TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Following the US Department of Justice’s recent recommendations to reform Section 230 of the Communications Decency Act (CDA) to provide incentives for online platforms to address illicit material on their platforms, two US senators have proposed the Platform Accountability and Consumer Transparency Act (PACT), legislation aimed at reforming Section 230 of the CDA.

The July 1 enforcement of the California Consumer Privacy Act (CCPA) is one week away. Despite calls by the business community and trade associations to push back the enforcement date to January 2021 due to the coronavirus (COVID-19) pandemic and related disruptions to compliance efforts, the California state attorney general issued a press release on June 2 stating, “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

Additionally, on June 1, the attorney general took action to finalize the CCPA regulations by submitting the final text of the proposed regulations to the California Office of Administrative Law, requesting expedited review in an attempt to have the regulations adopted and enforceable by July 1.

In case you missed it, the Morgan Lewis COVID-19 Legal Issue Compendium provides an overview of our firm’s key publications covering the legal and regulatory landscape relating to the coronavirus (COVID-19) pandemic. It includes both business management and industry-specific issues challenging executives and in-house legal teams around the world. Links to our publications are embedded within the compendium.

The German Federal Court of Justice (BGH) ruled on May 28 that an opt-out for cookie settings is inadmissible under German law, under Section 15(3) of the German Telemedia Act (TMG) in conformity with the ePrivacy Directive (press release of the BGH; available only in German). As a result, website operators can no longer rely on being able to set cookies in Germany solely on the basis of their legitimate interests. Previously, operators had justified the opt-out process based on earlier statements of the German supervisory authorities and the wording of TMG regulations.

As the digital landscape in the United States evolves, federal courts are reexamining federal cybersecurity laws enacted during an era before individuals, companies, and the government had easy access to computers and the internet. In particular, the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, a cybersecurity bill enacted in 1986 as an amendment to an existing computer fraud law, has come under significant scrutiny. In this blog post, we will review the CFAA and recent federal court activity regarding the law.

The Financial Stability Board (FSB) published on December 9, 2019, its report on financial institutions’ increasing reliance on third parties to provide cloud computing services (the Report). Established by the G-20 in April 2009 to promote international financial stability, the FSB is an international body that assesses vulnerabilities in the global financial system and coordinates the work of national financial authorities and international standard-setting organizations to develop and promote appropriate regulatory and supervisory policies.

The Report outlines the benefits from the increasing use of third-party cloud computing services, focusing primarily on cost savings, improved competition and cybersecurity, and increased operational resilience. It notes, though, the new challenges that the current scale of use may pose, such as the significant and systemic effects that an operational failure of critical third-party infrastructure could have. This is due to the highly concentrated cloud computing sector and the increasingly complex network of third-party suppliers and dependencies.

Morgan Lewis recently published an article on the 2019 Novel Coronavirus (COVID-19) outbreak and its effect on the General Data Protection Regulation (GDPR) in the European Union. This article discusses the nature of the temporary suspension of some data-protection rights in times of crisis, and how the need to address the ongoing health crisis is being balanced with data-protection rights in Italy, France, and Germany.

Read the full article.

Trainee associate Valeria Gaikovich contributed to this post.

Following adoption of the law on the preinstallation of Russian software on electronic devices in December 2019, the Russian Federal Antimonopoly Service (FAS) has developed draft guidelines to determine the types of electronic devices that will be subject to the new regulations, as well as the deadlines and procedures for the preinstallation of domestic software. The draft guidelines will not apply to electronic devices manufactured or released into circulation in Russia before July 1, 2020.

According to the draft guidelines, as of the dates set forth below, all touchscreen electronic devices with two or more functions (e.g., smartphones, tablets, smart watches) must have the following apps preinstalled:

The UK government has indicated that the UK’s approach to public procurement will fundamentally change post-Brexit. While it remains to be seen whether such a fundamental change will be possible in practice, the UK government’s pronouncements clearly suggest that change is on the way, which will most likely provide a less prescriptive framework for UK contracting authorities to follow.

These changes will almost certainly have a significant impact on how outsourcing and technology providers interact with the UK government, both in the context of their current agreements and also in respect of future contract bids and awards.

Current Regime

The laws that govern the UK’s public procurement regime are largely based on EU rules found in several EU directives and the Treaty on the Functioning of the European Union. Broadly speaking, these rules aim to open up public procurement to EU-wide competition. Public bodies must, for example, award public contracts without discrimination on grounds of nationality and advertise their contracts EU-wide via the Official Journal of the European Union (OJEU).

Washington may be the next state to enact its own data privacy law after a bill was introduced into the Washington State Senate earlier this month. The bill is known as the Washington Privacy Act, and its sponsor, Sen. Reuven Carlyle, stated at a press conference that lawmakers had reached “95 percent agreement in principle on the core elements of the bill.” If enacted, the act would add to the complex regulatory framework governing data privacy, including the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020.

The act would apply to legal entities conducting business or producing products targeted to Washington State residents and that (1) control or process personal data of more than 100,000 consumers or (2) derive 50% of gross revenue from the sale of personal data and process or control the personal data of more than 25,000 consumers.