It will contain information about who controls the data, how the data will be used, whether the information is likely to leave the EEA, to whom the data will be transmitted and how the data is gathered.
Let me give you my legal opinion on your website (confidentially of course) by contacting me here.
These cookies are not the delicious kind. They are tiny text files that are stored on your device so that a website can recognise them. Cookies range from strictly necessary cookies for the functioning of a website, through to more complex cookies for the purposes of advertising and analytics. These cookies are used to "follow" you around the web. As such, a company using cookies must legally disclose this to the user and receive user consent before setting the cookies free to follow you around the web.
Cookies are not new, but the law regarding them is (under the Electronic Communications (EC Directive) (Amendment) Regulations 2011). The application of complex cookies on a website has grown quickly, thanks to a marketing concept called re-targeting. I like to call it the de-ja-cookie effect... It’s the weird web feeling you get, like you are being watched. Say you visit a website to look for a blazer, and, not finding what you are looking for, head off to another website to dream about your next holiday. Strangely, as you are looking for a flight, an advert for blazers 'just happens' to come up.
Legally, websites using cookies must tell you that cookies are there, explain what the cookies are doing, and obtain your consent before storing cookies on your device. In practice, websites have adopted a "take it or leave it" offer. You may have seen those annoying pop-ups on websites that tell you that they use them and if you don’t like it, then leave. Sorry, that’s just the way the cookie crumbles (I couldn’t resist). In my opinion, this is where the law is falling behind technology. You should have the option to disallow cookies being stored on your device and continue browsing.
Next week I will share insights around the law on "Privacy Policies." In the meantime, contact me here and I will confidentiality (and ever so quietly) take a look at your website to see if there are any glaring legal issues.
Intellectual property, the intangible property right that exists under law, is too often overlooked by businesses as a non-priority because it is not a tangible physical asset. On the contrary, in our tech-reliant era, intellectual property is crucial to businesses and understanding one’s intellectual property rights (“IPR”) and obligations should be at the core of every business plan.
1. INTERNATIONAL INTELLECTUAL PROPERTY LITIGATION
Intellectual property defines a category of various intangible property rights such as, amongst others, copyright, trademarks, designs and patents, and this legal protection encourages and protects innovation and creativity. As such, companies will aggressively defend their intellectual property rights especially where there is a threat to their brand recognition, customer following and position in the market. For example, Facebook's recent win in China against a company's use of its 'face book' beverage shows how important a worldwide trademark is in an age where the internet has facilitated international customer reach. More recently, the ongoing Yieldify case illustrates the complexities of a patent infringement case when applied to an e-commerce software business.
2. LAWS WHICH CAN NO LONGER KEEP UP
With ever evolving advances in technology, counterfeiters now operate in a mature and international illegal market. IPR infringement has moved from an individual illegally copying someone's work in a secret workshop, to now being carried out by anyone with access to a laptop and internet. The current law on IPR, captured in the Copyright, Designs and Patents Act 1988, reflects an era when the internet was still in its infancy. Merely reading the law is therefore no longer enough; an understanding of up to date UK and EU case law which add clarity and modern interpretation to the 1988 law is essential.
3. AMBIGUITY OF THE FAIR DEALING EXEMPTION
If someone uses another's copyright for reporting current events or for editorial purposes, this is considered 'fair dealing' and not in violation of the 1988 act. This is an established defence to copyright infringement in the UK. The problem with this defence is that it was originally developed for journalists dealing with printed news. The increase of blogging, social media commentary and online forums has created ambiguity on what constitutes fair dealing for the purposes of current events reporting. As such, businesses may need to conduct in depth internal reviews to assess whether they fall within this exemption, before seeking to rely on this defence. This is perhaps especially so following the recent case of England and Wales Cricket Board Ltd v Tixdaq Ltd (2016) EWHC 575 (Ch), where a three stage test was established to determine whether a use was considered ‘fair dealing’.
4. VARIETY OF COPYRIGHT INFRINGEMENT
Ensuring that you do not breach someone’s copyright is not as straight forward as merely avoiding plagiarizing someone else’s work. With businesses reliant on technology in their day to day activities, there are many business actions which may raise copyright questions. For example: (i) are you breaching someone’s copyright when taking information from their publicly available website and using it in your commercial service offering?; or (ii) are you breaching a website owner’s copyright if you did not explicitly agree to their online terms and you use their information in violation of the online terms?; or (iii) are you breaching copyright by directing users through hyperlinks to protected works (2014 Svensson case)? These are just a few examples of issues to consider, and they illustrate how copyright can permeate many aspects of a business.
5. DATA/WEB SCRAPING
Data/web scraping is, in short, a more advanced, automated and large scale method of copying someone’s information. 10 years ago, copyright infringement would follow a manual process of going through someone’s website or documents to copy their information. Nowadays, the market is flooded with software specializing in robotic/automatic crawling and information retrieval – these robots automatically ‘scrape’ information from a website. Some of these robots are programmed with intelligent scripts, meaning that the robot continues to crawl a website and associated links without further manual instructions.
Web/data scraping is of particular concern to businesses offering real time prices and data, which, when taken by someone else and reused, quickly reduces the uniqueness and value of their original information. Whilst the law on data/web scraping remains a grey area in the UK, this is something which will certainly evolve and which businesses should keep an eye on, especially in light of the EU decision in 2015 in Ryanair Ltd v PR Aviation BV (C-30/14).
Ultimately, IPR infringement may result in criminal civil liability, and aside from the costly effects of a law suit, the loss of reputation could be a deal breaker for your business, regardless of whether the final judgement finds you innocent or not.
Following the UK Information Commissioner’s Office’s (ICO) recent publication of its guidance on the General Data Protection Regulations (“GDPR”) (https://dpreformdotorgdotuk.files.wordpress.com/2016/05/preparing-for-the-gdpr-12-steps.pdf), companies are already busy analyzing how the GDPR will affect their businesses and what changes they will need to implement in advance of the law coming in force in 2018.
The protection of personal (an individual’s) data in the UK is currently governed by the Data Protection Act 1998 (“DPA”). Bearing in mind the enormous technological advances since 1998, the DPA has struggled to be able to address legal risks and issues which have only developed in recent years. The GDPR is therefore an attempt by the European Parliament and Council of the European Union to both update the laws on data protection as well as harmonize data protection laws in all EU countries.
Most businesses are heavily tech-reliant: from those that standardize their data and mass market online, to those that operate self service delivery models, businesses collect, store and use more personal data than ever. And, in many cases, standard (non-personal) data will be combined with the personal data of its clients, suppliers, partners and investors. It is therefore more crucial for businesses to establish clear data protection policies and implement robust procedures to protect individuals’ personal data. The current maximum fine in the UK for breaches of data protection law stands at £500,000 – under the GDPR, this maximum fine will increased to 20 million Euros or 4% of the company’s annual word wide turnover (which is the greater) - violation of the GDPR is therefore not a risk that businesses should willingly take. Alongside this, data processors (the individual/company which collects, stores and processes personal data) will also face hefty penalties and liability alongside the data controller (the individual/company who the data processor collects, stores and processes the personal data for). And, to account for the fact that businesses now reach customers worldwide, the GDPR will also apply to non-EU businesses if they process EU individuals’ personal data.
Development of the GDPR is being actively monitored by businesses in an attempt to get an early start on what may result in huge overhauls to their business policies. Have you started reviewing your data protection policies yet?
dutían's Spring 2016 Newsletter is out now! Access the newsletter by downloading the PDF file below and check out what we've been up to. Read about the development of the business, upcoming events, recent client news and important legal updates. Happy reading!
Have 2 minutes to kill while waiting for the train? Take a look at some of the key legal changes to watch out for in 2016. Remember to look further into the ones which may have an impact on your startup or SME and never underestimate the power of legal compliance to make or break your business!
Already aware of and prepared for the above changes? Brilliant. First time you’ve heard of some of the above changes? Time to move legal compliance up on your priority list – for further information or a complementary confidential chat, contact us now on firstname.lastname@example.org.
Around the time we were perspiring our way through the crowds getting last minute Christmas shopping and sipping on snowmen topped cinnamon lattes, the European Parliament and Council of the European Union were doing something entirely different. On 15th December 2015, the General Data Protection Regulation (to be implemented in 2018) was formally agreed for adoption in 2016. By way of explanation, the existing Data Protection Directive in the EU requires each member state to produce its own data protection rules (in the UK, this is in the form of the Data Protection Act 1998). The GDPR will therefore replace this - yikes.
The GDPR may not sound too menacing a threat, but for start-ups and SMEs aiming to grow their businesses and online presence, now is the time to start getting familiar with the GDPR and assessing if and what changes will be needed to ensure compliance in the not so long future.
Why all the fuss? In today's tech-reliant environment where data privacy protection is becoming increasingly complex, having robust procedures in place for data protection is more important than ever and should be front and centre of any small business’ agenda.
We’ve summarized some of the key draft provisions of the GDPR below for you (subject to Parliament’s revisions once published), although these are not by any means all of the draft provisions.
1. How much?
Right – this one’s a biggie. Currently, the maximum fine in the UK for breaches of data protection rules is £500,000. Under the GDPR, the proposed maximum fine could be up to 20 million euros or 4% of the company’s annual worldwide turnover (whichever is the greater). Ouch. For small businesses on the road to success, getting lumped with a fine for data protection violation may just stunt that growth.
The GDPR will also apply to non-EU businesses if they offer goods/services to EU individuals or if they process EU individuals’ data. In today’s digital era, where businesses strive to reach customers in multiple countries, the GDPR may mean that they need to revamp their data protection policies.
3. Data processors beware
A data processor is an individual or entity that carries out processing and storage of individuals’ (e.g. customers) data. Currently, in the event of a data protection breach, it is the data controller (i.e. person/entity that the data processor is acting for) that is liable. The GDPR however casts the liability net wider and data processors may be liable for fines of up to 5% of the company’s annual worldwide turnover. This is still under heavy debate, and we’re keen to see what the published provisions will look like.
4. I hereby consent
Although the precise terms are yet to be published, the GDPR is likely to make it harder for businesses to prove that individuals ‘consented’ to having their data processed and stored. For businesses relying heavily on internet traffic or mobile app sharing, this may be something that will need addressing earlier on at an operational level, for example, during the production stage of an app.
5. Policeman for all
Currently, the Information Commissioner’s Office (ICO) in the UK monitors, investigates and enforces alleged data protection breaches. Under the GDPR, there’ll be one single authority across the EU that deals with all data protection matters for all member states. Hmmm. We have our doubts about this one working practically; however, we’ll reserve judgment until we see the published text!
6. One Shoe Fits All
The GDPR will implement a single framework of data protection legislation that will apply to each EU member state. This fortunately provides businesses in the EU with a more consistent set of rules and will no doubt be a good thing. Hurrah, a big happy positive!
Have any questions on the upcoming GDPR or on existing data protection compliance under the Data Protection Act 1998? Get in touch and we’d be happy to chat through your concerns or queries!