A privacy impact assessment represents an obligation under the EU Data Protection Regulation in the case of high-risk data processing activities, but how and when shall it be done?
Written by Petr Šebatka and Jan Metelka
Less than 6 months remain for individuals and companies to get ready for the breakthrough regulation in personal data protection envisaged by Regulation 2016/679 of 27 April 2016 (hereinafter “GDPR”). Since the final version of this Regulation, experts have tried to clarify some remaining “grey” areas so as to leave as little room for doubt and misinterpretation as possible. The most relevant and valuable input has come from the Article 29 Data Protection Working Party, which is composed of representatives of the supervisory authorities designated by each EU country, representatives of the authorities established for the EU institutions and bodies, and a representative of the European Commission. In relation to GDPR, the guidelines and FAQs from the Article 29 Working Party have proven undeniably helpful in clearing up some outstanding issues, such as the right to “data portability”, the role of Data Protection Officers (“DPOs”), the role of the Lead Supervisory Authorities, or, for example, the consequences of automated individual decision-making.
One of the main reasons for the fuss regarding GDPR, and for the quick implementation of all required obligations, is the issue of fines, described in the wording of Article 83 of GDPR. A fine may be imposed up to a maximum of EUR 10,000,000 (or up to 2% of the total worldwide annual turnover in the case of an enterprise) or up to EUR 20,000,000 (or up to 4% of the total worldwide annual turnover in the case of an enterprise). The breakdown into two groups reflects the importance of the breached obligations: the higher-rate group contains obligations whose breach is expected to interfere more severely with the right to the protection of personal data that GDPR ensures. The lower rate covers, for example, a breach of the provisions on records of processing or privacy impact assessments, while the higher rate covers, for example, breaches of the basic principles for processing and the lawfulness of processing, the conditions for consent to the processing of personal data, the conditions for processing special categories of personal data, and the rights of the data subject.
Article 83 already includes brief conditions for the calculation of the fine: regard shall be given mostly to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, any action taken by the controller or processor to mitigate the damage, the degree of responsibility of the controller or processor, any relevant previous infringements, the degree of cooperation with the supervisory authority, and the categories of personal data affected by the infringement. That provides a fair overview of how the potential fine should be calculated.
However, in the view of the Article 29 Working Party, this distinction is not clear enough, and therefore in October 2017 the Working Party adopted the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (hereinafter “Guidelines”), the first and most relevant document for the interpretation of Article 83 of the GDPR and its interplay with Articles 58 and 70 and their recitals. The goal is that these Guidelines be used by the supervisory authorities to ensure better application and enforcement of the GDPR. Although the Guidelines are not exhaustive and cannot cover the differences between administrative, civil or criminal law sanctions in the various countries in general, they can serve as a template for a common, consistent approach among member states.
That is stressed in the first section of the Guidelines, which explains the main principles: the level of protection should be equivalent in all Member States (in cross-border cases consistency shall be achieved primarily through the one-stop-shop cooperation mechanism), and all imposed measures shall be effective, proportionate and dissuasive, both in national cases and in cases involving cross-border processing of personal data. The Guidelines then continue with the important concept of assessing each case individually, meaning that choosing the appropriate measures must include consideration of all of the corrective measures, including the imposition of an appropriate administrative fine, either accompanying a corrective measure under Article 58(2) of GDPR or on its own.
A key part of the Guidelines is dedicated to the various assessment criteria arising from Article 83(2) GDPR, which are listed under letters a) – k), some of which have already been mentioned above. It provides the reader with a further description of what is deemed a long duration, an intentional or negligent character, the various mitigating actions, the degrees of responsibility of data controllers and processors, and many others. In conclusion, it is safe to say that by using the Guidelines across the European Union, the degree of coherence would be significantly higher, positively contributing to the legal certainty of all parties and further increasing the quality of contemporary data protection law in the European Union.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), available online at http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
The ePrivacy draft regulation is turning towards a more stringent regime after the approval by the European Parliament of the latest draft.
Written by Mark Lehberg
With the pace of the world around us these days, more and more of us are simply exhausted. And, now with the United States Supreme Court decisions over the past couple years, your copyrights and patents are as exhausted as you. Here is a quick review:
In 2013, the United States Supreme Court held that the sale of a work of authorship outside the United States exhausted the copyright owner’s rights under copyright law. That is, the copyright owner may not enforce his/her copyrights in a copy of a work of authorship that was sold abroad.
