Global Media and Communications Watch

The International Legal Blog for the Tech, Media and Telecoms Industry

Posted in Cybersecurity, Data Protection & Privacy

SEC Issues New Interpretive Guidance on Cybersecurity Disclosures

On February 21, the Securities and Exchange Commission (SEC) published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission’s release follows shorter cybersecurity “disclosure guidance” issued in 2011 by the staff of the SEC’s Division of Corporation Finance. The new guidance was prompted by the agency’s concern over the increase in the risks and frequency of data breach incidents and other cyber-attacks affecting public companies. The Commission’s release addresses many of the matters raised in the staff’s guidance, while expanding the discussion to cover additional disclosure and compliance considerations.

The Commission’s release does not propose new rules or rule amendments that would impose new requirements, but rather expresses the Commission’s views within the existing disclosure framework. The new guidance nevertheless deserves careful study, because it represents a comprehensive statement of the Commission’s perspective on the obligation of companies to inform investors about material cybersecurity risks and incidents in a timely fashion. Based on experience with the 2011 guidance, the SEC staff can be expected to refer to the new release in evaluating cybersecurity disclosures – or the absence of such disclosures – by companies whose filings it selects for review.

The Commission’s release does not address the specific implications of cybersecurity for entities regulated under the federal securities laws, such as registered investment companies, investment advisers, brokers, dealers, exchanges, and self-regulatory organizations. The SEC staff previously has issued guidance on cybersecurity measures for some of these entities.

Posted in Policy & Regulation, Telecoms & Broadband | Michelle Kisloff, Paul Otto, Joe Vladeck

Hogan Lovells Represents Sears in First-Ever Modification to FTC Privacy Consent Order, Clarifying FTC Expectations for Data Collection in Mobile Applications

The U.S. Federal Trade Commission has approved Sears Holdings Management Corporation’s request to amend the terms of Sears’ 2009 consent order (the “Order”) in a manner that helpfully clarifies the lead U.S. privacy regulator’s views of notice and consent in the marketplace for mobile applications (“mobile apps”). After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in consumer expectations and to the mobile application marketplaces, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.”  Hogan Lovells Partner Michelle Kisloff, Senior Associate Paul Otto, and Associate Joe Vladeck represented Sears in its petition, which is the first-ever successful petition to modify a privacy-related consent order.

The 2009 Order settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers, and contains detailed notice and consent obligations that apply to Sears’ “Tracking Applications” – a broadly defined term that covered every form of software that Sears distributed to the public, including mobile apps. The ecosystem for mobile apps was in its infancy when Sears and the FTC negotiated the Order.  At that time, Sears, like many other retailers, was focused on creating versions of its websites that were optimized for mobile web browsers rather than on developing mobile apps.  Nearly a decade later, Sears is in the midst of a transformation from a traditional “brick-and-mortar” retailer to a member-centric company that leverages digital commerce tools to support its stores, and mobile apps are integral to Sears’ strategy.

Posted in Digital Single Market (EU), e-commerce | Dr. Nils Rauer

Cross-border parcel delivery – European Parliament approves the regulation proposal

Some time ago now, the European Commission launched an initiative to improve transparency and regulate the cross-border parcel delivery sector as part of its aspiration to create a real Digital Single Market. Clearly, no pan-European online market can exist without a functioning delivery system covering the entirety of the Union. A draft regulation on this subject was first published on 25 May 2016 (COM (2016) 285). Since then, the proposal has been debated both on a national as well as a European level and now, the European Parliament has agreed on an amended text of the regulation.

Legislative Process

The initiative goes back to a communication issued by the Commission in 2012. It emphasized the need to launch a public consultation to identify potential hurdles related to the delivery of goods purchased online, be it by consumers or companies (SMEs in particular). The Commission summarized the responses, and in 2013 issued a roadmap by way of yet another communication. In particular, the fragmented state of the cross-border parcel delivery market was highlighted as an obstacle to EU endeavours to create one single market within the Union.

The proposal for a regulation on cross-border parcel delivery services was then published on 25 May 2016. The Commission’s main objectives were to

  • Improve the market’s efficiency through effective regulatory oversight and increased competition, and
  • Improve the price transparency to reduce unjustified tariff differences as well as the prices overall.

The proposal gave rise to quite some discussion. Eventually, in mid-December 2017 the European institutions reached a then still informal understanding on the regulation’s final wording. This Tuesday, 13 March 2018, the Parliament took a formal vote on the agreed text. A large majority of 604 parliamentarians voted in favour of the regulation (report).

Posted in Digital Single Market (EU), Policy & Regulation | Dr. Nils Rauer, Winston Maxwell, Oliver Wilson

The Digital Single Market: Geoblocking regulation ready to be enacted!

The new provision on the banning of unjustified geoblocking in online sales is at the heart of the EU Commission’s aspiration and effort to create a real Digital Single Market within the European Union.

The term “geoblocking” stands for any type of technical or contractual discrimination based on the nationality or residence of a customer. It is a common phenomenon on today’s Internet. Users are often rerouted and offered differing conditions and prices depending on their IP address.

