Update: IP/IT
Susan Singleton reviews cases on what is protected by copyright and liability of internet service providers
Every summer a raft of case law emerges before courts go off on holiday and this was no exception: there is a plethora of developments, from cases on what is protected by copyright to liability of internet service providers. But equally significant are some of the reports published over the summer months.
Hargreaves review of IP
The government has launched a major consultation exercise on intellectual property law - the Hargreaves review of intellectual property law. This is a lengthy review which makes some proposals for change, but no major replacements of the main IP statutes in the UK. A long-mooted change in the report is altering English copyright law so that it is no longer illegal for consumers to buy a DVD for their own use and copy it to their iPod, which would bring the UK into line with laws in the US and much of Europe. There are many other changes.
It is worth following the review both in relation to IT and to intellectual property law in general to see what legislation emerges. It follows the earlier Gowers review (www.ipo.gov.uk/ipreview-finalreport.pdf).
Counterfeit goods on eBay
The Court of Justice of the EU this summer has clarified the issue of liability for organisations such as eBay where goods are sold which infringe intellectual property rights on their sites. There seems to be a constant stream of queries at present for IP and competition lawyers about internet selling, use of images online, stopping unauthorised distribution and the like. The internet is at the heart of it, as more and more businesses move online and buyers, both businesses and consumers, make the internet and search engines their first port of call.
In L'Oreal the court held that there is no liability on an organisation such as eBay if a business is unaware of the infringement. On the other hand it said that if the organisation has bought search terms to improve search engine rankings which lead consumers to infringing products the organisation might be liable. The English court had decided in a 2009 decision that in general eBay was not liable - it was a mere conduit. This was consistent with earlier case law such as Amstrad, which related to twin-deck cassette players. However, this recent case arose from some additional questions on which the English court wanted clarification from the Court of Justice.
Newspapers Licensing Agency v Meltwater
All copyright lawyers must read this Court of Appeal judgment. It looked at a number of fascinating issues which arise in relation to copyright and online use of material. It held that there can be copyright protection in headlines. Meltwater alerts its customers to news items of interest to them electronically. The temporary copying and fair dealing defences did not apply.
Taking short extracts from a work will also infringe rights. The EU case Infopaq was followed, where copying only 11 words was sufficient to amount to infringement. This may have implications for those who write slogans such as 'Go to work on an Egg' (Fay Weldon's), 'Up Yours Delors', 'Labour isn't working' and the like.
Newzbin and copyright
Twentieth Century Fox Film Corporation and others v British Telecommunications Plc [2011] EWHC 1981 (Ch) looked at section 97A of the Copyright, Designs and Patents Act 1988 which implemented article 8(3) of the Information Society Directive (2001/29/EC). The section provides that the court has power to grant an injunction against an ISP where the ISP has 'actual knowledge of another person using their service to infringe copyright'. Newzbin2 operates as part of the Usenet internet discussion system often used for uploading films/parts of films. Newzbin1 had been closed down and emerged as 'Newzbin2' based in the Seychelles with servers based in Sweden.
Six Hollywood distributors brought a claim against BT, which argued it was a mere passive conduit and not liable. BT lost under section 97A. It was forced to block its users from using Newzbin2.
BBC policy on photograph use
The BBC announced in August that it will use photographs that people have published on social media sites such as Twitter without the copyright owner's permission if this is in the public interest and no restrictions on re-use have been indicated. Users should therefore put a notice of any restriction on use very clearly against photographs.
The interesting legal issue is whether posting a photograph on Twitter gives an implied licence: (a) to allow it to be retweeted (almost certainly); and (b) to allow it to be used elsewhere either for no gain or for commercial purposes (not necessarily; Twitter's terms and conditions simply say: 'We encourage and permit broad re-use of content. The Twitter API exists to enable this.').
Data protection fines
Fines and a confiscation have been imposed for breach of data protection law. Ex-employees of T-Mobile who sold customer data were ordered to pay £73,700 in fines and confiscation costs following a hearing at Chester Crown Court. David Turley and Darren Hames pleaded guilty to offences under section 55 of the Data Protection Act 1998. A chronology about the investigation and how the men were caught is on the Information Commissioner's Office's (ICO) website.
The Proceeds of Crime Act is the legislation which provides for the recovery of the proceeds from crime. This case is the first time the ICO has applied for and been granted use of confiscation orders. Under the Act, a proportion of any money recovered is given to the prosecuting authority to be used in the prevention and detection of crime. The ICO will use its proportion of the money to fund training for its investigation staff.
Misdirected emails
Surrey County Council has been fined £120,000 for breach of the Data Protection Act 1998. The Information Commissioner's Office (ICO) fined the council after it sent sensitive information to incorrect e-mail addresses on three separate occasions. In one of these instances the health and welfare information of 241 people was sent to the wrong recipients in an unencrypted email. The second misdirected email involved the personal data of a number of individuals being mistakenly emailed to more than 100 recipients. The third involved the council's children services department mistakenly sending confidential information about an individual.
Surrey is now the fourth council to be fined for breaching the Data Protection Act since the ICO's powers were extended last April. It is also the body to have received the largest penalty to date. Hertfordshire County Council and Ealing and Hounslow Councils have also received fines. UK information commissioner Christopher Graham said: 'Surrey County Council has paid the price for its failings and this case should act as a warning to others that lax data protection practices will not be tolerated.'
Cookies - one-year grace period
Under new rules in force in May companies must ensure users of their web sites consent to the use of 'cookies' on the site. The Information Commissioner has given businesses 12 months to implement the new cookies law although there is nothing to stop any of them using a similar method of obtaining consent to cookies from website users as the ICO's site uses.
Now the EU has said it will allow industry a year to find a common method of dealing with the issue.
Commissioner Neelie Kroes said: 'I urge all interested parties to come to the standardisation table. And I challenge you to agree a 'do not track' standard by June 2012. The standard must be rich enough for users to know exactly what compliant companies do with their information and for me to be able to say to industry: if you implement this, then I can assume you comply with your legal obligations under the Privacy and Electronic Communications Directive. We need a uniform approach to the law and solutions that reinforce our principles of transparency, fairness and user control. If I don't see a speedy and satisfactory development I will not hesitate to employ all available means to ensure our citizens' right to privacy.'
Only five EU countries, including the UK, met the implementation date.
Separately, the UK Department for Culture, Media and Sport (DCMS), in consultation with the UK Information Commissioner's Office has clarified how the new cookies rules will be implemented (see culture.gov.uk), and the ICO has guidance on the new law and enforcement at ico.gov.uk.
ACS Law
The owner of former solicitors firm ACS Law has been served with a monetary penalty for failing to keep sensitive personal information relating to around 6,000 people secure, the Information Commissioner's Office (ICO) said. Andrew Jonathan Crossley - as data controller of the former law firm - has been served with a monetary penalty of £1,000.
Information commissioner, Christopher Graham, said: 'This case proves that a company's failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress. The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details.
'As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people's circumstances and their ability to pay into account.'
ACS Law - which has now ceased trading - specialised in pursuing alleged copyright infringement cases on behalf of copyright holders from the music, video games and adult film industries. The firm had written to thousands of individuals who were alleged to have broken copyright law.
In related developments, Davenport Lyons lawyers were recently involved in a case before the SRA for sending letters to alleged infringers of copyright although there was no data protection issue in that other case. They were pursued using information obtained from individuals' internet service providers (ISPs). In September 2010, ACS Law's website was subjected to an online attack which caused it to crash. After the attack a file containing emails between ACS Law staff, and some to and from ISPs or members of the public, appeared on a website which allowed anyone who downloaded the file access to around 6,000 people's sensitive personal information. This included individuals' ISP account details, their names and addresses, their IP addresses and information about the content they were alleged to have illegally copied. Some of the emails also included people's credit card details, as well as references to their sex life, health and financial status.
The ICO's investigation found serious flaws in ACS Law's IT security system. The ICO said that Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law's web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.