
Protecting Famous Names and Luxury Brands – The dandg.com Domain Name Decision

Dolce & Gabbana recently took action against the registrant of dandg.com under the Uniform Domain Name Dispute Resolution Policy claiming that the registration infringed its registered trademarks in the term “D&G”.

If the domain name in question had contained the full “Dolce & Gabbana” name,  the prospects for the registrant would have been minimal.  However, the registrant managed to convince the panel that it had legitimate business plans to open a  marketing company under the name and produced evidence of this in the form of a logo, stationery and social media marketing through Facebook and Twitter as well as supporting statements from 3 potential customers.  If the UDRP provided more opportunity for scrutiny of evidence the registrant might have been unsuccessful.

Usually, an approach to the brand owner by the registrant soliciting an offer to buy the name is fatal to the registrant as it evinces bad faith. However, in this case it was not, because it was not necessary for the panel to consider the “bad faith” issue in any detail.

As a result of this, Dolce & Gabbana failed to satisfy the UDRP panel that the respondent, Independent Digital Artists, had no legitimate interests or rights in the name.

There are some key lessons that come out of this decision for both brand owners and registrants of domain names which might be associated with such brands.

  • Do not approach the brand owner seeking to sell the domain name – this is usually taken as indicative of bad faith and often fatal.
  • In cases where a brand owner wishes to challenge evidence of legitimate usage by the registrant, court proceedings may be a better option than UDRP.
  • If you do register a brand name of this type, your chances of retaining it are far higher if you have a legitimate business plan that does not enter the brand owner’s sector of activity.
  • Trademark registration is a key element of brand protection but not always sufficient to succeed in domain name proceedings.

For further information on domain name law, please click here or contact Simon Halberstam at simon.halberstam@smab.co.uk or on 020 3206 2781.

Beware – the Information Commissioner cometh!

The Data Protection Act 1984 was the first data protection legislation implemented in the UK. However, for many years it was largely ignored and there was little evidence of any determination to enforce on the part of the Data Protection Registrar.

In 2000, most of the Data Protection Act 1998 came into force and the name of the office was changed from the Data Protection Registrar to the Data Protection Commissioner and the year after changed again to the Information Commissioner (“ICO”).

The regime now has sharp teeth and contravention of the Act is a criminal offence punishable by an unlimited fine, and the ICO itself has the power to levy fines of up to £500,000 for those who misuse personal information.

The ICO recently decided to reinvestigate Google in relation to information gathered from private wireless networks during the company’s controversial Street View project.

This may not seem immediately relevant to your company but may well be as it is a sign of the increased profile of the Data Protection regime and the appetite of the ICO to enforce UK Data Protection Legislation more vigorously.

The ICO was acting in response to concerns that the Street View technology was grabbing personal information from unsecured wireless networks but the essence of the investigation and, indeed, the ICO’s function is the protection of personal information relating to UK  individuals.

One of the main concerns underpinning the UK Data Protection regime and associated legislation is that individuals should be made aware of any intended use of their personal data before such data is collected.

This may be relevant to various aspects of internal corporate life, notably the right to collect personal data and track personal behaviour of employees and the use that will be made of such data.

In relation to online activity, it is fundamental that there be a well-drafted privacy policy which informs website visitors what use will be made of personal information that is collected.

Such policies should cover issues such as any export of such data outside of the EU/EEA and sharing information with affiliated companies or an acquiror.

For further information or assistance, please contact Simon Halberstam on 020 3206 2781 or by email to simon.halberstam@smab.co.uk.

Google and Street View

The Information Commissioner’s Office (ICO) has recently announced that it is to reinvestigate Google over information gathered from private wireless networks during the company’s controversial Street View project. The initial investigation in July centred on Google’s alleged harvesting of individuals’ personal data via the Street View cars that travelled the country capturing images of street scenes. The ICO was acting in response to concerns that the Street View technology was grabbing personal information from unsecured wireless networks, however it found that any information captured did not include ‘meaningful personal details that could be linked to an identifiable person’, i.e. information that would come within the remit of Britain’s data protection legislation. Overseas investigations continued after the ICO reported in July.

Those international investigations have since discovered – and Google has disclosed via its blog – that in fact it ‘accidentally’ collected significant amounts of personal information, including entire emails, URLs and passwords. This information could fall within the definition of ‘personal data’, the use of which is heavily regulated under the Data Protection Act 1998 (the “Act”). In light of this development, the ICO is reopening its investigation into the Street View project, and announced that it was considering all options, including use of the enforcement powers given to it under the Act.

Contravention of the Act is a criminal offence punishable by an unlimited fine, and the ICO itself has the power to levy fines of up to £500,000 for those who misuse personal information. However as Google appears to be willing to rectify its mistake and ensure compliance with the legislation, the ICO is unlikely to take action so long as it is satisfied that Google’s actions were accidental.

Nevertheless, the fact that the Street View incident has made the news, and the strength of Google’s response in apologising and promising to delete and not use any personal information collected by the Street View project, demonstrates the importance of complying with the many requirements of the Act. Examples of such requirements include:

  • notifying the ICO of the use of any personal information in certain circumstances;
  • obtaining the necessary consent from individuals before their personal information is collected and used;
  • adequately securing and protecting that information; and
  • ensuring that the information is only used for its permitted purpose.

The importance to businesses of developing comprehensive policies – and communicating those policies to relevant individuals – to ensure that they do not contravene the Act cannot be overstated.

Please click here to email Simon Halberstam, Head of Technology Law, or call 020 3206 2781.

Conversion to SAAS – Legal Issues and Other Considerations

In most sectors of the IT industry, there are now extreme pressures and sometimes compelling reasons to convert to the SAAS model.  However there are other factors which militate against such a move. We will look briefly at some of the key legal and commercial issues.

Competitor Behaviour
If you operate in a sector in which your competitors have adopted SAAS or are about to do so, you may be driven to follow their lead. Existing customers who have paid the original licence fee and are now only paying annual maintenance will probably not be a concern. However, the chances of attracting new business are low if you require a sizeable initial licence payment whereas your competitors do not.

Loss of Revenues
People speak of the J-Curve effect which results from conversion to SAAS. The initial loss of up-front licence fees hits revenue hard but is subsequently offset by a rise in recurring income.  However, this is an over-simplification. Many software suppliers who have moved to the SAAS model manage to combine the typical subscription fees with certain up-front charges for set-up or similar and this can reduce if not eliminate the negative impact on cashflow.

Data Protection and Security
In those industries where systems process highly sensitive data, the issues of privacy and security are uppermost in the minds of customers. In such situations, customers want to retain the comfort of knowing that the software system is located and the data are processed on their own premises or in a datacentre where they are confident that all is totally secure. The prospect of such sensitive data moving through the cloud, possibly involving various sub-processors and jurisdictions is unsettling and may be inconsistent with legal obligations. In such cases, the traditional licensing model is likely to persist far longer.

Internet Limitations and Liability
Certain applications process a very high volume of data. In such cases, constraints on bandwidth may be another reason why a web-enabled SAAS solution may be unsuitable. It is also worth noting that where platform stability and constant access are vital, there may be understandable reluctance to rely on a web-enabled service due to the inherent instability of the internet, and customers may prefer a traditional local implementation. It is very important in the contract to seek to exclude or, at least, limit liability for failures to meet the SLA which arise from problems with connectivity and other infrastructure issues which are outside of your control. Precise wording must be included in the SAAS agreement to address that.

For further information on our model SAAS contract, please contact us.

Ryanair wins domain name fight but not the battle

Nominet, the UK domain name registry has decided in favour of Ryanair in a case relating to the ihateryanair.co.uk domain name. The decision entails the transfer of the domain name from the registrant to Ryanair. Ryanair won because the registrant had made a small commercial gain from the website which, according to the Nominet expert, took unfair advantage of Ryanair’s name as it was that name that had drawn visitors to the website.

However, the registrant has now transferred the content of the website to a different domain name, ihateryanair.org. The rules governing .org domain names are different from those governing .co.uk and Ryanair would face a more difficult challenge if it decided to initiate proceedings.

The risk for a trademark owner in such cases is that unless it obtains an injunction through the courts, the registrant can simply transfer the content to a multiplicity of other domain names.

It remains to be seen whether Ryanair will challenge the .org registration.


Domain Names, Trademarks and Brand Protection

Domain names and trademarks are obviously vital elements of brand protection. I have dealt with many cases where third parties have registered domain names which my clients feel should belong to them. These break down into three main categories, each of which requires a different approach.

i. Cybersquatters
This is the situation where the registrant has no legitimate interest in the domain name and has registered it to make money by diverting internet traffic attracted by your name and/or by forcing you to buy the name at an inflated price to protect your brand. The first step is often a “cease and desist” letter but inured cybersquatters will often ignore these, especially if they are not in the UK. Whilst there are legal processes to deal with such registrants, they are time consuming, uncertain and, generally, expensive so in some cases it may make sense to eat one’s principles and seek a deal with the devil.

ii. Competitors
Competitors often seek to gain a competitive advantage by registering a domain name that precisely reflects your corporate or brand name or is a variant thereof. If a “cease and desist” does not work, the options include proceedings either via the domain name dispute protocols or through the courts. In the case of the courts, the action would usually be framed as “passing off”. These cases can be very complicated especially if your brand name sounds generic. In all such proceedings, a registered trademark can be extremely helpful to support your claim.

iii. Pre-existing Registrations
These can be the most frustrating situations as the registrant often registered the name speculatively and makes no use of it. You have a particular problem if the registration pre-dates the start of your business or at least is likely to have been made without knowledge of the existence of your business. Even in this situation, if the registrant at some subsequent stage makes use of the domain name to trade off your goodwill you may well have a good legal case to make, especially if the domain name is a .co.uk rather than a .com.

Pre-emptive Registrations
Whilst it is not possible to register every domain name variant, many problems can be avoided if you register the key variants at the outset. These will often be the .com, .net, .co.uk and those with suffixes reflecting the major territories in which you are or plan to be active. Appropriate trademark registrations can be an invaluable reinforcement to your domain name registrations, enhancing your chances of procuring transfer of domain names from third parties and, at the same time, enhancing the value of your business.


Gathering Clouds – Transferring Personal Data outside the EEA

Whereas data protection is largely standardised in the EEA and transfers within the EEA raise no issues, transfers to most other jurisdictions, notably the USA, may raise complex legal issues. The 8th principle of the Data Protection Act 1998 (‘DPA’) stipulates that personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

However, in a global, increasingly cloud-based economy, data transfers between the EEA and the USA and other countries are inevitable. Thus, mechanisms have been developed to accommodate this. First there are the ‘Safe Harbor’ rules to which US companies may sign up, agreeing to be bound by rules akin to those set out in the DPA. There are also Binding Corporate Rules (‘BCR’) and Model Contractual Rules (‘MCR’) that can be invoked to address the problem. BCR are a set of inter-company rules reflecting the 8 DPA principles. These are only valid for data transfers from EEA companies to their non-EEA affiliates. The European Commission has approved MCR which comprise model contractual clauses that can be implemented into contracts for data transfers from EEA companies to unaffiliated non-EEA companies.

Data Controllers and Data Processors
The DPA distinguishes between Data Controllers and Data Processors. A Data Controller is a person who alone, jointly or in common with others determines the purposes for which and the manner in which any personal data are processed and is responsible for ensuring compliance with the provisions of the DPA. Where Data Controllers have external contractors process data on their behalf, the latter are known as “Data Processors”. But the Data Controller nevertheless remains responsible for the actions of the Data Processors.

Where an EU Data Controller sends personal data to a non-EEA Data Processor, the MCR can be invoked. In today’s cloud-based environment, data may pass through numerous different processors and countries. It is not realistic to expect the Data Controller to monitor each such transfer so it has been deemed sufficient for the non-EEA Data Processor to obtain the consent of the EU Data Controller prior to entering into an agreement to send personal data to a sub-processor and for the Data Processor to enter into an agreement with sub-processors to process and handle the data in accordance with EU data protection law.

Online advertising, AdWords, the e-commerce Directive and Web 2.0

There has been a considerable number of cases within Europe in which the owners of trademarks have complained that sale of Google AdWords infringes their intellectual property rights. When the Google search engine is used to carry out a search, it displays ‘natural’ or ‘organic’ links based on relevance to the search term used, as well as ‘sponsored links’ which are triggered by searching for an AdWord. Clicking on a sponsored link triggers a charge to the advertiser.

Certain aspects of the issue have been considered most recently in England and Wales by the High Court in Interflora Inc v. Marks & Spencer Plc [2009] EWHC 1094 (Ch) which concerned the purchase by Marks & Spencer of Google AdWords including not only the term ‘Interflora’, but also a number of combinations of ‘Interflora’ with a descriptive term (such as ‘flowers’, ‘delivery’ or ‘online’), some misspellings and variants (including ‘Inter flora’ and ‘Intaflora’), and Interflora’s domain names (www.interflora.co.uk and www.interflora.com). Therefore, when the search term ‘Interflora’ (or any of the variants purchased by M&S) was entered into Google, ‘M&S Flowers Online’ appeared as a sponsored link.

The European Court of Justice has since issued the preliminary opinion of Advocate General Poiares Maduro in the joined cases of Google France v. Louis Vuitton Malletier, Google France v. Viaticum Luteciel and Google France v. CNRRH (joined cases C-236/08, C-237/08 and C-238/08) (28 September 2009) (the ‘Google France cases’). Advocate General Maduro concluded that Google did not infringe trade mark rights when selling AdWords or when sponsored links appeared alongside organic links following a Google search. He also concluded that Google cannot be regarded as providing an information society service within the meaning of Article 14 of the Directive on electronic commerce (Directive 2000/21/EC) since if AdWords displays results based on the commercial relationship with advertisers then it is not a neutral information vehicle which would fall within the definition of hosting under Article 14. The distinction between sponsored links and organic links was that, for natural search results, Google did not have any pecuniary interest in bringing any specific site to the searcher’s attention.

However, the Advocate General’s opinion that Google’s selling of AdWords to potential competitors did not infringe trade mark rights is not fatal to Interflora’s case since it has a number of important distinctions. First, Google has a different policy in the UK from that which it operates in the rest of Europe. It used to be the case that a trade mark owner could notify Google that it had registered a particular word as a trade mark. Google would then block that word from being purchased as an AdWord without the permission of its owner. However, since 5 May 2008, Google’s policy for the United Kingdom and Ireland, but not for other EC member states, ceased blocking keywords registered as trade marks. The effect of this is that, within the UK and Ireland, parties may bid for AdWords registered as trade marks unfettered, including for use in relation to goods or services for which such trade marks are registered. Interflora expressly questions whether a search engine provider should not allow trade mark owners to block competitors bidding on their brands. In the High Court, Arnold J commented that:

A cynic might suggest that the explanation for this [Google’s policy] was a calculation…that the courts in the United Kingdom and Ireland interpret trade mark law more restrictively (that is to say, less in favour of trade mark owners) than courts in other member states.

Second, unlike the Google France cases, the Interflora action is brought against M&S, its competitor, and not the search engine. The Google France opinion does not deal with competitor bidding, but instead focuses on customer confusion which is not at issue in Interflora. Finally, the Advocate General’s opinion is precisely that: it is not guaranteed that the ECJ will follow it and it has no binding legal authority on the UK courts. It is for the UK courts to decide whether Interflora’s rights have been infringed.

The immunities in Articles 12 to 15 of the e-commerce Directive concern the exemptions from liability of intermediary service providers in relation to caching, hosting and acting as a ‘mere conduit’ of information. Yet, the provisions of the Directive were drafted with the content delivery model of the late 1990s in mind: the creation of software and content which was hosted, updated and distributed. This does not sit easily with the so-called Web 2.0 intermediaries who exploit both client- and server-side software with content syndication to deliver information storage, creation, and dissemination capabilities to users. Web 2.0 technologies are shifting the Internet from a traditional goods and services marketplace to a user-centred and user-driven environment. The new class of intermediary includes sites such as eBay, Facebook, Wikipedia and YouTube as well as search engines. This is mirrored by a shift from an online advertising model whereby companies deliver content based on a CPI (cost per impression) model or targeted online advertising on sites enjoying high traffic to companies who provide targeted online advertising based upon specific user data, such as browsing history or contextual relevance between a particular brand and the recipient website.

There is, then, a current absence of legal clarity in cases concerning the display of targeted advertising which might, on the face of it, infringe the rights of competitive brand owners. As a result of this legal uncertainty, the serving of advertisements which are based on behavioural marketing and which deliberately aim to exclude (or certainly to marginalise) the owners of competitive brands would seem set to continue, at least until the ECJ considers the queue of related cases coming before it (Portakabin Limited and Portakabin BV v. Primakabin BV; Die BergSpechte Outdoor Reisen und Alpinschule Edi Koblmuller GmbH v. Gunter Guni and trekking.at Reisen ; Bananabay) and manages to provide a level of certainty and harmonisation across the EU which is currently lacking. It may also finally review the system of immunities within the e-Commerce Directive in the light of the technological advances and consumer behaviour patterns of the past ten years.

Dr Stefan Fafinski, IT expert of Invenio Research Limited (invenio-research.co.uk) and Simon Halberstam, Solicitor (weblaw.co.uk).

Consumer Protection – Distance Selling

Please note the law may have changed since the publication of this article.

This statutory instrument, which came into force on 31 October 2000, is designed to protect consumers from abuses particular to distance selling.

With certain exceptions it applies to any contract between a business and a consumer which is not made face to face. Although the European Directive on which the Regulations are based was originally formulated with mail order and telesales in mind, the Regulations are likely to have most impact on B2C (business to consumer) e-commerce.

Information requirements 

You need to provide certain information to consumers before they enter into a contract with you including:

  • your name and, if the consumer pays in advance, your address,
  • a description of the goods or services and the price,
  • delivery costs and arrangements for delivery,
  • how long the offer or the price will remain valid,
  • the existence of a right to cancel and who will be responsible for returning the goods, and
  • if appropriate, the length of time that the contract will remain in force (for example, if services are being provided over a period of time).

 Certain information (including all the above) must also be confirmed in writing in ‘durable form’ and there is some question as to whether this includes fax and email – the DTI certainly seem to think so. In addition to the above the written confirmation must also state details of any after sales service or guarantee and how a contract with no particular end date (such as telephone, gas or electricity supply contract) may be terminated by the consumer. These details can appear in a catalogue or an advertisement but more usually would appear in the standard terms and conditions provided before the contract is concluded. Updating your existing standard terms will be vital to ensure compliance with this provision.

If a consumer is telephoned at home by a business the caller will have to identify who it represents and the commercial purpose of the call at the beginning of the conversation.

Consumers’ cancellation rights 

Consumers also have a ‘cooling-off period’ of seven working days in which they can cancel the contract without penalty. The period commences on the date of receipt of the goods or, in the case of services, the day on which the consumer agreed to proceed with the contract. However, if at that point the information requirements (see above) have not been complied with, the period of seven working days commences when the information has been provided to the consumer or at the expiry of three months from delivery whichever is earlier.

If the consumer exercises the right to cancel, the consumer must make the goods available for collection (but is under no obligation to return them) and a full refund must be provided within 30 days of cancellation. It seems that the obligation to make goods available and the right to a refund cannot be linked. Therefore, if a customer has failed to allow a business to collect items, the business may still be required to provide the refund. The customer is obliged to look after the goods between cancellation and collection.

The only charge the business can make is a sum equivalent to the direct costs of recovery of the goods provided a term in the contract requires the consumer to return the items and he or she has failed to do so. An update to your terms and conditions could prove useful in this area.

If the contract is cancelled, any related credit agreement will be automatically cancelled at the same time.

There are certain contracts which cannot be cancelled such as contracts for the sale of software, CD-ROMs and videos once unsealed by the consumer and newspapers, periodicals and magazines (although, interestingly, not for books which would seem to leave the cancellation rights open to abuse against booksellers). Also the sale of perishables such as flowers is exempted as are items which cannot be returned such as electricity and items which are made to the customer’s specification.

Payment cards 

Where a consumer’s payment card is used fraudulently in connection with a contract concluded other than face to face the consumer is entitled to cancel the payment. If the payment has been made, the consumer is entitled to a refund. This removes the existing potential liability of the consumer for the first £50 of loss caused by fraudulent use of a payment card which exists under the Consumer Credit Act 1974. This now only applies to face to face contracts.

Performance of contract 

Unless agreed otherwise the contract must be performed (e.g. goods delivered) within 30 days and, if this is impossible, the consumer is entitled to be informed and to receive a refund. Any related credit agreement will then be cancelled. The business may be able to substitute other goods and services of equivalent quality and price for those which are unavailable if the contract with the consumer so provides.

Again scrutiny of your standard terms should be undertaken in view of the ability to mitigate the effect of this provision.

Inertia Selling 

Where unsolicited goods are sent or services are provided to a consumer and the goods or services are not provided in respect of the consumer’s business, that person may use or deal with them as though they were a gift. The rights of the sender are extinguished and it is an offence to demand payment for the goods or services. This pretty much restates existing law save that an offence of demanding payment for unsolicited services is created.

Exemptions 

Not all contracts fall within the ambit of the Regulations. These ‘excepted contracts’ include contracts concerning the sale and purchase of land, auctions, financial services, vending machines and pay-phones. Other types of contracts are exempted from certain regulations, for example contracts for the supply of food, drink, accommodation, transport and leisure services.

Enforcement 

Fortunately, the original proposal that breach of certain of the Regulations would constitute a criminal offence has now been dropped. However, particularly in the case of the compliance with the information requirements, businesses will ideally want the ‘cooling-off period’ to begin and end as quickly as possible and it is important to ensure that these requirements are complied with. The Director General of Fair Trading has the task of investigating complaints and enforcing the provisions of the Regulations – through use of injunctions, if necessary.

What businesses should do next 

The terms and conditions applicable to consumer contracts must be considered to ensure that they comply with the information requirements. If they do not, all distance contracts you enter into will be capable of cancellation for a period of three months from delivery of the goods or performance of the services.

Consumers cannot be asked to contract out of their rights under these regulations save where specifically provided. The effect of the Regulations can be mitigated in certain respects (as indicated above) by an update to your terms and conditions.

The full text of the regulations can be found at the HMSO website and advice is also provided on the DTI’s website.

For further information, please  contact Simon Halberstam

 Title: Consumer protection (Distance selling) Regulations 2000

In force: 31 October 2000

Application: with certain exceptions the Regulations apply to any contract between a business and a consumer which is not made face to face (mail order, e-commerce, telesales).

Key Provisions:

  • certain information must be provided to consumers before entering into a contract such as your name, address, price, delivery details etc;
  • this information must also be confirmed in durable form – writing, email (possibly) and fax;
  • consumers have a right to cancel a contract during a 7 working day cooling off period and, upon cancellation, a full refund must be given;
  • contracts must be performed within 30 days (e.g. goods delivered) unless certain exceptions apply.
  • You should consider your terms of business with consumers to ensure compliance with the Regulations.

Family in battle over web address

An Edinburgh father who bought a website domain name for his son is facing a battle with the estate of Chronicles of Narnia author CS Lewis.

Richard Saville-Smith paid £70 for the name www.narnia.mobi so his son Comrie, 10, who is a CS Lewis fan, could use it for his e-mail address.

Full news story: “Family in battle over web address”, BBC Scotland (June 2008).

How to contract online

Please note the law may have changed since the publication of this article.

Before we consider the particularities of the online world, we must take a step back and examine contractual formation in the offline world which is the background against which the relevant rules which have now been applied to the online world were established.

The Offline World

In the traditional world, it has long been clear when a contract has been concluded. It is when both parties put their pens to the signature section of a physical document which sets out the agreed terms. It is true that a contract may be concluded orally but if either party subsequently denies the existence of the contract, there are often enormous evidential problems in establishing that the agreement actually did come into place.

Before we consider the impact of the Internet on the contractual process, we need to consider the legal components which enable a contract to come into existence.

The 4 Contractual Components

There are four such elements. These are consideration, the intention to create legal relations, offer and acceptance. The concept of consideration really means that each party should derive something beneficial from the transaction; hence if I offer to give you my car as a gift, I derive no consideration. The second element, namely the intention to create legal relations, may be passed over swiftly as this is usually understood to exist by virtue of the fact that the parties are in negotiations. This leaves us with the essence of the contract: offer and acceptance.

Offer or Invitation to Treat?

By way of example, an offer is made when one party proposes to another that it should buy a particular item on particular terms, including the precise nature of the item, the price to be paid, the mode of delivery and the date of payment. An offer must not be confused with an invitation to treat. The latter is an intimation by one party to another that it may be willing to do business in relation to a particular article on particular terms and that the other party, if interested should make the first party an offer in relation thereto. This can be a very subtle distinction but is, from the contractual perspective, a crucial one. For example, perverse as it may sound, if you go to the check-out in a supermarket with a basket full of items of food and drink, the person at the check-out, if he/she were very well informed about the nuances of the law, would be fully entitled to turn you away and inform you that the supermarket does not wish to accept your offer for those items. Indeed, the items that you see with price labels on the supermarket shelves are deemed by the law to constitute invitations to treat not offers and therefore not capable of acceptance by the customer. In summary, you cannot accept an invitation to treat and thereby conclude a contract.

Acceptance – when does it occur and what are the effects?

This brings us on to the final element, acceptance. Let us assume that there is a proper offer on the table. For example, A offers to sell B his car for £10,000 p.a. plus delivery costs of £250. Let us also assume that this offer is acceptable to B. The question then arises of how B can accept this offer. Again, in the traditional environment, this would usually be achieved by both parties signing a document containing those and other relevant terms or, possibly, by an exchange of correspondence. The moment of acceptance would generally determine not only the time the contract was entered into but also, if nothing contrary were stated in the terms of the contract, the nationality of the laws that would apply to the contract and the jurisdiction that would be the appropriate forum in which any disputes would be adjudicated. This can become very important if the 2 parties are in different countries with different legal systems. Most contracts avoid the risk by expressly stating the choice of law and jurisdiction. Readers should note the difference between an acceptance and a counter-offer. For example, if in response to A’s offer above, B were to write back and say, “yes I accept your offer to sell me the car for £10,000 including delivery”, that would not constitute acceptance as the terms are not identical and therefore at this point no contract would enter existence.

On-line Acceptance

With the advent of the online world, the law of contract has not altered; rather it has had to apply the existing concepts to a new medium. There are two mainstream ways of concluding a contract online.

By Email

The first is by way of exchange of emails. This is similar to the exchange of physical correspondence. As long as the email of acceptance does not vary the terms set out in the email of offer, a contract will be concluded by the second email. However, questions can arise as to when the acceptance is valid. This is especially so when there is a limited supply. For example, what happens if a computer company has a total of 5 PCs to sell and sends out emails to all of its clients on 2nd January notifying them of the PCs and their price? If 6 of the company’s customers send emails of acceptance on 3rd January, which customer loses out? In the offline world, to cover the equivalent situation, the first letter to be posted is the one which is deemed to be the successful acceptance even if it happens to arrive on the desk of the offeror after the other letter has already arrived. In the online world, it has not yet been unequivocally determined what constitutes the equivalent of posting in a letter box – is it the moment of transmission of the email, the moment it arrives in the addressee’s inbox or the moment that the addressee opens that email? The particular circumstances will usually dictate the answer. To avoid doubt, the company should specify in its terms and conditions how, in the event of competing emails of acceptance, it will determine which email has been deemed to arrive first.

By a Website

The other method of concluding an online contract is via a website, when you go onto a website, select certain items and proceed to the checkout. The issue discussed above as to whether the display of certain items constitutes an offer or an invitation to treat is also relevant to the website environment, as Argos and other retailers who have made mistakes in the prices advertised on their website have discovered. In order for a company to run a proper e-commerce operation, it needs to ensure that its terms and conditions are properly adapted to the online environment, that potential clients have sight of the terms and conditions which will govern the contract before conclusion of the contract and that it constructs its site in such a way as clearly to indicate whether the site is an offer capable of acceptance or an invitation to treat which is not. The acceptance will generally be by way of a click on the word “accept”. “Clickwrap” acceptance has now been granted similar status to the offline signature although, understandably, evidentially, the latter is still preferable.

The SLA must also set out the maximum credit available in respect of any period and that the service credits cannot give rise to a refund or credit against fees due under any other agreement in place between the parties.

Summary

To conclude a valid online contract on the legal basis that you wish, you must ensure that the terms and conditions:

  • are clearly displayed on the website or integrated into the exchange of emails;
  • have been adapted properly to the online environment – certain changes are necessary to reflect legislation which only applies to online transactions;
  • clearly set out whether the site constitutes an offer or invitation to treat;
  • set out what will constitute valid acceptance.

Pay Per Click Campaign – Fraud Abundant

“Most businesses shelling out their hard-earned marketing budget on a pay per click (PPC) campaign want to know that they can rely on the statistics they are provided with. After all, most newspaper and magazine circulations are independently audited. However, you may only have someone else’s word to take for it on a PPC campaign.

An advertiser’s claim that ‘we regularly get 10,000 hits per week’, for example, could amount to negligent or fraudulent misrepresentation, and in any case may well not tell the whole story. But how will you ever know?

If possible, such claims should be independently audited. If not then before investing your money you will need a clear understanding of how the statistics are collated and what they actually mean. The more money you are investing, the more care and attention you should take over the wording of the contract that you enter into and you should consider implementing a contractual mechanism for resolving any disputes effectively.

In the same way that dodgy pop-bands may tour the Record Shops buying their own single in order to boost their chart rating, the number of clicks may be fraudulently boosted to your cost. You may therefore want to be able to check whether repeated clicks have come from the same place to see if this is happening.

We all know the phrase ‘Lies, damn lies and statistics’. Even when the campaign provider is entirely honest, you may still walk away dissatisfied by the campaign, without necessarily any legal recourse. It’s worth taking up references from other clients who have used the same PPC campaign provider, and see how happy they were with it and how it worked for them.”

© This article is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. The contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

Email security and usage

Email Data Security:

If your job is to maintain the security and integrity of your organisation’s network, a detailed knowledge of the Data Protection Act and related legislation is a boring but necessary part of the job, as it is for many of my clients.

Legislation can really only recommend the basic principles and the world of IT will inevitably develop more quickly than the legislation underpinning it. The challenge for network security specialists developing new systems and solutions is to work within the letter and spirit of the legislative framework.

For most businesses, regulatory compliance is inextricably linked to the commercial need to maintain secure networks. For example, if a credit card company failed to maintain network security, it would expose itself to major fraud and legal claims which could cost millions of pounds.

Storage of Data and Liability:

The importance of backing up data must have been brought home to many of us by the experiences of businesses large and small in New Orleans, many of which no doubt will have suffered a devastating loss of data following Hurricane Katrina.

If anyone has any doubt about the importance of backing up data, it’s worth bearing in mind the following points from a legal perspective:

As a general rule, legal actions may be brought within six years of the act or omission complained of. Liability can attach not only to the company itself but to the directors or even, in some cases, the main shareholders.

Under the DPA, ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed’. There’s also an obligation to keep the personal data up to date. In other words, you should have a rigorous system in place to ensure, for example, that your ancient data files only contain relevant, adequate and up to date personal information.

The DPA states that “appropriate technical and organizational measures shall be taken” to safeguard personal data. This is something that many businesses abjectly fail to do. As a result, credit card numbers, membership lists and other personal data have occasionally become publicly accessible on the web. From a commercial point of view, lose that data, and you may not have a business at all.

Data Capacity Limitations

If you phone Australia for an hour long chat with Aunty Doris, you know that you will be paying for the privilege. On the other hand, if you’re blithely using the internet to download the next episode of ‘Lost’, you may be in for a nasty surprise when your next bill plumps onto the door mat (or in tray as the case may be).

