On October 6, 2021, the Department of Justice (DOJ) announced the launch of its new Civil Cyber-Fraud Initiative that emphasizes accountability for conduct that could increase cybersecurity threats to the government. This initiative supports the Biden administration’s goals and efforts to improve U.S. cybersecurity generally. Those who do business with the government or receive federal funds need to be mindful of the updated compliance expectations this initiative poses. Our government contracts and national security teams discuss these risks in detail on our Global Regulatory Enforcement Law Blog.
The European Court of Justice (ECJ) ruled on 6 October 2021 in Top System SA v. Belgian State (Case C‑13/20) EU:C:2021:811 that, under article 5(1) of the Software Directive (Council Directive 91/250/EEC) (the Directive), lawful purchasers of software are permitted to decompile programs (in whole or in part) in order to correct errors affecting the software’s operation.
The decision comes as the result of a request for a preliminary ruling by the Brussels Court of Appeal. The request had been made in proceedings between Top System SA and the Belgian state concerning the decompilation by the Selection Office of the Federal Authorities in Belgium (SELOR) of a computer program developed by Top System and forming part of an application in respect of which SELOR holds a user licence.
What the Directive says
Article 4 of the Directive deals with “Restricted Acts” that give developers exclusive rights to reproduce and alter computer programs, whereas article 5 allows the licensor to reproduce and alter a program where necessary to use it for its intended purpose, including for error correction. Article 6 deals with decompilation, permitting the reproduction of software code and translation where doing so is indispensable to obtain the information necessary to achieve interoperability so long as: it is done by the licensee or other authorised person; the information necessary to achieve interoperability is not readily available to the licensee; and any related actions taken are limited to those portions of the original software/computer program necessary to achieve interoperability.
Decompilation: ECJ’s ruling
In Top System, the ECJ ruled that under an interpretation of article 5 the lawful purchaser of a computer program is entitled to decompile the program (in whole or in part) in order to correct errors affecting its operation, without being required to satisfy the requirements of article 6. The licensee would not be allowed to use the decompiled software for any other purpose than error correction.
Advocate general’s opinion
The advocate general’s opinion on the case confirmed that a licensee could decompile a computer program to correct errors, unless restricted by the licence. The opinion emphasised the independence of articles 5 and 6, and the possibility of decompilation under article 5, as well as article 6. Specifically, the opinion stated that article 5, independent of article 6 (which permits decompilation), should be interpreted as permitting a licensor to decompile a computer program where necessary to correct errors affecting its functioning.
The lesson from this ECJ ruling is that a computer program can be decompiled where necessary to fix an error under article 5 and that that right is independent of the article 6 right to decompile a program when necessary for interoperability. While the case should not be seen as opening the floodgates for decompiling software by a licensor, it does offer helpful clarity as to the rights and obligations of both the licensor and licensee when it comes to managing software errors.
To limit disputes around the decompilation of licensed software, the ECJ has advised that the procedure for correcting software errors should be addressed in the licence and contract provisions. Although the parties are not permitted to exclude the possibility of correcting errors altogether, a contractual arrangement will allow licensees and licensors to find a method best suited to the objectives of each party.
In July 2021, the European Commission (the Commission) adopted three proposals for regulations and one proposal for a directive of the European Parliament and of the Council in relation to reforms to the EU’s anti-money laundering (AML) and counter-terrorist financing (CTF) regime. The proposals serve to implement aspects of the Commission’s May 2020 action plan in respect of the same, with a view to addressing weaknesses in these areas. The key reforms include a new EU AML and CTF authority and a new EU single AML and CTF rulebook.
On 22 September 2021, the EU’s independent data protection authority, the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, published an opinion on the Commission’s proposals, alongside a press release.
Overall, the EDPS’ opinion of the proposals is positive, welcoming the AML package and its objective to increase the effectiveness of AML and CTF. In particular, Mr Wiewiórowski praised the envisaged increased harmonisation of the AML and CTF framework at EU level, which includes the creation of a European authority.
On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.
On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.
Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).
Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health information when they are not regulated by the Health Insurance Portability and Accountability Act (HIPAA). Many of those businesses are likely not aware of the Rule, because there has been no public enforcement activity. While questions about the Rule’s scope remain, recent actions by the FTC (including the Policy Statement) suggest that it may be time for businesses to consider whether and how their operations may be drawing interest (investigative and enforcement) from regulators.
Persistent uncertainty about the scope of the FTC’s Health Breach Notification Rule
Our colleagues wrote about the Rule when it was first issued, to explain how certain businesses that handle health information may be required by the Rule to provide notice of data breaches affecting health information. We will not restate that analysis here, but it remains as accurate now as it was then. Until last week, the FTC had never publicly enforced or published new guidance on the Rule. Significant questions therefore persist about how the FTC will interpret and apply the Rule.
The Rule does not apply to businesses regulated by HIPAA, but the Rule ambiguously describes the types of business to which it does apply. For example, as drafted, employers that hold employee health records electronically could theoretically be regulated by the Rule—even though it was likely not the FTC’s intent for the Rule to apply in the employment context. Given the Rule’s ambiguous scope, businesses may need to conduct a case-by-case assessment of the applicability of the Rule to their data security incidents to avoid missing this little-known and broad regulatory requirement.
In contrast with the FTC’s Health Breach Notification Rule, HIPAA, which is enforced by the Office for Civil Rights in the Department of Health and Human Services, generally provides clear guidelines as to the scope of its applicability. HIPAA is applicable only to health care providers that submit claims electronically, health plans, and health care clearinghouses. Similar to the Rule, a breach of unsecured protected health information regulated by HIPAA triggers potential breach notification requirements. A “breach” under HIPAA involves “an acquisition, access, use, or disclosure of protected health information in a manner not permitted” by HIPAA, which includes many restrictions on disclosures without patient authorization. Failure to comply with the notification requirements under HIPAA could result in civil monetary and other penalties.
AI is a hot topic, particularly in the area of patent law and inventorship.
On Tuesday 21 September 2021, the UK Court of Appeal ruled that artificial intelligence (AI) cannot be listed as an inventor on a patent application (Thaler v Comptroller General of Patents Trade Marks and Designs EWCA Civ 1374).
The present case related to two patent applications submitted to the UK Intellectual Property Office (IPO) by Dr Stephen Thaler. Both applications listed the inventor as ‘DABUS’, an AI machine built for the purpose of inventing, which had successfully come up with two patentable inventions. The UK IPO had refused to process either application (considering them withdrawn) as they failed to comply with the requirement to list an inventor and Dr Thaler was not entitled to apply for the patents. According to the Patents Act 1977, an inventor must be a ‘person’.
At the Court of First Instance, Mr. Justice Marcus Smith had upheld the IPO’s decision.
On September 17, 2021, the Illinois Court of Appeals for the First District ruled that some BIPA claims are subject to a five year statute of limitations, while others must be brought within one year. In Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the appellate court accepted a certified question from the trial court, seeking clarification of BIPA’s applicable statute of limitations.
The Illinois law regulating biometrics has been making headlines in the last few years, with the most recent clash focusing on the period within which plaintiffs have to bring a claimed violation. BIPA itself does not contain a statute of limitations, and courts have wrestled over the proper applicable time period. Some courts have applied the catch-all five year statute of limitations, while others thought the one year statute of limitations applicable to state privacy actions should apply. In Black Horse Carriers, the court found both statutes of limitations applied depending on the specific claimed BIPA violation.
The court found that claims brought under Sections 15(c) and (d), for sale and disclosure of biometrics, respectively, are subject to the one year statute of limitations. All other BIPA claims, such as those brought under Section 15(a) for failure to provide notice, Section 15(b) for failure to obtain written release, and Section 15(e) for failure to use reasonable care, are subject to the state’s five year catch-all requirement.
As many BIPA-related questions continue to make their way through the appellate process, it is prudent to watch how the judicial landscape continues to take shape.
California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the board meeting included rules covering new topics such as rules related to automated decision-making and the CPRA’s new data protection assessment and auditing requirements.
CPPA executive director and staff to be appointed
With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership post. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees who are attorneys for part-time positions.
Extension of the July 1, 2022 rules deadline
With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline.
On 10 September 2021, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on its proposed reforms to the UK’s data protection regime, with a view to assessing the case for legislative change.
The consultation comes as the first step in the government’s plans to deliver on ‘Mission 2’ of its National Data Strategy, published in 2020: to secure a data regime that promotes growth and innovation for UK businesses, while also maintaining public trust.
The UK’s data protection regime has not received a substantive update since 2018 when the European Union’s General Data Protection Regulation (GDPR) took effect, alongside the introduction of the UK’s Data Protection Act 2018. The government’s National Data Strategy has suggested that the UK may start to move away from EU law when it comes to data protection.
According to the Secretary of State, the ultimate aim of the consultation is to ‘create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standards’.
At its thirtieth meeting on August 20, 2021, the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China finally passed the long-awaited Personal Information Protection Law (PIPL), which will come into force on November 1, 2021.
Our recent client alert, the first in a series which we will be producing, provides a brief introduction to the key rules in the PIPL, focusing on the requirements that multinational companies with operations in China need to be aware of.
In our subsequent alerts, we will also address the particular challenges that companies across different sectors (such as TMT, health care, automotive, and financial services) may face in the context of the PIPL.