Posted in Internet of Things Privacy and Data Security

NTIA IoT Workshop

Written by Sydney White

In response to comments on the National Telecommunications & Information Administration (NTIA) IoT Request for Comment (RFC) and the Stakeholder Engagement on Cybersecurity in the Digital Ecosystem RFC in 2015, NTIA held a workshop on “Fostering the Advancement of the Internet of Things” on September 1. The workshop continued the process of gathering stakeholder input, which will be used to develop the Department of Commerce/NTIA IoT Green Paper, expected to be released later this fall. The Green Paper will make policy recommendations for the next Administration and Congress.

During the workshop, panelists drilled down on the importance of using the NIST Cybersecurity Framework for the IoT and emphasized public-private coordination on IoT security and a light regulatory touch. There was also discussion of coordinating IoT standards and best practices across sectors and regulatory frameworks in order to reduce fragmentation.

Also in response to comments filed on the IoT RFC and the cybersecurity RFC in 2015, NTIA announced a new multistakeholder process to support better consumer understanding of IoT products that support security upgrades. Specifically, NTIA identified the goal of promoting transparency in how patches or upgrades to IoT devices and applications are deployed. Potential outcomes could include a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability, or a set of tools to better communicate security upgradability.

Posted in Patents US Federal Law

When a Sale is not a Sale

Written by Mark Lehberg

An inventor is precluded from obtaining a patent on an invention if that invention was sold (e.g., embodied in a product that is sold) more than one year prior to the filing date of the patent application claiming the invention. This is the so-called “on-sale bar.” The sale of the invention constitutes “prior art” for the claimed invention and invalidates the patent.

Seems pretty straightforward — file your patent application prior to the expiration of the one year sales period.

However, things got a bit messy with the America Invents Act (the “Act”). Prior to the Act, any sale, whether a sale to the public or a private, secret or confidential sale, constituted a “sale” of the invention for purposes of the on-sale bar. Here is the statutory language: “A person shall be entitled to a patent unless, the invention was … in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.”

However, the Act modified the on-sale bar. The Act provides that “A person shall be entitled to a patent unless the claimed invention was … in public use, on sale or otherwise available to the public” more than one year before the effective filing date.

So, is a secret, private or confidential sale (i.e., a sale that is not a public sale), a “sale” for purposes of the on-sale bar under the Act?

Earlier this month, the Federal Circuit heard arguments on this very issue. A District Court has held that the sale must be a “public sale” for purposes of the on-sale bar under the Act.

The USPTO, looking at the legislative history of the Act, has argued that the on-sale bar under the Act only applies to public sales and therefore a private, secret or confidential sale is not a sale for purposes of the on-sale bar under the Act.

So, the Federal Circuit will let us know shortly when a sale is not a sale.

Posted in Telecoms

Telecoms: the challenge of keeping up with cross-border regulation

As new technologies emerge, and are treated differently across jurisdictions, businesses need to stay alert to changes in the regulatory landscape

The chief disruptors in telecoms today are found in new media companies – businesses that often did not originate in the telecoms sector but who are increasingly challenging the incumbent players, and which most people associate with the technology rather than the telecoms sector.

But is it possible to distinguish between these two sectors in today’s changing environment, one characterised by the traditional telecommunications firms muscling in on the content side of the market (such as BT in the UK) and by the new players fighting their way into the telecommunications sector by offering connectivity services to consumers?

Unarguably the biggest telecoms trend in recent years has been the rise of IP-based networks and the corresponding separation of services from the underlying physical telecoms infrastructure. Telecoms was once a monopoly or oligopoly market; vast up-front investments were required to enter (just think about all those radio masts), and once the infrastructure existed, there was little incentive for another company to build competing physical networks, lest the market cannibalised itself. The corollary of owning the infrastructure meant that the telecommunications providers had control over the provision of services over that network – phone calls, for example.

This monopoly/oligopoly structure has changed. Yes, competition authorities in many countries have been regulating and breaking up these dominant players for several years (although in fewer countries than you may think, as analysis in our Telecommunications Laws of the World handbook attests), but new forms of telecommunications services are subverting the sector even further, and they are doing so on a global basis.

Specifically, over-the-top (OTT) services leverage the connectivity provided by pre-existing infrastructure to offer services to end customers. Just think of how WhatsApp and WeChat have eroded text messaging or how voice calls can now be made using Skype or Facetime (and with video to boot).

The old behemoths of telecommunications are certainly still relevant – after all, the new entrants still rely on traditional infrastructure to carry the data for their services – but it is increasingly difficult for them to unbundle the use of infrastructure from services such as TV access, with resulting impacts on their revenue not least because the margins tend to be much larger for the latter.

So what does this mean from a legal perspective? For starters, it may be no surprise that there are question marks over how relevant old laws are for this new environment. Within Europe for example, ‘traditional’ telecommunications players and the ‘new’ OTT upstarts are at present governed by different rules: standard voice and SMS services – which involve the ‘conveyance of signals over a network’ – are typically understood to be governed by the Electronic Communications Framework Directive, whereas OTT services are governed by the E-Commerce Directive.

As recently as September 2016, the Commission published some proposals which will, for the first time, regulate OTT services which rely on telephone numbers (like SkypeOut) in the same way as conventional services, and will also introduce some (light) regulation even on OTT services that don’t use telephone numbers – although there are issues with their proposal on the definitions here, covering which OTT services will and will not be caught at all.

What this means in practice is that, just as the market shares of ‘traditional’ telecommunications players are being eroded by the new entrants, they are also subject to higher regulatory burden (on reducing roaming rates, for instance, or the price of mobile call termination, or in the new Open Internet Regulation which mandates net neutrality and restricts the ability of telecoms operators to offer certain types of retail offer); this operates as a double-squeeze on their margins.

