Archive for October, 2009

Halloween (not ®) fun

The UK Intellectual Property Office’s records show four registered trade marks (UK marks or Community marks covering the UK) in respect of the word “Halloween”. Take this link to carry out your own search – enter “Halloween” in the mark text search box. Halloween is the name of a perfume in a purple bottle by Spanish perfumier Jesus Del Posto. It has also been registered (along with a shape logo) for toys and playthings (unspecified) and, most recently, in an only minimally stylised form by a Dutch seed grower. A neat illustration of the trade mark system in action – separate registrations are permitted of the same word, presented with only minor visual differences (if any), for very different categories of goods.

There are nine more registrations for the word “Halloween” together with one or more other words. These registrations tend to cover the things which you would more readily associate with Halloween – “pumpkin carving tools”, “portable safety lights” and “false wands” (as opposed to real wands). This again shows the basic premise of the trade mark as a badge of origin, allowing consumers to distinguish between the goods and services of different suppliers. In law a mark cannot be registered in respect of goods or services if it is devoid of distinctive character or consists only of an indication of the intended purpose or other characteristics of those goods or services. So, whilst “Halloween” on its own could be registered for perfume and related goods, in order to be capable of registration for Halloween related merchandise, it tends to need another word or words to help to provide the necessary distinctiveness. Hence, “Meany Halloweeny” (owned by Mars), “Halloween Express” and “Halloween Works” (amongst others).

This has led me to think about Christmas. From a search of the IPO’s records today there don’t appear to be any UK registered trade marks for the word “Christmas” on its own. But I think I should save that one for nearer the time.

Have a happy Halloween!

Eleanor Peterkin

“I’ll Beer Back”…Bud v. Bud…Round 40

I was amused to see yet another case report on the long running trade mark battle between Budsweiser (US beer) and Budvar (Czech beer).

If I remember correctly Budweiser US is trying to stop Budvar using the “Budweiser” name.  In its defence Budvar claims that “Budweiser” is a geographical description that describes its beer (a bit like the word “Cheddar” in “Cheddar Cheese”), and that Budweiser shouldn’t have a monopoly over that geographical description.

Now I am not going to bore you with the legal ins and outs of the latest case. Rather what is interesting is that these two companies have been going at each other in the UK Courts (and other Courts across Europe) for as long as I have been following IP law (about 15 years). In fact I just looked at Wikipedia and it reports that there has been a battle since 1907!!


Also nice fees for the lawyers.  With that thought in mind if anyone from either of those fine companies is reading this, and wants some IP advice, then give me a call ;-)

This whole case reminds me of a verse from Robert Burns from his poem Scotch Drink:-

When neebors anger at a plea,
An’ just as wud as wud can be,
How easy can the barley-brie
Cement the quarrel!
It’s aye the cheapest Lawyer’s fee
To taste the barrel.

There is a translation into modern English here :  Scotch Drink.



Enterprising applications*

At the recent National Outsourcing Association Awards I was speaking with Clayton Locke, Managing Director (Europe) of IT and outsourcing services company, Virtusa. Virtusa is involved in software development, and one area that it has recently been exploring for its clients is developing enterprise apps for the iPhone and other smart phones.

To date, the majority of apps that have been developed are consumer facing. However, Clayton reckons that there is a market for developing apps that employees of an organisation can use. Given the relatively easy programming platform, it should be fairly straight forward to develop custom apps that can provide employees with an interface to back office systems – whether to view real-time data or to help automate some of the tasks that employees might wish to do on the fly.

Mobile apps already exist for some off-the-shelf enterprise systems. Through its alliance partner programme. Blackberry offers a number of these types of applications which provide mobile connectivity to standard software packages for things like time recording, digital dictation and document management systems.

However, the new SDKs for Blackberry, iPhone and Android should make it easy for individual organisations to develop their own custom apps that reflect the tasks that their employees perform on a day to day basis. One example might be an app for board members which gives real-time access to sales figures. Another example might be an app which allows employees to carry out tasks which would traditionally require a laptop to access and submit data.

The advantages of developing custom apps for the organisation’s chosen smartphone are obvious. Application development costs should be reasonably low. There are low deployment costs as the device is already in the pocket of most members of staff (or can replace their existing mobile device). It can be accessed anytime, any place – no need for a bulky laptop and power supply. Hosting an app on the client, rather than the server, lowers the amount of data traffic without any impact on functionality, as you only need to transfer the live data, not the application itself (cf with “The Future” ten years ago, when thin clients were seen as the way forward). The combination of 2G/3G and wifi connectivity means that a data link is usually always available (and when it’s not, data can be cached locally and then synchronised), and GPS/location based functionality adds another level of functionality. All these things can help improve productivity, efficiency and the service offered to customers. What might app could might you benefit from?

Of course, all this mobile access does give rise to increased risks.

I’ve blogged before about the security (or lack thereof) of personal mobile devices. Providing a direct link to back-end systems giving access to confidential data and (potentially) personal data raises a number of informations security and data protection issues. In particular, organisations developing and deploying such apps will want to ensure that the devices (and the data link) are encrypted, that a VPN is used to protect the link into the back-end systems, and that additional verification is considered when accessing the app itself. Any app that gives access to customer lists or customer information will need to be considered against the organisation’s obligations under the Data Protection Act. This also requires a health-check of the organisation’s internal acceptable use policies to ensure that employees are also doing everything that they should be to avoid unnecessary security risks.

Martin Sloan

*Sorry – no Schwarzenegger puns today.

Windows 7 Launch Day – Hasta La Vista Baby

Microsoft launched Windows 7 today.

Let’s hope its a better user experience than the hated Vista.  It was the Vista  experience, and the constant on-line virus threat for Windows machines, that persuaded me to move my home computers to  Ubuntu Linux a few years ago.   (Yes – I have more than one computer.) 

PC-Pro is giving Win7 some glowing reviews. However, reading the specs I can’t understand why. It doesn’t seem all that different from Vista. In fact it seems like Vista tidied up with a tweaked interface.

Anyway what triggered this blog was that I was using Windows 95 on my mum’s computer two nights ago. Now this was running on a 1996 laptop – your car probably has more raw computing power – but it was still like a flying machine compared to recent Windows releases running on newer hardware. It was even quicker than Ubuntu. 

I realise that Win95 does less, and has a lot of security holes, and is basically DOS with a GUI (graphical user interface), but it did what I needed it to do, and it did it quickly. 

Are subsequent releases of Windows just an example of software bloat, or is part of some Wintel plot to keep hardware sales buoyant? 

Interestingly, last year Microsoft admitted Vista was “bloated” when it demoed a stripped down operating system core dubbed “MinWin“.  This raised hopes that Win7 would be skinny and fast. However, it appears that Win7 does not have that skinny MinWin core

 Time for a reader poll.  My favourite operating system was/is [fill in the blank] because [fill in the blank]. 


Schwarzenegger terminates amendments to California breach notification law

Interesting news from California that Governor Arnold Schwarzenegger has vetoed a proposed amendment to the State’s data security breach notification requirements.

California introduced a requirement to inform its residents if the security of any unencrypted personal information about them had been compromised as far back as 2003. For those who are interested, the obligations can be found in California’s Civil Code – see section 1798.82.

A number of other States followed suit, but have since gone on to elaborate further on their respective notification requirements. The vetoed Bill would have done the same for California law, adding requirements to provide individuals affected with specific details about any breach, such as the types of personal information affected, the date or range of dates (actual or estimated) when the breach is believed to have occurred and a general description of the breach incident. Significantly, it would also have required that any single breach affecting more than 500 Californian residents be notified to the State Attorney General.

In declining to sign the Bill the Governor cited the absence of evidence that the additional requirements would benefit consumers. In particular, he made the apparently sensible point that a requirement to tell the Attorney General’s Office about breaches affecting a lot of people doesn’t really serve much purpose if the Attorney General doesn’t have any corresponding obligations to do anything in response.

On the face of it Schwarzenegger’s approach, although apparently a surprise to those backing the Bill, looks reasonable. Why impose more detailed rules around breach notification if it doesn’t help the individuals affected? Looking at this in practical terms, would a list of all of the things listed in the Bill – exactly what happened, how and when – help the individuals affected to take steps to protect themselves against misuse of their data in all or even most of the cases in which notification is required? And even if it potentially did, how many of those people would actually proactively use that additional information for those purposes in any given case? There is surely a danger that with more detail comes an increasing adminstrative burden (and cost) and that that cost quickly becomes out of proportion to any benefit which the additional information brings.

In the UK at present there is no breach notification  requirement. Guidance from the UK Information Commissioner’s Office states that, as a matter of good practice, data controllers should inform the ICO of any serious data security incident, with what is serious being determined by reference to the nature and extent of the personal data affected. The primary consideration according to the guidance is the likely extent of potential harm to the individuals whose data has been compromised. Separate guidance suggests broadly the same appproach to informing the individuals affected, stressing that notifying them should have a clear purpose, such as allowing them to take steps to prevent or mitigate the effects of any unauthorised use of their data.  Shades of Schwarzenegger’s reasoning on the Bill then.

To me, the UK’s current approach builds in the flexibility and proportionality which is essential if breach notification is to be a worthwhile exercise for everyone concerned. The danger, if the UK moved at any point to make notification mandatory, is that data controllers would be likely to “overnotify”. In other words, even if the obligation was drafted to reflect the ICO’s guidance – only tell people about serious incidents and where it will help them to protect themselves – data controllers would naturally tend to tell people about every incident, removing the need to take difficult decisions about what exactly the law required of them and avoiding any risk of compliance failure. That in turn, in my view, could lead to notification “fatigue”, with individuals becoming gradually less interested in (and therefore likely to do anything with) the information sent to them.

There are of course other views on this and I would be interested to hear what any of you think. The US are obviously quite keen on their breach notification requirements, albeit that Schwarzenegger has, for now at least, halted the legislative march in California. The issue though will undoutedly be back.

Eleanor Peterkin

Global harmonisation of data storage rules

On the train* and I’ve just read this story on the BBC website, which reports on calls from Microsoft for data storage rules to be harmonised across the world.

Microsoft’s argument is that operators of worldwide online services such as email and social networking sites tend, for obvious economic reasons, to cluster their data in a couple of data centres around the world and, for operational reasons, will often tend to want to bounce data from one data centre to another, regardless of where the end user is.

However, the rules that apply to data storage and retention vary from country to country – both at the customer/user level (eg data protection legislation) and the wider corporate/regulatory level (eg accounting and audit rules). In other words, the laws in some countries are stricter than others, and all that different red tape makes things more complicated for operators of snazzy Web 2.0 services.

Facebook’s recent experiences in Canada also show that even a single country can sometimes demand that global service providers follow that country’s rules.

So what is the answer? I suspect that the European Commission’s view is that the rest of the world should step up to the data protection and privacy rules that apply in Europe. Indeed, the effect of EU data protection legislation is such that those offering a service to consumers in Europe already have to do that if they wish to store data outside the EEA. Certainly, I can’t see the EU accepting a lower global standard than that set out in the Data Protection Directive.

For that reason, I’m not sure that globally harmonised data retention and privacy rules are achievable – at least in the short term. But pehaps the lobbying might of Microsft, IBM, Yahoo! et al will prove me wrong.

Martin Sloan

*typing this on my iPod Touch using Safari and the courtesy wifi. As a proof of concept it works (even inserting the links), but it’s a bit fiddly to do regularly. Next time I’ll try the WordPress app.

Online defamation – changes afoot in UK law?

In August John McGonagle wrote about the case of an Edinburgh based property developer who won a defamation case in the English High Court against the publishers of Dubai newspaper “Gulf News”.  See “Why not Dubai?” for a reminder.

The (allegedly) defamed are keen to try to sue in the UK it would seem and the UK courts are equally cooperative in finding that they have jurisdiction. However, if changes contemplated by the UK Government become law, the UK could start to look like a less attractive forum for defamation proceedings.

Last month the Government issued a consultation paper on defamation and the internet, seeking views on how the law might be changed, including by replacing the UK’s “multiple publication rule” with a “single publication rule”, as in the US.

In the UK at present, each publication of defamatory material gives rise to a separate cause of action. The limitation period therefore recommences with each publication. Applied to content disseminated by the internet, this means that a new cause of action, with its own limitation period (of one year under English law and three years under Scots law), arises on each occasion that someone accesses that content online.

The US, in contrast, has abandoned the multiple publication rule in favour of a single publication model. This means a single cause of action triggered by initial publication of the defamatory content. In other words then the window of liability for any defamation constituted by the dissemination of that content is much more restricted.

Clearly, the UK’s continued application of the multiple publication rule does give rise to some interesting issues as to the balance which the law of defamation should strike between freedom of expression and the rights of the individual. After all, the rule was established in 1849 when the Duke of Brunswick successfully sued the publisher of the Weekly Dispatch for defamation (more specifically “fasely, wickedly and maliciously printing and publishing” allegations of “acts of oppression and outrage” on the part of the Duke), founding his action on the purchase of a back copy of an edition of the newspaper originally published in 1830. The world of publishing has changed a lot since then.

The Government’s consultation exercise runs until 16 December. The consultation paper is worthwhile reading for anyone interested in the policy considerations which influence the law of defamation, and obviously of particular practical significance to publishers of online archives.

Martin English (trainee solicitor) and Eleanor Peterkin

And the winner is…

…us (or at least Andrew).

Brodies’ Head of Outsourcing Andrew Rigby has been named joint winner of the Outsourcing Professional of the Year title at the National Outsourcing Association’s Annual Awards 2009 in London, alongside Peter Coates of NHS Shared Business Services. Brodies was the only Scottish law firm short-listed for an award.

The NOA Awards celebrate the achievements in the outsourcing industry of suppliers, users and advisors, from small companies to major corporates and institutions, recognising best practice and innovation nationwide.

Since Spring 2008 Andrew Rigby has been instrumental in developing the Outsourcing Hub Initiative in Scotland – he is currently in India as part of the Scottish Council for Development and Industry’s trade visit, led by the Scottish Government’s External Affairs Minister, Michael Russell.


A European Disability Act for the Web?

Deep down in a recent white paper launch by European Commissioner for Information Society and Media, Viviane Reding, the Commissioner gave an indication of the Commission’s plans in respect of the accessibility of websites.

In the UK, the main legislation in this area is the Disability Discrimination Act 1995 (as amended) (DDA). In summary, the DDA places a general obligation on organisations not to discriminate when providing services. The DDA doesn’t specifically mention websites, but then the Web was barely a twinkle in Tim Berners-Lee’s eye when the bill that became the DDA was being discussed by parliament. That said, the flexible, principles-based approach of the DDA has proved relatively successful and adaptable, and there is a reasonably common consensus that the DDA imposes a general duty on the operators of websites to make those websites accessible to people with disabilities. For a deeper discussion on web accessibility and the DDA, see this paper.

To date, European-derived law has been limited, and its impact in the UK even more so. Yes, there are some European rules on equal treatment, but the main impact on accessibility has been on public procurement. Here, the current (EU-wide) rules governing procurement by public sector organisations require the procuring organisation to specify its requirements in relation to accessibility and design-for-all when developing its technical specification. See this legal update for more on that. However, the Commission has not yet flexed its muscles in relation to the private sector.

So what of the latest announcement? Well, we’ve seen this before. Back in 2006 the Commission announced European-wide accessibility rules but in the small print it became clear that the “rules” were in fact an action plan, and that its scope related only to the public sector (see previous paragraph).

This time, however, there is talk of encouraging all member states to embrace and endorse version 2.0 of the W3C‘s web content accessibility guidelines (WCAG) – a set of technical standards developed by technical experts. From a UK point of view, this is unlikely to lead to a seismic change – the British Standards Institute’s PAS 78 and the draft British Standard for web accessibility (BS 8878) both make reference to the WCAG, and I would expect a court to look to these documents when determining appropriate practice (particularly given that their development was sponsored by the Disability Rights Commission and its successor, the Commission for Equality and Human Rights). So far so good, then.

However, the most interesting part of the speech was how Commissioner Reding thought that the WCAG should be embraced by member states:

“I believe the way we should do this is to develop together with stakeholders a European Disability Act.”

Quite what form a “European Disability Act” will take remains to be seen. Will it once again apply only to the public sector or will it also apply to private sector organisations? What else will it say? Will it undermine the principles-based approach of the DDA?

One must assume that this will be implemented by way of a new Directive or Regulations. That being the case, I hope that those new rules are carefully drafted. One of the great benefits of the DDA is that (unlike equivalent, overly prescriptive, legislation in the US), its generic and flexible nature means that it can be easily adapted to changing technology. Hardcoding the WCAG 2.0 and other Web-specific rules into European law might be good on one level (in that it will force the introduction of some form of web accessibility requirement under national law), but I fear that further down the line this will cause service providers and courts to tie themselves in knots as they try to interpret and apply law that, quite frankly, can’t keep up with evolving technology.

Martin Sloan

The X (Ray) Factor

My girlfriend Wendy called me yesterday with some dramatic news.  I was all set to agree that it was disgraceful that Cheryl Cole was going to get to mime on the X Factor this weekend, absolutely disgraceful – when she interrupted me.  “No, it’s a legal thing!  Human Rights?  Manchester Airport have launched a trial where passengers will be security checked using “imaging technology”!  What that means is that security staff are going to get to see everybody naked!”

This, ladies and gentlemen, is what happens when your girlfriend gets hooked on the Daily Mail Showbiz website. It’s one small step from X Factor to the breaking technology stories of the day. And this particular story looks as if it has some way to run.

“Imaging technology” is effectively “body scanning” (but presumably openly referring to it as “body scanning” would freak passengers out too much).  The process works by bouncing x-rays off an individual’s skin to produce an outline image of their body in order to detect concealed and potentially dangerous objects.  There is no need for the passenger to remove their coat, jacket, shoes or belt.

The images are transmitted to a standalone computer and reviewed by a security officer who has no visual or verbal contact with the area where the imaging is taking place.  The security officer viewing the image electronically confirms if the passenger can proceed or whether a search is required.

According to Manchester Airport’s Head of Customer Experience, Sarah Barrett: “Imaging technology offers a potential alternative but we know that some people see it as controversial. That’s why we’re running a trial. We’re being completely open about how imaging technology works so that passengers can tell us whether it is an acceptable alternative.  The process is entirely anonymous. We can assure the public that contrary to popular misconception, imaging technology does not allow security staff to see passengers naked. The image produced is a black and white, ghost-like outline of an individual’s body without any distinguishing features such as hair or facial features, making it impossible to recognise people but simple to detect concealed threats.”

Besides obvious concerns about exposure to radiation (apparently the Health Protection Agency has confirmed that the amounts of radiation involved are tiny and perfectly safe), I’m not convinced that the technology will only produce “ghost-like outlines”.  The example which has been published is pretty clear.  (Bear in mind too that the BBC has applied some judicious “blurring” to the images shown.) 

If you’re getting a flight from Manchester Airport any time soon you’ll be pleased to hear that the trial is currently being run on an “opt-in” basis. 

Nevertheless it might not be long before all UK Airports start using this technology, and on a permanent basis.  After all, it’s already being rolled out in the US.  Will you have any right to refuse to participate? 

A lot may depend on the extent to which an individual can be said to be identifiable from the body scan which is taken.  As already discussed there is debate as to the quality of these images.  Comparisons can perhaps be drawn with recent case law regarding privacy and photographs of individuals, where photographs of individuals have been ruled unlawful because they have engaged the right to privacy under Article 8(1) of the European Convention on Human Rights (see for example Wood v Commissioner of Police for the Metropolis or, for a brief summary, our legal update on this case).

A body scan could also (potentially, depending on exactly what information (if any) the operating authority records) constitute “personal data” under the Data Protection Act 1998, meaning that any kind of enforced participation in the scanning would infringe the Data Protection Act if it wasn’t capable of justification on any of the grounds set out in that legislation.   There is also the related issue (both under data protection legislation and in wider privacy terms) of controlling the use of and access to the images and any related information. The privacy safeguards currently in place under the trial are unclear.  It’s claimed that the images cannot be stored or captured on the standalone computer to which they’re transmitted, but is this being independently verified?

I think there are a lot of questions to be answered about this technology and its privacy implications.  The trial will run for at least 12 months and I will watch the developments with interest.

John McGonagle

Twitter: @BrodiesTechBlog feed

October 2009
« Sep   Nov »

%d bloggers like this: