Archive for October, 2012

Amazon and Kindle library story highlights limited rights over digital media library

Yesterday the media picked up on the story of “Linn”, who was notified by Amazon that her account had been closed because it had been associated by Amazon with another account that had been closed for abuse of Amazon’s polices. Amazon has apparently refused to provide any further information, simply referring Linn to its terms of use, which provide Amazon with fairly wide rights to suspend accounts.

“Plenty more online bookstores out there. What’s Amazon’s loss is iTunes’ gain” you might say. Well, yes. But Linn has a Kindle, and the effect of her account being terminated is that she was unable to access any Kindle e-books previously “purchased” using the account (contrary to reports, her Kindle was not wiped, but as her old Kindle is broken she has been unable to download the books in her library onto a replacement Kindle).

Unfortunately for Amazon, Linn is the friend of a Norwegian tech journalist called Martin Bekkelund, and the story was covered by a wide range of high profile media outlets such as the Guardian, Yahoo!, Computing (and now BrodiesTechBlog). A link to the original story on Martin Bekkelund’s blog was also retweeted to 300,000 odd people by the broadcaster and columnist Catlin Moran.

Ownership vs a right to use
Whilst this has turned into a bit of a PR disaster for Amazon (and once again shows the power of Twitter to run with a story and influence popular opinion), it also provides a timely reminder of the difference in rights to the purchase of traditional media such as paper books and CDs and digital media.

John has blogged about this before. As the Amazon terms of use document notes:

Kindle content is licensed, not sold”. Should you attempt to break the DRM security block or transfer your purchase to another device, Amazon may legally “revoke your access to the Kindle Store and the Kindle Content without refund of any fees

and…

Your rights under this Agreement will automatically terminate if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Kindle Store and the Kindle Content, and Amazon may immediately revoke your access to the Kindle Store and the Kindle Content without refund of any fees.

In other words, if you misuse your content (or your wider Amazon account), Amazon can take it off you.

Whilst Amazon has now apparently restored Linn’s account at the time of writing Amazon has still not explained what Linn is alleged to have done wrong, or why her account was suspended (this, to my mind, is the more concerning bit of the story, given the impact of the suspension – if I were Linn then I would submit a subject access request to Amazon EU SARL (Amazon’s Luxembourish trading company for its European operations, and the data controller in respect of Amazon.co.uk).

Either way, those creating in valuable digital libraries that are subject to DRM controls should pay careful attention to their compliance with terms of use.

Court of Appeal confirms Apple must publish non-infringement decision

We have blogged a couple of times in the last few months on the Samsung v Apple case in England in which Samsung obtained a Court order that its Galaxy tablets 10.1, 8.9 and 7.7  did not infringe Apple’s registered design for the i-Pad.  Most recently, I wrote about the order which Samsung obtained from the High Court which forced Apple to publicise the decision of non-infringement on its website and in the press.  As I mentioned at the end of that blog, Apple appealed this decision and as a result the order to publish was suspended pending the Court of Appeal’s ruling.

The Court of Appeal has now issued its decision in this case (a copy of the decision can be found here).  Essentially it upheld the High Court’s ruling of non-infringement and importantly it also upheld the order, albeit in refined terms, on which Apple had to publicise the decision.  The Court of Appeal considered the publication issue afresh because there was a considerable amount of new material which had come to light since the original decision had been issued and whilst it reached the same conclusion it did so on different grounds. 

Subsequent to the initial High Court decision of non-infringement, which applied throughout Europe, Apple applied to a German court and obtained an order which prevented Samsung selling its Galaxy Tab 7.7, also effective throughout Europe.  The Court of Appeal said that this caused confusion in the market place and customers were left uncertain whether or not they were purchasing an infringing product, and if they did, whether it would be supported.  Interestingly, the Court of Appeal said that given the massive publicity of the High Court’s original finding (in which the headline that Samsung’s products were ‘not as cool’ as the Apple ones was seized upon by the media) it would not have granted the order for publication had it not been for the confusion caused by the German court’s decision.  This was what made it necessary.  The Court did however vary the terms of the High Court’s order and said that it would be sufficient for Apple to publish on its UK website a link entitled “Samsung/Apple UK judgment”, which led to a short notice summarising the High Court’s decision, for a period of one month.  It also required Apple to advertise the decision in the press, including the Guardian and the Financial Times, in a font size of not less than Arial 14 and on a page before page 6 of those publications.

No such publication has yet been made by Apple and so the question now remains whether it will further appeal and seek suspension of the Court of Appeal’s decision to the Supreme Court.  We will continue to monitor this case for further developments with eager anticipation!

 

Mark Cruickshank

OFT finds that websites are continuing to fall short on consumer protection laws

The Office of Fair Trading (OFT) has recently published the results of its annual survey of over 150 websites to check whether or not they complied with consumer protection law.

The survey, which included the 100 top online retailers and most popular clothing sites, had some interesting results.

Key areas of non-compliance
Amongst the areas of concern, the OFT noted the following:

  • 33% of sites that provided information on returns placed unreasonable restrictions on consumers. For example, by only accepting returns in their original packaging.
  • The law – under the Consumer Protection (Distance Selling) Regulations (which apply to most contracts “concluded at distance – for example, over the Web or by phone/mail order) consumers have the right to inspect the goods that they have purchased and have a seven working day ‘cooling off period’ in which they can return the goods, though there are some exceptions to this, such as where the goods are perishable or customised. If goods need to be returned in their original packaging, un-opened, then it is difficult for consumers to inspect the goods to check if they are fit for purpose. It’s also important that the return period runs from the correct date, and isn’t subject to other unreasonable conditions. 

  • 62% of sites had no email contact address.
  • The law – the E-Commerce Regulations set out certain information that websites should contain, such as the registered or principal office of the organisation, its VAT number, if UK VAT registered, and a contact email address.

  • 24% of websites notified consumers of unexpected additional charges at checkout.
  • The law – The reach of the Advertising Standards Agency (ASA)’s remit now extends to advertising and promotions on an organisation’s own website. One of the main consequences of this is that pricing information should comply with the ASA’s CAP code – in particular, pricing should be transparent and not misleading. Websites should display total prices payable – if you can’t opt out of a charge then it’s not additional. Similarly, if most of the customers of a website pay VAT then prices displayed should be VAT-inclusive. For more information on ASA’s advertising rules see this earlier TechBlog post.

Website health check
The survey did show that the general awareness by website operators of their basic legal obligations in relation to trading online is improving. 

However, while the survey is a useful indicator of compliance with certain aspects of the law, it focussed only on the “fair trading” aspects of consumer protection law. It doesn’t look into some other key areas of legal compliance – for example what organisations do with the personal information of their customers.

Fair trading rules are just one aspect of a wider matrix of rules applying to trading online. The problem is that there are a lot of different aspects to website compliance and these will vary depending on whether or not the site is a trading website or whether it deals with consumers rather than businesses. Knowing exactly what is required can be complicated.

Brodies can help by carrying out a health check of your website, to audit its compliance with the key legal requirements and recommend changes that you should make to comply with the applicable laws. If you are interested in this, please get in touch.

Leigh Kirktpatrick

CNIL v Google – one directive and 27 data protection laws

Today’s announcement from the French data protection regulator, CNIL, highlights one of the problems with the current Euroopean data protection regime for businesses that operate across the EU.

One data protection directive; 27 data protection laws
Whilst European data protection laws are derived from a single EU-wide directive, implementation of those laws is done at a national level, with each country having its own data protection regulator. This means that some countries have a more onerous implementation than others, and/or have a regulator that takes a more pragmatic approach than others. Or to put it another way, some countries are more business friendly than others.

These variations cover issues ranging from rules on international data transfers (the UK implementation of the directive is noticably more business friendly as it permits data controllers a degree of discretion in determining whether or not a proposed outsourcing arrangement provides sufficient guarantees in relation to the protection of personal data) to data subject consent (the UK ICO embraces the concept of “implied consent” (in particular, in relation to information collected online), whereas other member states reject that concept).

This means that businesses trading across Europe are being given mixed messages as to what is expected. Witness the recent issues with businesses grappling with different national implementations of the cookie law to see the sorts of problems that this can cause.

In relation to Google’s new privacy policy, the Article 29 Working Party (a grouping of representatives from each of the national data protection regulators) agreed to collaborate on a single response to Google, rather than provide Google with 27 different responses.

From a data controller’s perspective, that is to be welcomed.

However, it’s interesting that it is the French data protection regulator that led this investigation. French data protection laws (and the French regulator) are considered to be more onerous than those in many other member states, and CNIL has historically led the complaints against Google’s new privacy policy.

