On 19 May 2017, the Cyberspace Administration of China (the “CAC“) released a revised draft of its Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures (the “Second Draft Export Review Measures“).
The draft emerged just over a week after public comments closed on the first draft of the measures, which we discussed in our earlier briefing here (the “First Draft Export Review Measures“). There was a significant volume of industry commentary, and the Second Draft Export Review Measures do, to an extent, relax some of the more stringent requirements stated in the First Draft Export Review Measures and originally due to become law on 1 June, 2017 when China’s Cyber Security Law takes effect. However, the revised draft measures as set out in the Second Draft Export Review Measures still leave a significant compliance challenge for multi-national businesses operating in China (“MNCs“). On a less optimistic note, the test for when a data localization requirement will kick in has not really changed under the Second Draft Export Review Measures, except to remove the words “must be stored within China” and replace them with “must undergo a security review pursuant to these Measures” which does not change the fundamental position that without security review approval and clearance, by definition data cannot be exported so has to be (logically) stored in China.
Headline changes are:
Join us on 19 June, 10:00 a.m. – 1:30 p.m. EST, for a lively discussion with experts regarding the current regulatory developments in Europe and the United States. Andrea Glorioso, Counselor for the Digital Economy at the Delegation of the European Union to the United States, will provide an overview of what U.S. markets might expect from the EU. He will then be joined by Kelsey Guyselman, Counsel, U.S. House of Representatives and Adam Sedgewick, Technology Advisor at the National Institute of Standards and Technology to talk about the opportunities – and risks – that the EU’s new digital regulatory environment may create. They will also discuss the effects of the EU’s DSM plans on U.S. competitiveness, data privacy and data security, trade, and more, exploring what U.S. experiences might inform the EU’s plans and how the changes the EU is contemplating might affect U.S. domestic policies.
Digital trade between the U.S. and the European Union generates more than $8 trillion annually. Some portray the EU’s new “Digital Single Market” (DSM) initiative as a boon for U.S. transatlantic trade. Others view the EU’s DSM as an isolationist ploy that will handcuff U.S. businesses in the EU market.
Please contact Kiki Mohie if you would like to reserve a place. Please note that places are limited and are first come first serve.
Date: 19 June 2017
Venue: Hogan Lovells, Columbia Square 555 Thirteenth Street, NW Washington, DC 20004-1109
Time: 10:00 a.m. – 10:30 a.m. Registration and Coffee
10:30 a.m. – 12:30 p.m. Presentation, Panel Discussion, and Q&A
12:30 p.m. – 1:30 p.m. Luncheon
Wikipedia founder Jimmy Wales completes crowd-funding this week for his latest venture: Wikitribune, a news platform that, while not affiliated with Wikipedia, applies Wikipedia’s collaborative model to journalism. Wales intends to hire ten full-time journalists to work alongside the wiki community to author, fact-check and verify articles. This, he hopes, will provide a more reliable form of media and an antidote to what he describes as “broken news”. Wales’ proposed approach to news reporting highlights a convergence of media – and other platforms, publishers and journalists – and users. Yet granting to the masses the power to edit (and not just comment on) news articles could conceivably give rise to defamation issues under English law.
As traditional print media has largely moved towards online content, meaning that defamatory statements can be transmitted instantaneously from one corner of the earth to another, courts have been forced to grapple with a number of complex legal issues. We explore below certain issues that typically arise under English law in the context of defamation on the internet, with Wales’ proposed user-collaborative news platform in mind.
Jurisdiction in a global world
A key issue when it comes to defamation on the internet is to establish jurisdiction for defamation proceedings. UK courts are typically viewed as more claimant-friendly for defamation actions than e.g. US courts, including for reasons that a defamatory statement is presumed to be false unless the defendant proves otherwise. However, if the defendant is domiciled outside the UK and the EU, a claimant alleging defamation will have to convince the UK courts to hear the case, which may not be entirely straight-forward given the attempted crack-down on libel tourism in the Defamation Act 2013 (“DA 2013”).
