Channel: IP, Technology & Data – Brodies Blog

Directive on Copyright in the Digital Single Market: What you need to know


Following recent leaks of the Draft Directive on Copyright in the Digital Single Market (“the Directive”) and the EU Commission’s Communication relating to the Directive (“the Communication”), we round up a list of the key proposed changes to the copyright legal landscape.

The Directive is in early form and still subject to review by the EU Parliament and Member States and its final form may well be different from what is laid out in these proposals. In this blog we look at the key points you need to know about the Directive, how the proposals have been received and the potential impact the package of measures may have on businesses operating in the EU.

The Digital Single Market

The Directive comprises a suite of measures focused on promoting a fair and efficient European copyright-based economy in the Digital Single Market (“DSM”). The DSM aims to reduce differences between national copyright regimes and promote wider access to online content across the EU. To achieve this it plans to focus on:

  1. Ensuring wider access to digital content across the EU;
  2. Adapting exceptions to infringement of copyright in digital and cross-border environments;
  3. Achieving a well-functioning marketplace for copyright; and
  4. Providing an effective and well-balanced copyright enforcement system.

Wider Access to Copyright Content

The package of measures includes proposals for an EU Regulation which will set out the rules relating to the online broadcasting and retransmission of copyright protected works. These rules will simplify and speed up the process for clearing rights for online broadcasting and retransmission services, promoting greater dissemination of works, consumer choice and cultural diversity within the single market.

Mandatory exceptions to copyright

Existing exceptions to copyright allow for the use of copyright protected works without prior consent of the rightsholder. New mandatory exceptions under the Directive have proven to be the most controversial of the proposed changes. The exceptions to copyright, referred to as ‘fair dealing’ in the UK or ‘fair use’ in other jurisdictions, include acts such as copying limited extracts of protected works for non-commercial research, reporting current events, or parody. Presently, most copyright exceptions in EU law are optional for Member States. Thus there is inconsistency of rights between Member States.

The Directive therefore proposes mandatory EU-wide exceptions for the use of copyright protected works for certain purposes in areas like education, research, preservation of cultural heritage and for the benefit of people who are blind or have disabilities and includes a mandatory exception for text and data mining carried out by research organisations. These are all laudable aims but no doubt some will prove more problematic than others. The text and data mining exception for example cannot be overridden by contract and is not limited to non-commercial use. This is bound to give rise to disputes. However the educational use exception should be welcomed in the UK as the existing law on this is very difficult to apply and the current exception can be very narrow in scope.

A well-functioning marketplace for copyright

As content is increasingly consumed and traded digitally across borders, the Commission wants to address growing concerns about the equitable sharing of the value generated by new forms of digital distribution. The marketplace has become increasingly focused on a few key players, especially in relation to the mainstream distribution of music, books, video, movies and television in digital form. This concentration of the marketplace has led to difficulties for rightsholders in controlling and maximising the economic rewards for their copyright works.

Controversially, the Directive proposes measures that seek to redress the balance, which has tipped against rightsholders over the last few decades. One of the most debated of the new measures is the so-called publishers’ ancillary or neighbouring right. Critics claim that Article 11 of the Directive will inhibit access to news publications and provides unnecessarily lengthy copyright protection of 20 years for the publishers. These critics cite the fear that publishers of news media will use this right to charge search engines like Google to display excerpts from copyright works in search results. This is a valid fear which was borne out when similar national measures were put in place in Spain and Germany in recent years. These measures have had a detrimental effect there in relation to access to media and were ultimately regarded as a failure (although in Germany, unlike Spain, the right could be waived by publishers). Other commentators have argued that whilst Article 11 of the Directive may give publishers some leverage, it may be challenging for individual publishers to take on the might of search engine giants like Google and Microsoft.

Provide an effective and well-balanced enforcement system

In the Communication, the Commission expresses its desire to focus its reforms on large-scale commercial infringement of IPRs and will consider options to amend the legal framework in this regard later this year (estimated Autumn 2016). An assessment of the overall functioning of the current enforcement framework is ongoing and early responses reveal that three quarters of respondents made up of rightsholders and public authorities have (perhaps not surprisingly) observed an increase in IPR infringement over the last decade (not just copyright).

Early feedback suggests that a principal concern for rightsholders is that the IP Enforcement Directive has not gone far enough to eliminate the disparities at a national level when it comes to enforcing IPRs. For the moment, the key takeaway is the Commission’s focus on large scale infringements. As specialists in IP disputes, the Brodies IP team will be monitoring developments closely and will keep readers updated as these measures are announced in Autumn 2016.

The Value Gap

The measures proposed by the Directive have been met with mixed reactions. Whilst rightsholders have lauded the attempt by the Commission to address the “value gap” (being the concern that online platforms like Spotify, Netflix and YouTube have driven down the value of copyright works), digital platform providers have criticised the potential burden being placed on them by the new measures.

For example, for hosts and providers of digital content, there is a fear that the proposals in the Directive will require them to police content by requiring them “to take appropriate and proportionate measures to prevent the availability on their services of works” not covered by agreements with rightholders (Article 13 of the Directive). This introduces a technical burden on platforms to implement systems and procedures to prevent access to content that is not appropriately licensed. This is an obligation that will no doubt require clarification by the European Court in due course.

Similarly, proponents of open and unrestricted access to content have expressed concern that the publishers’ ancillary right will lead to pay walls and diminished access to information.

What’s next for the Directive?

This article is based on a leaked draft of the Directive and relative Communication. The draft Directive will be officially announced later this month and will then need to go through the European Parliament and be subject to agreement by Member States. Ultimately the end product will inevitably contain variations on some of the above ingredients.

The changes proposed by the Directive will have an impact on any business operating in and offering services to the EU. Brexit will mean that the UK, if the Directive has not been implemented into national law by then, will not have the same rules in play as apply EU wide. It may decide to incorporate the same regime into local legislation anyway to help maintain a level playing field. Given the uncertainty surrounding the triggering of Article 50 by the UK at the time of writing, businesses based in the UK should keep an eye on developments and identify the potential risks and challenges posed by the Directive.


What you need to know about the now official proposals for a Digital Single Market and package of new EU Copyright reforms Number 2


Our last blog here was based on a leaked version of the proposed changes to copyright in the EU. The official press release from the European Commission has now been released and, as expected, the announcement has already produced some strong views and heated debate.

In general the proposals will not please everyone. However they can be viewed as a starting point to achieving a fair digital market and an optimum copyright system that balances fairly the rights and interests of all parties concerned. Inevitably though they will take considerable time to be finalised and passed into EU law.

We had commented in our last blog on 2 of the main proposals, being to introduce a new ‘neighbouring right’ and the obligation being placed on online platforms providing user generated content (“UGC”) to monitor and proactively report unlicensed/infringing content. These proposals were intended to fill the so-called ‘value gap’.

The new and official version of the draft proposal at recitals 38 and 39 and Article 13 suggests the approach preferred will place still more onerous obligations on digital content providers (such as Google, YouTube etc).

These new proposals will require digital content providers, if they give access to large amounts of copyright protected work, to take measures to protect these by use of technology (presumably by filtering to check if content is copyright infringing), even when they are eligible for the hosting liability exception under Article 14 of Directive 2000/31/EC of the European Parliament. It is not immediately clear what “large amounts” may mean. Is it meant to apply only to the larger UGC platforms, who may by definition have more materials uploaded to them? In any event there are no parameters included. Digital content providers must also provide the rightholders with adequate information on how those measures have been working/functioning, as well as, when relevant, adequate reporting on the recognition and use of the works concerned.

In contrast, Article 15 of the existing Directive 2000/31/EC provides that there is no general obligation on ISPs to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity. This seems inconsistent with or contradictory to the new revised proposal. Whilst YouTube already has its Content ID technology, which assists it to identify infringing content, it was expensive to develop and no doubt is expensive to maintain and keep up to date to deal with attempts to get around it. Less well-resourced or potential new entrants to this sector may be inhibited or even prevented from participating as a result of such new requirements.

In addition the new ‘neighbouring right’ for publishers of news content will apply to ‘press publications’ as opposed to ‘news publications’, the words used in the original leaked draft. It may be that the new wording is intended as a broader definition.

In any event these proposals are bound to create controversy, and strong views are already being canvassed by parties with interests on respective sides of the debate: the rights holders such as the publishers will generally be in favour, and the news aggregators/search engines such as Google News will be against these as being costly to them. Indeed there are some suggestions that it will not be welcomed by all publishers either, as the smaller ones benefit from or even rely on the news aggregators/Google, whose publishing of news snippets and links drives traffic to their sites and content which they would not otherwise receive. If therefore the likes of Google News simply decide it is too costly for them to pay licence fees to publish the news material, they may choose to stop doing it in the EU, which will of course not necessarily be good for those smaller publishers or the general public.

The final outcome will clearly be important and will affect the developing role of the likes of YouTube and search engines such as Google: can they remain mere hosts or will they be forced to become the effective police of the internet? Interestingly, Facebook recently lost out on an attempt to strike out an Irish court case against it for damages for misuse of private information, negligence and breach of the Data Protection Act for failure to block re-publication of a compromising photograph of a young girl by using a tracking process to identify the image. The offending photograph was said to have been posted on a so-called shame page on Facebook several times between November 2014 and January 2016. Whilst not dependent on copyright infringement, this decision effectively rejected the defence ‘we did not know’ in circumstances where it is feasible to implement techniques to trace infringing/offensive material on the web. The irony may be that the more ISPs and internet platforms are required to and do monitor and track uploaded content, the more they will be potentially liable as effectively being regarded as publishers.

Useful links to the Commission’s Communication and to the various draft Directives and Regulations:

https://ec.europa.eu/digital-single-market/en/news/promoting-fair-efficient-and-competitive-european-copyright-based-economy-digital-single-market

https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-laying-down-rules-exercise-copyright-and-related-rights-applicable-certain

https://ec.europa.eu/digital-single-market/en/news/proposal-directive-european-parliament-and-council-copyright-digital-single-market

https://ec.europa.eu/digital-single-market/en/news/proposed-regulation-cross-border-exchange-between-union-and-third-countries-accessible-format

https://ec.europa.eu/digital-single-market/en/news/proposal-directive-permitted-uses-works-and-other-subject-matter-protected-copyright-and


Forfar Bridies and intellectual property


Two local Forfar bakers have come together as the Forfar Bridie Producer Association to apply for a protected geographical indication (PGI) for the name “Forfar Bridie”. If they are successful these EU rights will mean that anyone producing bridies who is not based in Forfar or its locality would be prevented from calling their bridies “Forfar Bridies”.

What are PGIs?

PGIs can cover agricultural products and foodstuffs which are produced, processed and prepared in a given geographical area using recognised know-how.

PGIs are a great weapon in what is now a globalised marketplace to protect internationally, as well as locally, well known product types which are unique at a local level, for example ‘Chablis’, ‘Queso Manchego’ or ‘Prosciutto di Parma’. Scottish PGIs include Scotch whisky, Arbroath Smokies, Stornoway black pudding and Scottish Salmon (Scotland’s largest food export). These famous products can often be susceptible to being emulated and suffer from being copied and passed off by 3rd parties.

Can Forfar Bridies succeed in its application to join this exclusive club?

It seems that there may be some opposition from other parties who have apparently been making bridies outside of Forfar and calling them by the name Forfar Bridies for a number of years, and who each have a different recipe. If this is so, these factors could be a potential hurdle in the way of the applicants. This is because the name and product may already have become generic. The EU guidance makes it clear that to gain protection as a PGI the product cannot be a generic one, and must have characteristics distinguishing it from others. Also the link with the geographical area is essential, and the applicant must demonstrate in what way the product’s characteristics are due to the geographical area and what the natural, human and other elements are which give the product its uniqueness. The outcome remains to be seen but it will be interesting to see how matters develop. Indeed the value of this application could be called into question depending on what happens with Brexit and its fallout.

PGIs and other similar EU schemes protect the names and quality of agricultural products and food and drink. They are EU dependent rights and largely affect products in the food and drink industry. As this is a huge and rapidly growing sector for the Scottish economy, it is an interesting area, particularly now and for Scotland.

The recently published stats in the Bank of Scotland 5th Annual Food and Drink Report indicate that it is the largest manufacturing sector in Scotland, employing 34000 people and providing 19% of manufacturing jobs. It is targeting £16.5 bn in revenue by 2017 and also the creation of 1400 new roles.

As such, PGIs and their like are of huge potential value to the Scottish economy, and at the moment there’s no national UK law that protects products in this way.

Brexit and PGIs

Following Brexit, however, unless the UK brings in specific reciprocal protection then it’s possible that the existing PGI type rights would just fall by the wayside and the iconic products concerned would no longer be able to rely on them. It is envisaged that something will be done about that and new legislation enacted. However, post Brexit, PGIs will no longer cover the UK and so home grown and UK based copy cats could well emerge claiming their product is one and the same as a PGI product. This would include Forfar Bridies of course if the application is granted. Again it will be important for the UK Government to sort this out as otherwise the quality of the hard earned reputations of such products could be severely undermined.


Take notice of notice clauses


Most IT contracts contain a formal notice clause. Usually found at the end of a contract, this clause will generally stipulate who the supplier and customer should address notices under the contract to, where they should be sent, and the possible methods of delivery, among other things.

The recent decision in Hoe International Limited v Martha Andersen and Sir James Aykroyd, a Scottish Court of Session case, illustrates the importance of strictly complying with such clauses.

Background

Hoe International Limited (the Buyer) purchased all the shares of a company from Martha Andersen and Sir James Aykroyd (the Sellers) in September 2012.

The share purchase agreement contained a notice clause. It specified that any notices required to be sent to the Sellers’ solicitors: 1) by personal delivery, pre-paid first class post or recorded delivery; 2) marked for the attention of a specific person; and 3) to a specific address. Service by email was specifically excluded.

After the sale, the Buyer received a letter of claim from a third party against the company which the Buyer considered amounted to a breach of a warranty the Sellers had provided at the time of sale. Notice of a warranty claim required to be given before an action could be raised.

The Buyer’s solicitors sent a notice of the warranty claim to the Sellers’ solicitors by way of letter sent by DX (courier service) and email. The letter enclosed a copy of the letter of claim received.

The Buyer subsequently raised an action against the Sellers for breach of warranty. Among other defences, the Sellers argued that the notice was invalid because it did not contain sufficient information and was not sent in accordance with the notice clause in the share purchase agreement. Lord Woolman dealt with these arguments separately.

Did the notice contain the required information?

Lord Woolman held that the notice provided all details known to the Buyer at that stage, and a reasonable recipient would have known that a claim was being made and what the claim was about, because a copy of the third party’s letter was enclosed. Therefore that argument of the Sellers failed.

Was the notice served correctly?

The Sellers also argued that the notice was not served correctly because: 1) it was sent by DX and email; 2) it was not marked for the attention of the individual set out in the notice clause; and 3) the envelope did not give the full postal address of the Sellers’ solicitors.

The Buyer’s position was that a sensible commercial person would consider that service by DX was sufficient. The method of sending was immaterial, as the result would be the same, being that the letter would still have reached the Sellers’ solicitors.

However, Lord Woolman concluded that the notice clause specified exactly what constituted a valid notice, and that the parties did not intend to allow deviation from that. Therefore, he found that the Buyer had not served a valid notice.

Points to remember

Although this case concerned a notice sent under a share purchase agreement, the same principles would apply to a notice served pursuant to an IT contract.

The decision illustrates that the consequences of not sending a notice in the correct way are significant. Here, the Buyer lost their right to pursue their warranty claim against the Sellers (although the decision is being appealed).

Whether you are a customer or a supplier, it is equally important to send valid notices under an IT contract. For example, if a customer sent an invalid notice when seeking to terminate an IT contract with a supplier, that could lead to the contract continuing at the customer’s cost. Additionally, if a supplier issued a defective Excusing Cause notice under the contract, that would mean that it lost the protection afforded by those provisions.

Therefore it is vital that all parties to IT contracts thoroughly review notice provisions, and take legal advice, before serving any notices under the contract. We would recommend following the notice provisions to the letter to avoid any possible arguments that the notice has not been validly sent.

 


Exploiting The Intellectual Property in Your Real Estate Assets?


Buildings and property developments increasingly have unique personalities and commonly are given a quirky name or title as part of their address. They can also have distinct and instantaneously recognisable design features. Some even become iconic, such as the Gherkin and the Shard in London. Nicknames are also common.

This means that they can be viewed by 3rd parties as desirable images to be associated with when marketing a different product or service. If attempts to make such associations are left uncontrolled they can cause confusion and potentially damage what might be a prestigious and even iconic image, for example if the goods and services which are linked to the building name or image are of poor quality. It can therefore be important right at the start to capture and protect the intellectual property which exists in and around the real estate concerned.

If this is done effectively not only will it prevent such damage but it can also allow exploitation of these intangible assets and secure additional revenue by way of licensing fees. This means too that the portfolio value of the property will be enhanced by the value of the IP concerned.

There are a variety of IP vehicles which can be used to achieve these goals. However each building or development will differ in relation to the type of protection it can obtain or rely on to do this. Here are some of the main considerations that any property owner should consider in planning to protect and exploit its IP.

Trade marks

The name or nickname of the building, or indeed associated brand logos, can often be protected by a trade mark registration. The Eiffel Tower, Arc de Triomphe, Trump Towers, Canary Wharf, the Hydro, the Gherkin and the Shard are only a few examples.

Such protection should be considered even when deciding to come up with a catchy name in the first place. Not only could there be pre-existing trade mark rights that could present difficulties in breaching 3rd party IPRs, but there could be problems in obtaining a registration if the name chosen is not, for example, sufficiently distinctive to qualify for protection. Registered trade marks will also tend to be more attractive to 3rd party investors/purchasers of the property concerned.

