On May 28, 2019, the Cyberspace Administration of China released the draft Measures on the Administration of Data Security (“Data Security Measures”, see our in-house English translation here) for public consultation.
These Data Security Measures will be a great leap forward in China’s current data protection landscape, which mainly consists of scattered provisions contained in various pieces of legislation and standards, such as the Cyber Security Law, the E-Commerce Law, the Consumer Rights Protection Law as well as the Personal Information Security Specification, the most comprehensive yet non-binding national standard with respect to data protection. The Data Security Measures, once officially promulgated, will be the first binding administrative regulation in China to specifically and systematically set out explicit protection for personal data and important data collected and processed through the use of cyber technologies, following the effectiveness of the Cyber Security Law in 2017 (see our briefings here).
On Monday, April 29th 2019, policy makers and industry representatives from different IoT ‘verticals’ (agriculture, automotive, health, energy, aerospace) gathered in Brussels at the initiative of Vodafone to launch a conversation about the future policies applicable to the Internet of Things (IoT) in Europe.
Global Players Require Global Regulation
The debate emphasized how global any approach to IoT regulation should be. All participants agreed that Europe should and must be competitive on the IoT market globally. One aspect of such competitiveness may reside in the interoperability of IoT within Europe, which is in the interest of all governments.
London, Paris, 4 June 2019 – Hogan Lovells recently represented Twitter in the first case brought under the new French ‘fake news’ law.
On 17 May a claim brought by Ms. Marie-Pierre Vieu (a European Deputy running for reelection) and Mr. Pierre Ouzoulias (a French Senator), against Hogan Lovells client Twitter France SAS, was dismissed by the Paris Civil Court.
The claim aimed to get the removal of a tweet posted by Mr. Christophe Castaner on 1 May 2019 in relation to some ‘yellow vest’ events at the Parisian hospital Pitié-Salpêtrière. This was the first such request brought under the new French “fake news” law.
The judge ruled that Twitter France SAS was not the proper entity to sue as Twitter International Company is the entity which provides Twitter services to French users. He also noted that while Mr. Christophe Castaner’s tweet may have appeared exaggerated, it related to real facts.
The plaintiffs did not prove that the tweet would have been disseminated artificially or in an automated manner, and there was no obvious risk that the vote would be altered. So, the requirements to remove the tweet were not met.
The Hogan Lovells team representing Twitter comprised Christelle Coslin, Partner; Pauline Faron, Senior Associate; and Marie Voutsas, Associate.
.CLUB Domains, the Registry operating the .CLUB new generic Top Level Domain (gTLD), has recently launched a new service that enables qualified trade mark holders to block .CLUB domain name registrations containing their trade marks.
According to the .CLUB Domains’ press release, the Trademark Sentry Unlimited Name Blocking Service (UNBS) “protects a trademark from appearing in any portion of a domain with the popular .CLUB extension – literally covering trillions of permutations of a qualified trademark. Blocked at the registry level, protected names show up as “unavailable” through any registrar’s domain search.”
This service is therefore different from other existing brand protection services, such as Donuts’ Domain Protected Marks List (DPML), which enables trade mark holders to block their trade marks across Donuts’ entire portfolio of 242 new gTLDs for a period of 5 years.
During this year’s 2019 INTA Annual Meeting, our Greater China IP team discussed the following key issues around China’s evolving IP landscape.
What’s in store for brand owners in China?
Partner, Helen Xia discussed recent updates on strategies to curb trademark hijacking and factors leading up to this phenomenon. In recent years, China has had a high volume of trademark filings due to the first-to-file principle, the lack of an intent-to-use requirement, and the low costs of filing marks. Internal and external pressures, including trade negotiations with the U.S., have given rise to these “bad faith filings”. The recent amendment of the Trademark Law (TML) serves to stifle this practice through rejecting applications filed in bad faith and without intent to use. In principle, evidence is now requested for such filings.
While the law has not yet come into force, the lure of finding bad faith filings has already impacted China; the China IP Administration and related authorities have taken initiatives to reject trademark filings with obvious bad faith. Legislation changes aside, Helen Xia provided attendees with tips on how to bring your specific case to the forefront of the examiner and flagged trends to watch for.
Co-existence or no existence
Counsel, Yu-An Chang weighed in on the benefits and limitations of co-existence agreements. A coexistence agreement is one made by two or more parties so that similar marks can coexist without any likelihood of confusion. This enables parties to set rules to govern how marks can peacefully exist. Yu-An explained how to take advantage of these agreements, the evolving attitude of the courts to co-existence agreements, and ways to improve the prospect of registration. He discussed the similarity of trademarks, and how to point out differences to lessen the risk of confusion in the market.
Use it or lose it
Finally, Partner, Zhen (Katie) Feng wrapped up the engaging seminar on when the use of a trademark matters, and how to avoid or defend against trademark infringement. She dove into factors that impact the decision-making by the courts or China’s IP Administration bodies.
For more information on trademark enforcement in China, please access our publication: Integrated IP Enforcement – A practical toolkit for Asia
During the Annual INTA 2019 Meeting, a panel was held on the EU General Data Privacy Regulation (GDPR) and the temporary removal of data for the WHOIS directory. IPMT Partner David Taylor spoke on the following GDPR issues and their impact on global brand protection.
When the GDPR came into force back in 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) implemented a temporary policy which resulted in a majority of global registrant data being hidden from public view in the WHOIS directory. This temporary policy cannot extend beyond one year, and is intended to be replaced by a policy agreed through an Expedited Policy Development Process (EPDP).
Panelists reviewed relevant recent developments having an impact on IP owners’ access to WHOIS data. They also discussed enforcement impact and solutions, future challenges, and strategy. Specific areas of focus included:
- the outcome of the EPDP,
- the impact the lack of WHOIS data has on the prevalence and persistence of IP-related domain name abuse,
- and the challenges of a lack of public access to domain registrant data in enforcement strategies and practices.
