Friday, September 10, 2010

Supreme Court rules that IP addresses are personal data in file-sharing case

The Supreme Court of Switzerland ruled that IP addresses constitute personal data in an 8 September 2010 case involving a company, Logistep AG, which had collected, without consent, the IP addresses of internet users who were illegally downloading copyrighted materials using peer-to-peer software. The company, which then passed on the details of those users to copyright holders for a fee, was held to have violated the Swiss Data Protection Act.

Logistep AG had developed software in 2008 to research which works were being offered online on peer-to-peer networks without the author's consent. Whenever one of these works was downloaded illegally, the software would record and store the data relating to the download. This data was then sold to members of the music and film industries interested in protecting their intellectual property, who could identify the owners of the internet connection used for the download and claim compensation for copyright violation.

The Court ruled that, while the interest of Logistep AG in reducing copyright infringement was valid, it did not override or justify the intrusion into personal privacy. The method was deemed to constitute ‘significant interference in the private sphere of each user’, which the state is obliged to protect. Logistep AG must now discontinue all of its activities.

The Swiss Data Protection Authority filed the case at the Supreme Court after the Federal Administrative Tribunal found in Logistep AG’s favour, ruling that the goal of hunting down those guilty of internet piracy did not require the consent of users.

Copyright (C) 2010 Data Guidance

Friday, September 03, 2010

CAP Code to apply to organisations' own website content and social networking sites

The Advertising Standards Authority (ASA) and the Committee of Advertising Practice (CAP) have extended the scope of the British Code of Advertising, Sales Promotion and Direct Marketing (CAP Code) to cover, from 1 March 2011, marketing communications on an organisation's own website and in other non-paid-for online space under a company's control, such as social networking sites. Currently, the Code applies to sales promotions wherever they appear but only to other marketing communications in paid-for online space. However, the Code's remit is to be extended in response to a formal recommendation from a wide cross-section of UK industry. As CAP accepts that it may be difficult to decide what marketing communications are covered by the new rules, it has set out a new three-step test to assist. The change represents a major extension to the remit of the ASA and CAP. Organisations have six months to ensure that their websites and other online space under their control comply with the code. The extended remit follows the introduction of a new CAP Code and Broadcast Committee of Advertising Practice (BCAP) Advertising Standards Code on 1 September 2010.

©Practical Law Publishing Limited; Practical Law Company Limited 2010

Friday, August 27, 2010

Update to Google Keyword Policy in Europe

Google announced on 4 August 2010 a change to its keyword policy in Europe: as of 14 September 2010 it will introduce a notice and take down procedure. Complaints can then be made directly to Google and, if Google agrees that they are valid, Google will remove the offending ads. This follows the recent ruling of the Court of Justice in the Google France joined cases.

See new policy - Adwords Trademark Policy

Friday, June 04, 2010

EU Takes Search Engines to Task on Data Retention

The European Union’s Article 29 Working Party has sent letters to Google, Yahoo!, and Microsoft telling them that they must cease retaining personal data of search engine users for more than six months and must improve their anonymization procedures. It also asked the companies to appoint outside auditors to review their procedures for anonymizing data to ensure that they truly prevent identification of the users behind the data. In addition, the Party sent copies of the letters to the U.S. Federal Trade Commission and asked it to investigate whether the companies’ data retention practices were “unfair” or “deceptive” within the meaning of the FTC Act.

Canada Moves A Step Closer to Mandatory Data Breach Notification

Canada’s Ministry of Industry has proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would require private sector entities to notify the Office of the Privacy Commissioner of breaches of personal data, and to notify affected individuals directly if the breach creates a “real risk of significant harm.” The proposal will now be considered by Parliament. The Privacy Office in the past has opposed mandatory notification, but this time around has said it welcomes the proposal. Chances thus seem fairly good that Canada will join the breach notification club.

Friday, February 19, 2010

EU Revises Model Contract Clauses for Data Transfers

The EU Data Protection Directive restricts transfers of personal data of EU residents to non-EU countries. A common approach for complying with this obligation is for the EU data transferor and the transferee abroad to adopt model contract clauses approved by the European Commission. The European Commission earlier this month adopted a decision approving a new set of model contract clauses for the transfer of personal data from a data controller to a foreign processor (controller-to-controller clauses were previously approved). The new clauses permit the foreign processor to re-transfer data to a sub-processor (the previous version did not permit this), and delete an arbitration provision from the previous version that had never been applied in practice.

© Copyright 2010 Steptoe & Johnson LLP

Friday, February 12, 2010

European Commission urges social-networking service providers to improve child safety policies

The European Commission is urging social-networking service providers to improve their child safety policies. In February 2009, 17 social-networking service providers such as Bebo, Facebook, Google and Microsoft signed an agreement on "Safer Social Networking Principles for the EU" (see Legal update, Social-networking service providers sign agreement on child online safety). The Commission has published a report, in which it says that most of these companies had empowered minors to tackle online risks by making it easier to change privacy settings, block users or delete unwanted comments and content. However, Viviane Reding, Commissioner for Information Society and Media, said more needed to be done. Less than half of social-networking providers made profiles of under-18 users visible only to their friends by default and only one third replied to user reports asking for help. Source: European Commission press release, 9 February 2010.

Court Muddies the Water on Electronic Signatures in New York

In Prudential Ins. Co. v. Dukoff, et al., a federal district court in New York has left unclear whether state regulators can add requirements for electronic signatures that go beyond those defined in the state’s electronic signatures law. While the court suggested that the state insurance department’s requirements were inconsistent with the statute, it nonetheless deferred to the department’s opinion that an electronic signature on an insurance application is valid only if the insurer can verify the identity of the person signing the application.

© Copyright 2010 Steptoe & Johnson LLP

Is the UK Moving Toward A De Facto Data Breach Notification Requirement?

The UK's Information Commissioner's Office recently warned companies that they could face tougher sanctions if they don't report data security breaches to the ICO. Although notification is not strictly required by the ICO, a recent statement by the ICO suggests that the agency may be seeking to establish a de facto notification requirement for serious data breaches. This warning is yet another sign that more countries, particularly in Europe, are moving toward expressly requiring notification of government agencies and/or affected individuals in the event of a data breach.

© Copyright 2010 Steptoe & Johnson LLP

Friday, January 22, 2010

Court Refuses to Enforce Take-Down Injunction Against Website

USA: A federal district court in Illinois has ruled in David Blockowicz, et al., v. Joseph David Williams, et al., that a website is not required to remove defamatory remarks despite an injunction against the persons who posted the remarks on the site. Wishing to avoid the immunity provision of the CDA, the plaintiffs sued the actual authors of the defamatory remarks rather than the websites that posted the remarks. The court issued an injunction requiring the defendants to remove the remarks, but the plaintiffs were unable to contact the defendants. The plaintiffs therefore moved for third-party enforcement of the injunction against the website. But the court was unpersuaded that the website – despite Terms of Service that included a copyright claim to all posted comments, a statement that comments would never be removed, and an indemnification clause – should be considered an aider and abettor of the defamatory remarks, and therefore refused to enforce the injunction against it.

© Copyright 2010 Steptoe & Johnson LLP

UK: Court rejects copyright infringement and breach of confidence claims

The High Court has rejected a claim by a computer games designer, Mr Burrows, that a director of a company called Circle Studio Limited (Circle), which had previously employed him, had infringed copyright in a game called "Traktrix" which Mr Burrows had proposed to them, or breached confidence, by trying to exploit a substantially revised version of the game. Norris J found that there was no breach of confidence because the proposal for "Traktrix" was not disclosed in circumstances importing an obligation of confidence; in disclosing the idea to Circle, Mr Burrows was doing what he was paid to do as a games designer, and there was no evidence that he told Circle that it was an idea that he had thought up before joining Circle. Norris J rejected the copyright claim because, among other things, Mr Burrows argued that Circle had copied significant parts of his original document recording the concept for the game in a later design document relating to it. However, since nobody at Circle knew of the original document, if the design document incorporated parts of it, it was because Mr Burrows himself incorporated them. This was not a grant of an implied licence by Mr Burrows, but a unilateral act requiring no agreement on Circle's part.