WADA overrules BOA in doping rules
May 11th, 2012
The British Olympic Association’s (BOA) bylaw excluding those found guilty of doping offences from eligibility for selection to Team GB (the British Olympic Team) has been held to be illegal by the Court of Arbitration for Sport in Lausanne. The Court further demanded that this bylaw be repealed by the BOA within May or further sanctions will be imposed. The decision’s effect is to allow athletes found guilty of doping to be included in Team GB if they reach the qualifying standard imposed by their sport’s governing body.
This is a controversial decision especially for clean athletes who feel that their lives are devoted to obtaining a medal which might be or has been taken from them by a drug cheat.
The Court however has jurisdiction over most sporting bodies who have agreed to use it as the final forum for disputes, including the Olympics. In these instances its powers are greater than those of any national court, and it has bound the International Olympic Committee (IOC) itself in a similar decision to change its rules. It is unappealable.
It has decided that the only drug related penalty that may be imposed by any nation’s or sport’s governing body is that imposed by the World Anti-Doping Agency (WADA), the world’s appointed anti-doping authority. Since the level of sanction set by WADA requires unanimity across all nations, the penalty is a mild one of 2 years, which means that most convicted athletes will be able to compete in the very next Olympic Games.
The effect is to impose not a minimum punishment but a maximum, a situation not lost on rower Andrew Triggs Hodge MBE, Olympic Gold Medallist and stroke of the Men’s Four recently selected for Team GB and Pitmans SK Sport and Entertainment client:
“There needs to be a much bigger debate on what it means, on athletes who return from 2-year bans. Doping has almost become acceptable.”
Rowing champion calls for prevention not just cure in the fight against doping – The Telegraph 9 May 2012
The Chairman of the BOA, Lord Colin Moynihan, has vowed to fight on in the anti-doping cause by seeking change at international level, first by lobbying WADA. While this will not affect London 2012, this cause continues.
For further information on this article, please contact Pitmans Sport, Media & Entertainment team.
James Felt
Consultant
T: 0207 634 4628
E: jfelt@pitmans.com
Will Richmond-Coggan
Director, Solicitor Advocate
T: 0118 957 0369
E: wrcoggan@pitmans.com
The Article 29 (A29) Working Party has recently published their opinion paper on the rise of facial recognition technology and the concerns that this brings for the protection of personal data online. This note looks at the issues of online privacy and the concerns for data privacy as facial recognition software becomes more widely available.
The A29 Working Party is the European body which comprises leading representatives from each data protection supervisory authority in the EU (in the UK, this is the Information Commissioner’s Office); its opinions are therefore particularly influential, if not binding.
Last year Pitmans published a briefing explaining the issues of privacy at the time Facebook changed their ‘tagging’ service for photographs to incorporate facial recognition technology.
Since then, the availability and application of the technology have grown exponentially; as its accuracy and deployment expand, this technology could be used for the most routine events in everyday life – but also by advertising companies, collecting market information based on attendance monitoring and profiling to tailor targeted advertising messages.
The A29 Working Party has identified facial recognition technology as being used for authentication or verification for devices or online services. However, the application of this technology may be naturally extended from the online to the offline world. From a defence and security perspective, retinal scans and other biometric data access are already in use at a number of airports and conditional access facilities; in addition, full facial recognition systems are reportedly already used by security agencies to identify known criminals at sporting and live events by using the technology to identify particular faces amongst the crowd (e.g. known hooligans at a football match or members of the public at the London Olympics).
Similarly, access to live events, venues and concerts has become more sophisticated than merely paper tickets – organisers continue to explore ways in which they may combat the growing grey market in second hand ticket sales which diverts income, and brand value, away from events and the artists. Methods include tickets containing photographs, bar codes or employing near field communication (NFC) technology. Fully automated facial recognition technology is a natural technological progression for those industries where secure access is an essential requirement.
But such applications raise data privacy concerns and consequently companies controlling or processing the data may be in breach of data privacy laws, unless such measures and new technologies are balanced against an individual’s right to privacy. While the A29 Working Party’s opinion on facial recognition focuses on online and mobile, the principles apply equally to anyone collecting and using data for facial recognition services.
