Enter your email address:

Delivered by FeedBurner

Mills & Reeve: Technology Law Update

Tech-hub-promo-box
DG-promo-box

Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.

eCommerce

Major new report on artificial intelligence calls for hands-on policy-making

A UK Parliamentary report, "AI in the UK: ready, willing and able?"on the fast-moving artificial intelligence sector sees a role for the UK to push development of the technology in an ethical direction with a new AI Code. But it also proposes a range of practical measures, and encourages policy-makers to take a hands-on, proactive approach rather than leaving the industry to develop in its own way. Committee chair, Lord Clement-Jones commented:

“The UK has a unique opportunity to shape AI positively for the public’s benefit and to lead the international community in AI’s ethical development, rather than passively accept its consequences”

Practical steps to boost AI

AI has been developing for years, but recent enhancements in areas like deep learning and computer processing power, along with the expansion of big data, have led to rapid progress. The report downplays fears about superintelligent machines taking over society, and instead focuses on more immediate and practical concerns. Among the report’s proposals the following stand out:

  • Large companies with control over vast quantities of data should not be allowed to dominate. Competition authorities should be tasked with a proactive review of the potential monopolisation of data. Innovative companies of all sizes, and research organisations, should be able to access data on fair and reasonable terms. This has similarities with the approach taken by competition regulators to access to standard-essential patents in areas like mobile communications.
  • Greater visibility and control for individuals and better protection for privacy. Individuals should know when and how AI is being used to make decisions about them. Datasets should be audited to reduce the risk of prejudice against groups in society.
  • Support measures like a growth fund for SMEs in the AI field to support scale-up, co-funding of PhD positions and standardised mechanisms for spin-outs from universities.
  • Increased access to visas for international recruitment
  • Targeted procurement by public sector organisations to promote the use of AI.
  • Clarity around legal liability if AI systems malfunction or cause harm through poor decision-making, ideally through a Law Commission review.

Engaging with the ethical issues

The Committee heard from experts across industry and academia. The active approach of businesses like DeepMind, Microsoft and Prowler.io in engaging with the ethical issues is recognised in the report.

A core recommendation is for a cross-sector AI Code embodying five principles, that might form the basis of an international consensus:

  • Artificial intelligence should be developed for the common good and benefit of humanity.
  • Artificial intelligence should operate on principles of intelligibility and fairness.
  • Artificial intelligence should not be used to diminish the data rights or privacy of individuals, families or communities.
  • All citizens should have the right to be educated to enable them to flourish mentally, emotionally and economically alongside artificial intelligence.
  • The autonomous power to hurt, destroy or deceive human beings should never be vested in artificial intelligence.

The importance of ethics in this context should not be underestimated – it has been emphasised by various experts during discussions about AI that we have been involved in (for example: the pro-manchester annual business conference).

Paul Knight

Posted by on 20/04/2018 at 09:33 | | Comments (0)

Bringing WHOIS into compliance with privacy law

Internet governance organisation ICANN is planning new restrictions on access to information in order to comply with EU privacy rules. Those on the privacy side of the argument welcome the planned changes – WHOIS data is misused by spammers and scammers, they say. But others rely on the information for more positive purposes. WHOIS records have been used to tackle online crime, and online infringement of rights like trade marks. The changes will make life more difficult for them.

Europe’s new privacy regime, the General Data Protection Regulation or GDPR, is due to take effect from 25 May. This imposes much tougher controls on how personal data about individuals can be stored and used. Non-profit internet governance organisation, ICANN, is proposing changes to its policies to comply with the new law.

ICANN and other domain name registries currently make available data about domain name registrants through the WHOIS look-up service. Originally a directory of contact information for those transmitting information across the ARPANET, WHOIS has developed into a tool used by law enforcement agencies, IP owners and others to find the identity and contact details of domain name registrants.  Under existing policies, registries are obliged to provide unrestricted access to complete WHOIS information, and the information is shared between registries and data escrow agents for various purposes such as safeguarding against information loss due to the technical or business failure of a registry.

What are the problems under GDPR?

A range of different issues arise under the GDPR that make compliance in this area challenging.  For example:

  • purpose limitation

GDPR requires that personal data may only be collected where there are “specified, explicit and legitimate purposes”. The original collection of the data could be classified as processing necessary for the performance of a contract, but the subsequent uses of the data are varied and for largely different purposes.

  • data minimisation

Does all of the data collected from domain name registrants need to be collected? Currently the data may include contact details including names, phone numbers, postal addresses and email addresses for administrative and technical contacts.

  • data accuracy

There is a question over whether current systems take sufficient steps to ensure the accuracy of data collected.

What is ICANN doing?

ICANN is well-advanced with its policy development and has been consulting on a single model around which it hopes to find consensus. This would involve a public register with reduced data, and an accreditation program for continued access to full Thick WHOIS data. Accreditation may well be extended to law enforcement agencies and intellectual property lawyers, but the criteria are yet to be defined.

Consultation with regulators, and particularly the EU’s WP29 grouping, continues. But it seems likely that access to full information will become much more restricted.

Edward Hadcock

Posted by on 03/04/2018 at 11:50 | | Comments (0)

WhatsApp and Facebook – can they share European users’ data?

The acquisition of social media app WhatsApp by Facebook in 2014 raised concerns among users and regulators about the protection of users’ data. What merited the $19bn price tag? Some felt that part of what Facebook was buying was a huge amount of personal data. So WhatsApp’s announcement in August 2016 of plans to share data with the rest of the Facebook group met with a strong reaction from users.

In its new privacy policy and terms of service, WhatsApp explained the benefits of data sharing,

“by coordinating more with Facebook, we'll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook's systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you've never heard of.”

The response of European regulators was swift. The EU-wide Article 29 Working Party (WP29) began a co-ordinated review, and set out “serious concerns” in a letter to WhatsApp on 27 October 2016. The letter called for WhatsApp to put its plans on ice until the privacy concerns were addressed.

What were the main issues under EU privacy law?

The planned data sharing presented several problems under EU data privacy law.

  • WhatsApp had not identified a lawful basis for the data sharing. This is a first step in any plans to process personal data. It is central under the existing system, and made even stronger by the forthcoming changes.
  • Users had not been given adequate information.
  • For existing users, their data would be used for purposes that were not compatible with the original purpose of collection.

At the time of WhatsApp's planned changes, the GDPR had been finalised but was still some way from being fully implemented. But even under the existing regime, the sharing was unlawful. Now, with the GDPR’s May 2018 implementation date fast approaching, tougher rules will apply.

What enforcement action has been taken?

UK regulator the ICO has carried out an in-depth investigation into the proposed data sharing. That has resulted in an undertaking in which WhatsApp agrees 

  • not to share EU user data with Facebook on a controller-to-controller basis before 25 May 2018
  • only to start sharing the data after that date, for safety and security purposes, on a controller-to-controller basis, in compliance with the GDPR
  • only to share data for the improvement of Facebook’s products and advertising in compliance with the GDPR and working with the appropriate national privacy regulator.

The ICO takes the view that a fine is not appropriate because the data sharing has not yet taken place.

Other national regulators are also taking their own enforcement action. In Germany, the Hamburg data protection commissioner has obtained a court order to prevent mass data exchange, at least until the GDPR comes into effect. French data protection watchdog, the CNIL, has served WhatsApp with a compliance notice.

What next?

WhatsApp set up an Irish subsidiary in 2017 alongside the much larger Facebook presence there. Under the GDPR, this means that in future regulation will fall mainly to the Irish regulator, the Office of the Irish Data Protection Commissioner. The Irish regulator will have the task of working with WhatsApp to ensure that any sharing complies with the new law. There is a system for input from each affected EU country, but the current scope for national regulators to take independent enforcement action will largely fall away.

Edward Hadcock

Posted by on 16/03/2018 at 13:34 | | Comments (0)

New EU-wide crowdfunding regime proposed

The EU is planning to put a new structure in place to regulate crowdfunding. The initiative seeks to iron out national rule differences and introduce a single EU-wide regime for many types of crowdfunding.

This makes a lot of sense as crowdfunding is generally run through online platforms, and confining their activity to one country makes little sense in today’s connected world. The resulting fragmentation of the EU market is thought to be holding back the growth of crowdfunding as compared to other major economies. 2016 data from the Cambridge Centre for Alternative Finance valued European crowdfunding at €7bn, compared with over €200bn for the Asia-Pacific region and €35bn for the Americas.

What are the planned changes?

The proposed legislation aims to:

  • establish a one-stop-shop access to the EU market;
  • provide tailored rules for European crowdfunding services providers covering both investment-based and lending-based business models;
  • open up opportunities to European investors while safeguarding a high level of investor protection in relation to crowdfunding services;
  • define the requirements crowdfunding service providers have to fulfil in order to achieve authorisation, and provide a single point of entry for authorisation and supervision by a single authority, the European Securities and Markets Authority (ESMA).

What activity is within scope?

The proposals are intended to apply to all crowdfunding services that offer investors a financial return, with debt and equity arrangements both covered. It would not apply to reward or donation based crowdfunding activity, however, as these are viewed as different from financial services. Also excluded is consumer lending as this has its own regulations.

There would a cap on the size of transaction that can use the system. Crowdfunding campaigns to raise a total of €1m within any year would instead fall within the scope of the Prospectus Regulation and The Markets in Financial Instruments Directive (MiFID II) rules.

This proposal forms part of the EU’s Fintech Action Plan. This ambitious project includes a series of initiatives that aim to build on and promote the success of Europe’s growing Fintech sector.

Posted by on 09/03/2018 at 13:00 | | Comments (0)

Cambridge Wireless and Mills & Reeve put the Future of Financial Data under the spotlight

Thursday night saw a fantastically well received "Future of Financial Data" event jointly hosted by Mills & Reeve and Cambridge Wireless at the Bradfield Centre on the Cambridge Science Park.

Simon Warburton of Mills & Reeve kicked off proceedings by welcoming everyone and explaining why last month’s introduction of PSD2 and the arrival of GDPR in May made this such an exciting time to be having this event - more on that here.

Alan Lockhart, Head of Applied Technologies at RBS, gave a fascinating insight into the challenges the bank faces in addressing the new regulatory requirements. He was quick to correct Simon’s "tongue in cheek" comment that the banks had simply kindly agreed to make their customer data available, but did suggest that opportunities potentially lay ahead for banks despite being forced down this path.

Alan was followed by an expert Fintech panel session. Ray Anderson (CEO, Bango), Hamish Anderson (CEO, Money Mover), Neil Garner (CEO, Thyngs), Emily Mackay (CEO, TAB) and Jeremy Sosabowski (CEO, AlgoDynamix) explained how their businesses currently use financial data and gave their predictions for the future. The broad range of businesses represented gave us a whole spectrum of ideas and opinions.

This prompted real enthusiasm and lots of questions on areas ranging from Open APIs, the interaction between GDPR and PSD2 and market consolidation. The responses from the panel revealed some interesting differences of opinion. A question on consumer appetite for the new data landscape led to Simon putting to the audience whether it was better to be served by a robot or an inauthentic human, chosen and prompted as to what to say based on your hobbies and interests. The latter won the show of hands by a huge margin suggesting people still want human contact even if the human is being told exactly what to say by a machine!

The Q&A continued beyond the expected close and there were still questions left unanswered when the session ended much later than originally planned.

Feedback on the night and afterwards was universally positive with calls for this to be the first of many Cambridge Fintech events.

Posted by on 28/02/2018 at 10:04 | | Comments (0)

Terminating contracts for insolvency – think before pressing "Send"

When you enter into an agreement with a commercial partner, the last thing you want to think about is failure of the relationship due to insolvency. But when that happens, it is important to pause for breath and think before terminating the agreement.

A recent dispute between mobile operator EE and failed independent retailer Phones 4U shows how using the termination for insolvency clause in a contract led to difficulties later on.

Read more here.

Posted by on 08/02/2018 at 12:23 | | Comments (0)

Unconventional trade marks are coming to an IP office near you

Changes to EU trade mark law are introducing new-style trade marks like motion marks, audiovisual files and holograms. The old requirement to represent all marks graphically (written words, drawings etc) is on its way out, although of course basic lettering and graphical images still remain relevant for word and logo marks. In future, any “sign” will potentially be allowed so long as it can distinguish the relevant goods or services from those of other providers and

“is capable of being represented on the register in a manner which enables the competent authorities and the public to determine the clear and precise subject matter of the protection afforded to its proprietor”.

This representation requirement is now being fleshed out by national IP offices in the EU in preparation for full implementation in respect of national trade marks in January 2019.

In a common communication put out by the EUIPO and national IP offices you can see the types of mark and file formats that each will accept. The plan is to update this as EU member states move towards implementation of the Directive in January 2019.

The UK is sitting on the fence though. The UK IPO is inviting comments on what file formats etc it should use. So if you feel strongly about a particular file type you should submit your views here

And while the UK is pressing ahead with implementation of the new rules, there is scope for divergence after Brexit. Whether this happens will be affected by what kind of future relationship is hammered out for the UK after its departure from the EU.

The EUIPO has already started accepting the new-style applications. You can see the types of formats accepted for an EUTM here.

Richard Plaistowe

Posted by on 31/01/2018 at 13:31 | | Comments (0)

Government response on the Cyber Security consultation

The Government has now published a response to its consultation the Network and Information Security Directive (also known as the Cybersecurity Directive). We provided feedback to the consultation back in September on many of the points addressed in the response, and welcome some valuable improvements to the proposals.

The Directive calls on EU member states to identify operators of essential services and set out the security standards that these key components of the national infrastructure must meet.

Points to note in the consultation response:

Relevant ‘Operators’:  The response makes improvements to the definitions of operators of essential services.

For example, the health sector in England will now cover “Providers of non-primary NHS healthcare commissioned under the National Health Service Act 2006 as amended in England (but not including any individual doctors providing such healthcare)”, rather than “NHS Trusts and Foundation Trusts in England (defined by the NHS Act 2006)”. However, many independent providers of healthcare remain out of scope and the proposal ignores the potential impact of inadequate cybersecurity amongst primary care providers. 

Some had called on the Government to extend the legislation beyond the requirements of the Directive and include other sectors such as Government, chemicals and food & agriculture. We are glad to see that Government has resisted these calls for gold-plating, but future expansion of the scope of the legislation to businesses in other sectors is not ruled out.

Competent authorities:  The Government has decided to stick with using sector-based competent authorities. 

We, and other respondents, had raised concerns regarding the potential for divergence of approaches between authorities. This is only addressed in the response by an assurance that there will be “common guidance” and cooperation between authorities will be encouraged. The possibility that multiple competent authorities may all have jurisdiction to respond to a breach is acknowledged and accepted by the Government, as is the risk of double-jeopardy. Operators may find themselves under a significant regulatory burden, having to deal with multiple, slightly differing regimes, and more than one regulatory investigation per breach.

Reporting breaches: the Government expects that all breaches/incidents that meet the terms of the Cybersecurity Directive will be reported to the relevant competent authorities, on a similar timescale as for GDPR reporting (“without undue delay and, where feasible, no later than 72 hours after having become aware of the incident”). 

Penalties: The Government takes the view that fines should be appropriate to the sector. While any competent authority must be consistent in how it approaches fines, the amount that is proportionate will vary across sectors.  It was pointed out in the consultation that there is a large disparity between the UK approach and that of other member states, risking disinvestment.  In response, the Government, while continuing to link to GDPR by setting a maximum fine of £17m, has removed the previous proposal to also copy the GDPR’s “4% of worldwide turnover”.

Digital Service Providers

Alongside the regulation of operators of essential services, the Directive imposes a reduced set of obligations on Digital Service Providers. The Government recognises that “Defining Digital Service Providers in a manner that is both compatible with the Directive and clear to individual Digital Service Providers is not simple.” The planned approach is for the implementing regulations to track the definitions in the Directive itself, with Guidance to clarify which service providers fall within the scope of the obligations. Among the service providers that may be affected are:

  • online marketplaces, The Guidance will clarify that price comparison sites, classified ad sites and online retailers are out of scope.
  • online search engines.  
  • cloud providers, including IaaS, PaaS and SaaS providers. This may include providers of email and online storage.

(Note that businesses with fewer than 50 employees and annual turnover and/or annual balance sheet total that does not exceed €10 million are automatically excluded.)

Details of the obligations that IT businesses will have to meet remain uncertain. A further consultation is planned once EU-level regulations on security measures and incident reporting are settled.   

The Network and Information Security Directive is due to be implemented by 9 May 2019. We can expect to see regulations reflecting the Government’s position appear shortly.

Claire Williams

Posted by on 29/01/2018 at 13:40 | | Comments (0)

It’s EASY enough to make idle threats

Trade mark owners have every right to enforce their rights and stop others using their names and branding. But there are limits. The UK ‘threats’ rules put a limit on what IP owners can say to those who they believe might be infringing, and give a right of action to people who feel that they have been unfairly threatened. We discussed those rules, and recent reforms to make them work better, here.

We were surprised, then, by a recent court ruling over some strongly worded solicitors’ letters, that seemed to suggest that if the threats made were so wide as to be unbelievable, then they should not be sanctioned.

The dispute was over the use of the sign "EasyRoommate" and some variants of it, for an online accommodation sharing service operating across several EU member states. The service was offered by Jean Camille Pons through his company W3. He was sued by easyGroup, a business with a stable of well-recognised “easy” brands including the easyJet airline and easyRentacar vehicle hire business.

Complaints from easyGroup began in 2003, following expansion of EasyRoommate from the US into the UK. After that, the website included a disclaimer saying that there was no connection with easyGroup – this was later removed. The EASY part of EasyRoommate was shown in orange (easyGroup’s main brand colour) from 2009.

The litigation was triggered by failed attempts to sell the EasyRoommate business – investors were understandably keen to see uncertainty over the name settled. So W3 began the threats proceedings in 2015.

Relevant to the threats case is the correspondence between the parties’ solicitors from 2011 to 2014. As well as statements that easyGroup were contemplating legal proceedings, the letters included very broadly worded undertakings referring to any use of any of easyGroup’s marks or anything similar to them.

The judge must decide what a reasonable person in the position of the recipient of the communication, with knowledge of all the relevant circumstances, would have understood the person making the communication to have intended. In his view, that person would have seen the threat as being in relation to the use of EasyRoommate for supply of services. The wider undertaking was just unrealistic:

“The reasonable reader would not think that the immense breadth of the undertaking sought meant that easyGroup was threatening to bring a trade mark infringement claim of that breadth. On the contrary, the reasonable reader would appreciate that a claim of that breadth was an impossibility.”

 Perhaps it is unsurprising, given the history between the parties and the judge’s ruling that there had been no infringement of easyGroup’s marks, that he reached this conclusion. But the case may be used to argue in future cases that sweeping demands in solicitors’ letters do not amount to threats because they are so wide. It seems to us that this undermines the purpose of the threats legislation.  In addition, it imposes on those who are threatened an obligation to understand trade mark law enough to know when what they are threatened with is too wide to be realistic. That seems unfair, when a key purpose of the legislation is to protect those who are trying to get on with their day to day business from being frightened into submission by confusing legal correspondence.

The changes made to the threats rules in 2017 don’t really affect this point. But it is worth noting that they introduce the concept of “permitted communications” clearly setting out what communications can be made to a potential infringer without risking a threats action. If a communication includes undertakings like those in easyGroup’s lawyers’ letters, they immediately fall outside this safe harbour.

Mark Pearce and Isabel Teare

Posted by on 24/01/2018 at 11:55 | | Comments (0)

Another £400k penalty for a cyber security breach

The Information Commissioner’s Office has imposed a £400,000 fine on mobile phone retailer Carphone Warehouse following a 2015 cyber attack. Originating from an IP address in Vietnam, the hack went on for 15 days before detection. It exposed the personal data of more than three million customers and 1,000 members of staff.

This penalty relates to a breach of the existing Data Protection Act. Like the fine imposed last year on telecoms company TalkTalk, it is close to the maximum level of £500,000 allowed under the current system. Under the new GDPR regime, which takes effect in May, both standards and possible penalties will be higher. The potential level of fines could be up to €20m (or 4% of worldwide turnover, if higher) in the most extreme cases.

Information Commissioner Elizabeth Denham highlighted Carphone Warehouse’s size and strength as a factor saying

“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

Multiple inadequacies were found in Carphone Warehouse’s data security. It had failed to carry out routine security testing and used outdated software. Software patching policies were not followed and no measures were in place to check this. Vulnerability scanning and penetration testing also fell short, and antivirus technology was not installed.

The company issued an apology emphasising the steps that it has taken since the attack to improve and upgrade its systems and procedures.

Under the new GDPR regime, businesses will have to build in data security from the outset. The concept of ‘privacy by design’, explained in more detail here, is one of the measures the new law emphasises to ensure that information about individuals is properly protected.

Edward Hadcock

Posted by on 11/01/2018 at 12:19 | | Comments (0)

Next »