Data Processors in the Crosshairs
May 17th, 2012
The European Commission (EC) has proposed a new draft Regulation on the processing of personal data. Significantly, the draft Regulation shifts substantial statutory compliance obligations on to data processors. This note highlights the areas of the draft Regulation that will be of most concern to data processors should it be adopted in its current form.
Who is in the sight?
Data processors are those who process personal data on behalf of a data controller, for example, a third party provider of:
- outsourced payroll services;
- a CRM database;
- a call centre;
- hosting services; or
- a managed IT service or cloud provider.
So what’s new?
Under the current 1995 Data Protection Directive (Directive) (implemented in the UK in the form of the Data Protection Act 1998), data processors are not primarily liable for failure to comply with the Directive. Consequently, they do not face the same sanctions as data controllers for non-compliance. Instead, data processors currently have obligations passed to them through compulsory data processing agreements with data controllers. In this way, data controllers may set off some of their liability for breach of the Data Protection Directive in their corresponding supply agreement(s) with the relevant data processor(s). Experience has shown that some, if not most, of the high profile data breaches or losses of personal data have been caused by the default of an appointed third party supplier (or data processor). The new Regulation seeks to address this.
Set out below are some of the key changes in the draft Regulation that are aimed at imposing greater compliance responsibility upon data processors.
Technical measures
Article 30 requires data processors themselves to implement and maintain technical and organisational measures to keep the data they hold secure and to prevent unlawful destruction or accidental loss as well as unlawful forms of processing such as unauthorised dissemination and access. The obligation is subject to the nature of the data held, and is to be proportionate to the cost of such measures. Nevertheless, the requirement is directly enforceable against data processors themselves.
Joint controller
Under Article 26, where a data processor processes personal data other than as instructed by the data controller, the data processor shall be considered a joint data controller and, under Article 24, will be subject to potentially onerous provisions relating to data subject access.
Record keeping
Data processors will also be subject to the obligation to maintain documentation on all processing operations under their responsibility and the detail of all the information to be retained is set out in Article 28(2). The Information Commissioner’s Office (ICO) has suggested that, rather than prescribe in detail the extensive range of documentation data processors are required to maintain, the Regulation should instead focus on providing a desired outcome so as to prevent processors and controllers keeping the same documentation. Otherwise, the cost to data processors’ business in keeping such records may be disproportionate and is likely to be impractical in any circumstance given the current level of detail required.
DPOs
Under Article 35, all organisations processing data with 250 employees or more, and all public authorities, must designate a Data Protection Officer (DPO) who shall be responsible for compliance. The data processor and data controller may appoint a joint DPO. The DPO will be required to notify a personal data breach to the relevant supervisory authority, where feasible, within 24 hours of becoming aware of the breach. There is a similar obligation to notify the data subject ‘without undue delay’ where the data breach is likely to adversely affect the protection of personal data and privacy. The prescribed timescale within which notification must be made differs from the guidance-based approach which is currently applied in the UK.
As a result, data processors will face an as yet unknown administrative burden in order to ensure they comply with all the new obligations in the Regulation.
In the firing line: fines
Most significantly, data processors may now also be directly liable for any sanctions that are imposed by the competent regulating authority (in the UK, the ICO) for intentional or negligent failure to comply with the Regulation. The fines work on a sliding scale but the maximum fine that may be levied for breaches as specified in Article 79 of the Draft Regulation is 1,000,000 EUR or up to 2% of annual worldwide turnover.
However, the relevant supervisory authority may also impose a ban on processing, or order the destruction of data. This could severely disrupt companies which have data processing at the heart of their commercial enterprise. Even where such a ban is imposed, the fact that data processors are now also firmly in the limelight and crosshairs of the regulators (and any subsequent enforcement action) means that a data processor’s brand and reputation are now at significantly greater risk. Under the current regime, any liability may be dealt with behind closed doors under the auspices of private contract. Individuals will also have the right to sue the data processor for compensation for any damage suffered as a result of unlawful processing of data.
