
The social media explosion: issues for employers to consider

Social media is continuously expanding. Recent reports suggest Facebook at 1 billion, LinkedIn at 187 million and Twitter at 75 million users worldwide. This undoubtedly creates a wealth of opportunities for both individuals and organisations, but also a wide range of dangers.

What are employers’ main concerns?

Employers are increasingly concerned with the issues arising from these influential, accessible and highly publicised platforms. They find themselves between a rock and a hard place as, whilst mindful of the privacy rights of their employees, they are no longer able to ignore the potential implications of their personal use of social media.

Recent reports suggest that a significant number of employees have posted about work, customers or work colleagues on social networking sites. Unsurprisingly, employers have had to resort to disciplinary action.

How can an employer mitigate the risks of social media misuse?

Misuse can lead to reputational damage, breaches of confidentiality, libel and harassment. Employers can be liable due to the doctrine of vicarious liability if this is done in the course of employment, even if it is unauthorised, or even forbidden, by the employer.

Smith v. Trafford Housing Trust [2012] EWHC 3221 (Ch) considered whether an employee’s religiously motivated Facebook post to the effect that gay marriages in church were “an equality too far”, which he made outside of the workplace, constituted a breach of his employer’s equal opportunities policy. The High Court found that the post did not breach the policy despite the Facebook page associating the individual with the employer and the views he expressed causing offence to some colleagues.

Smith demonstrates the Court’s reluctance to extend the remit of employers’ work policies to employees’ private activities and moderately expressed personal views. In order to try to overcome this, policies where appropriate should explicitly cover conduct outside of the workplace. Enforceability against employees requires clear communication of the policy. Even then, provisions may be unenforceable if they extend so far that they interfere with employees’ human rights, such as right to privacy or freedom of expression.

Social Media Policies

Some organisations may impose a blanket ban on all use of social media in the workplace. This is often backed up by a prohibition on employees from making any reference to anything related to their employment, colleagues or customers outside of the workplace, or making any comments which may cause offence. However, due to the increasing role of social media in marketing, advertising and recruitment, this may be counter-productive and unrealistic. Furthermore, it’s likely to be unpopular and may tip over into infringement of civil liberties.

Preferable may be the implementation of a social media policy which balances an individual’s rights with the need to protect an organisation’s reputation, its staff and any relationships with relevant third parties.

Each employer will need to elaborate a policy which reflects the particularities of its industry, sector and specific circumstances.

A basic policy might usefully include the following:

  • A requirement that employees are not to post comments about anything related to the organisation, its employees or its customers without prior consent from a designated person made responsible for social media management.
  • A provision specifying that employees are liable for all personal social media communication and that no abusive, threatening or defamatory comments will be posted and that the social media account makes it clear that views expressed are those of the employee personally and not those of the employer.
  • Guidance on the line of demarcation between personal and business related social media postings.
  • Guidance on when the employer’s approval is required for postings.
  • Rules on who owns the account and connections made through it: this can be very important when the employee moves to a new employer.

Furthermore, the policy should emphasise that disciplinary action will follow social media misuse, clearly outlining what that disciplinary action might entail. This action should be implemented fairly and consistently in order to avoid employment claims.

What about reputational damage caused through social media misuse?

Twitter now heavily influences the way in which information is accessed and reported  – within seconds, anyone can produce a fanciful ‘tweet’ which can be viewed by thousands of ‘followers’.  This may even end up in mainstream news, regardless of the validity of the statement. This has led the Guardian to claim that ‘social networks are, first and foremost, a new outlet for the old human habit of amoral gossip’.

Many people still believe themselves anonymous when tweeting or posting under a pseudonym. However, this is not the case. If the issue is sufficiently serious, the target might apply for a Norwich Pharmacal order, requiring the Internet Service Provider (ISP) or web host to reveal the information it holds on the particular user in order to identify the perpetrator. Many people also seem to think that the normal rules on defamation do not apply on Twitter; Lord McAlpine has amply demonstrated that this is not the case.

Alternatively, the target might issue a notice to take down the content to the web host under the Electronic Commerce (EC Directive) Regulations 2002. Under these regulations, the ISP will be afforded protection against proceedings only so long as it acts ‘expeditiously to remove or disable access to the information’.

In light of recent events, the Metropolitan Police is meeting interested parties in order to assess whether criminal prosecutions can be brought under the Malicious Communications Act.  The invocation of the criminal law as a means of attempting to control the threat of dangerous and harmful internet communication must be weighed against basic civil liberties.

What about ownership of data collected through social media in the course of employment?

LinkedIn’s mission is ‘to connect the world’s professionals’ and it is thus predominantly a business networking site. Its terms of use state that a user is ‘individually bound’ by a ‘legally binding agreement’, and that the user owns the information it provides to LinkedIn. Consequently, an employer is not party to that agreement, and it seems that the employee is in control.

However, whilst a LinkedIn account is usually personal in the sense that it is in the name of the employee, it’s very likely that an employee will have populated its account with contacts made through the course of its employment and may even have used the facility that automatically scans its work address book in order to invite colleagues and clients to become contacts. Despite this, often employment contracts do not address the key issues.

In the case of Hays Specialist Recruitment Holdings Ltd & anor v. Ions & anor [2008] All ER 216, the High Court considered that Hays had reasonable grounds to believe it might have a claim arising from the use of a LinkedIn account to “harvest” contact details of contacts acquired in the course of his employment. Mr Ions was ordered to give pre-action disclosure of all his LinkedIn business contacts, all emails sent to or received by his LinkedIn account from Hays’ computer network, as well as other documents that showed any use by him of LinkedIn contacts and business obtained from them. Whilst this suggests that the LinkedIn connections belong to the employer upon termination of employment, the decision needs to be treated with caution as it was only a preliminary one and the case did not go on to trial.

Employment contracts should include provisions regarding ownership of business contacts stored on social media sites both during and post-termination of employment and ownership of the social media accounts themselves.

Simon Halberstam

How to value IPR

Everybody knows IPR (intellectual property rights) have a value, but the very reason IPR are used, to safeguard unique products or designs, makes them extremely difficult to value as there are often no comparators. Most people think of IPR as Trade Marks, Patents and Copyrights. However, there are many other categories, notably design right, database rights and domain names.

The IP Office reports industry norms for patents at 25-33% of anticipated gross profits (pre tax) and 10-15% for trademarks. This provides a useful starting point for negotiation but the vagaries of IPR ensure it remains only a starting point. As IPR tend to be unique there can be no direct market comparison and trying to base valuation on time and money spent creating the right is a pointless exercise. There are various criteria that can be used to value IPR, yet no valuation method will work in all circumstances. Set out below is an overview of relevant considerations.

Audit

Before trying to evaluate your IPR assets you need to assess what you own. The audit will focus on:

  • identifying your IPR;
  • the nature and strength of your IPR;
  • whether there is an existing market for the associated product or whether one needs to be established;
  • the level of confidentiality maintained; and
  • any 3rd parties with existing rights in relation to your IPR.

