New DIFC Data Protection Law on the way…Are you ready?

Adela MuesHoward Womersley SmithBy Adela Mues, Tufayel Hussain and Howard Womersley Smith on Posted in Privacy & Data Protection, Regulatory

The Dubai International Financial Centre (DIFC) enacted the DIFC Data Protection Law No. 5 of 2020 (the DP Law) July 1, 2020. The DP Law has been designed primarily to bring DIFC’s data protection legal regime in line with international best practices in data privacy laws, in particular the General Data Protection Regulation (GDPR), which has ignited privacy and data law reform worldwide. DIFC entities have until October 1, 2020 to put in place structures, systems and controls that enable them to comply with the new law.

Our recent client alert details the changes brought in by the DP Law and how we can help.

The UK’s Supervisory Authority releases its Accountability Framework

Cynthia O’DonoghueBy Cynthia O’Donoghue and Sarah O'Brien on Posted in Privacy & Data Protection

The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies demonstrate compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and assess whether their current measures meet the ICO’s expectations.

The Accountability Framework consists of ten categories where the ICO expects companies to be able to demonstrate compliance:

  1. Leadership and oversight;
  2. Training and awareness;
  3. Transparency;
  4. Contracts and data sharing;
  5. Records management and security;
  6. Policies and procedures;
  7. Individuals’ rights;
  8. Records of processing and lawful basis;
  9. Risks and data protection impact assessments; and
  10. Breach response and monitoring.

Continue Reading

Recent developments concerning Brazil’s General Data Protection Law

Bart HuffmanSarah BrunoMatthew GluschankoffHaylie TreasBy Bart Huffman, Sarah Bruno, Matthew Gluschankoff and Haylie Treas on Posted in Global Data Transfers, Privacy & Data Protection

In August 2018, Brazil passed its General Data Protection Law (LGPD), which could become effective as soon as September 16, 2020. Now is the time for organizations that collect personal data of individuals in Brazil or process personal data in Brazil to assess their processing activities and consider how to comply with the new law, while also ensuring they maintain compliance with other applicable privacy frameworks such as the CCPA and GDPR. Recently, the Brazilian government has taken actions that provide more guidance and certainty as to the LGPD’s effective date and its enforcement. Our client alert discusses these developments, namely the likelihood that the LGPD will become effective very soon and the structuring of a regulatory body for its enforcement, as well as a high-level overview of the LGPD’s scope and applicability.

Customs surveillance of IP rights update from a French perspective

By Christophe Arfan on Posted in Intellectual Property, Regulatory

An Economic Operator Registration and Identification (EORI) number, which is used to identify each economic operator in relation to its dealings with EU Customs authorities, will become mandatory for the filing, modification and extension of applications for action, which allow Customs authorities to enforce the customs surveillance of intellectual property rights within the EU on September 15, 2020. As a consequence, in order to ensure the smooth processing of their requests with Customs authorities, IP right holders should prepare by obtaining an EORI number in order to be ready before any need of Customs action or any infringement situation arises.

Our recent client alert provides answers on how to apply for an EORI number and the benefits of having one.

A French approach to disclosing a pending IP dispute

Thierry LautierBy Thierry Lautier on Posted in In the Courts, Intellectual Property

Unlike other countries, such as the US, France has a conservative approach of when and how IP right holders are entitled to disclose a pending infringement dispute to their clients and investors, under the legal concept of “disparagement”. France takes this step in order to limit the negative impact on the competitor resulting from disclosure at a too-early stage of the pending dispute. The French Supreme Court long ago established the principle that an IP right holder’s disclosure to a client of an infringement claim against a competitor before any legal decision had been rendered made the IP right holder civilly liable for disparagement.

Our recent client alert provides answers to how and when to disclose a pending IP dispute in France

UK Supreme Court hands down another FRAND decision

Marianne SchaffnerJonathan RadcliffeBy Marianne Schaffner and Jonathan Radcliffe on Posted in Information Governance, Regulatory

FRAND issues are at the heart of the most significant patent cases in Europe (in the UK, Germany and France – please see our previous alert here). After the Nokia vs Daimler decision last week by the Mannheim Court, and decision handed down in Sisvel v. Haier earlier in May by the German Supreme Court, the UK Supreme Court has issued its much awaited decision in Unwired Planet v. Huawei on Wednesday, September 26.

The UK Supreme Court handed down a judgement confirming that English courts have the power to set global licensing rates for multinational patent portfolios under European telecom standards on Wednesday, August 26, 2020. This ruling places the UK on the map, alongside both France and Germany, as an attractive destination for litigation.

Our recent client alert provides insight into the judgement and the future impact on litigation.

Implications for your business due to U.S. Executive Order on WeChat

Denise JongLeigh T. HanssonDora WangInez WongBy Denise Jong, Leigh T. Hansson, Dora Wang and Inez Wong on Posted in Global Data Transfers, Regulatory, Social, Mobile, Analytics & Cloud (SMAC)

Michael R. Pompeo, the U.S. Secretary of State, announced the “Clean Network Program” which aims to ban the so-called “untrusted” carriers, applications, mobile application stores, cloud service providers, operators of undersea cables connecting the United States and the global internet on August 5, 2020. Companies that are involved in these businesses, or entities that transact with or rely on vendors that might be impacted are advised to keep abreast of further developments and additional announcements from the U.S. Government regarding the scope of the sanctions in connection with the “Clean Network Program” to assess and plan for contingencies with respect to their business operations and cross-border communication between the United States and other parts of the world.

