Volume 7, Issue 3, April 2016 SOCIALLY AWARE 2011 BEST LAW FIRM NEWSLETTER THE SOCIAL MEDIA LAW UPDATE

IN THIS ISSUE How to Protect Your Company’s Social Media Currency Page 2 Clickwrap, Browsewrap and Mixed Media Contracts: A Few Words Can Go a Long Way Page 4 A Negative Review May Be Protected Activity Under U.S. Employment Law Page 6 The Internet of Things: Interoperability, Industry Standards & Related IP Licensing Approaches Page 6 Privacy Shield vs. Safe Harbor: A Different Name for an Improved Agreement Page 14 Digital Single Market Strategy Update: Europe Proposes Further Harmonization of Consumer Protection Laws Page18 Welcome to the newest issue of Socially Aware, our Burton Award EDITORS winning guide to the law and business of social media. In this edition, John F. Delaney Aaron P. Rubin we discuss what a company can do to help protect the likes, followers, views, tweets and shares that constitute its social media “currency”; CONTRIBUTORS we review a federal district court opinion refusing to enforce an John F. Delaney Aaron P. Rubin Kristina Ehle Stephanie L. Sharron arbitration clause included in online terms and conditions referenced J. Alexander Lawrence Joshua R. Stein in a “wet signature” contract; we highlight the potential legal risks Susan McLean Bastian Suurmond Christine E. Lyon Leanne Ta associated with terminating an employee for complaining about Sotirios Petrovas her salary on social media; we explore the need for standardization Mary Race Cynthia J. Rich and interoperability in the Internet of Things world; we examine the proposed EU-U.S. Privacy Shield’s attempt to satisfy consumers’ FOLLOW US privacy concerns, the European Court of Justice’s legal requirements, Morrison & Foerster’s Socially Aware Blog and companies’ practical considerations; and we take a look at the European Commission’s efforts to harmonize the digital sale of goods @MoFoSocMedia and content throughout Europe.

All this—plus an infographic illustrating the growing popularity and implications of ad blocking software. and videos but not the view counts Service. Darnaa sued for breach of the HOW TO PROTECT or comments that her videos had covenant of good faith and fair dealing, YOUR COMPANY’S generated prior to the account’s interference with prospective economic suspension. advantage and defamation. In an email SOCIAL MEDIA submitted with the complaint, Darnaa’s Lewis sued YouTube for breach of agent explained that she had launched CURRENCY contract, alleging that YouTube several large campaigns (each costing had deprived her of her reasonable By Aaron P. Rubin and Leanne Ta $250,000 to $300,000) to promote expectations under the Terms of the video and that the original link Today’s companies compete not Service that her channel would be was already embedded in thousands only for dollars but also for likes, maintained and would continue to of websites and blogs. Darnaa sought followers, views, tweets, comments reflect the same number of views and damages as well as an injunction to and shares. “Social currency,” as comments. She sought damages as prevent YouTube from removing the some researchers call it, is becoming well as specific performance to compel video or changing its URL. increasingly important, and companies YouTube to restore her account to its are investing heavily in building their original condition. The court dismissed all of Darnaa’s social media fan bases. In some cases, claims because YouTube’s Terms of this commitment of time, money and Service require lawsuits to be filed resources has resulted in staggering A good tip is to read within one year and Darnaa had filed success. Coca-Cola, for example, has her case too late. In its discussion, amassed over 96 million likes on its the applicable terms however, the court made several Facebook page, and LEGO’s YouTube of service carefully interesting points. In considering videos have been played over 2 billion to understand the whether YouTube’s Terms of Service times. platform’s rules were unconscionable, the court held With such impressive statistics, there that, although the terms are by nature is no question that a company’s social and the reasons for a “contract of adhesion,” the level of media presence and the associated which a platform may procedural unconscionability was pages and profiles can be highly slight, since the plaintiff could have valuable business assets, providing an delete or suspend publicized her videos on a different important means for disseminating accounts or remove website. Further, in ruling that content and connecting with customers. or relocate content. the terms were not substantively But how much control does a company unconscionable, the court pointed really have over these social media out that “[b]ecause YouTube offers its assets? What recourse would be hosting services free of charge, it is The court first held that Lewis could not available if a social media platform reasonable for YouTube to retain broad show damages due to the fact that the decided to delete a company’s page or discretion over [its] services.” YouTube Terms of Service contained migrate its fans to another page? a limitation of liability provision that Although the court ultimately dismissed The answer may be not very much. disclaimed liability for any omissions Darnaa’s claims based on the failure Over the past few years, courts have relating to content. The court also held to timely file the suit, the decision was repeatedly found in favor of social that Lewis was not entitled to specific not a complete victory for YouTube. media platforms in a number of cases performance because there was nothing The court granted leave to amend to challenging the platforms’ ability to in the Terms of Service that required give Darnaa the opportunity to plead delete or suspend accounts and to YouTube to maintain particular content facts showing that she was entitled remove or relocate user content. or to display view counts or comments. to equitable tolling of the contractual Accordingly, the court affirmed limitations period. Therefore, the LEGAL SHOW-DOWNS ON SOCIAL dismissal of Lewis’s complaint. court went on to consider whether MEDIA TAKE-DOWNS Darnaa’s allegations were sufficient to In a similar case, Darnaa LLC v. state a claim. Among other things, the In a recent California case, Lewis v. Google, Inc., Darnaa, a singer, posted court held that YouTube’s Terms of YouTube, LLC, the plaintiff Jan Lewis’s a music video on YouTube. Again, due Service were ambiguous regarding the account was removed by YouTube to allegations of view count inflation, platform’s rights to remove and relocate due to allegations that she artificially YouTube removed and relocated the user videos in its sole discretion. Thus, inflated view counts in violation of video to a different URL, disclosing on the court further held that if Darnaa YouTube’s Terms of Service. YouTube the original page that the video had were able to amend the complaint to eventually restored Lewis’s account been removed for violating its Terms of avoid the consequences of the failure

2 Socially Aware, April 2016 to timely file, then the complaint would be sufficient to state a claim for breach of the contractual covenant of good faith and A LOOK AT fair dealing. By contrast, the court found no such ambiguity in Song Fi v. AD BLOCKING Google Inc., a case with facts similar to those in Darnaa. In Song Fi, the plaintiff asserted claims for, among other things, SOFTWARE breach of contract and breach of the implied covenant of good faith and fair dealing. YouTube raised a defense under the Communications Decency Act (CDA) Section 230(c)(2)(A) which states that no provider of an interactive computer service is liable for removing content that it considers to be obscene, violent, harassing or “otherwise objectionable.”

The Song Fi court, interpreting this provision narrowly, found that although videos with inflated view counts could be a monthly active users 200 million problem for YouTube, they are not “otherwise objectionable” 1 of ad blocking software worldwide. within the meaning of Section 230(c)(2)(A), and thus, YouTube did not have immunity under that provision. Specifically, the court concluded that, in light of the CDA’s history and purpose, 16% of the U.S. online population the phrase “otherwise objectionable” relates to “potentially blocked ads in the second quarter of 2015.2 offensive material, not simply any materials undesirable to a content provider or user.” Further, the requirement that the service provider subjectively finds the blocked or screened material objectionable “does not mean anything or everything 36.7% YouTube finds subjectively objectionable is within the scope of the online population in Greece of Section 230(c).” Therefore, the court held that videos with blocked ads in the second quarter of inflated view counts fell outside the statutory safe harbor 2015, the highest percentage of any granted by Section 230(c)(2). 3 European country. Despite finding Section 230(c)(2) inapplicable, the court ultimately dismissed all of Song Fi’s claims. Notably, the $22 billion court dismissed the contract-based claims with prejudice, is the estimated amount that ad blockers holding that, although YouTube’s Terms of Service were “inartfully drafted,” they “unambiguously” reserved the 4 cost publishers in 2015. right for YouTube to remove content in its sole discretion and to discontinue any aspect of its service without liability. Therefore, the court held, the Terms of Service “unambiguously $215 a year foreclose[d]” Song Fi’s claims for breach of contract and breach is the estimated ad revenue associated of the implied covenant of good faith and fair dealing. with each U.S. Internet user; as heavy Facebook had more luck than did Google in asserting a Internet users, those using ad blockers CDA Section 230 defense in Sikhs For Justice “SFJ”, Inc. are potentially worth even more.5 v. Facebook, Inc., a case brought by a human rights group advocating for Sikh independence in the Indian state of Punjab. of Internet users, in return for Sikhs for Justice (SFJ) alleged that Facebook had blocked its ad-free access to online information, page in India at the behest of the Indian government. SFJ sued in the Northern District of California, asserting several causes would be willing to pay a charge equal of action including race discrimination, and sought damages 6 2% to the publisher’s lost ad revenue. and injunctive relief.

SOURCES The Sikhs for Justice court ruled in favor of Facebook, citing 1. http://www.businessinsider.com/us-publishers-could-band-together-to-stop-ad- CDA Section 230(c)(1), which states that “no provider of an blockers-2016-4 (citing survey from research firm Medianomics) interactive computer service shall be treated as the publisher 2. http://downloads.pagefair.com/reports/2015_report-the_cost_of_ad_blocking.pdf or speaker of any information provided by another information 3. http://downloads.pagefair.com/reports/2015_report-the_cost_of_ad_blocking.pdf 4. https://blog.pagefair.com/2015/ad-blocking-report/ content provider.” Based on this statutory language, Section 5. http://www.adweek.com/news/technology/how-ad-blocking-could-affect-youtubes- 230(c)(1) has been interpreted to provide a broad immunity subscription-model-163983 (citing Secret Media) 6. http://www.adweek.com/news/technology/how-ad-blocking-could-affect-youtubes- subscription-model-163983 (citing Secret Media) Socially Aware, April 2016 3 for website operators against liability For example, Mattocks v. Black of caution and avoid posting anything arising from user generated content. In Entertainment Television LLC (which that could be deemed offensive or dismissing the suit, the Sikhs for Justice we have discussed previously) involved obscene or that might infringe upon court explained that the content at issue a dispute between BET and Stacey other parties’ intellectual property was provided by SFJ, not by Facebook, Mattocks, whom BET had hired to help rights. And it goes without saying that and that Facebook’s refusal to publish manage the unofficial Facebook fan page users should avoid fraudulent practices, the SFJ page in India was “clearly for one of its shows. When Mattocks such as artificially driving up view publisher conduct” that is immunized restricted BET’s access to the fan page, counts or posting fake comments. by Section 230(c)(1). BET asked Facebook to “migrate” the fans to another official page that BET Most of all, businesses and individuals Notably, the court did not mention the had created, and Facebook granted should keep in mind that social media Section 230(c)(2) safe harbor for blocking the request. Mattocks sued BET for platforms have broad discretion when it user content, which YouTube had conversion of her business interest comes to decisions about what to publish asserted in SongFi as discussed above. in the Facebook fan page. The court, and where. As such, consider spreading According to some commentators, the holding that Mattocks failed to establish your company’s social media marketing Sikhs for Justice court’s failure to that she owned a property interest in efforts across a number of different discuss Section 230(c)(2) “highlights the page’s likes, granted BET’s motion platforms to minimize the impact of its weakness as a safe harbor.” for summary judgment. “If anyone sudden content removals or relocations can be deemed to own the ‘likes’ on a on any one platform. At the end of the In another case against Facebook, Facebook page,” the court stated, “it day, every social media account—even Young v. Facebook, Inc., the plaintiff, is the individual users responsible for those with millions of likes or views—is Karen Beth Young, found herself them.” While the Mattocks case did not controlled not by the user that created the suddenly banned from Facebook after directly target the social media platform account but by the platform that hosts it. sending friend requests to strangers. itself, it does demonstrate how difficult She sued for breach of the implied it can be for a plaintiff to challenge social covenant of good faith and fair dealing CLICKWRAP, media platforms’ decisions to remove as well as several other claims. In or relocate content based on purported contrast to some of the cases discussed BROWSEWRAP ownership of that content. above, the Young court found that “it AND MIXED MEDIA is at least conceivable that arbitrary or bad faith termination of user SAFEGUARDING YOUR SOCIAL CONTRACTS: A MEDIA CURRENCY accounts … with no explanation at all FEW WORDS CAN could implicate the implied covenant Ultimately, the cases discussed above of good faith and fair dealing,” show that social media platforms have GO A LONG WAY particularly since Facebook had significant control over what is (or isn’t) provided in its Statement of Rights and published on their websites, regardless By Joshua Stein and Responsibilities that users’ accounts of the amount of time and effort that J. Alexander Lawrence should not be terminated for reasons users have spent building up their Courts have generally categorized other than those described in the individual pages and profiles. With all online agreements into two types: Statement. Nonetheless, the court of this in mind, what can individuals “clickwrap” agreements and dismissed Young’s suit because her and companies do to protect their “browsewrap” agreements. complaint did not sufficiently allege social media currency? How can you that the account termination was help ensure that your hard-earned Clickwrap agreements—which require undertaken in bad faith or violated fans, likes, comments and views do not a user to check a box or click an icon to Facebook’s contractual obligations. suddenly disappear? signify agreement with the terms—are usually enforceable under U.S. law, even The cases above illustrate how difficult A good tip is to read the applicable where the terms appear in a separate it is for social media users to object to terms of service carefully to understand hyperlinked webpage but where language deletion or suspension of accounts or to the platform’s rules and the reasons accompanying the box or icon indicates removal or relocation of content based for which a platform may delete or that checking the box or clicking the icon on a platform’s contractual obligations suspend accounts or remove or relocate indicates assent to such terms. under the applicable terms of service. content. Make sure to comply with Users have met with similar obstacles the platform’s rules, including those On the other hand, browsewrap in asserting a property right in social regarding contests, collection and agreements—where the terms are media content. use of user information and content passively presented to users in a hyperlink guidelines. Users should err on the side somewhere on a webpage, typically at the

4 Socially Aware, April 2016 Holdbrook’s office manager, Nancy visible to the user during sign-up via The hyperlink, standing McStay, received the contract in hyperlink (like a browsewrap). A notice electronic form where the hyperlink above the “Sign Up” button stated that alone, was insufficient to was clickable, but then printed and “By clicking Sign Up, you are indicating show that Holdbrook had signed a hard copy. PCS argued that that you have read and agree to the because McStay signed the contract, Terms of Service” (like a clickwrap). “reasonable knowledge” one could assume that she read that the terms and and agreed to the entire agreement, Similarly, in Swift, a California court conditions were part of including the hyperlinked terms and found that a hyperlink to the Terms of conditions. Holdbrook disagreed. Service that appeared right below an the contract. It argued that the contract did not “Accept” button—along with a statement incorporate the terms and conditions that clicking “Accept” meant that the very bottom of the page in small font—are for several reasons. user accepted the terms—was sufficient often unenforceable because in many to prove the user agreed to those terms. First, the online terms and conditions cases it cannot be proved the user knew contained a separate signature block, the terms existed or even was aware of the The New Jersey court explained suggesting that it required additional hyperlink. that the fact that this case involved acceptance, and Holdbrook never “mixed media” did not matter. The signed onto those terms. A New Jersey court recently faced a contract was “much like the ‘clickwrap’ type of online agreement that did not Second, Holdbrook claimed that agreements in Fjeta [sic] and Swift, fit nicely into either category. Where a McStay had no idea that additional where the ‘Terms and Conditions’ were contract, sent electronically but signed terms were being incorporated, given contained in a hyperlink immediately in hard copy, contains a hyperlink to the garbled coding of the hyperlink next to a mechanism for accepting the a separate terms and conditions page, in the printed copy and the fact that agreement. In place of an ‘I Accept’ are those separate terms incorporated the contract contained no clause icon to be clicked, a Holdbrook into the agreement? In Holdbrook specifically pointing to the separate representative was required to sign the Pediatric Dental, LLC, v. Pro Computer terms and conditions. agreement on paper.” Service, LLC, the New Jersey court said no. A requirement to arbitrate Applying New Jersey contract law, the However, the New Jersey court found disputes buried in the online terms and court held that “a separate document one crucial component to be missing. conditions page was not incorporated may be incorporated through a In Fteja, Swift and other clickwrap into a contract where the contract hyperlink, but the traditional standard cases, a statement draws “the user’s merely stated “Download Terms and nonetheless applies: the party to be attention to the hyperlink” that is Conditions” near the signature line. bound must have had reasonable “sufficient to provide reasonable notice of and manifested assent to the notice that assent to the contract Again, the signed contract did not additional terms.” included assent to the additional itself contain an arbitration clause. terms.” The New Jersey court noted Rather, on the last page of the contract, After describing clickwrap and that there was no such statement in directly above the signature line, the browsewrap agreements, the New this case, nor instructions to sign following appeared in small text: “ we’ve discussed previously) and Swift The hyperlink, standing alone, was Download Terms and Conditions ,” which, if viewed in HTML, would a New York court found that a user had had “reasonable knowledge” that the instead appear as “Download Terms sufficient notice of Facebook’s terms of terms and conditions were part of the and Conditions.” The signed contract service even though the terms were only contract. looked like the below image:

“Further complicating matters” was the fact that the contract was sent in electronic form but could not be accepted in electronic form. It had to be printed and signed. This made it even less clear that the hyperlink contained additional terms.

5 Socially Aware, April 2016 The New Jersey court noted that much of the letter discussing wages, protection extends to non-unionized discovery might show that Holdbrook benefits, and the financial challenges employees as well. While there appear to actually reviewed the contract faced by her co-workers: be no reports of legal claims by Ben-Ora, electronically, noticed the hyperlink commentators have raised the question and agreed to its terms. In fact, after Every single one of my co-workers is of whether this type of posting might be conducting some limited discovery, struggling. They’re taking side jobs, legally protected under the NLRA. PCS filed a new motion to compel they’re living at home.… Another wrote arbitration, which, as of the date of on those neat whiteboards we’ve got this post, is pending before the court. on every floor begging for help because he was bound to be homeless in two The National Relations weeks…. Let’s talk about those benefits, Like the courts in Fteja, Swift and other though. They’re great. Except the Labor Board has clickwrap cases, the New Jersey court copays.… Twenty bucks each is pretty took careful note of the language that become increasingly neat, if spending twenty dollars didn’t surrounded the hyperlink to the terms aggressive in protecting determine whether or not you could and conditions to determine whether afford to get to work the next week. an employee’s right Holdbrook reasonably understood those additional terms were included in the to discuss wages and contract. It seems that, for the court, I got paid yesterday ($733.24, bi- working conditions in PCS’s “Download Terms and Conditions” weekly) but I have to save as much of was just a little too similar to a that as possible to pay my rent ($1245) a public forum, even “browsewrap” agreement to be found for my apartment that’s 30 miles away when that discussion enforceable without further inquiry into from work because it was the cheapest involves disparaging whether Holdbrook was, in fact, aware place I could find that had access to the of and agreed to the terms. train, which costs me $5.65 one way to the employer. get to work. That’s $11.30 a day, by the way. I make $8.15 an hour after taxes…. PCS may have been able to avoid the I woke up today with stomach pains. I issue entirely by simply including made myself a bowl of rice. The Ben-Ora incident is therefore a the following language in the signed reminder of the risks employers may agreement: “By signing the agreement, face—both legally and from a public you also accept the Terms and …As I said, I spend 80% [of my income relations perspective—in terminating Conditions on the PCS website.” on rent]. What do you spend 80% of your income on? I hear your net worth an employee who has recently protested is somewhere between $111 million and wages on social media. When it comes to enforcing online $222 million. That’s a whole lotta rice. agreements, a few words can go a long way. Shortly after Ben-Ora posted the letter, THE INTERNET Yelp terminated her employment. Yelp’s OF THINGS: A NEGATIVE REVIEW CEO stated that her termination was not related to the letter, but Ben-Ora’s post INTEROPERABILITY, MAY BE PROTECTED has the online world buzzing and Yelp is not receiving positive reviews. INDUSTRY ACTIVITY UNDER STANDARDS U.S. EMPLOYMENT There may be many valid reasons for terminating an employee. Employers & RELATED LAW should note, however, that the National Relations Labor Board has become IP LICENSING By Mary Race and Christine E. Lyon increasingly aggressive in protecting an APPROACHES Yelp, Inc. is more accustomed to being on employee’s right to discuss wages and the giving—rather than the receiving— working conditions in a public forum, By Stephanie Lynn Sharron and end of a negative review. That changed even when that discussion involves Nikita A. Tuckett recently when a Yelp customer service disparaging the employer. Under Section employee, Talia Ben-Ora, posted an 7 of the National Labor Relations Act The financial impact of the Internet of open letter to Yelp’s CEO on her blog, (NLRA), protesting an employer’s labor Things on the global economy will be lamenting her daily struggle to survive in policies or treatment of employees is significantly affected by interoperability. the Bay Area on low pay. Ben-Ora spent considered protected activity, and this A 2015 McKinsey Global Institute report indicated that, “[on] average,

6 Socially Aware, April 2016 interoperability is necessary to create networks and communications protocols discussion and debate about the extent 40 percent of the potential value that that support our connected world are far to which interoperability is desirable can be generated by the IoT in various more diverse and continue to proliferate. within the context of the IoT. settings […] Interoperability is required to unlock more than $4 trillion per year The term “things,” while not limiting One area of potential confusion in potential economic impact for IoT use in and of itself, is vague at best. In this in regard to interoperability is in 2025, out of a total impact of $11.1 article, when we refer to “things,” we distinguishing between the technology trillion across the nine settings that intend to encompass all of the types of and systems required to exchange McKinsey analyzed.” objects that have the ability to connect data from the technology and systems and communicate, whether those objects required for the use of that same However, at present, there is a lack be sensors, computers or everyday data. Communications protocols and of consensus between standards things. The ability to connect with other standards can be leveraged to ensure organizations and industry stakeholders objects and communicate data makes interoperability across heterogeneous as to even the most basic technical the object “smart.” hardware and software systems and standards and protocols that apply platforms. This sort of technical to how devices communicate. INTEROPERABILITY interoperability, however, will not Characterized as a “standards war” ensure that the data itself that is between technology groups, companies Interoperability is another term that is carried through networked layers of have competing incentives. While often articulated as being central to the the technology stack are in a form and all vendors share an interest in growth and success of the products and format that allows for transmission aligned standards that promote IoT services that leverage the IoT. While across systems. To support this sort of development and interoperability, interoperability is widely believed to interoperability, agreed frameworks individually some companies seek the be essential, defining what is meant for syntax and the encoding of data perceived competitive and economic by interoperability is difficult since (sometimes referred to as “syntactical advantages of building proprietary interoperability can mean something interoperability”) are needed. Finally, systems based on proprietary standards different when applied to the different systems will optimally be designed over and protocols (or so-called “walled- parts of the technology stack that time that support the ability of users gardens”). comprises the IoT than when applied to to obtain a common understanding of the data itself that is communicated and The lack of a uniform standard that the information communicated across processed through that technology stack. applies across devices and networks networked solutions that span diverse means that we lack any universally geographic and cultural boundaries. The European Research Cluster on the adopted set of semantics. As a result, This sort of interoperability is referred Internet of Things has proposed the without clear definition, opportunities to as “semantic interoperability.” following definition of interoperability: for misunderstandings abound. We For organizations that use different start then with the definition of two key technology across different cultures in “the ability of two or more systems or concepts: the definition of the Internet different parts of the world, all three of components to exchange data and use of Things or IoT, and the definition the above types of interoperability may information.” of interoperability as applied to the be desired. Internet of Things. The following definition of BENEFITS OF INDUSTRY INTERNET OF THINGS interoperability fleshes out some of the STANDARDS concepts that follow in this article. The term “Internet of Things” is Standards can offer a number of arguably a misnomer in today’s rapidly The ability of objects or devices, whether benefits. Standards can provide changing technical environment. The they be sensors, computers or other assurance to their members that term has two components, both of which everyday things, to connect with each if they implement the standards, are somewhat misleading: “Internet” other and communicate data in a form their products and services will and “things.” and format that can be understood and continue to operate within specified processed by other persons or entities parameters with each other. Technical interoperability is often a goal of The reference to the Internet is and is agnostic as to the hardware or industry standards. The broader the misleading because the Internet is software on which the data is to be set of specified hardware, software not the only networking protocol over further processed and stored. and communications protocols a which devices communicate. While the standard supports, the broader the Internet is a powerful enabler of the These definitions are not bulletproof. interoperability it may enable. broad adoption of connected devices, the Rather, they provide fodder for

7 Socially Aware, April 2016 Choosing to develop in accordance A BUSINESS CASE FOR products. Some also argue that they with an industry technical standard INTEROPERABILITY create impediments to innovation can also provide a level of certainty and competition, limiting with respect to intellectual property Despite these early movements, whether competitors’ ability to develop (IP) infringement, albeit not blanket and the extent to which the various new products compatible with the protection. This protection arises standards bodies will coordinate or standardized infrastructure. because most standards bodies require consolidate is an open point. Some that participants who contribute to the question whether such consolidation • One of IoT’s primary attractions is standard agree to license certain of their is necessary or even feasible, because the ability of connected devices to IP on pre-defined terms. The scope of interoperability takes place at different transmit and receive data to and the IP rights captured and the terms layers within the communications from cloud services, which in turn on which that IP is licensed, however, protocol stack among IoT systems and may perform powerful analytic vary from standard to standard and devices. Others emphasize that true functions. The lack of a consistent, are based on the participant’s level of interoperability requires any IoT device platform and OS-agnostic standard involvement and contribution. High- to be able to speak the same language, governing the collection, processing level descriptions of the type of license and connect and share information with and sharing of such data may inhibit that applies to some of the most well- other devices and systems, irrespective the ability of users to access the known IoT standards is included below, of platform or (OS), originating data, move to other to the extent information about the and that this requires one de facto service providers or perform their terms is publicly available. protocol. own analyses.

The time and investment required by • The lack of an existing and industry stakeholders to participate proven standard that IoT device Without coordination in a range of standardization efforts manufacturers may use to assess as to what options is significant, but there is likely to be technical design risks in the or services products overlap and even conflicts between some development process increases of the standardization protocols. The development costs. or components lack of a collaborative effort to produce that comply with a uniform standard could produce • In the absence of standardization, conflicting protocols, delay product the standard will developers face the behemoth task development and prompt fragmentation of developing integrations with implement, lack across IoT products and services. Such legacy systems, and end users of interoperability a fragmented array of proprietary IoT will be faced with the challenge technical standards will impede value for of configuring multiple individual will result. users and industry. devices across a range of standards. In addition, product developers Central challenges raised by the may be dissuaded from developing proliferation of IoT interoperability new products due to uncertainty When there is a proliferation of standards include the following: as to compliance with future competing standards that cover standards. the same or similar subject matter, • Device manufacturers perceive a however, the standards have the market advantage in establishing • End users may be discouraged potential to overlap or conflict. Without a proprietary ecosystem of from purchasing products where coordination as to what options or compatible IoT products that limit there is integration inflexibility, services products or components interoperability to those devices configuration complexity or concern that comply with the standard will within the manufacturer’s product over vendor lock-in, or where they implement, lack of interoperability line. By maintaining the proprietary fear products may be obsolete will result. This has led some industry nature of these systems, developers due to changing standards. The observers to suggest that broader exert more control over the user complications posed by a lack of collaboration between standard-setting experience. These “walled gardens” uniform connectivity standards for organizations, or even consolidation are opposed by interoperability product development and industry of various IoT standards, could be supporters as impediments to user growth are evident in the competing, beneficial in the longer term. choice because they arguably deter incompatible standards for devices users from changing to alternative with a low-range and medium-to-

8 Socially Aware, April 2016 low data rate (i.e., ZigBee, Bluetooth Standards that offer limited protection computing and emerging IoT devices, and LTE Category 0). from infringement of the IP rights of regardless of form factor, OS, or their contributors can lead to legal and service provider.” • Lack of reference and architectural business uncertainty. Legal uncertainty models that take into account the can arise because of the lawsuits for History, Scope and Members various needs for interoperability infringement that may be brought by In early 2015, the OIC released a and standardization may also contributors who have promoted the specification called IoTivity, an open have adverse consequences for adoption of features or works into source framework implementing the networks with which IoT the standard that if used without a the OIC Standards for device-to- devices connect, since poorly license, would infringe their patents device connectivity. Operating on designed sensor networks may use or copyrights. There may be business a constrained application protocol disproportionate bandwidth and uncertainty because companies lack (CoAP), IoTivity has limited platform be greedy consumers of available predictability regarding what the support, but is focused on security, power. ultimate cost of implementation of the simplicity and rapid development. The standard may be should contributors OIC’s open source standards cover In contrast, well-defined device charge for licenses to IP required to device discovery, communication, interoperability standards implement the standard. data exchange and other functions may encourage innovation as in multiple domains, including home disruptive technologies emerge, Central to this debate is what automation, automotive, enterprise, provide efficiencies for IoT device the appropriate licensing terms health care and industrial scenarios, manufacturers and generate economic should be for contributors to a with an initial focus on smart home and value as “things” become cheaper, particular standard. As seen in office solutions. smarter and easier to use. Barriers the telecommunications industry, License Approach to entry may be lowered. Moreover, standardized licensing terms can affect Under the OIC’s Intellectual Property interoperability facilitates the ability of the way an industry evolves: licensing Rights Policy, the OIC’s licensing users to select the devices best suited terms that are overly aggressive or policies contain a “RAND-Z” (or to the user’s needs in an environment demand too much of a participant “FRAND”) provision that requires where different devices can share will be eschewed in favor of more participating companies to offer a and communicate data between each acceptable models. This alert examines zero-royalty, reasonable and non- other. Nevertheless, such arguments the fragmented environment of IoT discriminatory license to their code for remain counterbalanced by companies’ technical standards and analyzes the member organizations. In addition, perceived competitive and economic differences between the proposed each member must agree that it will advantages of building proprietary licensing models, exemplifying how not seek to enforce its IP rights against systems for market domination in various standard bodies are attempting another member if reasonable and the IoT. to reconcile the issue. non-discriminatory compensation THE IOT STANDARDS Open Interconnect Consortium (“RAND”) for practice of IP rights SMORGASBOARD can otherwise be obtained. Further, Standard each member and its affiliates must IoT standards, including those IoTivity grant the OIC a worldwide, irrevocable, that adopt protocols that specify non-exclusive, non-transferable, The Open Interconnect Consortium communication details for IoT devices, sublicensable, royalty-free copyright (OIC) launched in July 2014, backed are central to the interoperability license to reproduce, create derivatives by such vendors as , Samsung discussion for the IoT. A number of of, distribute, display, perform and edit Electronics, Cisco, GE Software, standards bodies, consortiums and the member’s contributions for the Atmel, Dell, Honeywell, IBM, alliances are currently working on purposes of developing, publishing and Mediatek, ZTE, Acer, Broadcom, IoT standards issues. Below is a non- distributing: the final specifications; Asus, National Instruments and many exhaustive list of some of the current products incorporating compliant others. The OIC’s stated focus is major players in the development of portions based on the specifications; and “defining a common communications standards, the covered products and submissions to an approved standards framework based on industry standard services and the licensing approaches development organization. Subject to technologies to wirelessly connect that apply to the IP that is used by the member’s retention of its copyright and intelligently manage the flow products and services that implement in the individual contribution, OIC of information among personal these standards. owns all rights in the compilation

