Hogan Lovells has published Demystifying the U.S. CLOUD Act, a detailed analysis of the impact of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) on non-U.S. businesses and individuals who use cloud storage solutions.
Demystifying the U.S. CLOUD Act was written by Hogan Lovells partners Winston Maxwell and Mark Brennan, and senior associate Arpan Sura.
The report specifically focuses on language in the CLOUD Act that allows U.S. law enforcement agencies, under certain circumstances, to lawfully demand data stored in foreign countries from entities subject to U.S. jurisdiction. The report addresses concerns that this language in the CLOUD Act gives the U.S. government new powers to surveil and monitor the data of non-U.S. citizens or businesses using a cloud services provider with operations in the United States. The report concludes that such fears are overstated.
Other highlights of the report include:
- An explanation of how the CLOUD Act seeks to restore the legal consensus that U.S. law enforcement agencies can reach data stored extraterritorially from a U.S. entity that had “possession, custody, or control” over the data.
- A discussion of the meaningful limitations on U.S. law enforcement that the CLOUD Act leaves in place.
- A comparative analysis of the European Union’s approach to cross-border data requests from law enforcement, which is largely consistent with the CLOUD Act.
- An examination of whether the CLOUD Act violates international law or the GDPR.
To download the full report, click here.
Increasing numbers of initiatives, devices, and solutions related to the Internet of Things (IoT) are substantially impacting the development of cybersecurity and data privacy regulations throughout Asia. After the implementation of the General Data Protection Regulation (GDPR) in Europe, for example, Asian lawmakers are considering strengthening their own data protection laws. The region is also characterized by a push in a number of jurisdictions towards data localization requirements driven more by “cyber sovereignty,” national security considerations, and protectionist impulses than data protection considerations. Restrictions on the collection and free use of data may pose a challenge for IoT models, particularly if data is required to be kept onshore.
At the same time, it is clear that many Asian jurisdictions see IoT as a key driver for economic growth. A number of jurisdictions have “smart city” initiatives and interests in areas such as automotive telematics. Japan, South Korea, and China, in particular, have strong automotive sectors and are focused on maintaining technological leadership. Unmanned aerial vehicles (UAV) are also an area of focus, both in terms of the supply of vehicles and components and in terms of their deployment as part of these “smart” initiatives.
In this hoganlovells.com interview, Mark Parsons, a Hogan Lovells partner based in Hong Kong, summarizes the current status of IoT-related policies in the Asia-Pacific region and discusses changes anticipated in 2019. Continue Reading
When is an amnesty not an amnesty? When the carrot is the (possible) absence of stick.
HMRC announced today the introduction of their new Profits Diversion Compliance Facility (PDCF). This is a way for multinationals to take the initiative and explain their legal and operational structures before HMRC launch their next wave of full-scale “transfer pricing” investigations into corporates. The PDCF will be particularly relevant to groups with long established transfer pricing models which HMRC now believe need updating, and will allow groups to retain greater control of the process.
We believe HMRC is serious about launching that next wave of investigations. It may well start in early 2020.
Full-scale HMRC investigations are intrusive. HMRC is also confident that when they launch investigations they will recover significant tax. This is based on what they see as recent high-profile successes. There is also a real prospect that a corporate subject to one of those investigations will suffer penalties. So 2019 is a window of opportunity. Continue Reading
The federal government shutdown that began at midnight December 29, 2018 shows no sign of ending soon. The Federal Communications Commission tapped on-hand funds to continue operations uninterrupted but ran out of time – and money – last week.
