

Oracle recently published a policy document entitled “Licensing Oracle Software in the Cloud Computing Environment” which sets out specific requirements on customers when licensing various Oracle programs and using them in the following cloud computing environments:

  • Amazon Web Services
  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Relational Database Service (RDS)
  • Microsoft Azure Platform.

Oracle refers to these as “Authorized Cloud Environments.” The policy applies to a long list of Oracle programs (the list stretches over five pages), which you can review at this link, and applies to any of the listed software products when hosted in an Authorized Cloud Environment. The policy sets out some very specific requirements with potential licensing fee impacts.

For example, when using the products in Amazon EC2 and RDS, and in Microsoft Azure, a customer must count two virtual central processing units (vCPUs) as equivalent to one Oracle Processor license if hyper-threading is enabled, and one vCPU as equivalent to one Oracle Processor license if hyper-threading is not enabled.

A second example: for Oracle Linux purposes, each Authorized Cloud Environment instance is counted as a “System,” and “Basic Limited” and “Premier Limited” support are not available for Authorized Cloud Environment instances with more than eight Amazon vCPUs or eight Azure vCPUs.

The document’s footer includes the following statement:

“This document is for educational purposes only and provides guidelines regarding Oracle’s policies in effect as of January 23rd, 2018. It may not be incorporated into any contract and does not constitute a contract or a commitment to any specific terms. Policies and this document are subject to change without notice.”

Describing the document as having “educational purposes” and denying that it may be incorporated into any contract strongly suggests that the policy is not intended by Oracle to have any contractual effect. However, as discussed, the main part of the document deals with some very specific requirements on its customers when licensing any of these Oracle programs and using them in an Authorized Cloud Environment. This sets up tension between that bold disclaimer statement and what appears to be the underlying purpose of the policy, which is to articulate specific requirements which go to the heart of the underlying software license agreement between Oracle and its customers since counts will often impact pricing (although this can depend on the licensing model). Whatever the actual status of the policy, contractual or otherwise, cloud users of these products need to review it very carefully with a close eye on their existing Oracle licensing arrangements.


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (a.k.a. the General Data Protection Regulation or GDPR) will, as most business people are probably aware of by now, come into force across the EU on 25 May 2018.

This will be the case in the UK (notwithstanding Brexit) and every other member state, since EU regulations have direct applicability. In other words, they do not need an act of parliament in the member state to make them into law. By contrast, EU directives are not directly applicable. When passed they still need legislation to be passed before they become part of national law. The current regime of the 1995 Data Protection Directive, and the UK’s Data Protection Act of 1998, both of which are due to be replaced next year, are good examples of this.

To complete the picture, from a UK regulatory perspective, in terms of what is changing, the government has introduced a Data Protection Bill which is currently passing through parliament. The Bill does not replace GDPR in the UK. Instead it seeks to make the UK’s own data protection laws “fit for purpose” in a digital age, replacing the 1998 Act and, amongst other things, implementing the “GDPR standards across all general data processing”.

Data Protection Officer – Volunteers Step Forward
The concept of a Data Protection Officer (DPO) is not new in a number of countries, such as Germany and Korea, and in the United States in the context of health care data, where HIPAA applies. However, under Article 37(1) of GDPR the appointment of a DPO will soon be mandatory in the EU where:

  • the relevant data processing activity is carried out by a public authority or body;
  • the core activities of the relevant business involve regular and systematic monitoring of individuals, on a large scale;
  • the core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale; or
  • national law so requires.

This is explained in more detail in Guidance published by the Article 29 Working Party.

Businesses may voluntarily appoint a DPO even though there is no legal requirement to do so; however, appointing a DPO voluntarily means that the business must still comply with the full range of DPO-related compliance obligations.

What Does Being a DPO Entail?
Under Article 39(1), the main tasks and activities to be performed by the DPO are:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations under GDPR and other applicable EU laws and regulations;
  • to monitor compliance with GDPR, etc., and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority; and
  • to act as the contact point for the supervisory authority on issues relating to processing etc.

In performing his or her tasks, a DPO must “have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing” (see Article 39(2)).

You’ll Do – Selecting the Right Candidate
The Guidance suggests that DPOs should have appropriate professional qualities and expert knowledge of data protection law, although there is recognition that the required level of expertise will vary depending on the business. Complex or high risk data processing activities will require the DPO to have greater expertise. Fortunately, although a business can only appoint one DPO, the Guidance does confirm that this person can be supported by a team.

The Guidance provides that the DPO should, ideally, be located within the EU to ensure that the DPO is accessible to the business. Further, businesses are advised to keep a written record of the decision making which led to the appointment of the DPO (as part of their wider accountability obligations). This should be repeated each time the appointment changes.

It’s Lonely Over Here – Autonomous and Independent

The role of the DPO is not an operational one but one that involves monitoring for compliance and providing advice to the business. The role should be carried out in an autonomous and independent manner. In other words, the business must not instruct the DPO on how to perform his or her role. The DPO must be allowed to operate above any conflicts of interest that occur within the business, with internal rules and safeguards to facilitate this. For this reason, the Guidance rules out for the role individuals within an organisation who have senior management roles or who have operational roles which cause them to determine the purposes and means of processing.

Outsource the Problem?
A white paper published by the International Association of Privacy Professionals estimates that up to 75,000 DPOs will be needed as a result of GDPR. It is not immediately apparent where these individuals will come from.

One solution may be to outsource the DPO role to a third-party provider, that is, to buy a DPO as a Service solution from one of the growing number of providers positioning themselves in this space. Helpfully, Article 37(5) GDPR expressly provides that the DPO can be either a staff member or a contractor.

Outsourcing may be particularly attractive to SMEs given cost, time and other such pressures. However, not every business needs to appoint a DPO, and as mentioned above, voluntary appointment brings with it a number of regulatory burdens which would not otherwise apply. That said, in today’s business environment, many SMEs may decide to appoint a DPO from a “best practice” perspective. Reasons to do this include the ability to tender for contracts where large customers and public sector bodies determine that the qualification criteria should include having a DPO, as well as wanting to demonstrate to the public that data is handled and processed carefully and securely in a manner that complies with applicable laws and regulations.

As with any outsourcing, it is important to allocate sufficient time to assess the market and to conduct adequate due diligence on the shortlisted providers. As mentioned above, documenting the decision-making process and criteria applied in the selection of the DPO is also a GDPR requirement.

DPO as a Service – Market Assessment
In considering the different DPO as a Service offerings in the market, as well as determining whether to outsource or not, a number of factors will come into play, such as the size, and nature, of the organization, the existence of internal competences (including the ability (or otherwise) to ring-fence the DPO away from any conflicts that may arise), the categories of personal data processed, the complexity of the processing, digital transformation and automation plans, etc.

From a vendor evaluation perspective, key issues include access to relevant expertise (including ensuring that the individual who will perform the role has appropriate experience and qualifications such as Certified Data Protection Officer Certification), as well as pricing, service levels, reporting and exit support.

As yet, the market for DPO as a Service appears fairly immature, with largely smaller providers alongside organisations such as the British Standards Institute offering outsourced DPO services. It can be expected that this market will grow rapidly. In a recent blog discussing the opportunity for IT vendors to develop service offerings for customers’ GDPR compliance needs, analyst Mike Smart wrote that NelsonHall expects DPO outsourcing to grow fast and “expects to see a number of distinct offers around DPO emerge from IT services and law firms very soon.”

A word of caution for law firms, however. The DPO must be able to perform their duties in an independent manner and not cause a conflict of interest. That might, as pointed out in the Guidance, mean that where a lawyer in a law firm is appointed as an external DPO providing day-to-day DPO services, that person’s firm becomes conflicted out of representing those entities before courts in cases involving data protection issues, not to mention related issues around managing the conflicts (under applicable professional rules) that might arise with the law firm’s other clients. For this reason, law firms may look to create DPO as a Service businesses which are ring-fenced from their core legal services businesses.


TAKEAWAYS:

  • The European Union Court of Justice (“CJEU”) is to rule on the validity of Model Contractual Clauses (“MCCs”) following a referral by the Irish High Court.
  • The Irish High Court has “well-founded” concerns that there is no effective remedy in US law for EU citizens whose personal data is transferred to the United States and the use of MCCs does not eliminate those concerns.
  • The CJEU’s ruling may have seismic implications for billions worth of trade between the EU and the rest of the world.
  • If MCCs are declared invalid then EEA data exporters and non-EEA data importers will need to find alternative transfer solutions to ensure compliance – and quickly.
  • Given the ongoing problems associated with MCCs and the EU-US Privacy Shield framework, alternative transfer solutions, including the use of Binding Corporate Rules (“BCRs”) where appropriate, should be considered.

On the 3rd October 2017, Ms Justice Costello delivered her judgement on behalf of the Irish High Court in the case of The Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (referred to by some as “Schrems II”).

The case involves a reformulated complaint brought by Schrems following the CJEU’s ruling in 2015 (“Schrems I”) which invalidated the EU-US Safe Harbour framework. Schrems II focuses on the validity of MCCs but is based on similar concerns as those expressed in Schrems I, i.e. (a) indiscriminate, mass surveillance of EU derived data by US security agencies, and (b) the perceived lack of an effective remedy for EU citizens under US law.

The judgement of the Irish High Court does not invalidate MCCs immediately. Instead, Ms Costello accepted that the concerns expressed by the Irish Data Protection Commissioner (the “DPC”) were “well-founded” and held that the High Court would refer the validity of MCCs to the CJEU. Since references to the ECJ generally take 18 months, a judgement is not expected before the implementation of the EU General Data Protection Regulation 2016/679 (“GDPR”) on 25 May 2018.

Background

The Law

Since the GDPR comes into force next year, this case was argued on the basis of the current law – the EU Data Protection Directive 95/46/EC (the “Directive”). The Directive implements the fundamental rights of European citizens as set out in the European Charter of Fundamental Rights (the “Charter”). These include Article 7 (right to a private and family life), Article 8 (protection of personal data) and Article 47 (the right to an effective remedy and a fair trial).

The Directive provides a high standard of protection to EU citizens with regard to the processing of their personal data within the EU and states that personal data must not be transferred to non-EU countries which do not provide an equivalent high level of protection (Article 25 of the Directive).

Under Article 25(6) of the Directive, the European Commission may find that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law (this is known as an “Adequacy Decision”).

Where a non-EU country has not received an Adequacy Decision, entities must rely on one of the grounds set out in the Directive to transfer personal data to other entities based in that non-EU country. One such ground is the use of MCCs provided for in Article 26(4) of the Directive and various decisions by the European Commission. The relevant decision, in this case, is Commission Decision 2010/87/EU which creates model contractual clauses for the transfer of personal data from EU data controllers to non-EU data processors.

Factual Background

Following the invalidation of EU-US Safe Harbor framework in 2015, Schrems asked Facebook to confirm on what legal basis it transferred European personal data to the US. Like many companies, Facebook uses MCCs.

Schrems reformulated his complaint to the DPC arguing:

  • the MCCs used had a number of “formal insufficiencies”; and
  • exporters could not rely on the MCCs as a legal basis for transferring data from the EU to the US because US law does not “adequately protect” the rights of EU citizens under Articles 25 and 26 of the Directive.

Decision

MCCs and the Law of Third Countries

In summary, Ms Costello held that data exporters could not rely solely upon MCCs as complying with the requirements of the Directive. In particular, Data Protection Authorities (“DPAs”) “have an obligation to ensure that the data still received a high level of protection and they are expressly granted powers to suspend or prohibit data transfers if the laws of the third country undermine that mandatory high level of protection in the EU” (Paragraph 153).

Surveillance by US Security Agencies

Ms Costello also reviewed the legal basis for electronic surveillance by the US and concluded that on the basis of, “evidence in relation to the operation of the PRISM and Upstream programmes authorised under s. 702 of Foreign Intelligence Surveillance Act (“FISA”), it is clear that there is mass indiscriminate processing of data by the United States government agencies, whether this is described as mass or targeted surveillance” (Paragraph 194).

Right to a Remedy in the US

In Ms Costello’s view, “the arguments of the DPC that the laws – and indeed the practices – of the United States do not respect the essence of the right to an effective remedy before an independent tribunal guaranteed by Article 47 of the Charter, which applies to data of all EU data subjects transferred to the United States, are well-founded” (Paragraph 294).

Ms Costello identified a number of “significant barriers” to EU citizens obtaining any remedy for unlawful processing of their personal data by US intelligence agencies.

MCCs provide a contractual remedy for data subjects against the non-EU entity. On the basis that the contractual clause cannot bind the sovereign authority of the US and its agencies, Ms Costello held that, “the MCCs themselves do not provide an answer to the concerns raised by the DPC in relation to the existence of effective remedies for individual EU citizens in respect of possible infringement of their data privacy protection rights if their data are subject to unlawful interference” (Paragraph 154).

Conclusion

The Irish High Court was therefore of the view that “[if] there are inadequacies in the laws of the US within the meaning of [EU law], the standard clauses cannot and do not remedy or compensate for these inadequacies.” Hence the referral to the CJEU to confirm the validity of the MCCs.

How does this affect my company whether based inside or outside the EEA?

Many organisations rely on MCCs to transfer personal data to group companies and third parties worldwide (and not just in the US).

If MCCs are ultimately invalidated, then EEA based data exporters and non-EEA based data importers will need to consider which other transfer solutions might be appropriate.

BCRs may well be the answer where intra-group transfers are concerned. Alternatively, the codes of conduct or certification mechanisms envisaged under the GDPR might be worthy of consideration once these frameworks are settled. Other derogations, e.g. under Article 49 of the GDPR, such as where the transfer concerns only a limited number of data subjects, are very narrowly construed and hence will likely have limited value in practice.

The EU-US Privacy Shield framework, which safeguards data transfers to the US, is likely to be a key fall-back for companies transferring to the US if they are unable to rely on MCCs. However, this comes with a serious health warning in light of this CJEU referral, and given that the Privacy Shield is currently being challenged before the General Court in the Digital Rights Ireland and La Quadrature du Net cases.

Given that the CJEU’s ruling will strike at the heart of global commerce, it is much anticipated, and not just in data protection circles. Companies exporting or receiving EU data might well be advised to consider what their “Plan B” may look like in the event that MCCs (and/or the EU-US Privacy Shield) are invalidated.


Tim Wright, Partner, and Antony Bott, Special Counsel, in Pillsbury’s Global Sourcing & Technology Transactions Practice look at some of the issues to be considered when procuring and sourcing robotic process automation software and solutions.

The Future Is Now
You can’t move in the outsourcing industry without hearing about Robotic Process Automation (RPA). And while it might sound like terminology cribbed from a sci-fi novel, the truth is that RPA is already here, and it is transforming the way modern businesses operate. Along with related developments in machine learning and artificial intelligence, automation as a whole has been characterised by the former chief scientist of Baidu as being “as transformative for society as electricity.” Fuelled by continuing developments in computing power, big data, storage and connectivity, the opportunity for companies is to save money, while operating more effectively, scalably and compliantly—it is, in many senses, a compelling opportunity.

Opponents of RPA highlight that it is disruptive, both in relation to the technology and the logistics, and in its interrelation with human nature and organizational politics – but others suggest those are challenges that can be managed, and that the bigger risk is in not implementing RPA, and then being out-competed by those that have embraced the innovation. As with any business change, the answer is to fully understand and consider the decisions, to negotiate contracts that give the right balance of protection and flexibility, and to manage the change with appropriate sensitivity.

What is RPA?
The Institute for Robotic Process Automation describes RPA as “the application of technology that allows employees in a company to configure computer software or a ‘robot’ to capture and interpret existing applications for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.”

Put more simply, RPA is technology that enables computer software to automate human activities that are manual, repetitive and rule-based. RPA works best where the activities in question are high-volume and clearly definable. It has been successfully deployed across a broad array of business functions such as finance, procurement, supply chain management, accounting, customer service and human resources. Examples of tasks that can be automated include data entry, purchase order issuing, invoice processing, know your customer (KYC) checking, fraudulent account closure, and personal loan application processing. RPA software replaces the human activity, working more quickly, accurately, and tirelessly than any person, freeing people up to tackle tasks that benefit more from emotional intelligence, reasoning, and interaction with the customer.

RPA vs Artificial Intelligence (AI)
While both RPA and its “big brother” AI are forms of automation (where a task previously performed by a human is carried out by some form of automated system), there is a qualitative difference between them.

RPA is “robotic”—it is programmed to carry out a specific set of steps, and it will do so repeatedly and reliably, exactly as it has been coded. In contrast, AI uses machine learning to adapt to outcomes and changes in environment. When it produces a less than optimal output, or encounters a problem it hasn’t seen before, it learns. This makes AI suitable for automating much more complex tasks, involving highly subjective decisions tackled by the use of pattern analysis. Unlike RPA, AI can make sense of unstructured data, which is ambiguous, complex and a challenge to process. Put simply: RPA is programmed. AI is trained.

Why does this matter? AI may produce an answer with a better, more productive outcome, but it may be difficult or impossible to understand how it reached that answer—either because the ‘black box’ of the system is opaque by nature, or because the particular AI system is proprietary and the owner is not willing to open it up to analysis. How can users trust in AI-delivered outcomes if the inner workings of the system are not easily interpretable by a human? This perceived or actual loss of control may mean that, in the more immediate future, businesses are more ready and willing to deploy RPA than AI. Further, where a business builds an AI solution on a third-party platform, there is a risk of lock-in because the ‘machine learning’ built up over a period of service may not be transferable to an alternative third-party AI system.

We will examine legal considerations relating to AI in more detail in a follow-up blog; suffice it to say that deploying AI (whether on its own or in conjunction with RPA) offers many exciting opportunities for businesses beyond automating the kinds of back office tasks and activities which RPA is so good at.

Why use RPA?
The primary driver for the implementation of many RPA systems is the significant cost savings opportunities they provide—typically somewhere between one-third and one-fifth of the cost of a full-time equivalent (FTE) member of personnel, depending on the location of that individual. There are, however, a number of other potential benefits:

  • improved quality—through the elimination of human errors and delays;
  • better productivity—a robotic workforce can work on a 24/7/365 basis;
  • short return on investment timeframe – RPA deployments can be done over short timescales with minimal configuration or integration needed;
  • a happier, more motivated workforce—a robotic workforce enables redeployment of personnel to focus on higher value and more complex tasks;
  • enhanced resilience and scalability—digital labour doesn’t take holidays or succumb to illness, will carry out the prescribed functions in a consistent manner, and can be scaled up or down to meet changes in demand;
  • enhanced collection of transactional data; and
  • improved compliance and reduced regulatory risk—achieved through all of the above combined with better management information and an auditable transaction trail.

More generally, deploying RPA allows an organisation to re-examine its operational model. For example, processes which were previously offshored can be repatriated and automated. Large, inflexible outsourcing agreements, which are often heavily dependent on FTE pricing models, can be renegotiated and/or broken up. FTEs who previously performed the affected activities may be redeployed to more valuable roles, although in some circumstances their positions in the organisation may become redundant.

Procurement Strategy
Procurement and sourcing groups regularly include RPA (and AI) capability as part of their evaluation frameworks. Pre-contract diligence issues (many of which need to be addressed in the contract) include:

  • financial and operational stability of the software vendor;
  • types of data which will be processed, which can mean data security and data privacy concerns;
  • interfaces needed with legacy systems;
  • ownership of the intellectual property in the software;
  • ease of exit transition to avoid single technology/vendor lock-in;
  • pricing model options, and how to handle changes to the customer’s requirements;
  • defining the “right to use” the software and understanding the limits of any licence;
  • evaluating the availability of disaster recovery and business continuity solutions; and
  • regulated customers will need to address any specific regulatory issues and requirements.

Customers should also review legacy software and system licences to ensure there are no unintended consequences, e.g., price increases under enterprise software agreements resulting from new system interfaces and data feeds. Other ‘internal’ items will also need to be addressed including the impact on staff and the possibility of redundancy.

Contracting Approach
RPA implementations usually follow one of two models: DIY and Outsourced.

  • With the DIY model, the customer enters into a contract (similar to a software licence or software as a service agreement) with the RPA software vendor.
    • The contract will focus on the technology being acquired.
    • The software vendor may also provide implementation and configuration support. Alternatively, this may be handled internally and/or with assistance from an external consulting firm.
    • The agreement with the software vendor may also cover ongoing maintenance and management services.
  • With the Outsourced model, a new or existing outsourcing (or managed services) agreement is used such that some component of the outsourced services is delivered using RPA technology.
    • The contract will focus on the services being performed (implementation and ongoing), rather than the technology used to perform them.
    • Unless the service provider owns the RPA software, it will need to license it from the owner.
    • The service provider will perform the services itself or use a subcontractor to do so, including any ongoing maintenance and management services that may be needed.

In the past, RPA deployments often started as a series of small pilots, on a process-by-process basis; however, as confidence in the technology has grown, the scale of deployments has grown too, often in a relatively unplanned manner. Customers should look to structure contracts, whether DIY or Outsourced, to ensure that their leverage is maximised, enabling them to flex and scale their RPA solutions as their business requirements change, as well as to benefit from future technological advances.

Businesses typically have at least one, and often many, outsourced service providers, across a wide range of IT and business processes. These outsourcing agreements may be FTE-based, e.g., where the services are delivered from a lower cost country such as India or the Philippines. Some will have been put in place before the rise of RPA in the relevant sector or domain. Many service providers will, however, by now already be using RPA on at least some of their customers’ accounts. Prior experience shows that most service providers will usually try to avoid a re-bid situation and a proactive approach by the customer will often lead to a positive negotiated outcome even if the contract is completely silent, especially where the customer can offer some incentive such as an extended term or scope of work.

Key Contractual Protections
Important items to be covered and/or negotiated include:

  • licence scope, usage permissions (including managed service providers) and volume caps;
  • service levels and performance metrics (which could be in line for adjustment, given the improved speed, reliability and quality that RPA services may offer);
  • intellectual property rights and indemnities;
  • liability caps and exclusions;
  • pricing terms and model (e.g., per unit (robot) versus outcome pricing, implementation and support costs; alternatively, a managed services fee);
  • change management; and
  • exit transition support.

Governance Framework
The program operating model (including governance, resourcing and execution responsibilities) will also be important. In the Outsourced model, the agreement will usually already incorporate a governance schedule covering both implementation (initial and new projects) and steady state; in the DIY model, the customer (perhaps with an external consulting firm) will work with the software vendor to define required governance.

More generally speaking, customers looking to build RPA centres of excellence within their own organisations should also look to define and document RPA best practices, the challenges in identifying automation opportunities and optimizing return on investment, and criteria for selecting RPA tools and technologies, as well as to monitor emerging RPA/AI technologies and capabilities.

People Considerations
The work force carrying out these tasks is digital, not human, but its deployment will impact people nonetheless. Customers looking to implement RPA should engage with human resources early and in some cases with works councils and employee representatives as appropriate. It is also important that the business appoints a senior person to champion the benefits of RPA, both prior to implementation as well as afterwards to communicate successes achieved.

Conclusions
RPA service delivery will have a major transformative impact on how businesses operate. By replacing people with automated systems, RPA can enable large volumes of data to be processed in a significantly reduced time, while delivering unparalleled accuracy, visibility, and a reduction of risk. In what most commentators predict will be a fast-moving, fast-changing environment, businesses will need to stay alert to the strategic decisions, opportunities and risks that will present themselves.

Posted

Industry 4.0

The Fourth Industrial Revolution is the term coined by Klaus Schwab, the founder and executive chairman of the World Economic Forum, to describe the fourth major industrial era since the first industrial revolution which took place in Europe and America in the 18th and 19th centuries. Industry 4.0 comprises a collection of transformative technologies, what Schwab refers to as “emerging technology breakthroughs,” such as automation, artificial intelligence, the Internet of Things, digitalisation, use of composite materials, autonomous vehicles, quantum computing and nanotechnology with industrial/commercial applications.

Although not a new technology, many commentators would include additive manufacturing (AM) in the list of transformative technologies making up Industry 4.0. Until relatively recently, however, AM’s adoption was largely confined to development of prototypes with industrial uses rather than full scale manufacturing. This started to change with the expiration of certain key patents around a decade or so ago, to the point that today – although still in its infancy – AM has reached an inflection point as lower costs and technical advances have put it in reach of a greater number of businesses and consumers.

Taking a Closer Look at Additive Manufacturing

AM describes a number of individual processes covering various methods of layer manufacturing. AM is often referred to as 3D printing. Strictly speaking, however, 3D printing is one of several AM processes. Loughborough University’s Additive Manufacturing Research Group (AMRG), one of the world’s leading AM research and development centres, describes seven categories of AM, consistent with the categorisation used in the applicable ISO international standard, as follows:

  • Vat Polymerisation – uses a vat of liquid photopolymer resin out of which the model is constructed layer by layer;
  • Material Jetting – creates objects in a similar method to a two dimensional ink jet printer, whereby material is jetted onto a build platform using a continuous or drop-on-demand approach;
  • Binder Jetting – a process which uses a powder based build material and a binder (usually in liquid form). The machine’s print head moves horizontally along the X and Y axes of the machine to deposit alternating layers of the build material and the binding material;
  • Material Extrusion – with this technology, material is drawn through a nozzle where it is heated and then deposited layer by layer. The nozzle moves horizontally whilst a platform moves up and down vertically after each new layer is deposited;
  • Powder Bed Fusion – comprises various printing techniques, such as direct metal laser sintering or electron beam melting, where a laser or electron beam is used to melt and fuse material powder together;
  • Sheet Lamination – a process which uses sheets or ribbons of metal bound together using ultrasonic welding, or layers of paper bonded by adhesive – the required shape is cut from the layer by laser or knife; and
  • Directed Energy Deposition – a range of printing processes, such as laser engineered net shaping and 3D laser cladding, which are commonly used to repair or add additional material to existing components.

Whilst individual processes differ depending on the material and machine technology used, the essence of AM is that a digital 3D design file – or blueprint – is used to create physical three-dimensional objects by incrementally adding successive layers of material. The blueprint may be made with CAD (Computer Aided Design) software or with an App where the user simply scans a real-life object with a smartphone’s camera. Common materials used include plastics, rubber, metals, alloys, polymers and ceramics.

Use Cases and Adoption Benefits

AM is already being used across a wide range of manufacturing and other industries including aerospace, defence, design, fashion, health, medicine, and electronics. Industrial AM applications include visual aids, presentation models, prototypes, patterns (e.g. for prototype tooling or metal castings), tooling components and functional parts, as well as food manufacturing and a range of medical uses such as surgical reconstruction and dental repair.

And with basic home printing machines available for less than £500, AM also offers potential for e-commerce as an alternative to home delivery. The concept of ‘Printing as a Service’ is also emerging, where CAD files can be sent online to a company which prints and ships the printed object back to the customer, often in under 24 hours.

The adoption of AM can yield significant benefits such as the ability to innovate with design and to quickly revise products. It can also save energy costs and deliver reduced waste pollution. In the spare parts supply chain, AM can result in better manufacturing of spare parts, reduction of inventory and improved lead times, whilst in the field of asset lifecycle maintenance, it can prolong the asset lifecycle through the improved design of products or parts, and by eliminating manufacturing steps, lowering tooling costs and simplifying the maintenance processes.

The Wohlers Report 2015 estimates that the market for AM systems, materials, supplies and services was worth some $7.3 billion in 2016, with the largest contributors being consumer electronics and automotive industries with 20% each.

So, what are the Legal Issues?

AM use brings with it some complex issues and challenges from a legal perspective, whether the technology is used in a commercial or a personal capacity. These will differ from jurisdiction to jurisdiction.

Protection and Infringement of Intellectual Property Rights

For AM adopters, concerns about infringement of a third party’s intellectual property (IP), e.g. in designs and blueprints and related manufacturing processes, are a key issue. In this context, the IP rights which may be infringed include copyright, patents, design rights and registered designs, as well as trade marks, including rights in names and brands, whether or not registered. Such IP rights may exist in relation to CAD data (i.e. as a technical drawing or as software), materials, printers and printing processes.

As an example, when existing objects or designs are redesigned for manufacturing through AM (e.g. where a company maintains existing assets by means of 3D printed tooling and spare parts), this may constitute a breach of a third party’s copyright or design rights in the original objects or designs. Whilst there are some exceptions to infringement, such as reasonable repair of a purchased item through the creation of spare parts as well as exceptions for personal, non-commercial use, these are often complex and may not apply to the proposed use case. The bottom line is to work with counsel to ensure that AM processes are fit for purpose and comply with the legal framework.

For IP holders, since AM can be used as an enabler of IP piracy, new techniques to counter infringement are needed. Compared with traditional manufacturing, where the copying of a design can often be readily traced to a source because the infringer requires an infrastructure for fabrication, a marketing platform for sales etc., the AM environment requires no such infrastructure or platform, making piracy harder to trace.

Product Liability and Safety

In the UK, there are a number of laws and regulations applicable to the manufacturing, distribution and sale of products. The General Product Safety Regulations 2005 (SI 1803/2005) make it a criminal offence to place an unsafe product on the market. Sale of goods contracts with consumers are governed by the Consumer Rights Act 2015 or the Sale of Goods Act 1979. Other jurisdictions will no doubt have equivalent or similar laws and regulations applicable to product manufacturers and distributors.

Liability for defective or dangerous products can also arise in tort since product manufacturers owe a duty of care to end users. There may also be sector or product-specific regulations, such as the Good Manufacturing Practice (GMP) system which applies to pharmaceutical ingredients and products.

Manufacturing Rules and Regulations

A web of European and local laws and regulations applies to the manufacture of goods including, in the case of AM, potentially the Machinery Directive (2006/42/EC), or, alternatively, the Low Voltage Directive (2014/35/EU). There are also sector-specific Directives and Regulations, and a wide range of potentially applicable standards and regulations. These often depend on usage, such as IEC 60601-1, which applies to medical electrical equipment, and IEC 60335-2-64, which applies to kitchen machines.

Product labelling rules may also be relevant. As well as general product labelling requirements (e.g. labels must not be misleading), there are also special rules on product labelling which apply to the manufacture, distribution or sale of products in the precious metals, footwear and food & drink sectors, as well as children’s products.

Emerging Legal Issues

AM technology remains in its relative infancy. Legal issues are still emerging as the understanding of AM technology, and related processes, grows, and applications emerge. Other important areas to be considered include environmental liability, health and safety, availability of insurance for AM manufacturing processes, data protection and cyber-security.

Increased Adoption will lead to more Regulation?

The European Commission, which adopted a Digitising European Industry (DEI) initiative, sees AM as one of the pillars which will be used to strengthen the EU’s industrial sector. There are already a number of European AM initiatives. Under the Horizon 2020 initiative, Project “BARBARA” (Biopolymers with advanced functionalities for building and automotive parts processed through additive manufacturing) is a research project for the creation of 3D printable car and construction feedstock. There is also Factories of the Future, a public-private partnership which aims to achieve collaboration between stakeholders such as the Additive Manufacturing Platform and the ManuFuture European Technology Platform.

A September 2016 report for the EC by IDEA Consult, VTT Technical Research Centre of Finland and the Austrian Institute of Technology described a fragmented European AM landscape facing strong competition from global players, mainly from the US and Japan. It called for an EU strategy for AM and for a streamlining of standardisation and certification efforts in the context of different AM value chains.

It does seem inevitable, therefore, given the current interest in AM, that the current legal and regulatory framework will, at some point, come under the scrutiny of law and standards makers such as the European Committee for Standardization.

Posted

Those of us who have been grappling with how best to approach GDPR compliance in outsourcing and other commercial contracts will be all too familiar with Article 28 of the GDPR. Article 28.3 builds on the limited obligations that existed under the existing regime but also includes some significant enhancements to the minimum processor obligations to be addressed head on in the contract.

Processor’s obligation to notify infringing instructions

One requirement of Article 28.3 in particular, has provided clients and counsel alike with a degree of angst since the final draft of the GDPR was published in May 2016, and further back still for those of us who had followed the negotiations and multiple redrafts of the GDPR prior to its final publication.

The offending paragraph ‘floats’ at the end of Article 28.3’s list of contract requirements and reads:

“With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.”

We say ‘floats’ because the paragraph does not appear within the Article 28.3 list and from a formatting perspective, sits in line with (but between) Article 28.3 and the following Article 28.4.


Either way, the obligation throws up a host of questions that commercial and data protection professionals (especially those acting for processors and sub-processors) will now need to consider each time they negotiate an agreement under which personal data are to be processed and also as they design and implement new service offerings.

For example:

  1. What constitutes an instruction?
     a. What level of involvement must a processor have in the processing activities and the wider service provision to be deemed to have had knowledge of the customer’s instructions?
     b. For example, in a SaaS scenario, does the obligation apply where the supplier’s systems enable certain types of processing but the customer remains in control of configuring the system?
  2. When, and to what extent, will processors be expected to have or form an opinion?
     a. To what extent will a processor be expected to interrogate and assess the basis on which the data controller customer has the right to use the personal data in question in the manner specified under the contract? Will this now form a standard part of the supplier’s initial contractual due diligence stage?
     b. Will processors be expected to build and maintain an internal compliance and legal capability to enable them to comply with this obligation (or even outsource these capabilities to external counsel or consultancies)?
     c. If so, will this result in processors who wish to be fully compliant with Article 28 being forced to raise their prices, potentially becoming uncompetitive when compared with their less compliant peers?
     d. Even where such compliance teams are established or enhanced, how will processor organisations ‘operationalise’ these teams so that they are sufficiently integrated into the sales and delivery cycle that infringements are identified and notified?
     e. To what extent will ignorance of what is undoubtedly an expansive and complex law be a defence?
  3. To what extent can the data processor seek to limit or exclude contractual liability for this obligation?
     a. Will separate liability caps be required? Will suppliers seek to carve out this obligation from indemnity provisions?
     b. Will additional provisions be required to enable counter-claims by a supplier? For example, will it become custom and practice for suppliers to insist on specific representations and warranties and, in the context of outsourcing arrangements, specific ‘customer dependencies’, that all instructions given by the customer are themselves lawful and compliant with the GDPR?
  4. Finally, to what extent is this obligation an insurable business risk?

Is this a contractual obligation, statutory obligation or both?

In addition to the issues outlined above, the placement of the obligation within Article 28.3 and the reference to sub-paragraph (h) is also problematic. From a plain reading of Article 28.3, it is unclear whether the paragraph is intended to exist as a stand-alone statutory obligation on the data processor or as an additional contractual obligation to be included within the data processing contract, or indeed both.

Given the placement of the paragraph and the fact that the list of contractual obligations clearly ends at sub-paragraph (h) with a full stop, it is arguable that the correct interpretation is that the paragraph was intended as a stand-alone statutory obligation and not something that had to be included in the contract (although from a controller’s perspective it would clearly be desirable to do in any event).

In other words, if the draftspersons had intended for the clause to form part of sub-paragraph (h), why wouldn’t they have simply put it there?

Finally, it is also unclear what the qualification “With regard to point (h)” means in practice. Sub-paragraph (h) requires processors to make available the information necessary to demonstrate compliance with the obligations set out in Article 28 and to allow for, and contribute to, audits. It is not clear what the link is between information and audit obligations on the one hand, and instructions of the controller on the other. Does the reference to sub-paragraph (h) mean, for example, that the obligation to notify the controller of infringing instructions relates only to information requests and audits?

ICO’s draft guidance

To date, there has been little guidance on the above, with businesses left to speculate as they prepare for 25th May 2018.

However, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), issued draft guidance on contracts and liabilities between controllers and processors for consultation on 13 September 2017 (the “Draft Guidance”). The Draft Guidance sets out how the ICO interprets the GDPR, and its “general recommended approach to compliance and good practice”.

The Draft Guidance seems to have been prepared almost entirely from the point of view of data controllers (perhaps a hang-over from the necessary approach under the existing controller-specific regime) and so provides little additional guidance (at least in its draft form) from the perspective of data processors. This lack of guidance extends to addressing how processors might go about complying with the obligation to inform of infringing instructions whilst taking into account some of the issues identified above.

However, on the question of whether the obligation to inform must be addressed in the contract and on whether it is somehow limited by reference to sub-paragraph (h), the Draft Guidance does state clearly that:

“Under Article 28.3(h), your contract must provide that your processor must tell you immediately if it thinks it has been given an instruction which doesn’t comply with the GDPR, or related data protection law”.

So despite the questions of interpretation raised above, for now at least, the ICO’s position on this point seems clear: the obligation to inform is a contractual obligation and it is not limited to information and audit requests of the type referred to in sub-paragraph (h).

Hopefully, additional clarification will be forthcoming as the guidance is developed further by the ICO, or alternatively from the ICO’s EU counterparts.

Given the UK’s involvement in negotiating the GDPR throughout its draft iterations and the fact that the GDPR will effectively be adopted into UK law through the Data Protection Bill, the ICO’s guidance is undoubtedly persuasive and will likely remain so post Brexit. The ICO has stated that its guidance will need to evolve to take account of future guidelines issued by relevant European authorities, as well as its experience of applying the law in practice from May 2018 and that it intends to keep the guidance under review and update it in light of relevant developments and stakeholders’ feedback.

In the meantime, controllers and processors alike will need to consider how to address this obligation in their processing agreements. Controllers will no doubt seek to include this obligation on a near word for word basis. However, processors should consider carefully what additional contractual and (just as importantly) procedural protections they need in order to mitigate the potential impacts. For example, as a minimum, processors will need to implement governance frameworks and clear reporting lines to assess communications with their controllers and have a clear policy in place to guide those individuals concerned on how to handle instructions from the controller they deem to be infringing.

Final guidance

The ICO’s consultation ended on 10th October and it has previously stated its aim is to publish the much anticipated finalised guidance before the end of the year. We will continue to monitor developments in relation to this short but important paragraph.

Posted

Toll-free telephone numbers celebrated their 50th birthday this year (frankly, without much fanfare). These numbers allow callers to reach businesses without being charged for the call. When long distance calling was expensive, these numbers were enticing marketing tools used by businesses to encourage customer calls and provide a single number for nationwide customer service—for example, hotel, airline or car rental reservations.

Toll-free numbers are most valuable to businesses when they are easy to remember because they spell a word (1-877-DENTIST) or have a simple dialing pattern (1-855-222-2222). Like all telephone numbers, however, the FCC considers toll-free numbers to be a public resource, not owned by any single person, business or telephone company. Toll-free numbers are assigned on a first-come, first-served basis, primarily by telecommunications carriers known as Responsible Organizations. The FCC even has rules that prohibit hoarding (keeping more than you need) or selling toll-free numbers.

But the rules will change if the FCC adopts its recent proposal to assign toll-free numbers by auction as it prepares to open access to its new “833” toll-free numbers. The Notice of Proposed Rulemaking issued last week proposes to auction off approximately 17,000 toll-free numbers for which there have been competing requests. The proceeds of these auctions would then be used to reduce the costs of administering toll-free numbers.

The NPRM also contemplates revising the current rules to promote the development of a secondary market for toll-free numbers. This would allow subscribers to reassign toll-free numbers to other businesses for a fee (think 1-800-STUBHUB!). The FCC suggests this would promote economic efficiencies, as the number would presumably be better utilized by a business owner willing to pay for it than by the company that merely happened to claim it first.

The proposed rules are not without controversy. Some toll-free numbers are used to promote health, safety and other public interest goals (e.g., 1-800-SUICIDE). The NPRM seeks comments on whether toll-free numbers used by governmental or certain nonprofit organizations should be exempt from the auction process. There are also questions about whether the expected demand for the 17,000 new numbers will erode if claiming a number is no longer free.

Comments in this proceeding will be due 30 days after the NPRM is published in the Federal Register, with replies due 30 days after that. If you are interested in filing comments, you can reach us at 1-888-387-5714.  After all, it’s a toll-free call.

Posted

Imagine dialing 911 and hearing an automated voice tell you that what you have dialed is not a valid number; or reaching a 911 call center only to have emergency personnel dispatched to the wrong location. In response to such problems, the FCC yesterday released a Notice of Inquiry (NOI) asking a broad range of questions about the capability of enterprise-based communications systems (ECS)—internal phone systems used in places like office buildings, campuses and hotels—to provide access for 911 calls.

According to the FCC, certain of these systems may not support direct 911 dialing, may not have the capability to route calls to the appropriate 911 call center, or may not provide accurate information on the caller’s location. The NOI seeks public comment on consumer expectations regarding the ability to access 911 call centers when calling from an ECS, and seeks ways, including regulation if needed, to improve the capabilities of ECS to provide direct access for 911 calls.

The FCC generally requires telephone service providers to offer enhanced 911 service, which basically means that the provider will forward the caller’s telephone number and registered location to the appropriate public safety answering point (PSAP), which should be the 911 call center closest to the caller. Call takers at the PSAP are then responsible for dispatching the appropriate emergency responder—police, fire or ambulance.

ECS equipment, which supports multiple users with individual handsets and unique extensions across a company, for example, has historically presented challenges for 911 service because the location information and phone number transmitted to the PSAP may not be those of the actual calling party, or may fail to provide the level of detail (floor or office number) required to locate the caller in an office building with multiple floors.

Another lingering problem has been the requirement to dial a digit (typically 9) to inform the ECS that the call is to go outside the organization (or hotel) and not to another employee extension (or another room). There have been tragic cases where someone needing help has dialed “911” only to have the ECS think that the caller is dialing 9 to reach an outside number, and then dialing “11,” which is not a valid phone number. The result is not even reaching a wrong number (certainly a problem in an emergency), but having the system fail to make any call at all. The result is at best a delay in getting emergency services, and at worst the caller giving up on reaching emergency personnel as they struggle to deal with the emergency itself.
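The dialing failure described above comes down to how an enterprise system's dial plan classifies digit strings. The following is an added example, written for this page and not code from the FCC's NOI or from any ECS vendor: it models a legacy dial plan that treats a leading 9 strictly as the outside-line prefix (so "911" becomes an attempted call to "11" and no call is placed), beside a dial plan that matches the emergency pattern before any prefix handling, so that both "911" and "9-911" reach the PSAP. The four-digit extension length, the seven-digit minimum for outside numbers and the dial strings in `compare` are constructed assumptions for the example.

```python
"""Added example: two ECS dial plans, one that swallows a direct 911 call
and one that honours direct 911 dialing.

Constructed illustration; not code from the FCC NOI or any vendor.
"""
from enum import Enum
from typing import Dict, Iterable, Tuple


class Route(Enum):
    EMERGENCY = "emergency"   # hand the call to the PSAP
    INTERNAL = "internal"     # another extension on the same system
    EXTERNAL = "external"     # outside line via the trunk
    INVALID = "invalid"       # no route: caller hears "not a valid number"


OUTSIDE_PREFIX = "9"      # the "dial 9 for an outside line" convention
EXTENSION_LENGTH = 4      # constructed assumption: four-digit extensions
MIN_OUTSIDE_DIGITS = 7    # constructed assumption: shortest outside number


def route_prefix_only(dialed: str) -> Tuple[Route, str]:
    """Legacy dial plan: every outside call must begin with the prefix.

    This reproduces the failure mode in the text: a caller dials "911",
    the system strips the leading 9 as the outside-line prefix and tries
    to place a call to "11", which is not a valid number, so no call is
    made at all.
    """
    if dialed.startswith(OUTSIDE_PREFIX):
        number = dialed[len(OUTSIDE_PREFIX):]
        if number == "911":                       # only "9-911" works here
            return Route.EMERGENCY, number
        if len(number) >= MIN_OUTSIDE_DIGITS and number.isdigit():
            return Route.EXTERNAL, number
        return Route.INVALID, number              # "911" ends up here
    if len(dialed) == EXTENSION_LENGTH and dialed.isdigit():
        return Route.INTERNAL, dialed
    return Route.INVALID, dialed


def route_direct_911(dialed: str) -> Tuple[Route, str]:
    """Dial plan configured for direct 911 dialing.

    The emergency pattern is tested before any prefix handling, so "911"
    and "9911" both reach the PSAP and no extension can shadow the
    emergency number. Everything else falls through to the legacy rules.
    """
    if dialed in ("911", OUTSIDE_PREFIX + "911"):
        return Route.EMERGENCY, "911"
    return route_prefix_only(dialed)


def compare(dial_strings: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each dial string to (legacy route, direct-911 route) for review."""
    return {
        d: (route_prefix_only(d)[0].value, route_direct_911(d)[0].value)
        for d in dial_strings
    }


if __name__ == "__main__":
    # Constructed dial strings covering the cases discussed in the text.
    for dialed, (legacy, direct) in compare(
        ["911", "9911", "1234", "95551234567"]
    ).items():
        print(f"{dialed:>12}: legacy={legacy:<9} direct-911={direct}")
```

A useful check when reviewing an ECS configuration is to run every emergency dial string a caller might plausibly use (with and without the outside-line prefix) through the dial plan and confirm each one is classified as an emergency route, rather than inspecting the prefix rule in isolation.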

This problem has been amplified by changes in technology that now favor internet-protocol or cloud-based technologies, both of which encourage mobility by end users. In particular, employees can now access ECS not just through traditional desk phones, but through applications on mobile phones or through software on laptops and tablets. Employees can also log into handsets in offices in different cities that give the appearance that the employee is in his or her home office. In all of these cases, unless the user takes steps to update their location for 911 purposes, it’s likely that a call to 911 will be routed to the PSAP associated with the home office, and not the PSAP closest to the calling party.

The NOI recognizes that a number of states have adopted requirements for 911 service provided by ECS operators. These include laws mandating direct 911 dialing and location accuracy, including ECS delivery of more precise location information (e.g., an apartment number or floor). Moreover, Congress is considering legislation that requires ECS equipment to have a configuration that permits users to call 911 without dialing any code or prefix.

The NOI does not propose any immediate solutions but asks broad questions including:

  • ECS marketplace: the number and types of ECS vendors and equipment; how 911 calls are typically handled and what the equipment’s existing capabilities are; the number of subscribers using ECS and the percentage of 911 calls originating from ECS; the ability to support more than voice communications (e.g., video and text); whether there are technical barriers to providing a more reliable or accurate 911 service; how often calls are routed to the wrong PSAP; and the capability of misrouted calls to be re-routed to the correct PSAP;
  • VoIP: The capabilities of Voice over IP providers to support 911; whether the 911 registered location is for the enterprise owner or the end user, and whether VoIP providers can provide location information automatically without relying on customer-provided information;
  • Cost considerations: The cost of adapting ECS equipment to support 911 calling; who bears those costs; whether costs have been impacted by new technology; the costs for complying with state 911 laws, and whether insurers provide incentives for enterprise owners to implement 911;
  • Consumer expectations: whether consumers expect 911 calls from an ECS to be quickly routed to the correct PSAP; whether consumers are aware of disparate dialing arrangements to reach 911 from certain ECS; and whether the ubiquity of wireless phones makes it less likely that a caller will use a hotel or business phone to call 911; and
  • Options: Whether states are best positioned to devise rules for ECS in their jurisdiction; whether 911 capabilities of ECS should be uniform on a nationwide basis; whether there is any action the FCC should consider to encourage voluntary implementation of 911 for ECS; whether additional voluntary best practices, technical or operational standards should be established and who should monitor implementation; and what role, if any, the FCC should take and whether it should adopt new rules requiring ECS implementation of 911 or update its existing rules for VoIP, wireless and telecom carriers to better support implementation of 911 for ECS.

Comments on the NOI are due November 15, and replies are due December 15. As demonstrated by the unprecedented number of destructive hurricanes this month, reliably reaching 911 in any circumstance can be critical. The changes that may result from this proceeding will be important for both communications service providers and users of enterprise communications systems.

Posted

The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.

The Bill will enshrine the EU General Data Protection Regulation (GDPR) into UK domestic law. It will also implement the requirements of EU Directive 2016/680 (The Law Enforcement Directive) which covers the processing of personal data for crime prevention, and the free movement of such data.

Why is a UK bill needed?
The GDPR is an EU regulation and therefore will have direct effect in all EU Member States (including, currently, the UK) without the need for implementation at the national level. The Data Protection Bill aims to ensure that, post-Brexit, UK data protection law will remain in step with that of its EU trading partners.

The change is necessary because after the UK leaves the European Union, it will become a “third country” for data protection purposes. EU data protection law prohibits the transfer of EU personal data to third countries which do not ensure an adequate level of protection. Adequacy does not require identical laws but the third country must provide ‘essentially equivalent’ protection. The implementation of GDPR-style legislation in the UK makes it more likely that the EU Commission will make an adequacy decision in favour of the UK under Article 45 of the GDPR.

What does the statement say?
The statement of intent suggests that UK data protection law will align with the requirements of the GDPR meaning severe penalties for breach (€20 million or 4% of global turnover) will be applied to UK-based companies. The content of the statement does not mark a significant departure from the language of the GDPR and, on the face of it, would not require companies to take alternative compliance steps in the UK.

However, the statement does set out three new offences to be contained in the Bill.  In particular, it:

  1. Creates a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.
  2. Creates a new offence of altering records with intent to prevent disclosure following a subject access request. The offence would use section 77 of the Freedom of Information Act 2000 as a template. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland.
  3. Widens the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).

The details of the first offence will be interesting to see.

The UK Government also states that “default reliance on the use of default opt-out or pre-selected “tick boxes” will become a thing of the past.” It is not clear whether the exception for consent to e-marketing by existing customers, contained in the e-Privacy Directive, will be included in the Bill. Indeed, the statement does not mention the current e-Privacy Directive or the proposed e-Privacy Regulation, which will also require similar implementation post-Brexit.

There also seems to be some confusion as to the meaning of “privacy by design and default.” It suggests the principle can be achieved by “giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and also by offering them a clearer right of redress.” The concept of privacy by design and default promotes compliance with data protection laws and regulations from the earliest stages of initiatives involving personal data and does not necessarily relate to notification and redress.

What should businesses be doing?

Although companies with a UK footprint will need to familiarise themselves with the Bill when it is published, it is unlikely to represent a major departure from the requirements of the GDPR in the authors’ view.

In order to be compliant under both the GDPR and the Bill, companies will need to ensure that they have robust policies and procedures in place. With the risk of heavy fines under the GDPR and the Bill, not to mention the reputational damage and potential loss of consumer confidence caused by noncompliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum in order to comply with both pieces of legislation:

  • Review privacy notices and policies—ensure these are compliant. Do they provide for the new rights individuals have?
  • Prepare/update the data security breach plan—to ensure new rules can be met if needed.
  • Audit your consents—are you lawfully processing data?
  • Set up an accountability framework—e.g., monitor processes, procedures, train staff.
  • Appoint a DPO where required.
  • Consider if you have new obligations as a processor – is your contractual documentation adequate? Review contracts and consider what changes will be required.
  • Audit your international transfers—do you have a lawful basis to transfer data?

For those businesses that have yet to consider their obligations, the advice is to start thinking about compliance under the GDPR as soon as possible, and under the Bill once it is published. Not only will compliance be crucial for retaining customer trust, it will also avoid the business being made an example of in a way that hurts not only its reputation but also its bottom line.

Posted

Financial Institutions may need to revise consumer contracts to remove class action waivers in preparation for a March 2018 federal rule.

On July 19, the U.S. Consumer Financial Protection Bureau, the federal regulator for a sweeping range of depository and non-depository consumer financial services companies (including the largest of U.S. banks), published a final rule (the “Rule”) that makes it illegal for many of the CFPB’s regulated entities to include consumer class action waivers in pre-dispute arbitration agreements. The Rule’s effective date is September 18, 2017, and it applies to contracts entered into after March 19, 2018. (The Rule does not apply to pre-existing contracts.)

As a result, covered consumer contracts entered into after March 19, 2018, will need to: (a) remove language in pre-dispute arbitration provisions that bars consumers from participating in class actions; and (b) add language informing consumers of their rights to participate in class actions. The Rule will also require such companies to provide information on individual arbitration awards to the CFPB for publication in a public database (redacting consumers’ private financial information). Although the Rule does not outright prohibit pre-dispute arbitration agreements themselves (as many expected the CFPB might), companies will need to reconsider the economics behind offering consumers a full arbitration program in light of a future reality of increased class actions.

Unlike the majority of the CFPB’s regulations, which cover specific financial products or services, the Rule applies across a wide swath of traditional and online consumer financial products and services, including among other things deposit accounts, credit cards and consumer reporting products. (Arbitration agreements, themselves, are already prohibited in residential mortgage transactions, so the Rule does not cover those.)

Although the Rule was issued as “final” (as opposed to a mere proposal), the Rule is currently subject to fierce political headwinds from Congressional Republicans, the White House and industry trade groups, all of whom strongly oppose the CFPB’s current director, Richard Cordray, an Obama appointee.

Indeed, the House of Representatives has already passed a resolution that, if adopted by the Senate and signed by the President, would nullify the Rule and bar the CFPB from issuing a similar rule in the future without an express Congressional directive. The catch is that the procedure Congress would invoke to nullify the Rule, the Congressional Review Act, must be used within 60 legislative days of the Rule’s publication in the Federal Register. While the House of Representatives has taken the first step, it remains to be seen whether the Senate will have the opportunity to act in light of other legislative priorities.

Notwithstanding these potential threats to the Rule from Congress, as of the time of this writing, the CFPB appears to be moving full steam ahead. As a result, companies that fall within the Rule’s coverage are well advised to begin reviewing their consumer agreements and dispute resolution procedures in preparation for the distinct possibility that prohibitions on consumer class action waivers become the law in March 2018.