Most Popular Resources

Look, up in the sky! It’s a bird! It’s a plane! It’s a Drone!

From self-repairing cities to transforming cinematic and television experiences, drones are becoming increasingly prevalent. To ensure their safe and proper use in the UK, the Government launched its consultation on 21 December 2016, ‘Unlocking the UK’s high tech economy: consultation on the safe use of drones in the UK’ (Consultation). Those who wish to voice their opinion, should submit their response by 15 March 2017.

In this article, we explore some of the issues that drone users should consider when filming including: aviation law, copyright and privacy.

UK Aviation Regulations

In the UK, drones (otherwise known as “unmanned aircrafts”) are subject to a number of rules and regulations depending on their weight and proposed use. The principal piece of legislation governing drones is the Air Navigation Order 2016 (ANO) effected through the Civil Aviation Act 1982. The key points to note under ANO are as follows:

Overriding Principle. It is prohibited “to recklessly or negligently cause or permit an aircraft to endanger any person or property”.

Weight. To avoid falling within the remit of more extensive aviation regulations and be classified as a “small unmanned aircraft”, it is advisable not to exceed 20kg. Most aerial filming drones or camera drones weigh significantly less than 20kg.

Use. The most relevant Articles are 94 and 95 ANO. Article 94 ANO applies to all drones weighing less than 20kg. Article 95 ANO applies to drones weighing less than 20kg which are also used for surveillance (i.e. recording and filming).

There are two particular points of note:

1) If you wish to use a drone for “commercial operations” then you must apply to the Civil Aviation Authority (CAA) for permission. Unless you are using a drone for filming as a hobby, as Keith Bremner was when he caught Top Gear being filmed, then permission from the CAA will likely be required.

2) Drones may not fly: (a) over or within 150m of any congested area or open-air assembly of more than 1,000 people without permission from the CAA (e.g. over a major sports match); and (b) drones may not fly within 50m of any vehicle, building structure or person not under the control of the drone pilot without permission from the CAA.

Permission and Penalties. Applying for permission from the CAA can be rather complicated. Due to the complexities involved it may be advisable to seek a specialist contractor who has all the necessary insurance and CAA permissions to assist with any filming work, especially considering that failure to comply with the ANO is a criminal offence.


Photographs. Under UK copyright law, the first owner of the copyright will be the photographer, unless the photographer was an employee. In that case, the employer will own the copyright in the photograph.

Films.  What about moving pictures (i.e. films)? Under the Copyright Designs and Patents Act 1988, a film has two legal owners: the producer and the principal director. Again, if the film is made during the course of employment, the employer will own the copyright in the film. In the case of drones, the owner will probably be the person who programmed the drone to make the film (i.e. the producer); and the person who has “creative control” (i.e. the principal director who decides what to film and how to film it).

Data Protection and Privacy

In the UK, there is no specific data protection legislation on the use of drones. A breach of privacy is likely to be dealt with under the established law on breach of confidence through the Human Rights Act 1998. The Information Commissioner’s Office (ICO) has however said that drones “can be highly privacy intrusive” as they may capture images of individuals “unnecessarily”. In light of this, the ICO has released some guidance which should be followed: In the picture: A data protection code of practice for surveillance cameras and personal information. It is advisable for anyone considering using drones in their next film or TV production, for instance, to read this, particularly considering the penalties.

Penalties. The ICO has the power to impose a fine of up to £500,000 where a drone operator seriously contravenes UK data protection law and the “contravention is of a kind likely to cause substantial damage or substantial distress, and is deliberate or likely and should have been prevented”. As previously noted, this will become more significant in May 2018 when the General Data Protection Regulation comes into force.

