Global Media and Communications Watch

The International Legal Blog for the Tech, Media and Telecoms Industry

Posted in International/EU privacy by Joke Bodewits

Dutch DPA: Banks May Not Use Payment Data for Marketing Purposes

In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use.

The DPA stated that it received a “significant amount of complaints” after the Dutch bank announced in June that it would start showing advertisements for financial products offered by the Dutch bank to customers based on their spending habits. The complaints prompted the DPA to investigate.

Posted in Cybersecurity, Internet, privacy and security litigation by Paul Otto, Allison Holt-Ryan, Nathan Salminen

IoT Webinar Series: Cyberthreats in the Internet of Things

On July 16, 2019, Nathan Salminen, Allison Holt, and Paul Otto from the Hogan Lovells Privacy and Cybersecurity and Litigation teams presented a webinar, “Cyberthreats in the Internet of Things,” where they explored some techniques that can be used to exploit potential vulnerabilities in connected devices and how those types of events impact organizations from a regulatory and litigation perspective.

Many of the nearly 20 billion Internet of Things (IoT) devices deployed worldwide perform critical functions or have access to networks that process highly sensitive information. The proliferation of connected devices across industry sectors has led to the emergence of a significant and distinct threat to many types of organizations, from electric utilities deploying IoT devices across their smart grids to financial institutions using IoT devices in conference rooms that may connect to the same network that financial data flows through.

The speakers discussed unique litigation and technical risks related to the IoT ecosystem and some of the technical aspects of hacking threats to connected devices, how those threats may differ from other cyberthreats, and the legal implications of such threats.

They also explored:

  • Different types of hacks and how they may be exploited in the IoT space
  • Ways that compromised IoT devices can present unique types of security risks
  • Unique legal implications of IoT cyberthreats
  • Litigation risks and strategies

To view the recording of the webinar and to download the presentation slides, please click here.

Posted in Data Protection & Privacy, Policy & Regulation, privacy and security litigation, Telecoms & Broadband by Mark Brennan, Adam Cooke, Alicia Paller, Joseph J. Cavanaugh

Ill-Suited: Private Rights of Action and Privacy Claims

“For years, the plaintiffs’ bar has conjured multibillion-dollar class action lawsuits out of largely intangible privacy harms. This wave of litigation is increasingly driven by federal and state statutes that include private rights of action and allow for excessive statutory damages. Given the willingness of some courts to let cases proceed despite a lack of allegations or evidence of concrete harm, this litigation trend shows no sign of abating.”

The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’ Mark W. Brennan, Alicia Paller, Adam Cooke, and Joseph Cavanaugh explaining why private litigation is a poor enforcement tool for privacy laws.  As detailed in the paper, when it comes to privacy interests, “harms” are largely inchoate and intangible, and the wrongdoers are often unknown or unidentifiable. Even where class members may have suffered a concrete injury, the data indicates that they are unlikely to receive material compensatory or injunctive relief through private litigation. Meanwhile, plaintiffs’ counsel often walks away with millions of dollars, court dockets are unduly cluttered, and companies are forced to expend resources on baseless litigation.

Whereas a stream of harmful consequences flows from private rights of action for privacy laws, agency enforcement provides the right balance between protection, penalties, deterrence, and progress.

Posted in Copyright by Julia Anne Matheson, Brendan C. Quinn

Pirates of the Caribbean copyright suit must walk the plank

The Central District of California recently sank a copyright infringement lawsuit against the Walt Disney Company’s Pirates of the Caribbean film franchise, finding that numerous elements of the Plaintiffs’ allegedly similar screenplay were either lifted directly from the eponymous ride at Disney’s theme parks or constituted unprotected scènes-à-faire common to all tales about pirates.

Disney’s film Pirates of the Caribbean: The Curse of the Black Pearl was an instant blockbuster when released in the summer of 2003 and spawned a franchise of four more feature films chronicling the adventures of Jack Sparrow, Captain Barbossa, and other swashbucklers. Disney developed the concept for the franchise from its wildly popular “Pirates of the Caribbean” theme park ride, which debuted at Disneyland in 1967. In August 2000, Disney had allegedly received – and turned down – Plaintiffs’ script for a film about the pirate Davey Jones and his quest for treasure on the high seas. Plaintiffs titled their screenplay “Pirates of the Caribbean.”

Plaintiffs sued Disney for multiple counts of copyright infringement in November 2017, claiming that Disney’s films copied their screenplay. On May 13, 2019, the court dismissed these claims with prejudice.

Posted in Cybersecurity, Data Protection & Privacy, Policy & Regulation

Privacy and Cybersecurity KnowledgeShare event: Sept 19, London

Join us on Thursday 19 September for our Privacy and Cybersecurity KnowledgeShare in London. We’ll share our latest thinking on the key privacy and cybersecurity issues faced by those with data protection responsibilities within organisations. Our all-day event will cover a lot of ground through incisive quick-fire presentations, Q&A panels and hands-on workshops.

Topics will include:

  • Nailing the basics – Fast insights into key issues such as lawful grounds for processing, people’s rights and DPIAs.
  • Enforcement – What the risk-based approach truly means.
  • Privacy challenges of the digital economy – AI, life sciences, biometrics, facial recognition, IoT and product development.

The workshops will focus on key compliance topics such as incident response, international data transfers, privacy litigation, Brexit, CCPA and e-Privacy.

For the full programme, speaker information and registration, please contact Joshua Prietzel.

We look forward to seeing you!

Posted in International/EU privacy by Katie McMullan

Cookie consent – What “good” compliance looks like according to the ICO

On 3 July 2019, the UK data protection authority (the ICO) updated its guidance on the rules that apply to the use of cookies and other similar technologies.  The ICO has also changed the cookie control mechanism on its own website to mirror the changes in the new guidance.

Since the EU legislators shocked the internet world a decade ago by changing the legal requirement for the use of cookies and similar technologies from “notice and opt-out” to “notice and consent”, many businesses have struggled to find a way to balance the expectations of the regulators with the effective functioning of their services without disrupting the experience of those that use them.  The ICO’s new cookie consent guidance may help with taking a view on how to address the obligations in practice, but it also contains some robust views which will likely cause those who have taken steps to address the cookies rules already to re-think them.

Posted in Internet by Eugene Low, Charmaine Kwong

China: 2-year time-bar revised to 3 years under CNDRP

Previously, under the CNNIC ccTLD Dispute Resolution Policy (CNDRP) which governs the .CN (and .中国) domain in China, no complaints under CNDRP could be filed against a .CN domain which had been registered for more than 2 years.

This time bar led to debates as to whether it imposes an unreasonable time limit on the fair and equitable enforcement of intellectual property rights.  For further background to this time-bar under CNDRP, please refer to our previous post (July 2017).

Time-Bar extended to 3 years

As discussed in our previous post, we speculated whether this time bar under CNDRP would be extended to 3 years, following the extension of time bars for general civil claims from 2 years to 3 years as announced in the amendments to the General Civil Law Rules of People’s Republic of China in 2017.

Recently, the China Internet Network Information Center (CNNIC) issued an amended CNDRP for consultation. Among other proposed changes, the amended CNDRP proposed to extend this time bar from 2 years to 3 years. The consultation period ended on 9 June 2019. The time bar under CNDRP has now been extended to 3 years, and the extension has been implemented since 18 June 2019.


We see this as a positive development for brand owners.

Whilst the CNDRP is still unique in having a time bar, the extension of this time bar at least provides some more flexibility in terms of timing for complainants to initiate complaints.

Although the proposed amendments are silent on the retrospective effect of the new rules, the general wording of the amended CNDRP should mean that this new 3-year time bar applies to .CN domain names registered both before and after the amendments came into effect.

This post is selected from our Anchovy News publication: Anchovy® is our comprehensive and centralised online brand protection service for global domain name strategy, including new gTLDs together with portfolio management and global enforcement using a unique and exclusive online platform developed in-house. For more information please contact us at anchovynews@hoganlovells.com

Posted in Cybersecurity

Privacy and Cybersecurity July 2019 Events

Please join us for our July 2019 events.

July 4
Making Privacy Actionable
Eduardo Ustaran and Nicola Fulford are hosting the IAPP London KnowledgeNet which will discuss, “Making Privacy Actionable: Working with the Chief Data Officer.”
Location: London

July 5-8
Privacy at the Aspen Institute
Harriet Pearson will lead a seminar on “What is Privacy and How Do We Protect It?,” at the Aspen Institute’s Socrates Program.
Location: Aspen, Colorado

July 11
Mark Brennan will provide insights on the FCC’s TCPA-related actions and prospects for robocall legislation in Congress on the panel, “Landmark Debt Collection Policymaking in Washington, D.C.,” at the ACA International Annual Convention & Expo.
Location: Washington, D.C.

July 16
Cyberthreats in the Internet of Things
Allison Holt Ryan, Paul Otto, and Nathan Salminen will discuss techniques that can be used to exploit potential vulnerabilities in connected devices and how those types of events impact organizations from a regulatory and litigation perspective during the webinar, “Cyberthreats in the Internet of Things.” To register, click here.
Location: Washington, D.C.

July 23
Medical Device Cybersecurity in Europe
Paul Otto will discuss European cybersecurity expectations and requirements for medical devices at the 4th Annual Medical Device Cybersecurity Risk Mitigation Conference.
Location: Arlington, Virginia

July 3
Data Protection in the UK
Nicola Fulford will discuss data protection at a round table hosted by the UK Department for International Trade.
Location: London

Posted in Internet by Jane Seager

.PL Registry lock service introduced

NASK, the organisation responsible for the Top Level Domain .PL (Poland), recently announced the introduction of a Registry Lock service for .PL domain names.

Locking a domain name at the Registry level provides an added layer of security against domain name hijacking. Domain name hijacking occurs when an attacker gains unauthorised access to registration data for a domain name, thereby gaining administrative control over the domain.  This enables them to modify several elements of the domain name, including the website to which it resolves.

The .PL Registry Lock service will work in a similar way to Registry Lock services already offered by other Top Level Registries, such as Verisign for the extensions .COM, .NET, .TV, .CC and .NAME, Afnic for .FR (France), The Internet Foundation in Sweden for .SE (Sweden), and CIRA for .CA (Canada).

The .PL Registry Lock service will ensure an extra layer of protection in that the following changes to the domain name will not be possible while the lock is active:

1) Deletion of domain name

2) Change of contact information or other data

3) Transfer of the domain name to another registrar

4) Re-delegation of the domain name

5) Deletion or change of the IP address of a name server

This service will be offered by .PL accredited registrars, such as Hogan Lovells.  The Registry Lock activation procedure will be a manual process initiated by the registrar by sending NASK a Registry Lock activation request in accordance with the procedure in place.  The Registry Lock deactivation procedure will be initiated in the same way as the activation procedure.

This post is selected from our Anchovy News publication: Anchovy® is our comprehensive and centralised online brand protection service for global domain name strategy, including new gTLDs together with portfolio management and global enforcement using a unique and exclusive online platform developed in-house. For more information please contact us at anchovynews@hoganlovells.com

Posted in Data Protection & Privacy

Now Available: Webinar – Operationalizing the California Consumer Privacy Act – Key Decisions and Compliance Strategies

We have extensively covered the California Consumer Privacy Act, the first U.S. law comprehensively regulating the collection, use, and disclosure of general consumers’ personal information in the U.S.  This important legislation poses significant compliance challenges for organizations that engage with residents of California, the world’s fifth largest economy.

On June 19, 2019, Hogan Lovells partners Mark Brennan and Bret Cohen discussed in great detail the impact of the law, explained key definitions, and offered practical guidance on how to navigate it during the webinar, “Operationalizing the California Consumer Privacy Act.” More than 600 live attendees participated and were able to hear Mark and Bret address how to determine whether businesses are covered, how to account for opt-outs from sales to third parties, the content and timing of CCPA notices, how to apply the CCPA’s exceptions, and more.

To hear the full webinar, please click here. To access the slide presentation, please click here.

For additional analyses of the California Consumer Privacy Act and the challenges ahead for companies, read Hogan Lovells’ CCPA blog series.