
Global Media and Communications Watch

The International Legal Blog for the Tech, Media and Telecoms Industry

Posted in Internet, Policy & Regulation, Telecoms & Broadband | By Winston Maxwell, Mark Brennan, Arpan Sura

Study shows complexity and uncertainty of IoT regulation in Europe

A Hogan Lovells study comparing regulatory requirements in the European Union, United States, and China shows the complexity and uncertainty of the regulatory framework relevant to the Internet of Things (IoT) in Europe. The number of telecoms regulatory constraints affecting IoT in the EU is almost twice as high as in the United States and China. Federal Communications Commission (FCC) Chairman Ajit Pai compares the global race to 5G with World Cup football: “When it comes to 5G, we need to keep the playbook fresh and forward leaning.”[1]

Outdated regulations can slow IoT deployment. Our study shows that many regulations affecting today’s IoT were originally designed for human voice conversations. They simply don’t fit machine-to-machine communications. Whether it’s privacy regulations, numbering restrictions, emergency calling rules, roaming, or net neutrality, many existing telecom rules are designed to protect interpersonal communications between humans, not communications between industrial machines, such as parking meters, pipelines, and transformers.

We surveyed telecom regulations in China, the United States, and the European Union and found that the European Union has 31 separate categories of regulatory requirements applicable to IoT, whereas China and the United States have fewer than 20. While 5G spectrum is one important factor in the race to 5G and IoT, spectrum is not the only ingredient for 5G success. The ability to use numbering resources across borders, to manage bandwidth flexibly, and to use metadata, are key facilitators for successful machine-to-machine communications.

Technology neutrality is also important to stimulate a coherent, but proportionate, regulatory approach for new IoT use cases. Different technologies for IoT connectivity, including Low Power Wide Area Networks, are evolving rapidly, and provide advantages and drawbacks depending on the different IoT use cases.[2] Regulators should encourage a healthy environment for technological innovation by avoiding asymmetrical regulation that penalizes one technology over another.

The U.S. regulatory regime includes the forbearance principle, which allows the FCC to refrain from applying regulation to certain areas where the regulation is no longer necessary. Europe has the concept of proportionality, which requires that regulation be limited to what is strictly necessary to achieve the relevant policy goal. The internal market principle requires that barriers to cross-border IoT services in the European Union be eliminated.

The EU’s new Electronic Communications Code has taken Europe part of the way forward. But more simplification is needed for machine-to-machine and IoT communications.

[1] Ajit Pai, “Scoring a Victory for 5G”, FCC Blog, June 20, 2018.

[2] “Conflicting goals like energy efficiency, high throughput, ultra-low latency and wide area coverage can be achieved by leveraging the benefits of each technology.” U. Raza, P. Kulkarni and M. Sooriyabandara, “Low Power Wide Area Networks: An Overview”, IEEE Communications Surveys & Tutorials, Volume 19, Issue 2, 2017, p. 15.

Posted in Cybersecurity, Data Protection & Privacy, International/EU privacy, Policy & Regulation, privacy and security litigation | By Joke Bodewits

Dutch Data Protection Authority States Cookie Walls Violate GDPR

On 7 March 2019, the Dutch Data Protection Authority published guidance (in Dutch) that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies.

Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website. In the view of the Dutch DPA, websites should offer users a real choice to accept or reject cookies. Users who decide not to consent to the placing of tracking cookies should still be granted access to the website (e.g., in exchange for payment).

The guidance was issued following many complaints the Dutch DPA received about this practice. The Dutch DPA has sent a letter to several companies about their cookie walls. The Dutch DPA announced that it will carry out further verifications and intensify its enforcement to ensure that the GDPR is correctly applied in this area.

The Dutch DPA has received criticism for taking too strict an approach. However, the view seems to align with the current draft ePrivacy Regulation update, which states that “making access to the website content provided without direct monetary payment conditional to the consent of the end-user […] would normally not be considered disproportionate” (recital 20).

Posted in Cybersecurity, Data Protection & Privacy, Policy & Regulation, privacy and security litigation, Technology

A global approach to IoT cybersecurity?

The European Telecommunications Standards Institute (ETSI) has published a new standard for cybersecurity in relation to consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October last year. The Code of Practice was developed by the UK Government following publication of a draft code as part of the Secure by Design report published by the Government in March 2018 and after consultation with industry, consumer associations, and academics. The UK Code is voluntary but the UK Government was keen to work with ETSI to develop it into a global standard.

With the growing number of interconnected consumer products making their way into consumers’ homes, issues relating to cybersecurity have increasingly come under scrutiny. The standard aims to set out ‘best practice’ to ensure that products are secure by design and to make it easier for people to stay secure in a digital world. The standard applies to consumer IoT products; other IoT products intended for industrial applications or healthcare are outside its scope.

The standard contains thirteen outcome-focused, rather than prescriptive, guidelines to allow companies scope for innovation in developing security solutions for their products. The standard does not seek to provide solutions to all cybersecurity issues, instead focusing on addressing the most significant and widespread issues. ETSI has also noted that adherence to the standard can help in ensuring companies are compliant with the General Data Protection Regulation (GDPR), as well as assisting with future cybersecurity certification frameworks as anticipated in the EU Cybersecurity Act and the proposed US IoT Cybersecurity Improvement Act.

Key provisions of the standard include:

  • No default passwords – all devices should have a unique password and should not be resettable to a default password
  • Vulnerability reporting – all companies providing connected devices and services should make available a public point of contact as part of a vulnerability disclosure policy to allow for security issues to be reported. Any reported vulnerabilities should be acted on “in a timely manner”
  • Keep software updated – devices must be securely updateable and updates should be timely and not impact the functioning of the device

Our Products Law Team has been keeping a close eye on developments in this area. Please be in touch with anyone from our team for further details.

Posted in Policy & Regulation, Technology | By Tony Lin, Sarah K. Leggin

A Big Year for Smallsats: Conference Highlights Optimism and Diversity in the Growing Industry


Last month, the smallsat community gathered in Silicon Valley for the 2019 Smallsat Symposium. The conference featured leading innovators, experts, and entrepreneurs in the industry who discussed their achievements and the expanding opportunities for funding, launch, and partnerships. Mike Safyan, VP Launch for Planet Labs, gave an inspiring keynote address describing Planet’s victories and challenges in its first 10 years, and highlighting new innovations from Planet, including Planet Explorer, Planet Analytics, and Queryable Earth. Safyan’s optimism about the future of the smallsat industry was echoed by other panelists throughout the conference.

Posted in Copyright, Digital Single Market (EU), Policy & Regulation | By Alastair Shaw, Penny Thornton, Winston Maxwell, Morten Petersenn, Alberto Bellan, Alya Bloum, Anne Schmitt, Benedikt Lüthge

DSM Watch: EU Copyright Directive, the big picture

Agreement on a compromise text for the new Copyright Directive was reached between Member State government representatives, EU Parliament representatives and the EU Commission last week (see our “Breakthrough” post). On 20 February 2019, EU Governments formally voted, by a majority, to approve that compromise text: Italy, Poland, Luxembourg, the Netherlands and Finland opposed it; Belgium and Slovenia abstained. However, it is not yet law, despite some headlines which one may see in the popular press. But now that the draft text has stabilised, at least for the time being, DSM Watch takes a step back from the detail and looks at the whole picture. We’ll also be posting deeper dives on the key provisions.

What’s in the draft?

Regular readers of DSM Watch (and other reliable publications) would be forgiven for thinking that there was little else of interest or importance in the draft EU Copyright Directive beyond the proposed (and controversial) press publishers’ right (Article 11) and the content sharing service provider liability regime (Article 13). But that is far from the case; it also contains important new mandatory exceptions benefitting the scientific research sector, help for museums and the like, as well as new rights and protections for authors and performers. Here’s a complete run-down.

Exceptions to permit text and data mining (TDM) for scientific research

  • Non-controversial, mandatory Article 3 will allow universities, other research organisations and cultural heritage institutions to more easily extract and reproduce copyright-protected works for scientific research (both natural and human sciences).
  • Slightly more controversial Article 3a also requires a mandatory exception for TDM for other purposes, but may have limited impact because rightholders can opt out in relation to particular works.
  • Each TDM exception is aimed at fostering AI research throughout the EU and cannot be excluded by contract.

Exceptions to permit use of digital works in teaching, including across EU borders

  • Non-controversial Article 4 creates an exception and a framework for the use of copyright-protected material in digital classrooms and for cross-border distant teaching, by deeming that the relevant permitted acts occur solely in the Member State where the relevant educational establishment is located. The exception cannot be excluded by contract, but may be restricted by Member States if suitable licences are already easily available.
  • Similar exceptions already exist in UK law, for example, but of course this is limited by national boundaries.

Preservation of cultural heritage

  • Non-controversial Article 5 gives cultural heritage institutions an exception to make copies of works in their owned or permanently-held collections in order to preserve them.

Licensing mechanisms for use of out-of-commerce works

  • Non-controversial Article 7 sets up mandatory licensing mechanisms to permit non-commercial use of out-of-commerce works in the possession of cultural institutions via collective rights management schemes.
  • Under Article 8, licences can be granted under such schemes so as to cover uses in any EU country, but they are not mandatory. Such licences will work by virtue of a provision that (using a ‘legal fiction’) deems any such use to occur only in the Member State where the relevant institution is established. This is similar to the current legal mechanism facilitating cross-border TV broadcasting, which is soon to be extended to ancillary online activity.

Optional extended collective licensing

  • Article 9a allows, but does not require, collective right management organisations without a direct mandate from every relevant rightholder to extend their schemes to the rights of rightholders who initially did not mandate the organisation concerned.
  • Such schemes will only take effect within the borders of each Member State choosing to enact the provision, and will not be available at all unless obtaining authorisations from rightholders on an individual basis is onerous and impractical.

New mediators to help inbound licensing for VOD platforms

  • Moderately controversial Article 10 requires Member States to set up or designate independent bodies to support parties negotiating licenses for audiovisual works on VOD platforms.

No new copyright for reproduction of an out-of-copyright work of visual art

  • There has been limited legislative consideration of this mandatory Article 10b, because it has been extracted at the last minute from an earlier proposal by the European Parliament on Article 5.
  • On its face, it seems aimed at ensuring that copyright protection is not perpetuated by virtue of a reproduction (for example by a photograph or replica) when copyright protection for the underlying visual art work has expired. ‘Work of visual art’ is not defined in the draft.

New neighbouring right for press publishers

  • This is the controversial and mandatory Article 11 provision, which as it now stands will give press publishers new rights for a potential period of just under three years post-publication. It has been clarified so as not to cover use of individual words or ‘very short extracts’ of a press publication, but what a very short extract is remains undefined. DSM Watch will be covering Article 11 (and related Article 12) in more detail soon.

New content sharing service provider liability regime

  • This is the well-known, highly controversial and mandatory Article 13. Covering a mammoth 5 pages of legislative text, its recent legislative history is explained in a number of our earlier DSM Watch blogs – latest here.
  • DSM Watch will be covering Article 13 as it stands today in more detail very soon. Those lobbying against it are hoping to de-rail it at the (final) European Parliament stage. Those in favour of it say that it now strikes a fair balance between rightholders, content service providers and users.

Fair treatment for authors and performers

  • Articles 14 through 16a give the following mandatory rights and protections to authors and performers who license or transfer their exclusive rights of exploitation (but software is excluded):
    • Appropriate and proportionate remuneration for the exploitation of their work, not limited to online (Art. -14)
    • A right to receive regular information about the exploitation of their works from licensors or transferees: the “transparency obligation” (Art. 14). An optional mechanism for relieving the potentially high administrative burden on smaller businesses has recently been introduced into the text.
    • A remedy for authors and performers at a disadvantage by way of a “contract adjustment mechanism” (Art. 15). This allows them to renegotiate their remuneration if the original contract terms provide disproportionately low remuneration compared to the revenues generated by their work(s).
    • These fair remuneration, transparency and contract adjustment rights are backed up by a mandatory provision for alternative dispute resolution schemes, and also by a no contracting out provision.
    • Finally, and arguably controversially (at least in some Member States), a ‘use it or lose it’ provision whereby rights in a work can be reclaimed in whole or in part by the author or performer where there is a lack of exploitation by the licensee or transferee of the rights in question (Art. 16a). This “right of revocation” seems to have been overshadowed by the more highly charged debate around Articles 11 and 13, but it may have a significant impact on some sectors whose business models are based on a buy-out of authors’ or performers’ rights, at least in those jurisdictions, such as the UK, where an assignment of rights is currently non-revocable.
    • This ‘sleeper’ issue in the tail end of the draft Directive may receive more widespread attention from stakeholders in the coming months, and DSM Watch will be examining it in more detail soon.

