Since the US Supreme Court’s June 21, 2018, decision in South Dakota vs. Wayfair, Inc. , many of the 45 sales tax-collecting states have been making moves to put laws and processes in place for tax collections for out-of-state online sales. Given the general complexity of state tax laws and the inconsistency from state to state, as well as the uncertainty as to whether or when uniformity across states may come to pass, businesses with online sales need to carefully monitor both the legal landscape and the processes established for administration and compliance for out-of-state transactions.

On June 5, 2017, the Supreme Court of the United States granted certiorari in Carpenter v. United States, a case in which the court will assess and decide the extent of the Fourth Amendment’s protection against a warrantless search and seizure of cell-site-location information (CSLI), which includes the GPS coordinates of each cell tower and the dates and times any cell phone connects to it.


In Carpenter, the FBI obtained CSLI from wireless carriers linked to suspect Timothy Carpenter’s cell phone in an attempt to place him at the sites of several robberies. However, the CSLI obtained was not only for those dates and times of the known robberies, but also included months of records detailing every location from which Carpenter made a call—and all of this was obtained without a warrant.

Carpenter, who is represented by the American Civil Liberties Union (ACLU), argues that his Fourth Amendment rights were violated when the FBI obtained the CSLI without a warrant. However, the FBI relied on the “third-party doctrine,” a legal theory used by law enforcement to access personal data without having to demonstrate probable cause. This would allow access to certain information collected by private businesses for providing services to customers without constituting a “search.”

On August 31, the White House released a report developed by the American Technology Counsel (ATC), Office of Management and Budget, Department of Homeland Security, Department of Commerce, and General Services Administration addressing the objectives of and a plan for the modernization of federal information technology (IT).

Historically, modernization has been a problem due to factors such as resource prioritization, the inability to procure services quickly, and technical issues. The report splits these issues into two groups—the modernization and consolidation of networks and the use of shared services to enable future network architectures.

Network Modernization and Consolidation

In the report, the ATC calls for government agencies to maximize the secure use of cloud computing, modernize government-hosted applications, and securely maintain legacy systems. In addition, the report calls for the consolidation and improvement of the acquisition of network services.

Earlier this month, the United Kingdom’s Information Commissioner’s Office (ICO) released an initial draft guide of contracting requirements and liabilities for data controllers and data processors doing business together under the General Data Protection Regulation (GDPR).

According to the ICO guide, any time a party that determines the purposes and means of the processing of personal data (Controller) uses a party that processes personal data on behalf of a Controller (Processor), a written contract between the parties is required. If a Processor uses a sub-Processor, the Processor shall be deemed a Controller and will be subject to the same requirements and liabilities as a Controller.

Earlier this month, the European Central Bank (ECB) released a draft guide to provide a consistent approach on how to assess fintech credit institution license applications. The guide defines fintech banks as having “a business model in which the production and delivery of banking products and services are based on technology-enabled innovation,” and intends to include both

  • existing banks that have evolved to become fintech banks through integration of technological innovation, whether developed in-house, through acquisitions, or through strategic partnerships (e.g., outsourcing or “white labeling”); and
  • new entrants to the market that adopt technological innovation to compete with existing banks and other existing financial service providers (such as payment institutions and electronic money institutions) that broaden or alter their services to the point that they should be considered new entrants to the market and therefore require banking licenses.

Last month, Morgan Lewis introduced a new LinkedIn and Twitter handle and hashtag: MLGlobalTech.

@MLGlobalTech. This new Twitter account features the latest global business and legal news affecting the tech industry from Morgan Lewis’s leading technology team, located around the world and across practice groups and industry sectors. In addition, this is a great resource to follow for technology-related events (both live and online) hosted by Morgan Lewis.

ML Global Tech. Join Morgan Lewis’s new group on LinkedIn.

Finally, the new hashtag: #MLGlobalTech can be used to find technology content related to the newly launched Twitter and LinkedIn accounts as well as a broad range of supplemental content from Morgan Lewis lawyers, staff, and others using the hashtag on their own profiles.

On September 8, 2017, the US Federal Trade Commission (FTC) announced that three US companies have reached a settlement regarding charges that the companies misled consumers in connection with their participation in the EU-US Privacy Shield (Privacy Shield). The Privacy Shield (which replaced the US-EU Safe Harbor framework in 2016) is a legal framework that allows companies to transfer consumer data between EU member states and the United States while remaining in compliance with EU law. According to the FTC, all three companies failed to complete the certification process for the Privacy Shield. Additionally, the FTC believed that one company falsely claimed to participate in the Swiss-US Privacy Shield framework. As part of their settlements with the FTC, these companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements.