Weekly Data Privacy Alert – 9 January 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Protection & Cybersecurity team. This week’s alert covers news from the EU, Germany and the United States.

EU

  • New Regulation Proposed to Ensure Privacy in Electronic Communications

Germany

  • Bavarian Data Protection Authority Informs on Marketing in the GDPR Context
  • German Lawyers’ Association Takes Stand on the Issue of Data Ownership

United States

  • Email Privacy Act Again Before US Congress

For more information on any of these items, or data privacy issues generally, please feel free to call any of the following individuals:

Annette Demmel (Germany)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

Philip Zender (San Francisco)

Pink or Orange: Colors That Are the By-Product of a Functional Improvement to a Product Are Not Entitled to Trade Dress Protection

On January 5, the U.S. District Court, District of Colorado ruled that ceramics company CeramTec GmbH is not entitled to trade dress protection for the pink color of its hip implant components. C5 Med. Werks, LLC v. CeramTec GmbH, D. Colo., No 14-cv-00643-RBJ, 1/5/17. The decision highlights the limits of trade dress protection, which only extends to non-functional elements that serve to identify a product’s source.

The plaintiff, C5 Medical Werks LLC, brought suit to cancel CeramTec’s trademark registration for pink hip implant components on the basis that the pink color is functional and therefore not entitled to trade dress protection. After a bench trial, the court agreed. The court found that the hip implant components’ pink color is the natural result of adding chromium to the components. The court further found that the chromium increases hardness and thereby improves the components’ quality.

Proposal for New EU e-Privacy Regulation Published

The European Commission today published its formal proposal for a new regulation on e-Privacy (“ePR”), following publication of a leaked draft in late December 2016. The Commission also issued a communication on “Exchanging and Protecting Personal Data in a Globalised World”, a communication on “Building a European Data Economy” and a proposal for a Data Protection Regulation applicable to the EU institutions, as part of its Digital Single Market strategy.

The proposed ePR is intended to replace the current e-privacy Directive, updating it in line with the General Data Protection Regulation (“GDPR”) and technological developments that have occurred since the e-privacy Directive was amended in 2009.

The ePR proposal regulates the processing of electronic communications data and metadata, storage and erasure. In line with the proposed Electronic Communications Code, it would extend the obligations applicable to traditional electronic communications networks and services to cover certain online services, such as Voice over IP and web-based e-mail services. The proposed ePR also contains revised rules of general applicability regarding the installation and use of so-called cookies and similar apps as well as the sending of unsolicited communications. The European Commission proposes that the supervisory authorities responsible for the monitoring of the GDPR also monitor the application of the ePR.  The proposed level of fines for violations reflects the GDPR values (up to 2% or 4% of worldwide turnover).

The proposed legislation must now be reviewed by the European Parliament and the Council. The European Commission aspires to have the ePR enter into force on 25 May 2018, the same date as the GDPR. This is an ambitious objective given the concerns about the proposed rules that have already been raised by industry and consumer rights groups.  Further analysis of the proposed ePR may be found on our website.

Data Privacy – Commission changes existing decisions on standard contractual clauses and adequacy of third countries

In the aftermath of the Court of Justice of the European Union’s (“CJEU”) judgment invalidating Safe Harbor, on 16 December 2016 the European Commission published two decisions, changing its previous decisions on standard contractual clauses (“SCC”) and adequacy decisions on third countries. Arguably, the amendments have been made in order to minimise the risk of the earlier decisions being invalidated by the CJEU in the same way that Safe Harbor was invalidated back in 2015.

Context

In its judgment in Schrems in October 2015, the CJEU ruled that national data protection authorities (“DPAs”) in Europe must retain the power to ensure that personal data is protected in accordance with the Data Protection Directive and the EU Charter of Fundamental Human Rights, and that this power cannot be restricted by a decision of the Commission.

Limitations to the powers of DPAs, similar to those that applied to Safe Harbor, exist both in the 10 adequacy decisions (other than for the Privacy Shield) and in the decisions adopting the SCCs.

After the CJEU invalidated Safe Harbor in 2015, many organisations, including high profile global brands and platforms, switched to SCCs as the new basis for the transfer of EU user data to the US. However, the SCCs themselves are now subject to a validity challenge similar to that previously launched against Safe Harbor.  The issue of transfers based on SCCs has been referred by the Irish DPA to the Irish High Court and could ultimately be referred to the CJEU. In light of this, the European Commission has decided to hurriedly change its decisions on SCCs as well as the adequacy decisions, arguably to prevent any risk of invalidation by the CJEU.


Weekly Data Privacy Alert – 2 January 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Protection & Cybersecurity team. This week’s alert covers news from the UK and the USA.

United Kingdom

  • Investigatory Powers Act Challenged in Court of Justice for the European Union

United States

  • New York Department of Financial Services Issues Revised Cybersecurity Regulation
  • Privacy Implications of 21st Century Cures Act
  • Case Under Illinois Biometric Privacy Law Settled

For more information on any of these items, or data privacy issues generally, please feel free to call any of the following individuals:

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

New French Regulation on Online Platforms

We have previously posted on the new French Digital Republic Bill which modified a number of provisions of the French Data Protection Act and other data protection related regulations. This post looks at another change introduced by the Bill.

The Bill introduces a new regulation on online platforms, in the consumer protection code and the code of tourism.

Online platforms

The regulation defines an “online platform operator” as any individual or company, providing for free or in return for a fee (i) online referencing or comparison shopping services or (ii) online marketplaces.

The Bill provides that online platforms must provide fair, clear and transparent information on:

  • the terms and conditions of use;
  • the way in which the contents, goods or services are referenced, delisted or classified;
  • the existence of a contractual relationship, financial interest or a remuneration that influences referencing or comparison; and
  • the advertiser and the rights and obligations of the parties in civil and tax matters, when consumers are put in contact with professionals or non-professionals.

A number of implementing decrees are still pending.

The Bill also provides that major operators must develop and publish consumer “best practices” aimed at reinforcing the obligations of transparency and loyalty.

The supervisory authority has the power to:

  • conduct surveys to evaluate and compare the practices of online platform operators;
  • collect relevant information from such operators; and
  • publish the results of these evaluations and comparisons as well as a list of online platforms that are non-compliant.


Social networks and forums

The Bill provides that social networks, forums and chatrooms operated by companies or individuals (even where these are incidental to the company’s or individual’s main activity) must:

  • provide users with fair, clear and transparent information on the publication and processing of posts;
  • provide information on the existence and manner of moderation;
  • display the date of the posts and any updates;
  • provide reasons for the rejection of a post; and
  • implement a functionality, free of charge, that allows those responsible for the products or services that are the subject of an online notice to question the authenticity of the post, provided that such a statement is reasoned.

Online homestay networks for very short-term rental residential properties

The code of tourism provides that very short term rentals may be subject to prior registration with the local town administration. In such a case, the Bill provides that the online homestay network must publish the relevant registration and ensure that, where the relevant property is the lessor’s principal place of residence, it is not rented for more than 120 days per year.

Implementing decrees are still pending in relation to monitoring of the implementation and sanctions.

For more information on any aspect of the French Digital Republic Bill, please feel free to call Stephanie Faber.

Material Changes to French Data Protection Regulation

On 7 October 2016, a new French Digital Republic Bill came into force, modifying a number of provisions of the French Data Protection Act and other data protection related regulations. The Bill:

  • modifies the rights of data subjects and the obligations of data controllers;
  • increases the powers of the CNIL;
  • introduces a new provision on data portability into the consumer protection code; and
  • amends the code of electronic communication to extend the secrecy of correspondence.

Please read on for a brief explanation of each of these modifications.


Video Surveillance in Public Areas – Lawful or Not?

After the brutal terror attacks in Berlin and Ansbach and the rampage in Munich last year, the German Government intends to allow video surveillance in public areas.

Therefore, the German Government has presented a draft law that facilitates video surveillance for private operators of public areas and public events. More precisely, the Federal Data Protection Law will be amended to introduce a legal basis for video surveillance. According to the draft law, the protection of life, health and freedom shall be regarded as a “particularly important public interest” that allows video surveillance. Private operators will not be obliged to install cameras. However, the government hopes that they will make more use of them.

