Ofcom launches high data capacity spectrum auction consultation

Posted on November 21st, 2014 by

Ofcom published a consultation on the release of spectrum in the 2.3 GHz and 3.4 GHz bands on 7 November 2014. Potential bidders will be able to submit their comments until 23 January 2015. The auction is expected at the end of 2015 or the start of 2016.

No specific uses have been prescribed for this spectrum. However, these spectrum bands are suitable for very high data capacity, making them ideal for mobile broadband services. The most recent mobile handsets released by the major players are compatible with the 2.3 GHz spectrum in other countries. The 2.3 GHz band is used for 4G mobile broadband networks in ten non-European countries. The 3.4 GHz band is already used for 4G wireless broadband in the UK and a further five countries.

Ofcom proposes to auction 40 MHz of spectrum within the 2.3 GHz band and 150 MHz of spectrum within the 3.4 GHz band in 38 lots of 5 MHz. Reserve prices of between £2.5m and £5m per lot for the 2.3 GHz spectrum, and £1m per lot for the 3.4 GHz spectrum, are proposed.

This spectrum has been released by the Ministry of Defence under the Government’s initiative to free up public sector spectrum.


The UK’s implementation of the new EU Procurement Directive

Posted on November 11th, 2014 by

The government has published proposed draft regulations to implement the new EU Public Procurement Directive (2014/24/EU, the “Directive”). The Directive is part of a package of measures that will reform public sector procurement across the EU and must be implemented in Member States by 17 April 2016. The government has indicated that it aims to implement the Directive sooner than the 17 April deadline.

The government proposes to adopt a “copy out” approach for much of the Directive. Most of the Directive’s provisions are mandatory and do not leave room for altering its substance when transposing it into UK law. However, there are areas of the Directive that are not mandatory or where the Directive leaves room for Member States to determine their national rules. This blog looks at three such areas and the government’s proposed approach.

The Light-Touch Regime

In a limited number of circumstances the Directive gives the government scope to make choices about how to implement the Directive. Perhaps the most significant change being brought in by the Directive is the abolition of the distinction between “Part A” and “Part B” (“priority” and “non-priority”) services and the introduction of a new “light-touch” regime for social and other specific services set out in Schedule 3 to the draft Public Contracts Regulations (the “Regulations”). Many (but not all) services categorised as “Part B” services under the current regime are covered, and procurements for these services will be subject to the new light-touch regime if the contract value is €750,000 or more.

Member States have flexibility to devise their own national rules for the award of contracts for Schedule 3 services. The government has taken a “minimalistic” approach to the UK’s light-touch regime. Contracting authorities will be able to determine the procedures to be applied in connection with the award of contracts for Schedule 3 services, as long as those procedures are sufficient to ensure compliance with the principles of transparency and equal treatment of economic operators.

SME Access/Division of contracts into lots

The Directive aims to increase the possibilities for small and medium-sized enterprises (SMEs) to participate in large-scale public procurements by introducing new mechanisms allowing contracting authorities to award contracts in the form of lots. Member States have a choice over whether the division of contracts into lots should be mandatory under national law. The government proposes to allow contracting authorities to decide whether to award a contract in the form of lots on a case-by-case basis. Where a contracting authority decides not to divide a contract into lots, it would have to provide an indication of the reasons for its decision. The government also proposes to allow bidders to tender for combined lots. Contracting authorities would need to make clear in the procurement documents the possibility that contracts will be awarded for combined lots and indicate the lots that may be combined.

Bidders’ past performance

The Directive gives Member States the option to require contracting authorities to exclude economic operators from participating in a procurement procedure if that economic operator has “shown significant or persistent deficiencies in the performance of a substantive requirement under a prior public contract … which led to early termination of that prior contract, damages or other comparable sanctions”.

The current wording of the Regulations does not mandate an economic operator’s exclusion from a procurement procedure if there have been significant deficiencies in its past performance; the contracting authority retains discretion over whether or not to exclude the economic operator. The government has proposed that the “default” exclusion period should be three years, the maximum permitted under the Directive.

It is anticipated that the Government will publish guidance material for contracting authorities on how to exercise their discretion to exclude bidders based on their past performance.


Not-spots and Revelations – network coverage in the UK

Posted on November 6th, 2014 by

Having more to do with Muse than you might imagine, yesterday the UK government launched a consultation to look at proposals to improve network coverage in areas with access to some, but not all, of the 4 major networks (EE, O2, Three and Vodafone). These partial ‘not-spots’ affect approximately 20% of UK landmass. The consultation is asking for opinions on three different options to address partial not-spots (and considers a fourth ‘do-nothing’ option).

Option 1: infrastructure sharing

This proposal refers to Mobile Network Operator (MNO) site sharing, mast sharing and full radio access network sharing.

To achieve an infrastructure sharing programme the government is proposing to direct Ofcom to vary Wireless Telephony Act licence (“Telephony Licence”) terms to impose a coverage obligation on all MNOs, requiring them to achieve a geographic coverage equal to the combined coverage of all MNOs. The manner in which each MNO achieves this would be at their discretion.

Option 2: Multi-Operator Mobile Virtual Network Operators (MO-MVNO)

This proposal aims to encourage the use of a hybrid Mobile Virtual Network Operator (MVNO) model. A MO-MVNO would have agreements with two or more MNOs and would need to provide consumers with access to multiple networks.

To ensure that existing MVNOs and new market entrants could operate under this model the government would want to ensure that MNO and MVNO agreements do not contain exclusivity provisions. To do so they are proposing to direct Ofcom to vary Telephony Licence terms so that MNO/MVNO agreements cannot restrict an MVNO’s right to enter into agreements with other MNOs.

Option 3: national roaming

Under this proposal it would be obligatory for MNOs to make available, in partial not-spots, their coverage to other MNOs which do not have coverage in the area. Due to recognised technical and cost hurdles, only non-seamless national roaming for voice and text services would be required. 3G and 4G coverage would not need to be made available under this proposal.

To mandate national roaming the government would introduce secondary legislation to direct Ofcom to vary MNO Telephony Licences and introduce a non-seamless roaming requirement in areas where there are partial not-spots, as well as impose pricing restrictions.


Whilst addressing partial mobile coverage in different ways, each proposal introduces additional, and in some cases significant, obligations into existing and new MNO Telephony Licences and agreements. Now is the time for MNOs and other interested parties to weigh in with their arguments for the pros and cons of each option, or to state why existing infrastructure sharing projects and mechanisms are sufficient to address coverage concerns. Responses to the consultation must be submitted by 26 November 2014.

If the plans to address partial not-spots go ahead maybe we will be able to finally stream our favourite artists everywhere in the UK…

The press release and consultation, including the draft infrastructure sharing, MO-MVNO, and national roaming directions, are available online.


New ISO Standard for Cloud Computing

Posted on November 5th, 2014 by

The summer of 2014 saw another ISO Standard published by the International Standards Organisation (ISO). ISO27018:2014 is a voluntary standard governing the processing of personal data in the public cloud.

With the catchy title of “Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO27018”), it is perhaps not surprising that this long-awaited standard is yet to slip off the tongue of every cloud enthusiast. European readers may have assumed references to PII meant this standard was framed firmly around the US – wrong!

What is ISO27018?

ISO27018 sets out a framework of “commonly accepted control objectives, controls and guidelines” which can be followed by any data processors processing personal data on behalf of another party in the public cloud.

ISO27018 has been crafted by ISO to have broad application, from large to small and from public entity to government or non-profit.

What is it trying to achieve?

Negotiations in cloud deals which involve the processing of personal data tend to be heavily influenced by the customer’s perceptions of heightened data risk and sometimes very real challenges to data privacy compliance. This is a hurdle for many cloud adopters as they relinquish control over data and rely on the actions of another (and sometimes those under its control) to maintain adequate safeguards. In Europe, until we see the new Regulation perhaps, a data processor has no statutory obligations when processing personal data on behalf of another. ISO27018 goes some way towards imposing on the processor a level of responsibility for the personal information it processes.

ISO27018’s introductory pages call out its objectives:

  1. It’s a tool to help the public cloud provider to comply with applicable obligations: for example, there are requirements that the public cloud provider only processes personal information in accordance with the customer’s instructions and that it should assist the customer in cases of data subject access requests;
  2. It’s an enabler of transparency, allowing the provider to demonstrate why its cloud services are well governed: imposing good governance obligations on the public cloud provider around its information security organisation (e.g. the segregation of duties) and objectives around human resource security prior to (and during) employment, and encouraging programmatic awareness and training. Plus it echoes the asset management and access control elements of other ISO standards (see below);
  3. It will assist the customer and vendor in documenting contractual obligations: by addressing typical contractually imposed accountability requirements; data breach notification, imposing adequate confidentiality obligations on individuals touching on data and flowing down technical and organisational measures to sub-processors, as well as requiring the documentation of data location. This said, a well-advised customer may wish to delve deeper as this is not a full replacement for potential data controller to processor controls; and
  4. It offers the public cloud customer a mechanism to exercise audit and compliance rights: with ISO27018’s potential application across disparate cloud environments, it remains to be seen whether a third party could certify compliance against some of the broader data control objectives contained in ISO27018. However, regular review and reporting and/or conformity reviews may provide a means for vendor or third-party verification (potentially of more use where shared and/or virtualised server environments practically frustrate direct audit of data, systems and data governance practice by the customer).

ISO27018 goes some way towards delivering these safeguards. It is also a useful tool for a customer to evaluate the cloud services and data handling practices of a potential supplier. But it’s not simple and it’s not a substitute for imposing compliance and control via contract.

A responsible framework for public cloud processors

Privacy laws around the world prescribe nuanced, and sometimes no, obligations upon those who determine the manner in which personal information is used. Though ISO27018 is not specifically aimed at the challenges posed by European data protection laws, or any other jurisdiction for that matter, it is flexible enough to accommodate many of the inevitable variances. It cannot fit all current rules and may not fit future ones. However, in building this flexibility, it loses some of its potential bite to generality.

Typically, entities adopting ISO27001 (Information security management) are seeking to protect their own data assets, but it is increasingly a benchmark standard for data management and handling among cloud vendors. ISO27018 builds upon ISO27002 (Information technology – Security techniques – Code of practice for information security controls), reflecting its controls but adapting them for public cloud: it maps back to ISO27002 obligations where they remain relevant and supplements them where necessary by prescribing additional controls for public cloud service provision (as set out separately in Annex A to ISO27018). As you may therefore expect, ISO27018 explicitly anticipates that a personal information controller would be subject to wider obligations than those specified and aimed at processors.

Adopting ISO27018

Acknowledging that the standard cannot be all-encompassing, and that the flavours of cloud are wide and varied, ISO27018 calls for an assessment to be made across applicable personal information “protection requirements”. ISO27018 calls for the organisation to:

  1. Assess the legal, statutory, regulatory and contractual obligations of it and its partners (noting particularly that some of these may mandate particular controls (for example preserving the need for written contractual obligations in relation to data security under the Directive (95/46/EC) 7th Principle));
  2. Complete a risk assessment across its business strategy and information risk profile; and
  3. Factor in corporate policies (which may, at times, go further than the law for reasons of principle, global conformity or because of third-party influences).

What ISO27018 should help with

ISO27018 offers a reference point for controllers who wish to adopt cloud solutions run by third party providers. It is a cloud computing information security control framework which may form part of a wider contractual commitment to protect and secure personal information.

As we briefly explained in an earlier post in our tech blog, the European Union has also spelled out its desire to promote uniform standard setting in cloud computing. ISO27018 could satisfy the need for a broadly applicable, auditable data management framework for public cloud provision. But it’s not EU-specific and lacks some of the rigour an EU-based customer may seek.

What ISO27018 won’t help with

ISO27018 is not an exhaustive framework. There are a few obvious flaws:

  1. It’s been designed for use in conjunction with the information security controls and objectives set out in ISO27002 and ISO27001, which provide general information security frameworks. This is a high threshold for small or emerging providers (many of which do not meet all these controls or certify to these standards today). So it is more accessible for large enterprise providers, but something to weigh up – the more controls there are, the more ways there are to slip up;
  2. Although it may be used as a benchmark for security, coupled with contractual commitments to meet and maintain selected elements of ISO27018, it won’t be relevant to all cloud solutions and compliance situations (though some will use it as if it were);
  3. It perpetuates the use of the PII moniker which, already holding a specific US legal connotation (i.e. narrower application), is now used in a more widely defined context under ISO27018 (in fact PII under ISO27018 is closer to the definition of personal data under EU Directive 95/46/EC). This could confuse the stakeholders in multi-national deals, and the corresponding use of PII in the full title of ISO27018 potentially misleads around the standard’s potential applicability and use cases;
  4. ISO27018 is of no use in situations where the cloud provider is (or assumes the role of) data controller, and it assumes all data in the cloud is personal data (so watch this space for ISO27017 (coming soon), which will apply to any data (personal or otherwise)); and
  5. For EU-based data controllers, other than constructing certain security controls, ISO27018 is not a mechanism or alternative route to legitimise international data transfers outside of the European Economic Area. Additional controls will have to be implemented to ensure such data enjoys adequate protection.

What now?

ISO27018 is a voluntary standard and not law, and it won’t entirely replace the need for specific contractual obligations around processing, accessing and transferring personal data. In a way its ultimate success can be gauged by the extent of eventual adoption. It will be used to differentiate, but it will not always answer all the questions a well-informed cloud adopter should be asking.

It may be used in whole or in part and may be asserted and used alongside or as a part of contractual obligations, information handling best practice or simply a benchmark which a business will work towards. Inevitably there will be those who treat the Standard as if it is the law without thought about what they are seeking to protect against and what potential wrongs they are seeking to right. If so, they will not reap the value of this kind of framework.



Small Business, Enterprise and Employment Bill Consultation

Posted on October 27th, 2014 by

It is no secret that SMEs find it difficult to get involved in public sector contract opportunities because of, amongst other things, the cost and amount of time they need to invest in a sometimes cumbersome and bureaucratic bidding process which gives them no guarantee that they’d actually win the work. They’re up against some large corporates who have very deep pockets, lots of bidding/public sector experience and immense pressure to win deals (sometimes at whatever the cost!).

Since 2010, the Government has been taking steps to remove these barriers, such as lean procurement methods and (more recently) the procurement law reforms following Lord Young’s Growing Your Business report. Now, the Government has launched a consultation to help SMEs gain even better access to public sector opportunities (https://www.gov.uk/government/consultations/reforms-to-public-procurement). The Small Business Enterprise and Employment Bill (“SBEE”) aims “to build a stronger economy and improve the general climate in which small businesses operate”. A clause in the SBEE will, subject to Parliamentary procedure:

  • give the Government the ability to deliver “key measures to help to ensure that remaining barriers for small businesses are removed, procurement practices become more efficient and small businesses have better opportunities to grow”; and
  • enable the Government to issue guidance which contracting authorities will be obliged to take into account.

The consultation seeks the views of buyers, sellers and other stakeholders so that the Government can ensure that SMEs can better and more directly access public sector opportunities. It seeks views on three specific measures:

  • Measure 1 – duties to exercise procurement functions in an efficient and timely manner;
  • Measure 2 – a duty to make available, free of charge, information or documents, or processes necessary for any potential supplier to bid for a contract opportunity; and
  • Measure 3 – a duty to accept electronic invoices.

The consultation ends on 13th November 2014.

I would encourage SMEs to participate, and if you would like more information on the consultation process, SBEE or any other procurement matters please don’t hesitate to get in touch.


PART 2 – The regulatory outlook for the Internet of Things

Posted on October 22nd, 2014 by

In Part 1 of this piece I posed a question asking: the Internet of Things – what is it? I argued that even the concept of the Internet of Things (“IoT”) itself is somewhat ill-defined, making the point that there is no definition of IoT and, even if there were, that the definition will only change. What’s more, IoT will mean different things to different people and refer to something new each year.

For all the commentary, there is no specific IoT law today (sorry, there is no Internet of Things (Interconnectivity) Act in the UK (and nor will there be any time soon)). We are left applying a variety of existing laws across telecoms, intellectual property, competition, health and safety and data privacy / security. Equally, with a number of open questions about how the IoT will work, how devices will communicate and identify each other etc., there is also a lack of standards and industry-wide co-operation around IoT.

Frequently based around data use, and with potentially intrusive application in the consumer space (think wearables, intelligent vehicles and healthtech), there is no doubt that convergence around IoT will fan privacy questions and concerns.

An evolving landscape

This lack of definition, coupled with a nascent landscape of standards, interfaces, and protocols leaves many open questions about future regulation and the application of current laws. On the regulatory front there is little sign of actual law-making or which rules may evolve to influence our approach or analysis.

Across the US, UK and the rest of Europe the regulatory bodies with an interest in IoT are diverse, with a range of regulatory mandates and sometimes with a defined role confined to specific sectors. Some of these regulators are waking up to potential issues posed by IoT and a few are reaching out to the industry as a whole to consult and stimulate discussion. We’re more likely to see piecemeal regulation addressing specific issues than something all-encompassing.

The challenge of new technology

Undoubtedly the Internet of Things will challenge law makers as well as those of us who construe the law. It’s possible that in navigating these challenges and our current matrix of laws and principles that we may influence the regulatory position as a result. Some obvious examples of where these challenges may come from are:

  1. Adaptations to spectrum allocation. If more devices want to communicate, many of these will do so wirelessly (whether via short-range or wide-area comms or mobile). The key is that these exchanges don’t interfere with each other and that there is sufficient capacity available within the allocated spectrum. This may need to be regulated;
  2. Equally, as demand increases, with a scarce resource what kind of spectrum allocation is “fair” and “optimal”, and is some machine-to-machine traffic more important than other traffic? With echoes of the net neutrality debate, the way this evolves will be interesting. Additionally, if market dominance emerges around one technology, will there be competition/anti-trust concerns?;
  3. The technologies surrounding the IoT will throw up intellectual property and licensing issues. The common standards and exchange and identification protocols themselves may be controlled by an interested party or parties or released on an “open” basis. Regulation may need to step in to promote economic advance via speedy adoption or simply act as an honest broker in a competitive world; and
  4. In some applications of IoT the concept of privacy will be challenged. In a decentralised world the thorny issues of consent and reaffirming consent will be challenging. This said, many IoT deployments will not involve personal information or identifiers. Plus, whatever the data, issues around security become more acute.

We have a good idea what issues may be posed, but we don’t yet know which will impose themselves sufficiently to force regulation or market intervention.

Consultation – what IoT means for the policy agenda

There have been some opening shots in this potential regulatory debate because a continued interconnectivity between multiple devices raises potential issues.

In issuing a new Consultation, “Promoting investment and innovation in the Internet of Things”, Ofcom (the UK’s communications regulator) kicked off its own learning exercise to identify potential policy concerns around:

  1. spectrum allocation and providing for potential demand;
  2. understanding of the robustness and reliability issues placed upon networks which demand resilience and security. The corresponding issue of privacy is recognised also;
  3. a need for each connected device to have an assigned name or identifier and questioning just how those addresses should be determined and potentially how they would be assigned; and
  4. understanding its potential role as the UK’s regulator in an area (connectivity) key to the evolution of IoT.

In a varied and quite penetrable paper, Ofcom’s consultation recognises what many will be shouting: its published view “is that industry is best placed to drive the development, standardisation and commercialisation of new technology”. However, it goes on to recognise that “given the potential for significant benefits from the development of the IoT across a range of industry sectors, [Ofcom] are interested in views on whether we should be more proactive; for example, in identifying and making available key frequency bands, or in helping to drive technical standards.”

Europe muses while Working Party 29 wades in early, warning about privacy

IoT adoption has been on Europe’s “Digital Agenda” for some time and in 2013 it reported back on its own Conclusions of the Internet of Things public consultation. There is also the “Connected Continent” initiative chasing a single EU telecoms market for jobs and growth. The usual dichotomy is playing out, equating technology adoption with “growth” while Europe wrestles with an urge to protect consumers and markets.

In just one such fight with this urge, in the past month the Article 29 Working Party (comprising the data privacy regulators of Europe) published its own Opinion 8/2014 on the Recent Developments on the Internet of Things. Recognising that it’s impossible to predict with any certainty the extent to which the IoT will develop, the group also calls out that the development must “respect the many privacy and security challenges which can be associated with IoT”.

Their Opinion focuses on three specific IoT developments:

  1. Wearable Computing;
  2. Quantified Self; and
  3. Domotics (home automation).

This Opinion doesn’t even consider B2B applications and more global issues like “smart cities” and “smart transportations”, as well as M2M (“machine to machine”) developments. Yet the principles and recommendations in their Opinion may well apply outside its strict scope and cover these other developments in the IoT. It’s one of our only guiding lights (and one which applies high standards of responsibility).

As one would expect, the Opinion identifies the “main data protection risks that lie within the ecosystem of the IoT before providing guidance on how the EU legal framework should be applied in this context”. What’s more the Working Party “supports the incorporation of the highest possible guarantees for individual users at the heart of the projects by relevant stakeholders. In particular, users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific.”

The Fieldfisher team will shortly publish its thoughts and explanation of this Opinion. As one may expect, the IoT can and will challenge the privacy notions of transparency and consent, let alone proportionality and purpose limitation. This means that accommodating the EU’s data privacy principles within the application of some IoT will not always be easy. Security poses another tricky concept and conversation. Typically these are issues to be tackled at the design stage and not as a legal afterthought. Step forward the concept of privacy by design (a concept recognised now around the globe).

In time, who knows, we may even see the EU Data Protection Regulation pass and face enhanced privacy obligations in Europe with new focus on “profiling” and legal responsibilities falling beyond the data processor exacting its own force over IoT.

The US is also alive to the potential needs of IoT

But Europe is not alone: with its focus on activity-specific laws or laws regulating specific industries, even the US may be addressing particular IoT concerns with legislation. Take the “We Are Watching You Act” currently with Congress and the “Black Box Privacy Protection Act” with the House of Representatives. Each now apparently has a low chance of actually passing, but they may regulate monitoring of surveillance by video devices in the home and force car manufacturers to disclose to consumers the presence of event data recorders, or ‘black boxes’, in new automobiles.

A wider US development possibly comes from the Federal Trade Commission, which hosted public workshops in 2013, itself interested in privacy and security in the connected world and the growing connectivity of devices. In the FTC’s own words: “[c]onnected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The workshop brought together academics, business and industry representatives, and consumer advocacy groups to explore the security and privacy issues in this changing world. The workshop served to inform the Commission about the developments in this area.” Though there are no concrete proposals yet, 2014 has seen a variety of continued commentary around “building trust” and “maximising consumer benefits through consumer control”. With its first IoT enforcement action falling in 2013 (in respect of connected baby monitors from TRENDnet whose feeds were not secure), there’s no doubt the evolution of IoT is on the FTC’s radar.

FTC Chairwoman Edith Ramirez commented that “The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet”.

No specific law, but plenty of applicable laws

My gut instinct to hold back on my IoT commentary had served me well enough. In the legal sense with little to say, perhaps even now I’ve spoken too soon? What is clear is that we’re immersing ourselves in IoT projects, wearable device launches, health monitoring apps, intelligent vehicles and all the related data sharing already. The application of law to the IoT needs some legal thought and, without specific legislation today, as for many other emerging technologies we must draw upon:

  1. Our insight into the existing law and its current application across different legal fields; and
  2. Rather than applying a rule specific to IoT, we have to ask the right questions to build a picture of the technology, the way it communicates and figure out the commercial realities and relative risks posed by these interactions.

Whether the internet of customers, the internet of people, data, processes or even the internet of everything; applied legal analysis will get us far enough until we actually see some substantive law for the IoT. This is today’s IoT challenge.

Mark Webber – Partner, Palo Alto California mark.webber@fieldfisher.com




Part 1: Cutting through the Internet of Things hyperbole

Posted on October 15th, 2014 by

I’ve held back writing anything about the Internet of Things (or “IoT“) because there are so many developments playing out in the market. Not to mention so much “noise”.

Then something happened: “It’s Official: The Internet Of Things Takes Over Big Data As The Most Hyped Technology” read a Forbes headline. “Big data”, last week’s darling, is condemned to the “Trough of Disillusionment” while Gartner moves IoT to the very top of its 2014 emerging technologies Hype Cycle.

Something had to be said. The key point for me is that the IoT is “emerging”. What’s more, few are entirely sure where they are on this uncharted journey of adoption. IoT has reached an inflexion point: the point where businesses and others realise that identifying with the Internet of Things may drive sales, shareholder value or merely kudos. We all want a piece of this pie.

In Part 1 of this two part exploration of IoT, I explore what the Internet of Things actually is.

IoT –what is it?

Applying Gartner’s parlance, one thing is clear: when any tech theme hits the “Peak of Inflated Expectations” the “Trough of Disillusionment” will follow because, as with any emerging technology, it will be some time until there is pervasive adoption of IoT. In fact, for IoT, Gartner says widespread adoption could be 5 to 10 years away. However, this inflexion point is typically the moment in time when the tech industry’s big guns ride into town and, just as with cloud (remember some folk trying to trade mark the word?!), this will only drive further development and adoption. But also further hype.

The world of machine to machine (“M2M”) communications involved the connection of different devices which previously did not have the ability to communicate. For many, the Internet of Things is something more. As Ofcom (the UK’s communications regulator) set out in its UK consultation, IoT is a broader term, “describing the interconnection of multiple M2M applications, often enabling the exchange of data across multiple industry sectors”.

“The Internet of Things will be the world’s most massive device market and save companies billions of dollars” shouted Business Week in October 2014, happy to maintain the hype but also acknowledging in its opening paragraph that IoT is “beginning to grow significantly”. No question, IoT is set to enable large numbers of previously unconnected devices to connect and then communicate, sharing data with one another. Today we are mainly contemplating rather than experiencing this future.

But what actually is it?

The emergence of IoT is driving some great debate. When assessing what IoT is and what it means for business models, the law and for commerce generally, arguably there are more questions than there are answers. In an exploratory piece in ZDNET Richie Etwaru called out a few of these unanswered questions and prompted some useful debate and feedback. The top three questions raised by Richie were:

  1. How will things be identified? – believing we have to get to a point where there are standards for things to be sensed and connected;
  2. What will the word trust mean to “things” in IoT? – making the point we need to redefine trust in edge computing; and
  3. How will connectivity work? – Is there something like IoTML (The Internet of Things Markup Language) to enable trust and facilitate this communication?


