2018 posed new opportunities and challenges for IP-rich businesses, with major new legislation introduced in Europe to govern trademark and trade secret protection; significant and transformational case law in the U.S., and the confirmation of new planned IP-specific legislation for several jurisdictions in Asia.
We’re here to help you keep abreast of these changes and understand how they impact you. Our third annual Global IP Outlook reflects on some of the major developments in intellectual property law and emerging and growing industries. Regardless of your industry or specialism the Outlook will provide you with valuable insight into the changes and their impact on your products, services and business.
Topics covered include:
- Post Grant Proceedings
- Trade Secrets
- Domain Names
- International Trade Commission (ITC)
We also examine emerging trends in technology, law and politics, and what they mean for your business, including:
- 3D Printing
- Artificial Intelligence
- Blockchain and Smart Contracts
- Digital Health
- Digital Single Market
- Standard Essential Patents
- Unified Patent Court (UPC)
- Wearable Technology
Download the Outlook here.
In 2019 we will be running our Global IP Outlook webinar series – going into more detail on some of the topics covered in the Outlook.
Register your interest in the series and each topic using the form here.
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.In addition to setting two levels of administrative fines, Article 83 of the GDPR provides criteria that national supervisory authorities must apply when setting administrative fines. On 3 October 2017, the Article 29 Working Party – a body now called the European Data Protection Board (“EDPB”) – issued guidelines (“EDPB Guidelines”) on the setting of administrative fines. Continue Reading
The Enforcement Bureau (“Bureau”) proposed a $20,000 penalty against Viaero Wireless (“Viaero”) for allegedly transmitting in the 3650-3700 MHz band without authorization. Continue Reading
Last night the Commission, the European Parliament and the Council finally agreed the text of the long-awaited draft Copyright Directive. This followed a breakthrough compromise on the liability of platforms for making available user-uploaded content (Article 13). See our earlier blog of yesterday.
The next step will be a vote in the EU Parliament on the agreed text and, assuming it is passed, then it will be published in the Official Journal of the EU. Member States will then have 24 months to implement the new Directive. It remains to be seen whether the UK will be subject to that obligation – which depends on when and how the UK exits the EU.
Once the official agreed text has been published we will report on the detail. In the meantime, you can read the Commission’s Press Release here and the EU Parliament’s Press Release here.
Hogan Lovells partner Winston Maxwell spoke at the executive roundtable on artificial intelligence and online hate speech, organised on January 31, 2019 by CERRE, the Centre on Regulation in Europe. The goal of the roundtable was to discuss what measures should be adopted to fight hate speech online and to look at the pros and cons of using machine-learning in that context. Continue Reading
The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline.
Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking:
- Updating as needed the categories of personal information expressly enumerated in the definition of personal information in order address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
- Updating as needed the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business upon request.
- Establishing any exceptions to the CCPA necessary for businesses to comply with state or federal law, including but not limited to those relating to trade secrets and intellectual property rights.
- Establishing rules and procedures:
- To facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information.
- To govern business compliance with a consumer’s opt-out request.
- For the development and use of “a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.”
- Adjusting the monetary thresholds for businesses to be covered by the CCPA.
- Establishing rules, procedures, and any exceptions necessary to ensure that notices and information that businesses are required to provide under CCPA are provided “in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer,” including establishing rules and guidelines regarding financial incentive offerings.
- Establishing rules and procedures to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information upon request, “with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business” and to govern a business’ determination that a request for information received by a consumer is a verifiable consumer request.
The CCPA also expressly states that the AG “may adopt additional regulations as necessary to further the purposes of [the CCPA].”
The AG will consider pre-rulemaking comments when drafting CCPA rules. The AG’s slide deck about its ongoing CCPA public forums indicates that the first draft of the regulations is expected to be published via a Notice of Proposed Regulatory Action in Fall 2019. After the notice is published, the AG will hold public hearings during the formal comment period. Significant changes made to the regulations in response to public comments may trigger an additional comment period. Otherwise, the regulations will proceed through the finalization process and eventually be adopted by the California Department of Justice. The CCPA requires that the AG adopt CCPA regulations on or before July 1, 2020.
Click here for the Attorney General’s CCPA rulemaking website, which includes instructions for submitting written comments and a list of the remaining CCPA public forum events.
A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm).
The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.
Particular controversy has been caused by the government’s proposal to limit the scope of data on which the credit risk scoring may be based, to only those categories of data which are expressly indicated in the draft act. In its current version, the proposed data catalogue is limited solely to identification data, data concerning marital status and matrimonial regime, information about financial and work situation, as well as credit history.
Importantly, such limitation of the data catalogue excludes the possibility of using behavioral data (e.g. Internet habits, including behavior in social media) in credit scoring, which to date has been widely used.
At the same time, the current wording of the draft act excludes (but not expressly) the possibility of broadening the data catalogue, even with the credit applicant’s consent.
According to unofficial information gathered from the participants of the parliamentary commission’s debate, the government side is reluctant to agree to any revisions of the draft. If this information is confirmed, many banks and loan companies may be required to significantly modify their model of granting credits and loans. These changes may also affect other entities in the fintech industry.
The draft act is currently under first reading (out of three) in Sejm. Before adoption the draft act must be accepted by the upper house of the Parliament (Senat) and subsequently by the President.
Since publishing the original version of our guide to blockchain and data protection in September 2017, there has been considerable further commentary from academics, politicians and practitioners, some of which suggested that there is inherent incompatibility of blockchain systems with EU data protection law.
This updated version of our guide puts forward our views on this question, offering a more optimistic view.
In addition, we also address the key data protection issues that will arise in any blockchain project in the EU, including:
- Does the blockchain process personal data?
- Is a hash personal data or anonymised data?
- What about a public key?
- Who is the data controller and the data processor in a blockchain context?
- What is the applicable law?
The answers to these questions may lead to the conclusion that a given blockchain project’s nexus to personal data is so remote that only minimal data governance mechanisms are required.
By contrast, some projects will involve high-risk data processing, requiring a full-blown data protection impact assessment.
Our guide assumes some knowledge about blockchain principles, but little knowledge of EU data protection law. It includes definitions of key blockchain and data protection terms and principles, outlines recent legal developments on the concept of personal data and also reviews the different blockchain systems.
You can view the guide here (registration required).
This post was initially posted on HL Engage. You can register for free on the site for more news and analysis that is tailored to you, as well as access to Hogan Lovells’ cutting-edge interactive Lawtech tools.
You can also keep track of all the Engage content by following our LinkedIn page.
Hogan Lovells has published Demystifying the U.S. CLOUD Act, a detailed analysis of the impact of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) on non-U.S. businesses and individuals who use cloud storage solutions.
Demystifying the U.S. CLOUD Act was written by Hogan Lovells partners Winston Maxwell and Mark Brennan, and senior associate Arpan Sura.
The report specifically focuses on language in the CLOUD Act that allows U.S. law enforcement agencies, under certain circumstances, to lawfully demand data stored in foreign countries from entities subject to U.S. jurisdiction. The report addresses concerns that this language in the CLOUD Act gives the U.S. government new powers to surveil and monitor the data of non-U.S. citizens or businesses using a cloud services provider with operations in the United States. The report concludes that such fears are overstated.
Other highlights of the report include:
- An explanation of how the CLOUD Act seeks to restore the legal consensus that U.S. law enforcement agencies can reach data stored extraterritorially from a U.S. entity that had “possession, custody, or control” over the data.
- A discussion of the meaningful limitations on U.S. law enforcement that the CLOUD Act leaves in place.
- A comparative analysis of the European Union’s approach to cross-border data requests from law enforcement, which is largely consistent with the CLOUD Act.
- An examination of whether the CLOUD Act violates international law or the GDPR.
To download the full report, click here.
Increasing numbers of initiatives, devices, and solutions related to the Internet of Things (IoT) are substantially impacting the development of cybersecurity and data privacy regulations throughout Asia. After the implementation of the General Data Protection Regulation (GDPR) in Europe, for example, Asian lawmakers are considering strengthening their own data protection laws. The region is also characterized by a push in a number of jurisdictions towards data localization requirements driven more by “cyber sovereignty,” national security considerations, and protectionist impulses than data protection considerations. Restrictions on the collection and free use of data may pose a challenge for IoT models, particularly if data is required to be kept onshore.
At the same time, it is clear that many Asian jurisdictions see IoT as a key driver for economic growth. A number of jurisdictions have “smart city” initiatives and interests in areas such as automotive telematics. Japan, South Korea, and China, in particular, have strong automotive sectors and are focused on maintaining technological leadership. Unmanned aerial vehicles (UAV) are also an area of focus, both in terms of the supply of vehicles and components and in terms of their deployment as part of these “smart” initiatives.
In this hoganlovells.com interview, Mark Parsons, a Hogan Lovells partner based in Hong Kong, summarizes the current status of IoT-related policies in the Asia-Pacific region and discusses changes anticipated in 2019. Continue Reading