The High Court has now granted that order. Virgin Media, Sky, Everything Everywhere, O2 and TalkTalk have been ordered by the High Court to put measures in place that prevent their respective users accessing The Pirate Bay. ISPs have criticised the move as a part-solution only to the increasing problem of copyright infringement.

In this instance, Wintersteiger, an Austrian business, accused its German competitor, Products 4U, of registering the adword “Wintersteiger” so that, when a consumer searched for “Wintersteiger” on google.de, the Product 4U website came up. Wintersteiger issued proceedings for trade mark infringement in the Austrian courts, as it had registered the word mark “Wintersteiger” in Austria. The Austrian courts had initially rejected the application on the grounds that it did not have jurisdiction as the issue related to google.de and not google.at.

Advocate General Cruz Villalón, an advisor to the ECJ, had advised that proceedings could be brought (i) in the country where the infringed trade mark was registered (in this case, Austria), or (ii) in the country corresponding to the country code in the relevant search engine’s top level domain name (in this case Germany).

However, the Advocate General’s views are not binding, and the ECJ ruled in a slightly more restrictive way in relation to (ii) above; that such claims can only be brought in that member state if the alleged infringing advertiser has an “establishment” there. It is not clear what “establishment” means, and whether it means anything different from “domiciled”, as the ECJ didn’t give an opinion on that specific point; future cases on this will hopefully clarify that issue.

The European Commission is already looking into whether Google is abusing its dominant position in the way in which it lists competitors’ sites. If found guilty of breaching European Union competition law, Google could face very tough sanctions including a fine of up to 10% of its turnover. No doubt, the slow wheels of this case will run and run for many months yet.

 It was a question of fact on a case by case basis as to whether the linking site was liable. In this case, the two web sites seemed to be closely associated and the home page of the .org site went through to the .net site. Although this ruling does not mean that the Foundation was liable, the Court refused to grant the strike out application and said it should be decided at trial as the result was not sufficiently certain.

We now await the main court case to find out more about liability for sites that provide a link.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “In my view, these are breaches of the Act, but not really serious breaches. Considering the flagrant breaches of data protection laws carried out by some, it would be unfortunate if an organisation’s mistake that did not reveal very private categories of data went punished when it does so much good. However, it should still be a salutary lesson to always have regard to data protection laws.”

It will no longer be enough to obtain consent automatically on a general basis through a user’s browser; other steps will be needed. This has led to concerns as to how it will affect the user-friendliness of sites. But the law is clear – consent is needed. How to show consent is not clearly set out in the new law. The Information Commissioner’s Office has provided some guidance with suggestions. The type of consent the user must give will vary according to what the cookie contains, at what point in the process it is placed and also according to what the user may already have agreed to. See the guidance here. However, despite the guidance being updated in late 2011, it does not give totally definitive answers.

We have already been advising clients on how to comply with this new law and have come up with some practical suggestions of our own. If you would like to obtain our advice, please contact us on mark.weston@mablaw.com or paul.gershlick@mablaw.com.

Social networking sites can process the photos without breaching data protection law if that processing is being done to check whether consent has been obtained, but, once that check has been finalised, the site must delete that information.

Facebook currently uses facial recognition technology to suggest the names of people featured in photographs to the uploaders. The name tags used by the uploaders can be viewed by other Facebook users.

Aside from consent, the Article 29 Working Party said that the social networking sites would need to take adequate technical measures such as encryption while the images are being uploaded. They should also use technical controls to try to safeguard against the images being used by third parties for purposes for which the user had not consented. To add to the regulatory burden, the body added that compliance with EU data protection law also meant giving the data subjects sufficient access rights to their images and not storing more data than was necessary for the tagging purpose.

The Working Party’s opinion also included some comments on the use of facial recognition technology by search engine providers and gaming services.

The Opinion is not legally binding, but it is best practice to comply with it, particularly as it gives an indication as to the action that the regulators would take to enforce the law.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “The Working Party has once again taken a strict pro-privacy stance in providing an opinion. This is similar to the tough line it took against social networking sites and others in its opinion last year on geo-location services. For more on that geo-location opinion, click here: http://www.mablaw.com/2011/06/article-29-working-party-geo-location-data/.”

The proposed law would also require manufacturers of devices that can access the Internet (including mobile phones) to ensure that those devices have filtering functionality installed.

ISPs have criticised the proposed law over concerns that it would lead to over-blocking and also because it leaves open the question as to who decides what is and what is not pornographic.

The app had been downloaded from iTunes 70,000 times before its withdrawal. It allowed users to access the location data of nearby users and also to access profiles of nearby users in a map format.

Facebook has made the move after Yahoo!’s recent issuing of proceedings against Facebook for the infringement of 10 patents including those involving messaging, news feed generation, display of advertising, and click fraud and privacy controls.

1. In order to succeed in a defamation claim, Mr Tamiz would have to prove that the damage caused by the publication was “real and substantial” within the jurisdiction, but Google argued that this was not the case;
2. At common law, the definition of “publisher” includes anyone who participated in the publication of the alleged defamatory material to a third party – Google argued that it was not the publisher of the material by that definition;
3. Google argued that it had a defence under section 1 of the Defamation Act 1996 which would protect Google if it could show that it was not the publisher, it took reasonable care in any publication it did make and it did not know or have reason to believe that it was contributing to the publication; section 1 also states that those providing equipment, systems or services allowing for electronic communication or who operate or provide access to communications systems to people outside of its control (including Internet service providers (ISPs)) are not publishers; and
4. Google argued that it had a defence under regulation 19 of the E-Commerce Regulations 2002, which states that an information society service provider hosting information (including an ISP) will not have any liability for damages for the storage of that information if it does not have actual knowledge of any unlawful activity or information, it is not aware of the circumstances indicating that the information is unlawful where a claim for damages is made, and that, on becoming aware of the unlawful information or activity it acts quickly to remove or disable access to that information.

The High court accepted that a “real and substantial” tort had been committed within the jurisdiction. However, the High Court ruled that Google’s role had been passive and it was therefore not a publisher at common law. The High court considered the role of an ISP and ruled that it was not clear under English law whether an ISP could be considered to be a publisher; it was something that was dependant on the facts in each case. Therefore the High court declined jurisdiction as Google was not a “publisher” in common law; rather, as a platform provider, its role was passive, so that, even after Mr Tamiz notified Google of the material, it was outside the definition of publisher. As Google had not committed any act causing damage as it was not a publisher, the High Court ruled that it had no jurisdiction to hear the claim.

The High Court considered in passing (but this bit of the judgment is not binding) that the defence under section 1 of the Defamation Act would have applied if Google was a publisher at common law as Google had not issued material to the public in the course of a business and was not a publisher. The High Court also stated that Google had no effective control over those using Blogger.com, that Google making of contact with the blogger, although slow, was still within a reasonable time and that Google had no reason to believe that it had caused or contributed to the defamatory comments.

The High Court stated (also in passing) that the defence under Regulation 19 of the E-Commerce Regulations would have applied – Google was an information society service provider in relation to which the “London Muslim” blogger was the recipient. Mr Tamiz had alleged that the comments were defamatory but had not stated why they were defamatory; Google had to be aware not only of the relevant material but also that it was unlawful. As such, Google did not have to accept Mr Tamiz’s complaints and there would be no grounds to deny Google the protection of the E-Commerce Regulations and liability for damages. Google was entitled to leave the blog available on the Internet until it had weighed up the case for taking it down.

Simon Weinberg, a solicitor at Matthew Arnold & Baldwin LLP, comments: “This ruling will be welcomed by ISPs, but it is relevant only in so far as the facts of this case apply. In fact, this ruling might actually raise more questions than answers – the ruling seems to be inconsistent with previous case law that seems to have similar facts. In addition, the interpretation of Regulation 19 of the E-Commerce Regulations seems to go against what is widely understood to be the intention of the legislation; if Google was entitled to weigh up the case in front of it in relation to the alleged defamatory material before taking it down, that undermines the underlying objective of protecting the defamed “victim”.”

Meanwhile, the Government has rejected other suggestions by the Joint Committee on the Defamation Bill, such as the proposal that websites keep defamatory statements online as long as they are published next to a complaint about the statement, whilst anonymous comments are taken down. The Government said that these suggestions would be unworkable in practice. It reiterated its desire to create a balance between protecting reputation on the Internet and not requiring intermediaries unduly to remote or monitor information due to fears about liability.

Google had consolidated all of its privacy policies into one so that personal data collected through one Google service could be shared with other Google services such as YouTube, Gmail and Blogger. Google’s aim behind having one privacy policy across its services is to make its position on privacy easier to understand and to improve the experience of its users – Google hopes to be able to use data between its services to offer a more personalised experience to users when they login to their user accounts. Critics have expressed concern that the new privacy policy gives citizens less control over the use of their data as it is freely transferable across services.

BT and TalkTalk had some trouble in getting the appeal heard by the Court of Appeal, and it seems that they may now push to have the appeal heard by the Supreme Court.

The European Commission has suggested and the European Parliament will agree new provisions for roaming, including data roaming on mobiles to take effect from 2014. This will involve consumers being given a choice as to whom they use for roaming services. That means that they could choose a different operator from their home state operator to be their international roaming provider. Restrictions on roaming charges are likely to remain and new restrictions on data roaming out of the EU are likely. Ofcom has noted that a very large number of complaints arise from charges for out of the EU data roaming and indeed there can be few practitioners in the telecoms area who haven’t been approached by people with outrageous bills, quite often for downloads that are automatically re-continued after a flight abroad.  It would be fair to say that the Communications and Internet Services Adjudication Scheme (CISAS) takes a fairly unsympathetic view to people if they are given warnings that they may incur charges and then ignore them. Where no warning has been given, however, they seem much more keen to suggest reducing the charges.

That takes me to an area where the UK and Europe seem to be getting out of step. That’s the regulation of non-geographic number services. The UK’s long-awaited response to its last consultation on the non-geographic numbering review has been delayed and delayed and delayed. It’s now expected sometime after the end of March! The last reason given for this delay was that senior staff involved were also caught up in the 08X appeals. Probably not that a convincing reason! 

We are out of step here with other countries in Europe because, as the Berec draft report on special rate services and enforcement of remedies suggested, we are not taking perhaps the most straightforward route in making things work. The Portuguese have taken, for example, a far more strident line in getting mobile operators to in effect review access charges for services like 118, etc. Here there is supposed to be some form of interim measure going to be suggested by Ofcom, but nobody really knows what that is going to be. A long-term solution is probably, therefore, two or so years away. Plus, the time it will take for the inevitable appeal to the Competition Appeal Tribunal (CAT).

I long remember, from years ago, a meeting in Somerset House, chaired by the then Director General of Telecommunications, concerning the introduction of a general competition condition into PTO licences in the UK, where a telecommunication company which has gone on to be a substantial UK player said they didn’t really care what regulators did as long as they were 70 per cent right and got on with it! That is something we certainly seem to have lost in this country, being bound up as we are in competition-based ex-post regulation where the MNOs control regulation through a judicious use of appeals and greater resources, particularly in the field of competition law. 

The Telecoms Minister, Ed Vaizey, has just publicly given notice of what’s been suspected for some time, which is that his Ministry is dropping proposals to change the CAT appeal procedure to make it more difficult for the mobile network operators (MNOs) to drag regulation into a constant legal mire. The proposal for the crucial sections of Communications Act 2003 to be changed so that the appeal will be on the merits but be on the principals of judicial review is dropped.  Further suggestions are sought from the industry and it is believed a number of operators will have their thinking caps on, creating some kind of appeal mechanism that stops every decision of any importance ending up in the Court of Appeal.

It was the case, pre-2003, that Oftel had surprisingly few judicial reviews and was not subject to on the merits appeals, but it managed to regulate surprisingly well through all of the difficult birth pang periods of the liberalisation of UK telecoms. Let’s hope that those with the thinking caps on will provide further suggestions as to what the Government has called for.

The CAT’s own view on the situation is more or less summed up if you read the judgment in the recent TalkTalk appeal on broadband.  It basically made a pitch for how it would be able to handle appeals cost effectively and try and draw in the confines of the appeal, so as not to turn every appeal into a three ring circus looking at every possible aspect of the subject matter under consideration, but I doubt that is enough.

Meanwhile, the Court of Appeal in the 08X case gave consent to the MNOs to present a complete list of challenges on the law and not just those permitted by the CAT when giving permission to appeal. Rumour has it that the matter will reach the Court of Appeal sometime in March or April, with a decision shortly thereafter. It would seem to me that it is very difficult for Ofcom to complete its non-geo review while the 08X appeals are not decided, so very probably once again the mobile operators have gummed up the works.

Facetiously the other day I suggested that a way to curb regulatory problems at the moment in Europe would be to deem all mobile operators to have significant market power. It might balance things up for the substantial difficulties in European completion law jurisprudence related to sharing joint dominance. Our way to a perfect world…

As an adjunct to the O8X appeals, BT and Everything Everywhere are now embroiled in a dispute over whether or not clauses 12/13 of the BT SIA are fair and reasonable. Clause 12 was a substantial reason why CAT decided in the 08X case the way that it did because it gave weight to BT being able to exercise its contractual powers to vary charges unilaterally, which was contrasted with clause 30 where other operators didn’t have the same power. Essentially Everything Everywhere appear to be trying to use this dispute to nullify the effects of a loss in the Court of Appeal, if that’s what they suffer. All operators, however, should be very wary about a situation whereby somebody ended up with the same power as BT being able to reject price increases or changes without being in the honest broker position of being a transit operator like BT. It also highlights a problem in the CAT for setting policy or the best way of doing things in a vacuum. Somebody looking to set a rule for the future in respect of, for example, ladder pricing would be best taking into account everybody’s position. That is to say how it would apply to both BT and others. The CAT didn’t because of the inbuilt presumption on the part of the judiciary that they should always deal with just the case in front of them. This was reinforced a couple of years ago in the telecoms area by the Court of Appeal in the Floe case.

For those who have missed the boat in not being able to express an interest in the clause 12/13 matter, but who might be affected even if they are late to let Ofcom know of their interest.

Lastly, we had some fun recently acting for the Raspberry Pi Foundation, in particular doing an OEM Contract to enable its product to be commercialised and distributed.  It’s funny, however, that that experience once again just highlights the same points that are always a problem in those contracts.

•        making sure the background IPR remains in the same ownership;

•        dealing with IPRs in improvement  to design; and

•        the length of time from sale to accounting for a royalty.

A number of record companies, represented by the BPI and PPL (Phonographic Performance Ltd) applied to the High Court for an order for ISPs to block, or at least impede, access to The Pirate Bay. As with the Newzbin2 case, the application came under section 97A of the Copyright, Designs and Patents Act 1988 (CDPA) which provides that an injunction may be obtained against an ISP that has “actual knowledge” of another person using their service to infringe copyright. The parties had agreed to a trial of two preliminary issues – whether (i) the operators and (ii) the users of the website infringed the copyright of the BPI and PPL members.

The High Court ruled that both the operators and users of The Pirate Bay had infringed copyright under the European Union’s Copyright Directive and the CDPA. The High Court will now go on to consider whether to grant the order against the ISPs to block The Pirate Bay in the same way that Newzbin2 has been blocked, but the outcome seems to be beyond doubt – the High Court stated that the copyright infringement in this case was the same, if not greater, than that involved in Newzbin2.

The ruling in the Newzbin2 case was considered to be a landmark in the fight against copyright infringement, and copyright owners were celebrating a victory. This was particularly following the slow progress in making the blocking provisions of the controversial Digital Economy Act 2010 active. The High Court seems to have upheld the decision in Newzbin2, or at least has got half way there – this will be a huge encouragement to copyright owners to continue in their pursuit of the protection of their copyright by using section 97A of the CDPA.

The guidelines follow a period in which there has been increasing concern about how apps use personal data after the operators of the Path and Hipster apps admitted data breaches. The guidelines state that users must be given certain information about how the app uses their data before it is activated on their mobile device, and also that users of social networking apps must be given the option to delete their account and have all personal information about them removed.

However, the move has come in for serious criticism. Before the plan was implemented, the Article 29 Working Party urged Google to postpone any action to allow an investigation to take place to ascertain whether the plan was lawful, and the French data protection regulator, the CNIL, appointed by the European Union to perform that investigation, expressed concern that there were “strong doubts” as to whether it was compliant with European Union data protection laws.

Now that Google has put the plan in action, the European Union’s justice commissioner has also come out and said that the changes are in breach of European Union law. The CNIL is to send Google a list of questions about the move in the next few weeks to further its investigation.

• It welcomes the continued exemption for domestic processing, although it says that it would be helpful to clarify that personal commercial activity such as selling something for oneself on an online auction site – is within the exemption.
• The ICO is pleased to see non-EU data controllers fall within the law, but it questions how it can be enforced, and also who would be caught – for example, would a US site merely offering goods that happen to be seen by someone in the EU have to comply with the EU laws?
• It wishes to see clarity over whether online identifiers such as Internet Protocol addresses and cookie identifiers count as personal data. The ICO believes it should depend on the context, so that where the details are used to target a particular individual, that would be personal data. 
• Clarity that, for consent to apply, this would need a clear affirmative action such as clicking a tick-box or taking some other positive step.
• The ICO wishes to see a default position of processing being able to take place except where it overrides the data subject’s fundamental rights and freedoms.
• The ICO wonders why some categories of data such as trade union membership are given heightened status of “sensitive personal data”, whereas others that data subjects would think of as being more sensitive (such as financial data) are not considered as such.
• It welcomes the new “right to be forgotten”, being the right of individuals to have their data (such as at online social networking sites) removed. However, this could be misleading to data subjects as in many cases their data cannot be totally “forgotten” and will still appear on the Internet.
• Perhaps the strongest criticism comes in relation to notification of data breaches. Whilst the ICO is strongly in favour of such a duty, it should be proportionate with only the serious breaches (such as financial loss occurring) being notified to avoid the danger that regulators will receive more notifications than it can cope with. In addition, the proposed timing should be changed so that the requirement should be without undue delay rather than within 24 hours, as too early a notification could lead to meaningless information and a distraction from dealing with the breach.

