Washington in Review - May 10, 2019
Congress wrapped up a two-week recess and returned to session on April 29, starting the clock on a five-week legislative stretch that will keep both chambers in session until Memorial Day. President Trump’s latest tariff hike on China may have muddled the ongoing US-China trade deal. Both chambers continue to hold privacy and cybersecurity hearings, though passage of a comprehensive federal privacy framework during this session of Congress seems unlikely. Taking a novel approach to consumer privacy, select global companies are offering to pay customers cryptocurrency in exchange for unfettered use of their personal data. Some GOP lawmakers have warned the administration that they will oppose any infrastructure measure that adds to the federal deficit. We cover these issues and more in this week’s edition of the WiRe.
Trump’s Tariffs Talk Tough Once Again
President Trump raised tariffs this week on $200 billion worth of goods from 10% to 25%, and imposed a 25% tariff on $325 billion of additional goods. He threatened the tariffs after the Chinese appeared to shy away from several significant commitments made previously towards a final trade agreement. With progress delayed further, President Trump has now used these tariffs in an effort to expedite negotiations. His threat prompted a negative reaction from the Chinese, who indicated that they would not be keen to continue negotiating if the tariffs were increased.
What does it mean?
- Many view the threat of increased tariffs as a sign that negotiations are reaching a breaking point -- either an agreement will be reached soon, or talks will conclude without any agreement taking place.
- Following earlier rumors indicating that Chinese Vice Premier Liu and a high-ranking delegation would no longer attend talks in the US at the end of the week, it appears the delegation is still scheduled to arrive for negotiations. However, comments made by Chinese officials indicated that they may be unwilling or unable to enter into binding commitments on areas under negotiation. The US side has been seeking to have the commitments enacted through changes to laws in China.
DoL Opinion May Not Be a Good Gig for Employers
The US Department of Labor released an opinion letter on April 29 concluding that workers of one unidentified virtual marketplace company are independent contractors, not employees. As a result, the unidentified company will not need to offer federal minimum wage or overtime, or pay a share of Social Security taxes. The letter underscores the Trump administration’s departure from DoL guidance during the Obama era, when workers were often viewed as employees rather than as independent contractors. The opinion letter is advisory and non-binding, and applicable only to the specific company to which it was addressed.
What does it mean?
- This is a win for gig-economy tech companies. Classifying workers as employees rather than independent contractors could lead to an increase in labor costs by 20% to 30%, which could affect valuations as major players begin to go public.
- Companies should continue to carefully monitor the relevant laws in states like California that apply their own state wage and hour laws when determining whether to classify workers as independent contractors or employees.
Walking Out Against Arbitration
Employees of a well-known gaming company staged a walkout protesting how forced arbitration clauses are being used against fellow employees making claims against the company for sexual harassment and sex discrimination. They join other workers in the industry who have staged walkouts or are threatening similar direct actions as they agitate for what they deem to be fairer working conditions.
What does it mean?
- Employers need to engage in constructive dialogue with their employees in order to create a culture of inclusion during a period of time when gender inequality is becoming a major issue in the tech industry.
- Employees have begun agitating for changes in employment contracts, particularly around diversity and inclusion, equitable distribution of revenues, and fairer cultures overall, all topics that policymakers and legislators have recently brought to the forefront. Preemptive action to reflect these concerns by employers could help forestall future regulatory action.
NIST Issues Draft Guide for Securing IoT Devices
The National Institute of Standards and Technology (NIST) recently published a preliminary draft of the guide, “Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD).” The guide aims to help businesses, communications services, device manufacturers, and users of Internet-of-Things (IoT) devices understand how to enhance IoT device security. NIST takes the position that increased device security will reduce the vulnerability of networks to attacks and breaches. The guide details an architecture called Manufacturer Usage Description (MUD), which helps make networks more secure by, for example, prohibiting unauthorized traffic between IoT devices. NIST is seeking comments on the guide until June 24, 2019.
What does it mean?
- As NIST guides are often viewed as the standard for industry best practices, companies utilizing IoT devices can contribute to the discussion in order to help shape the forthcoming finalized guide.
Senate Cracks Down on Robocalls
A handful of Democrats in the US Senate recently introduced the Protecting American Consumers from Robocalls Act. The bill would enhance the Telephone Consumer Protection Act (TCPA) of 1991 and the Do-Not-Call Registry by letting landline and cellular consumers petition for statutory damages for all unconsented-to telemarketing calls immediately after the first violation of the TCPA. Additionally, communication companies would be required to install call authentication technology to weed out robocalls masquerading as local incoming calls, even though their origin could be overseas — a tactic known as “spoofing.” Following ongoing efforts by the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) to curtail robocalls, this is the latest bill in Congress seeking to crack down on pesky robocalls.
