Category: Communication Media & Internet

2020 Predictions for Data Businesses

It’s a new year, a new decade, and a new experience for me writing for the HeyDataData blog.  My colleagues asked for input and discussion around 2020 predictions for technology and data protection.  Dom has already written about a few.  I’ve picked out four:

  1. Experiential retail

Stores will offer technology-infused shopping experience in their stores.  Even today, without using my phone, I can experience a retailer’s products and services with store-provided technology, without needing to open an app.  I can try on a pair of glasses or wear a new lipstick color just by putting my face in front of a screen.  We will see how creative companies can be in luring us to the store by offering us an experience that we have to try.  This experiential retail type of technology is a bit ahead of the Amazon checkout technology, but passive payment methods are coming, too.  [But if we still don’t want to go to the store, companies will continue to offer us more mobile ordering—for pick-up or delivery.]

  1. Consumers will still tell companies their birthdays and provide emails for coupons (well, maybe not in California)

We will see whether the California Consumer Privacy Act (CCPA) will meaningfully change consumers’ perception about giving their information to companies—usually lured by financial incentives (like loyalty programs, coupons, etc. or a free app).  I tend to think that we will continue to download apps and give information if it is convenient or cheaper for us and that companies will think it is good for business (and their shareholders, if applicable) to continue to engage with their consumers.  This is an extension of number 1, really, because embedding technology in the retail experience will allow companies to offer new (hopefully better) products (and gather data they may find a use for later. . . ).  Even though I think consumers will still provide up their data, I also think consumer privacy advocates try harder to shift their perceptions (enter CCPA 2.0 and others).

  1. More “wearables” will hit the market

We already have “smart” refrigerators, watches, TVs, garage doors, vacuum cleaners, stationary bikes and treadmills.  Will we see other, traditionally disconnected items connect?  I think yes.  Clothes, shoes, purses, backpacks, and other “wearables” are coming.

  1. Computers will help with decisions

We will see more technology-aided (trained with lots of data) decision making.  Just yesterday, one of the most read stories described how an artificial intelligence system detected cancer matching or outperforming radiologists that looked at the same images.  Over the college football bowl season, I saw countless commercials for insurance companies showing how their policy holders can lower their rates if they let an app track how they are driving.  More applications will continue to pop-up.

Those are my predictions.  And I have one wish to go with it.  Those kinds of advances create tension among open innovation, ethics and the law.  I do not predict that we will solve this in 2020, but my #2020vision is that we will make progress.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on data use in retail & health & more, see the National Law Review Communications, Media & Internet law page.

The U.S. Patent and Trademark Office Takes on Artificial Intelligence

If the hallmark of intelligence is problem solving, then it should be no surprise that artificial intelligence is being called on to solve complex problems that human intelligence alone cannot. Intellectual property laws exist to reward intelligence, creativity and problem solving; yet, as society adapts to a world immersed in artificial intelligence, the nation’s intellectual property laws have yet to do the same. The Constitution seems to only contemplate human inventors when it says, in Article I, Section 8, Clause 8,

The Congress shall have Power … To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

The Patent Act similarly seems to limit patents to humans when it says, at 35 U.S.C. § 100(f),

The term ‘inventor’ means the individual or, if a joint invention, the individuals collectively who invented or discovered the subject matter of the invention.”

In fact, as far back as 1956, the U.S. Copyright Office refused registration for a musical composition created by a computer on the basis that copyright laws only applied to human authors.

Recognizing the need to adapt, the U.S. Patent and Trademark Office (PTO) recently issued notices seeking public comments on intellectual property protection related to artificial intelligence. In August 2019, the PTO issued a Federal Register Notice, 84 Fed. Reg. 166 (Aug. 27, 2019) entitled, “Request for Comments on Patenting Artificial Intelligence Inventions.” On October 30, the PTO broadened its inquiry by issuing another Notice, 84 Fed. Reg. 210 (Oct. 30, 2019) entitled, “Request for Comments on Intellectual Property Protection for Artificial Intelligence Innovation.” Finally, on December 3, 2019, the PTO issued a third notice, extending the comment period on the earlier notices to January 10, 2020. All of the notices can be downloaded from the PTO’s web site.

The January 10, 2020 deadline for public comments on the issues raised in the notices is fast approaching. This is an important topic for the future of technology and intellectual property, and the government is plainly looking at these important issues with a clean slate.

© 2020 Vedder Price

For more on patentable inventions, see the Intellectual Property law section of the National Law Review.

Limiting Junk Fax Class Actions: Online Fax Services Outside Scope of TCPA FCC Rules

 

On December 9, 2019, the Federal Communications Commission (“FCC”) issued a declaratory ruling In the Matter of Amerifactors Financial Group, LLC (“Amerifactors”) concluding that modern faxing technologies are not within the scope of the Telephone Consumer Protection Act (TCPA).  The Amerifactors ruling, which follows the express language of the TCPA, determines that faxes received via an online fax service as electronic messages are effectively email and therefore are not faxes received on a “telephone facsimile machine” under the statute. This narrows the scope of the TCPA to traditional fax machines and will make it more difficult for attorneys to certify classes of fax recipients under the TCPA, ideally curbing the plethora of TCPA Fax class action lawsuits.