On August 6, 2020, President Trump issued an Executive Order (EO) attempting to ban the use of WeChat and other “untrusted” technology companies to be identified by the U.S. Secretary of Commerce, with effect on September 20, 2020. Any U.S. businesses that transact with those companies should promptly consider alternatives.

Our recent client alert explains the EO and how it may affect your business.

Face-off part 2: UK Court of Appeal finds deficiencies in use of automated facial recognition technology

Cynthia O’DonoghueBy Cynthia O’Donoghue and Sarah O'Brien on Posted in In the Courts

On 11 August 2020, the Court of Appeal published its decision challenging the High Court’s approval of South Wales Police’s (‘SWP’) use of CCTV facial recognition. We wrote about the High Court’s judgment in September last year, which can be viewed here.

As a quick recap of the case, SWP used CCTV automated facial recognition (‘AFR’) software to enable faces on a ‘watchlist’ to be checked against faces taken from the CCTV feed in real-time. If a match was not found, the image taken from the CCTV was deleted automatically after the comparison was made, but if a match was found, the matching images would be reviewed by an AFR operator. Edward Bridges, assisted by human rights organisation Liberty, claimed that SWP’s use of AFR was not compatible with human rights law nor with data protection legislation. He made a claim for judicial review of SWP’s decision to deploy AFR. The High Court dismissed the claim.

The Court of Appeal decision

While the Court reaffirmed that the use of AFR was a proportionate interference with human rights, it reversed the High Court’s decision in a number of areas. In particular, the Court found:

  • There was insufficient operational guidance for the software, including guidance as to where the software could be used and who could be put on a watchlist. In particular, SWP’s Standard Operating Procedure did not specify any normative requirement as to where or when the monitoring could take place, or on what grounds the SWP could consider using AFR (e.g. on what basis they may believe the relevant people on the watchlist may be present at a particular location);
  • SWP’s data protection impact assessment was deficient, particularly as the assessment proceeded on the basis that data subjects’ Article 8 rights under the European Convention on Human Rights were not engaged (whereas the Court found that there were) and therefore the risks to the rights and freedoms of data subjects was not adequately assessed; and
  • SWP did not take reasonable steps to find out if the AFR software had a racial or gender bias, particularly as the software was a novel and controversial technology. It can be noted however that the Court did not find that the AFR software had such a bias, nor did it assess the extent to which such bias may be present.

The Court granted declaratory relief to reflect the points made above. It is understood that SWP does not seek to appeal against this judgment.

Comment

This judgment follows the spirit of the ICO’s comments made shortly after the High Court case (which can be read here, with a full opinion here), in which the ICO expressed concerns that police forces need to ‘slow down’ and ‘justify [AFR’s] use’. The decision was also welcomed by the Surveillance Camera Commissioner, whose statement may be read here.
This case demonstrates the importance of assessing the risks of implementing and using novel technologies that use biometric information, even if such biometric data is only held temporarily. Organisations hoping to use similar technologies should consider drafting a watertight operational policy for use of the technology and conduct a thorough data protection impact assessment.

Legal framework for influencers in Germany, the United Kingdom and the United States

John P. FeldmanToam RubinsteinDr. Alexander HardinghausRamona KimmichNick BreenBy John P. Feldman, Toam Rubinstein, Dr. Alexander Hardinghaus, Ramona Kimmich and Nick Breen on Posted in Regulatory, Social, Mobile, Analytics & Cloud (SMAC)

The COVID-19 pandemic has hit the brand ambassador and influencer industry in different ways. Social media engagement is up. Screen times have increased. Advertising campaigns of brand ambassadors for organizations and influencers might have been adjusted. Self-quarantining audiences have different demands. With the strong trust from their followers, influencers on social media channels such as Facebook, Instagram or Twitter still have a power that pays off.

Our recent client alert gives an updated overview of the legal framework that applies to influencers when posting content with promotional character in Germany, the United Kingdom and the United States.

Monetary Authority of Singapore publishes a “Consultation Paper on a Proposed New Omnibus Act for the Financial Sector”

Hagen RookeCharmian AwTamara BoxClaude BrownLee Ann DillonDavid AdelmanJanet CheungBy Hagen Rooke, Charmian Aw, Tamara Box, Claude Brown, Lee Ann Dillon, David Adelman, Janet Cheung and Johnny Lim on Posted in Regulatory

The Monetary Authority of Singapore (MAS) published a “Consultation Paper on a Proposed New Omnibus Act for the Financial Sector” (the CP) on July 21, 2020. The CP sets out proposals relating to the expansion of supervisory powers by the MAS in a range of important areas, including (among others) additional powers to take enforcement action against individuals, to apply new licensing requirements to certain types of virtual asset service provider (VASP), and to impose technology risk management (TRM) requirements. The consultation is therefore likely to receive significant attention from the financial services industry. The CP also has far-reaching implications for the overall structure of the Singapore financial services regulatory framework.

Read more about consultation in our client alert.

Interested parties must respond to the consultation by August 20, 2020. Should you wish to discuss any aspects of the consultation or require assistance with your feedback to the MAS, please reach out to any of the team below, or to your usual Reed Smith contact.

 

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, “Reed Smith”). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.

LexBlog