Assuming the draft law does come into force, the new legal basis for video surveillance may also be applicable after May 2018, when the EU General Data Protection Regulation (GDPR) becomes enforceable. The GDPR contains flexibility clauses that allow Member States to maintain or introduce more specific provisions in certain circumstances.

The German Association of Judges considers that the draft law conflicts with the German Constitution. The Association’s view is that the law would conflict with the fundamental right of informational self-determination. This fundamental right is also embodied in the fundamental right of human dignity and any limitation of the right of informational self-determination requires a legal basis that is sufficiently precise and clear. The Association also considers that the draft law does not meet the requirements around the prohibition of excessive measures. The majority of people observed by video surveillance in public areas are not given a reason for the surveillance. The Association’s view is that a feeling of being observed constitutes a breach of the fundamental rights of informational self-determination/human dignity. The Association is also of the opinion that public safety and security is a core function of the state and not of private companies.

There is concern that the introduction of video surveillance will lead to a heightened sense of being observed among the German public. It is doubtful whether that will actually happen given that most public areas are already observed by thousands of private mobile cameras. More generally, the likely effectiveness of video surveillance is questionable.  Will cameras be effective in deterring terrorist attacks?  Cameras are likely to be most useful in capturing images that will allow suspected terrorists to be apprehended and so, arguably, video surveillance serves the investigation of criminal offences only. In addition, many people would agree that public safety and security is a fundamental task of the State and that this should not be transferred to the private sector.  In light of this, perhaps the proposed amendments to the Federal Data Protection Law are inappropriate?

In the German context, the reinforcement of video surveillance poses problems with the fundamental right of the supervised persons. However, the recent disasters show the very real risk of terrorist atrocities in public areas. Whether video surveillance will be an effective solution remains to be seen.

Is the Broadest Reasonable Interpretation of Claim Terms, as Applied in Inter Partes Review, Converging on the Standard Applied in Litigation?

This past summer, the Supreme Court settled the debate about the standard to be applied by the Patent Trial and Appeal Board (PTAB) in construing patent claims – finding its use of the broadest reasonable interpretation (BRI), the approach used by the US patent office for the past century, was proper.1 Its decision left in place what academics and practitioners alike had bemoaned to be an unjustified distinction in the standards used by the PTAB in assessing the validity of claims compared to those used by the courts.2 This may, however, become a distinction without a difference.

The rules for determining the BRI are seemingly self-evident. The patent office instructs its patent examiners to give pending claims “their broadest reasonable interpretation consistent with the specification.” MPEP §2111. It emphasizes that this does not mean the broadest “possible” interpretation. Rather, the meaning of a claim term must be “consistent with the ordinary and customary meaning of the term [and] the use of the claim term in the specification and drawings.” Id. Limitations on the plain meaning of a claim term can be made, but only if the patentee expressly provides for them.

New York Revamps Proposed Cybersecurity Regulation for Financial Services and Insurance Entities

On December 28, 2016, the New York Department of Financial Services (“DFS”) published in the State Register a revised proposed cybersecurity regulation (23 NYCRR 500). The deadline to submit comments on this version is January 27, 2017, and the proposed effective date of the regulation is March 1, 2017. This version of the proposed regulation took into account the over 150 comments received since the DFS first proposed the regulation in September. The earlier proposed regulation is described in our September Alert.

While maintaining the structure and subject matter of the original draft proposal, the revised cybersecurity regulation attempts to provide more flexibility and company customization. It does so by (1) simplifying some of the requirements; (2) linking compliance to items material to the regulated entities; and (3) loosening up the reporting and timing requirements found in the original draft. Unlike the initial proposed regulation, the new version now provides entities with an eighteen-month transitional period to create written procedures to ensure the security of their applications, establish policies for the secure disposal of nonpublic data, and develop an audit trail system, and a two-year transitional period to develop and implement written policies and procedures for their third-party vendors.