The shape of a building could also potentially be trademarked but this is still a relatively new area and the hurdles can be high.

Copyright in the plans for the building(s) and in the buildings themselves?

There will be copyright arising automatically but it will be with the architect unless they have assigned it on to the owner or are an employee of the owner. This should be thought about at the start and assignation obtained if possible to secure the copyright, which will last for the life of the architect plus 70 years.

Design Right

Registered and unregistered design rights can also be an option for particular features. This is a complex area, however, and the building design would need to be novel and have individual character to qualify for registered design.

Buildings and IPRs?

The value that there can be in the IP in the various features of a building or development, whether commercial or residential, is becoming more important, and thought should be given to this by all property developers, owners and investors from the outset of their planning. Not only can it add to the value of the real estate but merchandising rights can be very valuable. Such IP can thus be effectively exploited financially by way of licensing out the IP in a controlled way in relation to 3rd party products and services.

Why not think ahead and secure the IP and protect and gain maximum financial reward for the investment made?


Get your Wifi network password protected or face legal action?


A recent European Court of Justice (ECJ) ruling highlights national courts’ powers to enforce password protection on Wi-Fi networks and clarifies the instances where providers of free, unprotected wireless networks/access points can avoid liability for intellectual property (copyright in particular) infringement carried out by third parties on such networks.

Liability for Copyright Infringement over un(password)protected Wi-Fi networks

The ECJ has ruled in Tobias McFadden -v- Sony Music Entertainment Germany GmbH Case C-484/14 that national courts can impose an injunction on the provider of an unprotected wireless network forcing it to password protect the network in order to prevent copyright infringement by 3rd parties taking place on it.

In particular this decision provides answers to questions of practical significance to many businesses across the UK and Europe which provide unprotected wireless internet access as a means of attracting more customers and/or as a means to advertise goods and services or collect information about users.

Facts and Background

The ECJ’s ruling was based on a referral from the Munich Regional court in a case concerning a business selling lighting and sound systems owned by Mr Tobias McFadden. Mr McFadden offered an unprotected wireless network that gave passers-by free and anonymous access to the internet. He did this mainly to drive traffic to his site, attract nearby customers on to it and draw attention to his business.

In September 2010, an anonymous user uploaded a musical work produced by Sony Music Entertainment Germany GmbH (“Sony”) to the internet using Mr McFadden’s network. Sony notified Mr McFadden that its copyright in the work had been infringed. In response Mr McFadden applied to the German court to obtain a declaration that he was not liable for the infringement. Sony counterclaimed seeking damages in respect of Mr McFadden’s direct liability for the infringement of its rights in the musical work, an injunction and its costs.

Judgement was found against Mr McFadden at first instance, and on appeal he argued that he was not liable for direct infringement of Sony’s rights in the musical work. The German appeal court considered finding Mr McFadden liable for indirect infringement of Sony’s rights, but before doing so sought to clarify via the ECJ whether it was entitled to do so or if Mr McFadden was protected from such a finding of liability for the infringement based on provisions of Directive 2000/31/EC (“the E-Commerce Directive”). The ECJ considered a number of questions referred by the German Court.

Article 12 of the E-Commerce Directive provides for what is known as the ‘mere conduit’ defence. In essence, where a service provider does not initiate the transmission of data, does not select the receiver of the transmission and in no way modifies the information contained in a transmission, they will not be found liable for the information transmitted. They are merely acting as a conduit for the flow of information.

In this case, the Munich court asked the ECJ to consider if making an unprotected wireless network available to the general public free of charge fell within the scope of the Article 12 defence.

The ECJ concluded that in order for the ‘mere conduit’ defence to apply, services had to be provided for remuneration. The court made clear that remuneration for a service does not require the service to be paid for by those for whom it is performed. The Court went on to state at paragraph 42 that a service was provided for remuneration even “where the performance of a service free of charge is provided by a service provider for the purpose of advertising the goods sold and services provided by that service provider, since the cost of that activity is incorporated into the price of those goods and services.”

As such, where access to a wireless network is provided free of charge for the purpose of advertising the goods and services sold by the provider of the network, this would be considered an information service and so would fall within the scope of Article 12 of the Directive. The ‘mere conduit’ defence applied here.

Given that Article 12 of the E-Commerce Directive was found to apply in this case, the Court went on to state that the provider of a free, unprotected wireless network could not be held liable for infringements carried out on the network. This meant that an IP rights holder (such as Sony here) could not seek damages or make a claim in respect of liability against the network provider for infringement carried out by third parties using the network. Of course the rights holder could try to find the infringer and sue them directly, which is not always easy to do. However the question here was whether the network provider could be found liable. As a consequence, Sony was not entitled to claim its costs from Mr McFadden as Article 12 of the E-Commerce Directive prevented a finding of liability.

Thus the good news for rights holders is that the ECJ ruled that Article 12 of the E-Commerce Directive, if applicable, would mean the national courts could not claim financial compensation/damages from the provider of an unprotected network or force it to prevent infringement of copyright on that network.

However the ECJ did go on to consider three options for a network provider to prevent infringement on its network. These were: (1) monitoring of all traffic; (2) termination of the connection; and (3) password protection. The first option was immediately disregarded by the Court as this would be contrary to Article 15 of the E-Commerce Directive, which excludes the imposition of a general obligation on network providers to monitor data. Also, termination of the network provider’s connection was considered by the Court to be disproportionate to the aim of preventing infringement. The Court concluded that the only proportionate injunctive relief that a right holder could seek would be to require that the network be password-protected and the password only given to individuals who reveal their identity and may therefore no longer act anonymously.

What is the practical consequence of the decision?

The ECJ’s decision has provided clarity for the thousands of businesses across Europe that provide free access to unprotected wireless networks. The decision clarifies what rights holders can do when they suspect infringements are taking place on an unprotected wireless network and the issues to consider before raising an action for infringement.

Here are some key take-aways:

  • If you are offering a free, unprotected wireless network, make clear that use of and access to the network is for the purposes of advertising the goods and services you supply. Think about having a landing page when a user signs into your network advertising offers/goods and services and include suitable provisions in your terms of service (which users should agree to before access to the network is granted).
  • Rights holders should be wary of raising proceedings for infringement/damages against the provider of an unprotected, free wireless network in instances where the network provider might seek to rely on the ‘mere conduit’ defence in the E-Commerce Directive.
  • Where a rights holder has evidence to suggest a specific unprotected wireless access point is being used to infringe its rights, it can apply to the court for an injunction to require the network provider to password-protect the network. We would however question how cost-effective and commercially beneficial it may be for rights holders to apply for an injunction (or interdict in Scotland) to require a network provider to password-protect their network. The risk is there, however, but the likelihood is that prior notice would be given by a rights holder of its intention to apply for an injunction/interdict before it proceeded. They may choose to do this when instances of 3rd party copyright infringement are frequent on the network concerned. Should such notice be received, the network provider should take it seriously and consider whether the business upside of continuing password free is worth the risk of court action and the potential liability for the legal costs of the rights holder that might ensue.

The post Get your Wifi network password protected or face legal action? appeared first on blogs.

A Potent Trade Mark Brew of Alcohol and Music………

Trade marks and the ELVIS wars – pick your fights carefully?

Who would have thought we would see a Scottish based brewery taking on the might of the Elvis Presley Estate in a trade mark dispute? Well expect the unexpected in the world of trade marks.

Founders of the popular BrewDog brand have apparently been advised by the owners of the Elvis Presley Estate that they are not entitled to use the term ‘Elvis Juice’ for their product – blood and orange infused IPA. BrewDog has applied for registered trade marks for ‘Elvis Juice’ and ‘Brewdog Elvis Juice’ and the Estate has also opposed these. Rather than back down and withdraw the applications and/or stop use of the term, BrewDog’s founders have reacted in an unusual way.

They have apparently changed their personal names to Elvis Watt and Elvis Dickie respectively. Their website has announced this https://www.brewdog.com/lowdown/blog/hello-my-name-is-elvis and suggests that they “could even lodge a counter-complaint aimed at Mr Presley himself for all the records he put out without Elvis Watt and Elvis Dickie’s permission! And if that doesn’t keep them busy enough, we would like to recommend that they divert their attention to another potential source of quick remuneration: a brewery that calls itself ‘The King’ of beers.”

Of course these name changes will not give them a defence to any claim for trade mark infringement which might be made. Although there is an own name defence it only applies if it is in accordance with “honest practices”.

Here, where the changes of name have happened after receipt of the notice, the Estate would no doubt argue that they should not be viewed as meeting those requirements. In any event these are the names of the individuals only and not the company name, which still contains the name BrewDog. As it is the entity that is trading using the names in dispute then it is what it is called that matters.

Of course, these are not likely to be intended as a serious challenge to the Estate’s threats. Rather it is more likely that BrewDog is underlining its belief that the intellectual property rights in this case are being pushed too far. It may well also be deliberately endeavouring to harness the considerable power of public opinion in this situation.