We may all like surprises, but not when it comes to paying our bills. The essence of keeping customers happy is to ensure that they clearly understand what they are spending on the service they subscribe to. Broadband providers who fail to learn this lesson will quickly lose their market share to providers more attuned to the needs of their consumers.

There is going to be a huge slice of the population whose use of broadband will not extend beyond sending the odd photo by email attachment and who will never exceed their monthly data cap. Others (and you know who you are) are in the fast lane on the information superhighway. You wouldn’t expect a turbo-charged Reliant Robin, and the same goes for your choice of broadband. In other words, you pay for what you get. If you want a service that’s sleek and mean, that’s what you should go out and find.

That being said, if you shop around you can expect to pick up some good broadband deals. We should be prepared to change our internet provider regularly. If providers do have to apply data caps, then arguably they should at least warn you when you exceed your cap. If the cap doesn’t fit, don’t wear it.

Data Protection and the workplace

Data Protection – Regulatory Powers and Code of Practice

We live in a world where our personal details are known to an ever-increasing number of people. Just look at the number of mailshots that land on your doormat every day. Much of this information is obtained and/or used illegally, contrary to the Data Protection Act 1998 (“the Act”). The data protection regime is administered by the Information Commissioner and based upon 8 principles set out in the Act. Obviously, complete confidentiality is an unrealistic goal but there must be limits on what use can be made of our personal details and by whom. In this article, we will consider employers and regulatory authorities, two categories of entities who, subject to certain limits, are entitled to ascertain, retain and use certain personal data.

Employers’ Rights

The Information Commissioner is issuing guidance on the Data Protection Act by way of codes of practice (“the Codes”). Part of the Codes has already been issued and some is in draft format. The Codes regulate employers’ rights and practices in relation to the personal data which they hold relating to their personnel. Employers must ensure that monitoring of employees complies with the principles set out in the Act.

In brief, any surveillance of employees’ activities in the workplace must fall into one of the approved categories and, ideally, should have been accepted, in advance, by the employee by way of signature of an email and internet use policy issued by the employer. Monitoring must be for a specific purpose, be “fair and lawful” and not involve the retention of more data than is appropriate. The employer must not retain the data for a period in excess of that necessary to serve the purpose and must do its best to ensure that the data is accurate.

The Fifth Principle of the Data Protection Act 1998 states that “Personal data shall not be kept for longer than is necessary”. Earlier this year, the Information Commissioner published part 1 of her Codes, catchily entitled “Information Commissioner’s Employment Practices Data Protection Code Part 1”. The guidance considers the question of retention of records in the context of employment situations but does not specify a fixed period after which data must be destroyed. This, obviously, only deals with employee data.

Employers would be well advised to make sure that their internet and email policy closely follows the various codes issued by the Information Commissioner. Any departure from the Act and codes may infringe the employee’s right to privacy (including correspondence in the workplace) under Article 8 of the Human Rights Act or otherwise expose the employer to various claims, the most common of which are usually based on alleged discriminatory conduct or, if the employee is dismissed, unfair dismissal.

Employers should remember that where the activities of their employees are illegal, it is nearly always the case that, as employers, they are responsible for the acts and omissions of their employees even if the employees are not acting in accordance with the specific instructions of their employers.

Regulatory Surveillance

S.22(4) of the Regulation of Investigatory Powers Act 2000 empowers “designated persons” to demand communications data from network or postal operators. The fundamental aim of this is to obtain data which may help to stop organised crime. An important distinction has been drawn between the interception of communications data and communications content. Access to Communications Data is carried out under an exception to the Data Protection Act 1998. “Communications Data” is defined very broadly as “any traffic data comprised in or attached to a communication …” Access to this data is not limited to law enforcement or intelligence agencies but will also be available, for example, to the Inland Revenue, Customs & Excise and the DSS.

Communications data is also known as “traffic data”. There is no specific definition but it can include information such as:

  • senders and addressees of emails
  • file size of emails and attachments
  • times and duration of phone calls
  • location data on mobile phone users
  • URLs of websites visited
  • newsgroups accessed; and
  • phone numbers sending and receiving faxes.

Although the National Criminal Intelligence Services wished for up to 7 years of communications data to be retained by Communications Service Providers, the Government’s official position was that mandatory traffic data retention for periods longer than those required for business purposes would not be introduced in the UK. However, the Government’s publicly stated position was belied by its efforts in Brussels to remove privacy protection in the review of the Telecoms Data Protection Directive when the UK government fought against the Directive’s ban on blanket data protection. In any event, the directive effectively allows for long-term retention in cases involving national or public security and the investigation of serious crime. After September 11, the Home Office announced that it would introduce a voluntary code of practice for Communications Service Providers to retain all communications data for up to 12 months with a veiled threat that if this were unsuccessful a mandatory scheme would be introduced.

Transferring customer data abroad

Intra-group transfer of data outside of the EEA

Background

Boombust Limited intends to transfer details of all its existing customers to an off shore company within the same group of companies. The final decision as to where this company will be based has not yet been taken but is likely to be Jersey or Portugal.

There are two issues here. First, Boombust is transferring customer data to a third party and secondly that transfer is possibly to be made to a place outside of the European Economic Area (the EU plus Iceland, Norway and Liechtenstein). Although the issues are linked, they are covered by two different principles under the Data Protection Act 1998 (“the Act”).

In this article we have assumed that most, if not all, of the information to be transferred relates to individuals rather than companies and that none of it is ‘sensitive data’. ‘Sensitive data’ means data about a person’s health, sex life, religion, politics, ethnic origin or membership of a trade union.

Transfer of data to a different group company

Information required to be given:

The First Principle requires that Boombust must inform individuals of the processing of their data which is to be carried out, before that processing occurs. Boombust’s terms and conditions do not provide for such transfer. The transfer Boombust proposes is to a third party (despite being within Boombust’s group of companies) and we will assume that the information will not be anonymised before it is transferred. Boombust should inform customers of this proposed transfer before it occurs.

If Boombust decides not to do so, it will be in breach of the Act. However, if such pre-information is not viable, Boombust’s next best option would be for Boombust’s off shore company to inform customers as soon as possible after the transfer. The notification should also set out the processing that it intends to carry out in relation to the customer names. Specific legal advice should be taken in this regard.

Conditions to be fulfilled:

In addition to informing customers of the transfer, the First Principle also requires that one of a number of conditions be fulfilled before the transfer can occur. These include that Boombust has the consent of the individuals to the transfer or that it is necessary for Boombust’s ‘legitimate business interests’, provided this does not cause unwarranted prejudice to the rights and freedoms of individuals.

If Boombust is informing customers before the transfer takes place, it can couple that with gaining their consent at the same time. Depending on the sensitivity of the data being transferred, it may be sufficient to gain opt out rather than opt in consent. Individuals could be allowed to tick a box if they did not want their details transferred. See also below as regards the consent needed under the Eighth Principle.

If Boombust does not intend to inform customers of the impending transfer then, presumably, it would not want to contact them to gain consent. In that case, it will need to rely upon the ‘legitimate business interests’ condition as mentioned above. As this is a new provision under the Data Protection Act (which only came into force at the end of October 2001), there is little guidance as to what would constitute ‘legitimate business interests’. Boombust also needs to weigh up its interest against any perceived prejudice to the rights and freedoms of individuals. Boombust needs to consider the pressing commercial need to transfer this data to a third party and how its business would be affected if it did not do so. Weigh this against the fact that the data will then be handled by a different entity (but within the same group – so that, arguably, there is unlikely to be much prejudice involved) and also possibly outside of the EEA. If Boombust’s off shore company were to produce and observe a comprehensive privacy policy protecting the rights of individuals, it may be that there would be no prejudice for individuals as a result of the transfer. If that privacy policy were group wide then that would assist the argument that no prejudice flowed from the transfer.

If Boombust intended to rely upon this condition, it would probably be advisable that it show, perhaps in a board minute, that Boombust has considered the legitimate business interests (giving reasons) as well as any possible prejudice to individuals and that Boombust has concluded that the prejudice to individuals is slight to non-existent (again, giving reasons).

Transfer of data to a different territory

Portugal

This is within the EU. A transfer to this territory will simply need to comply with the First Principle.

Jersey

Jersey is outside the EEA although it does have similar data protection laws to those in the UK. The Eighth Principle prohibits the transfer of data outside of the EEA unless the recipient country/territory has an adequate system of data protection in force in respect of that data. Jersey does not have an adequate system of data protection.

As Jersey has not achieved adequacy, there are two ways to get around this. First, Boombust can seek the consent of the customers to the transfer outside of the EEA. Boombust will need to tell them where their data is to be sent, what processing of their data will be carried out by the off shore company and also mention that the data protection regime of that territory has not achieved adequacy. Ideally Boombust should obtain opt in consent so that individuals must tick a box to show that they consent to the transfer. If Boombust is complying with the First Principle by informing customers before the transfer takes place and seeking their consent to the transfer, then it can couple this with seeking consent to the transfer outside of the EEA.

If Boombust is not intending to contact all its customers it will need to use contractual provisions to allow compliance with the Eighth Principle. Boombust is allowed to ‘plug the gaps’ of a data protection regime by providing for those gaps in the contract it has with the recipient of the data. Jersey has not achieved adequacy because it has no Eighth Principle – its data protection regime is based on the UK’s old 1984 Data Protection Act which had no prohibition on the transfer of data outside of the EEA. If, in Boombust’s contract with the Jersey company, Boombust prohibits the transfer of any data by the Jersey company to any place outside of the EEA then that transfer will have achieved adequacy.

Other Territories

This is outside the scope of this article. However, apart from Hungary and Switzerland, no countries outside the EEA are deemed to have achieved adequacy in terms of their data protection regime. Thus, any proposed data transfer to any non-EEA territory will require consideration in the light of the data protection regime, if any, in operation there. Other issues to be considered prior to such transfer will include practicality of obtaining consent, legitimate business interests of the transferring company, potential prejudice to rights of the data subjects and appropriate contractual provisions governing the transfer. In the case of transfers to the US, the so-called ‘Safe Harbor’ principles will apply to legitimise the transfer of data if the recipient company within the US (rather than the state in which the company is located) has applied these principles. Specific advice should be sought on these issues.

Further action

The matters Boombust now needs to decide include:

  • Will it be contacting individual customers before the transfer takes place?
  • If not, what are its commercial needs to make the transfer?
  • Is there any prejudice to individuals as a result of the transfer?
  • Where will the off shore company be based?

Boombust should consider updating and expanding its privacy policy which, ideally, should be a group wide policy applicable to the processing of data wherever it is held within the Boombust group.
