Brexit Impact on EU Safe Harbor Agreements

Brexit Impact on EU Safe Harbor Agreements

Christopher W. Folk

In the referendum on June 23 with voter turnout exceeding 70%, voters in the UK decided 52% to 48% to leave the European Union.  The exit of the UK from the EU has been coined Brexit (Britain and exit).  Under the EU, a member may exit subject to Article 50 of the Lisbon Treaty which gives the UK and the EU two years to negotiate the terms of the UK’s exit.[i]

Data Protection and Brexit

Throughout the near-term and until the UK effectuates its exit from the EU, the UK will continue to operate under existing EU laws and the new General Data Protection Regulation (“GPDR”) with mandatory compliance by June 2018 will shape the way that UK firms handle personal data.[ii]  Consequently, it is anticipated that UK firms will be required to implement the GPDR policies concerning the protection of data for EU citizens.  This is echoed by the new Information Commissioner for the UK, Elizabeth Denham.  Denham openly advocates for the UK to move forward with the new GPDR regulations irrespective of the impending Brexit.[iii]  Consequently, in many respects technology firms in the UK have some assurance that the UK will move forward with GPDR, however, there is still some risk.  As Brexit follows closely on the heels of the European Court of Justice’s ruling that the EU/US safe-harbor agreement was invalid due to in large part to the lack of data privacy protections for EU citizens.[iv]  Which is interesting to note since Britain and Ireland were both largely supportive of the Safe Harbor agreement; whereas France and Germany had been pushing for more stringent privacy controls to safeguard their citizens’ data.[v]  Consequently, it would seem that while the replacement for Safe Harbor is being negotiated the UK will likely have a very keen interest in both the direction as well as the outcome since it often finds itself closely aligned with its ally across the Atlantic.

General Data Protection Regulation

The GPDR changes a number of things, the highlights are as follows: Personal data is expanded to include IP addresses and online identifiers and companies must have explicit consent to use this data.  Furthermore, citizens will be more readily able to ascertain which companies are storing their data, and how their data is being used.  GPDR also introduces the concept of data portability which allows a person to migrate their data between and amongst companies.  This also includes a duty for companies to advise when personal data is exposed (hacked) and upon request, personal data must be deleted.  Along with duties comes liability and companies that suffer data breaches can face fines of up to €20 million.[vi]

EU-US Privacy Shield

Following the ruling against the existing safe harbor agreement, the US and EU put together what is being termed as the Privacy Shield.  Under the Privacy Shield proposed framework, any US company that receives personal data from the EU must choose from one of the following cross-border transfer mechanisms: (1) typical contractual clauses, (2) binding corporate rules (e.g. intercompany/affiliate data transfers), or (3) the Privacy Shield framework.[vii]  Similarly, any EU company that transfers data to a US company must ensure that one of the three aforementioned schemes are utilized prior to a data transfer.  Any transfers conducted outside these mechanisms would be deemed illegal.  The Privacy Shield itself has several critical elements:

  • Contractual requirements for onward transfers of personal data to third parties: companies that transfer personal data to any third party must have specific contract provisions mandating that safeguards continue to persist for personal data even after the transfer and that the transferor retains control over the third parties use of the personal data;
  • Right to Modify Personal Data: the data owner has a persistent right to correct, amend, or delete inaccurate personal data or personal data that has been accessed in an unauthorized manner; further companies may not charge excessive fees when a user exercises their rights within this;
  • Persistent Contractual Obligations: under this, any downstream party (e.g. recipient) of data must adhere to all of the principles and rights afforded a person with respect to their personal data;
  • Opt-Out Rights: where personal data is either disclosed to a third party or when the data’s use is for a materially different purpose than the original agreement, the subject has an option to opt-out (to include modifying use for direct marketing purposes);
  • Dispute Resolution: there are a very specific set of steps and avenues for redress that may be pursued when a citizen asserts that a violation of the Privacy Shield has occurred;
  • Ongoing Compliance Monitoring: the US Dept. of Commerce is tasked with continuous monitoring to ensure that there is full compliance amongst US companies with the Privacy Shield provisions;
  • Restrictions on Bulk Collection: this was one of the leading criticisms of the EU-US Safe Harbor agreement following the revelations by Edward Snowden. Within this, bulk collection is expressly forbidden except in cases where selective collection is impractical and even in those outliers, minimization procedures must be effected to ensure that access to data is for specific purposes only;
  • Establishment of a Privacy Shield Ombudsman: this role will be filled by a person designated by the Secretary of State and will utilize additional State Department personnel as needed to ensure that this role is carried out in the absence of any influence or involvement by the Intelligence Community;
  • Annual Periodic Reporting and Assessment: data protection authorities from both the EU and US Dept. of Commerce will conduct periodic, annual reviews of the Privacy Shield framework to ensure compliance and to assess and advise of changes that should be implemented.[viii]

What path will the UK take?

Based on the fact that Brexit is going to take a minimum of two years, it seems as though the UK will have no choice but to comply with the GPDR regulations that take effect in 2018.  Having done so, it seems that moving away from those and trying to adopt an agreement such as the Privacy Shield would result in a cost benefit analysis for which the most efficient solution may likely be to merely continue under the GPDR.  However, as the UK continues to assert independence from the concept of the EU, it may need to find and validate a competitive advantage which could potentially be achieved by moving away from the GPDR and into the Privacy Shield framework.  While the negotiations are just entering their nascent stage, it will be important for EU and UK privacy interests that the terms of the GPDR or a Privacy Shield like agreement be fully ironed out.  Once outside the UK for example, the Data Protection Act would no longer denote the UK as a “safe” destination for data since the UK would be external to the European Economic Area.  Thus, either the negotiations under which the UK leaves the EU will have to include some of these provisions or the UK could be folded into or create its own Privacy Shield framework within which it could continue to operate.[ix]

Conclusion

Irrespective of the approach that the UK takes; it seems clear that data protection is going to be a topic of interest during the negotiations and citizens and companies will have a vested interest in the outcome.  Depending on how this moves and on what is implemented, companies in the UK may be merely on a level playing field with EU companies or they may be able to bargain for a comparatively better position which affords UK companies the ability to differentiate themselves either from a cost or a services perspective.  Meanwhile, the UK’s slow shift towards some of the US philosophies and their support for the previous Safe Harbor agreement may indicate that the UK is interested in adopting or becoming a partner in the new Privacy Shield agreement.  The last thing the UK wants is a competitive disadvantage and depending upon how they position themselves and on what other options are “on the table” will ultimately decide which way the UK chooses to move forward.

 

[i] Brian Wheeler and Alex Hunt, Brexit: All you need to know about the UK leaving the EU, BBCNews, available at http://www.bbc.com/news/uk-politics-32810887 (Oct. 3, 2016) (The two-year time period begins once Article 50 is invoked and negotiations start).

[ii] Nick Heath, Brexit: 5 Ways the UK leaving the EU will affect tech firms, TechRepublic, available at http://www.techrepublic.com/article/brexit-5-ways-the-uk-leaving-the-eu-will-affect-tech-firmsect-tech-firms/ (Jun 24, 2016).

[iii] Adrian O’Connell, Information Commissioner calls for post-Brexit Britain to implement EU data rules, Irish Legal News, available at http://www.irishlegal.com/5462/information-commissioner-calls-for-post-brexit-britain-to-implement-eu-data-rules/ (Oct. 3, 2016).

[iv] Mark Scott, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid, The New York Times, available at http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html?_r=0 (Oct. 6, 2015).

[v] Id.

[vi] Joe Curtis, EU Passes GPDR laws that require companies to drastically improve their data privacy policies, ITPro, available at http://www.itpro.co.uk/data-protection/26365/your-business-must-prepare-today-for-2018-eu-data-protection-laws (Apr., 15, 2016).

[vii] Chanley T. Howell, et al., Safe Harbor Replacement EU-US Privacy Shield Approved, The National Law Review, available at http://www.natlawreview.com/article/safe-harbor-replacement-eu-us-privacy-shield-approved (Jul., 12, 2016).

[viii] Id.

[ix] Toni Vitale, Brexit and Data Protection – Q&A, Lexology, available at http://www.lexology.com/library/detail.aspx?g=45fa1c0a-54c4-465e-a752-c27a80a6736a (Jun., 30, 2016).

October FDA Update – Approval of Cancer Drug, Lartruvo

William Salage

On October 19, 2016, the US Food and Drug Administration (FDA) approved a new drug, Lartruvo (olaratumab), to treat adults with certain soft tissue sarcomas (STS). Specifically, cancers that develop in muscles, fat, tendons or other soft tissues. Lartruvo is approved alongside the already approved drug doxorubicin for the treatment of patients with STS who cannot be cured with radiation or surgery and who have a type of STS for which an anthracycline (chemotherapy) is an appropriate treatment.

Lartruvo’s approval marks the first time the FDA has approved an initial treatment of STS in over 40 years. The National Cancer Institute estimates that 12,310 new cases of STS and nearly 5,000 deaths are likely to occur from the disease in 2016. The most common treatment for STS that cannot be removed by surgery is treatment with doxorubicin alone or with other drugs. STS includes a wide variety of tumors arising in the muscle, fat, blood vessels, nerves, tendons or the lining of the joints.

The FDA is approving Lartruvo under the agency’s accelerated approval program, which allows approval of a drug to treat a serious or life-threatening disease or condition based on clinical data showing the drug influences a surrogate endpoint that is reasonably likely to predict clinical benefit. Lartruvo also received orphan drug designation, which provides incentives such as tax credits, user fee waivers and eligibility for exclusivity to assist and encourage the development of drugs intended to treat rare diseases

Under Pressure: Samsung Now Officially Terminates the Flagship “Boom 7”

Xiang Qi

On Tuesday, Samsung finally killed it flagship cellphone “Galaxy Note 7” after numerous reports of phone explosion in the United States and worldwide. Starting from August, Galaxy Note 7 has spontaneously exploded during normal usage by customers. Initially, Samsung concluded that the defect was caused by faulty batteries from one of its suppliers. After Samsung issued recall of the problematic devices in September, it continued to ship new Galaxy Note 7s with batteries from a different supplier. However, some of the replacement phones continued to explode as Samsung’s technicians were unable to identify the problem.

Samsung finally pulled Note 7 out of its product line after the company suffered a disastrous stock slump, potentially causing more financial losses to the company as well as it shareholders. Note 7, now commonly referred by consumers as Boom 7, came to the market bearing hope that it will surpass iphone by winning more consumers from its archrival. Market analysts pointed out that the top-down, militaristic approach most Korean “Chaebols” operate also contributed to this time’s Boom 7 fiasco as people at the top has no idea how product technology worked.

It was an unusual and bold move for Samsung to end production of its flagship cellphone. However, this move is helpful in the long run as it tends to help rebuild consumer trust in Samsung’s products. It remains to be seen whether the growing consumer distrust in Samsung will spread to the rest of its product line as it seems that Samsung’s technicians still do not know where the problem is with Boom 7.

Potential Ninth Planet in Our Solar System

Lindsey Marie Round

Ten years ago, the world received shocking news that Pluto is not a full planet, but rather a dwarf planet.[1] In fact, scientists determined that there is not just one dwarf planet, Pluto, but there are multiple of these smaller planets in our solar system.[2] For all of those who grew up being taught in school that there were nine major planets, this scientific discovery was major news. However, the idea that there are eight major planets may be change once again. Professor Michael Brown at California Institute of Technology has proposed reasoning for why the plane of planet orbitals is slightly tilted. [3] Professor Brown has discovered evidence that there may be a huge planet, about the size of Neptune, located beyond Neptune orbiting the sun.[4] Since this planet is located beyond Neptune it would have the power to tilt the rest of the planets.[5] Professor Brown believes that scientists will be able to learn more about this possible ninth planet within the upcoming year.[6] So for now, there are eight major planets, but that could change in the near future, except this time the ninth planet will not be Pluto.

 

[1] Jorge Salazar, This Date in Science: Pluto Gets a Demotion, EarthSky (Aug. 24, 2006), http://earthsky.org/space/this-date-in-science-pluto-demoted-to-dwarf-planet-status.

[2] Id.

[3] Nicholas St. Fleur, If Planet Nine is Out There, It Tilts Our Solar System, N.Y. Times (Oct. 20, 2016), http://www.nytimes.com/2016/10/21/science/planet-nine.html.

[4] Id.

[5] Id.

[6] Id.

Obama Administration Calls for Supreme Court to Review Lexmark Decision

Aiden Scott

In a case that is surely near and dear to anybody who has gone through the plight of owning an inkjet printer, the Obama administration has called for the Supreme Court of the United States to review the Court of Appeals decision in Lexmark International, Inc., v. Impression Products, Inc.[1] The Solicitor General has requested that the Supreme Court review the U.S. Court of Appeals for the Federal Circuits’ decision. This month, they held that Impression Products had infringed Lexmark’s patents. The alleged “infringement comes from their sale of refurbished Lexmark ink cartridges that were sold with “single use” or “no resale” restrictions.”[2]

They urge that the Federal Circuit has “misconstrued 150 years of precedent”, and through its effect “unsuspecting downstream purchasers are at risk of spatent infringement suits.” [3] The gravamen of the case is to determine how far “patent owners can control the use of their products after an authorized sale, domestic, or foreign.”[4] Further, the Solicitor General argues that the decision by the Federal Circuit “would substantially erode the exhaustion doctrine.”[5] In any case, we will have to patiently wait to see if the court will grant cert.      

 

[1] Barbara Grzincic Administration Backs U.S. Supreme Court Review of Lexmark Patent Exhaustion Ruling, Reuters legal, (Oct. 14, 2016), https://1.next.westlaw.com/Document/Ie4d1ab6091f511e68f45b58dd1e656b4/View/FullText.html?originationContext=docHeader&contextData=(sc.Category)&transitionType=Document&needToInjectTerms=False&docSource=c904320afb854063b83b1d38880e8ad5.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

Are Satellites the Next Cybersecurity Battleground?

Jeffrey Cullen

Alyssa Newcomb explains that many of our everyday activities rely on global positioning systems (GPS). Satellites in space are used in many different ways including intelligence gathering, communication, and navigation.[1] There has been much discussion about the vulnerability of our data through the use of the Internet. One realm that people may overlook is the technology that we have in space and its susceptibility to being hacked. The systems that we have in space are becoming older and face new threats. The space systems are not advancing at the same rate as our technology on earth and are at a high risk of being interfered with by hackers. It is said that any disruption to the satellite system could have major ramifications due to the interconnectedness of the system.[2] Accessibility to space is increasing. Therefore, updated security measures are needed in order to properly protect information.

 

[1] Alyssa Newcomb, Hacked in Space: Are Satellites the Next Cybersecurity Battleground?, NBC News (Oct. 3, 2016), http://www.nbcnews.com/tech/security/hacked-space-are-satellites-next-cybersecurity-battleground-n658231.

[2] Id.

Comcast to Cap Residential Data

Shamsheer Kailey

Beginning November 1, Comcast is applying 1-terabyte data cap to residential broadband customers in nearly a dozen states. Which means additional fee will be charged for going over the monthly limit. Usually, home Internet providers avoid placing a cap on data usage leaving it to the discretion of the wireless carriers. This is going to change.

Even though Comcast claims that users will not hit the limit, the cap will restrict many customers. Some of the states affected are: California, Colorado, Minnesota, Oregon, Washington, Wisconsin among others.

Customers will be provided alternatives to opt out of the data cap. Pay Comcast $50 a month extra for unlimited data or switch to an expensive fiber-optic service, Gigabit Pro, for $300 a month. Switching to lower-end plan with slower service will also let the customers avoid the plan.

According to the Charlie Douglas, a company spokesman the fact that the change affects primarily western and central U.S. and not northeast customers is intentional. However, the possibility hasn’t been ruled out.

______________________________________________________________________

Brian Fung, Nearly a dozen new states are about to get Comcast data caps, Washington Post (October 7, 2016), https://www.washingtonpost.com/news/the-switch/wp/2016/10/07/comcasts-internet-just-got-a-lot-more-like-cellphone-service/

“Life Does Not Stop and Start at Your Convenience” The Aid in Dying Movement Gains New States

Emma Fusco

Aid in dying has been a movement that has been under fire, with states like Oregon taking much of the flack.  Luckily for them, the backlash will likely now be dispersed over more states.  New York, Colorado, and the District of Columbia may soon join Oregon and a handful of other states where doctors are permitted to prescribe lethal doses of painkillers to terminally ill patients. [1]

Oregon, Washington, Vermont, California, and Montana are all under very strict guidelines in order to grant physician-assisted dying, and the pending regulations in the aforementioned three states are likely to follow in their footsteps.[2]  In order for physicians to legally assist patients in dying, two physicians must come to the conclusion that the patient seeking aid in dying is likely to die within six months.[3]  The terminally ill patient must also be of sound mind and free of coercion.[4]  Some states also require for the request for the lethal dose of drugs to be ask for again 15 days after the initial inquiry of such drugs.[5]

In states where this practice is banned, terminally ill patients are left two only two options.  The first is to somehow obtain a lethal dose of drugs under the table, exposing health care workers to law suits.[6]  The second option is to refuse food and starve to death.[7]  Is this how you would chose to die?

 

[1] The Editorial Board, Aid in Dying Movement Advances, N.Y. Times, Oct. 10, 2016, at A20.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

Distributed Denial of Service Attack on East Coast

Nicholas Fedorka

It all started on on Friday morning, October 21st at 7:10 AM and wasn’t fixed until almost 12 hours later.  Dyn, a New Hamspshire-based company that monitors and routes Internet Traffic, was the victim of a distributed denial of service attack (DDoS).  This same issue affected East Coast users from accessing Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other sites.  DDoS attacks flood servers with so many fake requests for information that they cannot respond to real ones, often crashing under the barrage.  It’s unclear who orchestrated the attack.  

The most troubling fact was that the attackers relied on an easy-to-use program called Mirai.  This system allows even unskilled hackers to take over online devices and use them to launch DDoS attacks.  The software uses phishing emails to first infect a computer or home network and then spreads everything on it.  Dyn is getting “tens of millions” of messages from around the globe sent by seemingly harmless but Internet-connected devices.  Kyle York, Dyn’s chief strategy officer said “It could be your DVR, it could be a CCTV camera, a thermostat.  I even saw an Internet-connected toaster on Kickstarter Yesterday,” said York.  

Lily’s Place: A Treatment Option for Opioid Addicted Newborns

Samantha Cirillo

Today, the United States is facing an opioid epidemic. The number of pregnant women using heroin, opioids, or methadone has increased more than 5 times the rate since 2000. As a result, according to the National Institute on Drug Abuse, every 25 minutes a baby is born with opioid withdrawals in the United States. This is a dramatic increase from hospitals only seeing one or two Neonatal Abstinence Syndrome cases a year.

When a woman is pregnant and using opioids, the substance can pass through the placenta causing the fetus to develop a physical drug dependence. Once the baby is born they are removed from the drug supply causing them to go through withdrawals. The symptoms associated with these withdrawals may include excessive crying, vomiting, sleep problems and muscle cramps.

The treatment for babies in withdrawal is fairly simple. They receive small doses of methadone or morphine to wean them from their addiction. Treatment for withdrawals is far less intensive and technical than other newborns in an intensive care unit suffering from other life-threatening conditions. However, due to the rise in opioid use, opioid addicted newborns are taking up a majority of the space in the neonatal intensive care units in many hospitals.

After many efforts, the community of Huntington, West Virginia believes to have found the solution to free up Hospital Intensive Care Units and save taxpayer money. Huntington is far too familiar with the opioid epidemic having an opioid overdose death rate of 10 times the national average.

The first attempt to find a solution came in 2012 when the city’s hospital, Cabell Huntington Hospital, created a separate newborn therapy unit just to treat withdrawal symptoms. Babies with withdrawals do not require the same high-tech equipment and therefore the newborn therapy unit was able to cut cost in half when compared to the treatment received in the neonatal intensive care unit.

On October 1, 2014, Huntington opened the first transitional therapy center in the country called Lily’s Place. The goal of the center is to eventually allow parents to have the ability to take care of their babies at home, while the baby is still receiving treatment over a period of 3-6 weeks.

The center is run by the same doctors and nurses at Cabell Huntington Hospital, social workers, nurses, and administrative staff. Typically, opioid addicted babies are safely able to leave the hospital after 2 weeks. From the hospital they are sent to Lily’s Place to continue treatment and observation.

The center is set up with 15 private nurseries that allow parents to visit throughout the day and occasionally spend the night. While babies are receiving treatment, the center’s social workers help parents and family members prepare to welcome the newborns home. Babies may continue to experience withdrawal symptoms for several months and the center trains family members on care techniques to be continued when released.

Social workers also help parents or family members find jobs, housing, addiction treatment, and financial help if necessary. Once the babies are completely weaned off of the small doses of methadone they are released to the trained parents or family members. The center continues to observe the family’s status by visiting the home every month.

Lily’s Place has been seen as a model for other communities and over 30 groups across the country are hoping to replicate the center in their own communities. To help with starting a neonatal abstinence center, Lily’s Place created a how-to book titled “How to Create a Neonatal Withdrawal Center”. The second center of its kind is set to open in April 2017 in Dayton, Ohio.

The road was not always smooth for Lily’s Place. At first, in order to be recognized as a certified medical center, Lily’s Place had to be classified as a long-term care center for the elderly and disabled. With the support of U.S. Representative, Evan Jenkins, who at the time represented Huntington on the State Legislature, HB 2999 was passed which created a new licensing designation for Neonatal Abstinence Centers.

Jenkins also supported the Comprehensive Recovery and Addiction Treatment Act which included a provision that called upon the government to smooth the regulatory path for communities to have the opportunity to open facilities similar to Lily’s Place. Additionally in order to help with funding, Jenkins is working to negotiate with U.S. Centers for Medicare and Medicaid Services to get approval for Neonatal Abstinence Centers to receive reimbursement through Medicaid.

Christine Vestal, Caring for the opioid epidemic’s youngest victims, L?? A?????? T???? (Oct. 11, 2016), http://www.latimes.com/nation/sns-tns-bc-opioids-infants-20161011-story.html.
L???’? P????: I????? R??????? C?????, http://www.lilysplace.org/.