The A29 Working Party consider that where a digital image contains an individual’s face, which is clearly visible and allows identification of the individual then such an image would be considered personal data. Therefore, where a reference template is created from an individual’s image, this template will also be personal data if it contains a set of distinctive features of an individual’s face which can be linked to the specific individual and stored for later use. The only instance where a template is likely not to be considered personal data, would be where it was not associated with an individual’s record, profile or original image – but clearly this would limit the application of the technology. Importantly, the template and corresponding profile (or personal details) of the data subject in question do not need to be held by the same entity – it may still constitute personal data where a data controller has the means to access the corresponding information needed to identify that individual (even where held by a third party supplier).
Directive 95/46/EC states the conditions by which the processing of personal data must comply. Article 6 states that images and templates must be relevant, and not excessive, for the purposes of facial recognition processing. As the images constitute biometric data, the processing of the personal data may only be performed if the informed consent of the individual is obtained prior to commencing processing or if another exception is satisfied under the Directive (e.g. for legitimate purposes pursued by the data controller – such as security for the venue in the light of perceived terrorist threats – provided it does not prejudice the rights of the individual concerned). The A29 Working Party note that some elements of processing may be necessary before consent is obtained, i.e. to verify existing records, but this should only be for the strictly limited purpose, and the information deleted immediately.
The digital images or templates stored must be used only for the specified purpose for which they have been provided – and for which consent has been sought or where another relevant exemption applies (as, for instance, in the case of the legitimate use exemption described above). The greater the sensitivity of the personal data concerned, the more likely explicit consent will be required.
The A29 Working Party considers that technical controls should be implemented to ensure that third parties do not gain access to the data and use it in an unauthorised manner. As trials of cashless technology grow for events, it may be that this technology is used by individuals to purchase items using credit stored against their profile, for instance drinks or merchandise. Controllers should be aware of the parameters of consent and that data stored against a user’s profile, including data used for, or available from, facial recognition data, can be valuable information for advertising or marketing agencies profiling consumers.
Similarly, controllers and processors will need to guard against security breaches which may result in unauthorised access to the data. The A29 Working Party advises that technical measures such as encryption will need to be used for data storage and data transit. One method suggested by the A29 Working Party is for biometric encryption techniques themselves to be used so that the cryptographic key is directly bound to biometric data and is only re-created where the correct live biometric sample is presented on verification.
To reduce such concerns the Working Party recommends minimising the data so that the images or templates stored do not contain more data than necessary to perform the specified purpose. Similarly, templates should not be transferable between facial recognition systems. Organisations developing or deploying such technology should also carry out Privacy Impact Assessments (PIA) and follow development methodologies based on Privacy by Design (PbD).
The everyday use of facial recognition software in society to improve security checks for employees, visitors or customers may soon become commonplace when using even the simplest of access control systems.
Data controllers and data processors should be aware of the law in this area as the technology becomes more prevalent. But consequently it appears the law may also need to keep abreast of various ways in which the software can be exploited to monitor and profile individuals using a range of services and ensure adequate protection for data subjects as the technology advances.
For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Digital Media, Technology and Data
T: 0207 634 4655
E: pjames@pitmans.com
Not knowing when to stop puts Twitter libeller on a sticky wicket
March 27th, 2012
Former Nottingham cricketer Chris Cairns has prevailed in his libel claim against Lalit Modi, former chairman of the Indian Twenty20 franchise IPL, yesterday. The conduct of Modi’s case is an object lesson in how not to deal with allegations of internet libel, and the consequences of that approach have been proportionately severe.
The original allegation, posted on Twitter in January 2010, suggested in clear terms that Mr Cairns was involved in match-fixing, an allegation which Mr Justice Bean has now found Mr Modi to have “singularly failed” to substantiate. So, rule 1: Do not make allegations you can’t prove.
The importance of the allegation to an individual’s private or professional reputation will also have an impact on how the Court will view the defamatory statements. In this instance, the Judge found that the allegation was “as serious an allegation as anyone could make against a professional sportsman” and this was reflected in the damages that he awarded. Rule 2: if the allegation is going to have serious professional or personal repercussions for the person referred to, really make sure you can prove it.
Mr Modi, according to various reports this morning, had still not apologised for the tweet at the point at which the judgment was handed down. For internet defamation, a prompt retraction of, and apology for, a defamatory comment will often be the end of the matter, and may indeed provide a defence for the party who originally published the libel. Rule 3, therefore is: if you have published an allegation you can’t prove, retract it quickly and apologise.
Mr Modi, however, went rather further. At the trial Mr Modi’s barrister (presumably on his instructions) made further allegations in his closing submissions that Mr Cairns was being dishonest. According to the BBC website, the barrister used the terms “lie”, “liar” and “lies” 24 times during his closing speech. In circumstances where the judge indicated that he would in any event have awarded substantial damages of £75,000 to Mr Cairns to reflect the very serious nature of the allegations made, those damages were increased by 20% to £90,000 to reflect the conduct of the case in Mr Modi’s defence. Rule 4: if you are already in a potentially bad situation by having ignored Rules 1 to 3, don’t make it worse!
As is so often the case in libel disputes, however, the damages represent a fairly small percentage of the overall cost to Mr Modi of having defended this action all the way to trial. He has also been ordered to pay Mr Cairns’s legal costs, which are said to be in the region of £400,000, and once his own costs (of a likely similar amount) are taken into account, the case as a whole is likely to have cost him almost £1 million. Rule 5: if you ignore the rules – it is going to cost you.
Needless to say Mr Modi is looking to appeal. In the absence of a third official and an instant replay, he is likely to be in for something of a wait, and significant further costs, before the matter is finally concluded.
Will Richmond-Coggan
Director, Solicitor Advocate
T: 0118 957 0369
E: wrcoggan@pitmans.com
On 1 March 2012 the European Court of Justice (ECJ) gave judgment on the much-anticipated Football Dataco case stating that football fixture lists are not protected by copyright if the compilation is not the author’s own intellectual creation even if the compilation itself required significant labour and skill. This decision will impact any company that trades in data. Accordingly, if you license a database, you will need to ensure that the data comprised within it is presented in a sufficiently creative manner that enables it to be protected by copyright.
In Football Dataco and others v YAHOO! UK Ltd and others, Football Dataco organised football matches in England and Scotland and produced fixture lists detailing scores, penalties and player substitutions which were available to their online customers via the web. YAHOO! used these fixture lists to compile data for its own databases. YAHOO!’s business was largely, if not solely, reliant upon Football Dataco’s supply of this data.
Football Dataco claimed the use of this data by YAHOO! without a licence breached their rights by infringing copyright under the Copyright Design and Patents Act 1988 (CDPA) and Articles 3 and 7 of Directive 96/9/EC (Database Directive).
- Article 3 affords copyright protection to databases that in some form constitute the author’s own intellectual creation in regards to the selection or arrangement of its contents. For such protection to exist, evidence of labour and/or skill in the creation of the database itself is not sufficient.
- Article 7, known as the sui generis or database right, subsists whether or not the database or its contents are a copyright work but clear evidence of substantial investment in either the obtaining, verification or presentation of the data is required.
The Court of Appeal held the football fixture lists were protected by Article 3 but no right could be established under Article 7. YAHOO! appealed this decision and the Court of Appeal made a preliminary reference to the ECJ to clarify:
1. What is meant by “databases which, by reason of the selection or arrangement of their contents, constitute the author’s own intellectual creation”; and
2. Whether the Database Directive precludes national rights in the nature of copyright in databases other than those provided for by the Directive
In previous decisions, as seen in Fixtures Marketing Cases (The British Horseracing Board (BHB) and others, Case C-203/02 [2004] ECR I-10415) the ECJ has ruled that the Article 7 database right does not attach to fixture lists or race course data. This is because investment in the creation of data has been held not to amount to investment in the “obtaining, verification or presentation of such data” as required by the Database Directive. In other words, the courts are reluctant to afford database right protection to databases which are created by the party seeking to rely on such protection. Consequently, the need to seek to rely on copyright protection is increasingly important to retain value in a database.