In a ruling issued last week, the U.S. Court of Appeals for the District of Columbia Circuit vacated the FAA’s Registration Rule for small unmanned aircraft systems (UAS or drones) that are operated for recreational purposes, otherwise known as “model aircraft.” If the ruling stands, hobbyist and recreational drone enthusiasts will no longer be required to register their drones with the FAA. The ruling does not affect existing requirements for commercial operators to register their UAS with the FAA.
In response to news events involving careless operators misusing drones, including crashes at stadium sporting events and hundreds of alleged incidents involving close-encounters between UAS and manned aircraft, shortly before Christmas 2015, the FAA rushed to promulgate a new registration rule that required model aircraft to be registered with the FAA. Since the rule went into effect, more than 800,000 operators have registered their drones with the FAA. To put that in perspective, there are only around 320,000 manned aircraft registered with the FAA.
The Court sided with Plaintiff hobbyist John Taylor who argued that the FAA’s Registration Rule, as it applies to model aircraft, directly violates Section 336(a) of the FAA Modernization and Reform Act of 2012, which states that the FAA “may not promulgate any rule or regulation regarding a model aircraft.”
We are delighted to welcome market-leading M&A partners Richard Climan, Keith Flaum, and Jane Ross, and IP and Technology Transactions partner John Brockland, who have joined Hogan Lovells.
John Brockland focuses on strategic and commercial transactions involving the development, transfer, and licensing of technology and intellectual property assets. He has represented companies in a variety of industries, such as software, semiconductor, internet, renewable energy, and healthcare.
Brockland has been ranked as a leading lawyer for IT & Outsourcing by Chambers USA and Chambers Global. He is ranked Band 1 in California — IT & Outsourcing: Transactions. He earned his B.A. from Trinity University and his J.D. from the University of Chicago Law School.
Read our full press release here
The final report on the European Commission’s e-commerce sector inquiry was published last week and contains some important observations about how online channels of distribution are transforming consumer goods and digital content markets.
Margrethe Vestager, the European Commissioner in charge of competition policy, launched the Commission’s e-commerce sector inquiry in May 2015, announcing that “European citizens face too many barriers to accessing goods and services online across borders”. The final report largely confirms the Commission’s preliminary findings published in September 2016, but also reflects comments received in relation to those findings.
The inquiry was intended to identify possible competition concerns in European e-commerce markets, drawing on information collected from 1,900 stakeholders across all 28 EU Member States and an analysis of around 8,000 distribution and licence agreements.
The Commission has stated that the report will inform antitrust enforcement in European e-commerce markets, with the Commission suggesting that it will open further investigations in this area (in February 2017 it opened three separate investigations into suspected anti-competitive practices in e-commerce).
On Thursday 4 May 2017, Hogan Lovells’ Tech Hub hosted Azeem Azhar, renowned strategist, product entrepreneur and writer, who spoke about the current status and implications of Artificial Intelligence (“AI”).
Science fiction or science fact: the current AI boom
Far from being a futuristic ambition, we are living in a world where countless daily activities are powered by AI. Whilst Artificial General Intelligence may yet be a few years away, we are seeing applications of Artificial Narrow Intelligence across a range of use cases from virtual personal assistants to news generation, personalised content and movie recommendations. As Azeem outlined, this penetration of AI over the past few years has been growing exponentially. This has been enabled by the combination of progress in three critical areas, each of which supports and feeds into the other – processing power, availability of data and innovations in machine learning.
Our ability to exploit these technological developments as consumers and businesses has been dramatically enhanced by the availability and accessibility of a range of devices on different platforms (iOS, Android, enterprise IT, etc.) which have themselves been further enabled by the advanced integration of software with real world. The result is continued improvements in the practical usefulness of AI in the real world, leading to greater take up of the technology, rapid ROI and corresponding growth in investment.
