GDPR: The legal implications (Video 6 – Do we need a Data Protection Officer?)

GDPR Bites!

GDPR: British Airways and Marriott International face record-breaking fines from the ICO for data breaches

This week, the Information Commissioner’s Office (ICO) made its first public move to issue fines under the General Data Protection Regulation (GDPR) – and it did not disappoint. The ICO has issued statements that it intends to fine British Airways a record-breaking £183.39m and Marriott International £99.2m. Both fines dwarf those issued by any other EU data regulator under the new GDPR regime.

British Airways

On 8th July 2019, the ICO issued a statement confirming it intends to fine British Airways £183.39m for infringements of the GDPR.

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018, where user traffic to the British Airways website was diverted to a fraudulent site resulting in approximately 500,000 customers’ data being compromised and harvested by hackers. In their statement, the ICO revealed its investigation had found that a “variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information”.

British Airways chairman and chief executive Alex Cruz said he was “surprised and disappointed” by the ICO’s initial finding. It is, however, clear from the comments of the Information Commissioner, Elizabeth Denham, that the ICO has adopted a hard-line approach in relation to its regulatory action against infringers of GDPR. She said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The proposed fine represents approximately 1.5% of British Airways’ £11.6 billion worldwide turnover last year, indicating that the ICO exercised an element of restraint when announcing the record breaking £183m fine – as the GDPR has granted EU data regulators the power to issue fines equalling up to 4% of an offending company’s annual global turnover. This is a substantial uplift from pre-GDPR rules, where the maximum fine the ICO could issue was £500,000.

Before making a final decision, the ICO will need to consider comments from any EU data regulators whose residents have been affected, as well as consider representations made by British Airways. Willie Walsh, the chief executive of British Airways’ parent company – International Airlines Group – has said they “intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Marriott International

On 9th July 2019 – a day after the British Airways announcement – the ICO issued notice of its intention to fine Marriott International £99.2m for breaches of the GDPR.

The proposed fine relates to an incident notified to the ICO in November 2018 – when Marriott’s Starwood Hotels guest reservation database was hacked. Passport and credit card numbers were amongst the data exposed for approximately 339 million guest records worldwide, of which around 7 million related to UK residents.

The ICO’s investigation revealed that the vulnerability began when the Starwood Hotels group systems were compromised in 2014, two years before Marriott acquired Starwood in 2016. The importance of “carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected” was highlighted in a statement from Information Commissioner Elizabeth Denham.

Arne Sorenson, the President and CEO of Marriott International, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened.”

The proposed fine also acknowledges the extended territorial scope of the GDPR which now also applies to companies based outside the EU that offer goods or services to individuals within the EU.

The ICO has bared its teeth and these headline-grabbing figures have reinforced the fact that companies need to be extremely vigilant about their data security arrangements in the GDPR world in which we now reside.

For further information, please contact Simon Halberstam at simon.halberstam@smab.co.uk

An investor’s perspective: a startup’s guide to fundraising

Last week, Simons Muirhead & Burton’s technology team hosted a breakfast panel discussion considering issues that early-stage tech companies should consider when raising funds. This panel discussion demystified the fund-raising process and highlighted what investors look for when deciding whether to invest.

The panel comprised Simon Moynagh of Icon Corporate Finance, Robert Davis of Calculus Capital and Ella Botham of Silicon Valley Bank, and was co-chaired by Simon Halberstam and David Martin, both partners at Simons Muirhead & Burton.

State of the market for investment in early-stage tech companies

The panel concurred with Simon Moynagh’s initial comments that the investment market is highly active and there is a lot of money on offer for early-stage tech companies. This has increased competition for institutional investors (such as VCs). It has not, however, lowered the quality threshold that institutional investors apply when deciding which companies to invest in.

He also pointed out that the tightening of the EIS and SEIS tax relief schemes, which are available to investors who invest in technology companies, has increased the investment appeal of technology companies (as opposed to asset-backed companies, which cannot offer investors the same tax reliefs).

Ella Botham also added that the investment rounds are increasing in value, with early-stage tech companies asking for, and securing, up to twice as much investment in comparison to previous years.

What do investors look for at each level of investment?

Ella Botham and Simon Moynagh both opined that investors will look for the following things at each level of early stage investment:

  • At seed level: a strong management team and a business idea with a defined market niche, which is scalable;
  • At Series A: not only a strong management team but also a business which has started to generate revenue, with early commercial evidence to show that significant growth can be achieved; and
  • At Series B: management teams which have a demonstrable plan in place for future growth and further commercialisation, with evidence/data-points that show the business can now scale with further investment.

Robert Davis explained that at a later stage, tech companies must have developed a scalable product which already has traction in the market and generates around a million in revenue, annually.

The panel was unified in its opinion that a strong management team is essential.

How much money should early-stage tech companies raise?

The panel agreed with Robert Davis’s opinion that 2.5 years of ‘cash runway’ is a sensible amount of money to raise during early-stage fund-raising rounds. This is enough money for at least one year of growth, so that the company can reach its short-term goals or any inflection points needed to underpin the investment proposition in the next round; a year to raise funds for the next round (as for early-stage tech companies, raising funds takes up the lion’s share of the management team’s time and effort); and a half-year buffer in case of any complications.

They all noted that early-stage tech companies must leave adequate time to raise funds. Otherwise, they risk weakening their negotiation position and may be forced to accept unfair terms from institutional investors at the last hour.

Legal pitfalls to avoid when fundraising

SMAB’s David Martin explained that transaction-readiness is key. Although it is tedious, early-stage tech companies should upload their documentation to a data room as early as possible. This will help smooth over the transaction process; help highlight any evidentiary gaps which may require some explanation; and show that the company has an organised management team.

Any trade-marks or other registrable intellectual property which has not been registered should be registered as soon as possible. Otherwise, the company risks losing investment opportunities or being undervalued.

It is sensible to seek advice during transactions. Advisers should be diligent, responsive and help to drive the transaction forward.

Business valuations

The panel agreed that business valuation is an art rather than a science, especially when it comes to early-stage tech companies. Simon Moynagh observed that valuations of any such companies are driven by the market more than hard evidence, especially where the company is not yet profitable. Institutional investors are often offering high valuations (which means they will invest more money for a smaller shareholding) but are securing their investment by requiring preferential shares be issued to them with certain conditions attached (such as a 2x liquidation preference for example).

Debt products available for start-ups

Venture debt is a type of debt-financing for early-stage tech companies. Ella Botham explained that venture debt should complement equity and not replace it. The amount of debt raised should be around 20%-30% of the equity raised during a fundraising round.