The EBA is concerned that fraudsters may target consumers by applying for those gTLDs, with consumers then presuming that all websites using those gTLDs are endorsed by financial regulators.

The Raspberry Pi is a credit-card sized, low-cost computer that is designed to help teach children (and adults) to program. The £22 computer is sold uncased and without a keyboard or monitor, and has been created by volunteers drawn mainly from academia and the UK technology industry.

The computer went on sale this week and its launch is timely given that the Department for Education has just announced that it is considering making changes to the way computing is taught in schools, with the aim of placing greater emphasis on skills such as programming.

In his recent speech outlining the aforementioned changes, the Secretary of State for Education praised the Raspberry Pi, saying “Initiatives like the Raspberry Pi scheme will give children the opportunity to learn the fundamentals of programming… This is a great example of the cutting edge of education technology happening right here in the UK.”

As well as the Government, the Raspberry Pi has naturally created a lot of interest amongst the general public and its launch has been covered by the BBC and the national press. The demand to purchase the new computer has been so overwhelming that The Guardian newspaper even reported that as soon as it went on sale it sold out, crashing the websites selling it in the process! Distributors Premier Farnell reported that its website received half a million hits in 15 minutes, and RS Components said that it was the greatest level of demand it had ever received for a product at any one time.

For those who have been unable to purchase one, don’t worry – more will become available soon, and an even cheaper £16 version will go on sale later in the year.

Ted Mercer, The Partner who did the work, comments, “It has been very exciting to work on the OEM, commercialisation and distribution contract to enable the Raspberry Pi to go on sale and we wish it every success in inspiring a new generation of schoolchildren to learn to program.”

Google’s aim behind having one privacy policy across its services is to make its position on privacy easier to understand and to improve the experience of its users – Google hopes to be able to use data between its services to offer a more personalised experience to users when they login to their user account.

The Article 29 Working Party, which is made up of representatives from the data protection regulators of each European Union (EU) member state, has now asked Google not to introduce the changes until the French data protection regulator, the CNIL, has assessed what impact the single policy might have on EU citizens, with many critics expressing concern that the new policy will mean citizens will have less control over the use of their data as it will be freely transferable across services.

Google has responded to criticism by arguing that users will still be able to use many of its services without having a user account and disclosing personal data to Google, and those that do sign up to an account will be able to review the privacy policy and use various privacy tools to dictate how Google can actually use their information. Google has also indicated that it may not be willing to postpone the launch of the new policy, citing the fact that the European Commission and various data protection regulators have already been consulted when the single privacy policy was being put together.

Ofcom’s research has shown that, on switching, one in five customers lose their broadband for a week and more than 130,000 customers have experienced issues with the wrong phoneline being taken over, either when switching or moving house. The research also shows that 500,000 households had their services slammed in the year-period in which the research was carried out.

Ofcom’s proposals include:

-          making sure switches are verified by an independent third party to protect from slamming;

-          simplifying the switching process to avoid confusion;

-          making the new service provider responsible for the switching process;  and

-          addressing the technical problems that can be experienced when switching.

Whilst telecoms service providers have, on the whole, expressed their support for the proposals, some have also expressed their concern that an independent service provider to verify switches could add to costs.

Ofcom is consulting on the proposals until 23 April and will report on the consultation in Autumn 2012.

PhonepayPlus ruled that CIS were responsible for a candidate in an online beauty pageant urging the girls to vote for her on Facebook, the social networking website. The voting took place by text on what was a premium rate service phone number. The ruling stated that CIS were operating a service that was effectively aimed at children, and that their practice in not informing the girls in question of the cost of the text messages was a breach of the PhonepayPlus Code of Practice.

The ASA noted in its ruling that TripAdvisor did not verify reviews placed on the website, so the claim that the reviews were from “genuine travellers” could not be made as TripAdvisor could not prove who had placed the reviews. The ASA ruled that the claims breached the CAP Code and should not be repeated.

The CAP Code is the code of practice that seeks to ensure that adverts are not misleading. Although the CAP Code does not have legal force, it is best practice to comply with it, as failure to do so can result in bad publicity and ultimately an inability to obtain advertising space.

Richard O’Dwyer closed the website in 2010 after he was visited by the police and US officials. However, US authorities alleged that the website contributed towards “criminal activity” in the US despite O’Dwyer never having been to the US, and despite the fact that no action is being taken against him in the UK. They also claimed that the website generated $230,000 in advertising revenue before it was shut down. O’Dwyer should be extradited to face charges of “authorising copyright infringement” as providing the links to the pirated content is a serious offence in the US and would justify extradition under the UK-US extradition agreement.

O’Dywer’s lawyers had argued that the website was merely a search engine for content, and that he should only face charges in the UK. He could face up to ten years in a US jail if found guilty of copyright infringement.

When Mr Patel complained to Unite about the postings, Unite took the forum offline and released a statement that the allegations against Mr Patel were unfounded; but Unite failed to respond to Mr Patel’s request for the identification of those responsible.

The BASSA website was subject to terms of use, which warned users that their personal data might be disclosed subject to data protection and privacy law.

Mr Patel successfully applied to the High Court for a “Norwich Pharmacal” order, which required Unite to provide the identities, addresses and Internet Protocol addresses of the users responsible. Instead, Unite maintained that the information requested had in fact been deleted. Mr Patel and his solicitors pushed Unite to make further efforts to recover the information, without success. Mr Patel therefore sought a further Norwich Pharmacal order for an independent expert to be given access to Unite’s database on the grounds that the continued failure to provide the information must be, at best, as a result of incompetence or technical ignorance. Unite objected to a further order on data protection grounds.

The High Court ruled that Unite had not provided sufficient evidence that it had carried out the reasonable search required by the first Norwich Pharmacal order, and Unite had not shown that it had actually followed up the information provided by Mr Patel in order to carry out that search. The High Court noted that the additional order that Mr Patel was asking for was intrusive, but that it was proportionate and necessary to give the order so that Unite would comply with Mr Patel’s information request. The High Court considered the fact that the website terms of use warned users that Unite might disclose a user’s identity, subject to data protection and privacy law, and that, without the order, those responsible would not be identified. Whilst the order was given by the High Court, it was strictly limited to an expert appointed jointly by both parties and only to the disclosure of the information which would identify those responsible, or which explained why identification was not possible.

The Court of Appeal has rejected an appeal against the decision of the High Court, on the grounds that the High Court’s findings were not based on any error of principle or perversity in factual findings, leaving no scope for a fresh evaluation by the Court of Appeal.

However, the Court of Appeal allowed a cross-appeal against the finding that the UK trade mark for the number 32 had not been infringed. The Court of Appeal ruled that the High Court had incorrectly assumed that, where a separate reputation had not been established by use of the trade mark, there could be no infringement under section 10(2) of the Trade Marks Act 1994; rather, the number 32 was a significant part of the trade marks that the High Court had ruled had been infringed, such that there was no basis for saying that the trade mark for the number 32 had not been infringed as well.

In a press release, the EC outlined the main changes that will be made to the data protection regime in the EU::

-          There will be one set of rules across the EU, rather than each EU Member State having its own rules.

-          The scope of the people caught by the data protection law will be increased. The rules will apply to data controllers who are not established within the EU if the data processing relates to offers of goods or services to data subjects within the EU or a monitoring of EU data subjects’ behaviour. Clearly, this is intended to cover large online players from the US such as Google.

-          In addition, what counts as personal data is being widened. Data will be personal data if it is not just data held by the data controller that can identify the individual but also data held by a third party which, in combination with the data held by the data controller, could identify. This could catch rights holders that hand over Internet Protocol addresses to Internet service providers for enforcement of copyright infringement under the Digital Economy Act 2010.

-          There will no longer be an obligation for organisations to notify (or register) all data protection activities to data protection regulators (such as the Information Commissioner’s Office (ICO) in the UK), but only data breaches will need to be notified; however, that will need to take place within 24 hours of becoming aware of the breach. Organisations will need to have continuous monitoring and reporting systems in place at all times. Security breaches must also be notified to data subjects “without undue delay”.

-          In place of general notification obligations, organisations will have to maintain documentation and records showing their processing activities, and be subject to strict audit requirements and produce that to the authorities on demand.

-          Data controllers will also have to comply with training requirements.

-          People will be able to access and transfer their own data more easily. They will have a right to be given their data in a convenient portable format such as a disk or MP3 file. They will also have a right to be told how long their data will be kept for.

-          Data subjects will have a right to be told where the data controller got their data from.

-          There will be a “right to be forgotten” where people will be able to delete their data if there are no grounds for it being retained. This will put a huge burden on Internet businesses in particular, which will have to do what they can to ensure links to the data is deleted by others even after they have deleted it.

-          Member State regulators, such as the ICO, will be strengthened to allow them to better enforce the rules, with possible fines of up to 2% of a company’s global turnover or €1m for other bodies. The amount of the fine will depend on the nature, gravity and duration of the breach; whether the breach was deliberate or negligent; previous history of breaches; what security measures had been put in place; and the level of co-operation with the authorities.

-          All organisations will have to appoint data protection officers unless they have fewer than 250 employees, in which case they will be exempt from this requirement.

-          Clearer rules for the transfer of data across borders within multi-national organisations will be introduced. In addition, national data protection authorities will need to approve bespoke agreed clauses as an alternative to the standard contractual clauses for transfers between an organisation in one EU country and another organisation outside of the EU.

-          Any consent from a data subject will have to be explicit rather than implied. Any written consent such as a tick-box will need to be distinguishable from other consents. This would mark a change from current online acceptance practice.

-          Data access policies will have to be not only fair but also transparent.

-          The law will move from data being permitted if “not excessive” to effectively minimising the data as it will only be legitimate if the purpose cannot be fulfilled by processing non-personal data.

-          Data processors (people who process data on behalf of data controllers and do not take any decisions in respect of the data) are currently not subject to the data protection requirements. They are only caught under contract law when data controllers (as they are required to do) enter into a written agreement with the data processor to contain certain safeguards. That will change. Under the new regime, data processors will have specific direct obligations to maintain security of data under the law.

-          Data controllers will generally not be able to charge data subjects for data subject access requests.

The proposals will be sent to the European Parliament and the Council of Ministers for discussion, and will take effect two years after they have eventually been adopted.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “This proposed law makes depressing reading. The Commission has trumpeted the ease of cost to business, but such a statement totally ignores all the other increases in regulation that this law would introduce. On balance, this will involve much more red tape for business to have to comply with. At a time when SMEs need a helping hand to grow and help to rescue the EU’s economy, this development is not going to be welcomed. Instead of considering SMEs’s legitimate interests, the Commission seems to have been too focused on protecting EU citizens against big US Internet businesses.

“The one plus side is that the new data protection law will be implemented in one consistent way across the whole EU; the major downside, though, is that it will involve much stricter obligations than businesses currently face, including tougher internal programmes and records and quick reports to the regulators and data subjects of data breaches. And there will now be much bigger fines for breaches. Let’s hope some of the provisions are softened before the law is passed.”

The Government’s actions are intended to take effect later this year, and will implement the Consumer Rights Directive, which was approved by the European Union in October last year.

Paul Gershlick, Head of Pharmaceuticals and Life Sciences at Partner at Matthew Arnold & Baldwin LLP and a data protection law specialist, comments: “We need to understand the facts as the ICO sees them and then make a judgement, but such a large fine seems harsh given that the hospital appear to have been the victim and no data actually got into the public domain through the hospital’s action with the police when the items appeared on eBay. This action signals the tough intentions of the UK’s data protection regulator in dealing with data security breaches involving people’s health data.”

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “This case shows the need for organisations to have clear IT and Internet usage policies. Organisations should also make sure that those policies have been updated since the increased use of business and personal social networking sites.”

The guidance advocates a cookie audit to identify the cookies used, distinguishing between session, persistent and third party cookies, look at how privacy-intrusive each cookie is and how clear information is provided to users.

The ICO has also given further guidance on obtaining consent. It says that website operators should have minimal use of cookies until users have consented. Implied consent is not a viable option at the moment, but as users become more aware of cookies, that could be used. It also advocates contractual obligations between third parties and website owners governing the collection of consent for the third party cookies.

The ICO’s report and the guidance can be found here:  http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.

Viagogo – the website – had objected to the hand over, saying that to do so would be disproportionate and infringe its users’ data protection rights. The Court of Appeal disagreed. The rights had to be balanced and the RFU was entitled to know about who was infringing its contract terms. The Court of Appeal therefore ruled that it was right to grant the RFU a “Norwich Pharmacal Order” against Viagogo to reveal the data. Whether or not the England rugby body used that data to take action against the sellers or the people who had provided the tickets to the sellers was irrelevant to the ruling.