At present, and until the Commission’s recent proposal (described above) is enacted, we have a very complicated regulatory position in Europe. A higher level of consumer protection exists for standard voice and SMS services than for OTT services and yet, complicating matters further, some national regulatory authorities (including ARCEP in France and CNMC in Spain) have deemed that OTT services do involve the ‘conveyance of signals’, meaning the new entrants are subject to the more onerous regulatory regime found in the Electronic Communications Framework Directive.

If this sounds complicated, just imagine how OTT service providers arrive at a decision on how to discharge their regulatory obligations when, say, they are providing services for customers who live on the border of – and frequently travel between – France (with a higher regulatory burden) and Germany (which does not). Should they adopt the more onerous regulatory standards across both countries and thus erode their profits, or should they risk a regulatory reprimand in France (which can result in ARCEP suspending the communications provider’s right to provide services)?

This is just a snapshot of the problems within Europe – a continent with some of the most advanced, and most liberal, telecoms regulation in the world. Elsewhere, Russia is seeking to regulate VoIP services, and there are huge complications around providing OTT services in countries with a highly restrictive telecommunications regulatory framework. Many of the Gulf countries, for instance, ban or limit usage of OTT services but have found these restrictions being flouted by end-customers through the use of encryption technologies such as VPNs.

All these signs point towards a significant overhaul of the way national regulatory authorities seek to regulate telecommunications services globally and it is therefore no surprise that over 140 countries have adopted policies, plans and digital agendas in respect of national broadband (of which OTT services will no doubt feature a large part).

DLA Piper’s Telecommunications Laws of the World handbook will give you an insight into the patchwork of laws and regulations governing the provision of telecommunications services across the globe. And with legislation constantly developing as new technologies emerge, we will be updating the site to keep pace with the rapidly evolving regulatory landscape.

Posted in Technology and Commercial Telecoms

Mobile advertising and zero-rating

I was on a panel session for the Total Telecom Congress in London on Wednesday and thought I would share some observations gleaned from other speakers that are relevant to the media sector and its intersection with telecoms:

Something like 20-30% of all mobile data traffic is advertising! This is – I think – an astonishing statistic. It also makes me think that, since consumers are paying for such a large volume of data they haven’t requested, it would be perfectly reasonable for a mobile operator to offer a service where consumers did not pay for the data used up by ads.

However, zero-rating advertising this way is something which is currently – in most cases – banned by (new) EU rules. I have blogged about how wrong-headed this is many times, e.g. here:

It seems to me that the issue of consumers paying for data they haven’t requested, and in fact regulators *requiring* mobile operators to charge for this non-requested data is likely to be especially acute in emerging markets where consumers are poorer and are likely to access the internet only through a mobile device.

Ironically, India is itself a “leader” (if that is the right word) in preventing zero-rating by regulation. This also, I think, explains the fact that mobile ad-blocking technology is much more prevalent in emerging markets (see here).

So the issue of data used by mobile advertising seems to me a further reason to object to any regulation which in principle prevents the practice of zero-rating.

Posted in EU Data Protection International Privacy Privacy and Data Security

Belgian Privacy Commission issues a 13 steps plan for companies preparing for GDPR compliance

Following a series of guidance documents published by fellow national DPAs, the Belgian Privacy Commission launched a 13-step GDPR-readiness roadmap to help companies processing personal data start preparing themselves.

The Privacy Commission will also create a GDPR-themed section on its website where data controllers and processors can consult additional guidelines, instruments and frequently asked questions.

The 13 steps forming the roadmap for organisations for ensuring GDPR compliance by 25 May 2018 are the following:

  1. Raising awareness

Inform key figures and policymakers of the upcoming changes. They will have to assess the impact of the GDPR on the organisation.

  2. Data mapping

Document which personal data you manage, where it comes from and with whom it has been shared. Map your data processing activities. You may potentially have to organise an information audit.

  3. Communication

Evaluate your existing privacy policy and plan the changes necessary in view of the GDPR.

  4. Rights of the data subject

Verify whether the current procedures within your organisation provide all the rights granted by the GDPR to the data subject. Check how personal data can be erased or how personal data will be communicated electronically.

  5. Access requests

Update your existing access procedures and think about how you will process future access requests under the new GDPR terms.

  6. Legal basis for processing personal data

Document the various types of data processing carried out by your organisation and identify the legal basis for each of them.

  7. Consent

Evaluate your way of requesting, obtaining and recording consent. Modify where necessary.

  8. Minors

Develop systems to verify the age of the individual concerned and to request parental or custodial consent when processing personal data of minors.

  9. Data breaches

Provide for adequate procedures to detect, report and investigate personal data breaches.

  10. Privacy by design and privacy impact assessment

Get acquainted with terms such as “privacy by design” and “privacy impact assessment” and verify how you can implement these concepts in your organisation’s day-to-day operations.

  11. Data protection officer

If necessary, appoint a data protection officer or someone responsible for complying with data protection laws. Evaluate how this person will function within the management of your organisation.

  12. International

Determine who your supervisory data protection authority is if your organisation is active in multiple jurisdictions.

  13. Existing contracts

Evaluate your existing contracts – mainly with processors and subcontractors – and adopt the necessary changes in a timely manner.

Posted in Asia Privacy Cybersecurity Privacy and Data Security

HONG KONG – HONG KONG’s Privacy Commissioner addresses privacy compliance and best practice for BYOD

Written by Scott Thiel

Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the “HKAB Guidelines”), the trend towards Bring Your Own Device (“BYOD”) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the “Information Leaflet”), which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the “Ordinance”) and the Data Protection Principles (“DPPs”).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation’s data is stored directly on the personal devices or within a “sandbox”. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.