IT provider of choice for the Fashion sector, Prologic plc, is acquired by ESWC Acquisitions Ltd.
May 14th, 2012
AIM-listed retail ERP (enterprise retail planning) and EFT (electronic funds transfer) software solutions specialist to the fashion sector, Prologic plc, has been sold to a company with the same ultimate controlling shareholder as US-based Versata Enterprises, Inc. The transaction delivered shareholders a 46% premium over the share price prior to the announcement of the Offer.
Established over 25 years ago, the Berkhamsted, Hertfordshire-based retail ERP/EFT firm, which brings integrated merchandising, warehousing, distribution, allocation, sourcing and point of sale into one single central database, boasts an impressive client portfolio including leading fashion labels Ted Baker, Paul Smith, T.M. Lewin and Fat Face. Prologic also built strategic alliances and partnerships with Oracle Corporation, Hewlett Packard and many others.
Prologic joins Versata’s corporate family of 22 enterprise software companies acquired over the past five years. With a global presence covering 45 countries, Versata solves the most complex business problems for the world’s largest organizations. West Hill acted as financial advisor to ESWC and Atlas Technology Group introduced ESWC to Prologic and acts as a financial advisor to the Versata corporate family.
Stephanie Perry, Corporate Partner at Pitmans LLP has a long-standing relationship with Prologic’s management team. Pitmans had previously supported the Prologic management team through an MBO in 1999 and their later admission to AIM in 2004. Pitmans were therefore the logical appointment to support the Company through its proposed strategic review announced in late 2011.
The Board of Prologic Plc unanimously approved a bid by ESWC on 29 March 2012, and this was subsequently declared wholly unconditional following 98.7% shareholder acceptances on 24 April 2012.
Commenting on the transaction, Tom Fischer, Chief Executive of Prologic said: “We were delighted with Pitmans’ diligence and expertise which enabled us to complete this transaction more quickly and efficiently than we had anticipated.”
Of the deal, Fischer commented “The Prologic Board is pleased to have agreed terms with ESWC on an Offer which represents an attractive premium to both current and recent market prices, particularly given the current difficult macroeconomic climate and the challenges being faced in the retail sector in general.” He continued “Prologic’s business is expected to benefit both financially and commercially.”
Stephanie Perry commented that: “We are delighted for Prologic and have had the pleasure of working alongside their management to see them grow, develop, float and now be acquired by an affiliate of a very large and successful US-based IT specialist.”
Pitmans’ team consisted of Corporate Partner Stephanie Perry and Corporate Solicitor Carolyn Butler.
Thames Valley and India – technology business links
May 1st, 2012
Courtesy of Thames Valley Business Magazine April 2012
The performance of the BRIC economies, whilst not without their own problems, has for the most part been on a steadier upward trend in the last couple of years than the performance of the economies in the western world. In the Thames Valley, technology businesses have for some time now benefitted from the strong links with one of the BRIC economies – India. While Indian outsourcing IT services providers have long been active in the UK, there is now a growing level of engagement by businesses in the UK with Indian businesses directly, and for professional services providers targeting Indian business this necessitates an approach that covers both fronts. The following issues tend to crop up repeatedly.
Local advice
India (and the UK) have changed tremendously in the last 10-15 years, especially in relation to the flow of services between the two countries. The widespread use in India of English in business life and the high quality of education means Indian businesses are targeted increasingly for the provision of services to UK businesses. India’s consistent strength in IT-enabled and IT-related services means that this industry has become the focus of the commercial relationship between the two countries – this is evident in the Thames Valley with its large number of Indian IT professionals on short-term as well as long-term assignments.
When investing in an Indian company or appointing an Indian company as a service provider, it is essential to obtain local tax and legal advice. Many UK advisors offer such advice from the UK, but the rapid change in India’s investment laws as well as the variety of ways in which one can engage in business with Indian companies, necessitates someone on the ground who is on top of the current regulatory framework.
Service Delivery
Contracting with a service partner in the same jurisdiction can be tricky enough – the same relationship across several time zones needs even more attention. Notwithstanding the leading standards of Indian technical education and training, there are differences in service delivery culture and contract documentation may need to be structured with an emphasis on regular communication and governance, as opposed to relying on precise standards and remedies for breach of those standards. This is not a case of “better or worse” service standards as much as cultural and geographical differences in service delivery expectations.
Some of the larger Indian service providers have set up UK-based entities, designed specifically to contract with local businesses. While the presence of a local entity often facilitates better regular communication, the services themselves (especially where IT-related services are concerned) often continue to be provided (wholly or in part) by people in India and it is important to ascertain those facts and tailor service delivery requirements and expectations accordingly.
Jurisdiction
Due to the availability of technically educated graduates and the relatively low cost of setting up an IT-service business in India, there are many of them and most of them are targeting business from outside India. Many of these are smaller companies who will not (just as analogous businesses in the UK) have an awareness of the “legals” that are associated with running a business. One of the results of this is that clients in the UK are often faced with a fairly inflexible position in relation to choice of law and jurisdiction, which the service provider insists should be Indian law and India. The wheels of justice grind slowly in India and for complex service agreements (especially where they involve the delivery of goods or IPRs) some thought should be given to this, as it may be prohibitively expensive and/or too slow to resolve a dispute in India relying on the Indian courts. It is equally expensive for a small Indian service provider to seek to resolve disputes in the English courts. The difficulties related to the enforceability of judgments in other territories, as well as the expense of traditional legal processes, mean that more innovative and consultative means of resolving disputes often need to be considered.
There is much to be optimistic about, as far as the existing and growing relationship between Indian tech businesses and the Thames Valley is concerned. In a global economy, finding best value service delivery partners is of fundamental importance and with a growing awareness of potentially problematic issues and their solutions, this relationship can only get stronger.
David Archer
Senior Solicitor, Information Technology
T: 0118 957 0180
E: darcher@pitmans.com
Technology – legal outlook for 2012
March 1st, 2012
Courtesy of Thames Valley Business Magazine February 2012
The start of a new year is an opportunity to reflect on possible developments over the next year. The legal environment of the technology sector is unlikely to see any drastic changes in the next twelve months and we expect the issues below to form the basis of much of the discussion in the next year. Hopefully, we will see many Thames Valley firms exploiting the commercial opportunities these issues throw up.
Software Development: A 2011 judgment from the European Court is likely to give food for thought to software developers who assumed that user interfaces in computer programs cannot be protected by copyright, thereby reducing the cost of developing applications able to link with other, copyright-protected applications. The Advocate General’s opinion in SAS v WPL suggests that there may be elements or expressions of a computer program other than object code or source code (traditionally regarded as protectable by copyright) which can also be protected – provided they form a substantial portion of the source program.
ISP and intermediaries: The injunction on BT in the Newzbin2 case showed that courts are willing to force ISPs to put reasonable measures in place to prevent access to websites which contain copyright-infringing material. The judgment in Scarlet v SABAM also shows that ISPs are unlikely to be asked to put in place blanket measures that affect all its users. Neither judgment clarifies the cost implications of these measures and intermediaries will be keeping an eye out for further developments in this space.
Data Protection: Early this year, the European Commission will publish its proposals to reform data protection law in the EU. From the draft published in late 2011, we know that some of the changes will make it easier for businesses to comply with data protection law, while others will give data subjects greater rights in relation to their personal data, as well as impose a higher monetary penalty for serious breaches. The balance struck will be vital for those businesses at the frontline of data protection, e.g. those active in developing behavioural advertising applications.
Cloud Computing: An increasingly mature technology, this is likely to see greater use by small and medium sized businesses and individuals – especially in relation to online storage of music and other data (subject to the relevant copyright licences). However, important questions such as compliance with data protection law (in particular, transfer of data outside the EU) and data portability will continue to be of relevance, with smaller businesses and individuals unlikely to have the bargaining power to negotiate material changes in a supplier’s terms of business.
Apart from the specific issues above, the current economic climate will continue to force technology businesses to get the most out of their technology and intellectual property assets and their clients to get the most out of any money spent on new technology. Appropriate licensing and purchase strategies, with an element of flexibility, will continue to be at the core of legal work in this sector.
Rustam Roy
Senior Solicitor, Technology
T: 0118 957 0180
E: rroy@pitmans.com
Pitmans Inaugural Cyber Asset Protection Seminar
February 15th, 2012
Pitmans hosted an evening seminar on 1 February, sponsored by Prolinx, a specialist IT security solutions provider, at which delegates were stimulated by a panel of experts who highlighted some of the current threats and challenges posed by cyber risk.
The keynote presentation was made by Professor Sadie Creese, Professor of Cybersecurity at the University of Oxford. Professor Creese kicked off with the scale of what faces today’s society, highlighting that by 2020, there will be 31 billion connected devices and 50 trillion gigabytes of data created. This, in turn, will result in an increasingly vast ‘attack surface’ which presents those seeking to protect cyber assets with an enormous challenge. Professor Creese, amongst other things, pointed out the scarcity of meaningful metrics in relation to data security as well as the importance of preparing to ‘respond and recover’. As part of current research, it was clear that much needed to be done to develop invaluable analytics to measure security and that, above all, the ability to attribute an identity to hackers or intruders remained a perennial vulnerability.
Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, explained that the World Economic Forum’s recent Risk Report now lists cyber threats as one of the top 5 risks threatening society in terms of likelihood. Philip highlighted the risks this poses to the current intellectual property enforcement regime: in the absence of identifying culprits, it remains difficult to take criminal action against those responsible, and all that will be left will be a dispute between the victim and its suppliers as to who is to blame. In addition, investors and companies will be increasingly reluctant to invest in R&D if valuable intangible assets cannot be protected from extraction. Philip also summarised the EU’s recent draft Data Protection Regulation which seeks to introduce a much stricter regime for serious breaches of data security (calculated as a percentage of global turnover) and a concept of accountability so that data controllers are encouraged to take responsibility for the protection of personal data.
Simon Milner, Head of Cyber Risk at JLT Specialty Limited, then provided a realistic explanation of the insurance landscape and what solutions are available to customers on today’s insurance market. Simon picked up on some of the themes touched on by previous speakers including the need to develop better analytics to assist risk grading and assessment. In particular, it was clear that many in industry were not necessarily aware of the variety of products currently available in this space, e.g. to cover reputation management, legal costs and re-constitution of lost data.
Finally, Nick Baskett, Chairman of Matta Consulting, a penetration and vulnerability consultancy, provided an invaluable insight into the gaps and strengths in existing data security systems, including:
• an amusing, if scary, exposé on how effective intrusion detection systems can be when they are not correctly implemented; and
• how a software house subsequently discovered (after passing on the opportunity to carry out a security audit on a number of previous occasions) that a trojan was residing in its primary code repository.
Nick then stressed that the way a forensic investigation is carried out following an incident differs depending on whether or not it is necessary to collect evidence (and the related costs involved).
A copy of the WEF Global Risks Report is available here.
Following the session, McAfee have also released their 2012 Threats Predictions – click here for further details.
For further discussion of this seminar or other issues, please contact:
Pitmans’ Data Privacy & Information Law team
Pitmans’ Cyber Risk Management team
Philip James
Partner, Head of Data Privacy & Cyber Risk Management
T: +44 (0) 207 634 4655
E: pjames@pitmans.com
Pitmans Technology Team Sleep Rough for Byte Night 2011
October 19th, 2011
As many workers made their way home for their weekend, over 130 Reading based IT and Business professionals settled in to their makeshift camp for an evening in Forbury Gardens, all as part of the 13th annual Thames Valley Byte Night. Byte Night helps to raise money for the Action for Children charity which helps young homeless people get off the streets.
Sleeping bags were unrolled by many leading Thames Valley based firms, including Microsoft, Barclays Corporate, BDO, Volume and Pitmans LLP. They were joined across the UK by others taking part in similar events in London, Edinburgh and Cambridge.
The events have reportedly raised over £750,000 for the charity, an increase of £183,000 on 2010.
Pitmans’ Technology team, including Rustam Roy, Tim Clark, Andrew Peddie, Richard Devall and Philip James, were pleased to participate in this night of fun, but with a very serious and important message.
Head of Technology, Tim Clark said “Thank heavens for a warm October evening, even though it did start to rain in the early hours of the morning! We’re really grateful to all our family, friends, colleagues and clients for supporting us in our night in the wild. We’ve seen sights in Reading that we didn’t know existed, and will be dining off for years to come. There was great spirit on the night, but thankfully we were in warm sleeping bags. We were very grateful to all those involved and look forward to participating in next year’s event.”
Pitmans’ next charity event is on the 24th November, when we are holding a charity pub quiz in aid of Combat Stress at the Sun Inn pub on Castle Street, Reading. If you would like to enter a team, please contact Jenny Littlewood.
5 Legal Issues to consider when moving to the cloud and choosing a vendor
September 14th, 2011
This article was published by Workbooks.com
Philip James, Partner, and Carolyn Butler, Solicitor at Pitmans LLP examine some of the legal issues you should consider when moving to cloud computing and selecting a vendor.
1. Know the flight plan (negotiation and contract)
Carefully review the terms on which you are intending to contract with your cloud provider. Is the contract open to negotiation or are you expected to contract on the cloud provider’s standard terms? If the former, consider your specific requirements, and ensure your contract:
• adequately reflects your requirements in unambiguous language in a layout that’s easy to follow (in other words, don’t bury your specifications across numerous schedules);
• clearly delineates the roles and responsibilities of both the cloud provider and your organisation; and
• has quantifiable metrics or KPIs to verify the performance of your cloud provider.