Protecting your IPR Assets

You may need a 3rd party to review your business to establish what your IPR portfolio comprises. Often people fail to take the necessary steps to protect IPR. Considerations here include:

  • Should the IPR be registered?
  • For how long are the IPR valid? What is the duration of the IPR and what is the revenue generation potential?
  • Do you have the finances to withstand litigation if your IPR are challenged?
  • Do your IPR safeguard your position by creating barriers to market entry?
  • Are there still extensive costs involved in bringing the associated products to market?
  • What is the economic climate and how will it affect sales of your product?

Monetising IPR

This can be achieved by licensing or outright sale. In determining the best approach in this context it is important to look at:

  • Cash flow and long term benefits of each option
  • Probable lifespan of your IPR (e.g. patents have a renewable lifespan of 20 years)
  • The extent of your potential market and your current market share
  • If there is a royalties element to the sale you need to evaluate not only the percentage paid but also the distribution network, and the potential for complementary products of the buyer or licensee.

Valuation techniques

We outline below 3 recognised valuation techniques: cost evaluation, market valuation and economic benefit evaluation. These are most appropriate for product based IPR.

Cost Evaluation

This takes into account the following factors:

  • Cost of development: labour, materials, equipment, research and development.
  • Likely cost of creating a similar product
  • Acquiring approval and certification
  • Registering IPR

Whilst this valuation method typically appeals to sellers as a reflection of the time and effort put into the product, it may not be so popular with buyers. This is because the factors taken into account have no direct correlation with the revenue and profitability that the buyer will generate.

Market Valuation

This is based on the IPR and licence sales of similar products. However this is often problematic.

  • How do you compare a unique product? The lack of comparable offerings on the market may make valuation by comparison extremely difficult;
  • Most contracts relating to IPR are kept confidential.

Economic Benefit Valuation (EBV)

This is assessed by looking at the value added, i.e. what income may be generated in the future against the cost of generating that income over the lifetime of the IPR. This is then discounted to allow for risk and cost of development. This method has its own problems:

  • How do you determine the period during which IPR are likely to generate revenue? Whilst the duration of the right may be fixed, there is no crystal ball for future market developments, notably the economic environment and new competition.
  • How do you accurately assess the amount of income generated solely by the IPR when other factors such as knowledge of the market and ability of staff also play a vital role?
  • How do you estimate the income and demand for a product at an early stage of development?

Conclusion

Knowing the value of your IPR is crucial both when protecting it and when selling it. Any prospective purchaser or licensor will have their own idea of its value so it is vital for an IPR owner to have an idea of its true worth.

For more information, please contact Simon Halberstam.

Crowdfunding – the legal lowdown

What is Crowdfunding?

Crowdfunding is the practice of raising capital through numerous small investors. This is predominantly done online and the investment platform will rarely have a lower limit with many accepting as little as £10. In return the investor will receive either share equity and/or an “exclusive gift” which could be a ticket to a concert or a backstage pass where the investment vehicle is a band. The hosting platform generally takes around 5% commission.

There are 2 types of crowd fund:

  • All or nothing – A target is set for the required level of investment within a time limit and the funds are only released to the business or individual once the target has been reached. If the target is not reached then the investments are returned.
  • Keep it all – A target is set as above, but whether funds are returned or not is at the discretion of the individual or business.

FSA Position

At present the majority of websites offering crowd-funding services are not FSA authorised and as such provide little or no protection for the investor, with no recourse to the Financial Ombudsman or the Compensation scheme. Recent guidance published by the FSA stated that crowd-funding should only be targeted at “sophisticated investors who know how to value a startup business, understand the risks involved and that investors could lose all of their money.” Consumer protection legislation states that only PLCs can promote or offer their shares for sale to the general public, all of which is heavily regulated by the FSA. In addition to this there are restrictions placed on carrying out a “regulated activity” such as arranging or advising on investments or offering the public securities without producing an approved prospectus. The UK regulation of collective investment schemes restricts the ability of crowd-funding platforms to use models based on a fund (as opposed to a corporate) structure.

The dangers of crowdfunding

The dangers to a naive investor or an unlucky hosting site remain high. Crowdfunding firms may be mixing client and investor money without FSA authorisation, removing any protection for the investor, as seen in the collapse of MF Global where the investors were left with a shortfall of $1.6 billion. The FSA has yet to prosecute any site offering crowd-funding, yet that does not mean it will not choose to do so in the future.

Seedrs

As of July 2012, Seedrs is the only crowdhosting platform authorised and regulated by the FSA, affording protection for investments of up to £85,000 should a regulated institution collapse.

Loopholes

Many other crowdfunding platforms are operating through legal loopholes; one such example is Crowdcube. When an investor signs up to Crowdcube’s website it becomes a “shareholder” without the standard rights. Crowdcube also takes shares in the companies looking to raise capital. Therefore when the investment “opportunities” are advertised they are targeted at the same group of existing shareholders. This is a legal promotion under FSA regulations.

Another loophole allows potential investors to buy a share in the hosting site and in doing so not only acknowledge the investment is not FSA regulated but also take responsibility for due diligence.

The practice of crowd-funding has grown over the past few years both in number of platforms and investment vehicles yet it has never been challenged by the FSA. However, any money laundering, fraud or a high profile collapsed venture could change the current relaxed attitude to these practices.

One of the key foundations of the FSA is the protection of the investor, yet the existence and use of unregulated crowdfunding sites seems to undermine this.

The Future

The current economic pressures and reluctance of banks to invest in potentially risky ventures have made crowd-funding a popular option amongst many who see it as a good way to stimulate growth and kick-start the economy. It remains to be seen whether legislation in the UK will legitimise crowd-funding, forcing companies to take the Seedrs line, or follow the US JOBS Act and deregulate, passing responsibility to individual investors.

For more information, please contact Simon Halberstam.

Celebrity Tweets fall foul of the ASA

Recent decisions by the Advertising Standards Agency (ASA) and guidelines from the Committee of Advertising Practice (CAP) show marketing through the use of tweets remains perilous.
According to the ASA, marketing or advertising tweets need to be highlighted by hash-tag #ad or #spon, irrespective of the formality of the arrangement.

Following recent advertising tweets direct from the official accounts of Wayne Rooney and Jack Wilshere, the ASA decided that the precursor hash-tag #makeitcountgonike did not make it sufficiently obvious that it was a marketing communication.

Reality TV personality Gemma Collins also fell foul of the ASA when she tweeted about a haircut she was happy with and mentioned a discount. The ASA stated that endorsing a product/service or advising of a discount will be deemed “marketing communication” regardless of the fact that there was no formal contract between the two parties.

An earlier decision by ASA had cleared a series of five tweets, only one of which was identified as marketing through hash-tag #spon (sponsorship) and @snickersuk. The first four tweets were deemed teasers and did not, in themselves, need to be identified as marketing. They merely encouraged greater interest in certain celebrities, not naming or picturing the product. Only on the fifth was the hash-tag #spon used and the product named. Yet taken as a whole it was “sufficiently clear” that the chain of tweets was part of a marketing campaign.

There is a fine line regarding the acceptability to the ASA of promotional tweets. However, as the ASA’s main sanction is ‘naming and shaming’, it is unlikely unsolicited marketing and advertising tweets will stop until the breaches are deemed serious enough to warrant legislation or fall foul of existing laws.

It is worth noting that tweets like any other form of published content can of course be defamatory and get the tweeter into hot legal water.

For more information, please contact Simon Halberstam.

UsedSoft v Oracle

A recent ECJ decision has endorsed the right for licensees to ‘resell’ their licensed ‘second hand’ software across Europe. This is dependent on the original licence term having been perpetual and regardless of whether or not the original licence prohibited onward sale. This position is based on the doctrine of ‘exhaustion of rights’.

Implications

This decision also has retrospective implications, apparently validating the ‘resale’ of any software which was ‘sold’ on a permanent basis. Yet the software can only be used by the ‘purchaser’ for the purpose for which it was originally bought as stipulated in the licence. However, the law of exhaustion does not apply to support contracts which are separable from the contract of sale. Therefore the transferee will generally not be entitled to support under the original contractual arrangements.

Options for software suppliers

Companies wishing to maintain an element of control over distribution of their software should look to provide time limited licences paid for periodically. Cloud based services might be a good option for software providers worried about the exhaustion of their rights as software is provided on a subscription, rather than sale basis. Another option is selling licences to groups of users as it was made clear in the ECJ ruling that these licences cannot be split for the purposes of sale.

For more information, please contact Simon Halberstam.

Crowdfunding – what are the risks?

What is Crowdfunding?

Crowdfunding is the practice of raising capital through numerous small investors. This is predominantly done online and the investment platform may well have no lower or upper limits. In return the investor will receive either share equity and/or an “exclusive gift” which could be a ticket to a concert or a backstage pass where the investment vehicle is a band. The hosting platform generally takes around 5% commission.

There are 2 types of crowdfund:

  • All or nothing – A target is set for the required level of investment within a time limit and the funds are only released to the business or individual once the target has been reached. If the target is not reached then the investments are returned.
  • Keep it all – A target is set as above, but whether funds are returned or not is at the discretion of the individual or business.

FSA Position

At present the majority of websites offering crowdfunding services are not FSA authorised and as such provide little or no protection for the investor, with no recourse to the Financial Ombudsman or the Compensation scheme. Recent guidance published by the FSA stated that crowdfunding should only be targeted at “sophisticated investors who know how to value a startup business, understand the risks involved and that investors could lose all of their money.”

The dangers of crowdfunding

The dangers to a naive investor or an unlucky hosting site remain high. Crowdfunding firms may be mixing client and investor money without FSA authorisation, removing any protection for the investor, as seen in the collapse of MF Global where the investors were left with a shortfall of $1.6 billion. The FSA has yet to prosecute any site offering crowdfunding, yet that does not mean it will not do so in the future.

Seedrs

As of September 2012, Seedrs was the only crowdfunding platform authorised and regulated by the FSA, affording protection for investors of up to £85,000 should a regulated institution collapse.

Loopholes

Many other crowdfunding platforms are operating through legal loopholes. When an investor signs up to such a website it becomes a “shareholder” but without typical shareholder rights. The crowdfunder will typically take shares in the companies looking to raise capital. Therefore when the investment “opportunities” are advertised they are targeted at the same group of existing shareholders. This is a legal promotion under FSA regulations.

Another loophole allows potential investors to buy a share in the hosting site and in doing so not only acknowledge the investment is not FSA regulated but also take responsibility for due diligence.

The practice of crowdfunding has grown over the past few years both in number of platforms and investment vehicles yet it has never been challenged by the FSA. However, any money laundering, fraud or a high profile collapsed venture could change the current relaxed attitude to these practices.

One of the key foundations of the FSA is the protection of the investor, yet the existence and use of unregulated crowdfunding sites seems to undermine this.

The Future

The current economic pressures and reluctance of banks to invest in potentially risky ventures have made crowdfunding a popular option amongst many who see it as a good way to stimulate growth and kick-start the economy. It remains to be seen whether legislation in the UK will legitimise crowdfunding, forcing companies to take the Seedrs line, or follow the US JOBS Act and deregulate, passing responsibility to individual investors.

Simon Halberstam

Virtual currency in gaming – could regulatory law change the rules?

The precise placement of the boundary line between gaming and gambling is a matter that inevitably provokes strong reactions from operators, lawyers and legislators. The classification of an activity as falling into either camp carries not only social connotations, but also very real legal and regulatory implications.

What can be said with certainty is that wherever the line is drawn, operators will innovate to avoid regulatory control. In recent years this has been especially true in the ‘social gaming’ sphere, with an incredible number of businesses springing up to take advantage of the rise of social networks (most notably Facebook) and the proliferation of handheld computing devices (i.e. smartphones and tablet PCs) to offer gaming products to consumers in ways entirely unforeseen by existing UK regulation.

Inevitably, the increasing prominence of these ventures has led to calls for regulation and supervision of the market. The move in May of this year by Japan’s Consumer Affairs Agency to ban so-called ‘Kompu Gacha’ gaming practices within online social games (in which users pay for the opportunity to win randomised rare items, in the hope of collecting a complete set that can be exchanged for a rarer item), is a sign of the direction in which other national regulators are likely to move.

For the time being, operators offering social gaming products in the UK tend to avoid regulation by virtue of the fact that they do not offer prizes that are considered to be ‘of value’ by UK regulators, with ‘prizes’ (in whatever guise) consisting entirely of intangible virtual items that have no practical application outside of the game in which they are created.

In light of international developments and the increasing value of the social gaming market this may well change.

Online Games and Real-World Legalities

Readers will probably already be aware that gamers are willing to sink serious time and money into acquiring rare in-game items, especially where a network of like-minded enthusiasts exists. For example Diablo 2, released by Blizzard Entertainment in 2000, famously generated whole communities of online grey-market traders, whose trafficking of rare in-game objects saw individuals bidding upwards of $100 for single items.

Nowadays, trading is more sophisticated and the sums involved even higher; the rise of ‘Massively Multiplayer Online’ games (“MMOs”) such as World of Warcraft means that exchanges of items can take place directly between players in-game (often arranged in advance via auction sites, as cash sales are usually forbidden by game operators). Indeed, so active is the market for in-game intangibles that developers such as Blizzard are now seeking to harness it as a revenue stream in its own right. The company’s recently released Diablo 3 features a ‘Real Money Auction House’ (“RMAH”) system in which players can bid real currency for intangible in-game items, with a small commission paid to Blizzard on each sale.

Risks and Rewards

This demonstrates the significant value and consequent monetary consideration attributed by gamers to in-game items.

As in-game assets are increasingly monetised, it becomes ever likelier that they will draw the attention of regulators; especially given the low average age of online-game players and the habit-forming effect that social gaming has been shown to have. In the UK for example, the Gambling Act is specifically aimed at ‘protecting children and other vulnerable persons from being harmed or exploited by gambling’. It is likely that future legislation will increase its control over the sector.

The RMAH is a fascinating case in point. As it stands, Diablo 3 is free to play once the user purchases it; but how would the UK’s Gambling Commission view a similar game if a monthly fee were payable? It might well be concerned by the fact that young users could effectively gamble on winning back their monthly payments by selling-on their randomly acquired in-game items to other users at the end of each month, with the operator profiting heavily from their addiction.

