On 19 July the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).
The Scope of the Guidelines
The new guidelines apply to all types of operations involving cookies and trackers on any type of device, including smartphones, computers, connected vehicles and any other object connected to a telecommunications network open to the public.
It’s been a busy month in the world of tax for tech companies. France and the UK are introducing digital services taxes, and serious work is underway at the OECD that may result in a shake-up of the international tax system in a manner that affects tech companies and digital businesses in particular, and sooner than people may think.
Given how fast the ground is shifting, there is a real need for companies in this sector of the economy – and possibly for a much wider group of multinationals – to start assessing, planning, and possibly even taking action. The G7 finance ministers have in the last few days agreed on the urgency of addressing the topic, and the OECD aims to deliver an international consensus solution by the end of 2020. The new tax in France meanwhile will have effect retroactively from 1 January this year, and the UK version from 1 April 2020. Both will remain in force until an international solution is implemented.
In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use.
The DPA stated that it received a “significant amount of complaints” after the Dutch bank announced in June that it would start showing advertisements for financial products offered by the Dutch bank to customers based on their spending habits. The complaints prompted the DPA to investigate. Continue Reading
On July 16, 2019, Nathan Salminen, Allison Holt, and Paul Otto from the Hogan Lovells Privacy and Cybersecurity and Litigation teams presented a webinar, “Cyberthreats in the Internet of Things” where they explored some techniques that can be used to exploit potential vulnerabilities in connected devices and how those types of events impact organizations from a regulatory and litigation perspective.
Many of the nearly 20 billion Internet of Things (IoT) devices deployed worldwide perform critical functions or have access to networks that process highly sensitive information. The proliferation of connected devices across industry sectors has led to the emergence of a significant and distinct threat to many types of organizations, from electric utilities deploying IoT devices across its smart grid to financial institutions using IoT devices in conference rooms that may connect to the same network that financial data flows through.
The speakers discussed unique litigation and technical risks related to the IoT ecosystem and some of the technical aspects of hacking threats to connected devices, how those threats may differ from other cyberthreats, and the legal implications of such threats.
They also explored:
- Different types of hacks and how they may be exploited in the IoT space
- Ways that compromised IoT devices can present unique types of security risks
- Unique legal implications of IoT cyberthreats
- Litigation risks and strategies
To view the recording of the webinar and to download the presentation slides, please click here.
“For years, the plaintiffs’ bar has conjured multibillion-dollar class action lawsuits out of largely intangible privacy harms. This wave of litigation is increasingly driven by federal and state statutes that include private rights of action and allow for excessive statutory damages. Given the willingness of some courts to let cases proceed despite a lack of allegations or evidence of concrete harm, this litigation trend shows no sign of abating.”
The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’ Mark W. Brennan, Alicia Paller, Adam Cooke, and Joseph Cavanaugh explaining why private litigation is a poor enforcement tool for privacy laws. As detailed in the paper, when it comes to privacy interests, “harms” are largely inchoate and intangible, and the wrongdoers are often unknown or unidentifiable. Even where class members may have suffered a concrete injury, the data indicates that they are unlikely to receive material compensatory or injunctive relief through private litigation. Meanwhile, plaintiffs’ counsel often walks away with millions of dollars, court dockets are unduly cluttered, and companies are forced to expend resources on baseless litigation.
Whereas a stream of harmful consequences flow from private rights of action for privacy laws, agency enforcement provides the right balance between protection, penalties, deterrence, and progress.
The Central District of California recently sank a copyright infringement lawsuit against the Walt Disney Company’s Pirates of the Caribbean film franchise, finding that numerous elements of the Plaintiffs’ allegedly similar screenplay were either lifted directly from the eponymous ride at Disney’s theme parks or constituted unprotected scènes-à-faire common to all tales about pirates.
Disney’s film Pirates of the Caribbean: The Curse of the Black Pearl was an instant blockbuster when released in the summer of 2003 and spawned a franchise of four more feature films chronicling the adventures of Jack Sparrow, Captain Barbossa, and other swashbucklers. Disney developed the concept for the franchise from its wildly popular “Pirates of the Caribbean” theme park ride, which debuted at Disneyland in 1967. In August 2000, Disney had allegedly received – and turned down – Plaintiffs’ script for a film about the pirate Davey Jones and his quest for treasure on the high seas. Plaintiffs titled their screenplay “Pirates of the Caribbean.”
Plaintiffs sued Disney for multiple counts of copyright infringement in November 2017, claiming that Disney’s films copied their screenplay. On May 13, 2019, the court dismissed these claims with prejudice.
Join us on Thursday 19 September for our Privacy and Cybersecurity KnowledgeShare in London. We’ll share our latest thinking on the key privacy and cybersecurity issues faced by those with data protection responsibilities within organisations. Our all-day event will cover a lot of ground through incisive quick-fire presentations, Q&A panels and hands-on workshops.
Topics will include:
- Nailing the basics – Fast insights into key issues such as lawful grounds for processing, people’s rights and DPIAs.
- Enforcement – What the risk-based approach truly means.
- Privacy challenges of the digital economy – AI, life sciences, biometrics, facial recognition, IoT and product development.
The workshops will focus on key compliance topics such as incident response, international data transfers, privacy litigation, Brexit, CCPA and e-Privacy.
For the full programme, speaker information and registration, please contact Joshua Prietzel.
We look forward to seeing you!
Previously, under the CNNIC ccTLD Dispute Resolution Policy (CNDRP) which governs the .CN (and .中国) domain in China, no complaints under CNDRP could be filed against a .CN domain which had been registered for more than 2 years.
This time bar led to debates as to whether it imposes an unreasonable time limit on the fair and equitable enforcement of intellectual property rights. For further background to this time-bar under CNDRP, please refer to our previous post (July 2017).
Time-Bar extended to 3 years
As discussed in our previous post, we speculated whether this time bar under CNDRP would be extended to 3 years, following the extension of time bars for general civil claims from 2 years to 3 years as announced in the amendments to the General Civil Law Rules of People’s Republic of China in 2017.
Recently, the China Internet Network Information Center (CNNIC) issued an amended CNDRP for consultation. Among other proposed changes, the amended CNDRP proposed to extend this time bar from 2 years to 3 years. The consultation period ended on 9 June 2019. The time bar under CNDRP has now been extended to 3 years – implemented, since 18 June 2019.
We see this as a positive development for brand owners.
Whilst the CNDRP is still unique in having a time bar, the extension of this time bar at least provides some more flexibility in terms of timing for complainants to initiate complaints.
Although the proposed amendments are silent on the retrospective effect of the new rules, the general wording of the amended CNDRP should mean that this new 3-year time bar applies to both .CN domain names registered before or after the amendments came into effect.
This post is selected from our Anchovy News publication: Anchovy® is our comprehensive and centralised online brand protection service for global domain name strategy, including new gTLDs together with portfolio management and global enforcement using a unique and exclusive online platform developed in-house. For more information please contact us at mailto:firstname.lastname@example.org
Please join us for our July 2019 events.
Making Privacy Actionable
Eduardo Ustaran and Nicola Fulford are hosting the IAPP London KnowledgeNet which will discuss, “Making Privacy Actionable: Working with the Chief Data Officer.”
Privacy at the Aspen Institute
Harriet Pearson will lead a seminar on “What is Privacy and How Do We Protect It?,” at the Aspen Institute’s Socrates Program.
Location: Aspen, Colorado
Mark Brennan will provide insights on the FCC’s TCPA-related actions and prospects for robocall legislation in Congress on the panel, “Landmark Debt Collection Policymaking in Washington, D.C.,” at the ACA International Annual Convention & Expo.
Location: Washington, D.C.
Cyberthreats in the Internet of Things
Allison Holt Ryan, Paul Otto, and Nathan Salminen will discuss techniques that can be used to exploit potential vulnerabilities in connected devices and how those types of events impact organizations from a regulatory and litigation perspective during the webinar, “Cyberthreats in the Internet of Things.” To register, click here.
Location: Washington, D.C.
Medical Device Cybersecurity in Europe
Paul Otto will discuss European cybersecurity expectations and requirements for medical devices at the 4th Annual Medical Device Cybersecurity Risk Mitigation Conference.
Location: Arlington, Virginia
Data Protection in the UK
Nicola Fulford will discuss data protection at a round table hosted by the UK Department for International Trade.