Global Media and Communications Watch

The International Legal Blog for the Tech, Media and Telecoms Industry

Posted in e-commerce, Policy & Regulation, Technology

Hogan Lovells Global Payments Newsletter | February 2017

Welcome to the Hogan Lovells Global Payments Newsletter. In this monthly publication we provide an overview of the most recent payments, regulatory and market developments from major jurisdictions around the world as well as sharing interesting reports and surveys on issues affecting the market.

Key developments of interest over the last month include:

  • HM Treasury consults on PSD2 implementation: the stated aim of the consultation, which was published on 2 February 2017, is to reduce the burden of PSD2 implementation on businesses, where possible. Appendix B to the consultation paper contains draft Payment Services Regulations 2017.
  • European Commission revises draft RTS on separation of payment card schemes and processing entities under IFR: in a letter to the EBA, the Commission has proposed amendments to provisions in sections 3 (organisation) and 4 (decision-making process) of the draft RTS. The EBA has also published a revised version of the RTS containing the Commission’s amendments.
  • ‘Providing’ a durable medium in online banking: the CJEU has adopted the same reasoning as the previous AG’s opinion in the BAWAG case, which concerned whether a notice of variation under the PSD sent to a secure online banking mailbox was “provided” in a “durable medium”.

To view a PDF of the full Newsletter please click here. You can also follow us on Twitter at @HLPayments for regular news and updates.


Posted in Data Protection & Privacy

Privacy and Cybersecurity March 2017 Events

Please join us for our March 2017 Privacy and Cybersecurity Events.

March 2
Privacy Women Showcase
Julie Brill will be speaking at a NY Bar Association event on “Careers in Privacy.”
Location: New York, New York


March 14
Connected Car Technologies and Trends
Tim Tobin will speak on “Protecting the Connected Car” at Automotive Megatrends’ Connected Car Detroit 2017.
Location: Dearborn, Michigan


March 14
The Fundamentals of GDPR
Eduardo Ustaran will run a “GDPR Bootcamp” at IAPP’s Europe Data Protection Intensive 2017.
Location: London


March 15
Brexit, Article 29, and the ePrivacy Directive: The Changing Privacy Landscape
Eduardo Ustaran will speak on “Keeping Up with EU Privacy: Never-Ending Drama” at IAPP’s Europe Data Protection Intensive 2017.
Location: London


March 16
Global Data Privacy
Harriet Pearson will be speaking on “Data Privacy: International and Cross Border Issues” at the 21st Annual Corporate Counsel Institute. Among the topics to be addressed are the GDPR, Privacy Shield, CBPRs, and employee vs. customer/third party data.
Location: Georgetown University Law Center, Washington, D.C.


March 16
Brexit’s Impact on the GDPR and the Media
Eduardo Ustaran will keynote on “The Impact of Brexit on the GDPR” at The Brand Safety Summit’s What Exactly Is Brand Safety?
Location: London


March 20
Risks and Benefits of the Digital Revolution
Julie Brill will be speaking on “The ‘World’ Wide Web?” at the Princeton Fung Forum’s Society 3.0+: Can Liberty Survive the Digital Age? Topics include how different cultures prioritize and interpret what is and is not acceptable in the digital world and the narrowing distinction between state actors and private corporations.
Location: Berlin, Germany


March 20
Cybersecurity, Privacy, and Medical Devices
Marcy Wilder will speak on “Cybersecurity and Medical Devices” at the Hogan Lovells U.S. Medical Device Forum.
Location: Tel Aviv, Israel


March 23
Privacy Practitioners
Tim Tobin will moderate a panel of privacy practitioners at the Berkeley Center for Law & Technology’s 6th Annual Privacy Law Forum: Silicon Valley.
Location: Palo Alto, California


March 24
Cybersecurity in Higher Education
Allison Bender was invited to speak on “Cybersecurity Issues” at the 2017 Winter Legal Meeting of the National Council of Higher Education Resources, a trade association for student lending, finance, consumer protection, compliance, and loan servicing and collections.
Location: Washington, D.C.


March 29
German Data Protection Act & ePrivacy
Stefan Schuppert and Martin Pflüger will be participating in a compliance breakfast on “Privacy Compliance: Draft BDSG New, Draft ePrivacy Directive.”
Location: Hogan Lovells’ office in Munich


March 29
Global Privacy and Data Protection
Julie Brill will lead a Fireside Chat with UK Information Commissioner Elizabeth Denham. Topics will include an in-depth look at GDPR, Brexit, and convergence in data protection standards.
Location: Hogan Lovells’ office in Washington, D.C.


March 29
What New TCPA Rules Mean for Utilities
Mark Brennan will lead a session on “Complying with the TCPA” at KUBRA’s iConnect 2017.
Location: San Diego, California


March 30
Cross Border Privacy and Cybersecurity
Julie Brill will speak on “Data Protection: Global Convergence or Roads Diverged?,” along with UK Information Commissioner Elizabeth Denham, at the ABA’s Antitrust Law 2017 Spring Meeting.
Location: Washington, D.C.


March 30
Data Security, Storage, and Integration
Allison Bender was invited to speak as a panelist on The Knowledge Group’s Maintaining Effective and Efficient Multicloud Data Storage Strategies: 2017 Updates LIVE Webcast.
Location: Online


March 31
Women in Cyber: Cybersecurity, HIPAA, and Protecting Patients’ Data and Medical Devices from Hackers
Allison Bender will speak on “Securing the Medical and Health Internet of Things” at IAPP’s Inside Job “Securing Medical Devices and Health Records.”
Location: Washington, D.C.


Posted in Data Protection & Privacy, Telecoms & Broadband

FCC Chairman Announces Intent to Stay Broadband Data Security Rules

The Federal Communications Commission’s (FCC) Media Relations Office has released a statement announcing Chairman Pai’s intention to stay a data security rule adopted by the Commission late last year in its Broadband Privacy Order. Absent a stay, the rule is set to go into effect on March 2.

The data security rule at issue states in its entirety:

  1. A telecommunications carrier must take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access.
  2. The security measures taken by a telecommunications carrier to implement the requirement set forth in this section must appropriately take into account each of the following factors:
    • The nature and scope of the telecommunications carrier’s activities;
    • The sensitivity of the data it collects;
    • The size of the telecommunications carrier; and
    • Technical feasibility.
  3. A telecommunications carrier may employ any lawful security measures that allow it to implement the requirement set forth in this section.

Posted in Data Protection & Privacy

Australia Introduces Mandatory Data Breach Notification Scheme

On 13 February 2017, the Australian Senate passed into law the Privacy Amendment (Notifiable Data Breaches) Bill 2016. This law amends the primary privacy and data protection legislation in Australia, Privacy Act 1988 (Cth), to introduce the long-anticipated mandatory data breach notification scheme. Under this scheme, all agencies and businesses that are regulated by the Privacy Act are required to provide notice to the Australian Information Commissioner and affected individuals of certain data breaches that are likely to result in “serious harm.”

Why is this scheme being introduced?

With advances in technology, various agencies and organisations are increasingly collecting and holding larger amounts of personal information in electronic form, such as medical records, bank account details, occupational history, and other sensitive information about individuals’ personal preferences. This raises serious data security concerns with respect to the unauthorised access to or disclosure of personal information. The potential damage caused by such data breaches can be detrimental and costly.

In view of the growing threat of data breaches, the Federal Government has already made several aborted attempts to legislate data breach notification provisions in 2013 and 2015. The newly-passed bill reflects the Federal Government’s renewed commitment to impose positive obligations on businesses that suffer serious data breaches to notify the affected individuals and provide remedial steps for those individuals to minimise the adverse impact that might arise from such breaches.

Posted in Data Protection & Privacy Harriet Pearson, Paul Otto

The “Final Final” is Here: NYDFS Cybersecurity Regulations

As Hogan Lovells previously reported, the New York State Department of Financial Services (NYDFS) has launched a significant initiative to impose detailed cybersecurity requirements on covered financial institutions. On February 16, NYDFS issued its Final Rules, following the initial proposed rules published in September 2016 and two rounds of feedback via industry complaints and public comment. The Final Rules set forth requirements for a risk-based approach to cybersecurity, and include expectations for reporting on cybersecurity risks and events to senior management and NYDFS.

Click here to learn more about how to prepare for the new requirements, timing and implementation details, changes to the rules since the December announcement, and other related cybersecurity developments.

Posted in Policy & Regulation Falk Schoening, Rod Freeman

Regulate Frankenstein: the European Parliament calls for new rules for robots

When a parliamentary report cites Mary Shelley’s Frankenstein in its recitals and proposes new regulation for robots with artificial intelligence (“AI”), one cannot be sure whether the 19th or the 21st century has inspired the legislator. Last week, the European Parliament took a step to introduce new regulation of robots in Europe. Declaring that the EU needs to “take the lead” in this area, the Parliament endorsed a Report that asks the European Commission to propose rules on robotics and artificial intelligence, in order to fully exploit their economic potential and to guarantee a standard level of safety and security. The Report addresses various kinds of robots, amongst others autonomous vehicles, care robots, medical robots, or drones.

This follows an earlier report published in May 2016 on Civil Law Rules on Robotics with proposals on the regulation of the robotics industry at an EU level. Such regulation was argued necessary in order to ensure that the EU and its Member States maintained control over the regulatory standards at which the industry operated in the EU, as well as to ensure certainty for enterprises planning to develop their businesses therein. The parliamentary Committee on Legal Affairs released a preliminary study on the impact of robotics on civil law.

Posted in Data Protection & Privacy Jakub Baczuk

Polish DPA Releases Data Privacy Inspection Plans – Targets Health, Shopping

The Polish Data Protection Authority (GIODO) has just released its inspection plans for 2017. This year, the GIODO has decided to target its review of compliance with data protection laws on the health services and consumer sectors, with particular attention to certain profiling activities taking place in stores and shopping malls.

The health sector inspections will be directed at healthcare professionals and clinics. The inspections will focus on the process of patient registration, the circumstances under which registration data is collected from patients, and the overall data security provided. The inspections will be conducted either by the GIODO’s inspectors or by Data Protection Officers (ABI) registered with the GIODO.

The store inspections will focus on devices, particularly those carrying out video or closed-circuit television monitoring, which are used by a growing number of companies in Poland to profile their customers. These surveillance systems not only count the number of customers visiting a store but also establish the gender and age of shoppers using facial recognition software.

In addition, the GIODO announced that it will conduct inspections into entities that access the Schengen Information System and Visa Information Systems, as well as Eurodac and Europol systems.

Posted in Copyright, Entertainment & Content Penny Thornton, Dr. Nils Rauer, Eva Vonau

Hyperlinking in Hamburg and Prague: How national courts apply GS Media

On 8 September 2016, the European Court of Justice (CJEU) handed down judgment C-160/15 on the means of hyperlinking which caught quite some attention. It has become known as the GS Media decision (see our blog post). In essence, this CJEU judgment imposed new verification duties on commercial website owners who embed hyperlinks to third-party content in their web sites. A Swedish court was first to apply the new criteria (Attunda Tingsrätt, case ref.: FT 11052-15) and now, judgments in Germany and the Czech Republic which deal with the new set of considerations developed in Luxembourg have been handed down.

District Court of Hamburg

With its court order of 18 November 2016, the Regional Court of Hamburg decided upon a case where a link was embedded leading to a photo on a source website where the photo had been made available without meeting the license terms set out by the right holder. Specifically, the linked image featured an edited version of the original photo. The changes were not permissible under the applicable creative commons license.

The German court, in applying GS Media criteria, affirms that hyperlinking in this manner constitutes communication to the public within the meaning of Art. 3 (1) of the InfoSoc Directive 2001/29/EC and therefore classifies this hyperlinking as a copyright-relevant act. This is mainly because the owner of the website sold tutorial material through his website.

Posted in Data Protection & Privacy Mark Parsons

“Cybersecurity Review” Takes Shape in China

On 4 February 2017, the Cyberspace Administration of China issued a draft of the Network Products and Services Security Review Measures (“Draft Measures”) for public comment: the Draft Measures remain open for comments until 4 March 2017. The Draft Measures are follow-on legislation to China’s Cyber Security Law adopted on 7 November 2016, which will take effect on 1 June 2017.

The background to the Draft Measures is that the Cyber Security Law requires that network products and services purchased by operators of “critical information infrastructure” (the definition of which is somewhat vague and unsatisfactory) must undergo national security review (“Security Review”) if such network products and services “might potentially have an impact on national security,” failing which such operators risk being ordered to discontinue use and/or being subject to quite stiff fines.

The Draft Measures bring China one step closer to implementing such Security Review regime.  How this regime will look has been a major area of concern for foreign investors, especially due to concerns that the new Security Review process might be skewed in favour of “local” manufacturers and thus become a back door means of imposing essentially protectionist policies.

China’s proposed Security Review regime potentially impacts both (1) the businesses who are manufacturers of network products and providers of network services, as well as (2) the users, or prospective users, of such products and services.  While the Draft Measures give some shape to the process of Security Review, as drafted they leave a number of critical questions unanswered.

Click here for our full briefing on the Draft Measures.  Our in-house unofficial English translation of the Draft Measures is available free-of-charge upon request.  Please reach out to Mark Parsons or your normal contact at our firm for a copy.

Posted in Data Protection & Privacy Eduardo Ustaran

ICO Turns Spotlight on Data Broker Industry

Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. In 2012, data brokers’ trade in personal data was reported to have generated over $150 billion in revenue.

The UK data protection regulator (the “ICO”) has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications.

In October 2016, the ICO imposed a £20,000 fine on Rainbow (UK) Limited, a lead generation company, for precisely this reason. In its monetary penalty notice, the ICO set out a suggested list of questions that organisations should ask the data broker in these circumstances:

  • How and when was the consent obtained?
  • Who obtained it and in what context?
  • What method was used – e.g., was it opt-in or opt-out?
  • Was the information provided clear and intelligible? How was it provided – e.g., behind a link, in a footnote, in a pop-up box, or in a clear statement next to an opt-in box?
  • Did it specifically mention texts, emails, or automated calls?
  • Did it list organisations that would be provided the information by name or by description, or was there consent for disclosure to any third party?
  • Is the seller a member of a professional body or accredited in some way?