Further, data processors will be just as susceptible to the challenges posed by hacking and cyber risk. The last year has seen numerous ‘hacktivists’ target companies which hold or process data and all have been seen to suffer reputational damage where customer data has been accessed.
How welcome is the new Regulation?
The extension of obligations to data processors is likely to be well received by data controllers by forcing data processors to take greater direct regulatory responsibility for data protection compliance. Indeed some data processors may also be unsurprised by this paradigm shift and in some respects may be better equipped and experienced to achieve compliance. Leading data processors may therefore also welcome the changes which may reflect some of their existing current business practice.
However, the proposed changes are likely to affect the costs and pricing models of outsourced and cloud based services significantly in light of the increased compliance risk. There is also therefore likely to be substantial resistance to some of the proposed changes, either because of the added cost implications or impracticality.
Other implications
The change in onus to data processors may well also impact the terms of standard processor service contracts, as data processors may be reluctant to provide data controllers with indemnities for their own failure to comply with data processing obligations. However, Article 26 identifies more measures to be included in data processing agreements and it appears that these documents will become more important and complex as both the data processors and data controllers seek protection from their liability under the new draft Regulation. In addition, there appears to be some duplication of responsibilities under the Regulations; accordingly data processors and data controllers should take this opportunity to respond to the draft Regulation to avoid confusion and inappropriate duplicated responsibilities (e.g. the requirement to maintain documentation).
Regulation versus Directive
Data processors should also be aware of the legal status of an EU Regulation. Whereas directives require the EU member states to transpose the EU law into national law by enacting their own legislation, Regulations are binding law as soon as they are brought into force. Peter Hustinx, the European Data Protection Supervisor, has stated that the draft Regulation is not intended to substitute or replace the existing Privacy and Electronic Communications Directive (Privacy Directive). Under the Privacy Directive, ‘Service Providers’ such as telcos and ISPs are bound to notify serious breaches not only to their relevant supervisory authority, but also, in some cases, to their customers. The EU does not propose to revise or update the Privacy Directive for several years when it is due for review. Accordingly, there is likely to be some overlap, conflict and inconsistency between the proposed Regulation and existing Privacy Directive (e.g. the fine for a Service Provider’s failure to notify under the Privacy Directive is only £1,000).
Timetable
Data processors will need to be alive to the changing legislative framework. It is anticipated that it will be a further two years before the proposals come into force when adopted. The ICO, however, in responding to the draft Regulation, has recommended that it be brought in earlier than the customary two years following official publication. Data processors are advised to respond to the draft Regulation with any concerns. In addition, data processors should also start preparing now to ensure that they maintain their edge against competitors in this space so as to demonstrate best practice and assess and take steps to mitigate the potential impact of the draft Regulation.
For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Pitmans SK Sport & Entertainment
T: 0207 634 4
E: pjames@pitmans.com
Not knowing when to stop puts Twitter libeller on a sticky wicket
March 27th, 2012
Former Nottingham cricketer Chris Cairns prevailed in his libel claim against Lalit Modi, former chairman of the Indian Twenty20 franchise IPL, yesterday. The conduct of Modi’s case is an object lesson in how not to deal with allegations of internet libel, and the consequences of that approach have been proportionately severe.
The original allegation, posted on Twitter in January 2010, suggested in clear terms that Mr Cairns was involved in match-fixing, an allegation which Mr Justice Bean has now found Mr Modi to have “singularly failed” to substantiate. So, rule 1: Do not make allegations you can’t prove.
The importance of the allegation to an individual’s private or professional reputation will also have an impact on how the Court will view the defamatory statements. In this instance, the Judge found that the allegation was “as serious an allegation as anyone could make against a professional sportsman” and this was reflected in the damages that he awarded. Rule 2: if the allegation is going to have serious professional or personal repercussions for the person referred to, really make sure you can prove it.
Mr Modi, according to various reports this morning, had still not apologised for the tweet at the point at which the judgment was handed down. For internet defamation, a prompt retraction of, and apology for, a defamatory comment will often be the end of the matter, and may indeed provide a defence for the party who originally published the libel. Rule 3, therefore is: if you have published an allegation you can’t prove, retract it quickly and apologise.
Mr Modi, however, went rather further. At the trial Mr Modi’s barrister (presumably on his instructions) made further allegations in his closing submissions that Mr Cairns was being dishonest. According to the BBC website, the barrister used the terms “lie”, “liar” and “lies” 24 times during his closing speech. In circumstances where the judge indicated that he would in any event have awarded substantial damages of £75,000 to Mr Cairns to reflect the very serious nature of the allegations made, those damages were increased by 20% to £90,000 to reflect the conduct of the case in Mr Modi’s defence. Rule 4: if you are already in a potentially bad situation by having ignored Rules 1 to 3, don’t make it worse!
As is so often the case in libel disputes, however, the damages represent a fairly small percentage of the overall cost to Mr Modi of having defended this action all the way to trial. He has also been ordered to pay Mr Cairns’s legal costs, which are said to be in the region of £400,000, and once his own costs (of a likely similar amount) are taken into account, the case as a whole is likely to have cost him almost £1 million. Rule 5: if you ignore the rules – it is going to cost you.
Needless to say Mr Modi is looking to appeal. In the absence of a third official and an instant replay, he is likely to be in for something of a wait, and significant further costs, before the matter is finally concluded.
Will Richmond-Coggan
Director, Solicitor Advocate
T: 0118 957 0369
E: wrcoggan@pitmans.com
On 1 March 2012 the European Court of Justice (ECJ) gave judgment on the much-anticipated Football Dataco case stating that football fixture lists are not protected by copyright if the compilation is not the author’s own intellectual creation even if the compilation itself required significant labour and skill. This decision will impact any company that trades in data. Accordingly, if you license a database, you will need to ensure that the data comprised within it is presented in a sufficiently creative manner that enables it to be protected by copyright.
In Football Dataco and others v YAHOO! UK Ltd and others, Football Dataco organised football matches in England and Scotland and produced fixture lists detailing scores, penalties and player substitutions which were available to their online customers via the web. YAHOO! used these fixture lists to compile data for its own databases. YAHOO!’s business was largely, if not solely, reliant upon Football Dataco’s supply of this data.
Football Dataco claimed the use of this data by YAHOO! without a licence breached their rights by infringing copyright under the Copyright, Designs and Patents Act 1988 (CDPA) and Articles 3 and 7 of Directive 96/9/EC (Database Directive).
- Article 3 affords copyright protection to databases that in some form constitute the author’s own intellectual creation in regards to the selection or arrangement of its contents. For such protection to exist, evidence of labour and/or skill in the creation of the database itself is not sufficient.
- Article 7, known as the sui generis or database right, subsists whether or not the database or its contents are a copyright work but clear evidence of substantial investment in either the obtaining, verification or presentation of the data is required.
The Court of Appeal held the football fixture lists were protected by Article 3 but no right could be established under Article 7. YAHOO! appealed this decision and the Court of Appeal made a preliminary reference to the ECJ to clarify:
1. What is meant by “databases which, by reason of the selection or arrangement of their contents, constitute the author’s own intellectual creation”; and
2. Whether the Database Directive precludes national rights in the nature of copyright in databases other than those provided for by the Directive.
In previous decisions, as seen in Fixtures Marketing Cases (The British Horseracing Board (BHB) and others, Case C-203/02 [2004] ECR I-10415) the ECJ has ruled that the Article 7 database right does not attach to fixture lists or race course data. This is because investment in the creation of data has been held not to amount to investment in the “obtaining, verification or presentation of such data” as required by the Database Directive. In other words, the courts are reluctant to afford database right protection to databases which are created by the party seeking to rely on such protection. Consequently, the need to seek to rely on copyright protection is increasingly important to retain value in a database.
Whilst awaiting the formal decision from the ECJ, the Advocate General made some preliminary remarks highlighting a clear distinction between the creation of data and its subsequent arrangement. He stated that a database must be the intellectual creation of the author to be protected by Article 3 of the Directive and that protection may be provided by implementing a creative element when the pre-existing data is assembled into a database.
Upon handing down its decision earlier this week, the ECJ have seemingly followed the Advocate General’s opinion. The Database Directive does not extend protection to databases where significant labour and skill are required in the creation if the labour or skill does not express any originality in either its selection or arrangement. Furthermore, it was held that the Database Directive is intended to harmonise European law, so that, following the ECJ ruling, a claim for copyright protection as a literary work under the CDPA was no longer available.
Whilst awaiting the application of this decision by the Court of Appeal, it is clear that football leagues will face economic damage by having to curtail their income from licensing fixture lists, but the knock-on effect on other databases has yet to be seen.
For further information, please contact a member of Pitmans’ Data Privacy & Information Law or Intellectual Property teams.
Philip James
Partner, Digital Media, Technology and Data
T: 0207 634
E: pjames@pitmans.com
Fashion Blogger v Tesco: Unauthorised use of image
March 8th, 2012
A young fashion student, Nicola Kirkbridge, is taking on supermarket giant Tesco over the use of a photograph of her taken from her popular fashion blog. The photograph of Miss Kirkbridge modelling the latest fashion trends has appeared on a children’s jumper sold by Tesco throughout their stores nationwide without her knowledge.
According to reports, Tesco have responded to Miss Kirkbridge claiming they have no idea why this has happened and removed the product from sale pending a full investigation. The steps they have taken are understandable, as unless Tesco can establish that their use of the photograph was authorised, Miss Kirkbridge will have a claim of copyright infringement against them. For such a big player in the retail market to have used an unauthorised photograph highlights the confusion surrounding the use of photographs and other images that are available on the internet.
It is also interesting that Miss Kirkbridge’s photo had appeared on a blog; much has been written recently about the loss of control of photographs and other images when uploaded onto social media sites. Whilst uploading your photograph or image to a social media site doesn’t necessarily mean that Tesco and others have the right to use that photograph, if you do wish to control the use of your photograph or image you should check the terms and conditions of any site before you upload it.
Pitmans’ Retail Team regularly work with retailers and their marketing and design teams to provide advice and training on the use and creation of photographs, images and designs with the aim of avoiding intellectual property infringement claims.
For further information please contact one of our Intellectual Property specialists within Pitmans’ Retail Team.
Sally Britton
Partner
T: 0207 634 4623
E: sbritton@pitmans.com
Alan Hunt
Solicitor
T: 0207 634 4632
E: ahunt@pitmans.com
Google’s premier privacy policy violates EU law
March 2nd, 2012
European Union Justice Commissioner Viviane Reding has stated that Google’s new privacy policy, launched yesterday, contravenes European law.
The new policy, announced by Google in January, consolidates 70 plus privacy policies into one main document to govern the majority of its products. The aim by Google is to explain what information is collected and how it is used in a much more readable way, with less “legal gloop to wade through”. Google have cited that the multiple policies were over complicated, and at odds with their efforts to integrate its different products more closely.
In practice, according to Google, users signed in to Google Accounts will be treated as a single user across all the products, meaning Google is able to combine information provided from one service with information from other services. Essentially, private information collected from browsing data and web history by one Google service can be shared with its other platforms, including YouTube, Gmail, Google+ and Blogger. This is to allow it to offer better targeted advertising to users, and customise search results more efficiently.
Google stated it was confident that its “new simple, clear and transparent privacy policy respects all European data protection laws and principle”. EU data protection agencies beg to differ however, concluding that the new policy does not meet the requirements of the European Directive on Data Protection. Following an investigation by France’s privacy watchdog CNIL (Commission nationale de l’informatique et des libertés) Reding announced “they have come to the conclusion that they are deeply concerned, and that the new rules are not in accordance with the European law, and that the transparency rules have not been applied”.
Despite being warned of CNIL’s concerns, Google proceeded with the launch, and defended the policy stating that it will not change any existing privacy settings or how information is shared outside of Google, with no additional information being collected.
Google has sparked further outrage with its Android users, after it emerged that they must accept the new policy. It has advised that any users concerned about the impact of the changes should choose not to login to the Google Account on their smartphones, but this means certain applications will be inaccessible. The news has prompted one privacy campaigner to sue Google for the cost of his handset.
To add to its woes, Google has received more widespread criticism of its new policy. The National Association of Attorneys General (NAAG) last week sent a letter signed by 36 state and territorial Attorneys General detailing their “strong concern” with the policy. It highlighted that the policy fails to provide users with an “opt-in” or “opt-out” option. The letter further cited that the automatic sharing of personal information and the ability to learn the whereabouts of users, without their authority, amounts to an invasion of privacy.
Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, comments, ‘Viviane Reding’s statement is a clear indication of the EU’s determination to protect consumer privacy and reflects the importance it places on Privacy by Default. The aggregation of a multitude of sites storing users’ profile data, coupled with Google’s increasingly dominant Android mobile platform places Google in a privacy predicament; it will need to be seen to be doing more than others to achieve compliance and prevent successful challenges to its approach. Its recent move is a direct result of its need to maintain market position in the light of Facebook’s continued success’.
CNIL has said it will send Google questions on the changes by mid-March. It remains to be seen how Google will deal with such criticism and probing, but it is safe to say that such scrutiny should be taken seriously.
If you would like further information about Google’s new privacy policy, and how it will affect you, please contact Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Head of Data Privacy & Information Law
T: 0207 634 4655
E: pjames@pitmans.com
Employers can tell how good you’ll be at your job based on your Facebook profile (and those drunken photos aren’t all bad)
February 28th, 2012
According to a recent study carried out at a university in America, employers may look favourably on an individual based on their social network page. The study showed that an employer is able to tell how good an individual will be just from looking at their Facebook page. Pictures showing drunken nights out, travels etc suggest that the individual is personable and social, an attractive quality for employers. However, as positive as the results suggest, this is clearly only one side of the story.
A Facebook page may actually discourage some employers from recruiting an individual and there has in fact been evidence which supports this argument and understandably so. If an individual has made comments about their previous employer then this is a cause for concern. Likewise if they have been making derogatory comments, voicing extreme opinions or there are compromising pictures employers may not want to be associated with such an individual. Social media carries risk for an employer as comments and pictures can go viral. An employer will not want to risk hiring someone who freely shares all information and pictures no matter how damning or personal they may be as their actions could end up damaging the employer’s reputation.
Some employers do vet potential employees’ Facebook pages so individuals would be wise to keep their profiles clean and professional, thus maintaining their credibility. Although you can restrict who views your profile, privacy only extends so far. An employer does not have to seek an individual’s permission before checking profiles.
Likewise, an employer also needs to be careful: if they choose to reject an individual for a job on the basis of what they have seen on a Facebook page and the individual in question discovers this, then the employer is potentially at risk of a discrimination claim. You should make it clear from the outset what the job process involves and what you do. Any vetting of people’s pages should be proportionate and only carried out when necessary. An employer must be fair to all applicants; some people won’t have a Facebook page and those that do, if you view their page, view them with an open mind. Broadly speaking, an employer should not make a judgement based on what they see; remember this is an individual’s right to express themselves. It is not necessarily an indication of how they will be in their professional life.
Viewing social media pages may be a useful tool but one should take care not to rely on what these pages contain. Yes a profile may make someone more attractive to employers but there will be cases when this is not so. Remember there are two sides to every story.
For further information on this article, please contact Pitmans’ Employment Team.
Mark Symons
Partner, Head of Employment
T: 0118 957 0340
E: msymons@pitmans.com
Cyberbullying – A time to take note
February 16th, 2012
Thanks to the media and public figures speaking out, awareness of cyberbullying is ever increasing. Due to the rise of the internet, the use of smart phones and the increasing popularity of social media sites such as Twitter and Facebook, cyberbullying is widespread. It doesn’t just occur during work time or school time; it can occur 24 hours a day, 7 days a week. Cyberbullying may be virtual but this does not mean it is not happening or that it should be ignored.
Cyberbullying can take on many forms, through text messaging, phone calls, pictures and emails through to posts on social network sites and account hacking. This bullying is now becoming a form of serious harassment. The main problem with cyberbullying is that it is incredibly hard to monitor and prevent. Social media sites provide people with anonymity and so tracking down the culprits can be an impossible challenge. People can assume a fake profile or assume many identities.
Currently the law in place is reactive rather than proactive. Instead of providing people with steps they can take to protect themselves from cyberbullying the law instead only provides for compensation once the cyberbullying has taken place. Often people are unaware of their legal rights and what steps they can take. People who are subject to cyberbullying should speak out and record everything, keep texts, take screenshots etc.
Cyberbullying can have a significant impact on a person’s mental and physical health; it can affect self esteem, confidence and mental health. It may be possible for someone to bring a personal injury claim against their bullies as a result of this.
The Workplace
Employers should take a clear stance on all types of bullying and make it clear it is not acceptable. It is standard practice to have an anti-harassment and bullying policy in force.
If an employer fails to take action to stop bullying then there could be a breach of their implied duty of trust and confidence which could result in an employee bringing a claim. At present an employee cannot bring a claim for cyberbullying alone in the Employment Tribunal. It has to be brought along with discrimination or harassment, yet this is likely to go hand in hand with cyberbullying.
An employer may be vicariously liable for the actions of their employees. If an employee is cyberbullying their colleague then an employer may find themselves included as party to a legal claim. An employer is unlikely to be able to argue successfully they were not responsible because the bullying took place outside of work time especially if they were made aware and failed to take steps to reprimand the bully in question.
The Law
Cyberbullies are potentially breaching many laws with their actions, a summary of which is set out below:
Protection from Harassment Act 1997
A person is not allowed to behave in such a way which will amount to harassment of another and which he knows or ought to know amounts to harassment. The individual can obtain an injunction against the person causing the harassment. It is also a criminal offence so a person can be guilty of harassment if they have harassed the person causing distress and harm on more than one separate occasion. By making it criminal the police can be involved and they can investigate the harassment and use their powers to identify the harasser if they are not known. It is also a separate offence if the person’s actions cause another to fear violence will be used against him on at least two different occasions.
Communications Act 2003
A person will be guilty if they send an offensive or grossly offensive message or an obscene indecent image through a public electronic communications network or cause such communications to be sent. Likewise someone will also be liable if they send a message which they know to be false and it is sent for the purpose of causing annoyance, inconvenience or anxiety. It is also an offence to improperly use a public electronic communications network.
Defamation Act 1996
If comments are damaging someone’s reputation, then they are potentially defaming them. Internet hosts should be notified about this to put them on notice and they should remove the allegedly defamatory material quickly. By putting them on notice they will lose the benefit of the innocent dissemination defence afforded to them if they fail to act.
Malicious Communications Act 1988
It is an offence for one person to send to another any communication or article which conveys a threat, false information or an indecent or grossly offensive message and the result of such communications causes the recipient distress or anxiety. Communication covers hard form communication and also electronic communications.
The penalty for falling foul of the Communications Act and the Malicious Communications Act is imprisonment for up to six months, a fine or both.
What can you do?
If you are experiencing cyberbullying through social media sites such as Facebook and Twitter then such sites will have policies in place which mean you can report such incidents. Facebook and Twitter, for example, allow you to report abusive content along with fake profiles. As well as reporting such incidents you can block people from being able to contact you. The sites will often offer advice on what you should do if you are experiencing bullying, for example Facebook gives tips on what to do.
An individual should also review the privacy settings on their Facebook account to ensure it can only be viewed by certain people, for example your friends. Individuals should also be wary of how much information they detail about themselves. If personal information is revealed it could lead to someone being able to impersonate you. Be wary of accepting a stranger’s friend request as this could have undesirable consequences, as highlighted by Cher Lloyd.
If an individual is receiving abusive texts, pictures or phone calls then they can contact their mobile network operator to get a number barred. This means the person will no longer be able to communicate with the individual. This may not stop the bullying entirely but by taking positive steps the bully will be stopped in their tracks to an extent.
People do not need to stand back and tolerate such behaviour; there are steps an individual can take against their bullies.
Schools
Despite the age restrictions imposed on social media sites, more and more children are having profiles online. Children are often the most vulnerable to cyberbullying and as highlighted in recent media stories, they are often reluctant to speak out and seek help which can have serious consequences. Children should be educated in schools about cyberbullying and what actions can amount to cyberbullying and the implications cyberbullying can have. By raising awareness children will know what to look out for and should be more willing to speak out.
As you will see, there are many steps an individual can take against cyberbullies and we are here to help.
If you would like to discuss any of the legal issues raised in this article further please contact:
Mark Symons
Partner, Employment, Cyber Risk Management
T: 0118 957 0340
E: msymons@pitmans.com
Those in the hotel business will have been following with interest the latest developments in the referral of TripAdvisor’s UK advertising to the Advertising Standards Authority and the consequential requirement that they remove the word “trust” and “trusted” from their site in connection with hotel reviews posted in an unregulated way by members of the public (see here for example).
The Issue
Just as the issue has been enjoying attention in the national press, we have been conscious of increasing levels of concern among hotelier clients in relation to internet reviews of their businesses. Such concerns are by no means confined to any single provider of such services. These concerns encompass a perception both that their businesses are being damaged by negative reviews being placed online, and that their competitors are perhaps less scrupulous about the sources for comments on the same websites, intended to bolster business.
With a move away from travel agent bookings, and towards the undoubted benefits of being able to compare a wide variety of packages and destinations over the internet, these are concerns which, if not addressed, will become all the more pressing. They have undoubtedly been accentuated by the traditional January rush to make bookings for the summer holidays, and the fact that in the current economic climate, consumers are becoming ever more eager to ensure that their discretionary spending is being applied to experiences in which they can have confidence.
With those points in mind, a single adverse review can have a significant impact on a business’ revenue and goodwill, if it attracts attention and consequently prominence in whatever online forum it is published. The question for an affected business in those circumstances is what can be done about it.
It is perhaps unsurprising that TripAdvisor should have come in for special scrutiny in this regard. It is one of the world’s biggest travel resources featuring over 40 million reviews of hotels and restaurants a month worldwide and for many travellers the website has proved invaluable when they are choosing a hotel. By assessing the reviews placed with them TripAdvisor scores each hotel and restaurant on a percentage basis with a business’ rating changing on an on-going basis subject to the quality of the reviews that are posted online by the consumer.
Equally, the implications of the ASA’s ruling will be felt across an industry where individual feedback and recommendations have fast become the currency of choice for promotional purposes. The ruling in essence refused to rule out the possibility of such review systems being misused by unscrupulous competitors or vindictive private individuals, notwithstanding the relatively sophisticated systems of checks and moderation which TripAdvisor has in place. As such, any site which follows the same model, and in particular those where reviews remain permanently on a site unless withdrawn by the reviewer or proactively removed by the site owner, is by implication tarred with the same scepticism about the authenticity of its content.
“Negative” reviews
There are now many reported incidents where guests have posted negative reviews on comparison websites, and the establishments concerned have considered the review to be untrue or misleading. This is proving to be a particular concern as it is not necessary for the reviewer to have attended the hotel or the restaurant concerned to write a review, such that a review can be written by a disgruntled member or ex-member of staff, or a competing business looking to seek a competitive advantage.
It is also apparent that there is a small but growing band of so called “self appointed” reviewers that regularly contribute to these sites, notwithstanding that they have no formal training or understanding of the hospitality business and the standards required by the industry. The reviews provided by these amateur inspectors appear to be particularly damaging for the independent hotelier and restaurateur.
