Ireland IP & Technology Law Blog

Facebook's Data Protection Audit - Showing the Way for Social Networks

Kate Gorey — Mon, 14 May 2012 18:19:11 +0100

Facebook has released an updated version of its Data Use Policy which clarifies its practices and potential future uses of user data. The update has come as a result of the recent audit conducted by the Irish Office of the Data Protection Commissioner (ODPC) which recommended more transparency surrounding use of user data.

These audits are mandated under the Data Protection Acts 1988 and 2003 (the Data Protection Acts). The resulting report was published on 21 December 2011 (click here for the full Report)

Following on from the audit Report, Facebook committed to implement suggestions arising from the advice from the ODPC. The principal recommendations emanating relate to the areas of Privacy Policies, Data Retention, Data Access Requests, Security and General Compliance and are summarised below.

Recommendations and Actions

Privacy Policies: Emphasis was placed on transparency as an imperative. Clear links to explanatory information throughout the registration process is preferable. In addition, where general statements are included in privacy statements, they should insofar as possible, be followed by more specific statements, examples or explanations.

Data Subject Access Requests: As a result of user complaints and a user designed access request form, Facebook had received some 40,000 access requests in the space of a number of weeks, which was unprecedented in the experience of the ODPC. Data subject access requests are the cornerstone of transparency for individuals but are an increasingly significant administrative and cost burden on data controllers. However, the ODPC confirmed that complexity and scale were not a basis for non-compliance with a data subject access requests. However, there the ODPC favours an approach whereby technical solutions are devised, not just to make the process of submitting and processing a data subject access request more efficient, but wherever possible, to rule out the need for an access request in the first place. In this regard, Facebook has devised, and will continue to enhance, a download tool in order to facilitate this.

Data Retention: The ODPC acknowledged that data retention is an issue that presents a significant challenge to data controllers in all sectors and one which also cannot be the subject of a fixed policy. The ODPC looks favourably on tools such as the Facebook "Activity Log" which enables users to privately view and manage deletion of their own data. The retention periods for data must always be decided upon based on an evidence based justification to retain, for example, Facebook retains log-in information for security and fraud investigative purposes. However that information can only be accessed by relevant members of the security team, the suspicious payments investigation team and limited staff members in user operations.

Security: The ODPC stated that there is a need for an appropriate balance to be struck between using information for what might be deemed by the controller as security purposes but might be regarded by the user to be disproportionate and unnecessary use of personal data.

Despite its scope, the Report is only interim. It will be interesting to see whether the results of the ongoing interaction between Facebook and the ODPC will continue to be published in such detail and such interaction is sure to shape and influence best practice generally in the Social Networking arena.

Following on from the above, Facebook has now implemented changes providing advice to users, primarily surrounding targeted advertising, and clarifications on the Activity Log which will allow users to adjust their privacy settings for every piece of content posted onto the Timeline. Facebook’s chief privacy policy officer has recommended that users have a look at the proposed updates and pass on their feedback. According to the data-use policy, all it takes to get a vote is more than 7,000 comments on a change, excluding those made for legal or administrative reasons.

The policy states: "we will give you seven (7) days to provide us with comments on the change. If we receive more than 7000 comments concerning a particular change, we will put the change up for a vote. The vote will be binding on us if more than 30% of all active registered users as of the date of the notice vote." So in short, users should login today to have their say!

New Ruling on Scope of Software Directive Copyright Protection

Deirdre Fallon — Fri, 11 May 2012 17:29:53 +0100

The Court of Justice of the European Union (CJEU) has ruled on the level of copyright protection applicable to computer software under the Software Directive (Directive 91/250/EEC) in Case C-406/10 SAS Institute Inc. v World Programming Ltd.

SAS had developed a computer program which allowed licensed users to write and run their own scripts in the SAS programming language. WPL created a competing program which had the same functionality as the SAS system, thereby giving SAS users the ability to run scripts on both the SAS and WPL programs. SAS commenced copyright infringement proceedings against WPL in the UK High Court. The High Court referred several questions to the CJEU with regard to the scope of copyright protection under the Software Directive, all on the basis that WPL had never copied nor even seen the SAS source or object codes.

The CJEU responded with the following findings:-

The Software Directive protects forms of expression of a computer program (e.g. source code, object code). The functionality of a computer program, its programming language and data formats were found not to be forms of expression and so are not protected under the Software Directive. Such rights may, however, have copyright protection under other legislation.
A computer program may be studied, observed and tested by a lawful user, provided that lawful user does not infringe the exclusive rights of the program’s copyright owner.
The elements of a programming language (e.g. keywords, figures, mathematical concepts) are not of themselves considered to be intellectual creations worthy of copyright protection. However, the manner in which these elements are selected, sequenced and combined could potentially constitute an intellectual creation. It is a decision for the UK High Court as to whether the reproduction of elements appearing in an earlier user manual constitute the expression of the intellectual creation of the author of the earlier user manual.

Although the decision is not hugely surprising, it is a welcome clarification of the law on software copyright, which will undoubtedly provide more certainty in the area. The case has now returned to the UK High court where a judgment is expected this year. Click here for the full text of the CJEU’s judgment.

DataCo Scores a Database Right for Live Football Statistics

Sally Anne Hinfey — Fri, 11 May 2012 16:47:32 +0100

The UK High Court has this week confirmed that there can be a database right in independently compiled football statistics.

The decision in Football Dataco Ltd & Ors v Sportradar GmbH & Ors [2012] EWHC 1185 (Ch) comes in the wake of a number of other decisions which suggest that copyright is not available in such factual compilations and will also be a welcome clarification of the traditional scope of database rights as set out in the British Horseracing Board Ltd & Ors v William Hill Organisation Ltd (Case C-203/02). To read the full decision click here.

The plaintiff, Football Dataco, displayed football statistics on an interface known as "Football Live". This interface was used to input match data into a much larger database maintained by its subcontractor PA Sport UK. That data consisted of , for example, scores, penalties and player substitutions, and was "live" in the sense that it was updated while the matches were being played....

Dataco employed football analysts to attend matches in order to collect and compile information, which was then directly relayed to information processors who would update the database in real time. Sportradar provided football statistics to betting companies in real time via a facility called "Live Scores". Sportradar obtained this information from their operators who watched the matches, however, not all games were available live. In these circumstances, they derived information from alternative sources some of which had sourced information indirectly from the Plaintiffs' database.

Stan James, an online betting company, had a written agreement with Sportradar to provide the Live Score service on their website. An agreement analogous to this was made between Sportradar and betting company, Bet365, also. The plaintiff alleged that by virtue of this, their database rights (under Directive 96/9/EC) had been infringed and claimed that Sportradar and Stan James were jointly liable for the infringement committed by Stan James’ customers. Similarly, that Sportradar was also jointly liable for the infringement by the customers of Bet365.

Directive 96/9/EC, stipulates that for a sui generis database right to exist, the creator of the database must have made a qualitatively and/or quantitatively substantial investment in the obtaining, verification or presentation of its contents. This requirement has been introduced into Irish law pursuant to the Copyright and Related Rights Act 2000, Section 321.

Judgment

With respect to the investment which is required in order for a database to be protected under the sui generis database right, Justice Floyd held that the test (as above) is satisfied where, as was the case here, factual data was collected and recorded at a live event eg. a football match, and those events were outside the control of the person doing the collection and recording and were, accordingly, not created by that person, but merely obtained by him.

Justice Floyd held that there was a database right in the data collected via the Football Live interface and that individual users of the Live Scores service had infringed that right in relation to data on non-televised matches and that Stan James (but not Sportradar) was jointly liable for those users' acts of infringement.

Although there is still an outstanding reference to the ECJ in this case which relates to whether or not Dataco can pursue Sportrader for primary infringement due to the location of their servers, the case is undoubtedly a welcome further clarification of the database right.

Counterfeiter Stitch-Up Ploy Unsuccessful

Alison Obernik — Fri, 11 May 2012 10:23:59 +0100

In recent weeks surveillance and intelligence shared between Irish Customs and Gardai has resulted in a seizure of counterfeit clothing worth an estimated street value of €600,000 by Gardai. The clothing was imported without labels which were separately posted into Ireland and re-attached to the products. The removal of the labels appears to have been an attempt by the counterfeiters to avoid detection by customs officials at import point. This ploy was unsuccessful in this instance.

Council Regulation (EU) No 1383/2003 and Commission Regulation (EU) No 1891/2004 provide enhanced measures for Customs action against counterfeit and pirated goods. Ireland is bound by these Regulations which enable Irish custom authorities to detain any goods that are suspected of infringing relevant Intellectual Property Rights. However, difficulty will arise where goods display no readily identifiable counterfeit marks (such as labels).

The Trademarks Act 2006 provides for a range of civil and criminal remedies in the context of trademark infringement. The act also provides customs and police with the statutory framework to enable anti-counterfeiting action. Even in the present circumstances where the labels containing trade marks had been removed before import of the clothing, the Irish law provides protection for the brand owner.

Section 92 (1) of the Trade Marks Act 1996 specifically addresses the fraudulent application or use of trade marks on goods. The Act provides that it is an offence:

(a) to apply a mark identical to or nearly resembling a registered trade mark to goods or to material used or intended to be used for labelling, packaging or advertising goods

(b) to sell, let for hire, offer or expose for sale or hire or distribute goods or material bearing such a mark which is used or intended to be used for labelling, packaging or advertising goods

(d) to possess in the course of a business goods or material bearing such a mark with a view to doing any of the above

The removal of the labels in the case above was an attempt to avoid detection by customs which was foiled by the joint efforts of the Gardai and customs authorities. However, these strategies on the part of counterfeiters will certainly present a challenge for brand owners who rely on customs actions. This will make co-operation amongst brand owners and customs for the detection of counterfeit products even more crucial. Organisations like the International AntiCounterfeiting Association will presumably be hoping that increased co-operation and communication initiatives between members and customs authorities will result in enhanced capability for border authorities to readily identify counterfeit products.

Technology Focus in New Data Protection Commissioner Annual Report

Mark Rasdale — Mon, 30 Apr 2012 13:55:09 +0100

The Office of the Data Protection Commissioner has published its 23rd Annual Report today. The high level of investigative activity in relation to data protection matters continued unabated during 2011. The ODPC notes a clear shift from traditional complaints relating to inappropriate or unfair use of personal data to a "clearer technology focus" where complaints are increasingly relating to the security of personal data and the use or misuse of technology in ways that present real risks to personal data.

A few interesting statistics are included in the report:

Investigations and enforcement accounted for 35% of the allocation of the ODPC resources;

A total of 17 formal decisions on whether there had been a breach of the data protection legislation were made, 13 of which fully upheld the complainant's assertion of breach;

Complaints in relation to data subject access requests accounted for approximately 40% of the overall total of complaints received (and interestingly 3 of the 13 case studies included in the ODPC Report relate specifically to data subject access requests);

There was a 300% increase on the number of data security breach notifications received during 2011 compared to 2010;

A total of 23 audits were conducted by the ODPC.

The ODPC make specific reference to the transposition of the e-Privacy Directive (SI 336 of 2011), which contains the so called "Cookie Law". The ODPC indicates that it now regards this law as being well established and expects to see significant efforts being made by websites to achieve compliance.

The ODPC also confirms that it worked with the implementation group appointed by Government to consider the potential for further development of cloud computing in Ireland. It notes that the Government is expected to report on the findings of the relevant implementation group later this year.

A full copy of the annual report can be accessed here.

Data Retention Directive does not preclude copyright holders from obtaining access to data retained by ISPs

Davinia Brennan — Tue, 24 Apr 2012 14:43:43 +0100

The CJEU has ruled, in Bonnier Audio AB and others v Perfect Communication Sweden AB, Case C-461/10, 19 April 2012, that the Data Retention Directive (2006/24/EC) does not preclude the application of national laws that allow an ISP to be ordered to provide information identifying a particular subscriber whose IP address is suspected of being used for infringing purposes.

The Data Retention Directive (which was implemented in Ireland by the Communications (Retention of Data) Act 2011) requires ISPs and Telcos to retain certain data to ensure such data is available for the purposes of the investigation, detection and prosecution of serious crime and the combating of terrorism, and to provide such data only to certain public authorities.

The Facts

The applicants, several Swedish publishing companies which hold exclusive rights to the reproduction, publishing and distribution to the public of 27 works in the form of audio books, claimed that their exclusive rights had been infringed by the public distribution of these 27 works, without their consent, by means of an FTP (file transfer protocol) service. The ISP through which the alleged illegal file exchange took place was ephone.

The applicants applied to Solna District Court, in Sweden, for an order for disclosure of the name and address of the person using the IP address from which it the alleged infringing files had been sent. The ISP, ePhone, challenged this application arguing that it was contrary to the Data Retention Directive. Solna District Court granted the application for an order for the disclosure, and ePhone brought an appeal before the Stockholm Court of Appeal, seeking dismissal of the application for disclosure. It also requested a referral to the CJEU seeking clarification of whether the Data Retention Directive precludes the disclosure to persons other than those authorities referred to in the Directive, of information relating to a subscriber to whom an IP address has been allocated.

The Stockholm Court of Appeal held that there is no provision in the Data Retention Directive which precludes a party to a civil dispute from being ordered to disclose subscriber data to someone other than a public authority. It also dismissed the application for a referral to the CJEU. However, the Court of Appeal also found that the audio book publishers had not adduced clear evidence that there was an infringement of an IP right, and so it set aside the order for disclosure of data granted by the District Court.

The publishing companies then appealed to the Supreme Court of Sweden, who decided to stay proceedings and asked the CJEU:

- Does the Data Retention Directive precludes the application of a national provision which is based on Article 8 of the Intellectual Property Enforcement Directive (2004/48/EC), and which permits an ISP in civil proceedings, in order to identify a particular subscriber, to be ordered to give a copyright holder or its representative information on the subscriber to whom the ISP provided a specific IP address, which address it is claimed, was used in the infringement? The question is based on the assumption that the applicant has adduced evidence of the infringement of a particular copyright and that the measure is proportionate.

- Is the answer affected by the fact that the Member State has not implemented the data storage directive despite the fact that the period prescribed for implementation has expired?

The Decision

The CJEU held that the Data Retention Directive does not preclude national laws, based on Article 8 of the Intellectual Property Enforcement Directive, that permit an ISP to be ordered to provide information identifying a subscriber whose IP address is suspected of being used for infringing purposes. This was because that legislation does not fall within the material scope of Data Retention Directive.

The main proceedings in this case involved a civil procedure and the data was requested not by a competent national authority, but by private persons, and the Data Retention Directive was accordingly not applicable. The second question, relating to the effect of the failure to transpose the Data Retention Directive into Swedish law, was thus irrelevant.