Clearly though there are two sides to every story. The Estate will own a large number of trade marks for and including the word ‘ELVIS’ and will want to ensure the name does not become generic such that the trade mark rights could be lost – along with the considerable royalty revenues that it can no doubt command on merchandising. Unauthorised use of the name as a trade mark by a third party for goods or services for which the mark is registered (or similar to those where there is likely to be confusion) will infringe those rights. Furthermore, the Estate’s marks are likely to have acquired the enhanced status of marks with a reputation. This means the monopoly that these marks can command goes further than that of ordinary marks and can even include use for dissimilar goods and services, and need not result in likelihood of confusion. For example, taking undue advantage of the mark’s repute or causing detriment to it can be enough. Thus in this case there are at least some legal arguments that could be made in support of a claim of infringement. Passing off is also another possible angle.

However, these legal niceties may prove to be irrelevant in the face of the tsunami of public opinion that can now be readily voiced via the internet in social media and otherwise. BrewDog’s fanbase could end up taking on the Elvis supporters in that public arena, and how such an exchange plays out may well be a factor taken account of by the Estate in deciding its next best steps. It will likely want to avoid or mitigate bad publicity if that is viewed to be the most likely result of sticking to its guns here.

This case illustrates how these days the law of brands and trade marks can become largely irrelevant to how it is applied and enforced in practice. Whether we like it or not, it is being influenced more and more by public opinion. Could this be a way to rebalance the odds in the often reported ‘David and Goliath’ type battles and give the ‘underdogs’ a fairer crack of the whip, or should it be viewed as an illegitimate way to skew the application of law in their favour?

A Puzzling Decision? Rubik cube shape trade mark held invalid

The European Court of Justice (‘ECJ’) has decided that the Rubik Cube shape cannot be a valid registered trade mark.

The shape of this well-known best seller puzzle toy had been registered as an EU trade mark from as long ago as 1999. The registration was challenged by a third party toy manufacturer competitor in 2006.

This latest and final decision was the last in a series of battles fought since then through the European system for registration of marks. Indeed, it overturned a previous decision of the EU General Court which had dismissed the 3rd party challenge.

Registered trade marks have been available for the 3D shape of products for some time now but have proved notoriously difficult to obtain and maintain, as recently demonstrated by the Kit Kat decision of the High Court last January where Nestle was held unable to trade mark the shape of its four fingered chocolate bar.

These difficulties are because registered trade marks cannot be granted over a shape which is necessary for the relevant goods to be able to perform a technical function. Thus they cannot be used to stop 3rd parties using a technical solution (not otherwise protected) which necessarily incorporates a particular shape. Otherwise a shape trade mark monopoly could block use of such technical solutions.

Trade marks are intended to act as an aesthetic sign/guarantee as to origin and provenance of goods or services. They are not meant to cover functional aspects of products. There are other forms of IP which can do that such as, most obviously, patents. One other key difference between patents and trade marks is that patents can only last generally a maximum of 20 years whereas trade marks can be renewed forever. Thus without these restrictions on their grant, trade marks could provide an eternal monopoly over a technical solution which could not be justified in terms of public policy.

The technical function here under debate was the rotating capability of the cube. The trade mark, as registered, covered 3D puzzles and not just those restricted to ones with such a rotating capability.

The ECJ seems to be saying that the trade mark should have been limited to covering puzzles not just of that shape but including that rotating function. The rationale was that if it was not, this would mean that the owners of the mark would have an unfair monopoly over all cube shaped 3D puzzle games. In making its assessment, the ECJ looked beyond the actual graphic representation of the registered trade mark, i.e. the cube, into its “invisible technical qualities”.

In so doing, the court effectively reverse engineered the graphical sign and looked into the functional features of it which were not depicted in the trade mark registration itself. The ECJ essentially decided that even if the graphical representation of a trade mark does not specifically show a technical function, it is nonetheless entitled to take the reality of how that mark might function in use as a shape into account.

This decision does not mean that the Rubik cube has no IP protection left and it will no doubt have other IP rights such as trade marks in the name itself and goodwill in the name, design and packaging. It does however mean that other third parties are now able to manufacture and sell such a puzzle of this shape although they cannot call it a Rubik Cube or copy its appearance and get up. It thus opens up the possibility of emulating the same cubic shape for puzzles.

No doubt other players in the toy and game industry will be looking at their 3D trade mark registrations in light of this case to verify just how robust or not those registrations might be in the event of third party challenge.

Perhaps some will view this as a puzzling decision. It may well make invalidity and opposition challenges more complicated in future as extrinsic evidence of use/invisible features of the registered sign may come into the equation. However, it is really not surprising given previous approaches of the courts and the wish to ensure that IP rights do not unfairly inhibit 3rd parties’ use.

This was a final decision in this case and businesses will need to bear it in mind in terms of shaping applications and validity of their existing registrations.

GDPR: First European Guidance Emerges

The first set of guidance on specific aspects of the new General Data Protection Regulation has been adopted by the Article 29 Working Party, the group that represents the data protection authorities of all EU member states.

The Working Party has just adopted guidance on:

  • Data Protection Officers
  • The right to ‘data portability’
  • The rules for identifying which data protection authority should be the ‘lead’ authority for controllers and processors operating in more than one member state

The guidance can be accessed at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.

We expect that this guidance will be used by the UK ICO as the basis for the corresponding guidance that it has promised to publish by the end of the year.

This guidance is the first real attempt by regulators to start putting flesh on the bones of the GDPR and how it will be applied in practice so it is significant not only for what it says on these issues but also in terms of giving a feel as to how regulators are approaching GDPR regulation generally.

For the public sector, the Data Protection Officer guidance is particularly interesting because, having noted that GDPR does not define the concept of a ‘public authority’, the Working Party concludes that what is/is not a public authority for these purposes will be a matter for member states and national law.

In UK terms, it is not absolutely clear what that means but it could mean that any organisation which is currently caught by the likes of the freedom of information or public procurement regimes will fall to be treated as a public authority for GDPR.

In consequence, not only will it be mandatory to appoint a data protection officer but also other GDPR provisions specific to public authorities will also apply – notably the exclusion of the right to rely on the ‘legitimate interests’ condition for processing.

We will publish further guidance in due course but to discuss how GDPR will affect your organisation and how we can help, please contact Grant Campbell or Christine O’Neill.

Commission proposes new ePrivacy rules

Last week the European Commission published proposals for replacing the current ePrivacy Directive. Reforming ePrivacy laws is the final piece of the jigsaw for data protection law reform, following last year’s adoption of the General Data Protection Regulation (GDPR).

Why is the Commission proposing reforms?

The GDPR introduces substantial reforms to EU data protection law, including stricter rules on things like consent and enforcement powers. However, rules on ePrivacy (including electronic marketing and the tracking of online activities) are currently governed by a separate piece of legislation, the ePrivacy Directive. The new Regulation is intended to ensure consistency across data privacy laws by adopting many of the principles in the GDPR.

In addition, the Commission acknowledges frustrations with the current rules on website cookies.

What is being proposed under the ePrivacy Regulation?

Firstly, the new laws will take the form of a Regulation, rather than a Directive. This means, as with the GDPR, that they will apply automatically in each member state, avoiding the need for local implementing legislation (and the potential for inconsistent implementation). For more on what Brexit might mean for this, see our post on Data Protection and Brexit.

The draft ePrivacy Regulation includes a number of reforms:

  • Extension of reach to cover anyone providing services to citizens in the EU (mirroring the GDPR)
  • Extension of rules on electronic communication providers to new “over the top” service providers of electronic communications such as WhatsApp, Facebook Messenger and Skype, but potentially covering any service facilitating electronic messaging (for example dating apps and ecommerce websites).
  • The extension of rules to data created by Internet of Things devices
  • Clarification on the use of meta data created other than in relation to electronic communications services
  • Simplified rules on cookies and other technologies capable of tracking users’ behaviour. These include the removal of the need for consent for cookies used for “web audience measuring” (analytics?) or “non-privacy intrusive cookies improving internet experience”. The Commission gives the example of a cookie to remember a shopping cart history. The Regulation will also enable users to use browser settings to control cookies.
  • A requirement for consent (opt-in) for any electronic marketing, though the soft opt-in right under the current ePrivacy Directive to market similar services to existing customers will remain.
  • A requirement for marketing calls to display a caller ID or use a special prefix that indicates that the call is a marketing call.

When will the ePrivacy Regulation come into force?

At this stage, the ePrivacy Regulation is simply a proposal from the European Commission and requires approval from the European Parliament and the Council before it can be adopted. For GDPR, that took the best part of four years. The Commission’s plans for the ePrivacy Regulation are more ambitious. It is calling upon the Parliament and the Council to “work swiftly” to ensure that the ePrivacy Regulation is adopted by 25 May 2018 – the day on which the GDPR comes into force.

Whether this is achievable remains to be seen (though it is worth noting that the ePrivacy Regulation is somewhat shorter than the GDPR).

You can find more on EU data protection law reform on our GDPR hub.

Next steps

The ePrivacy Regulation doesn’t just apply to tech companies. It will affect all organisations that operate online or carry out electronic marketing – whether by phone, email/SMS or through other electronic means. If you would like to discuss how the ePrivacy Regulation might affect your organisation, please get in touch.

Bill to reform third party rights under Scottish contract law

Following a recent consultation by the Scottish Law Commission (SLC), the Scottish Government today introduced a bill to the Scottish Parliament to reform the laws on third party rights under Scottish contract law.

Why is the law being reformed?

Third party rights under Scottish contract law have been around for a long time. They pre-date third party rights under English law and are so old that the doctrine has a Latin name (jus quaesitum tertio (JQT))!

However, JQT is not without its faults. In particular, JQT is quite inflexible as it is difficult to amend or terminate a third party right once it has been created.

The position under English law (set out in the Contracts (Rights of Third Parties) Act 1999) is much more flexible. That’s attractive to large corporate groups, who might want to enter into one contract for the benefit of the whole group (e.g. an outsourcing contract or a software licence) that can then be used and enforced by group companies and ensure that group losses are properly recoverable.

This is one reason that such entities sometimes choose to contract under English law rather than Scots law, even when both parties are located in Scotland.

As part of its contract law modernisation programme, the Scottish Law Commission looked at areas of Scottish contract law that could be improved. The SLC’s consultation and recommendations led to today’s bill.

What does the bill say?

The bill will bring Scottish contract law on third party rights into line with English law, adopting a similar (familiar?) approach.

In particular:

  • JQT will be abolished
  • parties will be able to create third party rights in favour of specific third parties or groups of third parties (e.g. all subsidiaries from time to time in a company group)
  • those rights will be the same rights that would have applied had the third party been a direct party to the contract
  • the parties to the contract will be able to modify and extinguish those third party rights

The new bill is to be welcomed and as with recent reforms on execution in counterparts and electronic execution will help to ensure that Scots law remains commercially attractive.

Preparing for the new law

As with contracts under English law, it will be important to ensure that third party rights are not unwittingly created and (from a service provider perspective) that appropriate controls are included on conducting group claims. This will require new clauses to be included in Scots law contracts.

Organisations will also want to review their existing contracts to check that they work properly under the new law, and allow them to take advantage of the new law.

If you would like to discuss how the new law will work, or would like to review your contracts and draft appropriate third party rights clauses please get in touch.

Data protection and Brexit – an update

There have been a couple of developments this week which may help shed some light on the approach that the Government plans to take in relation to data protection law in the UK following Brexit, and how this will impact on the General Data Protection Regulation (GDPR), which comes into force in May 2018.

Providing equivalence to the GDPR

Yesterday, the Government published its white paper on Brexit. Sections 8.38 to 8.40 deal with data protection, but do not reveal much other than the Government’s intention to “seek to maintain the stability of data transfer between EU member states and the UK.”

The white paper notes that:

[t]he European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely

The Government would presumably seek to achieve this through a finding of adequacy by the Commission in respect of the UK data protection regime.

In terms of future UK data protection law itself, the white paper goes on to say that the Great Repeal Bill will preserve “all EU laws which are directly applicable in the UK (such as EU regulations)”. That would include the GDPR, which will come into force prior to Brexit occurring.

The Government’s position in the white paper was trailed earlier in the week when Matt Hancock MP, Minister of State for Digital and Culture, Department for Culture, Media and Sport, appeared before the EU Home Affairs Sub Committee. The Minister said that legislation to mirror the GDPR will be brought forward in the next parliamentary session.

However, even if the GDPR is mirrored into UK domestic law, a finding of adequacy may not be automatic.

In particular, UK legislation such as the Investigatory Powers Act is likely to be subject to close scrutiny. The point here is that whilst the challenge to the IP Act’s predecessor (the Data Retention and Regulatory Powers Act) did not inhibit the free movement of data between the UK and other parts of the EEA, post-Brexit such transfers will be dependent upon a finding of adequacy in respect of the UK. In determining whether or not to make that finding, the European Commission will look at the broader regulatory regime dealing with access to and use of personal data (including surveillance powers).

This is not a hypothetical observation – the ruling declaring the EU/US Safe Harbor scheme unlawful centred on the surveillance powers of US law enforcement agencies, and led to several months of chaos and uncertainty caused by the sudden removal of the legal basis for thousands of EU/US data transfers.

Harmonised interpretation?

The white paper goes on to say that “the preserved law should continue to be interpreted in the same way as it is at the moment”.

How this will work in practice is unclear. The GDPR will delegate certain acts to the European Commission and will be supplemented by guidance from the European Data Protection Board (EDPB) (the successor to the current Article 29 Working Party).

The Information Commissioner’s Office has already acknowledged that upon Brexit the ICO will cease to be a member of the EDPB, and therefore the ICO will cease to have formal influence over the development of that guidance.

Will the UK simply adopt the Commission’s delegated acts and EDPB guidance or will it develop its own guidance?

If the latter then the desire for friction-free data transfers may be frustrated as data controllers juggle differing rules and guidance in the UK compared to that which applies in the rest of the EEA.

It is also unclear whether and how the UK might continue to benefit from the international data transfer arrangements that the EU has in place with countries outside the EEA (for example, the Privacy Shield arrangement with the USA). Would the UK have to put in place its own Privacy Shield style arrangement, or can it piggyback on the existing arrangements?

Data controllers will welcome early answers on all of these questions. Meantime, they should continue to prepare for the GDPR coming into force in May 2018. To find out how we can assist, access our GDPR Hub or get in touch.

When neighbours fall out: court awards damages for misuse of CCTV

Last week a Scottish court issued a judgment in a case where damages were sought for breaches of the Data Protection Act 1998 (DPA) in relation to domestic CCTV and surveillance equipment. Whilst, as a sheriff court decision, the court’s judgment is not binding on other courts, the case does consider a number of interesting issues.

Background

Woolley & Woolley v Akbar or Akram (Woolley) centred on two neighbours who each owned properties in a semi-detached house in Edinburgh, one above the other.

After their relationship broke down in 2013, both neighbours installed surveillance equipment.

Unlike the pursuers, whose CCTV equipment covered only their own property, the defender’s surveillance equipment had been positioned to cover the pursuers’ garden and entrance to their property.

The defender also installed audio recording boxes which were able to pick up conversations in the pursuers’ garden and (it was feared) inside the pursuers’ property itself.

The justification given by the defender was that the equipment was installed to capture any altercations between the parties.

After three (unsuccessful) attempts by the pursuers to limit the extent of the defender’s surveillance and to obtain copies of the personal information processed by the defender, the matter, along with other disputes, came before the courts.

Decision

The Sheriff held that the defender had been a data controller for the purposes of the DPA since installation of the equipment in 2013, despite only registering as such in 2015.

In terms of the duty owed to data subjects (including the pursuers), the Sheriff held that the defender had committed multiple breaches of the DPA, which can be broadly summarised as follows:

  • the processing was not fair or lawful (a breach of the first data protection principle);
  • the surveillance was ‘extravagant, highly intrusive and not limited in any way’ and no adequate justification had been given (a breach of the third data protection principle); and
  • the data collected was kept for longer than was necessary (a breach of the fifth data protection principle).

The pursuers were awarded approximately £17,000 in compensation.

The domestic purposes exemption

The case is the latest to consider the application of the EU data protection laws to the activities of private individuals and the exemption in relation to processing for purely personal or household activity (the “domestic purposes exemption”).

In 2014, the European Court of Justice (ECJ) gave a significant ruling in the Rynes case, which confirmed that an individual would not be able to rely on the domestic purposes exemption where the surveillance also monitors a ‘public space’. This applies regardless of the party’s intentions, and prompted the Information Commissioner’s Office (ICO) to update its code of practice for surveillance.

Whilst surveillance that also monitors a public space does not fall within the domestic purposes exemption, the ECJ noted that this did not automatically mean such processing would be a breach of data protection law, if it could be justified.

Interestingly there was no reference in Woolley to the ECJ’s ruling in Rynes, but it does highlight the risks of individuals using surveillance equipment for personal reasons. It also provides some guidance on the meaning of a ‘public space’, which in this case was interpreted to mean any space that is beyond the boundary of an individual’s own private property.

Depending on the nature of activities, many householders using CCTV may be unaware that they qualify as data controllers and fall within the scope of the DPA.

Approach to compensation

Prior to Vidal-Hall v Google Inc. (Vidal-Hall), it was understood that there was a requirement under the DPA for individuals claiming compensation to show pecuniary loss. A claim could not be awarded on the basis of distress alone. However, Vidal-Hall ruled that this approach was incompatible with the EU Directive 95/46/EC (the Directive which the DPA implements into UK law).

In the absence of clear financial loss, quantification of damages for distress can be difficult, and is a developing area.

In Woolley, the pursuers claimed (and were awarded) damages calculated on the basis of £10 per person per day that the defender operated the CCTV system in breach of the DPA. The judgment does not provide more detail on the basis of this model and it was acknowledged that no authority exists for compensation in such circumstances. Indeed, there are indications (a reference to the calculation being a “moderate” basis of claim) that the court may have been minded to award higher damages if they had been sought.