Amerifactors Background

In 2017, Amerifactors filed a petition for an expedited declaratory ruling asking the FCC to “clarify that faxes sent by “online fax services” are not faxes sent to “telephone facsimile machines”[1] therefore, outside of the scope of the TCPA. While faxing has declined in usage significantly, many of those who still receive faxes do so through cloud-based services that send the document via an attachment to an email.  At the time of Amerifactors’ declaratory filing, they were defending a class action suit with claims that Amerifactors violated the TCPA by sending unsolicited fax messages, the bulk of which were sent to consumers from online fax services.

FCC Ruling and Logic

In the Amerifactors ruling, the FCC explained that faxes sent by online fax services do not lead to the “specific harms” Congress sought to address in the TCPA’s Junk Fax Protection Amendment and concluded that “a fax received by an online fax service as an electronic message is effectively an email.”

Unlike printed fax messages that require the recipient to supply paper and ink, the FCC concluded consumers can manage faxes sent by online fax services the same way they manage their email by blocking senders or deleting incoming messages without printing them, short-circuiting many of the specific harms envisioned by the original legislation.  With online fax services, there is no phone-line that is occupied and therefore unavailable for other purposes, and no paper or ink used that must be supplied by the recipient.  Clarifying legislative intent, the FCC stated:

“The House Report on the TCPA makes clear that the facsimile provisions of the statute were intended to curb two specific harms: “First, [a fax advertisement] shifts some of the costs of advertising from the sender to the recipient. Second, it occupies the recipient’s facsimile machine so that it is unavailable for legitimate business messages while processing and printing the junk fax.”

In many ways, the FCC ruling in Amerifactors demonstrates FCC recognition of the changes in faxing technology.  Steven Augustino of KelleyDrye[2], one of the attorneys who represented Amerifactors,  points out that the language we use now does not match the technology that has largely replaced traditional faxing technology, instead offering a short-hand that has roots in an earlier era—and that references dead technologies.  Augustino says:

Amerifactors argued that the term “faxing” has outlived the actual technology of faxing, much in the same way that we still dial a telephone even though no one has a rotary telephone, or we “cc” people on emails but we aren’t using carbon copies.  In many ways, saying ‘I sent a fax’ is similar to that, the term has outlived the technology that has supported it.”

There is reason to believe that this is the first of many declaratory rulings on fax matters under the TCPA.  As of November 2019, there are thirty-six petitions in front of the FCC, and six of those petitions specifically address “junk” faxing rules.  These petitions represent a variety of faxing issues, such as consent and the definition of an advertisement.   The declaratory ruling in Amerifactors and the FCC’s reasoning related to technological changes will likely impact the FCC’s rule-making on similar issues.

Implications for Future TCPA Fax Class Action Lawsuits

According to Douglas B. Brown of RumbergerKirk, one of the attorneys who represented Amerifactors in the FCC’s declaratory ruling:

“While the traditional fax machine has faded out of today’s business communications, online fax services provide secure communications that are critical to providing consumers with secure information about their finances, health and other important matters. The FCC’s ruling allows for these communications to continue without interference from debilitating class-action lawsuits.”

Per Samantha Duke of RumbergerKirk who also represented Amerifactors:

“First, according to the Hobbs Act, federal district courts are bound to enforce the FCC’s rules, regulations, and orders relating to the TCPA. Thus, this declaratory ruling may impact all fax class actions filed in the district courts in the country.”

The Amerifactors ruling requires a closer look at how faxes are being received complicating how class actions are certified under the TCPA.  Per Duke:

The Amerifactors ruling now makes the method by which the fax was received key to determining whether any particular unsolicited facsimile violates the TCPA. This individualized determination will most certainly complicate any attempt to certify a TCPA-fax class action as the question of whether the facsimile was sent to an online fax service will predominate over any common issue.”

In short, unless a fax comes through an old-school fax machine, it’s outside the reach of the TCPA per the FCC’s Amerifactors ruling.

[1] See Petition for Expedited Declaratory Ruling of Amerifactors Financial Group, LLC, CG Docket Nos. 02-278, 05-338, at 2 (filed July 13, 2017) (Petition).

[2] Amerifactors Financial Group, LLC was represented by Rumberger, Kirk & Caldwell, PA attorneys Douglas B. Brown and Samantha Duke, along with attorney Steven A. Augustino of Kelley Drye & Warren LLP.

Copyright ©2019 National Law Forum, LLC

For more on the TCPA and FCC Regulations, see the National Law Review Communications, Media & Internet law section.

Reflections on 2019 in Technology Law, and a Peek into 2020

It is that time of year when we look back to see what tech-law issues took up most of our time this year and look ahead to see what the emerging issues are for 2020.

Data: The Issues of the Year

Data presented a wide variety of challenging legal issues in 2019. Data is solidly entrenched as a key asset in our economy, and as a result, the issues around it demanded a significant level of attention.

