Courtesy of Thames Valley Business Magazine March 2012

In a quiet corner of Caversham a squad of athletes of the GB Rowing Team are training to exhaustion just a mile outside Reading in the charge of the famous sporting alchemist and coach Jurgen Grobler. The squad has a reputation: it has achieved gold at every Olympic Games since 1984, Jurgen since ’72. Great titans of the sport have come and gone in this squad and the current generation of followers have no lesser ambition.

There is one difference – this time the team selected will be able to mine gold from a quarry not much more than a training row from HQ, at Dorney Lake, near Eton, home of the rowing competition of the 2012 London Games. It is ‘home water’ writ large.

Home water has been an advantage before. Previous success to the tradition started by Sir Steve had last come (literally) down the road at Henley in 1948 and now the current athletes all have gold on their mind.

Pitmans SK clients Andrew Triggs Hodge MBE and Zac Purchase MBE have both already won Olympic Gold Medals but are not satisfied until they have repeated their feat in front of their fans.

In order to do this, they, like the rest of the squad, must compete in repeated and relentless trials to determine whether they are worthy of a seat in a competing boat they may have qualified themselves. Team GB may take a team of 47 out of 48 athletes, having ensured that each boat (save one) has already pre-qualified for the Olympic regatta.

This might seem like room enough for all the contenders but the heavyweight sweep rowing (as opposed to sculling which involves one oar in each hand)  line-up has only 14 places, which will necessarily leave at least one world silver medallist on the bank. There are similar log jams among the women, lightweights and in the sculling squad: there is prodigious strength in depth.

“Everyone is fighting for those top seats,” says Andrew. “Already there is furious racing going on.” He has however won every trial so far.

A trip to the River and Rowing Museum in Henley [also a Pitmans client] will trace why this is and will show more: that the Thames Valley, its River and institutions are at the heart of the sport from its source deep in the eighteenth century to its rise and now its (hopefully continued) flood. Baron de Coubertin (himself a sculler) drew the connection to the Olympic Games in drafting the Olympic Charter leaning heavily on the statutes of Henley Royal Regatta, which is over half a century its senior. This last Regatta hosted Olympic Games in 1908 and 1948 and many local oars shared in the gold rush. FISA, the world governing body [and a Pitmans SK client], organised World Championships at Eton Dorney in 2006.

Nowadays the source of the athletes has expanded in keeping with a successful, nationwide, professional sport with National Lottery support and commercial sponsors. While Oxford University, Leander Club and the Thames Valley’s great rowing schools still contribute athletes, other local institutions have provided several candidates such as Reading University and Molesey Boat Club high performance centres (among others round the country), thanks to British Rowing’s Start Programme sponsored by Siemens. Indeed a local Marlow boy became the greatest Olympian in Britain and possibly the world, Sir Steve Redgrave of Marlow Bottom.

Once these athletes have shown serious potential, they are cloistered within the Redgrave-Pinsent Rowing Lake and GB Rowing Team citadel, a modern, high performance facility hidden behind fences among the reeds at Caversham. They are now professional athletes. They train 3 times a day, on the water, in the gym and on rowing ergometers, which monitor every watt produced, in the obsessive care of the finest coaches and physiologists. This centre produces the best in the sport, which is crucial for the nation’s prestige, especially if it is the host of the Olympics.

While they are supported by the National Lottery Sports fund, the sums amount to subsistence allowances gratefully received. These men and women are motivated by gold rather than ‘silver’. They have careers planned and are often studying. Triple silver medallist Katherine Grainger for example is studying elements of psychopathy in crime. These are serious, disciplined and driven people. She will be wanting gold this time.

Currently it is mooted as possible that the reigning World Champion four, might be broken up to allow 2 Olympic Gold Medallists aboard. It has happened before, such is the level of commitment to excellence and to ensuring gold for Britain being provided by this squad. It is an epic blow to those who are demoted, but most have the tenacity to carry on and produce gold from whichever boat they gain selection for. This too has happened before. Sir Steve Redgrave made history by winning 5 Olympic gold medals and on the undercard, the Eight, often seen as the blue riband event, were inspired to take gold too, for the first time since 1912. History may repeat itself this summer.

