Certain aspects of the issue have been considered most recently in England and Wales by the High Court in Interflora Inc v. Marks & Spencer Plc [2009] EWHC 1094 (Ch) which concerned the purchase by Marks & Spencer of Google AdWords including not only the term ‘Interflora’, but also a number of combinations of ‘Interflora’ with a descriptive term (such as ‘flowers’, ‘delivery’ or ‘online’) some misspellings and variants (including ‘Inter flora’ and ‘Intaflora’), and Interflora’s domain names (www.interflora.co.uk and www.interflora.com). Therefore, when the search term ‘Interflora’ (or any of the variants purchased by M&S) is entered into Google, ‘M&S Flowers Online’ appeared as a sponsored link:

 
 
The European Court of Justice has since issued the preliminary opinion of Advocate General Poiares Maduro in the joined cases of Google France v. Louis Vuitton Malletier, Google France v. Vaiticum Luteciel and Google France v. CNRRH (joined cases C-236/08, C-237/08 and C-238/08)(28 September 2009)(the ‘Google France cases’). Advocate General Maduro concluded that Google did not infringe trade mark rights when selling AdWords or when sponsored links appeared alongside organic links following a Google search. He also concluded that Google cannot be regarded as providing an information society service within the meaning of Article 14 of the Directive on electronic commerce (Directive 2000/21/EC) since if AdWords displays results based on the commercial relationship with advertisers then it is not a neutral information vehicle which would fall within the definition of hosting under Article 14. The distinction between sponsored links and organic links was that, for natural search results, Google did not have any pecuniary interest in bringing any specific site to the searcher’s attention.

However, the Attorney-General’s opinion that Google’s selling of AdWords to potential competitors did not infringe trade mark rights is not fatal to Interflora’s case since it has a number of important distinctions. First, Google has a different policy in the UK from that which it operates in the rest of Europe. It used to be the case that a trade mark owner could notify Google that it had registered a particular word as a trade mark. Google would then block that word from being purchased as an AdWord without the permission of its owner. However, since 5 May 2008, Google’s policy for the United Kingdom and Ireland, but not for other EC member states, ceased blocking keywords registered as trade marks. The effect of this is that, within the UK and Ireland, parties may bid for AdWords registered as trade marks unfettered, including for use in relation to goods or services for which such trade marks are registered. Interflora expressly questions whether a search engine provider should not allow trade mark owners to block competitors bidding on their brands. In the High Court, Arnold J commented that:

A cynic might suggest that the explanation for this [Google’s policy] was a calculation…that the courts in the United Kingdom and Ireland interpret trade mark law more restrictively (that is to say, less in favour of trade mark owners) than courts in other member states.

Second, unlike the Google France cases, the Interflora action is brought against M&S, its competitor, and not the search engine. The Google France opinion does not deal with competitor bidding, but instead focuses on customer confusion which is not at issue in Interflora. Finally, the Advocate General’s opinion is precisely that: it is not guaranteed that the ECJ will follow it and it has no binding legal authority on the UK courts. It is for the UK courts to decide whether Interflora’s rights have been infringed.

The immunities in Articles 12 to 15 of the e-commerce Directive concern the exemptions from liability of intermediary service providers in relation to caching, hosting and acting as a ‘mere conduit’ of information. Yet, the provisions of the Directive were drafted with the content delivery model of the late 1990s in mind: the creation of software and content which was hosted, updated and distributed. This does not sit easily with the so-called Web 2.0 intermediaries who exploit both client- and server-side software with content syndication to deliver information storage, creation, and dissemination capabilities to users. Web 2.0 technologies are shifting the Internet from a traditional goods and services marketplace to a user-centred and user-driven environment. The new class of intermediary includes sites such as eBay, Facebook, Wikipedia and YouTube as well as search engines. This is mirrored by a shift from an online advertising model whereby companies deliver content based on a CPI (cost per impression) model or targeted online advertising on sites enjoying high traffic to companies who provide targeted online advertising based upon specific user data, such as browsing history or contextual relevance between a particular brand and the recipient website.

There is, then, a current absence of legal clarity in cases concerning the display of targeted advertising which might, on the face of it, infringe the rights of competitive brand owners. As a result of this legal uncertainty, the serving of advertisements which are based on behavioural marketing and which deliberately aim to exclude (or certainly to marginalise) the owners of competitive brands would seem set to continue, at least until the ECJ considers the queue of related cases coming before it (Portakabin Limited and Portakabin BV v. Primakabin BV; Die BergSpechte Outdoor Reisen und Alpinschule Edi Koblmuller GmbH v. Gunter Guni and trekking.at Reisen ; Bananabay) and manages to provide a level of certainty and harmonisation across the EU which is currently lacking. It may also finally review the system of immunities within the e-Commerce Directive in the light of the technological advances and consumer behaviour patterns of the past ten years.

Dr Stefan Fafinski, IT expert of Invenio Research Limited (invenio-research.co.uk) and Simon Halberstam of Sprecher Grier Halberstam LLP, Solicitors (simonh@sghlaw.com) (weblaw.co.uk)

This statutory instrument, which came into force on 31 October 2000, is designed to protect consumers from abuses particular to distance selling.

With certain exceptions it applies to any contract between a business and a consumer which is not made face to face. Although the European Directive on which the Regulations are based was originally formulated with mail order and telesales in mind, the Regulations are likely to have most impact on B2C (business to consumer) e-commerce.

Information requirements 

You need to provide certain information to consumers before they enter into a contract with you including:

• your name and, if the consumer pays in advance, your address,
•  a description of the goods or services and the price,
• delivery costs and arrangements for delivery,
•  how long the offer or the price will remain valid,
• the existence of a right to cancel and who will be responsible for returning the goods, and
•  if appropriate, the length of time that the contract will remain in force (for example, if services are being provided over a period of time).

 Certain information (including all the above) must also be confirmed in writing in ‘durable form’ and there is some question as to whether this includes fax and email – the DTI certainly seem to think so. In addition to the above the written confirmation must also state details of any after sales service or guarantee and how a contract with no particular end date (such as telephone, gas or electricity supply contract) may be terminated by the consumer. These details can appear in a catalogue or an advertisement but more usually would appear in the standard terms and conditions provided before the contract is concluded. Updating your existing standard terms will be vital to ensure compliance with this provision.

If a consumer is telephoned at home by a business the caller will have to identify who it represents and the commercial purpose of the call at the beginning of the conversation.

Consumers’ cancellation rights 

Consumers also have a ‘cooling-off period’ of 7 working days in which they can cancel the contract without penalty. The period commences on the date of receipt of the goods or, in the case of services, the day on which the consumer agreed to proceed with the contract. However, if at that point the information requirements (see above) have not been complied with, the period of 7 working days commences when the information has been provided to the consumer or at the expiry of three months from delivery whichever is earlier.

If the consumer exercises the right to cancel it must make the goods available for collection (they are under no obligation to return them) and a full refund must be provided within 30 days of cancellation. It seems that the obligation to make goods available and the right to a refund cannot be linked. Therefore, if a customer has failed to allow a business to collect items, the business may still be required to provide the refund. The customer is obliged to look after the goods between cancellation and collection.

The only charge the business can make is a sum equivalent to the direct costs of recovery of the goods provided a term in the contract requires the consumer to return the items and he or she has failed to do so. An update to your terms and conditions could prove useful in this area.

If the contract is cancelled, any related credit agreement will be automatically cancelled at the same time.

There are certain contracts which cannot be cancelled such as contracts for the sale of software, CD-ROMs and videos once unsealed by the consumer and newspapers, periodicals and magazines (although, interestingly, not for books which would seem to leave the cancellation rights open to abuse against booksellers). Also the sale of perishables such as flowers is exempted as are items which cannot be returned such as electricity and items which are made to the customer’s specification.

Payment cards 

Where a consumer’s payment card is used fraudulently in connection with a contract concluded other than face to face the consumer is entitled to cancel the payment. If the payment has been made, the consumer is entitled to a refund. This removes the existing potential liability of the consumer for the first £50 of loss caused by fraudulent use of a payment card which exists under the Consumer Credit Act 1974. This now only applies to face to face contracts.

Performance of contract 

Unless agreed otherwise the contract must be performed (e.g. goods delivered) within 30 days and, if this is impossible, the consumer is entitled to be informed and to receive a refund. Any related credit agreement will then be cancelled. The business may be able to substitute other goods and services of equivalent quality and price for those which are unavailable if the contract with the consumer so provides.

Again scrutiny of your standard terms should be undertaken in view of the ability to mitigate the effect of this provision.

Inertia Selling 

Where unsolicited goods are sent or services are provided to a consumer and the goods or services are not provided in respect of the consumer’s business, that person may use or deal with them as though they were a gift. The rights of the sender are extinguished and it is an offence to demand payment for the goods or services. This pretty much restates existing law save that an offence of demanding payment for unsolicited services is created.

Exemptions 

Not all contracts fall within the ambit of the Regulations. These ‘excepted contracts’ include contracts concerning the sale and purchase of land, auctions, financial services, vending machines and pay-phones. Other types of contracts are exempted from certain regulations, for example contracts for the supply of food, drink, accommodation, transport and leisure services.

Enforcement 

Fortunately, the original proposal that breach of certain of the Regulations would constitute a criminal offence has now been dropped. However, particularly in the case of the compliance with the information requirements, businesses will ideally want the ‘cooling-off period’ to begin and end as quickly as possible and it is important to ensure that these requirements are complied with. The Director General of Fair Trading has the task of investigating complaints and enforcing the provisions of the Regulations – through use of injunctions, if necessary.

What businesses should do next 

The terms and conditions applicable to consumer contracts must be considered to ensure that they comply with the information requirements. If they do not, all distance contracts you enter into will be capable of cancellation for a period of three months from delivery of the goods or performance of the services.

Consumers cannot be asked to contract out of their rights under these regulations save where specifically provided. The effect of the Regulations can be mitigated in certain respects (as indicated above) by an update to your terms and conditions.

The full text of the regulations can be found at the HMSO website and advice is also provided on the DTI’s website.

For further information, please contact Simon Halberstam  (direct dial 0207 264 4500, email simonh@sghlaw.com)

Useful addresses:

HMSO: www.legislation.hmso.gov.uk (now Office of Public Sector Information)

 DTI: www.dti.gov.uk (now Department for Business Enterprise & Regulatory Reform) 

 Title: Consumer protection (Distance selling) regulations 2000

In force: 31 October 2000

Application: with certain exceptions the Regulations apply to any contract between a business and a consumer which is not made face to face (mail order, e-commerce, telesales).

Key Provisions:

• certain information must be provided to consumers before entering into a contract such as your name, address, price, delivery details etc;
•  this information must also be confirmed in durable form – writing, email (possibly) and fax; 
• consumers have a right to cancel a contract during a 7 working day cooling off period and, upon cancellation, a full refund must be given;
•  contracts must be performed within 30 days (e.g. goods delivered) unless certain exceptions apply.
•   You should consider your terms of business with consumers to ensure compliance with the Regulations.

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice

Please note the Law may have changed since publication of article.

Data is king. However, to commission its collection is often unviably expensive. The internet offers unlimited potential for harvesting data that others have compiled but is this legal?

There are various legal issues to consider focussing particularly on Copyright and Database Rights. Most of you will be fully conversant with the concept of copyright. Database Right is a new species of intellectual property which came into existence in 1998. It protects investment in obtaining, verifying and presenting the contents of a database as opposed to the intellectual effort in creating it. Such intellectual effort continues to attract copyright protection. Thus, Database Right subsists independently of but complementarily with copyright. It also overlaps with the law of confidence.

Website Owners’ Rights

It is probably illegal to gather and to make available to the public in the UK (or elsewhere in the EU) data obtained by spidering or screenscraping others’ sites in the UK/EU without the owners’ consent.

I insert the qualification “probably” because databases are only protected by database right to the extent that the person claiming the right made a significant investment in obtaining, verifying or presenting the data. The European Court has held that investment in creating data (as where a sporting fixture list is created) does not qualify. However, I would expect that most trading websites do make a significant investment in obtaining, verifying or presenting the data (as interpreted by the European Court). You should also bear in mind that databases are also protected by copyright to the extent that the selection or arrangement of the contents is original.

Some people argue that because a particular website is in the public domain, consent could to harvest the content could be inferred. However, by analogy with decisions on goods sold under trademarks, I think that merely putting information on the internet would not be regarded as consenting to its reproduction using scraping or similar technologies. There would have to be a clear indication in some form that the owner of the website consented.

Acquiescence can provide a defence, but for it not to be infringing, the owner of the rights normally has to do something positive to encourage the screen-scraping and the person doing it must rely on the encouragement.

Posters’ Rights

If you are contemplating harvesting content from someone else’s website, you need to consider not only the rights of the website owner but also the rights of anyone who has placed a posting on a website as it is possible that the poster might be able to object if its original text or graphics or branding are reproduced without its consent. The poster may own copyright in the content it has posted if the posting contains original text or graphics created by that person (or in which copyright has been assigned to that person). That person will also normally own any trademark rights in its branding if this is included. However, the operator of the website will normally own database right in the collection of postings, and this right is infringed if a “substantial” part of the collection is made available to the public or transferred from one medium to another in the UK/EU without its consent. The substantial part test can satisfied by a one-off substantial transfer or a bit at a time if done repeatedly and systematically. The website operator may also own copyright in an original selection or arrangement of the contents of a database.