The FCC earlier issued a statement that the agency had enough funding to remain open through January 2, 2019, but has furloughed most staff as the shutdown continues. On December 18, 2018, the Commission released its Plan for Orderly Shutdown Due to Lapse of Congressional Appropriations (“Shutdown Plan”), which details how the agency will allocate its limited resources during the shutdown. Continue Reading
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection Regulation (“GDPR”) implemented in the European Union, the LGPD imposes strict regulations on the collection, use, processing, and storage of electronic and physical personal data. In conjunction with the passing of the LGPD, the National Data Protection Authority will be created in order to adequately implement the new legislation. Continue Reading
On 18th December we hosted the final instalment in our Internet of Things Webinar series for 2018 (more to come in 2019!). Michele Farquhar, Tim Tobin, Mark Parsons, and Valerie Kenyon provided a round-up of the hot topics from 2018, including key regulatory and legal developments in the U.S., Europe, and Asia, in areas such as connected vehicles, drones, smart phones, medical devices, and many more. They also provided an insightful look into what developments and changes 2019 has in store.
Please click here to listen to the webinar recording.
It’s been almost a year since the new “Internet clause” in China’s Anti-Unfair Competition Law (AUCL) is in force. The enforcement authority hasn’t used it much in 2018. But one decision is noteworthy.
On 1 January 2018, the first amendment to the AUCL since its enactment in 1993 came into effect. One of the major changes it brought was the addition of a new “Internet clause.” Article 12 of the amended AUCL prohibits the use of technological means to obstruct or disrupt the regular operations of online competitors, and lists several examples of unfair competition practices.
Before 2018, allegations of unfair competition practices in the Internet space had been mainly handled under Article 2 of the AUCL, a catch-all provision referring to the high-level principles of fairness and good faith. Most, if not all, Internet cases under Article 2 were dealt with before the courts, not the enforcement authority. Continue Reading
The U.S. Federal Communications Commission auctions wireless broadband spectrum to the highest bidders, and the agency’s latest spectrum auction continues to march toward a conclusion.
Auction 101 is the first of several auctions offering high-frequency “millimeter wave” spectrum that the Federal Communications Commission has committed to hold in 2018 and 2019. At the close of bidding in Round 78 Tuesday, total provisionally winning bids surpassed $689 million, although this total has not changed much over the past several days. While bidding has slowed recently, the FCC has said the auction will run through the end of the week, or as long as bidding continues, and then resume in the new year, if necessary. Continue Reading
Class actions have become an increasingly common means to seek redress in data privacy cases. With data breaches and data privacy claims on the rise, we asked our lawyers in France and the U.S. what you should bear in mind.
How real is the risk of class actions in data privacy?
Michelle Kisloff, U.S.: Class actions have long been a fact of life in the U.S., in areas ranging from securities, product liability, employment and consumer protection, to name a few. For the past several years, they have been on the rise in data privacy. So yes, it’s a real risk.
Christine Gateau, France: Data privacy breaches usually affect lots of people. One person’s claim may be too small to launch an action on its own, generally. This makes class action — the opportunity to bring joint claims — a stronger option. Plus, French lawmakers are in favor of allowing consumers to seek redress for data loss and privacy breaches.
Adam Cooke, U.S.: The risk is real. But in the U.S. plaintiffs have hurdles to overcome in prosecuting a class action. A threshold hurdle is that plaintiffs must show they have the ability, or “standing,” to bring a claim. One component of standing is injury, and plaintiffs must show they have suffered or will suffer losses, which must be real or imminent, not hypothetical. The mere possibility of future harm alone is not enough. Continue Reading
On December 4, 2018, the New York Attorney General (NYAG) announced that Oath Inc., which was known until June 2017 as AOL Inc. (AOL), has agreed to pay a $4.95 million civil penalty to settle allegations that AOL’s ad exchange practices violated the Children’s Online Privacy Protection Act (COPPA). The $4.95 million penalty is the largest ever assessed by any regulator in a COPPA enforcement matter.
The NYAG alleged that AOL used its display ad exchange to help advertisers track and serve targeted display ads to children on hundreds of websites that the company knew were directed to children under the age of 13. Ad exchanges enable websites to sell, and advertisers to buy, advertising space through an auction process that takes place in real time after a user visits a webpage that contains ad space. To facilitate its online auctions, AOL allegedly collected, used, and disclosed to advertisers the personal information from child-directed websites’ users without first obtaining verifiable parental consent as required by COPPA. Continue Reading