By Nikolaos Theodorakis
China’s new cybersecurity law (“Cybersecurity Law”), which came into force on 1 June 2017, is a milestone. Unlike the EU, which has adopted the General Data Protection Regulation, China does not have an omnibus data protection law. It instead regulates privacy and cybersecurity issues through a number of industry-specific laws, for example in the health and education sectors. The Cybersecurity Law is somewhat different, since it has a wide scope and contains provisions relevant both to data privacy and to cybersecurity.
What is the new law about?
The Cybersecurity Law focuses on the protection of personal information and privacy. It regulates the collection and use of personal information. Companies based in or doing business with China will now be required to introduce data protection measures, and certain data must be stored locally on domestic servers. Depending on their activity, companies may need to undergo a security clearance prior to moving data out of China.
The Cybersecurity Law defines personal information as any information that, on its own or in combination with other information, can determine the identity of a natural person (e.g. name, DOB, address, telephone number, etc.). It mainly regulates two types of organizations, network operators and Critical Information Infrastructure (CII) providers.
Network operators must:
- Acquire the user’s consent when collecting their personal information (it is yet unclear whether consent must be express or not);
- State the purpose, method and scope of data collection;
- Keep the information secure and private (e.g. use back up and encryption methods);
- In the event of a data breach or likely data breach, take remedial actions, inform users and report to competent authorities;
- Erase personal information in case of an illegal or unauthorized collection, and correct inaccurate information;
- Keep log-files of cybersecurity incidents and implement cybersecurity incident plans.
CII providers are required to observe the same cybersecurity practices as network operators, along with additional requirements such as conducting annual cybersecurity reviews. Furthermore, they are required to store personal information and “important data” within China, as discussed below.
What does this mean for businesses?
If your company is doing business in China, or has a physical presence in China, you will need to conduct a gap assessment to determine whether you must undertake changes to be fully compliant with the cybersecurity law.
Failure to comply with the new law comes with significant consequences: a monetary fine of up to 1 million yuan (about $150,000) and potential criminal charges. Individuals (e.g. company directors/managers) may be subject to personal, albeit lesser, fines as well. In determining the applicable sanction, elements taken into account include the degree of harm and the amount of illegal gains. Fines could go up to ten times the amount of ill-gotten gains, potentially skyrocketing the amount. The law also gives the Chinese government the ability to issue warnings, confiscate companies’ illegal income, suspend a violator’s business operations, or shut down a violator’s website.
Not every aspect of the Cybersecurity Law applies to all companies, however. Many of the law’s provisions only apply to the two types of companies mentioned above, network operators and critical information infrastructure providers. However, these categories are defined quite broadly. Even companies that would not ordinarily consider themselves as network operators or CII providers could see the law applying to them.
Indeed, network operators include network owners, administrators and service providers. Networks are “systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information according to certain rules and procedures” (Article 76 of the new Cybersecurity Law). The Cybersecurity Law does not differentiate between internal and external networks; the Law is broad enough to include any company that owns an internal network. The Cybersecurity Law therefore suggests that any company that maintains a computer network, even within its own office, could qualify as a network operator. Companies based outside of China that use networks to do business within China could also fall under this definition (e.g. an EU-based company that uses networks in China to process data for its operations).
Critical Information Infrastructure providers are defined more narrowly: those that if lost or destroyed would damage Chinese national security or the public interest. This includes information services, transportation, water resources and public services. The law also includes more generally-applicable requirements that relate to cybersecurity and contains provisions that apply to other types of entities, like suppliers of network products and services.
Current and upcoming data localization requirements
The new cybersecurity law also requires critical information infrastructure providers to store personal information and important data within China and conduct annual security risk assessments. Important data is not defined in the Cybersecurity Law, yet it likely refers to non-personal information that is critical.
Apart from CIIs, it is anticipated that several foreign companies doing business in China will be required to make significant changes to how they handle data. The draft version of the “Measures for Security Assessment”, published by the Cyberspace Administration of China, suggests expanding the data localization requirements to all network operators. If adopted, this measure will mean that practically all personal information that network operators collect within China must not leave the country other than for a genuine business need and after a security assessment. In anticipation of this development, there is a trend for foreign companies to set up data centers in China to be able to store data locally.
The Draft Implementation Rules also suggest that individuals and entities seeking to export data from China, even if they are not network operators and are based outside China, must conduct security assessments of their data exports. This development, if applied, will significantly expand the cybersecurity law’s data localization requirements.
Over the coming months, the Chinese government will continue to issue implementing legislation and official guidance clarifying the scope of the law.
By Maria Sturm
On 6 May 2015, the European Commission issued a communication with the title “A Digital Single Market Strategy for Europe” to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. This digital single market strategy is comprised of three main pillars:
- Better access to online goods and services for consumers and businesses across Europe.
- Creating the right conditions for digital networks and services to flourish.
- Maximizing the growth potential of the European Digital Economy.
The second pillar includes the goal of creating new possibilities to process communication data and to reinforce trust and security in the Digital Single Market. Therefore, in January 2017, the EU Commission issued a proposal for a “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”. A study was conducted on behalf of the EU Commission to evaluate and review Directive 2002/58/EC. The most important findings of the study were:
- The Member States transposed the directive in very different ways. This uneven transposition led to legal uncertainty and an uneven playing field for operators.
- This fragmented implementation leads to higher costs for businesses operating cross-border in the EU.
- New means of communication (e.g. WhatsApp) are not covered by the directive. This means that EU citizens enjoy a different level of protection, depending on which communications tools they use.
Based on these findings, the new proposal seeks to keep up with the pace of the fast developing IT-services. The data business is an important economic actor, which creates a lot of workplaces. This sector needs to be able to use data and make it available. But on the other hand, consumer protection and privacy, as emphasized in Art. 7 of the Charter of Fundamental Rights of the EU, are important in establishing and maintaining trust in the digital single market. Thus, the proposal aims to strike the right balance between the expectations of businesses and the expectations of consumers, and to establish a framework for more security on both sides.
The focal points of the proposal are:
- The directive will be replaced by a regulation to create an even playing field for operators across the EU. While a directive needs to be transposed by each single Member State, the regulation becomes immediately enforceable.
- The proposal covers new means of communication, such as instant messaging or VoIP telephony, the so-called “Over-the-Top communications services”. It therefore guarantees the same level of confidentiality no matter whether a citizen of the EU uses a new communication system or makes a “traditional” phone call.
- New business development opportunities can emerge, because once consent is given, communication data can be used to a greater extent.
- Cookie-rules, which today are cumbersome and result in an overload of consent requests, will be streamlined and made more user-friendly.
- Spam protection will be increased.
- Enforcement will be delegated to national data protection authorities, which are already responsible under the General Data Protection Regulation. This makes enforcement more effective.
The proposal attacks directly the problems and issues detected by the study on Directive 2002/58/EC and aligns the ePrivacy legislation with the General Data Protection Regulation of April 27, 2016 (see also TTLF Newsletter of February 3, 2017). There may be further changes made to the proposal during the rest of the discussion. It remains to be seen exactly what those developments will entail. However, it is a given that the current legislation on privacy and electronic communication is fragmentary and needs to adapt to new electronic evolutions and needs.
 European Commission, Press Release IP-17-16.
 Voice over Internet Protocol.
By Nikolaos Theodorakis
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the UK’s Data Protection Act 1998 (DPA). It is yet unclear how Brexit will play out, yet in the meantime the United Kingdom is moving to adopt the GDPR principles so that it adequately protects the personal data transferred within the EU. The GDPR sets a high standard for consent and compliance, which means that companies must start preparing for this transition.
The Information Commissioner’s Office (ICO) issued guidance on GDPR consent on 2 March, explaining its recommended approach to compliance and its definition of valid consent. The ICO also provides examples and practical advice that can assist companies in deciding when consent is unbiased, and when other alternatives must be sought.
The guidance’s main points on consent are:
- Individuals should be in genuine control of consent;
- Companies should check their existing consent practices and revise them if they do not meet the GDPR standard. Evidence of consent must be kept and reviewed regularly;
- The only way to adequately capture consent is through an opt-in;
- Explicit consent requires a very clear and granular statement;
- Consent requests should be separated from other terms and conditions. Companies should avoid making consent a precondition of service;
- Every third party who relies on the consent must be named;
- Individuals should be able to easily withdraw consent;
- Public authorities and employers may find using consent difficult. In cases where consent is too difficult, other lawful bases might be appropriate.
The basic notion of consent is not new. It was initially defined under the Data Protection Act 1998 (DPA) that implemented the Data Protection Directive 95/46/EC, which is currently in force. The GDPR builds on the standard of consent that was introduced in the DPA and includes more details and specific requirements. Consent is now defined in Article 4(11) of the GDPR in a similar way as in previous legislation, yet adding requirements of unambiguity and clear affirmative action. More provisions throughout the GDPR however relate to consent (e.g. Article 7 and recitals 32, 42 and 43), which complicates the notion of consent and what employers need to do to secure valid consent.
The ICO is running a public consultation on the draft guidance until 31 March 2017 to solicit the views of relevant stakeholders and the public. The feedback received will then be taken into account in the published version of the guidance, which is provisionally aimed for May 2017. The GDPR consent guidance can be found here, and the public consultation form here.
Other European countries have already launched relevant public consultation events:
In June 2016, the French data protection authority (“CNIL”) launched a public consultation on the GDPR. Two hundred twenty-five organizations participated in the public consultation and the outcome was integrated into recent guidance from the Consortium of European Data Protection Authorities. The CNIL’s report on the French public consultation is available (in French) here.
In Germany, the Interior Ministry has been drafting a proposed Data Protection Amendments and Implementation Law (Datenschutz-Anpassungs- und Umsetzungsgesetz – or “DSAnpUG”) approximately since the GDPR was passed. The DSAnpUG implements the GDPR as well as the EU Law Enforcement Information Sharing Directive 2016/860. At present, several committees of the Upper House of Parliament (Bundesrat) are debating the draft, and a full vote of the Upper House is scheduled for March 8, 2017.
In February 2017, the Spanish Ministry of Justice launched a public consultation as a preliminary step before the drafting of a new bill implementing the GDPR. The press release on the Spanish consultation is available (in Spanish) here.
It is important to remember that invalid consent can have severe financial consequences, apart from reputational damage. Infringements of the basic principles for processing personal data, which includes consent, are subject to the highest tier of administrative fines. This means a fine of up to 20 million Euro, or 4% of a company’s total worldwide annual turnover, whichever is higher, could be issued.
National Competition Authorities take position on regulatory measures for online transport platforms
By Gabriele Accardo
In May 2015, the European Commission committed to assess the role of online transportation platforms, such as Uber, as it launched a public consultation to better understand the social and economic role of platforms, market trends, the dynamics of platform development and the various business models underpinning the platforms. According to the Commission, knowledge gained through this exercise will also contribute to various legislative initiatives—including online platforms regulation—which the Commission plans to launch to boost the Digital Single Market.
Currently there is a heated discussion as to whether online platforms should be subject to regulation at all.
While the European Commission may still take some time to elaborate on the contributions to the public consultation and eventually to state whether and to what extent some form of regulation may be warranted, recently, two national competition authorities, namely the UK Competition and Market Authority (CMA) and the Italian Competition Authority (ICA), made their view public.
The Position of the ICA
On September 29, 2015, the ICA issued an opinion on the legality of activities carried out by companies like Uber, which are carried out by either professional (e.g. Uber Black) or non-professional (e.g. Uber Pop) drivers through digital platforms accessible by tablets and smartphones.
The ICA first noted that it is not yet clear whether acting as an intermediary between the owner of a vehicle and a person who needs to make a trip, by managing IT resources, is merely a transport service or must instead be considered an electronic intermediary service or an information society service, as defined by Article 1(2) of Directive 98/34/EC.
The ICA noted that the Court of Justice of the European Union shall rule on this specific issue, and that until then it cannot be ruled out that the activity falls within the second category (i.e. an electronic intermediary service), which is not regulated, and therefore totally legitimate.
That said, the ICA made the following findings, taking into account the characteristics of the activities carried out by Uber.
First, the ICA recognized that even traditional taxi services are more and more adopting technologies similar to those embraced by Uber. Yet, the ICA stressed that services such as Uber ensure a greater ease of use of the mobility service, a better response to a public need for which there is no current offering, and the ensuing reduction of the costs for users of such services. Last but not least, to the extent that it discourages the use of private means of transportation, Uber-like services also contribute to the decongestion of urban traffic.
Second, with regards to the activity of UberBlack or UberVan, i.e. transport services carried out by professional drivers, the ICA considers the current regulation (Italian Law No. 21 of 1992 concerning the non-linear public transport of people) as restrictive of competition insofar as its provisions restrict the geographic scope of the activity of vehicles to the municipality that has granted them a license, and further require that after each trip, each car must return to the base.
Third, with regard to services such as those provided by UberPop, consisting of acting as an intermediary between the owner (non-professional driver) of a vehicle and a person who needs to make a journey within a city, the ICA observed that the Court of Milan ordered the blocking of UberPop throughout the national territory, allegedly because this service would breach the rules regulating the taxi industry and may be characterized as an act of unfair competition. In that respect, the Court held that UberPop’s activity cannot be carried out to the detriment of people’s safety, in terms of the cars used for the service, the suitability of drivers, as well as insurance coverage.
Yet, the ICA held that, even so, any form of regulation of such new services, if necessary at all, should be as minimally invasive as possible. In that respect, the ICA eventually singled out measures such as a registry of online platforms providing such services and the imposition of certain requirements on drivers.
The Position of the CMA
The position held by the UK Competition and Market Authority is even firmer than that of its Italian counterpart.
Preliminarily, while it recognized that “private hire vehicles” need the protection of appropriate regulation, the CMA considered that consumers also benefit from effective competition exerting downward pressure on prices and upward pressure on service quality and standards.
The CMA takes the view that innovative services (which include app-based booking systems) may drive efficiencies through which it is possible to offer benefits such as lower prices and greater responsiveness to demand. The introduction of new services also has an inherent benefit in the form of greater choice for consumers.
From a general standpoint, the CMA thus considers that competition should only be compromised or restricted by regulatory rules to the extent that doing so is absolutely necessary for consumer protection. Above all, regulation should not favor certain groups or business models over others, and any measures that restrict the choices available to consumers should be minimized.
The CMA focused on a number of regulatory proposals (made by the Authority Transport for London or “TfL”) that might have the greatest impact on competition.
5-minute wait requirement. TfL proposes that operators must provide booking confirmation details to the passenger at least 5 minutes prior to the journey commencing.
According to the CMA, this proposal reduces the competitiveness of services that compete with black cabs by artificially hampering the level of service that new services can provide.
Approval for changes to operating models. TfL proposes that operators will be required to seek TfL approval before changing their operating model. The CMA considers that ex ante regulation of business models is liable to reduce incentives for innovation (a key competitive parameter) and by extension to restrict competition.
Mandatory pre-booking facilities. In the CMA’s view, mandating ancillary functions (such as a facility to pre-book up to seven days in advance) can place undue burdens on some providers, leading to increased costs for private hire vehicles and thus distorting competition, as those unable or unwilling to provide these functions will be excluded from the market. The CMA notes that in instances where consumers find ancillary facilities useful, they are likely to be provided by a competitive market where different offerings proliferate.
Fixed landline telephone requirement. Similarly, the CMA believes that TfL’s proposal whereby operators must have a fixed landline telephone number, which must be available for passenger use at all times, could raise barriers to entry (entrants would have to provide both a number and staff to handle calls) as well as restrict innovation (including platform-based business models) and could therefore lead to reduced competition between private hire vehicle operators. Moreover, it is not clear that this functionality needs to be mandatory, since consumers who value having a landline number to contact can choose the private hire vehicle operators that provide one.
Requirement to specify the fare in advance. Another proposal that the CMA rejects is mandating operators to specify the fare for each journey prior to the commencement of that journey. According to the CMA, the supply of a precise and fixed fare at the time of booking would effectively prohibit innovative pricing models that could be more efficient than pre-calculated fares (e.g. by varying according to supply and demand). This would remove another parameter of competition among private hire vehicle operators.
Drivers to only work for one operator at a time. TfL further proposed a requirement that licensed private hire vehicle drivers can only work for one operator at a time, claiming that this is necessary to reduce the risk of drivers working excessive hours for a number of different operators.
The CMA notes that this proposal may not be suitable or necessary to meet the stated objective. First, TfL’s proposal seems to address only excessive hours among drivers working for multiple operators, and not the risk of excessive hours among drivers working for a single operator, or the danger of black cab drivers working excessive hours.
More interestingly, the CMA believes that ‘multi-homing’ (i.e. the ability of drivers to work for multiple platforms) can allow drivers to switch their supply to where it is needed in the market. Mandatory single-homing can create a strong network effect, as it gives drivers the incentive to only work for the platform with the most customers. The consequence could be fewer private hire vehicle operator platforms, or even a single dominant platform, with the potential for all the consumer harm that platform dominance might bring.
By Marie-Andrée Weiss
What is retail tracking?
This is the first FTC complaint against a retail tracking company. According to the complaint, Nomi “uses mobile device tracking technology to provide analytics services to brick and mortar retailers . . . [and] has been collecting information from consumer’s mobile devices . . . since January 2013.”
While online retailers may easily track their visitors’ digital trail, brick and mortar retailers used to have to resort to asking “are you looking for something in particular?” to find out about their clients’ interests, only to be often rebuffed by “just looking…” They could also instruct their staff to report observations about clients’ expressed interests and peruse sales reports to define and refine their marketing strategy. But tracking companies can now provide retailers with precise data on consumers’ behavior.
The complaint explained how sensors placed by Nomi in its clients’ stores detect the media access control (MAC) addresses which mobile devices broadcast when searching for WiFi networks. Nomi also collects MACs from the stores’ WiFi access points. The information thus collected by Nomi is used to compile analytics reports about the percentage of customers passing by the store versus entering it, the average duration of their visit, the type of mobile devices they use, the percentage of repeat consumers within a particular period of time, and the number of customers that have also visited another of the retailer’s location. This information allows retailers to measure the impact of in-store promotions or displays and to adjust their layouts and offerings accordingly.
Nomi provided an opt-out option on its own site. However, consumers had to provide all of their mobile devices’ MAC addresses, a rather cumbersome process, especially since consumers did not know which retailers were using Nomi tracking services and could thus spend time opting out of a service which may never even track them.
According to the terms of the consent order, Nomi agreed not to misrepresent “the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or… the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”
Do retail tracking systems identify consumers?
Each MAC is a 12-digit identifier, which the FTC considers to be a persistent unique identifier even though Nomi cryptographically hashes it, because hashing a particular MAC always produces the same hashed value. Hashing transforms a string of characters, the input, into another string of characters, the hash value, by means of a deterministic algorithm. In our case, each unique 12-digit identifier is transformed into a unique hash value, which can therefore itself be used as an identifier.
In his dissenting statement, Commissioner Wright argued that Nomi did not track individual consumers, but merely recorded whether they were unique or repeat visitors to a store, without knowing their “identity.” But Chairwoman Ramirez cited in her statement about the proposed consent order an article written last year by Jonathan Mayer, from Stanford University, which stated that “[h]ashing [MAC addresses] is… no defense against re-identification” and explained how he had built such a re-identification system in less than an hour. Ashkan Soltani, the FTC Chief Technologist, noted in a post that the use of a persistent identifier presents privacy issues, since tracking patterns of movement is in itself often enough to uniquely identify an individual.
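The two preceding paragraphs make a point that is easy to demonstrate in code: an unkeyed hash of a MAC address is deterministic, so it is just the MAC under another name, and the same device can be followed from store to store and from day to day. The example below is added here as an illustration and is not Nomi’s, the FTC’s or Jonathan Mayer’s code. It builds a few constructed sightings (made-up, locally administered MAC addresses), computes the repeat-visit style metrics described above under two schemes, and shows the difference: the plain hash links a device across days, while a keyed token rotated per period (an HMAC under a secret assumed to live only on the analytics back end) still supports within-period analytics but breaks linkage across periods. The choice of SHA-256 and HMAC-SHA256 is an assumption for the demonstration, not a description of what Nomi deployed.

```python
"""Added example (not from the page or from Nomi): why an unkeyed hash of a
MAC address is a persistent identifier, and how a keyed, rotating token
limits cross-period tracking while keeping within-period analytics."""
import hashlib
import hmac
import secrets

# Constructed sample sightings (day, store, MAC). The MACs are locally
# administered addresses (second hex digit 2), so they belong to no real
# vendor or device.
SIGHTINGS = [
    (1, "store-A", "02:00:5e:10:00:01"),
    (1, "store-A", "02:00:5e:10:00:02"),
    (1, "store-B", "02:00:5e:10:00:01"),   # same device, second store, same day
    (2, "store-A", "02:00:5e:10:00:01"),   # same device back the next day
    (2, "store-A", "02:00:5e:10:00:03"),
]

# Assumed deployment: a secret held only by the analytics back end and never
# shipped to the in-store sensors. For this demo it is generated at import.
MASTER_SECRET = secrets.token_bytes(32)


def normalize(mac: str) -> bytes:
    """Canonical form so 'AA:BB', 'aa-bb' and 'aabb' hash identically."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef").encode()


def plain_hash(mac: str) -> str:
    """Unkeyed SHA-256 of the MAC. Deterministic, so every sighting of one
    device maps to the same value forever: a persistent pseudonymous ID.
    The input space is only 48 bits, and the vendor prefix (OUI) is public,
    so an unkeyed hash adds no secrecy; it only renames the MAC."""
    return hashlib.sha256(normalize(mac)).hexdigest()


def period_key(day: int) -> bytes:
    """Per-period key derived from the master secret. Discarding a period's
    key (or rotating the master) makes old tokens unlinkable to new ones."""
    return hmac.new(MASTER_SECRET, f"period:{day}".encode(), hashlib.sha256).digest()


def rotating_token(day: int, mac: str) -> str:
    """Keyed token: stable within one period, unrelated across periods, and
    not computable by anyone who does not hold the period key."""
    return hmac.new(period_key(day), normalize(mac), hashlib.sha256).hexdigest()


def unkeyed_token(day: int, mac: str) -> str:
    """Same signature as rotating_token, but the period is ignored."""
    return plain_hash(mac)


def linkable_across_days(sightings, token_fn) -> int:
    """Number of tokens seen on more than one day, i.e. devices that the
    chosen scheme lets an observer follow over time."""
    days_per_token = {}
    for day, _store, mac in sightings:
        days_per_token.setdefault(token_fn(day, mac), set()).add(day)
    return sum(1 for days in days_per_token.values() if len(days) > 1)


def multi_store_devices(sightings, day: int, token_fn) -> int:
    """Devices seen in more than one store on one day (the 'also visited
    another location' metric). This works under either scheme."""
    stores_per_token = {}
    for d, store, mac in sightings:
        if d == day:
            stores_per_token.setdefault(token_fn(d, mac), set()).add(store)
    return sum(1 for stores in stores_per_token.values() if len(stores) > 1)


if __name__ == "__main__":
    print("cross-day linkable, unkeyed :", linkable_across_days(SIGHTINGS, unkeyed_token))
    print("cross-day linkable, rotating:", linkable_across_days(SIGHTINGS, rotating_token))
    print("multi-store on day 1, rotating:", multi_store_devices(SIGHTINGS, 1, rotating_token))
```

Running the script shows one device linkable across days under the plain hash and none under the rotating token, while the same-day multi-store count is identical under both. The design point is that the metric the retailer is sold (repeat and cross-store visits within a reporting period) does not require a lifetime identifier; only the key-holder can produce the tokens, and destroying a period’s key makes that period’s data permanently unlinkable, which is the property a bare hash of a 48-bit value cannot provide.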
Commissioner Wright also argued in his dissenting statement that the FTC should not have issued a complaint against Nomi, as “aggressive prosecution of this sort will inevitably deter industry participants like Nomi from engaging in voluntary practices that promote consumer choices and transparency [and…] sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.” For Commissioner Wright, the market has already responded to consumers expressing their preference, and he alluded in a footnote to several instances where retailers pulled their tracking programs after consumers voiced their concerns.
But these instances may also be interpreted as signs that consumers are very concerned about being tracked in stores, and thus must be provided with effective ways to opt out, after having been put on notice of such programs. Ashkan Soltani cited in his post a recent OpinionLab survey which found that 8 out of 10 shoppers do not want retailers to track them using their smartphones, adding that “[t]he privacy issues are further exacerbated by the fact that most consumers are not aware that their device information may be captured as they walk by a store or visit an airport.” As such, defining privacy policies may very well drive innovation by incentivizing the creation of products and services that respect consumers’ privacy.
The FTC offered the public the opportunity to file comments about the case, and provided an Analysis to Aid Public Comment. The Information Technology and Innovation Foundation (ITIF), a think tank, while stating it did not condone Nomi’s mistake, argued in its comment that “innovation, by its very nature, involves risks and mistakes . . . . Certainly, companies should not face punitive measures for actions that were taken in good faith and did not cause consumer harm. This would create perverse incentives for companies to slow down the pace of innovation” (ITIF comments, p. 3).
Whether or not the FTC was too quick to act, this case signals the need to provide start-ups and entrepreneurs with the privacy framework they need to create products and services respecting consumers’ privacy. Since most consumers wish to guard their privacy, privacy protection can be an effective marketing tool to attract consumers and generate sales.
On 19 May 2010, the European Commission made public its long awaited policy document on the Digital Agenda for Europe. The overall aim of the Digital Agenda is to deliver sustainable economic and social benefits from a digital single market based on fast and ultra fast internet and interoperable applications.
In particular, one of the goals of the Digital Agenda is improving ICT standard-setting and interoperability, as effective interoperability between IT products and services is key to building a truly digital society. To this end, the Digital Agenda will for example, propose legal measures to reform the rules on implementation of ICT standards to allow the use of certain ICT fora and consortia standards.
More importantly, guidance on transparent ex-ante disclosure rules for essential intellectual property rights and licensing terms and conditions in the context of standard setting is also deemed to contribute to lower royalty demands for the use of standards and thus to lower market entry costs.
In this respect, in a recent speech Neelie Kroes, Commissioner for Information Society and Media, made it clear that a legislative solution on standard setting may be a possibility, although she stressed that the aim is to make standard setting more efficient, and not more burdensome for companies.
Mrs. Kroes appears to flag that, if need be, she would be ready to go beyond the recently published Commission’s draft antitrust rules on horizontal agreements relating to standard-setting. The draft rules, currently available for consultation (see above p. 7) rely on the well-established concepts of non-discrimination, transparency, and availability and specify minimum requirements that distinguish standard-setting from a cartel. On the important issue of licensing, Mrs. Kroes is of the view that because establishing FRAND (Fair, Reasonable and Non-Discriminatory) prices is a hard task, transparency of costs (and therefore of licensing terms) is in everyone’s interest, as it would facilitate implementation of the standard and reduce the risks of litigation.
Ultimately, according to Mrs. Kroes, the European Commission should not need to run lengthy investigations in every case where there is a lack of interoperability. Yet, she made it also clear that companies should not be able to withhold essential interoperability information from the market when such behaviour would result in lock-in situations. [Gabriele Accardo]
The European Commission confirmed that from 13 to 15 January 2009 European Commission officials carried out an unannounced inspection at the premises of Slovak Telekom a.s., the incumbent telecom operator in Slovakia. The European Commission has reason to believe that the company concerned may have infringed EC Treaty rules on abuse of a dominant market position (Article 82). The suspected conduct may include refusal to supply, margin squeeze and tying, possibly as part of an overall strategy to exclude competitors from the market. [European Commission Memo]