  • Clearly, privacy and data security-related data issues were dominant in 2019. The GDPR, CCPA and other privacy regulations garnered much consideration and resources, and with GDPR enforcement ongoing and CCPA enforcement right around the corner, the coming year will be an important one to watch. As data generation and collection technologies continued to evolve, privacy issues evolved as well.  In 2019, we saw many novel issues involving mobilebiometric and connected car  Facial recognition technology generated a fair amount of litigation, and presented concerns regarding the possibility of intrusive governmental surveillance (prompting some municipalities, such as San Francisco, to ban its use by government agencies).

  • Because data has proven to be so valuable, innovators continue to develop new and sometimes controversial technological approaches to collecting data. The legal issues abound.  For example, in the past year, we have been advising on the implications of an ongoing dispute between the City Attorney of Los Angeles and an app operator over geolocation data collection, as well as a settlement between the FTC and a personal email management service over access to “e-receipt” data.  We have entertained multiple questions from clients about the unsettled legal terrain surrounding web scraping and have been closely following developments in this area, including the blockbuster hiQ Ninth Circuit ruling from earlier this year. As usual, the pace of technological innovation has outpaced the ability for the law to keep up.

  • Data security is now regularly a boardroom and courtroom issue, with data breaches, phishing, ransomware attacks and identity theft (and cyberinsurance) the norm. Meanwhile, consumers are experiencing deeper and deeper “breach fatigue” with every breach notice they receive. While the U.S. government has not yet been able to put into place general national data security legislation, states and certain regulators are acting to compel data collectors to take reasonable measures to protect consumer information (e.g., New York’s newly-enacted SHIELD Act) and IoT device manufacturers to equip connected devices with certain security features appropriate to the nature and function of the devices secure (e.g., California’s IoT security law, which becomes effective January 1, 2020). Class actions over data breaches and security lapses are filed regularly, with mixed results.

  • Many organizations have focused on the opportunistic issues associated with new and emerging sources of data. They seek to use “big data” – either sourced externally or generated internally – to advance their operations.  They are focused on understanding the sources of the data and their lawful rights to use such data.  They are examining new revenue opportunities offered by the data, including the expansion of existing lines, the identification of customer trends or the creation of new businesses (including licensing anonymized data to others).

  • Moreover, data was a key asset in many corporate transactions in 2019. Across the board in M&A, private equity, capital markets, finance and some real estate transactions, data was the subject of key deal points, sometimes intensive diligence, and often difficult negotiations. Consumer data has even become a national security issue, as the Committee on Foreign Investment in the United States (CFIUS), expanded under a 2018 law, began to scrutinize more and more technology deals involving foreign investment, including those involving sensitive personal data.

I am not going out on a limb in saying that 2020 and beyond promise many interesting developments in “big data,” privacy and data security.

Social Media under Fire

Social media platforms experienced an interesting year. The power of the medium came into even clearer focus, and not necessarily in the most flattering light. In addition to privacy issues, fake news, hate speech, bullying, political interference, revenge porn, defamation and other problems came to light. Executives of the major platforms have been on the hot seat in Washington, and there is clearly bipartisan unease with the influence of social media in our society.  Many believe that the status quo cannot continue. Social media platforms are working to build self-regulatory systems to address these thorny issues, but the work continues.  Still, amidst the bluster and criticism, it remains to be seen whether the calls to “break up” the big tech companies will come to pass or whether Congress’s ongoing debate of comprehensive data privacy reform will lead to legislation that would alter the basic practices of the major technology platforms (and in turn, many of the data collection and sharing done by today’s businesses).  We have been working with clients, advising them of their rights and obligations as platforms, as contributors to platforms, and in a number of other ways in which they may have a connection to such platforms or the content or advertising appearing on such platforms.

What does 2020 hold? Will Washington’s withering criticism of the tech world translate into any tangible legislation or regulatory efforts?  Will Section 230 of the Communications Decency Act – the law that underpins user generated content on social media and generally the availability of user generated content on the internet and apps – be curtailed? Will platforms be asked to accept more responsibility for third party content appearing on their services?

While these issues are playing out in the context of the largest social media platforms, any legislative solutions to these problems could in fact extend to others that do not have the same level of compliance resources available. Unless a legislative solution includes some type of “size of person” test or room to adapt technical safeguards to the nature and scope of a business’s activities or sensitivity of the personal information collected, smaller providers could be shouldered with a difficult and potentially expensive compliance burden. Thus, it remains to see how the focus on social media and any attempt to solve the issues it presents may affect online communications more generally.

Quantum Leaps

Following the momentum of the passage of the National Quantum Initiative at the close of 2018, a significant level of resources has been invested into quantum computing in 2019.  This bubble of activity culminated in Google announcing a major milestone in quantum computing.  Interestingly, IBM suggests that it wasn’t quite as significant as Google claimed.  In any case, the development of quantum computing in the U.S. has progressed a great deal in 2019, and many organizations will continue to focus on it as a priority in 2020.