What’s next?

The EU Parliament’s Legal Affairs (JURI) committee will look at the draft Directive on 26 February 2019, after which it will go to a full vote by MEPs, most likely in late March or early/mid April 2019. If the whole or part of the draft is passed by the European Parliament this spring, Member States will have two years to implement its provisions into national law, by mid-2021.

 

Wesley Horion has also contributed to this article.

Posted in Consumer Privacy, Cybersecurity, Data Protection & Privacy, Employment privacy, Financial privacy, Health privacy/HIPAA, International/EU privacy, Policy & Regulation, privacy and security litigation | By Dr. Christian Tinnefeld, Dr. Henrik Hanßen

GDPR Enforcement Update: Increasing Fines Expected from German DPAs | HL Chronicle of Data Protection

Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.

The magnitude of new legal and business process requirements under the GDPR caused a tremendous change in the legal data privacy landscape for many companies doing business in Europe. Many of these companies sprinted (or at least made significant progress on the uphill struggle) to finalize their GDPR compliance programs by 25 May 2018, the day the GDPR took effect, with a careful eye toward how the DPAs would interpret and enforce some of the less clear requirements of the GDPR. We now have more information about DPA activities in Germany, and the trend is toward increasing enforcement.

Some facts and figures about DPA activities in Germany

In Germany, a recently published report (in German) provides some useful insights and figures on the enforcement activities by the German DPAs to penalize GDPR infringements, which echo our experiences with various DPAs in the German Federal States.

The report indicates that by the end of 2018, the German DPAs already had concluded a considerable number of pending cases. In these cases, they applied a variety of different sanctions—such as conducting investigations and on-site audits, or issuing warnings or reprimands—and issued more than 40 fines altogether.

The available figures show that the German state DPAs in Hamburg, Bavaria, Berlin, North Rhine-Westphalia, Hesse, and Baden-Württemberg have been considerably active. By contrast, the authorities in the other German states seem to be less active, or at least acting less visibly. According to statistics provided by the Baden-Württemberg DPA, the number of data subject complaints increased 30 percent from 2017 to 2018. The number of DPA consultations by organisations in 2018 also more than doubled, and the number of reported data breaches increased more than tenfold.

Which types of infringements have been subject to sanctions?

The scope of data processing activities covered by German DPA investigations affected a broad range of commercial operations that are relevant for key industries in the German market. The following types of behaviours/incidents gave rise to the imposed fines:

  • Lack of a data processing agreement with an intermediary for postal services that was processing customer data.
  • Unsolicited marketing emails.
  • Unauthorized video surveillance of customers and employees.
  • Publication of health data on the Internet due to inadequate security control measures.
  • Disclosure of health data to the wrong patient by a hospital.
  • Recording of all outgoing and incoming phone calls in a fire department.
  • Disclosure of bank account statements to unauthorized persons during online banking.
  • Unauthorized access to customer data during a hacking attack on a web shop.
  • Unauthorized use of dashcams.
  • Open email distribution lists.
  • Unauthorized disclosure of personal data due to unencrypted storage of user passwords.
  • Inadequate technical and organizational measures taken by a hotel which could not rule out the possibility that credit card or other customer data from its booking system might have been disclosed in a ransomware attack.

What is the commercial impact?

While cases in which dissuasive fines have been imposed on leading technology companies in some EU countries seem to dominate the public interest, the value of fines imposed in Germany has not yet achieved a record high. For instance, the maximum fine issued by the Baden-Württemberg DPA amounts to €80,000. However, the DPAs in Germany have brought a considerable number of enforcement cases for seemingly minor offences (e.g., open email distribution lists) that create a number of new rules that have a considerable negative impact on companies that must subsequently (and frequently) revise their data processing operations to comply with the new precedent.

What is to be expected in the near future?

