
Global Media and Communications Watch

The International Legal Blog for the Tech, Media and Telecoms Industry

Posted in e-commerce, Policy & Regulation, Technology

Hogan Lovells Global Payments Newsletter | February 2018

Welcome to the Hogan Lovells Global Payments Newsletter. In this monthly publication we provide an overview of the most recent payments, regulatory and market developments from major jurisdictions around the world as well as sharing interesting reports and surveys on issues affecting the market.

Key developments of interest over the last month include:

Bank of Italy publishes consultation papers: On February 2018, the Bank of Italy published three consultation papers on PSD2, interchange fees for card-based payment transactions, and the EBA guidelines on product oversight and governance arrangements for retail banking products.

EBA publishes letter to European Commission: The letter, dated 26 January 2018, discusses the status of the regulatory technical standards on strong customer authentication and common and secure communication under PSD2.

ECB finalises user requirements for future RTGS services: On February 2018, the ECB published the user requirements documents relating to the Eurosystem’s future real-time gross settlement services, following approval of the TARGET2-T2S consolidation project in December 2017.

To view a PDF of the full Newsletter please click here. You can also follow us on Twitter at @HLPayments for regular news and updates.

Posted in Policy & Regulation

EU regulators warn consumers of virtual currencies bubble

Three European regulators have warned investors about the risks associated with dealing with virtual currencies, saying they are unsuitable “for most purposes, including investment and retirement planning”.

What does this mean?

The European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority have joined together to express their concern over the fact that an increasing number of consumers are buying virtual currencies without being aware of the “high risk” of losing their money.

“The [virtual currencies] currently available are a digital representation of value that is neither issued nor guaranteed by a central bank or public authority and does not have the legal status of currency or money,” the regulators cautioned in a statement.

“They are highly risky, generally not backed by any tangible assets and unregulated under EU law, and do not, therefore, offer any legal protection to consumers.”

The regulators outlined multiple risks associated with virtual currencies, such as the absence of protection or the lack of exit options and transparency.

They even went as far as saying there was a “bubble risk” as most virtual currencies are subject to high price volatility, warning consumers that they could therefore lose all their investment.


Posted in Data Protection & Privacy Winston Maxwell

European Commission and Article 29 Working Party Urge Respect for International Law in Data Cases

Territoriality will continue to be one of the most vexing problems for data regulation in 2018.  One aspect of this debate relates to whether a U.S. judge can compel the disclosure of personal data located in Europe without using international treaty mechanisms.  This issue is currently being considered by the United States Supreme Court in the case United States v. Microsoft.  The case involves the question of whether a U.S. statute relating to search warrants can be interpreted as extending to a search for data located outside the United States; in this case, the data is located in Ireland.  The U.S. Court of Appeals found that, in the absence of express wording in the statute relating to extraterritorial application, the statute should be interpreted as being limited to searches conducted within the territory of the United States.  The Supreme Court is currently reviewing the case.  In December, 2017, the European Commission filed an amicus brief urging the Supreme Court to give due consideration to the principles of international comity and territoriality when interpreting the U.S. statute.

According to the European Commission:

“any domestic law that creates cross-border obligations – whether enacted by the United States, the European Union, or another state – should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity.  The European Union’s foundational treaties and case law enshrine the principles of ‘mutual regard to the spheres of jurisdiction’ of sovereign states and the need to interpret and apply EU legislation in a manner that is consistent with international law.”


Posted in Policy & Regulation Mark Parsons

HKMA reboots virtual banking

On 6 February, 2018, the Hong Kong Monetary Authority (the “HKMA”) published draft revisions to its “Guideline on Authorization of Virtual Banks” (the “Draft Guideline”).

The framework will support the authorization in Hong Kong of ‘virtual banks’, defined as banks which deliver retail banking services primarily, if not entirely, through the internet or other electronic channels rather than through physical branches.

Consultation on the Draft Guideline is open to the public through 15 March, 2018.

The existing framework and the vision going forward

Once finalized, the Draft Guideline will replace the HKMA’s existing Guideline on Authorization of Virtual Banks issued on 5 May, 2000.  The original guidelines, which were largely unused, were introduced to support Hong Kong market entry by offshore licensed financial institutions through Hong Kong-based internet banking operations, which were growing in popularity at the time.

HKMA Chief Executive Officer Norman Chan signaled his intention to overhaul the virtual banking framework in his September, 2017 speech calling for a “New Era of Smart Banking” in Hong Kong. A new virtual banking framework was put forward together with a number of other proposals, including the recently launched “Open API” consultation (please see our separate briefing here).

Posted in Data Protection & Privacy Eduardo Ustaran

Misunderstandings, Panic and Priorities in the Year of the GDPR

It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.

First on the list is controlling the panic. There is a sense of panic about the perceived lack of compliance with the forthcoming framework which is stressful and paralysing at the same time. Many organisations are just starting to realise that this is going to affect them. Surprise! Those which have been preparing for it – many for the best part of two years – are also realising that the task is far from accomplished while the clock is ticking. But something that is crucial to appreciate is that data protection compliance is not a race. And if it was a race, it would be a marathon or, better yet, an ultra-marathon. The 25th May compliance deadline is in fact not a deadline. It is a milestone in a long process which will probably take years if not decades. So rather than assuming that perfect compliance is a matter of throwing bodies and budget at it for a few hectic months, it is our responsibility to show those who are panicking that the right way forward requires pragmatism and patience.


Posted in Copyright, Digital Single Market (EU) Dr. Nils Rauer

Geoblocking – EU Parliament approves new regulation

The regulation on measures against unjustified geo-blocking is close to becoming binding law. After the European institutions had reached a compromise on some last open issues last November, the European Parliament approved the revised draft regulation in its plenary session on Tuesday. The bill sailed through with 557 to 89 votes and 33 abstentions (press release). This marks a milestone in the endeavour to bring to an end willful obstacles within the Digital Single Market.

The legislative initiative goes back to a draft the European Commission officially presented on 25 May 2016 (COM (2016) 289). It centres on the reasoned perception that the Single Market aimed at by the European Union for so long, and which is set out as one of the Union’s core goals in Article 26 TFEU, actually does not exist on the Internet (which as such stands for a borderless and global concept). This enables “geoblocking”, i.e. the differentiation by way of origin of the Internet user, to be commonplace. As a result, users are arbitrarily denied access to certain websites because of their IP address, or simply confronted with different terms and conditions than EU citizens from other Member States. For example, a car hire in Heathrow can be more expensive when booking the vehicle out of France or Germany than when accessing the site with an Italian, Spanish or English IP address. We will put this type of scenario behind us soon when the new regulation is enacted.

Banning “unjustified” geo-blocking

Specifically, the new law is intended to counteract online discrimination based on nationality, place of residence or temporary residence. In future, customers from all parts of the EU must be given equal access to digital services and marketplaces. Ordering a product or booking a service shall be possible on the same terms throughout the entire Digital Single Market. Restricting or blocking access to websites based on the criteria mentioned above will be prohibited. The same will be true for arbitrary offering of payment methods. Any type of customer redirection to a domestic website will only be permissible with the customer’s explicit consent.


Posted in Data Protection & Privacy, Internet, Policy & Regulation Christine Gateau, Christelle Coslin, Pauline Faron

First views from the CJEU on how to build a consumer collective action in the Schrems v Facebook Ireland case: The concept of “consumer” and lack of jurisdiction of the consumer’s home court over assigned claims

The famous case brought by Maximilian Schrems against Facebook Ireland in Austria, aimed to become an international and large data protection class action, led on 25 January 2018 to a ruling from the CJEU on two main points:

  • A consumer’s right to have a claim heard in his or her home court under European law does not extend so as to confer jurisdiction on that same court where claims have been assigned by other consumers domiciled in other countries.
  • One should be regarded as a “consumer” in the context of his/her private Facebook account regardless of his/her professional activities as a privacy campaigner.

JUDGMENT OF THE COURT (Third Chamber) – 25 January 2018 – C-498/16

Background: Austrian proceedings 

Mr Schrems (domiciled in Austria) has been a Facebook user since 2008. He initially only used it for personal purposes. In 2011, he opened a Facebook page to inform internet users about (among other things) his legal proceedings against Facebook Ireland, his lectures, participation in panel debates, and his media appearances and to collect money to fund such actions.

Mr Schrems claims that Facebook Ireland has committed various infringements of European and Austrian data protection provisions. More than 25,000 people worldwide have assigned their claims to him.

The claimant brought the claim in the Regional Civil Court in Vienna on the basis that it would have jurisdiction under Article 16(1) of Regulation No. 44/2001, which states that a “consumer” may bring proceedings against the other party to a contract either in the courts of the member state in which that party is domiciled or “where the consumer is domiciled”.


Posted in Data Protection & Privacy

Aetna $17.2 Million Breach Settlement Brings Lessons for Handling Health Data

Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after the Attorney General Eric Schneiderman’s (NY AG) investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record keeping obligations.

Ironically, the mailings at issue were a required part of a settlement agreement from other lawsuits against Aetna first brought in 2014 and 2015. As part of those settlements, Aetna was required to mail notice to certain customers of the various options for obtaining HIV medications. Thousands of patients received the mailing from Aetna—names and addresses, and also HIV status, were visible through the clear window of the envelopes. Family, friends, roommates, landlords, neighbors, co-workers, mail carriers, or even complete strangers could see the individuals’ HIV status through the address window. In addition to the class action lawsuit, the NY AG launched an investigation.

Adding a HIPAA twist, the lawsuit and NY AG alleged that although Aetna sent protected health information to its outside counsel handling the matter under a HIPAA business associate agreement, neither Aetna nor its outside counsel executed a business associate agreement with the third party settlement administrator engaged to mail the notices. The settlements highlight the importance of maintaining and implementing comprehensive policies and procedures, and related trainings and audits, to prevent unauthorized disclosures of protected health information (PHI).

Class Action Settlement

The proposed agreement requires Aetna to pay almost $17.2 million into a settlement fund. In addition, Aetna agrees to develop and implement a “best practices” policy for the use of PHI in litigation. For five years, Aetna would also be required to provide annual training on this policy to in-house counsel whose primary responsibilities include managing litigation involving Aetna and to provide any updates to the policy to opposing counsel. Aetna also agrees to conduct an audit of all outside counsel handling its litigation matters to ensure the proper business associate agreements are in place.


Posted in Data Protection & Privacy Eduardo Ustaran

Thinking Strategically About Brexit and Data Protection

To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.

The UK Government’s Aim

Even before the referendum, it was patently obvious that as far as data protection was concerned, it was in the UK’s best interests to align itself with the ongoing legislative reform in the EU affecting this area. For that reason, the UK government did not hesitate to make it clear at the outset that while Brexit meant Brexit, UK data protection meant the GDPR. With this in mind, in September 2017, the government introduced in Parliament the Data Protection Bill, which is intended to replace the current Data Protection Act and primarily aimed at implementing the GDPR into UK domestic law.

The reason for this stance is and has always been eminently practical: by implementing the GDPR into the new UK data protection framework, the government believes that the UK will be able to maintain its ability to share data with other EU Member States and internationally after Brexit. This optimism is not entirely ill-founded: if today the UK is regarded as a safe jurisdiction for personal data, by retaining the EU’s legal framework irrespective of Brexit, the outcome should not change. However, this logic has already been challenged by the European Commission which in a Notice to Stakeholders of 9 January 2018, indicated that in view of the considerable uncertainties surrounding Brexit, companies were advised to consider how to prepare for the transfer of personal data to a “third country”. In other words, it should not be assumed that the UK will be granted an ‘adequacy decision’ allowing the free flow of personal data from the EU by default.


Posted in Digital Single Market (EU) Dr. Nils Rauer, Falk Schoening, Winston Maxwell, Peter Watts, Marco Berliri

Tomorrow’s landscape for digital business – The Digital Single Market becomes real!

DSM – What is it about?

In 2018, we will see new EU legislation being widely implemented as part of the EU Commission’s Digital Single Market (DSM) Strategy. The amendments to the current legal framework are far reaching and will potentially be game changing. Some of the key areas to be affected will be:


  • Unjustified geo-blocking
  • Copyright law
  • Audio-visual media services (AVMS)
  • Internet broadcasting
  • Free flow of data / Cloud Services
  • VAT regulation for online trade
  • Platform liability
  • Electronic Communications Code
  • 5G infrastructure


Value Gap – Amortization of digital copyright

The draft Copyright Directive is one of the centrepieces of the DSM. Its progress has been slow and looks set to remain that way. Almost a year since its first draft of a Report on the Commission’s proposal, the lead committee for this draft legislation (Legal Affairs/JURI) has yet to finalize its position and the amendments it will put forward to a plenary session of the European Parliament (EP). Until that session has been held it’s unlikely we will see any real progress towards resolution of a number of controversial measures within it, despite the feverish activity in late 2017 of the Estonian presidency of the Council (made up of Member State government representatives) to move things forward through a series of proposed compromise drafts. As things stand, it looks likely that no final vote in the EP will take place much before the summer of 2018.

One of the most controversial measures being considered is Article 13, which seeks to define a more proactive role for content hosting providers to deal with misuse of copyright material. Some have labeled this the “value gap” provision, others more tendentiously, call it the “censorship machine” proposal.