This decision arguably “opened the door” for the Federal Circuit and the United States Supreme Court to revisit prior decisions with respect to international exhaustion with respect to patents and the Supreme Court walked through that door with its decision in Impression Products Inc. v. Lexmark International Inc.
In Lexmark, the Federal Circuit, consistent with prior decisions, held that the sale of products outside the United States does not exhaust U.S. patent rights with respect to the products that were sold. The Supreme Court disagreed and held that, like copyrights, the authorized sale of a product, regardless of where the sale occurs, exhausts the patent owner’s rights in the products that were sold. The authorized sale might be by the patent owner or it might be a sale by a licensee.
However, Lexmark also gave the Supreme Court the opportunity to deal with another controversial patent exhaustion issue: specifically, whether a patent owner can avoid patent exhaustion by imposing lawful post-sale restrictions on a product at the time the product is sold. In Lexmark the Federal Circuit, consistent with prior decisions, held that a patent owner may avoid patent exhaustion by imposing post-sale restrictions on a product. Here too the Supreme Court disagreed and held that post-sale restrictions will not prevent exhaustion. Another blow to patent owners.
Over the last 10-12 years it seems as though patent owners have taken it on the chin when it comes to patent exhaustion. In the Lexmark decision the U.S. Supreme Court, citing another Supreme Court decision, noted that “the sale terminates all patent rights to that item.” (emphasis added) It will be interesting to see where the phrase “all patent rights” takes us in the next 10 years. I am exhausted just thinking about it.
The role of the Data Protection Officer (DPO), and what requirements it needs to meet, has now been partially clarified by the Italian privacy authority.
Written by Victoria Lee
Given the ever more urgent demand for innovation, it is rare for software development to not incorporate third-party components. In most cases, it is easier and faster to buy rather than build. In the case of open source software, the buy decision is made even easier because the software seems to come at no monetary cost.
There is, however, a cost to using open source software, in the form of compliance with the applicable open source license. Investors in software companies and acquirers of companies where software is a key asset also recognize the existence of this non-monetary cost. Indeed, failure to comply may well bring with it further costs. As a result, these days, only rarely will an investor or acquirer fail to carry out a dedicated due diligence process that focuses on open source usage and compliance.
Once an incidence of non-compliance is identified in the course of diligence, the next step is typically a discussion about the appropriate corrective action. Typically, one of two paths may be taken at this point: either remove the open source code that resulted in the non-compliance, or, when a commercial license for the same software component is available, pay for the commercial license.
Such remediation steps are necessarily prospective solutions: the remediation does not eliminate the technical legal non-compliance that already took place. In most cases, remediation has been acceptable as a business matter because open source enforcement has generally focused on enforcing compliance rather than seeking monetary damages. However, in today’s business climate, enforcement is growing, and it is focusing on monetary damages. Even when non-compliance is corrected, that prior legal non-compliance has the potential to lead to liability. Given that, it probably makes sense for investors/acquirers and companies/sellers who identify non-compliance to revisit their traditional approach.
Companies taking money from investors and sellers about to embark on an exit should consider including a disclosure against the obligatory non-infringement warranty when actual or potential non-compliance with an open source license is found. Of course, it may be possible to rely on the language we all see in schedules of exceptions and disclosure schedules that provide for a disclosure in one section to also apply to another when it is “reasonably apparent” from the disclosure. But, given the current state of enforcement, it is quite possible that, even after corrective action is taken, the open source non-compliance may result in an infringement claim for the prior non-compliance.
Enforcers of copyleft open source licenses (e.g., GPLv2 or AGPL), rather than permissive licenses (e.g., MIT, BSD or Apache), pose the greatest risk of an infringement claim. In the case of an acquisition where there is an indemnity and escrow, one point of negotiation could be that such disclosure should be for information purposes only. Additionally, a buyer may want to consider having a special indemnity as a remedy for any infringement claim that may arise from the open source non-compliance (as well as any other remediation steps that may be demanded, such as release of the proprietary code).