Whilst awaiting the formal decision from the ECJ, the Advocate General made some preliminary remarks highlighting a clear distinction between the creation of data and its subsequent arrangement. He stated that a database must be the intellectual creation of the author to be protected by Article 3 of the Directive and that protection may be provided by implementing a creative element when the pre-existing data is assembled into a database.
Upon handing down its decision earlier this week, the ECJ have seemingly followed the Advocate General’s opinion. The Database Directive does not extend protection to databases where significant labour and skill are required in the creation if the labour or skill does not express any originality in either its selection or arrangement. Furthermore, it was held that the Database Directive is intended to harmonise European law, so that, following the ECJ ruling, a claim for copyright protection as a literary work under the CDPA was no longer available.
Whilst awaiting the application of this decision by the Court of Appeal, it is clear that football leagues will face economic damage from having to curtail their income from licensing fixture lists, but the knock-on effect on other databases has yet to be seen.
For further information, please contact a member of Pitmans’ Data Privacy & Information Law or Intellectual Property teams.
Philip James
Partner, Digital Media, Technology and Data
T: 0207 634
E: pjames@pitmans.com
ECJ Finds ISP Filtering Falls Foul of EU Law
December 2nd, 2011
The ECJ has held that an order imposed by a Belgian court, which required an internet service provider (“ISP”) to filter and block access by its customers to files containing infringing copies of musical works, was incompatible with EU law. (Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL, Case C-70/10, 24 November 2011.)
The case concerned questions referred by the Brussels Court of Appeal to the ECJ regarding Scarlet, an ISP. Scarlet was ordered by a Belgian court to make it impossible for its customers to share files that infringe rights held by members of SABAM, the Belgian Society of Authors, Composers and Publishers.
In 2004, SABAM established that users of Scarlet’s services were downloading works in SABAM’s catalogue from the Internet, without authorisation and without paying royalties, by means of peer-to-peer networks (a transparent method of file sharing which is independent, decentralised and features advanced search and download functions).
Upon application by SABAM, the President of the Brussels Court of First Instance ordered Scarlet, in its capacity as an ISP, to bring those copyright infringements to an end by making it impossible for its customers to send or receive in any way electronic files containing a musical work in SABAM’s repertoire by means of peer-to-peer software.
On appeal to the ECJ, it held that EU law precludes the imposition of an injunction by a national court which requires an ISP to install a filtering system with a view to preventing the illegal downloading of files. It concluded that such an injunction does not comply with the prohibition on imposing a general monitoring obligation on such a provider. The filtering system would mean that the ISP was required to monitor data relating to its customers, which is explicitly prohibited by Art 15 of the E-Commerce Directive.
The ECJ also ruled that the injunction did not comply with the requirement to strike a fair balance between, on the one hand, the right to intellectual property, and, on the other, the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information – fundamental rights safeguarded by the Charter of Fundamental Rights of the EU.
The case follows an earlier UK ruling where BT became the first ISP to be forced by a court order to block its customers from accessing a website on grounds of copyright infringement. The site in question, www.newzbin.com, allowed users to share data files, predominantly pirate films, TV show downloads and music. The case was brought by six major film studios.
Scarlet was held distinguishable in that the film studios were not asking for an unlimited filtering system for all customers, but rather for a clear and precise injunction requiring BT to implement an existing technical solution which BT itself had accepted would be technically feasible and the costs would not be excessive. Therefore, it was not in breach of Article 10 of the European Convention of Human Rights.
It is clear the scope of the injunction sought and the technical feasibility of achieving it will be relevant in each case. This also does not bode well for any orders which the Secretary of State may make under the Digital Economy Act (DEA), as any such orders to prevent unlawful file sharing may be unenforceable under EU law for similar reasons.
The online infringement provisions of the DEA oblige ISPs to assist in identifying copyright infringers and allow enhanced measures to be taken against copyright infringers, including an ability to require ISPs to suspend internet connection to persistent offenders. Following a recent Judicial Review (JR) by BT and Talk Talk, the High Court has held that the provisions of the DEA are compatible with EU law; so, whilst copyright owners and the government are relieved by the JR decision, the issue still very much remains open in light of Scarlet.
For more information, please do not hesitate to contact Pitmans’ Intellectual Property Team.
Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com
Don’t be under insured this Christmas!
November 28th, 2011
Once again ‘the season to be merry’ is almost upon us and it’s time to plan the party!
However whether you are a business simply planning to entertain clients and contacts or, for example, an organisation planning a music festival or major event for the public next year the principle is the same – don’t forget to check your insurance cover!
The laws that impose duties upon organisers of events, especially from a liability perspective, are surprisingly wide. However, fortunately there is a wide range of insurance cover available and there needs to be as the implications if things go wrong can have a devastating effect upon businesses and those who run them. The critical consideration is to ensure that all potential risks are covered as far as possible.
By way of illustration, if a member of the public attending your event were to suffer serious injury or die in an accident caused by a failure of your employees or agents to safely erect temporary steps then the consequences could be far reaching. The same would apply if one of your employees suffered serious injury or died due to inadequate supervision or safety precautions taken during their work.
Following a serious accident the law enforcement agencies, which include not only the Police but the Health & Safety Executive and the Environmental Health Officers of the local Authorities, would immediately commence investigations and could issue a prohibition notice closing the event if they suspected there was a likelihood of reoccurrence.
Further, if they suspected that there were breaches of Health & Safety law then criminal prosecutions could follow against the organisers of the event and/or against the directors or senior officers if their gross negligence caused the incident.
Successful prosecutions could lead to unlimited fines for the business and imprisonment for the individuals concerned together with very bad publicity which could have a devastating effect on the business.
In the event of a death then there would also have to be an Inquest at which the business may have to explain their actions.
In either event there would no doubt be a civil claim for damages either by the injured individual or, following a fatality, by the Estate on behalf of any dependents.
In addition to needing insurance cover for liability risks there are a multitude of other prospective risks and related insurance coverage that should be considered by organisers and it is appropriate now to review some of the more common:
Property: cover for premises against damage, office contents, musical instruments, hired-in equipment, marquees, audio & visual equipment and plant, merchandise stock, CDs, and promotional materials.
Business Interruption: should there be a fire, flood, power or telecommunications failure, then BI insurance offers protection for income streams during physical and technological disruptions.
Employers’, Public and Product Liabilities: Employers’ liability insurance is of course compulsory and it should cover not only your own full time employees but part time contractors, volunteers and freelancers. Audiences will be covered by public liability insurance and food/drink and merchandise by product liability cover.
Financial: misappropriation, loss of cash, box office receipts, fees, subsistence expenses and merchandise.
Legal Expenses: provides cover for legal advice and representation of your company in health & safety issues, employment disputes and contract disputes, and can provide an advisory service. This is often included in a ‘combined risk’ policy.
Professional Indemnity: provides cover against claims of negligence, breach of duty or mismanagement.
Cancellation Insurance
Cancellation cover replaces lost revenue and reimburses expenditure incurred from an event which is necessarily and unavoidably postponed, abandoned, cancelled, curtailed or relocated in circumstances beyond your control. For artist managers, it can also protect commission income streams for high-earning performers.
Cyber Liability Insurance
Your current insurance coverage may not protect against the special risks that accompany your activities into the online space. Cyber Liability cover can provide protection against the new risks that come with this continually developing technology.
Directors liability
Increasing regulation is placing greater pressure on company directors & officers to perform meticulously. If a shareholder, employee or any other 3rd party thinks a director or officer has failed to exercise ‘due care’ in the running of a business claims can be made against them personally.
Safety planning for an event is outside the scope of this article but don’t forget:
Risk assessments for members of the public attending the event and employees working on it should always be carried out by a person deemed ‘competent’ under the requisite Regulations.
Being able to point to the existence of a risk management plan can be invaluable in the event of an unexpected incident. The plan may be a simple document incorporating a communication plan should an incident occur.
Conclusion
Don’t forget that your risk exposure starts as soon as you sign a contract with the venue to host the event. Consider all of your risks when in the planning stage and the contractual liabilities that you will be liable for if things don’t go according to plan.
Accordingly, it is critical to regularly check the adequacy of your insurance coverage with your brokers. Ensure full descriptions of your actual and intended business are recorded in writing to your brokers and passed to your insurers so they can assess the risks and charge an appropriate premium that reflects the risks.
You should ensure you understand the nature and extent of the policy coverage, the policy exclusions and limitations such as whether legal advice cover is included for any enforcement authority investigation and/or prosecution before agreeing terms and paying the policy premium.
This article is only intended to provide a brief summary of some of the main insurances that organisers of an event should consider and discuss with their brokers.
If you would like any specific advice on the legal implications of holding an event, please contact Alan Davies, Defendant Insurance Partner and member of the Hospitality Sector or Nicola Kirk, Dispute Resolution Partner and Head of the Hospitality Sector.
Alan Davies
T: +44 (0)118 957 0300
E: alandavies@pitmans.com
Nicola Kirk
T: +44 (0)118 957 0226
E: nkirk@pitmans.com
Facebook’s recent, silent UK roll-out of its auto-tagging functionality, which prompts users to tag facial-recognition links of friends, has given further cause for concern over privacy in relation to social network sites (“SNSs”). Philip James, Partner, and Carolyn Butler, Solicitor, at Pitmans LLP examine how the existing regulatory framework and technology needs to adapt and evolve to protect users’ identities online more effectively.
Tagging and Privacy
“I never forget a name or a face, but sometimes have difficulty correlating the two.”
Anon
Recently, the media’s attention has focused on the rights of individuals to control the use of their facial image online. In particular, Facebook’s largely unannounced launch of its auto-tagging functionality in the EU in June, which followed its official launch in the US in December last year, has caught the attention of the European Commission, as well as local regulators.
Facebook has featured ‘tagging’ on its photo-sharing facility for some time now. This is a feature that allows an individual in a photo to be identified by a ‘tag’ that contains personal information such as the individual’s name and a link to his or her profile on the relevant SNSs. For the benefit of anyone viewing the photo, the tag identifies the individual depicted from other people of the same name using that SNS. For the individual that has been tagged, he or she is alerted as part of the tagging process that a photo featuring them has been uploaded (and, significantly, only after they have been tagged are they notified and presented with an opportunity to remove the tag).
The process of tagging individuals in a series of photographs was previously a relatively manual exercise. Now, following the trend evident in Google’s Picasa image-organising suite and Face.com’s Photo Finder and Photo Tagger apps, Facebook’s auto-tagging function uses facial-recognition technology to streamline the tagging process. Facial-recognition software works as follows:
• it analyses a digital image for the distinguishable landmarks that make up facial features;
• it then converts the data derived from those landmarks into a numerical code called a ‘faceprint’;
• the faceprint acts like a digital ‘fingerprint’ which is then compared against other faceprints on a particular database to find a match; and
• since Facebook already has a vast database of tagged images at its disposal, its software identifies a person’s face in photos by analysing and comparing the new image against other images where that person has previously been tagged.
Given a faceprint’s similarity to a fingerprint, there is significant concern as to how tagging, and auto-tagging, in particular, compromises privacy. This concern derives from the lack of the requisite prior consent from the data subject to this type of tagging. This also raises the issue of whether a more stringent level of consent should be required for facial recognition tagging (and whether this should be considered to be sensitive personal data, in the same way as possibly location data should also be).
On Facebook, consent is not sought from individuals before a tag is placed on a photo – they are only notified once they have been tagged. Even though, under Facebook’s terms of use, users are required to seek consent from those individuals before tagging them, this requirement is not brought to the users’ attention during the tagging process and undoubtedly, that requirement is not observed by users in practice. Gerard Lommel, of the Article 29 Data Protection Working Party, agrees that “tags of people on pictures should only happen based on people’s prior consent”. Nevertheless, consent is not automatically sought as part of the tagging mechanism, a fact that had not attracted much attention, let alone widespread criticism, until auto-tagging recently forced the issue into the limelight.
Under the current law, personal data is defined as:
“data relating to a living individual who can be identified from it, or from the data and other information which is in the possession of (or is likely to come into the possession of) the data controller”
Personal data must be lawfully processed, not kept longer than is necessary and, unless certain other exempting criteria apply, the data subject must give his or her unambiguous consent to processing. There is some debate as to whether SNSs can be properly characterised as “data controllers”, but the opinion of the Article 29 Working Party is that they are (see also recent opinions issued by the Canadian privacy regulator which is often seen as a trailblazer in relation to social-networking regulation).
Facebook would be well advised to review the ways in which it should obtain the requisite consents to process personal data in the context of its auto-tagging facial technology. In so doing, specific and informed consent will need to cover:
• Firstly, the actual processing of users’ faces to create the faceprint and name suggestion (‘faceprint name’) (undoubtedly, having their ID facially recognised was not in the contemplation of data subjects at the time of accepting Facebook’s terms of use); and
• Secondly, the act of tagging itself, once another user has confirmed the suggested faceprint name.
It will come as no surprise that all Facebook privacy settings are switched off by default (therefore opting users in to the technology). Once users have discovered that the auto-tagging function exists, it is up to them to opt out of auto-tagging by amending their privacy settings. For many users, the procedure to engage privacy screening is too complicated for them to navigate successfully. Often, users do not realise that they need to amend their settings themselves. Since the activation of auto-tagging was not announced, users were not even aware of the need to adjust their privacy settings before (and not until some time after) the function was activated. This raises the question of what privacy notices users should be required to review before they sign up, as well as at the time any new feature is introduced. Requiring users to review and confirm their settings on their privacy dashboard at both points would greatly assist SNSs in satisfying compliance requirements.
In a wider context, facial-recognition software used in other technological applications, such as in the analysis of CCTV footage, is fuelling civil liberties concerns and has prompted Parliament to introduce further regulatory provisions. While the Information Commissioner already has a code of practice for monitoring CCTV images that covers the whole UK (including the public and private sectors), its enforcement powers have never been used. The Protection of Civil Liberties Bill, which is currently before the House of Commons, introduces measures such as a new body to regulate CCTV, a code of practice for surveillance camera systems (including facial and ‘gait’ (i.e. a person’s way of walking) recognition systems), and provides for judicial approval of certain surveillance activities by local authorities.
EU Policy
The European Commission observed in its strategic communication on A comprehensive approach on personal data protection in the European Union, issued in November last year, that “social networking… presents significant challenges to the individual’s effective control over his/her personal data”. Viviane Reding, the Vice-President of the European Commission and EU Justice Commissioner, agrees. In March she spoke to the European Parliament about how the modernisation of the existing legal framework will enshrine “four pillars” of online data protection for individuals. In relation to social-networking sites, individuals should enjoy:
• A right to be forgotten, where individuals shall have the right to withdraw their consent to data processing, and have their personal data deleted from servers;
• Transparency, where users of social networking are properly informed of the restrictions over their control of their own private data or that their data may be made irretrievably public;
• Privacy by default, since privacy settings often require considerable operational effort in order to be put in place and therefore such settings are not a reliable indication of users’ consent; and
• Protection regardless of data location, where domestic privacy regulators shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target consumers in the EU.
It is clear from this missive that the European Commission has SNSs including other location-based services firmly in its sights. Reding’s four pillars will encourage SNSs to lead by example to inculcate a culture of privacy.
The Article 29 Working Party has argued for data controllers to demonstrate greater accountability in, for example, producing and enforcing data protection compliance programmes. However, supplemental to that objective is the need for users to be better educated about the intrinsic risks and responsibilities in uploading their own and their friends’ personal data to SNSs. Whilst it is not suggested that the “household exemption” is removed and direct enforcement action is taken against individuals, regulators may consider that placing a duty on SNSs to ensure that users comply with data privacy laws is the only means of effectively protecting the public from their own worst enemy: themselves.