The first statistics on the imposed fines show that there have indeed been a number of GDPR enforcement actions brought by the German DPAs to date, and based on these enforcement patterns we expect that further increasing fines will be imposed in the relatively near future. For instance, according to press reports, the Bavarian DPA is currently dealing with 85 pending fine proceedings, and these pending proceedings will continue to yield an increasing number of fines and other sanctions.

Overall, the report indicated that German DPAs found that companies have significantly increased their data protection awareness and understanding of their responsibilities with respect to the processing of personal data. However, several of the German DPAs are conducting audits at companies and public bodies, and we expect these audits to reveal additional deficiencies in GDPR compliance programs. For example, the DPA of Lower Saxony is currently conducting audits of 50 companies seated in Lower Saxony to detect shortcomings in their data protection compliance. Similar audits are being conducted by other German DPAs, such as the Bavarian DPA, which is specifically investigating data protection law violations by service providers (sub-processors) and cybersecurity issues and compliance with tracking tool requirements (online shops, social media platforms, streaming platforms, email service providers).

With a view to the future, it is likely that the German case-law on data protection infringements will significantly increase. It is also possible that the German DPAs will develop “catalogues” of fines for certain clear-cut and similar cases of data protection infringements. In addition to the enforcement activities in Germany, we have seen DPAs at a European level coordinate with each other to attempt to undertake a uniform and effective enforcement of the GDPR.

Given all this, while there may have been a temporary respite after the 2018 sprint to GDPR compliance, companies subject to GDPR enforcement in Germany should expect a continued increase of enforcement into 2019, and should continue to assess and remediate any gaps in their GDPR compliance programs.

Posted in Copyright, Cybersecurity, Digital Single Market (EU) | By Burkhart Goebel

Global IP Outlook 2019 – Two steps forward and a look back

2018 posed new opportunities and challenges for IP-rich businesses, with major new legislation introduced in Europe to govern trademark and trade secret protection, significant and transformational case law in the U.S., and the confirmation of new planned IP-specific legislation for several jurisdictions in Asia.

We’re here to help you keep abreast of these changes and understand how they impact you. Our third annual Global IP Outlook reflects on some of the major developments in intellectual property law and emerging and growing industries. Regardless of your industry or specialism the Outlook will provide you with valuable insight into the changes and their impact on your products, services and business.

Topics covered include:

  • Patents
  • Post Grant Proceedings
  • Trade Secrets
  • Trademarks
  • Copyright
  • Domain Names
  • International Trade Commission (ITC)
  • Transactions

We also examine emerging trends in technology, law and politics, and what they mean for your business, including:

  • 3D Printing
  • Artificial Intelligence
  • Blockchain and Smart Contracts
  • Brexit
  • Cybersecurity
  • Digital Health
  • Digital Single Market
  • e-Sports
  • Standard Essential Patents
  • Unified Patent Court (UPC)
  • Wearable Technology

Download the Outlook here.

In 2019 we will be running our Global IP Outlook webinar series – going into more detail on some of the topics covered in the Outlook.

Register your interest in the series and each topic using the form here.

Posted in Data Protection & Privacy, Policy & Regulation | By Winston Maxwell, Christine Gateau

An Approach for Setting Administrative Fines Under the GDPR

Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.

In addition to setting two levels of administrative fines, Article 83 of the GDPR provides criteria that national supervisory authorities must apply when setting administrative fines. On 3 October 2017, the Article 29 Working Party – a body now called the European Data Protection Board (“EDPB”) – issued guidelines (“EDPB Guidelines”) on the setting of administrative fines.

Posted in Copyright | By Penny Thornton, Alastair Shaw

EU Copyright Directive: Breakthrough

Last night the Commission, the European Parliament and the Council finally agreed the text of the long-awaited draft Copyright Directive. This followed a breakthrough compromise on the liability of platforms for making available user-uploaded content (Article 13). See our earlier blog of yesterday.

The next step will be a vote in the EU Parliament on the agreed text and, assuming it is passed, then it will be published in the Official Journal of the EU. Member States will then have 24 months to implement the new Directive. It remains to be seen whether the UK will be subject to that obligation – which depends on when and how the UK exits the EU. 

Once the official agreed text has been published we will report on the detail. In the meantime, you can read the Commission’s Press Release here and the EU Parliament’s Press Release here.