Comment

In this case, it appears that the defender did not make any real attempt to justify its actions under the DPA and the ICO’s code of practice for surveillance cameras. In the absence of such representations and such extensive use of surveillance, it was difficult for the court to reach any different conclusion in relation to the alleged breaches of the DPA. For that reason, the court’s specific findings on the breaches of the first, third and fifth data protection principles may be of limited relevance.

However, the case does provide a helpful reminder of the issues to be borne in mind when using surveillance equipment (whether domestic or otherwise) and the importance of ensuring that the use of surveillance equipment is justified and proportionate and complies with the ICO’s guidance.

The court’s approach to quantifying damages for distress is also notable, adopting a per day approach to calculating a monetary amount. It will be interesting to see if this approach is adopted in future cases as the Vidal-Hall principle develops.

You can read a longer version of this blog post on the Society for Computers and the Law’s website.

WP29 approves Google ts and cs for international data transfers

Earlier this month, Google announced that the Article 29 Working Party (WP29) has confirmed that Google’s terms and conditions for G-Suite (Google Apps) and Google Cloud Platform are consistent with the EU Commission’s Standard Contractual Clauses (SCCs) for data transfers outside the EEA.

Google is not the first vendor to get approval for its own terms and conditions. The WP29 approved Microsoft’s terms for its cloud services back in April 2014.

Isn’t the legality of the Standard Contractual Clauses being challenged?

Yes, at least in relation to transfers of personal data to the United States (though any adverse finding will have wider consequences). A complaint has been made to the Irish Data Protection Commissioner in relation to Facebook’s use of the SCCs for transfers of personal data to the US.

The Irish DPC is currently in the Irish courts seeking to refer the question to the Court of Justice of the European Union. Even if the Irish courts do agree to refer the question to the CJEU, we are still some time away from clarity on this. Meantime, the SCCs remain a lawful basis upon which to transfer personal data outside the EEA.

Coincidentally, the review of Google’s terms and conditions was led by the Irish Data Protection Commissioner. You can read the Irish DPC’s decisions here (G-Suite/Google Apps) and here (GCP).

Isn’t Google now certified under Privacy Shield?

Yes, Google Inc is certified under the EU/US Privacy Shield scheme. Given that Privacy Shield was developed in response to the CJEU’s decision on the lawfulness of Safe Harbor, and provides certain assurances from the US Government in relation to surveillance and the ongoing challenges to the legality of the SCCs, organisations will likely prefer to rely upon Privacy Shield rather than SCCs when Google is hosting personal data in the US.

Why is Google taking a twin track approach? Looking at the dates in the correspondence between Google and the Irish DPC, it is clear that discussions have been ongoing for some time and pre-date Privacy Shield coming into effect.

Remember also that Privacy Shield applies only to transfers to the US. It would not apply to transfers to Google data centres elsewhere in the world. In contrast, the SCCs (and Google’s standard terms) are destination neutral.

What does this mean if I want to use Google’s services?

In short, it should simplify the process for EU organisations contracting with Google for cloud based services, where non-EU data centres are being used.

The WP29 is essentially saying that using Google’s standard terms falls within the scope of the derogation approved by the European Commission for transfers of personal data under the model controller to processor clauses approved by the EU Commission for international data transfers. In other words, customers using Google’s services need not enter into a standalone set of SCCs.

However, the approval of Google’s standard terms deals only with the eighth data protection principle (that personal data should not be transferred outside the EEA unless the country ensures an adequate level of protection). The WP29’s approval does not deal with the appropriateness of Google’s security measures. It remains incumbent upon organisations to review those measures and ensure that they are comfortable with them.

In particular, organisations will want to know which locations are being used to process their data. More generally, they should still consider whether they are comfortable with their data being held in data centres outside the EEA.

Google customers will also need to ensure that the appendices to the terms and conditions (setting out the nature of the data being transferred, the purposes for which it is being processed and the security measures being adopted) are properly reviewed and completed. In certain member states, the contents of those appendices may still need to be approved by the national data protection authority.

Those appendices are not just a case of filling in the blanks – they will require careful review as the data controller (ie the customer) remains responsible for the processing that Google carries out.

Nonetheless, the announcement is a welcome step towards simplifying cloud contracts. Expect to see more organisations seeking similar approvals.

The post WP29 approves Google ts and cs for international data transfers appeared first on blogs.

Consent and the GDPR – the ICO publishes draft guidance


The Information Commissioner (ICO) has published for consultation draft guidance on its interpretation of “consent” under the General Data Protection Regulation (GDPR). The consultation is open until 31 March 2017.

Consent is one of the grounds for lawfully processing personal data under the current Data Protection Act. However, it is a concept that frequently confuses people. For example, many organisations appear to ask for consent when they already have a lawful basis for processing. An individual does not need to “consent” to a fair processing notice if the notice does not set out any processing that relies upon consent. Yet the very act of asking for consent when it is not required could mislead the individual into thinking that they can prevent the processing by withdrawing the consent.

Consent can also be particularly problematic when it is arguable that the individual is not in a position to freely give consent (for example, in an employer/employee relationship).

Under the GDPR, the concept of consent is being strengthened, with a number of new rules, requiring organisations to provide more transparency.

The ICO’s draft guidance seeks to help organisations better understand the concept of consent by bringing together the extended requirements for consent under the GDPR with some practical examples of when the ICO considers that consent is or is not valid. The consultation seeks feedback on whether the guidance is clear and easy to understand and includes the right level of detail.

What’s changing under the GDPR?

The GDPR introduces a number of new requirements in relation to consent. In addition to the existing requirement that consent is freely given, specific and informed, consent must now be “unambiguous” and given “by a statement or clear affirmative action.” The GDPR also goes on to set out a number of other requirements.

Key changes include:

  • Unbundled – consent requests should be set out separately from the acceptance of other terms and conditions
  • Active opt-in – organisations must use unticked boxes or similar. Pre-ticked boxes or requirements to opt out will be invalid
  • Granular – separate consent should be sought for different types of processing
  • Named – each party relying on the consent needs to be clearly identified. The ICO’s view is that “even precisely defined categories of third party organisations” will not be sufficient
  • Documented – organisations need to keep records showing what an individual was told, what they consented to and when and how consent was given
  • Easy to withdraw – it must be as easy to withdraw consent as it is to give it. Individuals need to be told that they have the right to withdraw consent.
  • No imbalance – the GDPR states that organisations cannot rely upon consent where there is an imbalance in the relationship. Consent may be particularly difficult for public authorities and employers.

The draft guidance provides a detailed overview of the ICO’s expectations in relation to each of these points.

Do I need to “re-paper” my existing consents?

In all likelihood, yes.

The ICO’s view is that there is no express requirement for organisations to seek fresh consent from individuals upon the GDPR coming into force, provided that the organisation is comfortable that the consent it has obtained complies with the requirements of the GDPR. If it does not, then fresh consent will be required.

The biggest issue here is likely to be that many organisations simply don’t hold detailed enough records to show that they have obtained GDPR-compliant consent from individuals. Given the stronger rules introduced by the GDPR (in particular in relation to things like granularity), most organisations will need to ensure that they refresh their consents in advance of May 2018.

What about sensitive personal data?

The GDPR requires that consent for processing sensitive personal data is “explicit.” Explicit consent is also one of the gateways to carrying out automated decision making.

The ICO’s guidance attempts to explain the difference between unambiguous and explicit consent. For the latter, the ICO’s view is that explicit consent cannot be implied from a person’s actions. There must be a clear, affirmative, statement – for example, ticking a box next to a clear statement such as “I consent to…”

In contrast, the ICO’s view is that consent can be implied for non-sensitive personal data provided that there is some clear and unambiguous act (for example, leaving a business card to enter a prize draw or entering an email address above a statement saying that the email address will be used to provide details of special offers).

Is there anything else to be aware of?

Consent needs to provide individuals with a genuine choice. The ICO’s view is that consent cannot be a precondition of a service. If it is, then the individual’s consent is unlikely to be freely given. Instead, look at other grounds for processing – for example, that the processing is necessary for the performance of a contract, or it is in the organisation’s legitimate interests.

As noted above, consent is not available where there is an imbalance between the organisation and the individual, with the GDPR making specific reference to public authorities. Public authorities will also be losing the ability to rely upon the legitimate interests test, which means that they will need to think very carefully about the lawful basis for their processing.

Special rules apply in relation to consent from children to use information society services (ie websites and apps). If consent is required, then it will need to be provided by a parent or guardian if the child is under 16 (or 13, if the UK opts to apply a lower age). The ICO will be issuing further guidance on age verification and parental authorisation.

Finally, consent needs to be kept under review. It should not be viewed as a one off activity. In certain situations, it may be necessary to seek fresh consent, depending on the scope of the consent and the individual’s expectations.

Next steps

Whilst the ICO’s guidance has been published in draft form, it is unlikely to change much before it is finalised.

Organisations should therefore start looking at their existing consents and work out whether consent is the most appropriate basis for the processing, whether the consents need to be refreshed and, if so, what form the new consent takes and how the “re-papering” exercise is carried out. This will require organisations to look not just at their electronic consents, but also at their historic, paper-based consents. That is no small task.

If you would like to discuss the ICO’s draft guidance or how your organisation should prepare for the GDPR, please visit our GDPR Hub or get in touch.

The post Consent and the GDPR – the ICO publishes draft guidance appeared first on blogs.


Planning Permission – not a licence to infringe copyright in designs


Equating planning permission with a copyright licence in designs can be costly.

A recent English High Court case (Signature Realty Limited v Fortis Developments Ltd and others) has again brought attention to the vexed issues around copyright in plans approved as part of planning permission. The amount of damages is yet to be decided but there are hints in the decision that it could be significant – even as much as £360,000.

Implications

Usually a site owner/developer will instruct architects to draw up the planning designs. If planning is granted based on those and the owner then sells the site to a 3rd party, it can normally use the drawings without infringing copyright.

This is because although the architect will usually have retained the copyright in them, if they have been paid for all of their work, there will be an implied licence to use these for all purposes connected with the erection on the site of the development to which the plans relate. That implied licence is also transferable. Even if the original architect is cut out of doing the subsequent work they have no claim.

The difference here was that the new owner – Fortis – did not buy the plot from the party which owned the copyright (which became the Claimant) and had applied for the planning permission. Rather they bought from the party which owned the plot.

That party could not have any licence to the copyright or ability to transfer it. Any implied licence to the copyright here lay with the Claimant which of course did not own the land!

Whilst planning permission allows a subsequent owner of a site to build on it this does not mean that they can do this in line with any design drawings which have been relied on to obtain the permission. This is because these are subject to copyright and such use without a licence will be infringement.

This may render the planning permission more or less redundant as it will be difficult to comply with it without infringing. Also any defence of independent creation may prove difficult to establish and lack credibility given that the designs are publicly available.

Thus careful attention needs to be paid to the copyright issue as planning permission is not a licence to copy or a get out of jail free card!

Tips to avoid the Planning Permission/ Copyright Trap

  • Don’t rely on planning permission and the public availability of the underlying designs as a licence to use the latter.
  • Planning permission does not equate to a licence to copy/ use the approved plans and this may be in breach of existing copyright.
  • Drawings are generally copyright and copying/ reproduction without consent is prohibited
  • Changing the designs or using only small parts of them may not be enough to avoid infringement – all that is needed is substantial copying which is judged qualitatively as opposed to quantitatively
  • Before acquiring the land, as part of the due diligence, check who owns the copyright in the designs and secure the clear written licence/consent/assignation of the true copyright holder (as well as warranties of ownership if possible) before using the approved plans for any purpose.
  • Do not just turn a blind eye or adopt a careless attitude to copyright as to do so risks an infringement claim, liability for damages and even worse an award of additional damages for flagrancy.

The post Planning Permission – not a licence to infringe copyright in designs appeared first on blogs.

ICO identifies priorities for local authorities on GDPR compliance


The Information Commissioner (ICO) has published the results of an Information Governance survey carried out last year in relation to local government. The survey highlights some key areas that local authorities will need to address in order to prepare for the General Data Protection Regulation (GDPR).

What are the key findings?

The survey identified a number of issues:

  • A quarter of local authorities do not have a data protection officer (DPO). The GDPR requires public authorities to appoint a DPO.
  • More than 15% of local authorities do not conduct data protection training for their employees
  • A third of local authorities fail to use privacy impact assessments (PIAs). Conducting a PIA will be mandatory for certain types of processing
  • 37% of local authorities do not have a data sharing policy

Employee training on data protection

The findings in relation to staff training are particularly surprising given that the failure to carry out data protection training is a factor that the ICO will take into account when deciding whether or not to issue a Monetary Penalty Notice following a failure to comply with the Data Protection Act.

Concerningly, less than half of the local authorities that responded said that completing data protection training was a pre-condition of systems access.

Going forward, employee training will become even more important as organisations will be required to demonstrate that they are complying with the GDPR. That means being able to show that staff understand the organisation’s data protection policies and the requirements of the GDPR.

Privacy impact assessments

PIAs help organisations identify the privacy risks of a proposed project or new processing and the steps that can be taken to mitigate those risks. PIAs currently form part of the ICO’s best practice guidance, but will become mandatory for certain types of processing.

A PIA can help an organisation demonstrate its compliance with the GDPR and ensure that new projects adopt Privacy By Design and data minimisation. In the absence of a PIA, an organisation may not be able to show that privacy issues were properly considered at the outset and that due thought was given in relation to things such as the basis upon which processing is carried out or the security measures that are adopted.

Data sharing with other organisations can often raise data protection issues. A data sharing policy and a PIA can be particularly helpful in identifying whether a proposed data sharing arrangement is lawful and the controls that should be put in place to regulate the data sharing.

How should local authorities prepare for the GDPR?

The first step is to carry out an information audit or prepare an information asset register to identify what information is processed by the authority.

The ICO’s survey identified that just 17% of local authorities have prepared an information asset register. Only once an organisation has identified what information it processes (and why) can it then work out what steps it needs to take to comply.

The GDPR raises a number of specific challenges for public authorities.

The GDPR tightens up the legal basis upon which public authorities can process personal data, by limiting the ability of those organisations to rely upon consent as a basis for processing or the legitimate interests condition. Local authorities that currently rely upon the legitimate interests condition to process any personal data will therefore need to identify another lawful basis for processing – for example, a statutory basis. That will require local authorities to look at their statutory functions and identify any areas where existing processing activities do not fall within those functions.

It is not yet clear how these restrictions will apply to, say, commercial activities undertaken by public authorities or services provided through arms’ length subsidiaries or on their behalf on an outsourced basis.

The GDPR comes into force on 25 May 2018. To find out more about the GDPR and how we can assist, download our two page summary to the GDPR or register for our data protection law updates this Spring in Aberdeen, Edinburgh and Glasgow.

The post ICO identifies priorities for local authorities on GDPR compliance appeared first on blogs.

ICO issues fines for breaches of rules on electronic marketing


A recurring question from clients is whether they can send an email to individuals that have opted out of marketing to ask them if they would like to opt back in. Is that request in itself marketing?

A Monetary Penalty Notice issued by the Information Commissioner’s Office (ICO) considers just that issue. In short, the ICO confirmed that contacting an individual that had previously opted out of electronic marketing was, in itself, marketing.

Background

The rules on electronic marketing (by email or SMS) are set out in the Privacy and Electronic Communications Regulations 2003 (PECR). The Regulations state that an organisation needs consent to issue electronic marketing and that individuals have the right to require the organisation to cease electronic marketing.

Under the fourth data protection principle, organisations must ensure that the personal data that they hold is accurate and, where necessary, kept up to date. The fifth data protection principle requires that data is not kept any longer than is necessary for the purpose.

To comply with the fourth and fifth principles, organisations often contact individuals and ask them to confirm that their contact details are correct and up to date. The tension arises when steps taken to comply with the fourth and fifth principles cut across the rights of individuals to opt out of marketing.

In this case, Flybe deliberately instructed its marketing agents to issue an email to 3.3 million customers that had previously opted out of receiving electronic marketing asking them to confirm that their details were up to date but also including a link to update their marketing preferences. If the individual updated their marketing preferences then they would be entered in a prize draw.

The ICO held that this email itself constituted marketing and by deliberately sending it to individuals that had asked not to be sent electronic marketing Flybe had breached PECR. The ICO fined Flybe £70,000.

A separate investigation was carried out into Honda, which had sent a similar email. In Honda’s case, it believed that the email did not constitute marketing, but instead constituted a customer service email designed to help Honda comply with the fourth principle. Honda’s email was sent to just under 300,000 individuals.

Due to a design issue with the software portal through which the data was entered, Honda was unable to demonstrate to the ICO that the recipients had agreed to receive such emails as the database entries had neither an opt in nor opt out flag. The ICO concluded that as Honda did not have a record of whether those individuals had agreed to receive electronic marketing, Honda did not have consent. Honda was fined £13,000.

When is an email a marketing email?

The decision might come as a surprise to some, who may view an email asking individuals to review and update their contact details and preferences as being good data management. Indeed, under the GDPR, organisations are actively encouraged to regularly review and refresh their consents.

The approach taken by the ICO is to adopt a very broad interpretation of a marketing email. The ICO’s approach suggests that whilst an organisation should regularly contact individuals to ask whether they wish to continue receiving marketing emails, it does not work the other way around.

When sending emails to customers to check that their contact details are up to date, it is therefore important that the email does just that.

Some organisations use preference centres to allow individuals to manage their contact details and set their marketing preferences. Again, organisations will need to be careful to ensure that emails inviting individuals to review their details do not encourage them to change their marketing preferences.

The same issues apply when sending customer service emails (for example, order confirmations and account statements etc). This can be particularly difficult when an organisation wishes to communicate the availability of new functionality or benefits. At what point does an email cease to be a customer service email keeping the customer up to date about the service that customer is using and instead become marketing?

What impact might the GDPR have?

The General Data Protection Regulation (GDPR) does not make any changes to PECR or the Directive that PECR implements. The Commission has published proposals for a new ePrivacy Regulation to replace that Directive which, if passed, would replace PECR. Under the current draft, the rules on electronic marketing do not really change much, though the draft ePrivacy Regulation does incorporate the GDPR’s definition of consent. You can read more about that here.

However, as I noted in a previous blog, the GDPR (and, if approved, the ePrivacy Regulation) may require organisations to “re-paper” their existing consents if those consents do not meet the requirements for consent under the GDPR. The ICO’s draft guidance on consent does not provide much guidance on how this should be done, and organisations will be wary about doing this in a manner that may lead to previous consents for marketing lapsing and not being renewed by the individual. For that reason, it is understandable that there may be business pressure to see whether individuals that have previously opted out might want to opt back in again.

These MPNs make clear that if an organisation does need to “refresh” its marketing consents for the purposes of GDPR and the ePrivacy Regulation, then it should not be using that as an opportunity to contact individuals that had previously opted out of electronic marketing to encourage them to opt back in. Instead, it should be contacting only those individuals for whom it has pre-GDPR/ePrivacy Regulation consents for electronic marketing or ensuring that an email linking to a preference centre takes a very neutral approach in its call to action.

If you would like to discuss electronic marketing or how the GDPR and ePrivacy Regulation will affect your organisation, please get in touch or visit our GDPR hub.

The post ICO issues fines for breaches of rules on electronic marketing appeared first on blogs.

Serving notices: revisited


Notice clauses are usually found at the end of IT contracts and so can often be overlooked. We blogged back in September on why you should check this clause before serving a notice on your supplier or customer, after the Scottish Court of Session decided that a notice hadn’t been validly served in Hoe International Limited v Martha Goodnow Andersen & Another. This decision has now been overturned on appeal but compliance with notice clauses remains important.

Background

Hoe International Limited (the Buyer) purchased a company from Martha Goodnow Andersen and Sir James Aykroyd (the Sellers).

The company subsequently received notice of a claim against it by a third party, which the Buyer contended was a breach of warranties given by the Sellers.

According to the share purchase agreement between the Buyer and the Sellers, the Buyer was required to give notice to the Sellers of any such claims before it could raise a breach of warranty action against the Sellers. The notice clause specified that the notice had to be sent: 1) by personal delivery, pre-paid first class post or recorded delivery; 2) marked for the attention of a specific person; and 3) to a specific address.

The Buyer’s agents subsequently served a notice on the Sellers’ agents by DX (legal courier) and email, enclosing a copy of the letter of claim received from the third party. The third party’s claim was subsequently settled and the Buyer raised an action against the Sellers in the Court of Session for breach of warranty.

The Sellers argued that the breach of warranty claim should not succeed because the notice was invalid. Although it was received by their solicitors, their position was that 1) it did not contain sufficient information and 2) it was not sent in accordance with the notice clause.

Did the notice contain sufficient information?

Last year Lord Woolman found that the notice did contain sufficient information as it provided all the details known to the Buyer at the point the third party’s claim was received. The Inner House, the appeal court, agreed with that.

Was the notice validly served?

Lord Woolman had found that the notice clause specified exactly what constituted a valid notice, and that the parties did not intend to allow deviation from that. As the notice had been sent by DX and had not been marked for the attention of the person specified in the notice clause, it was invalid.

However, the Inner House focused on the purpose of the notice. It found that the more drastic the consequences of a notice, the greater the need for strict compliance with the notice clause.  For example, a termination notice was a drastic notice because it brought about a fundamental alteration in the parties’ legal relationship. Here the notice was informative in nature, and so fell at the less drastic end of the scale.

Crucially, the Sellers had not been prejudiced as a result of the alleged non-compliance with the notice clause. As the notice had actually been received by their solicitors, the means of delivery were of no real significance and it didn’t matter that it wasn’t sent to the identified person.

In any event, the court found that DX was a form of personal delivery and therefore the notice had been sent in compliance with that part of the notice clause.

As a result, it decided that the notice had been validly served and the Buyer was entitled to proceed with the warranty claim against the Sellers.

Key points

The same principles will apply to notices served under IT contracts.

While the Inner House took a pragmatic approach in this case, this decision turned on the fact that the notice was informative in nature and that the Sellers had not been prejudiced by the failure to comply with the notice clause, which may not always be the case.

Accordingly, our advice remains that you should carefully check your contract and seek legal advice before serving any notices to ensure that the notice itself, and the service of it, complies with the notice clause. This is especially important when the notice is one with “drastic” consequences such as a termination notice or step-in notice.

Finally, you should ensure that your terms and conditions and new contracts provide for the service of notices by commonly-used and up-to-date methods. DX is already frequently used in the legal profession in Scotland to transmit documents between one firm of solicitors and another, but it will be interesting to see if it becomes a more common method of serving notices going forward.

The post Serving notices: revisited appeared first on blogs.

ICO fines more charities for breaches of data protection laws


Following monetary penalty notices issued against the RSPCA and the British Heart Foundation last December, the Information Commissioner’s Office has fined another eleven charities for breaches of data protection laws. The ICO’s action follows a two year investigation.

How did the charities breach data protection law?

The contraventions cover three broad activities:

  • Wealth screening – profiling donors so that they could be targeted for additional donations
  • Data and tele-matching – using third party data sources to fill in the gaps in donor records
  • Data sharing – trading personal details with other charities, creating a pool of donor data for sale

In carrying out these activities, the charities breached a number of the data protection principles set out in the Data Protection Act 1998 (DPA). These include principle 1 (that data is processed fairly and lawfully) and principle 2 (that data is used only for a purpose consistent with the purpose for which it was collected).

In total, the fines issued to the 13 charities come to £171,000, but the ICO has made clear that the level of fines was significantly reduced from the levels that might have applied had the organisations in question not been charities.

You can read the ICO’s summary of what each charity did on the ICO website.

Has the ICO issued any guidance to charities?

The ICO published a conference paper on these issues in advance of a joint event with the Charities Commission and the (English and Welsh) Fundraising Regulator on fundraising and data protection. You can read the paper on the ICO website.

The paper emphasises that charities need to ensure that their use of personal data complies with the data protection principles.

Whilst the ICO has not said that these activities can never be carried out, organisations need to ensure that it is done in a lawful way.

That means ensuring that the individuals in question are provided with fair notice of what the charity will do with their data and ensuring that the organisation has satisfied one of the conditions in Schedule 2 of the Data Protection Act – ie valid and informed consent or the charity’s legitimate interests. The latter involves balancing those interests against the intrusion into the individual’s privacy.

There is also an overarching requirement for the processing to be fair. As Elizabeth Denham, the Information Commissioner, said in her keynote speech at the fundraising conference:

Fairness…means that personal information should only be used in a way that people would reasonably expect

Fair notice is usually provided by way of a privacy notice, and the ICO emphasises that charities will need to go to particular efforts to bring these activities to the attention of donors as (in its view) things like wealth screening would not fall within the reasonable expectations of individual donors. It should not be hidden in a link on a website.

When using third party data sources, charities also need to ensure that they are using that data in a manner that is consistent with the purpose for which it was originally collected. Just because data is shared by an individual on social media or is available from a public source or a third party does not mean that it can be used for any purpose. It is incumbent on the charity, as the data controller, to carry out appropriate diligence on its data sources.

As the ICO says, there may be reasons why an individual has decided not to share particular information. Whilst there is an obligation under the DPA to ensure that data is up to date, that does not mean that charities (or any other organisation) are required to find someone’s new phone number when a previous phone number no longer works. It should simply delete the out of date number from its records.

Similar issues apply in relation to data sharing. Whilst data sharing is not prohibited by the DPA, it does need to be carried out in a manner that complies with the DPA. In these cases, the charities in question had failed to ensure that they did so. In one case, the charity unlawfully shared over 3,000,000 donor records with third parties, including lottery and prize promotion companies.

Where can I find out more?

Brodies will be hosting an event in Glasgow on 17 May on the new fundraising regime in Scotland, which will cover effective compliance by charities with data protection and information law requirements. We are delighted to be joined by a speaker from the Information Commissioner’s Office, who will discuss the recent enforcement action and where the charities in question went wrong.

To find out more and register for the event, visit our Seminars page.

Charities and third sector organisations should also be thinking about the steps needed to prepare for the General Data Protection Regulation (GDPR), which comes into force in May 2018 and will replace the Data Protection Act. Amongst other things, the GDPR will require organisations to be far more transparent in relation to how they use data and impose a new obligation to be able to demonstrate compliance.

To find out more, please visit our GDPR Hub, download our GDPR overview, or get in touch.

The post ICO fines more charities for breaches of data protection laws appeared first on blogs.