  • Reports state that China has dedicated billions to build a Chinese national laboratory for quantum computing, among other related R&D products, a development that has gotten the attention of Congress and the Pentagon. This may be the beginning of the 21st century’s great technological race.

  • What is at stake? The implications are huge. It is expected that ultimately, quantum computers will be able to solve complex computations exponentially faster – as much as 100 million times faster — than classic computers. The opportunities this could present are staggering.  As are the risks and dangers.  For example, for all its benefits, the same technology could quickly crack the digital security that protects online banking and shopping and secure online communications.

  • Many organizations are concerned about the advent of quantum computing. But given that it will be a reality in the future, what should you be thinking about now? While not a real threat for 2020 or the near-term thereafter, it would be wise to think about it if one is anticipating investing in long-term infrastructure solutions. Will quantum computing render the investment obsolete? Or, will quantum computing present a security threat to that infrastructure?  It is not too early to think about these issues, and for example, technologists have been hard at work developing quantum-proof blockchain protocols. It would at least be prudent to understand the long-term roadmap of technology suppliers to see if they have even thought about quantum computing, and if so, to see to how they see quantum computing impacting their solutions and services.

Artificial Intelligence

We have seen significant level of deployment in the Artificial Intelligence/Machine Learning landscape this past year.  According to the Artificial Intelligence Index Report 2019, AI adoption by organizations (of at least one function or business unit) is increasing globally. Many businesses across many industries are deploying some level of AI into their businesses.  However, the same report notes that many companies employing AI solutions might not be taking steps to mitigate the risks from AI, beyond cybersecurity. We have advised clients on those risks, and in certain cases have been able to apportion exposure amongst multiple parties involved in the implementation.  In addition, we have also seen the beginning of regulation in AI, such as California’s chatbot law, New York’s recent passage of a law (S.2302prohibiting consumer reporting agencies and lenders from using the credit scores of people in a consumer’s social network to determine that individual’s credit worthiness, or the efforts of a number of regulators to regulate the use of AI in hiring decisions.

We expect 2020 to be a year of increased adoption of AI, coupled with an increasing sense of apprehension about the technology. There is a growing concern that AI and related technologies will continue to be “weaponized” in the coming year, as the public and the government express concern over “deepfakes” (including the use of voice deepfakes of CEOs to commit fraud).  And, of course, the warnings of people like Elon Musk and Bill Gates, as they discuss AI, cannot be ignored.

Blockchain

We have been very busy in 2019 helping clients learn about blockchain technologies, including issues related to smart contracts and cryptocurrency. 2019 was largely characterized by pilotstrials,  tests and other limited applications of blockchain in enterprise and infrastructure applications as well as a significant level of activity in tokenization of assetscryptocurrency investments, and the building of businesses related to the trading and custody of digital assets. Our blog, www.blockchainandthelaw.io keeps readers abreast of key new developments and we hope our readers have found our published articles on blockchain and smart contracts helpful.

Looking ahead to 2020, regulators such as the SECFinCENIRS and CFTC are still watching the cryptocurrency space closely. Gone are the days of ill-fated “initial coin offerings” and today, security token offerings, made in compliance with the securities laws, are increasingly common. Regulators are beginning to be more receptive to cryptocurrency, as exemplified by the New York State Department of Financial Services revisiting of the oft-maligned “bitlicense” requirement in New York.

Beyond virtual currency, I believe some of the most exciting developments of blockchain solutions in 2020 will be in supply chain management and other infrastructure uses of blockchain. 2019 was characterized by experimentation and trial. We have seen many successes and some slower starts. In 2020, we expect to see an increase in adoption. Of course, the challenge for businesses is to really understand whether blockchain is an appropriate solution for the particular need. Contrary to some of the hype out there, blockchain is not the right fit for every technology need, and there are many circumstances where a traditional client-server model is the preferred approach. For help in evaluating whether blockchain is in fact a potential fit for a technology need, this article may be helpful.

Other 2020 Developments

Interestingly, one of the companies that has served as a form of leading indicator in the adoption of emerging technologies is Walmart.  Walmart was one of the first major companies to embrace supply use of blockchain, so what is Walmart looking at for 2020? A recent Wall Street Journal article discusses its interest and investment in 5G communications and edge computing. We too have been assisting clients in those areas, and expect them to be active areas of activity in 2020.

Edge computing, which is related to “fog” computing, which is, in turn,  related to cloud computing, is simply put, the idea of storing and processing information at the point of capture, rather than communicating that information to the cloud or a central data processing location for storage and processing. According to the WSJ article, Walmart plans on building edge computing capability for other businesses to hire (following to some degree Amazon’s model for AWS).  The article also talks about Walmart’s interest in 5G technology, which would work hand-in-hand with its edge computing network.

Our experience with clients suggest that Walmart may be onto something.  Edge and fog computing, 5G and the growth of the “Internet of Things” are converging and will offer the ability for businesses to be faster, cheaper and more profitable. Of course this convergence also will tie back to the issues we discussed earlier, such as data, privacy and data security, artificial intelligence and machine learning. In general, this convergence will increase even more the technical abilities to process and use data (which would conceivably require regulation that would feature privacy and data security protections that are consumer-friendly, yet balanced so they do not stifle the economic and technological benefits of 5G).

