Welcome to the Hogan Lovells Global Payments Newsletter. In this monthly publication we provide an overview of the most recent payments, regulatory and market developments from major jurisdictions around the world as well as sharing interesting reports and surveys on issues affecting the market.
Key developments of interest over the last month include:
- EBA consults on guidelines on security reporting: the draft guidelines specify, amongst other things, the criteria for classifying operational or security incidents as major, and a template for payment services providers to use when notifying incidents to the competent authorities.
- Implementation of PSD2: in Germany, two draft implementing acts (one for regulatory, one for contract law aspects of PSD2) have been published for consultation.
- UK PSR response to Which? authorised push payments super-complaint: the PSR, in conjunction with Financial Fraud Action UK, is looking to the banking industry to lead on a programme of work which will address the issue of a lack of clear data and develop best practice standards for banks to follow.
To view a PDF of the full Newsletter please click here. You can also follow us on Twitter at @HLPayments for regular news and updates.
While the UK Court of Appeal has opened the door for broadband ISP blocking to combat trademark or copyright-infringing activities (see our earlier report), the picture in the United States, China and Hong Kong is more complex.
“‘It is, it is a glorious thing, to be a Pirate King,’ said W.S. Gilbert: but he was speaking of ship pirates. Today we speak of film pirates. It is not a glorious thing to be, but it is a good thing to be in for making money.” So said celebrated English judge Lord Denning in a 1980 pirate video case. One could say that being an IP pirate king today is much less risky than it was then; it can certainly be more lucrative. It is logistically more straightforward, with an enormous potential global market for unlawful copies of commercial content and counterfeit goods, downloadable at the touch of a screen or delivered in small packages from almost anywhere in the world. Add to this the ease with which, at the first sign of serious trouble, your virtual pirate galleon can set sail and anchor at another server in a remote jurisdiction where it is not easily enforced against. Or, if sunk by a takedown request, it can simply be refloated and renamed. The 21st century Blackbeards and street market hustlers of cyberspace might well feel as if the World Wide Web was made specially for them.
However, what if the virtual galleon need not be sunk, but merely traced and the digital barges carrying the infringing content and offers of counterfeit goods denied access at the shores of the world’s online markets?
This article focuses on whether internet service provider (ISP) blocking remedies are available to trademark and copyright owners in the United States, China and Hong Kong, but starts with a brief look at the position in the United Kingdom, where the courts have shown a willingness to adopt innovative solutions to this 21st century problem.
The article first appeared in World Trademark Review, December 2016/January 2017. For further information, please go to www.worldtrademarkreview.com.
Maintaining a global supply chain brings its share of commercial, financial, and regulatory risks. Increasingly, telecommunications companies with global operations and suppliers are finding that U.S. trade control laws affect their operations. For instance, telecommunications companies can inadvertently breach export control or economic sanctions laws when critical suppliers are designated on U.S. or non-U.S. government restricted parties lists, engage in prohibited transactions with sanctioned countries, or re-export U.S. origin items to prohibited destinations, end users, or end uses. In an interconnected world, even companies that primarily provide products and services within the U.S. can be exposed under trade control laws if they have a global supply chain. This article highlights the three areas of U.S. trade control laws that can affect the operations of U.S. telecommunications companies: export controls, economic sanctions, and anti-boycott restrictions. With U.S. and non-U.S. trade control laws constantly evolving as U.S. foreign and national security policies react to global developments, U.S. telecommunications companies need to remain alert to potential risks in their global activities and implement robust compliance programs to be prepared for sudden shifts in U.S. policy and/or legal requirements.
U.S. export controls laws
U.S. export controls laws govern how U.S. companies may export and re-export items to specified destinations and end-users around the world. These rules apply to dealings with third parties, as well as intra-company transfers. The export, re-export, and transfer of certain U.S. origin commodities, software, and technology require authorization by the U.S. government and other procedures, even for transfers to a U.S. company’s own affiliates and suppliers outside the United States. While most commercial telecommunications items are not highly controlled, there are certain items that require prior authorization. Therefore, it is critical for telecommunications companies to understand how their commodities, software, and technology are controlled. Major companies in the global supply chain for telecommunications and computer networking equipment have been targeted by export enforcement agencies, raising legal risks for U.S. companies that rely on their products and services.