For some athletes repeated success makes them household names and Matthew Pinsent, James Cracknell and Sir Steve have gained wider acknowledgment for their excellence and attracted endorsement deals and sponsors have benefitted from their association. Those mentioned above in the current squad do much for British Rowing’s sponsors and have attracted personal sponsors, such as Next, Omega, Allianz and locally Thames Water.  Pitmans has advised on a number of such deals and in comparison with other sports in which we practice such as cricket, rugby and football, rowing represents great value for money and excellent role models both during the Olympics and afterwards.

Meanwhile the machines keep whirring and the boats pound up and down the lake awaiting the opportunity to grab gold. This is a unique opportunity to watch and support this golden sport in the valley which is the cradle of this sport among many other modern sports which grew here. World sport is coming to the Valley, in many ways its birthplace, join in!

The Thames was described by the Queen at the opening of the River and Rowing Museum as the golden thread running through the fabric of the nation’s history. A number of her subjects in Caversham are hoping to add to the gold in this her Jubilee year.

Contact us for help or advice with any sport since we have dealt in most, through our offices in London and Reading, the homes of sport.

James Felt
Consultant, Sport, Media & Entertainment
T: 0207 634 4628
E: jfelt@pitmans.com

Jeremy Summers
Partner, Head of Intellectual Property
T: 0207 634 4622
E: jsummers@pitmans.com

Pitmans hosted an evening seminar on 1 February, sponsored by Prolinx, a specialist IT security solutions provider, at which delegates were stimulated by a panel of experts who highlighted some of the current threats and challenges posed by cyber risk.

The keynote presentation was made by Professor Sadie Creese, Professor of Cybersecurity at the University of Oxford. Professor Creese kicked off with the scale of the challenge facing today’s society, highlighting that by 2020 there will be 31 billion connected devices and 50 trillion gigabytes of data created. This, in turn, will result in an increasingly vast ‘attack surface’, which presents those seeking to protect cyber assets with an enormous challenge. Professor Creese, amongst other things, pointed out the scarcity of meaningful metrics in relation to data security as well as the importance of preparing to ‘respond and recover’. As part of current research, it was clear that much needed to be done to develop invaluable analytics to measure security and that, above all, the ability to attribute an identity to hackers or intruders remained a perennial vulnerability.

Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, explained that the World Economic Forum’s recent Risk Report now lists cyber threats as one of the top 5 risks threatening society in terms of likelihood. Philip highlighted the risks this poses to the current intellectual property enforcement regime: in the absence of identified culprits, it remains difficult to take criminal action against those responsible, and all that will be left will be a dispute between the victim and its suppliers as to who is to blame. In addition, investors and companies will be increasingly reluctant to invest in R&D if valuable intangible assets cannot be protected from extraction. Philip also summarised the EU’s recent draft Data Protection Regulation which seeks to introduce a much stricter regime for serious breaches of data security (calculated as a percentage of global turnover) and a concept of accountability so that data controllers are encouraged to take responsibility for the protection of personal data.

Simon Milner, Head of Cyber Risk at JLT Speciality Limited, then provided a realistic explanation of the insurance landscape and what solutions are available to customers on today’s insurance market. Simon picked up on some of the themes touched on by previous speakers including the need to develop better analytics to assist risk grading and assessment. In particular, it was clear that many in industry were not necessarily aware of the variety of products currently available in this space, e.g. to cover reputation management, legal costs and re-constitution of lost data.

Finally, Nick Baskett, Chairman of Matta Consulting, a penetration and vulnerability consultancy, provided an invaluable insight into the gaps and strengths in existing data security systems, including:

• an amusing, if scary, expose on how effective intrusion detection systems can be when they are not correctly implemented; and
• how a software house subsequently discovered (after passing on the opportunity to carry out a security audit on a number of previous occasions) that a trojan was residing in its primary code repository.

Nick then stressed that the way a forensic investigation is carried out following an incident (and the related costs involved) differs depending on whether or not it is necessary to collect evidence.

A copy of the WEF Global Risks Report is available here.

Following the session, McAfee have also released their 2012 Threats Predictions – click here for further details.

For further discussion of this seminar or other issues, please contact:

Pitmans’ Data Privacy & Information Law team

Pitmans’ Cyber Risk Management team

Philip James
Partner, Head of Data Privacy & Cyber Risk Management
T: +44 (0) 207 634 4655
E: pjames@pitmans.com

This article was published by Workbooks.com

Philip James, Partner, and Carolyn Butler, Solicitor at Pitmans LLP examine some of the legal issues you should consider when moving to cloud computing and selecting a vendor.

1. Know the flight plan (negotiation and contract)

Carefully review the terms on which you are intending to contract with your cloud provider. Is the contract open to negotiation or are you expected to contract on the cloud provider’s standard terms? If the former, consider your specific requirements, and ensure your contract:
 
• adequately reflects your requirements in unambiguous language in a layout that’s easy to follow (in other words, don’t bury your specifications across numerous schedules);
• clearly delineates the roles and responsibilities of both the cloud provider and your organisation; and
• has quantifiable metrics or KPIs to verify the performance of your cloud provider.

If the latter, review the terms carefully to ensure, firstly, that they are fair and that there are no unpleasant surprises lurking and, secondly, that they cover everything you need them to. If not, seek to vary the standard terms with your cloud provider accordingly.

Look at the extent of the remedies available under the contract. The contract will probably contain limitations of liability, so if you are intending to outsource critical internal infrastructure, check whether those limitations adequately reflect the allocation of liability to your cloud provider.

• What limitation should apply?
• Are there risks for which liability should or should not be excluded? E.g. does the supplier exclude liability for loss of data (this is not much good if you are outsourcing your CRM database!).

In some cases, damages for breach of contract may not be a sufficient remedy if things go wrong, and you may wish to set out alternative, more appropriate remedies under the contract. Other key issues to look out for in your contract are explored in more detail below. In all cases, always seek specific legal advice if you are unsure about the effect of any element of your contract.

Before negotiating a contract with a cloud provider, the European Network and Information Security Agency’s Information Assurance Framework for Cloud Computing, which sets out questions that an organisation should ask a cloud provider, is essential reading¹.

2. First class, business class or economy class? (service levels)

Service levels need to be agreed upfront, and should be expressed in the service-level agreement in terms that are both clear and measurable, including maximum periods of downtime, the relative importance to the business of different elements of the service and processes for remedying defaults. While many businesses look to cloud providers as part of their business continuity strategy, it is also necessary to consider what would happen if the cloud provider’s operations become disrupted. How does your cloud provider manage its response to incidents such as natural disasters or security breaches to ensure disruption is kept to a minimum?

Before you sign up, ask your cloud provider about any extra costs and charges, work out which of these are relevant to your business and budget accordingly. You should also ensure your future as well as your present needs are taken into account: find out how quickly and by how much your cloud provider can scale up the services it provides, and, if you plan to expand your business abroad, whether your provider has the capabilities to meet your needs in other jurisdictions.

It is important that the ramifications of failing to meet the agreed service levels are clearly set out (often a service credits mechanism is used) and that the parties agree a process of escalating remedies in the event that problems supplementary to the agreed remedial mechanisms arise. The resolution of disputes can be a costly and time-consuming exercise, and it is in the interests of both parties to have workable and effective escalation processes in place to ensure problems are worked out amicably, the business relationship is preserved and any disruption is kept to a minimum.

3. Security checkpoints (security and data protection)

It is essential to verify with your cloud provider what responsibilities for security lie within the remit of your organisation and which are their responsibility.

While your cloud provider may be unable to give you precise details about the security measures it has in place (since a detailed disclosure of the systems in use could impair their integrity), a high-level description of those measures should be given, for example, the extent to which data encryption is used, whether anomaly detection systems are applied, the protocols in place to deal with the theft of user credentials and the physical security used to protect the locations where data is stored. Your cloud provider should also be able to tell you whether it meets any of the existing web standards² and give you details of the security features on offer for users, such as user authentication and authorisation/administration controls. Find out whether your cloud provider offers any guarantees that customer resources are fully isolated from one another, and to what degree data, metadata or other traces of use by your organisation is erased before machines are reallocated. You should request sufficient information to allow you to make a sensible judgement about the adequacy of the security measures offered by your cloud provider, whether additional measures are required and need to be agreed in your contract.

Further, your cloud provider may intend to outsource or subcontract any of the operations that it is contracted to supply to you, and, if they do, find out who those third parties are, where they are based, what procedures are used to verify and monitor the quality of services they provide, and the security controls in place to protect your data. For instance, it is not much use having contractual protections in your agreement with your provider if the ‘subbie’ to whom the service is sub-contracted is not subject to the same terms agreed with your supplier (you may also not have conducted due diligence in respect of that subbie).

4. Final destination (location)

Just as importantly, find out where your cloud provider will physically hold your data. Your data should be stored in a jurisdiction where an acceptable level of protection is mandated by law. Data protection standards vary from one jurisdiction to another and, although efforts are being made to harmonise the requirements across the EU as a whole, outside of the EU they may be non-existent. Nevertheless, if you are a business based in the UK, and the data in question is being processed in the context of that business, the full extent of the UK rules will most likely apply.

Further, if you are intending to store personal data in the cloud, such as HR records, take note that the transfer of personal data to a country or territory outside of the EEA is prohibited, unless equivalent protection in that country or territory is assured (and in this respect, if it is to be stored outside the EEA, seek specific legal advice on this issue as there are a number of compliance requirements which may need to be dealt with). Where this is concerned, it is always easier from a data privacy compliance perspective to engage a supplier whose data centre is located in the UK or Europe than enter into an arrangement with a supplier whose servers are in the US or China (or worse still, in a virtual data centre i.e. you don’t know where it is stored!).

Note also that, where HR data is concerned, it is also likely to contain sensitive personal data. As such, there are a number of more stringent restrictions as to how this type of data may be processed and specific consents may need to be obtained from the data subjects (i.e. the person to which such personal data relates). Ideally, find a cloud provider based in your jurisdiction that can provide assurances that data (and at the bare minimum, personal data) will not be transferred outside of the EEA.

It is important to ensure your contract with your cloud provider clearly states the choice of territorial jurisdiction (that is, the country in which any dispute in relation to the contract will be heard) and the choice of law that the courts will apply in determining any dispute. Ideally, this should be a jurisdiction in which your organisation operates. If a dispute arises, and the choice of law and jurisdiction has not been specified, under EU law a defendant may be sued where they live, or where the contractual obligation was performed. The applicable law, however, will be the law with the closest connection to your contract. It is easy to see how this can create problems in a cloud computing environment where there are cloud providers all over the globe eager for your business, and where your data could potentially be stored anywhere in the world, so explicitly state in the contract what’s intended.

5. Take a moment to find the nearest exit (transitioning)

Although it may feel like a remote prospect, before you enter into a cloud contract it is necessary to anticipate how you intend to exit those arrangements. Care should be taken to ensure the portability of your data, including your metadata. Review your contract to determine what events could trigger a right to terminate the agreement by either you or your cloud provider. Ask what procedures are in place to export your data (in an orderly fashion) if you change cloud providers or in the event that the agreement is terminated. Find out whether those procedures are regularly tested to ensure that they work.

Also, if there is a specific format in which you expect to receive your ported data, you should try and specify that (to the extent that is possible) in your contract with your supplier. Please note: there may be additional costs associated with ensuring your data is in a format which is compatible with your systems. The ownership of intellectual property (IP) can be a particularly contentious issue in the cloud environment. Examine the IP provisions in the agreement with your cloud provider to determine how data ownership is dealt with, and whether those provisions are acceptable to you. IP is a technical area of law; as such, therefore, if in doubt, always seek specific legal advice to ensure you are adequately protected.

Once you have moved your data, you will no doubt be seeking assurances from your cloud provider that all traces of your data will be deleted as soon as possible. So, before you commit to a particular cloud provider, find out whether this is a realistic prospect: it may take a number of weeks for your data to be deleted if it is stored in more than one place (for example, if it is copied on to back-up tapes) and it may be impossible to destroy your data completely if your cloud provider allows you to share disk space with other customers. If that’s not good enough, give your cloud provider the opportunity to put satisfactory processes in place for you.

For further information in relation to the issues raised by this note, please contact:

Philip James
Partner
pjames@pitmans.com
+44 (0) 207 634 4655

Carolyn Butler
Solicitor
cbutler@pitmans.com
+44 (0) 118 957 0234

¹ http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/?searchterm=assurance framework

² Such as ISO27001 (http://www.27001-online.com/), which implements OECD (Organisation for Economic Cooperation and Development) principles governing security of information and network systems, and the SAS70 auditing standard (http://sas70.com/)

PLEASE NOTE: This note has been prepared to provide general guidance on the benefits as well as some of the risks associated with cloud computing. As such, it should not be relied on. Always seek specific legal advice in relation to your specific circumstances in question.

Courtesy of Thames Valley Business Magazine October 2011

Manufacturers of Android mobile devices may soon find themselves struggling to answer searching copyleft licence questions.

Recently published data has confirmed that the Android operating system continues to build its market-share lead in the smartphone and mobile device field. It is estimated that, in the second quarter of 2011, Android’s share of the market increased to more than 43% of smartphone sales – some 46 million units worldwide – up from 36% in Q1 2011 and 17% in the same period last year.

This makes all the more surprising the serious Android licensing compliance issues recently highlighted by the Free Software Foundation and other free software organisations.

Copyleft in a nutshell

The problems stem from the licence under which part of the Android operating system is distributed, including most notably the Linux kernel upon which Android is founded.

This licence – the GNU General Public Licence version 2 (“GPLv2”) – is a free, so-called “copyleft” licence, published by the Free Software Foundation (“FSF”). According to FSF, the GPLv2 licence is intended to guarantee users freedom to share and change all versions of a program, to make sure that it remains “free” software to all users (note that “free” in this context refers to freedom to reproduce, adapt and distribute the software, rather than to price).

As one would expect, when the software is distributed, the distributor is required to comply with the conditions set forth in the GPLv2 licence itself. Although the full GPLv2 licence is lengthy, the key tenet can be simply stated: if you include code subject to this licence in a larger program, or adapt the code in some way, any subsequent distributions of the code (whether free of charge or commercial) must be subject to the same GPLv2 licence terms. In other words, you must pass on to the recipients the same freedoms that you received. The underlying intention is to give anyone who receives the software both the legal permission and the practical tools necessary to change and share the software themselves if they wish.

Importantly for the present purposes, section 3 of GPLv2 provides that distributors must in practice also:

- ensure that those in receipt of the software are provided with the “complete corresponding machine-readable source code” behind the software, or receive a written offer to that effect. The obligation to provide source code is personal to each company or person in the supply chain. Manufacturers cannot rely on others to provide the relevant source code; and

- provide the terms of the GPLv2 licence, in order that those receiving the software know their rights.

One strike and you’re out

The strategy deployed in the GPLv2 licence for ensuring compliance is at the same time commendably simple and unusually brutal. Section 4 of the GPLv2 states:

You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this Licence. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this Licence. However, parties who have received copies, or rights, from you under this Licence will not have their licences terminated so long as such parties remain in full compliance.

Dissecting this clause, the first sentence refers to all of the obligations that licensees have under GPLv2, including the source code disclosure obligations contained in section 3.  The second sentence imposes a drastic sanction for distributors that fail to comply with all of the licence terms: that non-compliance will automatically terminate their rights under GPLv2.

Worse, it is no excuse for manufacturers to say that they did the right thing 99% of the time, or even for each of the millions of handsets sold bar one. Non-compliance automatically terminates the GPLv2 licence, regardless of whether or not the same manufacturer complies in any future distributions of the same open source software. The licence has been lost to that manufacturer once and for all from the date of the first infringement, and any further act of copying or distribution (regardless of whether those subsequent activities were in compliance with the licence) would be without the authors’ permission and hence infringes the authors’ copyright.

In other words, one strike and you’re out. Permanently.

And here’s the most extraordinary point: almost all manufacturers of mobile devices running Android have fallen out of compliance at some point. Very few are able to demonstrate that they have always complied – a point that GPL activists and organisations like FSF are rapidly becoming alive to.

Nervous times for Android device makers

The practical consequences of this problem are potentially huge. The Linux kernel at the heart of Android was written in the early 1990s. Since then, many thousands of individuals have contributed to the development of that code and other software vital to Android’s increasingly sophisticated operation.

Potentially, any one of these thousands of authors could argue that, by a manufacturer losing its original grant of the GPLv2 licence, any subsequent distribution was (and is) unlicensed and hence that manufacturer needs to come to a settlement with him for both past infringements and future rights. In respect of the latter, that agreement would of course only protect the manufacturer in respect of that particular author’s (possibly tiny) contribution. There would still be thousands more individuals with potential causes of action.

If a few of these authors came together to pursue their claims and enforced their rights in unison, it is not difficult to imagine matters rather quickly getting somewhat serious for Android device makers, particularly if FSF or other free software organisations weighed in to support the action.

In some cases, and if the authors complaining were few, it is conceivably possible for manufacturers to replace the code those particular authors contributed. However, this would provide no answer to past infringement, and such replacement might well take longer than the time needed for an aggrieved contributor to seek an injunction preventing further sales.

For new software in the future, FSF has inserted much more forgiving termination provisions for GPL version 3, but that will be no comfort to manufacturers facing the present difficulties who are stuck with devices that have been built around GPLv2 code. In theory, the only safe option for Android device manufacturers appears to be to secure agreement (and a new licence) from each and every contributor over the years.  The sheer logistical effort is unlikely to be appealing, even if it is assumed that all such contributors could be traced. In the absence of such steps, it is difficult to see how manufacturers will answer the claims that seem almost inevitable to arise sooner or later.

It is anyone’s guess how this matter will play out over the coming months and years, but it seems unlikely the issue will simply disappear – much as the manufacturers of Android mobile devices might wish it would.

Lessons to be learned

The fact that large multinationals find themselves facing such serious issues should serve as a salutary lesson for the wider sector. Businesses licensing software incorporating an open source element, however minor, should:

- take care to fully understand the licence terms upon which that open source code is made available;

- consider whether those licence terms are appropriate both at the present time and for the future, by which time upgrades and developments might mean that your software bears little relation to its current form; and

- produce a written policy on incorporation of open source software, to ensure that employees understand the issues that must be considered, and the potentially far-reaching consequences if they are not.

Phil Smith
Solicitor
T: +44 (0)118 957 0462
E: psmith@pitmans.com

“SMEs will find some athletes willing to accept backing for a few hundred pounds. The beauty of the Olympic Games is that it provides opportunities for a wider appeal for the athletes who are not yet household names,” says Jeremy Summers.


Courtesy of Data Protection Law & Policy – May 2011

In a November 2010 Communication, the EU Commission set out its aims to modernise the 1995 EU Data Protection Directive. Philip James, Partner at Pitmans, reviews some of the responses to the Commissioner’s consultation in relation to a particular conundrum facing the Commission – data portability.

This long-overdue overhaul of the existing data protection framework is intended to address some of the key challenges facing current data privacy regulation, namely: the collection and use of personal data via new technologies, harmonisation and simplification of notification throughout the EU, and globalisation and cross-border data flows.

The purpose is, on the one hand, to reinforce an individual’s right to privacy, whilst, on the other, to harmonise and simplify data privacy regulation. The Commission has indicated that the revised framework may include a possible EU-wide notification process, involving a central EU Information Commissioner.
 
A key part of this harmonisation process will depend upon the establishment of precedents, template data processing agreements and fair processing notices. In addition, organisations will be required to adopt Privacy Impact Assessments (PIA) and Privacy by Design (PbD) into new technologies from inception through to implementation and day-to-day operation, rather than immediately prior to launch. In short, privacy is to be embedded into the development of business and technology from the word go.

A Refresher of the Review

Key objectives of the modernised data privacy strategy are to:

- Strengthen individuals’ rights and clarify what types of information will fall into the definition of ‘personal data’, such as user profile information.

- Increase transparency for data subjects, for example, by introducing mandatory personal data breach notification.

- Create new responsibilities for data controllers by making the appointment of an independent Data Protection Officer mandatory.

- Place a duty on data controllers to carry out PIA where appropriate, and promote the use of Privacy Enhancing Technologies (PET) and the PbD model of system design.

- Enhance individuals’ control over their data including the so-called ‘right to be forgotten’ and empower users with a right to port their personal information, otherwise known as data portability.

- Raise and finance public awareness and promote the application of approved ‘privacy seals’ for organisations which meet certain minimum privacy standards.

- Ensure informed and free consent (and, in so doing, provide pre-approved data privacy notices on EU standard forms).

- Harmonise the conditions for processing sensitive data and review the categories of information which may be classed as sensitive.

- Make remedies and sanctions more effective and promote an active infringement policy.

- Clarify and simplify the rules for international data transfers.

- Encourage self-regulatory initiatives.

Data Portability

Cloud providers and social network providers will need to pay particular attention to the proposed right for users to port their personal information to an alternative provider, as well as their right to erase their digital footprints, pursuant to their right to be forgotten. It may not have gone unnoticed that Google has recently launched a range of Chrome laptops, in conjunction with Acer and Samsung, which provides users with a suite of solely cloud-based applications, i.e. just the barebones on the machine itself; applications aren’t installed locally but accessed remotely. The service is a direct challenge to Microsoft’s enterprise offering. What is clear is that cloud-based computing isn’t going away anytime soon.

The right for consumers to port their data to a new provider will also be of specific concern to social networks whose servers continue to brim over with user-generated content.

In theory, the right for users to require providers to transfer their data to a new provider should promote cloud shopping. This, in turn, will promote greater competition between providers. One of the most effective weapons customers have in their armoury is to switch providers. Permitting users to transfer their personal portfolios of friends, photos and documents to an alternative supplier offering greater control and security will be a powerful means of promoting privacy. This is an ideal that should be pursued.

Data Liberation

Notably, Google is supporting this initiative by means of its Data Liberation campaign. This is to be welcomed, although it remains uncertain whether the genuine motive is to relieve its competitors of their data buckets, rather than liberate its customers’ own data. This will come as no surprise, given the continuing data and PR battle between the digital woolly mammoths, Facebook and Google.

In practice, the story is somewhat different. There are some significant hurdles to truly liberal customer data migration policy. The Commission asked organisations and interested sector groups to respond to its consultation in relation to the Directive review by 15 January 2011. There is a wealth of feedback, and after reviewing some select responses, the following were of particular interest.

Microsoft’s response to the Commissioner’s consultation is particularly helpful on this issue. In recognising the brand value of winning customers’ trust, the report starts with ‘Microsoft’s success depends on users having confidence in our ability to responsibly manage and protect their data’ and continues the theme in Section C. (Enhancing control over one’s own data): ‘An essential element of a user’s control over that data is the ability to retrieve that data in a simple and cost-efficient way… Microsoft strives to build capabilities into those services to give the user that control’.

Practical Challenges

However, at the same time, the response outlines the practical and commercial realities that may inhibit data portability:
 
- Any right must draw a distinction between a user’s own data and underlying applications or related metadata or stats generated by use of the service.

- The right should be limited to data held by the provider.

- Any data transferred will depend on the format of the data and APIs (application programme interfaces) in question. Whilst there are industry standard formats and APIs, few service providers store data in the preferred format for data exchange.

- In addition, the richer the data format, the harder it may be to transfer data to a new provider.

The more raw the data, the easier the transfer.

In short, there are significant technical challenges and users cannot have it both ways – have a specialised, slick user interface, then expect to be able to click a button and transfer their whole data suitcase to a new data ‘hotel’.

The risks of data portability cannot be overstated. Nokia’s response notes that the risks of failing to identify correctly the user who is requesting the data transfer are significant (page 10). One recommendation is to ensure that only ‘identified individuals’ can exercise their rights. In addition, there may be some benefit to limiting the frequency with which a user can exercise this right.

Promoting a Privacy Market

Cloud customers often marry in haste and repent at their leisure. In other words, unless users are provided with clear information about what will happen to their data at the end of the relationship (call it a ‘data pre-nup’ if you will), privacy is likely to suffer. In reality, a limited number of data oligarchs are likely to retain market control over customers’ data, based on first mover advantage, rather than necessarily providing the most effective platform for maintaining their customers’ privacy. Facilitating data portability will in itself generate healthy competition in relation to privacy enhancing technologies and empower customers with control over their data. Comparisons can be drawn with the mobile network market and the ability of customers to switch provider. For a long time, there was great resistance which was eventually overcome.

Industry Standards

Requiring providers to allow competitors access to their technology to produce compatible exchange interfaces and promoting common, standard industry data exchange formats (where reasonably practical) should assist users in migrating to a new provider. However, as ever, where there are associated costs of porting data, such costs should be reasonable and users should be informed of what these costs are in advance of ‘moving in’.

What Questions Should I Ask?

Google has succinctly distilled the questions a user should ask before signing up to a cloud service, in its Data Liberation site, as: 

- Can I get my data out at all?

- How much is it going to cost to get my data out?

- How much of my time is it going to take to get my data out?

These are questions both consumers and businesses should be asking before they embrace the economically attractive cloud-based services on offer. It may come as no surprise that many cloud services offer low introductory fees, whilst the costs to switch to a new provider in the future may be astronomical.

Directive or Regulation?

The Commission will propose legislation this year. It should be borne in mind that the option remains open to the Commission to introduce new legislation in the form of a Regulation, rather than as a Directive. The upshot of this is that the law would be directly applicable and there may be a genuine opportunity for the Commission to achieve greater harmonisation within the EU.

Philip James
Media & Entertainment Partner
+44 (0)207 634 4655
pjames@pitmanssk.com

Leading law firm Pitmans has strengthened its team with the promotion of Intellectual Property specialist Sally Britton to the position of director. Based at Pitmans’ City of London office, Sally works within the Pitmans SK division of the firm, advising clients within the sports and entertainment arenas.

Sally specialises in advising on brand protection and exploitation, including trademark and design prosecution, portfolio management, infringement matters, ticketing issues and commercial contracts. Her clients include The Ting Tings, England & Wales Cricket Board, Taio Cruz, Academy Music Group, Clear Channel and Ascot Racecourse.

Christopher Avery, managing partner of Pitmans, comments: “Sally’s expertise in the intellectual property field is truly excellent and this promotion is as a result of the outstanding advice she has consistently provided to clients. Intellectual property is a practice area with unique challenges that requires specific skills and Sally has shown herself to boast such expertise.”

Prior to pursuing a career in law, Sally was a brand manager for Heinz and Budweiser. The roles have given her a unique insight into the intellectual property requirements of prominent brands, allowing an unrivalled understanding of the distinctive challenges in the sector.

Christopher Avery continues: “Hands-on experience, such as that held by Sally, adds another dimension to the advice lawyers can provide to their clients and enables an even more comprehensive service to be made available to them.

“Sally’s specific understanding from her time as a brand manager has given her a unique understanding of the exact issues being faced and her advice is highly valued and sought after as a result. Pitmans is constantly searching for ways to offer even better levels of advice and Sally’s situation is just one example of how the firm does this.”