason of their job, or uses it for their own benefit or the benefit of others, unreasonably and in violation of the provisions of the PDPL
Businesses that have already implemented a data protection compliance program under the GDPR may have developed some of the infrastructure that will apply under the PDPL; however compliance with the GDPR will not guarantee compliance with the PDPL. For example, businesses that are data managers will need to:
- Recognise the right of Bahraini data owners to object to processing of personal data that causes harm or distress to the data owner or another person (this is not a data subject right found in the GDPR)
- Notify the Authority of their processing; and
- Obtain prior written approval of the Authority to process certain types of personal data (this is not found in the GDPR)
Finally, the risk of criminal penalties is a risk that is not found in the GDPR (although it is possible that Member States of the European Union may have specific laws that may be similar).
As a first step, a business will need to determine whether its activities mean that it falls within the definition of a data manager. If it does, it will need to determine what sort of personal data it is collecting, from whom, and for what purposes. Data managers need to ensure that they are collecting and processing personal data and, in particular, sensitive personal data, in accordance with the PDPL, including notifying the Authority of their processing activities or preparing submissions for permission to process certain types of personal data.
DLA Piper’s Middle East data protection team has deep experience in assisting clients in assessing their data protection compliance risks, and developing remediation and compliance programs.
Although the PDPL will become effective on 1 August 2019, our experience with the GDPR has shown us that data mapping exercises are often complex and resource intensive exercises. Early preparation for commencement of the PDPL will pay off in the longer term.