FinTech patents may not be grounded within the contours of patentable subject matter under Alice

The U.S. District Court for the Southern District of New York recently invalidated Western Express Bancshares, LLC’s (Western Express) U.S. Patent No. 8,498,932 relating to a method of transferring funds through a bankcard. This decision was the result of a motion to dismiss a patent infringement action brought by Western Express against Green Dot Corporation (Green Dot) for the sale of allegedly infringing CashBack Visa® Debit Cards, Reloadable Prepaid Visa® Cards, Load Go Prepaid Visa® Cards, and Reloadable Prepaid Mastercard® Cards. Green Dot took the stance that the ’932 Patent is invalid under the landmark 2014 U.S. Supreme Court decision in Alice Corp. v. CLS Bank, which held that patent claims directed to an abstract idea without any inventive concept are ineligible for a patent under Section 101 of the U.S. Patent Code.

In Western Express the court found that the ’932 Patent is “broadly directed to a ‘method of funds transfer […]’ [and that the] concept of transferring money through a bankcard is similar to other ‘fundamental economic practices’ that the Supreme Court and the Federal Circuit have held [to be unpatentable] abstract ideas.”

To read more about this decision and how it impacts the FinTech industry, visit our FinTech blog.

Calculation of administrative fines under GDPR – standardized concept published in Germany

After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019.

The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance with article 83(4) and (5) of the General Data Protection Regulation (GDPR) and also takes into account the circumstances of the individual case as described in article 83(2) GDPR. The Concept provides a uniform determination of administrative fines under GDPR without losing the flexibility to consider the individual case and situation of the violating person or organization (Violating Entity).

The Concept is not binding on courts, non-German authorities, or the European Data Protection Board (EDPB) and shall only be used for violations in Germany that are not cross-border cases. The Concept shall only be used until the EDPB has issued its own guidelines for the determination of fines under article 83 GDPR. In addition, the Concept shall not be used for fining associations or natural person outside of their economic activity.

In this blog, we explain the five-step procedure that the DSK applies in the calculation:

Continue Reading

MIAX keeps stocking up the wins against Nasdaq in Fintech patent battle

Within two weeks, Miami International Holding Inc. and its subsidiaries (MIAX) have attained five victories before the Patent Trial and Appeal Board (PTAB) of the U.S. Patent and Trademark Office.

The PTAB declared that five Nasdaq patents (U.S. Patent Nos. 6,618,707, 7,246,093, 7,921,051, 7,747,506, and 8,386,371), related to electronic securities trading systems, are invalid under 35 U.S.C. section 101. Section 101 defines patent-eligible subject matter. MIAX awaits the PTAB’s decision on an additional patent (U.S. Patent No. 7,933,827) challenged by MIAX.

To read more about this Fintech patent battle and how it impacts the FinTech industry, visit our FinTech blog.

Office of Administrative Law approves an adjustment to the covered electronic waste (CEW) recycling fee for covered electronic devices (CED)

The Office of Administrative Law approved an adjustment to the covered electronic waste (CEW) recycling fee for covered electronic devices (CED) on October 8, 2019. When a California consumer buys a CED – generally, any video display device with a screen larger than four inches – from a retailer, a CEW recycling fee is assessed. These fees fund the Department of Resources Recycling and Recovery (CalRecycle)’s CEW Recycling Program.

The fee adjustments will take effect on January 1, 2020 and will be codified at California Code of Regulations title 14, section 18660.40.

To find out more about these fee adjustments, visit our EHS Law Insights blog.

California attorney general issues draft CCPA regulations

On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with a public comment period set to close on December 6, 2019.

For a more in-depth discussion of the regulations, their operational impact, and how you may participate in the comment process, visit ReedSmith.com.

Compliant use of cookies in the EU is still a secret recipe: ECJ decides on Planet49, but does not provide clarity

In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)).

The ECJ set clear requirements on what cookie consent must look like. However, the requirements for when websites must ask for cookie consent may vary from one EU member state to another as some member states, such as Germany, have not implemented the Cookie Directive and the Judgment, therefore, does not apply directly.

