Update: IT/IP
Susan Singleton considers new laws on 'cookies', proposed fines for major breaches of data protection law, new regulation of online content, keywords in advertisements, and unfair commercial practices
Although there have been no new major statutory developments in intellectual property or IT law in recent months, the area as a whole continues to be one of the most fast-moving legal fields.
At the end of last year, the information commissioner's office published 'The Guide to Data Protection'. The guide is written in plain English (clear English standard logo) and is designed to provide businesses and organisations with practical advice about the Data Protection Act and to dispel myths.
Most of the guide is set out as a series of frequently asked questions. It appears likely that the new information commissioner will take a fairly tough approach to breaches of data protection law, and therefore now is a good time for lawyers and their clients to review and step up their data protection compliance. The guide is available at: www.ico.gov.uk/upload/documents/ library/data_protection/practical_application/the_guid
New 'cookies' law
The European Union has passed its new e-privacy directive which cover 'cookies' and what users of the internet must be told about information gathered regarding them online in the new EU 'Telecoms Package', which provides that cookies may be stored on a computer only if the user 'has given his or her consent, having been provided with clear and comprehensive information'. There is an exception where the cookie is 'strictly necessary' for the provision of a service 'explicitly requested' by the user.
The recitals to the text say: 'Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application.'
Article 5(3) provides that member states must make sure that information is only stored or accessed in the terminal equipment of a subscriber/user with their consent; that subscriber/user having been provided with clear and comprehensive information as to the purpose behind it. Exceptions apply to information stored or accessed 'for the sole purpose of carrying out the transmission of a communication over an electronic communications network', or that which is 'strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service'.
The recital says: 'Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access.
'The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.'
It is possible there will be continued debate over the exact limitations contained in the words above, but it seems that the mention of appropriate settings in a browser is sufficient and that most of those running websites will not fall foul of the new rules once they come into force. However, clarity and certainty and drawing terms to the attention of the buyer will aid any business or website owner in reducing risk of infringement. There is already an obligation to notify users if cookies are used on a website.
New proposed data protection fines
The information commissioner may be given rights to fine up to £500,000 for major breaches of data protection law. The proposals are set out in a consultation: 'Civil Monetary Penalties: Setting the maximum penalty'. The power is already contained in section 144 of the Criminal Justice and Immigration Act 2008. It is likely the new power will be in force in April 2010.
The new fine would apply where:
- There has been a 'serious contravention' of one of the Act's eight principles; and
- it has to have been of a kind likely to cause substantial damage or substantial distress, and either:
- the contravention was deliberate; or
- the data controller knew or ought tohave known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage orsubstantial distress, but failed to take reasonable steps to prevent the contravention.
There has been some controversy over whether these fines are too high. In the past criticism has been made about the low typical level of fines. Although a fine could be imposed for each infringement, a typical fine was often only about £1,000 or £2,000, as the annual reports of the information commissioner show.
As the changes are likely to come into force in April, businesses should consider now if they are non-compliant in any areas. Those who draft contracts for clients ought to check if data protection warranties and indemnities could usefully be added to some contracts. A few of the recent scandals include contracts put out to tender by government where the contractor has then lost the data concerned. This has led to a tightening of contractual provisions.
The consultation period has just ended and copies of the papers are available on the Ministry of Justice's website (www.justice.gov.uk).
ASA to regulate online content
Print advertisers pay a levy of about 0.1 per cent of marketing budgets to fund the ASA regulation of advertising in the UK. From late 2010, the ASA will have jurisdiction over marketing claims on websites. This is likely to include marketing on blogs and social networking sites. Google has helped fund this with some seed capital. The ASA will manage the 'policing' process and Google will have some involvement if one of its advertisers breaks Google's terms.
The full details of the proposals will be published once formally ratified by bodies such as the Advertising Standards Board of Finance (ASBOF) and the Advertising Standards Authority Council.
Keywords and financial products
The Office of Fair Trading and Financial Services Authority have said that rules on advertising control apply not just to the words used in the advertisements, but the words used to trigger them: 'Where the sponsored link is not in line with the search term used and the website returned by the sponsored link does not accurately reflect the expectations created by the search term used, the sponsored link would not be fair, clear and not misleading,' said new guidance which applies only to financial services and products.
The phrase 'independent financial advisers' (sic) produced firms which were not independent. This could give rise to the risk that consumers are misled into dealing with firms which are not independent. The phrase 'guaranteed returns' returned firms whose investment products are linked to the performance of stocks and shares where returns could not in fact be guaranteed. The term 'free advice' included links to firms whose advice was not free.
The regulators told advertisers to take advantage of the facility offered by search engines to exclude certain terms from the search terms they purchase. For example, with Google AdWords an advertiser can sponsor 'financial advisers' and list the term 'independent financial advisers' in its 'Negative Keywords'.
'Firms should give careful consideration to these to help ensure that their sponsored links do not mislead consumers, and work with search engine providers to use these facilities responsibly'¦ Firms should be mindful of this when purchasing '“ or instructing media agencies to purchase '“ search terms on their behalf from search engine providers'¦ They should also have adequate systems and controls in place to ensure they do not buy keywords or terms which result in misleading return results'¦ We would also remind firms not to bid on the names of other firms/competitors if this could result in misleading the consumer or creating an expectation that their firm is the same as the one the consumer has searched on.'
The new guidance is available on the FSA's website (www.fsa.gov.uk).
Unfair commercial practices report
The EU published at the end of 2009 a 62-page report into how the Unfair Commercial Practices Directive is working. In the UK, this was implemented by the Consumer Protection from Unfair Trading Regulations 2008. The new report looks at a number of areas relevant to IT lawyers such as social networking and comparison websites. There is a useful flow chart at the end of the report to help those assessing if a practice is banned. The report is on the consumers' page of the European Commission's website (www.ec.europa.eu/ consumers).