With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law.
Hogan Lovells is closely monitoring these developments, and we will be hosting a webinar next Thursday, April 2 to provide a summary and take your questions.
Key takeaways from the recent meetings are as follows:
Russian Advertising Law has been substantially amended in the course of 2014 and January 2015. More details are below, but the most remarkable amendments relate to the introduction of a prohibition on advertising on Pay-TV channels and prohibition on advertising of alcoholic beverages. In addition, some restrictions introduced in 2014 have now been softened, with more potential amendments in the works. Parties seeking to advertise in Russia should continue to monitor closely for new developments.
The Ban on Advertising on Pay-TV Channels, and Subsequent Amendments
The amendments to the Advertising Law, which introduced a prohibition on advertising on Pay-TV channels and/or channels that use technical decoding devices, came into force on 1 January 2015. There is an exception from the ban for must-carry TV channels and channels distributed using a limited radio frequency resource through terrestrial over-the-air broadcasting.
These amendments were criticized by the Russian Pay-TV market, which historically has had low subscription fees in Russia. This reaction, including from state and regional Pay-TV channels, has prompted the legislators to start considering potential amendments to the law. As a first step, the legislator suggested introducing an exemption from the prohibition for so-called “regional” Pay-TV channels broadcasting through cable within the territory of one region of the Russian Federation or within one or a few municipal units of one region of the Russian Federation. This legislative initiative did not find the necessary support and did not result in law.
Security concerns and the need to increase cyber security measures have recently boosted the use of Bring Your Own Device (BYOD) policies in France. Recent events have exacerbated fears of data breaches and hacking for IT managers who were not overly concerned before. As a consequence, IT security teams are seeking to apply the same security and device management systems that apply to their own company’s equipment to employees’ devices when employees use their devices for work purposes.
Obligation to notify
A BYOD policy usually forms part of a company’s IT policies. It must be formally presented to the works council to ensure employees are informed. As an activity involving data processing, the implementation of a BYOD policy should also be notified to the French data protection authority – the Commission nationale de l’informatique et des libertés (CNIL) – before its implementation.
However, in considering the obligation to notify the CNIL, a company should be aware that:
- The CNIL pointed out in its guidelines (see below) that when an employer has already filed a normal declaration about employee management (including the processing of personal data to ensure the safe and proper operation of information systems), there is no need for an additional declaration to cover the BYOD policy.
- Similarly, there is no need for a further declaration to the CNIL if the company has appointed a Data Protection Officer (“Correspondant informatique et libertés”).
- The company cannot rely on simplified norm n°46 since it only concerns the electronic means that are made available by employers, which is not the case for BYOD (since, as its name suggests, these are devices owned by employees).
The Intelligence and Security Committee (ISC) of the UK Parliament has published its much-anticipated report into the secret capabilities of the UK intelligence and security agencies (MI6, MI5 and GCHQ), in particular their powers to intercept electronic communications and acquire communications data. The full report is available here.
The key recommendation of the report (entitled “Privacy and Security: A modern and transparent legal framework”) is that the UK’s current laws governing the activities of the agencies be replaced in their entirety by a new, transparent, legal framework. The report proposes a new single Act of Parliament that improves transparency, strengthens privacy protections and increases oversight of the agencies’ use of their intrusive capabilities. While these proposals are in outline only, the report also makes specific recommendations about each of the capabilities in question.
The UK Government has previously stated its intent to introduce fresh legislation in this area before the end of 2016. Nevertheless, as the ISC is the Parliamentary Committee with statutory authority for oversight of the agencies and the UK’s secret intelligence community, its recommendations are likely to set the direction of travel in policy terms and shape how the draft legislation is formulated. The publication of the report, in effect, fires the starting pistol on what is likely to be an intense debate over the provisions of the new law.
The report is the result of an eighteen-month-long inquiry by the ISC, prompted by allegations made in relation to UK secret intelligence agencies following Edward Snowden’s leak of classified intelligence material in June 2013. It contains a considerable amount of information that was not previously in the public domain, and weighs in at 149 pages, with 54 conclusions and recommendations.
We anticipate providing further analysis of various aspects of the report in future blog posts.
In its recent Open Internet Order (“Order”), the U.S. Federal Communications Commission (“FCC”) determined that broadband Internet access services are appropriately classified as common carrier “telecommunications services” under the Telecommunications Act of 1996. In doing so, the agency established itself as the primary U.S. data privacy and security regulator for those services and triggered additional requirements under the Act. It also promised a future rulemaking that could result in a sea change in how ISPs and their business partners interact with consumer data. Although the decision is widely expected to be appealed in court, organizations operating across the broadband ecosystem would be prudent to assess the potential impact on their current and planned online service portfolio.
Section 222 of the Communications Act Will Apply
In the Order, the FCC determined that Section 222 of the Act (47 U.S.C. § 222) would apply to broadband Internet access service providers. Going forward, broadband ISPs will be subject to a series of data privacy requirements under Section 222, including restrictions related to “customer proprietary network information” (“CPNI”). For example, they will have to comply with:
- A general duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers;
- Restrictions on how they may use proprietary information obtained from other carriers for purposes of providing telecommunications services; and
- Statutory restrictions on how they may use, disclose, or permit access to CPNI without a customer’s consent.
In reaching this conclusion, the FCC reasoned that consumers’ privacy needs are no less important when they use broadband Internet access service than when they rely on telephone service. In addition, the FCC found that consumer concerns about the privacy of personal information could affect demand for broadband services and lower both broadband adoption and deployment.
The FCC also noted that it takes Section 222’s protections “seriously.” As evidence, the FCC pointed to a recent data security enforcement action where it proposed a $10 million penalty against two companies that stored customers’ personal information, including social security numbers, on unprotected and unencrypted Internet servers. (See our prior post here.)
Earlier this month, the Canadian Radio-television and Telecommunications Commission’s (“CRTC’s”) Chief Compliance and Enforcement Officer issued a Notice of Violation and $1.1 million penalty to Compu-Finder for four violations of the Canadian Anti-Spam Legislation (“CASL”). Although Compu-Finder was apparently engaged in “flagrant” CASL violations, according to the Chief Compliance and Enforcement Officer, the CRTC also confirmed that it is assessing CASL complaints and that “a number of investigations are currently underway.” Therefore, organizations engaging with individuals located in Canada should review their communications and marketing practices for compliance under CASL and other applicable law.
As we detailed in our prior post, an organization must have consent to send commercial electronic messages (“CEMs”) to an email account, telephone account or instant messaging account. In addition, CEMs must include certain identification information and an unsubscribe mechanism. The law applies to messages whenever a computer system located in Canada is used to send or access the CEM. Certain exemptions and transition periods also apply. The potential liability for businesses under CASL is up to $10 million (Canadian).
According to the CRTC, Compu-Finder’s violations included sending unsolicited email – including business-to-business messages – and having a non-working unsubscribe link. The company also apparently “scoured” websites to find email addresses. The CRTC indicated that Compu-Finder’s actions were the source of more than 25% of all spam complaints.
Compu-Finder has 30 days from the Notice to submit written representations to the CRTC or pay the penalty, and it can also request additional consultation with the CRTC.
The UK’s 2015 Budget has provided a platform for the UK government to reaffirm its commitment to the development of the digital economy. Chancellor George Osborne announced a number of measures affecting the digital and technology sectors in the Budget, and in this post we highlight the main ones relevant to the TMT sector.
- The UK Government plans to invest up to £600m to reallocate spectrum so as to open up the 700 MHz spectrum for further use in 4G networks, and to improve 4G coverage nationwide. The additional spectrum is likely to be auctioned during the next Parliament.
- There is a continuing drive to have 98% of UK premises connected to broadband with speeds of up to 100 Mbps.
- Government investment of £100m over five years in ‘intelligent mobility’, including driverless car technology, is planned, which will be matched by the industry itself. The UK has been positioning itself as a pioneer of driverless car technology for some time, with £19m funding being announced for trials of the vehicles in Greenwich, Bristol, Milton Keynes and Coventry in February.
- An investment of £40m in research into the Internet of Things (“IoT”), which will provide a research incubator, demonstrator programmes to encourage new ideas, and research hubs. The research aims to focus in particular on IoT applications in health and smart cities.
- Following the Isle of Man, the UK will apply anti-money laundering regulations to digital currencies. The aim of this is to support innovation in this sector and to crack down on the use of digital currencies for criminal purposes. Funding for research into both the risks and opportunities of digital currencies will also be increased by £10m.
This packet of announcements makes the 2015 Budget one of the most technology-friendly in recent years. The publication of the Blackett Review, Sir Michael Walport’s analysis of the financial services technology (“FinTech”) sector and recommendations for government policy through to 2025, was timed to coincide with the Budget, and it reinforces the impression that the UK has ambitions to be a significant player in respect of new technologies.
The Blackett Review has clear implications for the financial services sector, with emphasis placed on mobile payments, big data analytics and digital currencies, and furthermore it demonstrates a wider trend of the permeation of new technologies in other industries.
Overall, the UK Government appears keen to bolster the UK’s knowledge economy by investing in technology infrastructure and in supporting research in topical areas for the economy. If successful, the impact of these investments is likely to reach far beyond the technology sector.
The author is grateful to Paul Maynard for his substantial assistance in preparing this post.
The UK and Canadian data protection regulators have written to webcam manufacturers to highlight concerns about the safety of internet-connected devices and to enlist their assistance in reducing the risks posed by their products. In particular, the regulators call for manufacturers to roll out privacy-friendly default settings, implement “privacy by design” – whereby data protection and privacy considerations are built into the design and manufacturing process – and provide increased guidance to consumers about ensuring the security of devices.
This invitation for action is perhaps unsurprising as data protection and consumer-focused regulators have been saying for some time now that product manufacturers have a crucial role to play in maintaining consumer privacy rights and ensuring compliance with data privacy laws. The letter should therefore be read with interest by the manufacturers of all connected technologies (not just webcams) as it is another clear indication that businesses that do not consider privacy and security issues as part of the product design phase and on an on-going basis run the risk of regulatory scrutiny.
Why have manufacturers been contacted?
The recent letter to webcam manufacturers focuses on the privacy risks posed by the Insecam website which, until recently, was streaming live video footage from over 73,000 camera feeds in residential and commercial properties worldwide. The website was able to access unsecured footage because camera owners failed to change the manufacturer’s default password settings. In the words of the regulators, this caused a “major breach of privacy and data protection rights and was extremely concerning for us and many other global Data Protection Authorities (“DPAs”) around the world”. The regulators’ investigations into the Insecam website established that camera users were not aware of the risks posed by not changing the default settings of their devices, which is why the regulators now seek the assistance of manufacturers to help protect the privacy rights of their customers.
Private copying levies in the Member States have occupied the Court of Justice of the European Union (CJEU) quite a few times, previously for example in decision C‑521/11 from 2013. With the current decision in Nokia vs. Copydan Båndkopi (C‑463/12), the CJEU answers some of the most discussed questions surrounding copyright levies in the EU, especially in regard to levies on data storage media.
Directive 2001/29 contains a number of exceptions and limitations regarding the position of copyright holders. Those are to be seen in the light of the overall aim of the European legislator to pave the way for a so-called “Information Society” with adequate access to copyright-protected works. One of the explicitly permitted acts is the copying of works for private, non-commercial purposes. We speak of the “Private Copying Exception”. A key element of this exception is the requirement that the right holder receive fair compensation for the use made of his work. Such compensation is only dispensable under circumstances where the prejudice to the right holder is minimal. The compensation is provided for by levies, collected mainly through collecting societies and – depending on the relevant Member State – imposed on blank storage media (e.g. DVDs) and technical equipment (e.g. printers).
Copydan, a Danish collecting society, demanded payment of levies from Nokia Danmark A/S for detachable memory cards as contained in some of Nokia’s mobile phones. Those memory cards allow users to store copyrighted works such as music and video files, as well as personal data. Thus, they may be called “multifunctional” media carriers. Nokia disputed its liability for payment of copyright levies. Eventually, the Danish Court (Østre Landsret) stayed the main proceedings and referred a number of questions for preliminary decision to the CJEU.
Hogan Lovells has recently published the March edition of its Global Payments Newsletter with the latest updates on payment technology and policy developments from around the world. Notable items in the March edition include:
- Google’s announcement of the Android Pay mobile payments system, to allow integration of mobile payments into apps;
- Orange and Ecobank’s partnership in Africa allowing customers to transfer money between their accounts using only mobile phones; and
- German public and private banks’ joint venture to develop an online payment method to compete with PayPal.
To view a PDF of the full Newsletter for March please click here. You can also follow us on Twitter at @HLPayments for more regular news and updates.