Exiting from the EU: Bre(xit)aking News

The Supreme Court of the United Kingdom has today confirmed, by a majority of 8 to 3, that triggering the exit procedure from the European Union requires an Act of Parliament.

The Supreme Court thereby rejected the argument of the current UK Government that ministers could rely on their prerogative powers to trigger Article 50 of the Treaty on European Union without prior authorisation by Parliament. The Scottish Parliament and the Welsh and Northern Ireland assemblies had argued that they too should be consulted; the judges did not agree with that view.

This is a big blow for the current Government. The judges held that triggering Article 50 will bring fundamental change to the UK’s constitutional arrangements by cutting off the source of EU law and by removing existing domestic rights of UK residents. As to the Brexit referendum, the Supreme Court confirms its political significance but notes that the statute authorising the referendum was silent as to its specific legal consequences. Defining those consequences remains within the power of Parliament, which will have to enact legislation fleshing out the changes in the law required to implement the referendum. Whether this will upset Theresa May’s timetable of invoking Article 50 by the end of March remains to be seen; the Government certainly does not think so and is expected to introduce a bill into Parliament shortly.

In the end the Supreme Court’s judgment is unlikely to change all that much given in particular that the Scottish Parliament, and the Welsh and Northern Ireland assemblies are unable to exercise any veto. In addition, over the last days members of Parliament from other parties have indicated their support for the triggering of Article 50. For those hoping that Article 50 will not be triggered the question is whether the pro-EU members of Parliament are able to form a credible opposition in the time available and will vote as a matter of their conscience.

The uncertainty for companies will remain. The reaction amongst clients and companies exposed to the UK has so far been varied: some are already moving jobs and operations, while others are waiting or are committing to the UK despite Theresa May’s indications on future steps, all of which point to a hard Brexit. We are following legal and political developments in the UK closely and would be delighted to discuss concerns with you.

Full text of the judgment, transcripts from the hearings and parties’ submissions: here.

Copyright © 2017, Sheppard Mullin Richter & Hampton LLP.

Swiss-US Privacy Shield Will Replace Swiss-US Data Protection Safe Harbor

On January 11, 2017, the Swiss Federal Council announced that a new framework will govern the transfer of personal data from Switzerland to the US. According to the Federal Council, the Swiss-US Privacy Shield Framework “will apply the same conditions as the European Union.” The International Trade Administration stated that the US Department of Commerce will begin accepting certifications on April 12. Certification will allow companies to comply with Swiss data protection requirements, facilitating transatlantic commerce.

The Federal Council made note of several changes from the Swiss-US Safe Harbor to the Swiss-US Privacy Shield, including:

  • “Stricter application of data protection principles by participant companies”

  • Heightened administration and supervision requirements by US authorities

  • Enhanced cooperation between the Swiss Federal Data Protection and Information Commissioner and the US Department of Commerce

  • A new arbitration body to handle claims

  • Introduction of an ombudsperson in the US Department of State, who will address Swiss persons’ concerns about the processing of their personal data by US intelligence services

Because the Swiss-US Privacy Shield aligns with the EU-US Privacy Shield, the self-certification process should not be overly burdensome.

However, in light of this change, it is important to reassess current business practices to determine whether a company is participating in the transfer of personal data from Switzerland to the US. If so, companies should remove any references to the Safe Harbor, and should be ready to apply for self-certification. Further, companies should prepare for changes to internal policies to comply with the new requirements under the Swiss-US Privacy Shield.

Copyright © 2017 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.

Russia v. USA: Geo Political Cyber Warfare And Your Business

The cyber war battlefield has expanded, and your business is now a fighter and a target.

A new U.S. Government report explains many reasons for identifying and penalizing Russian hackers, the Russian intelligence services, and the Russian leadership in response to hacks on U.S. government, political and business targets. The report contains detailed information that organizations can use to determine if the Russians have accessed their systems, plus a detailed list of prudent steps and best practices that all organizations should consider as part of their cyber security efforts.

The overarching message of the report is that the DNC hack was not an isolated incident but part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.

The report is best understood as a call to arms for U.S. private sector and government entities to strengthen their vigilance and defenses against Russian Intelligence Services and join DHS and FBI in their effort to counter them. Many organizations believe that because they hold no state secrets, defense-related intellectual property, or sensitive information on government employees, they have no stake in geopolitical cyber security. DHS and the FBI are saying that this is not true. The national interest in cyber security is materially weakened whenever organizations with credibility and standing allow their domains to be breached and used as conduits for cyber-attacks on others, as happened in the DNC breach. Furthermore, data collected from breaches of non-traditional targets is often used to create the highly targeted and highly credible email packages for use in spear phishing campaigns against more traditional targets. Geopolitical cyber security is being “democratized,” with wide-ranging potential public policy implications.

On December 29, 2016, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) jointly identified the Russian civilian and military intelligence services (RIS) as responsible for the 2015-2016 hack of the Democratic National Committee and its leadership. (In a nod to investigatory confidentiality, the joint DHS/FBI report refers to the targets only as a “U.S. political party,” and “multiple senior party members.”) The U.S. government has given the RIS effort the rather unartfully chosen name of “GRIZZLY STEPPE.”1

The joint DHS/FBI report provides the most detailed public discussion to date by U.S. law enforcement and cyber security agencies of the means and methods used in a foreign government-sponsored cyber-attack against U.S. interests. In October 2016, DHS and the Director of National Intelligence had reported that they were “confident” that RIS was behind the DNC attack. But this is the first time that a DHS/FBI joint report has formally assigned culpability for a specific cyber-attack to a specific nation. It is also the first time that specific operational groups within a foreign cyber directorate have been singled out and their identifying practices, approaches and tools have been publicly discussed.

The report links these operations by RIS to damaging or disruptive cyber-attacks committed in recent years on foreign interests.2 The report does not mention these attacks by name but apparently is referencing recent cyber-attacks on the Ukrainian electrical grid, banking system and other infrastructure,3 and on Estonian governmental and quasi-governmental entities. All of these cyber-attacks have been widely attributed to the Russian government, which denies that attribution.

As part of its call to arms, the DHS/FBI report provides “technical details regarding the tools and infrastructure” being used by the RIS “to compromise and exploit networks and endpoints associated with a range of U.S. Government, political and private sector entities.”

The report shows how groups working within RIS have been able to plant command and control infrastructure within the servers and domains of U.S. organizations and educational institutions, infrastructure they used to send phishing emails to potential victims and to serve as a pipeline to receive and retransmit stolen data once a breach was established. The report infers that the Russians were able to camouflage their actions by routing this malicious internet traffic through otherwise known and legitimate, perhaps even well-respected, private and educational organizations.

In the report, DHS and the FBI provide “technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided and information on how to report such incidents to the U.S. Government.” The technical indicators include the specific software fingerprints (Yara signatures) for the malware planted by RIS, and the specific IP addresses, URLs and file hashes that the RIS operatives have used in their attacks on U.S. computer systems.

DHS and the FBI call on the private sector and others to put this information to immediate use to identify and remediate on-going RIS breaches and to limit future vulnerabilities. It is likely that other private and governmental entities are subject to active breaches by the RIS, and may be serving as infrastructure for on-going RIS attacks on others. To this end, the report recommends that network administrators “review the IP addresses, file hashes, and Yara signatures provided and add the IP addresses to their watchlists” to determine whether malicious activity is taking place in their systems today.

The DHS/FBI report cautions that some of the traffic crossing network perimeters or firewalls and matching the suspicious IP addresses and other identifying information may prove to be legitimate. Conversely, some traffic that appears legitimate may involve RIS or others scanning public-facing servers (e.g., HTTP, HTTPS, FTP) to identify websites that are vulnerable to cross-site scripting (XSS) or Structured Query Language (SQL) injection attacks. This scanning can be the precursor to exploitation of the vulnerabilities found.
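The watchlist review the report recommends, as an added example in Python that is not code from the article or from the DHS/FBI report: it matches key=value firewall log lines against IP, CIDR and SHA-256 indicators and ranks the internal hosts that produced hits, treating each hit as a triage lead rather than proof of compromise, in line with the caveat above. Every indicator and log line is a constructed placeholder (RFC 5737 test addresses, the SHA-256 of empty input); a real run would load the report's own indicators into WATCHLIST.

```python
"""Match firewall or proxy log lines against an indicator watchlist.

Added example, not code from the article or the DHS/FBI report.  Every
indicator and log line below is a constructed placeholder (RFC 5737 test
addresses, the SHA-256 of empty input); a real run would load the report's
own IP addresses and file hashes into WATCHLIST instead.
"""
import ipaddress
import re
from collections import Counter

# Constructed watchlist standing in for the report's indicator list.
WATCHLIST = {
    "ips": {"203.0.113.10", "198.51.100.7"},
    "cidrs": {"192.0.2.0/24"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed sample log lines in a key=value style many proxies/firewalls emit.
SAMPLE_LOGS = """\
2016-12-30T10:01:02Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
2016-12-30T10:01:09Z src=10.0.0.8 dst=198.51.100.200 dport=80 action=allow
2016-12-30T10:02:11Z src=10.0.0.5 dst=192.0.2.77 dport=8080 action=allow
2016-12-30T10:03:40Z src=10.0.0.9 dst=198.51.100.7 dport=25 action=deny
2016-12-30T10:04:01Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
2016-12-30T10:05:55Z src=10.0.0.5 file=invoice.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into its timestamp and a {key: value} dict."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV_RE.findall(rest))


def ip_matches(ip_str, watchlist):
    """True for an exact IP hit or an address inside a watchlisted CIDR block."""
    if ip_str in watchlist["ips"]:
        return True
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:          # malformed field: never a hit, never a crash
        return False
    return any(ip in ipaddress.ip_network(cidr) for cidr in watchlist["cidrs"])


def scan(log_text, watchlist=WATCHLIST):
    """Return one hit record per indicator match.

    A hit is a lead for an analyst, not proof of compromise: the report warns
    that some traffic to watchlisted addresses may prove to be legitimate, so
    each record keeps the internal host, the indicator and the direction so
    the analyst can triage it against what that host normally does.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        host = kv.get("src")
        for field in ("src", "dst"):
            if field in kv and ip_matches(kv[field], watchlist):
                hits.append({"ts": ts, "host": host, "kind": "ip",
                             "indicator": kv[field], "direction": field})
        digest = kv.get("sha256", "").lower()
        if digest in watchlist["sha256"]:
            hits.append({"ts": ts, "host": host, "kind": "sha256",
                         "indicator": digest, "direction": "file"})
    return hits


def hosts_by_hit_count(hits):
    """Internal hosts ranked by number of hits; repeat offenders rise to the top."""
    return Counter(h["host"] for h in hits).most_common()


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(h)
    print(hosts_by_hit_count(found))
```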

The FBI and DHS cannot impose direct legal consequences on private sector and governmental entities who fail to act on this information. But scenarios can be envisioned where the failure to do so could be considered a failure to provide the minimum levels of data protection that may be required by the multiple statutory, regulatory and common law constructs under which businesses operate today. Womble Carlyle advises its clients to evaluate the DHS/FBI report carefully, and to document the actions and decisions taken in response to it for future reference.

As to the specific DNC attack, the report concludes that two separate groups within RIS breached the DNC computer system. These teams used different techniques and malware exploits and the report does not show direct coordination between the breaches. The report designates the two RIS hacking groups as APT (Advanced Persistent Threat) 28 and APT 29.

(An advanced persistent threat actor or APT is a hacker or team of hackers whose sophisticated methods, choice of targets, and the determination to breach those specific targets set them apart from even the most accomplished global cybercriminals. APTs are generally assumed to be associated with nation states and other political actors.)

The report indicates that the initial breach of the DNC computer resulted from a 2015 spear phishing campaign in which APT29 sent “out emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims.” But even before this, APT29 had breached a number of “legitimate [internet] domains, to include domains associated with U.S. organizations and educational institutions.” Through these earlier breaches, APT29 had set up operational infrastructure (i.e., false user and email accounts) within the computer domains of these legitimate organizations. These accounts allowed APT29 to send spear phishing emails to its victims from legitimate organizations, possibly organizations known to and respected by the potential victims, albeit from unauthorized and fraudulent email accounts hosted there.

Links in the spear phishing emails directed the victims to web pages created by APT29 and hosted, once again, on the domains of these otherwise legitimate organizations. The pages included malware droppers which downloaded malicious software onto the targets’ computer systems when the victims clicked on the links.

At least one targeted individual, apparently a “U.S. Government victim,” activated the malicious link from a computer on the DNC’s system. The downloaded malware granted APT29 remote access to that individual’s computer, which the group then used to obtain control over the computer’s operating system (via PowerShell commands). The group established “persistence” in the form of difficult-to-detect “back doors” allowing its members to come and go on the system at will. They “escalated privileges,” harvesting credentials that allowed them wider and wider access to the data on the DNC’s system. They created their own user accounts on the DNC domains to receive, encrypt and exfiltrate (steal) data. They conducted surveillance and began exporting data using encrypted connections.

Operational infrastructure unwittingly hosted on legitimate sites formed the pipeline for breaching the DNC and transmitting the stolen data to Russia. This made the malicious nature of the transfers harder to detect.

A second breach occurred in the spring of 2016 when a separate RIS group, APT28, hacked the DNC using a different spear phishing technique. DHS and the FBI report that APT28’s established modus operandi is to “leverag[e] domains that closely mimic those of targeted organizations.” This can mean, for example, substituting www.yourcompany.co or www.youcompany.com for www.yourcompany.com. Spear phishing emails can be sent that spoof an email from the targets’ IT department or other leadership. The email instructs the targets to confirm or update their passwords using a link provided. The link is to a fraudulent web page on an unwitting host’s system. If the targets click on the link and enter passwords as instructed, their credentials are immediately transmitted to the hacker, who uses them to gain access to the computer and begin uploading malware and conducting exploits.
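A mail-gateway check for the mimicking domains described above, as an added example in Python that is not code from the article or the report: it classifies a sender domain against the domains an organisation owns, catching the swapped-TLD and dropped-letter cases the article illustrates (yourcompany.co, youcompany.com) and, going slightly beyond the text, the real name used as a subdomain of another domain and digit-for-letter homoglyphs. The protected domain and all sample senders are constructed.

```python
"""Classify a sender domain as exact, lookalike or unrelated to a protected domain.

Added example, not code from the article or the DHS/FBI report.  The
protected domain and the sample senders are constructed from the article's
own illustration (yourcompany.co and youcompany.com for yourcompany.com).
"""

PROTECTED = {"yourcompany.com"}          # constructed: the domains you own

# Digits commonly substituted for look-alike letters (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans("0135", "oles")


def levenshtein(a, b):
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_domain(domain):
    """('yourcompany', 'co') for 'www.yourcompany.co'; drops a leading www label."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > 1 and labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels[:-1]), labels[-1]


def classify(sender_domain, protected=PROTECTED, max_distance=1):
    """Return 'exact', 'lookalike' or 'unrelated'.

    'exact' covers the protected domain and its own subdomains.  'lookalike'
    covers the pattern the report describes (same name with a swapped TLD, or
    a one-character typo) plus two related tricks: the real name used as a
    label inside another domain, and digit-for-letter homoglyphs.
    """
    name, tld = split_domain(sender_domain)
    for p in protected:
        pname, ptld = split_domain(p)
        if tld == ptld and (name == pname or name.endswith("." + pname)):
            return "exact"                                 # mail.yourcompany.com
        if name == pname:
            return "lookalike"                             # yourcompany.co
        if pname in name.split("."):
            return "lookalike"                             # yourcompany.com.attacker.example
        if levenshtein(name, pname) <= max_distance:
            return "lookalike"                             # youcompany.com
        if name.translate(HOMOGLYPHS) == pname:
            return "lookalike"                             # y0urc0mpany.com
    return "unrelated"


def triage(senders, protected=PROTECTED):
    """Map each sender domain to its class so a gateway can hold lookalikes for review."""
    return {s: classify(s, protected) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage(["www.yourcompany.co", "youcompany.com",
                                   "mail.yourcompany.com", "unrelated.example"]).items():
        print(f"{sender:28} {verdict}")
```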

APT28’s approach appears to have gained access to the email accounts of “multiple senior party members” at the DNC. The report indicates that the 19,000 emails and other documents posted on WikiLeaks on the eve of the Democratic National Convention were harvested by APT28.

Other reports indicate that it was APT28’s attempts to breach the DNC’s computers in the spring of 2016 that led the DNC to retain cybersecurity consultants to look for a potential breach. Apparently, by the time remedial action could be taken the damage had been done. It also seems that the investigation into the APT28 cyber-attack led to the discovery of the older, on-going APT29 breach, which may explain the fact that the team responsible for the older breach was assigned the higher reference number.

The DHS/FBI report does not say which “U.S. organizations and educational institutions” were the unwitting hosts to the RIS’s activities. But it is very reasonable to assume that sometime in the summer of 2016, a legitimate and undoubtedly respected U.S. organization or educational institution received a call from the FBI telling them that their lax cyber security policies materially contributed to what the U.S. government is now reporting to be a deliberate attempt by Russia to subvert the U.S. political process. Other organizations may be in a similar situation today, with RIS actively using their infrastructure to carry out cyber-attacks on other U.S. interests.

Would an organization become civilly liable if, absent good reasons, it were to ignore the tools and recommendations cited in this report and then became (or continued to be used as) the conduit for future data breaches that injure others? The law on this point is in its infancy. The answer will only come when courts resolve claims brought by specific plaintiffs against specific defendants in future lawsuits. But the process for creating future precedents on these matters will likely be slow, embarrassing and expensive for the defendants involved. And the resulting reputational black eye may represent the greatest cost of all.

Copyright © 2016 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.


1 Would a second such cyber-attack become the “GRIZZLY TWO-STEPPE” or simply “DANCING BEAR?”

2 http://www.wsj.com/articles/behind-russias-cyber-strategy-1483140188

3 http://www.wsj.com/articles/cyber-experts-cite-link-between-dnc-hacks-an…

Base Erosion Profit Shifting Multilateral Agreement

The most recent element of the ongoing global dispute resolution process is the late November 2016 release of the so-called multilateral instrument (MLI), a cornerstone of the base erosion and profit shifting (BEPS) project. It is an ambitious effort of the Organization for Economic Cooperation and Development (OECD) to impose its will on as many countries as possible. The explanation comprises 85 single-spaced pages and 359 paragraphs. The MLI draft itself is 48 similar pages. The purpose of the MLI is to facilitate implementation of the BEPS Action items without having to go through the tedious process of amending approximately two thousand treaties.

In essence, the MLI implements the BEPS Action items in treaty language. While consistency is obviously an intended result, the MLI recognizes the reality that many countries will not agree to all of the provisions. Accordingly, countries are allowed to sign the agreement, but then opt out of specific provisions or make appropriate reservations with respect to specific treaties. This process is to be undertaken via notification of the “depository” (the OECD). Accordingly, countries will be able to make individual decisions on whether to update a particular treaty using the MLI.

There are a variety of initial questions to be addressed by each country, including:

  • Does it intend to sign the MLI?

  • Which of its treaties will be covered?

  • Will treaty partners agree?

  • What provisions will be included or opted out of? If there is an opt out, the country is supposed to advise the depository of how this impacts each of its treaties. This will be a time-consuming process.

  • How will it negotiate with specific treaty partners with respect to the various technical provisions of the MLI?

The arbitration provisions are intended to implement the BEPS Action 14 recommendations, focused on mandatory binding arbitration. These provisions would apply to a bilateral treaty only if both parties agree. The arbitration articles provide an outline of arbitration procedures, allowing the competent authorities to vary the procedures by mutual agreement. The form of the proceeding provides a default for “last best offer” (or “baseball style”). The parties may also agree to a “reasoned decision” process, which is stated to have no precedential value. If the parties do not agree on either of these forms of proceeding, the competent authorities should endeavor to reach agreement on a form. If there is no agreement, then the arbitration provisions are inapplicable.

Whether or not the US or other countries sign the MLI, it seems apparent that the net result will be a period of chaos in treaty relationships, as there will inevitably be: (1) signers and non-signers; (2) reservations; (3) opt outs; etc.

In a world in which the list of countries zealously seeking to protect their tax bases and making proposals to increase domestic tax revenues (following BEPS and related guidance), continually expands, it seems apparent that dispute resolution processes will need to evolve to resolve the tsunami of disputes that are expected to materialize. If this is not the case, then countries and MNEs alike will incur prejudice to their respective interests.

Accordingly, these dispute resolution issues should be on the agenda for consideration as effective tax rate strategies are revisited in the post-BEPS world.

UK Employee Classification: Uber Drivers Uber Happy

As you may have seen from the extensive press coverage, the UK Employment Tribunal has delivered its much anticipated judgment in Aslam and Farrar v Uber. The case was about whether Uber drivers are self-employed contractors, or are “workers” with rights to minimum wage, statutory holidays, sick pay and breaks, amongst other workers’ rights.

In Depth

A “worker” is someone who has entered into a contract to personally do work for, or provide services to, a third party. This contract can be implied and does not have to be in writing. If that third party is a customer of the individual’s business undertaking, however, then that individual is self-employed.

Determining the status of the relationship between businesses and those they engage involves the Employment Tribunal looking beyond the terms and conditions in place between the parties to the reality of the relationship. The Tribunal will look at a number of factors to determine the true status of the relationship, but what really matters is the Tribunal’s view of how much control the business exerts over the individual, and whether or not that tips the balance away from the individual truly having the autonomy of being self-employed.

Uber’s Position

Uber said that it did not have the necessary control over drivers because

  • It is just a “platform” (through the Uber app) that links fare-paying customers to Uber drivers, rather than a transportation business.

  • Once linked, the Uber driver uses his/her own vehicle to take the customer to the requested destination.

  • There is no obligation on the drivers to work and drivers are not performance managed or subject to disciplinary procedures, although they do receive a “rating” from customers at the end of the journey.

  • Uber does not “pay” the drivers. The drivers receive the fare paid by the customer (collected by Uber through the platform), after the deduction of Uber’s service fee. The service fee to Uber is taken as payment for the use of the app.

  • The drivers pay for the vehicle, the expenses associated with running that vehicle and their own taxi licenses.

  • It is the end-user (Uber’s customers) who contract with the drivers; they engage the drivers as self-employed contractors.

  • The drivers accept their self-employed status for tax purposes.

  • The drivers are permitted to work for other organisations, including direct competitors of Uber; they are not required to work exclusively for Uber.

The Employment Tribunal’s Decision

The Tribunal was not persuaded by Uber’s arguments nor, in relation to some aspects, Uber’s perspective on how its business operated. The Tribunal found that Uber was, indeed, running a transportation business through which the drivers provided skilled labour, from which Uber profited. The key factors were

  • That the drivers can only use the Uber app on Uber’s terms.

  • Uber interviews and “recruits” the drivers.

  • Uber handles customer complaints and often compensates customers following these complaints. Uber’s findings in respect of customer complaints are not always shared with the driver.

  • Uber accepts liability for losses, e.g., refunds to passengers, which would usually fall to a driver who was genuinely self-employed.

  • Uber does pay the drivers.

  • Uber’s ratings system (whereby the customer would rate the driver following the completion of a journey), is essentially a performance management procedure that could result in the driver being disconnected from the app.

  • Fares are fixed by Uber.

  • The language used by Uber in its PR communications is inconsistent with their argument that the drivers are self-employed.

What’s Next?

Uber has confirmed to customers and the press that it will be appealing the decision. In order to get an appeal off the ground, however, Uber will need to identify an error of law in the Tribunal’s judgment, or show that it had reached a decision which no reasonable tribunal could have reached on the facts.

How Does This Affect My Business?

The analysis of an individual’s employment status will depend on the facts of each individual case. The Uber judgment therefore does not necessarily mean that all companies within the gig economy, or who engage self-employed contractors, must now give these individuals workers’ rights.

It does, however, serve as a useful reminder to review your workforce, consultancy/contractor agreements and other documents/communications and processes. Keep in mind, however, that were there to be a dispute over the status of the working relationship, a tribunal or HMRC would look beyond the contractual documents to the true relationship of the parties.

ARTICLE BY Katie L. Clark & Paul McGrath of McDermott Will & Emery

© 2016 McDermott Will & Emery

IP Addresses Constitute Personal Data According to Court of Justice of European Union

In a decision dated 19 October 2016, the Court of Justice of the European Union (CJEU) has provided much needed clarification on a long-standing issue in EU data protection law.

A German politician brought an action concerning websites operated by the Federal Republic of Germany that stored personal data, including IP addresses, in log files for two weeks. The question before the CJEU was: are IP addresses personal data? According to Article 2(a) of EU Directive 95/46, “personal data” is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, from the data.

The CJEU ruled that dynamic IP addresses constitute personal data for an online media service provider (here the Federal Republic of Germany) that makes a website accessible.

A dynamic IP address means that the computer’s IP address is newly assigned each time the website is visited. Unlike static IP addresses, it is not possible for dynamic IP addresses, using only files which are accessible to the public, to create an identifiable link between the user’s computer and the physical connection to the internet provider’s network. Hence, the data included in a dynamic IP address does not enable the online media service provider to identify the user.

However, according to the CJEU, a dynamic IP address will be personal data if the additional data necessary to identify the user of a website is stored by the user’s internet service provider. The website provider only needs to have the legal means which enable it to identify the user. Such legal means exist, for example, in the event of cyber attacks, and they do not have to be applicable in the specific case.

This decision has significant practical implications for all website providers, because the storing of user information by internet service providers falls under data protection laws. Ultimately, the website provider needs the consent of the user to store the dynamic IP address. This will also apply after the General Data Protection Regulation (GDPR) comes into force in May 2018, because Article 2 of Directive 95/46 is incorporated in almost the same words in Article 4 (1) of the GDPR.

© Copyright 2016 Squire Patton Boggs (US) LLP

China’s Quantum Cryptography: Tales from (Quantum) Crypt

The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satellite,” a project the Chinese government hopes will enable it to build a communication system incapable of being hacked. Such a system, if perfected, would allow for encrypted communications between any two devices with absolute certainty that the encryption could not be broken, and with a built-in mechanism for alerting the sender/receiver if someone tried. If you are interested in truly understanding the mechanics of quantum cryptography, I would highly recommend the article “How Quantum Cryptography Works.” For the purpose of this post, a very basic explanation is as follows:

In order to encrypt a two way communication, the sending party (who we will call “Alice”) typically encodes a message using a key and sends the message to the receiving party (who we will call “Bob”), who then decrypts the message using the same key. Since modern technology makes it possible to engineer almost unbreakable keys, the best way for an eavesdropper (who we will call “Eve”) to access the message is to find the key itself, which is vulnerable because it also needs to be communicated between Alice and Bob, but can’t itself be encrypted, or else Bob won’t be able to use it.

Quantum cryptography would allow Bob and Alice to use a new key for every message AND guarantee that if Eve tries to intercept the key, they will know. Quantum entanglement is a physical phenomenon that can cause certain particles to become “entangled” such that a change in one will elicit a predictable change in the other, no matter how far apart the entangled particles are, and without any measurable (by current scientific standards) communication between them. If Alice and Bob share entangled particles, Alice can transmit the information for a new key to Bob for every communication by altering the directional spin of her particles, which in turn will alter the spin of Bob’s particles. A complicated process of measuring particle spin and cross-checking information between Alice and Bob (more fully explained in the article linked to above) is then used to generate the key.

Since, so far as science is currently aware, there is nothing “communicated” between the entangled particles, there is nothing for Eve to intercept unless she can actually access Bob’s particles. Meanwhile, Heisenberg’s uncertainty principle states that any time the spin of one of these particles is measured, the very act of measuring it changes the spin of that particle. This means that if Eve does manage to physically access Bob’s entangled particles and measures them to try to get Alice’s key before passing the particles back to Bob, Bob will know the particles were intercepted: once he and Alice cross-check their information, the key he thinks he got from Alice won’t unlock Alice’s message, because Eve’s measuring of Bob’s particles changed the spin of those particles. Furthermore, since Eve is not able to cross-check her information with Alice, even if she is able to listen to Bob and Alice cross-checking their information, Eve will not be able to use her information to formulate the correct key to decode Alice’s message.
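The detection step just described, simulated in Python as an added example that is not from this post or the linked article. It models the simpler prepare-and-measure form of quantum key distribution (Alice sends one particle at a time, Eve intercepts, measures and re-sends) rather than shared entangled pairs, which shows the same cross-check without the entanglement bookkeeping; n, seed and threshold are constants of the example.

```python
"""Simulate the cross-check that reveals an eavesdropper on a quantum key exchange.

Added example, not from the post or the linked article.  It models the
prepare-and-measure form of quantum key distribution (Alice sends one
particle at a time; Eve intercepts, measures and re-sends) rather than
shared entangled pairs.  n, seed and threshold are the example's own constants.
"""
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparing basis returns the prepared bit; measuring in
    the other basis returns a random bit and leaves the particle in the
    measuring basis.  This is the disturbance the post attributes to Eve."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def transmit(n, eve_present, rng):
    """Alice encodes n random bits in random bases; Bob measures in random bases.
    With Eve present she intercepts each particle, measures it in a basis of
    her own choosing and forwards the particle as she measured it."""
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_results = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eve_present:
            e_basis = rng.randrange(2)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        bob_results.append(measure(state_bit, state_basis, b_basis, rng))
    return alice_bits, alice_bases, bob_results, bob_bases


def sift(alice_bits, alice_bases, bob_results, bob_bases):
    """The public cross-check: Alice and Bob announce bases (not bits) and keep
    only the positions where the bases agreed.  Eve can listen to this but,
    as the post says, cannot use it to recover the bits she mis-measured."""
    kept = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in kept], [bob_results[i] for i in kept]


def error_rate(alice_key, bob_key, sample_size, rng):
    """Publicly compare a random sample of sifted bits (those bits are then
    discarded, since Eve heard them too)."""
    idx = rng.sample(range(len(alice_key)), sample_size)
    return sum(alice_key[i] != bob_key[i] for i in idx) / sample_size


def run(n=4000, eve_present=False, seed=1, threshold=0.11):
    """Return (observed error rate, eavesdropper detected).

    Without Eve the sifted bits agree exactly.  An intercept-and-resend Eve
    guesses the wrong basis half the time and then randomises Bob's result
    in half of those cases, so about 25% of sifted bits disagree.  The
    threshold is a constant of this example; a real system sets it from the
    measured noise of the channel.
    """
    rng = random.Random(seed)
    a_bits, a_bases, b_res, b_bases = transmit(n, eve_present, rng)
    a_key, b_key = sift(a_bits, a_bases, b_res, b_bases)
    rate = error_rate(a_key, b_key, len(a_key) // 2, rng)
    return rate, rate > threshold


if __name__ == "__main__":
    print("no eavesdropper:", run(eve_present=False))
    print("eavesdropper:   ", run(eve_present=True))
```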

The ability to send completely secure messages between any two points has myriad applications for data security. From a commercial standpoint, it could mean the ability for enterprises to remote access data without fear of interception. It could also mean an increase in the security of customer information (especially information that is legally required to be protected, such as personally identifiable information) and a corresponding decrease in the risk of a security breach that might result in damage to a company’s brand, increased compliance costs, or potential litigation awards and expenses. For consumers, it could mean the ability to communicate private information securely in an age where so many online transactions require the sending of sensitive information over the internet.

More troubling (or liberating, depending on your point of view) are the challenges quantum cryptography poses for law enforcement and national security. Agencies such as the CIA, FBI, and NSA currently depend on access to third-party data networks, such as e-mail providers and telecommunication companies, for a large part of their data collection and monitoring activities. Under the “third-party doctrine”, when Alice sends a message to Bob and a copy of that message is kept by the medium they use to communicate (e.g. by Alice’s e-mail provider), a government agency can request a copy of that information directly from the provider without needing to get a warrant, and without telling Alice or Bob about the request. Quantum cryptography could allow Alice to send an encrypted message to Bob such that, even if a government agency obtains a copy of the message itself from Alice’s e-mail provider, it will not be able to decrypt it without help from either Alice or Bob. Strong end-to-end encryption already has this effect; what quantum key distribution adds is that the key was never exposed in transit for anyone to record and break later.

Quantum cryptography still has a long way to go before it lives up to its promise, and there will almost certainly be bumps along the way. Yet, if the Chinese satellite launch does kick-start the quantum cryptography revolution, commercial enterprises, consumers, governments, hackers, and lawyers alike will need to find ways to respond to the new challenges it creates.

ARTICLE BY Adam Waks of Proskauer Rose LLP
© 2016 Proskauer Rose LLP.

Location Data Gathering Under Europe’s New Privacy Laws

Why are EU regulators particularly concerned about location data?

Location-specific data can reveal very specific and intimate details about a person, where they go, what establishments they frequent and what their habits or routines are. Some location-specific data garners heightened protections, such as where and how often a person obtains medical care or where a person attends religious services.

In the U.S., consumers typically agree to generalized privacy policies by clicking a box prior to purchase, download or use of a new product or service. But the new EU regulations may require that more informed notice and consent be obtained for each individual use of the data that a company acquires. For example, a traffic app may collect location data to offer geographically focused traffic reports and then also use that data to better target advertisements to the consumer, a so-called “secondary use” of the data.

The secondary use is what concerns EU regulators. They want to give citizens back control over their personal data, which means meaningfully and fully informing them of how and when it is used. For example, personal data may only be gathered for legitimate purposes, meaning companies should not continue to collect location data beyond what is necessary to support the functionality of their business model; additional consent would also need to be obtained each time the company wants to re-purpose or re-analyze the data it has collected. This puts an affirmative obligation on companies to know if, when and how their partners are using consumer data, and to make sure such use has been consented to by the consumer.

What should a company that collects location data in the EU do?

  1. Consumers should be clearly informed about what location information is being gathered and how it will be used; this means not just the primary use of the data but any ancillary uses, such as targeting advertisements;

  2. Consumers should be given the opportunity to decline to have their data collected, or to be able to “opt-out” of any of the primary or secondary uses of their data;

  3. Companies need to put a mechanism in place to make consumers aware if the company’s data collection policies change; for example, a company may have no secondary use for the data now but may plan, in two years, to package and resell that data to an aggregator; and

  4. Companies must have agreements in place with their partners in the “business ecosystem” to ensure their partners are adhering to the data collection permissions that the company has obtained.

© Polsinelli PC, Polsinelli LLP in California

Brexit: Government Statement on EU Nationals in UK

A small piece of employment-related Brexit news for you. The Cabinet Office, Home Office and Foreign & Commonwealth Office have published a webpage with a statement on the status of EU nationals in the UK. In it they state: “When we do leave the EU, we fully expect that the legal status of EU nationals living in the UK, and that of UK nationals in EU member states, will be properly protected. The government recognises and values the important contribution made by EU and other non-UK citizens who work, study and live in the UK”.

The webpage also contains questions and answers for those who may be affected, but the position is very much that there has been no change to the rights and status of EU nationals in the UK as a result of the referendum.

What Should Employers Do Next?

If any of your workforce are worried about their future in the UK, point them in the direction of the statement for reassurance.

ARTICLE BY Sarah Bull & Christopher Hitchins of Katten Muchin Rosenman LLP
©2016 Katten Muchin Rosenman LLP

Warning: Don’t Use Trademarked Olympic Hashtags, Images

With all of the hype and public attention paid to the Olympics, you and your employees should be aware of the rules that govern the use of hashtags and images related to the Olympic games. The U.S. Olympic Committee (USOC) and the International Olympic Committee (IOC) have historically been very aggressive in policing any use of the Olympic trademarks, images, and hashtags. This year’s games are no exception.

In the last few weeks, the USOC has sent a number of letters to companies that sponsor athletes (who now happen to be Olympians) but have no sponsorship relationship with the USOC or the IOC, warning them not to discuss the games on their corporate social media accounts. Companies have specifically been told that they cannot use the trademarked hashtags “#Rio2016” or “#TeamUSA” in any of their postings. The letters also warn companies not to reference Olympic results or to repost or share anything from the official Olympic social media accounts; this includes use of any Olympic photos, logos, or even congratulatory posts to Olympic athletes. While media companies are largely exempt, all other commercial entities should carefully monitor their social media accounts for any Olympic commentary.

Olympic trademarks are the subject of intense legal protections around the world, and the IOC and USOC will pursue alleged offenders regardless of their size. In fact, previous enforcement actions have ranged from trademark suits against small restaurants with the word “Olympic” in their names to cease-and-desist letters to companies that used trademarked hashtags such as #Sochi2014 during past games. The USOC publishes guidelines about Olympic brand usage.

© Copyright 2016 Armstrong Teasdale LLP. All rights reserved