Two cases have provided welcome guidance on the protection afforded to employees under TUPE when a company enters administration
May 15th, 2012
This article was first published by Solicitors Journal on 17 April 2012, and is reproduced by kind permission.
The cases of Key2Law (Surrey) LLP – v – De’Antiquis and Spaceright Europe Limited – v – Baillavoine have provided further clarification as to the protection afforded to employees under TUPE in the case of a transfer of an employer’s business and assets in an Administration. The position had been unclear following the decision of the Employment Appeal Tribunal in Oakland – v – Wellswood (Yorkshire) Limited in 2009.
The Transfer of Undertakings (Protection of Employment) Regulations 1981 and 2006 (TUPE) confer on employees certain rights in the event of a transfer of an employer’s business. TUPE provides that employees will automatically transfer to the transferee on their existing terms of employment and the transferee will then inherit employment liabilities and obligations in relation to them. Further, a dismissal which was connected to the transfer will be automatically unfair, unless the reason is economic, technical or organisational (referred to as an “ETO” reason), entailing changes in the workforce.
Clearly, the potential adoption of liability under employment contracts would discourage purchasers of insolvent businesses and so the government introduced provisions in order to assist by adding some flexibility.
TUPE provides that, where the employer is subject to “bankruptcy proceedings or any analogous insolvency proceedings which were instituted with a view to the liquidation of the assets of the transferor”, employees would not automatically transfer to the transferee and a dismissal for reasons connected with the transfer would not be automatically unfair.
TUPE also provides that, where there are “relevant insolvency proceedings” (being “insolvency proceedings which have been opened in relation to the transferor not with a view to the liquidation of the assets of the transferor and which are under the supervision of an insolvency practitioner”) there would be greater scope to vary the terms of employment, where the variation is designed to safeguard employment by ensuring the survival of the business or part of it.
There have been a number of decisions in the Employment Tribunal and above that have demonstrated the shortcomings in TUPE, and more particularly the definitions of “relevant insolvency proceedings” and “bankruptcy proceedings or any analogous insolvency proceedings” when it comes to be applied to an administration.
It is important to understand the difference between an administration and a liquidation.
The statutory purpose of an administration is to achieve one of the following objectives:
- The rescue of the company as a going concern; and only if that cannot be achieved
- The achievement of a better result for the company’s creditors as a whole than would be likely if the company were wound up; and if that cannot be achieved
- The realisation of some or all of the company’s property to make a distribution to one or more secured or preferential creditors.
Often, the administrator, once appointed, will trade the company either with a view to rescuing it and returning it to its directors (albeit this is rare) or in order to preserve goodwill and avoid termination or breach of contracts whilst the business is marketed for sale.
Conversely, the purpose of a liquidation is to sell assets and distribute them to creditors. A company can only trade in liquidation in so far as it is necessary for the beneficial winding up of the company and even then the permission of the Court may be required. A liquidation procedure therefore fits squarely into the definition of a process “with a view to the liquidation of the assets” whereas an administration process does not.
Administrator objectives
It is not always clear, at the outset of an administration, what the objective of the administrator may be, and it may change as the possibility of achieving the primary and/or secondary objective disappears. There is no obligation upon the administrator to state his objectives until he makes his proposal to the company’s creditors, which may be up to 8 weeks after the administration. His only obligation is to consider each of the objectives and either perform the administration so as to achieve the primary objective or dismiss it and move on to the secondary and possibly the tertiary objective. To that extent an administration should always be commenced with a view to rescuing the company as a going concern. Does that mean that an administration can never be considered to have been carried out with a view to liquidation of assets, regardless of the actual outcome, such that it would never be possible to avoid the consequences of TUPE and that a dismissal connected to a transfer of the business would be automatically unfair?
In practice, very often the second or third objective is achieved by selling the assets of the business in one go so that the business is sold as a going concern. Effectively the insolvent company’s assets will have been liquidated albeit the business will have been preserved through the sale. Sometimes this will happen after a period of trading whilst in administration. Sometimes the buyer is found before the company goes into administration and the sale effected upon administration in order to preserve the goodwill and trade of the business (a “pre-pack” sale). Often, once the business has been sold the company quickly moves into a liquidation. Does that mean that such administrations were commenced with a view to liquidation of assets or does it depend upon whether there was a post-administration period of trading?
In Oakland the insolvent company had been sold back to its director and shareholder on the day that it went into administration. The Employment Appeal Tribunal decided that, in circumstances where the company would not trade in administration and would shortly enter into liquidation, this was “bankruptcy proceedings or any analogous insolvency proceedings… instituted with a view to the liquidation of the assets of the transferor” such that the employees did not automatically transfer to the transferee. The Employment Appeal Tribunal did not say that this would always be the case but considered that it would be a question of fact to be determined by the Court. This would mean that a Court would have to reconstitute the circumstances existing at the time of the commencement of the process and the objective of the administration in the mind of the administrators at that time.
Not only would this decision mean a great degree of uncertainty as to the rights of employees against transferees and the risk of a transferee adopting employee liabilities but the decision would encourage the use of pre-pack administration where the purchaser would, on this view, be able to take the business free of employee liabilities.
Seeing clearly
A contrary view was adopted by the Employment Appeal Tribunal in OTG – v – Barke. However, the Court of Appeal has recently considered the issue in two cases which now provide much needed guidance on the position.
In 2011, in Key2Law, the Court of Appeal considered the effect of an administration on employees. In this case a company went into administration in the hope that a buyer could be found but it wasn’t. Instead firms of solicitors were engaged by the administrators to carry out the work of the company as its agent.
The Employment Appeal Tribunal had considered that the aim of an administration was not a question of fact but was absolute, depending upon the procedure adopted and that, since the primary aim of an administration is to rescue a company as a going concern, it would not be a process analogous to bankruptcy. The Court of Appeal agreed; accordingly, employees of companies in administration would automatically transfer to a transferee and be protected from dismissals by reason of the transfer of the business.
In Spaceright, the business and assets of the company were sold one month after the company went into administration. At the time of the administration a buyer of the business had not been identified. The Court of Appeal had to decide whether the dismissal of the managing director of the company was connected with the transfer of the business. It decided that it was, notwithstanding that the actual buyer was not in contemplation at the time of the dismissal. This is an important clarification. Further, the Court considered that the dismissal did not relate to the ongoing business (for example, a general reduction in the number of employees to assist trading as a going concern); accordingly, the dismissal was not for an ETO reason and was unfair.
Purchasers of the business of companies in administration, and other transferees, need to be aware that they are likely to adopt liabilities in relation to employees. Purchasers should be advised that employment liabilities cannot be avoided by reaching an agreement with the administrators of the seller that they will procure the dismissal of employees before the sale of a business and assets. This is an important consideration for purchasers in any purchase but where there is a sale by an administrator, a purchaser cannot expect an indemnity from the seller or the administrator in relation to any liabilities that the purchaser may find that they have adopted. Indeed, administrators will often insist on the purchaser providing an indemnity in favour of the seller and invariably in respect of himself, in respect of any claims subsequently made by employees against them.
All too often purchasers are unaware of this risk and the question of employment liabilities becomes a “deal breaker”. Either the sale will fall away, potentially damaging the value of the business, or the purchaser will negotiate a reduction in the purchase price, reducing the return to creditors, or the purchaser will have to take the risk that it may have to take on employees that it does not need and/or risk employment claims from employees that are or have been involved in the business. The claims that may be made against a purchaser may be substantial, including claims for failure to consult employees in relation to a transfer. Liability for such failure may amount to up to 13 weeks’ pay per employee.
Policy decisions
Pre-pack sales of businesses out of an administration have received a great deal of bad publicity in the press fuelled by unpaid creditors left high and dry. However, it is well established that the advantage of a “pre-pack” sale in an administration is that jobs are usually saved. The government has considered whether pre-pack sales should be outlawed or further regulated. Whilst more stringent reporting requirements and duties have been imposed upon administrators, in an attempt to avoid sales back to directors of an insolvent business, for the purpose of avoiding having to pay creditors, proposals that creditors should receive notice of an intended sale have been dropped.
Ultimately the government has a policy decision to make as to whether legislation protects creditors or employees. Particularly in the current economic environment, the interests of employees must be considered to be paramount. That said, in general a sale of a business as a going concern is likely to result in a higher return to creditors (albeit it is usually secured creditors that benefit) than a break-up sale of assets, in a liquidation, would achieve. Further, where employee liabilities transfer to a buyer of the business, the level of liabilities in the insolvent company is reduced thereby potentially increasing the level of any distribution of funds in the administration to unsecured creditors.
At its best, Oakland created a period of uncertainty when many purchasers may have been comforted by the decision and held the view that employment liabilities for dismissed employees would rest with the insolvent company.
At its worst, the decision potentially meant that the transfer of employment rights could be avoided when a business was sold out of an administration process. This is entirely contrary to the understanding of insolvency professionals and the basis upon which policy upon administrations has been formed. The decisions in Key2Law and Spaceright must therefore be welcomed.
Denise Fawcett
Partner
T: 0207 634 0642
E: dfawcett@pitmans.com
On 1 March 2012 the European Court of Justice (ECJ) gave judgment on the much-anticipated Football Dataco case stating that football fixture lists are not protected by copyright if the compilation is not the author’s own intellectual creation even if the compilation itself required significant labour and skill. This decision will impact any company that trades in data. Accordingly, if you license a database, you will need to ensure that the data comprised within it is presented in a sufficiently creative manner that enables it to be protected by copyright.
In Football Dataco and others v YAHOO! UK Ltd and others, Football Dataco organised football matches in England and Scotland and produced fixture lists detailing scores, penalties and player substitutions which were available to their online customers via the web. YAHOO! used these fixture lists to compile data for its own databases. YAHOO!’s business was largely, if not solely, reliant upon Football Dataco’s supply of this data.
Football Dataco claimed the use of this data by YAHOO! without a licence breached their rights by infringing copyright under the Copyright Design and Patents Act 1988 (CDPA) and Articles 3 and 7 of Directive 96/9/EC (Database Directive).
- Article 3 affords copyright protection to databases that in some form constitute the author’s own intellectual creation in regards to the selection or arrangement of its contents. For such protection to exist, evidence of labour and/or skill in the creation of the database itself is not sufficient.
- Article 7, known as the sui generis or database right, subsists whether or not the database or its contents are a copyright work but clear evidence of substantial investment in either the obtaining, verification or presentation of the data is required.
The Court of Appeal held the football fixture lists were protected by Article 3 but no right could be established under Article 7. YAHOO! appealed this decision and the Court of Appeal made a preliminary reference to the ECJ to clarify:
1. What is meant by “databases which, by reason of the selection or arrangement of their contents, constitute the author’s own intellectual creation”; and
2. Whether the Database Directive precludes national rights in the nature of copyright in databases other than those provided for by the Directive
In previous decisions, as seen in the Fixtures Marketing cases (The British Horseracing Board (BHB) and others, Case C-203/02 [2004] ECR I-10415), the ECJ has ruled that the Article 7 database right does not attach to fixture lists or race course data. This is because investment in the creation of data has been held not to amount to investment in the “obtaining, verification or presentation of such data” as required by the Database Directive. In other words, the courts are reluctant to afford database right protection to databases which are created by the party seeking to rely on such protection. Consequently, the need to seek to rely on copyright protection is increasingly important to retain value in a database.
Whilst awaiting the formal decision from the ECJ, the Advocate General made some preliminary remarks highlighting a clear distinction between the creation of data and its subsequent arrangement. He stated that a database must be the intellectual creation of the author to be protected by Article 3 of the Directive and that protection may be provided by implementing a creative element when the pre-existing data is assembled into a database.
Upon handing down its decision earlier this week, the ECJ has seemingly followed the Advocate General’s opinion. The Database Directive does not extend protection to databases where significant labour and skill are required in the creation if the labour or skill does not express any originality in either its selection or arrangement. Furthermore, it was held that the Database Directive is intended to harmonise European law, so that, following the ECJ ruling, a claim for copyright protection as a literary work under the CDPA was no longer available.
Whilst awaiting the application of this decision by the Court of Appeal, the economic damage football leagues will face by having to curtail their income from licensing fixture lists is clear, but the knock-on effect on other databases has yet to be seen.
For further information, please contact a member of Pitmans’ Data Privacy & Information Law or Intellectual Property teams.
Philip James
Partner, Digital Media, Technology and Data
T: 0207 634
E: pjames@pitmans.com
Fashion Blogger v Tesco: Unauthorised use of image
March 8th, 2012
A young fashion student, Nicola Kirkbridge, is taking on supermarket giant Tesco over the use of a photograph of her taken from her popular fashion blog. The photograph of Miss Kirkbridge modelling the latest fashion trends has appeared on a children’s jumper sold by Tesco throughout their stores nationwide without her knowledge.
According to reports, Tesco have responded to Miss Kirkbridge claiming they have no idea why this has happened and removed the product from sale pending a full investigation. The steps they have taken are understandable, as unless Tesco can establish that their use of the photograph was authorised, Miss Kirkbridge will have a claim of copyright infringement against them. For such a big player in the retail market to have used an unauthorised photograph highlights the confusion surrounding the use of photographs and other images that are available on the internet.
It is also interesting that Miss Kirkbridge’s photo had appeared on a blog, as much has been written recently about the loss of control of photographs and other images when uploaded onto social media sites. Whilst uploading your photograph or image to a social media site doesn’t necessarily mean that Tesco and others have the right to use that photograph, if you do wish to control the use of your photograph or image you should check the terms and conditions of any site before you upload it.
Pitmans’ Retail Team regularly work with retailers and their marketing and design teams to provide advice and training on the use and creation of photographs, images and designs with the aim of avoiding intellectual property infringement claims.
For further information please contact one of our Intellectual Property specialists within Pitmans’ Retail Team.
Sally Britton
Partner
T: 0207 634 4623
E: sbritton@pitmans.com
Alan Hunt
Solicitor
T: 0207 634 4632
E: ahunt@pitmans.com
Top Tips to Tackle Cybersquatting and Domain Name Disputes
February 6th, 2012
The surge in global internet usage in recent years has resulted in domain names becoming precious and sought after commodities. “Cybersquatters” have inevitably sought to take advantage of this. In order to ensure the success, protection and promotion of your brand, it is paramount to take steps to prevent cybersquatting activities. If the opportunity for prevention has been lost, and a domain name dispute does arise, it is important to resolve any potential disputes effectively and efficiently.
Cybersquatting is the registering, selling or using of a domain name in bad faith with the intent of profiting from the goodwill of someone else’s trade mark. It generally refers to the practice of buying up domain names that use the names of existing businesses and trying to sell them back to a party for an inflated price. It is also commonly used to direct traffic to the cybersquatter’s website or the website of a competitor of the trade mark holder in return for payment of a commission.
Prevention is always better than cure. There are a number of steps that can be taken to protect domain names and reduce the risk of disputes arising:
1. Search prior to registration – A search of unregistered and registered trade marks in territories of interest will assist you in identifying whether there are likely to be issues in using and/or registering a domain name.
2. Strategy - Registering every available domain name extension is not always possible or necessary. Registrations of Country Code Top Level Domains (“ccTLDs”) and Generic Top Level Domains (“gTLDs”) should be targeted according to your business interests and the territory you operate in.
3. Register the domain name as a trade mark – It is worthwhile considering registering your domain name as a trade mark. Having a registered trade mark could assist in the event of a dispute over rights in a domain name.
4. Register common misspellings - If a name is commonly spelt incorrectly it may be advisable to register misspellings in order to prevent “typosquatters”.
5. Identify new ccTLDs and gTLDs – New extensions are continually being introduced. Make sure you are up to date and consider including them in your domain name portfolio.
6. Monitor – Regularly check and actively monitor if any similar domain names have been registered. There are services available which will actively monitor all new registrations and services which purchase domain names as soon as they become available for registration.
7. Manage - Be aware that your domain name requires renewal and may be registered by a third party if you forget. Work with a registrar, and ensure that contact details are kept up to date.
If a dispute cannot be avoided, there are various ways for resolution:
As an initial step, a Cease and Desist letter (asking the other party to stop using and to transfer the domain name) may be enough to prompt them to transfer it to avoid further legal action. Negotiating a price for the acquisition of the domain name may be the commercially prudent solution.
There are Domain Name Dispute Resolution Services directly applicable to domain names, which are incorporated in the terms of registration. The most widely used is the Uniform Domain Name Dispute Resolution Policy (“UDRP”), which allows complaints to be filed with the World Intellectual Property Organisation (“WIPO”) and other national bodies. These services have been developed to allow for a timelier and more cost-effective resolution of disputes without the need to resort to court proceedings.
Domain name recovery can also be dealt with via traditional Dispute Resolution techniques and options, including mediation, can be explored.
To be successful in a UDRP complaint, a complainant must establish that:
i. The domain name registered by the respondent is identical or confusingly similar to a trade mark or service mark in which the complainant has rights;
ii. The respondent has no rights or legitimate interests in respect of the domain name; and
iii. The domain name has been registered and is being used in bad faith.
To avoid failures, here are some UDRP filing tips to ensure a cost effective success:
1. Research, research, research – The importance of research cannot be underestimated. Research case law, research the registrant, research the provider you want to use, research your panellist.
2. Include similar domain names under the same defendant - It is always recommended to include other domain names containing your marks in a complaint. Use a service that will allow you to search a registrant name and identify their domain portfolio. If there are similar domains (typos or phonetically similar) owned by the same registrant, it would be worth adding these domains to the complaint so you can maximise your return.
3. Check the panellist appointed to your case – You have the right to object to any appointed panellist. Once named, it is advisable to review the biography of your panellist to ensure that there is no potential conflict of interest which could arise and provide you with the best chances of a favourable decision.
4. Use three-person panels only for complex cases - If your case is clear, supported with ample evidence and fulfils all three requirements outlined above, a one-person panel is likely to be sufficient.
5. Shorter is sweeter – A limit of 5000 words is placed on the UDRP assertions and arguments, but in all likelihood you should never need to use the maximum word length in your filing. You will find more success if your arguments are succinct and supported by relevant case law.
10. Don’t just settle – It may be worth proceeding with the case to establish a record of documented evidence that may be used by yourself and others filing against them. Additionally, your company will be on record as an organisation that takes a proactive stance against cybersquatters.
For further information on domain name filing, domain name protection strategies and Domain Name Dispute Resolution, please do not hesitate to contact Pitmans’ Intellectual Property team.
Stacey Jones
Solicitor
T: +44 (0)118 957 0235
E: staceyjones@pitmans.com
Sally Britton
Partner
T: +44 (0)20 7634 4623
E: sbritton@pitmans.com
ECJ Finds ISP Filtering Falls Foul of EU Law
December 2nd, 2011
The ECJ has held that an order imposed by a Belgian court, which required an internet service provider (“ISP”) to filter and block access by its customers to files containing infringing copies of musical works, was incompatible with EU law. (Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL, Case C-70/10, 24 November 2011.)
The case concerned questions referred by the Brussels Court of Appeal to the ECJ regarding Scarlet, an ISP. Scarlet was ordered by a Belgian court to make it impossible for its customers to share files that infringe rights held by members of SABAM, the Belgian Society of Authors, Composers and Publishers.
In 2004, SABAM established that users of Scarlet’s services were downloading works in SABAM’s catalogue from the Internet, without authorisation and without paying royalties, by means of peer-to-peer networks (a transparent method of file sharing which is independent, decentralised and features advanced search and download functions).
Upon application by SABAM, the President of the Brussels Court of First Instance ordered Scarlet, in its capacity as an ISP, to bring those copyright infringements to an end by making it impossible for its customers to send or receive in any way electronic files containing a musical work in SABAM’s repertoire by means of peer-to-peer software.
On appeal, the ECJ held that EU law precludes the imposition of an injunction by a national court which requires an ISP to install a filtering system with a view to preventing the illegal downloading of files. It concluded that such an injunction does not comply with the prohibition on imposing a general monitoring obligation on such a provider. The filtering system would mean that the ISP was required to monitor data relating to its customers, which is explicitly prohibited by Art 15 of the E-Commerce Directive.
The ECJ also ruled that the injunction did not comply with the requirement to strike a fair balance between, on the one hand, the right to intellectual property, and, on the other, the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information – fundamental rights safeguarded by the Charter of Fundamental Rights of the EU.
The case follows an earlier UK ruling where BT became the first ISP to be forced by a court order to block its customers from accessing a website on grounds of copyright infringement. The site in question, www.newzbin.com, allowed users to share data files, predominantly pirate films, TV show downloads and music. The case was brought by six major film studios.
Scarlet was held distinguishable in that the film studios were not asking for an unlimited filtering system for all customers, but rather for a clear and precise injunction requiring BT to implement an existing technical solution which BT itself had accepted would be technically feasible and the costs of which would not be excessive. Therefore, it was not in breach of Article 10 of the European Convention on Human Rights.
It is clear the scope of the injunction sought and the technical feasibility of achieving it will be relevant in each case. This also does not bode well for any orders which the Secretary of State may make under the Digital Economy Act (DEA), as any such orders to prevent unlawful file sharing may be unenforceable under EU law for similar reasons.
The online infringement provisions of the DEA oblige ISPs to assist in identifying copyright infringers and allow enhanced measures to be taken against copyright infringers, including an ability to require ISPs to suspend internet connection to persistent offenders. Following a recent Judicial Review (JR) by BT and Talk Talk, the High Court has held that the provisions of the DEA are compatible with EU law; so, whilst copyright owners and the government are relieved by the JR decision, the issue still very much remains open in light of Scarlet.
For more information, please do not hesitate to contact Pitmans’ Intellectual Property Team.
Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com
Top legal tips for start-ups
November 10th, 2011
Setting up your first business can be a daunting prospect. However, to help you cut through the red tape when embarking on a business venture of your own – and avoid some common legal mistakes – we explain some of the key issues entrepreneurs are likely to encounter when starting out.
1. Legal structure
One of the first legal points to consider is identifying and setting up the most appropriate legal structure for your business. Typically, small businesses start life as a sole trader business or partnership before being formally incorporated as a limited liability company or limited liability partnership. Usually, the best option for your business will depend on what you are intending to do, and the most tax-efficient way to achieve your aims.
The structure you choose will affect various aspects of how your business is run, such as the type and amount of records and accounts that you will need to keep, and your personal liability if your business runs into financial difficulties. However, even if you intend to operate as a sole trader, it is important to ensure you are registered as such for income tax and national insurance purposes at HM Revenue & Customs. As a first port of call, discuss your circumstances and intentions with an accountant for advice on the most tax-efficient structure for you.
2. Business names
Picking a name for your business is an important first task, but it can also be problematic from a legal perspective. It is important to ensure that your business’s name is not the same as any others (or confusingly similar), and that it does not infringe the registered or unregistered trade marks of any third parties. As well as checking trade mark registers, telephone directories, domain name registries, trade journals and trade magazines, there are a number of online resources, such as Companies House and the National Business Register where checks should also be performed. As this is a highly specialised area, it is recommended that you use a specialist solicitor to perform these checks.
Be aware, too, that use of certain sensitive words in a business name, such as “institution”, “national” and “society”, is restricted by law and it is an offence to register any of those words as part of a business name without the approval of the Secretary of State. It is also an offence to carry on business under a name using an indicator of legal status to which the business is not entitled, for example, using the word “Limited” at the end of your business name when your business has not been registered as a limited liability company.
Before making your choice, run your shortlist past your solicitor so any issues are identified as early as possible.
3. The key legal agreements
Putting the right legal agreements in place to govern the arrangements between you and the other people involved in running your business, and ensuring that these are tailored to your needs, is essential to keeping your business running as smoothly as possible. The type of agreements that you need will, in part, depend on the legal structure you have selected for your business.
For instance, if you choose a limited liability company structure, a key document for your company will be its Memorandum and Articles of Association, which is essentially a ‘rulebook’ directing how the company operates that must be registered at Companies House (and made available for public inspection). However, you may prefer for certain arrangements between you and any other shareholders that have invested in your company to remain private, and a separate shareholders’ agreement that gives certain powers or rights to certain shareholders may be appropriate (for instance, the owner-manager may require weighted voting rights to ensure they cannot be voted off the board).
If, however, you decide a partnership structure is best for your business and co-investors, then a partnership agreement setting out the rules of how the partnership operates (for example, the share of profits each partner is entitled to) is vital to displace the provisions of the Partnership Act 1890 which would otherwise apply to such arrangements by default – and which may have some undesirable consequences.
4. Terms of business
If your business will provide products or services to third parties, or purchase products or services from others, then it is fairly inevitable that you will be requested to enter into terms and conditions of business with those parties with whom you trade. If any of the terms in those contracts seem unusual or unduly onerous, then seek legal advice prior to signing.
Having your own sets of standard terms prepared, which you can then incorporate into your purchase and supply contracts wherever possible, will put your business in a more advantageous position and ensure it is dealing on the most favourable terms that it can.
You must also ensure that the terms of any contract you enter into are properly documented so that you have a record of your contractual obligations towards your customers and suppliers to refer to in the future. Similarly, if those third parties are not performing their own contractual obligations, ensuring that a copy of the contract is kept on your file will assist you and your advisors in identifying and enforcing the contractual rights available to you.
5. Funding
Broadly speaking, funding falls into two camps: debt finance, where your business borrows money from a third party via loans, mortgages, debentures or invoice discounting, and equity finance, where individuals or other companies invest in your company in return for a share in the ownership of the business.
The options available to you will depend on the circumstances of your business. For instance, in order for a bank to be willing to offer your business a loan, it may require you or your business to own assets of a certain value on which the loan may be secured.
Likewise, the options you decide to pursue will depend on the advantages of the type of financing for your business – debt finance, for example, allows you to retain ownership of your business, but repayments must normally be made on fixed dates which may cause problems if your business’s income stream is unpredictable. In many cases, businesses rely on a mixture of both debt and equity finance.
In all cases, you should carefully agree and document the terms of any financial agreement you make – even (or especially) if it is an informal loan from a relative or friend.
6. Regulatory and compliance issues
The legislative obligations that may apply to your business will really depend on the activities your business undertakes. Some regulations, however, are likely to apply to many trading businesses, such as:
• Sale of Goods Act 1979: which requires you to sell goods of satisfactory quality, that are fit for their purpose and that are as you describe them.
• Sale of Goods and Supply of Services Act 1982: which requires you to perform the services you offer with reasonable care, skill, time and cost.
• Trade Descriptions Act 1972: which makes it a criminal offence to knowingly make false or misleading claims about the goods or services you offer, whether written or verbal.
• Data Protection Act 1998: imposes certain restrictions on the way personal data (such as records of the names of any individuals, including your customers) may be handled, and requires you to register with the Information Commissioner’s Office if you process any personal data (unless an exemption applies).
• Proceeds of Crime Act 2002: which creates the money laundering offences that make it a criminal offence to (amongst other things) conceal, disguise, convert or transfer any property that you know or suspect has been obtained from criminal conduct.
To help you get started, the government’s Business Link website provides information on the rules and regulations that apply to particular sectors. Alternatively, contact a local trade association or representative body for advice. The Trade Association Forum’s directory of UK trade associations is available here.
If you intend to engage contractors, staff or workers in connection with your business, then there will be certain legal obligations with which you must comply. Most importantly, the terms agreed between your business and any employee must be set out in a contract of employment along with certain other pieces of information, such as a job description and details of the place of work, as mandated by section 1 of the Employment Rights Act 1996. Again, the Business Link website covers the basics.
For help with more specific and/or complex regulatory issues, you should consult a solicitor.
7. Property
If you decide to run your business from home, it is important to check your planning permission to ensure that you have the required consents to operate a business from your home address. If you need to apply for additional planning permission, contact your local authority.
However, if you decide to lease or purchase business premises, you will need to agree terms with your landlord or vendor, and ensure you understand the terms on which you intend to contract. There should be a formal agreement in place, and you should seek legal advice on negotiating and documenting the terms of your occupation.
8. Intellectual property
Your intellectual property (often referred to as ‘IP’) comprises not only your business name, but also your confidential information (including know-how and trade secrets), trademarks, copyright, patents, goodwill (that is, the reputation and status attaching to your business, products and services), design rights, domain names… the list goes on. You will need to consider how your IP will be protected and who will own it. For example, you should be aware that IP commissioned by you or created by your employees or directors may not be automatically owned by you. You should take advice from a specialist solicitor on what IP rights you have, or are likely to acquire in the near future (such as IP in new products or know-how created by your employees) and how best to protect those rights.
We wish you every success with your new venture, but if you require any legal advice in relation to these and other issues, we are here to help.
For more information, please visit:
Pitmans’ Corporate legal services
Pitmans’ Commercial legal services
Pitmans’ Intellectual Property legal services
Carolyn Butler
Solicitor, Corporate
T: +44 (0)118 957 0234
E: cbutler@pitmans.com
Andrew Peddie
Partner, Corporate
T: +44 (0)118 957 0321
E: apeddie@pitmans.com
Sally Britton
Partner, Intellectual Property
T: +44 (0)20 7634 4623
E: sbritton@pitmans.com
Digital Marketing Complaints Rocket
September 29th, 2011
What’s the news and the current trend?
The Advertising Standards Agency (ASA) has recorded a huge surge in complaints made about companies’ digital marketing communications, with figures exceeding 5,500.
5,531 complaints were recorded about brands’ online marketing communications since March, when the ASA’s remit was extended to cover the area.
The ASA now covers non-paid for online marketing communications under the marketer’s control, including social media such as Facebook, as well as companies’ own websites. A marketing communication is a type of communication for a good, service, opportunity or gift that primarily sets out to sell something. Marketing communications may set out to sell in a myriad of different ways, and may not necessarily include a price or seek an immediate financial transaction. Also included are direct solicitations for donations as part of a company’s own fund-raising activities.
In the seven months since the remit was extended, the total number of complaints received across all channels reached 18,369. This is an increase of 30% on the same period in 2010.
No one business sector was primarily responsible, with blame being spread equally across the retail, leisure and telecoms sectors, amongst others. The type of complaints matched the typical spread for broadcast and non-broadcast adverts, and concerned issues with price and availability. Complaints regarding misleading alternative health sites were also notable.
To deal with the increase in complaints, the ASA has increased staff numbers by 10%. The ASA has commented that people cannot expect all to be immediately compliant, and that many companies do not yet know about the changes.
Online marketing communications are governed by the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (the CAP code). If a marketing communication breaks the Code, the organisation/individual responsible is told to amend or withdraw it. If they do not, the Compliance team will consider the sanctions available to it.
Non-compliance may result in removal of paid-for advertising, adverse publicity as a result of ASA adjudications, denial of access to advertising space, and the withdrawal of recognition and trading privileges, such as discounts. The company in question may also face action for breach of the Consumer Protection Regulations.
How can Pitmans help?
Pitmans Digital Brands Team can carry out a digital marketing and brand audit of your digital channels (Twitter, Apps, Facebook pages, Company website) at an agreed fixed cost.
We can identify any risks, whether they be regulatory or legal, and provide a clearance risk assessment. We can also advise on ways in which you can protect and manage your digital brand portfolio, as well as advise on any IP rights and data comprised in your digital channels. All sectors are affected but clients in the Media & Entertainment, Automotive, Hospitality and Retail sectors may find this of particular interest.
For further details please contact:
Philip James
Partner
T: 0207 634 4655
E: pjames@pitmans.com
Sally Britton
Partner
T: 0207 634 4623
E: sbritton@pitmans.com
Pitmans Privacy Update
August 17th, 2011
Retailers Take Note: Data Privacy Trends and Actions for the coming year: Highlights of the Information Commissioner’s Annual Report 2010/11
If the idea of digesting the Information Commissioner’s 86-page long annual report in full doesn’t really appeal to you, then why not let us do the hard work? Below, we highlight not only the key changes to the policy and enforcement objectives of the Information Commissioner’s Office (“ICO”) over the past year, and the likely indications from the report of the developments to come, but also our suggested actions and comment to help you avoid falling foul of data privacy compliance, risking damage to your reputation and incurring unnecessary cost and resource further down the line.
New powers
The ICO’s enforcement arsenal was enhanced significantly in April 2010 when it was granted the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Four monetary penalties have been issued since then, as well as five prosecutions brought in the last year. However, the ICO has been keen to stress that such tactics are a means of last resort, and seeks to resolve cases informally where there is opportunity to do so.
Pitmans Comment: it is worth noting that since May 2011 the ICO now also has the power to fine organisations up to £500,000 for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the previous power to fine only extended to serious data breaches, not breaches of the laws relating to electronic marketing and privacy).
In addition, the ICO also has a new power to audit measures taken by a public electronic communications service provider (service provider) to:
• safeguard the security of its service; and
• comply with a new personal data breach notification and recording requirement.
This second requirement is a significant development and, where a breach may adversely affect the personal data or privacy of a user, a service provider is not only obliged to notify the ICO, but also the user concerned. This has a significant cost and PR implication.
The ICO favours prevention over cure; it tends to accept undertakings (where an organisation commits to making specific improvements) as a precursor to more formal action. The number of instances where the ICO has approached organisations to offer good practice audits has increased dramatically over the past year, although take-up in the private sector has been poor. Nevertheless, the ICO issued 26 audits in 2009/10, 60% more than in 2009/10. It also released several codes of practice last year to help businesses stay on the straight and narrow, including a Code of Practice on Personal Information Online which was launched in June.
Pitmans Suggested Action: ensure you have a paper trail evidencing compliance and training. Refresh staff knowledge through periodic training and regular security reviews, and conduct vulnerability testing of publicly accessible applications. It is clear that audits are becoming more popular. Always be prepared.
Emerging enforcement trends
The hot topics
Subject access requests were the most popular topic of complaint, accounting for nearly a third (28%) of all issues reported to the ICO. Since this is the area where, statistically, data controllers tend to slip up, companies are well advised to ensure they have appropriate systems in place to deal with subject access requests within the applicable time limits. Inaccurate data (15%), inappropriate disclosure of data (12%), and automated and live marketing calls (9% each) are the cause of the next most numerous complaints. There has also been an increase of 17% in the number of freedom of information cases referred to the ICO over the past year.
The ICO has earmarked the challenges perpetuated by (or, indeed, in spite of) technological advances as a priority. The ICO is concerned that a significant amount of highly sensitive personal data is still sent by fax, despite the more secure alternatives offered by newer technology. Failures by organisations to encrypt personal data in appropriate circumstances also remain a key concern.
The new rules in relation to cookies are also firmly on the agenda. Although the lead-in period for the new rules expires in May 2012, the ICO has indicated that it will intervene in the meantime in certain circumstances: “we shall hold our enforcement powers in reserve, intervening in the first year only where it is clear that a website owner is doing little to attempt to comply”.
Pitmans Suggested Action: review what technical and operational security measures your organisation currently employs in relation to sending personal data and keeping data secure. If your staff are using mobile devices and laptops, review and implement encryption software solutions.
Companies would also be well advised, if they have not already done so, to conduct a digital marketing audit and review their data processing and collecting practices in the e-commerce environment. Please let us know if you would like assistance with such an audit.
The targeted organisations
Essentially, the ICO targets those organisations about which it receives the most complaints. The ICO affirmed that it also uses a risk-based process to identify and contact organisations that handle personal information, which takes into account a number of factors such as volume and type of data an organisation holds, complaints received by the ICO and cases where enforcement action was considered. It then uses the information from individual cases to build a picture of how seriously data controllers take the issue of handling personal data or providing information the public has a right to see.
The ICO has declared that it now expects more from data controllers when complaints are reported – as well as asking them to explain the circumstances of individual complaints, it now asks for information about how the data controller intends to put things right and how they adhere to general information rights obligations.
Pitmans Suggested Action: respond to complaints and proactively manage any inappropriate use of personal data carefully. Consider preparing a contingency response plan to any complaints, with a pre-prepared response to customers, the ICO and the press.
The targeted sectors
Over the past year, the ICO launched campaigns aimed at estate agents and private medical practitioners to remind them of their obligations to notify the ICO if they handle personal data. Accordingly, we should probably expect similar campaigns in the future directed at other industries in the private sector that routinely handle personal data, e.g. education and training providers, telecoms companies, and online retailers.
Pitmans Suggested Action: retailers, in particular, take note. The ICO issued a statement on 9 August in the light of a security breach suffered by Lush, the cosmetics retailer, making it clear that e-tailers must ensure they keep customers’ personal data secure. An extract of the statement is reproduced below:
Acting Head of Enforcement at the ICO, Sally Anne Poole said:
“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
In the meantime, the ICO will be consulting on a revised Information Rights Strategy showing how it prioritises the different sectors and subjects for regulatory attention, which is definitely a development to watch out for!
The likely consequences
The ICO’s report contains a selection of salutary tales demonstrating exactly how not to deal with a data protection breach. These case studies indicate the circumstances that the ICO is likely to consider as “aggravating factors” when determining whether to issue monetary penalties. As well as the impact and severity of the breach, the ICO will consider a number of factors, such as whether:
• a risk assessment was made;
• alternative means of storing/transmitting data were considered/devised;
• other measures were employed to minimise risks (e.g. by using a ‘ring ahead’ system to increase security of fax transmissions);
• the organisation followed its own policies;
• effective remedial action was taken following the breach (such as the re-training of staff);
• the organisation’s officers and staff understand the cause and significance of the breach.
Pitmans Suggested Action: conduct Privacy Impact Assessments (PIA) and employ Privacy by Design (PbD) into concept and new product design to ensure that any privacy implications of new technologies are considered at an early stage. This may reduce the likelihood of incurring substantial re-development costs at a later stage, as well as the risk of complaint, adverse PR and enforcement.
Improved efficiencies
The number of decision notices issued by the ICO increased significantly from 628 in 2009/10 to 817 in 2010/11. However, the appeal rate has remained constant at around 25%, meaning, effectively, that there has been no corresponding deterioration in the quality of decision making. The ICO has put this dramatic improvement down to the introduction of new structures and processes that have allowed it to deal more quickly with complaints.
There has also been a blitz on freedom of information complaints. Over the last 12 months, the number of complaints that have been in the ICO’s in-tray for more than a year has reduced from 117 complaints to just three.
Involvement in law making
In terms of the ICO’s contributions to UK legal policy, it has had a busy year. The ICO issued responses in December 2010 and February 2011 to the Protection of Freedoms Bill, and provided evidence to the Public Bill Committee in March 2011. Also in December last year, the ICO issued a statement welcoming proposals set out by the government to expand the scope of the Freedom of Information Act.
At present, the ICO is engaged in the review of the OECD’s Privacy Framework and modernisation of the Council of Europe’s Data Protection Convention, and, through its membership of the Article 29 Working Party, the ICO is also reviewing the EU Data Protection Directive. The ICO will also be contributing to the post-legislative scrutiny of the Freedom of Information Act by the House of Commons Justice Committee.
This year, the ICO appointed Simon Rice, who has a background in delivering databases, software tools and data analyses for a government research agency, as the ICO’s first technology policy advisor to assist with the work on policy development, investigations and complaints handling. Simon’s appointment is complemented by the creation of a Technology Adviser Panel, whose role is to assist the ICO in producing up-to-date, relevant guidance on technical innovation and up-and-coming issues.
Pitmans Suggested Action: technology providers and organisations using new technologies to gather, analyse and mine user profiling data, beware. The ICO is investing more in analysing new technologies and is likely to be more savvy in its enforcement against non-compliant data repositories and applications. Again, consider privacy at an early stage of design and development and, before licensing a new CRM system or data tool, ask the relevant supplier to confirm what steps it has taken to ensure that it complies with data privacy laws (whether it be at home or abroad).
For further information regarding Pitmans Intellectual Property team, please contact:
Philip James
Partner
+44 (0)207 634 4655
pjames@pitmans.com
Carolyn Butler
Solicitor
+44 (0)118 957 0234
cbutler@pitmans.com
A ‘Highway Code’ for Privacy and Data Protection?
July 20th, 2011
Courtesy of Managing Information Magazine.
Understanding Privacy and Data Protection in the internet context is a complex business, and there is a desperate need for easy-to-comprehend guidance, especially for users. How do we offer that guidance in ways that are meaningful and yet digestible? Lawyer Philip James, a partner with Pitmans SK Sport and Entertainment LLP, has expounded the idea of a Highway Code for Privacy and Data Protection. Managing Information magazine went along to talk to him about these ideas.
Managing Information Magazine (MI): Why have you mooted the idea of a Privacy and Data Protection Highway Code?
Philip James (PJ): There is traffic on the roads, and there is traffic on the web. There are common themes in managing road traffic flows and behaviour which could also be applied to the internet.
MI: Can you give us an example of that?
PJ: When you come to a junction, traffic lights indicate which way and when you can go, and other signs indicate what you can and cannot do. We need variations on that theme to support and guide users’ understanding of Privacy and Data Protection and how to make more informed decisions about disclosing personal details online.
MI: Why do you think signs are necessary, wouldn’t text-based guidance do the same job?
PJ: Generally speaking, people’s receptivity to signs is better and their reaction is quicker than to text.
MI: Would there be other potential benefits from a Highway Code for the internet?
PJ: Traffic on the web is a new environment for us. We are at the beginning of a Highway Code guiding traffic on the web. Privacy is a motivation of course, but it could also be a good way of driving traffic and making it more efficient.
MI: How might this work in practice?
PJ: The Information Commissioner (“ICO”) is taking a more layered approach to Privacy Policies. For example, a web page could have an icon taking users to a short form of privacy policy, and then to a longer text for greater detail. Google has a privacy ‘dashboard’ for example – users are familiar with dashboards in their cars. Why not have a more widespread privacy dashboard? There are three elements to compliance:
• Education
• Notice
• Control.
A Privacy and Data Protection Highway Code would help with the understanding of all three elements.
MI: Do you have any practical examples of how such a scheme might operate?
