At the close of 2022, New York Governor Kathy Hochul signed the “Digital Fair Repair Act” (S4101A/A7006-B) (to be codified at N.Y. GBL §399-nn) (the “Act”). The law makes New York the first state in the country to pass a consumer electronics right-to-repair law.[1] Similar bills are pending in other states. The Act is a slimmed down version of the bill that was first passed by the legislature last July.

Generally speaking, the Act will require original equipment manufacturers (OEMs), or their authorized repair providers, to make parts and tools and diagnostic and repair information required for the maintenance and repair of “digital electronic equipment” available to independent repair providers and consumers, on “fair and reasonable terms” (subject to certain exceptions). The law only applies to products that are both manufactured for the first time as well as sold or used in the state for the first time on or after the law’s effective date of July 1, 2023 (thus exempting electronic products currently owned by consumers).

The concept of the “metaverse” has garnered much press coverage of late, addressing such topics as the new appetite for metaverse investment opportunities, a recent virtual land boom, or just the promise of it all, where “crypto, gaming and capitalism collide.”  The term “metaverse,” which comes from Neal Stephenson’s 1992 science fiction novel “Snow Crash,” is generally used to refer to the development of virtual reality (VR) and augmented reality (AR) technologies, featuring a mashup of massive multiplayer gaming, virtual worlds, virtual workspaces, and remote education to create a decentralized wonderland and collaborative space. The grand concept is that the metaverse will be the next iteration of the mobile internet and a major part of both digital and real life.

Don’t feel like going out tonight in the real world? Why not stay “in” and catch a show or meet people/avatars/smart bots in the metaverse?

As currently conceived, the metaverse, “Web 3.0,” would feature a synchronous environment giving users a seamless experience across different realms, even if such discrete areas of the virtual world are operated by different developers. It would boast its own economy where users and their avatars interact socially and use digital assets based in both virtual and actual reality, a place where commerce would presumably be heavily based in decentralized finance, DeFi. No single company or platform would operate the metaverse, but rather, it would be administered by many entities in a decentralized manner (presumably on some open source metaverse OS) and work across multiple computing platforms. At the outset, the metaverse would look like a virtual world featuring enhanced experiences interfaced via VR headsets, mobile devices, gaming consoles and haptic gear that makes you “feel” virtual things. Later, the contours of the metaverse would be shaped by user preferences, monetary opportunities and incremental innovations by developers building on what came before.

In short, the vision is that multiple companies, developers and creators will come together to create one metaverse (as opposed to proprietary, closed platforms) and have it evolve into an embodied mobile internet, one that is open and interoperable and would include many facets of life (i.e., work, social interactions, entertainment) in one hybrid space.

In order for the metaverse to become a reality – that is, successfully link current gaming and communications platforms with other new technologies into a massive new online destination – many obstacles will have to be overcome, even beyond the hardware, software and integration issues. The legal issues stand out, front and center. Indeed, the concept of the metaverse presents a law school final exam’s worth of legal questions to sort out.  Meanwhile, we are still trying to resolve the myriad of legal issues presented by “Web 2.0,” the Internet as we know it today. Adding the metaverse to the picture will certainly make things even more complicated.

On December 9, 2020, the Wall Street Journal reported that Apple and Google will block the data broker X-Mode Social Inc. (“X-Mode”) from collecting location data from iPhone and Android users. Apple and Google have reportedly informed app developers to remove the X-Mode social tracking SDK from all of their apps within a short period of time or risk removal from the platforms’ app stores.  This action apparently was prompted by reports that X-Mode was selling location data to certain defense contractors and government entities.

The WSJ report suggests that Apple and Google notified Senator Ron Wyden about this action.  Senator Wyden and a group of other Senators have been soliciting government inquiries over the last several months into the sale of location data to government contractors and agencies. It is Senator Wyden’s position that such sales of users’ location data by commercial data brokers to government entities are unlawful without a warrant (citing the Supreme Court case, Carpenter v. United States, 138 S.Ct. 2206 (2018), which held that the acquisition of cell-site location information was a Fourth Amendment search).

Senator Wyden’s scrutiny over such practices does not seem to be limited to sale of location data to government sources, but more so toward the wider data tracking ecosystem. He was one of the senators that earlier this year sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Yodlee’s financial data collection practices were violating the FTC Act (a request which led to at least one civil investigative demand being issued by the FTC to Yodlee and a putative class action suit over such practices). In the WSJ article, Wyden is quoted as stating: “Apple and Google deserve credit for doing the right thing and exiling X-Mode Social, the most high-profile tracking company, from their app stores. But there’s still far more work to be done to protect Americans’ privacy, including rooting out the many other data brokers that are siphoning data from Americans’ phones.”

In early February 2020, before most of us were truly aware of the implications of COVID-19, a well-respected IT consulting group predicted a $4.3 trillion global spend on information technology in 2020. Drivers of the projected activity included cybersecurity, outdated infrastructure, mobile accessibility needs, cloud and SaaS transitions, and on-premises technology requirements.  In late 2019, another well-respected consulting group had predicted that, in 2020, “[t]here will be increasing opportunities for technology vendors and service providers to grow their businesses, and for technology buyers to innovate and upgrade their infrastructure, software, and services.” In fact, as 2020 began, many deals for technology development, implementation and related services were signed and technology providers, consultants and related service providers (collectively referred to in this post as “vendors”) and their customers were busy building, implementing and testing new systems.

Then came COVID-19. Most people in the United States and in many other parts of the world are now working from home. Capital markets are volatile. The global economy came to a screeching halt and recessions are forecast.  As a result of these and other factors, many deals that were humming along nicely are now facing significant and unanticipated challenges. For example:

  • In many cases, neither the vendor nor the customer community is “in the office.” While it is not uncommon for software developers to work remotely, many important aspects of a complex implementation – e.g., hardware installation, software testing and user training – are most effective when done on site. Obviously, given the work-from-home and no-travel environment that we are in, this is not possible.
  • Key individuals from both the vendor and customer community may be less available, either due to their own illnesses or due to pressing family issues or other concerns related to the pandemic.
  • Some customers may experience significant and unanticipated financial distress, and as a result, the payment obligations associated with the initiative may become particularly burdensome for them. Vendors may also be facing similar financial distress.
  • Due to the downturn in the business climate resulting from the pandemic, the business volume assumptions on which the ongoing initiative was based may no longer be realistic.

This blog post is intended to suggest a practical approach that both technology vendors and their customers might take to find amicable solutions to challenged deals.

While Washington’s comprehensive data privacy bill (SB 6182) — inspired by California’s CCPA — died when legislators could not hammer out a compromise over enforcement mechanisms, the state legislature did reach agreement and Gov. Jay Inslee signed into law a facial recognition bill (SB 6280) that provides some important privacy and antidiscrimination provisions regarding state and local governmental use of the technology.

An interesting New York Times article last week posited that governments’ use of digital surveillance techniques for the COVID-19 response – such as the tracking of geolocation to gauge quarantine restrictions – would lead to more pervasive digital tracking in the future. On a related note, there have been reports of an increased use of facial recognition technologies as governments use digital tools to respond to the outbreak.

These developments bring to mind some interesting questions:

In the future, given our collective experience with this invisible foe, will there be a move away from contact-based security and access control systems to “germless” and “touchless” processes?

If so, what role will be played by facial recognition and other biometrics-based systems in that shift?

As part of the response to the outbreak of COVID-19, many organizations are working on contingency and business continuity plans that include an all-employee “work-from-home” scenario.  If it becomes necessary to implement such a plan, all employees of the organization will access the organization’s networks and systems remotely. Unfortunately, many organizations that are testing these plans are discovering that their remote access technologies may not be able to handle, without significant degradation in performance, the volume of activity this will generate.  Indeed, given the complex host of business applications and collaboration tools that many businesses employ, many entities may not be fully ready for their entire workforce to access their systems remotely without first checking in with their vendors and IT personnel.

This is understandable. Except for the case of those businesses that always operate “virtually” — without any fixed offices — most organizations build their remote access infrastructure (including the related telecommunications, security, videoconferencing, collaboration and other software tools that are involved in remote access) based on an assumption that only a portion of an organization’s employees will use remote access at any given point in time.  For example, contractual service level commitments (in which vendors promise certain levels of performance of their systems) often assume a simultaneous user base being a subset of all employees of the organization.  Further, SaaS-based services that are priced based on a specific number of “simultaneous users” may not anticipate all, or substantially all, of the company’s employees using the service at the same time.

Organizations should be reviewing their agreements with the myriad set of vendors that provide software related to remote access. These reviews should evaluate what commitments, if any, are included in those agreements that may be helpful in what may be this unprecedented “100% work-from-home” effort.  To the extent contractual deficiencies or other issues are identified, early engagement with vendors can be helpful.  For example, in the event service level commitments appear insufficient to meet anticipated demand, an early discussion with the vendor may result in an increased allocation of the vendor’s resources to that customer.  And while some SaaS service agreements priced by the number of simultaneous users may allow customers to exceed simultaneous user limits (with a premium true-up at a later date), others impose hard blocks on usage in excess of contract limitations.  To the extent these issues are identified in an agreement, customers are best served by engaging with the vendor in advance – to avoid premium true-ups or interference in service.