The use of open source may accelerate the pace of development and innovation, but it is certainly not free. Increasingly, those pondering an investment or an exit understand that it may actually come at a cost, at a time when it is least desirable.
Many regulations and related guidelines have been adopted during 2017’s first semester in relation to roaming services. However, it is not very clear whether connected devices and related IoT connectivity services fall within their scope.
Telecom operators providing cross-border roaming services to their end-users have been pretty busy recently navigating between (i) the new guidelines published on March 27, 2017 by the Body of European Regulators of Electronic Communications (BEREC) on Regulation (EU) No. 2016/2286 on roaming retail charges, (ii) the adoption of Regulation (EU) No. 2017/920 dated May 17, 2017 (amending Regulation (EU) No. 531/2012 on wholesale roaming markets), (iii) the subsequent publication by BEREC on June 9, 2017 of new guidelines on Regulation (EU) No. 531/2012 as amended, and (iv) the entry in force on June 15, 2017 of the prohibition of roaming charges for call and SMS termination in the EU (in accordance with Regulation (EU) No. 531/2012 as amended).
These new regulations raise the issue of their scope of application, in particular in terms of the stakeholders and services covered. More specifically, concerns have emerged as to whether the IoT sector, including connectivity service providers, should be subject to the ex-ante tariff regulations applicable to roaming services within the EU.
The scope of Regulation (EU) No. 531/2012
Regulation (EU) No. 531/2012 (as amended by Regulation (EU) No. 2015/2120 and Regulation (EU) No. 2017/920) does not clearly define its scope of application. In particular, it does not expressly set out whether connectivity services for connected devices are subject to its provisions.
Nevertheless, Section 15(4) specifies that the transparency obligations that generally apply to telecom operators in relation to their roaming fees should not apply to “machine-to-machine devices” using mobile data telecommunications.
As a consequence, Section 15(4) seems to imply that, by default, connectivity services for connected devices are subject to Regulation (EU) No. 531/2012 as far as roaming services are concerned.
BEREC’s interpretation of Regulation (EU) No. 531/2012: A case-by-case approach depending on the connectivity technology
Although this clarification is helpful, it does not clarify the exact scope of scenarios and roaming technologies that the Parliament and the Council intended to regulate through Regulation (EU) No. 531/2012.
According to the reports and guidelines published by BEREC, Section 15(4) should indeed be interpreted “a contrario” as an indication that, by default, Regulation (EU) No. 531/2012 applies to all roaming services, including those supporting connected devices.
Having said that, BEREC makes some important clarifications which tend to significantly limit this assessment. Indeed, BEREC’s analysis is explicitly based on the assumption that roaming services use 2G / 3G / 4G (or GSM / UMTS / LTE) technologies, which are currently the most widespread standards. In particular, BEREC excludes services using LPWA (low-power, wide-area) technology, as it considers that the market is not yet mature enough to consider regulating roaming services based on this standard of connectivity.
Moreover, in its interpretation of Regulation (EU) No. 531/2012, BEREC distinguishes between different situations in which connected devices might need roaming services. In particular, BEREC distinguishes between periodic (occasional) and permanent roaming, and considers that EU regulations should not apply to connected devices once they are roaming on a permanent basis. More generally, BEREC stresses the need for the EU institutions to regulate connected devices through a case-by-case approach in order to take into account the technical and commercial specifics of all existing scenarios.
What to keep in mind
At this stage, roaming services related to connected devices are covered by the EU regulations applicable to international and Union-wide roaming if these services are based on 2G / 3G / 4G mobile technologies.
Conversely, there are arguments to support the view that these regulations are not currently applicable to services based on other, less widespread connectivity technologies, such as LPWA. However, this conclusion could be overturned in the near future if the Commission were to decide that ex-ante tariff regulation is required for data communication terminations using emerging technological standards, in the light of the interests of new entrants and users.
The IoT unveils the potential of data, but regulatory boundaries cannot be ignored. This is my message as part of SAP’s Insights on the Future of the Internet of Things.
Personal data, including big data, is a valuable asset for businesses, but how can its exploitation be maximised in the age of the EU Privacy Regulation?
The role of the data protection officer is one of the most controversial changes introduced by the EU Privacy Regulation. What liabilities and obligations are placed on him?