The Hong Kong Securities and Futures Commission (“SFC”) has issued a paper containing proposals to introduce cyber security guidelines under the Securities and Futures Ordinance (the “SFO”) applicable to internet brokers (the “Cyber Security Consultation Paper”). Comments are open through 7 July 2017.
The Cyber Security Consultation Paper reflects a sharpening of focus by the SFC on cyber security issues. The SFC notes that in the 18 months up to 31 March 2017, 12 licenced corporations reported 27 cyber incidents – the majority involving access to clients’ trading accounts. These incidents resulted in unauthorised trades to the value of HK$110 million. The Hong Kong Computer Emergency Response Team Coordination Centre is reported to have handled 6,058 cyber security incidents in 2016, an increase of 23% from 2015.
The Cyber Security Consultation Paper highlights the prevalence of a particular form of “pump and dump” scheme in which hackers gain unauthorised access to internet trading accounts and use the cash and securities in these accounts to fund the purchase of penny stocks targeted by the hackers. The hacked accounts are used to pump up the prices of these penny stocks, following which the hackers dump the stock, causing significant losses to the hacked accounts.
On 12 May 2017 the European Aviation Safety Agency (“EASA“) opened a consultation into sweeping new regulations on the operation of unmanned aircraft systems (“UAS” or drones) in European airspace. Individuals and companies that are interested in the future of UAS operations in the European Union (“EU”) should carefully review the Notice of Proposed Amendment and consider participating in the review process by submitting comments and letting EASA know their views on all aspects of the proposed regulations.
Under the current regulations, EASA only regulates large UAS with a maximum take-off weight of 150kg or more and the regulation of UAS with a maximum take-off weight of less than 150 kg is reserved to Member States. The European Commission and European Parliament are currently trying to extend the EU’s regulatory competences (jurisdiction) to include authority over all UAS weighing more than 250g. EASA’s new proposal will likely spur debate among industry stakeholders over whether this new and innovative technology should be regulated more broadly by EASA or by the individual Member States.
Who is in charge?
EASA, the European Parliament, and the European Commission argue that Member States’ regulation of UAS use is inconsistent and does not provide for adequate rules for cross-border UAS operations.
According to EASA, operators and manufacturers of UAS have “pleaded for a harmonisation” of the rules to allow for the creation of a European “market for UAS“. EASA argues that the current regulatory framework: (i) often creates barriers to entry for businesses in markets that could be made significantly more efficient by the use of UAS; and (ii) requires businesses to comply with a patchwork of different technical requirements in different Member States. Recognizing that a fragmented UAS regulatory system is hampering the development of a single EU market for UAS and cross-border UAS operations, the Notice of Proposed Amendment seeks to harmonise the regulation of UAS with a maximum take-off weight of 25kg throughout the European Economic Area (“EEA”).
Major companies, health care organizations and government agencies are facing a wave of cyberattacks involving ransomware that takes control of computers and denies access until a ransom is paid. These attacks are occurring on a global scale and in some cases are having a significant impact on business and healthcare operations. The cyberattack has disrupted targets throughout the world from Britain’s National Health Service to US Fortune 500 companies, the Russian Foreign Ministry, and universities in China.
Protecting Against the Threat
Security measures that can be taken to help protect against the threat are evolving as more information becomes available. Key measures that we advise counsel to confirm are in place include:
- Anti-virus signatures. Anti-virus signatures that will protect against known variants of the ransomware are available for most products. Your IT department should confirm availability and deployment of those signatures.
- Monitoring. Your information security team should monitor for new variants of the ransomware and take action to maintain protection against those new variants through deployment of updated malware signatures as available.
- Containment Plan. In the event that systems are compromised, as a priority action contain the affected system as quickly as possible to stop the spread of the ransomware within the network while otherwise activating your organization’s incident response plan.
- Response Plan. Consider now how your organization would likely address key issues raised by ransomware attacks, such as whether and how to pay ransom; how to interact with law enforcement; and the process by which to restore operations