Friday, August 28, 2009

Information Commissioner's Office (UK) publishes guidance on changes to notification fee

The Information Commissioner's Office (ICO) has published a guidance note, which will come into effect on 1 October 2009, on changes to the notification fee system for data controllers under the Data Protection Act 1998. Under the two-tier notification fee system for data controllers due to be introduced under the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009/1677), a data controller with an annual turnover of £25.9 million and 250 or more members of staff, and public authorities with 250 or more members of staff, will have to pay initial and annual renewal notification fees of £500, while other data controllers will continue to pay a £35 fee (see Legal update, New data protection regulations introduce two-tier notification fee structure). Among other things, the ICO's guidance explains the criteria used to determine which tier a data controller is in; provides details of certain organisations, such as charities, which will always be deemed to fall into the lower tier, regardless of their size or turnover; and explains the rationale for the fee changes.

Source: ICO guidance, Notification fee changes.

IPO rejects opposition to YOU CAN'T BE A VIRGIN ALL YOUR LIFE ITS TIME mark for telecoms

A hearing officer of the Intellectual Property Office has dismissed Virgin Enterprises Limited's opposition to an application to register YOU CAN'T BE A VIRGIN ALL YOUR LIFE ITS TIME for, among other things, telecommunications in class 38. Virgin Enterprises relied on its earlier registrations of VIRGIN for identical services in class 38 to oppose the mark under section 5(2)(b) of the Trade Marks Act 1994 (TMA). The hearing officer held that there was very little similarity between the marks, and that the average consumer would not assume that there was an economic association between the parties so as to give rise to a likelihood of confusion. The hearing officer also dismissed Virgin Enterprises' opposition under section 5(3) of the TMA, which was based on its earlier mark VIRGIN MOBILE in classes 9 and 38. He held that, although the name VIRGIN MOBILE had acquired a reputation as a trade mark in relation to mobile phones and telecoms, the relevant public would not make a link between the respective marks on account of their lack of similarity. The hearing officer did not consider that the applicant's ordinary English-language use of the word "virgin" amounted to taking advantage of the VIRGIN mark. Case: Application no. 2466095 to register the trade mark YOU CAN'T BE A VIRGIN ALL YOUR LIFE ITS TIME and opposition no. 96472, BL 0-216-09, 23 July 2009.

©Legal & Commercial Publishing Limited; Practical Law Company Limited 2009

High Court upholds claim for misuse of confidential information, breach of database right and passing off against ex-employee

The High Court has held that an ex-employee who copied and retained various documents and information belonging to his ex-employer, including thousands of contact details and sales figures, had acted in breach of confidence. Peter Smith J said that the claimant's database was an important tool as it provided an immediate base which the ex-employee could use to start up his rival business of organising conferences. He held that the ex-employee's activities amounted to a classic springboard operation. The judge also held that the ex-employee's acts in extracting a large amount of information from the claimant's database were a breach of article 16(1) of the Copyright and Rights in Database Regulations 1997, as it was clear that the database had been created with substantial investment in obtaining, verifying and presenting its contents. The judge also upheld a claim in passing off as the ex-employee had suggested that the conference his company was organising was a follow-up to the conference the claimants had held the previous year. Case: First Conferences Services Limited & another v Richard Bracchi & another [2009] EWHC 2176 (Ch), 26 August 2009.

Thursday, August 20, 2009

Argentine Court Holds Yahoo!, Google Liable for Defamatory Third-Party Content

They say a picture is worth a thousand words, but an Argentine court recently ruled that a picture can also be worth thousands of dollars in damages. Virginia Da Cunha sued Yahoo! and Google for damages after photos of her that were posted on sex-trade websites, without her consent, appeared in the results of Internet searches for her name. A civil court in Buenos Aires ruled for Da Cunha and awarded her $26,248 in damages, finding that the search engines actively amplified the harm of the defamatory third-party postings by making the sex-trade websites more accessible than they would otherwise be. The court also held that neither company was doing enough to guard against such harm to individuals.

© Copyright 2009 Steptoe & Johnson LLP

Friday, August 14, 2009

District Court “Backs Up” from Ninth Circuit’s Ruling on Access to Stored Email

A district court in Illinois recently determined that opened, web-based emails held by an Internet Service Provider are not in “electronic storage” within the meaning of the Stored Communications Act (SCA). Accordingly, the government could obtain such emails with a mere subpoena rather than a search warrant. The district court came to this conclusion despite the Ninth Circuit’s contrary ruling in Theofel v. Farey-Jones which, as we previously reported, reached a broader interpretation of “electronic storage” and thus affords greater privacy protection for emails.

© Copyright 2009 Steptoe & Johnson LLP

Payment Card Industry Issues Data Security Guidance for Wireless Networks

The Payment Card Industry Security Standards Council released a new set of recommendations on how organizations subject to the PCI Data Security Standard (DSS) should address the data security concerns raised by wireless networks. The DSS requires all participating “merchants, banks, [and] POS [point of sale] vendors” -- as well as their service providers and other contractors -- to implement six sets of security requirements: build and maintain a secure network, protect card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. As we have previously reported, the latest version of the DSS added a requirement that covered entities ensure that "wireless networks transmitting cardholder data or connected to the cardholder data environment [CDE] ... use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission." The guidance issued last month by the Standards Council offers suggestions on how to comply with this requirement.

Is There Such a Thing as an Honest Hacker?

According to the Second Circuit, there just might be. In reviewing a district court’s denial of a preliminary injunction against an alleged computer hacker accused of insider trading, the court drew a distinction between two types of hackers: one who misrepresents her identity to gain access to a computer, and another who takes advantage of a security glitch to achieve the same end. The court suggested that the latter conduct might not be “deceptive” within the meaning of section 10(b) of the Securities and Exchange Act of 1934.

Friday, July 31, 2009

British Court Finds Google Not Liable for Defamatory Search Results

A court in the United Kingdom ruled that Google is not liable for defamatory material that appears in its search results because it is not a "publisher" of such material. The court equated Google to a library catalogue, which would not be held liable for the content of the books it lists. The UK has traditionally been friendly to libel claimants, so this decision -- though consistent with rulings in the US and EU -- is an important precedent for search engines.

© Copyright 2009 Steptoe & Johnson LLP

Canada Joins Europe In Scrutinizing Social Networking Sites' Privacy Practices

The Office of the Privacy Commissioner of Canada has found that some of Facebook's most popular features -- including third-party applications and the tagging of photos with names and email addresses -- violate the data protection principles of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Those principles require organizations that use the personal information of Canadians to, inter alia, implement procedures to protect such information; identify the purposes for which it is collected; collect and retain it only where necessary for these purposes; and obtain the data subject's consent prior to its "collection, use, or disclosure." In its report, the Privacy Office found that Facebook failed to abide by these principles, citing several unresolved violations of PIPEDA. The Office stated that it would reassess Facebook's compliance with PIPEDA and the report's recommendations in 30 days. Along with a recent EU Article 29 Data Protection Working Party opinion (on which we previously reported) advising all social networking sites that handle the personal data of EU residents that they must comply with the EU Data Protection Directive, this report indicates that the increasing scrutiny of social networking sites' data protection policies around the world could force significant changes in the way such sites operate.

© Copyright 2009 Steptoe & Johnson LLP

Friday, July 24, 2009

Court fines owner of construction-worker database

The Information Commissioner's Office (ICO) has issued a press release indicating that Ian Kerr, owner of a firm trading as the Consulting Association, has been fined £5,000 by Knutsford Crown Court for breaching the Data Protection Act 1998 (DPA), and has been ordered to pay costs of £1,187. Mr Kerr had pleaded guilty to failing to notify as a data controller at Macclesfield Magistrates Court, which transferred the case for sentencing to the Crown Court (see Legal update, Owner of construction-worker database pleads guilty to data protection offences). An ICO investigation revealed that Mr Kerr had been operating a database for over 15 years containing details on 3,213 construction workers, including information about their trade union activity and employment history, which was used by over 40 construction companies to vet individuals for employment. The ICO also indicated in its press release that it intends to serve enforcement notices on 17 construction companies who were involved in using the database maintained by Mr Kerr. It said preliminary enforcement notices had been sent out, with formal enforcement action to follow shortly, subject to any representations made by the companies. Source: ICO press release, 16 July 2009.

©Legal & Commercial Publishing Limited

Friday, July 17, 2009

MySpace Wins CDA Immunity in Assault Cases

A California Court of Appeal recently upheld a lower court's ruling that the Communications Decency Act (CDA) immunized MySpace against claims stemming from "its decision not to implement reasonable, basic safety precautions with regard to protecting young children from sexual predators." In four consolidated cases, several girls aged 13 to 15 who were sexually assaulted by men they met through MySpace (the Julie Does) and their parents or guardians sued MySpace for negligence, gross negligence, and strict product liability. The appellate court held that these claims were barred by section 230(c)(1) of the CDA, which states that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" and has generally been interpreted as immunizing websites against claims stemming from information posted by third parties. Finding that it was "undeniable that appellants s[ought] to hold MySpace responsible for the communications between the Julie Does and their assailants," the appellate court concluded that "section 230 immunity shields MySpace" from liability. Along with the Lori Drew ruling discussed above, the court’s dismissal of these claims against MySpace suggests that both users and providers of social networking websites may be able to skirt liability for some of the sites' more unsavory uses – at least for now. But if courts continue to throw out cases where social networking websites have been involved in incidents of stalking, bullying, or assault, the public backlash could lead Congress to narrow the scope of CDA immunity.

© Copyright 2009 Steptoe & Johnson LLP

UK: High Court considers role of search engine operator as publisher

The High Court has held that Google Inc. could not be regarded as the publisher of words alleged to be defamatory which appeared in search results. The search engine operator had been joined in proceedings for defamation because internet searches on certain terms, including one of the claimant's trading names (Train2Game), brought up a thread "Train2Game new SCAM for Scheidegger" from a bulletin board which the claimant said was defamatory of it. Eady J found that, given that the search results were generated automatically, and that Google Inc. had blocked access to specific URLs identified by the claimant, but had no control over formulating search terms, so that it could not otherwise remove offending material, it was unrealistic to attribute responsibility for publication to Google Inc., whether on the basis of authorship or acquiescence. Eady J also considered various arguments regarding the application of section 1 of the Defamation Act 1996 to the facts, and the potential relevance of the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) to providers of search engine services. Case: Metropolitan International Schools Limited v (1) Designtechnica Corporation, (2) Google UK Limited, (3) Google Inc. [2009] EWHC 1765 (QB), 16 July 2009.

(source: practical law)

WIPO proposes paperless UDRP proceedings

ICANN has launched a 30-day consultation on a proposal from WIPO to allow for paperless UDRP proceedings by amending the UDRP implementation rules. In its proposal, WIPO explains that abolishing the requirement for hard-copy pleadings, in its view, will result in significant time and cost savings. However, it is proposing that notification of the proceedings is still sent by post to a respondent in case its e-mail address is incorrect or inactive. WIPO does not propose any changes to the UDRP itself. The consultation closes on 12 August 2009. Source: ICANN announcement, 13 July 2009.

(source: practicallaw)

Wednesday, January 21, 2009

IP crime data for 2007 published

The Intellectual Property Office (IPO) has published an interim report covering intellectual property (IP) crime data for 2007. The last IP crime report, which was published in December 2007, included IP crime data from 2006 (see Legal update, Government publishes 2007 intellectual property crime report). The IPO is to change the reporting period for the annual crime report from a calendar year basis to April to March, to follow the financial year, and this interim report will be included as an annex to the 2008/09 report. The interim report contains data from a number of sources, including a UK survey on film and television piracy, a study on the amount of unlicensed software in the EU, UK court statistics on IP cases, and data from a European Commission report on customs activities in relation to counterfeiting and piracy. Source: IPO press release, 9 January 2009.

EDPS issues second opinion on amendment of E-Privacy Directive

The European Data Protection Supervisor (EDPS) has published a second opinion on the proposed amendments to the E-Privacy Directive (2002/58/EC). The opinion analyses and compares the positions put forward by the European Council, the European Parliament and the European Commission, and includes a number of recommendations. Among other things, the EDPS continues to support the adoption of a security breach notification scheme under which national regulators and individuals will be notified when individuals' personal data has been compromised. He also reiterates many of the suggestions made in his first opinion relating to the scope of the Directive and the right of legal persons (including consumer associations) to bring legal action against service providers for infringement of the Directive. Compared to his original opinion, the EDPS has taken great care to spell out in more detail the specific reasons for his original recommendations, taking on board many of the points that have been made by the three European legislators since the first opinion was published.

PLC IPIT&Communications weekly

Monday, February 18, 2008

MySpace obtains transfer of myspace.co.uk

MySpace Inc. has succeeded in having the domain name myspace.co.uk transferred to it using Nominet's dispute resolution procedure. The respondent had registered the domain name in 1997, long before MySpace launched its social-networking site. The Nominet expert's main reason for finding the registration abusive was that after MySpace became a household name, the respondent posted links to various social-network site links on a pay-per-click "parking" site accessible via the domain name, enabling it to profit from the success of the MySpace site and also creating a risk of confusion between MySpace's services and those of other sites. This decision is a reminder that even if a domain name is registered in all innocence, the respondent's subsequent use of it may render the registration abusive. Source: MySpace Inc. v Total Web Solutions Limited, Case 04962, January 2008.

© Legal & Commercial Publishing Limited

Friday, August 31, 2007

ICASA guns for unlicensed WISPs

The Independent Communications Authority of SA (ICASA) has vowed to crack down on wireless Internet service providers (WISPs) that operate without a licence or allocated spectrum.

For opinions and advice on above topic - call us at Van Gaalen Attorneys

Mobile subscriber registration almost law

The National Assembly yesterday passed amendments to the monitoring of communications law. The amendments mandate cellular operators to register all prepaid customers within one year and that all visitors must register their cellphones. SA's estimated 38 million cellphone subscribers largely consist of prepaid users.

Monday, August 20, 2007

Who Knows What Evil Lurks in the Hearts of Disloyal Employees?

The Shadow may know, but some courts couldn't care less. Employers increasingly use the Computer Fraud and Abuse Act (CFAA) to seek redress against former employees that pilfered company data. Courts have split, however, on whether a former employee's improper use of company information is enough to make out a CFAA claim. As we have previously reported, several courts have held that an employee who accessed information for an improper purpose -- such as his personal benefit or that of his employer's competitor -- acted "without authorization" or "exceed[ed his] authorized access" within the meaning of the Act. But a few courts have gone the other way. Most recently, a federal court in Pennsylvania ruled in Brett Senior & Associates v. Fitzgerald that a former employee's allegedly unauthorized use of client files did not establish that the employee exceeded his authorized access when he took the files.

© Copyright 2007 Steptoe & Johnson LLP

Friday, August 10, 2007

German Court Rules that Skype Violated Open Source License

Open source software (OSS) is big right now. Part of what makes OSS so attractive is its licensing structure. OSS licenses require that software source code (i.e., the version that can be read and changed by human programmers) be made publicly available, and most OSS licenses -- including the most popular, known as the GNU General Public License (GPL) -- require that anyone who distributes a program based on OSS likewise make their changes publicly available. Many companies have discovered that using OSS code in their products makes good business sense. But using OSS software in a commercial product can also create legal complications. A case in point is a German court ruling (see case summary) that distribution of an OSS mobile phone using the Skype software without a copy of the GPL or source code violated the license's terms.

© Copyright 2007 Steptoe & Johnson LLP