European national news

6
European national news Mark Turner Herbert Smith LLP, London, UK Keywords: Internet ISP/Internet service provider Software Data protection IT/Information Technology Communications European law/Europe abstract The regular article tracking developments at the national level in key European countries in the area of IT and communications e co-ordinated by Herbert Smith LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to compliment the Journal’s feature articles and briefing notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular signif- icance, CLSR may also cover it in more detail in the current or a subsequent edition. ª 2010 Herbert Smith LLP. Published by Elsevier Ltd. All rights reserved. 1. Belguim 1.1. Court of Appeal of Ghent finds that Yahoo!’s webmail is not an electronic communication service On 30 June 2010, the Court of Appeal of Ghent overturned the judgment of the Criminal Court of Dendermonde of 2 March 2009 in which Yahoo! Inc. was convicted for not cooperating with a Belgian public prosecutor. On the basis of the Belgian Criminal Procedure Code, the public prosecutor had requested Yahoo! to disclose the IP addresses of some registered users but Yahoo! had refused to do so, as it believed that the prosecutor’s request did not comply with the procedural requirements laid down in the Treaty between Belgium and the USA on Mutual Legal Assis- tance (‘MLAT’). However, the Criminal Court of Dendermonde found that the prosecutor did not have to comply with the MLAT Treaty as Yahoo! provides its webmail services on the Belgian territory in a virtual way and that such virtual pres- ence suffices for the Belgian Criminal Procedure Code to apply. The Court also held that Yahoo!’s webmail can be qualified as an electronic communication service and is thus subject to the Belgian Criminal Procedure Code obliging all electronic communication services providers to disclose any informa- tion requested by the public prosecutor. The Court of Appeal of Ghent, however, found that, first, Yahoo!’s portal website being virtually accessible on the Belgian territory is insufficient to establish Yahoo!’s presence in Belgium as a service provider and for the Belgian Criminal Procedure Code to apply to it. Second, the Court of Appeal found that Yahoo!’s webmail is not an electronic communication service. The definition of the term ‘electronic communication service’ involves a service which consists wholly or mainly in the conveyance of signals on electronic communications networks. The Court held that Yahoo! itself did not provide any conveyance of signals and that Yahoo’s webmail was merely an application that can only be run via an internet service provider which conveys signals over the internet. Erik Valgaeren, Partner [email protected] and Nicolas Roland, Associate [email protected], from the Brussels office of Stibbe (Tel.: þ32 2 533 53 51). 2. Denmark 2.1. Thepiratebay.org e internet provider ordered to block access to the website The Supreme Court of Denmark has by a judgment of 27 May 2010 upheld the obligation for the internet provider Telenor to block access to the website thepiratebay.org. The case began in 2008 when the enforcement court pro- hibited Tele2 (now Telenor) from facilitating the infringements available at www.sciencedirect.com www.compseconline.com/publications/prodclaw.htm computer law & security review 26 (2010) 558 e563 0267-3649/$ e see front matter ª 2010 Herbert Smith LLP. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2010.08.001

Transcript of European national news

c om p u t e r l aw & s e c u r i t y r e v i ew 2 6 ( 2 0 1 0 ) 5 5 8e5 6 3

ava i lab le a t www.sc iencedi rec t .com

www.compsecon l ine .com/publ i ca t ions /prodc law.h tm

European national news

Mark Turner

Herbert Smith LLP, London, UK

Keywords:

Internet

ISP/Internet service provider

Software

Data protection

IT/Information

Technology

Communications

European law/Europe

0267-3649/$ e see front matter ª 2010 Herbedoi:10.1016/j.clsr.2010.08.001

a b s t r a c t

The regular article tracking developments at the national level in key European countries in

the area of IT and communications e co-ordinated by Herbert Smith LLP and contributed to

byfirms across Europe. This columnprovides a concise alerting service of important national

developments in key European countries. Part of its purpose is to compliment the Journal’s

feature articles and briefing notes by keeping readers abreast of what is currently happening

“on the ground” at a national level in implementing EU level legislation and international

conventions and treaties. Where an item of European National News is of particular signif-

icance, CLSR may also cover it in more detail in the current or a subsequent edition.

ª 2010 Herbert Smith LLP. Published by Elsevier Ltd. All rights reserved.

1. Belguim Belgian territory is insufficient to establish Yahoo!’s presence

1.1. Court of Appeal of Ghent finds that Yahoo!’swebmail is not an electronic communication service

On 30 June 2010, the Court of Appeal of Ghent overturned the

judgment of the Criminal Court of Dendermonde of 2 March

2009 in which Yahoo! Inc. was convicted for not cooperating

with a Belgian public prosecutor.

On the basis of the Belgian Criminal Procedure Code, the

public prosecutor had requested Yahoo! to disclose the IP

addresses of some registered users but Yahoo! had refused to

do so, as it believed that the prosecutor’s request did not

comply with the procedural requirements laid down in the

Treaty between Belgium and the USA on Mutual Legal Assis-

tance (‘MLAT’). However, the Criminal Court of Dendermonde

found that the prosecutor did not have to comply with the

MLAT Treaty as Yahoo! provides its webmail services on the

Belgian territory in a virtual way and that such virtual pres-

ence suffices for the Belgian Criminal Procedure Code to apply.

The Court also held that Yahoo!’s webmail can be qualified as

an electronic communication service and is thus subject to

the Belgian Criminal Procedure Code obliging all electronic

communication services providers to disclose any informa-

tion requested by the public prosecutor.

The Court of Appeal of Ghent, however, found that, first,

Yahoo!’s portal website being virtually accessible on the

rt Smith LLP. Published

in Belgium as a service provider and for the Belgian Criminal

Procedure Code to apply to it.

Second, the Court of Appeal found that Yahoo!’s webmail is

not an electronic communication service. The definition of the

term ‘electronic communication service’ involves a service

which consists wholly or mainly in the conveyance of signals

on electronic communications networks. The Court held that

Yahoo! itself did not provide any conveyance of signals and

that Yahoo’s webmail wasmerely an application that can only

be run via an internet service provider which conveys signals

over the internet.

Erik Valgaeren, Partner [email protected] and Nicolas

Roland, Associate [email protected], from the Brussels

office of Stibbe (Tel.: þ32 2 533 53 51).

2. