Archive for May, 2012

Techblogger article on smartphone patent wars in Computers and Law Magazine

Prior to acquiring my Apple iPaytoomuch*, I experimented with various unsatisfactory mobile phone handsets, each of which was saddled with a shoddy touch screen. I won’t name and shame the devices, but let’s just say the worst of the bunch was (un)affectionately referred to as the Shamdung, in tribute to its general level of unreliability.

This touch screen torment has given me a keen interest in smartphone technology.  In the glaring absence of any straightforward guides to the smartphone patent wars, I have written one myself, and you can read it at the Computers and Law magazine website.

*traditional Techblog joke

Techblogger seminar on cookies law and usability

So, in advance of the expiry tomorrow of the ICO’s one year grace period for complying with the new cookies law, you’ve carried out your website audit and privacy impact assessment, identified the most appropriate way to obtain consent from users, and have implemented (or are in the process of implementing) the necessary changes to your website.*

But did you think about usability and accessibility when developing your solution? Will it work on a mobile device? What about different browsers? How does it impact upon the customer journey? Might it put people off using your website? Will a visually impaired user be able to use it? Might your solution unwittingly have put you in breach of your obligations under the Equality Act?

To help answer some of these questions, or at least set the background to facilitate a discussion amongst those that might have the answers, I’ve been invited by the Scottish chapter of the Usability Professionals Association to host a seminar on the new cookies law. For those of you that attended the User Vision seminars earlier this month, this seminar will provide a similar overview of the law, but will also look at the obligations of service providers under the Equality Act, and then go on to look at some of the solutions being adopted from a usability perspective, and question whether there is a better way of doing things.

Event details
The event takes place on Tuesday 12 June.

To find out more information and to register, follow this link to the SUPA website. The event is open to non-members as well as members, so if you are interested in learning about the usability issues, or want to share a cookies solution that you think ticks the usability boxes, do come along.

Hope to see you there!

*If you’ve yet to start then I’d recommend reading our quick guide (PDF) to compliance with the new cookies law and our cookies law resources page.

Whose terms win? Key considerations when faced with a “battle of the forms”

A recent Scottish case, Specialist Insulation Limited v Pro-Duct (Fife) Limited, considered the age old problem of the “battle of the forms” and provided some useful guidance on the deemed acceptance of standard conditions of purchase/supply. 

Last shot approach
Where both parties to a contract attempt to incorporate their own standard terms and conditions into an agreement then there is bound to be an issue in determining which terms prevail. This is rather grandly referred to by law lecturers (and therefore lawyers) as the “battle of the forms.”

Traditionally, this has been approached using the general principles of offer and acceptance: one party gives the other its standard terms and if the other party, instead of accepting those terms, puts forward its own terms (a counter-offer), then those new terms replace the previous terms and require acceptance before the contract is formed. A battle of the forms ensues, and so it continues… Essentially, the winner is whoever gets their set of terms on the table last or, to follow the battle analogy, whoever fires the last shot.

Objective approach
In a 2009 (English) Court of Appeal case, Tekdata, this traditional “last shot” approach was questioned. The judge in Tekdata stated that in reality it was not possible to apply a general rule to the battle of the forms, suggesting instead that the objective intentions of the parties should be taken into account.

Approach in the Pro-Duct case
In the Pro-Duct case the Court of Session followed Tekdata’s holistic approach and the circumstances of the case as a whole were considered.

The key points in this case were:

  • the Supplier’s quotation expressly incorporated its own standard terms, but the Purchaser’s Purchase Order did not;
  • the Supplier’s standard terms stated that any terms of the Purchaser would not apply, unless the Supplier agreed to those terms in writing – he did not;
  • the Purchaser’s standard terms provided for acceptance by the Supplier by signing the form and returning it to the Purchaser – the terms weren’t signed or returned by the Supplier.

Findings

Generally an agreement can be deemed to have been accepted by performance. In this case the last terms on the table were the Purchaser’s, and the Supplier had started to supply the goods under the agreement.

However, perhaps surprisingly, the Court found that this didn’t necessarily mean that the Purchaser’s terms applied. Instead, the Court concentrated on the fact that the Purchaser had accepted the goods without having received a copy of its own terms signed by the Supplier, finding that the Purchaser must have accepted the goods on the Supplier’s terms.

This case serves as a good reminder as to some boilerplate provisions that should appear in your company’s standard terms and conditions of supply / purchase to deal with the battle of the forms, in particular to deal with acceptance of “other” terms. Businesses may also wish to take this opportunity to consider whether any formal requirements under their contracts (for example, the return of a counter-signed set of terms and conditions) are actually being adhered to in practice.

After all, a written contract which doesn’t reflect what the parties actually do in practice is almost as bad as no written contract at all.

Leigh Kirkpatrick

First appeal against a fine issued by the ICO for breach of the Data Protection Act?

The ICO today announced another fine for a breach of the Data Protection Act, followed almost immediately by a statement from the recipient that it intends to appeal the decision.

According to the BBC, Central London Community Healthcare NHS Trust is going to appeal the £90,000 fine issued to it following the same personal information being faxed to a member of the public 45 times over a three month period.

As far as I am aware, this would be the first time that a data controller has appealed a fine issued by the ICO. (In January, we blogged about an NHS Trust in Brighton announcing that it was challenging a proposed fine, but this was a challenge to the ICO’s Notice of Intention to Fine, as opposed to a challenge to the fine subsequently issued)

The background
In this case, an administrator within the Trust’s Palliative Care Unit regularly faxed inpatient information to a hospice to assist with the provision of out of hours care. The fax contained information on the patients, including their medical diagnosis, domestic situation and resuscitation instructions. A fax protocol was in place to cover the faxing of the information, under which a template fax coversheet was used and the administrator called the hospice to confirm that the fax had been received.

Following a verbal request from the hospice, the administrator also copied the fax to a second number. Unfortunately, the second number used was incorrect. Whilst the administrator continued to phone for confirmation of receipt (and received such confirmation from the person he phoned), the protocol was not robust enough to ensure that confirmation was sought in relation to both faxes. Further, the administrator failed to update the template cover sheet with the second number, or obtain approval from his line manager to the addition of a new number.

The issue came to light only when a member of the public phoned to say that he had been receiving the list by fax for three months.

The administrator had not received training in relation to variations to the protocol. It was also clear from the breach that arose that the protocol was inadequate, and that the Trust had failed to consider an alternative (more secure) means of sending the data.

In short, the Trust failed to put in place adequate technical and organisational measures to prevent the unauthorised access or disclosure of data (the seventh principle).

What chance of success if the appeal goes ahead?
As I noted in my blog last week, the ICO will look at the sensitivity of the information involved and the consequences of unauthorised loss or access when determining what measures are appropriate. The greater the potential damage or distress, the more the ICO expects organisations to do to protect that information.

This is not a frolic of the ICO’s; it is set out in the Act (Para 9 of Part II of Schedule 1, to be precise).

In this case, it’s clear that there were organisational failings, as the protocol put in place failed to deal with a fairly obvious potential data breach (sending data to the wrong fax number/email address). The Trust was clearly aware of the risks (it had a fax protocol in place), but it was either deficient, or the training of its staff was deficient.

The fine issued by the ICO is consistent with a number of other fines issued to date, and is towards the lower end of the scale for such breaches (and well within the £500,000 maximum). In the circumstances, it’s not clear on what basis the Trust will appeal – the fact that the fine was issued, or the level of the fine itself.

As I say, if the Trust goes ahead with its intention to appeal, then this will be the first time that the ICO’s fines have been subjected to external judicial scrutiny. It will also provide some insight into how the ICO calculates the value of its fines. It will be interesting to see whether the Tribunal endorses the ICO’s approach to date.

ICO issues another fine under the DPA following sensitive data loss by a local authority

The Information Commissioner’s Office (ICO) has announced this morning that it has issued another monetary penalty under the Data Protection Act.

Background
Once again, the recipient is a local authority, and once again the penalty has been imposed following the loss of sensitive personal data (in this case relating to the sexual abuse of children). A social work service manager took home a laptop bag containing printed papers and an encrypted laptop. The manager’s house was burgled and the laptop bag (including the papers) stolen.

In this case, it appears that there was no alternative to the manager taking the papers home and the work could not have been carried out using secure electronic means. Whilst the local authority had an information security policy in place, the policy did not address the risks identified by this breach. In particular, the local authority did not have a paper handling policy in place at the time of the incident. This is despite the local authority having signed an undertaking with the ICO following an incident 10 months earlier.

The ICO issued a fine of £70,000.

Appropriate measures
Whilst the burglary might be “bad luck”, the ICO pointed to the obligations on data controllers to put in place appropriate technical and organisational means to protect personal data.

In determining what is “appropriate” the data controller must ensure a level of security that is appropriate to the harm that might result from unauthorised disclosure and the nature of the data to be protected.

In other words, the more sensitive the data (and the more harm and distress that might arise in the event of its loss or unauthorised disclosure), the more the ICO expects data controllers to do to guard against such loss or unauthorised access.

A data controller might not be able to stop a burglary taking place, but it can take steps to reduce the likelihood of it occurring, and minimise the fallout.

These themes were covered in a recent talk I gave at a conference on data handling in health and social care, and I will be blogging again in the next few days to pull together some key principles that organisations can take from the pattern of fines issued by the ICO to date.

Watch this space.

Techblogger quoted in article on new cookies law

I am quoted in an article on the new cookies regulations in this month’s edition of B2B Marketing magazine.

B2B Marketing is a magazine for business marketers, and the article looks at some of the practical issues around implementing the necessary changes required to comply with the new regulations.

As I note in my comments, even at this late stage there is a lack of clarity on exactly what the Information Commissioner’s Office (ICO) is expecting organisations to do to achieve compliance. Interestingly, the ICO now appears to be briefing against its official guidance in media interviews, commenting that enforcement is not a priority and that things frowned upon under the guidance are unlikely to lead to enforcement action. It’s a shame that this informal briefing hasn’t been reflected in clarifications to the formal guidance.

Email campaign tracking
One last point.

I see that one of the other interviewees in the B2B Marketing article states that the new rules don’t apply to web beacons used for tracking the success of email campaigns. Whilst the ICO may not have focussed on this issue in its guidance, I don’t think that you can definitively conclude this from either the original directive or the UK regulations.

As I have noted previously, whilst the law is often referred to as the “cookies law”, the law makes no specific reference to cookies – instead, the regulations simply talk about “information stored [on the user’s] terminal equipment.”

In practice, this means any software or code on a user’s device that can be used to track or identify that user, regardless of whether that is through a web browser or an email client. This will include mobile apps and could include open tracking in emails, depending on how the tracking is carried out.

The DMA is, understandably, lobbying the ICO to issue guidance that the new regulations do not apply to email tracking. However, the DMA is at the same time also advocating that, as a matter of good practice, marketers are up front with their users about the use of email tracking.

This is consistent with data protection principles generally, and the reasons that the European Commission introduced changes to the previous cookie law. Organisations may therefore wish to think carefully before deciding not to review how they inform users about their use of email tracking.

Beware of the link? English High Court raises possibility of liability for linking to defamatory material

A recent English High Court decision in McGrath and another v Dawkins and others [2012] EWHC B3 (QB) (you can read the decision here) has indicated that a person who links to a webpage containing defamatory material could themselves be liable for defamation. The case is particular to its facts but it serves as a reminder of the need to be cautious when linking to material online and to be aware of what the link actually contains.

The facts

The action was raised by Mr McGrath on behalf of himself and his company MCG.  They sued Professor Richard Dawkins, The Richard Dawkins Foundation, the online retailer Amazon and Mr Jones for comments made by Mr Jones on various online fora, relating to Mr McGrath’s book “The Attempted Murder of God: Hidden Science You Really Need To Know”.   It is fair to say that the ‘religion versus science’ debate got very heated and the exchange of comments became very personal.

The case against Amazon

In respect of the case against Amazon, the judge, HHJ Moloney QC, found that as Mr McGrath had not used Amazon’s standard online complaint system to notify it of the alleged defamatory material, Amazon could not be deemed to have actual knowledge of the comments in terms of Regulation 19 of the E-Commerce Regulations 2002. Therefore the claim against Amazon was struck out.

Liability for linking?

However, what emerged as one of the main issues in the case was whether The Richard Dawkins Foundation was liable for providing a link to the alleged defamatory comments which were posted on the website www.richarddawkins.net.  That website was operated by a separate US company which was not a party to the action.  However, The Richard Dawkins Foundation operated the website www.richarddawkinsfoundation.org in the UK and it provided a link to the comments on the .net website.  HHJ Moloney QC held that “the two websites are very closely associated [and] the link is hidden”.  In addition, he found that when a party clicked on the “Home” button of the .org site, it resolved to the index of the forum on the .net site without the user being given any indication that he was being directed away from the original website.

Ultimately it was a matter of fact whether the .org website could be responsible and liable for content on the .net website.  However, the judge said that he was not prepared at this early stage in proceedings to strike out Mr McGrath’s claim until further evidence is heard. 

Comment 

Whilst this case is very ‘fact specific’ and no decision has yet been made, it is a sobering reminder to be wary of linking to the content of third parties on the internet.  This case is particularly relevant against the background of Attorney General Dominic Grieve’s comments today that social media users should be more aware of how easy it is to break the law by posting comments online.

Mark Cruickshank

Andrew McConnell in Brodies’ Employment Law team has an article in this week’s Times Educational Supplement Scotland on the dangers of the “misuse” of social media by teachers. Many of the issues he discusses are equally applicable to other employees in positions of responsibility. Follow the link above to find out more.

Brodies Employment Blog

My article in the Times Educational Supplement Scotland warns teachers of the dangers of the “misuse” of social media sites. Increasingly, tribunals are finding that dismissals connected to an employee’s social media “misuse” are fair – even where the individual has set their privacy settings so that only friends can view their posts.

http://www.tes.co.uk/article.aspx?storycode=6220016


The Patent Box – what is it and how does it work?

This blog post was published earlier today as an e-update to our email subscribers. To receive e-updates from Brodies’ Technology, Information and Outsourcing Group please register your details or contact your usual TIO Group contact.

GlaxoSmithKline recently announced that it is to invest more than £500m in the UK’s research and development sector, creating 1,000 jobs. The Patent Box, which the Government had been consulting on since November 2010, was cited as a key influence in making this investment in Britain rather than elsewhere.

The Patent Box was formally announced in the recent Budget as an initiative that would encourage innovation and growth. It seems to have done so, making the UK an appealing and dynamic location for organisations that derive income from patents, particularly in the technology, manufacturing and R&D sectors.

What is the Patent Box?
The Patent Box is a form of tax relief that means that organisations will be able to elect to pay UK corporation tax at a reduced rate of 10% on profits attributable to qualifying patents.

The relief will also apply to certain lesser-known intellectual property rights, namely plant variety and data exclusivity rights. The latter is an intellectual property right relied upon in the pharmaceutical industry to protect drugs in their infancy while awaiting regulatory approval.

This reduced rate will be phased in over a five year period from April 2013.

What is a ‘qualifying’ patent?
In essence, a qualifying patent is one that has been granted either by the UK Intellectual Property Office (IPO) or by the European Patent Office. However, it is the Government’s intention to extend the Patent Box regime to patents granted by other EU Member States which have similar examination and patentability criteria as the UK. The list of qualifying jurisdictions is still to be confirmed.

While certain concessions have been made to accommodate group structures, in order for an organisation to claim the relief it must either hold the qualifying patent or have an exclusive licence to use the qualifying patent within a particular territory – sole licences will not qualify. It is worth clarifying here the distinction in the UK between an exclusive licence and a sole licence: if your organisation grants a licence to another party to use one of your patents on an ‘exclusive’ basis, but your organisation retains the right to use that patent itself, then this will actually be a sole licence.

As well as holding qualifying IP (or having an exclusive licence to use it) companies claiming the relief must also meet certain development conditions. The company seeking the relief must either be:

  • creating or making a significant contribution towards the creation of the patented innovation; or
  • further developing the patented invention or developing a product that incorporates the patent.

Which profits are attributable to a patent?
Assessing ‘profits that are attributable to a patent’ involves the application of a formula, which I shall leave accountants and tax advisors to comment on… Side stepping that, the definition of attributable profits is encouragingly wide and will apply to worldwide income generated from the qualifying right in the patent. Of course, the relief is a reduced rate of 10% UK corporation tax on worldwide income, and other taxes in other countries may be applicable.

The UK relief will cover a broad range of income streams. It will apply, as may be expected, to royalties, licence fees and income from infringement proceedings, but it will also encompass income from sales of patented products and, notably, will extend to the sale of products that incorporate patented technologies. This will be a very appealing aspect of the UK Patent Box, particularly to companies within the manufacturing sector.

If you’d like to find out more about how the Patent Box might help your business, then please contact Grant Campbell or Will McIntosh.

Leigh Kirkpatrick

Techblogger seminar on the new cookies law

I’m taking part in a breakfast seminar next week, hosted by Edinburgh based usability consultants User Vision, on the new cookies law.

I’m sharing a platform with Andrew Hood, managing director of web analytics company Lynchpin Analytics, and our host, Chris Rourke, managing director of User Vision.

The seminar is proving so popular that we’ve decided to run it again the following week on Tuesday 15 May. If you’d like to come along then follow this link to book. The seminar is free, and will look at the legal, technical and usability issues arising out of the new laws.

The first seminar sold out in less than three hours (so quickly that I didn’t even get a chance to plug it on this blog), so if you are interested then you’d better sign up quickly!