Click here to read the full article, as published in our Global media and Communications Quarterly.
On January 10, 2017, the European Commission released a Communication, a fact sheet, a working document and a public consultation relating to Europe’s “data economy”. The fact sheet states that “data is a new type of economic asset”, which is essential for innovation and growth. The Commission’s objective is to remove “unjustified restrictions” and “legal uncertainties” in order to facilitate data sharing and innovation.
Interface with GDPR
The Commission’s Communication on the data economy brings to light a fundamental tension between the policy on protection of personal data and the policy of developing an innovative data economy. The General Data Protection Regulation (GDPR) is built on a human rights approach, under which personal data is an extension of an individual’s right to auto-determination. The data economy package is built on an economic approach, pursuant to which data is an asset that can and should be exploited and shared to maximize social welfare. The Communication suggests that the two approaches can co-exist, but it is a bit like trying to mix oil and water. The Commission suggests that anonymization is key: If the data are sufficiently anonymized, they fall outside the GDPR and can be freely shared and exploited. But if data are not sufficiently anonymized, the GDPR governs.
Putting the focus on anonymization is just pushing the problem into a different corner of the room. Under a fundamental rights approach, even a very small statistical risk that an individual may be re-identified will be considered an unacceptable risk. This could mean that data sets must be anonymized to such a high level that their economic and social value is significantly diminished. A data set that is anonymized at a level of 99.8% may be much more valuable to society than a data set that is anonymized at a level of 99.999%. It is unclear from the Commission’s Communication how this kind of trade-off will be managed. The GDPR leaves some room for discussion, because the concept of anonymization is linked to the idea of “all the means reasonably likely to be used” to single out an individual. The terms “means reasonably likely to be used” give some flexibility to make trade-offs, but will also trigger differences in interpretation depending on whether you’re addressing the question from a fundamental rights standpoint, or from a “data as an asset” standpoint.
On January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree (diplôme d’université) aimed at training future Data Protection Officers (DPOs) under the new European General Data Protection Regulation (GDPR), which becomes effective across the EU on May 25th, 2018. Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include courses in law, cybersecurity, data analytics, management and ethics. The faculty will include professors from various law schools, as well as practicing DPOs, information security specialists, lawyers and regulators from the CNIL (the French data protection authority), and major companies including Sanofi, GE, Axa, Lagardère, Google, Microsoft, Schneider Electric, BNP Paribas and the Banque Postale.
Speaking at the opening ceremony, Professor Fauvarque-Cosson commented: “This is an exciting time because data protection law is being created before our eyes. The new European regulation is just the start.” Winston Maxwell underlined the difficulties of the DPO role under the GDPR: “The DPO is an important management position, but it will not be easy.”
Information about the new program is available here.
To see Professor Fauvarque-Cosson’s and Winston Maxwell’s video, click here.
The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive. The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services. It is also concerned with the protection of information related to the devices of end users located in the EU.
In this particular respect, the draft e-Privacy Regulation introduces revised and complex rules affecting end users’ terminal equipment and how data is collected in that context. Our high level assessment of the notice and consent requirements affecting various data activities involving users’ devices can be found here.
The consequences for non-compliance follow a two-tier approach as follows:
For thousands of years, society has recorded information in ledgers, ranging from clay tablets and books through to cloud-based computer systems. Despite the advance of technology, all of these ledgers have effectively been siloed, with access (or “permission”) to write and read information generally being restricted.
Blockchain is a new technology that flips the traditional model of a ledger upside down. Rather than have multiple separate silos, a blockchain (in its purest form) can act as a unified database that’s accessible (on a read and write basis) by everyone (it is in effect “permissionless”). The ledger stored on a blockchain is shared amongst a distributed network of computers. The use of cryptography enables users to modify the master ledger without the need for a central authority.
It is the distributed nature of the ledger that is such a powerful idea and which causes some to think that the blockchain will be as revolutionary as the internet. As noted above, with a blockchain there is no need for a central trusted authority or for intermediaries. The disintermediation of intermediaries could redefine the value chain in a wide range of industries, from financial services to media, and puts the power and value of data back in the hands of the people creating that data. Blockchains can be public (such as the Bitcoin blockchain or the Ethereum blockchain) – these are effectively permissionless, or they can be private (where access is restricted to a selected group of users).
Other arguments in favour of the use of blockchains are that they are immutable (i.e. cannot be altered) and that the distributed nature of the network means that it is practically impossible to hack. However, as we will see, this is not necessarily the case.
Click here to read the full article, as published in our Global media and Communications Quarterly.
The New York Department of Financial Services (NYDFS) just issued major revisions to the cybersecurity regulations for financial institutions that were due to come into effect on January 1, 2017. To allow covered institutions more time to implement the rules, the effective date will now be March 1, 2017, with a series of staggered implementation dates beyond this. There are several notable substantive changes in the revised rules.
Click here to learn more about the major changes to the proposed rules, timing and implementation details, and how to prepare for the new requirements as well as other related cybersecurity developments.
For more details on the NYDFS cybersecurity regulations for financial institutions, please see our previous blog post.
On 25 November 2016, the Ministry of Industry and Information Technology, China’s telecommunications and Internet regulator, issued a draft Circular on Regulating Business Activities in the Cloud Services Market for public comment (“Draft Circular”). The stated aims of the Draft Circular are to improve the cloud services market environment and further regulate business activities in this sector. In addition to introducing a number of minimum service requirements that cloud operators must observe, the Draft Circular is of particular interest to the industry due to the rules it sets out for market participation by foreign technology companies, including through cooperation with license holders in China. The period for public comments on the draft ended on 24 December 2016.
The cloud market is currently experiencing a period of explosive growth in China, with Chinese Internet titans Tencent, Alibaba, Baidu and others vying with Amazon, IBM, Google, Microsoft and other international cloud computing giants to develop and capture the public, private and hybrid markets. According to the 2016 Cloud Computing White Paper released by the China Academy of Information and Communications Technology in September 2016, the overall size of China’s cloud computing market in 2015 was RMB 37.8 billion, with a growth rate of 31.7%, meaning China’s share of the global market has risen from 3.7% in 2012 to 5%.
Please join us for our January 2017 Privacy and Cybersecurity Events.
Japan’s 2017 Data Privacy and Tech Agenda
Julie Brill and Harriet Pearson will host a presentation by two of Japan’s most senior officials and authorities on recent changes to Japan’s privacy law and the establishment of a new Personal Information Protection Commission (PPC). Yoshikazu Okamoto, Director of the PPC Secretariat, will present on the mission and agenda of the PPC, the requirements and implementation timeline of the new law, and Japan’s international engagement on these issues. Professor Fumio Shimpo of Keio University, a noted expert on Japanese privacy and technology law and policy, will add his perspectives on legal and policy aspects of the Internet of Things, artificial intelligence, and robotics. Click here to register for the event.
Location: Hogan Lovells’ office in Washington, D.C.
January 31-February 1
GDPRnow: A Practical Guide to Implementing the GDPR
Hogan Lovells will be hosting GDPRnow, two half-day events that will feature speakers from our global Privacy and Cybersecurity practice and Helen Dixon, the Irish Data Protection Commissioner. GDPRnow will offer expert and practical guidance on how to prepare for the GDPR. Hogan Lovells speakers include: Julie Brill and Bret Cohen (Washington, D.C.), Joke Bodewits (Amsterdam), Gonzalo Gállego (Madrid), Marcus Schreibauer (Düsseldorf), Stefan Schuppert (Munich), and Eduardo Ustaran (London).
Location: Hogan Lovells’ offices in Washington, D.C. and New York