The Enforcement Bureau (“Bureau”) proposed a $20,000 penalty against Viaero Wireless (“Viaero”) for allegedly transmitting in the 3650-3700 MHz band without authorization. Continue Reading
Last night the Commission, the European Parliament and the Council finally agreed the text of the long-awaited draft Copyright Directive. This followed a breakthrough compromise on the liability of platforms for making available user-uploaded content (Article 13). See our earlier blog of yesterday.
The next step will be a vote in the EU Parliament on the agreed text and, assuming it is passed, then it will be published in the Official Journal of the EU. Member States will then have 24 months to implement the new Directive. It remains to be seen whether the UK will be subject to that obligation – which depends on when and how the UK exits the EU.
Hogan Lovells partner Winston Maxwell spoke at the executive roundtable on artificial intelligence and online hate speech, organised on January 31, 2019 by CERRE, the Centre on Regulation in Europe. The goal of the roundtable was to discuss what measures should be adopted to fight hate speech online and to look at the pros and cons of using machine-learning in that context. Continue Reading
The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline.
Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking:
- Updating as needed the categories of personal information expressly enumerated in the definition of personal information in order address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
- Updating as needed the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business upon request.
- Establishing any exceptions to the CCPA necessary for businesses to comply with state or federal law, including but not limited to those relating to trade secrets and intellectual property rights.
- Establishing rules and procedures:
- To facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information.
- To govern business compliance with a consumer’s opt-out request.
- For the development and use of “a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.”
- Adjusting the monetary thresholds for businesses to be covered by the CCPA.
- Establishing rules, procedures, and any exceptions necessary to ensure that notices and information that businesses are required to provide under CCPA are provided “in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer,” including establishing rules and guidelines regarding financial incentive offerings.
- Establishing rules and procedures to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information upon request, “with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business” and to govern a business’ determination that a request for information received by a consumer is a verifiable consumer request.
The CCPA also expressly states that the AG “may adopt additional regulations as necessary to further the purposes of [the CCPA].”
The AG will consider pre-rulemaking comments when drafting CCPA rules. The AG’s slide deck about its ongoing CCPA public forums indicates that the first draft of the regulations is expected to be published via a Notice of Proposed Regulatory Action in Fall 2019. After the notice is published, the AG will hold public hearings during the formal comment period. Significant changes made to the regulations in response to public comments may trigger an additional comment period. Otherwise, the regulations will proceed through the finalization process and eventually be adopted by the California Department of Justice. The CCPA requires that the AG adopt CCPA regulations on or before July 1, 2020.
A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm).
The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.
Particular controversy has been caused by the government’s proposal to limit the scope of data on which the credit risk scoring may be based, to only those categories of data which are expressly indicated in the draft act. In its current version, the proposed data catalogue is limited solely to identification data, data concerning marital status and matrimonial regime, information about financial and work situation, as well as credit history.
Importantly, such limitation of the data catalogue excludes the possibility of using behavioral data (e.g. Internet habits, including behavior in social media) in credit scoring, which to date has been widely used.
At the same time, the current wording of the draft act excludes (but not expressly) the possibility of broadening the data catalogue, even with the credit applicant’s consent.
According to unofficial information gathered from the participants of the parliamentary commission’s debate, the government side is reluctant to agree to any revisions of the draft. If this information is confirmed, many banks and loan companies may be required to significantly modify their model of granting credits and loans. These changes may also affect other entities in the fintech industry.
The draft act is currently under first reading (out of three) in Sejm. Before adoption the draft act must be accepted by the upper house of the Parliament (Senat) and subsequently by the President.
Since publishing the original version of our guide to blockchain and data protection in September 2017, there has been considerable further commentary from academics, politicians and practitioners, some of which suggested that there is inherent incompatibility of blockchain systems with EU data protection law.
This updated version of our guide puts forward our views on this question, offering a more optimistic view.
In addition, we also address the key data protection issues that will arise in any blockchain project in the EU, including:
- Does the blockchain process personal data?
- Is a hash personal data or anonymised data?
- What about a public key?
- Who is the data controller and the data processor in a blockchain context?
- What is the applicable law?
The answers to these questions may lead to the conclusion that a given blockchain project’s nexus to personal data is so remote that only minimal data governance mechanisms are required.
By contrast, some projects will involve high-risk data processing, requiring a full-blown data protection impact assessment.
Our guide assumes some knowledge about blockchain principles, but little knowledge of EU data protection law. It includes definitions of key blockchain and data protection terms and principles, outlines recent legal developments on the concept of personal data and also reviews the different blockchain systems.
You can view the guide here (registration required).
This post was initially posted on HL Engage. You can register for free on the site for more news and analysis that is tailored to you, as well as access to Hogan Lovells’ cutting-edge interactive Lawtech tools.
You can also keep track of all the Engage content by following our LinkedIn page.
Hogan Lovells has published Demystifying the U.S. CLOUD Act, a detailed analysis of the impact of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) on non-U.S. businesses and individuals who use cloud storage solutions.
Demystifying the U.S. CLOUD Act was written by Hogan Lovells partners Winston Maxwell and Mark Brennan, and senior associate Arpan Sura.
The report specifically focuses on language in the CLOUD Act that allows U.S. law enforcement agencies, under certain circumstances, to lawfully demand data stored in foreign countries from entities subject to U.S. jurisdiction. The report addresses concerns that this language in the CLOUD Act gives the U.S. government new powers to surveil and monitor the data of non-U.S. citizens or businesses using a cloud services provider with operations in the United States. The report concludes that such fears are overstated.
Other highlights of the report include:
- An explanation of how the CLOUD Act seeks to restore the legal consensus that U.S. law enforcement agencies can reach data stored extraterritorially from a U.S. entity that had “possession, custody, or control” over the data.
- A discussion of the meaningful limitations on U.S. law enforcement that the CLOUD Act leaves in place.
- A comparative analysis of the European Union’s approach to cross-border data requests from law enforcement, which is largely consistent with the CLOUD Act.
- An examination of whether the CLOUD Act violates international law or the GDPR.
To download the full report, click here.
Increasing numbers of initiatives, devices, and solutions related to the Internet of Things (IoT) are substantially impacting the development of cybersecurity and data privacy regulations throughout Asia. After the implementation of the General Data Protection Regulation (GDPR) in Europe, for example, Asian lawmakers are considering strengthening their own data protection laws. The region is also characterized by a push in a number of jurisdictions towards data localization requirements driven more by “cyber sovereignty,” national security considerations, and protectionist impulses than data protection considerations. Restrictions on the collection and free use of data may pose a challenge for IoT models, particularly if data is required to be kept onshore.
At the same time, it is clear that many Asian jurisdictions see IoT as a key driver for economic growth. A number of jurisdictions have “smart city” initiatives and interests in areas such as automotive telematics. Japan, South Korea, and China, in particular, have strong automotive sectors and are focused on maintaining technological leadership. Unmanned aerial vehicles (UAV) are also an area of focus, both in terms of the supply of vehicles and components and in terms of their deployment as part of these “smart” initiatives.
In this hoganlovells.com interview, Mark Parsons, a Hogan Lovells partner based in Hong Kong, summarizes the current status of IoT-related policies in the Asia-Pacific region and discusses changes anticipated in 2019. Continue Reading
HMRC announced today the introduction of their new Profits Diversion Compliance Facility (PDCF). This is a way for multinationals to take the initiative and explain their legal and operational structures before HMRC launch their next wave of full-scale “transfer pricing” investigations into corporates. The PDCF will be particularly relevant to groups with long established transfer pricing models which HMRC now believe need updating, and will allow groups to retain greater control of the process.
We believe HMRC is serious about launching that next wave of investigations. It may well start in early 2020.
Full-scale HMRC investigations are intrusive. HMRC is also confident that when they launch investigations they will recover significant tax. This is based on what they see as recent high-profile successes. There is also a real prospect that a corporate subject to one of those investigations will suffer penalties. So 2019 is a window of opportunity. Continue Reading
The federal government shutdown that began at midnight December 29, 2018 shows no sign of ending soon. The Federal Communications Commission tapped on-hand funds to continue operations uninterrupted but ran out of time – and money – last week.
The FCC earlier issued a statement that the agency had enough funding to remain open through January 2, 2019, but has furloughed most staff as the shutdown continues. On December 18, 2018, the Commission released its Plan for Orderly Shutdown Due to Lapse of Congressional Appropriations (“Shutdown Plan”), which details how the agency will allocate its limited resources during the shutdown. Continue Reading