What does it mean?
- With attention from the FCC, FTC and Congress, additional anti-robocall legislation is expected this year. On the state level, regulators and legislatures have also taken action to increase protections under existing consumer protection statutes and to bolster criminal penalties for robocalls. Staying informed on shifting federal and state robocall policies is key.
Drones are Coming
US Senate Communications Subcommittee Chairman John Thune (R-SD) and Senator Ed Markey (D-MA) are urging the Federal Aviation Administration (FAA) to publish a proposed rule to inform the public about the ownership and travel routes of drones. In their letter to Department of Transportation Secretary Elaine Chao, the senators noted that drone sightings have yielded multiple flight delays and cancellations. The letter also points out that Congress granted the FAA a two-year deadline to craft drone-tracking rules and that the deadline expired nearly a year ago. Their letter coincides with the FAA’s approval of the first air carrier certified for commercial drone delivery. Drone deliveries will begin in Virginia in the coming months, and may expand to other regions in the future upon FAA permission.
What does it mean?
- Companies looking to conduct commercial drone deliveries should be mindful of the senators’ requests, and should consider outlining transparent practices to implement after receiving FAA approval.
- As the greenlit company received FAA permission after fulfilling many of the safety requirements of a traditional airline, carriers hoping for approval now have an example of a successful application.
Is Paying Crypto for Customer Data the Future?
A major global auto manufacturer recently announced its plan to pay customers cryptocurrency for their personal data, debuting a relatively untested pay-to-play model and directly taking on controversial questions around consent and sale of data under global privacy frameworks as the manufacturer enters the data marketplace. The partnership with a distributed ledger company encourages customers to earn crypto credits redeemable for products and services like coffee and parking. In exchange, customers allow the manufacturer to access and share a range of driving data with third parties.
What does it mean?
- The data selling model proposed by the manufacturer is yet to be tested in larger consumer markets, but use of the distributed ledger technology may prove to be a significant step for both blockchain and data protection. Companies may want to consider potential applications of similar technology as well as the privacy implications of its use.
- Third-party location data sharing continues to be a major challenge for the private and public sector under global privacy frameworks and court cases. While the manufacturer has not yet detailed its plan to collect customer consent under this model, companies should reassess collection and use of location data on a regular basis to account for the changing legal landscape in this area.
UK Cyber Agency to Companies: Disclose Your Data Breach and No One Will Get Fined (Yet)
As the General Data Protection Regulation (GDPR) approaches the one-year mark, the UK’s National Cyber Security Centre (NCSC) announced it would not automatically disclose information about data breaches to the Information Commissioner’s Office (ICO). The agency stated that the measure is intended to encourage companies to report breaches to the government so that mitigation activities can take place without the threat of GDPR-related fines for disclosure of personal data. The agency also attempted to clarify the separate roles and responsibilities of the NCSC and the ICO related to cyber incidents. The NCSC is the UK’s cybersecurity authority and handles breach reports. The ICO is the UK’s regulatory agency responsible for GDPR enforcement, which allows for fines up to 4% of annual global revenue for failure to report breaches.
What does it mean?
- The confidentiality measure is in response to the determination by the NCSC and ICO that the prospect of GDPR fines deters companies from reporting incidents, as cyberattacks on businesses continue to increase. Companies should be aware that failure to report breaches is also a significant GDPR violation.
- While privacy violation fines remain relatively low, companies should remain alert to developing data protection enforcement trends, as UK, EU, Australian, and US regulatory agencies hint that there will be significant fines in the near future.
The Fight Against Piracy
Recently, the United States Trade Representative (USTR) released two reports focusing on the international issues facing US intellectual property owners. The Special 301 Report identifies 36 countries as having inadequate IP protections or denying market access, and the Notorious Markets List highlights 33 online markets and 25 physical markets reported to engage in and facilitate substantial copyright piracy and trademark counterfeiting. The report provides an important opportunity for IP-intensive US industries to highlight unfavorable cross-border IP rights issues and help shape the Trump administration’s priorities as it engages with trading partners on IP and similar market access issues.
What does it mean?
- Countries that fail to address the USTR’s concerns may be subject to enforcement under the WTO or dispute-settlement procedures under other trade agreements.
- Companies with a major presence in highlighted countries should stay alert to any developments in the USTR’s ongoing review of compliance in order to prepare for cases in which the non-compliant countries are subject to enforcement actions.
- Companies should engage with the USTR, Congress, and other interested parties to ensure that the official US position is informed by the full range of views on the pertinent issues.
Senate Privacy and Security Hearing Roundup: All Talk, No Action, Yet
Over the past two weeks, Congress wrapped up several hearings on security challenges associated with the Internet of Things (IoT), consumer perspectives related to a federal privacy framework, privacy rights and data collection in the digital economy, and Federal Trade Commission (FTC) privacy oversight. At the IoT hearing, the senators and panelists all spoke favorably about the National Institute of Standards and Technology’s (NIST) effort to create a federal IoT security standard through private-public collaboration. However, panelists disagreed about whether voluntary security guidance for IoT developers would be adequate; some called instead for an enforcement mechanism to support the adoption of bolstered IoT security standards.
At the federal privacy hearings, consumer advocates and privacy experts (including Jay Cline, PwC US Privacy Leader) offered their input on strategies for approaching data privacy protection laws. Panelists were largely in agreement that private sector self-regulation won’t sufficiently protect consumer data privacy, and that opt-out systems and privacy notices written in confusing legalese are futile and problematic. At the FTC oversight hearing, FTC Chairman Joseph Simons urged Congress to bolster the agency’s authority to police and fine large tech companies. Currently, the FTC only has authority to fine repeat offenders, and even then the agency can only levy those fines if the offending company either agrees to a settlement or the agency wins in court. Simons insisted that the FTC should be given limited, targeted rulemaking authority, noting that broad rulemaking authority could possibly cause the agency to become too politicized.
What does it mean?
- In short, federal privacy law initiatives are not going away anytime soon. Large companies should routinely review their data collection and privacy policies and engage with policymakers to ensure that their views are shared in any pending or future privacy legislation.
- Although the full scope of a federal privacy framework is still in flux, a new regulatory regime appears inevitable. Further, parallel efforts at the state level, as well as the California privacy law and the GDPR, may provide momentum for a comprehensive federal standard, and also affect the content of such a standard.
- If the FTC is given broader authority to fine first-time offenders, large tech companies will need to be especially vigilant about their data privacy practices so as to avoid any fines.
Patent Reform Shows Signs of Life
Several congressional lawmakers recently released a bipartisan, bicameral framework seeking to change the law of patent eligibility under Section 101. The proposed framework seeks to define in the statute an exclusive set of categories of statutory subject matter that would be ineligible for patent protection. The examples provided include “[f]undamental scientific principles,” and “products that exist solely and exclusively in nature.” The proposed framework would also eliminate, within the patent eligibility requirement, the requirement that any invention or discovery be both “new and useful.” One of the chief goals behind the proposal is to increase innovation in technology and artificial intelligence. Following the framework’s release, the legislative language is expected sometime later this spring.
What does it mean?
- While reforms to patent eligibility continue to garner significant interest, big tech companies and other intellectual property owners stand to be the most affected by any changes, as current case law on patent eligibility disincentivizes research and investment into critical areas of innovation.
- With bipartisan support from leaders on the House and Senate Judiciary Committees, there is real potential for this proposal to be enacted. Interested stakeholders should engage with Congress to share their perspectives.
Hitting a Roadblock on Infrastructure
Recent White House meetings with Congressional leadership have led to an agreement in principle on the need for a significant infrastructure package. With a purported $2 trillion price tag, the proposed package would include funds to address roads, bridges, and waterways—with notable additional emphasis on broadband and power grid investment. Funding sources remain a topic of debate and controversy as both parties have expressed little appetite for changes to their existing positions on any new tax initiatives. Specifically, President Trump has faced opposition within his own party as some Republican lawmakers have criticized the proposal as being too ambitious and warned they will oppose any measure that adds to the federal deficit.
What does it mean?
- Despite President Trump emphasizing his eagerness to work with Congress on passing infrastructure legislation during his State of the Union address in February, the administration’s short- and long-term plans and strategies regarding infrastructure policy and funding remain unclear. Potentially impacted companies should stay abreast of any developments on an infrastructure package.
For past issues of Washington in Review and other commentary on policy and regulatory issues impacting the Technology, Media, and Telecommunications industries, visit us on the web.
Contributors: Jocelyn Aqua, Regina Barillas, Rosie Brinckerhoff, Jennie Cunningham, Brian Dunch, Arie Esquenazi, Haley Fine, Nick Hall, Carl Holshouser, Josh Joseph, Dan Julian, Priya Kamdar, Julie Riccio, Rachel Roschelle, David Sapin, and Lenora Zimmerman.