TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Russia has amended its main laws governing the internet to allow the government to restrict access to the internet and to control internet traffic in emergency situations.

Federal Law No. 90-FZ of 1 May 2019 introduced a set of amendments to the Federal Law on Communications and the Federal Law on Information, Information Technologies and on Protection of Information (the Amendments). The Amendments are colloquially referred to as the “sovereign runet law” or the “law on the secured internet.”

Every January, electronics manufacturers descend upon Las Vegas for the annual Consumer Electronics Show (CES) to showcase their latest and greatest forays in devices. Not surprisingly, there was no shortage of shiny fresh connected devices with new and evolving applications in everything from workouts and personal care to the more usual suspects of television and virtual assistants. With Internet of Things (IoT) becoming more ubiquitous, it was only a matter of time before legislation followed. On September 28, 2018, California enacted the United States’ first IoT law, set to go into effect January 1, 2020, just in time for next year’s CES.

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

The Pittsburgh session of the annual Cyberlaw Update for the Pennsylvania Bar Institute (PBI) will take place on Tuesday, July 17. Moderated by Morgan Lewis partner Peter Watt-Morse, the update enters its 21st year and this year’s seminar will focus on current hot-button issues including blockchain and cryptocurrency and security and privacy concerns related to social media, IOT, GDPR, and the Dark Web.

Speakers at the all-day event include Mr. Watt-Morse and of counsel Emily Lowe, who will be speaking on privacy and security concerns regarding social media from both a policy and regulatory standpoint in the wake of the disclosures related to Cambridge Analytics; and associate Ben Klaber who will be reviewing such concerns as they apply to the burgeoning market of Internet of Things (IoT) devices.

Just when we finally figured out how to contract for “cloud” services and SaaS, here comes blockchain—the next disruptor for IT, businesses and, yes, us lawyers.

So what is blockchain? This is one of the best definitions that we have found from the Wall Street Journal, CIO Explainer: What Is Blockchain?

A blockchain is a data structure that makes it possible to create a digital ledger of transactions and share it among a distributed network of computers. It uses cryptography to allow each participant on the network to manipulate the ledger in a secure way without the need for a central authority. Once a block of data is recorded on the blockchain ledger, it’s extremely difficult to change or remove. When someone wants to add to it, participants in the network—all of which have copies of the existing blockchain—run algorithms to evaluate and verify the proposed transaction. If a majority of nodes agree that the transaction looks valid…then the new transaction will be approved and a new block added to the chain.

The UK government recently released a policy paper outlining proposed requirements for makers of Internet of Things (IoT) devices to take certain actions to better protect IoT devices from growing cybersecurity threats. Secure by Design: Improving the cyber security of consumer Internet of Things Report was released by the UK’s Department for Digital, Culture, Media & Sport and contains a draft Code of Practice for manufacturers of consumer IoT devices and services.

Galvanized by a confluence of charged factors—like privacy, cybersecurity, children, and the Internet of Things (IoT)—and sparked by recent assertions of Children’s Online Privacy Protection Act (COPPA) regulatory power, the US Federal Trade Commission (FTC) entered into a pioneering settlement with electronic toy manufacturer VTech regarding a breach of children’s personal information. The FTC’s message to companies is crystal clear: when it comes to kids’ data, transparency and security are elemental.

Scarce Insulation from COPPA

The COPPA Rule explains what operators of websites and online services must do to protect children’s privacy and safety online, and the FTC serves as the enforcer. As we previously discussed, the FTC released updated guidance in response to concerns about the security of data collected and used by internet-connected products geared toward children. The FTC noted that COPPA defines “website or online service” broadly and specifically listed connected toys and IoT devices within the COPPA Rule’s purview. Although the FTC released a policy that permits collecting a recording of a child’s voice without parental consent in certain situations, such circumstances are narrowly limited to the sole and limited purpose of replacing written words—say, an instruction—and the recording must be immediately destroyed.

On June 5, 2017, the Supreme Court of the United States granted certiorari in Carpenter v. United States, a case in which the court will assess and decide the extent of the Fourth Amendment’s protection against a warrantless search and seizure of cell-site-location information (CSLI), which includes the GPS coordinates of each cell tower and the dates and times any cell phone connects to it.

Background

In Carpenter, the FBI obtained CSLI from wireless carriers linked to suspect Timothy Carpenter’s cell phone in an attempt to place him at the sites of several robberies. However, the CSLI obtained was not only for those dates and times of the known robberies, but also included months of records detailing every location from which Carpenter made a call—and all of this was obtained without a warrant.

Carpenter, who is represented by the American Civil Liberties Union (ACLU), argues that his Fourth Amendment rights were violated when the FBI obtained the CSLI without a warrant. However, the FBI relied on the “third-party doctrine,” a legal theory used by law enforcement to access personal data without having to demonstrate probable cause. This would allow access to certain information collected by private businesses for providing services to customers without constituting a “search.”

In April, US President Donald Trump signed a bill rejecting Obama-era regulations on the consent needed for a broadband internet access service (BIAS) provider to use and disclose a consumer’s sensitive information—including geolocation data. In the wake of such regulations being blocked, some state legislatures introduced geolocation privacy bills to address the use and disclosure of consumers’ geolocation information. The Illinois House and Senate recently passed one of those efforts to regulate such use of geolocation information.