The Technology Newsflash contains articles and timely updates on the latest technology, outsourcing and privacy legal issues and trends affecting businesses today. We encourage you to visit the site often as it is updated regularly. We welcome any questions about the topics covered here and those relating to our global capabilities.
Table of Contents
The English Court of Appeal has ruled in two recent cases that subject access requests are generally valid, and businesses must comply with such requests, even if they are made for collateral purposes, such as collecting information for use in litigation. However, the court also clarified that the subject access regime only requires businesses to conduct a reasonable and proportionate search – not an exhaustive search.
The English Court of Appeal has confirmed in a recent case that data protection claims may be brought hand-in-hand with defamation claims. The case provides a reminder to businesses that the use of data protection as a weapon in litigation is growing ever more commonplace.
As discussed in our March 1, 2017 update, the New York Department of Financial Services ("NYDFS") issued final regulations that require New York banks and insurance companies, as well as other financial services companies that are supervised by the NYDFS—including New York state-licensed branches and agencies of non-US banks—to establish and maintain a cybersecurity program designed to protect consumers' private data and ensure the safety and soundness of New York's financial services industry ("Cybersecurity Regulations").
Understand what's required under NY State's first-of-its-kind cybersecurity regulation, and why its divergence from a cost-benefit approach to cybersecurity risk assessment is raising questions.
Subject Access Requests ("SARs") are an increasingly popular weapon in litigation, because they can be used to provide a cheap and quick form of pre-action disclosure. However, courts have confirmed that information subject to legal professional privilege ("LPP") does not need to be disclosed in response to a SAR, unless the person making the SAR has a "prima facie case" that the party relying on LPP is doing so to hide some form of wrongdoing.
This newsflash considers trends and developments in data privacy and cyber security in the wider global macroeconomic, political and social context.
The Court of Justice of the European Union has declared that IP addresses are personal data in many circumstances – but were the right questions asked, and will the GDPR change the outcome?
The EU's Article 29 Working Party has published new Guidelines on the role of Data Protection Officers under the General Data Protection Regulation. Data Protection Officers are seen as a cornerstone of data protection compliance, and many businesses will be subject to a mandatory obligation to appoint a Data Protection Officer.
The Court of Justice of the European Union (the "CJEU") has ruled that EU Member States cannot pass laws that require communications service providers to carry out general and indiscriminate retention of communications data and location data. Moreover, the CJEU stated that where such data are retained, they can only be accessed by national law enforcement agencies in limited circumstances. The ruling casts the UK's new Investigatory Powers Act 2016 into doubt.
The EU-US Privacy Shield, introduced earlier this year to provide a lawful means of transferring personal data from the EU to the US, is facing a second legal challenge, this time from several French privacy rights groups. Alongside this, a number of German regulators are investigating hundreds of randomly-chosen companies in relation to exports of personal data from Germany out of the EU.
The UK Investigatory Powers Bill has received royal assent and passed into law as the Investigatory Powers Act 2016. The Act will have a significant and far reaching impact on data, technology and communications businesses, and not just those in the UK.
Recently available DMCA Exemption allows vehicle owners to modify the computer code in their vehicles for certain legitimate purposes without fear of a claim under the DMCA's anti-circumvention provisions.
The National Highway Traffic Safety Administration's new cybersecurity guidelines are a step toward improved safety practices in the modern vehicle.
The High Court has ruled that a business that receives a Subject Access Request ("SAR") can refuse to disclose the requested information in some cases, if the dominant purpose of the SAR is litigation. This appears to mark a significant departure from existing case law and regulatory guidance on this issue.
The UK government has confirmed that it will implement the EU General Data Protection Regulation, notwithstanding the UK's decision to leave the EU. This announcement confirms that UK businesses will need to become GDPR compliant by 25 May 2018.
New protections are being proposed in the UK to allow regulated sector firms to share information regarding suspicions relating to money laundering and terrorist financing, in circumstances where law enforcement has been notified. Regulated sector firms are financial gatekeepers and greater sharing of information between these firms and law enforcement should bolster the existing anti-money laundering and counter-terrorist financing regime.
The FCC has adopted privacy and security rules that establish specific requirements for how Broadband service providers may use and share customer information for commercial purposes.
Privacy advocacy group Digital Rights Ireland has launched a challenge in European courts against the EU-US Privacy Shield scheme, claiming it does not adequately protect the privacy rights of EU citizens. The lawsuit is expected to take over a year to resolve, continuing the uncertainty surrounding transfers of personal data from Europe to the US, including for the hundreds of companies that have already signed up for certification under the scheme.
The Court of Justice of the European Union has held that IP addresses are "personal data" in certain circumstances. This decision is significant because it means that the collection and further processing of IP addresses may be subject to EU data protection law, creating potential compliance difficulties for businesses.
At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors. If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies.
The Electronic Frontier Foundation argued that Section 1201 of the Digital Millennium Copyright Act ("DMCA") is overbroad and is in violation of the First Amendment.
The proposed cybersecurity rules require extensive cybersecurity protections, including cybersecurity programs, policies, personnel, risk assessments, training, and breach reporting within 72 hours.
The UK Information Commissioner's Office has issued a record fine of £400,000 to a UK telecoms company, in connection with a data breach. The fine, and the related adverse publicity, serve as a stark warning to companies that fail to implement appropriate data security measures.
USDOT announces new policy for safe design, development and deployment of autonomous vehicles.
The European Commission outlined specific initiatives to achieve a Digital Single Market by modernizing EU copyright rules, establishing a copyright regime that is more suited across jurisdictions.
Proposed NY state rules aimed at protecting consumers would require DFS-regulated institutions to implement and enforce cybersecurity programs.
The Court of Justice of the European Union has held that injunctions against intermediaries whose services are being used by third parties to infringe intellectual property rights are not limited to electronic commerce but may also be issued against providers of 'real-world services', such as letting or subletting pitches in a marketplace.
US organizations can now apply for Privacy Shield certification, and have until September 30 to take advantage of a nine-month grace period to bring existing third-party contracts into conformity.
Bascom ruling suggests that a detailed step two analysis is crucial to intellectual property protection and may confer patent eligibility.
A judgement issued by the Court of Justice of the European Union (CJEU) provides some, but not decisive, copyright-related guidelines for businesses offering television or radio programs in their facilities for customers.
A detailed Handbook designed to assist businesses in understanding and complying with the GDPR. The GDPR will impact almost every organisation that is based in the EU, as well as many organisations that do business in the EU, even if based abroad. It is extremely serious, wide-ranging and significantly raises the bar for compliance, with maximum fines of up to €20 million or 4% of annual global turnover.
The EU-US Privacy Shield has now been formally approved, providing a new mechanism for transferring personal data from the EU to the US, and reducing the legal uncertainty international businesses have been facing – at least for now.
Recent amendment to Japan's Patent Act modifies the right of an employee inventor to "reasonable" compensation, but falls short of creating a bright-line rule on acceptable compensation.
Federal Circuit confirms that the first step of the Alice inquiry is meaningful and not a mere formality.
US Supreme Court affirms Federal Circuit on IPR Claim Construction Standard and that IPR Institution Decisions are Final and Non-appealable
Yesterday, the U.S. Supreme Court affirmed the Federal Circuit in Cuozzo v. Lee by confirming (i) the U.S. Patent and Trademark Office ("PTO") application of the broadest reasonable construction ("BRI") standard to claim construction in inter partes review ("IPR") proceedings, and (ii) that PTO decisions whether to institute IPR proceedings are final and may not be appealed pursuant to 35 U.S.C. § 314(d) of the Leahy-Smith America Invents Act ("AIA").
Online Traders: New Obligation in EU for Provision of Link to Online Dispute Resolution (ODR) Platform
European online dispute resolution (ODR) platform, intended to resolve disputes between consumers and online traders, forces traders to modify websites to comply with new regulation or risk an infringement of unfair competition law.
The transfer of personal data from the EU to the US is continuing to come under attack in the EU, with Model Clauses now in the regulatory crosshairs. Consequently, organisations that do business on both sides of the Atlantic are facing an increasingly uncertain future.
The EU regulator is considering subjecting Over The Top ["OTT"] internet-based services, which include messaging services, audio/video streaming applications and other services such as social media platforms, to its telecoms regulation. The current regulatory framework was designed for Electronic Communication Services ["ECS"]. As OTT services grow rapidly and compete with established ECS, the latter are calling for a level playing field in terms of regulation. The German regulator, holding that the existing regulatory framework for ECS is applicable to certain types of OTT services, is taking a different approach.
This article was previously published in a special edition of the German newspaper Handelsblatt. Buzzwords like "connectivity" and "autonomous driving" are the harbingers of a new era that we will be facing in the next 5 to 10 years.
The EU General Data Protection Regulation ("GDPR") is now in force, and the clock is officially ticking for businesses to bring their operations into line with its sweeping changes.
The US Federal Communications Commission has proposed new information privacy and security regulations for Broadband Internet service providers, currently in a period of public comment.
Under certain circumstances, dynamic IP addresses can be “personal data”. Businesses that process IP addresses should take note.
On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 ("DTSA"), creating a federal private civil action for the misappropriation of trade secrets. The DTSA does not preempt state law but provides an additional forum for relief.
The General Data Protection Regulation (or “GDPR”) was officially published on 4 May 2016. Enforcement will begin on 25 May 2018, giving businesses just over two years to bring their operations into line with the sweeping changes introduced by the GDPR.
The High Court has held that employers can be vicariously liable for data breaches caused by rogue employees. The decision highlights the importance to businesses of ensuring that data protection compliance requirements are properly addressed.
The High Court has ruled that a company conducting an investigation may be compelled to give effect to requests for information made under data protection legislation.
The UK's Financial Conduct Authority ("FCA") will launch a 'regulatory sandbox' on 9 May 2016 to foster innovation in the UK financial services market. Unauthorised firms that successfully apply to the FCA will be able to obtain restricted authorisation to test innovative products or services in a live environment.
EU Data Protection Authorities met in Brussels last week to deliver their eagerly anticipated opinion on the proposed EU-US Privacy Shield.
The European Parliament has voted on the General Data Protection Regulation (the "GDPR"). The vote marks the end of a four-year legislative process and makes the GDPR a reality.
The Federal Circuit is currently considering a challenge to patent venue rules that could lead to dramatic shifts in where patent infringement actions are filed.
The progress of the EU-US Privacy Shield has been uncertain for the last few months. However, recent developments have clarified the situation somewhat.
The NHTSA has started to adapt the federal safety regulations for motor vehicles by interpreting traditional terms and standards to reflect emerging technology.
The EU-US Privacy Shield remains a hotly debated issue and significant areas of disagreement remain between the European Commission, the European Parliament, privacy activists and businesses.
A bill currently under discussion before the French Parliament should result in tightened sanctions against organizations found to be in breach of data protection law. New sanctions provided under the bill are a reflection of the forthcoming General Data Protection Regulation (the "GDPR").
The recent settlement in FTC v. Sitesearch suggests that whether subject to the FCRA or not, the FTC is examining companies that trade in consumer information with increased scrutiny.
Following the conclusion in early February of negotiations for the Privacy Shield (the replacement for Safe Harbor), the European Commission has published draft documents providing the full detail of the Privacy Shield program.
Bărbulescu v. Romania clarifies employers' rights to monitor the contents of their employees' private electronic communications
This ruling is aimed at providing a balance between the employer’s interests and employee’s rights under Article 8 of the ECHR.
The European Data Protection Supervisor and the Article 29 Working Party have both recently published their forward-looking work agendas, with both organisations expected to have significant influence on key regulatory developments during this period of unprecedented change in the European data protection landscape.
A controversial portion of the EU's forthcoming General Data Protection Regulation is a provision restricting the ability of EU businesses to comply with demands from non-EU courts for the production of documents containing personal data. Following a recent announcement by the UK government, these restrictions will not apply to businesses in the UK.
The EU’s Article 29 Working Party has published an Opinion that seeks to clarify the application of EU data protection law in relation to businesses based outside the EU.
US and EU announce a new framework to replace Safe Harbor and allow for international data transfers.
Guidance and checklist for fast growth companies on managing international data privacy issues.
States consider measures to protect their residents and businesses from abusive patent litigation.
The Third Circuit affirmed the FTC’s authority to pursue privacy-related claims, and the recent settlement provides some guidance as to reasonable privacy and data security practices.
The new EU directive on trade secrets will be aimed at removing differing national levels of protection for trade secrets.
UK and EU Law Enforcement Investigatory and Data Sharing Powers: Developments and International Impact
After Sales-Service: Don't Be Misled! — European Court of Justice Rules: Erroneous Information Provided by an Undertaking to a Consumer in the Context of After-Sales Service Is a Misleading Commercial Practice
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2017 White & Case LLP