PJ: In the field of online behavioural advertising, icons which take users to easy-to-understand codes of practice are placed on websites. The codes have been developed and are overseen by the Internet Advertising Bureau (IAB). Although it is not policed by the IAB as such, those who sign up (voluntarily) to the code of practice are independently audited (see: http://www.youronlinechoices.com/good-practice-principles). There is a list on the IAB web pages of those organisations which are signatories and have been audited, those which are signatories and are complying, and those which are signatories and are committed to compliance. A lot more could be done along these lines to educate people.
MI: Could you tell us a little more about that?
PJ: At the moment, there isn’t any specification setting out the size a privacy notice is meant to be – for example a percentage of a web page. In a broadcasting context, if you have a notice on screen, for example on a teleshopping channel, a code of practice sets out the minimum text and box sizes for warning notices/viewer alerts. This idea could be adapted for privacy notices on the web, provided the guidance was not overly proscriptive.
MI: Can you tell us more about how the signs would help?
PJ: There are significant challenges in enforcing a Privacy and Data Protection Highway Code, not least because of trying to implement uniform international standards. In the maritime sphere, we have a system of buoyage to guide vessels – port buoys are red; starboard is green. The colours denote which side a vessel must pass. However, in Japan, the Americas, South Korea, and the Philippines the rules for a vessel passing green and starboard buoys are the other way around. Similarly, we drive on the left in the UK and right in Europe. Whether you are talking buoys or road signs, it is based around colours, silhouettes and shapes, and possibly also noises, which give more help than purely text. It is important that any Privacy and Data Protection Highway Code is standardised throughout the world to avoid confusion.
MI: So how might such ideas help us with Privacy and Data Protection?
PJ: It can help us to manage some of the complexities and terminology, make things easier to understand and more accessible. People say they will introduce new sections on their websites entitled ‘cookie guidance’. This word ‘cookie’ will mean nothing to your average man or woman on the street (other than in the context of biscuits). Is a reference to ‘cookie guidance’ all that helpful? Does anyone beyond those who are privacy lawyers and those who have expertise in web technology understand it? Instead we could include sections labelled ‘Privacy information’ and ‘How we use your data’ or use signs and imagery to communicate these concepts.
PJ: It took a significant length of time for the roads Highway Code to develop, and now it is international in scope. In the internet sphere, it would be good to have a similar international highway code that children learned at school. People associate a padlock symbol with security for example. A lock image of some description could be used to indicate privacy information. Microsoft are developing ‘private browsing’ on Internet Explorer 9. If you don’t want to have your browsing tracked, it would be useful to have a symbol or an icon on which users could click to opt out of having their browsing tracked.
MI: How might colours be used?
PJ: It would be good to have a common colour for textboxes relating to Privacy and Data Protection. However, it shouldn’t be taken too far. I wouldn’t want to impair the creativity of website designers by being excessively strict about what colours can be used.
MI: Do you have an idea of other symbols and signs which might be useful?
PJ: In terms of symbols, binoculars, magnifying glasses, telescopes and safes are examples of what could be used as symbols and icons to indicate privacy information and options. There may be some road Highway Code signs which could be used, such as traffic lights and stop signs. The latter could be used in conjunction for example with a text box: ‘Have you obtained permission to use the person’s information?’ A compass could be used as an icon for geolocation information – giving the option to turn on and off the function which identifies your whereabouts.
MI: Who should oversee this, to achieve some sort of standardization?
PJ: You could of course spend a lot of time dreaming up signs and symbols which can be used. It would be useful if the ICO would express views on what constitutes good signage in the Privacy and Data Protection sphere.
MI: Do you think a Privacy and Data Protection Highway Code should be enshrined in law?
PJ: I don’t think it necessarily has to be mandatory. I think a code of practice would work. Some people might already be doing this, of course. However, I don’t think there has been sufficient focus on the potential benefits. For example, some people are not aware of important differences between Tweeting and Facebook – Twitter is public whereas Facebook offers more privacy – some people understand this difference, others do not. A Privacy and Data Protection Highway Code could help with this. I don’t think people are sufficiently aware of the implications of submitting their personal details online.
MI: So where do we go from here?
PJ: You show me a sign and hopefully I will follow it. Just so long as it’s not a dead-end. For children in schools, developing an online version of a lollipop lady would greatly assist learning and understanding these issues.
For further information about data protection or Pitmans Intellectual Property legal services, please contact:
Philip James
Partner, Intellectual Property
+44 (0)207 634 4655
pjames@pitmans.com
Facebook’s recent, silent UK roll-out of its auto-tagging functionality, which prompts users to tag facial-recognition links of friends, has given further cause for concern over privacy in relation to social network sites (“SNSs”). Philip James, Partner, and Carolyn Butler, Solicitor, at Pitmans LLP examine how the existing regulatory framework and technology needs to adapt and evolve to protect users’ identities online more effectively.
Tagging and Privacy
“I never forget a name or a face, but sometimes have difficulty correlating the two.”
Anon
Recently, the media’s attention has focused on the rights of individuals to control the use of their facial image online. In particular, Facebook’s largely unannounced launch of its auto-tagging functionality in the EU in June, which followed its official launch in the US in December last year, has caught the attention of the European Commission, as well as local regulators.
Facebook has featured ‘tagging’ on its photo-sharing facility for some time now. This is a feature that allows an individual in a photo to be identified by a ‘tag’ that contains personal information such as the individual’s name and a link to his or her profile on the relevant SNS. For the benefit of anyone viewing the photo, the tag distinguishes the individual depicted from other people of the same name using that SNS. The individual who has been tagged is alerted, as part of the tagging process, that a photo featuring them has been uploaded (and, significantly, only after they have been tagged are they notified and presented with an opportunity to remove the tag).
The process of tagging individuals in a series of photographs was previously a relatively manual exercise. Now, following the trend evident in Google’s Picasa image-organising suite and Face.com’s Photo Finder and Photo Tagger apps, Facebook’s auto-tagging function uses facial-recognition technology to streamline the tagging process. Facial-recognition software works as follows:
• it analyses a digital image for the distinguishable landmarks that make up facial features;
• it then converts the data derived from those landmarks into a numerical code called a ‘faceprint’;
• the faceprint acts like a digital ‘fingerprint’ which is then compared against other faceprints on a particular database to find a match; and
• since Facebook already has a vast database of tagged images at its disposal, its software identifies a person’s face in photos by analysing and comparing the new image against other images where that person has previously been tagged.
Given a faceprint’s similarity to a fingerprint, there is significant concern as to how tagging, and auto-tagging in particular, compromises privacy. This concern derives from the lack of the requisite prior consent from the data subject to this type of tagging. This also raises the issue of whether a more stringent level of consent should be required for facial-recognition tagging (and whether faceprints should be considered to be sensitive personal data, as location data possibly should be too).
On Facebook, the consent of the individuals depicted is not sought before a tag is placed on a photo; they are notified only once they have been tagged. Even though, under Facebook’s terms of use, users are required to seek consent from those individuals before tagging them, this requirement is not brought to the users’ attention during the tagging process and undoubtedly, that requirement is not observed by users in practice. Gerard Lommel, of the Article 29 Data Protection Working Party, agrees that “tags of people on pictures should only happen based on people’s prior consent”. Nevertheless, consent is not automatically sought as part of the tagging mechanism, a fact that had not attracted much attention, let alone widespread criticism, until auto-tagging recently forced the issue into the limelight.
Under the current law, personal data is defined as:
“data relating to a living individual who can be identified from it, or from the data and other information which is in the possession of (or is likely to come into the possession of) the data controller”
Personal data must be lawfully processed, not kept longer than is necessary and, unless certain other exempting criteria apply, the data subject must give his or her unambiguous consent to processing. There is some debate as to whether SNSs can be properly characterised as “data controllers”, but the opinion of the Article 29 Working Party is that they are (see also recent opinions issued by the Canadian privacy regulator which is often seen as a trailblazer in relation to social-networking regulation).
Facebook would be well advised to review the ways in which it should obtain the requisite consents to process personal data in the context of its auto-tagging facial technology. In so doing, specific and informed consent will need to cover:
• Firstly, the actual processing of users’ faces to create the faceprint and name suggestion (‘faceprint name’) (undoubtedly, having their ID facially recognised was not in the contemplation of data subjects at the time of accepting Facebook’s terms of use); and
• Secondly, the act of tagging itself, once another user has confirmed the suggested faceprint name.
It will come as no surprise that all Facebook privacy settings are switched off by default (therefore opting users in to the technology). Once users have discovered that the auto-tagging function exists, it is up to them to opt out of auto-tagging by amending their privacy settings. For many users, the procedure to engage privacy screening is too complicated for them to navigate successfully. Often, users do not realise that they need to amend their settings themselves. Since the activation of auto-tagging was not announced, users were not even aware of the need to adjust their privacy settings before (and not until some time after) the function was activated. This raises the question of what privacy notices users should be required to review before they sign up, as well as at the time any new feature is introduced. Requiring users to review and confirm their settings on their privacy dashboard at both points would greatly assist SNSs in satisfying compliance requirements.
In a wider context, facial-recognition software used in other technological applications, such as in the analysis of CCTV footage, is fuelling civil liberties concerns and has prompted parliament to introduce further regulatory provisions. While the Information Commissioner already has a code of practice for monitoring CCTV images that covers the whole UK (including the public and private sectors), its enforcement powers have never been used. The Protection of Civil Liberties Bill, which is currently before the House of Commons, introduces measures such as a new body to regulate CCTV and a code of practice for surveillance camera systems (including facial and ‘gait’ (i.e. a person’s way of walking) recognition systems), and provides for judicial approval of certain surveillance activities by local authorities.
EU Policy
The European Commission observed in its strategic communication on “A comprehensive approach on personal data protection in the European Union”, issued in November last year, that “social networking… presents significant challenges to the individual’s effective control over his/her personal data”. Viviane Reding, the Vice-President of the European Commission and EU Justice Commissioner, agrees. In March she spoke to the European Parliament about how the modernisation of the existing legal framework will enshrine “four pillars” of online data protection for individuals. In relation to social-networking sites, individuals should enjoy:
• A right to be forgotten, where individuals shall have the right to withdraw their consent to data processing, and have their personal data deleted from servers;
• Transparency, where users of social networking are properly informed of the restrictions over their control of their own private data or that their data may be made irretrievably public;
• Privacy by default, since privacy settings often require considerable operational effort in order to be put in place and therefore such settings are not a reliable indication of users’ consent; and
• Protection regardless of data location, where domestic privacy regulators shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target consumers in the EU.
It is clear from this missive that the European Commission has SNSs including other location-based services firmly in its sights. Reding’s four pillars will encourage SNSs to lead by example to inculcate a culture of privacy.
The Article 29 Working Party has argued for data controllers to demonstrate greater accountability in, for example, producing and enforcing data protection compliance programmes. However, supplemental to that objective is the need for users to be better educated about the intrinsic risks and responsibilities in uploading their own and their friends’ personal data to SNSs. Whilst it is not suggested that the “household exemption” is removed and direct enforcement action is taken against individuals, regulators may consider that placing a duty on SNSs to ensure that users comply with data privacy laws is the only means of effectively protecting the public from their own worst enemy: themselves.
Right to be forgotten
Even where consent is given, data subjects will shortly have a legal right to withdraw their consent and request the deletion of content: a “right to be forgotten”. Implicitly, this applies to all online data concerning an individual, whether they uploaded it themselves or otherwise. Again, SNSs will need to consider how the developing EU policy, which will shortly become legislation, may affect the existing and future processes programmed into their products. Examples of this may include:
• introducing functionality that allows user generated content to ‘fade’ (or automatically be suppressed) after a defined period (cf. the time limits search engines employ);
• in addition to making it simpler for users to delete their profile, allowing users an ability to remove all tags (simple or faceprints) which reference their name (by means of identifying a UID which links any tags to their profile);
• encouraging third-party developers to produce Privacy Enhancing Technology (PETs) in the form of applications which users can add to their profile to give them greater control over the use of their ID, and to scour for and remove any unwanted tags, or provide users with customised privacy dashboards to allow greater control over their data.
By the same measure, the European Commission needs to be realistic and alive to the practical dynamics of SNSs in developing policy. While SNSs can remove content if notified to do so, they have little control over the content being uploaded by users, and the possibilities that content holds for infringing the rights of other users. The elements that SNSs can control, and which should therefore be targeted by the Commission, are the technical mechanics used to upload and protect personal data.
Poacher turned Gamekeeper
While certain applications have the potential to undermine privacy, the same tools can be harnessed to protect it. Although PETs are not new, consumers that may be alarmed by the ways in which their privacy may be compromised are driving the demand for technological solutions.
For example, Face.com’s Photo Finder already allows users to apply face-recognition software to Facebook searches to find photos of themselves or their friends that have not yet been tagged. This application could allow individuals to regain control of their own personal data by identifying unknown sources of personal data in order to arrange its deletion.
Google has to date resisted the temptation to combine its Picasa face-recognition software with its popular Google Image Search, saying that such an innovative step would be “creepy”.
In any event, any organisation seeking to employ facial-recognition technology should carry out a PIA (or privacy impact assessment) and ensure its technology has been devised using the concept of Privacy by Design (PbD). It would be an interesting exercise to audit what steps and precautions those who are currently employing such technologies have taken to measure the potential effect their use may have on people’s privacy. In the vein of ‘Jack Bauer and 24’: “we’re watching you”.
This article was published in the June 2011 issue of Data Protection Law & Policy and has kindly been reproduced with the consent of the publisher.
For further information regarding Pitmans Intellectual Property legal services, please contact:
Philip James
Partner, Intellectual Property
+44 (0)207 634 4655
pjames@pitmans.com
Carolyn Butler
Solicitor, Corporate
+44 (0)118 957 0234
cbutler@pitmans.com
For further information, please see “The Information Commissioner’s response to the Home Office Consultation on a code of practice relating to surveillance cameras” and “The Information Commissioner’s evidence to The Public Bill Committee on the Protection of Freedoms Bill”, both dated 24 May 2011 and available from the ICO’s website.
