The European Court of Justice (ECJ) in Luxembourg rendered a judgment on July 12 that explains, among other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC, but the relevant provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar.

1) Background

The case is about Jehovah’s Witnesses Community and whether taking notes in the course of their door-to-door preaching falls under the GDPR. The ECJ states that (a) their activities don’t fall under the exemptions for religious communities, and that (b) the community is a data controller jointly with its members who engage in this preaching activity.

2) Quotes from the Judgment (emphasis added)

65 “As expressly provided in Article 2(d) of Directive 95/46, the concept of ‘controller’ refers to the natural or legal person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’. Therefore, that concept does not necessarily refer to a single natural or legal person and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 29).

Authored by Barbara Murphy Melby, Christopher C. Archer, and Jay Preston

In the typical SaaS scenario, the SaaS vendor provides, maintains, and hosts (either itself or through a hosting SaaS vendor) the desired application layer, and grants the customer and its authorized users access to the application functionality via the internet. At a high level, there are two variations of this scenario:

  • The application is provided and hosted as a dedicated instance, with common base software (sometimes with customization or variation) but running as a separate instance in a dedicated environment.
  • The application is provided and hosted in a multitenant environment, with one common application layer and hosting environment that is logically partitioned by the customer.

In this Contract Corner series, we will look at ownership issues in SaaS solutions in two parts, with different perspectives based on whether the solution utilizes a dedicated instance (Part 1) or a multitenant environment (Part 2).

The Pittsburgh session of the annual Cyberlaw Update for the Pennsylvania Bar Institute (PBI) will take place on Tuesday, July 17. Moderated by Morgan Lewis partner Peter Watt-Morse, the update enters its 21st year and this year’s seminar will focus on current hot-button issues including blockchain and cryptocurrency and security and privacy concerns related to social media, IOT, GDPR, and the Dark Web.

Speakers at the all-day event include Mr. Watt-Morse and of counsel Emily Lowe, who will be speaking on privacy and security concerns regarding social media from both a policy and regulatory standpoint in the wake of the disclosures related to Cambridge Analytics; and associate Ben Klaber who will be reviewing such concerns as they apply to the burgeoning market of Internet of Things (IoT) devices.

Cybersecurity remains at the top of the list of risk concerns when organizations outsource IT and other functions leveraging cloud-based solutions. While there are no guaranteed methods to fully eradicate cybersecurity risks, companies should consider taking the following steps to mitigate the risk.

#1 – Diligence!

As a first step, it is helpful to define the minimal security controls that you will require your outsourcer to implement and adhere to, and then compare your organization’s own security requirements to the outsourcer’s solution. You can begin by forming a cross-functional due diligence team with stakeholders such as IT security, internal audit, compliance, and business owners to conduct robust and meaningful reviews of an outsourcer’s security solution and evaluate essential factors, including the following:

  • Types of data
  • How data is flowing and transferred
  • Location of data
  • How your organization’s privacy policies align with the outsourcer’s
  • Encryption requirements and access control processes
  • How remote access is handled
  • Whether the outsourcer follows industry best practices and regularly monitors and audits its controls
  • How the outsourcer uses subcontractors
  • Applicable laws and regulations

Just when we finally figured out how to contract for “cloud” services and SaaS, here comes blockchain—the next disruptor for IT, businesses and, yes, us lawyers.

So what is blockchain? This is one of the best definitions that we have found from the Wall Street Journal, CIO Explainer: What Is Blockchain?

A blockchain is a data structure that makes it possible to create a digital ledger of transactions and share it among a distributed network of computers. It uses cryptography to allow each participant on the network to manipulate the ledger in a secure way without the need for a central authority. Once a block of data is recorded on the blockchain ledger, it’s extremely difficult to change or remove. When someone wants to add to it, participants in the network—all of which have copies of the existing blockchain—run algorithms to evaluate and verify the proposed transaction. If a majority of nodes agree that the transaction looks valid…then the new transaction will be approved and a new block added to the chain.

Morgan Lewis is proud to host TechFest Club, an event series for women in the technology industry. Speakers at this upcoming event include Sneha Keshav, a UI and brand designer at IrisVR where she is responsible for establishing scalable design systems, as well as Ana Garcia Puyol, the director of user experience at IrisVR, where she plans, designs, and prototypes user experience features for the virtual reality software ecosystem.

Sneha and Ana will share how they have learned to navigate the world of emerging virtual technology while designing human-friendly products. They will also discuss the unanticipated challenges they faced during the process of research, formation, and branding of an emerging technology for a new industry.

If you are a woman in tech, consider attending! The event will be at Morgan Lewis’s New York office (101 Park Ave., 39th Floor) from 8:30–10:00 am ET.

Registration and additional information for the event can be found here.

The lower chamber of the Russian parliament has approved three initial draft laws, which if passed, would address the use of cryptocurrencies and related activities such as mining, token offerings, and crowdfunding. Currently, the use of cryptocurrency in Russia is not directly addressed or regulated, and these draft laws aim to address this current state of ambiguity.

For more details on these proposed laws, read the LawFlash.

With the Federal Communication Commission’s decision to repeal net neutrality regulations, companies are attempting to forecast how the new landscape will affect their business operations. This has put general counsels (GCs) in a precarious position; they are being asked to advise their companies on the potential effects of the deregulation with limited guidance or experience on what internet service providers will actually do following the repeal.

In a recent Law360 feature on the impact of net neutrality, the authors noted that GCs should be aware of the following:

  • All Businesses Can Be Impacted. Business in practically every industry is increasingly conducted online. Thus, any change to online access policies by service providers will affect all businesses in some capacity.
  • Online Customer Interactions Could Suffer. If the changes to net neutrality slow a company’s website, it can adversely affect user experience. Smaller businesses could be put in a competitive disadvantage from higher costs to acquire the top-tier internet speed.
  • Online Data Storage May Become Cost-Prohibitive. If costs of top-tier internet service increases, the ability of companies to access data that has been stored in cloud-based solutions will also increase. If that occurs, it could lead companies to revert to storing frequently accessed data on-site to lower costs.
  • Avoid Public Stances. Net neutrality is a political hot-button issue and companies should use caution when discussing this issue as any stance risks alienating customers on either side. This is particularly important as participants in this debate appear eager to impact corporate reputations through social media activism.

Tech & Sourcing @ Morgan Lewis will continue to track this and other impacts of the net neutrality repeal during the coming months.

In Part 1 of this two-part series, we discussed issues related to the defense and indemnification aspects of intellectual property indemnification. In this second part, we will review the exceptions, remedies, and liability limitation related to this common provision.


As described in Part 1, both technology providers and users will want providers to be responsible for claims that the technology infringes the intellectual property rights of a third party. However, providers will want to limit such obligations where actions by users or other third parties cause infringement. Providers will frequently attempt to carve out of IP indemnification clauses infringement claims based upon

  • use of the technology in combination with other hardware, software, or data;
  • unauthorized use;
  • modifications to the technology; or
  • failure to incorporate the latest updates or upgrades.

Two members of our Technology, Outsourcing, and Commercial Transactions practice group, Morgan Lewis partner Barbara Melby and associate Katherine O’Keefe, recently published an article in The Legal Intelligencer that analyzes best practices with respect to diligence, internal controls, and management of providers in the mitigation of security risks in cloud-based offerings. The article, titled, “Mitigating Security Risks in Cloud Offerings Through Diligence, Oversight,” discusses how companies, in even the most risk-averse industries, have begun to routinely adopt cloud-based solutions and how these companies are mitigating the inherent risks associated with cloud services.