Now more than ever, technology is influencing the way we do business, communicate, move through and around the world, access and manage our homes, receive and administer healthcare, make purchases, secure information, and protect our most valuable property. Morrison Foerster keeps pace with this rapidly evolving landscape across our internationally recognized corporate, finance, intellectual property, and litigation practices. MoFo Tech brings together our insights relating to fields such as blockchain and distributed ledger, cloud and as-a-service technologies, driverless cars, drones, fintech, computer hardware and software, the Internet of Things, semiconductors, and telecommunications. The MoFo Tech blog offers real-time, in-depth analyses of the trends and complex issues shaping the global technology industry.<h2>ABOUT MORRISON FOERSTER</h2>Morrison Foerster is a leading global law firm that transforms complexity into advantage for its clients. Our clients include some of the largest financial institutions, banks, consulting and accounting firms, and Fortune 100, technology, and life sciences companies. Highlighting the firm’s commitment to client service, leadership in market-changing deals and impact litigation, and values-based culture, Morrison Foerster has been repeatedly recognized as one of the top 10 firms on The American Lawyer’s A-List. Year after year, the firm receives significant recognition from Chambers and The Legal 500 across their various guides, including Global, USA, Asia‑Pacific, Europe, UK, Latin America, and FinTech Legal. Our lawyers passionately care about delivering legal excellence while living our values. Morrison Foerster has a long-standing commitment to creating a culture that respects and celebrates differences, while providing an inclusive environment. The firm has achieved Mansfield Certification Plus since 2018 as a result of successfully reaching at least 30 percent women, communities of color, and LGBTQ+ lawyer representation in a notable number of current leadership roles and committees. The firm also has a long history of commitment to the community and society through providing pro bono legal services, including litigating for civil rights and civil liberties, improving public education and fostering the wellbeing of children, advocating for veterans, promoting international human rights, enforcing the right to asylum, and safeguarding the environment.

Social

Search

testimage.jpg

MoFo Tech

Scott Llewellyn’s practice focuses on complex litigation in federal and state courts around the country, with an emphasis on patent and trade secret disputes. Over the past decade, he has worked on some of the most significant, high–profile IP cases involving technology for televisions, smartphones, and self–driving cars, relying on 40 years of experience with computer hardware and software. Scott also has significant experience with business divorce cases before courts and arbitrators, involving a mix of trade secret, patent, tort, and contract claims relating to technology development and implementation.Scott also has successfully tried general commercial arbitration and agency matters, briefed and argued various appeals in federal appellate court, and tried more than 20 cases for the Denver City Attorney’s office, most of them jury trials.Scott also has an active pro bono practice, having worked on a variety of criminal and immigration appeals, and having represented Colorado criminal defense and mental health organizations in high–profile suits against the state of Colorado for violations of the constitutional rights of defendants.At MoFo, Scott serves on the board of the Morrison & Foerster Foundation. In the broader legal community, he serves on the boards of the Colorado Lawyers Committee and Drop in the Bucket (a charity that builds wells and sanitation systems in sub–Saharan Africa).After law school, Scott clerked for the Honorable Clarence A. Brimmer, District of Wyoming, and the Honorable Diarmuid F. O’Scannlain, Ninth Circuit. He was also previously an adjunct professor at the Georgetown University Law Center.

llewellyn_scott_blog_150x150.png

llewellyn_scott_common_640x280.jpg

llewellyn_scott_heroretina_2700x1160.jpg

llewellyn_scott_mobileretina_750x1040.jpg

llewellyn_scott_social_600x600.jpg

Partner

Scott Llewellyn’s practice involves complex litigation before state and federal courts around the country, with an emphasis on patent and trade secret disputes for high-tech companies, to which he brings more than 35 years of experience with computer hardware and software, in particular relating to the processing and transmission of audio, video, voice, and other types of data. Mr. Llewellyn has also tried commercial arbitration and agency matters; briefed and argued various appeals in federal appellate court; and tried more than 20 cases for the Denver city attorney’s office, most of them jury trials.

Scott F. Llewellyn

favicon.ico

favicon-16x16.png

favicon-32x32.png

apple-touch-icon.png

MoFo Favicons

MoFo Tech brings together legal insights and in-depth analyses on trends and complex issues shaping the global technology industry, covering fields such as blockchain and distributed ledger, cloud and SaaS technologies, driverless cars, drones, FinTech, computer hardware and software, the IoT, semiconductors, and telecommunications.

Mofo Tech testimage

Announcements

Welcome to the MoFo Tech Blog

Blog - Blog Disclaimer

Blog - Terms of Use

Blog - Privacy Policy

Blog - Attorney Advertising

morrison-foerster-blog-logo.png

Provides insights and reports on the most current class actions lawsuits and product liability issues that affect consumer-facing companies.

Class Dismissed Blog

Class Dismissed

In-depth analysis of developments and trends impacting government contracting.

Government Contract Insights Blog

Government Contract Insights

Government Contracts Insights Blog

Govcon

News and thought leadership from lawyers who are adding value to the legal profession and the communities we call home.

  External-Link

MoFo + Blog

MoFo+ Together

MoFo Tech brings together legal insights and in-depth analyses on trends and complex issues shaping the global technology industry, covering fields such as blockchain and distributed ledger, cloud and SaaS technologies, driverless cars, drones, FinTech, computer hardware and software, the IoT, semiconductors, and telecommunications.