Venture debt is flexible and can be used by companies for any reason, but Ella Botham noted that its best use is to boost cash so that the company can reach its next inflection point or meet certain goals in order to increase its valuation.

Take away points

The market is rife with opportunities for early-stage tech companies. Investors are also willing to offer high valuations on companies based on limited evidence, subject to obtaining security using preferential shares with certain conditions attached to them. Nonetheless, early-stage tech companies are still expected to demonstrate a promising business with a realistic chance for growth and scalability, supported by evidence where available.

Companies need to be smart when fund-raising and most importantly leave enough time to secure investment before running out of ‘cash runway’. They should also consider complementing their equity with debt products.

Transaction-readiness is key if companies want to avoid any legal pitfalls that may arise when closing an investment deal.

For further information, please contact Simon Halberstam, head of the SMAB technology law group at simon.halberstam@smab.co.uk

Technology Breakfast Seminar: From Seed to Series B: Funding for Growth – 6th February 2019

6 February 2019 8.30-11am

SMAB offices 87-91 Newman Street W1T 3EY. To register please email elise.fleming@smab.co.uk

Technology Breakfast Seminar: Should Blockchain be tarnished by the same brush as Crypto – 19th February 2019

19th February 2019, 8.30-11am

SMAB offices 87-91 Newman Street W1T 3EY. To register please email elise.fleming@smab.co.uk

ENGLAND LIKELY TO WIN WORLD CUP!

Ok, now that we have got your attention, let us turn to more mundane technological issues.

Do you know the difference between a ‘Bayda’ (Morocco) and an ‘Amarrabola’ (Peru)? Or even a ‘Palomita’ (Argentina) and a ‘Hjólhestaspyrna’ (Iceland)? (Tom Williams, Do You Speak Football?: A Glossary of Football Words and Phrases from Around the World (Bloomsbury Sport) 3 May 2018). The World Cup is back and everyone, everywhere is talking about it.

For the first time ever, this tournament will make use of Video Assisted Referees. This technological development is nothing, however, compared to the organisers’ plans in Tokyo for the 2020 Olympics. One initiative is to use new analytical capabilities to detect the speed of swimmers and display it in real time on TV broadcasts. Other plans include using cameras to determine the heart rate of athletes.

Over the past few years, sport’s reliance on ‘smart’ technologies has increased. From scoring and judging systems to retail transactions and the home viewer experience, many aspects of major sporting events are totally digital. Along with such new technology comes great opportunity – but also great risk.

Cyber threats to International Sporting Events

Cyber threats are nothing new. During the 2014 World Cup, Brazilian officials faced an onslaught of phishing attacks from ‘hacktivists’, who successfully infiltrated email accounts of Ministry of Foreign Affairs employees, who were helping to organise the Cup. Most recently, in the 2018 Winter Olympics, a cyberattack took place during the event’s opening ceremonies in Pyeongchang which affected internet and television access.

Traditionally there have been four categories of cyberattacks on major sporting events:

  1. infiltration of sporting websites and IT systems;
  2. ticket related scams;
  3. the hacking and release of sensitive athlete data; and
  4. the risk of fans’ devices being hacked while attending an event.

The proliferation of the Internet of Things is changing the face of the cybersecurity of sports, adding digital dimensions where there were none before. Digital technologies are now focal to almost every facet of the sporting experience, from scoring systems to athlete care, from ‘smart’ stadiums to device-enhanced viewing experiences for fans. Current trends include: video reviews incorporating technology designed to aid in officials’ decisions; increased interest in data collection on athlete performance; growth in wearable devices; and increased viewer immersion in sports through technology, including virtual reality and drones.

According to a report released by the UC Berkeley Center for Long-Term Cybersecurity (CLTC), “The Cybersecurity of Olympic Sports: New Opportunities, New Risks”, the increasing use of technology in sport (whilst bringing lots of opportunities) could potentially damage the integrity of sport and add to spectator, sponsor and safety concerns relating to the players/athletes.

Managing the risk

Everyone faces potential cyber risks: from the spectators to the players, and even the ticketing officers.

We have set out some cyber safety tips to keep in mind before, during and after the World Cup:

  1. Avoid using public Wi-Fi networks and public charging stations. Using public Wi-Fi networks could compromise your security and public chargers may have been tampered with to infect your device with malicious software.
  2. Be wary of scams and phishing emails. As enticing as the prospect of a “Free Ticket” to the World Cup may be, do not click on any links in emails marketing or referencing the event.
  3. Be vigilant when using ATMs. Look out for evidence of machine tampering: some skimming devices can be spotted by a quick wiggle of the card reader or through visible marks on the PIN code area. To help lessen the impact of Point of Sale malware and ATM skimming, alternative forms of payment like chip and pin, pre-paid and pre-capped cards should be considered.

For further information please contact Simon Halberstam at simon.halberstam@smab.co.uk, head of the technology law team.

All I want for Christmas is a CryptoKitty

What is crypto? What is blockchain? What is Bitcoin? As Wittgenstein might have put it, many of these terms are only familiar to those who are involved in this “language game”. Now, these arcane digital concepts are going mainstream. Why?! CryptoKitties.

CryptoKitties are digital cats. Each one has different attributes and users can breed, buy and sell these kitties on Ethereum. The most expensive kitten was Founder Cat 18, a bug-eyed orange animal with purple spots. This CryptoKitty was sold for $122,095 on December 6.

If you have developed an affinity for Ethereum, you could ask for ERC-721 tokens for Christmas to buy your CryptoKitty. Better still, ask for Bitcoin but it won’t come cheap.

So what do CryptoKitties show us?

1. Application of blockchain

CryptoKitties is the first mainstream recreational decentralised application (“Dapp”). If you don’t know what a Dapp is, it consists of: (1) a frontend, written in HTML; and (2) a backend (think of it as the ‘database’ for your frontend). The fact that the first mainstream Dapp is a game and is about cats shows that practical applications of the blockchain can extend well beyond Initial Coin Offerings (“ICOs”).

2. Cats, Digital Assets or Securities?

You will be delighted to hear that CryptoKitties are probably not securities. Just like Bitcoins or Ether, CryptoKitties are peer-to-peer tradeable, provably scarce digital items that are accounted for by an open blockchain network.

Rather than finance itself through an ICO, it is using its own revenue model: the CryptoKitties team releases a new “Gen 0” CryptoKitty every fifteen minutes (up until November 2018). The starting price of “Gen 0” CryptoKitties is determined by the average price of the last five CryptoKitties that were sold, plus 50% (see https://www.cryptokitties.co/faq#How-much-does-it-cost-to-buy-a-CryptoKitty).

