With attention to connected car cybersecurity issues increasing globally, the European Union Agency for Network and Information Security (ENISA) is leading the EU’s first bloc-wide initiative to identify cybersecurity rules of the road for connected cars. On July 13, ENISA announced a study aimed at creating a comprehensive list of cybersecurity policies, tools, standards, and measures to enhance security in next-generation automobiles. ENISA will include interviews with relevant stakeholders like car manufacturers and Tier 1 and 2 suppliers and solicit feedback on its findings at an open workshop October 10 in Munich, Germany. The study will also be reviewed by members of ENISA’s CaRSEC Expert Group, a collection of government, private, and public-sector experts knowledgeable about cybersecurity as it relates to car manufacturing, vehicular hardware and software, road standards, and car security. At the end of the study, ENISA will provide recommendations on how to enhance smart car security for EU consumers.
On 15 July 2016, the European Commission issued a revised version of MEDDEV 2.1/6 entitled “Guidelines on the qualification and classification of stand alone software used in healthcare within the regulatory framework of medical devices”. This new document is intended to replace the original version of MEDDEV 2.1/6 which was issued in January 2012. The revisions to the original document introduced by the new MEDDEV 2.1/6 are, however, fairly limited.
The principal and almost only novel element in the revised version of the MEDDEV 2.1/6 appears in Section 1 of the document concerning definitions.
The document now includes a definition of software which is a:
“set of instructions that processes input data and creates output data”.
The MEDDEV also introduces definitions of “input data” and “output data” to enable manufacturers to understand this new definition.
Input data is defined as:
A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” See In the Matter of a Grand Jury Subpoena Directed to Marc Rich & Co. v. United States, 707 F.2d 663 (1983) and our earlier blog post on the district court decision.
The Second Circuit focused its analysis on the government’s use of a warrant issued pursuant to section 2703 of the Stored Communications Act (SCA) to obtain the content of emails. Under the SCA, where the U.S. Government seeks the content of emails from an email service provider, the Government must, in certain specified circumstances, use a warrant following the procedures in Rule 41 of the Federal Rules of Criminal Procedure. The court concluded that Rule 41, with the exception of certain diplomatic operations, only allows for magistrate judges to issue warrants for information stored in the United States. Moreover, the court found “Congress did not intend the SCA’s warrant provisions to apply extraterritorially,” citing the presumption against extraterritorial application of United States statutes absent a clear contrary intent.
Earlier this week, four Hogan Lovells partners met virtually and discussed the impact of Brexit on the Commission’s Digital Single Market strategy as announced on 6th of May 2015 (COM(2015) 192 final) and as currently put into practice by way of numerous legislative initiatives. Don McGown (London), Winston Maxwell (Paris), Nils Rauer (Frankfurt) and Falk Schoening (Brussels) looked at the consequences of the UK having voted in favour of leaving the European Union from various angles and put the leave decision in the broader context of the digital world. You can find a recording of the webinar here, plus the presentation slides here.
Don McGown opened the discussion with some remarks on what the referendum actually means and which decisions are to be taken by the new UK government now. He also touched upon the Article 50 process and the steps to be taken until the UK will have left the Union. Don further shared his view on what is likely to change and what might remain fairly the same in the TMT world after Brexit. This prognosis was deepened by Winston Maxwell who spoke from a European point of view about the main impacts on the media and telecommunication sector.
Given the amount of ink that has been spilled on the topic over the past months, most readers will likely be familiar with the term blockchain, as code for the type of distributed ledger technology that underlies bitcoin and other similar cryptocurrencies. Some of the more technologically inclined may already have an in-depth understanding of the workings of these systems. One thing seems certain: just about everyone will have heard ecstatic claims about how blockchain technology will transform the world of finance.
With this awareness has also come a level of scepticism, bringing a more rigorous focus on the underlying concepts and corresponding innovations, as lawyers, bankers and other participants in the finance sector seek to understand how it is that blockchain technology will drive the implementation of significant changes to the way finance business is conducted. To advance the discussion, it is worth examining three specific financial products and some of the opportunities and challenges for transitioning these products to a blockchain model.
On 12 July 2016, the European Commission issued its much awaited “adequacy decision” concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. This adequacy decision is based on the latest version of the Privacy Shield, which was further negotiated and revised following the Article 29 Working Party’s April 2016 concerns with the terms of the original Privacy Shield framework.