MoFo Tech

  Linkedin

MoFo LinkedIN

MoFo Tech Blog - RSS

Stay Connected

At the Intersection of Technology, Law, and Business

At the Intersection of Technology, Law, and Business

Morrison Foerster - Footer

Blogs -  Home Button

Home

Blog - Topics

Telecommunications

Topics

Blog - Editors

Editors

Blog - About

About

Blog - Subscribe

Subscribe

More

Scaling Success, Powering Innovation – Exploring #NYTechWeek

Subject Matter Eligibility of AI Medical Treatments

Bipartisan Coalition Of State AGs Oppose Ten-Year AI Regulation Ban

Data Privacy at the Crossroads of AI and Life Sciences: U.S. and EU Perspectives

Patent-Eligibility Considerations & Prosecution Strategies for AI-Based Life Sciences Patent Applications

LinkedIN

With brexited UK announcing that it will not join Europe’s long-awaited Unified Patent Court (UPC), the establishment of an efficient pan-European patent litigation system faces ever‑mounting challenges. Last Friday, the German Federal Constitutional Court declared that the German Act of Approval of the UPC Agreement void due to violations of the principle of due process and the rule of law. Under the multinational UPC Agreement and related acts, the participation of both countries, in addition to France, is mandatory for the UPC to come into existence. As the hotspots of European patent litigation, these recent actions by the UK and Germany raise doubts whether the UPC will ever successfully launch. Read our <a href="https://www.mofo.com/resources/insights/200334-europes-unified-patent-court.html?utm_source=publication&utm_medium=email">client alert.</a>

schonig_wolfgang_blog_150x150.png

schonig_wolfgang_common_640x280.jpg

schonig_wolfgang_heroretina_2700x1160.jpg

schonig_wolfgang_mobileretina_750x1040.jpg

schonig_wolfgang_social_600x600.jpg

Wolfgang advises clients on contentious and non-contentious matters involving their most valuable intellectual property assets in the digital, high-tech, life sciences, and pharmaceutical industries.

Wolfgang Schönig

Wolfgang Schönig is a partner of Morrison Foerster (International) LLP based in our German office in Berlin. His practice specialty is advising on IP aspects relative to transactions in, among others, the life sciences, AgTech and pharmaceuticals industry, as well as legal representation in IP disputes. Wolfgang is specialized in research and development collaborations, complex licensing agreements, technology acquisitions, know-how protection strategies, and employee invention law.

grohmann_robert_blog_150x150.png

grohmann_robert_common_640x280.jpg

grohmann_robert_heroretina_2700x1160.jpg

grohmann_robert_mobileretina_750x1040.jpg

grohmann_robert_social_600x600.jpg

Counsel

Robert advises companies from the technology and life sciences sectors on a wide range of commercial, intellectual property (IP) and regulatory matters. His clients range from multinational corporations to startups and scaleups.

Robert Grohmann

Robert Grohmann is counsel at Morrison Foerster’s German office in Berlin. As a member of the technology transactions group, he focuses on advising domestic and foreign companies and startups in all areas of technology and IP law, including patent and software licensing, employee inventions law, as well as know-how protection. Moreover, Mr. Grohmann’s expertise encompasses the judicial and extra-judicial representation in matters of trademark law, design law, and competition law.

mofotechblog-ip-600x295-lightbulb.jpg

Hard Knocks Keep Coming for Europe’s Unified Patent Court

Supreme Court Restricts the Extraterritorial Reach of U.S. Patent Law for Exported Goods

121901743

With brexited UK announcing that it will not join Europe’s long-awaited Unified Patent Court (UPC), the establishment of an efficient pan-European patent litiga

Hard Knocks Keep Coming for Europe’s Unified Patent Court

European Union

A White Paper on Artificial Intelligence (AI) from the European Commission provides insight on how governments might change product safety and liability rules to address the issues arising from AI systems.Five years ago, the European Commission (EC) established a key policy agenda designed to deliver significant legal changes to the “Digital Single Market” by 2019.  That agenda led to a series of material regulatory changes across the EU.Now, the EC has established the creation of a “Europe fit for the digital age” as a key political goal and has published a series of documents intended to shape Europe’s digital future.  Two of these documents relate to AI systems: a white paper titled “On Artificial Intelligence – A European approach to excellence and trust” and a report on the safety and liability implications for AI, the Internet of Things and robotics (the “Reports”).Among other issues, the Reports discuss new proposals for changing the regulatory framework on product safety and liability in the EU to address the changes brought by AI systems.Read our <a href="https://www.mofo.com/resources/insights/200323-liability-rules-ai.html">client alert</a> in which we explore:<ul><li>The current European rules on product safety and liability;</li><li>Recommendations established by the European Commission in relation to AI product safety and liability; and</li><li>The actions that organizations should take in response to these recommendations.</li></ul>

Autodesk

HM Revenue and Customs

Home Office, Department for Communities and Local Government, Department of Health

Intel

ITworx

lastminute.com

NYSE-listed health tech company

One of UK's largest public EV charging networks

Phoenix Group

Telenor

UK Border Agency

maughan_alistair_blog_150x150.png

maughan_alistair_common_640x280.jpg

maughan_alistair_heroretina_2700x1160.jpg

maughan_alistair_mobileretina_750x1040.jpg

maughan_alistair_social_600x600.jpg

Senior Counsel

Alistair Maughan co-leads Morrison & Foerster's European Technology & Commercial Practice.

Alistair Maughan

Alistair advises on the deployment of new technology platforms involving, for example, the internet of things, AI and machine-learning, and blockchain and distributed ledger technology.

samavi_mercedes_blog_150x150.png

samavi_mercedes_common_640x280.jpg

samavi_mercedes_heroretina_2700x1160.jpg

samavi_mercedes_mobileretina_750x1040.jpg

samavi_mercedes_social_600x600.jpg

Of Counsel

Mercedes Samavi is an associate based in the London office of Morrison & Foerster and a member of both the Technology Transactions Group and the Global Privacy Group.
Mercedes advises domestic and int

Mercedes Samavi

alam_danial_blog_150x150.png

alam_danial_common_640x280.jpg

alam_danial_heroretina_2700x1160.jpg

alam_danial_mobileretina_750x1040.jpg

alam_danial_social_600x600.jpg

Associate

Dan Alam is a member of Morrison Foerster’s Global Privacy + Data Security and Employment + Labor Groups, based in London.

Dan Alam

mofotechblog-software-600x295-tunnel.jpg

Changing the Safety and Liability Rules on AI – What is the European Commission planning?

Don’t Get Caught by the Phisherman’s Hook This Tax Season

507065943

A White Paper on Artificial Intelligence (AI) from the European Commission provides insight on how governments might change product safety and liability rules t

Changing the Safety and Liability Rules on AI – What is the European Commission planning?

Artificial Intelligence

The European Patent Office has denied two patent applications on the grounds that an AI system cannot be listed as the inventor. For the first time, the European Patent Office (EPO) has issued a ruling on its approach to patent applications that designate artificial intelligence (AI) systems as inventors. In January 2020, the EPO published its reasons for rejecting two patent applications where the inventor named on the applications was an AI system called “DABUS.” The UK Intellectual Property Office (UKIPO) has also rejected the applications on similar grounds.  What did DABUS “invent”?The “Artificial Inventor Project,” a group of patent attorneys, filed two patent applications at the EPO covering inventions that were supposedly “invented” by DABUS, an AI system developed by Dr. Stephen Thaler (the “Applicant”). One application was directed to a light emitting device that could be used as an emergency signal beacon and the other was directed to a food container device.Patent applications for these inventions were also filed at the UKIPO and the U.S. Patent and Trademark Office (USPTO).  The decisions of the EPO and UKIPOThe EPO and the UKIPO both addressed three key issues in their decisions:<ol><li>Can an AI system be named as an inventor in a patent application?</li></ol>The EPO and the UKIPO respectively applied the formal requirements of the European Patent Convention (EPC) and the UK Patents Act (UK PA), both of which require an inventor to be a named person. The EPO went one step further, stating that the requirement for an inventor to be a named person appears to be an international standard, citing a study that it had conducted on the concept of AI inventorship in multiple countries.While the UKIPO acknowledged that the idea of an AI inventor had not been contemplated when either the EPC or the UK PA was drafted, because the wording of the UK PA is clear and no other court had supported the concept of an AI inventor, the UKIPO was unable to decide that an inventor could be anything else besides a “natural person.”<ol><li>Would naming a natural person as an inventor mislead the public?</li></ol>Before the EPO, the Applicant argued that incorrectly listing a human as the inventor would mislead the public. The EPO rejected this argument, stating that the EPO does not verify the accuracy of named inventors. The EPO also pointed out that, because the application would be published, any member of the public could question or challenge its contents in national courts. <ol><li>Can an AI system transfer the right to apply for a patent to its owner? </li></ol>The Applicant argued that he obtained the right to apply for the patents from DABUS. However, both the EPO and UKIPO rejected the idea that a machine or AI system could own any intellectual property rights. If an AI system is unable to own any intellectual property rights, then it is unable to assign or transfer such rights to its owner.Will these decisions discourage the distribution of information about innovations involving AI?The UKIPO considered this point, but decided that the dissemination of information about innovations involving AI may occur in a number of ways, not just through the publication of a patent application or patent.Additionally, the UKIPO noted that recognizing an AI system as an inventor would not affect the likelihood that information about AI innovation would be available to the public because this decision would ultimately be made by the owners or developers of the AI system.What happens next?Currently, it appears that an inventor must be a named human person for a patent application filed at the EPO and the UKIPO.However, the UKIPO observed, in its decision, that the present patent system may not properly cater to inventions by AI systems, and encouraged a wider debate on this issue.As the Applicant has the right to appeal both decisions, higher courts may provide additional guidance on this issue in the future.The USPTO has not rejected these applications. On August 27, 2019, the USPTO published a Notice in the Federal Register requesting information from the public on AI patent-related issues, including whether current patent laws and regulations regarding inventorship need to be revised to take into account inventions where an entity or entities other than a natural person contributed to the conception of an AI invention or any other invention.London-based Trainee Solicitor, Danial Alam, contributed to the writing of this article.

yuan_anna_blog_150x150.png

yuan_anna_common_640x280.jpg

yuan_anna_heroretina_2700x1160.jpg

yuan_anna_mobileretina_750x1040.jpg

yuan_anna_social_600x600.jpg

Anna Yuan’s practice focuses on patent prosecution, IP due diligence, post-grant proceedings, and IP litigation support. 

Anna Yuan

mofotechblog-regulatory-600x295-computer-key.jpg

Can AI Be an Inventor? Not at the European Patent Office.

Biometric Information as Personal Information In A Brave New World of Regulatory Compliance

mofotechblog-regulatory-600x295-computer-key

The European Patent Office has denied two patent applications on the grounds that an AI system cannot be listed as the inventor. 
For the first time, the Europe

Can AI Be an Inventor? Not at the European Patent Office.

The UK has announced that it will not implement a key change in the EU copyright regime after Brexit. As a result, for affected businesses, consistent Europe-wide digital compliance in the post-Brexit era just became a little bit harder.The EU Digital Copyright Directive imposes greater obligations on online content-sharing platforms to avoid users’ uploading copyright infringing content. The UK’s position means that its post-Brexit liability regime will be more favorable to content-staring platforms than in the remaining 27 EU member states.Three and a half years after the UK’s referendum, <a href="https://www.mofo.com/resources/insights/200124-brexit-withdrawal-agreement.html?utm_source=publication&utm_medium=email">Brexit has finally become a reality</a>. Given the protracted negotiations around the UK’s decision to leave the EU – and with a minimum 11-month transition period – you could be forgiven for thinking that it could take a while before UK law would begin to diverge from the EU in any material way. However, the UK now seems to be embracing its legislative freedom before Brexit has even arrived, by changing its position in relation to one of the EU’s most controversial recent laws.As we have previously reported, the EU approved a new Digital Copyright Directive in 2019 after a long and controversial legislative process. Now, however, a UK government minister has announced that the UK “has no plans” to implement that Directive. This means that the UK will have a different liability regime than the EU for uploaded or online content which infringes a third party’s copyright. Perhaps not coincidentally – given the need for the UK to negotiate new trade deals with key global partners (especially the United States) – the UK’s liability regime will be more friendly to technology service providers and operators of online platforms.Under the Digital Copyright Directive, online content sharing service providers (“OCSPs”) are required to take greater responsibility for infringing content that is shared on their platforms.  The so-called “content filtering” provision (originally Article 13, now Article 17 as passed) in the Directive was fiercely opposed by many technology providers – and was even criticized by the current UK prime minister as being “terrible for the internet”. Despite the opposition (and with the UK’s active support), the Digital Copyright Directive passed and must be implemented in the 27 remaining EU member states by June 2021.Here is a summary of the key takeaways in relation to this provision:<ul><li>Any online content-sharing service providers must obtain licences from copyright holders before hosting or otherwise making available any copyright-protected materials on their service.</li><li>If an OCSP makes available copyright-protected materials without a valid licence, in order to avoid liability for user-generated content that’s uploaded and that turns out to infringe copyright it must demonstrate that:</li></ul><div><ol><li>it made “best efforts” to obtain permission from the copyright holder; </li><li>it made “best efforts” to make specific copyrighted works or material unavailable, if so requested by the rights holder; and</li><li>it acted expeditiously upon receiving notice from the relevant rights holder to remove or block access to the infringing material, and made “best efforts” to prevent future uploads of that material – the latter being known as the “stay down” obligation.</li></ol></div><ul><li>Smaller businesses (meaning, OCSPs whose services have been available in the EU for less than three years and that have an annual turnover of less than €10 million) are only required to demonstrate that they made “best efforts” in relation to obtaining authorization from the copyright holder, and acted expeditiously in removing or blocking access to the content – so while there is still a “take down” obligation, there is no “stay down” requirement. </li><li>Despite the above “softening” of this provision, the requirement to use “best efforts” to avoid liability is still a high threshold that many OCSPs may struggle to meet.</li><li>After receiving backlash for the potential impact on legitimate acts of expression (such as the creation of GIFs or memes), this provision was amended in 2019 to carve out exceptions for “purposes of quotation, criticism, review, caricature, parody and pastiche”. </li></ul><div>The UK’s decision not to implement the Directive will mean that the UK will maintain a much lighter-touch approach than the EU to online copyright infringement – i.e., there is no ‘stay down’ obligation, and liability would only accrue to an online hosting platform that goes beyond merely acting as a “conduit,” “cache” or “host” of information. Essentially, this means that passive online service providers that operate without actual knowledge of infringing content on their services are likely to escape liability for copyright infringement, as long as they act expeditiously in taking down that content if and when they do gain actual knowledge of the content. Online platforms will not be under a general obligation to monitor content that they transmit or store (and, indeed, may lose the protection of the above carve-outs, if they did choose to monitor the content and came across infringing content that they did not take down expeditiously).By diverging from the EU position to retain more technology-friendly digital compliance standards, the UK is sending a clear message that it intends to remain “open for business” post-Brexit. Other EU Member States will have until June 7, 2021 to implement the Digital Copyright Directive into domestic legislation but the UK, which will have left the EU by then, will not be one of them.</div>

One of UK’s largest public EV charging networks

ashcroft_sana_blog_150x150.png

ashcroft_sana_common_640x280.jpg

ashcroft_sana_heroretina_2700x1160.jpg

ashcroft_sana_mobileretina_750x1040.jpg

ashcroft_sana_social_600x600.jpg

Sana Ashcroft is an associate based in the London office of Morrison & Foerster and is a member of the Technology Transactions Group.
Sana advises on a wide range of domestic and cross-border commerci

Sana Ashcroft

Un-Levelling the Playing Field: The UK Declines to Implement the New EU Copyright Law

The UK has announced that it will not implement a key change in the EU copyright regime after Brexit. As a result, for affected businesses, consistent Europe-wi

Un-Levelling the Playing Field: The UK Declines to Implement the New EU Copyright Law

What are the real data protection issues?The fact that BC, both public and private, is inherently transparent and immutable may clash with data minimization principles and may make it impossible to respond to rights of individuals to have their data corrected or deleted. BC is further, by definition, unable to forget; as a result, the right to be forgotten will be impossible to enforce. The transparency and immutability issues can, to a large extent, be addressed by implementing innovative privacy‑by‑design measures (see below for examples). Noteworthy is that these innovations are not necessarily triggered by privacy considerations, but mostly out of efficiency considerations.In its most basic form, BC can be used to store plain text information on the ledger, which information can be accessed by those who have read rights. Storing all information on BC takes up a large amount of space on BC and takes a lot of energy both to run and cool the machines. Block space can be saved by separating (segregating) the signature (‘witness’) information from the transaction data (the ‘payload’), so the network can increase the transactions processed. These measures may also, to a certain extent, mitigate transparency issues.The immutability of BC further does not sit well with, for example, smart contracts in more complex transactions (as contracts often have to be amended for unforeseen circumstances); with technological malfunction, including in case of interference by hackers; and, more generally, with human error (known to lose their BC private key). Solving these issues will require solving the immutability of BC, which may also solve the issue of being able to respond to requests of individuals for deletion and the right to be forgotten. Immutability is not always an issueAs a side note, we mention that the immutability of BC is not always an issue. For certain applications (in particular, in case of public registries), immutability is actually a requirement. Illustrative here is the judgment of the European Court of Justice (ECJ) in the Manni case. The plaintiff (Mr. Manni) requested deletion of his personal information from the Italian public company register, where information on his prior bankruptcy was recorded. He argued that this record in the company register was widely reused by data brokers, and as a result, his reputation was prejudiced, having a detrimental effect on his new business. The ECJ balanced the public interest in the legal certainty in trade and transparency of business information in the company register with the fundamental right to data protection and concluded that, in this case, the interference with the right to data protection was not disproportionate, taking into account the limited amount of personal information held in the company register. In line with the above ruling, registering limited personal data in a BC for public registers like land ownership, trademark ownership, and company registers may, therefore, be justified. The above case entails that a balancing of interests should be made for each BC application. For other use cases, the balancing test may conclude that BC will not be suitable, as the impact on data protection will be disproportionate. An example of the latter would be if BC would be applied to provide air passengers with expedited access through the airport, while also recording all money spent in shops and restaurants at airports, subsequent transport, and accommodations on the BC for purposes of a loyalty program. Using BC for the commercial loyalty program would likely be disproportionate.  Privacy-by-Design OptionsLimit ledger storage. The original Bitcoin BC stores the full ledger on every node, making it impossible to make changes to prior blocks and thus providing an indisputable ledger for all prior transactions. However, this also means that the personal data included on the ledger is shared with a large number of nodes (Bitcoin has approximately 9,500 nodes). Storing so many instances of personal data is at odds with the data minimization principle of GDPR, which requires access to personal data to be limited to the fewest possible recipients.A privacy-by-design solution is to no longer store the entire ledger on all nodes. In most Bitcoin instances, the validity of a new block is verified by a consensus mechanism. This means that the creator of the block provides a unique hash of the information. The nodes make the same mathematical equations and, if the outcome of this hash is the same, the block is verified. This requires the nodes to have access to the information included on the block. However, the nodes would still be able to fulfill their verification function if they deleted the information after verification. This would increase the confidentiality of the personal data included on the block and, at the same time, has economic advantages. If each node has to store a full copy of the ledger, a large amount of storage capacity is required, which, in turn, requires a large investment in data storage and uses a lot of energy. Therefore, storing the ledger in one (or a few) instances, rather than on every node, has both privacy and economic advantages.Pruning. Most BC applications store all transactions since the start of the chain, dating back to the ‘genesis block’, which means that all transactions on that BC are stored infinitely (and, as set out above, are sometimes stored on all nodes). Storing data infinitely is, by definition, at odds with GDPR’s data minimization requirement but also brings ever-increasing storage requirements. For example, during a stress test, the size of the BC of an Ethereum client increased to 40 gigabytes in the first three months of the test.A privacy-by-design solution to this storage issue is pruning, which enables the node to verify a new block without processing historical transactions by having the node download as many block headers as it can and determine which header is on the end of the longest chain. Starting from this header on the longest chain, the node goes back 100 blocks to verify that the chain matches up. Because this verification process removes the need for retaining the entire chain history for verification purposes, this allows for the removal of unused blocks, which drastically lowers the required storage and implements data minimization into the BC. To ensure that no data is lost, the unused blocks can be stored in one or more archive nodes, which store all data just in case the rest of the network needs them in the future, but the ‘active’ nodes no longer have to process these archived blocks.Privacy-friendly consensus. A privacy-by-design solution for the infinite storage issue is the concept of non-interactive zero‑knowledge proof, which makes it possible to verify the correctness of a computation, e.g., a hash, without having to execute the computation or even learning what was executed. For example, the proposed currency Zerocoin works as follows. When a coin is purchased, a serial number is attributed to the coin, which can only be revealed using a random number. Using these two numbers, a user can generate a zero-knowledge proof for the fact that the user knows both the serial number and the random number. This zero‑knowledge proof can then be verified by the network without having access to the coin’s serial number or the random number.The potential use of zero-knowledge proof is not limited to the transfer of coins using BC but can be used to verify any computation without having access to the underlying information. This enables nodes to reach consensus on a new block without accessing the information on that block, and thus without sharing the personal data included on that block with the nodes.Editable BC. A more radical approach that solves a number of BC data protection issues is the editable BC, for which Accenture has been awarded a patent. The editable BC uses the ‘chameleon’ hash function, which allows for changing the underlying information without changing the outcome of the hash function. This allows for changes to the underlying information for which the hash is already included on the BC, which makes it possible to correct (human) error or intentional (fraudulent) inaccuracies on the BC. This would allow for the execution of individuals’ rights under GDPR, e.g., to correction and to be forgotten.Solving the immutability of BC comes at a price. To a large extent, the trust in a BC application relies on the network’s consensus on the content of a block and the immutability of the content thereafter. When removing this immutability, other measures should be implemented to retain (or gain) sufficient trust in the BC application for individuals and organizations to use it as a record of their transactions. The trust in a BC application could be retained if, for example, only a single trusted entity can make these changes, similar to the fact that only governments can make certain changes to governmental public registries. A different solution could be to implement a very strict change management procedure, which could include a consensus mechanism that verifies the legitimacy of a change. In any event, changes will have to be strictly logged to ensure that changes can always be reviewed and explained in the future.BC ‘self-sovereign’ identity management. The well-known use cases of BC are mostly focused on administering transactions, but BC can also be deployed for privacy enhancing purposes, for example, by facilitating ‘self-sovereign’ identity management. In the offline world, an individual’s identity is mostly established by verifying an individual’s driver’s license or passport. The strength of this system follows from a trusted central governmental authority that provides these proofs of identity. However, because the online world does not follow the national boundaries of the offline world, it is difficult to appoint such a trusted centralized authority for an online proof of identity. By now, there are many initiatives to provide individuals with a digital identity. An example of how BC can be deployed for online identify management is the initiative of Microsoft and Accenture providing a BC-based solution designed to allow individuals with direct control over who has access to their personal data. Rather than all service providers each collecting and storing the personal data required for providing services to an individual, the personal data are stored off-chain, and the system only calls on these data when the individual grants access, whereby access can be limited both in scope and in time. For example, when an individual needs to prove his or her identity when renting a car, the access to the identifying information can be limited to what is necessary to provide this proof and for a short period of time only.Decentralized identity management has a number of benefits. From a privacy point of view, it enables individuals to take back control over their digital identity, coined the ‘self-sovereign identity’. Currently, many individuals are, for example, not aware of the use of their digital identity and personal data, e.g., for advertising purposes. By using a decentralized identity system, individuals would be able to decide who to give access to which information, for which period of time. A single decentralized identity system also has economic benefits. Right now, a large number of companies are storing similar information about the same individuals. A decentralized identity management system makes this duplicated storage obsolete and ensures that companies have access to up‑to‑date information on an individual, insofar as the individual wants the company to have such access.Read <a href="https://mofotech.mofo.com/topics/why-blockchain-is-not-inherently-at-odds.html" target="_blank">Part 1</a> of this post.Read more about <a href="https://media2.mofo.com/v3/assets/blt5775cc69c999c255/bltec64345cb0bd32d9/627317cab5ad5f2863c59630/191019-blockchain-data-protection.pdf" target="_blank">the interplay of blockchain and data protection from Dr. Moerel</a>.Note: This blog is a summary version of a full publication of Lokke Moerel published in European Review of Private Law 6-2019 [825 – 852] and in The Cambridge Handbook of Smart Contracts, Blockchain Technology and Digital Platforms (September 2019).

moerel_lokke_blog_150x150.png

moerel_lokke_common_640x280.jpg

moerel_lokke_heroretina_2700x1160.jpg

moerel_lokke_mobileretina_750x1040.jpg

moerel_lokke_social_600x600.jpg

Senior Of Counsel

Among the world’s best-known privacy and cybersecurity advisers, Lokke Moerel is regularly called upon by some of the most sophisticated multinational organizations to confront their global privacy and ethical challenges. Lokke routinely offers guidance to clients when implementing new technologies and digital business models and assists them with their global cybersecurity incident response and regulatory investigations.

Lokke Moerel

Lokke Moerel is among the world’s best-known privacy lawyers. She advises companies on their global information handling governance, strategy, and compliance. “An authority on data protection matters” (Chambers 2014), Lokke is consistently ranked as a leader in data protection law in Chambers Global and Legal 500. She is also professor of global ICT law at Tilburg University, member of the Cyber Security Council of the Netherlands, the advisory body of the Dutch cabinet, and member of the Board of Trustees of WWF International.What do you like best about your work? I enjoy thinking about the data privacy issues and ethical dilemma’s presented by the new technologies, and helping companies decide on how to tune them and implement on a global basis, in an emerging regulatory environment.What do you enjoy doing in your free time? Travel with my husband and three children, the modern arts, but most of all, a good book!What individual most inspired you, and why? In my former EU-based firm, there were no female role- models (I was the first female partner with children) and partners step out at age 55. After moving to MoFo, I met women years older than me and fully at the forefront of their field. What an inspiration! I still have a whole career in front of me.

storm_marijn_blog_150x150.png

storm_marijn_common_640x280.jpg

storm_marijn_heroretina_2700x1160.jpg

storm_marijn_mobileretina_750x1040.jpg

storm_marijn_social_600x600.jpg

Marijn Storm specializes on the intersection of law and technology, with a focus on cutting-edge technologies, such as (generative) artificial intelligence (AI) and large language models, ethical tech, and biometrics. 

Marijn Storm

191008-mofo-tech-blockchain-2.jpg

Why Blockchain is not inherently at odds with GDPR - Part 2

Why Blockchain is not inherently at odds with GDPR - Part 2

191008-mofo-tech-blockchain-2

What are the real data protection issues?
The fact that BC, both public and private, is inherently transparent and immutable may clash with data minimization pr

Privacy + Data Security

“In an almost direct clash of intentions, the GDPR has effectively banned the use of blockchain technology in Europe because of its immutable nature.” – ForbesSummaryThe current perception is that blockchain is not compatible with GDPR. We disagree that this is the case and explain why none of the issues identified by legal scholars and stakeholders are likely to pose issues for blockchain applications. Our conclusion is that GDPR is well able to regulate this new technology.Current perceptionThe current conception amongst industry stakeholders is that blockchain (BC) is not compatible with GDPR, resulting in a call for urgent revision right after GDPR came into force. The concerns are fed by public statements of Jan-Philipp Albrecht (the MEP responsible for coordinating the Parliament’s input for GDPR) that BC “probably cannot be used for the processing of personal data” and the CNIL cautioning in draft guidelines that public BC may not be the most appropriate technology for the processing of personal data and that priority should be given to other processing solutions that can achieve the same purpose. As the same results currently can always be achieved with another solution, this is a difficult standard to meet. The above conception is fed by recent in-depth publications on the data protection aspects of BC, which indeed paint a grim picture: the characteristics of public BC would be “on a collision course” and “profoundly incompatible at a conceptual level” with GDPR.What are the issues?GDPR requires identification of a central ‘controller’ who is responsible for compliance with GDPR, while a public BC decentralizes the storage and processing of personal data, as a result of which there is no such central point of control. For lack of a better alternative, the authors conclude that all ‘nodes’ involved in operating a BC qualify as a controller under GDPR, raising enforcement and jurisdictional issues that make it impossible for individuals to enforce their rights. The transparency and immutability of a public BC would further not sit well with principles of data confidentiality, data minimization, data accuracy, and the rights of individuals to correction and deletion of their data.A different perspectiveWe disagree with this analysis. The main reason is that the authors focus on the shortcomings of the initial public (Bitcoin) BC when many new types of permissioned private and consortium BC already have been developed that significantly diverge from the original, permissionless public BC. In fact, these types of permissioned BC have been developed exactly in response to the shortcomings of public BC. The authors further consider the data processing implications of BC as if this technology itself constitutes a data processing activity for which a controller has to be identified. Controllership is, however, decided based on a specific use or deployment of a certain technology. BC, like the internet, is a general purpose technology (GPT) that is subsequently deployed by actors for a certain purpose in a specific context. We will explain below why none of these identified issues are currently hampering application of the GDPR to the internet and are equally unlikely to pose issues for BC applications.The conclusion is that GDPR is well able to regulate this new technology. This does not, however, mean that BC will thus be suitable for all use and deployment cases.Intermediaries will not become obsoleteWe consider it highly unlikely that BC will make intermediaries obsolete; rather, it will replace the current intermediaries. The BC revolution is well described by the World Economic Forum (2017 report), indicating that where the last decades brought us the internet of information, we are now witnessing the rise of the internet of value, whereby we can send money and soon any form of digitized value – from stocks and bonds to intellectual property – directly and safely between us.As BC is about value (rather than just ‘information’), and therefore whether someone has ownership of money, stocks, houses, or not (as evidenced by the BC), the participants will insist that their stakes be safeguarded before the BC will be trusted. The prediction, therefore, is that, whenever BC applications are built for evidence and transfer of value, there will always be a set of governance rules reflecting the terms agreed by the participants of the ecosystem to regulate their relationship. The first examples indeed show new entities being set up mostly as a consortium (often including or funded by incumbents, such as banks), which are in charge of the governance of the BC platform, as well as separate entities operating a BC application on top of the BC platform for specific ecosystems. These BC are permissioned, in the sense that they implement membership rules that determine which parties have read or read/write authorization. To avoid jurisdictional and enforcement disputes, these rules will provide who the responsible entity is, as well as a choice of law and forum. The jurisdiction and enforcement issues raised by the authors, therefore, are likely not a realistic reflection of how these issues will be encountered in practice. The controller issue is solved as, in any event, this central entity deciding on purposes and means of the BC platform will qualify as the controller under GDPR. The entities operating the BC application on top of the BC platform will also qualify as controllers in their own right (potentially jointly with the controller of the BC platform).Deja VuWe here recall that early predictions in respect of the internet foresaw similar enforcement and jurisdictional issues. Every encounter of consumers in cyberspace would raise the possibility that diverse laws would apply and multiple courts would have jurisdiction, and a myriad of court cases was predicted. Contrary to these early expectations, there have been only isolated court cases dealing with online cross-border consumer disputes. One of the explanations is that stakeholders quickly found practical work-arounds in the form of contractual self-regulatory systems. Examples are the use of credit cards for online payments, which bring their own dispute resolution system, and the emergence of large intermediaries like eBay, which was at first just regulated by the ratings and review consumers could post, but later introduced full‑fledged dispute resolution. Also, here the old intermediaries (retailers) were replaced by new intermediaries, again generating the required trust to do business. In fact, it is fair to say that there is very little happening on the internet that is not governed by some form of contract. The use of websites is regulated by their website , online purchases are governed by purchase terms, access to the internet is governed by the terms and conditions of ISPs, App stores have their own Terms & Conditions (“T&Cs”), search functionality is governed by the T&Cs of the provider of the search engine, etc. As happened with the internet, it is a justified expectation that the stakeholders involved in BC will implement their own contractual self-regulatory mechanisms to ensure adequate dispute resolution.GDPR applies to the use of a technology, not the technology itselfThe authors try to determine controllership in respect of BC technology at large, which would indeed raise the identified issues. Controllership is, however, decided based on a specific use or deployment of a certain technology. BC, like the internet, is a GPT that is subsequently deployed by actors for a certain purpose in a specific context. None of the issues raised by the authors have hampered the development of the internet, for the simple reason that controllership is not decided based on the technical level of operation of the relevant technology, but is based on who deploys this technology for a certain purpose. For example, a website owner uses the internet to offer its website. It is the website owner who qualifies as the controller in respect of the processing of any personal data via the website and not the operator of the technical infrastructure.GDPR does not impose requirements on designers of technologyGDPR includes an obligation for the controller to set up data processing functions on the basis of privacy-by-design (Article 25 GDPR). GDPR does not impose this requirement on providers of software and infrastructure that are used to process personal data. As a consequence, individual controllers need to expressly instruct each of their technology suppliers to provide software and infrastructure that incorporate privacy-by-design in order to meet their controller obligations.Although this indirect manner of regulating seems inefficient, the reality is that for technology developers, it is often difficult to foresee all possible deployments of their technology. As a consequence, it is difficult to implement all requirements into their product from the outset. It is often in the feedback loop of the users, customers, or society at large when the technology is deployed in practice that the design issues become apparent and are addressed. Too-strict upfront design requirements (in the form of standards) may even hamper innovation, and it may even lead to “widespread adoption of inferior technology” (as explained in this report of the World Economic Forum). In the words of Behlendorf (CEO of the Linux Foundation):“The space is still so young that the desire for standards, while well-placed, runs the risk of hardening projects that have just come out of the lab,” and “we need to avoid making serious architectural decisions that first become legacy and then become a hindrance.”GDPR is, just as its predecessor, technology agnostic (see Recital 15) in the sense that it provides for general data protection principles and requirements but does not prescribe any technology or technical manner for how these principles and requirements should be implemented. As BC is an emerging technology still in its infancy, GDPR works exactly as it is intended, challenging developers to think of creative ways for how to develop the technology in such a manner that the impact on the privacy of individuals can be mitigated and basic principles of GDPR can be complied with. That this may take several development cycles to be achieved is fully understood. The conclusion of the authors that GDPR is thus unable to embrace this new technology is missing the point that GDPR is intended to provide guidance on how to develop new technology in the first place. In Part 2 of this sequel, we will discuss how the transparency and immutability issues raised by BC can be addressed by implementing innovative privacy‑by‑design measures.Read <a href="https://mofotech.mofo.com/topics/blockchain-is-not-inherently-at-odds.html" target="_blank">Part 2</a> of this post here.Read more about <a target="_blank" href="https://media2.mofo.com/v3/assets/blt5775cc69c999c255/bltec64345cb0bd32d9/627317cab5ad5f2863c59630/191019-blockchain-data-protection.pdf">the interplay of blockchain and data protection from Dr. Moerel</a>.Note: This blog is a summary version of a full publication of Lokke Moerel published in European Review of Private Law 6-2019 [825 – 852] and in The Cambridge Handbook of Smart Contracts, Blockchain Technology and Digital Platforms (September 2019).

191008-mofo-tech-blockchain-1.jpg

Why Blockchain is not inherently at odds with GDPR - Part 1

Why Blockchain is not inherently at odds with GDPR - Part 1

191008-mofo-tech-blockchain-1

“In an almost direct clash of intentions, the GDPR has effectively banned the use of blockchain technology in Europe because of its immutable nature.” – Forbes


It’s all very well to issue regulatory guidance – but it’s what you do to enforce it that really counts. The UK financial services regulatory agencies have imposed fines exceeding $2 million on a UK bank that did not implement enough oversight on an outsourced provider of technology services. In this alert, we discuss the firmer approach being adopted by UK regulators when it comes to compliance with technology outsourcing rules.Read our <a href="https://protect-us.mimecast.com/s/qVxACW6jp1UoyBXJiKcttu">client alert</a>.

mofotechblog-financings-600x295-graph.jpg

Financial Services Technology Outsourcing: The UK Regulators Flex Their Muscles

Why Should Your Startup Care About Intellectual Property?

mofotechblog-financings-600x295-graph

It’s all very well to issue regulatory guidance – but it’s what you do to enforce it that really counts. The UK financial services regulatory agencies have impo

Financial Services Technology Outsourcing: The UK Regulators Flex Their Muscles