None of these questions are new, but his piece reinforces that we don’t quite know what IoT is and how some of its technical questions will be addressed. It’s likely that standardisation or industry practice and adoption around certain protocols and practices will answer some of these questions in due course. As a matter of public policy we may see law makers intervene to shape some of these standards or drive particular kinds of adoption. There will be multiple answers to the “what is IoT?” question for some time. I suspect in time different flavours and business models will come to the fore. Remember when every cloud seminar spent the first 15 minutes defining cloud models and reiterating extrapolations for the future size of the cloud market? Brace yourselves!

I’ve been making the same points about “cloud” for the past 5 years – like cloud the IoT is a fungible concept. So, as with cloud, don’t assume IoT has definitive meaning. As with cloud, don’t expect there is any specific Internet of Things law (yet?). As Part 2 of this piece will discuss, law makers have spotted there’s something new which may need regulatory intervention to cultivate it for the good of all but they’ve also realised that there’s something which may grow with negative consequences – something that may need to be brought into check. Privacy concerns particularly have raised their head early and we’ve seen early EU guidance in an opinion from the Article 29 Working Party, but there is still no specific IoT law. How can there be when there is still little definition?

Realities of a converged world

For some time we’ve been excited about the convergence of people, business and things. Gartner reminds us that “[t]he Internet of Things and the concept of blurring the physical and virtual worlds are strong concepts in this stage. Physical assets become digitalized and become equal actors in the business value chain alongside already-digital entities”. In other words; a land of opportunity but an ill-defined “blur” of technology and what is real and merely conceptual within our digital age.

Of course the IoT world is also a world bumping up against connectivity, the cloud and mobility. Of course there are instances of IoT out there today. Or are there? As with anything that’s emerging the terminology and definition of the Internet of Things is emerging too. Yes there is a pervasiveness of devices, yes some of these devices connect and communicate, and yes devices that were not necessarily designed to interact are communicating, but are these examples of the Internet of Things? Break these models down into constituent parts for applied legal thought and does it necessarily matter?

Philosophical, but for a reason

My point? As with any complex technological evolution, as lawyers we cannot apply laws, negotiate contracts or assess risk or the consequences for privacy without a proper understanding of the complex ecosystem we’re applying these concepts to. Privacy consequences cannot be assessed in isolation and without considering how the devices, technology and data actually interact. Be aware that the IoT badge means nothing legally and probably conveys little factual information around “how” something works. It’s important to ask questions. Important not to assume.

In Part 2 of this piece I will discuss some early signs of how the law may be preparing to deal with all these emerging trends. Of course the answer is that it probably already does, and it probably has the flexibility to deal with many elements of IoT yet to emerge.


How can I use my US sales terms in Europe?

Posted on October 14th, 2014 by

Nearly every US in-house counsel has faced the task of tackling an impending overseas deal when the only terms at hand are governed by US State law. Staring down the barrel of an unknown legal system, a familiar scene plays out:

Do you push to use the US terms unamended?

Often, there is an overwhelming desire to use what you have. You have invested time in these terms, you understand their structure and where you would concede on them. What’s more, they are based on your home law. If you get embroiled in litigation, it is not far to travel to litigate in the Santa Clara County courts and you will be defending your position with California law and with terms you drafted.

However, if you use them abroad, are they enforceable?

Should you fully localise the US terms?

If there is the budget and time available, another option is to take the US form and have someone with the right expertise “localise” the contract. They can make the necessary amendments to ensure the provisions comply with the relevant local law and local market practices. Inevitably, this involves relinquishing the relative sanctity of local courts and familiar law.

When localised, you know the contract will now be enforceable and acceptable. But what have you lost? Unfamiliar with your systems and appetite for risk, has the local counsel “given away” ground? Why are there now fewer exclusions and wider warranty provisions? Inevitably, some control is ceded.

The contractual dilemma

Depending on the scenario, it may be reasonable to take either approach. Seasoned advisors will know where to draw the line. The decision is a fundamental one which sets the tone and shape of negotiations immediately. Where each side favours their own system and laws, building an entrenched position in favour of home advantage may, in practice, turn out to be the wrong decision.

Yes, each party could agree to local law and the right to apply to their home courts when defending an action under the contract. But what will a French court make of a US style exclusion of liability clause crafted for Washington State law? At that point you may wish you had localised.

Yes, local counsel can attempt to cobble together an agreement which would “work” in every EU Member State as well as the US, but do you understand and accept the consequential risks of an imperfect document? With a true blend of applicable systems, can anyone actually understand the extent of the compromises being made?

The legal dilemma

Like it or not, different territories have different laws. There are 28 states in the European Union and across these states there are tranches of relatively harmonised laws in certain areas. The basic underlying laws of contract and case law or codes which aid their interpretation are, however, all different.

Faced with just such a decision regarding localisation, what are the 10 issues you should consider?

One: Freedom of contract

In Europe we have “freedom of contract”. For most business-to-business (B2B) contracting scenarios, it is possible for the parties to negotiate freely and choose the law that should apply to the contract and to the forum that should hear any resulting dispute. Yes, particular local regulation may intervene in a few areas, but there is nothing to outlaw a Delaware State law deal between two consenting businesses in Italy.

The instinctive reaction is to go with what is familiar. Instead, step back and consider the likely scenarios in which the contract could be enforced. Consider also which legal concepts/provisions on which you are most likely to rely.

Two: When consumers are involved in Europe, work to their local law

Across the European Union, when consumers are contracting, the game changes. An EU consumer cannot be deprived of the protection of the mandatory consumer rules of the country in which they are habitually resident, whatever governing law the contract purports to choose. This is the case whether the Dutch consumer is offered Californian or Belgian law. Any attempt to override this will fail.

Additionally, an EU-based consumer cannot be denied their local court. And, no matter how hard you try, you cannot force a consumer into arbitration.

If a court will apply the consumer’s local law, to get the best protections for the business you should try to craft terms around these laws. Take time to assess the local system and the approach of peers and regulators. In Germany consumer organisations and even competitors have standing to object. Elsewhere, there are potentially more lenient enforcement regimes. US terms may be unenforceable but, if it’s a free product, perhaps retaining US State law is an acceptable risk to take?

Additionally, European consumers are entitled to terms which are:

  • “fair” and “reasonable”; and
  • accessible in “plain and intelligible” language.

This means not only the use of clear and non-technical language, but also the local language (English language terms for a French customer are always “unfair” and unenforceable). The law also reaches in to restrict how aggressive and one-sided you can be. There cannot be a “significant imbalance” in approach. Admittedly, drafting to this vague and flexible notion can be a challenge.

Three: Be aware of legalese and differences in terminology

Words familiar and acceptable in the US sometimes have a different interpretation in the EU. For example, only an individual goes “bankrupt” in the UK and, at times, restrictions permissible in the US are outlawed in the EU. The use of stock phrases like “save as may be permitted by law” or “including the occurrence of any analogous event in any jurisdiction” can get you so far but, as in any legal system, there is an art to crafting restrictions within laws and limitations.

As discussed below, this is particularly the case with the vocabulary used to exclude liability.

Four: Consider and assess mandatory laws

“Make the necessary amendments for local mandatory laws” is a common instruction which is rarely understood. Few have the confidence to get to the bottom of whether there is value in doing this kind of review. The answer varies depending on the context and market.

Sometimes, including a provision which over-steps a mandatory law simply renders the provision unenforceable. Occasionally, it may be tactical to include the restriction, knowing that some opposing parties may believe it to be enforceable and not open to challenge. However, over-stepping in areas of competition/anti-trust law (e.g. by fixing prices or imposing minimum pricing in a vertical agreement) could lead to significant fines and pain.

Five: Dealing with intellectual property

There are a number of nuances to be aware of when dealing with intellectual property (IP). First, be aware that “Works for Hire” concepts do not apply in Europe. If you want to own the IP created, you will need to get an express written assignment.

If the circumstances dictate, ensure a developer of IP waives any moral rights (rights to be recognised as author). These moral rights can be waived but only by the author. Consider contractual obligations to ensure the appropriate waivers are provided by legal persons other than the contracting party.

Thanks to international treaties many IP concepts are similar, but be aware of Europe’s unique beast – the database right. Where there is specific effort involved in compiling a database (even absent any element of creativity), an IP right known as database right may arise. Does the contract consider this right and do you need any specific rights to use, transfer, or protect any database?

Six: Effectively excluding liability

If you do anything, consider provisions limiting or excluding liability:

(1) There are certain liabilities which cannot be excluded by law (e.g. causing death or personal injury as the result of negligence in the UK).

(2) Case law or codified law in various European countries ascribes particular meaning to commonly used words like “indirect“, “consequential“, and “direct” loss. In the UK loss of profit can be a direct loss. In most jurisdictions the courts will never make exemplary or punitive awards. Use of any of these words in exclusions is likely to be unfair when dealing business-to-consumer.

(3) There is often an over-riding concept of reasonableness which pervades contractual exclusions. This applies where a vendor deals on non-negotiated standard terms or to provisions which are not negotiated. Under unfair contract legislation, in many circumstances, clauses which exclude too much, and leave no real remedy other than refund of monies paid, may well contain unreasonable exclusions which are open to challenge in the courts (even B2B).

While evolving case law applies at common law, if you move to France, Germany or Austria your exclusion clause may need to say much less because the applicable codes imply core principles around recovery and exclusions.

Seven: Effectively dealing with privacy

A common mistake when deploying a US-style contract in a European situation is to forget to consider what is not there; privacy is seldom sufficiently dealt with. As you will be aware, European privacy laws are rigorous and have ubiquitous application to personal data, unlike the US situation where particular privacy wrongs have been addressed on a sectoral basis.

In a nutshell, in Europe, the “data controller” (the entity that makes decisions about the manner in which personal data is used) has a legal responsibility in relation to the use and sharing of that data. As data controller, rules which apply across the EU (in the UK, the eight data protection principles of the Data Protection Act 1998) require them to handle data in accordance with eight broad principles. The seventh principle requires the data controller to ensure it has a written contract with a data processor (i.e. an entity processing or using the data on their behalf) requiring certain contractual protections to ensure that the data remains adequately protected. Under that same principle, they also have an obligation to ensure they take technical and organisational steps to keep those data secure.

Data controllers are required to pass on certain contractual requirements to ensure that data is protected by their data processor, and to ensure these obligations are flowed down to any sub-processors. Of course, European rules equally restrict the transfer of personal data outside of the European Economic Area (the 28 EU Member States plus Norway, Iceland and Liechtenstein), unless there is adequate protection for that data. Typically this is a key point of contractual friction.

Eight: Assess and understand what terms are automatically implied into a contract

On the basis that implied provisions usually add risk and liability, it is important to understand what terms will be implied into any contract. Broad-brush exclusions can be effective, but be aware that some implied terms are conditions rather than warranties, unlike in the US. Standard US language often misses this or alternative concepts like “satisfactory quality”.

Not all implied terms can be excluded in all situations. Importantly, know where these can be excluded and, where possible, ensure that you effectively exclude them.

Nine: Boilerplate

An area often ignored is the boilerplate. Sometimes, localisation focuses only on how and where to serve notices within the EU. Precedent law has evolved to require terms be drafted in a particular manner. Whilst the boilerplate in US and EU agreements may appear similar at first glance, there are subtle differences which are there for a reason. Fraudulent misrepresentations cannot be effectively excluded with an entire agreement clause in the UK. Some EU jurisdictions have laws which dispense with the rules of privity of contract: do you want a third party who is not a party to this contract taking a benefit?

Ten: “Look and feel”

So, you think this final point is trivial? While many agreements used in Europe have their roots in the US, it’s amazing how easy it is to spot a US agreement. Whether it is the lengthy paragraphs, references to “Sections” and not “Clauses”, CAPITALISATION, or simply the tone, a US agreement is easily identified. This is not always an issue but, if you’re a vendor competing with other European businesses or trying to get your own terms accepted in a battle of the forms scenario, “look and feel” counts.

In Europe, it’s not necessary to capitalise to ensure the effectiveness of clauses. Equally, if you’ve not fully localised, a single unenforceable clause or concept included within a large paragraph may cause the entire clause to fail. If you are not fully localising, sometimes breaking up concepts and clauses and considering severability counts.


There is lots to think about and the devil is in the detail. Striking a clear balance and making a determination based on the actual risk is important. Risks will vary depending on the circumstances. In a business-to-consumer context, more careful and more piecemeal localisation is typically required.

Ultimately, do you want to understand why a provision works effectively in the EU, or are you prepared to risk it?

Mark Webber, Partner – Fieldfisher (Palo Alto, California)





Local Digital Terrestrial Television Licensing Update

Posted on October 1st, 2014 by

In July 2011, the then Culture Secretary, Jeremy Hunt, set out his proposed framework for local television in the UK*, and the Local Digital Television Programme Services Order 2012 was passed amending the Broadcasting Act 1996 and the Communications Act 2003 to enable the provision of local digital television services.  Also passed were the Wireless Telegraphy Act 2006 (Directions to OFCOM) Order 2012, providing for spectrum to be kept available for the broadcast of local television services; and the Code of Practice for Electronic Programme Guides (Addition of a Programme Service) Order 2011, amending s.310 of the Communications Act 2003 to make local television services a ‘public service channel’, requiring them to be given preference along with the other public service offerings.

On 15th September Ofcom, which has responsibility for licensing local television stations, issued an update to summarise the progress made over the last two years – the headlines are that:

– 30 local television licences have been granted to a number of different organisations across the UK – these include not-for-profit community ventures, as well as commercial ventures involving TV production companies, local newspapers, and the education sector; and

– there are currently six local channels on air (in London, Nottingham, Glasgow, Norwich, Brighton & Hove, and Grimsby), broadcasting local services to a potential audience of 6 million viewers. Ofcom believes that, to date, around 6,400 hours of local programming has been transmitted.

A second phase of licensing is now underway**.

*The framework is available at http://goo.gl/LU9oSN

**For further information regarding the licensing of local television, see Ofcom’s website – http://stakeholders.ofcom.org.uk/consultations/local-tv/



The Smart Metering Implementation Programme – an update

Posted on September 15th, 2014 by

The latest report of the Public Accounts Committee on the preparations for the UK Smart Metering Implementation Programme was published on 10 September 2014.  The report provides an insight into the progress of the Programme along with recommendations on how to tackle a steadily growing list of potential issues.

The Smart Metering Implementation Programme is an initiative led by the Department of Energy and Climate Change which requires UK energy suppliers to replace existing gas and electricity meters in homes and small businesses with smart meters.  The cost of this (currently estimated to be £215 per household) will be passed on to consumers by energy suppliers via a small increase in energy bills over the course of several years, offset by increased savings to consumers as a result of their new found ability to keep track of and optimise their energy use.  Along with establishing the necessary infrastructure to facilitate the Programme, the Department of Energy and Climate Change has established the regulatory framework requiring suppliers to install the meters and to establish and fund a new central body whose role is to increase awareness of the Programme and promote long-term behavioural changes in consumers.

Although a number of potential issues are identified by the Committee, the two key concerns (besides predictable reservations over the increasing cost of the Programme) were as follows:

1. “The [Department of Energy and Climate Change] is primarily relying on assumed competition in the industry to control costs and deliver benefits. This may well prove insufficient on its own to protect consumers”; and

2. “There is also a danger that the Government gets locked into an existing technology when technologies are changing fast – leading to consumers paying for investment in a system which is already out of date.”

With regards to the latter, of particular concern to the Committee is that certain aspects of the Programme could be out-of-date by the time it is fully rolled out. The example given in the report to illustrate this is that of the in-home displays which allow consumers to view real time data of their energy usage becoming redundant even before they’re installed owing to the increasing likelihood that such a function could be carried out using a consumer’s smart phone instead.

The UK-wide roll-out is currently pencilled in to be completed by the end of 2020.