As a rule of thumb, it can be said that, at minimum, websites must ask for cookie consent for all cookies other than cookies that are technically required to operate the website or to provide the website service to the user. In other words, tracking, marketing and analytics cookies may only be used with explicit, clear, informed (Art. 13 GDPR) and prior consent.

Background

The case involved a promotional lottery, which was presented with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (Marketing Checkbox)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (Cookie Checkbox)

Continue Reading

With latest lawsuit, New York attorney general continues to demand cybersecurity compliance

In a continued pursuit for cybersecurity compliance, New York Attorney General (AG) Letitia James has sued Dunkin’ Brands, Inc. (franchisor of Dunkin’ Donuts) over two data breaches in 2015 and 2018, accusing the company of mishandling a series of cyberattacks that together compromised more than 320,000 customer accounts.

In the complaint filed last week, AG James alleges that Dunkin’, by failing to notify consumers of the breaches or to take sufficient steps to investigate and safeguard consumer data, violated not only its internal data security procedures but also New York data breach notification and consumer protection laws.

In 2015, Dunkin’ was the target of a series of brute force attacks, in which automated software was used to gain access to accounts by guessing various combinations of usernames and passwords. The lawsuit alleges that despite being notified of these attacks by one of its mobile app developers, Dunkin’ did not notify its customers – in violation of the New York data breach notification law – nor did it conduct any security protocols to prevent future attacks, such as resetting passwords or freezing accounts.

Continue Reading

The e-Privacy Regulation saga rumbles on

The long-running e-Privacy Regulation saga continues. On 18 September 2019, the Council of the European Union (the Council) released proposed amendments to the draft regulation. We take a look at some of the proposals.

Proposals

The draft e-Privacy Regulation will replace the current Directive 2002/58/EC to “reinforce trust and security in the Digital Single Market”. It was meant to be introduced concurrently with GDPR in May 2018. However, it has been subject to many delays, debates and inter-EU institutional wrangling. The Council (under its current Finnish presidency) has now proposed additional changes to the existing draft.

The most eye-catching changes are new obligations regarding processing of electronic communications data to detect, delete and report child pornography.

Continue Reading

A new California privacy initiative seeks to further bolster individual privacy rights

Another potentially groundbreaking California ballot initiative has been announced, just as companies began to digest and incorporate the amendments to the California Consumer Privacy Act (CCPA) into their compliance plans and learned the draft CCPA regulations will be issued by the California Attorney General in October. Last week, the primary advocate for and co-architect of the CCPA announced a new privacy initiative for California’s November 2020 ballot – the California Privacy Rights and Enforcement Act of 2020 (CPREA), which would revise and expand upon the CCPA.

The new law would:

  • Create new rights around the use of sensitive personal information including race, ethnicity, geolocation, health and financial information.
  • Provide enhanced protection for children’s privacy by requiring opt-in consent to collect data from individuals under 16 and tripling CCPA fines on children’s privacy violations.
  • Require transparency around automated decision-making and profiling regarding employment, housing, credit, and politics.
  • Establish a new authority, the California Privacy Protection Agency, to enhance enforcement of the law and provide guidance to consumers.
  • Require corporations to disclose whether and how they use personal information to influence elections.
  • Require that future amendments are limited to furthering the law.

Continue Reading

Forget-me-not: Google v. CNIL defines territorial scope of the right to be forgotten

Today, the European Court of Justice (ECJ) handed down its decision in Google v. CNIL, dealing with the remit of the ‘right to be forgotten’ (RTBF). In short, the ECJ held that the operator of a search engine is not required to carry out de-referencing on all domain extensions of its search engine when dealing with a RTBF request. It is required, however, to carry out de-referencing on the versions of its search engine corresponding to all member states and take measures to protect the data subject’s fundamental rights. Though the decision was made under the former Data Protection Directive, it will have implications for data subjects under the General Data Protection Regulation (GDPR) as the RTBF was codified by GDPR Article 17.

Continue Reading

LexBlog