Under the E-Commerce Regulations, web service providers can be liable for material that they host if they have actual knowledge of unlawful activity, but they can avoid liability if they expeditiously remove the unlawful material.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “Despite this ruling, the best advice for any website service provider to avoid the risk of liability would be to have clear terms and conditions that allow it to take down material, and then to do so at the first suggestion that it is going to get caught in any cross fire.”

Details of the case can be found here: http://www.bailii.org/ew/cases/EWHC/QB/2011/3031.html.

In Apple’s business model, it calls itself an agent and gets a commission on the sale price. In genuine agency situations, the supplier is free to tell the agent what price to sell at. However, if it is not a genuine agency situation, this is forbidden. The EU rules as to what amounts to a genuine agency are complex. They include looking at who bears the financial risk or commercial risk in the sale of the books.

The Commission will now investigate. If found guilty, the parties to anti-competitive arrangements can be fined up to 10% of their turnover, the agreements are unenforceable and third parties can sue for damages.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “This result is interesting in light of recent court orders that the MPA has obtained against ISPs in the UK such as BT and Sky, under which the ISPs have had to block access to infringing content. The law needs to be clearer or at least applied in a more clear way across the European Union.”

There are two totally independent Merck companies. This arose out of the Treaty of Versailles at the end of World War I, under which the two different Merck companies were each given exclusive rights to the brand in different territories.

German Merck claims that it held the rights to material on the web page at www.facebook.com/merck, but it has recently discovered that those rights were now being allocated to the US company. German Merck has no argument with US Merck – its complaint is with the social networking site, which it claims has been less than helpful over the issue.

This case shows the issues that can arise with owners of parallel brands existing in an ever-smaller global market.

1. the meaning of a “communication to the public” for the purposes of the Copyright Designs and Patents Act 1988 (the “Act”); and
2. the meaning of “reproduction in part” (whether individual frames amounted to a substantial part of the copyright work and whether the display of a broadcast on screen amounted to reproduction) for the purposes of the Act.

The High Court has now ruled that the first question should be amended for reference to the ECJ, as to whether the right to authorise or prohibit broadcasts extends to broadcasters of free-to-air programmes online to users who could lawfully receive those broadcasts on their televisions.

The High Court has also stated that the second question above has been answered by the ruling of the ECJ in the case of the FA Premier League v QC Leisure & Karen Murphy, which stated that copyright owners do have the “exclusive right to authorise or prohibit direct or indirect” reproduction of their content in the form of “transient fragments of the works within the memory of a satellite decoder and on a television screen, provided that those fragments contain elements which are the expression of the authors’ own intellectual creation, and the unit composed of the fragments reproduced simultaneously must be examined in order to determine whether it contains such elements”.

The Court dismissed Folly’s arguments that “STALKER” had been used in conjunction with “tackle” as that was not always the case on its website. It also did not agree that “STALKER” was used in a descriptive sense, as that was not how Folly had used it. The Court also had no time for the arguments that “STALKER” was generic or had no distinctiveness.

All in all, the case brought was pure folly and the defendant should have found a better angle to win.

The EU has proposed several changes to the current data protection regime, including granting individuals a “right to be forgotten” by allowing them to force organisations to delete personal data they hold and making non-EU based organisations subject to EU data protection law if they store personal data of EU citizens in the “cloud” (i.e. storing the data on an Internet-based network rather than on local servers).

The Culture Minister responded that:

-          A “right to be forgotten” would give the public false expectations. His argument was based on the ease and speed with which data can be copied and circulated on the Internet, to the extent that the Government would be unlikely to pass a law into force that it was impossible to enforce.  After all, how could one organisation promise that someone’s photos had been permanently deleted when someone else may have copied them from that original site?

-          It was questionable how feasible it would be to enforce EU law against non-EU organisations and there was the possibility that the law would stifle innovation and economic growth in the sector.

The full text of the speech can be found here.

ENISA also expressed concern in relation to security and privacy risks from such practices. The report suggests that users are becoming increasingly dependent on websites storing their personal information to make their future visits quicker and easier; whilst this is a benefit to a user, it makes fraud and unauthorised access easier, with the potential for not only financial loss but also possible reputational harm, discrimination and even exclusion from websites altogether.

The report suggests that the other effect of the practice is that website operators are being put under increasing pressure to store and protect personal information in a legally compliant way, which they may not have the knowledge or financial means to undertake.

ENISA suggested that privacy-friendly mechanisms should be incorporated into new websites and software, with clear instructions for users explaining the risks involved in a personalised service.