Whereas previous games with subscription fees have avoided falling within the ambit of gambling regulations by allowing players to purchase intangible items using only fictional in-game currencies (e.g. ‘gold’) that have no direct cash value, the RMAH explicitly acknowledges that randomly generated in-game items do have a real world value that can be ‘cashed out’. From there, it’s not too difficult to view a monthly subscription fee as an entry fee, with randomly dropped items as financially valuable prizes.

Operators ought to be aware of the potential direction that UK and/or European legislation could take. The experience of Japanese operators serves as a stark example of the kind of features that national regulators may seek to control in the future. Gaming operators should pause to consider whether their offerings might fall on the wrong side of the gaming/gambling boundary.

For further information on compliance with the new legislation on cookies, please contact Simon Halberstam

Online privacy: how to comply with the new law on cookies

Cookies
The Privacy Electronic Communications (EC Directive) Regulations 2003 (“PECR”) governs the use of cookies in the UK.

Cookies are a useful and sometimes essential tool for any website provider.  PECR complements the GDPR and provides specific rules on cookies.  We have significant experience advising on compliance with PECR and GDPR, and ensuring that cookies are deployed and used in accordance with those rules.

What is a cookie?
The UK’s Information Commissioner’s Office (the “ICO”) defines cookies as: “a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.”

Cookies have many potential uses, including identifying users, remembering a user’s custom preferences and helping users complete tasks without having to re-enter information when browsing from one page to another or when re-visiting the site. Cookies can also be used for online behaviour-targeted advertising and to show adverts relevant to something that the user searched for in the past.

What does your organisation need to do if it wants to use cookies?
Regulation 6 of PECR requires organisations to:

  • [provide] clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • [obtain] his or her consent.

This means that if you choose to use cookies, you will need to prepare a document that provides key information about what cookies you are using (a “Cookies Policy”) and obtain users’ consent before dropping cookies.

Cookies Policy
As users’ awareness of what cookies are and their purpose is relatively low, Cookies Policies should include general information about what cookies are and the different types of cookie you use.  For example, a simple explanation of analytical cookies, notably that they are used to recognise and count the number of visitors to your website and provide information about how users move around your website.

This general, broader information should be complemented by a table which contains specific information about each of the cookies you use, so that more techy users have the information they need to make decisions about those cookies.

The ICO requires organisations to make the Cookies Policy easily identifiable. This increases the level of user awareness and ensures the validity of the consent.

Consent
The ICO has confirmed that the GDPR level of consent also applies to PECR.  Therefore, consent must be freely given, specific and informed.  It must involve some form of unambiguous positive action.  This includes ticking a box confirming that the user agrees to your organisation’s use of cookies.

In practice, this means that the website should deliver a consent solution in which no cookies are set to a user’s device before that user has signalled its wishes regarding those cookies.  This may cause difficulties for many organisations who are likely to set cookies as soon as a user accesses their website.

We are able to advise you on the most appropriate method of obtaining consent, overcoming these practical issues, without impeding user experience or diminishing the quality of your website.

Exceptions
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The ICO interprets “strictly necessary” narrowly, and the term does not include cookies which may reasonably be seen as important but not essential.  Examples of the types of cookies that pass this test are:

  • cookies used to remember the goods a user wishes to buy when it adds goods to its online basket or proceeds to the checkout on an internet shopping website, or
  • cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested, e.g. an online banking service

Upcoming developments in cookie law
The E-Privacy Directive, the EU law from which PECR is derived, is being updated to the E-Privacy Regulation.

This E-Privacy Regulation will likely change how organisations are required to use cookies including how they obtain consent from users and the type of cookies that are exempt from these requirements.

For further information please contact Simon Halberstam (Partner – Head of Technology Law) Simon.Halberstam@smab.co.uk

Privacy: Pornography – should we opt-in to opting out?

The suggestion by the cross-party ‘Independent Parliamentary Enquiry into Online Child Protection’ (the ‘Enquiry’) that Internet Service Providers (“ISPs”) be obliged to implement an ‘Opt-Out’ filter for adult material has been greeted enthusiastically by several news outlets; but would implementing such a proposal really do any good?

In essence, the Enquiry’s proposal is that ISPs ought automatically to block access to ‘adult’ content for all users, unless individual users specifically indicate that they wish to retain access to such content when they sign up for internet access (i.e. users have to ‘opt-out’ of having their content filtered).

Gradual erosion of online privacy?

Unsurprisingly, the proposal has raised privacy and freedom of speech objections from several parties. These arguments have tended to come in two flavours; the first states that an ‘opt-out’ proposal is unduly intrusive and serves only to force individuals to reveal unnecessary personal details about themselves to their ISPs. If there is a filter, it ought not be automatic and should instead be rolled out on an ‘opt-in’ basis, with users only signing up if they feel that they require it.

The second argument is more extreme, stating that the censoring of internet content is something that is best left to individuals to implement on their own terms (i.e. by using a program such as Net Nanny or CYBERsitter). Any kind of ‘opt-in/out’ system forces individuals to register their internet browsing preferences with their ISP, eroding their personal privacy and turning ISPs into unelected internet ‘gatekeepers’.

It’s easy to sympathise with the above arguments. Certainly, from a legal perspective it’s difficult to reconcile comfortably an ‘opt-out’ filter with the European Convention on Human Rights’ Article 10 “Freedom to … receive and impart information and ideas without interference…”. However, it can’t be denied that the idea of giving parents the option of setting a content-filter which lies beyond the interference of (increasingly technologically savvy) minors is an appealing one.

A new problem with an old solution?

Interestingly, several UK mobile telephone networks already apply content filters to their users’ handsets, a fact which has raised very little public outcry. Unlike an On/Off filter applied to a child’s mobile handset, a filter applied to an internet connection that services an entire household (possibly containing several different computers) would be a blunt instrument that lacked the necessary sophistication to make it truly effective.

For example, what good would such a filter be to a parent who wished to safeguard his/her children from accessing the seedy side of the internet, but wished to retain the ability to occasionally access such material him/herself?

Further, it’s only fair to ask how effective a filter of specific websites can be, when young teenagers have already proven themselves startlingly adept at using new technology and (perfectly legitimate) social networks to create and distribute their own distinctly ‘adult’ material in the form of explicit home-videos, ‘sexts’ and ‘slash’ fiction (amateur pornographic literature). While an ISP level filter might well stop one household’s children from accessing pornographic websites, it wouldn’t stop them from looking at exactly the same material downloaded by a friend and then shared via Facebook or Tumblr.

The reality is that while an ISP filtering regime may initially appear attractive (especially when offered as a simple ‘set and forget’ package) it’s far from being a panacea solution to regulating children’s behaviour online. A simplistic Opt-In or Opt-Out regime fails to take account of the complex patterns of household computer use and provides no protection against inappropriate material shared via legitimate social networks.

Patents: Where will the dust settle after Yahoo and Facebook have fought it out?

Late nights for Facebook’s legal team in the wake of Yahoo! filing a suit against the social network claiming that it operates in breach of ten patents held in Yahoo’s portfolio.

Outsiders were quick to note that Yahoo didn’t seem to have a problem with Facebook’s technology until very recently, many going so far as to speculate that Yahoo’s decision to go to court may have less to do with defending intellectual property and more to do with securing a settlement paid in equity before Facebook goes public later this year.

