Data Processors in the Crosshairs
May 17th, 2012
The European Commission (EC) has proposed a new draft Regulation on the processing of personal data. Significantly, the draft Regulation shifts substantial statutory compliance obligations directly onto data processors. This note highlights the areas of the draft Regulation that will be of most concern to data processors should it be adopted in its current form.
Who is in the sights?
Data processors are those who process personal data on behalf of a data controller, for example, a third party provider of:
- outsourced payroll services;
- a CRM database;
- a call centre;
- a hosting provider; or
- a managed IT service or cloud provider.
So what’s new?
Under the current 1995 Data Protection Directive (Directive) (implemented in the UK in the form of the Data Protection Act 1998), data processors are not primarily liable for failure to comply with the Directive. Consequently, they do not face the same sanctions as data controllers for non-compliance. Instead, data processors currently have obligations passed to them through compulsory data processing agreements with data controllers. In this way, data controllers may set off some of their liability for breach of the Directive against their corresponding supply agreement(s) with the relevant data processor(s). Experience has shown that some, if not most, high-profile data breaches or losses of personal data have been caused by the default of an appointed third party supplier (i.e. a data processor). The new Regulation seeks to address this.
Set out below are some of the key changes in the draft Regulation that are aimed at imposing greater compliance responsibility upon data processors.
Technical measures
Article 30 requires data processors themselves to implement and maintain technical and organisational measures to keep the data they hold secure and to prevent unlawful destruction or accidental loss as well as unlawful forms of processing such as unauthorised dissemination and access. The obligation is subject to the nature of the data held, and is to be proportionate to the cost of such measures. Nevertheless, the requirement is directly enforceable against data processors themselves.
Joint controller
Under Article 26, where a data processor processes personal data other than as instructed by the data controller, the data processor shall be considered a joint data controller and, under Article 24, will be subject to potentially onerous provisions relating to data subject access.
Record keeping
Data processors will also be subject to the obligation to maintain documentation on all processing operations under their responsibility; the detail of the information to be retained is set out in Article 28(2). The Information Commissioner’s Office (ICO) has suggested that, rather than prescribe in detail the extensive range of documentation data processors are required to maintain, the Regulation should instead focus on the desired outcome, so as to prevent processors and controllers keeping the same documentation. Otherwise, the cost to data processors of keeping such records may be disproportionate and, given the current level of detail required, is likely to be impractical in any circumstance.
DPOs
Under Article 35, all organisations processing data with 250 employees or more, and all public authorities, must designate a Data Protection Officer (DPO) who shall be responsible for compliance. The data processor and data controller may appoint a joint DPO. The DPO will be required to notify a personal data breach to the relevant supervisory authority, where feasible, within 24 hours of becoming aware of the breach. There is a similar obligation to notify the data subject ‘without undue delay’ where the data breach is likely to adversely affect the protection of personal data and privacy. The prescribed timescale within which notification must be made differs from the guidance based approach which is currently applied in the UK.
As a result, data processors will face an as yet unknown administrative burden in order to ensure they comply with all the new obligations in the Regulation.
In the firing line: fines
Most significantly, data processors may now also be directly liable for any sanctions imposed by the competent supervisory authority (in the UK, the ICO) for intentional or negligent failure to comply with the Regulation. The fines work on a sliding scale, but the maximum fine that may be levied for the breaches specified in Article 79 of the draft Regulation is 1,000,000 EUR or, for an enterprise, up to 2% of annual worldwide turnover.
However, the relevant supervisory authority may also impose a ban on processing, or order the destruction of data. This could severely disrupt companies which have data processing at the heart of their commercial enterprise. Even where no such ban is imposed, the fact that data processors are now firmly in the limelight and crosshairs of the regulators (and of any subsequent enforcement action) means that a data processor’s brand and reputation is at significantly greater risk. Under the current regime, any liability may be dealt with behind closed doors under the auspices of private contract. Individuals will also have the right to sue the data processor for compensation for any damage suffered as a result of unlawful processing of their data.
Further, data processors will be just as susceptible to the challenges posed by hacking and cyber risk. The last year has seen numerous ‘hacktivists’ target companies which hold or process data and all have been seen to suffer reputational damage where customer data has been accessed.
How welcome is the new Regulation?
The extension of obligations to data processors is likely to be well received by data controllers, as it forces data processors to take greater direct regulatory responsibility for data protection compliance. Indeed, some data processors may be unsurprised by this paradigm shift and in some respects may be better equipped and more experienced to achieve compliance. Leading data processors may therefore also welcome changes which reflect some of their existing business practice.
However, the proposed changes are likely to affect the costs and pricing models of outsourced and cloud based services significantly in light of the increased compliance risk. There is also therefore likely to be substantial resistance to some of the proposed changes, either because of the added cost implications or impracticality.
Other implications
The change in onus to data processors may well also affect the terms of standard processor service contracts, as data processors may be reluctant to provide data controllers with indemnities for the controllers’ own failure to comply with data processing obligations. However, Article 26 identifies further measures to be included in data processing agreements, and it appears that these documents will become more important and more complex as both data processors and data controllers seek protection from their liability under the draft Regulation. In addition, there appears to be some duplication of responsibilities under the Regulation; accordingly, data processors and data controllers should take this opportunity to respond to the draft Regulation to avoid confusion and inappropriately duplicated responsibilities (e.g. the requirement to maintain documentation).
Regulation versus Directive
Data processors should also be aware of the legal status of an EU Regulation. Whereas directives require the EU member states to transpose the EU law into national law by enacting their own legislation, Regulations are binding law as soon as they are brought into force. Peter Hustinx, the European Data Protection Supervisor, has stated that the draft Regulation is not intended to substitute or replace the existing Privacy and Electronic Communications Directive (Privacy Directive). Under the Privacy Directive, ‘Service Providers’ such as telcos and ISPs are bound to notify serious breaches not only to their relevant supervisory authority but also, in some cases, to their customers. The EU does not propose to revise or update the Privacy Directive for several years, when it is due for review. Accordingly, there is likely to be some overlap, conflict and inconsistency between the proposed Regulation and the existing Privacy Directive (e.g. the fine for a Service Provider’s failure to notify under the Privacy Directive is only £1,000).
Timetable
Data processors will need to be alive to the changing legislative framework. It is anticipated that it will be a further two years after adoption before the proposals come into force. The ICO, however, in responding to the draft Regulation, has recommended that it be brought in earlier than the customary two years following official publication. Data processors are advised to respond to the draft Regulation with any concerns. In addition, data processors should start preparing now to maintain their edge against competitors in this space, to demonstrate best practice, and to assess and mitigate the potential impact of the draft Regulation.
For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Pitmans SK Sport & Entertainment
T: 0207 634 4
E: pjames@pitmans.com
On 1 March 2012 the European Court of Justice (ECJ) gave judgment on the much-anticipated Football Dataco case stating that football fixture lists are not protected by copyright if the compilation is not the author’s own intellectual creation even if the compilation itself required significant labour and skill. This decision will impact any company that trades in data. Accordingly, if you license a database, you will need to ensure that the data comprised within it is presented in a sufficiently creative manner that enables it to be protected by copyright.
In Football Dataco and others v YAHOO! UK Ltd and others, Football Dataco organised football matches in England and Scotland and produced fixture lists detailing scores, penalties and player substitutions which were available to their online customers via the web. YAHOO! used these fixture lists to compile data for its own databases. YAHOO!’s business was largely, if not solely, reliant upon Football Dataco’s supply of this data.
Football Dataco claimed the use of this data by YAHOO! without a licence breached their rights by infringing copyright under the Copyright Design and Patents Act 1988 (CDPA) and Articles 3 and 7 of Directive 96/9/EC (Database Directive).
- Article 3 affords copyright protection to databases that in some form constitute the author’s own intellectual creation in regards to the selection or arrangement of its contents. For such protection to exist, evidence of labour and/or skill in the creation of the database itself is not sufficient.
- Article 7, known as the sui generis or database right, subsists whether or not the database or its contents are a copyright work but clear evidence of substantial investment in either the obtaining, verification or presentation of the data is required.
At first instance the High Court held that the football fixture lists were protected by Article 3 but that no right could be established under Article 7. YAHOO! appealed this decision and the Court of Appeal made a preliminary reference to the ECJ to clarify:
1. What is meant by “databases which, by reason of the selection or arrangement of their contents, constitute the author’s own intellectual creation”; and
2. Whether the Database Directive precludes national rights in the nature of copyright in databases other than those provided for by the Directive.
In previous decisions, such as the Fixtures Marketing cases and The British Horseracing Board (BHB) and others (Case C-203/02, [2004] ECR I-10415), the ECJ has ruled that the Article 7 database right does not attach to fixture lists or racecourse data. This is because investment in the creation of data has been held not to amount to investment in the “obtaining, verification or presentation of such data” as required by the Database Directive. In other words, the courts are reluctant to afford database right protection to databases whose contents are created by the party seeking to rely on such protection. Consequently, the ability to rely on copyright protection is increasingly important to retain value in a database.
Before the ECJ gave its judgment, the Advocate General delivered an Opinion highlighting a clear distinction between the creation of data and its subsequent arrangement. He stated that a database must be the intellectual creation of the author to be protected by Article 3 of the Directive, and that protection may be achieved by introducing a creative element when the pre-existing data is assembled into a database.
In handing down its decision earlier this week, the ECJ has seemingly followed the Advocate General’s Opinion. The Database Directive does not extend protection to databases whose creation required significant labour and skill if that labour or skill does not express any originality in the selection or arrangement of the contents. Furthermore, it was held that the Database Directive is intended to harmonise European law, so that, following the ECJ ruling, a separate claim for copyright protection of a database as a literary work under the CDPA is no longer available.
The Court of Appeal has yet to apply this decision. The economic damage to football leagues from the loss of income from licensing fixture lists is clear; the knock-on effect on other databases has yet to be seen.
For further information, please contact a member of Pitmans’ Data Privacy & Information Law or Intellectual Property teams.
Philip James
Partner, Digital Media, Technology and Data
T: 0207 634
E: pjames@pitmans.com
Criminalisation of Stalking
March 12th, 2012
The government has announced that it is going to change the law to make stalking a specific criminal offence.
There is currently no legal definition of stalking. It has been argued that the Protection from Harassment Act 1997 does not go far enough to protect against stalking or to punish offenders. The proposed changes are intended to provide more clarity and protection to victims and in turn to help tackle the growing problem of ‘cyberstalking’ (often grouped with cyberbullying) through social networking and dating sites. The new proposal allows for offenders to receive up to 5 years in gaol and an unlimited fine.
What should you do if you are being stalked?
The Metropolitan Police website provides the following guidance:
- Report the matter to the police.
- Note the date and time of the incident and who was present – the more detail the better.
- Keep copies of any emails, letters, documents etc.
You can also consider applying for an immediate injunction to restrain the perpetrator from continued activity. Breach of such an injunction is normally a criminal offence which can result in up to 5 years’ imprisonment. Also, if the incidents have taken place at your workplace or educational establishment, talk to your HR department or tutor, as the establishment may be vicariously liable if it fails to take action.
For further information on this article, please contact Pitmans Criminal Law team.
Chris Netiatis
Director, Criminal Law
T: 0207 634 4659
E: cnetiatis@pitmans.com
Google’s premier privacy policy violates EU law
March 2nd, 2012
European Union Justice Commissioner Viviane Reding has stated that Google’s new privacy policy, launched yesterday, contravenes European law.
The new policy, announced by Google in January, consolidates 70-plus privacy policies into one main document governing the majority of its products. Google’s stated aim is to explain what information is collected and how it is used in a much more readable way, with less “legal gloop to wade through”. Google has said that the multiple policies were over-complicated and at odds with its efforts to integrate its different products more closely.
In practice, according to Google, users signed in to Google Accounts will be treated as a single user across all the products, meaning Google is able to combine information provided from one service with information from other services. Essentially, private information collected from browsing data and web history by one Google service can be shared with its other platforms, including YouTube, Gmail, Google+ and Blogger. This is to allow it to offer better targeted advertising to users, and customise search results more efficiently.
Google stated it was confident that its “new simple, clear and transparent privacy policy respects all European data protection laws and principles”. EU data protection agencies beg to differ, however, concluding that the new policy does not meet the requirements of the European Directive on Data Protection. Following an investigation by France’s privacy watchdog CNIL (Commission nationale de l’informatique et des libertés), Reding announced: “they have come to the conclusion that they are deeply concerned, and that the new rules are not in accordance with the European law, and that the transparency rules have not been applied”.
Despite being warned of CNIL’s concerns, Google proceeded with the launch, and defended the policy stating that it will not change any existing privacy settings or how information is shared outside of Google, with no additional information being collected.
Google has sparked further outrage with its Android users, after it emerged that they must accept the new policy. It has advised that any users concerned about the impact of the changes should choose not to login to the Google Account on their smartphones, but this means certain applications will be inaccessible. The news has prompted one privacy campaigner to sue Google for the cost of his handset.
To add to its woes, Google has received more widespread criticism of its new policy. The National Association of Attorneys General (NAAG) last week sent a letter signed by 36 state and territorial Attorneys General detailing their “strong concern” with the policy. It highlighted that the policy fails to provide users with an “opt-in” or “opt-out” option. The letter further stated that the automatic sharing of personal information, and the ability to learn the whereabouts of users without their authority, amounts to an invasion of privacy.
Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, comments, ‘Viviane Reding’s statement is a clear indication of the EU’s determination to protect consumer privacy and reflects the importance it places on Privacy by Default. The aggregation of a multitude of sites storing users’ profile data, coupled with Google’s increasingly dominant Android mobile platform places Google in a privacy predicament; it will need to be seen to be doing more than others to achieve compliance and prevent successful challenges to its approach. Its recent move is a direct result of its need to maintain market position in the light of Facebook’s continued success’.
CNIL has said it will send Google questions on the changes by mid-March. It remains to be seen how Google will deal with such criticism and probing, but it is safe to say that such scrutiny should be taken seriously.
If you would like further information about Google’s new privacy policy, and how it will affect you, please contact Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Head of Data Privacy & Information Law
T: 0207 634 4655
E: pjames@pitmans.com
Employers can tell how good you’ll be at your job based on your Facebook profile (and those drunken photos aren’t all bad)
February 28th, 2012
According to a recent study carried out at a university in America, employers may look favourably on an individual based on their social network page. The study showed that an employer is able to tell how good an individual will be at a job just from looking at their Facebook page. Pictures showing drunken nights out, travels etc. suggest that the individual is personable and sociable, an attractive quality for employers. However, as positive as the results suggest, this is clearly only one side of the story.
A Facebook page may actually discourage some employers from recruiting an individual and there has in fact been evidence which supports this argument and understandably so. If an individual has made comments about their previous employer then this is a cause for concern. Likewise if they have been making derogatory comments, voicing extreme opinions or there are compromising pictures employers may not want to be associated with such an individual. Social media carries risk for an employer as comments and pictures can go viral. An employer will not want to risk hiring someone who freely shares all information and pictures no matter how damning or personal they may be as their actions could end up damaging the employer’s reputation.
Some employers do vet potential employees’ Facebook pages, so individuals would be wise to keep their profiles clean and professional, thus maintaining their credibility. Although you can restrict who views your profile, privacy only extends so far. An employer does not have to seek an individual’s permission before checking profiles.
Likewise, an employer also needs to be careful: if they choose to reject an individual for a job on the basis of what they have seen on a Facebook page, and the individual in question discovers this, then the employer is potentially at risk of a discrimination claim. You should make it clear from the outset what the recruitment process involves and what checks you carry out. Any vetting of people’s pages should be proportionate and only carried out when necessary. An employer must be fair to all applicants: some people will not have a Facebook page, and where you do view an applicant’s page, view it with an open mind. Broadly speaking, an employer should not make a judgement based on what they see; remember that this is an individual exercising their right to express themselves, and it is not necessarily an indication of how they will be in their professional life.
Viewing social media pages may be a useful tool but one should take care not to rely on what these pages contain. Yes a profile may make someone more attractive to employers but there will be cases when this is not so. Remember there are two sides to every story.
For further information on this article, please contact Pitmans’ Employment Team.
Mark Symons
Partner, Head of Employment
T: 0118 957 0340
E: msymons@pitmans.com
Cyberbullying – A time to take note
February 16th, 2012
Thanks to the media and to public figures speaking out, awareness of cyberbullying is ever increasing. Due to the rise of the internet, the use of smartphones and the increasing popularity of social media sites such as Twitter and Facebook, cyberbullying is widespread. It does not just occur during work time or school time; it can occur 24 hours a day, 7 days a week. Cyberbullying may be virtual, but this does not mean it is not happening or that it should be ignored.
Cyberbullying can take many forms, from text messages, phone calls, pictures and emails through to posts on social network sites and account hacking. This bullying is now becoming a form of serious harassment. The main problem with cyberbullying is that it is incredibly hard to monitor and prevent. Social media sites provide people with anonymity, so tracking down the culprits can be an impossible challenge. People can assume a fake profile or many identities.
Currently the law in place is reactive rather than proactive. Instead of providing people with steps they can take to protect themselves from cyberbullying the law instead only provides for compensation once the cyberbullying has taken place. Often people are unaware of their legal rights and what steps they can take. People who are subject to cyberbullying should speak out and record everything, keep texts, take screenshots etc.
Cyberbullying can have a significant impact on a person’s mental and physical health, it can affect self esteem, confidence and mental health. It may be possible for someone to bring a personal injury claim against their bullies as a result of this.
The Workplace
Employers should take a clear stance on all types of bullying and make it clear that it is not acceptable. It is standard practice to have an anti-harassment and bullying policy in force.
If an employer fails to take action to stop bullying then there could be a breach of their implied duty of trust and confidence which could result in an employee bringing a claim. At present an employee cannot bring a claim for cyberbullying alone in the Employment Tribunal. It has to be brought along with discrimination or harassment, yet this is likely to go hand in hand with cyberbullying.
An employer may be vicariously liable for the actions of their employees. If an employee is cyberbullying their colleague then an employer may find themselves included as party to a legal claim. An employer is unlikely to be able to argue successfully they were not responsible because the bullying took place outside of work time especially if they were made aware and failed to take steps to reprimand the bully in question.
The Law
Cyberbullies are potentially breaching many laws with their actions, a summary of which is set out below:
Protection from Harassment Act 1997
A person is not allowed to pursue a course of conduct which amounts to harassment of another and which he knows or ought to know amounts to harassment. The individual can obtain an injunction against the person causing the harassment. It is also a criminal offence: a person can be guilty of harassment if they have harassed the victim, causing distress and harm, on at least two separate occasions. Because it is criminal, the police can be involved: they can investigate the harassment and use their powers to identify the harasser if they are not known. It is also a separate offence if a person’s actions cause another to fear, on at least two occasions, that violence will be used against him.
Communications Act 2003
A person will be guilty of an offence if they send an offensive or grossly offensive message, or an obscene or indecent image, through a public electronic communications network, or cause such a communication to be sent. Likewise, someone will also be liable if they send a message which they know to be false for the purpose of causing annoyance, inconvenience or anxiety. It is also an offence to improperly use a public electronic communications network.
Defamation Act 1996
If comments are damaging someone’s reputation, then they are potentially defaming them. Internet hosts should be notified of this to put them on notice, and they should remove the allegedly defamatory material quickly. Once on notice, they lose the benefit of the innocent dissemination defence if they fail to act.
Malicious Communications Act 1988
It is an offence for one person to send to another any communication or article which conveys a threat, false information or an indecent or grossly offensive message, where the purpose is to cause the recipient distress or anxiety. Communication covers hard-copy communications as well as electronic communications.
The penalty for falling foul of the Communications Act and the Malicious Communications Act is imprisonment for up to six months, a fine or both.
What can you do?
If you are experiencing cyberbullying through social media sites such as Facebook and Twitter then such sites will have policies in place which mean you can report such incidents. Facebook and Twitter, for example, allow you to report abusive content along with fake profiles. As well as reporting such incidents you can block people from being able to contact you. The sites will often offer advice on what you should do if you are experiencing bullying, for example Facebook gives tips on what to do.
An individual should also review the privacy settings on their Facebook account to ensure it can only be viewed by certain people, for example your friends. Individuals should also be wary of how much information they detail about themselves. If personal information is revealed it could lead to someone being able to impersonate you. Be wary of accepting a stranger’s friend request as this could have undesirable consequences, as highlighted by Cher Lloyd.
If an individual is receiving abusive texts, pictures or phone calls then they can contact their mobile network operator to get a number barred. This means the person will no longer be able to communicate with the individual. This may not stop the bullying entirely but by taking positive steps the bully will be stopped in their tracks to an extent.
People do not need to stand back and tolerate such behaviour; there are steps an individual can take against their bullies.
Schools
Despite the age restrictions imposed on social media sites, more and more children are having profiles online. Children are often the most vulnerable to cyberbullying and as highlighted in recent media stories, they are often reluctant to speak out and seek help which can have serious consequences. Children should be educated in schools about cyberbullying and what actions can amount to cyberbullying and the implications cyberbullying can have. By raising awareness children will know what to look out for and should be more willing to speak out.
As you will see, there are many steps an individual can take against cyberbullies, and we are here to help.
If you would like to discuss any of the legal issues raised in this article further please contact:
Mark Symons
Partner, Employment, Cyber Risk Management
T: 0118 957 0340
E: msymons@pitmans.com