EU and Japan conclude talks on reciprocal adequacy finding

On July 17, 2018, the European Commission successfully concluded negotiations with Japan on a reciprocal adequacy finding which will allow personal data to flow freely from the EU to Japan (and vice versa).

The adequacy decision has not yet been formally adopted, as it must still undergo the respective EU and Japanese approval procedures, which the EU and Japan expect to complete by fall 2018.  During that period, Japan is expected to implement additional safeguards required in order to meet EU data protection standards (e.g., for onward transfers).

The conclusion of the negotiations follows Japan’s recent modernization of its data protection legislation, which increased the convergence between the two systems. By agreeing on a reciprocal adequacy decision, the European Commission (representing the EU) and Japan each acknowledge that the other’s data protection laws “adequately” protect personal data. Once the adequacy decision is adopted, data can flow safely between the EU and Japan without the need to adopt additional safeguards (e.g., standard contractual clauses). The adequacy decision is expected to strengthen trade and economic relations between the EU and Japan.

NTIA’s International Internet Policy Priorities for 2018 and Beyond

On July 20, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) published comments it received from a wide array of tech and telecom companies, trade groups, civil society, academia, and others regarding its “international Internet policy priorities for 2018 and beyond.” NTIA’s Office of International Affairs (“OIA”) had requested comments and recommendations from interested stakeholders in four broad categories: (1) free flow of information and jurisdiction; (2) the multistakeholder approach to Internet governance; (3) privacy and security; and (4) emerging technologies and trends. NTIA plans to use the comments it received to identify “priority” issues, and to leverage its resources and expertise to address stakeholders’ interests effectively.

District Court Rules “Direct Drop” Voicemails Subject to TCPA

Last month, a Michigan federal district court judge denied defendant’s motion for summary judgment regarding application of the Telephone Consumer Protection Act (“TCPA”) to “direct drop” voicemail messages (also known as “ringless voicemail”).  Emphasizing the “broad net” cast by the TCPA, Judge Gordon J. Quist of the Western District of Michigan held that such messages constitute “calls” under the statute.

Plaintiff Karen Saunders alleged that defendant Dyck O’Neal, Inc., made repeated debt collection calls to her over the course of a year.  In addition to these calls, defendant left approximately 30 direct drop voicemails on plaintiff’s mobile phone.  Dyck O’Neal argued that these voicemails did not fall within the scope of the statute, as its service provider, VoApp, did not dial Saunders’ cell phone number to leave the message, but instead, through alternate technology, placed the message directly on a voicemail service.  The court rejected this argument, finding that “by leaving a voicemail directly with the server space associated with Saunders’ phone, Dyck O’Neal was attempting to communicate with Saunders via her phone—which is the definition applied to the TCPA’s use of ‘call.’”

The service provider in Saunders filed a petition for declaratory ruling with the Federal Communications Commission (“FCC”) in 2014, arguing that its service should not be covered by the TCPA. Last year, All About the Message, LLC, another service provider, again sought a declaratory ruling, although it later withdrew its petition. The FCC has not yet spoken on this issue.

French Supervisory Authority Issues 2 GDPR Warnings

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses 

Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of geolocation data for targeted advertising (see here). The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”). The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.

Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users. The two companies create profiles of the app users based on the users’ visits to certain points of interest identified by the customers, such as the physical stores of the customer (or of competitors). They then provide advertising in the form of pop-ups to the app users. Once a user has downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as an advertising ID and technical information about the device (e.g., MAC address). Both companies relied on user consent obtained by the app operator to process the personal data they collected. The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.

The CNIL concluded that the consent obtained did not meet the requirements of the GDPR. Under the GDPR, consent must be “freely given, specific, informed and unambiguous”. According to the CNIL, the consent obtained met none of these requirements.

India’s Committee of Experts Releases Draft Personal Data Protection Bill

On July 27, 2018, the Government of India’s Committee of Experts released a draft Protection of Personal Data Bill. Together with an accompanying report, the draft bill moves India one step closer towards enacting a comprehensive data protection regime.

Last year, the Supreme Court of India issued a landmark decision holding that privacy is a fundamental right under India’s Constitution. In that opinion, the Court invited the Government of India to formulate “a regime for data protection.” As a result, the Government established the Committee of Experts “to study various issues relating to data protection in India, make specific suggestions on principles underlying a data protection bill and draft such a bill.”

In November 2017, that Committee released a White Paper that outlined its views on data protection and solicited public comments. The draft bill incorporates those comments as well as the Committee’s own analysis.

Secretary Azar Says HHS Will Reform Health Privacy Regulations

On July 26, Secretary of the U.S. Department of Health and Human Services (HHS) Alex Azar said that HHS will undertake an effort to reform federal health privacy rules, including those under HIPAA and the rules governing substance abuse treatment records at 42 C.F.R. Part 2 (Part 2). In speaking about efforts by the Trump Administration to improve value-based care efforts that improve efficiency and reward outcomes in clinical treatment, Secretary Azar said that, “in the coming months,” HHS plans to release requests for information on HIPAA and Part 2. Following those requests, HHS will undertake “regulatory action to reform these rules.” Secretary Azar noted that these rules hinder not only value-based care, but also efforts to combat opioid addiction.

The HIPAA rules were last overhauled in 2013 when HHS promulgated the Omnibus Final Rule, following enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Notably, the Omnibus Final Rule made the HIPAA rules directly applicable to business associates. However, the Omnibus Final Rule did not address what critics view as barriers to sharing data in the HIPAA rules, which may hinder efforts to encourage providers to adopt electronic health technology more broadly. Recently, CMS has touted efforts to promote patient access to health data among Medicare beneficiaries, though CMS has not said whether these efforts will involve changes to HIPAA rules. It is possible that HHS will use this opportunity to make the HIPAA rules more supportive of efforts by CMS to encourage broader adoption of health care technology.

In any event, companies with interest in health privacy regulations should consider submitting ideas or policy proposals to HHS when the request for information is issued.

The GDPR and Blockchain

Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its most famous use is as the architecture of the cryptocurrency Bitcoin; however, it has many other potential uses in the financial sector, for instance in trading, clearing and settlement, as well as various middle- and back-office functions. Its transformative capability also extends far beyond the financial sector, including to smart contracts and the storage of health records, to name just a few.

A blockchain is a shared, immutable digital ledger that records transactions, documents or other information in a block, which is then added to a chain of other blocks on a decentralised network. Blockchain technology operates through a peer network, where transactions must be verified by participants before they can be added to the chain.

Notwithstanding its tremendous capabilities, for the technology to unfold its full potential there needs to be careful consideration of how it can comply with new European privacy legislation, namely the General Data Protection Regulation (the “GDPR”), which came into force on 25 May 2018. This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR.

Dutch Supervisory Authority Announces GDPR Investigation

On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”); see the official press release here (in Dutch). To that end, the authority will review the “records of processing activities” of thirty randomly selected corporations located in the Netherlands.

Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities. These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used. Organizations with fewer than 250 employees are generally exempt, but there are several exceptions to the exemption that may still cause this obligation to apply to them as well.

The thirty corporations will be selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.

According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the new EU data protection rules.

Covington Artificial Intelligence Update: China’s Framework of AI Standards Moves Ahead

China has set out on an ambitious agenda of aiming to become the world leader in artificial intelligence by 2030. Policy experiments form a critical part of China’s AI development strategy, and to that end multiple government think tanks have set about formulating standards that may impact AI innovation in China.

The China Electronics Standardization Institute (“CESI”), the major think tank responsible for standardization work under the Ministry of Industry and Information Technology (“MIIT”), is one of the key players in AI standardization in China. On January 24, 2018, CESI released the Artificial Intelligence Standardization Whitepaper, which summarizes current developments in AI technology, standardization processes in other countries, China’s AI standardization framework and China’s plan for developing AI capabilities going forward.

Since the release of that whitepaper, CESI has continued its standardization work on two parallel tracks. As the lead agency for China, CESI has been actively engaged in developing international standards. It is an active member of the ISO/IEC JTC 1/SC 42 subcommittee that develops international standards for the AI industry.

To both support CESI’s international standard-setting work and develop China’s domestic AI standardization framework, CESI has established three working groups: one working group aiming to produce guidelines for establishing the AI standardization system in China, one working group focusing on AI and open source, and another on AI and social ethics. By the end of this year, the three working groups are due to produce papers that will guide China’s standardization efforts in the years to come. CESI aims to leverage China’s domestic standardization work in the development of international standards, while at the same time learning from international stakeholders when formulating its own standards.

Some of the national AI standards led by CESI have already been finalized, such as the Specification of Programming Interfaces for Chinese Speech Recognition Internet Services. More standards are under development or slated for development in the near future. These standards cover the categories of testing and evaluation, AI platforms, edge intelligent computing and chips, machine learning, computer vision, human-machine interaction, augmented reality, virtual reality, robotics, smart home, intelligent medicine and AI security.

In parallel, other government think tanks are also moving forward on developing industry standards for AI. The Artificial Intelligence Industry Alliance (AIIA), an industry alliance established by China’s regulators with about 200 members, is seeking to develop industry standards on assessment and certification systems for AI products and services. These standards will set out requirements and testing methods for AI hardware and for AI platforms providing services based on voice, language and images.

Interested stakeholders may wish to closely follow progress being made by CESI, AIIA, and other agencies.

Many thanks to Zhijing Yu and Runze Li for their contributions to this post.

China Seeks Public Comments for Draft Cybersecurity Regulations

On June 27, 2018, China’s Ministry of Public Security (“MPS”) released for public comment a draft of the Regulations on Cybersecurity Multi-level Protection Scheme (“the Draft Regulation”). The highly anticipated Draft Regulation sets out the details of an updated Multi-level Protection Scheme, whereby network operators (defined below) are required to comply with different levels of protections according to the level of risk involved with their networks. The comment period ends on July 27, 2018.

China’s Cybersecurity Law (“CSL”), which took effect on June 1, 2017, requires the government to implement a Multi-level Protection Scheme (“MLPS”) for cybersecurity (Article 21). The Draft Regulation, a binding regulation once finalized, echoes this requirement and provides guidance for network operators to comply with the Cybersecurity Law.

The Draft Regulation updates the existing MLPS, which is a framework dating back to 2007 that classifies information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked. The classification levels range from one to five, one being the least critical and five being the most critical. Information systems that are classified (initially self-assessed and proposed by operators and then confirmed by MPS) at level 3 or above are subject to enhanced security requirements.

Obligations for network operators

The obligations set out apply to network operators, which Article 21 of the CSL broadly defines to include all entities using a network (including the Internet) to operate or provide services. Network operators will be subject to different cybersecurity requirements corresponding to their MLPS classification level.

  • Self-assessment of security level. All network operators are responsible for determining the appropriate security level for their networks at the design and planning stage, taking into account the functions of the network, the scope and targets of service, and the types of data being processed. When network functions, service scope or types of data processed change significantly, network operators are required to re-assess their classification level. In addition, operators of networks classified level 2 or above are required to arrange for “expert review” of the classification level and may also be required to obtain approval from industry regulators and the MPS.
  • Cybersecurity requirements.
    • All network operators. The Draft Regulation sets out requirements generally applicable to all network operators regardless of classification level, which largely track the requirements under Article 21 of the CSL. All network operators are required to conduct a self-review of their implementation of the cybersecurity MLPS system and the status of their cybersecurity at least once per year, and should promptly rectify identified risks and report such risks and remediation plans to the MPS office with which the operator is registered.
    • Operators of networks classified level 3 and above. Additional requirements apply to operators of networks classified level 3 and above; some of them repeat or overlap with the general requirements above. New level 3 networks must be tested by MLPS testing agencies accredited by MPS (a list of accredited testing agencies is available here) before they can come online. (By way of comparison, operators of networks classified level 2 and below can test their own new network before it comes online.) Operators of networks classified level 3 and above are also required to formulate cybersecurity emergency plans and regularly carry out cybersecurity emergency response drills (e.g., tabletop exercises).
  • Security incident reporting. The Draft Regulation briefly mentions that network operators are required to report incidents to MPS within 24 hours. Although the Draft Regulation does not elaborate on the reporting process or the information required for such notifications, this requirement imposes a new reporting timeline on network operators, because the CSL itself does not set a specific time frame for reporting.

Additional requirements for operators of networks classified level 3 and above

Operators of networks classified level 3 and above are also subject to other requirements, including those relating to the procurement of products and services, technical maintenance performed overseas, and the use and testing of encryption measures. In addition, the Draft Regulation restricts the ability of certain personnel to attend “offensive and defensive activities organized by foreign organizations” without authorization.

Enforcement and Liability

The Draft Regulation stipulates a wide array of investigative powers for MPS and sanctions for non-compliant companies, ranging from on-site inspection, investigation, and “summoning for consultation” to monetary fines and criminal liability.

* * * * *

While the meanings of certain terms in these requirements are still not clear and may require further interpretation, multinational companies operating in China may wish to closely follow developments relating to the Draft Regulation and understand how recent developments may affect their business operations. Companies have until July 28 to provide feedback to the Chinese government on possible amendments.

For a more in-depth analysis of the Draft Regulation, please refer to our recent client alert here.