The core aim of the now finalised regulation is to prevent discrimination for consumers and companies in the context of access to websites, prices, sales or payment conditions when buying products and services in another Member State. However, there are meaningful exceptions to the new anti-geoblocking regime – in particular copyright works and sales with no cross-border element.

Legislative Process

We have followed the progress of the Commission’s initial proposal for an anti-geoblocking regulation (COM (2016) 289) very closely. For further detail, please visit our blog Global Media & Communication Watch. In particular, the difference between justified and unjustified geoblocking occupied the initial debate. For example, geoblocking may be legitimate in order to safeguard a movie or other content being watched online only within the territory the service provider has actually obtained a license for.

Posted in Data Protection & Privacy | Winston Maxwell, Patrice Navarro

Hosts of health data: certified compliant!

Decree No 2018-137 of 26 February 2018 on the hosting of personal health data was published in the Official Journal on 28 February 2018. The Decree notably defines the arrangements for implementing the procedure for certifying hosts of health data.


The Decree was adopted pursuant to Order No 2017-27 of 12 January 2017 on the hosting of personal health data, which substantially modified Article L1111-8 of the French Public Health Code (FPHC). As a reminder, the updated version of the Article, which will enter into force on 1st April 2018, sets out a transition from an approval procedure – currently governed by Decree No 2006-6 of 4 January 2006 – to a certification procedure, carried out by accredited bodies, for hosts of personal health data in digital format.

It should be noted that an approval procedure will remain applicable for hosting health data in paper form and for hosting in digital format as part of an electronic archiving service.

The new certification mechanism is notably defined by the Shared Healthcare Information Systems Agency (“Agence des Systèmes d’Information Partagés de Santé (ASIP)”), previously in charge of issuing the approvals, which drew up the certification reference systems. Draft versions of these reference systems can be consulted on the website esante.gouv.fr, and the reference systems will be approved by order of the Minister for Health. They are composed of the Certification reference system for hosts and the Accreditation reference system for bodies wishing to issue a certification.

Posted in Data Protection & Privacy | Eduardo Ustaran

Is Artificial Intelligence the Ultimate Test for Privacy?

Nothing challenges the effectiveness of data protection law like technological innovation. You think you have cracked a technology neutral framework and then along comes the next evolutionary step in the chain to rock the boat. It happened with the cloud. It happened with social media, with mobile, with online behavioural targeting and with the Internet of Things. And from the combination of all of that, artificial intelligence is emerging as the new testing ground. 21st century artificial intelligence relies on machine learning, and machine learning relies on…? You guessed it: Data. Artificial intelligence is essentially about problem solving and for that we need data, as much data as possible. Against this background, data privacy and cybersecurity legal frameworks around the world are attempting to shape the use of that data in a way that achieves the best of all worlds: progress and protection for individuals. Is that realistically achievable?

At a practical level, sourcing the data required for machine learning to happen is the first battleground. The volume of data available is not a problem in itself given the exponential growth of our digital interactions. But in many cases, the ability to magically crunch the necessary data will rest with those that provide services to the owners of the data. Using European data protection jargon, those developing artificial intelligence are often processors rather than controllers. The limited decision-making power of processors when it comes to the use of data can be a serious handicap. To what extent can a vendor of technology services to a hospital use the patient data to develop more effective services? Should a cloud provider be entitled to access data it does not own to enhance its offering? The potential benefits of these activities can be substantial but they may not be directly enjoyed by the controller. However, with the right level of openness, cooperation and creativity it should be possible to enable those vendors to use their insights from the provision of the services and still retain their role as processors.

Posted in Copyright, Digital Single Market (EU) | Dr. Nils Rauer, Alastair Shaw, Penny Thornton

Digital Single Market – New Copyright Directive advances

On 16 January 2018, the Bulgarian Presidency of the EU Council sought guidance from the Permanent Representatives Committee (Coreper) regarding the long-debated Draft Copyright Directive. The queries focused on two issues that are still controversial: the introduction of an ancillary copyright for press publishers (Article 11 of the draft) and the establishment of new monitoring obligations for certain online service providers (the ‘value gap provisions’) (Article 13 of the draft).

Since then, Coreper has shared its view with the EU Council. Based on Coreper’s comments, the Council Presidency has drawn up a discussion paper, published on 6 February 2018, expressing its current position. The Council’s view may be summarized as follows:

Article 11: Ancillary copyright for press publishers

The paper opens with the statement that both alternatives previously discussed in the context of Article 11 of the draft directive are feasible and still on the table: the creation of a “genuine” ancillary right for press publishers and/or the statutory presumption that press publishers may enforce certain rights.

Coreper’s comments further prompt the Presidency to propose three specific revisions concerning a possible ancillary copyright: (1) so-called “snippets” shall not be exempted from the scope of such ancillary right, (2) the latter shall be limited in such a way that it may only be enforced against ISPs and not against individual users, and (3) the duration of the right (so far 20 years) shall be subject to review at a later date. The Presidency’s paper contains specific drafting suggestions on how the criteria could be phrased in the eventual directive.