There are complicated arguments as to whether some ICOs might be unregistered securities issuances. In the United States an offer and sale of “tokens” or “coins” may qualify as “securities” and be subject to the U.S. securities laws and the jurisdiction of the U.S. Securities and Exchange Commission (“SEC”). It all comes down to the “Howey” test. Under that test, an arrangement is a security if an investment of money is made with an expectation of profits arising from a common enterprise that depends solely on the efforts of others (i.e. a promoter or third party) (SEC v. W.J. Howey Co., 328 U.S. 293 (1946)).

In a similar fashion, the Financial Conduct Authority (“FCA”) in the United Kingdom has issued a consumer warning about the risks of ICOs. It says “ICOs are very high-risk, speculative investments.” It adds that whether an ICO falls within the FCA’s regulatory boundaries or not can only be decided case by case and states: “Businesses involved in an ICO should carefully consider if their activities could mean they are arranging, dealing or advising on regulated financial investments.”

If we apply the Howey test, CryptoKitties are not being marketed as profit making investments, and ownership of a CryptoKitty doesn’t give you a right to dividends or revenue streams from the CryptoKitty team or anyone else for that matter.

Takeaway. I have had several clients asking us to review their ICO Whitepapers to determine, amongst other things, whether they would be likely to fail the “Howey” test. The utmost care should be taken when drafting documentation and promotional materials. If your offering is not a security then your materials should faithfully reflect that.

3. Capacity and labour pains

The interest CryptoKitties generated across the Ethereum network almost brought the network to a halt. At one point, its smart contracts accounted for up to 25% of the entire network’s transactions. As traffic increases, transactions become more expensive to execute quickly. CryptoKitties responded by issuing a tweet: “Due to network congestion, we are increasing the birthing fee from 0.001 ETH to 0.002 ETH. This will ensure your kittens are born on time! The extra is needed to incentivize miners to add birthing txs to the chain. Long-term solution will be explored very soon!”

Takeaway. This isn’t the first time the Ethereum network has come under strain. CryptoKitties shows how scalability should be (and is) a top priority for the Ethereum development team. For blockchains to become fully mainstream, solutions will need to be found that can overcome the threat posed by digital cats. Ethereum is making progress on developments such as ‘Proof of Stake’, ‘sharding’, and second layer technologies that will support its ability to scale.

4. Cybersecurity and data protection

From a cybersecurity perspective, the immutability, encryption, and cryptographic elements inherent in cryptocurrency transactions on a blockchain lend themselves well to a secure environment.

Despite its added security benefits, cryptocurrencies’ underlying blockchain technology is not without risk. Notably, the mechanism by which digital currencies are stored (e.g. in digital wallets) introduces penetration points that can be used to exploit the blockchain’s irreversibility, meaning that pilfered digital tokens and coins cannot be returned, and victims can be left without much recourse (unless issuers and users are properly insured or indemnified). Similarly, the use of private and public key authentication on a distributed network can create risk with respect to users’ private keys that, if lost or compromised, can result in serious losses. Further, many users are not actually holding their private keys (and therefore their Bitcoin) and instead entrust them to third parties.

No article nowadays would be without a discussion on data protection. The General Data Protection Regulation (GDPR) brings in a new data subject right, the “right to be forgotten/right to erasure”. This does not sit well with the decentralised and immutable components of blockchain technology which by its very nature does not enable the permanent deletion of data. Data subjects may however be less concerned if their data is pseudonymised. Regardless, further security features may need to be built on top of the existing framework to ensure compliance.

Takeaway. Issuers and users of cryptocurrencies should consider the need for adequate insurance solutions to account for these risks.

Conclusion
CryptoKitties may be as cool as cats but they are of the feral not the domesticated variety.

Please click here to email Simon Halberstam, Head of Technology Law, or call 020 3206 2781.

Love Data, Hate Data – John Anderton! You could use a Guinness right about now!

Yesterday, the iconic lights in London’s Piccadilly Circus were switched back on after nine months of renovation. The patchwork, which has become one of London’s most famous sights, has now been replaced by Landsec with a single 4K LED screen with in-built facial recognition technology that will feature six advertisers.

Today, we are closer than ever to the advertising ecosystem that Minority Report predicted in which billboards scanned the retinas of passers-by to show them personalised adverts. According to Landsec’s press report, the digital screen will be able to “react to certain external factors, such as the weather or temperature”. The facial recognition technology could also be used to deduce the age, gender and even mood of passers-by, as well as the make and model of cars; using that info to deliver targeted ads.

How this might work in practice was explained by Tim Bleakley, chief executive of Ocean Outdoor, the company that runs the board’s advertising. “Coca-Cola, for example, can log on at any given moment, see a large group of Spanish tourists and change the copy of the ad from ‘hello,’ to ‘buenos dias’.” Combining this data with all the data that users of the billboard’s free WiFi hand over could result in marketeers being able “to monitor and capture your every online move”, warns Douglas Crawford, editor of independent online security and VPN advice service BestVPN.com. Landsec has tried to allay these concerns and has stated that the technology “does not collect or store any personal data and is unable to record images or audio.”

The advances in digital technology have given marketeers the ability to target individual consumers directly. According to an article in The Guardian last year, facial recognition technology is now used by approximately 59% of UK fashion retailers. This is not set to go away; Apple’s new iPhone X incorporates Face ID technology – allowing you to pay with a smile! Other technologies being used by retailers are beacons. Harrods, for example, has a network of more than 500 beacons which connects to a user’s iPhone through Bluetooth and highlights consumers’ location on a map. This technology can also be used to send consumers location-specific deals and recommendations to their phones while they browse in store.

While these tools may be a marketer’s dream, businesses should ensure that they are transparent about the way in which they use such data. There are strict rules in place regarding what businesses can and can’t do with data they have collected from consumers. From May 2018, with the advent of the General Data Protection Regulation, failure to comply could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).

If anonymised data is being used to change the layout of a store or to provide a consumer with an enriched customer experience, then that is from a legal perspective far less controversial than the use of facial-recognition technology to track an individual and then send unsolicited, personalised marketing materials based on that data.

Video Games and the Jurassic future – the legal issues

Confession is good for the soul so let’s start with my admission that I am a Scrabble addict. Whilst that idea may not set your pulses racing, it points to an obsession with words and that, as you will see below, is a fundamental requirement in the context of video game legals. The multi-dimensional world of video games entails myriad, inter-linking legal issues. This is anticipated to reach a new zenith next year with the launch of Jurassic World Evolution. Who would have thought that dinosaurs would be shaping the legal agenda in 2018?

Rather than bore you with extensive legalities, I will briefly highlight some of the key legal issues and leave you to ponder and contact me should any alarm bells start to sound.

Intellectual Property Rights (IPR)
• You need to protect your work and/or investment. This is mainly about copyright and database rights. Make sure you get assignments from anyone from whom you have bought or commissioned any code, graphics, sound effects or any other creative input.
• Patents may be relevant but the originality barrier is high and will require specialist assessment to determine if you have any qualifying ideas or concepts.
• Trademarks and domain names are generally more straightforward as they protect/reflect brands and names rather than underlying code and concepts. However, you will need to consider not only what you can protect but also whether what you have in mind might infringe third party rights. For that reason, it is advisable to run some clearance searches before you invest in your brand/developing your game; running a search on Google is a start.
• If you are planning to depict any people in a game, you will typically need to procure releases from the rights holders and failure to do so may result in “passing off” or other actions against you.
• Where there are in-game purchases, there may be further IPR ownership, licensing and infringement issues where the purchases of virtual goods/accessories are branded by the IPR owners or used without the owner’s permission.
• Another important area of IPR relates to design rights which may offer a route to protection of GUI and multiple visual elements.
• The use of open source in the creation process may undermine any claim to IPR protection by the game’s developers. Careful attention needs to be paid to governing open source licences such as the GNU family to see what impact the use of open source code might entail.
• Where the developers incorporate existing music or other audio or visual rights, permission or clearance will need to be sought/negotiated to clear any rights in the sound recording and the musical composition (i.e. music and lyrics). Clearance will need to be sought from the record label and the publisher or collective rights management organisation such as the PRS in the UK.

Terms and Conditions (T&C) and Data Protection
Not only do you need T&C which regulate use of your game and distribution agreements with your channel but also other sets of terms covering your use of gamers’ personal data and the cookies you or third parties place on their systems as well as an Acceptable Use Policy for in-game messaging. The privacy issue becomes exponentially more crucial next May when the new General Data Protection Regulation (GDPR) enters into force. Maximum fines for data breaches will rise from £500k to the higher of 4% of worldwide turnover or €20m. This means that it is paramount that you have in place appropriate, state of the art technology to prevent compromise or hacking of your subscribers’ personal details.

Gambling and Social Gaming
There has been considerable coverage of failures by gambling operators properly to demarcate between social gaming and gambling. The Sunday Times recently reported that some of Britain’s biggest gambling operators are targeting children with their favourite cartoon and storybook characters in online betting games, and that gambling operators are exploiting a legal loophole to promote games that appeal to children without breaching Gambling Commission rules. By way of example, they cited 888 website’s Jack and the Beanstalk game, which had a minimum bet of 20p and a maximum of £200, and Paddy Power’s Peter Pan game. Everyone involved in the gaming sector needs to be very careful not to overstep this mark.

Advertising
The video games industry has its own system of formal self-regulation to keep children safer offline and online: the PEGI (Pan-European Game Information) age rating system. In particular, publishers are required to follow PEGI’s Labelling and Advertising Guide (“the Guidelines”) to ensure the age rating icons and descriptors are displayed to consumers prior to purchase of both disc-based and online games. Game advertising is also subject to the CAP Guidance on advertisements for Video Games and Films as well as the CAP and BCAP Codes. When developing your game it is important to consider (if necessary) both age verification services and parental controls.

For further information please contact Simon Halberstam at simon.halberstam@smab.co.uk, head of the technology law team.

Do what the F*** You Want? Not quite…

One of the myths surrounding open-source software (“OSS”) is that you can do whatever you like with it; there is even an OSS licence called Do What the F*** You Want To Public Licence (“WTFPL”). This could not be further from the truth.

In this article we explore some of the issues that companies should consider when using OSS.

What is OSS?

The basic concept common to all OSS licence agreements is that they seek to ensure that all downstream users have the freedom to use, modify and distribute the licensed OSS. “Permissive” OSS licence agreements such as MIT and Apache 2.0 impose minimal obligations on the licensee, such as obligations to maintain attribution and legal notices. Importantly, these licences often permit modifications of the OSS and allow such modifications to be distributed under any licence (proprietary or open source) of the licensee’s choosing. On the other hand, “restrictive” OSS licence agreements (also referred to as “copyleft” or “viral” licence agreements) impose obligations not only with respect to the licensed OSS but also with respect to any works derived from or combined with OSS. Failure to understand which type of licence you are subject to and the associated terms of use can entail huge risks for your business.

The risk involved with derivative works

Making available your source-code

Where proprietary software code is “mixed” with OSS, you may be creating a derivative work. If that OSS is subject to a restrictive licence, then when you license such software, you will have to make the sensitive source code you have created available to end users free of charge with the ability to modify and redistribute.

Copyright infringement

Many OSS licences are subject to United States copyright law, under which a derivative work is defined as:

“a work based upon one or more pre-existing works, such as…any other form in which a work may be recast, transformed or adapted. A work consisting of editorial revisions, annotations, elaborations, or other modifications which, as a whole, represent an original work of authorship, is a ‘derivative work’.”

Therefore, when dealing with OSS licences that rely on copyright law principles, a thorough investigation of how much and what part of the OSS code is copied or modified and/or how the OSS is used needs to be made in order to anticipate or predict how a court might rule on the legal implications for a “derivative work”. A key issue is understanding and knowing what may be classified as a “derivative” work, especially as many restrictive licences don’t even define the concept (e.g. Eclipse Public License, Version 1.0). In some cases, there is not necessarily an answer, particularly as there is little case law surrounding the issue. For example, what happens where you are linking to OSS or using Plug-ins?

Linking

Some OSS available is released as a library. Instead of incorporating it into your proprietary software you may want to create a link between your software and these (unmodified) libraries and to distribute them along with your software, either by compiling them together (“static linking”) or not (“dynamic linking”). There are instances where dynamic linking to OSS libraries is allowed while static linking is not. Much of this will depend on the terms of the OSS licence you use and so a case by case analysis is necessary.

Plug-ins

Plug-ins such as Adobe Flash Player are commonly used in web browsers to add video player functionality. Where your software application is configured with a programming interface to support the use of such a plug-in, a derivative work may be created when either the application or the plug-in is governed by a restrictive OSS licence.

In both these cases, it may well be difficult to determine whether the form of use envisaged might lead to a copyright infringement.

Warranties and limitations of liability

Generally speaking, OSS licences include a broad disclaimer of all representations and warranties or indemnities that might otherwise be expressly or impliedly provided by a commercial software licensor. Further, as there is often more than one contributor to OSS projects, it is impracticable to determine whether any contributor has contributed infringing code (knowingly or otherwise).

Unchecked use of OSS could have significant consequences and result in the need for time-consuming remedial action. In a corporate transaction, if in the course of due diligence the prospective investor or purchaser alights upon an intellectual property ownership issue or other problem arising from the use of OSS and the issue cannot be remedied prior to closing, then the investor or acquirer may decide not to proceed or, more probably, seek additional contractual protection such as indemnities, or a cash escrow to cover the cost of any remediation efforts that may be necessary after closing.

How to manage the risk?

As a company, there are several things you can do to manage your risk:
• Establish a policy regarding the management and use of OSS.
• Carry out an OSS audit using a company such as ‘Black Duck’ and find out what OSS licence(s) your organisation is using/has used.
• Appoint someone within the organisation to be responsible for use of OSS.
• Create training programmes for employees.

For further information please contact:

Simon Halberstam, Partner and Head of the Technology Law Group

E: simon.halberstam@smab.co.uk

DDI: 020 3206 2781

Diving into the EC’s draft ePrivacy Regulation: steps for online gambling operators

Anne Rogers and Simon Halberstam dive into the EC’s draft e-Privacy Regulation and set out what it means for online gambling operators and crucially, what they need to do today in order to ensure that they comply. Click Here to read their latest article which first appeared in the March 2017 publication of the Online Gambling Lawyer magazine.

Contact Details: Simon Halberstam, Partner, Simon.Halberstam@smab.co.uk

Look, up in the sky! It’s a bird! It’s a plane! It’s a Drone!

From self-repairing cities to transforming cinematic and television experiences, drones are becoming increasingly prevalent. To ensure their safe and proper use in the UK, the Government launched its consultation on 21 December 2016, ‘Unlocking the UK’s high tech economy: consultation on the safe use of drones in the UK’ (Consultation). Those who wish to voice their opinion should submit their response by 15 March 2017.

In this article, we explore some of the issues that drone users should consider when filming including: aviation law, copyright and privacy.

UK Aviation Regulations

In the UK, drones (otherwise known as “unmanned aircraft”) are subject to a number of rules and regulations depending on their weight and proposed use. The principal piece of legislation governing drones is the Air Navigation Order 2016 (ANO) effected through the Civil Aviation Act 1982. The key points to note under ANO are as follows:

Overriding Principle. It is prohibited “to recklessly or negligently cause or permit an aircraft to endanger any person or property”.

Weight. To avoid falling within the remit of more extensive aviation regulations and be classified as a “small unmanned aircraft”, it is advisable not to exceed 20kg. Most aerial filming drones or camera drones weigh significantly less than 20kg.

Use. The most relevant Articles are 94 and 95 ANO. Article 94 ANO applies to all drones weighing less than 20kg. Article 95 ANO applies to drones weighing less than 20kg which are also used for surveillance (i.e. recording and filming).

There are two particular points of note:

1) If you wish to use a drone for “commercial operations” then you must apply to the Civil Aviation Authority (CAA) for permission. Unless you are using a drone for filming as a hobby, as Keith Bremner was when he caught Top Gear being filmed, then permission from the CAA will likely be required.

2) Drones may not fly: (a) over or within 150m of any congested area or open-air assembly of more than 1,000 people without permission from the CAA (e.g. over a major sports match); or (b) within 50m of any vehicle, building structure or person not under the control of the drone pilot without permission from the CAA.

Permission and Penalties. Applying for permission from the CAA can be rather complicated. Due to the complexities involved it may be advisable to seek a specialist contractor who has all the necessary insurance and CAA permissions to assist with any filming work, especially considering that failure to comply with the ANO is a criminal offence.

Copyright

Photographs. Under UK copyright law, the first owner of the copyright will be the photographer, unless the photographer was an employee. In that case, the employer will own the copyright in the photograph.

Films. What about moving pictures (i.e. films)? Under the Copyright, Designs and Patents Act 1988, a film has two legal owners: the producer and the principal director. Again, if the film is made during the course of employment, the employer will own the copyright in the film. In the case of drones, the owners will probably be the person who programmed the drone to make the film (i.e. the producer) and the person who has “creative control” (i.e. the principal director who decides what to film and how to film it).

Data Protection and Privacy

In the UK, there is no specific data protection legislation on the use of drones. A breach of privacy is likely to be dealt with under the established law on breach of confidence through the Human Rights Act 1998. The Information Commissioner’s Office (ICO) has however said that drones “can be highly privacy intrusive” as they may capture images of individuals “unnecessarily”. In light of this, the ICO has released some guidance which should be followed: In the picture: A data protection code of practice for surveillance cameras and personal information. It is advisable for anyone considering using drones in their next film or TV production, for instance, to read this, particularly considering the penalties.

Penalties. The ICO has the power to impose a fine of up to £500,000 where a drone operator seriously contravenes UK data protection law and the “contravention is of a kind likely to cause substantial damage or substantial distress, and is deliberate or likely and should have been prevented”. As previously noted, this will become more significant in May 2018 when the General Data Protection Regulation comes into force.

For further information please contact:

Simon Halberstam, Partner and Head of the Technology Law Group

E: simon.halberstam@smab.co.uk

DDI: 020 3206 2781

The Legal Cost of Personalised Shopping

Drone deliveries, self-lacing sneakers, digital mirrors, shoes that help you feel the virtual reality world you’re walking in – welcome to 2017. These were some of the highlights at the Consumer Electronics Show (CES) 2017 in Las Vegas. Advances in consumer technology are transforming our lives. Many retail companies, realising the importance of technology, are now positioning themselves as ‘technology first companies’. The Chairman and CEO of Uniqlo, for example, has described the clothing brand as a “technology company”.

We look at some of the AI technology that retailers and brands are using and the importance of protecting consumer data.

AI Voice Assistance

“Alexa, please add salad dressing to my shopping list and order me a taxi”. Amazon Echo, Google Home and Apple’s Siri – voice activated smart home devices are transforming consumers’ lives. All of these devices use a voice recognition AI system. Amazon’s Echo, for instance, uses the Amazon-owned ‘Alexa’ online data analytics and voice recognition. This technology can learn from user behaviour and improve over time. If a user voices a question which is misunderstood by Alexa, the user can enter the app and edit the question. Alexa learns from this and applies the customised approach across its user interfaces. This technology has huge potential to transform the nature of omni-channel commerce by providing a new channel through which retailers can engage with consumers. Retailers who employ such technology will have to ensure (among other things) that they are transparent with consumers as to what data they are collecting and how such data is being used. Such information should be documented and made available on request – in the event of a data breach or a compliance complaint, for example. From May 2018, the General Data Protection Regulation (GDPR) will apply. Failure to document such information could result in a number of sanctions from the UK Data Protection Authority, the Information Commissioner’s Office (ICO), ranging from a warning to a fine of up to €20,000,000 or in the case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.

Chatbots

“How would you describe your style?” “Classic”. “Perf! I’ve just created a customer style profile for you”. Chatbot technology is powered by artificial intelligence which is specifically designed to replicate human interaction. Consumers are able to use chatbots to make enquiries about delivery and returns, make product choices, and place an order. Throughout 2016, retail brands such as Tommy Hilfiger, Burberry and eBay all launched their own chatbot technology to promote sales and boost engagement. Other brands like H&M and Sephora are now using Kik’s new Bot Shop marketplace. Users who chat with the H&M bot can tell the bot a piece of clothing they like, and the bot will suggest an entire outfit and direct the user to buy the outfit through the messaging platform. Chatbots enable retailers and brands to engage with a younger generation and offer users a personalised customer experience. Retailers should inform consumers before they make an order that their statutory right to cancel within fourteen days of receiving a product does not apply to any products made to their specification or clearly personalised. Further, under the Consumer Contract Regulations 2014, retailers should also ensure that any payment order buttons in a chatbot message are clear and unambiguous as to the finality of the order thereby being made. ‘Order Now’ is not considered sufficient by the Directorate-General for Justice Guidance and could result in the consumer not being bound by the order. Wording such as ‘Pay Now’, ‘Buy Now’ and ‘Confirm Purchase’, on the other hand, would be sufficient.

Smart mirrors

“Does my bum look big in this?” Many brands have been experimenting with smart mirrors to enhance consumer experience. These mirrors use RFID technology to recognise the item the customer is wearing. The mirrors then take photographs of the consumer to provide recommendations on the fit and the colour. Ralph Lauren’s smart fitting room at its flagship on Fifth Avenue also suggests other products the consumer might like based on what they bought. In Uniqlo’s store in San Francisco you can see what your outfit looks like at all angles and text yourself side-by-side outfit comparisons which you can send to your friends on social media for their advice. This technology has resulted in an increase of sales and offers consumers a unique experience tailored to the brand.

How much data is being collected?

In 2013, Céline’s creative director and designer Phoebe Philo told UK Vogue: “The chicest thing is when you don’t exist on Google. God, I would love to be that person”. Privacy has become a luxury and consumers are becoming increasingly concerned about how their data is being used and the impact this may have on their privacy. From a consumer perspective, you may exchange your location settings in order to get a better service but it does not mean that you want the data to be seen by others.

From May 2018, brands which manufacture and develop these products will have an obligation to consider the concepts of privacy by ‘design’ and ‘default’ at the initial design stage as well as throughout the lifecycle of the relevant data processing. Brands will need to exercise caution and invest in their infrastructure to protect consumers’ data from data breaches and cyberattacks. It would be advisable to implement a privacy impact assessment to demonstrate that appropriate technical and organisational measures have been implemented; and that compliance is monitored. Any standard contracts with data processors should also be reviewed and revised to set out how liability is apportioned between the parties and that only personal data which are necessary for the specified purpose are processed. As stated above, failure to carry out such measures could result in significant fines.

For further information please contact:

Simon Halberstam, Partner and Head of the Technology Law Group

E: simon.halberstam@smab.co.uk

DDI: 020 3206 2781

Skating On Thin Ice: penalties for website owners and keyboard warriors

The recent decision of the Grand Chamber of the European Court of Human Rights (ECHR), Delfi SA v. Estonia, Application no. 64569/09, 16 June 2015, is helpful in confirming the rules surrounding when and why website operators can be held liable for content posted on their websites by their users.

The area of liability for User Generated Content (or “UGC”) is largely governed by EU Regulations, which, in general, state that if a website operator acts as a “mere conduit” and does not filter or otherwise regulate content which appears on their website, then they have no responsibility for the content of those comments. The general EU regime that governs internet intermediaries is contained in the Electronic Commerce Directive 2000/31/EC. This states that EU Member States must ensure that their national laws provide intermediaries with immunity from all liability (subject to certain requirements outlined below) arising from hosting, transmitting or caching unlawful third party content. However, as noted above, this immunity is subject to the intermediary’s role being a passive one, with no knowledge or control over the content.

Furthermore, the intermediary must operate an effective ‘notice and take down’ procedure. That means that if the intermediary has actual or ‘constructive’ knowledge of the content (for example, if a website user makes a complaint claiming that a comment is defamatory or otherwise unlawful) but fails to remove or disable access to it, then immunity is not available to them.

Background to the claim

A popular Estonian online news service, Delfi, posted an article concerning ice bridges. This generated a large number of responses, including some particularly offensive comments towards an individual implicated in the story. Those comments remained on the website for 6 weeks until the individual requested both their removal and damages. Delfi removed these comments the same day, but refused to pay damages.

When the claim was dealt with by the national court, the individual was awarded damages – albeit an amount substantially less than originally claimed.

In response to the decision, Delfi proceeded to argue that the national court’s ruling of liability for defamatory comments posted by its readers was a breach of its right to freedom of expression, and consequently a violation of Article 10 of the European Convention on Human Rights. Claims that corporate entities (or “legal persons”) should have the same human rights as natural persons are not a new thing, with the most famous success to date being found in Citizens United v. Federal Election Commission (2010), a US Supreme Court case which held that corporations were entitled to the same constitutional right to freedom of expression as private citizens, leading to the unleashing of (now ubiquitous) ‘Super PACs’ into the field of US Politics.

Ignorance is not bliss

In spite of its arguments, it was held that Delfi was liable for the offending comments which had been posted on its website, due to its power to moderate such content.

It is particularly notable that this case highlights the fact that a website provider may be held liable for featuring offending material on its website before receiving express notification of a complaint from a user. Whilst Delfi did have terms of use prohibiting users from using threatening and abusive language, and an automatic filter to delete comments based on certain words, it appears this was ineffective and that its attempts to moderate its site were sufficient to make it liable for anything that slipped through the cracks. Consequently, by a majority of fifteen votes to two, the ECHR upheld the rejection by the lower chamber of the ECHR of the news service’s claim, ultimately finding it culpable for the comments posted by its users.

Repercussions

This decision is neither strikingly novel nor revolutionary, and the position for website operators essentially remains the same as before.

The decision is not a huge blow to online freedom as many may argue. The decision paid particular attention to context, justified by the fact that Delfi is a professionally managed internet news portal, run on a commercial basis, and with active moderation of UGC. Therefore, social media sites and private bloggers need not worry about any new obligations being imposed upon them in the immediate future.

