The findings from the recent Higher Regional Court of Düsseldorf decision Mobiles Kommunikationssystem have established a new framework that should be followed when courts are benchmarking standard-essential patents (SEP) licence offers. The court has commented on which requirements are to be placed on the infringement notice, the licence request and the licence offer and how far the court’s examination duty reaches. The decision takes a step toward solutions that balance the interests of the parties. The case is now pending before the Federal Supreme Court and it is hoped that the case will provide legal practitioners with a benchmark for evaluating a licence offer as fair, reasonable and non-discriminatory (FRAND). Please refer to the full article by Dr Anette Gärtner in the current issue of the Mitteilungen der dt. Patentanwälte for further commentary.
On 28 February 2018, Andrus Ansip, the European Commission (Commission) Vice President and commissioner responsible for the Digital Single Market strategy, commented that all companies should be able to monetise user data, in the same way that social media companies do. Mr Ansip’s comments reflect the aims of the General Data Protection Regulation (GDPR) to harmonise regulation and protection across the European Union (EU). On a related theme, the Commission also published guidance earlier this year on the direct application of the GDPR.
Mr Ansip’s comments
Mr Ansip commented to CNBC that the Commission has to protect traditional media, and that the aim of the EU was to create a “more equal playing field between telecoms operators and social media platforms”. Mr Ansip highlighted what he perceives to be the unfairness in the data economy: “[s]ome players can use data they have and some other players are regulated, practically it is impossible to use the data they have in their hands … it will be normal when, on the basis of people’s consent, all the players can monetize the data they have.”
In the wake of recent cyberattacks, cities and states are taking a stand.
On March 29, New York City (the City) Mayor Bill de Blasio announced NYC Secure, an initiative that will include a suspicious activity alert app for residents and security upgrades to the City’s public Wi-Fi networks. The initiative is intended as a citywide effort to better protect citizens and mitigate systemic-level cyber threats to citizens or City infrastructure, not unlike the ransomware attack suffered by the City of Atlanta last month, which included the disabling of public Wi-Fi.
Hailed as New York City’s “first ever cybersecurity initiative,” NYC Secure will be developed and implemented by NYC Cyber Command, and will offer free resources to increase cybersecurity for residents and visitors to the Big Apple starting this summer. Core features of the app include alerting users to suspicious mobile device activity, identifying potentially malicious Wi-Fi networks, apps or websites, and providing tips for users to be more aware of their digital activities. While the app’s intentions are admirable, the City has already recognized the risks of improper implementation, particularly with respect to the potential for increasing the surface area of attack by creating another access point to user data.
In preparation for the EU’s General Data Protection Regulation (GDPR), which comes into effect May 25, Facebook announced it is launching a range of new privacy tools in an effort to “put people in more control over their privacy.” Interestingly, last week Mark Zuckerberg clarified that he intends to implement Europe’s GDPR across its entire global network of users, not just those located in the EU. Presumably, this global policy would make it possible for all Facebook users to exercise their data rights, including the potential for users to restrict Facebook processing their personal data if they believe their data is being misused.
“Overall I think regulations like this are very positive,” Zuckerberg stated on a conference call with reporters. “We intend to make all the same controls available everywhere, not just in Europe.” Zuckerberg noted that “Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places. But let me repeat this, we’re going to make all the same controls and settings available everywhere, not just in Europe.”
The UK government has published its response to a public consultation on the EU Directive on security networks and information systems (NIS Directive) that opened in August last year. The response sets out the UK’s vision for improving the security of the UK’s essential services by implementing the NIS Directive.
The NIS Directive
The NIS Directive provides legal measures to increase the overall level of network and information system security in the EU by: establishing national frameworks to promote the security of network and information systems; setting up a cooperation group to facilitate strategic cooperation and information exchange, and a Computer Security Incident Response Team (CSIRT) network to promote cooperation on specific security incidents; and ensuring the security framework is applied effectively across vital sectors.
Businesses in vital sectors will have to take appropriate and proportionate security measures to manage risks to their network and information systems. Operators of essential services are also required to notify serious incidents to relevant authorities. Key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with security and incident notification requirements established under the NIS Directive.
Earlier this year the UK Department for Digital, Culture, Media & Sport published its new Digital Charter. This short document outlines a UK rolling programme of work designed to make the UK a friendly environment in which to start up and grow digital businesses. It is also designed to make the UK a safe place to be online. The charter will be updated as the government’s programme of work changes in response to technological advancements.
The goal of the charter is to establish rules and norms for the online world that can be put into practice.
The principles outlined in the charter, guiding the government’s work, are:
- the internet should be free, open and accessible;
- people should understand the rules that apply to them when they are online;
- personal data should be respected and used appropriately;
- protections should be in place to help keep people safe online, especially children;
- the same rights that people have offline must be protected online; and
- social and economic benefits brought by new technologies should be fairly shared.
A recent study conducted by researchers at the University of Piraeus, published in the Institute of Electrical and Electronics Engineers’ Access journal (29 January 2018), has indicated that many popular health apps have significant privacy and cybersecurity failings; many of them do not follow standard practices nor will they comply with the upcoming General Data Protection Regulation (GDPR). This means that a large number of mobile health apps are jeopardizing the privacy of millions of users.
Mobile health apps
In the last few years there has been a substantial growth in mobile health apps and the ‘connected health’ model, which aims to achieve flexible, effective and affordable healthcare services by using connected technology that offers better records management, information access and increased diagnostic capabilities. This is also known as ‘smart health’. Many healthcare professionals are shifting to mobile apps for easier communication with their patients, increased productivity and improved health management capabilities.
Recently, the European Commission endorsed draft horizontal provisions for cross-border data flows and personal data protection in trade agreements – as personal data is a fundamental right, it is not something which can be the subject of negotiation in EU trade deals.
Relatedly, the Article 29 Working Party (A29WP) consultation on the guidelines under Article 49 of the General Data Protection Regulation (GDPR) concerning cross-border data transfer derogations has closed, paving the way for the guidance to be finalised and issued later this year.
Cross-border data flows
Cross-border data flows, which include moving around employee information, sharing financial details for online transactions, and analysing individuals’ browsing habits to serve them targeted advertisements, are key to most organisations.
The European Commission is seeking to break down barriers to the flow of data between businesses in future trade deals as part of its push towards a more digital economy, while at the same time safeguarding these key fundamental data protection principles. The preferred approach to facilitate the ongoing trade negotiations and to legitimise cross-border data flows is ‘adequacy decisions’ – which means the European Commission (the Commission) has identified the third country (which is outside the European Economic Area) as providing protections adequate to those under data protection laws in the EU.
In February, we reported that South Dakota and Alabama were the last two U.S. states without data breach notification laws. Since then, both states have enacted data breach laws.
South Dakota governor Dennis Daugaard signed South Dakota Bill No. 62 into law on March 21, making it the 49th state to pass a data breach notification law. The law integrates contemporary principles found in other recently enacted state data breach laws. These principles include a broad definition of personal information—for example, employee ID numbers together with an access code or biometric data fall within the scope of the definition. The law requires companies to disclose a breach to affected consumers no later than 60 days from the date of discovery or notification of the security incident. Affected consumers include any South Dakota resident whose “personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Indiana Attorney General Curtis Hill. AG Hill has prioritized rolling back federal overreach and safeguarding consumers from fraud and scams, along with continuing to take a hard line on crime. In the interview, he talks about his state’s consumer protection efforts with regard to data privacy and cybersecurity.
The article is available on the IAPP website.