Website Contracts Sign Up Information

• GDPR-grade fines issued by UK ICO
  British Airways has been fined over £180m by the UK Information Commissioner's Office, whilst the Marriott hotels group has been fined almost £100m. Both fines relate to the theft of personal data by hackers. In BA's case, hackers took around half a million customer records, while in Marriott's case over 300 million records were stolen. The ICO found that BA had "poor security arrangements" which did not meet its security obligations under the GDPR. Similarly, Marriott failed to ensure that the systems of the Starwood hotels group, which it acquired in 2016, were secure. Both companies are expected to appeal. The cases demonstrate that where there is a major data breach, the ICO will not be reluctant to exercise its powers to levy large fines under the GDPR.
• Pornography age verification delayed
  The Digital Economy Act 2017 requires commercial pornographic websites to put in place verification systems to ensure that children cannot access their content. The heavily-criticised verification requirement was due to come into force on 15 July. However, it has been delayed for around 6 months as a result of an administrative error by the UK government. See this report from The Register for details.
• Copyright protecting trade marks
  In ATB Sales v Rich Energy and others, the IP Enterprise Court in London has ruled that the Whyte Bikes "stag" logo was copied by Rich Energy's designers when producing a logo for its energy drinks. The similarities between the two logos are striking, and the case is a useful reminder that when trade mark infringement proceedings are unavailable, copyright can sometimes come to the rescue of an aggrieved brand owner.
• EU fines US tech giants
  Google has filed an appeal against a €1.5 billion fine levied by the European Commission in March. The fine relates to historic AdWords terms, which forbade publishers from carrying rivals adverts and, later, required that any rivals' adverts were displayed less prominently than the AdWords adverts. Another US tech company, Qualcomm, is reportedly facing a €1 billion fine for making payments to Apple to block out rival chip makers.
• AdTech vs data protection
  The UK Information Commissioner has published a report on AdTech. Unsurprisingly, the report suggests that the AdTech industry is in widespread breach of EU data protection laws. In a key finding, the Commissioner states that not only is consent required for the placing of cookies on an individual's device, it is also the most appropriate basis for processing personal data collected using cookies in the course of serving personalised adverts. The full report is available on the ICO website.
• Restraints unrestrained
  The UK Supreme Court has ruled that a restraint of trade clause in an employment contract preventing the employee from "engaging or being concerned or interested in any business carried on in competition with" her employer's business was valid. Although the words "or interested" would have rendered the clause unreasonably broad, preventing even the holding of a minor shareholding in a competitor, the court found that they could be severed from the contract, with the remaining restriction left intact. There's a good summary of the case on Pinsent Masons' Out-Law service.

The UK's Data Protection Act 2018, which supplements the General Data Protection Regulation or GDPR, requires that controllers of personal data must, in certain defined circumstances, have in place "an appropriate policy document". This is distinct from the requirement for a privacy or data protection notice under Articles 12 to 14 of the GDPR.

The requirement applies to processing of special categories of personal data: (i) for the purpose of employment, social security and social protection law; (ii) on the basis of a substantial public interest; (iii) for the purposes of health and social care; (iv) for reasons of public interest in the area of public health; and (v) for archiving purposes, scientific or historical research purposes or statistical purposes.

The policy document must explain (inter alia) the controller's procedures for securing compliance with the principles in Article 5 of the GDPR in connection with the processing of personal data in reliance on the condition in question. Most notably, there seems to be a requirement for a documented security policy for these types of processing.  See Schedule 1 to the Act for more information.
 

VIDEO GAME EULAs

An end user licence agreement (EULA) is a legal document setting out the basis upon which a person may use software. In this post, Alasdair looks at the EULA-related issues affecting video game developers and publishers. The focus is on smaller and newer businesses, but much of the discussion is relevant to established businesses too.

• Online non-disclosure agreement (unilateral)
  Get from Docular Get from Website Contracts
• Video game EULA (in basic, standard and premium versions)
  Get from Docular Get from Website Contracts

• 18-month delay to authentication enforcement
  On 13 August the UK’s Financial Conduct Authority (FCA) announced a delay in the implementation of new authentication requirements for card issuers, payments firms and online retailers. The EU legislation containing the relevant rule comes into force on 14 September, but the FCA will not begin enforcement proceedings before 14 March 2021 – providing that the business in question is working towards compliance.
• Nasty videos, nasty fines
  In September, existing rules relating to video-on-demand will be extended to cover video sharing services. The rules are intended to protect children from inappropriate content, and the general public from various types of unlawful content. An Ofcom consultation issued in July suggest that the existing penalties regime, set out in the Communications Act 2003, will be extended to cover platforms. Accordingly, fines up to 5% of turnover or £250k (whichever is greater) may be applied.
• Copyright trumps freedoms
  The Court of Justice of the European Union (CJEU) has ruled that the publication, in a newspaper, of confidential military papers may infringe copyright, irrespective of the application of the fundamental freedoms of the press and of information recognised in the EU Charter of Fundamental Rights. The only exceptions to the copyright rules are those specific copyright exceptions set out in the InfoSec Directive. This case was reported on the IPKat blog.
• A new data privacy standard
  The International Standards Organization (ISO) has published a new standard on data privacy, extending ISO 27001 and ISO 27002.  From the ISO website: “ISO/IEC 27701 …  specifies the requirements for establishing, implementing, maintaining and continually improving a privacy-specific information security management system. In other words, a management system for protecting personal data (PIMS).”
• Nuisance calls @ 19 pence each
  The best ways to earn GDPR-grade fine remain the accidental or malicious disclosure of large amounts of sensitive personal data and, as UK boiler replacement firm Making it Easy Ltd has discovered, a blatantly unlawful marketing campaign. For making in excess of 850k nuisance calls, Making it Easy has been fined £160k by the Information Commissioner.

It remains the case that most UK and EU websites do not comply with the current rules on cookie consent. Although the law is not as clear as it might be, some things are fairly certain. For instance, a website should not be setting analytics cookies (which are "non-necessary" cookies) unless the website operator has the prior, clear, specific, informed, explicit consent of the user. If you are unsure how to apply the cookie consent rules to your website, one low risk approach is to copy the website of the UK Information Commissioner’s Office, which you can experience at https://ico.org.uk/. As you’ll see, the default for Google Analytics cookies on the ICO website is now “off”.

THE LEGAL STATUS OF WEBSITE TERMS AND CONDITIONS

Sometimes, there will be a contractual relationship between a website operator and a website user; other times, there will not. In this post, Alasdair considers this distinction in the context of website terms and conditions.

• New EU Directive on consumer rights
  The European Council has adopted a new Directive designed to enhance consumer protection, with the focus on the internet and online transactions. Highlights include: (i) the extension of certain consumer protection rules, including information provisions and contract cancellation rules, to contracts for digital services that are provided in exchange for personal data; (ii) transparency requirements relating to online reviews, ranking algorithms, personalised pricing and price reductions; and (iii) stronger enforcement. The new rules are likely to come into effect across the EU during the course of 2022. If a post-Brexit UK does not amend its consumer protection legislation in line with the Directive, businesses dealing with consumers in the UK and the EU may have to account for two very prescriptive but different sets of rules.
• Facial recognition technology in the UK
  The privacy campaign group Big Brother Watch is calling for a moratorium on the use of facial recognition technology for public surveillance in the UK. This call followed the revelation that the Kings Cross Estate has been using facial recognition technology without public knowledge. The South Wales Police were also taken to the High Court over use of similar technology. See the ICO statements on the High Court judgment and the Kings Cross case.
• What is Bitcoin?
  According to a legal statement published by the UK Jurisdiction Taskforce, cryptocurrencies and other cryptoassets may be the subject of property rights under English law, because they have "all the indicia of property" and their special characteristics – such as intangibility – do not disqualify them from being treated as property. The statement also asserts that, perhaps unsurprisingly, smart contracts can be contracts under English law.
• Freelance solicitors
  On 25 November the SRA (Solicitors Regulator Authority) launched a new regulatory framework for solicitors, designed to reduce bureaucracy and allow solicitors to work in new ways. Perhaps the most notable change is the introduction of a new category of "freelance solicitor".  These individual practitioners are likely to have lower costs than traditional law firms, not least because of a special exception/relaxation of the rules regarding professional indemnity insurance.

Prompted by the GDPR and its headline-grabbing fines, businesses have worked hard to ensure that they have a proper legal basis for their email marketing. This usually means consent from users, although in some circumstances "legitimate interests" may also be an option. In addition to establishing a proper basis for marketing under the GDPR, businesses should include certain other information in their emails. Regulation 23 of the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 provides that:

A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail—

(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or
(b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.

Accordingly, business should include identity information in their email marketing templates along with an email address or similar for unsubscribes. Under UK company law, limited companies and LLPs must include the company's registered name and number, place of registration and registered office address. Depending upon how the business collects and handles personal data, a link to the business's relevant privacy policy may also be required.

NO DEAL BREXIT DATA PROTECTION CONSEQUENCES

At the time of writing, we still don't know when and how the UK will leave the EU. Certainly, the legal consequences will be far-reaching. But those consequences will be sudden and wrenching in the no deal scenarios.  In this blog post and this one, Hannah Kirby of ClaydenLaw sets out the key effects upon data protection law and the transfer of personal data from the EU to the UK and vice versa.

• Website terms and conditions
• Online shop terms and conditions
• Directory website terms and conditions
• Social network terms and conditions
• Subscription website terms and conditions