9 Socially Aware, April 2016 of contributions forming the final difference between the organizations. Thread relies on a low-power radio specifications and related works. Code Members of the AllSeen Alliance and protocol called IPv6 over Low Power contributions under the reference all non-members that contribute to the Wireless Personal Area Networks implementation, IoTivity, are licensed Alliance must pledge not to bring a claim (“6LowPAN”). Unlike Wi-Fi, which under the Apache 2.0 license. of infringement of the contributor’s sends large quantities of data and pledged patent claims against any consumes large amounts of power, AllSeen Alliance entity that uses, sells, offers for sale, Thread sends small amounts of data leases, licenses, imports, distributes and consumes very little power. The Standard or otherwise exploits an official code protocol gives each device an IPv6 AllJoyn release by the Alliance that meets the address and utilizes mesh networks Alliance’s certification requirements. that scale to hundreds of devices History, Scope and Members Pledged patent claims are those that without a single point of failure (i.e., Launched in December 2013, AllJoyn are directly infringed by the use, sale without the need for a hub device), and is an open-source software system or other disposition of the code that is involve “banking-class” encryption. intended to enable compatible smart contributed by the contributor alone According to Thread Group, as the devices, irrespective of OS and network and not in combination with any other technology only defines networking, protocols, to find and coordinate with contribution. The agreement does not in theory, high-layer standards such as each other. The project was developed extend to contributions made by others, AllJoyn or IoTivity, which still utilize by Qualcomm Innovation Center and is any modification of the contributor’s Wi-Fi or Bluetooth networks, could be now a collaborative open source project contribution or combination of the used in Thread-enabled products. of the AllSeen Alliance. Members of contributor’s contribution with anything the Alliance include Qualcomm, The else. This addition to the Alliance’s License Approach Foundation, Cisco Systems, patent policy was introduced in January Like OIC, patents that are necessarily Arcelik A.S., Canon, Electrolux, Haier, 2015; previously, AllSeen’s IP policies infringed by required portions of the LG, Microsoft, Panasonic, Philips, Qeo, had covered only copyright. Code final Thread specification are licensed Sharp, Silicon Image, Sony, Asus, AT&T, released by the Alliance for the AllJoyn on a perpetual, royalty-free basis Cisco, Honeywell, HTC, IBM, Lenovo, framework is licensed to users under the (“RAND-RF”). Each participant Symantec, TrendMicro, Vodafone and ISC License, which grants permission to must grant the Group and each many others. use, copy, modify and/or distribute the participant a worldwide, irrevocable, software for any purpose with or without non-exclusive, non-transferable, The open source AllJoyn protocol fee, provided that a copyright notice royalty-free copyright license to enables device manufacturers to create appears in all copies. Contributors are reproduce, create derivative works custom apps for integrating devices required to enter into a Contributor of, distribute, display and perform onto a Wi-Fi network. Products that use Agreement pursuant to which (with the right to sublicense) each AllJoyn include Panasonic’s multi-room contributors can elect either to assign final Thread specification for the audio systems and LG’s smart TVs; in to the Alliance the copyright rights and purposes of developing, publishing November 2014, Microsoft announced interests in the contribution subject to and distributing the final specification it was building the AllJoyn framework a license back to exploit the work, or to and related materials, as well as for into Windows 10. In early January grant to the Alliance a non-exclusive, promotional materials. Subject to each 2016, the AllSeen Alliance announced broad copyright license. member’s retention of the copyright its first update to the AllJoyn Gateway in its individual contribution, each Agent Plan, originally released on April Thread Group member must convey to the Group a 19, 2015. This extension of the AllJoyn non-exclusive, undivided and equal framework provides a standard and Standard ownership interest in any copyrights secure method to remotely access and Thread contributed to the final Thread manage IoT devices and applications specification, deemed “ownership of a via external/cloud networks and the History, Scope and Members collective work” under 17 USC 201(c). Internet. This moves the IoT from a Thread Group’s “Thread,” an IP-based This copyright license survives any series of Internet-connected gadgets into wireless networking protocol, is an withdrawal from membership of the a manageable system. initiative launched by Google’s Nest granting participant from the Thread Labs, , ARM Group. License Approach Holdings, Freescale Semiconductor, Unlike the OIC, AllJoyn does not Silicon Labs, Big Ass Fans and Yale contain a RAND-Z licensing term—a key Locks & Hardware.

10 Socially Aware, April 2016 ZigBee Alliance AVnu Alliance Industrial Internet Consortium Standard Standard History, Scope and Members AVB/TSN ZigBee Founded in March 2014 by General History, Scope and Members Electric, Cisco Systems, IBM, Intel History, Scope and Members Launched in August 2009 by founding and AT&T, the Industrial Internet Established in 2002, the ZigBee members that included Broadcom, Consortium (IIC) focuses on industrial Alliance is a non-profit association of Cisco Systems and Intel, the AVnu applications of the IoT and “setting 452 members, including ARM, Belkin, Alliance is a consortium of automotive the architectural framework for the AT&T, Bosch, Broadcom, Cisco Systems, and consumer electronics companies industrial internet.” The IIC has grown Emerson, Huawei and many others. collaborating to establish and certify the to more than 100 members, including interoperability of open Audio Video Microsoft, Samsung and Huawei The ZigBee Alliance’s standard, ZigBee, Bridging (AVB) standards. Technologies. is a common wireless language that everyday devices utilize to connect The IIC reports that it will not develop The Alliance focuses on “creating an to one another. In December 2015, a set of standards but will work with interoperable ecosystem servicing the ZigBee Alliance announced that standards bodies to ensure technologies the precise timing and low latency its members had ratified the ZigBee work together across business sectors requirements of diverse applications 3.0 specification, which includes and to identify, assemble and promote using open standards through a common application library that best practices. In particular, the IIC certification.” unifies the various application-specific wants to encourage coordination among industries within which IoT versions of its wireless specification License Approach and the older machine-to-machine into a single standard. Millions of Under the AVnu Alliance Intellectual (M2M) technologies have been ZigBee-enabled products exist on Property Rights Policy, when a member developed in relative isolation. That the market today, including in smart or its affiliates make a contribution will involve defining requirements homes, connected lighting, and the to a specification, the member and its for standards, designing reference utility industry. affiliates must grant to other participants architectures and frameworks necessary and their affiliates, on a RAND basis, a License Approach for interoperability, and creating new non-exclusive, non-transferable, non- Under the ZigBee Alliance’s industry cases and testbeds for real- sublicensable, irrevocable worldwide Intellectual Property Rights Policy, world applications. license (with or without compensation each ZigBee standard is made available at the member and its affiliates’ on a RAND basis: each contributing option) under certain of its patent License Approach member must grant to each other claims that are necessarily infringed by The IIC’s intellectual property policy member a non-exclusive license compliance with the final specification incorporates a broad copyright license, without a right to sublicense, to make, and that are within a specified “scope” but unlike many of the other standards have made, use, import, sell, offer to limited to functionality that enables initiatives, lacks any policy with respect sell, license, promote or otherwise products to interoperate, interconnect to the grant of rights under contributor dispose of the resulting product or or communicate. The license grants patents that may be infringed by their technology. The license is granted the right to make, have made, use, contributions. This may be in part due only under claims of the contributor’s import, offer to sell, lease, sell and to the fact that the IIC is not establishing patents that cover or directly relate otherwise distribute only those portions a standard itself, but rather working to one or more of the specifications of products that implement and are to encourage coordination across if: (1) the patent claim is necessarily compliant with the relevant portions standards. infringed by the specification, (2) of the final specification and are within no commercially reasonable non- the bounds of the above “scope.” The OneM2M infringing implementation of the Intellectual Property Rights Policy specification exists, and (3) such Standard also contains a broad license grant by infringement is necessary to meet the OneM2M members with respect to the member’s implementation requirements of the copyrights in any contributed materials. History, Scope and Members specifications. The Alliance charges A range of AVnu-certified products are Established in July 2012 by a no royalty for any use of the standards, available across automotive, consumer consortium of ICT standards and RAND terms are available to and industrial electronics markets. development bodies, OneM2M is a members and non-members. standard that provides a common M2M

11 Socially Aware, April 2016 service layer that can be embedded IPR policy requires the licensing of ITU-T within various hardware and software patent claims, the practice of which Standard to connect IoT devices. The partnership is necessary to implement either ITU-T SG20 currently has 216 participating partners mandatory or optional portions of and members, including Alcatel-Lucent, the standard when. if at the time of History, Scope and Members Adobe, AT&T, BT, Cisco, Ericsson, the standard’s approval, there was no Deutsche Telekom, IBM, Intel, Samsung, commercially and technically feasible In June 2015, Study Group 20 of the Sierra Wireless and Telefonica. non-infringing alternative means of International Telecommunication OneM2M has two types of members: implementation. The rights extend to Union announced its work developing Partner Type 1 comprises membership any Compliant Implementation, which standardization requirements for IoT organizations themselves, and Partner is defined as any product (including technologies, with an initial focus on Type 2 comprises members who are any component, sub-assembly or end IoT applications in smart cities and also participants in a Partner Type 1 product) or service that conforms to communities. The SG20 standard is organization or have otherwise had any mandatory or optional portion of a focused on developing “international their IPR policies vetted by OneM2M normative clause of an IEEE standard. standards to enable the coordinated at the time they joined. Ultimately, In early 2015, in a hotly debated move, development of IoT technologies, each partner must have agreed to an the IEEE amended its IP policy to clarify including M2M communications and IPR policy that is compliant with the that members may charge a reasonable ubiquitous sensor networks.” OneM2M IPR principles. royalty that is based in part on the value License Approach that the functionality of the claimed The ITU-T publishes a Common Patent License Approach invention or feature within the essential Policy that describes a code of practice OneM2M’s partnership agreement patent claim contributes to “the smallest with respect to patents. Disclosure of states that the copyright in technical saleable Compliant Implementation” known patents and patent applications specifications and reports are jointly that practices the essential patent claim. owned by the Type 1 partners. (whether their own or third-party patent rights) by parties participating in the Trademark usage is left to agreement IEEE among the Type 1 partners. With ITU is required. While in general the respect to patents, the organization’s Standard detailed arrangements with respect to IPR principles state that members must IEEE P2413 patent licensing are left to the parties comply with a FRAND IP rights licensing to negotiate, if a patent is disclosed History, Scope and Members regime. with respect to a recommendation or The Institute of Electrical and deliverable of the ITU-T, and a patent Electronics Engineers (IEEE) project Wi-Fi Alliance holder is not willing to negotiate a P2413 serves as a reference architecture FRAND license (whether royalty- Standard incorporating more than 350 IEEE free or royalty-bearing), then “the Wi-Fi HaLow standards applicable to IoT, and more Recommendation or Deliverable will than 110 new IoT-related standards not include provisions depending on the History, Scope and Members in various stages of development. patent.” In early January 2016, the Wi-Fi Alliance P2413 is intended to define the “basic announced its new IoT specification, architectural building blocks and Google Wi-Fi HaLow, based on the pending their ability to be integrated into IEEE 802.11ah specification, which is multi-tiered systems.” Among other Standard claimed to double the distance and cut things, project P2413 plans to turn Brillo & Weave the power consumption of traditional the information from different IoT History, Scope and Members Wi-Fi. The Wi-Fi Alliance, which has platforms into commonly understood In May 2015, at Google’s I/O 2015, about 700 vendors as members, expects data objects. The group held its first Google announced Brillo and Weave. to launch a certification process for Wi-Fi meeting in July 2014, with 23 vendors Brillo, an IoT OS that consists of an HaLow products in 2018; however, it is and organizations involved, and hopes Android-based OS, core platform anticipated that products supporting the to finish its work on the future standard services and a developer kit, links Wi-Fi HaLow specification will enter the by 2016. See the discussion of Wi- IoT devices with each other, with market earlier. Fi HaLow for the IEEE’s IP licensing other devices and with the cloud. approach. License Approach Brillo uses Google’s communications The IEEE requires IEEE members to License Approach protocol, Weave, the standard that license patents to users of the IEEE Not publicly available. Google hopes to promote as the default standards on FRAND terms. The IEEE standard for all IoT devices. Weave is

12 Socially Aware, April 2016 a cross-platform protocol that enables standards has characterized the standards key players toward a more collaborative device setup from a mobile phone, debate to date. In October 2014, effort. In April 2015, the ZigBee communication between devices and Broadcom, a founding member of the Alliance and the Thread Group to the cloud, and user interaction from OIC, reportedly quit the group due to a announced a collaboration to allow mobile devices and the web. Weave disagreement over the IP licensing terms the ZigBee Cluster Library to run over is operating system-agnostic, will that required companies contributing Thread networks, representing one of work with Brillo but also with other code to the project to waive their right to the first steps toward interoperability in operating systems, and will work on top assert their donated IP against infringers. the fragmented IoT space. Qualcomm of a variety of radio technologies (i.e., In contrast, at the time, the AllSeen announced in July 2015 that it would Thread, ZigBee, Bluetooth, and Wi-Fi). Alliance did not have such a provision, join the Thread Group as a member In August 2015, Google disclosed its but the Alliance’s IP Policy was amended of the board, opening the door for product Google OnHub, the first Brillo- in January 2015 to include a comparable potential cooperation and collaboration enabled device for the smart home. non-assert provision, seemingly rendering between multiple bodies of which it Intel announced that its Intel® Edison the dispute moot. is a member. In November 2015, the computer module is one of the first OIC announced that it had acquired platforms to support Brillo. Will these standard-setting organizations the assets of the UPnP (Universal learn from the historical experience Plug and Play) Forum, which had License Approach in other sectors regarding standard- been working on network connectivity Not publicly available. essential patents (SEPs) and FRAND since 1999. Earlier in 2015, the licensing terms? The problem is as IIC and OIC announced a strategic Z-Wave Alliance follows: for IoT to operate in a seamless liaison, including sharing use cases Standard and interoperable way, standardized and architecture requirements, to Z-Wave technology is essential. If the “accelerate the delivery of an industrial standardized elements of such technology grade communications framework for History, Scope and Members are patented, this creates a barrier to the IoT.” Further, in December 2015, Established in 2005, the Z-Wave entry to the IoT. Without a license, the ZigBee Alliance announced that it Alliance’s standard, Z-Wave, is third-party users may be forced to was working with EnOcean Alliance, a low-powered radio frequency either infringe upon such patents or pay a consortium for battery-less, wireless communications technology that exorbitant license fees. Other technology smart buildings and smart homes, to supports full mesh networks without industries, such as the smartphone combine the benefits of EnOcean energy the need for a coordinator node. The industry, have required owners of SEPs to harvesting wireless solutions with Z-Wave Alliance has over 375 members, offer non-exclusive licenses to prospective ZigBee 3.0 for worldwide applications and Z-Wave–powered products and licensees on FRAND licensing terms to in self-powered IoT sensor solutions. applications cover a range of control mitigate this issue. and monitoring for residential and light CONCLUSIONS commercial environments. The Z-Wave However, the process for agreeing to Technical and legal uncertainty, Alliance’s stated goal is to “to bring FRAND terms is seldom straightforward. if left unchecked, can threaten to advanced, yet practical wireless products Parties may not agree to what constitutes slow the maturation and growth of and services to market that work “fair and reasonable” in the context the technologies that the standards together seamlessly, regardless of brand of IoT licenses, particularly given the are intended to promote, as well as or vendor.” According to the Z-Wave prospect of enormous growth in the the businesses whose operations, website, there are over 1,400 Z-Wave industry. Therefore, although many of products and services depend on the interoperable products available, the standards bodies above have adopted interoperability achieved through and over 40 million Z-Wave products RAND or FRAND licensing models, implementation of the standards. While worldwide. The technology is licensed the determination of what those RAND it may seem that interests should align by Sigma Designs under a Z-Wave terms should be across the industry is to create more certainty with respect to Technology License Agreement, the far from settled. both technical and legal risks, this is not terms of which are not publicly available. always the case. Barriers to entry can Which standards will ultimately garner License Approach protect companies against competition the widest adoption also remains Not publicly available. and benefit those companies with the unclear. Companies like Qualcomm resources to understand and adapt and Intel have joined many of the to these risks. For many companies, OUR WAY OR THE HIGHWAY? standards organizations instead of however, the lack of harmonization backing a single one. Nonetheless, Disagreement over the appropriate IP can present substantial if not there have been recent movements by licensing terms for each of the proposed insurmountable obstacles.

13 Socially Aware, April 2016 For the IoT to achieve its potential for The publication of the Shield documents, transferred to the U.S., regardless of enhanced interoperability, adoption of on February 29, 2015, came at a time the transfer mechanism used. standards and licensing practices that of high expectations and a certain reduce technical and legal uncertainty tension. Last October, the European • The Shield’s dispute resolution are required so that information Court of Justice (the ECJ) invalidated framework provides multiple generated by smart devices may be the Commission’s decision 2000/520/ avenues for individuals to lodge shared across platforms to create new EC and effectively shut down the complaints, more than those and innovative functionality. The Safe Harbor framework, which had available under the Safe Harbor or myriad standards that define the wider previously allowed thousands of alternative transfer mechanisms such framework of IoT interconnection are European companies to send personal as Standard Contractual Clauses or paradoxically competing to be the most information to U.S. companies that Binding Corporate Rules. open and most interoperable. As the had committed to protecting personal IoT develops, networks of standardized information. As a result, thousands of technology (and the range of standards U.S. and EU companies were suddenly Before settling on a governing them) will continue to left in a legal limbo. In response proliferate. Whether the IoT industry to the risk of enforcement against transfer mechanism, will move toward collaborating to companies relying on Safe Harbor, organizations will achieve broader interoperability and and to address the concerns raised by adopting licensing terms that reduce IP EU DPAs, the Commission announced want to consider the risk likely will influence the extent to in early February that a new political regulatory involvement which the full potential for IoT will be agreement had been reached with the and compliance achieved and how quickly emerging IoT U.S. government. It also made good on technologies will mature and be adopted. its promise to make the details of the costs associated agreement public by month’s end. with each option.

PRIVACY SHIELD At first glance, the Shield bears a strong resemblance to Safe Harbor, VS. SAFE HARBOR: • An organization’s compliance with which misled some commentators the Shield will be directly and A DIFFERENT NAME to denounce it as a mere duplicate indirectly monitored by a wider array in disguise. However, the Shield of authorities in the U.S. and the FOR AN IMPROVED introduces substantial changes for data EU, possibly increasing regulatory protection, including additional rights AGREEMENT? risks and compliance costs for for EU individuals, stricter compliance participating organizations. By Sotirios Petrovas, Cynthia J. Rich requirements for U.S. organizations, and and Bastiaan Suurmond further limitations on government access • The Department of Commerce to personal data. From the perspective will significantly expand its role The European Commission (the of U.S. companies, it appears that the in monitoring and supervising “Commission”) and the U.S. Shield may actually signify a shift to compliance, including by carrying Department of Commerce issued heavily monitored compliance. In this out ex officio compliance reviews the draft legal texts for the much sense, the question may no longer be and investigations of participating anticipated EU-U.S. Privacy Shield (the “How good is the Privacy Shield for organizations. “Shield”), set to replace the currently privacy?” but rather “How burdensome inoperative Safe Harbor program (“Safe will it become for businesses?” • Participating organizations will be Harbor”). The new agreement is aimed subjected to additional compliance at restoring the trust of individuals in This alert takes a closer look at the Shield and reporting obligations, some of the transatlantic partnership and the and highlights some of the key differences which will continue even after they digital economy, and putting an end to from the Safe Harbor and other available withdraw from the Shield. months of compliance concerns of U.S. data transfer mechanisms. and EU companies alike. The draft will OVERVIEW be discussed with EU data protection Some of the key takeaways include: authorities (DPAs) and adopted by The Commission made public all Member States representatives before it the documents that will constitute • Safeguards related to intelligence becomes binding. the new agreement, namely: a draft activities will extend to all data Adequacy Decision, FAQs, a Factsheet,

14 Socially Aware, April 2016 Annexes detailing the principles and was “acting as an agent to perform task(s) and Liability). This reversal of the various compliance mechanisms and a on behalf of and under the instructions burden of proof will mean that Commission Communication describing of the organization” (i.e., the processor) companies face a challenge in practice the current developments in the broader (See Onward Transfer principle, Safe to show that they are not liable for their context of transatlantic discussions of Harbor Decision 2000/520/EC, Annex agents’ violations, even if the agent acted the past few years. I). For sharing data with an agent, the in contravention with its contractual organization was required to: obligations. In its press release, the Commission stated that the Shield “reflects the • “ascertain that the third party For onward transfers to controllers, the requirements” set by the ECJ in its certified to Safe Harbor principles or Shield principles add a new requirement ruling from October 6, 2015 (the another adequacy finding;” or to the notice and choice obligations that “Schrems ruling”). Key concerns of existed under the Safe Harbor. Now, the Schrems ruling included: (1) • enter into a “written agreement organizations will be required to enter the indiscriminate and excessive requiring that the third party provide into a contract that provides that the government access to EU citizens’ at least the same level of privacy data may only be processed for limited personal information, and (2) the lack protection as is required by the and specified purposes consistent with of judicial redress mechanisms for EU relevant Principles.” the consent provided by the individual citizens for privacy related complaints. and that the recipients will provide the Under the Shield principles, the rules same level of protection as the Shield According to the Commission, the Shield for transfers to third-party controllers principles. Some limited exceptions are will provide for “strong obligations and agents change considerably. provided for occasional employment- on US companies” as well as “robust According to the Third principle related operational needs, however. enforcement” mechanisms to ensure (Accountability for Onward Transfer), Here, too, the Shield goes beyond what that such obligations are complied to make transfers to “agents” (or is required under the SCCs (Controller- with. It will lay down “clear safeguards “processors”), organizations must to-Controller), where the U.S. company and transparency obligations on US meet a host of requirements, including (data importer) has to address the cross- government access.” Thirdly, it will complying with the principle of purpose border transfer. The individual’s right to ensure effective redress of EU Citizens’ limitation, ensuring that the agent object (as opposed to consent) is only one rights by means of “several redress provides the same level of protection as of the means to legitimize the transfer to possibilities.” Finally, an annual joint required by the Shield’s principles, and third-party controllers, not a prerequisite review mechanism will allow the stopping and remediating unauthorized for all transfers. Commission, the U.S. Department of processing. Also, more significantly, Commerce, and the European DPAs to organizations must provide a summary However, for transfers to affiliated monitor how well the Shield functions. or a representative copy of the relevant companies, the Shield principles provide privacy provisions of its contract a bit more flexibility than the SCCs, ASSESSMENT OF KEY ASPECTS with that agent to the Department of namely that a contract is not always Commerce upon request. While the required: data controllers within a The following is a discussion of several obligation to provide a copy of privacy “controlled group of corporations or key aspects of the new agreement, in provisions also exists under SCCs entities” may base such transfers on relation not only to its predecessor, Safe (Controller-to-Processor), there the other instruments, such as BCRs or other Harbor, but also to other available data obligation for the U.S. company (the intra-group instruments (e.g., compliance transfer mechanisms such as Binding data importer) is limited to providing and control programs), ensuring the Corporate Rules (“BCRs”) and EU copies of sub-processing agreements to continuity of protection of personal Standard Contractual Clauses (“SCCs”). the data subject (the individual) or the information under the Shield principles. data exporter (the EU company), not The participating organization remains 1. Transfers to Third Parties directly to a supervisory authority. responsible for compliance with Shield principles. One of the important changes pertains to Moreover, notwithstanding having met conditions for participating organizations these requirements, the organization 2. Safeguards Related to to transfer the data to third parties. remains liable if its agent processes Intelligence Activities Will Extend Under the Safe Harbor principles, an the personal information in a manner to All Data Transferred to the U.S. organization had to provide notice inconsistent with the Shield principles, and choice prior to disclosing personal unless it proves that it is not responsible In early February, the Commission information to a third-party controller. for the event giving rise to the damage indicated that the U.S. has given written This was not required if the third party (Principle 7(d), Recourse, Enforcement assurances that access to EU citizens’

15 Socially Aware, April 2016 personal data by the U.S. government A potentially problematic issue is the which it will try to issue within 60 days. will be subject to “clear limitations, multitude of avenues that individuals Once the advice is issued, organizations safeguards and oversight mechanisms” may use to lodge a complaint under must comply within 25 days. Should and that any exceptions will be the Shield. In practice, this may create an organization fail to comply, the “necessary and proportionate.” Also, an a significant administrative burden for DPA panel may either refer the matter Ombudsman within the Department of organizations, which will now have to to the Federal Trade Commission State will be responsible for receiving and be alert and ready to respond on many (FTC), or another body with statutory investigating complaints and inquiries fronts. authority to enforce against unfair and about U.S. intelligence practices from deceptive trade practices, or inform EU individuals. The Ombudsman First, individuals are encouraged to raise the Department of Commerce that the will, however, have no independent any concerns or complaints with the organization should lose its Shield investigative or enforcement powers. organization itself, which is obligated certification because it seriously to respond within 45 days. Note that breached its agreement to cooperate Until now, it was unclear whether such this is stricter than some European data with the panel, and therefore that safeguards would be confined to data protection laws (in France, for example, agreement is null and void. transferred via the Shield or if they the timeframe is two months under would also apply to all data irrespective current law). Under the Shield, individuals For disputes or complaints involving of the transfer mechanism used. In the also have the option of working through human resources data that are not context of the WP29 discussions on the their local DPA, which may contact the resolved internally by the organization consequences of the Schrems ruling on organization and/or the Department of (or through any applicable trade other transfer mechanisms, the concern Commerce to resolve the dispute. union grievance procedures) to the was that European DPAs might decide satisfaction of the employee, the to suspend transfers to the U.S. based The second avenue is an independent organization is expected to direct the on SCCs or BCRs because of mass recourse mechanism. The Shield employee to the state or national DPA and indiscriminate surveillance and requires organizations to provide an or labor authority in the jurisdiction excessive access to such data by the U.S. independent recourse mechanism where the employee works. government. that will investigate and expeditiously resolve complaints and disputes at no The Shield provides yet another From the documents made public cost to the individual. Organizations dispute resolution mechanism, namely on February 29, it appears that U.S. may select a private sector alternative binding arbitration by the Privacy commitments will extend to personal dispute resolution (“ADR”) provider or Shield Panel. This option is open to data transferred by means of other a panel of European DPAs. The private individuals who have raised their transfer mechanisms such as SCCs sector ADR provider must satisfy complaints with the organization, used and BCRs. Indeed, in section 3.1.2 of certain Shield requirements, such the independent recourse mechanism the draft Commission Implementing as responding promptly to inquiries and/or sought relief through their Decision, the overview of effective legal and information requests from the DPA but whose claimed violations still protection in U.S. law is of general Department of Commerce; reporting remain fully or partially unremedied. scope and not limited to data transfers an organization’s noncompliance to Note that arbitration is not available made via the Shield. Also, in section regulators, courts or the Department if a DPA has “authority to resolve the 3.2 of its Communication (COM(2016) of Commerce; and issuing annual claimed violation directly with the 117 final), the Commission explicitly reports that provide aggregate organization.” The Privacy Shield indicates that such safeguards will statistics regarding their Shield ADR Panel is composed of one or three apply to all personal data transferred to services. Organizations may also independent arbitrators admitted to the U.S. for commercial purposes, not opt to use a panel of DPAs for their practice law in the U.S., with expertise only to Shield transfers. This is a independent recourse mechanism. Note in U.S. and EU privacy law. The panel positive development because it that this is mandatory if an organization can only impose equitable relief, such becomes harder for European regulators uses the Shield for transfers of human as access or correction—it cannot or potential plaintiffs to argue that resources data. In that case, the award damages. Arbitrations should SCCs and BCRs would allegedly fail to DPA panel will be competent to hear be concluded within 90 days. While meet the test laid down by the ECJ in individual claims that have remained the individual may not bring his or her the Schrems ruling with respect of U.S. unresolved despite the organization’s claim for equitable relief in another government access to personal data. internal complaint handling efforts. forum after opting for arbitration, he Both parties will have an opportunity to or she may still file a claim for damages 3. Dispute Resolution provide comments and submit evidence otherwise available in the courts. before the DPA panel issues its “advice,” Furthermore, both parties may seek

16 Socially Aware, April 2016 judicial review of the arbitral decision compliance. To accomplish this matter to the appropriate regulator under the U.S. Federal Arbitration Act. new mission, the Department of for enforcement action; and Commerce has doubled the size of the • In other words, after raising a program staff and has committed to Conducting searches for false complaint with the organization, dedicating the resources necessary claims by organizations that have petitioning the independent recourse to ensure effective monitoring and never participated in the program mechanism, filing a complaint with the administration of the program. Some and taking the aforementioned DPA and seeking equitable relief from of the Department of Commerce’s new corrective action when such false the Privacy Shield Panel, the parties responsibilities include: claims are found. may still petition the courts (with the exception of individual complaints • Serving as a liaison between The FTC will give priority consideration to the FTC or another U.S. statutory organizations and DPAs for Shield to Shield compliance issues raised body). compliance issues; by the Department of Commerce and European DPAs. In particular, it is • In light of the above, a participating Verifying self-certification designating an agency point of contact, organization contemplating which data requirements by evaluating, among creating its own standardized referral transfer compliance mechanism to other things, the organization’s process to facilitate referrals from the implement may be discouraged by this privacy policy for the required DPAs and providing guidance to the wide array of avenues and potential elements and verifying the DPAs on the type of information that fronts. For comparison, the SCCs (both organization’s registration with an would best assist the FTC in its inquiry Controller-to-Processor and Controller- ADR provider; into a referral. to-Controller) provide for dispute • Conducting periodic ex officio resolution either by mediation or by Private sector independent recourse compliance reviews which will the courts of the EU member state in mechanisms will have a duty to actively include sending questionnaires which the data exporter is established. report organizations’ failures to comply to participating organizations to Also, for BCRs, the dispute resolution with their rulings to the Department identify issues that may warrant mechanisms seem less burdensome, as of Commerce. Upon receipt of such further follow up action. In they provide for an internal complaint notification, the Department will particular, such reviews will take handling process, lodging complaints remove the organization from the place when the Department of with competent DPAs and before the Shield List. Commerce has received complaints courts either at the data exporter’s about the organization’s location or at the location of the EU Both individual DPAs and the DPA compliance, the organization does headquarters of the organization. panel will be able to refer complaints not respond satisfactorily to its regarding Shield compliance to the inquiries and information requests Department of Commerce. Of course, 4. Enforcement Authorities or there is “credible” evidence the DPAs also have the authority to that the organization does not address organizations directly if they In addition to adding several channels comply with its commitments. process HR data or have committed to through which an organization may be Organizations will be required cooperate with DPAs. confronted with individual complaints, to provide a copy of the privacy other types of enforcement are provisions in their service provider The above overview illustrates the expanded as well. An organization’s contracts upon request. The complexity of the new agreement and compliance with the Shield may be Department will consult with the the multiplication of authorities in directly or indirectly monitored by the appropriate DPAs when necessary; Department of Commerce, the FTC, charge of oversight, all of which is the Department of Transportation (or • Conducting ex officio investigations likely to result in greater regulatory other body with statutory authority), of those who withdraw from the scrutiny of and compliance costs for European DPAs and private sector program or fail to recertify to verify participating organizations. By way of independent recourse mechanisms or that such organizations are not contrast, when an organization relies on other privacy selfregulatory bodies. making any false claims regarding alternative transfer mechanisms such their participation. In the event as the SCCs, the regulatory oversight Under the Shield, the Department of that it finds any false claims, it will is performed by EU regulators against Commerce will significantly expand first issue a warning, and then, if the EU company (as data exporter). its role in monitoring and supervising the matter is not resolved, refer the Therefore, before settling on a transfer

17 Socially Aware, April 2016 mechanism, organizations will want to concerns of all interested parties: consider the regulatory involvement privacy concerns of citizens, legal DIGITAL SINGLE and compliance costs associated with requirements of the ECJ and legitimate MARKET STRATEGY each option. practical considerations of companies wishing to comply on both side of the UPDATE: EUROPE 5. Reporting and Continuing Atlantic. PROPOSES Compliance Obligations There are indications already that the FURTHER Finally, participating organizations Commission may face some challenges will be subjected to additional to finalizing the deal in the coming HARMONIZATION compliance and reporting obligations, weeks. On April 13, 2016, the WP29 OF CONSUMER some of which will continue even issued its non-binding opinion on after withdrawal from the Shield. As the Shield which identified a number PROTECTION LAWS was required under the Safe Harbor, of shortcomings and requested By Susan McLean and Kristina Ehle organizations must recertify their clarifications with respect to redress compliance on an annual basis. In mechanisms, the Ombudsman and The European Commission has published addition, Shield organizations will restrictions on mass surveillance, two draft directives on the supply of now be required to maintain records among others. The Commission will digital content and the online sale regarding the implementation of their now consider the WP29’s comments of goods that aim to help harmonize privacy program and provide them to and decide whether to negotiate consumer law across Europe. In regulators upon request. further changes before submitting proposing these new laws, the European its draft adequacy decision to the Union is making progress towards one of Like the Safe Harbor, organizations Article 31 Committee of EU Member the main goals in its Digital Single Market that leave the Shield program for States’ representatives. The Article Strategy (announced in May 2015), which any reason must continue to protect 31 Committee must issue an opinion is concerned with strengthening the the information received during before a final adequacy decision can European digital economy and increasing their participation in the program be issued. After that, the adequacy consumer confidence in online trading in accordance with the Principles. decision will go through the committee across EU Member States. According to However, the Shield adds a new procedure before it is formally adopted. the Commission, only 12% of EU retailers reporting requirement for these sell online to consumers in other EU organizations. For as long as they Companies should give careful countries, while more than three times as retain the information, they must consideration to the potential many sell online in their own country. The affirm annually to the Department of advantages and disadvantages of Commission has also announced a plan to Commerce that they are protecting the the Shield in comparison with other carry out a fitness check of other existing information in accordance with the transfer tools such as SCCs and BCRs. European consumer protection laws. Principles. Otherwise, the organization The complexity of the new agreement must return or delete the information and the increased cost of compliance This article outlines the potential or provide “adequate” protection for underscore that the Shield goes implications of these latest developments, the information by another authorized far beyond a mere upgrade of Safe with a particular focus on the UK and means (e.g., SCCs). Harbor. Also, although the Shield Germany. may withstand judicial scrutiny this CONCLUSION year, the ECJ warned that adequacy DIGITAL CONTENT AND ONLINE determinations are an ongoing process, SALES OF GOODS The text of the proposed EU-U.S. hence the inclusion of an annual Shield signals the intention of the EU review process involving EU and U.S. This is not the first time that the and U.S. governments to work together authorities. What the consequences of Commission has tried to align consumer to address the gap in data transfer this process will be for companies is laws across the EU: the Commission’s last mechanisms left by the Schrems ruling. unclear: if the result of annual reviews attempt at a Common European Sales Law But it also underlines the complexity is to add new requirements on top of faltered in 2015. But the Commission has and depth of the differences in the existing ones as issues arise, it may now proposed two new directives dealing way the two systems approach privacy. very well turn the Shield into a moving with contracts for the supply of digital It remains to be seen whether and to compliance target. content (“Draft Digital Content Directive”) what extent the Shield in its current and sales of online goods (“Draft Online form appropriately addresses the Goods Directive”) (together, the “Proposed

18 Socially Aware, April 2016 Directives”). The Online Goods Directive the CP Directives have been achieved, DRAFT DIGITAL CONTENT will replace certain aspects of an Existing whether further harmonisation is DIRECTIVE Sales of Consumer Goods and Associated necessary, whether there is potential for Scope Guarantees Directive (“Existing Goods complication of the current regulatory Directive”), whereas the Digital Content framework and whether there is scope The Draft Digital Content Directive would Directive introduces a new set of rights for of consolidation of EU consumer law. apply only in business-to-consumer consumers when they buy digital content The Commission will also consider sales and would not extend to SMEs. across the EU. whether the Unfair Contract Terms In addition, digital content providers in Directive should be reinforced by certain sectors, such as financial services, Part of the issue with previous EU a blacklist of terms that are always gambling or health care, are outside the legislative initiatives in this area is that deemed to be unfair. scope of the directive. The rules would “harmonized” has really meant “the apply: (i) regardless of the method of sale same as long as a country doesn’t want In addition, the Commission wishes to (unlike the Draft Online Goods Directive) to do anything different.” This time, the look at whether consumer rules should and (ii) to both digital content sold to the Proposed Directives have been drafted also apply in business-to- business (B2B) consumer (i.e., licensed on a perpetual as so-called “maximum harmonization transactions, in particular, transactions basis) and digital content supplied measures,” which would preclude Member with small and medium-sized under a temporary license. Currently, States from providing any greater or lesser enterprises (SMEs) and not-for-profit most EU Member States do not have protection for the matters falling within entities that don’t qualify as consumers national consumer protection legislation their scope. The Commission hopes that under the current rules. Lastly (with the specifically concerning sales of digital this consistent approach across Member rise of the sharing economy in mind), content to consumers (the issue tends to States will encourage consumers to enter the Commission wants to review the be covered by sales of goods or services into transactions across EU borders, while issues arising in both consumer-to- rules). The Commission believes that there also allowing suppliers to simplify their consumer transactions and consumer- is a risk of further legal fragmentation if no legal documentation by using a single set to-business relations. action is taken at the EU level. of terms and conditions for all customers within the EU. The Proposed Directives will be taken The key provisions of the Draft Digital into account when the fitness check is Content Directive include: The Proposed Directives will need to be being performed, and are expected to adopted by the EU Parliament and Council have an impact on the Commission’s • Supplier’s liability for defects: before becoming law. Member States findings in these areas. If the digital content is defective, the would then have two years to transpose consumer can request that the defect the Proposed Directives into national law. The Commission will also consider be fixed. This can be done by the as part of this review sector-specific supplier providing an update of the CONSUMER PROTECTION FITNESS consumer protection directives and EU content, or by asking the consumer CHECK legislation related to retail commerce, to access/download a new copy of such as the E-Commerce Directive the digital content. There will be no Following publication of the Proposed and the Services Directive, both of time limit for the supplier’s liability Directives, the Commission also which contain consumer information for such defects because, unlike published a roadmap setting out its requirements. goods, digital content is not subject plan to carry out a “fitness check” of to “wear and tear.” six consumer protection directives (the Evidence will be gathered during Misleading and Comparative Directive, 2016, including via an online public • Reversal of burden of proof: If Unfair Commercial Practices Directive, consultation, and the Commission aims the digital content is defective, it will Price Indication Directive, Unfair to publish its report on the results of be the supplier’s responsibility to Contract Terms Directive, Sales and the fitness check in the second quarter prove that the defect did not exist at Guarantee Directive and Injunctions of 2017. the time of supply. The Commission Directive (“CP Directives”)), with the believes that this is important aim of assessing the effectiveness, The Commission is also carrying because the technical nature of digital efficiency, coherence and relevance of out a separate review of the existing content means that it can be difficult the CP Directives. Consumer Rights Directive (CRD) for consumers to prove the cause which has been in force since June of a problem. Software companies The Commission will look at the extent 2014, and the results of that review will have criticized this approach on the to which the fundamental objectives of also feed into the fitness check. basis that they believe that it will be

19 Socially Aware, April 2016 IMPLICATIONS FOR THE UK • Data protection: BIS states The Commission will that although the Draft Digital Since October 1, 2015, UK consumers Content Directive has been drafted look at the extent to have enjoyed new rights and remedies without prejudice to applicable which the fundamental with respect to digital content under data protection law, “any confusion the Consumer Rights Act (CRA). The with or unjustified extension of the objectives of the CP Draft Digital Content Directive would already comprehensive EU rules in Directives have been reduce UK consumer protection in this area including the GDPR should some areas and enhance it in others. be avoided.” achieved, whether Accordingly, various concerns have further harmonization been raised by the UK’s Department for • Installation of digital content: is necessary, whether Business, Innovation & Skills (BIS), the The Draft Digital Content Directive there is potential for UK’s competition regulator (CMA) and introduces new provisions regarding the UK’s Chartered Trading Standards installation that are not included in complication of the Institute (CTSI). the CRA. current regulatory • Scope: The Draft Digital Content • Modification of digital content: framework and Directive applies to a broader range Under the Draft Digital Content whether there is scope of digital content than the CRA. In Directive, more restrictions are of consolidation of EU particular, the CRA applies only imposed on modifications by where digital content has been suppliers, and consumers have a consumer law. paid for. The Directive extends new right to terminate the contract remedies to “free” content in that if the trader makes a modification the Directive covers content that that adversely affects access to or almost impossible for them to prove is provided for non-monetary use of the digital content. Although that their digital products were not consideration, e.g., in exchange for it agrees with the general thrust, the defective. The proper function of the consumer actively providing CMA has concerns that a trader’s software depends on the hardware, personal data. BIS suggests that the right to update content shouldn’t be operating system and other software concept of “actively providing” data used to dilute consumer control. used on the consumer’s systems; is not clear. Does this simply require any interfaces to those systems or a positive action by the consumer? • Standards and remedies: BIS incorrect use of the software may be Is simply agreeing to make data believes that the approach to standards responsible for an issue. Analyzing available sufficient to pass this test? in the Draft Digital Content Directive and identifying the issue would The CMA believes that consumers (i.e., fit for a specific purpose, as mean that the provider would have would need to do more than, say, described and of satisfactory quality) to access the consumer’s system, and “click” a button. Whereas BIS states will have the same effect as the providers argue that this would cause that extending rights to cover free applicable provisions in the CRA. unreasonable effort and costs for the services may not be proportionate, However, BIS points out that they provider. the CMA broadly welcomes the are not in line with the regime in proposed approach but suggests the Online Goods Directive, which • Right to end a contract: how this works in practice will isn’t helpful. The CMA agrees that Consumers will have the right to need careful consideration. The alignment would help avoid market terminate long-term contracts and Draft Digital Content Directive also distortions and uncertainty. contracts to which the supplier makes extends to certain types of digital major changes. services not currently covered in • Reversal of the burden of the CRA (e.g., cloud storage services proof: Currently in the UK there is • Contract established in and social networking). However, an assumption that digital content exchange for data: If the consumer BIS believes that the Directive could must comply with its contract for has obtained digital content or a be clearer as to which services are six months after purchase. Under service in exchange for personal data, covered and which are not, to avoid the Digital Content Directive, this the new rules clarify that the supplier overlap/conflict with other EU reversal of the burden of proof should stop using the data when the legislation. has the potential to continue for a contract terminates. considerably longer period.

20 Socially Aware, April 2016 • Termination: The Draft Digital Goods Directive, which state that DRAFT ONLINE GOODS DIRECTIVE Content Directive introduces a new consumer goods are considered to right to terminate after one year have been defective at the time of Like the Draft Digital Content any contract of indefinite length or delivery if a defect is found within Directive, the Draft Online Goods that extends beyond one year. In six months, currently only apply to Directive would only apply in business- addition, with respect to the new physical goods. In particular, with to-consumer sales. Only goods sold rules on the return of consumer regard to digital content licensed online or otherwise at a distance fall data, BIS believes that these rules for a limited term only (which is within its scope. As such, any face-to- appear very broad (beyond what considered a rental contract and face sales are not covered. Contracts is required under data protection not a sales transaction), the burden for the supply of services would not law) and potentially onerous. BIS of proof is currently with the be subject to the Directive. Where a suggests that it could be difficult licensee. The permanent reversal contract is for the supply of both goods for the trader to retrieve this data of the burden of proof for digital and services, the rules would apply which “would appear to be of little content under the Draft Digital only to those elements of the contract practical use to the consumer.” Content Directive would be an that relate to goods. entirely new concept under IMPLICATIONS FOR GERMANY German law. The key provisions of the Draft Online Goods Directive include: In Germany, no statutory consumer • Right to damages: The law specific to digital content currently Draft Digital Content Directive • Reversal of the burden of proof exists. Instead, German courts apply stipulates that consumers are for two years: Under existing law, general laws on the sale or rental of entitled to damages caused by a consumer asking for a remedy for items (including consumer-specific the defective content. As the a defective product does not have to rules) where digital content is provided German Civil Code generally prove that the defect existed at the in exchange for payment. Where the provides for comprehensive rules time of delivery; it is up to the seller digital content is provided in exchange on compensation of economic to prove that the defect did not exist. for non-monetary considerations (e.g., damages, we do not expect that Currently, the time period during user-generated content or user data), the substantive changes will be which the seller has this burden of statutory rules on barter contracts apply. required. proof varies by Member State; under The Draft Digital Content Directive the new law, this period will be would constitute the first comprehensive • Termination: The termination extended up to two years throughout legal framework for the supply of digital right for long-term contracts after the EU. content in Germany. one year (as contemplated by the Draft Digital Content Directive) • No notification duty: • Standards and remedies: would enhance existing German Consumers won’t lose their rights Under the Draft Digital Content consumer protection law. Under if they don’t inform the seller of a Directive, digital content needs to existing law, contract terms of up to defect within a certain period of be in conformity with the contract two years are enforceable in standard time (as is currently the case in or, where the contract is silent, agreements with consumers. some Member States). to at least be fit for ordinary use. These rules explicitly determine • Reimbursement: Under the • Minor defects: If the seller is conformity of digital content by Draft Digital Content Directive, unable or fails to repair or replace mirroring the corresponding rules following termination, the seller a defective product, consumers of the Existing Goods Directive. must reimburse the purchase will have the right to terminate the Therefore, only a few changes price or, where the content was contract and be reimbursed. This is to German law will be required, provided in exchange for non- also true in cases of minor defects. as many of the existing rules are monetary consideration, refrain already applied to digital content in from using what the seller received • Secondhand goods: For Germany. from the consumer (e.g., the user- secondhand goods purchased generated content or data). The online, consumers will now have • Reversal of the burden of latter provision extends consumers’ the possibility to exercise their proof: The reversal of the burden rights under German law. rights within a two-year period, of proof provisions in the Existing as is the case with new goods,

21 Socially Aware, April 2016 instead of the one-year period that repealed. The UK would be required this extended period, it will be the currently applies in some Member to reinstate the law that existed responsibility of the supplier to prove States. before the CRA which, according that the goods were satisfactory at to CTSI, lacked clarity and led to the time of sale. On this point, CTSI IMPLICATIONS FOR THE UK significant consumer frustration, is not supportive as it says it is not i.e., consumers can ask for a price sure this enhancement strikes the The Draft Online Goods Directive reduction or refund if a repair/ right balance and it may be unfair to retains many of the same key rights and replacement cannot be provided businesses. The CMA supports the remedies set out in the Existing Goods within a reasonable time and proposal in principle, but the proposal Directive and recently implemented without significant inconvenience. doesn’t offset its concerns regarding in the UK under the CRA. However, The CMA also disagrees with the the reductions in consumer protection there are some differences between removal of this key protection and introduced by the draft Online Goods the statutory remedies proposed in the recommends the draft Online Goods Directive. Draft Online Goods Directive and the Directive be amended in line with CRA and it’s likely that a number of the CRA. Other concerns have been raised in the key rights under the CRA would likely UK. For example, suppliers operating need to be repealed for online and other • Liability period: Currently, the in the UK would be subject to different distance sales, which has led to concerns liability and limitation periods for rules depending on the method they being raised by BIS, CMA and CTSI, in remedies are six years in England, use to supply goods: offline selling particular: Wales and Northern Ireland and would fall within the scope of the CRA, five years in Scotland. The Draft whereas online or distance selling would • Short-term right to reject: Online Goods Directive would engage the provisions of the Proposed Under the CRA, consumers have reduce the liability period (i.e., Directives. Suppliers using both methods a right to reject and obtain a full the period in which a fault has to would be required to comply with both refund within 30 days. This would appear before a consumer can make sets of rules, and there are concerns need to be repealed in relation to a claim) to two years. Again, CTSI from both CTSI and CMA that this could goods purchased online. However, and CMA don’t support this change, lead to confusion for consumers, and consumers’ rights under the CRD believing it a significant reduction challenges for suppliers juggling two would not be affected so consumers in consumer rights. different sets of rights. CMA also points would still be entitled to a 14-day out that the different rules could lead to right of withdrawal for goods bought • Deduction for use: The approach market distortion, with consumers more online or at a distance. However, to deduction for use under the CRA inclined to buy offline, thus reducing unlike the short-term right to reject, is different and would need to be online growth. the consumer has to bear the cost updated. Under the CRA, if a repair of returning the goods under the or replacement is impossible or IMPLICATIONS FOR GERMANY right to withdraw and the trader has failed or has not been carried may make a deduction for use out in a reasonable time or without The Existing Goods Directive, which from the refund, depending on significant inconvenience to the is amended by the Draft Online Goods the circumstances. CTSI sees this consumer, then the consumer may Directive, is currently transposed into proposed change as a retrograde reject the goods and obtain a refund. the German Civil Code. step and doesn’t consider the CRD If the final right to reject is exercised provisions sufficient to ameliorate within six months of delivery of It is worth noting that in Germany, the problems caused by the removal the goods, then the trader must with the exception of the provisions of the right to reject. The CMA generally give the consumer a full on the trader’s redress, the reversal is also unhappy with the change, refund. After the first six months, of the burden of proof, some features believing it would reduce certainty, the trader may apply a deduction of the consumer guarantee and the to the disadvantage of both to the refund to account for the mandatory nature of the rules, most consumer and trader. consumer’s use. of the rules of the Existing Goods Directive have been extended to non- • Loss of one repair or On the other hand, the Draft Online consumer sales contracts. It remains replacement limit: Under the Goods Directive will enhance consumer to be seen whether a similar extension CRA, consumers can pursue a protection under the CRA by extending will be made with regard to the changes price reduction or refund after the the reversal of the burden of proof in the Draft Online Goods Directive, goods have undergone one repair or from six months to two years. During which would impact B2B e-commerce replacement. This would need to be transactions.

22 Socially Aware, April 2016 • Reversal of the burden of proof: • Liability period: Currently, sellers CONCLUSION As set forth in the Existing Goods in Germany are already liable for Directive, under existing German defective goods sold online for two Although the Proposed Directives law, if there is a defect within the years after the sale, which is the still have a long way to go before they first six months following delivery of corresponding statute of limitations. become law, they demonstrate that goods, the burden of proof that the Consequently, there will be no there is a keen desire for harmonization delivered goods were not defective change under the Draft Online at the EU level. at the time of delivery lies with the Goods Directive. supplier. The Draft Online Goods Being able to have one set of terms Directive would extend this reversal • Reimbursement for returns: and conditions for all customers in of the burden of proof to two years. It Under existing German law, the Europe would certainly appeal to many remains to be seen how this reversal seller may refuse to reimburse businesses that already offer, or would of the burden of proof would be the buyer until the goods have like to offer, consistent terms for their treated by the German courts that been returned. The Draft Online cross-border sales to consumers and are have tended to minimize the impact Goods Directive requires the currently navigating a patchwork of the existing reversal. seller to reimburse the consumer of consumer laws. within 14 days from receipt of the • No notification duty: There is termination notice. A possible alternative would have been no notification duty with regard to to apply the consumer law of the home defects for consumers under current • Compensation for decrease country of the respective provider also German law, so its abolition in the in value: Consumer sales law to transactions with consumers seated in Draft Online Goods Directive would in Germany currently prohibits another Member State. The E-Commerce not impact German law. deduction for use and compensation Directive (2000/31/EC) is an example of value when a consumer of this “country of origin principle.” This • Minor defects: German law terminates the sales contract. The alternative approach not only would currently only provides for a Draft Online Goods requires the benefit the businesses actually involved proportionate reduction of the consumer to pay for a decrease in in cross-border e-commerce, but would purchase price in case of minor the value of the goods insofar as also prevent additional costs and efforts defects but not for a termination the decrease exceeds depreciation for many SMEs that do not aim to do right. A right to terminate would through regular use. cross-border business but, nevertheless, be an extension of consumer rights would have to implement the new fully under German law. harmonized consumer rules proposed by the Commission.

If you wish to receive a free subscription to our Socially Aware newsletter, please send a request via email to [email protected]. We also cover social media-related business and legal developments on our Socially Aware blog, located at www.sociallyawareblog.com. For breaking news related to social media law, follow us on Twitter @MoFoSocMedia. To review earlier issues of Socially Aware, visit us at www.mofo.com/sociallyaware.

We are Morrison & Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, Fortune 100, and technology and life sciences companies. The Financial Times has named the firm to its lists of most innovative law firms in Northern America and Asia every year that it has published its Innovative Lawyers Reports in those regions. In the past few years, Chambers USA has honored MoFo’s Bankruptcy and IP teams with Firm of the Year awards, the Corporate/M&A team with a client service award, and the firm as a whole as Global USA Firm of the Year. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this newsletter, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. The views expressed herein shall not be attributed to Morrison & Foerster, its attorneys or its clients.

23 Socially Aware, April 2016