In a press release, the EC outlined the main changes that will be made to the data protection regime in the EU::

-          There will be one set of rules across the EU, rather than each EU Member State having its own rules.

-          The scope of the people caught by the data protection law will be increased. The rules will apply to data controllers who are not established within the EU if the data processing relates to offers of goods or services to data subjects within the EU or a monitoring of EU data subjects’ behaviour. Clearly, this is intended to cover large online players from the US such as Google.

-          In addition, what counts as personal data is being widened. Data will be personal data if it is not just data held by the data controller that can identify the individual but also data held by a third party which, in combination with the data held by the data controller, could identify. This could catch rights holders that hand over Internet Protocol addresses to Internet service providers for enforcement of copyright infringement under the Digital Economy Act 2010.

-          There will no longer be an obligation for organisations to notify (or register) all data protection activities to data protection regulators (such as the Information Commissioner’s Office (ICO) in the UK), but only data breaches will need to be notified; however, that will need to take place within 24 hours of becoming aware of the breach. Organisations will need to have continuous monitoring and reporting systems in place at all times. Security breaches must also be notified to data subjects “without undue delay”.

-          In place of general notification obligations, organisations will have to maintain documentation and records showing their processing activities, and be subject to strict audit requirements and produce that to the authorities on demand.

-          Data controllers will also have to comply with training requirements.

-          People will be able to access and transfer their own data more easily. They will have a right to be given their data in a convenient portable format such as a disk or MP3 file. They will also have a right to be told how long their data will be kept for.

-          Data subjects will have a right to be told where the data controller got their data from.

-          There will be a “right to be forgotten” where people will be able to delete their data if there are no grounds for it being retained. This will put a huge burden on Internet businesses in particular, which will have to do what they can to ensure links to the data is deleted by others even after they have deleted it.

-          Member State regulators, such as the ICO, will be strengthened to allow them to better enforce the rules, with possible fines of up to £1m or 2% of a company’s global turnover. The amount of the fine will depend on the nature, gravity and duration of the breach; whether the breach was deliberate or negligent; previous history of breaches; what security measures had been put in place; and the level of co-operation with the authorities.

-          All organisations will have to appoint data protection officers unless they have fewer than 250 employees, in which case they will be exempt from this requirement.

-          Clearer rules for the transfer of data across borders within multi-national organisations will be introduced. In addition, national data protection authorities will need to approve bespoke agreed clauses as an alternative to the standard contractual clauses for transfers between an organisation in one EU country and another organisation outside of the EU.

-          Any consent from a data subject will have to be explicit rather than implied. Any written consent such as a tick-box will need to be distinguishable from other consents. This would mark a change from current online acceptance practice.

-          Data access policies will have to be not only fair but also transparent.

-          The law will move from data being permitted if “not excessive” to effectively minimising the data as it will only be legitimate if the purpose cannot be fulfilled by processing non-personal data.

-          Data processors (people who process data on behalf of data controllers and do not take any decisions in respect of the data) are currently not subject to the data protection requirements. They are only caught under contract law when data controllers (as they are required to do) enter into a written agreement with the data processor to contain certain safeguards. That will change. Under the new regime, data processors will have specific direct obligations to maintain security of data under the law.

-          Data controllers will generally not be able to charge data subjects for data subject access requests.

The proposals will be sent to the European Parliament and the Council of Ministers for discussion, and will take effect two years after they have eventually been adopted.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “This proposed law makes depressing reading. The Commission has trumpeted the ease of cost to business, but such a statement totally ignores all the other increases in regulation that this law would introduce. On balance, this will involve much more red tape for business to have to comply with. At a time when SMEs need a helping hand to grow and help to rescue the EU’s economy, this development is not going to be welcomed. Instead of considering SMEs’s legitimate interests, the Commission seems to have been too focused on protecting EU citizens against big US Internet businesses.

“The one plus side is that the new data protection law will be implemented in one consistent way across the whole EU; the major downside, though, is that it will involve much stricter obligations than businesses currently face, including tougher internal programmes and records and quick reports to the regulators and data subjects of data breaches. And there will now be much bigger fines for breaches. Let’s hope some of the provisions are softened before the law is passed.”

The guidance advocates a cookie audit to identify the cookies used, distinguishing between session, persistent and third party cookies, look at how privacy-intrusive each cookie is and how clear information is provided to users.

The ICO has also given further guidance on obtaining consent. It says that website operators should have minimal use of cookies until users have consented. Implied consent is not a viable option at the moment, but as users become more aware of cookies, that could be used. It also advocates contractual obligations between third parties and website owners governing the collection of consent for the third party cookies.

The ICO’s report and the guidance can be found here:  http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.

In her statement, Reding said consumers should be more “empowered”. She also issued a warning that cloud computing service providers would face stricter provisions. Cloud computing refers to the making available of software and data on a network such as the Internet rather than on the user’s own servers.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “This statement will send shockwaves through businesses. Currently, there are a number of grounds on which organisations can process data. They include if it is for their legitimate interests and it does not cause the data subject unwarranted harm. The statement is short so something may be lost in the translation, but at face value it suggests that the only grounds for processing data will be with explicit consent and that consent must be given in advance. That could prevent many businesses from functioning efficiently if they need to obtain explicit consent first every time.

“The new laws will also look to address the problem of social media site users saying something embarrassing and then never being able to remove it later, leaving them in an awkward position when a prospective interviewer checks them out on the web before a job interview. There has not yet been any clarity over users’ position when someone else posts a comment, photo or video clip about them on the web without their consent – if someone is featured in someone else’s posted content, will the subject be able to pull it?

“Further, the statement issues a warning for cloud computing service providers, but does not give any indication about how exactly their businesses may be affected.

“Overall, the statement leaves more questions than answers and is not particularly helpful for businesses looking to plan ahead to the new regime. They will have to watch this space over the next few weeks to see what the impact will be.”

The statement can be found here: http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&type=HTML.

The High Court has sided with the previous owners of the pharma business. Applying the principles from landlord and tenant cases in relation to interpretation of the phrase “not to be unreasonably withheld”, it said:

• The burden had been on 3M UK to prove that the refusal of consent was unreasonable.
• The sellers did not have to show that their consent was justified – only what someone in his position would reasonably have done in the circumstances. It was no surprise that the sellers had viewed 3M UK’s statements and profit projections with scepticism and it was reasonable for them to expect far clearer evidence of future figures.
• In deciding what was reasonable, the sellers only had to consider their own interests in earning as large a payment as possible. This was the case unless the benefit to one party was so disproportionate to the detriment of the other.
• The sellers did not have to balance their interests with anyone else’s in coming to that conclusion.

The High Court agreed with Playup’s claim. Givemefootball’s failure to deliver to the number of opted-in recipients amounted to a repudiatory (or fundamental) breach of contract. Playup was entitled to walk away from the contract. Buying in data did not satisfy the requirement to supply “opted-in” recipients. Although the agreement did not specify what a user should have opted-in to, it must have meant that they would have opted-in via the PFA website. The whole point of the agreement was to give Playup football access to the avid fans who were involved with the PFA Fans Awards rather than anyone who liked sport and could have come from another source, in order to maximise the chances of getting a positive response. Otherwise, Playup could have used its marketing budget for a cheaper and less targeted advertising campaign, such as through Google. “Targeted” had to mean just that and the other wording used in the contract reflected that purpose. The inclusion of the words “owned or controlled” by Givemefootball in relation to the databases was the result of careful drafting and did not infer bought in data.

The High Court added that the contractual requirement for data subjects to have provided prior consent to Givemefootball to receive direct marketing from Playup meant that the consent would have had to be made to Givemefootball rather than a third party data seller and the individual would have consented to receive the direct marketing from Playup or a class of which Playup was a member.

A lot of business is done in relation to marketing and promotional campaigns. Where one party agrees with another to run a targeted campaign, this decision makes clear that the campaign must be just that: targeted. That does not allow for buying in data from third parties to supplement the numbers, unless this still makes the campaign just as targeted.

The Article 29 Working Party’s opinions are not legally binding and they only represent the body’s own interpretation of data protection laws. However, they can be very persuasive and should not be ignored. It will be interesting to see what changes are made by the UK’s regulator, the Information Commissioner’s Office, to its stance on consent following this opinion. This can potentially affect a lot of businesses, particularly Internet ones.

The Article 29 Working Party opinion can be found here: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf.

It is an offence under the Data Protection Act to knowingly or recklessly obtain personal data without consent. The data was important to T-Mobile and its competitors as it contained details of names, addresses, telephone numbers and customer contract end dates. This is the first time the Information Commissioner has sought a confiscation order under the Proceeds of Crime Act. That is where an order is made to deprive the wrong-doer from any benefit he has received from the crime.

The Information Commissioner has hailed the result in this case as marking a new chapter in deterrents against misuse of personal data. This case proves that there will be an audit trail and his office will try to find what has happened to it, and will take appropriate action, according to the Commissioner. The fine is the largest ever for employees who have stolen personal data for their own gain.

In this case, the owner and licensee of the CTM for the word ‘STUNNING’ in relation to perfumes issued proceedings for trade mark infringement arising out of unauthorised use of the mark, and the High Court had to consider the CTM Regulation. The CTM Regulation states that CTM assignments have to be in writing, but does not specify any formalities in relation to CTM licences.

The High Court ruled that, if the owner provided its consent, the licensee could bring proceedings for infringement. The High Court also ruled that, in this case, an infringement of the CTM had taken place. The position in respect of the EU-wide CTM contrasts with what happens when a UK-only registered trade mark is infringed – in that case, the licence has to be in writing before a licensee can take action.

Geo-location services involve any services related to the actual location of a particular device, and the people linked to that device. The services may be used in any number of growing ways, such as for tagging where a photograph was taken, providing useful information for users as to where a local service such as a restaurant is located, recovering lost or stolen items, identifying where children are or whether friends are nearby. Geo-location data can be gathered in a number of ways, such as through GSM base stations, GPS, WiFi and RFID readers.

The Working Party’s findings are particularly strict and may affect a range of different types of organisation, from network operators to controllers of geo-location infrastructure (such as WiFi access points), to application providers, through to social networking sites that provide location-based functionality for mobile devices. The Article 29 Working Party’s opinion is not legally binding, but it is best practice to do so as it is the body of the European Union’s data protection regulators and so it strongly indicates how the regulators will interpret compliance with data protection legislation.

The change reflects EU legislative changes, but after considering the issue over the last couple of years, the Government has suddenly given website operators the news that they had been dreading just before the 26 May deadline: it will not be enough to obtain consent automatically on a general basis through their users’ browsers; other steps will be needed.

This has led to concerns as to how it will affect the user-friendliness of sites. But the law is clear – consent is needed. How to show consent is not clearly set out in the new law. The Information Commissioner’s Office has provided some guidance with suggestions. The type of consent the user must give will vary according to what the cookie contains, at what point in the process it is placed and also according to what the user may already have agreed to.  See here. However, the guidance does not give totally definitive answers.

We have already been advising clients on how to comply with this new law and have come up with some practical suggestions of our own. If you would like to obtain our advice, please contact us on mark.weston@mablaw.com or paul.gershlick@mablaw.com.

UPDATED 26 May: The Information Commissioner stated on 25 May, the day before the law comes into force, that although the law will still come into force on 26 May, his office will not take enforcement action for the first year following implementation against a site not obtaining consent to its use of cookies, provided that the site still provides clear information on the cookies used and it uses a brower-led solution by 25 May 2012.  In the meantime, the Commissioner will be working with Internet browser providers to find a technical solution so that browser-led consent can be provided within that timeframe. 

If websites can obtain consent through other means in the meantime, that would still be preferable, particularly as some people may not access a website through a browser and they would still need to give consent to cookies.

M-Tech’s objection here was that Oracle had conducted its business in a way in which it was not possible for traders to ascertain whether the goods had originated inside the EEA or outside. In particular, it had deliberately chosen not to make publicly available its database of product serial numbers – and those could have identified where the goods had been first marketed.

The High Court had awarded Oracle summary judgment but on appeal the Court of Appeal agreed that M-Tech had an arguable case. It thought that it was possible that Oracle’s actions amounted to an artificial partitioning of the European market, contrary to the Treaty on the Functioning of the European Union (previously the EC Treaty), with the aim of maintaining price differences in each country rather than any legitimate wish to protect its brand. The Court of Appeal did not award victory to one party or the other, but said that M-Tech’s arguments warranted a full trial and the case should probably end up being referred to the European Court of Justice to make a ruling.

The High Court ruled that Umbro had breached the licence by allowing Dick’s to dip into the off-field market. However, it also agreed that Hudson Bay had breached the licence by doing likewise the other way. The Court of Appeal has now agreed with the High Court’s ruling. The reasoning turned on pockets. FIFA (the regulatory body) had regulations which said that on-field clothing could not have pockets; in contrast, off-field clothes generally did have pockets. There were other differences such as the size of logos, but that was the main distinguishing design difference. Hudson Bay argued that it had asked for authorisation to stock a design without pockets, which had been agreed to by the head of Umbro’s US subsidiary. However, that person did not have actual or ostensible authority to bind Umbro UK, which was the party to the licensing agreement. That lack of authority was borne out by other surrounding facts in the case, such as the delay in executing the original agreement which had been negotiated by Umbro US so that Umbro UK people could sign it.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: ‘This case is interesting because of the sporting subject matter. But it raises another more serious point. When someone wants to get something approved or agreed by the other party in a contract, they should ensure that the individual they are dealing with has authority to bind that other party. Where in doubt, this should be checked with a board director.’

The CAP Code is a code of practice governing the content of adverts and marketing communications, and it is administered by the ASA. Although the Code does not have legal force, it is best practice to comply with it, as failure to do so can result in bad publicity and ultimately an inability to obtain advertising space. The ASA here ruled that KMC must not use the advert again and should ensure it had people’s approval for products allegedly endorsed by them.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of www.Upload-IT.com, comments: ‘This seems the correct result. It follows on from the Eddie Irvine case a few years ago which established image rights, when the racing driver was awarded £25,000 by the Court of Appeal after talkSPORT had featured his photo superimposed with a radio containing talkSPORT’s logo without his permission. This latest ruling shows that the ASA will also take action to stop the practice. In addition, it may now be possible for traders conducting misleading practices to be prosecuted under the Consumer Protection from Unfair Trading Regulations.’

In this case, Sun accused M-Tech of buying Sun’s products from China, Chile and the US and selling them in the UK without Sun’s consent. It therefore sought summary judgment against M-Tech. M-Tech raised a number of arguments.

The High Court dismissed M-Tech’s arguments and sided with Sun, awarding it summary judgment. It said M-Tech’s arguments had no real prospect of succeeding at a full trial. The judge was satisfied that the goods were first put on the market outside of the EEA and M-Tech had not produced any evidence to support its suggestion that they had been subsequently imported into the EEA with Sun’s consent.

M-Tech also raised another interesting legal argument, which was dismissed by the judge. It claimed that Sun’s distribution agreements which protected its trade mark rights infringed EU competition law and were therefore prohibited as they carved up the market. Sun was prepared to accept that its agreements may have infringed EU competition law, but argued that there was no connection between any such breach and its ability to enforce its trade mark rights. The judge was willing to accept Sun’s argument that the disappearance of any sort of secondary reseller market for Sun’s equipment was not because of its network of illegal agreements. Therefore, in the judge’s view, there was no real prospects of success between M-Tech’s argument that Sun should not be able to enforce its trade mark rights on EU competition law grounds.