If the latter, review the terms carefully to ensure, firstly, that they are fair and that there are no unpleasant surprises lurking and, secondly, that they cover everything you need them to. If not, seek to vary the standard terms with your cloud provider accordingly.
Look at the extent of the remedies available under the contract. The contract will probably contain limitations of liability, so if you are intending to outsource critical internal infrastructure, check whether those limitations adequately reflect the allocation of liability to your cloud provider.
• What limitation should apply?
• Are there risks for which liability should or should not be excluded? E.g. does the supplier exclude liability for loss of data? (This is not much good if you are outsourcing your CRM database!)
In some cases, damages for breach of contract may not be a sufficient remedy if things go wrong, and you may wish to set out alternative, more appropriate remedies under the contract. Other key issues to look out for in your contract are explored in more detail below. In all cases, always seek specific legal advice if you are unsure about the effect of any element of your contract.
Before negotiating a contract with a cloud provider, the European Network and Information Security Agency’s Information Assurance Framework for Cloud Computing, which sets out questions that an organisation should ask a cloud provider, is essential reading¹.
2. First class, business class or economy class? (service levels)
Service levels need to be agreed upfront, and should be expressed in the service-level agreement in terms that are both clear and measurable, including maximum periods of downtime, the relative importance to the business of different elements of the service and processes for remedying defaults. While many businesses look to cloud providers as part of their business continuity strategy, it is also necessary to consider what would happen if the cloud provider’s operations become disrupted. How does your cloud provider manage its response to incidents such as natural disasters or security breaches to ensure disruption is kept to a minimum?
Before you sign up, ask your cloud provider about any extra costs and charges, work out which of these are relevant to your business and budget accordingly. You should also ensure your future as well as your present needs are taken into account: find out how quickly and by how much your cloud provider can scale up the services it provides, and, if you plan to expand your business abroad, whether your provider has the capabilities to meet your needs in other jurisdictions.
It is important that the ramifications of failing to meet the agreed service levels are clearly set out (often a service credits mechanism is used) and that the parties agree a process of escalating remedies in the event that problems supplementary to the agreed remedial mechanisms arise. The resolution of disputes can be a costly and time-consuming exercise, and it is in the interests of both parties to have workable and effective escalation processes in place to ensure problems are worked out amicably, the business relationship is preserved and any disruption is kept to a minimum.
3. Security checkpoints (security and data protection)
It is essential to verify with your cloud provider which responsibilities for security lie within the remit of your organisation and which are theirs.
While your cloud provider may be unable to give you precise details about the security measures it has in place (since a detailed disclosure of the systems in use could impair their integrity), a high-level description of those measures should be given, for example, the extent to which data encryption is used, whether anomaly detection systems are applied, the protocols in place to deal with the theft of user credentials and the physical security used to protect the locations where data is stored. Your cloud provider should also be able to tell you whether it meets any of the existing web standards² and give you details of the security features on offer for users, such as user authentication and authorisation/administration controls. Find out whether your cloud provider offers any guarantees that customer resources are fully isolated from one another, and to what degree data, metadata or other traces of use by your organisation are erased before machines are reallocated. You should request sufficient information to allow you to make a sensible judgement about the adequacy of the security measures offered by your cloud provider, and about whether additional measures are required and need to be agreed in your contract.
Further, your cloud provider may intend to outsource or subcontract any of the operations that it is contracted to supply to you, and, if they do, find out who those third parties are, where they are based, what procedures are used to verify and monitor the quality of services they provide, and the security controls in place to protect your data. For instance, it is not much use having contractual protections in your agreement with your provider if the ‘subbie’ to whom the service is sub-contracted is not subject to the same terms agreed with your supplier (you may also not have conducted due diligence in respect of that subbie).
4. Final destination (location)
Just as importantly, find out where your cloud provider will physically hold your data. Your data should be stored in a jurisdiction where an acceptable level of protection is mandated by law. Data protection standards vary from one jurisdiction to another and, although efforts are being made to harmonise the requirements across the EU as a whole, outside of the EU they may be non-existent. Nevertheless, if you are a business based in the UK, and the data in question is being processed in the context of that business, the full extent of the UK rules will most likely apply.
Further, if you are intending to store personal data in the cloud, such as HR records, take note that the transfer of personal data to a country or territory outside of the EEA is prohibited, unless equivalent protection in that country or territory is assured (and in this respect, if it is to be stored outside the EEA, seek specific legal advice on this issue as there are a number of compliance requirements which may need to be dealt with). Where this is concerned, it is always easier from a data privacy compliance perspective to engage a supplier whose data centre is located in the UK or Europe than enter into an arrangement with a supplier whose servers are in the US or China (or worse still, in a virtual data centre i.e. you don’t know where it is stored!).
Note also that, where HR data is concerned, it is also likely to contain sensitive personal data. As such, there are a number of more stringent restrictions as to how this type of data may be processed and specific consents may need to be obtained from the data subjects (i.e. the person to which such personal data relates). Ideally, find a cloud provider based in your jurisdiction that can provide assurances that data (and at the bare minimum, personal data) will not be transferred outside of the EEA.
It is important to ensure your contract with your cloud provider clearly states the choice of territorial jurisdiction (that is, the country in which any dispute in relation to the contract will be heard) and the choice of law that the courts will apply in determining any dispute. Ideally, this should be a jurisdiction in which your organisation operates. If a dispute arises, and the choice of law and jurisdiction has not been specified, under EU law a defendant may be sued where they live, or where the contractual obligation was performed. The applicable law, however, will be the law with the closest connection to your contract. It is easy to see how this can create problems in a cloud computing environment where there are cloud providers all over the globe eager for your business, and where your data could potentially be stored anywhere in the world, so explicitly state in the contract what’s intended.
5. Take a moment to find the nearest exit (transitioning)
Although it may feel like a remote prospect, before you enter into a cloud contract it is necessary to anticipate how you intend to exit those arrangements. Care should be taken to ensure the portability of your data, including your metadata. Review your contract to determine what events could trigger a right to terminate the agreement by either you or your cloud provider. Ask what procedures are in place to export your data (in an orderly fashion) if you change cloud providers or in the event that the agreement is terminated. Find out whether those procedures are regularly tested to ensure that they work.
Also, if there is a specific format in which you expect to receive your ported data, you should try to specify that (to the extent that is possible) in your contract with your supplier. Please note: there may be additional costs associated with ensuring your data is in a format which is compatible with your systems. The ownership of intellectual property (IP) can be a particularly contentious issue in the cloud environment. Examine the IP provisions in the agreement with your cloud provider to determine how data ownership is dealt with, and whether those provisions are acceptable to you. IP is a technical area of law; as such, if in doubt, always seek specific legal advice to ensure you are adequately protected.
Once you have moved your data, you will no doubt be seeking assurances from your cloud provider that all traces of your data will be deleted as soon as possible. So, before you commit to a particular cloud provider, find out whether this is a realistic prospect: it may take a number of weeks for your data to be deleted if it is stored in more than one place (for example, if it is copied on to back-up tapes) and it may be impossible to destroy your data completely if your cloud provider allows you to share disk space with other customers. If that’s not good enough, give your cloud provider the opportunity to put satisfactory processes in place for you.
For further information in relation to the issues raised by this note, please contact:
Philip James
Partner
pjames@pitmans.com
+44 (0) 207 634 4655
Carolyn Butler
Solicitor
cbutler@pitmans.com
+44 (0) 118 957 0234
¹ http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/?searchterm=assurance framework
² Such as ISO27001 (http://www.27001-online.com/), which implements OECD (Organisation for Economic Cooperation and Development) principles governing security of information and network systems, and the SAS70 auditing standard (http://sas70.com/)
PLEASE NOTE: This note has been prepared to provide general guidance on the benefits as well as some of the risks associated with cloud computing. As such, it should not be relied on. Always seek specific legal advice in relation to your specific circumstances in question.
One strike and you’re out? The Android manufacturers’ copyleft licence dilemma
September 1st, 2011
Courtesy of Thames Valley Business Magazine October 2011
Manufacturers of Android mobile devices may soon find themselves struggling to answer searching copyleft licence questions.
Recently published data has confirmed that the Android operating system continues to build its market-share lead in the smartphone and mobile device field. It is estimated that, in the second quarter of 2011, Android’s share of the market increased to more than 43% of smartphone sales – some 46 million units worldwide – up from 36% in Q1 2011 and 17% in the same period last year.
This makes all the more surprising the serious Android licensing compliance issues recently highlighted by the Free Software Foundation and other free software organisations.
Copyleft in a nutshell
The problems stem from the licence under which part of the Android operating system is distributed, including most notably the Linux kernel upon which Android is founded.
This licence – the GNU General Public Licence version 2 (“GPLv2”) – is a free, so-called “copyleft” licence, published by the Free Software Foundation (“FSF”). According to FSF, the GPLv2 licence is intended to guarantee users freedom to share and change all versions of a program, to make sure that it remains “free” software to all users (note that “free” in this context refers to freedom to reproduce, adapt and distribute the software, rather than to price).
As one would expect, when the software is distributed, the distributor is required to comply with the conditions set forth in the GPLv2 licence itself. Although the full GPLv2 licence is lengthy, the key tenet can be simply stated: if you include code subject to this licence in a larger program, or adapt the code in some way, any subsequent distributions of the code (whether free of charge or commercial) must be subject to the same GPLv2 licence terms. In other words, you must pass on to the recipients the same freedoms that you received. The underlying intention is to give anyone who receives the software both the legal permission and the practical tools necessary to change and share the software themselves if they wish.
Importantly for the present purposes, section 3 of GPLv2 provides that distributors must in practice also:
- ensure that those in receipt of the software are provided with the “complete corresponding machine-readable source code” behind the software, or receive a written offer to that effect. The obligation to provide source code is personal to each company or person in the supply chain. Manufacturers cannot rely on others to provide the relevant source code; and
- provide the terms of the GPLv2 licence, in order that those receiving the software know their rights.
One strike and you’re out
The strategy deployed in the GPLv2 licence for ensuring compliance is at the same time commendably simple and unusually brutal. Section 4 of the GPLv2 states:
You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this Licence. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this Licence. However, parties who have received copies, or rights, from you under this Licence will not have their licences terminated so long as such parties remain in full compliance.
Dissecting this clause, the first sentence refers to all of the obligations that licensees have under GPLv2, including the source code disclosure obligations contained in section 3. The second sentence imposes a drastic sanction for distributors that fail to comply with all of the licence terms: that non-compliance will automatically terminate their rights under GPLv2.
Worse, it is no excuse for manufacturers to say that they did the right thing 99% of the time, or even for each of the millions of handsets sold bar one. Non-compliance automatically terminates the GPLv2 licence, regardless of whether or not the same manufacturer complies in any future distributions of the same open source software. The licence has been lost to that manufacturer once and for all from the date of the first infringement, and any further act of copying or distribution (regardless of whether those subsequent activities were in compliance with the licence) would be without the authors’ permission and hence would infringe the authors’ copyright.
In other words, one strike and you’re out. Permanently.
And here’s the most extraordinary point: almost all manufacturers of mobile devices running Android have fallen out of compliance at some point. Very few are able to demonstrate that they have always complied – a point that GPL activists and organisations like FSF are rapidly becoming alive to.
Nervous times for Android device makers
The practical consequences of this problem are potentially huge. The Linux kernel at the heart of Android was written in the early 1990s. Since then, many thousands of individuals have contributed to the development of that code and other software vital to Android’s increasingly sophisticated operation.
Potentially, any one of these thousands of authors could argue that, by a manufacturer losing its original grant of the GPLv2 licence, any subsequent distribution was (and is) unlicensed and hence that manufacturer needs to come to a settlement with him for both past infringements and future rights. In respect of the latter, that agreement would of course only protect the manufacturer in respect of that particular author’s (possibly tiny) contribution. There would still be thousands more individuals with potential causes of action.
If a few of these authors came together to pursue their claims and enforced their rights in unison, it is not difficult to imagine matters rather quickly getting somewhat serious for Android device makers, particularly if FSF or other free software organisations weighed in to support the action.
In some cases, and if the authors complaining were few, it is conceivably possible for manufacturers to replace the code those particular authors contributed. However, this would provide no answer to past infringement, and such replacement might well take longer than the time needed for an aggrieved contributor to seek an injunction preventing further sales.
For new software in the future, FSF has inserted much more forgiving termination provisions for GPL version 3, but that will be no comfort to manufacturers facing the present difficulties who are stuck with devices that have been built around GPLv2 code. In theory, the only safe option for Android device manufacturers appears to be to secure agreement (and a new licence) from each and every contributor over the years. The sheer logistical effort is unlikely to be appealing, even if it is assumed that all such contributors could be traced. In the absence of such steps, it is difficult to see how manufacturers will answer the claims that seem almost inevitable to arise sooner or later.
It is anyone’s guess how this matter will play out over the coming months and years, but it seems unlikely the issue will simply disappear – much as the manufacturers of Android mobile devices might wish it would.
Lessons to be learned
The fact that large multinationals find themselves facing such serious issues should serve as a salutary lesson for the wider sector. Businesses licensing software incorporating an open source element, however minor, should:
- take care to fully understand the licence terms upon which that open source code is made available;
- consider whether those licence terms are appropriate both at the present time and for the future, by which time upgrades and developments might mean that your software bears little relation to its current form; and
- produce a written policy on incorporation of open source software, to ensure that employees understand the issues that must be considered, and the potentially far-reaching consequences if they are not.
Phil Smith
Solicitor
T: +44 (0)118 957 0462
E: psmith@pitmans.com
Pitmans Sleeps Out to Chip In for Byte Night 2011
August 19th, 2011
Our Technology lawyers are more than just advisers; they regard themselves as part of the industry they practise in. On Friday 7 October, five of our technology team will be sleeping out on the streets of Reading for Byte Night 2011.
Over 700 people from the IT and business community will be taking part this year. Byte Night raises valuable funds to help Action for Children tackle the root causes of youth homelessness. The event helps thousands of children and young people across the UK to build better lives with secure accommodation, education and training opportunities and family support.
Pitmans’ team consists of Tim Clark, Andrew Peddie, Richard Devall, Philip James and Rustam Roy. They hope to raise over £3000 for the cause and have set up an easy way to support them via Just Giving: http://www.justgiving.com/teams/pitmans/
The Pitmans team would be extremely grateful for any support you can offer. Why not contribute to Byte Night 2011? You will be helping fund innovative projects such as the Bayswater Families Centre and the Fostering Therapeutic Service.
Last year, Byte Night raised a record £567,000 and this year we need your support to ensure it continues to be the biggest single event benefiting Action for Children. Byte Night really does help change lives. You may find it changes your life too.
If you would like to hear about other ways in which your organisation could contribute to this very worthwhile event please get in touch with one of the Pitmans team.
Data Portability & Competition in the Privacy Market: Review
May 23rd, 2011
Courtesy of Data Protection Law & Policy – May 2011
Last November, the EU Commission set out its aims to modernise the 1995 EU Data Protection Directive in a November 2010 Communication. Philip James, Partner at Pitmans, reviews some of the responses to the Commissioner’s consultation in relation to a particular conundrum facing the Commission – data portability.
This long-overdue overhaul of the existing data protection framework is intended to address some of the key challenges facing current data privacy regulation, namely: the collection and use of personal data via new technologies, harmonisation and simplification of notification throughout the EU, and globalisation and cross-border data flows.
The purpose is, on the one hand, to reinforce an individual’s right to privacy and, on the other, to harmonise and simplify data privacy regulation. The Commission has indicated that the revised framework may include a possible EU-wide notification process, involving a central EU Information Commissioner.
A key part of this harmonisation process will depend upon the establishment of precedents, template data processing agreements and fair processing notices. In addition, organisations will be required to adopt Privacy Impact Assessments (PIA) and Privacy by Design (PbD) into new technologies from inception through to implementation and day-to-day operation, rather than immediately prior to launch. In short, privacy is to be embedded into the development of business and technology from the word go.
A Refresher of the Review
Key objectives of the modernised data privacy strategy are to:
- Strengthen individuals’ rights and clarify what types of information will fall into the definition of ‘personal data’, such as user profile information.
- Increase transparency for data subjects, for example, by introducing mandatory personal data breach notification.
- Create new responsibilities for data controllers by making the appointment of an independent Data Protection Officer mandatory.
- Place a duty on data controllers to carry out PIA where appropriate, and promote the use of Privacy Enhancing Technologies (PET) and the PbD model of system design.
- Enhance individuals’ control over their data including the so-called ‘right to be forgotten’ and empower users with a right to port their personal information, otherwise known as data portability.
- Raise and finance public awareness and promote the application of approved ‘privacy seals’ for organisations which meet certain minimum privacy standards.
- Ensure informed and free consent (and, in so doing, provide pre-approved data privacy notices on EU standard forms).
- Harmonise the conditions for processing sensitive data and review the categories of information which may be classed as sensitive.
- Make remedies and sanctions more effective and promote an active infringement policy.
- Clarify and simplify the rules for international data transfers.
- Encourage self-regulatory initiatives.
Data Portability
Cloud providers and social network providers will need to pay particular attention to the proposed right for users to port their personal information to an alternative provider, as well as their right to erase their digital footprints, pursuant to their right to be forgotten. It may not have gone unnoticed that Google has recently launched a range of Chrome laptops, in conjunction with Acer and Samsung, which provides users with a suite of solely cloud-based applications, i.e. just the barebones on the machine itself; applications aren’t installed locally but accessed remotely. The service is a direct challenge to Microsoft’s enterprise offering. What is clear is that cloud-based computing isn’t going away anytime soon.
The right for consumers to port their data to a new provider will also be of specific concern to social networks whose servers continue to brim over with user-generated content.
In theory, the right for users to require providers to transfer their data to a new provider should promote cloud shopping. This, in turn, will promote greater competition between providers. One of the most effective weapons customers have in their armoury is to switch providers. Permitting users to transfer their personal portfolios of friends, photos and documents to an alternative supplier offering greater control and security will be a powerful means of promoting privacy. This is an ideal that should be pursued.
Data Liberation
Notably, Google is supporting this initiative by means of its Data Liberation campaign. This is to be welcomed, although it remains uncertain whether the genuine motive is to relieve its competitors of their data buckets, rather than liberate its customers’ own data. This will come as no surprise, given the continuing data and PR battle between the digital woolly mammoths, Facebook and Google.
In practice, the story is somewhat different. There are some significant hurdles to a truly liberal customer data migration policy. The Commission asked organisations and interested sector groups to respond to its consultation in relation to the Directive review by 15 January 2011. There is a wealth of feedback, and after reviewing some select responses, the following were of particular interest.
Microsoft’s response to the Commissioner’s consultation is particularly helpful on this issue. In recognising the brand value of winning customers’ trust, the report starts with ‘Microsoft’s success depends on users having confidence in our ability to responsibly manage and protect their data’ and continues the theme in Section C. (Enhancing control over one’s own data): ‘An essential element of a user’s control over that data is the ability to retrieve that data in a simple and cost-efficient way….Microsoft strives to build capabilities into those services to give the user that control’.
Practical Challenges
However, at the same time, the response outlines the practical and commercial realities that may inhibit data portability:
- Any right must draw a distinction between a user’s own data and underlying applications or related metadata or stats generated by use of the service.
- The right should be limited to data held by the provider.
- Any data transferred will depend on the format of the data and APIs (application programme interfaces) in question. Whilst there are industry standard formats and APIs, few service providers store data in the preferred format for data exchange.
- In addition, the richer the data format, the harder it may be to transfer data to a new provider. The more raw the data, the easier the transfer.
In short, there are significant technical challenges and users cannot have it both ways – have a specialised, slick user interface, then expect to be able to click a button and transfer their whole data suitcase to a new data ‘hotel’.
The risks of data portability should not be understated. Nokia’s response notes that the risks of failing to identify correctly the user who is requesting the data transfer are significant (page 10). One recommendation is to ensure that only ‘identified individuals’ can exercise their rights. In addition, there may be some benefit to limiting the frequency with which a user can exercise this right.
Promoting a Privacy Market
Cloud customers often marry in haste and repent at their leisure. In other words, unless users are provided with clear information about what will happen to their data at the end of the relationship (call it a ‘data pre-nup’ if you will), privacy is likely to suffer. In reality, a limited number of data oligarchs are likely to retain market control over customers’ data, based on first mover advantage, rather than necessarily providing the most effective platform for maintaining their customers’ privacy. Facilitating data portability will in itself generate healthy competition in relation to privacy enhancing technologies and empower customers with control over their data. Comparisons can be drawn with the mobile network market and the ability of customers to switch provider. For a long time, there was great resistance which was eventually overcome.
Industry Standards
Requiring providers to allow competitors access to their technology to produce compatible exchange interfaces and promoting common, standard industry data exchange formats (where reasonably practical) should assist users in migrating to a new provider. However, as ever, where there are associated costs of porting data, such costs should be reasonable and users should be informed of what these costs are in advance of ‘moving in’.
What Questions Should I Ask?
Google has succinctly distilled the questions a user should ask before signing up to a cloud service, in its Data Liberation site, as:
- Can I get my data out at all?
- How much is it going to cost to get my data out?
- How much of my time is it going to take to get my data out?
These are questions both consumers and businesses should be asking before they embrace the economically attractive cloud-based services on offer. It may come as no surprise that many cloud services offer low introductory fees, whilst the costs to switch to a new provider in the future may be astronomical.
Directive or Regulation?
The Commission will propose legislation this year. It should be borne in mind that the option remains open to the Commission to introduce new legislation in the form of a Regulation, rather than as a Directive. The upshot of this being that the law would be directly applicable and there may be a genuine opportunity for the Commission to achieve greater harmonisation within the EU.
Philip James
Media & Entertainment Partner
+44 (0)207 634 4655
pjames@pitmanssk.com