Thus, you need to take into account the potential for legal action against you by either the owner of the website and/or anyone who has posted content on that site which you then harvest.

Of course, the situation is different if you obtained the express consent of the operator of the website on which the material was originally posted. There could however still be an infringement of the posters’ rights as discussed above and also of data protection legislation (i.e. legislation protecting personal data) if the data scraped contains personal details relating to living individuals and such personal data are held or transmitted without their consent.

Further Information

Hopefully, this article will have helped you to determine your legal position. However, if you have a specific problem, please send us a message, call us or visit us at our London offices

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

Before we consider the particularities of the online world, we must take a step back and examine contractual formation in the offline world which is the background against which the relevant rules which have now been applied to the online world were established.

The Offline World

In the traditional world, it has long been clear when a contract has been concluded. It is when both parties put their pens to the signature section of a physical document which sets out the agreed terms. It is true that a contract may be concluded orally but if either party subsequently denies the existence of the contract, there are often enormous evidential problems in establishing that the agreement actually did come into place.

Before we consider the impact of the Internet on the contractual process, we need to consider the legal components which enable a contract to come into existence.

The 4 Contractual Components

There are four such elements. These are consideration, the intention to create legal relations, offer and acceptance,. The concept of consideration really means that each party should derive something beneficial from the transaction, hence if I offer to give you my car as a gift, I derive no consideration. The second element, namely the intention to create legal relations may be passed over swiftly as this is usually understood to exist by virtue of the fact that the parties are in negotiations. This leaves us with the essence of the conract; offer and acceptance.

Offer or Invitation to Treat?

By way of example, an offer is made when one party proposes to another that it should buy a particular item on particular terms, including the precise nature of the item, the price to be paid, the mode of delivery and the date of payment. An offer must not be confused with an invitation to treat. The latter is an intimation by one party to another that it may be willing to do business in relation to a particular article on particular terms and that the other party, if interested should make the first party an offer in relation thereto. This can be a very subtle distinction but is, from the contractual perspective, a crucial one. For example, perverse as it may sound, if you go to the check-out in a supermarket with a basket full of items of food and drink, the person at the check-out, if he/she were very well informed about the nuances of the law, would be fully entitled to turn you away and inform you that the supermarket does not wish to accept your offer for those items. Indeed, the items that you see with price labels on the supermarket shelves are deemed by the law to constitute invitations to treat not offers and therefore not capable of acceptance by the customer. In summary, you cannot accept an invitation to treat and thereby conclude a contract.

Acceptance – when does it occur and what are the effects?

This brings us on to the final element, acceptance. Let us assume that there is a proper offer on the table. For example, A offers B to sell him his car for £10,000 p.a. plus delivery costs of £250. Let us also assume that this offer is acceptable to B. The question then arises of how B can accept this offer. Again in the traditional environment, this would usually be achieved by both parties signing a document containing those and other relevant terms or, possibly by an exchange of correspondence. The moment of acceptance would generally determine not only the time the contract was entered into but also, if nothing contrary were stated in the terms of the contract, the nationality of the laws that would apply to the contract and the jurisdiction that would be the appropriate forum in which any disputes would be adjudicated. This can become very important if the 2 parties are in different countries with different legal systems. Most contracts avoid the risk by expressly stating the choice of law and jurisdiction. Readers should note the difference between an acceptance and a counter-offer. For example, if in response to A’s offer above, B were to write back and say, “yes I accept your offer to sell me the car for £10,000 including delivery, that would not constitute acceptance as the terms are not identical and therefore at this point no contract would enter existence.

On-line Acceptance

With the advent of the online world, the law of contract has not altered; rather it has had to apply the existing concepts to a new medium. There are two mainstream ways of concluding a contract online.

By Email

The first is by way of exchange of emails. This is similar to the exchange of physical correspondence. As long as the email of acceptance does not vary the terms set out in the email of offer, a contract will be concluded by the second email. However, questions can arise as to when the acceptance is valid. This is especially so when there is a limited supply. For example, what happens if a computer company has a total of 5 PCs to sell and sends out emails to all of its clients on 2nd January notifying them of the PCs and their price. If 6 of the company’s customers send emails of acceptance on 3rd January, which customer loses out? In the offline world to cover the equivalent situation, the first letter to be posted is the one which is deemed to be the successful acceptance even if it happens to arrive on the desk of the offeror after the other letter has already arrived. In the online world, it has not yet been unequivocally determined as to what constitutes the equivalent of posting in a letter box – is it the moment of transmission of the email, the moment it arrives in the addressee’s inbox or the moment that the addressee opens that email. The particular circumstances will usually dictate the answer. To avoid doubt, the company should specify in its terms and conditions how, in the event of competing emails of acceptance, it will determine which email has been deemed to arrive first.

By a Website

The other method of concluding an online contract is via a website when you go onto a website, select certain items and proceed to the checkout. The issue discussed above as to whether the display of certain items on a website constitutes an offer of invitation to treat or offer is also relevant to the website environment as Argos and other retailers who have made mistakes in the prices advertised on their website have discovered. In order for a company to run a proper e-commerce operation, it needs to ensure that its terms and conditions are property adapted to the online environment, that potential clients have sight of the terms and conditions which will govern the contract before conclusion of the contract and that it constructs its site in such a way as clearly to indicate whether the site is an offer capable of acceptance or an invitation to treat which is not. The acceptance will generally be by way of a click on the word “accept”. “Clickwrap” acceptance has now been granted similar status to the offline signature although, understandably, evidentially, the former is still preferable.

The SLA must also set out the maximum credit available in respect of any period and that the service credits cannot give rise to a refund or credit against fees due under any other agreement in place between the parties.

Summary

To conclude a valid online contract on the legal basis that you wish, you must ensure that the terms and conditions:

• are clearly displayed on the website or integrated into the exchange of emails;
• have been adapted properly to the online environment – certain changes are necessary to reflect legislation which only applies to online transactions;
• clearly set out whether the site constitutes an offer or invitation to treat;
• what will constitute valid acceptance.

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

“Most businesses shelling out their hard-earned marketing budget on a pay per click (PPC) campaign want to know that they can rely on the statistics they are provided with. After all most newspaper and magazine circulations are independently audited. However you may only have someone elses word to take for it on a PPC campaign.

An advertisers claim that ‘we regularly get 10,000 hits per week’ for example could amount to negligent or fraudulent misrepresentation, and in any case may well not tell the whole story. But how will you ever know?

If possible, such claims should be independently audited. If not then before investing your money you will need a clear understanding of how the statistics are collated and what they actually mean. The more money you are investing, the more care and attention you should take over the wording of the contract that you enter into and you should consider implementing a contractual mechanism for resolving any disputes effectively.

In the same way that dodgy pop-bands may tour the Record Shops buying their own single in order to boost their chart rating, the number of clicks may be fraudulently boosted to your cost. You may therefore want to be able to check whether repeated clicks have come from the same place to see if this is happening.

We all know the phrase ‘Lies, damn lies and statistics’. Even when the campaign provider is entirely honest, you may still walk away dissatisfied by the campaign, without necessarily any legal recourse. It’s worth taking up references from other clients who have used the same PPC campaign provider, and see how happy they were with it and how it worked for them.”

Download this article as a PDF

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

Email Data Security:

If your job is to maintain the security and integrity of your organisation’s network, a detailed knowledge of the Data Protection Act and related legislation is a boring but necessary part of the job for many of my clients.

Legislation can really only recommend the basic principles and the world of IT will inevitably develop more quickly than the legislation underpinning it. The challenge for network security specialists developing new systems and solutions is to work within the letter and spirit of the legislative framework.

For most businesses regulatory compliance is inextricably linked to the commercial need to maintain secure networks. For example, if a credit card company failed to maintain network security, it would expose itself to the major fraud and legal claims which could cost millions of pounds.

Storage of Data and Liability:

The importance of backing up data must have been brought home to many of us by the experiences of businesses large and small in New Orleans, many of which no doubt will have suffered a devastating loss of data following Hurricane Katrina.

If anyone has any doubt about the importance of backing up data, it’s worth bearing in mind the following points from a legal perspective:

As a general rule legal actions may be brought within six years of the act or omission complained of. Liability can attract not only to the company itself but to the directors or even in some cases the main share holders.

Under the DPA, ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes of which they are processed’. There’s also an obligation to keep the personal data up to date. In other-words you should have a rigorous system in place to ensure for example that your ancient data files only contain relevant, adequate and up to date personal information.

The DPA states that “appropriate technical and organizational measures shall be taken” to safeguard personal data. This is something that many businesses abjectly fail to do. As a result, credit card numbers, membership lists and other personal data have occasionally become publicly accessible on the web. From a commercial point of view, lose that data, and you may not have a business at all.

Download this article as a PDF

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

If you phone Australia for an hour long chat with Aunty Doris, you know that you will be paying for the privilege. On the other hand, if you’re blithely using the internet to download the next episode of ‘Lost’, you may be in for a nasty surprise when your next bill plumps onto the door mat (or in tray as the case may be).

We may all like surprises, but not when it comes to paying our bills. The essence of keeping customers happy is to ensure that they clearly understand what they are spending on the service they subscribe to. Broadband providers who fail to learn this lesson will quickly lose their market share to providers more attuned to the needs of their consumers.

There is going to be a huge slice of the population whose use of broadband will not extend beyond sending the odd photo by email attachment and who will never exceed their monthly data cap. Others (and you know who you are) are in the fast line on the information superhighway. You wouldn’t expect a turbo-charged Reliant Robin, and the same goes for your choice of broadband. In other words you pay for what you get. If you want a service that’s sleek and mean, that’s what you should go out and find.

That being said, if you shop around you can expect to pick some good broadband deals. We should be prepared to change our internet provider regularly. If providers do have to apply data caps, then arguably they should at least warn you when you exceed your cap. If the cap doesn’t fit, don’t wear it.

Download this article as a PDF

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice. j

Regulatory Powers and Code of Practice

Please note the Law may have changed since publication of article.

We live in a world where our personal details are beknown to an ever-increasing number of people. Just look at the amount of mailshots that land on your doormat every day. Much of this information is obtained and/or used illegally being contrary to the Data Protection Act 1998 (”the Act”). The data protection regime is administered by the Information Commissioner and based upon 8 principles set out in the Act. Obviously, complete confidentiality is an unrealistic goal but there must be limits on what use can be made of our personal details and by whom. In this article, we will consider employers and regulatory authorities, two categories of entities who, subject to certain limits are entitled to ascertain, retain and use certain personal data.

Employers’ Rights

The Information Commissioner is issuing guidance on the Data Protection Act by way of codes of practice (”the Codes”). Part of the Codes has already been issued and some is in draft format. The Codes regulate employers’ rights and practices in relation to the personal data which they hold relating to their personnel. Employers must ensure that monitoring of employees complies with the principles set out in the Act.
In brief, any surveillance of employees’ activities in the workplace must fall into one of the approved categories and, ideally, should have been accepted, in advance, by the employee by way of signature of an email and internet use policy issued by the employer. Monitoring must be for a specific purpose, be “fair and lawful” and not involve the retention of more data than is appropriate. The employer must not retain the data for a period in excess of that necessary to serve the purpose and must do its best to ensure that the data is accurate.

The fifth Principle of the Data Protection Act 1998 states that “Personal data shall not be kept for longer than is necessary”. Earlier this year, the Information Commissioner published part 1 of her Codes catchily entitled “Information Commissioner’s Employment Practices Data Protection Code Part 1″. The guidance notes considers the question of retention of records in the context of Employment situations but does not specify a fixed period after which data must be destroyed. This, obviously only deals with employee data.

Employers would be well advised to make sure that their internet and email policy closely follows the various codes issued by the Information Commissioner. Any departure from the Act and codes may infringe the employee’s right to privacy (including correspondence in the workplace) under Article 8 of the Human Rights Act or otherwise expose the employer to various claims, the most common of which are usually based on alleged discriminatory conduct or, if the employee is dismissed, unfair dismissal.

Employers should remember that where the activities of their employees are illegal, it is nearly always the case that, as employers, they are responsible for the acts and omissions of their employees even if the employees are not acting in accordance with the specific instructions of their employers.

Regulatory Surveillance

A. S.22(4)of the Regulation of Investigatory Powers Act 2000, empowers “designated persons” to demand communications data from network or postal operators. The fundamental aim of this is to obtain data which may assist to stop organised crime. An important distinction has been drawn between the interception of communications data and communications content. Access to Communications Data is carried out under an exception to the Data Protection Act 1998. “Communications Data” is defined very broadly as “any traffic data comprised in or attached to a communication …..” Access to this data is not limited to law enforcement or intelligence agencies but will also be available, for example, to the Inland Revenue, Customs & Excise, the DSS.

Communications data is also known as “traffic data”. There is no specific definition but it can include information such as:

• senders and addressees of emails
• file size of emails and attachments
• times and duration of phone calls
• location data on mobile phone users
• URL’s of websites visited
• newsgroups accessed; and
• phone no.’s sending and receiving faxes.

Although the National Criminal Intelligence Services wished for up to 7 years of communications data to be retained by Communications Service Providers, the Government’s official position was that mandatory traffic data retention for periods longer than those required for business purposes would not be introduced in the UK. However, the Government’s publicly stated position was belied by its efforts in Brussels to remove privacy protection in the review of the Telecoms Data Protection Directive when the UK government fought against the Directive’s ban on blanket data protection. In any event, the directive effectively allows for long-term retention in cases involving national or public security and the investigation of serious crime. After September 11, the Home Office announced that it would introduce a voluntary code of practice for Communications Service Providers to retain all communications data for up to 12 months with a veiled threat that if this were unsuccessful a mandatory scheme would be introduced.

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice. ]]> http://www.weblaw.co.uk/articles/data-protection-and-the-workplace/feed/ 0 http://www.weblaw.co.uk/articles/transferring-customer-data-abroad/ http://www.weblaw.co.uk/articles/transferring-customer-data-abroad/#comments Sun, 06 Sep 2009 08:23:04 +0000 jonkal http://www.weblaw.co.uk/dev/?p=367

Intra-group transfer of data outside of the EEA

Please note the Law may have changed since publication of article.

Background

Boombust Limited intends to transfer details of all its existing customers to an off shore company within the same group of companies. The final decision as to where this company will be based has not yet been taken but is likely to be Jersey or Portugal.

There are two issues here. First, Boombust is transferring customer data to a third party and secondly that transfer is possibly to be made to a place outside of the European Economic Area (the EU plus Iceland, Norway and Liechtenstein). Although the issues are linked, they are covered by two different principles under the Data Protection Act 1998 (”the Act”).

In this article we have assumed that most, if not all, of the information to be transferred relates to individuals rather than companies and that none of it is ’sensitive data’. This means data about a person’s health, sex life, religion, politics, ethnic origin or membership of trade union.

Transfer of data to a different group company

Information required to be given:

The First Principle requires that Boombust must inform individuals of the processing of their data which is to be carried out, before that processing occurs. Boombust’s terms and conditions do not provide for such transfer. The transfer Boombust proposes is to a third party (despite being within Boombust’s group of companies) and we will assume that the information will not be anonymised before it is transferred. Boombust should inform customers of this proposed transfer before it occurs.

If Boombust decides not to do so, it will be in breach of the Act. However, if such pre-information is not viable, Boombust’s next best option would be for Boombust’s off shore company to inform customers as soon as possible after the transfer. The notification should also set out the processing that it intends to carry out in relation to the customer names. Specific legal advice should be taken in this regard.

Conditions to be fulfilled:

In addition to informing customers of the transfer, the First Principle also requires that one of a number of conditions be fulfilled before the transfer can occur. These include that Boombust have the consent of the individuals to the transfer or that it is necessary for Boombust’s ‘legitimate business interests’ provided this does not cause unwarranted prejudice to the rights and freedoms of individuals.

If Boombust is informing customers before the transfer takes place, it can couple that with gaining their consent at the same time. Depending on the sensitivity of the data being transferred, it may be sufficient to gain opt out rather than opt in consent. Individuals could be allowed to tick a box if they did not want their details transferred. See also below as regards the consent needed under the Eighth Principle.

If Boombust does not intend to inform customers of the impending transfer then, presumably, it would not want to contact them to gain consent. In that case, it will need to rely upon the ‘legitimate business interests’ condition as mentioned above. As this is a new provision under the Data Protection Act (which only came into force at the end of October 2001), there is little guidance as to what would constitute ‘legitimate business interests’. Boombust also needs to weigh up its interest against any perceived prejudice to the rights and freedoms of individuals. Boombust needs to consider the pressing commercial need to transfer this data to a third party and how its business would be affected if it did not do so. Weigh this against the fact that the data will then be handled by a different entity (but within the same group – so that, arguably, there is unlikely to be much prejudice involved) and also possibly outside of the EEA. If Boombust’s off shore company were to produce and observe a comprehensive privacy policy protecting the rights of individuals, it may be that there would be no prejudice for individuals as a result of the transfer. If that privacy policy were group wide then that would assist the argument that no prejudice flowed from the transfer.

If Boombust intended to rely upon this condition, it would probably be advisable that it show, perhaps in a board minute, that Boombust has considered the legitimate business interests (giving reasons) as well as any possible prejudice to individuals and that Boombust has concluded that the prejudice to individuals is slight to non-existent (again, giving reasons).

Transfer of data to a different territory

Portugal

This is within the EU. A transfer to this territory will simply need to comply with the First Principle.

Jersey

Jersey is outside the EEA although it does have similar data protection laws to those in the UK. The Eighth Principle prohibits the transfer of data outside of the EEA unless the recipient country/territory has an adequate system of data protection in force in respect of that data. Jersey does not have an adequate system of data protection.

As Jersey has not achieved adequacy, there are two ways to get around this. First, Boombust can seek the consent of the customers to the transfer outside of the EEA. Boombust will need to tell them where their data is to be sent, what processing of their data will be carried out by the off shore company and also mention that the data protection regime of that territory has not achieved adequacy. Ideally Boombust should obtain opt in consent so that individuals must tick a box to show that they consent to the transfer. If Boombust is complying with the First Principle by informing customers before the transfer takes place and seeking their consent to the transfer, then it can couple this with seeking consent to the transfer outside of the EEA.

If Boombust is not intending to contact all its customers it will need to use contractual provisions to allow compliance with the Eighth Principle. Boombust is allowed to ‘plug the gaps’ of a data protection regime by providing for those gaps in the contract it has with the recipient of the data. Jersey has not achieved adequacy because it has no Eighth Principle – its data protection regime is based on the UK’s old 1984 Data Protection Act which had no prohibition on the transfer of data outside of the EEA. If, in Boombust’s contract with the Jersey company, Boombust prohibits the transfer of any data by the Jersey company to any place outside of the EEA then that transfer will have achieved adequacy.

Other Territories

This is outside the scope of this article. However, apart from Hungary and Switzerland, no countries outside the EEA are deemed to have achieved adequacy in terms of their data protection regime. Thus, any proposed data transfer to any non-EEA territory will require consideration in the light of the data protection regime, if any, in operation there. Other issues to be considered prior to such transfer will include practicality of obtaining consent, legitimate business interests of the transferring company, potential prejudice to rights of the data subjects and appropriate contractual provisions governing the transfer. In the case of transfers to the US, the so-called ‘Safe Harbor’ principles will apply to legitimise the transfer of data if the recipient company within the US (rather than the state in which the company is located) has applied these principles. Specific advice should be sought on these issues.

Further action

The matters Boombust now needs to decide include:

• Will it be contacting individual customers before the transfer takes place?
• If not, what are its commercial needs to make the transfer?
• Is there any prejudice to individuals as a result of the transfer?
• Where will the off shore company be based?

Boombust should consider updating and expanding its privacy policy which, ideally, should be a group wide policy applicable to the processing of data wherever it is held within the Boombust group.

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice. ]]> http://www.weblaw.co.uk/articles/transferring-customer-data-abroad/feed/ 0 http://www.weblaw.co.uk/articles/dangers-of-email-and-internet-use-in-the-workplace/ http://www.weblaw.co.uk/articles/dangers-of-email-and-internet-use-in-the-workplace/#comments Sun, 06 Sep 2009 08:16:45 +0000 jonkal http://www.weblaw.co.uk/dev/?p=364 Please note the Law may have changed since publication of article.

Because employers can be held legally liable for the content of e-mails sent from their premises and for the content of downloads from the internet onto their computers, it is vitally important for companies to ensure that they establish and enforce a policy on the use of electronic communications at work. The policy should set out clearly to employees the circumstances in which they may or may not use the e-mail system and internet access for private communications. Any failure to enforce such a policy, however, could result in two adverse consequences for employers:

1. any policy which is not generally enforced cannot then later be relied upon when instigating disciplinary proceedings for an offence under the policy as it will be the practice rather than the policy which determines whether the monitoring is appropriate; and
2. failure to enforce a policy which involves the monitoring of e-mails and internet access can lead to an expectation of privacy on the part of employees.

It is only if employees do not have a reasonable expectation of privacy that e-mails (and other communications) can be monitored. Further, any monitoring must be proportionate to the risks an employer is trying to avoid. Normally, monitoring e-mail traffic rather than content would be as far as an employer could reasonably go without being in breach of their employees’ right to privacy under the Human Rights Act 1998.

The decision by Ford to give a two week ‘amnesty’ to all its twenty thousand employees in which to delete any offensive e-mails and downloads from their computers, suggests that there have been numerous complaints and perhaps a number of allegations of discrimination against the company. All employees were sent an e-mail which warned against “transmitting or possessing ‘jokes’ of an offensive nature, for example, content of which is sexually explicit, racially offensive or otherwise demeans people on the basis of their religion, disability, sexual orientation”. They were further warned not to return to any banned internet sites as internet access would be monitored.

Ford have made it clear that any failure by the employees to adhere to these instructions will lead to summary dismissal. However, they will need to be very careful to ensure that they stick to their stated policy. Any failure by them to do so could lead to an expectation amongst employees that it is not being enforced and could then lead to a finding of unfair dismissal if any employee is later dismissed for breach of the policy.

© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.