The decision does however serve as an important reminder to those who operate websites featuring UGC; if you take steps to monitor and moderate your content, then it is not sufficient to simply rely on user notifications before deleting potentially unlawful posts. While responding quickly and effectively to unlawful material remains crucially important for website operators, any moderation program which is operated must be robust and effective.

Should website operators try to skate around their obligations and fail to moderate their platforms in the necessary fashion then, as the Delfi case starkly illustrates, they may find themselves on a slippery slope towards paying substantial damages to the aggrieved subjects of their users’ posts.

 

For more information on the Delfi decision, or to discuss how the above issues might affect your online offering, please contact Raoul Lumb on 0203 206 2791 or at raoul.lumb@smab.co.uk

A Legal perspective on Open Source and IPR – Cost and Time Efficiencies or a Faustian Pact?

Well that depends! 

If the relevant governing licence is benign then it may be a “win-win” situation enabling you to save money and time on software development without having to comply with any disadvantageous conditions relating to Intellectual Property rights or otherwise. However, if the governing licence is less liberal, you may end up feeling that the deployment of the open source was a false economy. The common OS licences generally regarded as permissive are Apache, Berkeley Software Distribution (BSD) and MIT. There are no precise statistics but together these 3 are estimated to cover about 40 percent of open source projects whereas the more restrictive GNU General Public Licenses, notably GPL 2 and GPL 3 account for about 35 percent.

The main concerns re GPL can be traced to GPL 2 section 2(b), which stipulates that “You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work… provided that you also meet all of these conditions… b) You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License”.

The attempt to interpret this wording definitively and without ambiguity is at the very least challenging. The dearth of relevant case law makes matters more complex. Many complex issues arise, notably:

  • what constitutes a “derivative work?”
  • does distribution within a company constitute “distribution or publication?”
  • do resultant executables “contain or derive from” GPL code?
  • what is the difference between “static” and “dynamic” linking?
  • can one hermetically “seal” GPL code from proprietary code to avoid contamination of the latter by the former?

The answers to those questions merit a dissertation, not a mere article. Suffice it to say, one has to tread very carefully in this area. It may well be that the benefits of using open source would be outweighed by the detriment to the existence and value of the company’s IPR. Where the development team sits in-house, then with proper analysis and relevant expert input one should be able to reach an informed decision. However, where development is outsourced, matters become more complicated as the interests of the developer and the company may well diverge. The developer can save a lot of time by deploying open source and if the project is fixed-price or time-bound, this will be an attractive option. However, the company may not be aware of the potential impact on its IPR or may be aware but unable to monitor the developer’s coding processes. In some cases, companies that think they have a valuable IPR repository are only disabused when a potential investor or acquirer runs its slide rule over the company in the context of due diligence and finds that some or all of the company’s key code is not proprietary to the company. Indeed, if the open source runes are negative, investors who saw the company’s IPR as a major reason for investing or acquiring may seek to renegotiate or be deterred completely.

IPR in Jeopardy? Dynamic v Static Linking

The major IPR risk stems from use of GPL2 or GPL3 code. Those licences are commonly referred to as “infectious” because they generally mandate publication of modifications to the GPL code. This is so even in SAAS cases where the software supplier is executing on its own server. Other OS licences may prescribe such publication but generally in less frequent circumstances, e.g. the EPL (Eclipse Public License). Whereas under EPL, pure execution of modified EPL code on one’s own server via SAAS would be unlikely to require disclosure of the modifications, the situation would be different if the modified code were distributed. The need to publish such modifications would probably depend on whether the modifications were “hermetically” sealed in separate modules or took the form of adaptations to the original EPL code modules.

Under GPL 3, the situation is more clear-cut as the distinction between separate modules and modified GPL modules seems to fall away with publication required of any modifications to the GPL 3 code. The risk of contamination under GPL 3 arises from the apparent requirement in certain circumstances to publish pre-existing proprietary code that is intermingled with GPL 3 code. However, the need to publish will depend on the extent of the “coupling” between the proprietary and GPL 3 modules. “Dynamic linking” mandates publication whereas “static linking” may not.  Guidance, albeit legally not definitive, is set out in more detail in the GNU FAQ at www.gnu.org/licenses/gpl-faq.html#MereAggregation

Turning back to GPL 2 which still accounts for about 25% of the Open Source market, it does not talk in terms of “dynamic linking”. However, the best view seems to be that linking of proprietary code to GPL 2 code would mandate that the former be published.

Simon Halberstam, Partner and Head of Technology Law Team, May 2015 – simon.halberstam@smab.co.uk 020 3206 2781

Don’t sign that! – Spotify shows you how a lawyer can help you make money

On Wednesday Spotify announced a whole new raft of services for its users: video streaming, podcasts, and an extremely impressive ‘running mode’ (from a tech-geek’s point of view anyway… I’m certainly no great runner). The first two of those features didn’t come as great surprises and pundits (including yours truly) were all over the news talking about them some time before they were officially announced.

So that’s all good then. Spotify has a raft of flash new features to help it beat its competitors and finally start turning a profit. Next stop an IPO in 2016 (for which Goldman Sachs is understood to be retained already), and huge cash payments for everyone involved. The territory is ripe for the kind of easy-reading headlines that we all love to talk about; slick new features for the techies, share price speculation for the financiers, and dreams of making it as big for the entrepreneurs.

But because I’m a lawyer, I don’t want to do any of that, instead I want to sound a note of caution and direct your attention to some of Spotify’s other less happy news. Why? Because the company’s recent fortunes spell out a vital lesson for anyone starting, building, or running a tech business. Specifically, they can teach you how to make more money.

 

Lessons for Entrepreneurs

Underneath the big headlines that it likes talking about, Spotify is still making a loss.

  1. For all the flash new features, the big deals with Starbucks, and the market leading paid-user count, Spotify is a company that just can’t seem to turn a profit. Its 2014 results indicated that, for yet another year running, its outgoings were rising faster than its revenues. In 2014 it lost €162 million. No matter how high and how fast its revenues climb, its outgoings seem to get even higher even faster.
  2. Spotify’s biggest single outgoing is the 70% of its revenues that it claims to pay to ‘rights holders’ each year (i.e. to musicians who aren’t called Taylor Swift) but its recent annual results indicate that in 2014 81% of its revenues were paid as ‘Royalties & Distribution’ costs to record labels. That’s an immense bill; it’s a higher percentage than that paid to record labels by Spotify’s nearest competitors, and it’s still not enough to prevent awkward headlines for Spotify about artists being underpaid.
  3. We have a pretty good idea of why Spotify can’t seem to get that 81% figure down, because its contract with Sony leaked online. A quick look through it reveals some absolutely horrific clauses from Spotify’s perspective and gives us some real clues as to why its outgoings keep spiralling upwards.

 

To summarise that 42 page deal very briefly:

  1. Sony gets paid regardless of Spotify’s fortunes.
  2. Sony doesn’t just get paid, it gets to choose the yardstick by which its payment is measured. If it’s a good year for Spotify then Sony can pick a revenue-share type deal, if it’s not been so good then Sony can pick a payment-per-stream deal.
  3. Sony doesn’t even have to wait to get paid, it receives guaranteed minimum advance payments several times each year. Those payments aren’t technically earmarked as being ‘royalties’ either, so it may well be able to pocket them rather than passing them on to artists.
  4. Sony doesn’t just get paid cash, it also gets additional sweeteners on top. Foremost among them free advertising space on the Spotify platform (which it appears that Sony may be free to sell on if it wishes, effectively becoming a competitor to Spotify itself).
  5. Finally, to really rub it in, Sony has a ‘most favoured nation’ clause in its favour – which means that if any other record label gets an even better deal (whatever that looks like) then Sony is entitled to the same deal itself.

… and that’s just the deal that Sony managed to get. It may well be that other major record labels got even better terms.

Basically, it looks like the reason that Spotify can’t make a profit is because, no matter how much money it makes, it’s bound into agreements that let its suppliers gobble up its revenues as fast as it can bring them in.

 

So don’t sign that, or that, or that…

So, without wanting to seem as if I am criticising Spotify or their legal advisors (I’m not; they were almost certainly under certain commercial pressures when they signed the Sony deal) there are certain clauses that you just shouldn’t sign unless you absolutely have to:

Particularly distressing to a lawyer’s eye is the ‘most favoured nation’ clause, which is an incredibly onerous provision that we would usually advise clients to avoid like the plague. Beloved though they are by multinationals who find themselves in strong bargaining positions, these clauses need to be resisted at all costs and are often the first thing on the agenda in a negotiation. Their presence effectively hamstrings the affected party’s ability to negotiate with other suppliers/customers, as the cost of granting any kind of concession or sweetener to make a deal happen has to be multiplied by the cost of also granting it to your ‘most favoured nation’. In cases like this, the existence of one or more of them in your contracts can make it nearly impossible to keep a cap on your costs.

Similarly, the idea of advance payments combined with a choice of payment measure is a no-go. Sure, suppliers might wish to be paid a share of your revenues, but they ought to be electing to pick either a safe option or a risky one, not getting the best of both worlds. If the Supplier fears that you might be unable to pay them in the future, then let them take advance payments and a fixed price. If however they want to share in your potential financial glories with a revenue share, then let them wait until you’ve made the money before they get paid it and don’t let them switch back to the safe fixed-price method only after seeing that you haven’t hit your targets.

 

… and get control of the deal early.

The simple lesson from the above? Remember how crucial the contracts that you sign are for your financial health. A contract isn’t just 42 pages of dense legalese, it’s the framework that sets out who gets paid what and when. Onerous clauses like those noted above can lock you into a position of perpetual loss-making that you simply can’t earn your way out of.

So when you’re negotiating these kinds of deals, get a specialist technology lawyer (and maybe even an accountant if it’s critical) involved early to make sure that you keep the terms under control. Trying to minimise the costs of professional advice is a false economy: your lawyer can only do so much if you bring them in at the very end of the process to “check it all works”.

Get a specialist, get them involved early, and don’t get stung by those clauses that sap your profits. All of the fancy video streaming in the world can’t get you out of a bad deal once you’ve signed it.

 

Raoul Lumb – 22 May 2015

Browsing Without Licence – Logic Prevails but Limitations Remain

Fortunately for all of us and, in particular, online service providers, logic has prevailed. The Court of Justice of the EU (CJEU) has rejected the idea that, without express copyright owner consent, copyright is infringed every time an internet user browses the internet and opens and peruses a website directly from the main server or from a cache.

This means business as normal for content aggregators, search services, broadcasters and streamers.

The alternative was unthinkable and unworkable. Article 5(1) of the Information Society Directive exempts from the copyright owner’s reproduction right both temporary acts of reproduction which are “transient or incidental” to enable transmission in a network between third parties by an intermediary and lawful use of a work which has no independent economic significance.

The Newspaper Licensing Agency had argued on behalf of major UK newspaper publishers that users of Meltwater, a company that provides an online media monitoring service to compile an index of newspaper websites, had overstepped the mark and that customers of Meltwater needed a direct licence from the copyright owners as, amongst other things, the copy of the article in the user’s computer’s cache was an infringing copy.

The CJEU backed the UK Supreme Court’s view that temporary copies made in an end user’s cache and on screen when viewing the content of a web-page rather than downloading or printing it were exempted as “temporary copies”.

However, whilst this decision confirms that browsing the internet requires no licence from the copyright owner, it could have gone a lot further. As things now stand, the exception in Article 5(1) does not extend to downloading or printing content, forwarding content to third parties or obtaining financial gain by independently exploiting content as opposed simply to reading it.

Simon Halberstam

Misuse of private information – anonymised tracking, profiling and targeting

Whilst the Data Protection Act 1998 and E-Privacy Directive go a long way to preventing the abuse of personal data, the regime is far from watertight. The adtech industry makes extensive use of “anonymous” tracking to study the browsing activities of consumers and then serve them relevant contextual ads.

It is hard to demarcate precisely between legitimate, anonymous tracking on the one hand and intrusive, abusive snooping on the other. There is a constant tug-of-war between consumers who wish to preserve the sanctity and secrecy of their personal data and internet usage and data traffickers who seek to monetize every snippet of personal information out there.

The current case of Vidal-Hall v Google seems to represent a significant shift in the sands in favour of consumer privacy. A group of claimants has been authorised to bring an action against Google for exploiting privacy flaws in the Safari browser to track and exploit consumer browsing habits. The case is significant as it recognises the nascent tort of “Misuse of Private Information” as a legitimate cause of action. From a legal perspective this is significant as to succeed in a tortious claim there is no need to show any actual loss. In the US, Google has already been fined almost US $40m in relation to this pattern of behaviour. Whereas the current UK cap on Data Protection fines is £500,000, the draft Data Protection Regulation envisages fines equating to the greater of Euros 100m or 5% of global turnover.

The dividing line between what is legitimate and what is not is becoming clearer and the online advertising industry needs to tread very carefully.

Simon Halberstam