As well as underscoring the importance of patenting innovations at the first possible opportunity, Yahoo’s claim raises interesting questions about whether current software patenting regimes (both in the UK and US) are viable in the longer term.

What exactly does Yahoo have the rights to?

A quick look at the ten patents that underpin Yahoo’s claim indicates that, prima facie, it has the rights to patents which enable Facebook features as diverse as placing targeted adverts on users’ profile pages, ‘liking’ posts/entities, sending instant messages to other users’ message inboxes, and previewing how privacy settings will look to others.

If Yahoo really does have such rights over those intellectual properties, then it may be that it could launch similar proceedings against innumerable other tech companies; for example, every service with an equivalent of the ‘like’ feature, or that uses targeted adverts. That’s a prospect which is made particularly worrying by virtue of the fact that Yahoo can do so without having to demonstrate that it actually uses the patents it holds (it doesn’t, for example, have to show that it operates its own social networking service which Facebook imitates).

That’s not a position which is unique to Yahoo; companies such as Microsoft and Google also own sizeable portfolios of registered patents which could be used for similar litigation if they wished. The only factors that prevent them from acting in that, what might perhaps be called abusive, fashion are commercial rather than legal; which raises the question of whether it’s realistic to continue to work with such a patent system.

How to debug the patent system?

Given that software patents are, by their very nature, descriptive rather than definitive (unlike, say, pharmaceutical patents for chemical formulas) it’s not unfair to question whether the current system is the best option for policing intellectual property in the area.

Suggestions for reform range from minor tweaks, such as calling for software patents to be more specifically defined, to more drastic measures, such as providing for patents unused by their holders to lapse after short time-spans. More radically, some commentators (such as web entrepreneur and former Yahoo employee Andy Baio) have called for software patents to be scrapped altogether, leaving the market regulated solely by copyright.

Proposals aside, what is clear is that the sheer scale of the Yahoo litigation is likely to attract the attention of legislators on both sides of the Atlantic, especially in the event that it is successful. That means that its outcome is likely to have implications not just for Facebook’s future share price, but also for the intellectual property rights of the software industry as a whole.

Defamation and Unlawful Acts Online: Blogger defends its right to provide access to controversy

Tamiz v Google Inc is the latest in a series of cases in which individuals have sought damages from Google in respect of allegedly defamatory material published about them on its ‘Blogger.com’ platform.

Google’s usual policy for dealing with such complaints is to refuse to take sides, awaiting a court order before taking action. This approach has led to cases such as Tamiz, in which defendants have sued Google directly after it has denied takedown requests.

A safe harbour for providers of data storage…

In Tamiz, Google relied on the protection, or ‘safe harbour,’ contained in s.19 of the Electronic Commerce (EC Directive) Regulations 2002/2013.

S.19 gives providers of ‘storage of information’ (i.e. providers of conduits for information, who are not active publishers) a complete defence against claims for damages and criminal sanctions brought in respect of unlawful activity conducted, or unlawful information contained, on their servers. In order to avail itself of the defence, the storage provider needs to show that it did not have ‘actual knowledge of unlawful activity’ being conducted and was not aware of ‘facts or circumstances’ that should have made it apparent to it that it was.

The legal argument Google successfully relied on in Tamiz is that a mere complaint by an individual about posted content is not enough to make a storage provider aware of ‘unlawful activity’. Without taking the complaint at face-value the service provider cannot conclusively decide whether content is or is not defamatory, and therefore cannot have the sufficient awareness of ‘unlawful activity’ that would require it to remove it.

The judgement represents a continuation of the UK Courts’ tendency to protect providers of online platforms for free speech and data transfer from liability for the acts of users. It should provide reassurance to ‘storage providers’ that, so long as they are not actively publishing or promoting the material, they need not fear complaints about user generated content (UGC), nor feel obliged to act as adjudicator where the truthfulness of content is disputed.

…but what about moorings for pirates?

It is difficult to read s.19 without thinking of the ongoing troubles of Kim Dotcom, the now notorious founder of Megaupload.com.

Given that s.19 can be used as a shield against both civil and criminal proceedings in the UK, it is interesting to speculate whether Dotcom would be under house arrest (for online piracy charges brought against him by the US authorities) had he based his operation within the EU and been UK resident.

After all, would he not be entitled to argue that his organisation was unable to determine whether the materials uploaded by users infringed third party copyright or would that be considered too disingenuous?

The EU Objection to Google’s Combined Privacy Policy Explained – It’s not what you do, it’s the way that you do it

March is proving to be an exciting month for European technology and privacy lawyers, notably with the Commission Nationale de l’Informatique et des Libertés (CNIL)’s announcement that Google’s new privacy policy is likely to be in breach of European Law.

At a first glance, such a proclamation sounds ominous for all organisations that collect user data in order to provide targeted marketing services to organisations. However, a quick look at the law behind the headline should provide both established businesses and potential start-up enterprises with cause for relief.

The first thing to take away from the CNIL’s open letter to Google is that, in principle, there is no legal objection to the use of a combined policy for multiple services. Indeed, the CNIL even goes so far as to “welcome Google’s effort to streamline and simplify its privacy policies” across its various platforms.

The CNIL’s problem with Google’s new policy is about the level of transparency that it provides to users. Specifically, it is concerned that “the new privacy policy provides only general information about all the services and types of personal data Google processes”, which as a consequence means that it is “extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals”.

What does a data-gatherer need to tell a data-subject?

The real objection then, is not that Google can’t do what it wants to do with user data (collect it and share it across multiple platforms), it’s that it can’t do it without telling its users exactly what data is going to be recorded and to whom the records will be disclosed.

The legal basis for the CNIL’s concerns can be found within Articles 10 and 11 of Directive 95/46/EC; which state that where data is collected from or about ‘data subjects’ those subjects have the right to know the ‘categories of data’ that are being recorded, the ‘purpose of the processing’ of that data, as well as the ‘recipients or categories of recipients’ to whom it will be made available.

While the CNIL has not publicly spelled out the steps that it feels Google needs to take in order to achieve compliance, it’s a fair bet to guess that a satisfactory redress probably involves Google specifically disclosing to users the details of which types of data each of its services collects and then circulates to the others. More crucially, it may even need to explain the purposes for which its separate platforms then use that data.

Ultimately, however, Articles 10 and 11 reflect little more than the “informed consent” principle that underpins “data protection/privacy” laws and the protection of individual rights. The CNIL’s objections in this instance simply spell out the fact that the ‘Informed’ part of that principle is just as important as the ‘Consent’.

Online privacy: how to comply with the new law on cookies

ONLINE PRIVACY: HOW TO COMPLY WITH THE NEW LAW ON COOKIES – 29 MAY 2012

On 26 May 2012 the Electronic Communications (EC Directive) Regulations 2003, which govern websites’ use of cookies in the UK, came into force. At the time of writing, very few websites are compliant.

The new law requires websites to gain explicit user consent to receive a cookie prior to deployment. The precise requirements for compliance were, and remain somewhat, unclear. The Information Commissioner’s interpretation of the new Regulations (see also) is summarised below.

Consent

Consent must involve an end-user knowingly indicating acceptance of the cookie(s) that it is downloading; this could, for example, be by way of click acceptance.

Although the cookies Regulations do not use the term “prior”, the Commissioner expects cookies to be sent only after consent and full information about the cookies to be downloaded has been given. It is recognised that cookies are often automatically downloaded the moment a user arrives on a site. If possible, web managers should postpone the download of cookies until users have been given sufficient information to make a choice about whether or not they want cookies on their machines. If delaying the download of cookies is not possible, websites should ensure they minimise the time between the first cookie being downloaded and the point where sufficient information is provided to the user and consent to permit the cookie to remain on its machine can be given.

Responsibility for compliance

The Commissioner considers that the person or entity setting the cookie is primarily responsible for compliance with the cookie Regulations. However, when a third party’s cookies are deployed via a website, the Commissioner takes the stance that both the website owner and the third party are responsible for compliance.

In practice, the information requirements and opportunity for a user to give its consent will be provided on the website that the cookies are dropped from. As such, third parties dropping cookies, and the sites through which they drop cookies, are encouraged to work together to achieve compliance. Third parties should seek to impose contractual obligations upon the websites through which they drop cookies in respect of compliance with the consent and information requirements in the Regulations.

Avoidance tactics have also been considered by the Commissioner. A website hosted overseas (outside the EU) will be likely to fall within the ambit of the Regulations if:

  • the organisation which owns the website is based in the UK; or
  • the website itself is targeted at the European market; or
  • products and services are provided from the website to customers predominantly based in Europe.

Enforcement

The Commissioner has also revealed the primary enforcement actions available to him for organisations which refuse or fail to comply with the Regulations, namely:

  • Information notice. A request for specific information from an organisation within a specified time frame.
  • Undertaking. An organisation must carry out specific action to improve its level of compliance.
  • Enforcement notice. An organisation must carry out specific actions to ensure compliance with the Regulations. Failure to comply with this notice may be considered a criminal offence.
  • Monetary penalty notice. A fine of up to £500,000, to be used only for the most serious breaches.

Enforcement action will be proportionate to the associated privacy concerns. As such, cookies which do not greatly impinge on a user’s privacy rights (e.g. first party analytical cookies and those used to support the accessibility of sites and services) are likely to register extremely low on the Commissioner’s priority list for enforcement.

The Commissioner has gone as far as suggesting that, while not considering them exempt from the Regulations, he is unlikely to take action in respect of cookies that do not impinge on users’ privacy. On the other hand, organisations dropping cookies which focus on gathering users’ personal information will be the main focus for enforcement.

Potential Exemptions for providers of online gaming services

Of particular interest to operators in the online gaming sector is the statutory exemption from obtaining prior consent where a deployed cookie is “strictly necessary for the provision of an information society service requested by the subscriber or user”.

In this context, an ‘information society service’ is defined as “any service normally provided for remuneration, at a distance, by means of electronic equipment… at the individual request of a recipient of a service”. The Information Commissioner has indicated that this definition covers cookies that manage online ‘shopping baskets’, serving to remember information about products or services that an individual has indicated a desire to purchase whilst it navigates around, or temporarily leaves, the site.

This exemption should serve to lighten the burden for the online gaming industry. Specifically, it could allow sites to continue to use cookies to record information such as an individual’s balance of funds, ticket purchases, and winnings in much the same way as they do now. As involvement in online gaming activity is actively requested by users when they choose to play games online, the download of cookies which specifically manage their engagement with that service seems likely to fall within the exception set out above.

What needs to be done now?

Web managers in the UK should therefore be doing the following:

  • Ascertaining what type of cookies are used by their websites and how they are downloaded onto users’ machines (effectively a ‘cookie audit’).
  • Gauging the likelihood of existing cookies’ fitting within the ‘provision of service’ exemption detailed above.
  • Deciding on which method(s) of obtaining consent to cookies are best for their website, given the results of the cookie audit.
  • Recording the cookie audit and implementation methods in an easily digestible form, lest the ICO investigate the site.

Suggested methods of implementation

Below are a few options which have been suggested to procure user consent before cookies are downloaded. Please note that consent only needs to be provided by a user the first time each type of cookie (used for the same purpose) is downloaded onto its machine:

  • Pop-ups each time a new type of cookie is to be downloaded onto a user’s machine.
  • Having in place a privacy policy setting out the site’s use of cookies; the terms of which a user must positively accept upon visiting the site for the first time (e.g. via a tick box).
  • Settings and feature-led consent. If cookies are downloaded when a user does something e.g. watches a video or personalises the site, obtaining the user’s consent prior to feature access.
  • Web managers should bear in mind the “strictly necessary” exemption, but be careful not to place excessive reliance on it.

What next?

The ICO has suggested that, in the near future, consent could be validly provided through users’ web browsers. ICO guidance envisages a future scenario whereby a user accesses a website via a sufficiently sophisticated web browser set up to reject certain cookies and accept others, allowing a web manager to assume that the user has provided its consent accordingly. However, it is acknowledged that many web browsers are not sufficiently sophisticated for this method to be currently viable. The Government is therefore currently consulting with the major web browser manufacturers and it is envisaged that an announcement as to compliance via this unobtrusive method will eventually be made.

However, the Article 29 Working Party (a group of data protection regulators from EU member states) has given a non-binding (albeit very persuasive) opinion on consent via web browsers. The Working Party has suggested that reliance on users navigating websites via sophisticated web browsers is not, in itself, a substitute for procuring their positive consent to the download of cookies. Instead, the Working Party has suggested that web browsers need to be supplied to consumers with a default setting of rejecting cookies. In order for consent to be validly given via these browsers, users would also have to be provided with comprehensive information about cookies before actively changing their browser settings to allow cookies.

Conclusion

The fundamental problem seems to be a disconnect between the law and technology. In most cases the law is running to try to keep up with the technology (e.g. super-injunctions failing to keep pace with the rise of social media). However, in this case the law is way ahead, making unrealistic demands of the current technological landscape and necessitating that developers build innovative solutions to meet the new legal requirements.

____________________________________________________________________________________________

COOKIES UPDATE – JANUARY 2012

As you may now already be aware, laws surrounding the download of cookies changed in May 2011. The amended E-Privacy Regulations require websites to seek the consent of end-users prior to the download of cookies onto their machines. End-users must also be given comprehensive information about the use of cookies on the websites they visit.

The Information Commissioner has put in place a one year moratorium on enforcement of the new regulations to allow businesses sufficient time to formulate their plans for compliance. Businesses have been reluctant to implement consent measures on their websites, citing reasons such as the options available being very detrimental to the user experience (e.g. pop-ups) and fears surrounding the paucity of key site analytical data that will be collected should users not consent to the download of cookies.

Clearly mindful of the confusion and apprehension surrounding implementation of the new cookies regulations, the Information Commissioner published updated advice regarding cookie compliance on 13 December 2011. The Commissioner’s additional interpretation of the new regulations is summarised below.

Consent

Consent must involve the end-user knowingly indicating their acceptance, for example by actively clicking an icon or subscribing to a service.

Although the cookies regulations do not use the term “prior”, the Commissioner expects cookies to be set only after consent and full information about the cookies to be downloaded has been given. It is recognised that cookies are often downloaded the moment a user arrives on a site. If possible, web managers should postpone the download of cookies until users have been given sufficient information to make a choice about whether or not they want cookies on their machines. However, if delaying the download of cookies is not possible, then websites should ensure they minimise, as much as possible, the time between the first cookie being downloaded and the point where sufficient information is provided to the user and consent can be given.

Responsibility for compliance

The Commissioner considers that the person or entity setting the cookie is primarily responsible for compliance with the cookies regulations. However, when a third party’s cookies are dropped via a website, the Commissioner takes the stance that both parties are responsible for compliance with the law. In practice, the information requirements and opportunity for a user to give their consent will be provided on the website that the cookies are dropped from. As such, third parties dropping cookies, and the sites they drop cookies from, are encouraged to work together to achieve compliance. Third parties should seek to include contractual obligations upon the websites they drop cookies from in respect of the consent and information requirements in the regulations.

The Commissioner has also considered organisations contemplating avoidance tactics. A website hosted overseas (outside the EU) will still likely have to comply with the cookies regulations if:

  • the organisation which owns the website is based in the UK; or
  • the website itself is designed for the European market; or
  • products and services are provided from the website to customers predominantly based in Europe.

Enforcement

The Commissioner has also revealed the primary enforcement actions available to him for organisations which refuse or fail to comply with the cookies regulations, namely:

  • Information notice. A request for specific information from an organisation within a specified time frame.
  • Undertaking. An organisation must carry out specific action to improve its level of compliance.
  • Enforcement notice. An organisation must carry out specific actions to ensure compliance with the regulations. Failure to comply with this notice may be considered a criminal offence.
  • Monetary penalty notice. A fine up to a £500,000 maximum, to be used only for the most serious breaches.

Enforcement action will be proportionate to the issue that it seeks to address. As such, cookies which do not greatly impinge on a user’s privacy rights (e.g. first party analytical cookies and those used to support the accessibility of sites and services) are likely to register extremely low on the Commissioner’s priority list for enforcement. The Commissioner has gone as far as suggesting that, while not considering them exempt from the regulations, he is unlikely to embark on “any consideration of regulatory action” in respect of the cookies referenced above, so long as organisations have done all they can to provide users with prominent and sufficient information about the purpose of such cookies. On the other hand, organisations dropping cookies which closely relate to users’ personal information should be prioritising implementation of the consent (and information) requirements of the regulations.

Conclusion

The additional guidance from the Commissioner suggests that a common sense attitude will be taken in respect of enforcement of the regulations from May onwards. However, what is stressed throughout the updated guidance is that the new regulations cannot be ignored and organisations should currently be doing all they can to achieve compliance.

Territorial Jurisdiction v The Internet – The ECJ adopts a wider interpretation of jurisdiction in relation to privacy rights

Recently, there has been an interesting ruling by the European Court of Justice (ECJ) on two joined cases, both relating to alleged multi-jurisdictional defamation by means of material published on the internet. The inherent conflict of the globality of the internet and the territorially limited jurisdiction of national courts was the key issue.

eDate Advertising v X

In 1993, X and his brother were sentenced by a German court to life imprisonment for murder. X was released on parole in January 2008.

eDate Advertising (established in Austria) linked from the info news section on its website to a report that named X and stated that he had lodged an appeal against his conviction. In addition to a brief description of the crime, the report also contained a quote from X’s lawyer saying that X intended to prove that several of the principal witnesses for the prosecution had not told the truth at the trial. X requested eDate Advertising to stop reporting on the matter and to refrain from any future publication. eDate Advertising did not reply but removed the disputed information from its website.

Not satisfied with this, X brought an action before the German courts to prevent eDate Advertising from using his full name when reporting about the crime. eDate Advertising argued that the German court had no jurisdiction to make any order restricting publication outside of Germany. Therefore, the court referred the matter to the ECJ to make a ruling on whether it had such jurisdiction.

Martinez v MGN

The French actor Olivier Martinez and his father brought an action before the Paris Regional court, claiming that his private life had been interfered with, following a posting on the website ‘www.sundaymirror.co.uk’, entitled ‘Kylie Minogue is back with Olivier Martinez’, with pictures and details of a meeting between Kylie and Olivier.

The action was brought against MGN, the publisher of the Sunday Mirror. MGN raised the objection that the Paris Regional court lacked jurisdiction to make any order restricting publication, as the article was in English and on a UK website. The Parisian court also referred the matter to the ECJ to rule on jurisdiction.

The ECJ found that:

Where there was an alleged infringement of personality rights by way of content placed on an internet website, the claimant could bring an action either 1) before the courts in the country where the publisher is established, or 2) before the courts where the claimant is based, or 3) before the courts of each country where the allegedly infringing content is or has been accessible online.

Conclusion

The ECJ appears to be adopting a wide interpretation in order to protect an individual’s personality rights on the internet, allowing potential claimants several options as to how they want to bring an action against any infringer. Publishers should take a more careful approach to what and how they post information. In light of this clarification, ‘forum shopping’ by claimants may become more prevalent.

Consumer rights reinforced – new EU Consumer Rights Directive

On 11 October 2011 the new EU Consumer Rights Directive was formally adopted by Member States. It substantially strengthens consumer rights in all 27 EU countries, particularly when shopping online.

Here are a few of the key benefits to consumers:

1) Hidden charges and costs on the Internet will be eliminated

From now on, consumers must explicitly confirm that they understand that they have to pay a price and will be protected against hidden “cost traps” on the Internet, for example, paying for ‘free’ services, such as recipes.

2) Increased price transparency

Traders have to disclose the total cost of the product or service, as well as any extra fees. Consumers will not have to pay charges or other costs if they were not properly informed before they place an order.  This is an issue that has attracted particular focus in the budget airline market.

3) Banning pre-ticked boxes on websites

Currently, consumers often unwittingly end up with additional services on a default basis having failed to un-tick associated boxes. These pre-ticked boxes will be banned across the EU meaning that positive “buy-in” will be necessary.

4) 14 Days to change your mind on a purchase

Previously, the time period where a consumer could withdraw from a sales contract was 7 calendar days. This has been extended to 14 calendar days. The time period will also start from the moment the consumer receives the goods, as opposed to the old legislation, which was from the conclusion of the contract. In addition:

  • Where a seller hasn’t clearly informed the customer about the withdrawal right, the return period will be extended to a year;
  • Where a trader calls a consumer beforehand and presses the consumer to agree to a visit (solicited visit), the consumer will also enjoy the right to withdraw;
  • Online auctions, such as eBay are also included (though goods bought in auctions can only be returned when bought from a professional seller); and
  • The EU has introduced a model withdrawal form which can be used for any contract in the EU, making it more accessible and faster for consumers.

5) Better refund rights

Consumers must now receive their refund within 14 days of the withdrawal. This includes the costs of delivery. Also, if traders want the consumer to bear the cost of returning goods after they change their mind, they have to clearly inform consumers about that beforehand, typically in their terms and conditions, otherwise they have to pay for the return themselves. Traders must also give an estimate of the maximum costs of returning bulky goods before the purchase, so consumers can make an informed choice before deciding from whom to buy.

6) Eliminating surcharges for the use of credit cards and hotlines

Traders will not be able to charge consumers more for paying by credit card (or other means of payment) than what it actually costs the trader. Traders who operate telephone hotlines will also be unable to charge more than the basic telephone rate for the telephone calls.

7) Information on digital products

More detail will be provided, including product compatibility with hardware and software and the application of any technical protection measures, for example limiting the right for the consumers to make copies of the content.

8) Unified approach for businesses over Europe

The new legislation provides common rules for all businesses to ensure a similar approach in trading. These include:

  • A single set of core rules for distance contracts and off-premises contracts in the European Union, creating a level playing field and reducing transaction costs for cross-border traders, especially for sales by internet; and
  • Standard forms, for example one to comply with the necessary information requirements on the right of withdrawal.

The full text of the directive will be published in the Official Journal shortly. Member states will have two years from the publication in the Official Journal to implement the Directive into national legislation.

L’Oreal v eBay – on counterfeit products: is it worth it?

In July 2011, the European Court of Justice (ECJ) considered the case L’Oréal v eBay, where L’Oréal had brought proceedings against eBay and a number of its users for trade mark infringement for the sale of counterfeit products on eBay’s auction site, and ruled on several points which had been referred by the High Court, namely whether eBay (and other websites like it):

  • Could be jointly liable for trade mark infringement through the sale of infringing products by its users;
  • Could be liable for infringement through the use of sponsored links on third party search engines and its own site insofar as they led people to postings for infringing products;
  • Had a defence under Article 14 of the E-Commerce Directive (2000/31/EC) (Article 14) for liability for information it (as an internet service provider (ISP)) merely “hosts” on behalf of recipients of its service; and/or
  • Could, nevertheless, be prevented under Article 11 of the Intellectual Property Rights Enforcement Directive (2004/48/EC) (Article 11) from selling infringing goods on its site, even if there was no infringement by eBay itself.

The ECJ decision, which will go some way to strengthening the position of brand owners, found that eBay can be held to account for infringing activity taking place on its online marketplace, in relation to past, as well as future, infringements under Article 11.

Critically, the ECJ also found that where goods were being sold through eBay by suppliers located outside the EEA, and those goods had not previously been put on the market in the EEA by the trade mark owner, the owner could still enforce its trade mark rights against the seller, as long as the webpage in question was targeted at consumers within the EEA market. This would be a question of fact for national courts to decide, and could take into account the currency of payment, language and even the website address. For example, in L’Oréal v eBay, the address was www.ebay.co.uk; the ECJ therefore thought this was conclusive that the site was aimed at consumers in the UK territory and therefore covered by the national trade marks.

The ECJ then considered whether eBay could rely on the defence in Article 14, and found that eBay could not. The ECJ said that if a diligent economic operator should have been aware of the unlawful activity and did not act in accordance with Article 14(1)(b) and remove the information expeditiously from its site, the defence would not be available. The ECJ further stated that the defence is limited to only the technical and automatic processing of data.

It seems that, following on from the decision of the ECJ:

  • The High Court will be able to place injunctions on intermediaries despite the UK having yet to adopt specific rules to implement Article 11 in full;
  • Injunctions against future, as well as past, infringing activity on online marketplaces will now be available for brand owners;
  • Online marketplace providers and other ISPs cannot rely on the defence provided by Article 14 if they have played an active role in the promotion or sale of the trade-marked goods, or gained knowledge of facts or circumstances that should have put them on notice that the offers for sale were unlawful, and they failed to act expeditiously.

The net is clearly tightening around portals and peer to peer websites that profit from the interaction of buyers and sellers.  It seems that the number of hiding places for ISPs is also likely to diminish in the near future.

Google facing antitrust inquiries

On 21 September 2011, the Senate Judiciary Subcommittee on Antitrust opened a hearing to look at the state of competition in online search engines.

The subcommittee is specifically looking at whether Google abuses its market position by fixing its search results to promote its own websites and services. Opening the hearing, the honourable Herb Kohl said “For the last five years or so, Google has been on an acquisition binge, acquiring dozens of Internet-related businesses, including, in health, finance, travel, and product comparison. This has transformed Google from a mere search engine into a major Internet conglomerate. And these acquisitions raise a very fundamental question – is it possible for Google to be both an unbiased search engine and at the same time own a vast portfolio of web-based products and services? Does Google’s transformation create an inherent conflict of interest which threatens to stifle competition?”

In response to the concerns raised, the executive chairman of Google, Eric Schmidt, who gave evidence before the subcommittee on 21st September, said “I can assure you we’re not cooking anything… Google does nothing to block access to any of the competitors and other sources of information.”

When asked by the subcommittee whether Google was a monopoly company, Mr Schmidt said the search engine giant was “in that area”, adding that it recognised it had a special responsibility because of its position.

The US Federal Trade Commission (FTC) is also investigating the same competition issue. The New York Times reported that FTC officials privately debated this month whether to allow the agency’s Bureau of Competition to issue subpoenas to Google, and the FTC is now close to moving forward with handing out the court orders. The Financial Times reportedly said that attorneys-general in California, New York and Ohio have also launched antitrust investigations into Google. US law dictates that for any breach to have occurred, an actual detriment to customers must be identified.

Closer to home, Google is also subject to an investigation by the European Commission, launched in November 2010. This followed various complaints by other search engines and companies, most notably Microsoft, all of whom allege that Google gives unfavourable treatment to their services in unpaid and sponsored search results, coupled with an alleged preferential placement of Google’s own services.

Google offers two types of search result – unpaid results that are displayed in the main body of the page and “ads” (previously called sponsored links).

The investigation will try to determine whether Google’s method of generating unpaid results adversely affects the ranking of other organisations, specifically specialist search providers, such as price comparison sites. Google argues that these sites are ranked poorly because the websites duplicate information from other sites.

Finally, the investigation is also probing how Google deals with advertising partners. It has been alleged that Google imposes exclusivity obligations on advertising partners, which Google has refuted.

Whereas an offence is only committed in the US if the authorities can establish that there has been a detriment to consumers, there is no such requirement in EU law. The European Commission will need to examine Google’s actual search algorithm and email trail to determine whether EU laws have been followed. If a breach of EU law has been committed, the European Commission can fine a company up to 10% of its annual global turnover.

Apple crushes Samsung’s Galaxy tablet in Germany as global battle lines are drawn

Despite the Europe-wide ban being lifted following a challenge from Samsung, the Dusseldorf district court has now reinstated the ban on the sale of the Galaxy tablet across Germany saying that it does infringe Apple’s IP.

This tussle is only a small part of the global IP battle between these two tech giants which is currently raging across the US, Australia and South Korea.  In Europe at least, Samsung appears to be on the back foot as it was forced to withdraw its Galaxy Tab 7.7 from the IFA electronics fair in Berlin, one of the most important showcases in the industry.

However, Samsung has counter-claimed that Apple has infringed its wireless patents.  And Apple is facing another challenge from HTC for infringement of patents which they acquired from Google.

Lawsuits are now being used as anti-competitive weapons to stall rivals’ product launches.  The battle lines are being drawn: Apple v Samsung, Google and HTC; Apple v Android. Perhaps this will prove to be less one-sided than you might first imagine.