Yesterday saw the formal appointment of another patents judge to the Court of Appeal. The Lord Chief Justice's Court was packed with other judges, members of the Bar, solicitors and Patent and Trade Mark Attorneys welcoming Sir Christopher Floyd's elevation to the Court. The Lord Chief Justice and Henry Carr QC (11 South Square, Sir Christopher's former chambers) gave strong speeches of support; the LCJ recorded his past service, amongst other things on Bar Committees and the Copyright Tribunal; Henry Carr added congratulations on Sir Christopher escaping having to handle "on his own" rafts of Smart Phone litigation (eg here and a selection here), where he was facing multiple large teams of practitioners putting forward their complex arguments, also adding just a careful and restrained sprinkling of anecdotes -- no doubt mindful of future appearances. Sir Christopher will be a sad loss from the Patents Court; he will be a valuable addition to the Court of Appeal following the retirement (or part retirement) of Sir Robin Jacob. His appointment is a reminder of the calibre and strength of UK judges in the intellectual property field, keeping the UK Courts an attractive forum for both UK and international litigation -- a point alluded to by the LCJ, and perhaps a basis on which the UK judiciary should be awarded the Queen's Award for services to export. Congratulations.
On 7 February, the PCI (Payment Card Industry) Security Standards Council issued the PCI DSS Cloud Computing Guidelines Information Supplement. The PCI Security Standards Council develops, manages and raises awareness around payment data security through its PCI Data Security Standard (PCI DSS). PCI DSS compliance is a benchmark for online merchants and payment service providers. The Cloud Computing Information Supplement sits alongside, and does not replace, PCI DSS. The guidance will be of use to both cloud service providers and merchants using cloud technologies for the storage and processing of cardholder data. Using the guidance will help cloud providers and cloud customers to identify and define their respective security responsibilities, a process that is essential in achieving and maintaining PCI DSS compliance.
The first time I saw Christopher Graham speak (he's the UK's Information Commissioner), I thought he still had a bit to learn about his new role. He was about to take office and gave a speech at an event (I've forgotten which one). He gave us a relatively bland snippet of information about his forthcoming reign (sufficiently bland that I can't remember what it was - maybe something about strategy or enforcement). The only bit that sticks in my mind is that he asked us to observe 'Chatham House rules' before he gave it.
Now for someone about to take the top job in information in the UK, charged with enforcing the 'right to know', I thought this was a little naive. It didn't seem to be very sensitive - but even if it was, there was no reason why we, probably a bunch of lawyers and civil servants, should have had privileged access to it. The ICO's in the public sector too, isn't it?
All of which is a slightly unfair way to introduce the fact that I saw him speak again yesterday at pdp's annual Data Protection Compliance Conference. What struck me most from his talk was that the current version of the General Data Protection Regulation is likely to be rather closer to the version that comes into force than I'd perhaps appreciated.
What does this mean for tech businesses?
- If you thought the Data Protection Directive/Act was difficult and they might make things easier, you'll be disappointed. They've cherry-picked 'best practice' from across the EU and codified it - the Regulation is much bigger and much more onerous for businesses.
- If you hold data on behalf of your customers and currently take comfort that you are a mere 'data processor', think again. You'll have a raft of new obligations under the new Regulation.
- This probably means revisiting all your standard customer contracts to make sure you have proper protection.
- And it probably means revisiting any existing contracts too - there's not currently any carve-out for contracts signed before the Regulation comes into force.
- Start budgeting now for your Data Protection Officer and his or her team. If you've more than 250 employees or process a lot of data you'll be required to have one (and will probably need one to make sure you comply with your other obligations anyway).
- Don't take this lightly. The ICO will be able to impose penalties of up to 2% of turnover - and is quite likely to target data processors early on to set an example.
There's a whole lot more too. On the bright side, the law hasn't been finalised yet - so there's still time to lobby your MEP or tell the government if you're worried. And the IC made clear that he feels that the draft Regulation is too prescriptive - so he'll be trying to keep things in check. But he also made clear that people should start readying themselves for change because, notwithstanding the diplomacy of the next year, something looking rather like the current draft is probably coming our way.