This past year has presented a host of fascinating technology-based legal issues, and 2020 promises to hold more of the same.  We will continue to keep you posted!

We hope you had a good 2019, and we want to wish all of our readers a very happy and safe holiday season and a great New Year!

© 2019 Proskauer Rose LLP.

For more in technology developments, see the National Law Review Intellectual Property or Communications, Media & Internet law sections.

British Member of “The Dark Overlord” Hacking Organization Extradited to Face Conspiracy and Identify Theft Charges in the United States

Beginning in 2016, the computer hacking organization known as “The Dark Overlord,” began to target victims in the St. Louis, Missouri area, including various health care providers, several accounting firms, and a medical records company.  By remotely accessing these victims’ computer networks without authorization, The Dark Overlord was able to obtain sensitive records and information, which it then threatened to release unless the companies paid a ransom in bitcoin.

Following a lengthy investigation conducted by the Federal Bureau of Investigation and British authorities, United Kingdom national Nathan Wyatt was extradited to the United States and appeared before a federal district court in eastern Missouri on Wednesday, December 18, 2019, to face charges of aggravated identity theft, threatening damage to a protected computer, and conspiracy.  While Wyatt is the first member of The Dark Overlord to face prosecution, government officials have expressed a hope that this will signal to other cyber hackers targeting American companies that they will not be able to use territorial borders to evade justice and prosecution by the United States.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

Facing Facts: Do We Sacrifice Security Out of Fear?

Long before the dawn of time, humans displayed physical characteristics as identification tools. Animals do the same to distinguish each other. Crows use facial recognition on humans.  Even plants can tell their siblings from unrelated plants of the same species.

We present our physical forms to the world, and different traits identify us to anyone who is paying attention. So why, now that identity theft is rampant and security is challenged, do we place limits on the easiest and best ID system available? Are we sacrificing future security due to fear of an unlikely dystopia?

In one of the latest cases rolling out of Illinois’ private right of action under the state’s Biometric Information Privacy Act (BIPA), Rogers v. BNSF Railway Company[1], the court ruled that a railroad hauling hazardous chemicals through major urban areas needed to change, and probably diminish, its security procedures for who it allows into restricted space. Why? Because the railroad used biometric security to identify authorized entrants, BIPA forces the railroad to receive the consent of each person authorized to enter restricted space, and because BIPA is not preempted by federal rail security regulations.

The court’s decision, based on the fact that federal rail security rules do not specifically regulate biometrics, is a reasonable reading of the law. However, with BIPA not providing exceptions for biometric security, BIPA will impede the adoption and effectiveness of biometric-based security systems, and force some businesses to settle for weaker security. This case illustrates how BIPA reduces security in our most vulnerable and dangerous places.

I can understand some of the reasons Illinois, Texas, Washington and others want to restrict the unchecked use of biometrics. Gathering physical traits – even public traits like faces and voices – into large searchable databases can lead to overreaching by businesses. The company holding the biometric database may run tests and make decisions based on physical properties.  If your voice shows signs of strain, maybe the price of your insurance should rise to cover risk that stress puts on your body. But this kind of concern can be addressed by regulating what can be done with biometric readings.

There are also some concerns that may not have the foundation they once had. Two decades ago, many biometric systems stored bio data as direct copies, so that if someone stole the file, that person would have your fingerprint, voiceprint or iris scan.  Now, nearly all of the better biometric systems store bio readings as algorithms that can’t be read by computers outside the system that took the sample. So some of the safety concerns are no longer valid.

I propose a more nuanced thinking about biometric readings. While requiring data subject consent is harmless in many situations, the consent regime is a problem for security systems that use biometric indications of identity. And these systems are generally the best for securing important spaces.  Despite what you see in the movies, 2019 biometric security systems can be nearly impossible to trick into false positive results. If we want to improve our security for critical infrastructure, we should be encouraging biometrics, not throwing hurdles in the path of people choosing to use it.

Illinois should, at the very least, provide an exception to BIPA for physical security systems, even if that exception is limited to critical facilities like nuclear, rail and hazardous shipping restricted spaces. The state can include limits on how the biometric samples are used by the companies taking them, so that only security needs are served.

The field of biometrics may scare some people, but it is a natural outgrowth of how humans have always told each other apart.  If limit its use for critical security, we are likely to suffer from the decision.

[1] 2019 WL 5699910 (N.D. Ill).

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on biometric identifier privacy, see the National Law Review Communications, Media & Internet law page.

Privacy Tip #219 – FBI Considers FaceApp a Counterintelligence Threat

For those of you who have downloaded the face editing app FaceApp, please note that the Federal Bureau of Investigation (FBI) has classified FaceApp as a counterintelligence threat because of its Russian origins.

According to the FBI, “[T]he FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat, based on the data the product collects, its privacy and terms of use policies, and the legal mechanisms available to the Government of Russia that permit access to data within Russia’s borders.”