David provided some initial background to the developments over the last year since GDPR became effective and how ICANN has applied GDPR to domain name registrant data. He highlighted the practical differences brand owners see today as well as the difficulties encountered in obtaining disclosure of the now-redacted registrant details, providing a breakdown of the low disclosure rates despite the legitimate interests of brand owners.
Those who attended INTA can access the recorded presentations here.
Nevada has a new privacy law. On May 29, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220) into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. The act, which amends an existing online privacy notice law, is significantly narrower than the California Consumer Privacy Act (CCPA). It applies only to online activities, defines “consumer” and “sale” in a much more limited manner than the CCPA, and includes broad exceptions for financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act, and vehicle manufacturers and vehicle service and repair entities that collect covered information from vehicles through connected or subscription services.
Although dozens of privacy bills have been introduced in state legislatures since California enacted the CCPA last year, many of those bills have failed to gain significant traction or have fallen short of passage (e.g., Washington’s SB 5376). SB-220’s passage serves as a reminder that some states are continuing to push forward with privacy legislation.
The act does not provide for a specific effective date. Therefore, under Nevada law, it will automatically become effective on October 1, 2019. This means the law will take effect before the CCPA, which comes into force on January 1, 2020. This earlier effective date may have a significant practical effect on certain US companies working to implement new CCPA requirements, particularly those that sell personal information to third parties for subsequent sale or licensing to additional third parties. Companies affected by SB-220 that are also considering the implementation of CCPA-compliance strategies to all of their US operations may no longer have until the end of the calendar year to finalize those programs. Either compliance in Nevada may need to be prioritized or the deadline for implementation of a US compliance program has now been moved up by three months.
Please join us for our June events.
Paul Otto and Tim Tobin are presenting at the Hogan Lovells Munich office’s privacy breakfast, “EU General Data Protection Regulation,” on privacy topics such as the California Consumer Privacy Act (CCPA), cybersecurity and data breaches, and sector-specific issues found in the life sciences and health care, automotive, and financial sectors. Click here to register.
Location: Munich, Germany
National Association of College and University Attorneys
Bret Cohen and Stephanie Gold are presenting at the annual conference of the National Association of College and University Attorneys on the panel, “Focus on GDPR and Other Privacy Laws: How to Develop and Implement a Practical Approach to Compliance.” Bret is also presenting on the panel, “Navigating GDPR Compliance for Research.”
Location: Denver, Colorado
Cyberthreats in the Internet of Things
Nathan Salminen, Allison Holt, and Paul Otto will discuss unique litigation and technical risks related to the Internet of Things (IoT). The discussion will include some of the technical aspects of hacking threats to connected devices, legal implications of such threats, and risk management strategies. Registration will be available shortly.
Blockchain Week was in full force, with the Consensus 2019 event held in New York City May 13-15. Our IPMT group was represented by Ted Mlynar, Head of the U.S. Blockchain and DLT Practice, and was joined by UK partners John Salmon and Richard Diffenthal. Coined the most influential blockchain event of the year, Consensus brought together a wide array of developers, regulators, investors, and more to discuss the future of blockchain and cryptocurrency. Hot topics included crypto regulation, investment opportunities, technology advances, ongoing legal issues, and predictions for the future. Over 8,000 attendees gathered to network, debate, collaborate, and exchange ideas.
Following the one-year anniversary of the coming into effect of the GDPR, Hogan Lovells’ Privacy and Cybersecurity practice has prepared a compilation of key GDPR-related developments of the past 12 months. The compilation covers regulatory guidance, enforcement actions, court proceedings, and various reports and materials.
- Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (25.11.2018) – The EDPB confirmed the existing approach to the ‘establishment criterion’ for the application of the GDPR and introduced a ‘targeting criterion’, where the processing is related to the offering of goods or services to individuals in the EU or the monitoring of their behaviour. The EDPB took a pragmatic approach by applying the GDPR where the conduct of the controller or processor demonstrates an intention to offer goods and services to individuals in the EU or where a controller has a purpose in mind for the collection and reuse of the relevant data about an individual’s behaviour within the EU. More details in this blog post.
- Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation (23.1.2019) – The EDPB took the view that consent provided in accordance with GDPR standards may not be relied on as a basis for the collection and processing of patients’ personal data in many clinical trial scenarios, on the basis of a clear imbalance of powers between the patient and the investigator which implies that consent is not “freely given”. More details in this blog post and this blog post.
- Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (12.2.2019) – The EDPB adopted a very narrow interpretation of contractual necessity, which is to be assessed objectively, going so far as to say that if there are realistic and less intrusive alternatives to the type of processing envisaged, it is not “necessary”. More details in this blog post.
- The Dutch DPA issued guidance (7.3.2019) stating that cookie walls are not compliant with the GDPR as the consent required to access content protected by a cookie wall. The reason for this is that withholding consent has negative consequences for the user in that they cannot access the website. More details in this blog post.
- Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, particularly regarding the competence, tasks, and powers of data protection authorities (12.3.2019) – The EDPB confirmed that where the ePD provides for a more specific rule than the GDPR, the specific rule will prevail. For example, where cookies are used to collect information which constitutes personal data, while Article 6 GDPR provides several different lawful grounds for processing, Article 5(3) ePD requires consent to be obtained from individuals before cookies are placed on their devices. In this situation, the ePD rule applies and data controllers cannot avail themselves of a legal basis for processing other than consent. The same rule applies to the enforcement of each piece of legislation. More details in this blog post.
- The ICO’s main guidance on GDPR is found in its Guide to the GDPR.