Channel: IP, Technology & Data – Brodies Blog

What the proposed data protection regulation means for outsourcing by UK organisations


John will be blogging separately on the draft data protection regulation published by Commissioner Reding earlier today, but I thought I’d share some thoughts in relation to its impact on outsourcing in the UK.

To date, data controllers in the UK have had a degree of flexibility when entering into outsourcing agreements that involve the processing of personal data outside the EEA.

Under the Data Protection Act 1998, which implemented the 1995 EU directive in the UK, transfers outside the EEA may broadly take place in the following circumstances:

  • Where the European Commission has made a finding of adequacy in relation to the level of protection offered to personal data in the country or territory in question (including, for example, the US Safe Harbor scheme);
  • Where the transfer is made pursuant to contract on terms approved by the European Commission (AKA the EU model clauses for data transfers);
  • Where the organisation has put in place binding corporate rules that have been approved by the relevant data protection regulators; and
  • Where the data controller has made a finding of adequacy in respect of the proposed transfer.

Findings of adequacy
The ability to make a finding of adequacy is particularly useful for data controllers, as it allows the data controller to make a reasoned decision based upon its diligence on the proposed data processor and the actual contractual terms that are put in place.

In particular, it allows the data controller to deviate from the approved model clauses without needing to go through the administrative burden of having those clauses approved by the Information Commissioner. For example, the data controller may wish to outsource a service through a single contracting entity on behalf of various group data controllers, rather than enter into multiple model clause agreements between each data controller and the end data processor.

The ability to make a finding of adequacy is not carte blanche to do anything – the data controller still needs to be able to justify its actions to the Information Commissioner, but it does provide some significant commercial flexibility.

The position outside the UK
But that permissive and flexible approach in the last bullet does not apply everywhere in the EU. In a number of EU member states, any deviation from the model clause agreements needs to be notified and approved by the national data protection regulator. In some member states even the use of the model clause agreements needs to be notified to the regulator.

So what will happen under the new law?
If passed as it stands, the regulation would have direct effect. Unlike a directive, there would be no need for local implementation by individual member states. The intention of the regulation is to have a uniform data protection law across the whole of the EU – a law that is not subject to local variations and differing interpretations by different parliaments, regulators and courts.

The consequence of this is that the rules on cross-border data transfers will be unified.

Under the draft regulation there is no ability for the data controller to make a finding of adequacy. If the data controller wishes to vary from the terms of the model clauses, the data controller will need to obtain the consent of the relevant data protection regulator.

Whilst not unexpected, confirmation of this restriction is disappointing and will substantially increase the red tape involved in entering into outsourcing agreements – particularly where there are complex inter-group arrangements and multiple data controllers.

The UK Information Commissioner has already issued a press release questioning this requirement, presumably with half an eye to the increased (and unnecessary) administrative burden that it will incur, when its resources are already stretched.

Of course the irony here is that as all seasoned data protection lawyers will tell you, the data processor has no direct obligations under data protection laws – it is the data controller that is responsible (contractually) for ensuring that data is securely processed. National legislation is irrelevant. Approved form processing contracts are not required within the EEA, so why should transfers outside the EEA be treated differently?

Why not simply leave it to the data controller to ensure that it has carried out its diligence and has an appropriate contract, as the law requires for outsourcing within the EEA? I’m not aware of major problems having arisen from data controllers deviating from the model clauses, so why try to fix something that isn’t broken?

It must be hoped that this change does not make it into the final draft. Those involved in outsourcing may wish to support the UK Information Commissioner in ensuring that a workable mechanism is in place for cross border outsourcing.

The post What the proposed data protection regulation means for outsourcing by UK organisations appeared first on Brodies LLP Legal Resource Area.


The draft data protection regulation – a summary of the key provisions


European Union Justice Commissioner Viviane Reding has announced a proposal for a new General Data Protection Regulation for the protection of personal data in the European Union.

The proposals retain the general principles of data protection law, but also introduce some significant changes around:

  • Fines;
  • Consent;
  • Notification (including 24-hour notification of breaches);
  • New obligations on data processors;
  • Compulsory Data Protection Officers;
  • Data subject rights;
  • Collection of child data; and
  • The “one stop shop” approach

Firstly, as Martin noted in his earlier blog on the impact for organisations engaged in outsourcing, the regulation has direct effect. Once passed, it will not be subject to local implementation in each member state. This is intended to ensure that the laws are applied consistently across the EU.

Powers to fine
The official announcement follows last month’s leaked proposals which suggested that companies breaching data protection law might face fines of up to 5% of their annual turnovers. While this level of fine is not advanced by the official proposal, companies will still be subject to a fairly stringent sliding-scale of fines:

  • a maximum of 0.5% of annual turnover for failures such as not responding properly to requests by data subjects;
  • a maximum of 1% of annual turnover for failures such as leaving inaccurate data uncorrected, or failing to adopt internal policies to comply with the new Regulation; and
  • a maximum of 2% of annual turnover for the most serious violations, including “risky processing operations”, or failing to obtain data subject consent.

Consent
Another key change being proposed is that data controllers can no longer rely on implied consent. Instead, controllers will have to prove that they have been provided with “explicit” consent from the data subject, while consent may not be relied upon if there is a “clear imbalance between the data subject and the controller” (which will make it difficult for, for example, employers to rely on consent from employees, as grounds for processing).

As an alternative to obtaining explicit consent, “other legitimate interests” of a controller will provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.

Whilst this change is consistent with the opinions that have been issued by the Article 29 Working Party, this change will be particularly felt in the UK, where much of the UK Information Commissioner’s guidance has focussed on the concept of “implied consent”. For example, the Information Commissioner’s view on website privacy policies has generally been that the data controller does not need to flag up in flashing lights processing that is obvious. It will be interesting to see how guidance changes in this area.

Notification
Controllers will no longer have to notify data protection authorities that they are processing data. Instead, they will be asked to make available upon request evidence demonstrating their data protection policies and procedures, including “privacy by design and default” mechanisms, and privacy impact assessments.

Data breach notification
Controllers will also be expected to notify data protection authorities of data breaches within 24 hours. Where notification within 24 hours is not possible – and 24 hours looks like an onerous requirement – an explanation of the reasons for the delay should accompany the notification. Data processors, meanwhile, will be expected to “assist” controllers in cases of data breach or loss, and will be deemed joint controllers if they process personal data other than as instructed by the controller.

Data protection officers
All public sector bodies will be required to appoint a Data Protection Officer, as will private sector bodies with more than 250 staff (or whose core activities consist of processing operations).

The “right to be forgotten” and other new restrictions
Last month’s leaked document suggested that the new proposals would contain a controversial “right to be forgotten”, and many stakeholders were already pondering how such a right could possibly be guaranteed or enforced. The official proposals are less explicit regarding this right, proposing that a controller shall carry out erasure of data “without delay, except to the extent that the retention of the personal data is necessary” for a variety of grounds, including “public interest” and “compliance with a legal obligation”.

Potentially more interesting is a new right for data subjects not to be subject to a “measure based on profiling”, meaning that organisations will be potentially barred from profiling individuals based on automatic processing seeking to predict a person’s creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour. This may well impact upon Amazon’s religious beliefs patent (as blogged about by Martin last month).

It’s also worth noting that under the new proposals the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. This concept of a “child” and the parental consent requirements will almost certainly conflict with many organisations’ current practices.

The “one stop shop approach”
Finally, the draft proposes that controllers and data subjects will have a one stop shop in terms of regulators. If a data subject wishes to complain about processing by a data controller in another EU country, it will complain to its local regulator who will raise the issue with the regulator in the data controller’s home country.

Given that non-EU data controllers collecting data from EU data subjects will also be subject to the new regulation, this will surely increase the administrative burden on the various national regulators.

These are just some of the changes to the present European data protection regime which are being proposed. It’s worth remembering that these proposals will need to be approved by the European Union’s member states and ratified by the European Parliament before they can come into effect. Given the extent of the proposed changes, that process might take up to 2 years, if not longer.


UK government opens informal consultation on new EU data protection regulation


The UK’s Ministry of Justice has today opened an informal consultation on the proposed new EU data protection rules.

The MoJ is keen to emphasise that this is not a formal consultation, but rather a “call for evidence” to assist the UK government in forthcoming negotiations at EU level.

The call for evidence is open until 6 March 2012. You can access the papers and respond by way of an online questionnaire by following this link.

To read our initial views on the draft legislation see these Techblog entries:


Commission announces agreement on new General Data Protection Regulation


The European Commission yesterday announced that it had reached agreement with the European Parliament and Council on the final text of the proposed new General Data Protection Regulation (GDPR). The GDPR will replace the current Directive and the national laws that implement it in each member state.

It is anticipated that the final text will be formally adopted by the Parliament and Council in early 2016, following which there will be a two year transitional period before the Regulation comes into force in 2018. Whilst the Commission has not yet published the agreed text, a German law firm has published what it believes is the final version.

What will change?
Whilst some changes reduce the administrative burden on data controllers and reduce inconsistent implementation of rules between different member states, others will mean a step-change is required in relation to data protection compliance.

Stricter requirements on consent, rights for data subjects to be able to easily transfer data to another provider, increased “rights to be forgotten” and new rules in relation to breach reporting will require all organisations to review their internal procedures and processes in relation to the collection and handling of personal information.

The emphasis on privacy by design and privacy impact assessments means that privacy issues will need to be considered at the outset of any new project or activity, rather than as an afterthought.

Powers to issue fines of up to 4% of worldwide annual turnover or €20,000,000 mean that data protection compliance should now be a board level compliance issue. Certain organisations will also be required to appoint a data protection officer.

It’s also notable that the threshold at which parental consent is required for the use of information society services by children was raised at the last minute from 13 to 16, though the leaked final text states that member states can lower this to 13. That change to age 16 is also at odds with the views of a number of internet safety campaigners. Indeed, it may well lead to greater privacy intrusion for young people when seeking advice and information about things like abuse and bullying. We’ll blog separately on that.

What about international data transfers and Safe Harbor?

On international data transfers, the Commission’s press release is notably silent on any further progress in relation to discussions with the United States on reform of the now invalid Safe Harbor regime. Last month, the Commission set itself a target of January 2016 for concluding negotiations on a compliant mechanism for US data transfers, and it remains to be seen whether that target will be hit.

We will publish a more detailed analysis of the final text and what it means for data controllers in due course. In the meantime, if you’d like to discuss the new GDPR and what it means for you, please get in touch with me or your usual Brodies contact.



GDPR to raise digital age of consent for online services


If Alice fell down the rabbit hole in 2015, it wouldn’t take an Oxford don to document her adventures. #Wonderland would be trending on Facebook and Twitter and Alice’s Instagram would be full of selfies with the March Hare and the Cheshire Cat.

Children today are as technologically literate as any grown up. My 4-year-old nephews, for example, could navigate YouTube before they learned to read. But the new General Data Protection Regulation (GDPR), the European Commission’s tool to unify data protection in the EU, might prove to be a stumbling block for digital users under 16.

Background

As Martin blogged yesterday, the Commission has this week announced that the final text of the GDPR has been agreed with the European Parliament and Council, but not before a last minute change to the so-called ‘digital age of consent’.

Earlier drafts indicated that the Commission would adopt 13 as the threshold at which parental consent is required for the use of information society services (websites and other online services), but a last minute amendment changed this to 16. The apparent final draft (PDF) published by a German law firm suggests that the threshold has indeed been raised to 16, though individual member states may reduce this to 13 if they choose. Ironically, eliminating national inconsistencies was one of the key aims of the GDPR.

Will anything change in the UK?

When collecting personal data it is important that the data subject properly understands how the data they provide will be used. That can be difficult when collecting data from children.

The Data Protection Act does not specify the age at which children are legally able to give consent to processing of their personal data. Current guidance (PDF) from the Information Commissioner’s Office recommends that consent should be sought from a parent or guardian prior to collecting information from children up to the age of 13, but notes that there may be cases where it is necessary to obtain parental consent for children older than 13:

“Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.”

This will change when the GDPR comes into effect in 2018. Whether the UK government will stick to the current limit of 13 or increase the threshold to 16 in line with the GDPR remains to be seen.

How will the threshold be enforced?

From a technical perspective, social media platforms and other website operators will need to think about how they obtain parental consent from each child under 16 accessing their digital content. Opponents to the increased threshold also argue that it will simply encourage children to lie about their age.

From a legal point of view, the proposed threshold is at odds with a child’s capacity to enter into contracts on their own behalf. In Scotland, a child under the age of 16 can enter into contracts of a kind commonly entered into by people of his age and circumstances, provided that the terms are not unreasonable.

Historically, this has allowed children to make simple transactions, like buying sweets or bus tickets.

However, now that young people access websites and apps every day and are often as digitally aware as many adults, it is probably the case that they can legally consent to terms and conditions on their own behalf. Clearly, though, there will be a lower cut off age – my nephews can hardly be expected to properly understand YouTube’s terms and conditions – and any terms to which a child will be consenting should be in clear and plain language that a child can easily understand.

Returning to the Alice in Wonderland analogy, if a child will access a website regardless, is it perhaps better to draft terms of use that are capable of binding the child rather than disappear down the rabbit hole of having no binding terms of use at all?

Will it actually protect children?

Whilst an increased digital age of consent might seem like a good way to protect children, online safety experts have expressed their concerns about the sudden change to the threshold in an open letter published last Friday.

The signatories point out that increasing the age limit for consent is artificial, as research shows that young people are adept at controlling the information they share online, more so than many adults. Moreover, they highlight the important role played by digital platforms and social media in self-development and education.

The extra bureaucracy involved in obtaining parental permission could restrict the access children have to valuable online resources. Such resources include not only educational services, but also online support and advice to children suffering from abuse or online bullying. Indeed, it could actually lead to an erosion of the child’s privacy as such advice and information could not be sought in confidence.

What should providers of online services be doing?

There has been no announcement from the UK Government on whether a lower age limit will apply in the UK. Either way, the new hard-wired age will require providers of information society services that might be used by children to think about how they collect data and ensure that appropriate consents are obtained. That might require changes to website terms of use and registration procedures.

If you’d like to discuss the GDPR further, please get in touch with my colleague Martin Sloan or your usual Brodies contact.



Data controllers provide ICO with key concerns on the GDPR


Last week I attended a stakeholder workshop organised by the Information Commissioner (ICO) on the new General Data Protection Regulation (GDPR).

The workshop was attended by a range of representatives from central government and other public sector bodies, private and third sector organisations, industry bodies and law firms, who were invited by the ICO to help it understand particular areas of concern for data controllers.

The output of the workshop will influence the ICO’s programme of work over the next two years in the run up to the GDPR coming into force.

What was discussed?

The ICO identified eight key areas for discussion:

  • The scope of the GDPR and principles
  • Transparency and individual rights
  • Consent
  • Breach notification
  • General data controller duties
  • Enforcement
  • International issues/consistency between member states
  • Criminal enforcement/interaction with the new directive on law enforcement

The workshop took the form of round table discussions (with each table allocated one of the eight issues) and then a plenary session to feed back comments and concerns on each area.

The plenary session spent most time looking at the first three areas, and that reflects the areas where there is the greatest need for guidance.

Specific issues on the GDPR

I was sitting at the Transparency and Individual Rights table. One of the key issues for data controllers will be compliance with the new requirements on fair processing notices, which are more prescriptive than at present. This presents data controllers with a number of challenges, particularly given the ICO’s current emphasis on lawyered notices, and the need to keep those notices up to date. There are also practical issues associated with the new rights to erasure, data portability and automated processing/profiling.

On scope and principles, concerns were raised in relation to the requirement to have a legal basis for the processing (particularly in the context of data sharing) and the interpretation of terms like pseudonymisation and profiling.

On consent, concerns were expressed in relation to consistency in approach across member states and within different sectors. The changes will require data controllers to review where they rely upon consent and how that is obtained and managed. The new hard-wired requirement for a digital age of consent also presents challenges for data controllers.

On breach notifications, there was a request for guidance on how this will work in practice. Will the ICO apply a threshold in terms of severity and impact? What about near misses?

In relation to accountability, the overlap of responsibility as between data controllers and data processors was identified as an area needing clarification – particularly with legacy contracts. Where does accountability sit? How is this managed when both parties will have legal duties under the GDPR? Concern was also expressed in relation to expectations on record keeping and records management (particularly with outdated legacy systems) and how this interacts with the rights of erasure and data portability.

On enforcement the ICO was asked how its current approach of educating and engaging (rather than necessarily going straight to enforcement) may change given enforcement action by other DPAs. The ICO confirmed that it is not planning to change that philosophy and will continue to collaborate with other regulators and trade associations/industry bodies.

Organisations that operate in multiple member states expressed concern in relation to the operation of the international issues and the consistency mechanism. In particular, whether the GDPR will recognise that an international group may process data for different purposes in different member states, and how that fits with the concept of the “place of main establishment”. The consistency mechanism was however welcomed as a means of ensuring so far as possible a common approach across member states. Conversely, there is potential for conflicts of laws and guidance where data controllers and data processors are located in different member states.

Finally, on criminal justice and law enforcement, the primary concerns here relate to the multiple layers of legislation that will apply, the impact on legacy systems and data sharing (for example, using hubs). Again, stakeholders are looking to the ICO for guidance on interpretation and approach.

Two overarching themes also emerged from the plenary session:

  • the need to ensure that practical advice is made available to SMEs and others who are unlikely to have internal expertise or budget to engage external support; and
  • the new fines and enforcement regime is a major cause for concern and may encourage organisations to take overly cautious approaches. That may, for example, mean that privacy notices contain too much information, which may make them less accessible to data subjects.

Next steps for GDPR guidance

The ICO was clear at the outset that aside from addressing obvious contradictions in the drafting and other minor issues requiring tidy up, the text of the GDPR is now essentially finalised. The GDPR is not going to be changed because a provision is uncertain or data controllers think that it is impractical (or simply don’t like it).

Rather, the ICO will use the feedback from the workshop (and other sessions) to identify areas where guidance is needed as a matter of priority and where it needs to work with data protection authorities in other member states to develop clear positions (noting of course that the GDPR does allow for some areas where member states can choose to implement a provision in a particular way – for example, the digital age of consent).

The ICO is already working with its counterparts in other member states through the Article 29 Working Party (which will morph into the European Data Protection Board) and factoring the GDPR into its new guidance (including, for example the consultation launched last week on a new Privacy Notices Code of Practice).

Given the GDPR’s intention for consistency across EU member states, it is inevitable that the ICO’s current pragmatic approach to interpretation will change. Data controllers will clearly want early sight of the new guidance but the ICO was unable to provide a timetable for when that will be issued.

Starting your GDPR compliance programme

In the meantime, data controllers will need to start thinking about how they will review and update their policies, procedures, contracts and systems so that they can make the changes necessary to comply with the GDPR. To find out how Brodies can help with that, please get in touch.

To keep up to date with the latest developments on the GDPR and to receive information about our seminars and briefings, follow the @BrodiesTechBlog Twitter account, sign-up for our e-bulletins, or follow our blog.



Preparing for the General Data Protection Regulation – attend our free seminars


Earlier this week, the Information Commissioner’s Office published a short guide (PDF) setting out 12 steps that organisations can take now to help them prepare for the new General Data Protection Regulation (GDPR), which will come into effect in 2018.

The GDPR will impact on all organisations in the UK and require them to review their approach to handling personal information, their internal policies and procedures and ensure that privacy issues are considered at the outset of any new project. The new laws are backed up by stronger enforcement powers including fines of up to €20m or 4% of global turnover.

With little over two years to go until the new laws come into force, organisations need to start thinking now about their compliance programme.

To help organisations prepare, we will be hosting a series of free seminars at our offices in Aberdeen, Edinburgh and Glasgow, featuring contributions from Scotland’s leading experts on Data Protection and Information Law:

  • Aberdeen – Thursday 19 May 2016 (12:00 to 13:30)
  • Edinburgh – Tuesday 12 April 2016 (08:30 to 10:00)
  • Glasgow – Wednesday 27 April 2016 (08:30 to 10:00)

If you would like to sign up to attend, please follow the relevant link above.

In the meantime, if you would like to discuss how the GDPR will impact on your organisation and the steps that you should be taking, please get in touch with me, Grant Campbell or your usual Brodies contact.



GDPR passes final approvals


The General Data Protection Regulation (GDPR) has passed through the final stages of approval, clearing the way for publication in the Official Journal. The GDPR will come into force roughly two years following the date of publication.

Following political agreement between the European Commission, the Council of Europe and the European Parliament in December last year, the compromise text has been going through a formal adoption process.

Last week, the text was approved by EU member states in a vote by the Council of the European Union. Today the final part of the process took place with approval from the European Parliament.

Whilst the final text of the GDPR itself has now been formally approved, much of the detail will be set out in other documents.

Guidance will be issued by the European Data Protection Board (which replaces the Article 29 Working Party grouping of national data protection authorities) and member states will need to pass national implementing legislation in relation to those areas of the GDPR where member states are given derogated powers to legislate. The European Commission is also provided with the power to adopt delegated acts and implementing acts. It is expected that more detail on this will be published over the coming months.

Preparing for the GDPR

GDPR Seminars

We are running a series of events in our offices to explain what is changing with the GDPR and what organisations should be doing to prepare for the GDPR coming into force in 2018.

You can register by following these links:

  • Glasgow – 27 April 2016
  • Aberdeen – 19 May 2016

If you’d like to discuss how the GDPR will impact on your organisation or what you should be doing to prepare, please get in touch with me or your usual Brodies contact.

    GDPR to apply from 25 May 2018


    The new General Data Protection Regulation (GDPR) has now been published in the Official Journal, firing the starting gun on the countdown to compliance. Yesterday’s publication of the official text follows on from final approvals from the Council of the European Union and the European Parliament.

    When will the GDPR come into effect?

    The GDPR will apply from 25 May 2018, meaning that organisations have just over two years to prepare.

    How will the GDPR impact my organisation?

    The GDPR will require all organisations to review and update their processes and practices for the handling of personal data. In order to assess the level of impact and the steps required to ensure compliance, each organisation will need to carry out a detailed review of how it currently collects and uses personal data and the adequacy of its internal policies and procedures.

    Unless an organisation has a full picture of how it currently processes personal data, it will not be able to work out what needs to be done to ensure it is compliant come May 2018.

    Where can I find out more about the GDPR?

    We are already working with clients to help their organisations plan and prepare for the GDPR. To find out how we can assist you please contact me or your usual contact in Brodies’ Data Protection and Information Law team.

    To get an overview of the key changes download our two page summary to the GDPR (PDF).

    We’ll also continue to blog and tweet about the latest developments on the GDPR, including new guidance from the Information Commissioner and UK implementing legislation. You can register for updates.

    Meantime, if you are in Aberdeen on 19 May then you can catch the last leg of our BInformed seminar series on the GDPR, explaining the key changes and what organisations should be doing to prepare. We’ll be running more BInformed seminars later in the year.


    Commission launches public consultation on e-Privacy Directive


    As part of its vision to achieve a digital single market, the European Commission has taken the first steps in reviewing the Privacy and Electronic Communications Directive (the “ePrivacy Directive”), by launching a consultation on the effectiveness, relevance, coherence and efficiency of the Directive as well as suggesting possible future reforms.

    The ePrivacy Directive was implemented in the UK through the Privacy and Electronic Communications (EC Directive) Regulations 2003, which were subsequently updated to reflect amendments to the ePrivacy Directive dealing with the use of cookies.

    The ePrivacy Directive complements the existing Data Protection Directive (95/46/EC) and is concerned with the protection of personal data being processed in the electronic communications sector. The ePrivacy Directive essentially sets out additional rules in relation to electronic communications.

    The timing of the consultation is unsurprising following final approvals of the EU General Data Protection Regulation (“GDPR”), which will overhaul the current EU data protection landscape.

    This is reflected in the Commission’s objectives, which are aimed at ensuring a high level of protection for EU citizens whilst promoting a level playing field for those operating within the electronic communications sector:

  • promoting consistency with the new GDPR;
  • evaluating the need (if any) to broaden the technological scope of the Directive in light of recent internet-based communication providers; and
  • enhancing the security and confidentiality of communications in light of newer tracking methods, and in particular the need to ensure confidentiality of whole communication chains.

    In particular, given the strict new rules in the GDPR on consent and the prohibition on the use of pre-ticked boxes, it seems inevitable that the so-called “soft opt-in” for electronic marketing under the PECR will not be permitted following the review.

    It is also reasonable to expect enforcement powers to be aligned with the enhanced powers to fine under the GDPR and the use of a regulation to ensure greater consistency in the laws across the EEA.

    The consultation is open until 5 July 2016. The consultation takes the form of an online questionnaire. You can submit your response through the Commission’s website.


    ICO sets out plans for GDPR guidance


    Following last month’s publication of the final text of the General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) recently set out its plans for issuing updated guidance to organisations under the GDPR.

    Phase 1 – priority actions

    The first phase of the ICO’s programme, covering the next six months, focusses on ensuring that organisations are familiar with the key changes being introduced by the GDPR and have the building blocks in place to develop their compliance strategies.

    Outputs will include:

    • An overview of the GDPR
    • Guidance on individual rights
    • Contracts
    • Consent
    • the updated Privacy notices code of practice

    The ICO will also be contributing to EU wide guidance on the following areas, which the Article 29 Working Party has identified as priority areas:

    • Identifying an organisation’s main establishment and lead supervisory authority
    • Data portability
    • Data protection officers
    • Risky processing and data protection impact assessments (AKA privacy impact assessments)
    • Certification

    The ICO will also carry out preparatory consultation and stakeholder workshops on a number of other key areas, including profiling, the new record keeping obligations, the relationship between data controllers and data processors, and international transfers.

    Phase 2 – identifying areas for review/developing toolkits

    As part of phase 2 the ICO will review and map its current guidance against the GDPR and prioritise key areas for action. Concerningly, the ICO makes clear that some of the refreshed content may not be available prior to the GDPR coming into force in May 2018.

    Phase 2 will also involve the development of tools and resources, with a particular focus on SMEs, who are unlikely to have internal expertise or be in a position to engage external support. The timescales for these toolkits being made available are not yet clear.

    Phase 3 – bulk guidance refresh/production

    The final phase will implement the actions identified during phase 2. Where possible, the ICO will seek to adapt its existing guidance under the Data Protection Act, with a view to ensuring some familiarity with the existing regime. The ICO will also signpost relevant European level guidance (developed by the WP29) and “translate” it into ICO guidance as and where necessary. It is here that data controllers are likely to see the biggest changes in approach as the GDPR’s consistency mechanism comes into play.

    Will the GDPR lead to a change in the ICO’s approach to regulation?

    The ICO has acknowledged that the consistency mechanism under the GDPR is likely to require it to change its current business friendly approach to guidance and enforcement. At a recent conference, Ian Bourne, the ICO’s DP Policy Delivery Group Manager, said:

    The ICO’s traditional ability to be flexible and business savvy will be under much more scrutiny from other DPAs and the European Data Protection Board (EDPB) as well as the European Commission. So we will have some challenging times internationally.

    That said, there are around 40 areas where member states can exercise national discretion (for example, the age at which the rules on digital consent apply). In those areas, the ICO expects the UK Government to adopt an approach to implementation that is similar to that which applies currently.

    Where can I find out more about the GDPR?

    Download our summary (PDF) to find out how the GDPR will reform data protection laws in the UK. You can also follow our updates on this blog.

    If you would like to discuss what your organisation should be doing to prepare for the GDPR, and how we can help, please get in touch.


    Data Protection and Brexit


    As the dust settles on the vote to exit the European Union, many of us currently grappling with the intricacies of the new European Data Protection Regulation (finalised only last month although it seems like years ago) may be forgiven for giving an enormous sigh of relief and putting our already well-worn copies on a shelf to gather dust – but is it that simple?

    Unfortunately not. There are a couple of reasons.

    1. Last week’s vote does not mean that the UK has exited the EU. The UK remains a member state and will do so until the exit process has been completed and that is unlikely to happen before 2018. The GDPR comes into force on 25 May 2018 and unless the UK has ceased to be an EU member state before that date then the GDPR will take effect in the UK, unless (presumably) both sides agree otherwise.

    2. Even if the UK has ceased to be an EU member state before the date that the GDPR comes into force, its terms will still be relevant to the UK. Firstly, the GDPR contains provisions that require non-EU organisations processing personal data of EU citizens for the purposes of offering goods and services (or monitoring activities) to comply with its terms in relation to that processing.

    So, for example, UK companies targeting online sales to EU citizens will be caught. Secondly, transfers of personal data from the EU to the UK will need to comply with the GDPR as well. So, if the UK wishes personal data to be easily transferable from the EU to these shores, it will need to adopt the GDPR or some other data protection law that the EU recognises as giving adequate protection to personal data.

    Meanwhile, as the ICO has said in a press release, the Data Protection Act 1998 continues to apply.

    Moreover, in the ICO’s view:

    With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case.

    Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.

    Grant Campbell Brodies LLP


    eIDAS – a new framework for electronic signatures


    Last week, a new EU-wide Regulation (eIDAS) took effect with the aim of further harmonising EU laws on the use of electronic signatures. As the Regulation has direct effect (and therefore overrides conflicting member state laws), consequential amendments have also been made to existing UK laws such as the Electronic Communications Act 2000, and the Electronic Signatures Regulations 2002 have been repealed.

    What does eIDAS do?

    Effective identity verification systems are a key part of delivering the European Commission’s aim for a Digital Single Market and enabling greater use of electronic contracting. eIDAS replaces a Directive from 1999 and is intended to standardise and ensure mutual recognition of electronic signatures across the European Union.

    eIDAS sets out specific rules in relation to what are called advanced electronic signatures (AES) and qualified electronic signatures (QES). A QES is a form of AES where the signature is created using a qualified electronic signature creation device (eg a secure smartcard) and the identity of the individual is certified by a qualified trust services provider.

    In particular, eIDAS:

    • makes clear that an electronic signature shall not be denied legal effect and admissibility solely on the grounds that it is in electronic form;
    • gives QESs the equivalent legal effect of a handwritten signature; and
    • provides a legal framework for cross-border electronic identity and trust services, through mutual recognition of QESs issued within an EU member state.

    What does eIDAS mean for electronically signing contracts in Scotland?

    eIDAS will have little practical effect on the laws dealing with electronic signatures in Scotland and England and Wales. The reason for this is that both legal systems in the UK already give broad recognition to electronic signatures (in whatever form they may be) for the majority of contracts. The issue largely comes down to whether, from an evidential perspective, the electronic signature provides sufficient certainty of the person’s identity and intention to form a contract.

    To put that another way, if challenged, can you prove that the person you think authenticated a document did indeed do so? That is much easier to do with an AES or a QES, compared to a simple electronic signature.

    Unlike England and Wales, AES and QES are given special prominence under Scots law and, indeed, are required in order to electronically authenticate certain types of documents. Under Scots law, authentication using a QES is given the same status as a witnessed wet ink signature. However, one (perhaps) unintended consequence of the Scottish legislation is that it is less flexible than the law in England and Wales when dealing with the reliance that can be put on less secure (but more commonly available) forms of electronic signature.

    One of the main barriers to the adoption of electronic signatures (and a criticism of the 1999 Directive) has been the limited availability of AESs and QESs.

    Notably, the basic signing functionality in online platforms such as Adobe Sign does not satisfy the requirements for an AES or QES. Whilst these platforms do provide some metadata which may assist in proving the identity of the signatory, the provider does not verify that person’s identity. If you wish to use these platforms with a secure signature such as an AES or QES then you will need to use an AES or QES provided by a third party trust services provider.

    Whilst a number of providers make available B2B solutions (for example, the Law Society of Scotland’s smartcard, which provides all Scottish solicitors with a QES, or closed loop systems such as that used by BACS), at present there appears to be no provider in the UK of publicly available QESs for use by individuals.

    This may change given the new cross border framework in eIDAS, as trust providers will be able to provide individuals with a QES that will be recognised across the EU.

    Can I use electronic signatures for my business?

    As noted above, not all electronic signatures are equal. Different types of signatures provide different levels of identity assurance, and certain types of documents can only be authenticated using more robust forms of electronic signature. For example, a bank card PIN is a form of (simple) electronic signature. More secure signatures such as AES and QES use PKI technology and third party verification of the signatory’s identity, with a specific liability regime applying to providers of QES services.

    When using electronic signatures it’s important to think about both the legal and commercial risks and weigh these up against the commercial and administrative benefits of using electronic signing. For many contracts, using a simple electronic signature may be sufficient, but for higher value/higher risk contracts it may be appropriate to require the use of an electronic signature that provides a greater degree of certainty.

    You should therefore carry out appropriate diligence on the proposed signing system before it is used. Remember, also, that certain types of contract or documents may be subject to specific rules on the use of electronic signatures.

    We have advised a number of clients on the use of electronic signatures and the commercial and legal risks involved. If you would like to discuss this further, please get in touch.

    UK courts make it easier to shut down infringing websites ‘en masse’


    Killing multiple birds with one stone? Court of Appeal affirms Brand Owners can prevent large scale on line trade mark infringements in one fell swoop.

    It is good news for brand owners that today the English Court of Appeal has confirmed that they can in principle use court orders to block websites which are alleged to infringe their trade marks.

    A previous decision of the High Court in favour of the trade mark owner Richemont had been appealed by the five ISPs included in the case – namely Sky, BT, EE, TalkTalk and Virgin. Richemont were seeking an injunction against the ISPs to force them to use technology to prevent access to third party sites which were selling counterfeits of Richemont products. The ISPs appealed, arguing that UK law did not provide for this type of remedy in a trade mark case and also that the costs to them would be disproportionate to the benefits to be gained, as such sites were not used to the same extent as copyright infringing ones. Helpfully for brand owners, the Court of Appeal disagreed and dismissed these arguments.

    Unlike with copyright, UK law does not provide directly for this type of remedy in a trade mark case, as the UK government opted not to implement the particular provision of the relevant EU Directive into national law. That provision was as follows: ‘Member States shall also ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right, without prejudice to Article 8(3) of [the InfoSoc] Directive.’ The government felt that there was a broader UK law provision (namely s37(1) of the Senior Courts Act 1981, which states “[t]he High Court may by order (whether interlocutory or final) grant an injunction … in all cases in which it appears to be just and convenient to do so.”) which would allow for that in any event.

    What did the court decide?

    In this case the Court of Appeal noted that, although the ISPs were not themselves infringing third party IP or under any duty to take care not to so infringe, the infringing websites needed the services of the ISPs to be in a position to offer for sale and sell their counterfeit goods to UK consumers. Thus “the ISPs are therefore inevitable and essential actors in those infringing activities.”

    Even though the provision of the EU Directive in question had not been implemented in the UK, the national law must be interpreted and applied consistently with it. This meant that the UK law provision above could be used to give the court jurisdiction to deal with the application and to grant it if it was just and convenient to do so. Helpfully too, the Appeal decision indicated that the courts “were able to adapt to new circumstances by developing their practice … where it is necessary and appropriate to do so to avoid injustice …”

    What does this mean for trade mark owners?

    It is a good decision for trade mark owners, who struggle continuously to deal with online infringements. The intermediaries offer a route to cutting off the infringing website owners en masse and avoiding the expense of having to pursue them on an individual basis – that is, on the assumption they can be traced in the first place. The ISPs were required to bear the costs of the technical steps involved in complying with the order but could choose to pass this on to their subscribers.

    Will Brexit have an impact on this decision?

    It is also a timely decision bearing in mind the recent Brexit vote, as it confirms that there should still be scope for the UK to grant this type of order even upon Brexit: even in the absence of implementation of the Directive’s provision, there is UK law which can be used to the same effect. That said, these types of orders are now likely to become more popular as a result of this decision, and as they do, the UK Government may want to put the matter beyond doubt in the event of an actual Brexit by implementing specific and effective measures in UK legislation.

    Gill Grassie

    Gill Grassie is a Partner within Brodies’ award-winning IP/IT Litigation team.

    Hilfiger and Burberry secure victory over counterfeit markets


    Today the Court of Justice of the European Union (CJEU) has issued a judgement which will be welcomed by brand owners as a new weapon to tackle the sale of counterfeit goods in physical marketplaces.

    A number of leading fashion brands including Tommy Hilfiger, Lacoste and Burberry requested that the Czech Court order Delta Centres, the tenant of a market place which sub let stalls to tenants, to take steps to stop trade mark infringement and essentially not allow traders selling counterfeit goods to have stalls in the market.

    A reference was made by the Czech Court to the CJEU asking whether Delta Centres could be classified as a third party intermediary and so be ordered to stop existing infringements and police the same future infringements against tenant stall holders in terms of the 2004 European IP Enforcement Directive.

    Article 11 of the Directive provides that “Member States shall ensure that, where a judicial decision is taken finding an infringement of an intellectual property right, the judicial authorities may issue against the infringer an injunction aimed at prohibiting the continuation of the infringement… Member States are also to ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right”.

    In 2009 the CJEU ruled in the L’Oreal v Ebay case that on-line selling platforms such as Ebay were intermediaries. Today the CJEU has also confirmed that physical market places are also caught and that providing or renting physical spaces to tenants makes you an intermediary who can be ordered to stop infringement of IP. There is no distinction between on-line and physical market spaces.

    This means that the operator of physical market places can be ordered to stop and police infringements. The judgement stresses that any injunction/interdict must be effective and dissuasive, equitable and proportionate, not excessively expensive or a barrier to legitimate trade.

    It will be up to national courts in member states to apply the new CJEU ruling, but it will be welcomed by brand owners as a potential threat and weapon for use against markets which have a reputation for selling large volumes of counterfeit goods. It should encourage operators to assist with requests to take action against counterfeit traders as otherwise the operator could be ordered by a court to stop the existing infringements and even police against the same infringements in future.

    There is no reason why the same reasoning would not be applied in relation to copyright and design rights. Today could well be the start of a clampdown against notorious counterfeit markets, and just in time for the holiday season.

    As ever there is no such thing as a bargain that is too good to be true and this is a positive step for brand owners in the fight against counterfeits.

    Robert Buchan Brodies LLP

     

    The post Hilfiger and Burberry secure victory over counterfeit markets appeared first on blogs.

    Protecting IP against unauthorised 3D Printing of products – the new industrial revolution?


    3D printing could be the new industrial revolution. However, as a truly disruptive business model, it could also completely change the shape of Intellectual Property Rights (IPRs) and how they are used, as well as undermine their value. This is because it offers an easy and increasingly affordable way to digitally manufacture and essentially produce an exact copy of a product. Gartner predicted in 2014 that by 2018, companies would lose $100 billion worth of IP due to 3D printing. That is a scary statistic.

    Facilitating infringement of IPRs

    Whilst there are huge advantages to businesses that can use it to prototype, as well as manufacture, new products, including spare parts, it will also make it very easy to infringe IP rights across the board. It has vast potential applications from spare parts, medical devices, tailored pharmaceutical drugs to more simple industrial and mechanical devices – it is all possible. Many of these products are patented, trademarked and/or protected by design right/copyright.

    Home printing by consumers will also become more commonplace and this will be difficult, if not impossible, to stop. This activity will not always be actionable in any event, as, depending on the type of IP involved, the “personal use” defence may apply. Even if it is actionable, as the music industry has experienced with illegal peer to peer file sharing, this type of consumer “infringement” is not easily dealt with. It can also result in adverse, unwanted publicity. Thus the possibility of online sharing of unauthorised CAD files (used in the 3D printing process) may increase and exacerbate the scale of the problem.

    Virtual transport of counterfeits

    Large scale illegal counterfeiting will also be assisted by 3D printing technology as it becomes more widely available. A product no longer needs to be manufactured in a particular jurisdiction where IP might not perhaps be an issue and can simply be exported digitally from there in the form of the CAD file direct to consumers en masse into a jurisdiction in which there is infringement. This avoids physical imports through customs and takes away the added protection that IP owners can obtain by using such procedures to seize infringing goods at the border.

    Protecting your rights in the age of 3D printing

    The existing laws and remedies on IP protection such as the potential availability of blocking orders against ISPs hosting websites offering the means to infringe may not be the complete answer. In addition it could render patents specifically for novel processes for products much less valuable as use of 3D printing will avoid infringement. That said it will still be of benefit for original manufacturers and IP owners to gear up and obtain as much registered IP protection around their products as possible. Registered designs seem an obvious candidate for protection of features of 3D product designs. The rights owners may also wish to get ahead of the game and learn lessons from the music industry.

    Perhaps one way of helping to prevent or mitigate the problem is to address it head on and for businesses to secure their own IP rights to their 3D files and even their own unique 3D printing processes that optimise the process for users. As a complementary offering to traditional retail sale online or offline, customers could be offered the chance to buy legitimate 3D files to use to produce products at home. A licence model may work but would need to be carefully thought through to eliminate the possibility of unauthorised multiple use. Making this process easy and cheap for the consumer could be another way forward.

    Ultimately though the alternative to engaging with and embracing the new technology may mean devaluing IP rights as well as potential huge loss of sales revenue, as a result of growth in illegal counterfeits.


    Gill Grassie


    Cybersecurity Directive enhances security responsibilities for Digital and Essential Service Providers


    On 6 July the European Parliament approved the Network and Information Security Directive (the “NIS Directive” – aka the ‘Cybersecurity Directive’) which sets out a common framework for EU Member States’ responsibilities and obligations in relation to cyber security.

    The cybersecurity threat

    Organisations of all sizes are under the constant threat of theft of intellectual property from systems, private data being compromised and leaked online or fraudulent activity taking place using corporate systems or gaining access via so-called ‘social engineering’ attacks.

    The UK Government Cyber Security Breaches Survey 2016 Report illustrates the gravity of the cybersecurity risks facing businesses:

    • 65% of large firms detected a cybersecurity breach or attack in the past year;
    • 25% of large firms that detected a breach experienced at least one per month;
    • the average cost of a breach to a large organisation is £36,500; and
    • only 13% of all businesses set cyber security standards for their suppliers.

    In an increasingly interconnected and interdependent commercial world, these risks are faced by organisations across jurisdictions and borders. Recognising this challenge, the ‘Cybersecurity Strategy for the European Union’ and the ‘European Agenda on Security’ have been launched over the last 3 years to rise to these challenges.

    The goal of these EU initiatives is to provide the overall strategic framework for the EU approach to cybersecurity and cybercrime and this latest development introduces enhanced responsibilities for essential and digital service providers.

    What does the NIS Directive do?

    The NIS Directive introduces minimum standards and levels of cyber security across EU Member States for certain types of organisations. The NIS Directive will regulate private and public operators of “essential services” in industries like energy, financial services, transport, banking, and water.

    The NIS Directive also includes requirements for digital service providers (“DSPs”), such as online marketplaces, online search engines or cloud computing service providers (but not social networks, which were removed from the definition of DSP after appearing in earlier drafts).

    Organisations with fewer than 50 employees are generally exempt from the NIS Directive.

    Organisations covered by the NIS Directive will be under an obligation to report any security incidents to the national competent authority set up by the Member State to monitor the application of the Directive. The Directive requires any security incidents which have an “actual adverse effect” on the security of networks and information systems to be reported. As a result, organisations need to consider and adopt common steps to manage the cybersecurity risk.

    What impact will the NIS Directive have on UK businesses?

    Key issues for organisations to consider are:

    • Security and incident reporting;
    • Voluntary reporting;
    • Enforcement and sanctions; and
    • Information sharing.

    In real terms this will mean further investment in organisational security. Investment will be required not only in IT systems and hardware, but also in the improved security policies, practices, monitoring and reporting standards that the Directive calls for within organisations.

    A significant issue for DSPs is the incident reporting requirement and, in particular, when an incident is considered to have a ‘substantial impact’ on the services the DSP provides.

    Assessing whether or not an incident has a substantial impact will require consideration of the number of users affected, the duration of the incident, its geographical spread, and its impact on users and on the organisation itself. Businesses should therefore ensure they have the monitoring, systems and processes in place to assess the nature of a security incident quickly, and that the data and analytics are readily available to conclude whether an issue has had, or is likely to have, a substantial impact.
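    As an added illustration (this is example code written for this post, not code from the Directive or from any regulator), the function below shows the kind of automated first-pass triage the paragraph above calls for: it takes constructed sample telemetry about an outage and derives the three impact parameters the Directive names (users affected, duration, geographical spread), then compares them against notification thresholds. The numeric thresholds are an assumption for illustration only; the Directive sets no figures, and the sample event lists are constructed rather than real data.

```python
"""Illustrative NIS-style incident impact triage (added example, not from the Directive)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The Directive names the parameters (users affected, duration, geographical spread)
# but sets no numbers. These thresholds are an ASSUMPTION for the example only.
ASSUMED_THRESHOLDS = {
    "users_affected": 1000,   # distinct users impacted
    "duration_hours": 4.0,    # hours between first and last affected event
    "countries": 2,           # distinct countries with affected users
}

# Constructed sample telemetry: (UTC timestamp, affected user id, user's country).
MAJOR_OUTAGE = [
    ("2016-08-08T09:00:00Z", "u1", "GB"),
    ("2016-08-08T09:30:00Z", "u2", "GB"),
    ("2016-08-08T11:00:00Z", "u3", "IE"),
    ("2016-08-08T12:45:00Z", "u1", "GB"),
    ("2016-08-08T14:15:00Z", "u4", "DE"),
]
MINOR_GLITCH = [
    ("2016-08-09T10:00:00Z", "u9", "GB"),
    ("2016-08-09T10:10:00Z", "u9", "GB"),
]


@dataclass
class ImpactAssessment:
    users_affected: int
    duration_hours: float
    countries: tuple          # sorted ISO country codes with affected users
    substantial: bool         # True if any assumed threshold is met or exceeded
    reasons: list = field(default_factory=list)


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_impact(events, thresholds=ASSUMED_THRESHOLDS) -> ImpactAssessment:
    """Derive the Directive's impact parameters from raw events and apply thresholds."""
    if not events:
        raise ValueError("no events to assess")
    times = [_parse_utc(ts) for ts, _, _ in events]
    users = {uid for _, uid, _ in events}
    countries = tuple(sorted({c for _, _, c in events}))
    duration_hours = (max(times) - min(times)).total_seconds() / 3600.0

    reasons = []
    if len(users) >= thresholds["users_affected"]:
        reasons.append(f"{len(users)} users affected >= {thresholds['users_affected']}")
    if duration_hours >= thresholds["duration_hours"]:
        reasons.append(f"duration {duration_hours:.2f}h >= {thresholds['duration_hours']}h")
    if len(countries) >= thresholds["countries"]:
        reasons.append(f"spread across {len(countries)} countries >= {thresholds['countries']}")

    return ImpactAssessment(len(users), duration_hours, countries, bool(reasons), reasons)


def notification_summary(assessment: ImpactAssessment) -> dict:
    """Fields a team would hand to the competent authority; cross-border flag is a
    hypothetical field chosen for this example."""
    return {
        "notify": assessment.substantial,
        "users_affected": assessment.users_affected,
        "duration_hours": round(assessment.duration_hours, 2),
        "countries": list(assessment.countries),
        "cross_border": len(assessment.countries) > 1,
        "reasons": list(assessment.reasons),
    }


if __name__ == "__main__":
    for name, events in (("major", MAJOR_OUTAGE), ("minor", MINOR_GLITCH)):
        print(name, notification_summary(assess_impact(events)))
```

    The point of deriving the parameters from the raw events rather than from a manually written incident ticket is that the numbers are then available within minutes of detection, which is what a short notification deadline demands. In practice the thresholds would come from the national competent authority once it publishes them, and the event feed would be the service’s own availability or error telemetry.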

    When will the NIS Directive come into force?

    The NIS Directive comes into force in August 2016. EU Member States will then have 21 months to implement it through national legislation.

    Will the NIS Directive be affected by Brexit?

    It is possible that the deadline for Member States to implement the NIS Directive will pass before Brexit takes place. At the time of writing, it is unclear to what extent the UK will continue to legislate in accordance with directives coming from the EU following or in the run-up to Brexit.

    However, irrespective of the UK legal landscape post Brexit, as with the forthcoming General Data Protection Regulation (GDPR) businesses in the UK need to be aware of their responsibilities.

    This is especially critical for DSPs offering services EU-wide. The NIS Directive requires a DSP that is not established in the EU but offers services within it to designate a representative in one of the Member States where those services are offered. UK businesses offering digital services in the EU will therefore continue to be subject to the NIS Directive notwithstanding Brexit.

    You can find out more about the practical implications of Brexit on our Brexit Hub.

    Next steps

    The NIS Directive will be implemented in the UK by national legislation.

    Whilst the Government has not yet published its proposals, there are steps that you can take to prepare for the NIS Directive, such as reviewing your internal security policies to identify potential gaps in your procedures.

    The NIS Directive can also be used as a means of opening up a dialogue generally within your organisation around internal security policies, IT security and staff training and the need for further investment in these areas to ensure compliance with the NIS Directive and the GDPR.

    To discuss how the NIS Directive might affect your organisation and what you should be doing to prepare for the NIS Directive and the GDPR, please get in touch.

    Anoop Joshi is a solicitor in Brodies’ award winning IP/IT Litigation Team

    The post Cybersecurity Directive enhances security responsibilities for Digital and Essential Service Providers appeared first on blogs.

    Do the commercial agents regulations apply to the sale of software?


    In a recent decision by the High Court, it was held that software falls within the definition of “goods” for the purposes of the Commercial Agents (Council Directive) Regulations 1993 (the “Regulations”).

    Background

    Given the intangible nature of software, its classification has long been problematic for those operating within the software industry.

    Under legislation such as the Sale of Goods Act (SOGA), it is settled law that software constitutes goods where it is provided on physical (tangible) media, such as a CD or memory stick. This is an important distinction, as the SOGA imposes a number of implied terms into the contract of sale that do not apply to a contract for the provision of services.

    Software is often promoted by agents or intermediaries, with the agent or intermediary being paid commission for the sales that they facilitate.

    The Regulations provide commercial agents with a number of measures to protect the investment that they have made in their agency. The Regulations set out mandatory provisions such as the payment of compensation to an agent on termination of his agency, as well as an entitlement (in certain circumstances) to commission post-termination. These can result in significant pay-outs on the part of the principal.

    However, the Regulations apply only in the context of “goods”. They do not apply to the provision of “services”. The legal classification of software is therefore key in determining the application of the Regulations to an agent involved in the promotion and sale of software applications.

    Unfortunately, the term “goods” is not defined in the Regulations.

    Software Incubator Ltd v Computer Associates: The Facts

    The case concerned a non-exclusive agency arrangement between The Software Incubator Ltd (TSI) and Computer Associates UK Ltd (CA), where TSI acted as CA’s agent for the promotion of a particular commoditised software product. The software was licensed on a perpetual basis and was made available electronically, rather than on physical media.

    The Court declined to follow the SOGA case law and held that the software in question fell within the definition of “goods” for the purposes of the Regulations, despite being supplied in an intangible format.

    The Court held that the software was a product, rather than a service, and that the method of delivery was not relevant:

    These days I would suggest that the essential characteristics of a piece of software like the Product cannot depend on its mode of delivery any more than the nature of tangible goods depends on whether they are transported by rail, sea or air.

    What does the Court’s decision mean in practice?

    Organisations involved in the sale or promotion of software under commission-based arrangements will need to review those arrangements to understand the extent to which the Regulations might apply to those arrangements.

    In particular, the decision may mean that the principal (ie the software licensor) is liable to pay an introducer or agent compensation upon the termination of that appointment. If those costs were not anticipated then that could have a material impact on the commercial arrangements between the parties.

    Software licensors should also review their standard form agency or referral contracts to determine if any steps can be taken to mitigate the potential application of the Regulations.

    Does the decision apply to all types of software? What about the Cloud?

    What is less clear is how the decision will apply to software that is not licensed on a perpetual basis.

    Software is increasingly licensed on an annual licence/subscription fee basis or provided through the web as Software as a Service (SaaS).

    Whilst the Court has tried to ensure that the law keeps pace with the “modern world” and the move away from providing software on physical media, it seems that the problem has simply been shifted further down the line – the concerns that the Court attempted to address as between the provision of software on physical media and electronic supply may continue to apply where software is licensed on a subscription licence basis or where it is provided on a cloud hosted basis.

    Under those models, the user simply rents the right to use the software for a limited period, rather than acquiring an outright perpetual licence. That is much more akin to a service than outright ownership of goods.

    Despite an emphasis on ensuring that the law reflected the “modern world” there is no mention of these other ways of making software available. It seems unlikely that the Court’s reasoning could be extended to apply to subscription licensing or SaaS, meaning that different forms of software distribution are likely to continue to be treated differently.

    That means organisations involved in the marketing and sale of software will need to look carefully at the products and services involved to identify whether the Regulations might apply to their marketing and agency arrangements and how that might impact on their commercial model for recompensing sales intermediaries.

    To discuss your commercial arrangements for the sale and distribution of software products, and how the decision might impact on your business, please get in touch.


    Unusual use of Customs and Excise can keep your Intellectual Property Rights intact


    IP owners do not always have to go to court to stop or resolve infringement disputes. Aside from a number of well known alternative dispute resolution processes there is another less known method which can achieve great and cost effective results.

    Registering your IP with Customs

    Under an EU Regulation of 2013 (Regulation (EU) No 608/2013), IP owners can register their intellectual property rights (IPRs) via an Application for Action with the relevant Customs authority in the EU state(s) in which the IPRs apply. Most types of IPRs qualify, including unregistered rights such as copyright, design rights and passing off. This means that where Customs identify suspect infringing or counterfeit goods at the relevant border(s) they must detain them.

    As far as registered trade marks are concerned, even if the goods in question are ‘in transit’ and not destined for an EU Member State, they can be seized in view of another recent EU Regulation. The latter will apply unless the ‘infringer’ can establish that the goods would not infringe IPRs in the ultimate destination country.

    Options when goods are seized

    Clearly, it assists to provide Customs with as much detail as possible about, for example, the ‘infringing’ goods, how to differentiate them from the real thing, and where they are likely to come from and be going to etc.

    If suspect goods are seized the IP owner will have 10 working days (possibly extendable) to inspect these and decide if they infringe. If they do, they may consent to their destruction. The “infringer” will also however be given 10 days to consent or object to this.

    Only if they object within the 10 day timeframe will court proceedings be needed to decide whether there has been an infringement. Where the goods identified are in small consignments (three units or fewer, or a gross weight of less than 2 kg), and if the Application has authorised it, Customs may destroy them without any consent from the IPR owner, provided the ‘infringer’ does not object. This can lead to savings of time and cost.

    These Applications last for a year and can be renewed at that stage.

    As these procedures are based on an EU Regulation, absent any successful negotiation to maintain the UK’s participation post Brexit, they will cease to apply to the UK Customs/UK IPRs. However, it will still be open to UK IP based owners to use them so far as the rest of the EU is concerned.

    IP owners should seriously consider use of this cost effective and efficient weapon where they are concerned about infringing or counterfeit imports coming into the EU from elsewhere.