Article 13: Value gap and new monitoring obligations

Regarding Article 13 of the draft directive, the Presidency’s discussion paper includes two key suggestions: defining the services affected by the new obligations in order to target precisely the services covered and, secondly, clarifying the conditions for when such a service provider is ‘communicating to the public’. The Presidency suggests that a service would be ‘communicating to the public’ “when it plays an indispensable role and intervenes in full knowledge of the consequences of its action to give the public access to copyright protected works or other protected subject matter uploaded by their users.” In these circumstances, the ISP would not be able to rely on the liability privileges set out in Article 14 of the E-Commerce Directive 2000/31. However, the paper indicates that the Presidency still sees the need for further discussion of the details, in particular whether there should be some limitation of liability, under certain conditions.


Bottom line, we have to admit that the Presidency’s current paper offers little reason to expect things to move rapidly to a final compromise now. It is apparent that all the proposals previously discussed are still on the table. Even though the drafting suggestions made for Article 11 of the draft do make sense, the main question is whether to go for an ancillary right or a statutory presumption. From an economic point of view, it seems to be fair to say that the second option could very well work for press publishers. Legal certainty could be achieved and the publisher’s position would still be strengthened.

With regard to Article 13 of the draft, it is doubtful whether the proposed definition of affected ISPs could in practice lead to clear means of distinguishing services and thus to more legal certainty. Further, the concept of ISPs being primarily liable for ‘communicating to the public’ in relation to user-uploaded content remains under discussion. If the Council’s current proposals are agreed this would have a significant impact on platforms. It is essential that this and the relationship between the exploitation of copyright and the benefit of e-commerce privileges are clarified. A new definition of what is a ‘communication to the public’ is, however, not to be recommended. At least, not if it adds further ambiguity to an already complex area.

It is again up to the internal copyright working group to come up with a (hopefully) final compromise. At the meeting on 12 February 2018, the group reportedly did not make much progress in this regard.

Posted in Data Protection & Privacy | Natalia Gulyaeva, Maria Sedykh, Katherine Gasztonyi

Russia: Main Takeaways from Roskomnadzor’s Open Doors Day

Recently, the Russian Data Privacy Authority (Roskomnadzor) organized an Open Doors Day in honor of the International Data Privacy Day. During the occasion, Roskomnadzor officers presented on the authority’s 2017 enforcement activities. They followed this presentation with an open question and answer period, during which they responded to numerous questions raised by attendees. We summarize the key takeaways below.

2017 Roskomnadzor Enforcement Highlights

Data operators continue to register with Roskomnadzor: approximately 33,000 new data operators registered in 2017, bringing the total to just over 400,000 data operators registered with the authority.

Of the industries represented by the data operators, the majority of data subject complaints emanated from or related to consumers’ relationships with banks, housing services providers, and debt collection agencies. This will come as little surprise to those operating in the data protection industry, where the personal data processed in connection with these activities is generally subject to additional protections. Also of note is the volume of complaints that related to general website operators, including social media providers. The Roskomnadzor looked into the data subjects’ complaints and found violations of applicable data protection laws in 5.4% of cases.

Posted in e-commerce, Policy & Regulation, Technology

Hogan Lovells Global Payments Newsletter | February 2018

Welcome to the Hogan Lovells Global Payments Newsletter. In this monthly publication we provide an overview of the most recent payments, regulatory and market developments from major jurisdictions around the world as well as sharing interesting reports and surveys on issues affecting the market.

Key developments of interest over the last month include:

Bank of Italy publishes consultation papers: In February 2018, the Bank of Italy published three consultation papers on PSD2, interchange fees for card-based payment transactions, and the EBA guidelines on product oversight and governance arrangements for retail banking products.

EBA publishes letter to European Commission: The letter, dated 26 January 2018, discusses the status of the regulatory technical standards on strong customer authentication and common and secure communication under PSD2.

ECB finalises user requirements for future RTGS services: In February 2018, the ECB published the user requirements documents relating to the Eurosystem’s future real-time gross settlement services, following approval of the TARGET2-T2S consolidation project in December 2017.

Posted in Policy & Regulation

EU regulators warn consumers of virtual currencies bubble

Three European regulators have warned investors about the risks associated with dealing with virtual currencies, saying they are unsuitable “for most purposes, including investment and retirement planning”.

What does this mean?

The European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority have joined together to express their concern over the fact that an increasing number of consumers are buying virtual currencies without being aware of the “high risk” of losing their money.

“The [virtual currencies] currently available are a digital representation of value that is neither issued nor guaranteed by a central bank or public authority and does not have the legal status of currency or money,” the regulators cautioned in a statement.

“They are highly risky, generally not backed by any tangible assets and unregulated under EU law, and do not, therefore, offer any legal protection to consumers.”

The regulators outlined multiple risks associated with virtual currencies, such as the absence of protection or the lack of exit options and transparency.

They even went as far as saying there was a “bubble risk” as most virtual currencies are subject to high price volatility, warning consumers that they could therefore lose all their investment.