For further information please contact:

Anne Rogers, Associate, Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2727

Simon Halberstam, Partner and Head of the Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2781

The Legal Cost of Personalised Shopping

Drone deliveries, self-lacing sneakers, digital mirrors, shoes that help you feel the virtual reality world you’re walking in – welcome to 2017. These were some of the highlights at the Consumers Electronic Show (CES) 2017 in Las Vegas. Advances in consumer technology are transforming our lives. Many retail companies realising the importance of technology are now positioning themselves as ‘technology first companies’. The Chairman and CEO of Uniqlo, for example, has described the clothing brand as a “technology company”.

We look at some of the AI technology that retailers and brands are using and the importance of protecting consumer data.

AI Voice Assistance

“Alexa, please add salad dressing to my shopping list and order me a taxi”. Amazon Echo, Google Home and Apple’s Siri – voice activated smart home devices are transforming consumers’ lives. All of these devices use a voice recognition AI system. Amazon’s Echo, for instance, uses the Amazon-owned ‘Alexa’ online data analytics and voice recognition. This technology can learn from user behaviour and improve over time. If a user voices a question which is misunderstood by Alexa, the user can enter the app and edit the question. Alexa learns from this and applies the customised approach across its user interfaces. This technology has huge potential to transform the nature of omni-channel commerce by providing a new channel through which retailers can engage with consumers. Retailers who employ such technology will have to ensure (among other things) that they are transparent with consumers as to what data they are collecting and how such data is being used. Such information should be documented and made available on request – in the event of a data breach or a compliance complaint, for example. From May 2018, the General Data Protection Regulation (GDPR) will apply. Failure to document such information could result in a number of sanctions from the UK Data Protection Authority, the Information Commissioner’s Office (ICO), ranging from a warning to a fine of up to €20,000,000 or in the case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.


“How would you describe your style?” “Classic”. “Perf! I’ve just created a customer style profile for you”. Chatbot technology is powered by artificial intelligence which is specifically designed to replicate human interaction. Consumers are able to use chatbots to make enquiries about delivery and returns, make product choices; and place and order. Throughout 2016, retail brands such as Tommy Hilfiger, Burberry and eBay all launched their own chatbot technology to promote sales and boost engagement. Other brands like H&M and Sephora are now using Kik’s new Bot Shop marketplace. Users who chat with the H&M bot can tell the bot a piece of clothing they like, and the bot will suggest an entire outfit and direct the user to buy the outfit through the messaging platform. Chatbots enable retailers and brands to engage with a younger generation and offer users a personalised customer experience. Retailers should inform consumers before they make an order that their statutory right to cancel within fourteen days of receiving a product does not apply to any products made to their specification or clearly personalised. Further, under the Consumer Contract Regulations 2014, retailers should also note that any payment order buttons in a chatbot message are clear and unambiguous as to the finality of the order thereby being made. ‘Order Now’ is not considered sufficient by the Directorate-General for Justice Guidance and could result in the consumer not being bound by the order. Wording such as ‘Pay Now’, ‘Buy Now’ and ‘Confirm Purchase’ on the other hand, would be sufficient.

Smart mirrors

“Does my bum look big in this?” Many brands have been experimenting with smart mirrors to enhance consumer experience. These mirrors use RFID technology to recognise the item the customer is wearing. The mirrors then take photographs of the consumer to provide recommendations on the fit and the colour. Ralph Lauren’s smart fitting room at its flagship on Fifth Avenue also suggests other products the consumer might like based on what it bought. In Uniqlo’s store in San Francisco you can see what your outfit looks like at all angles and text yourself side by side outfit comparisons which you can send to your friends on social media for their advice. This technology has resulted in an increase of sales and offers consumers a unique experience tailored to the brand.

How much data is being collected?

In 2013, Céline’s creative director and designer Pheobe Philo told UK Vogue: “The chicest thing is when you don’t exist on Google. God, I would love to be that person”. Privacy has become a luxury and consumers are becoming increasingly concerned about how their data is being used and the impact this may have on their privacy. From a consumer perspective, you may exchange your location settings in order to get a better service but it does not mean that you want the data to be seen by others.

From May 2018, brands which manufacture and develop these products will have an obligation to consider the concepts of privacy by ‘design’ and ‘default’ at the initial design stage as well as throughout the lifecycle of the relevant data processing. Brands will need to exercise caution and invest in their infrastructure to protect consumers’ data from data breaches and cyberattacks. It would be advisable to implement a privacy impact assessment to demonstrate that appropriate technical and organisational measures have been implemented; and that compliance is monitored. Any standard contracts with data processors should also be reviewed and revised to set out how liability is apportioned between the parties and that only personal data which are necessary for the specified purpose are processed. As stated above, failure to carry out such measures could result in significant fines.

For further information please contact:

Anne Rogers, Associate, Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2727

Simon Halberstam, Partner and Head of the Technology Law Group

E: [email protected]

DDI: +44 (0) 20 3206 2781

Skating On Thin Ice: penalties for website owners and keyboard warriors

The recent decision of the Grand Chamber of the European Court of Human Rights (ECHR), Delfi SA v. Estonia, Application no. 64569/09, 16 June 2015, is helpful in confirming the rules surrounding when and why website operators can be held liable for content posted on their websites by their users.

The area of liability for User Generated Content (or “UGC”) is largely governed by EU Regulations, which, in general, state that if website operator acts as a “mere conduit” and does not filter, or otherwise regulate content which appears on their website, then they have no responsibility for the content of those comments. The general EU regime that governs internet intermediaries is contained in the Electronic Commerce Directive 2000/31/EC. This states that EU Members States must ensure that their national laws provide intermediaries with immunity from all liability (subject to certain requirements outlined below) arising from hosting, transmitting or caching unlawful third party content. However, as noted above, this immunity is subject to the intermediary’s role being a passive one, with no knowledge or control over the content.

Furthermore, the intermediary must operate an effective ‘notice and take down’ procedure. That means that if the intermediary has actual or ‘constructive’ knowledge of the content (for example, if a website user makes a complaint, purporting a comment is defamatory or otherwise unlawful) but fails to remove or disable access to it, then immunity is not available to them.

Background to the claim

A popular Estonian online news service, Delfi, posted an article concerning ice bridges. This generated a large number of responses, including some particularly offensive comments towards an individual implicated in the story. Those comments remained on the website for 6 weeks until the individual requested both their removal and damages. Delfi removed these comments the same day, but refused to pay damages.

When the claim was dealt with by the national court, the individual was awarded damages – albeit an amount substantially less than originally claimed.

In response to the decision, Delfi proceeded to argue that the national court’s ruling of liability for defamatory comments posted by its readers was a breach of its right to freedom of expression, and consequently a violation of Article 10 of the European Convention on Human Rights. Claims that corporate entities (or “legal persons”) should have the same human rights as natural persons are not a new thing, with the most famous success to date being found in Citizens United v. Federal Election Commission (2010), a US Supreme Court case which held that corporations were entitled to the same constitutional right to freedom of expression as private citizens, leading to the unleashing of (now ubiquitous) ‘Super PACs’ into the field of US Politics.

Ignorance is not bliss

In spite of its arguments, it was held that Delfi was liable for the offending comments which had been posted on its website, due to its power to moderate such content.

It is particularly notable that this case highlights the fact that a website provider may be held liable for featuring offending material on its website before receiving express notification of a complaint from a user. Whilst Delfi did have terms of use prohibiting users from using threatening and abusive language, and an automatic filter to delete comments based on certain words, it appears this was ineffective and that its attempts to moderate its site were sufficient to make it liable for anything that slipped through the cracks. Consequentially, by a majority of fifteen votes to two, the ECHR upheld the rejection by the lower chamber of the ECHR of the news service’s claim, ultimately finding them culpable for the comments posted by its users.


This decision is neither strikingly novel nor revolutionary, and the position essentially remains the same as previously for Website operators.

The decision is not a huge blow to online freedom as many may argue. The decision paid particular attention to context, justified by the fact that Delfi is a professionally managed internet news portal, run on a commercial basis, and with active moderation of UGC. Therefore, social media sites and private bloggers need not worry about any new obligations being imposed upon them in the immediate future.

The decision does however serve as an important reminder to those who operate websites featuring UGC; if you take steps to monitor and moderate your content, then it is not sufficient to simply rely on user notifications before deleting potentially unlawful posts. While responding quickly and effectively to unlawful material remains crucially important for website operators, any moderation program which is operated must be robust and effective.

Should website operators try to skate around their obligations and fail to moderate their platforms in the necessary fashion then, as the Delfi case starkly illustrates, they may find themselves on a slippery slope towards paying substantial damages to the aggrieved subjects of their users’ posts.


For more information on the Delfi decision, or to discuss how the above issues might affect your online offering, please contact Raoul Lumb on 0203 206 2791 or at [email protected]

A Legal perspective on Open Source and IPR – Cost and Time Efficiencies or a Faustian Pact?

Well that depends! 

If the relevant governing licence is benign then it may be a “win-win” situation enabling you to save money and time on software development without having to comply with any disadvantageous conditions relating to Intellectual Property rights or otherwise. However, if the governing licence is less liberal, you may end up feeling that the deployment of the open source was a false economy. The common OS licences generally regarded as permissive are Apache, Berkeley Software Distribution (BSD) and MIT. There are no precise statistics but together these 3 are estimated to cover about 40 percent of open source projects whereas the more restrictive GNU General Public Licenses, notably GPL 2 and GPL 3 account for about 35 percent.

The main concerns re GPL can be traced to GPL 2 section 2(b) which stipulates that “You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work.. provided that you also meet all of these conditions….b) You must cause any work  that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License”

The attempt to interpret this wording definitively and without ambiguity is at the very least challenging. The dearth of relevant case law makes matters more complex. Many complex issues arise, notably:

  • what constitutes a “derivative work?”
  • does distribution within a company constitute “distribution or publication?”
  • do resultant executables “contain or derive from” GPL code?
  • what is the difference between “static” and “dynamic” linking?
  • can one hermetically “seal” GPL code from proprietary code to avoid contamination of the latter by the former?

The answers to those questions merit a dissertation not a mere article.  Suffice it to say, one has to tread very carefully in this area. It may well be that the benefits of using open source would be outweighed by the detriment to the existence and value of the company’s IPR. Where the development team sits in-house, then with proper analysis and relevant expert input one should be able to reach an informed decision. However, where development is outsourced, matters become more complicated as the interests of the developer and the company may well diverge. The developer can save a lot of time by deploying open source and if the project is fixed-price or time-bound, this will be an attractive option. However, the company may not be aware of the potential impact on its IPR or may be aware but unable to monitor the developer’s coding processes. In some cases, companies that think they have a valuable IPR repository are only disabused when a potential investor or acquirer runs its slide rule over the company in the context of due diligence and finds that some or all of the company’s key code is not proprietary to the company.Indeed, if the open source runes are negative, investors who saw the company’s IPR as a major reason for investing or acquiring may seek to renegotiate or be deterred completely.

IPR in Jeopardy? Dynamic v Static Linking

The major IPR risk stems from use of GPL2 or GPL3 code. Those licences are commonly referred to as “infectious” because they generally mandate publication of modifications to the GPL code.  This is so even in SAAS cases where the software supplier is executing on its own server.  Other OS licences may prescribe such publication but generally in less frequent circumstances e.g.  EPL i.e. Eclipse Public License. Whereas under EPL, pure execution of modified EPL code on one’s own server via SAAS would be unlikely to require disclosure of the modifications, the situation would be different if the modified code were distributed. The need to publish such modifications would probably depend on whether the modifications were “hermetically” sealed in separate modules or took the form of adaptations to the original EPL code modules.

Under GPL 3, the situation is more clear-cut as the distinction between separate modules and modified GPL modules seems to fall away with publication required of any modifications to the GPL 3 code. The risk of contamination under GPL 3 arises from the apparent requirement in certain circumstances to publish pre-existing proprietary code that is intermingled with GPL 3 code. However, the need to publish will depend on the extent of the “coupling” between the proprietary and GPL 3 modules. “Dynamic linking” mandates publication whereas “static linking” may not.  Guidance, albeit legally not definitive, is set out in more detail in the GNU FAQ at

Turning back to GPL 2 which still accounts for about 25% of the Open Source market, it does not talk in terms of “dynamic linking”. However, the best view seems to be that linking of proprietary code to GPL 2 code would mandate that the former be published.

Simon Halberstam, Partner and Head of Technology Law Team, May 2015 – [email protected] 0044 207 096 6619

Don’t sign that! – Spotify shows you how a lawyer can help you make money

On Wednesday Spotify announced a whole new raft of services for its users; video streaming, podcasts, and an extremely impressive ‘running mode’ (from a tech-geek’s point of view anyway… I’m certainly no great runner). The first of those two features didn’t come as great surprises and pundits (including yours truly) were all over the news talking about them some time before they were officially announced.

So that’s all good then. Spotify has a raft of flash new features to help it beat its competitors and finally start turning a profit. Next stop an IPO in 2016 (for which Goldman Sachs is understood to be retained already), and huge cash payments for everyone involved. The territory is ripe for the kind of easy-reading headlines that we all love to talk about; slick new features for the techies, share price speculation for the financiers, and dreams of making it as big for the entrepreneurs.

But because I’m a lawyer, I don’t want to do any of that, instead I want to sound a note of caution and direct your attention to some of Spotify’s other less happy news. Why? Because the company’s recent fortunes spell out a vital lesson for anyone starting, building, or running a tech business. Specifically, they can teach you how to make more money.


Lessons for Entrepreneurs

Underneath the big headlines that it likes talking about, Spotify is still making a loss.

  1. For all the flash new features, the big deals with Starbucks, and the market leading paid-user count; Spotify is a company that just can’t seem to turn a profit. Its 2014 results indicated that, for yet another year running, its outgoings were rising faster than its revenues. In 2014 it lost €162 million euros. No matter how high and how fast its revenues climb, its outgoings seem to get even higher even faster.
  2. Spotify’s biggest single outgoing is the 70% of its revenues that it claims to pay to ‘rights holders’ each year (i.e. to musicians who aren’t called Taylor Swift) but its recent annual results indicate that in 2014 81% of its revenues were paid as ‘Royalties & Distribution’ costs to record labels. That’s an immense bill; it’s a higher percentage than that paid to record labels by Spotify’s nearest competitors, and it’s still not enough to prevent awkward headlines for Spotify about artists being underpaid.
  3. We have a pretty good idea of why Spotify can’t seem to get that 81% figure down, because its contract with Sony leaked online. A quick look through it reveals some absolutely horrific clauses from Spotify’s perspective and gives us some real clues as to why its outgoings keep spiralling upwards.


To summarise that 42 page deal very briefly:

  1. Sony gets paid regardless of Spotify’s fortunes.
  2. Sony doesn’t just get paid, it gets to choose the yardstick by which its payment is measured. If it’s a good year for Spotify then Sony can pick a revenue-share type deal, if it’s not been so good then Sony can pick a payment-per-stream deal.
  3. Sony doesn’t even have to wait to get paid, it receives guaranteed minimum advance payments several times each year. Those payments aren’t technically earmarked as being ‘royalties’ either, so it may well be able to pocket them rather than passing them on to artists.
  4. Sony doesn’t just get paid cash, it also gets additional sweeteners on top. Foremost among them free advertising space on the Spotify platform (which it appears that Sony may be free to sell on if it wishes, effectively becoming a competitor to Spotify itself).
  5. Finally, to really rub it in, Sony has a ‘most favoured nation’ clause in its favour – which means that if any other record label gets an even better deal (whatever that looks like) then Sony is entitled to the same deal itself.

… and that’s just the deal that Sony managed to get. It may well be that other major record labels got even better terms.

Basically, it looks like the reason that Spotify can’t make a profit is because, no matter how much money it makes, it’s bound into agreements that let its suppliers gobble up its revenues as fast as it can bring them in.


So don’t sign that, or that, or that…

So, without wanting to seem as if I am criticising Spotify or their legal advisors (I’m not; they were almost certainly under certain commercial pressures when they signed the Sony deal) there are certain clauses that you just shouldn’t sign unless you absolutely have to:

Particularly distressing to a lawyer’s eye is the ‘most favoured nation’ clause, which is an incredibly onerous provision that we would usually advise clients to avoid like the plague. Beloved though they are by multinationals who find themselves in strong bargaining positions ,these clauses need to be resisted at all costs and are often the first thing on the agenda in a negotiation. Their presence effectively hamstrings the affected party’s ability to negotiate with other suppliers/customers, as the cost of granting any kind of concession or sweetener to make a deal happen has to be multiplied by the cost of also granting it to your ‘most favoured nation’. In cases like this, the existence of one or more of them in your contracts can make it nearly impossible to keep a cap on your costs.

Similarly, the idea of advance payments combined with a choice of payment measure is a no-go. Sure, suppliers might wish to be paid a share of your revenues, but they ought to be electing to pick either a safe option or a risky one, not getting the best of both worlds. If the Supplier fears that you might be unable to pay them in the future, then let them take advance payments and a fixed price. If however they want to share in your potential financial glories with a revenue share, then let them wait until you’ve made the money before they get paid it and don’t let them switch back to the safe fixed-price method only after seeing that you haven’t hit your targets.


… and get control of the deal early.

The simple lesson from the above? Remember how crucial the contracts that you sign are for your financial health. A contract isn’t just 42 pages of dense legalese, it’s the framework that sets out who gets paid what and when. Onerous clauses like those noted above can lock you into a position of perpetual loss making that you simply can’t earn you way out of.

So when you’re negotiating these kinds of deals, get a specialist technology lawyer (and maybe even an accountant if it’s critical) involved early to make sure that you keep the terms under control. Trying to minimise the costs of professional advice is a false economy, your lawyer can only do so much if you bring them in at the very end of the process to “check it all works”.

Get a specialist, get them involved early, and don’t get stung by the those clauses that sap your profits. All of the fancy video streaming in the world can’t get you out of a bad deal once you’ve signed it.


Raoul Lumb – 22 May 2015

Mistakes A Technology Company Should Avoid When Raising Capital

Tuesday 16 September 2014

We are delighted to invite you to our next Technology Breakfast Seminar being chaired by Simon Halberstam, SIMON HALBERSTAM, PARTNER AND HEAD OF TECHNOLOGY LAW AT SIMONS MUIRHEAD & BURTON

Our speaker will be David White – Founder & CEO of Import.IO.

Topics being covered:

  • Raising Capital
    whom to speak to and when
    – how much, if any
  • The Right Profile – what will make you attractive to potential investors
  • Mistakes to be avoided
  • Minority protection for both sides of the fence
  • Good leaver / bad leaver

Event Details:

Date:   Tuesday 16 September 2014.
Time:   8:30 – 9:00am  registration & networking followed by speakers, Questions~
            & Answers and further networking at 10.30am.
Venue:  Royal Bank of Scotland, 250 Bishopsgate, London, EC2M 4AA.

RSVP:  To register your interest or to request further information please email [email protected].


David White
Founder & CEO – Import.IO
My Experience in the Technology Sector

David believes strongly in the power of web data to change the future. He is the Founder and CEO of Import.IO, an innovative API creation platform recognized by GigaOM and The Summit as one of the best new startups in 2014. David has written numerous thought leadership pieces and has been named one of the entrepreneurs disrupting digital London.

Simon Halberstam

Simon’s work is focused on the drafting and negotiation of contracts for those providing or procuring technology or digital services. He advises on all aspects of Intellectual Property, as well as providing guidance to companies wishing to set up online gambling operations.

Browsing Without Licence – Logic Prevails but Limitations Remain

Fortunately, for all of us and, in particular, online service providers logic has prevailed. The Court of Justice of the EU (CJEU) has rejected the idea that, without express copyright owner consent, copyright is infringed every time an internet user browses the internet and opens and peruses a website directly from the main server or from a cache.

This means business as normal for content aggregators, search services, broadcasters and streamers.

The alternative was unthinkable and unworkable. Article 5(1) of the Information Society Directive exempts from the copyright owner’s reproduction right both temporary  acts of reproduction which are “transient or incidental” to enable transmission in a network between third parties by an intermediary and lawful use of a work which has no independent economic significance”

The Newspaper Licensing Agency had argued on behalf of major UK newspaper publishers that users of Meltwater, a company that provides an online media monitoring service to compile an index of newspaper websites had overstepped the mark and that customers of Meltwater needed a direct licence from the copyright owners as, amongst other things, the copy  of the article in the user’s computer’s cache was an infringing copy.

The CJEU backed the UK Supreme Court’s view that temporary copies made in an end user’s cache and on screen when viewing the content of a web-page rather than downloading or printing it were exempted as “temporary copies”.

However, whilst this decision confirms that browsing the internet requires no licence from the copyright owner, it could have gone a lot further. As things now stand, the exception in Article 5(1) does not extend to downloading or printing content, forwarding content to third parties or obtaining financial gain by independently exploiting content as opposed simply to reading  it.

Simon Halberstam

Misuse of private information – anonymised tracking, profiling and targeting

Whilst the Data Protection Act 1998 and E-Privacy Directive go a long way to preventing the abuse of personal data, the regime is far from watertight. The adtech industry makes extensive use of “anonymous” tracking to study the browsing activities of consumers and then serve them relevant contextual ads.

It is hard to demarcate precisely between legitimate, anonymous tracking on the one hand and intrusive, abusive snooping on the other. There is a constant tug-of-war between consumers who wish to preserve the sanctity and secrecy of their personal data and internet usage and data traffickers who seek to monetize every snippet of personal information out there.

The current case of Vidal-Hall v Google seems to represent a significant shift in the sands in favour of consumer privacy. A group of claimants has been authorised to bring an action against Google for exploiting privacy flaws in the Safari browser to track and exploit consumer browsing habits. The case is significant as it recognises the nascent tort of “Misuse of Private Information” as a legitimate cause of action. From a legal perspective this is significant as to succeed in a tortious claim there is no need to show any actual loss. In the US, Google has already been fined almost US $40m in relation to this pattern of behaviour. Whereas the current UK cap on Data Protection fines is £500,000, the draft Data Protection Regulation envisages fines equating to the greater of Euros100m or 55 of global turnover.

The dividing line between what is legitimate and what is not is becoming clearer and the online advertising industry needs to tread very carefully.

Simon Halberstam

Crowdfunding: A quick guide to the new restrictions and protections

A set of new consumer protections are due to come into force on 01 April 2014.

New restrictions will apply to two types of crowdfunding – loan-based (lending to individuals or businesses in exchange for interest payment and capital repayment) and investment (equity) based (typically in companies in exchange for shares, debt securities or other “non-readily realisable assets”).

The new rules will not apply to reward or donation-based crowdfunding.

Loan-based Crowdfunding – what happens to the lender’s money if a platform fails?

The recent focus on consumer protection is a by-product of the drastic expansion of loan based crowdfunding (especially P2P lending). Last year approximately £480 million was lent- representing a jump of approximately 150% on the previous year.

The new rules introduce not only minimum capital standards but also a requirement for firms running loan-based crowdfunding platforms to have arrangements in place to enable loan repayments to continue to be collected in the event that the platform fails.  From 1 April 2014, loan-based crowdfunding platforms will be required to hold regulatory capital of at least £20,000. This will increase to £50,000 in April 2017.

The new requirements should provide comfort to lenders, as they will still be unable to claim through the Financial Services Compensation Scheme.

Investment (equity) based Crowdfunding and other similar activities

The rules aim to ensure that consumers have access to fair and accurate information and are equipped to make informed decision about investments.


The new rules will affect direct offer financial promotions. For clarity’s sake- a direct offer is a promotion that contains an offer, or an invitation that specifies the manner of response, or includes a form, by which a response may be made.

If the promotion does not specify how to respond to it, then it is not caught by the new restrictions.

However, if the communication provides marketing information about a specified investment, then the restriction will apply and, as usual (unless an exception applies), one will also need to ensure the communication complies with the other relevant financial promotion rules.

A few tweaks may be required to direct offer financial promotion material whether in hard copy format or online and promoters may wish to consider removing downloadable forms – or make these accessible only to certain types of investors, as detailed below.


The new rules will place limitations on the types of investors to which equity based crowdfunding platforms may send direct financial promotions. Direct offer financial promotions can now only be targeted at professional clients and certain specific categories of retail clients whether sophisticated, high net worth investors, or retail clients who certify that they will not invest more than 10% of their net investible financial assets in unlisted equity and debt securities.

Is it appropriate?

In addition, crowdfunding platforms will need to consider an appropriateness test in cases where no  professional advice was provided. It is a requirement that all firms must check that clients have the knowledge and experience needed to understand the risks involved before being invited to respond to an offer. This new appropriateness test will be in line with the rules in the Conduct of Business Sourcebook (COB).

Firms operating equity-based crowdfunding platforms may also need to gather certain data on potential investors in order to undertake the appropriateness test.

Whilst the rules on direct offer financial promotions will come into force on 01 April 2014, the transitional arrangements provide that it will be acceptable for firms to continue to comply with the existing rules for another six months.

Data Protection Revisited – Hacking, Leaking and Cloud Concerns in 2014

Hardly a day goes by without a new story about another cyber-attack, leaked or hacked passwords or log-ins.

The 7th principle of the Data Protection Act 1998 mandates that

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Many of the leaks and hacks relate to information which falls squarely within the definition of “personal data”. The question is whether organisations are meeting their obligations under the 7th principle. It is a “big ask” as hackers are resourceful and continuously seeking and finding ways to circumvent protocols and technology that was previously considered safe and secure.

One of the major problems in the battle against cybercrime is that there is no absolute universal security standard. Thus, hackers will always look for the weakest point in any security chain. Recently it was reported that thousands of usernames and passwords were gathered by hackers during cyber-attacks on third party websites and the hackers then tried to use the usernames and passwords to access

Sometimes, leaks are inadvertent as evidenced by the recent accidental disclosure by Tesco of hundreds of customer email addresses whilst apologising for a pricing error. Instead of using the “bcc” field Tesco included all of the recipients’ email addresses in the ‘to’ field.

There are also data security questions relating to the transfer of data outside the EU to countries which aren’t as mindful of protection of personal data. This is reflected in the 8th principle of the Data Protection Act 1998 which provides that

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

To address this concern, the US introduced the voluntary “Safe Harbor” scheme under which entities voluntarily commit to abide by principles similar to those enshrined in our Data Protection Act. However, in a recent ironic twist, a draft report by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee on US National Security, the European Commission was leaked and this draft has cast doubt on the reliability of Safe Harbor citing numerous deficiencies and loopholes. As the USA is probably the leading cloud hosting provider in the world, this highlights all sorts of issues for EU companies which directly or indirectly transfer or store data in the USA.

Data Controllers should bear in mind not only their legal responsibilities under the Data Protection Act regime but also that the Information Commissioner now bears teeth with the power to impose fines of up to £500,000 on those who fail to comply.

Simon Halberstam