Right to be forgotten
Even where consent is given, data subjects will shortly have a legal right to withdraw their consent and request the deletion of content: a “right to be forgotten”. Implicitly, this applies to all online data concerning an individual, whether they uploaded it themselves or otherwise. Again, SNSs will need to consider how the developing EU policy, which will shortly become legislation, may affect the existing and future processes programmed into their products. Examples of this may include:
• introducing functionality that allows user generated content to ‘fade’ (or automatically be suppressed) after a defined period (cf. the time limits search engines employ);
• in addition to making it simpler for users to delete their profile, allowing users an ability to remove all tags (simple or faceprints) which reference their name (by means of identifying a UID which links any tags to their profile);
• encouraging third-party developers to produce Privacy Enhancing Technology (PETs) in the form of applications which users can add to their profile to give them greater control over the use of their ID, and to scour for and remove any unwanted tags, or provide users with customised privacy dashboards to allow greater control over their data.
By the same measure, the European Commission needs to be realistic and alive to the practical dynamics of SNSs in developing policy. While SNSs can remove content if notified to do so, they have little control over the content being uploaded by users, and the possibilities that content holds for infringing the rights of other users. The elements that SNSs can control, and which should therefore be targeted by the Commission, are the technical mechanics used to upload and protect personal data.
Poacher turned Gamekeeper
While certain applications have the potential to undermine privacy, the same tools can be harnessed to protect it. Although PETs are not new, consumers that may be alarmed by the ways in which their privacy may be compromised are driving the demand for technological solutions.
For example, Face.com’s Photo Finder already allows users to apply face-recognition software to Facebook searches to find photos of themselves or their friends that have not yet been tagged. This application could allow individuals to regain control of their own personal data by identifying unknown sources of personal data in order to arrange its deletion.
Google has to date resisted the temptation to combine its Picasa face-recognition software with its popular Google Image Search, saying that such an innovative step would be “creepy”.
In any event, any organisation seeking to employ facial recognition technology should carry out a PIA (or privacy impact assessment) and ensure its technology has been devised using the concept of Privacy by Design (PbD). It would be an interesting exercise to audit what steps and precautions those who are currently employing such technologies have taken to measure the potential effect its use may have on people’s privacy. In the vein of ‘Jack Bauer and 24’: “we’re watching you”.
This article was published in the June 2011 issue of Data Protection Law & Policy and has kindly been reproduced with the consent of the publisher.
For further information regarding Pitmans Intellectual Property legal services, please contact:
Philip James
Partner, Intellectual Property
+44 (0)207 634 4655
pjames@pitmans.com
Carolyn Butler
Solicitor, Corporate
+44 (0)118 957 0234
cbutler@pitmans.com
For further information, please see “The Information Commissioner’s response to the Home Office Consultation on a code of practice relating to surveillance cameras” and “The Information Commissioner’s evidence to The Public Bill Committee on the Protection of Freedoms Bill”, both dated 24 May 2011 and available from the ICO’s website
Hargreaves Report “not revolutionary enough”
May 19th, 2011
Response from Pitmans LLP to the Hargreaves report:
Leading law firm believes that the Hargreaves Report into outdated copyright laws falls short of making significant enough recommendations and fails to address some key issues.
Nigel Dewar Gibb in Pitmans’ media and entertainment team said:
“At Pitmans SK we have been involved in a significant investigation into global income flows from IP assets, a key issue that has not been addressed by the Hargreaves Report. The Report’s objectives are to remove the obstructions to innovation and promote economic growth. In order to fully do that the economic benefits need to flow through from rights users to rights owners and to creators who are often not the rights owners as they have usually assigned their rights. Regrettably, the report is largely silent on the issues that surround existing copyright databases and royalty supply chains and the benefit that might come from shining a spotlight on these.”
Nigel Dewar-Gibb
+44 (0)20 7634 4629
ndewargibb@pitmans.com
