The European Commission is taking stock of what has been accomplished regarding its Strategy for a Digital Single Market. Two years ago, on 6 May 2015, Commissioners Oettinger and Ansip announced their strategy to create a single European market in the online world. Such a market should rest on three pillars: (1) better access for consumers and businesses to digital goods and services across Europe; (2) creating the right conditions and a level playing field for digital networks and innovative services to flourish; (3) maximising the growth potential of the digital economy.
Back in 2015, President Jean-Claude Juncker said:
“Today, we lay the groundwork for Europe’s digital future. I want to see pan-continental telecoms networks, digital services that cross borders and a wave of innovative European start-ups. I want to see every consumer getting the best deals and every business accessing the widest market – wherever they are in Europe. Exactly a year ago, I promised to make a fully Digital Single Market one of my top priorities. Today, we are making good on that promise. The 16 steps of our Digital Single Market Strategy will help make the Single Market fit for a digital age.”
On 20 April, Hogan Lovells hosted the second instalment of the 2017 webinar series on emerging issues with the Internet of Things (IoT). This instalment focussed on the potential patent law issues presented by IoT technology.
Dr. Chris Mammen, a partner in Hogan Lovells' San Francisco office, considered how these issues can impact companies in the IoT space, and discussed what companies should do now to prepare for the inevitable disputes that will arise.
The IoT creates many opportunities for patent protection: from sensors and processors, to transmitters, hubs and servers, and even the processing algorithms themselves. Companies in this space must think about which areas are or will be of most value (and how these can be protected) and which areas have the potential to cause problems now or in the near future.
The range of potentially patentable areas gives rise to a number of issues which were considered on the webinar. These include:
The Digital Economy Bill passed into UK law last Thursday 27 April 2017 amidst the flurry of activity known as the “wash up” period before the dissolution of Parliament and ahead of the early general election in the UK to be held on 8 June. The Digital Economy Act introduces measures to “modernise the UK for enterprise,” and includes plans for public sector data sharing, direct marketing and age verification for online pornography, amongst other measures. An overview of these measures is set forth in this post.
As most of the measures rely on further codes of practice that are yet to be published, the privacy implications of the Act are not yet clear. However, data protection practitioners are likely to welcome the forthcoming statutory code of practice on direct marketing, and it is expected that there will be significant privacy implications in relation to the public sector data sharing regime and the age verification measures for online pornography providers.
The key measures introduced by the Act include:
Welcome to the Hogan Lovells Global Payments Newsletter. In this monthly publication we provide an overview of the most recent payments, regulatory and market developments from major jurisdictions around the world as well as sharing interesting reports and surveys on issues affecting the market.
Key developments of interest over the last month include:
- FCA launches consultation on revised guidance and Handbook rules for PSD2: On 13 April 2017, the FCA published a consultation (CP17/11) on proposed updates to its Payment Services Approach Document, Handbook and Perimeter Guidance Manual (PERG) to reflect PSD2 implementation in the UK.
- Legislation implementing the Payment Accounts Directive (PAD) is introduced in Italy: A legislative decree to implement PAD was published in the Italian Official Gazette on 30 March 2017 and enters into force on 14 April 2017.
- EPC updates white paper on mobile payments in Europe: On 14 March 2017, the European Payments Council published version five of its white paper on mobile payments across the Single Euro Payments Area following responses to a consultation that opened in June 2016.
On 27 April 2017, the German Parliament passed an entirely new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The new BDSG replaces the old BDSG, which has been in force for the last 40 years. The new BDSG adapts German law to the provisions of the EU General Data Protection Regulation (GDPR) and will now form the basis for the adaptation of other German acts to the GDPR. Further acts concerning special processing situations, such as social security data protection, are likely to follow.
Companies operating in Germany should analyze the BDSG requirements and make sure that their German operations comply with them. In many GDPR implementation projects, this national GDPR implementation law will affect several work packages. In particular, decision makers should start adopting the new BDSG employee data protection rules. Where the necessary changes need to be aligned with works councils, this can be a time-consuming process. It is worth noting that the provisions which go beyond the scope of the GDPR are of limited practical relevance, as German courts and authorities are not permitted to apply provisions of the BDSG that they deem contrary to European law. Where such provisions limit data subject rights, companies should stick to the GDPR requirements instead and not rely on clauses which bring little benefit and may be revised by the European Court of Justice.
