In the third instalment of the 2018 Internet of Things Webinar (IoT) Series, Yarmela Pavlovic, Paul Otto, Elisabethann Wright, and Fabien Roy hosted an educational webinar focusing on the evolving world of connected medical devices.
Fabien described the regulatory framework applicable to digital health technologies regulated as medical devices in the EU. He explained the criteria which must be met by products to be considered as medical devices and in particular when a health app becomes a medical device. The discussion included a review of the criteria laid down in MEDDEV 2.1/6 concerning the classification of software as medical devices. Fabien also highlighted the changes resulting from the application of the new Medical Devices Regulation (MDR) in May 2020 and the consequences of this new Regulation for the classification and regulation of digital technologies as medical devices in the EU. Finally, Fabien underlined that it is crucial for manufacturers to take appropriate steps to transition to the MDR as soon as possible.
Since the announcement on 6 June that the Council and European Parliament had reached agreement on the draft Directive establishing the Electronic Communications Code (the “Code”), the communications and competition communities have been on tenterhooks to see what the final version of the text contains.
The draft Code has been in the pipeline for almost two years and is part of the Commission’s Digital Single Market Policy. It is designed to set EU-wide common rules and objectives on how the telecoms industry should be regulated. The Commission’s aim has been to update the rules, taking account of technological developments, and to create the regulatory framework to enable the roll-out of 5G and new generation technologies in the context of the EU’s ambitious 2025 connectivity targets.
The audience from around the globe at the IBA’s 29th Annual Communications and Competition Conference in Milan this week was – while waiting with baited breath for the final text – cautiously optimistic.
In addition to provisions on the availability and predictability of access to the spectrum licences required for the deployment of 5G networks, the Code also focuses on creating a predictable investment environment, including through the provision of “regulatory holidays” where certain conditions are met.
The Federal Communications Commission is proposing to bring a $2.8 million penalty against HobbyKing for marketing drone-attachable audio/video (AV) transmitters that operate on unauthorized frequencies.
For marketers and retailers of unmanned aircraft systems (“UAS”) and attachable devices, this penalty signals that the FCC is cracking down on the makers and marketers of noncompliant UAS and UAS-attachable devices. This penalty also serves as a reminder to operators, who are required to have an FCC license to operate a drone, even if it only operates on amateur frequencies.
According the FCC’s Notice of Apparent Liability, HobbyKing purported to offer UAS-attachable AV devices that operate on amateur radio frequencies (which do not require FCC certification). On closer inspection, though, those devices also operated on additional frequencies, including some that require certification. Moreover, as the notice states, some of the devices also apparently operated at power levels in excess of what is permitted for amateur equipment.
HobbyKing argued that it did not market its devices to customers based in the U.S. The FCC was not persuaded, however, finding that HobbyKing had a record of sales in the U.S. and did not place limitations on shipping to the U.S. The Commission was also not persuaded by Hobby King’s argument that the burden was on the customers to comply with local laws, stating that the burden of device compliance falls on the makers and marketers of the devices.
“Getting to Data Nirvana” is our four-step approach to help you integrate your legal, regulatory and compliance work streams into your organisation’s overall data strategy.
The job of the legal and compliance teams is to make sure that their company’s data projects do not breach applicable laws.
Their task is not easy because the number of laws regulating the processing of data – particularly personal data – are increasing multiplying worldwide.
However, a focus solely on data compliance can prevent broader thinking about data strategy, and how legal and regulatory teams can contribute to value creation.
Hogan Lovells’ “Getting to data nirvana” guide helps open the door to broader thinking about data strategy, by showing how regulatory, contract, IP, competition and litigation strategy can be proactively engineered to create data value.
View the first guide: “Understanding data value and ownership“.
Take advantage of the far-reaching changes brought about by the GDPR with our European Privacy Tool, which offers realistic, practical and workable insights as well as templates, helping to ensure that you are successful in meeting the applicable regulatory requirements.
How big is the Internet of Things (IoT)? It’s likely that there will be tens of billions of connected devices in use by 2020. As this massive network of “things” keeps expanding, so do the number of questions about IoT-related product safety and liability issues.
When we’re thinking about the standard of safety for IoT products, we need to look to the General Product Safety Directive (GPSD) and to other relevant product safety laws at both an EU and member state level.
In the event that a defective IoT product causes damage, the Product Liability Directive (PLD) is the key legislation that addresses product liability concerns. But advances in technology are outpacing the decades-old PLD. An evaluation now under way, however, should soon clarify some of the ambiguity arising from the evolving technology landscape, including new and more relevant definitions for defects, products, and producers.
In this hoganlovells.com interview, Valerie Kenyon, a partner focusing on product liability and safety in the Hogan Lovells London office, discusses the changes in and challenges to the EU’s regulatory regime as the IoT continues to shape perceptions about product safety and liability.
Why are we so interested in IoT safety and liability?
Kenyon: IoT devices have become part of our everyday lives. They’re in the hands and the homes of every conceivable demographic — not just adults or the tech savvy, but also children, the elderly, and vulnerable users. So it’s important that there are modern and clear rules around the safety and compliance of these devices, and that businesses in the IoT space are aware of these rules and the risks and liabilities they may face.
In the EU product regulatory landscape, IoT products fall within the scope of the GPSD. Let’s spend some time looking at the way the GPSD applies to connected devices.
If you’ve got any worries about the GDPR – Europe’s new data privacy regime – then we’re here to help with our recently recorded webcast, explaining why there’s no need to panic.
It’s a great discussion, with our industry-leading panel looking offering lots of helpful tips and practical examples of how you can prepare for the GDPR, even after the 25th May deadline – and make sure you don’t fall foul of regulators.
Watch it now by clicking here.
Free access to our European Privacy Toolkit
Hogan Lovells has launched an interactive European Privacy Toolkit to help those who are worried about fulfilling their obligations – which you can access for free.
The digital tool combines the insight of our industry-leading lawyers with interactive technology to offer you a one-stop data protection solution.
On 25 May 2018, after months of discussions, the EU Council’s Permanent Representatives Committee (COREPER) finally agreed its position on the draft Copyright Directive (see the official press release here), although it has been suggested that Germany, Finland, the Netherlands, Slovenia, Belgium and Hungary did not support it.
The agreed text (read it in full here) will serve as the mandate for the Council Presidency to negotiate with the EU Parliament, once the Parliament has agreed its own position. The EU Parliament Committee on Legal Affairs (JURI) is due to vote on a form of text on 20-21 June 2018.
The Council’s position differs only slightly from the draft published on 17 May (see our earlier report commenting in full on the draft here). The only substantial differences between the agreed text and the 17 May draft relate to Article 11 (introducing the controversial new press publishers’ right). The changes arguably make the exclusion of insubstantial parts of a press publication from the new right less clear than it was, by relegating the test of no ‘independent economic significance’ for short extracts to a Recital. The permitted alternative (and familiar) ‘expression of intellectual creation’ test remains in the operative Article 11.
DSM Watch will be back with an update once the Parliament’s JURI Committee has voted!
Data protection authorities set out guidelines for the application of the new EU General Data Protection Regulation
The European Data Protection Board (EDPB) is the joint coordination body of the EU data protection authorities. The EDPB provides guidance on the application of the EU Data Protection Regulation (GDPR). With the GDPR having come into force, the EDPB thus replaces the Art. 29 Data Protection Working Party (Art. 29 Group) which was established under the EU Data Protection Directive and other previously applicable data protection laws. More information about the EDPB can be found on its website.
Confirmation/endorsement of previous working papers and positions of Art. 29 Group
The Art. 29 Group had already published a whole series of working papers with application aids and interpretation notes on the new data protection regime before the GDPR actually became applicable. Some of the statements and conclusions of the Art. 29 Group were criticized as being not very practical and hardly feasible for business operations. At its first constituent meeting on 25 May 2018, the EDPB has now confirmed many of the previous positions of Art. 29 Group. The corresponding overview of the position papers adopted from the EDPB can be found here.
Class actions are commonplace in the United States but relatively rare in Europe.
The European Union wants to change that, by facilitating class actions for mass privacy and data breaches.
With the development of big data, the scope and impact of potential data breaches or losses have indeed significantly increased. In the EU, the GDPR comes into effect. Due to its extraterritorial applicability, it will affect business globally. Every day, somewhere in the world, the media report that data for large numbers of individuals, often millions of people, have been breached. It seems then only natural that public authorities would consider class actions as a potential remedy for these breaches, if not a way to prevent them.
At first glance, nothing is more rational: data breaches cause for each individual only a very limited damage, if any. This damage is very often unlikely to be sufficient to motivate the individual to seek compensation for it (or even seek who is actually liable for the breach). Yet, there may be an interest for the entire group affected by the breach to seek compensation for the aggregate damage, hence the idea of allowing class actions.
But, what if it were not that simple? In this guide, we take a step back and further analyse this topic by endeavouring to:
- put the U.S. experience over the last years into perspective ;
- look into the choice of the European Union to timidly open the doors to data class actions ;
- share four key lessons to bear in mind when facing data class actions in Europe; and
- provide a focus on certain Member States.
Click here to access the guide.
The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
The bill on personal data protection aims to adapt the “French Data Protection” Act to the new legal framework called “European data protection package” made of the GDPR and the directive on the processing of personal data implemented in police and judicial matters.
In various fields (notably in the field of medical research), the GDPR has provided a “margin of manoeuvre” for Member States, which have to specify certain provisions, arrange derogations or, on the contrary, strengthen safeguards already provided for by European law.
The bill was adopted by the French National Assembly in final reading on 14 May 2018 and plans an entry into force of the new provisions for 25 May 2018.
On 16 May 2018, some French Senators applied to the French Constitutional Council under Article 61(2) of the French Constitution. They argue that the referred law would, notably, disregard the objective of accessibility and intelligibility of the law and that it would infringe the principle of equality. The French Constitutional Council shall give a decision within a month from the date of referral, unless the French Government asks for the procedure to be accelerated.