When the FBI considers an app a security threat to the U.S., we all should. Downloading apps, in general, is risky, but downloading apps based in foreign countries that are trying to obtain information about U.S. citizens – and in fact are obtaining information from unwitting U.S. citizens – is potentially putting us in danger.

Now is the time to perform app hygiene. Check the apps on your phone to determine whether you are using them or not. If you aren’t using them, delete them. There is no reason to continue to allow them to collect your information if you are not using them and getting a benefit from them. If you are using them and can’t live without them, do some due diligence to determine the background of the app, read the Privacy Policy and Terms of Use to know what they are collecting and using about you, and delete the app if your gut tells you something’s not right. If you have downloaded FaceApp, that would be the first one to delete.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

The Rise Of Digital Services Taxes

Governments are coming after online businesses. Multinational clients that provide online advertising services, sell consumer data, or run online intermediary platforms should prepare themselves for the imminent arrival of digital services taxes (DSTs) on revenues from digital activities.

IN DEPTH

Having failed to reach an EU-wide unanimous consensus on an earlier EU Commission proposal for a DST Directive, certain EU countries, including Austria, the Czech Republic, France, Italy, Spain and the United Kingdom, decided to go it alone and introduce DSTs unilaterally into their own national tax systems. These decisions were driven primarily by a perception that larger multinationals, many of which have highly digitalised operations, are not paying their “fair share” of taxes globally. In addition, a growing consensus has emerged in recent months that “market jurisdictions” should have the right to tax, because those markets—namely, the countries where the users and consumers are based—ultimately create value for online businesses.

The Organisation for Economic Co-operation and Development (OECD) takes a neutral view on the use of DSTs by its members, in that it neither recommends nor discourages them. Member countries that do decide to adopt a DST should

  • Comply with international obligations
  • Ensure the DST is temporary and narrowly targeted
  • Minimise over-taxation, cost, complexity, and compliance burdens
  • Ensure the DST has a minimal adverse impact on small businesses.

The French DST is already in force. The Italian DST is in draft form, with the government intending for it to enter into force in January 2020, while other DST regimes, including that of the United Kingdom, are expected to come into force some time during 2020. None of these national rules seem to have complied with the OECD guidelines, and there are several practical challenges for businesses that are common across all three regimes.

Identifying Taxable Revenues and Services 

In France, each company belonging to a group that derives gross revenues from digital services exceeding €750 million on a worldwide basis, and €25 million in France, is subject to French DST at a rate of 3 per cent. French DST is assessed at the company level only, based on gross revenues derived from digital services deemed to be provided in France during the previous calendar year. This is calculated as the gross revenues derived from taxable digital services, multiplied by the proportion of French users over the total number of users of the taxable digital services.

As it currently stands, the Italian DST would apply to Italian resident and non-resident companies that, at the individual or group level, earned during a calendar year a total amount of worldwide revenues of over €750 million, and an amount of revenues derived from digital services provided in Italy of over €5.5 million.

Only groups with annual worldwide revenues above £500 million and UK revenues above £25 million would be affected by the UK DST, with the first £25 million of UK revenues being exempt. The UK DST would be calculated on a group-wide basis and apportioned pro rata to each group member. Groups with low operating margins may opt for a “safe harbour” alternative DST calculation, based on the group’s operating margin.

Identifying Taxable Services

The taxable services that fall within the scope of the French, Italian, and UK DSTs are broadly similar and include

  • The provision of a social media platform
  • Search engines
  • Any online marketplace
  • Online advertising business, including those that use or sell individual users’ data

It is noteworthy that digital platforms for the provision of payment services, communication services, crowdfunding services, or digital content, as well as self-operated digital platforms for the direct sale of goods and services, are specifically beyond the scope of the French and UK DST.

The issues that arise are also broadly similar. There are likely to be conflicts regarding dual-purpose platforms, i.e., those that include both taxable and exempt digital services. The fact that the lists are not exhaustive and that the DSTs will apply to all revenues received in connection with a relevant DST activity means that affected businesses will need to analyse the nature of the revenue streams and the activities from which they are generated, and each case will turn on its own facts.  This will entail a substantial administrative burden for affected businesses, as well as a lack of certainty over potential DST filing obligations.

Identifying Users 

Both France and Italy consider the location of users to be based on the location of the electronic device when the user accesses the digital services. The United Kingdom intends to determine that someone is a UK user if, it is reasonable to assume, they are normally located or established in the United Kingdom.

France and Italy will use IP addresses, wi-fi connections, GPS data, etc., plus reference to that user’s personal data and place of residence; while the UK plans to extrapolate user location from data such as delivery addresses, payment details, IP addresses, contractual evidence, or the address of properties for rent or location of goods for sale.

There are many problems with these approaches. At the most basic level, different data sources can provide conflicting evidence of a user’s location, and IP addresses can be easily manipulated. Businesses will, therefore, need to come to a reasonable, evidence-based conclusion on the likelihood of that user’s location, further adding to their administrative burden and broadening the scope to make a mistake. The use of personal data and place of residence are also likely to trigger data protection issues under the EU General Data Protection Regulations.

Potential Double Taxation and Reimbursements

There is a risk of double taxation if another jurisdiction imposes a DST on the same revenues, for example as a result of inconsistencies between one set of national rules and those of another jurisdiction regarding user location or taxing rights. DST is however generally deductible for corporate income tax purposes.

France’s President Macron stated at the 2019 G7 that any excess of French DST over the new international DST being brokered by the OECD would be refunded. He did not, unfortunately, give much detail as to how and under what limitations this refund will take place.

The Italian draft DST provisions do not include any specific rule on this aspect and, although they seem to propose a sunset clause according to which the Italian DST is automatically repealed when the new OECD-agreed corporate income tax enters into force, there does not appear to be scope for a retroactive reimbursement of the difference (if any) between the Italian DST and such future corporate income tax.

The draft UK DST rules disregard 50 per cent of UK revenues from cross-border transactions between a buyer and a seller through an online marketplace where the non-UK party is in another DST jurisdiction. But this does not fully resolve the issue of potential double taxation if the other jurisdiction imposes a DST on the same revenues, for example due to inconsistencies between the UK national rules and those of the other DST jurisdiction regarding user location and/ or taxing rights.

The UK DST will also not be creditable against either corporation tax, income tax under the Offshore Receipts in respect of Intangible Property regime, or diverted profits tax; although it should generally be deductible for corporation tax purposes as a trading expense. Unlike France or Italy, neither the draft legislation nor HMRC guidance mentions the possibility of a retroactive reimbursement of the UK DST once the OECD’s long-term solution for a revised corporate income tax has been agreed and implemented by member countries.

The US Response

The US administration takes a hostile view of DST proposals generally, as evidenced by a recent investigation into whether the French DST discriminates against US businesses. This could lead to retaliatory US tariffs being imposed on imports from France and punitive US tax charges on French companies doing business in the United States.

Other DSTs, including those of the United Kingdom and Italy, can probably expect similar responses from the United States. UK Prime Minister Boris Johnson has indicated his support in principle for a UK DST or a similarly targeted tax. He has also indicated that the structure of this tax would be on the table in any trade negotiations with the United States, and the future of the current draft Finance Bill hinges on the result of the UK general election in December, so there is currently very little certainty as to whether UK DST will take effect at all.

For now, the best course of action for affected businesses is to assume that all DSTs will take effect as planned and prepare accordingly, notwithstanding any current legislative or political uncertainty.

© 2019 McDermott Will & Emery

More on digital taxation on the National Law Review Tax law page.

DOJ Seeking to End Movie Studio and Theater Antitrust Decrees amidst Streaming Competition – A New Opportunity in Theatrical Distribution?

For the film and media distribution industries, this year has been action-packed.  Production budgets are skyrocketing and new digital services have been announced or are launching with each passing month. The streaming wars are upon us. Moreover, the FCC recently voted to treat streaming services as “effective competition” to traditional cable providers (or MVPDs), thereby triggering basic cable rate de-regulation in parts of Hawaii and Massachusetts.

The distribution landscape took yet another unexpected legal twist this week. On November 18, Assistant Attorney General Makan Delrahim announced that the Antitrust Division of the Department of Justice would ask a federal court to terminate the “Paramount Consent Decrees” (the “Decrees”), which have prohibited movie studios from engaging in certain distribution practices with movie theaters since the 1940s. The DOJ filed a motion to terminate the Decrees in federal court in the Southern District of New York on November 22, 2019.  Notably, the DOJ cites streaming services and new technology as a few of the many reasons that the Decrees may no longer be necessary in what the DOJ official sees as today’s highly competitive, consumer-driven content market. Given the volatility of the content licensing space, film licensors and licensees will have to carefully consider how the DOJ’s actions will affect their content rights and options going forward.

By way of background, the Decrees emerged out of the landmark 1948 Supreme Court antitrust case, United States v. Paramount Pictures, Inc. Prior to the case, top Hollywood studios frequently owned movie theaters (thus, owning both the means of production and distribution). This vertical integration led to lower distribution costs for the studios and gave them pricing power and the ability to discriminate about which theaters distributed their films. Not surprisingly, smaller, independent theaters struggled to survive.  The problem was exacerbated by studios engaging in practices such as “block-booking” (requiring theaters to distribute all or none of the studio’s slate of films) and overbroad “clearances” (restrictions on the time which must elapse between particular runs of a film), as well as alleged horizontal conspiracies between the studios and theaters on matters like minimum ticket pricing. As part of the Decrees, the defendant studios were restricted or prohibited from engaging in these practices and were required to divest certain interests in their theaters.

The DOJ’s November 22nd motion may not come as a surprise, as the DOJ first announced that the Decrees were under review in August 2018, after which several industry players, including the National Association of Theatre Owners (NATO), submitted comments. In particular, NATO argued, despite how streaming and technology might increase competition, that block-billing would still adversely impact independent or local chains that exhibit fewer films and may not be able to afford larger blocks of films.

Delrahim summed up the DOJ’s position, stating, “the [D]ecrees, as they are, no longer serve the public interest, because the horizontal conspiracy – the original violation animating the decrees – has been stopped. […] Changes over the course of more than half a century also have made it unlikely that the remaining defendants can reinstate their cartel.” In particular, the DOJ argued that the competitive concerns of the 1940s no longer exist because the movie marketplace has changed so drastically, citing how film distributors have become less reliant on theatrical distribution with the advent of streaming. According to the DOJ, colluding to limit theatrical film distribution in today’s market “would make no economic sense.”  In addition to streaming services, Delrahim also cited new theatrical release business models (such as flat-fee multi-ticket pricing) as increasing competition and innovation in film distribution.

The DOJ acknowledged NATO’s concerns in part and asked the court to implement a two-year sunset on block-booking and circuit dealing (licensing to all theaters under common ownership, as opposed to on a theater-by-theater basis). Whether terminating the Decrees would decrease innovation, neither the motion papers nor Delrahim venture to guess. Delrahim noted that antitrust enforcers need not predict the future but need only recognize that changes are occurring. He added that practices covered by the Decrees would not become per se lawful, but would rather be subject to review under the rule of reason standard.

Commentators are split on whether termination of the Decrees that have shaped Hollywood for decades will lead to any significant change for the movie business. One thing that is important to note is that the Decrees did not outright prohibit vertical integration of studios and theaters – the defendant studios could (and did) acquire theaters after proving that such acquisitions would not unreasonably restrain trade. Further, only those studios party to the Decrees remain subject to their restrictions, meaning many of today’s top studios (that now typically own a vast portfolio of traditional and digital entertainment properties) were non-existent or much smaller in the 1940s and have not been subject to the Decrees.

While it remains to be seen how this development will play out, it is noteworthy for digital providers because it may breathe extra life back into the theatrical release window. With mammoth streaming deals inked every week, the value of the theatrical release window was seemingly diminishing for some films. But now that many studios are forgoing third-party licensing fees and instead retaining their content for their own streaming platforms, studios may begin to ask whether added revenues from ownership of a theater chain could be a potential new source of revenue and a way to gain additional control of the theatrical window. Meanwhile, the effect of lifting the Decrees may not necessarily lead to a flurry of acquisitions, as other studios involved in direct-to-consumer streaming campaigns may not have the capital or desire to exploit the termination of the Decrees. Major theater chains will likely seek to strengthen relationships with studios, while independent theaters will look for ways to succeed despite potentially rising costs.

With all of these developments, studios and media platforms will also need to carefully consider how to protect their interests when handling their licensing arrangements, given the volatility in this space and keeping in mind the two-year sunset (assuming the DOJ succeeds) on block-booking and circuit dealing. While some distributors may be looking for long-term, exclusive content deals as they roll-out their streaming services, studios and content providers may seek flexibility as their distribution options are changing day-to-day.

© 2019 Proskauer Rose LLP.

More on entertainment distribution on the National Law Review Entertainment, Art & Sports law page.

CISA Releases “Cyber Essentials” to Assist Small Businesses Updated

On November 6, 2019, the Department of Homeland Security (“DHS”), Cybersecurity & Infrastructure Security Agency (“CISA”) released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.

The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness,” specifically:

  • Yourself – driving awareness, strategy, and investment to build and sustain a culture of cybersecurity.
  • Your Staff – developing awareness and vigilance because your staff is often the first line of defense.
  • Your Systems – protecting your information and critical assets and applications.
  • Your Surroundings – limiting access to your digital environment.
  • Your Data – having a contingency plan to recover systems, networks, and data from trusted backups.
  • Your Actions Under Stress – planning and conducting drills for cyberattacks to bolster readiness to respond, limit damage, and restore operations in the event of an attack.

The final section of the guide provides a list of steps that small businesses can take immediately to increase organizational preparedness against cyber risks. These include backing up data (automatically and continuously), implementing multi-factor authentication (particularly for privileged, administrative, and remote access users), enabling automatic updates, and deploying patches quickly.

CISA’s Cyber Essentials guide is just the most recent example of a user-friendly resource aimed at assisting small businesses seeking lower-cost cybersecurity solutions. Recognizing that investing in cybersecurity may be difficult for some small businesses, Government agencies are making an effort to help small businesses understand the importance of cybersecurity.

For example, the U.S. Small Business Administration (“SBA”) has a page dedicated to providing information and resources for small business cybersecurity. It outlines common threats, risk assessment, and cybersecurity best practices. It also provides a list of upcoming training and events related to small business cybersecurity. Other entities, including the National Institute of Standards and Technology, the Federal Trade Commission, and the Federal Communications Commission also provide similar resources specifically tailored to small businesses.

The main takeaway here is that all organizations – regardless of size or resources – should take basic steps to improve their cybersecurity resilience.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

ARTICLE BY Jonathan E. Meyer, Townsend L. Bourne and Nikole Snyder a Law Clerk in Sheppard, Mullin, Richter & Hampton LLP’s Washington, D.C. office.