In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (FIRRMA) to modernize the Committee on Foreign Investment in the United States (CFIUS). CFIUS is chaired by the Secretary of the Treasury and is empowered to review certain transactions involving foreign investment in the U.S.

On January 7, 2019, the federal Office of Management and Budget (OMB) released a draft of a memorandum setting forth guidance to assist federal agencies in developing regulatory and non-regulatory approaches regarding artificial intelligence (AI).  This draft guidance will be available for public comment for sixty days, after which it will be finalized and issued to federal agencies.

According to the draft, the guidance was developed with the intent to reduce barriers to innovation while also balancing privacy and security concerns and respect for IP. The proposed guidance features ten principles to guide regulatory approaches to AI applications.  In addition, in what may be a boon for those in the private sector developing AI infrastructure, the OMB reinforces the objective of making federal data and models generally available to the private sector for non-federal use in developing AI systems.

Initial responses to the proposed guidance have been mixed, and it remains to be seen how the principles in the guidance (when finalized) will be put into practice. Notably, however, those who intend to invest significant resources in AI-based infrastructure should be aware of what may prove to be the emerging blueprint for AI regulation in the near future.

It is that time of year when we look back to see what tech-law issues took up most of our time this year and look ahead to see what the emerging issues are for 2020.

Data: The Issues of the Year

Data presented a wide variety of challenging legal issues in 2019. Data is solidly entrenched as a key asset in our economy, and as a result, the issues around it demanded a significant level of attention.

  • Clearly, privacy and data security-related data issues were dominant in 2019. The GDPR, CCPA and other privacy regulations garnered much consideration and resources, and with GDPR enforcement ongoing and CCPA enforcement right around the corner, the coming year will be an important one to watch. As data generation and collection technologies continued to evolve, privacy issues evolved as well.  In 2019, we saw many novel issues involving mobile, biometric and connected cars. Facial recognition technology generated a fair amount of litigation, and presented concerns regarding the possibility of intrusive governmental surveillance (prompting some municipalities, such as San Francisco, to ban its use by government agencies).
  • Because data has proven to be so valuable, innovators continue to develop new and sometimes controversial technological approaches to collecting data. The legal issues abound.  For example, in the past year, we have been advising on the implications of an ongoing dispute between the City Attorney of Los Angeles and an app operator over geolocation data collection, as well as a settlement between the FTC and a personal email management service over access to “e-receipt” data.  We have entertained multiple questions from clients about the unsettled legal terrain surrounding web scraping and have been closely following developments in this area, including the blockbuster hiQ Ninth Circuit ruling from earlier this year. As usual, the pace of technological innovation has outpaced the ability for the law to keep up.
  • Data security is now regularly a boardroom and courtroom issue, with data breaches, phishing, ransomware attacks and identity theft (and cyberinsurance) the norm. Meanwhile, consumers are experiencing deeper and deeper “breach fatigue” with every breach notice they receive. While the U.S. government has not yet been able to put into place general national data security legislation, states and certain regulators are acting to compel data collectors to take reasonable measures to protect consumer information (e.g., New York’s newly-enacted SHIELD Act) and IoT device manufacturers to equip connected devices with certain security features appropriate to the nature and function of the devices (e.g., California’s IoT security law, which becomes effective January 1, 2020). Class actions over data breaches and security lapses are filed regularly, with mixed results.
  • Many organizations have focused on the opportunistic issues associated with new and emerging sources of data. They seek to use “big data” – either sourced externally or generated internally – to advance their operations.  They are focused on understanding the sources of the data and their lawful rights to use such data.  They are examining new revenue opportunities offered by the data, including the expansion of existing lines, the identification of customer trends or the creation of new businesses (including licensing anonymized data to others).
  • Moreover, data was a key asset in many corporate transactions in 2019. Across the board in M&A, private equity, capital markets, finance and some real estate transactions, data was the subject of key deal points, sometimes intensive diligence, and often difficult negotiations. Consumer data has even become a national security issue, as the Committee on Foreign Investment in the United States (CFIUS), expanded under a 2018 law, began to scrutinize more and more technology deals involving foreign investment, including those involving sensitive personal data.
  • For more information about developments over the past year on data-related issues, and to keep abreast of new developments in the future, you may want to subscribe to Proskauer’s privacy blog, privacylaw.proskauer.com. You may also want to review our Practical Law article “Trends in Privacy and Data Security: 2018” and get a hold of our update that will publish in winter 2020.

I am not going out on a limb in saying that 2020 and beyond promise many interesting developments in “big data,” privacy and data security.