On 17 March Hogan Lovells hosted a live webinar where several of our Global TMT thought leaders interviewed a panel of academic experts from our Law and Technology Academic Advisory Council on the key legal and tech trends for 2017, including regulation of artificial intelligence, competition law and big data, global privacy and copyright trends, and the future of broadband privacy regulation. The panel was chaired by Hogan Lovells partner and former Commissioner of the US Federal Trade Commission, Julie Brill.
Will Germany establish a “Digital Agency” to monitor compliance with competition law rules in digital markets? Will a German “Digital Antitrust Enforcer” become a role model for a European protectionist approach against American and Asian platform providers?
The German Federal Ministry for Economic Affairs and Energy seems to see a pressing need for regulation in digital markets. The White Paper “Digital Platforms”, published on the 20 March 2017, provides an outlook on possible forms of digital regulatory policy in Germany and potentially also in Europe. Of particular interest from a competition law perspective is the proposal to establish a new “Digital Agency”.
The White Paper aims at creating the foundation for fair competition conditions in order to strengthen competition in digital platform markets in Germany and Europe. The Federal Ministry therefore proposes the following measures:
Eight months ago, just before the Referendum, I anticipated the implications of a Leave vote for the sector. Today sees the publication of the first results of the Hogan Lovells “Brexometer”, which will track the attitudes of global business to Brexit through the Article 50 process.
What does the Brexometer tell us about the TMT sector?
Like other sectors TMT respondents were generally pessimistic. 53% of TMT respondents globally saw Brexit as a threat to the UK and 23% as a threat to the EU.
TMT respondents appear more concerned than most about the impact on their own businesses. They expect the greatest negative impact on profits over a 5 year period of any sector – on average a 1.9% fall. Nearly a third see Brexit as a threat to their own company against a survey wide figure of a quarter.
Why might this be?
TMT is a sector in which regulation is important and the law is central, particularly in the form of IP. In my original post, I identified some of the legal and regulatory areas which might be impacted significantly. It isn’t therefore surprising to find that TMT businesses ranked legal/regulatory policy as the top priority Brexit issue for them.
What is, perhaps, more striking is that TMT easily outscores all other sectors in ranking access to people and skills as being almost as significant issue as law and regulation. This reiterates the message we have heard in many of our conversations with business in the sector.
How important are the negotiations?
Digging deeper into our results emphasises both the importance — and challenges — of the negotiating process. With the ability to move data or run an e-commerce platform seamlessly between the major European markets at stake, not surprisingly the gap between the anticipated impact of the best and worst case scenarios is significant. 90% of TMT businesses anticipate that their worst case outcome would require them to re-evaluate their strategy (the highest for any sector) compared with 43% in a “best case Brexit”.
Strikingly however in TMT the potential impact is not just on the UK.
In the TMT “best case” 63% of respondents expect to invest more in the EU and 53% in the UK; in the worst case these figures both fall – to 43% and 17% respectively. So more respondents expect TMT to invest in the EU than in the UK even in a best case Brexit. But a worst case Brexit doesn’t simply shift more investment from the UK to the EU; it markedly reduces investment levels on both sides of the channel. (The only other sector in which we saw this impact is Life Sciences – another high tech, high talent driven industry.)
In short, a successful outcome to the negotiations is critical to the TMT sector in both the UK and EU.
What makes TMT special?
These figures suggest that in many ways TMT is more vulnerable to Brexit than other industry sectors. On its face this is a surprising result, notwithstanding the role of IP, regulation and talent in the sector. There may however be one other important factor at play here. TMT is, relative to other industries, young and highly dynamic. Unlike the banks, oil majors or pharma giants whose histories stretch back to the early 1900’s, there is little, even distant, legacy of a pre-EU world in companies like Vodafone, Google or Amazon. And yet whilst TMT “majors” are creatures of a world in which the UK’s membership of the EU is a given, they also face a highly dynamic regulatory environment – meaning there is relatively little shared “DNA” to be carried forward into the future EU and UK regulatory systems as they start to diverge.
So it is perhaps natural that TMT businesses worry about the impact of Brexit on their European businesses as a whole, not just on the UK.
Is there any light in the tunnel?
As reported in our main Brexometer paper, we found a clear trend that those groups that are relatively well prepared for Brexit tend to be more confident about the potential outcomes. The survey indicated that TMT, as an industry, is relatively ill-prepared compared with most other sectors, which suggests that there is a considerable opportunity for the sector to improve its level of confidence with further preparation.
Overall, the first edition of the Brexometer brings into sharp focus the potential risks which Brexit carries for TMT across Europe. For a young industry which has grown up with the EU and is heavily influenced by coordinated regulation and free movement of talent, concern is inevitable. But it also suggests that, if the industry increases engagement with the Brexit process, there is a real opportunity to manage these risks.
Since the first proposals for amendments to the European Commission’s draft copyright directive were leaked earlier this month, we have seen quite some discussion on what the Digital Single Market will bring about. The leaked report was drafted by the European Parliament’s Committee on Legal Affairs. MEP Therese Comodini Cachia takes responsibility over the subject. The paper puts forward an impressive total of 73 proposals for change.
Last week, we cast an eye on a highly controversial aspect of the new copyright directive: the introducing of new neighbouring right for press publishers (see our blog post). Whilst, the Commission is clearly in favour of such right, the Parliament rather prefers a mere assumption of press publishers acting on behalf of the authors when going against unauthorised use of press publications on the Internet. Today, we want to touch upon an equally important subject: Article 13 of the Commission’s draft directive holds a set of new obligations for online service providers.
Pursuant to Article 13 of the draft, online service providers storing and providing the public with access to large amounts of works uploaded by their users shall take measures in order to prevent infringements. Specifically, such platforms shall, in cooperation with rightholders, “take measures to ensure the functioning of agreements concluded with rightholders for the use of their works or other subject-matter or to prevent the availability on their services of works or other subject-matter identified by rightholders through the cooperation with the service providers.” According to the Commission, a possible measure could for instance be the implementation of content recognition technologies. However, the Commission has, as yet, failed to give any indication as to how such an obligation could work together with the liability privilege providers enjoy under the current e-Commerce Directive 2001/31.
The European commission published its last draft directive on the modernizing of the European copyright law (COM(2016) 593 final) on 14 September 2016. The draft was part of a larger strategy to bring about a single digital market within the European Union. Back then, the legislative proposal triggered quite some discussion given that its provisions touched upon more than one sensitive topic including text and data mining, a neighbouring right for publishers and new obligations for Internet providers. Most recently, the first statements from the European Parliament were leaked. Specifically, the Committee on Legal Affairs’ report became public as drafted by MEP Therese Comodini Cachia. The report puts forward an impressive total of 73 proposals for change. Considering that the draft directive has only 24 articles in total, this is quite a statement.
The leaked report suggests that the controversial neighbouring right for press publishers will be dropped and replaced with a new Article 11(1), a presumption of representation of authors of literary works contained in press publications. This would give press publishers the legal capacity to sue in their own name when defending the rights of authors in relation to the digital use of articles published in the press. In essence, the press publisher shall not be entitled to any intellectual property rights in those articles but shall have the right to sue infringers on behalf of the author.
As previously reported, on Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This is the second of two entries on the March 9th FinTech Forum. Today’s post focuses blockchain technologies. Coverage of the opening remarks and the AI discussion may be found here.
The panel discussions on blockchain technologies reflected the nascent stage of the technology, with industry representatives expressing confusion over the applicability of current regulation, and regulators expressing a lack of clarity over jurisdictional questions. Although blockchain technology is currently being utilized primarily for digital currencies such as BitCoin, the technology is beginning to proliferate in other sectors and many uses remain untapped. As panelist Peter Van Valkenburgh, Director of Research at the Coin Center, explained, blockchain technologies are simply “connected computers reaching agreement over shared data.” Where connected computers have shared data, each node can be used by another to verify identity credentials (including personal data such as credit scores), property records, or provisions of digital goods. Upon verifying the information the connected computers can also execute a transaction against that shared data as is the case, for example, in securities transactions.
On Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This was the FTC’s third forum on issues in FinTech. Previous FinTech Forums covered marketplace lending and crowdfunding and peer-to-peer payments.
In opening remarks, the FTC acknowledged the benefits of technological developments in AI and blockchain technologies: AI promises better decision-making and personalized consumer technologies, while blockchain technologies would increase the efficiency of financial transactions and eliminate the need for the middleman, among other benefits. But, the FTC stressed that advancements in these technologies must be coupled with an awareness of and active engagement in identifying and minimizing associated risks. For AI, this means countering biased or incomplete results, improving the transparency of decision-making, and addressing general lack of consumer awareness and understanding. For blockchain, it means strengthening data security, increasing oversight, and preventing abuse of the technology. The need to carefully consider the challenges raised by technological advancements was echoed by panelists throughout the forum, suggesting that the FTC will likely expect companies in these industries to have assessed and taken steps to mitigate the novel risks they face as they continue to innovate and break new ground in these spaces.
This is the first of two entries on the March 9th FinTech Forum. Today’s post focuses on Artificial Intelligence, with coverage of blockchain technologies to follow.
The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.
A few examples:
- The new guidance states: “name your organisation and any third parties who will be relying on consent – even precisely defined categories of third party organisation will not be acceptable under GDPR.” This is a departure from the current guidance on direct marketing which says that an indirect consent may be valid “if the consent very clearly described precise and defined categories of organisations and the organisation wanting to use the consent clearly falls within that description.”
- Controllers must give granular options to consent separately for separate purposes, unless this would be unduly disruptive or confusing. In addition, language likely to confuse “for example, the use of double negatives or inconsistent language” will invalidate consent.
- Controllers should consider whether to automatically refresh consent at appropriate intervals. The frequency of this will depend on the context, but the ICO recommendation is that, if in doubt, controllers should consider refreshing consent every two years. The guidance also suggests that, if not in regular contact with individuals, controllers could “consider sending occasional reminders of their right to withdraw consent and how to do so.”
- The guidance is also specific about what it means to make it “as easy to withdraw as to give consent,” as required by article 7(3) of the GDPR. The process of withdrawing consent should be an easily accessible one-step process, if possible using the same method as was used to collect the consent. So, companies collecting consent online should also provide online opt-out links.
The guidance also tackles the common misunderstanding that consent is generally the best approach for legitimising data processing. Many controllers struggle to understand this, but as the guidance says, “if you cannot offer a genuine choice, consent is not appropriate” and controllers should look for a different basis for the processing. It takes a conservative approach to the impact of article 7(4) on the conditioning of consent, and it would be helpful to have more guidance on when conditioning consent might be justified in the context of a free service.
The guidance is open for consultation until 31 March.
In a March 17 live stream webinar, a panel of academic all-stars will discuss the key legal and tech trends for 2017, including regulation of artificial intelligence, the disruptive potential of blockchain, competition law and big data, global privacy and copyright trends, and the future of net neutrality.
Our panel will also share insights into the tech priorities of the Trump administration, and key China developments.
Hogan Lovells partner and former FTC Commissioner, Julie Brill, will chair the panel, which includes Joshua Gans, author of “The Disruption Dilemma”, Phil Weiser, Dean of University of Colorado Law School and former White House technology adviser, algorithmic regulation scholar Karen Yeung of Kings College London, international copyright scholar Seagull Song of Loyola University, and Deirdre Mulligan of UC Berkeley, co-author of “Privacy on the Ground.”
The live webinar will occur on March 17 at 11:30 – 13:00 Eastern daylight time, 15:30 – 17:00 GMT and 16:30 – 18:00 CET. To register and obtain the URL to connect to the live video stream, click here.
Last week, the UK’s Information Commissioner’s Office (ICO) published a monetary penalty notice which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
In this instance, several data protection compliance issues were at stake – HCA had engaged a subcontractor based in India to process sensitive personal data without putting an agreement in place that met the requirements of the Data Protection Act 1998 (DPA) and without taking steps to ensure an adequate level of protection for data transferred outside the EU. One of HCA’s hospitals had recorded doctors’ consultations with patients discussing very sensitive and personal matters concerning IVF treatment and then sent the audio recordings by email in unencrypted form to the Indian subcontractor. But HCA had not required the Indian subcontractor to take appropriate security measures to protect the audio recordings which had been held by the subcontractor on an unsecured FTP server without restricted access controls. Consequently, a patient had been able to locate the sensitive data through carrying out an Internet search.