Companies should be aware of the following new provisions:
There is no end in sight regarding CJEU decisions on the meaning of “communication to the public”. On 26 April 2017, the European Court of Justice (CJEU) ruled (C-527/15 – Filmspeler) that the sale of a multimedia player with pre-installed add-ons that contained links to illegal streaming websites constitutes a copyright infringement. At the same time, the court clarified that the exemption for acts of temporary reproduction under Article 5(1) of the InfoSoc Directive 2001/29 did not apply.
The case was referred to the CJEU by a Netherlands district court. It focuses on the question of whether the sale of the multimedia player named “filmspeler” infringes copyright or not. The player, sold by the defendant, creates a connection between a TV screen and audio-visual data such as online videos using a user-friendly interface. Additionally, the defendant installed several add-ons that – after a simple click – retrieve content from streaming websites and play the content on the multimedia player. Some of the content provided by the websites had been uploaded without the right holders' consent. The defendant used this feature to advertise the product and promised easy and free access to illegally uploaded works.
The Dutch foundation Stichting Brein, which protects the interests of copyright holders, sued the defendant and argued that the sale of the “filmspeler” would constitute a “communication to the public” in the sense of Art. 3(1) of the InfoSoc Directive. The defendant denies this interpretation and additionally argues that the reproduction produced while streaming is covered by the exception for temporary copies under Art. 5(1) of the InfoSoc Directive.
New York AG Settles Data Protection Enforcement Against Mobile Health Apps
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General (NY AG) settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor.
Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised.
When to Carry out a DPIA
DPIAs are a key part of the GDPR accountability principle, and have to be carried out if a processing activity is “likely to result in a high risk” to data subjects. The Working Party’s guidance clarifies this phrase, and provides a series of concrete criteria which might trigger a DPIA, including:
- “evaluation and scoring” of an individual (e.g. profiling), especially where it relates to an individual’s performance at work, health, behaviour, location or movements;
- automated decision-making which would be subject to Article 22 GDPR;
- use of sensitive data, i.e. processing special categories of personal data or data relating to criminal convictions;
- processing on a large scale;
- using datasets that have been matched or combined, for example, combining data you have collected with data purchased from third-party data brokers;
- data concerning vulnerable subjects, such as employees (as their relationship with their employer is not an equal one), children and the elderly; and
- processing which might prevent individuals from exercising a right, using a service or entering into a contract. This would include processing that might prevent a data subject from entering into a contract, such as bank screening on the basis of credit referencing, and processing of personal data in publicly accessible areas, for example through CCTV.
On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:
- 61% of businesses hold personal data electronically;
- 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to 51% of those that hold personal data on customers, 66% amongst medium-sized firms and 68% amongst large firms;
- The most common breaches involved members of staff receiving fraudulent emails. This demonstrates that technical measures can only take an organisation so far, and that strong procedures and training are vital;
- External reporting of breaches is still not common – only 26% of companies reported their most serious breach to someone other than a cybersecurity company who could assist with solving the problem. This will have to change where personal data is lost under the GDPR;
- Only 37% of businesses have any rules around encryption of personal data, and 37% of businesses have segregated wireless networks; and
- Only 13% of businesses require their suppliers to adhere to specific cybersecurity standards.
A close observer of the GDPR will have noticed that, in several places, individual EU Member States can implement derogations from the GDPR requirements. Of course, as a regulation under EU law there is less scope for local flexibility under the GDPR than under the current EU Data Protection Directive 95/46. Yet the GDPR does, in a number of key areas, allow an EU Member State to set down local laws that could allow a more locally relevant flavour to a particular aspect of compliance.
While the prospect of different local flavours may be unwelcome to global businesses seeking to maintain a harmonised standard of compliance across the EU (one of the policy aims of the GDPR of course), clearly the EU policy makers and legislators considered that Member States must be given room to implement their own rules in certain areas. For instance, Member States may introduce further rules around the use of genetic data, biometric data and health data.