Many of our clients have questions about Privacy Shield—what it is, when it will be available for use, and how it differs from other data transfer mechanisms, among others. We have prepared a blog post to answer these questions about the updated version of Privacy Shield and its implications for companies engaging in trans-Atlantic data flows.
What is Privacy Shield?
In 2000, the United States Department of Commerce and the European Commission devised the “Safe Harbor” privacy framework to protect the rights of European citizens as their data traveled across the Atlantic. American companies that agreed to self-certify to the seven Safe Harbor principles were allowed to collect and use data originating from the EU, and store such data on U.S. servers.
By October of last year, some 4,500 U.S. companies, large and small, were relying on Safe Harbor to transfer employee and consumer data from the EU to the U.S. That month, the Court of Justice of the European Union (CJEU) invalidated Safe Harbor as a data transfer mechanism in the case Schrems v. Data Protection Commissioner. The CJEU held that, in approving Safe Harbor in 2000, the European Commission did not appropriately consider whether it provided EU personal data with the right level of protection. The Department of Commerce and European Commission redoubled existing efforts to produce a successor framework to Safe Harbor that would address the concerns of the CJEU and European stakeholders.
Julie Brill, Hogan Lovells partner and co-head of our global Privacy and Cybersecurity practice, recently commented on the EU-US Privacy Shield for the EurActiv publication. Her comments are republished here, with permission:
The free flow of data is essential to an ever-growing segment of the global economy. Yet some policymakers and advocates, citing privacy concerns, have called for shutting off the faucet and restricting data flow, to the detriment of European consumers and European businesses, both small and large.
With cooler heads and a laser-like focus on the best interests of all European citizens, the European Commission and the US Department of Commerce have been tirelessly working to build a better framework for maintaining a seamless flow of data across the Atlantic in a manner that respects the privacy of European citizens.
After much debate, a major European court opinion, and at least one act of Congress to address the issue, a solution is at hand that will enhance real, enforceable privacy protections on both sides of the Atlantic.
Three years ago, the Snowden revelations led the Commission to sharply question the safety of at least one transatlantic data transfer mechanism, known as the US-EU Safe Harbour framework, and to call for development of a better framework.
Last week, Russian President Vladimir Putin signed the law “On introducing amendments to the Federal law ‘on fighting terrorism’ and other legislative acts of the Russian Federation related to establishment of additional measures against terrorism and ensuring public security” (the “Law”). Specifically, the Law introduces amendments to the Russian Law on Communications and the Russian Law On Information, Information Technologies and Protection of Information.
In particular, the Law imposes extensive data storage requirements on (i) telecommunication operators (“Telco operators”) and (ii) Internet telecommunication operators (“Internet Telco operators”).
Both operators will be obliged to store in the territory of the Russian Federation information about users’ communications (i.e., about the receiving, transmitting, delivery and/or processing of voice and text messages, images, videos and other messages) for 3 years (for Telco operators) and 1 year (for Internet Telco operators), as well as the content of those communications for up to 6 months. In addition, the Internet Telco operators will be obliged to provide state security authorities with decryption keys if the processed messages and files are additionally encrypted.
The Law revises and increases the fines that Telco and Internet Telco operators face for violations of the Code of Administrative Offences of Russia.
The Law comes into legal force starting on 20 July 2016, though operators will not have to store the content of processed messages until 1 July 2018.
Data privacy in an employment context remains a challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance. Few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a reasonable expectation of privacy – including in their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several Member States, e.g. relating to the permissibility of monitoring in internal investigations and compliance controls.
Modern technology offers advanced technical options to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are now the principal limitation in the EU. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation. This area of data privacy will remain less harmonised than other fields of data protection.
A non-compete obligation which is imposed on the seller in the context of an M&A transaction can be permissible when it is ancillary to the transfer of the relevant business, that is, when it is directly related and necessary to the implementation of the deal. In order to enjoy the fruits of the purchase of the transferred business, the buyer must be able to benefit from some protection against competition from the seller. However, non-compete clauses only comply with antitrust/competition laws when their geographical scope, duration, subject matter and the persons subject to them do not exceed what is reasonably necessary to achieve the legitimate objective of implementing the transaction.
In two judgments dated 28 June 2016, the EU General Court upheld the European Commission’s strict approach to non-compete clauses in M&A transactions. This example is European, but the conduct at issue can raise antitrust risk around the world.
There are five key takeaways: