
The European Commission (EC) has proposed a new draft Regulation on the processing of personal data. Significantly, the draft Regulation shifts substantial statutory compliance obligations on to data processors. This note highlights the areas of the draft Regulation that will be of most concern to data processors should it be adopted in its current form.

Who is in the sights?

Data processors are those who process personal data on behalf of a data controller, for example, a third party provider of:

- outsourced payroll services;
- a CRM database;
- a call centre;
- a hosting provider; or
- a managed IT service or cloud provider.

So what’s new?

Under the current 1995 Data Protection Directive (Directive) (implemented in the UK in the form of the Data Protection Act 1998), data processors are not primarily liable for failure to comply with the Directive. Consequently, they do not face the same sanctions as data controllers for non-compliance. Instead, data processors currently have obligations passed to them through compulsory data processing agreements with data controllers. In this way, data controllers may set off some of their liability for breach of the Data Protection Directive in their corresponding supply agreement(s) with the relevant data processor(s). Experience has shown that some, if not most, of the high profile data breaches or losses of personal data have been caused by the default of an appointed third party supplier (or data processor). The new Regulation seeks to address this.

Set out below are some of the key changes in the draft Regulation that are aimed at imposing greater compliance responsibility upon data processors.

Technical measures

Article 30 requires data processors themselves to implement and maintain technical and organisational measures to keep the data they hold secure and to prevent unlawful destruction or accidental loss as well as unlawful forms of processing such as unauthorised dissemination and access. The obligation is subject to the nature of the data held, and is to be proportionate to the cost of such measures. Nevertheless, the requirement is directly enforceable against data processors themselves.

Joint controller

Under Article 26, where a data processor processes personal data other than as instructed by the data controller, the data processor shall be considered a joint data controller and, under Article 24, will be subject to potentially onerous provisions relating to data subject access.

Record keeping

Data processors will also be subject to the obligation to maintain documentation on all processing operations under their responsibility; the detail of all the information to be retained is set out in Article 28(2). The Information Commissioner’s Office (ICO) has suggested that, rather than prescribe in detail the extensive range of documentation data processors are required to maintain, the Regulation should instead focus on providing a desired outcome so as to prevent processors and controllers keeping the same documentation. Otherwise, the cost to data processors’ business in keeping such records may be disproportionate and is likely to be impractical in any circumstance given the current level of detail required.

DPOs

Under Article 35, all organisations processing data with 250 employees or more, and all public authorities, must designate a Data Protection Officer (DPO) who shall be responsible for compliance. The data processor and data controller may appoint a joint DPO. The DPO will be required to notify a personal data breach to the relevant supervisory authority, where feasible, within 24 hours of becoming aware of the breach. There is a similar obligation to notify the data subject ‘without undue delay’ where the data breach is likely to adversely affect the protection of personal data and privacy. The prescribed timescale within which notification must be made differs from the guidance based approach which is currently applied in the UK.

As a result, data processors will face an as yet unknown administrative burden in order to ensure they comply with all the new obligations in the Regulation.

In the firing line: fines

Most significantly, data processors may now also be directly liable for any sanctions that are imposed by the competent regulating authority (in the UK, the ICO) for intentional or negligent failure to comply with the Regulation. The fines work on a sliding scale but the maximum fine that may be levied for breaches as specified in Article 79 of the Draft Regulation is 1,000,000 EUR or up to 2% of annual worldwide turnover.

However, the relevant supervisory authority may also impose a ban on processing, or order the destruction of data. This could severely disrupt companies which have data processing at the heart of their commercial enterprise. Even where such a ban is imposed, the fact that data processors are now also firmly in the limelight and crosshairs of the regulators (and any subsequent enforcement action) means that a data processor’s brand and reputation is now at significantly greater risk. Under the current regime, any liability may be dealt with behind closed doors under the auspices of private contract. Individuals will also have the right to sue the data processor for compensation for any damage suffered as a result of unlawful processing of data.

Further, data processors will be just as susceptible to the challenges posed by hacking and cyber risk. The last year has seen numerous ‘hacktivists’ target companies which hold or process data and all have been seen to suffer reputational damage where customer data has been accessed.

How welcome is the new Regulation?

The extension of obligations to data processors is likely to be well received by data controllers by forcing data processors to take greater direct regulatory responsibility for data protection compliance. Indeed some data processors may also be unsurprised by this paradigm shift and in some respects may be better equipped and experienced to achieve compliance. Leading data processors may therefore also welcome the changes which may reflect some of their existing current business practice.

However, the proposed changes are likely to affect the costs and pricing models of outsourced and cloud based services significantly in light of the increased compliance risk. There is also therefore likely to be substantial resistance to some of the proposed changes, either because of the added cost implications or impracticality.

Other implications

The change in onus to data processors may well also impact the terms of standard processor service contracts, as data processors may be reluctant to provide data controllers with indemnities for their own failure to comply with data processing obligations. However, Article 26 identifies more measures to be included in data processing agreements and it appears that these documents will become more important and complex as both the data processors and data controllers seek protection from their liability under the new draft Regulation. In addition, there appears to be some duplication of responsibilities under the Regulations; accordingly data processors and data controllers should take this opportunity to respond to the draft Regulation to avoid confusion and inappropriate duplicated responsibilities (e.g. the requirement to maintain documentation).

Regulation versus Directive

Data processors should also be aware of the legal status of an EU Regulation. Whereas directives require the EU member states to transpose the EU law into national law by enacting their own legislation, Regulations are binding law as soon as they are brought into force. Peter Hustinx, the European Data Protection Supervisor, has stated that the draft Regulation is not intended to substitute or replace the existing Privacy and Electronic Communications Directive (Privacy Directive). Under the Privacy Directive, ‘Service Providers’ such as telcos and ISPs are bound to notify serious breaches not only to their relevant supervisory authority, but also, in some cases, to their customers. The EU does not propose to revise or update the Privacy Directive for several years, when it is due for review. Accordingly, there is likely to be some overlap, conflict and inconsistency between the proposed Regulation and the existing Privacy Directive (e.g. the fine for a Service Provider’s failure to notify under the Privacy Directive is only £1,000).

Timetable

Data processors will need to be alive to the changing legislative framework. It is anticipated that it will be a further two years before the proposals come into force once adopted. The ICO, however, in responding to the draft Regulation, has recommended that it be brought in earlier than the customary two years following official publication. Data processors are advised to respond to the draft Regulation with any concerns. In addition, data processors should also start preparing now to ensure that they maintain their edge against competitors in this space, so as to demonstrate best practice and to assess and take steps to mitigate the potential impact of the draft Regulation.

For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.

Philip James
Partner, Pitmans SK Sport & Entertainment
T: 0207 634 4
E: pjames@pitmans.com

The Article 29 (A29) Working Party has recently published its opinion paper on the rise of facial recognition technology and the concerns that this brings for the protection of personal data online. This note looks at the issues of online privacy and the concerns for data privacy as facial recognition software becomes more widely available.

The A29 Working Party is the European body which comprises leading representatives from each data protection supervisory authority in the EU (in the UK, this is the Information Commissioner’s Office); its opinions are therefore particularly influential, if not binding.

Last year Pitmans published a briefing explaining the privacy issues raised when Facebook changed its ‘tagging’ service for photographs to incorporate facial recognition technology.

Since then, the availability and application of the technology has grown exponentially; as its accuracy and deployment expands, this technology could be used for the most routine events in every day life – but also by advertising companies, collecting market information based on attendance monitoring and profiling to tailor targeted advertising messages.

The A29 Working Party has identified facial recognition technology as being used for authentication or verification for devices or online services. However, the application of this technology may be naturally extended from the online to the offline world. From a defence and security perspective, retinal scans and other biometric data access are already in use at a number of airports and conditional access facilities; in addition, full facial recognition systems are reportedly already used by security agencies to identify known criminals at sporting and live events by using the technology to identify particular faces amongst the crowd (e.g. known hooligans at a football match or members of the public at the London Olympics).

Similarly, access to live events, venues and concerts has become more sophisticated than merely paper tickets – organisers continue to explore ways in which they may combat the growing grey market in second hand ticket sales which diverts income, and brand value, away from events and the artists. Methods include tickets containing photographs, bar codes or employing near field communication (NFC) technology. Fully automated facial recognition technology is a natural technological progression for those industries where secure access is an essential requirement.

But such applications raise data privacy concerns and consequently companies controlling or processing the data may be in breach of data privacy laws, unless such measures and new technologies are balanced against an individual’s right to privacy. While the A29 Working Party’s opinion on facial recognition focuses on online and mobile, the principles apply equally to anyone collecting and using data for facial recognition services.

The A29 Working Party considers that where a digital image contains an individual’s face which is clearly visible and allows identification of the individual, such an image would be considered personal data. Therefore, where a reference template is created from an individual’s image, this template will also be personal data if it contains a set of distinctive features of an individual’s face which can be linked to the specific individual and stored for later use. The only instance where a template is likely not to be considered personal data would be where it was not associated with an individual’s record, profile or original image, but clearly this would limit the application of the technology. Importantly, the template and corresponding profile (or personal details) of the data subject in question do not need to be held by the same entity: it may still constitute personal data where a data controller has the means to access the corresponding information needed to identify that individual (even where held by a third party supplier).

Directive 95/46/EC sets out the conditions with which the processing of personal data must comply. Article 6 requires that images and templates must be relevant, and not excessive, for the purposes of facial recognition processing. As the images constitute biometric data, the processing of the personal data may only be performed if the informed consent of the individual is obtained prior to commencing processing or if another exception is satisfied under the Directive (e.g. for legitimate purposes pursued by the data controller, such as security for the venue in the light of perceived terrorist threats, provided it does not prejudice the rights of the individual concerned). The A29 Working Party notes that some elements of processing may be necessary before consent is obtained, i.e. to verify existing records, but this should only be for that strictly limited purpose, and the information deleted immediately.

The digital images or templates stored must be used only for the specified purpose for which they have been provided, and for which consent has been sought or where another relevant exemption applies (as, for instance, in the case of the legitimate use exemption described above). The greater the sensitivity of the personal data concerned, the more likely it is that explicit consent will be required.

The A29 Working Party considers that technical controls should be implemented to ensure that third parties do not gain access to the data and use it in an unauthorised manner. As trials of cashless technology grow for events, it may be that this technology is used by individuals to purchase items using credit stored against their profile, for instance drinks or merchandise. Controllers should be aware of the parameters of consent and that data stored against a user’s profile, including data used for, or available from, facial recognition data, can be valuable information for advertising or marketing agencies profiling consumers.

Similarly, controllers and processors will need to guard against security breaches which may result in unauthorised access to the data. The A29 Working Party advises that technical measures such as encryption will need to be used for data storage and data transit. One method suggested by the A29 Working Party is for biometric encryption techniques themselves to be used, so that the cryptographic key is directly bound to the biometric data and is only re-created when the correct live biometric sample is presented on verification.
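The key-binding idea in the paragraph above, shown as an added illustration rather than code from the Working Party or from the original note: a toy fuzzy-commitment scheme in which a random key is bound to an enrolled feature vector, only a commitment and a key hash are stored, and the key is re-created only from a live sample close enough to the enrolled one. The bit widths, the repetition code and the sample vectors are constructed for the example; a real deployment would use a proper feature extractor and error-correcting code.

```python
import hashlib
import random
import secrets

# Toy parameters (constructed for illustration): a 16-bit key is bound to an
# 80-bit feature vector using a 5x repetition code, which corrects up to two
# flipped bits in every 5-bit block of the live sample.
KEY_BITS = 16
REP = 5
TEMPLATE_BITS = KEY_BITS * REP


def encode(key_bits):
    """Repetition-code encoder: each key bit is written REP times."""
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword_bits):
    """Majority-vote decoder: tolerates fewer than REP/2 errors per block."""
    return [1 if sum(codeword_bits[i:i + REP]) * 2 > REP else 0
            for i in range(0, len(codeword_bits), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def enroll(template):
    """Bind a fresh random key to the enrolled template.

    Only the commitment (codeword XOR template) and a hash of the key are
    stored at rest; neither the key nor the raw template is kept.
    """
    key_bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    key = bits_to_bytes(key_bits)
    record = {
        "commitment": xor(encode(key_bits), template),
        "key_hash": hashlib.sha256(key).hexdigest(),
    }
    return record, key


def verify(record, live_sample):
    """Re-create the key from a live sample.

    Returns None when the sample is too far from the enrolled template for
    the code to correct, so no key is released.
    """
    candidate = bits_to_bytes(decode(xor(record["commitment"], live_sample)))
    if hashlib.sha256(candidate).hexdigest() == record["key_hash"]:
        return candidate
    return None


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    # Constructed "biometric" template: a deterministic pseudo-random bit vector.
    rng = random.Random(1)
    template = [rng.randrange(2) for _ in range(TEMPLATE_BITS)]
    record, key = enroll(template)

    # Live sample with one flipped bit per block: the key is recovered.
    noisy = flip(template, range(0, TEMPLATE_BITS, REP))
    print("noisy sample ->", verify(record, noisy) == key)
    # Sample with three errors in one block: decoding fails, no key released.
    far = flip(template, [0, 1, 2])
    print("far sample   ->", verify(record, far))
```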

To reduce such concerns the Working Party recommends minimising the data so that the images or templates stored do not contain more data than necessary to perform the specified purpose. Similarly, templates should not be transferable between facial recognition systems. Organisations developing or deploying such technology should also carry out Privacy Impact Assessments (PIA) and follow development methodologies based on Privacy by Design (PbD).

The everyday use of facial recognition software in society to improve security checks for employees, visitors or customers may soon become common place when using even the simplest of access control systems.

Data controllers and data processors should be aware of the law in this area as the technology becomes more prevalent. But consequently it appears the law may also need to keep abreast of various ways in which the software can be exploited to monitor and profile individuals using a range of services and ensure adequate protection for data subjects as the technology advances.

For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.

Philip James
Partner, Digital Media, Technology and Data
T: 0207 634 4655
E: pjames@pitmans.com

On 1 March 2012 the European Court of Justice (ECJ) gave judgment on the much-anticipated Football Dataco case stating that football fixture lists are not protected by copyright if the compilation is not the author’s own intellectual creation even if the compilation itself required significant labour and skill. This decision will impact any company that trades in data. Accordingly, if you license a database, you will need to ensure that the data comprised within it is presented in a sufficiently creative manner that enables it to be protected by copyright.

In Football Dataco and others v YAHOO! UK Ltd and others, Football Dataco organised football matches in England and Scotland and produced fixture lists detailing scores, penalties and player substitutions which were available to their online customers via the web. YAHOO! used these fixture lists to compile data for its own databases. YAHOO!’s business was largely, if not solely, reliant upon Football Dataco’s supply of this data.

Football Dataco claimed the use of this data by YAHOO! without a licence breached their rights by infringing copyright under the Copyright Design and Patents Act 1988 (CDPA) and Articles 3 and 7 of Directive 96/9/EC (Database Directive).

  • Article 3 affords copyright protection to databases that in some form constitute the author’s own intellectual creation in regards to the selection or arrangement of its contents. For such protection to exist, evidence of labour and/or skill in the creation of the database itself is not sufficient.
  • Article 7, known as the sui generis or database right, subsists whether or not the database or its contents are a copyright work but clear evidence of substantial investment in either the obtaining, verification or presentation of the data is required.

The Court of Appeal held the football fixture lists were protected by Article 3 but no right could be established under Article 7. YAHOO! appealed this decision and the Court of Appeal made a preliminary reference to the ECJ to clarify:

1. What is meant by “databases which, by reason of the selection or arrangement of their contents, constitute the author’s own intellectual creation”; and

2. Whether the Database Directive precludes national rights in the nature of copyright in databases other than those provided for by the Directive

In previous decisions, as seen in the Fixtures Marketing cases (The British Horseracing Board (BHB) and others, Case C-203/02 [2004] ECR I-10415), the ECJ has ruled that the Article 7 database right does not attach to fixture lists or race course data. This is because investment in the creation of data has been held not to amount to investment in the “obtaining, verification or presentation of such data” as required by the Database Directive. In other words, the courts are reluctant to afford database right protection to databases which are created by the party seeking to rely on such protection. Consequently, the need to rely on copyright protection is increasingly important to retain value in a database.

Whilst awaiting the formal decision from the ECJ, the Advocate General made some preliminary remarks highlighting a clear distinction between the creation of data and its subsequent arrangement. He stated that a database must be the intellectual creation of the author to be protected by Article 3 of the Directive and that protection may be provided by implementing a creative element when the pre-existing data is assembled into a database.

Upon handing down its decision earlier this week, the ECJ has seemingly followed the Advocate General’s opinion. The Database Directive does not extend protection to databases where significant labour and skill are required in their creation if that labour or skill does not express any originality in either the selection or the arrangement of the contents. Furthermore, it was held that the Database Directive is intended to harmonise European law, so that, following the ECJ ruling, a claim for copyright protection as a literary work under the CDPA is no longer available.

Whilst the application of this decision by the Court of Appeal is awaited, the economic damage football leagues will face from the curtailment of their income from licensing fixture lists is clear, but the knock-on effect on other databases has yet to be seen.

For further information, please contact a member of Pitmans’ Data Privacy & Information Law or Intellectual Property teams.

Philip James
Partner, Digital Media, Technology and Data
T: 0207 634 
E: pjames@pitmans.com

European Union Justice Commissioner Viviane Reding has stated that Google’s new privacy policy, launched yesterday, contravenes European law.

The new policy, announced by Google in January, consolidates 70 plus privacy policies into one main document to govern the majority of its products. The aim by Google is to explain what information is collected and how it is used in a much more readable way, with less “legal gloop to wade through”. Google have cited that the multiple policies were over complicated, and at odds with their efforts to integrate its different products more closely.

In practice, according to Google, users signed in to Google Accounts will be treated as a single user across all the products, meaning Google is able to combine information provided from one service with information from other services. Essentially, private information collected from browsing data and web history by one Google service can be shared with its other platforms, including YouTube, Gmail, Google+ and Blogger. This is to allow it to offer better targeted advertising to users, and customise search results more efficiently.

Google stated it was confident that its “new simple, clear and transparent privacy policy respects all European data protection laws and principle”. EU data protection agencies beg to differ, however, concluding that the new policy does not meet the requirements of the European Directive on Data Protection. Following an investigation by France’s privacy watchdog CNIL (Commission nationale de l’informatique et des libertés), Reding announced “they have come to the conclusion that they are deeply concerned, and that the new rules are not in accordance with the European law, and that the transparency rules have not been applied”.

Despite being warned of CNIL’s concerns, Google proceeded with the launch, and defended the policy stating that it will not change any existing privacy settings or how information is shared outside of Google, with no additional information being collected.

Google has sparked further outrage with its Android users, after it emerged that they must accept the new policy. It has advised that any users concerned about the impact of the changes should choose not to login to the Google Account on their smartphones, but this means certain applications will be inaccessible. The news has prompted one privacy campaigner to sue Google for the cost of his handset.

To add to its woes, Google has received more widespread criticism of its new policy. The National Association of Attorneys General (NAAG) last week sent a letter signed by 36 state and territorial Attorneys General detailing their “strong concern” with the policy. It highlighted that the policy fails to provide users with an “opt-in” or “opt-out” option. The letter further cited that the automatic sharing of personal information and the ability to learn the whereabouts of users, without their authority, amounts to an invasion of privacy.

Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, comments, ‘Viviane Reding’s statement is a clear indication of the EU’s determination to protect consumer privacy and reflects the importance it places on Privacy by Default. The aggregation of a multitude of sites storing users’ profile data, coupled with Google’s increasingly dominant Android mobile platform places Google in a privacy predicament; it will need to be seen to be doing more than others to achieve compliance and prevent successful challenges to its approach. Its recent move is a direct result of its need to maintain market position in the light of Facebook’s continued success’.

CNIL has said it will send Google questions on the changes by mid-March. It remains to be seen how Google will deal with such criticism and probing, but it is safe to say that such scrutiny should be taken seriously.

If you would like further information about Google’s new privacy policy, and how it will affect you, please contact Pitmans’ Data Privacy & Information Law team.

Philip James
Partner, Head of Data Privacy & Information Law
T: 0207 634 4655
E: pjames@pitmans.com

Thanks to the media and public figures speaking out, awareness of cyberbullying is ever increasing. Due to the rise of the internet, the use of smart phones and the increasing popularity of social media sites such as Twitter and Facebook, cyberbullying is widespread. It doesn’t just occur during work time or school time; it can occur 24 hours a day, 7 days a week. Cyberbullying may be virtual, but this does not mean it is not happening or that it should be ignored.

Cyberbullying can take many forms, from text messaging, phone calls, pictures and emails through to posts on social network sites and account hacking. This bullying is now becoming a form of serious harassment. The main problem with cyberbullying is that it is incredibly hard to monitor and prevent. Social media sites provide people with anonymity, so tracking down the culprits can be an impossible challenge. People can assume a fake profile or assume many identities.

Currently the law in place is reactive rather than proactive. Instead of providing people with steps they can take to protect themselves from cyberbullying, the law only provides for compensation once the cyberbullying has taken place. Often people are unaware of their legal rights and what steps they can take. People who are subject to cyberbullying should speak out and record everything: keep texts, take screenshots, etc.

Cyberbullying can have a significant impact on a person’s mental and physical health; it can affect self-esteem, confidence and mental health. It may be possible for someone to bring a personal injury claim against their bullies as a result.

The Workplace

Employers should take a clear stance on all types of bullying and make it clear that it is not acceptable. It is standard practice to have an anti-harassment and bullying policy in force.

If an employer fails to take action to stop bullying then there could be a breach of their implied duty of trust and confidence which could result in an employee bringing a claim. At present an employee cannot bring a claim for cyberbullying alone in the Employment Tribunal. It has to be brought along with discrimination or harassment, yet this is likely to go hand in hand with cyberbullying.

An employer may be vicariously liable for the actions of their employees. If an employee is cyberbullying their colleague then an employer may find themselves included as party to a legal claim. An employer is unlikely to be able to argue successfully they were not responsible because the bullying took place outside of work time especially if they were made aware and failed to take steps to reprimand the bully in question.

The Law

Cyberbullies are potentially breaching many laws with their actions, a summary of which is set out below:

Protection from Harassment Act 1997
A person is not allowed to behave in a way which amounts to harassment of another and which he knows or ought to know amounts to harassment. The individual can obtain an injunction against the person causing the harassment. It is also a criminal offence, so a person can be guilty of harassment if they have harassed the person, causing distress and harm, on more than one separate occasion. By making it criminal, the police can be involved: they can investigate the harassment and use their powers to identify the harasser if they are not known. It is also a separate offence if the person’s actions cause another to fear that violence will be used against him on at least two different occasions.

Communications Act 2003
A person will be guilty if they send an offensive or grossly offensive message or an obscene or indecent image through a public electronic communications network, or cause such communications to be sent. Likewise, someone will also be liable if they send a message which they know to be false and which is sent for the purpose of causing annoyance, inconvenience or anxiety. It is also an offence to improperly use a public electronic communications network.

Defamation Act 1996
If comments are damaging someone’s reputation, then they are potentially defaming them. Internet hosts should be notified about this to put them on notice, and they should remove the allegedly defamatory material quickly. Once put on notice, they will lose the benefit of the innocent dissemination defence afforded to them if they fail to act.

Malicious Communications Act 1988
It is an offence for one person to send to another any communication or article which conveys a threat, false information or an indecent or grossly offensive message, where such communication causes the recipient distress or anxiety. Communication covers hard-copy communication and also electronic communications.

The penalty for falling foul of the Communications Act and the Malicious Communications Act is imprisonment for up to six months, a fine or both.

What can you do?

If you are experiencing cyberbullying through social media sites such as Facebook and Twitter then such sites will have policies in place which mean you can report such incidents. Facebook and Twitter, for example, allow you to report abusive content along with fake profiles. As well as reporting such incidents you can block people from being able to contact you. The sites will often offer advice on what you should do if you are experiencing bullying, for example Facebook gives tips on what to do.

An individual should also review the privacy settings on their Facebook account to ensure it can only be viewed by certain people, for example your friends. Individuals should also be wary of how much information they detail about themselves. If personal information is revealed it could lead to someone being able to impersonate you. Be wary of accepting a stranger’s friend request as this could have undesirable consequences, as highlighted by Cher Lloyd.

If an individual is receiving abusive texts, pictures or phone calls, then they can contact their mobile network operator to get a number barred. This means the person will no longer be able to communicate with the individual. This may not stop the bullying entirely, but by taking positive steps the bully will be stopped in their tracks to an extent.

People do not need to stand back and tolerate such behaviour; there are steps an individual can take against their bullies.

Schools

Despite the age restrictions imposed on social media sites, more and more children are having profiles online. Children are often the most vulnerable to cyberbullying and as highlighted in recent media stories, they are often reluctant to speak out and seek help which can have serious consequences. Children should be educated in schools about cyberbullying and what actions can amount to cyberbullying and the implications cyberbullying can have. By raising awareness children will know what to look out for and should be more willing to speak out.

As you will see, there are many steps an individual can take against cyberbullies, and we are here to help.

If you would like to discuss any of the legal issues raised in this article further please contact:

Mark Symons
Partner, Employment, Cyber Risk Management
T: 0118 957 0340
E: msymons@pitmans.com

The surge in global internet usage in recent years has turned domain names into valuable and sought-after commodities. “Cybersquatters” have inevitably sought to take advantage of this. In order to ensure the success, protection and promotion of your brand, it is paramount to take steps to prevent cybersquatting. If the opportunity for prevention has been lost and a domain name dispute does arise, it is important to resolve it effectively and efficiently.

Cybersquatting is the registering, selling or using of a domain name in bad faith with the intent of profiting from the goodwill of someone else’s trade mark. It generally refers to the practice of buying up domain names that use the names of existing businesses and trying to sell them back to those businesses at an inflated price. It is also commonly used to direct traffic to the cybersquatter’s website, or to the website of a competitor of the trade mark holder, in return for payment of a commission.

Prevention is always better than cure. There are a number of steps that can be taken to protect domain names and reduce the risk of disputes arising:

1. Search prior to registration – A search of registered and unregistered trade marks in the territories of interest will help you identify whether there are likely to be issues in using and/or registering a domain name.

2. Strategy - Registering every available domain name extension is not always possible or necessary. Registrations of Country Code Top Level Domains (“ccTLDs”) and Generic Top Level Domains (“gTLDs”) should be targeted according to your business interests and the territory you operate in.

3. Register the domain name as a trade mark – Consider registering your domain name as a trade mark where it is worthwhile doing so. A registered trade mark will assist in the event of a dispute over rights in a domain name.

4. Register common misspellings - If a name is commonly spelt incorrectly it may be advisable to register misspellings in order to prevent “typosquatters”.

5. Identify new ccTLDs and gTLDs – New extensions are continually being introduced.  Make sure you are up to date and consider including them in your domain name portfolio. 

6. Monitor – Regularly check, and actively monitor, whether any similar domain names have been registered. There are services which will monitor all new registrations for names resembling yours, and backorder services which purchase a domain name as soon as it becomes available for registration.

7. Manage – Be aware that your domain name requires periodic renewal and may be registered by a third party if you let it lapse. Work with a reputable registrar, consider auto-renewal and registrar lock, and ensure that contact details are kept up to date.
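Steps 4 and 6 above (register common misspellings; monitor for similar registrations) are usually automated. The script below is an added example, not code from Pitmans or from any monitoring service: it generates the typo variants a typosquatter would register for a brand label (assumed here to be the made-up “acmebank”) and cross-checks them, on each TLD of interest, against a set of known registrations. That set is constructed sample data standing in for a zone-file or registration feed; no WHOIS or DNS lookups are performed.

```python
"""Typosquat candidate generation and lookalike monitoring (added example).

Assumes a second-level label (e.g. "acmebank") without its TLD. The
registered-domain set is a constructed stand-in for a zone-file or
registration feed; no network lookups are performed.
"""

# Adjacent keys on a QWERTY keyboard, used for fat-finger substitutions.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Single characters that are easily confused in common fonts or URL bars.
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "e": "3", "a": "4", "s": "5", "g": "q"}


def typosquat_candidates(label):
    """Return sorted typo variants of `label`: omission, doubled letter,
    adjacent-key substitution, homoglyph, hyphen insertion, transposition,
    plus the two-character confusables "rn" for "m" and "vv" for "w"."""
    label = label.lower()
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])            # omission
        variants.add(label[:i] + ch + label[i:])           # doubled letter
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):           # adjacent key
            variants.add(label[:i] + nb + label[i + 1:])
        for hg in HOMOGLYPHS.get(ch, ""):                  # homoglyph
            variants.add(label[:i] + hg + label[i + 1:])
        if i > 0:
            variants.add(label[:i] + "-" + label[i:])      # hyphen insertion
        if i < len(label) - 1:                             # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    variants.add(label.replace("m", "rn"))
    variants.add(label.replace("w", "vv"))
    variants.discard(label)
    variants.discard("")
    return sorted(variants)


def find_registered_lookalikes(label, tlds, registered, owned):
    """Cross-check the genuine name and its typo variants, on each TLD of
    interest, against known registrations; return those not owned by us."""
    names = [label.lower()] + typosquat_candidates(label)
    hits = set()
    for name in names:
        for tld in tlds:
            fqdn = f"{name}.{tld}"
            if fqdn in registered and fqdn not in owned:
                hits.add(fqdn)
    return sorted(hits)


# Constructed sample data (hypothetical brand; not real registrations).
BRAND = "acmebank"
TLDS = ["com", "co.uk", "net", "org"]
OWNED = {"acmebank.com", "acmebank.co.uk"}
SAMPLE_REGISTERED = {
    "acmebank.com",        # ours
    "acmebank.co.uk",      # ours
    "acmebank.net",        # genuine name on an extension we never registered
    "acmebnak.com",        # transposition
    "acrnebank.com",       # "rn" for "m" homoglyph
    "acme-bank.com",       # hyphen insertion
    "acmebankonline.com",  # suffix variant: NOT caught by the rules above
    "unrelated.org",
}


def demo():
    """Run the check over the constructed sample and return the hits."""
    return find_registered_lookalikes(BRAND, TLDS, SAMPLE_REGISTERED, OWNED)


if __name__ == "__main__":
    for fqdn in demo():
        print("lookalike registered by a third party:", fqdn)
```

Two points of practice follow from the output. First, the list of candidates is also the list of defensive registrations worth considering under step 4, so the same generator serves both prevention and monitoring. Second, the rules are deliberately narrow: “acmebankonline.com” is registered in the sample but not reported, because appended words and brand-plus-keyword combinations need a separate rule (or a keyword search of the registration feed) rather than a character-level mutation.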

If a dispute cannot be avoided, there are various ways for resolution:

As an initial step, a cease and desist letter (asking the other party to stop using the domain name and to transfer it) may be enough to prompt a transfer and avoid further legal action. Negotiating a price for the acquisition of the domain name may be the commercially prudent solution.

There are domain name dispute resolution procedures incorporated into the terms of registration. The most widely used is the Uniform Domain-Name Dispute-Resolution Policy (“UDRP”), under which complaints can be filed with the World Intellectual Property Organization (“WIPO”) or another approved dispute resolution provider. These procedures were developed to allow disputes to be resolved more quickly and cost-effectively, without the need to resort to court proceedings.

Domain name recovery can also be dealt with via traditional Dispute Resolution techniques and options, including mediation, can be explored. 

To be successful in a UDRP complaint, a complainant must establish that:

i. The domain name registered by the respondent is identical or confusingly similar to a trade mark or service mark in which the complainant has rights;
ii. The respondent has no rights or legitimate interests in respect of the domain name; and
iii. The domain name has been registered and is being used in bad faith. 

To avoid failures, here are some UDRP filing tips to improve your chances of a cost-effective success:

1. Research, research, research – The importance of research cannot be underestimated. Research case law, research the registrant, research the provider you want to use, research your panellist.

2. Include similar domain names held by the same respondent – It is always worth including in the complaint other domain names incorporating your marks. Use a service that allows you to search a registrant name and identify their domain portfolio. If there are similar domains (typos or phonetically similar names) owned by the same registrant, add them to the complaint so that one proceeding recovers as many as possible.

3. Check the panellist appointed to your case – You have the right to object to an appointed panellist. Once the panellist is named, review their biography to check for any potential conflict of interest that could affect your chances of a favourable decision.

4. Use three-person panels only for complex cases – If your case is clear, supported with ample evidence and fulfils all three requirements outlined above, a one-person panel is likely to be sufficient.

5. Shorter is sweeter – A limit of 5000 words is placed on the UDRP assertions and arguments, but in all likelihood you should never need to use the maximum word length in your filing. You will find more success if your arguments are succinct and supported by relevant case law.

6. Don’t just settle – It may be worth proceeding with the case to establish a record of documented evidence that may be used by you and by others filing against the same respondent. Additionally, your company will be on record as an organisation that takes a proactive stance against cybersquatters.

For further information on domain name filing, domain name protection strategies and Domain Name Dispute Resolution, please do not hesitate to contact Pitmans’ Intellectual Property team.

Stacey Jones
Solicitor
T: +44 (0)118 957 0235
E: staceyjones@pitmans.com

Sally Britton
Partner
T: +44 (0)20 7634 4623
E: sbritton@pitmans.com

On 25 November, the government published its cyber security plan setting out in greater detail how it intends to work with the private sector in countering cyber risk. What is becoming increasingly clear is that responding to this risk is best tackled through a public-private partnership. Given the austere economic climate, this approach may present public and private concerns alike with new opportunities.

The Minister for the Cabinet Office and Paymaster General, Francis Maude, explained in a written statement that the purpose of “…this strategy [is to] outline how we will cement a real and meaningful partnership between the Government and private sector in the fight against cyber attacks”. He also emphasised that the private sector has a crucial role to play in carrying out the government’s plans since it “owns, maintains and creates most of the very spaces [the government] are seeking to defend”.

The plans include a new national cyber security ‘hub’ through which the Government and businesses will exchange information on threats and responses. A pilot will commence in December and will involve five business sectors: defence, finance, telecommunications, pharmaceuticals and energy.

Other highlights of the government’s anti-cyber crime strategy include:

Creation of a new national cyber crime capability as part of the new National Crime Agency by 2013, and enhancing the work of the Metropolitan Police’s eCrime Unit by expanding the deployment of ‘cyber-specials’;

By the end of 2011, building a single reporting system for citizens and small businesses to report cyber crime so that action can be taken and law enforcement agencies can establish the extent of cyber crime (including how it affects individuals and the economy);

Promoting greater levels of international cooperation and shared understanding on cyber crime as part of the process begun by the London Conference on Cyberspace, in addition to promoting the Council of Europe’s Convention on Cybercrime (the Budapest Convention) and building on the new EU Directive on attacks on information systems, as well as contributing to the review of security provisions of the EU Data Protection Directive and the proposed EU Strategy on Information Security;

Working with domestic, European, global and commercial standards organisations to stimulate the development of industry-led standards and guidance that help customers to navigate the market and differentiate good cyber security products;

Creating and building a dedicated and integrated civilian and military capability within the MoD, mainstreaming cyber within the organisation and setting up a Defence Cyber Operations Group (DCOG). An interim DCOG will be in place by April 2012 and will achieve full operational capability by April 2014;

Undertaking a review of policy and regulation of the UK communication sector, with a view to publishing a Green Paper early in 2012 followed by a White Paper and a draft Bill by 2013;

Supporting net neutrality and the open internet by working with the Broadband Stakeholder Group to develop industry-wide principles on traffic management and non-discrimination and reviewing its transparency code of practice in early 2012;

Establishing a certification scheme for certifying the competence of information assurance and cyber security professionals by March 2012, and a scheme for certifying specialist training in 2012. Continuing to support the Cyber Security Challenge as a way of bringing new talent into the profession; and

Identifying Centres of Excellence in cyber research to locate existing strengths and providing focused investment to address gaps, with the first focused investment occurring by March 2012.

It seems this strategy will require responses at a national level as well as greater international collaboration, not to mention the orchestration of resources within and outside the traditional defence communities. This raises its own challenges, but if ever there was a common cause, this is it. Or is it? Some nations may prefer to allow cyber strikes to be launched from their shores in the hope of receiving the benefit of any stolen assets. Watch this space. There may also be opportunities for employers to engage cyber poachers turned gamekeepers to assist defence and IT security. The level of support that government can lend to such employment opportunities will undoubtedly determine its success.

This is one of a series of articles on cyber security. To read the last article in this series, on protecting your business from cyber security threats, please click here. Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.

Carolyn Butler
Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com

Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com

Cyber attacks targeted at the UK are once again in the news. The director of the government’s communications intelligence agency, GCHQ, Iain Lobban, reported in The Times (31 October 2011) this week that the country has been subject to a “disturbing” number of cyber threats. However, Mr Lobban observes in his report that the challenges of cyber security are “not for the government alone”.

Since the government announced this time last year that it had allocated £650 million to cyber security and resilience as part of its Strategic Defence and Security Review, it has started to endorse a collaborative approach between the public and private sectors to cyber security. Although the government is keen to demonstrate that the issue is a top priority, it has acknowledged that it can’t manage the challenges posed by cyber threats single-handed – not least because the majority of providers of Critical National Infrastructure (CNI), such as energy, water, finance, transport and telecommunications, are in the private sector. The foreign secretary William Hague will host a two-day conference on cyber security in London this week, to advance the dialogue with the business community in that respect.

As a consequence, the government has highlighted to the private sector what it has to lose (and in fact has already lost) in playing down the importance of cyber security. Last week, Major General Jonathan Shaw, head of the Ministry of Defence’s cyber security programme, told the Daily Telegraph (24 October 2011) that hacking by foreign governments and organisations had already cost the UK economy £27 billion and that “the biggest threat to this country by cyber is not military, it is economic”. Mr Lobban reinforced this view in his report, stating that the theft of British ideas and designs in the IT, technology, defence, engineering and energy sectors “doesn’t just cost the companies concerned; it represents an attack on the UK’s continuing economic wellbeing”. In other words, there seems to be an overwhelming opportunity for continued public private partnerships in this sector, as well as reciprocal arrangements between the defence and non-defence sectors to counter this threat.

So what can businesses do to safeguard their economic interests? Chatham House, a leading independent think tank on international affairs, has made a number of recommendations for businesses in its report entitled Cyber Security and the UK’s Critical National Infrastructure which it published last month. While the report is primarily aimed at corporations active in CNI sectors, it is also essential reading material for any board member. In particular, examples of good, improving and poor cyber security practice are explored in pages 23 to 26 of the report.

Below, we highlight and comment upon some of the key recommendations from the report and some practical suggestions for board members to enhance an organisation’s resilience to cyber threats.

1.   Vulnerabilities: Senior management need to acquire (if they haven’t done so already) a good understanding of the vulnerabilities and dependencies of their business, and the implications for budgets and reputation management that they may entail. First, examine the dependencies of your business and consider, in particular, those that may be ‘hidden’ in the other businesses on which it depends (as well as any ongoing chains of supply). Identify both existing and emerging risks.

2.   Risk Assessment and Response: Once you have a better understanding of your business’ and its suppliers’ vulnerabilities, look at the processes and mechanisms that are already in place to assess the risks posed by cyber attacks and to respond to such attacks if and when they occur, and consider how they work in practice. If there is a disparity between policy and practice, one or the other must change. If appropriate, consider engaging a penetration (pen) testing or vulnerability assessment consultant to stress-test and evaluate your IT security measures. Such a consultant can also propose a number of options to close any gaps or improve security in line with your requirements. Assess the adequacy of the response measures and contingency plans you have in place to cope when any element of the chain of dependency fails.

3.   Investment: Cyber security is often under-funded despite the economic damage that a breach may entail. In order to work well, the planning and implementation of cyber security measures must be underpinned by appropriate resource allocation, in terms of both human resources and financial investment. In the current economic climate, this remains one of the key challenges. However, carefully allocated resources can result in significant improvements to security which materially reduce the business impact and remedial costs should an incident occur.

4.   Know-how: The training and development of all staff who may encounter cyber threats must be viewed as an integral part of your organisation’s risk management strategy. Is everyone aware of the risk assessment mechanisms and security procedures? Your organisation will need to decide what best practice to adopt depending upon the criticality and sensitivity of your systems and the information they contain. Mechanisms that allow for the reporting, and onward dissemination, of know-how gained from experience (in particular “lessons learned” from cyber security incidents) are also essential.

5.   Board-level Buy-in: Cyber security can no longer be delegated to the IT team to deal with on its own. According to the Chatham House report, “the potential for damage, both economic and reputational, from complacency over matters of cyber dependency and vulnerability is too high to be ignored” and deserves the regular attention of senior management. Ensure it regularly appears on your agenda.

6.   Communication: The Chatham House report suggests that the issues connected with communicating technical ideas to non-technical people are intimately linked to the issue of board-level buy-in, since in its research it often found that “an organisation’s cyber security policy is not delegated (in a constructive managerial way) but is deliberately pushed below the boardroom level in order to remove a complex and baffling problem from sight”. Chatham House wants to see more chief information security officers from non-technical backgrounds appointed, and advises that “IT security departments [need] to develop a deeper understanding of how value is created in the organisations they endeavour to protect” to meet the business’s needs. However, communication flows both ways, and it is equally important for the board to grasp the nettle of cyber security with both hands to develop a coherent, strategic response.

In addition to these recommendations, organisations should also consider the following:

Insurance

Review your insurance policies to ensure you are adequately protected against risks that cannot be mitigated. If you discover any uninsured risks that need to be covered, discuss with your insurer what they can do for you. Given the diversity of risks faced by different businesses, corporations are increasingly finding that a ‘one-size-fits-all’ approach to IT-related policies, such as network security insurance and business continuity insurance, is impractical at best and, at worst, leaves them perilously exposed. Many insurers now offer a flexible, or even bespoke, range of policies to meet this emerging need.

Reputation Management

As part of your contingency and disaster recovery planning, consider whether and in what circumstances you would need to engage an agency experienced in ICT reputation management in order to minimise any long-term damage to your business and/or its brand. If this could be necessary, investigate the available options now, and ensure a protocol is in place so that assistance is sought where appropriate. Some insurers also offer policies to cover the costs of retaining public relations assistance in the event of a crisis.

Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.

Carolyn Butler, Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com

Philip James, Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com

Jonathan Durrant, Director
T: +44 (0)118 957 0270
E: jdurrant@pitmans.com

For more information, please see:

Pitmans’ Defence and Security legal services

Pitmans’ Data Privacy & Information Law legal services

‘Initiatives Against Cyber Crime – Recent Developments’

‘Cyberspace – Industry and the Cyber Armoury’

What’s the news and the current trend?

The Advertising Standards Authority (ASA) has recorded a huge surge in complaints made about companies’ digital marketing communications, with figures exceeding 5,500.

5,531 complaints were recorded about brands’ online marketing communications since March, when the ASA’s remit was extended to cover the area.

The ASA now covers non-paid for online marketing communications under the marketer’s control, including social media such as Facebook, as well as companies’ own websites. A marketing communication is a type of communication for a good, service, opportunity or gift that primarily sets out to sell something. Marketing communications may set out to sell in a myriad of different ways, and may not necessarily include a price or seek an immediate financial transaction. Also included are direct solicitations for donations as part of a company’s own fund-raising activities.

In the seven months since the remit was extended, the total number of complaints received across all channels reached 18,369. This is an increase of 30% on the same period in 2010.

No one business sector was primarily responsible, with blame being spread equally across the retail, leisure and telecoms sectors, amongst others. The type of complaints matched the typical spread for broadcast and non-broadcast adverts, and concerned issues with price and availability. Complaints regarding misleading alternative health sites were also notable.

To deal with the increase in complaints, the ASA has increased staff numbers by 10%. The ASA has commented that it cannot expect every company to be immediately compliant, and that many companies do not yet know about the changes.

Online marketing communications are governed by the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (the CAP code). If a marketing communication breaks the Code, the organisation/individual responsible is told to amend or withdraw it. If they do not, the Compliance team will consider the sanctions available to it.

Non-compliance may result in removal of paid-for advertising, adverse publicity as a result of ASA adjudications, denial of access to advertising space, and the withdrawal of recognition and trading privileges, such as discounts. The company in question may also face action for breach of the Consumer Protection Regulations.

How can Pitmans help?

Pitmans Digital Brands Team can carry out a digital marketing and brand audit of your digital channels (Twitter, Apps, Facebook pages, Company website) at an agreed fixed cost.

We can identify any risks, whether they be regulatory or legal, and provide a clearance risk assessment. We can also advise on ways in which you can protect and manage your digital brand portfolio, as well as advise on any IP rights and data comprised in your digital channels. All sectors are affected but clients in the Media & Entertainment, Automotive, Hospitality and Retail sectors may find this of particular interest.

For further details please contact:

Philip James
Partner
T: 0207 634 4655
E: pjames@pitmans.com

Sally Britton
Partner
T: 0207 634 4623
E: sbritton@pitmans.com

Pitmans Privacy Update

August 17th, 2011

Retailers Take Note: Data Privacy Trends and Actions for the coming year: Highlights of the Information Commissioner’s Annual Report 2010/11

If the idea of digesting the Information Commissioner’s 86-page long annual report in full doesn’t really appeal to you, then why not let us do the hard work? Below, we highlight not only the key changes to the policy and enforcement objectives of the Information Commissioner’s Office (“ICO”) over the past year, and the likely indications from the report of the developments to come, but also our suggested actions and comment to help you avoid falling foul of data privacy compliance, risking damage to your reputation and incurring unnecessary cost and resource further down the line.

New powers

The ICO’s enforcement arsenal was enhanced significantly in April 2010 when it was granted the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Four monetary penalties have been issued since then, as well as five prosecutions brought in the last year. However, the ICO has been keen to stress that such tactics are a means of last resort, and seeks to resolve cases informally where there is opportunity to do so.

Pitmans Comment: it is worth noting that since May 2011 the ICO also has the power to fine organisations up to £500,000 for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the previous power to fine extended only to serious data breaches, not to breaches of the laws relating to electronic marketing and privacy).

In addition, the ICO also has a new power to audit measures taken by a public electronic communications service provider (service provider) to:

• safeguard the security of its service; and
 
• comply with a new personal data breach notification and recording requirement.

This second requirement is a significant development and, where a breach may adversely affect the personal data or privacy of a user, a service provider is not only obliged to notify the ICO, but also the user concerned. This has a significant cost and PR implication.

The ICO favours prevention over cure; it tends to accept undertakings (where an organisation commits to making specific improvements) as a precursor to more formal action. The number of instances where the ICO has approached organisations to offer good practice audits has increased dramatically over the past year, although take-up in the private sector has been poor. Nevertheless, the ICO carried out 26 audits in 2010/11, 60% more than in 2009/10. It also released several codes of practice last year to help businesses stay on the straight and narrow, including a Code of Practice on Personal Information Online which was launched in June.

Pitmans Suggested Action: ensure you have a paper trail evidencing compliance and training. Refresh staff with periodic training, carry out regular security reviews and conduct vulnerability testing of public-facing applications. It is clear that audits are becoming more common. Always be prepared.

Emerging enforcement trends

The hot topics

Subject access requests were the most popular topic of complaint, accounting for nearly a third (28%) of all issues reported to the ICO. Since this is the area where, statistically, data controllers tend to slip up, companies are well advised to ensure they have appropriate systems in place to deal with subject access requests within the applicable time limits. Inaccurate data (15%), inappropriate disclosure of data (12%), and automated and live marketing calls (9% each) are the cause of the next most numerous complaints. There has also been an increase of 17% in the number of freedom of information cases referred to the ICO over the past year.

The ICO has earmarked the challenges posed by (or, indeed, persisting in spite of) technological advances as a priority. The ICO is concerned that a significant amount of highly sensitive personal data is still sent by fax, despite the more secure alternatives offered by newer technology. Failures by organisations to encrypt personal data in appropriate circumstances also remain a key concern.

The new rules in relation to cookies are also firmly on the agenda. Although the lead-in period for the new rules expires in May 2012; the ICO has indicated that it will intervene in the meantime in certain circumstances: “we shall hold our enforcement powers in reserve, intervening in the first year only where it is clear that a website owner is doing little to attempt to comply”.

Pitmans Suggested Action: review what technical and organisational security measures your organisation currently employs for sending personal data and keeping data secure. If your staff use mobile devices and laptops, ensure those devices are encrypted and that the encryption is actually enforced, not merely available.

Companies would also be well advised, if they have not already done so, to conduct a digital marketing audit and review their data processing and collection practices in the e-commerce environment. Please let us know if you would like assistance with such an audit.

The targeted organisations

Essentially, the ICO targets those organisations about which it receives the most complaints. The ICO affirmed that it also uses a risk-based process to identify and contact organisations that handle personal information, which takes into account a number of factors such as volume and type of data an organisation holds, complaints received by the ICO and cases where enforcement action was considered. It then uses the information from individual cases to build a picture of how seriously data controllers take the issue of handling personal data or providing information the public has a right to see.

The ICO has declared that it now expects more from data controllers when complaints are reported – as well as asking them to explain the circumstances of individual complaints, it now asks for information about how the data controller intends to put things right and how they adhere to general information rights obligations.

Pitmans Suggested Action: respond to complaints and proactively manage any inappropriate use of personal data carefully. Consider preparing a contingency response plan to any complaints, with a pre-prepared response to customers, the ICO and the press.

The targeted sectors

Over the past year, the ICO launched campaigns aimed at estate agents and private medical practitioners to remind them of their obligations to notify the ICO if they handle personal data. Accordingly, we should probably expect similar campaigns in the future directed at other industries in the private sector that routinely handle personal data, e.g. education and training providers, telecoms companies, and online retailers.

Pitmans Suggested Action: retailers, in particular, take note. The ICO issued a statement on 9 August in the light of a security breach suffered by Lush, the cosmetics retailer, making it clear that e-tailers must ensure they keep customers’ personal data secure. An extract of the statement is reproduced below:

Acting Head of Enforcement at the ICO, Sally Anne Poole said:

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.
 
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

In the meantime, the ICO will be consulting on a revised Information Rights Strategy showing how it prioritises the different sectors and subjects for regulatory attention, which is definitely a development to watch out for!

The likely consequences

The ICO’s report contains a selection of salutary tales demonstrating exactly how not to deal with a data protection breach. These case studies indicate the circumstances that the ICO is likely to treat as “aggravating factors” when deciding whether to issue a monetary penalty. As well as the impact and severity of the breach, the ICO will consider a number of factors, such as whether:

• a risk assessment was made;
• alternative means of storing/transmitting data were considered/devised;
• other measures were employed to minimise risks (e.g. by using a ‘ring ahead’ system to increase security of fax transmissions);
• the organisation followed its own policies;
• effective remedial action was taken following the breach (such as the re-training of staff);
• the organisation’s officers and staff understand the cause and significance of the breach.

Pitmans Suggested Action: conduct Privacy Impact Assessments (PIAs) and build Privacy by Design (PbD) into concept and new product design so that the privacy implications of new technologies are considered at an early stage. This may reduce the likelihood of incurring substantial re-development costs later, as well as the risk of complaints, adverse PR and enforcement action.

Improved efficiencies

The number of decision notices issued by the ICO increased significantly, from 628 in 2009/10 to 817 in 2010/11. However, the appeal rate has remained constant at around 25%, meaning, in effect, that there has been no corresponding deterioration in the quality of decision making. The ICO attributes this improvement to new structures and processes that have allowed it to deal with complaints more quickly.

There has also been a blitz on freedom of information complaints. Over the last 12 months, the number of complaints that have been in the ICO’s in-tray for more than a year has reduced from 117 complaints to just three.

Involvement in law making

In terms of the ICO’s contributions to UK legal policy, it has had a busy year. The ICO issued responses in December 2010 and February 2011 to the Protection of Freedoms Bill, and provided evidence to the Public Bill Committee in March 2011. Also in December last year, the ICO issued a statement welcoming proposals set out by the government to expand the scope of the Freedom of Information Act.

At present, the ICO is engaged in the review of the OECD’s Privacy Framework and modernisation of the Council of Europe’s Data Protection Convention, and, through its membership of the Article 29 Working Party, the ICO is also reviewing the EU Data Protection Directive. The ICO will also be contributing to the post-legislative scrutiny of the Freedom of Information Act by the House of Commons Justice Committee.

This year, the ICO appointed Simon Rice, who has a background in delivering databases, software tools and data analyses for a government research agency, as the ICO’s first technology policy advisor to assist with the work on policy development, investigations and complaints handling. Simon’s appointment is complemented by the creation of a Technology Adviser Panel, whose role is to assist the ICO in producing up-to-date, relevant guidance on technical innovation and up-and-coming issues.

Pitmans Suggested Action: technology providers, and organisations using new technologies to gather, analyse and mine user-profiling data, should take note. The ICO is investing more in analysing new technologies and is likely to be more technically informed in its enforcement against non-compliant data repositories and applications. Again, consider privacy at an early stage of design and development and, before licensing a new CRM system or data tool, ask the supplier to confirm what steps it has taken to ensure that it complies with data privacy laws, at home or abroad.

For further information regarding Pitmans Intellectual Property team, please contact:

Philip James
Partner
+44 (0)207 634 4655
pjames@pitmans.com

Carolyn Butler
Solicitor
+44 (0)118 957 0234
cbutler@pitmans.com