“Positive” reviews
Any service provider knows that generating spontaneous positive feedback is rather harder than the negative type. There is, as such, a natural self-selection on such sites in favour of negative feedback. While it cannot be condoned, it is therefore perhaps nevertheless unsurprising (particularly with the added pressures caused by the present economic environment) that some businesses have gone to the lengths of posting positive reviews on to comparison websites with the intention of raising their rating. We are aware of at least one example where five positive reviews were posted on to such a website with regard to one hotel, each review containing the same spelling mistakes and thus, in the view of our client, likely to have been posted by the same individual.
What can be done?
It is important to bear in mind that any reputable comparison site will almost certainly contain terms of use and a code of conduct which users must sign up to (probably on a “click through” basis) before they are able to post content. Demonstrable breaches of those codes of conduct have always been treated seriously, and in light of recent adverse publicity about reliability, it is to be expected that the sites will be making even greater efforts to ensure that genuine complaints are responded to efficiently and effectively.
Equally, of course, it is important to bear in mind that such allegations will need to be carefully considered, and capable of being proved to a relatively high standard, since the consequence for a hotel which is accused of posting fake “positive” reviews can be extremely detrimental. Those consequences might in turn lead to proceedings being issued against the site, which in turn may look to the party who made the original complaint, in order to substantiate their allegations. The prospect of such spiralling litigation deters many small businesses from embarking on such a high stakes course, and suggests that a more pragmatic approach is often required.
A Practical Approach
For small businesses a negative online review may prove personally upsetting and frustrating, even if it is genuinely true, after all of the hard work and effort that is put into running a business. It is inevitable that the distress and frustration will be all the greater where the review is untrue. Nevertheless, short of refusing to engage with the world of online comparisons (which for many is seen as a way to change the travel industry for the better, and in particular to bring small businesses to the attention of a worldwide audience), one approach is to engage with the reviews with a view to making them work for you.
Where a negative review or a number of reviews are posted that are factually wrong and can be shown to have caused the business an actual loss of trade, the incident/s highlighted in the reviews should be investigated and as much evidence as possible gathered to identify the reviewer/s. In the first instance the business should use its right to post a direct response to the negative review on the website as this may assist in negating the review. If a review or reviews are considered particularly damaging the site operator should then be approached in a constructive manner and asked that the review is removed. As much information should be provided to the site operator as possible to show that the review contained false information or was misleading. Our experience suggests that adopting a collaborative approach with the provider, rather than “shooting the messenger”, often yields the best results.
If at this stage the site operator is not cooperative in removing the offending review, a decision will need to be taken. In the majority of cases, embarking on further disputes will simply result in an additional drain on management time and the business’ resources, which might more effectively be devoted to positive publicity aimed at counter-acting the negative reviews.
In some cases, however, the harm will be so serious, and the risks to the business so severe, that action must be taken. As a preliminary step, the identity of the end user (i.e. the writer of the review) needs to be substantiated so that legal action against them may be considered. It may prove difficult to progress this matter if the site operator is not prepared to provide the end user’s identity or, once the user’s identity is confirmed, it is established that the user is not based in the UK.
If the operator is not prepared or is unable to divulge the end user’s identity, the site operator can be asked to inform the user that legal action is being considered against them and to ask that the review is removed. Equally, it can be possible to obtain a court order for relatively detailed information about a user’s registration details, and even the IP address from which contributions were posted, where there is compelling evidence of genuine harm having been suffered.
However, pursuing a claim (whether in defamation or by some other route) via the UK Courts is not straightforward and should not be undertaken lightly. The legal costs for such an action could be substantial and there is no guarantee that the damages awarded by the Court, if a claim was successful, would cover the costs incurred. That being so, it is always prudent to take informed, practical advice at an early stage, so that a decision can be made that best suits the needs of the business in question, and is appropriate to the level of the harm that has been done.
David Loosemore
Solicitor, Hospitality Sector
T: +44 (0) 118 957 0240
E: dloosemore@pitmans.com
Will Richmond-Coggan
Director, Defamation/Social Media Law
T: +44 (0) 118 957 0369
E: wrcoggan@pitmans.com