The ECJ also noted that the e-Privacy Directive (2002/58/EC) and the Intellectual Property Enforcement Directive must be interpreted as not precluding Member States from imposing an obligation to disclose to private persons personal data in order to enable them to bring civil proceedings for copyright infringements, but nor do they require Member States to lay down such an obligation. However national legislation, transposing the directives, must enable the courts to weigh the conflicting interests involved in an application for disclosure of personal data, and to take into account the facts of the case and the requirements of proportionality, (Productores de Musica de Espana (Promusicae) v Telefonica de Espana SAU (Case C-275/06) cited).

gTLD list due to be published by ICANN

Ciara Cullen — Fri, 20 Apr 2012 13:54:03 +0100

There have been a number of developments on this topic since our last blog post. Since January, companies and organisations have been applying to the Internet Corporation for Assigned Numbers and Names (ICANN), to have almost any word, in any language, registered as a domain name or gTLD.

April 30^th is an important date for all brand owners as the full list of domain name applications is due to be published that day. The number of applicants is expected to be at least 1,000. It will be interesting to see who has made an application.

Where an application has been made for a similar or identical domain name, it will be possible for brand owners to object through WIPO.It will also be important over the next few months for companies to consider registering their brands with ICANN’s Trade Mark Clearing House (TCH), which is an initiative being implemented by ICANN as part of the gTLD application programme to protect current trade marks. ICANN estimates that this will be operational by October 2012. The TCH will act as a central storehouse of trade mark information. Once an applicant attempts to register a gTLD that matches a trade mark registered with the TCH, they will receive a warning stating that the creation of the domain name may be considered cybersquatting. This system will be invaluable to brand owners of trade marks who, if registered in the TCH, will receive advance notification when someone tries to register a domain name that is identical to their trade mark.

Brand owners eagerly await publication of the list of applications. Hopefully further technical problems can be avoided - ICANN recently had to take the gTLD online application system offline for a few days after a technical glitch allowed some applicants to see the file and user names of other applicants. However, ICANN remains optimistic that the publication will go ahead as planned.

BBC Allege Virgin "Doctored" Advertising

Sally Anne Hinfey — Wed, 18 Apr 2012 15:39:19 +0100

Virgin Media has discontinued a recent advertisement for the Virgin TIVO style set top box. The television advertisement contained a sketch in which the former Doctor Who, David Tennant sits watching television and selects his favourite programmes which includes old Doctor Who episodes, complete with images of the Doctor Who logo. Meanwhile, Richard Branson appears to be tinkering with a time machine which subsequently transforms him into his younger self.

The BBC alleged that the references to time travel combined with the display of old Doctor Who episodes and the Doctor Who logo was an unauthorised attempt to use the show's brand and goodwill for the promotion of the Virgin product and that such use could be perceived as a commercial endorsement of Virgin Media products.

Virgin has indicated that it will take down the advertisement as a gesture of goodwill to the BBC. This clearly shows that great care should be taken by businesses when devising media and advertising campaigns. For example, in Ireland the Consumer Protection Act 2007 does provide that a commercial practice will be misleading where it deceives or is likely to deceive in relation to, for example, the existence, extent or nature of any approval or sponsorship (direct or indirect) of a product by others and which accordingly is likely to cause a consumer to make a transactional decision he would not otherwise make.

Even indistinct allusions and references to popular or well-known third party brands can incur the ire of the owner of those rights. It is crucial to consider fully the risks involved in such advertising before going to the cost and expense of producing the final product. Virgin Media might now wish it could travel back in time to choose another way to advertise its new set top box.

Who said there is only One Direction?!

Ciara Cullen — Fri, 13 Apr 2012 15:45:31 +0100

Boy band One Direction was sued for trade mark infringement in the US this week. A California-based rock group of the same name has filed a multi-million dollar lawsuit against the British/Irish band and their representatives, Syco Entertainment and Sony Music, seeking an injunction preventing them from using the name One Direction in promotional materials.

The California-based band has allegedly been using the name One Direction since late 2009, prior to the formation of the British/Irish band on the X Factor in 2010.

It filed an application to register the trade mark at the US Patent and Trademark Office in early 2011. The trade mark has not yet however been registered. Interestingly, it appears from online searches at the USPTO that representatives of the British/Irish One Direction have applied to register a similar trade mark, “1D One Direction”.

The lawsuit, filed in the California Central District Court, claims that Syco Entertainment and Sony Music “chose to ignore the plaintiff’s rights and wilfully infringed them” after realising that the two bands shared the same name. It goes on to state that the use of the name by both bands is causing “substantial confusion and substantial damage” to the goodwill earned by the US group. The lawsuit claims that the US group is entitled to three times the profit earned by their rivals, together with compensatory damages in excess of $1million.

This case should serve as a warning to new bands to give careful consideration to the name they choose. A newly formed band should treat its proposed name like a start-up company would – in this regard, it is worth considering carrying out searches in order to ensure that the proposed name, or a confusingly similar name, is not already registered or in use in any jurisdiction in which the band intends to market and promote itself.

One Direction’s recent US number one album has made pop history bringing enormous media coverage and fame to its five young members. The teenage hysteria has been compared to 1960’s Beatlemania. This success may however be tainted if the US Court decides against it. We shall wait and see who will ultimately win out in the Battle of the Bands!

Court of Justice referral denied to controversial Anti-Counterfeit Trade Agreement

Angeline O'Connell — Thu, 05 Apr 2012 18:40:19 +0100

Recently, we blogged on the progress of the Anti-Counterfeit Trade Agreement (ACTA) currently being fostered by the European Commission. The Agreement, which has been signed by the US, Japan and Australia, represents common standards by which countries agree to regulate aspects of IP infringement. Following a decision at the European Parliament on 27 March, ACTA has now side-stepped a referral to the CJEU.

The decision, the outcome of a vote by the International Trade Committee (ITC), will result in the ACTA coming before the European Parliament for a full vote as early as this summer. The referral to the Court of Justice of the European Union was recommended by the European Commission, which has championed this controversial Trade Agreement.

Critics of ACTA have broadly welcomed the decision, calling the referral a stalling tactic to delay the vote taking place in the European Parliament.

Cookie Law Clarification

Mark Rasdale — Thu, 05 Apr 2012 16:14:21 +0100

The European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011 took effect from 1 July 2011 in Ireland and introduced the updated and rather controversial provision requiring consent to the use of cookies on websites (see our earlier blog here). Therefore, the publication by the International Chamber of Commerce in the UK of new guidance on the subject is timely and to be welcomed, although it shouldn't be taken as a definitive statement of the law or indeed reflective of the views and approach of the Irish Data Protection Commissioner.

A few points are worth noting from the Guidance, a full copy of which can be accessed here. It is intended to promote consistent presentation on websites about the use of cookies and supports a move towards the use of iconography by businesses to make it easy for users to understand what cookies are used and why. It places cookies into four broad categories:

(i) Strictly Necessary: These are cookies without which certain web based services could not be provided (such as maintenance of tokens to access secure website areas) and which do not generally require consent. However, it is still necessary to provide information to users about such cookies;

(ii) Performance Cookies: These are cookies which, for example, analyse the traffic to a website on an anonymous basis in order to enhance performance;

(iii) Functionality Cookies: These are cookies which collect information about user behaviour in order to enhance the users experience online, such as remembering previously provided preferences; and

(iv) Targeting cookies: These are used to deliver targeted advertising to users based on browsing habits.

It acknowledges the importance of carrying out technical audits in relation to cookies and ensuring, depending on the category of cookie, that website terms and notices are drafted to ensure that appropriate information is being provided and where it is required, consent is both informed and clearly captured. The interaction between web-site providers and third parties who set cookies is highlighted as an area that requires particular focus and can give rise to complications, in terms of who is best placed to obtain the consent from the user. It includes sample consent wording for website operators to consider. A consent is only meaningful where it can be withdrawn and so website operators should consider how this can be achieved.

Data Protection Working Party issues Opinion on the data protection reform proposals

Davinia Brennan — Wed, 04 Apr 2012 14:34:45 +0100

The Article 29 Working Party has issued its Opinion on the draft Data Protection Regulation. The Working Party welcomes the proposals, but notes that parts of the Regulation need clarification and improvement.

With regard to the positive aspects of the Regulation, in brief, the Working Party states that:

For individuals, the Regulation strengthens their rights by providing for greater transparency, strengthened right to data access, strengthened right to object, right to data portability, strengthened right to data deletion ('right to be forgotten'), and strengthened right to redress both through the DPA and the courts.
For data controllers, the Regulation brings greater consistency, through privacy impact assessments, appointment of a DPO, data breach notification duties and the adoption of a precautionary approach to international transfers.

For data processors, the Regulation introduces an obligation to take on the responsibility of controller for a specific data processing operation if the processor goes beyond the instructions of a controller regarding that processing operation (relevant to 'cloud' providers).
For DPAs, the Regulation provides for strengthened independence and powers, including administrative fines, and the obligation to be consulted on legislative measures.

The Working Party suggest a number of improvements to the Regulation, such as clarification that data subjects with a complaint should initially address the DPA within the jurisdiction where they reside, or the DPA where the data controller or processor has an establishment. The Regulation currently includes several possibilities for data subjects to exercise their rights and seek justice, which might lead to confusion and uncertainty.

It is recommended that DPAs should have a margin of discretion in deciding when to impose a fine, rather than being obligated to impose them in situations prescribed in the Regulation.

The Working Party suggest amending the way in which the data breach notification duty is set up by instead introducing a two-step notification approach. Notification of the breach by the controller should occur within 24 hours after becoming aware of the breach, with a further opportunity to notify any information which cannot be provided within the 24 hour limit. This should help ensure timely notification.

The Working Party state that the definition of ‘personal data’ as it now stands might lead to an unduly restrictive interpretation of the notion of personal data, in relation for instance to IP addresses and cookie IDs. It suggests that the definition is amended to ensure IP addresses and cookie IDs may be considered ‘personal data’.

The Working Party note that the manner in which it is decided where a multinational company (whether EU-owned or non-EU owned) has its main establishment needs to be further clarified, including where it has separate legal entities operating in different sectors.

Further, the Regulation provides that it applies to the processing of personal data of data subjects residing in the EU by a controller that is not established in the EU, where the processing activities are related to the offering of goods and services to such data subjects in EU or the monitoring of their behaviour. The Working Party opines that further clarification is needed in regard to what is meant by both ‘offering of goods and services’ and ‘monitoring of their behaviour’.

Opinion 01/2012

€1.2m to Make Ireland a World Leader in Cloud Computing

Ciara Cullen — Wed, 04 Apr 2012 11:46:01 +0100

Earlier this week the Minister for Jobs, Enterprise and Innovation, Richard Bruton TD, unveiled the Government’s planned investment of €1.2 million in a new research programme that it hopes will not only create jobs and economic growth but will also help to make Ireland a world leader in cloud computing.

The funding, which will be allocated to a consortium of Higher Education Institutions over 12 months, will support the initial research programme of the Cloud Computing Technology Research Centre as part of the Government’s five year investment in the centre. Technology Centres are public-private research centres that bring industry and education together to create new, industry-relevant knowledge.

The Cloud Computing Technology Research Centre is one of ten such thematically based centres to be established jointly by Enterprise Ireland and IDA Ireland.

The consortium will be led by Dublin City University and will work with a group of software companies to establish innovative ways of exploiting cloud computing technology with a particular emphasis on the areas of cloud computing technology architecture, service management, business research and cloud security.

Cloud computing has been identified by the Government, in its Action Plan for Jobs, as a potential growth area in which Ireland has distinct advantages over other countries given its highly educated and skilled workforce, telecoms connectivity and established reputation in the ICT sector. The Cloud Computing Technology Research Centre is seen as key to growing Ireland’s cloud computing sector, and this investment by the Government is a key step in the right direction with the potential to create fresh opportunities for businesses in Ireland.

New Draft Code Clamps Down on "Bad Foods" Advertising

Sally Anne Hinfey — Fri, 30 Mar 2012 17:04:40 +0100

The Broadcasting Authority of Ireland (BAI) has today launched a public consultation on a new Draft Children’s Commercial Communications Code (Children’s Code) and a new Draft General Commercial Communications Code (Commercial Code). The new Children’s Code is necessary for the Broadcasting Act to fulfil its obligations under the Broadcasting Act 2009. A copy of the draft Children's code is available here. The focus of the draft Children’s Code is, in particular, the area of fatty and sugary foods and the limits which ought to be placed on advertising of such foods to children. The code proposes that..

children’s commercial communications for food and drink which is high in fat, salt and sugar (or “HFSS”) shall not:

1) be permitted in children’s programmes as defined by the code;

2) include celebrities or sports stars;

3) include programme characters;

4) include licensed characters e.g. characters and personalities from cinema releases;

5) contain health or nutrition claims; or

6) include promotional offers.

The new draft Commercial Code proposes a limitation on HFSS advertising so that no more than 25% of sold advertising time and only one in four advertisements for HFSS products will be permitted across the broadcasting day.

The BAI has now opened up the two draft codes to a second round of consultations from interest parties and the public. It is calling for responses to this consultation no later than Thursday, 31st May, 2012.

No Cloud Over the Patriot Act

John Whelan — Wed, 21 Mar 2012 18:39:08 +0100

Numerous laws and treaties are in place that bolster the ability of law enforcement authorities to co-operate across borders in the investigation, apprehension and conviction of serious criminals and terrorists. In the US these laws, which are often misunderstood, have recently come under scrutiny because of amendments to the USA Patriot Act 2001. There has been a suggestion that the US legislation provides over-broad powers for US law enforcement authorities to subpoena business records from companies connected with the US, regardless of location or jurisdiction, and that the cloud computing sector is particularly vulnerable. A&L Goodbody has produced a comprehensive article which discusses the issues around data security and cloud computing in the context of the Patriot Act and equivalent Irish laws. The fact of the matter is that there is no "cloud" over the new legislation.

Government Launches Consultation on New Data Protection Law Proposal

Mark Rasdale — Mon, 12 Mar 2012 18:14:27 +0100

The Minister for Justice and Equality last week launched a consultation process on the European Commission’s proposal for a new Regulation on data protection standards within the EU.

The proposal is generating significant debate within the business community, not least due to the headline grabbing proposal to introduce financial sanctions for non-compliance linked to a percentage scale of the global turnover of companies.

The current data protection regime is widely acknowledged to be in need of updating. The Regulation will not allow Member States the discretion which a Directive allows, in terms of how the provisions are to be implemented. The aspiration to move towards harmonisation and standardisation of approach in data protection matters across the EU is to become a reality.

One key area of focus for many corporates in Ireland will be the proposal to introduce a one-stop shop principle to data protection regulation. The current regime has a relatively uncontroversial "establishment" test in order to determine whether local data protection laws in each Member State apply. In broad terms, the proposal is to enhance the significance of the establishment test by providing that companies are subject to regulation only in the jurisdiction in which they have their main place of establishment. This will be particularly important for many coporates established in Ireland (who will be familiar with the main or principal establishment concept in the context of tax considerations) and is likely to lead to a much more involved analysis of the establishment rule in the context of data processing in the future. It may also lead to even more significant demands on the resources of the Office of the Data Protection Commissioner in Ireland if the current welcome trend of global companies (particularly those in the technology, data centre services and social media spaces) establishing operations in Ireland continues.

Another key area of focus for corporates will be the increased importance of the principle of accountability for data processing activities and the need for data controllers and processors to be able to demonstrate in a detailed and very public manner, that their procedures and controls are in place and working. The current regime is to a large extent reactionary in terms of managing risks and dealing with individual concerns about processing. That said, it still presents a significant demand on the resources of many companies and we are increasingly seeing signs of a shift from a relatively co-operative approach to data protection enforcement to a more proactive and intrusive regime. The new Regulation will do nothing to buck that trend it seems, particularly with new obligations such as appointment of a Data Protection Officer in all companies with over 250 employees, the requirement to carry out privacy impact assessments on an ongoing basis, increased obligations for data processors, and, of course siginifcant monetary sanctions.

There is much food for thought in the new Regulations. These are just two aspects that might prompt companies to contribute to the consultative debate. Deadline for submissions is the end of March!

Further information can be found on on the Department of Justice and Equality's website at the following link: European Commission's proposal for a new Data Protection Regulation

UK Decision Paves the Way for Service of Legal Claims via Facebook

Michelle Halton — Tue, 06 Mar 2012 17:20:14 +0100

The English High Court recently confirmed that legal papers can now be served through the social networking site, Facebook. On 21 February of this year, Justice Nigel Teare granted permission to a lawyer representing a pair of investment managers to serve a legal claim via Facebook in circumstances where the defendant was proving difficult to locate. The lawyers for the plaintiffs, having made enquiries, were able to satisfy the Court that the Facebook account belonged to the defendant and that the defendant was in the habit of checking it.

This is not the first time that social media sites have been used for such a purpose. In 2009, the English High Court permitted a lawyer to use Twitter in order to serve an injunction to a Twitter user and Facebook has been used in the past in the UK for the purpose of issuing a court summons to an otherwise elusive debtor. Similarly, social media sites have been used to serve claims in Australia and New Zealand ever since the landmark ruling in December 2008 of the Australian Territory Supreme Court in Canberra, where the Australian courts granted permission to a Canberra based law firm to deliver legal papers online via Facebook to a couple, after ascertaining that the profiles found by the lawyers did indeed belong to the couple in question. In granting permission to use the social networking site, the judge directed that the legal papers be sent by private email so that other people visiting the page could not read their contents.

It has been reported that this is the first time this method of service has been approved at such a high level, namely in a case involving a £1.3m claim before the English High Court.

Music Companies Challenge DPC Enforcement Notice

Steven Duggan — Fri, 02 Mar 2012 18:24:02 +0100

On Tuesday of this week, four major music companies issued judicial review proceedings seeking to quash an enforcement notice of the Data Protection Commissioner (the DPC).

The four companies, EMI Records (Ireland) Ltd, Sony Music Entertainment Ireland Ltd, Universal Music Ireland Ltd and Warner Music Ireland Ltd, fear that the DPC’s notice will bring an end to their “three strikes” agreement with eircom (see a previous post on this here).

The companies believe that the enforcement notice of 5 December 2011, which effectively directs eircom to cease the implementation of its three strikes policy, amounts to an unlawful attempt by the DPC to reopen data protection issues already determined by the High Court in its decision in EMI Records& Ors –v- Eircom Ltd (the DPC was not a party to these proceedings).

The challenge arises out of the fact that data protection concerns, raised by the DPC, relating to the three strikes procedure being implemented by eircom were previously declared to be in compliance with data protection legislation by Mr. Justice Charlton in his judgment in the EMI Records& Ors –v- Eircom Ltd case.

Despite the ruling of Mr Justice Charlton, the DPC, in November 2011, informed eircom of his belief that the three strikes procedure was not in compliance with data protection legislation. This was followed by the issuing of the enforcement notice requiring eircom to cease obtaining subscriber data in order to operate the procedure.

As such, the music companies claim that the DPC has operated in excess of his powers and are seeking to have the enforcement notice quashed.

However, it is noteworthy that there have been a number of Opinions released by the European Commission since the EMI Records& Ors –v- Eircom Ltd case, which will be of relevance in this particular space. In particular the Opinion of the European Data Protection Supervisor on net neutrality, traffic management and the protection of privacy and personal data published in February 2012 will no doubt be of relevance. Although this Opinion is not directly on point, it recognises that:

“…when ISPs inspect communication data in order to differentiate each communication flow and to apply specific policies, which may be unfavourable to individuals, the implications are more significant. Depending on the circumstances of each case and on the type of analysis performed, the processing may be highly intrusive for an individual’s privacy and personal data.”

Certainly, this area continues to attract controversy and discussion at both national and European level and this case will be “one to watch”. We will be sure to post further updates as the case progresses.

Copyright Developments Abound

Sally Anne Hinfey — Fri, 02 Mar 2012 13:23:58 +0100

Two major developments in Irish copyright law came about this week. The First was the signing into law of the European Union (Copyright and Related Rights) Regulations 2012 on which we previously blogged (see link to article here).

The second was the publication of the long awaited Copyright Review Group report on the barriers to innovation in the Copyright and Related Rights Act 2000 (“CRRA”) (see full Copyright Review Group Report here).

The findings of the Copyright Review Group (“Review Group”) are too many to summarise in detail here. However, of significance were recommendations around amending the wording for the exception for transient and incidental copying to include wording that will require that the act of transmission has “no independent economic significance”. Furthermore, the Review Group has recommended that the “Fair Dealing” definition be non-exhaustive and that Ireland implement all EU exceptions and limitations provisions in order to bring it in line with other countries and prevent a competitive disadvantage arising.

Interestingly, the Review Group also acknowledged that there may be a need for an Irish Copyright Council who would engage with collecting societies to oversee the development of a simple yet broad rights-clearance mechanism:

“a one-stop shop with a central and comprehensive database of licensable rights, and perhaps even work towards online automated digital permission and payment systems.

While making a number of recommendations, the Report also clearly rejects some submission made by interested parties and indicates that some others were not relevant to the Review Group’s mandate to examine barriers to innovation. In particular, the Review Group were largely not in favour of introducing private copying levies and did not see the controversial area of the Artist Resale Right as one which impeded innovation.

The Review Group have also called for submissions on a number of areas where they were unable to reach conclusive views, to include:

Broadcasting and the extension of the definition of “Broadcasting” under the CRRA to bring it in line with the Broadcasting Act 2009 which allows for certain internet broadcasts to fall within the remit of that Act – The Review Group did not sway one way or another on this point and sought submissions on the issue.
Cable re-transmission and web streaming – The Review Group looked at whether this should apply to web-based streaming and invited submissions on this point.
Intermediary liability – The Review Group has called for submissions around the area of Intermediary liability, the case for immunities for Intermediaries and the possibility of re-defining the term “intermediary”.

Probably to the disappointment of some, the Review Group has not largely opined on the area of Intermediary service provider liability and the current carve outs under Irish law for such liability. However, it is likely that this area will be developed further by the Courts now that new Regulations provide expressly for injunctive relief against ISPs.

Those parties who wish to learn more about the various matters discussed in this Report may attend a Public Meeting from 10:00am until 12:00 noon, on Saturday 24 March 2012, in Trinity College Dublin.

CJEU finds online social networking provider not required to install filtering system

Davinia Brennan — Fri, 17 Feb 2012 16:58:30 +0100

The CJEU has held* that EU law precludes an injunction requiring an online social networking provider to install a system for filtering information stored on its servers by users, in order to prevent files from being made available to the public in breach of copyright.

The Belgian court asked the CJEU whether Directives 2000/31 (the E-Commerce Directive), 2001/29 (the InfoSoc Directive), and 2004/48 (the Enforcement Directive), were to be interpreted as precluding a national court from issuing an injunction against a hosting service provider requiring it to install a filtering system. It was not in dispute that the owner of an online social networking platform, such as Netlog, which stores information provided by users of that platform on it servers, was a hosting service provider within the meaning of Article 14 of the E-Commerce Directive.

In November 2011, in Scarlet Extended SA v Societe belge des auteurs, compositeurs et editeurs (SABAM) Case C-70/10, the CJEU held that EU law precludes the imposition of an injunction by a national court which requires an internet service provider to install a filtering system with a view to preventing illegal downloading of files (see our discussion of the ECJ’s judgment in Scarlet Extended SA here).

The CJEU followed its earlier findings in Scarlet Extended SA. Itnoted that the InfoSoc Directive and the Enforcement Directive provide that holders of intellectual property rights may apply for an injunction against operators of online social networking platforms (such as Netlog), who act as intermediaries. However article 15 of the E-Commerce Directive prohibits national authorities from adopting measures which would require a hosting service provider to carry out general monitoring of the information that it stores.

The proposed filtering system would require the hosting service provider to: identify the files on its servers likely to contain works in respect of which intellectual property holders could claim to hold rights; to determine which of those files were being stored and made available to the public unlawfully; and lastly, to prevent files that it considered to be unlawful from being made available.

The CJEU found that the imposition of injunction would require the hosting service provider to actively monitor almost all the data relating to all of its service users, in order to prevent any future infringement of intellectual property rights. It followed that that injunction would require the hosting service provider to carry out general monitoring, which was prohibited by Article 15 of the E-Commerce Directive.

The injunction was therefore inconsistent with EU law, and would result in a serious infringement of the freedom of the hosting service provider to conduct its business. In those circumstances, the CJEU held that the injunction to install the contested filtering system could not be regarded as respecting the requirement that a fair balance be struck between the protection of the intellectual property right of copyright holders, and that of the freedom to conduct business enjoyed by hosting service providers.

The CJEU’s decision will be welcomed by online social networking providers as it shows that it is incompatible with EU law to require them to install filtering systems in order to prevent infringements of copyright.

*Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog NV, Case 360/10, 16 February 2012