Whilst CNIL’s decision is apparently endorsed by all the national EU data protection regulators (with the exception of Greece, Romania and Lithuania), the approach is very much consistent with what might be expected by CNIL under French data protection law. Had the investigation been led by another data protection regulator then the report may have been different.

Does this matter? Well yes – if the effect of the report is that a national data protection regulator’s requirement is more onerous than the requirements under the national data protection laws in a particular member state (or that regulator’s previous guidance and practice), then the data controller may feel a bit agreived.

Will this change under the new data protection regulation?
Ultimately, these problems arise because of the different approaches in each member state. Under the proposed data protection regulation this is likely to change. In particular:

  • The new laws will be set out in a regulation, not a directive. That’s important as a regulation has direct effect under EU law and does not need to be implemented nationally by each member state. This means that there will not be any varations between member states in relation to the statutory laws.
  • A requirement for explicit consent to the processing will apply (it cannot be implied). This should help ensure that organisations take a common approach to consent across the EU.
  • Data controllers operating in multiple countries will be able to elect a “home” regulator, rather than be subject to up to 27 different regulators. Issues raised by data subjects in other member states will be referred for resolution by the data subject’s data protection regulator to the home regulator of the data controller.

This last point is directly aimed at ensuring that the processing activities of a data controller are subject to a consistent approach across the EU.

Of course, the fact that there will still be 27 data protection regulators means that there could still be 27 implementations of the regulation, as each regulator will interpret the regulation in its own way. How will disagreements in interpretation of the regulation between the national regulators be resolved? Will we see a sink to the bottom where businesses choose as their home regulator the most business-friendly regulator (and if so, how will that regulator be funded)?

That remains to be seen. But I bet Google doesn’t choose CNIL as its home regulator.

Claire Scott blogs on Brodies EmploymentBlog about the importance of employee social media policies, following footballer Ashley Cole’s recent tweet about the FA’s findings in relation to the John Terry/Rio Ferdinand incident.

Brodies Employment Blog

The issue of employees’ use of social media has been brought back into focus following the Football Association’s decision to charge Ashley Cole with misconduct in relation to a Twitter comment he made about football’s governing body. Ashley Cole’s club Chelsea have also said he may face disciplinary proceedings.

The offending tweet which can be seen at http://www.bbc.co.uk/sport/0/football/19857353 was in response to an Independent FA Commission’s finding that John Terry was guilty of making abusive and insulting comments to Anton Ferdinand, which included a reference to his race, during a match between Chelsea and QPR in October 2011. In reaching their decision, the Commission called into question the evidence that had been given to it by Mr Cole.

Speaking on BBC Radio 5 Live Sport, former England player Graeme Le Saux commented that the FA must make players aware “there are consequences” for inappropriate use of social media.

The FA’s…

View original post 439 more words

ICO issues first monetary penalty against a charity

Yesterday, the Information Commissioner’s Office (ICO) announced that it had issued its first monetary penalty against a charity.

Once again, the fine has arisen out of a breach of the Data Protection Act (DPA) in relation to the handling of sensitive personal information in the health and social care sector. The decision highlights a number of important information security issues, and also raises some interesting issues in relation to data sharing arrangements between data controllers.

Background
An employee of the data controller, a charity that acts as an adoption agency, had obtained background reports from two local authorities in relation to four children who were in care. The employee had requested the reports so that she could inform prospective adopters of potential issues that may arise when caring for the children. The reports contained confidential and highly senstive personal data relating to the children and their families.

The employee attempted to hand deliver the bundle of papers to one couple. Upon finding that they were not home, the employee left the package in a “concealed area at the side of the house” and phone the prospective adopters to tell them where to find the package. Unfortunately, by the time the couple arrived home, the package was gone.

The data controller’s information security measures
The data controller had in place a data security policy, but the policy contained no specific guidance on sending personal data to prospective adopters. The data controller had also failed to provide the employee with data protection training, despite a commitment to do so in the policy.

Although not expressly mentioned in the decision notice, it is also implied that the policy did not contain advice on when documents should be circulated in a redacted format, with personal data removed. In this case, it is arguable that there was no need for unredacted reports to be circulated – the reports could simply have referred to Child A, Child B etc.

As an organisation that regularly handled adoption cases, the data controller should have been aware of the confidential and sensitive nature of the data involved, and the damage and distress that could arise from its loss or misue.

The ICO therefore found that the data controller had breached the seventh principle of the Data Protection Act by failing to take appropriate organisational measures against accidental loss of personal data (for more on that, and the tests for determining appropriate measures see this blog post regarding a similar decision).

The role of the local authorities?
It’s interesting to note that the reports in question were provided to the adoption agency in an unredacted format by the local authorities.

In terms of data protection law, it’s fairly clear that the adoption agency was acting as a data controller in its own right. In other words, it determined how personal data in its possession was processed, and was responsible, under data protection law for ensuring that the personal data was processed in accordance with the DPA. The adoption agency was not acting as a data processor on behalf of the local authorities. This means that the local authorities cannot be held liable under the DPA for the adoption agency’s subsequent breach.

However, the local authorities are responsible under the DPA for the initial disclosure of the reports in an unredacted format to the adoption agency.

The ICO makes no mention of this in its decision notice, and it’s not clear what (if any) controls or restrictions the local authorities imposed on the adoption agency as a condition of the disclosure (for example, a data sharing protocol).

It’s not clear whether the ICO is also taking enforcement action against the local authorities, but if I were one of the data subjects concerned, I might question whether the local authorities concerned had also breached their obligations under the DPA by providing the reports in an unredacted format at a stage when (arguably) there was no need to for the reports to be disclosed on that basis.

If the reports could have been disclosed to the prospective adopters in a redacted format (as the ICO implies in its decision), then this is arguably also the case as between the local authorities and the adoption agency. Had the local authorities not disclosed the reports in an unredacted format, then the data breach would not have occurred.

This does not excuse the adoption agency’s breach, but I do wonder whether there are appropriate steps that the local authorities, as original data controllers, should have taken to reduce the risk of the reports being accidentally disclosed.

ICO guidance – deletion of personal data

The Information Commissioner’s Office (“ICO”) published new guidance recently to help organisations better understand the requirement imposed on them by the Data Protection Act 1998 (the DPA) in relation to deletion of personal data. This guidance is available on the ICO’s website, http://www.ico.gov.uk/.

The exact requirements under the DPA in relation to deletion of personal data previously have been open to wide interpretation. The problem is that, in an IT sense, ‘deletion’ doesn’t have the clearest of meanings.

What does the DPA say?

The DPA centres on a number of key issues, or principles, in relation to safeguarding personal data. The fifth principle states that personal data should not be kept for any longer than is necessary to fulfil the purpose for which it was processed in the first place.

While in the case of a paper-based system it is straightforward to destroy the information held, when you are dealing with electronic records, ‘deletion’ has many permutations. Technically, archiving data will still fall within the scope of the DPA, but holding personal data in an archive system, particularly one that is not easily searchable, is unlikely to be detrimental to the relevant individual.

This has lead to many organisations being unsure as to what they need to do in order to comply with the Act.

What the guidance says

To help organisations navigate this maze of uncertainty, the ICO has said that it will not take action in respect of a breach of the fifth principle in respect of data that, although technically not deleted, has been put ‘beyond use’, nor will such data fall within the scope of data subject access request. The ICO will consider that data has been put beyond use if the data controller (the person controlling the processing of the data) meets the following criteria:

  • It is unable to (or will not attempt to) use the personal data in any way that would affect the relevant individual;
  • It does not give any third parties access to that personal data (unless, for example, it is compelled by law to do so);
  • It puts in place appropriate technical and organisational measures to safeguard that data (essentially a restatement of the seventh principle);
  • It commits to permanently deleting the personal data, when possible.

Conclusion

While data controllers will have to meet all four criteria for their obligation to delete data to be suspended, the conditions are not particularly onerous. In fact, they give welcomed clarification on this issue and better reflect how organisations work in practice.

If you would like to discuss whether your current process for archiving complies with the requirements set out in the guidance, or any other aspect of data protection law or information security best practice, please get in touch with your normal Brodies contact.

Leigh Kirktpatrick

Consumer law – where can I sue?

In a recent case the European Court of Justice (ECJ) has ruled that consumers can sue in the member state in which they are domiciled, where the party that they are suing is domiciled in another member state, and the contract was not “concluded at a distance.”

This latter phrase was given a surprisingly wide interpretation by the court, and has consequences for any business that promotes its services online, even if it concluded contracts offline.

The facts
In this case, the individual raising the action, Ms Muhlleitner (who resided in Austria) had bought a car from a company based in Germany. She had come across the German company on the internet, but did not buy the car online, instead she travelled to Germany to conclude the contract and collect the car.  

When Muhlleitner arrived back in Austria, she discovered that there was a problem with the car, but the company that she bought it from refused to repair it. She then raised an action in the Austrian courts to seek to annul the contract of sale. The Austrian courts then had to consider whether or not they actually had the jurisdiction to hear a dispute against a German trade, in relation to a contract that hadn’t been ‘concluded at a distance’ (by internet or by phone).

The law
The ECJ considered the issue, and decided that, under the Brussels Regulation, the contract did not have to be concluded at a distance for the consumer to be given the additional protection of being able to sue in their home state.  

Instead they found that, in order for a consumer to raise an action in their own member state (rather than the state of the business they are suing):

  • the business must pursue commercial or professional activities in the member state in which the consumer was domiciled, or in anyway direct such activities to that member state; and
  • the contract  in question must relate to those activities.

What this means
This decision will be welcomed by consumers, making it much easier (and cheaper) to raise legal proceedings against a supplier in another member state. As can easily be imagined, the concept of ‘directing’ or ‘pursuing’ commercial interests in a particular EU state is not that limiting when you consider that online marketing and the use of websites will bring into scope many businesses. The decision is consistent with the EU’s aims of protecting consumers and encouraging cross-border trade.

However, the decision may not be welcomed by businesses, who now need to be aware that rules governing jurisdiction of disputes now have a wider application than previously thought, bringing offline transactions into scope. Businesses that promote their services outside their member state should therefore be aware that exclusive jurisdiction clauses in their standard terms and conditions may not be effective.

Leigh Kirktpatrick

New ICO guidance on the use of cloud services

The Information Commissioner’s Office (ICO) has published new guidance on the use of cloud computing services. The guidance is intended to provide an overview of how data protection law applies to businesses that utilise cloud based solutions to handle and process data.

The guidance is essential reading for any organisation that currently utilises (or is considering utilising) cloud based solutions, and emphasises that organisations remain responsible for the security of data that they store or process in the cloud.

The guidance
The guidance covers a variety of cloud based services, including infrastrastructure as a service (IaaS), platform as a service (Paas), and software as a service (SaaS). It also considers the differences between private, public and hybrid deployment models, and “layered” services where, for example, a SaaS vendor is in turn utilising a third party IaaS vendor – such as using a third party SaaS service that is hosted on servers by Amazon Web Services.

Issues covered by the guidance include:

  • Identifying the data controller (or data controllers)
  • The data controller’s responsibilities – including risk assessment, due diligence and monitoring
  • Selecting a cloud provider
  • Access control and protecting your data
  • Encryption
  • Understanding how the cloud provider will process data – for example, will it use any of the data processed by it for the purposes of targeted advertising?
  • Use of cloud services located outside the UK/EEA – including the importance of understanding where the cloud provider will store and process data
  • Staff training

The guidance also provides a checklist to help organisations assess the risks of using a cloud service, covering confidentiality, integrity of the data, availability and legal/contractual issues.

Assessing the cloud provider’s security measures
As with previous ICO guidance on outsourcing, the guidance emphasises the importance of pre-contractual diligence, appropriate written contractual terms between the data controller and the cloud provider (which prevent the cloud provider from changing the terms of service without your approval), and regular monitoring and oversight of the cloud provider’s compliance with the agreed information security measures. As the ICO notes, the fact that auditing and oversight may be harder with a cloud provider does not lessen the data controller’s obligations under the Data Protection Act.

The ICO does recognise the role that independent security audits (such as an ISAE3402 or SSAE16 report) can play in verifying the adequacy of the cloud provider’s security measures. For more on the use of such audits see this previous TechBlog post.

Organisations should, however, be aware that the ICO draws a distinction between security audits conducted in accordance with recognised independent standards, and industry recognised standards and kitemark schemes, as a kitemark is unlikely to address all aspects of data protection compliance.

Increased regulatory focus
As the fine issued last month to Scottish Borders Council illustrates, the adequacy of outsourcing arrangements is a area coming under increased scrutiny from the ICO, with hefty fines being levied where data controllers have failed to exercise appropriate oversight of their data processors.

For organisations that are increasingly looking to use cloud based services, this guidance will provide a timely reminder of the important steps that should be taken to ensure that such services do not adversely impact upon the security of personal data.

You can download the guidance from the ICO website.


Twitter: @BrodiesTechBlog feed

October 2012
M T W T F S S
« Sep   Nov »
1234567
891011121314
15161718192021
22232425262728
293031  

%d bloggers like this: