The role of the Data Protection Officer (DPO) and what requirements the DPO needs to meet have now been partially clarified by the Italian privacy authority.
Written by Victoria Lee
Given the ever more urgent demand for innovation, it is rare for software development to not incorporate third-party components. In most cases, it is easier and faster to buy rather than build. In the case of open source software, the buy decision is made even easier because the software seems to come at no monetary cost.
There is, however, a cost to using open source software, in the form of compliance with the applicable open source license. Investors in software companies and acquirers of companies where software is a key asset also recognize the existence of this non-monetary cost. Indeed, failure to comply may well bring with it further costs. As a result, these days, only rarely will an investor or acquirer fail to carry out a dedicated due diligence process that focuses on open source usage and compliance.
Once an instance of non-compliance is identified in the course of diligence, the next step is typically a discussion about the appropriate corrective action. Typically, one of two paths may be taken at this point: either remove the open source code that resulted in the non-compliance, or, when a commercial license for the same software component is available, pay for the commercial license.
Such remediation steps are necessarily prospective solutions: the remediation does not eliminate the technical legal non-compliance that already took place. In most cases, the remediation has been acceptable as a business matter because open source enforcement has generally focused on enforcing compliance rather than seeking monetary damages. However, in today’s business climate, enforcement is growing, and it is focusing on monetary damages. Even when non-compliance is corrected, that prior legal non-compliance has the potential to lead to liability. Given that, it probably makes sense for investors/acquirers and companies/sellers who identify non-compliance to revisit their traditional approach.
Companies taking money from investors and sellers about to embark on an exit should consider including a disclosure against the obligatory non-infringement warranty when actual or potential non-compliance with an open source license is found. Of course, it may be possible to rely on the language we all see in schedules of exceptions and disclosure schedules that provide for a disclosure in one section to also apply to another when it is “reasonably apparent” from the disclosure. But, given the current state of enforcement, it is quite possible that, even after corrective action is taken, the open source non-compliance may result in an infringement claim for the prior non-compliance.
Enforcers of copyleft open source licenses (e.g., GPLv2 or AGPL), rather than permissive licenses (e.g., MIT, BSD or Apache), pose the greatest risk of an infringement claim. In the case of an acquisition where there is an indemnity and escrow, one point of negotiation could be that such disclosure should be for information purposes only. Additionally, a buyer may want to consider having a special indemnity as a remedy for any infringement claim that may arise from the open source non-compliance (as well as any other remediation steps that may be demanded, such as release of the proprietary code).
The use of open source may accelerate the pace of development and innovation, but it is certainly not free. Increasingly, those pondering an investment or an exit understand that it may actually come at a cost, at a time when it is least desirable.
Many regulations and related guidelines have been adopted during 2017’s first semester in relation to roaming services. However, it is not very clear whether connected devices and related IoT connectivity services fall within their scope.
Telecom operators providing cross-border roaming services to their end-users have been pretty busy recently navigating between (i) the new guidelines published on March 27, 2017 by the Body of European Regulators of Electronic Communications (BEREC) on Regulation (EU) No. 2016/2286 on roaming retail charges, (ii) the adoption of Regulation (EU) No. 2017/920 dated May 17, 2017 (amending Regulation (EU) No. 531/2012 on wholesale roaming markets), (iii) the subsequent publication by BEREC on June 9, 2017 of new guidelines on Regulation (EU) No. 531/2012 as amended, and (iv) the entry into force on June 15, 2017 of the prohibition of roaming charges for call and SMS termination in the EU (in accordance with Regulation (EU) No. 531/2012 as amended).
These new regulations raise the issue of their scope of application, in particular in terms of stakeholders and services covered. More specifically, concerns have emerged as to whether the IoT sector — including connectivity services providers — should be subject to the ex-ante tariffs regulations applicable to roaming services within the EU.
The scope of Regulation (EU) No. 531/2012
Regulation (EU) No. 531/2012 (as amended by Regulation (EU) No. 2015/2120 and Regulation (EU) No. 2017/920) does not clearly define its scope of application. In particular, it does not expressly state whether connectivity services for connected devices are subject to its provisions.
Nevertheless, Section 15 (4) specifies that the transparency obligations that generally apply to telecom operators in relation to their roaming fees should not apply to “machine-to-machine devices” using mobile data telecommunications.
As a consequence, Section 15 (4) seems to imply that, by default, connectivity services for connected devices are subject to Regulation (EU) No. 531/2012 as far as roaming services are concerned.
BEREC’s interpretation of Regulation (EU) No. 531/2012: A case-by-case approach depending on the connectivity technology
Although this clarification is helpful, it does not clarify the exact scope of scenarios and roaming technologies that the Parliament and the Council intended to regulate through Regulation (EU) No. 531/2012.
According to the reports and guidelines published by the BEREC, Section 15 (4) should indeed be interpreted “a contrario” as an indication that, by default, Regulation (EU) No. 531/2012 applies to all roaming services including those supporting connected devices.
Having said that, BEREC makes some important clarifications which tend to significantly limit this assessment. Indeed, BEREC’s analysis is explicitly based on the assumption that roaming services use 2G / 3G / 4G (or GSM / UMTS / LTE) technologies, which are currently the most widespread standards. In particular, BEREC excludes services using LPWA (low-power, wide-area) technology as it considers that the market is not yet mature enough to consider regulating roaming services based on this standard of connectivity.
Moreover, in its interpretation of Regulation (EU) No. 531/2012, BEREC distinguishes between different situations in which connected devices might need roaming services. In particular, BEREC distinguishes between periodic (occasional) and permanent roaming, and considers that EU regulations should not apply to connected devices as soon as they are roaming on a permanent basis. More generally, BEREC stresses the need for the EU institutions to regulate connected devices through a case-by-case approach in order to take into account the technical and commercial specifics of all existing scenarios.
What to keep in mind
At this stage, roaming services related to connected devices are covered by EU regulations applicable to international and Union-wide roaming if these services are based on 2G / 3G / 4G mobile technologies.
Conversely, there are arguments to support the view that these regulations are not currently applicable to services based on other less widespread connectivity technologies, such as LPWA. However, this conclusion could be overturned in the near future if the Commission were to decide that ex-ante tariff regulation is required for data communications terminations using emerging technological standards, in the light of the new entrants’ and the users’ interests.
The IoT unveils the potential of data, but regulatory boundaries cannot be ignored. This is my message as part of SAP’s Insights on the Future of the Internet of Things.
Personal data, including big data, is a valuable asset for businesses, but how can its exploitation be maximised in the age of the EU Privacy Regulation?
The role of the data protection officer is one of the most controversial changes introduced by the EU Privacy Regulation. What liabilities and obligations are on him?
A decision of the Italian privacy authority on the illegal collection of data on criminal convictions of employees raised the issue of a practice that is quite common.
Virtual currency for the 1st time falls under Italian anti-money laundering law with the decree implementing the European 4th AML Directive.
Privacy risks can arise from the usage of new technologies by employees at work and require a deep assessment especially in the light of the General Data Protection Regulation.
The Digital Economy Act finally became law prior to the dissolution of parliament at the start of the general election campaign. The Act contains within its pages the new Electronic Communications Code, which has been awaited for years and which many argue is essential to ensure the law is equipped to deal with advances in technology.
However, not all of the Act’s provisions have come into force immediately and indeed, the new Code will only start to operate once it is brought into effect by regulations made by the Secretary of State. Some regulations (The Digital Economy Act 2017 (Commencement) Regulations 2017) have recently been made, but these do not bring into force the new Code.
In that respect, our recent enquiries with the Department for Culture, Media & Sport as to when the Code will become law elicited these responses:
“There are a number of factors to consider, including supporting regulations, Codes of Practice etc. We are considering all aspects of implementation in order to achieve the most swift and appropriate approach, and will update stakeholders on commencement in due course.
We are … bringing into force measures to improve digital connectivity across the UK, starting the implementation of the new electronic communications code to assist operators to develop new infrastructure…in summary we have commenced the code for the purpose of making regulations over the autumn. Once we have those in place full commencement will follow.”
Given the turmoil thrown up by the election result and the more immediate issues the government is facing, including Brexit, the new Code could still be some way off, meaning that the existing Code continues to regulate arrangements for the installation of telecoms equipment.
The new Code introduces (whenever it finally becomes law), inter alia:
- Rents/compensation: it is thought that the new Code is likely to decrease the rents/compensation received by landowners from telecoms operators as the rents/compensation will be based on the land’s value to the landowner not the operator.
- Site sharing and assigning: operators will have rights to assign agreements and to share or upgrade apparatus without requiring the consent of the landowner, thus reducing the landowner’s control.
- Security of tenure: the new Code contains provisions to ensure there is no overlap between the security of tenure rights granted to business occupiers by the Landlord and Tenant Act 1954 and similar protection that telecoms operators can claim under the Code.
- Dispute resolution: the new Code can provide for a more specific dispute resolution procedure where the parties cannot agree terms.
- Conferral of Code rights: An operator will be able to apply to the Court for the grant of interim code rights for a certain period of time or until a certain event takes place.
- Termination: new, more lengthy, notice procedures for terminating Code agreements.
- Retrospectivity: existing agreements will not be covered by the new Code.
We will report further once the new Code finally comes into force.
Rob Shaw, Senior Associate and Ben Rogers, Legal Director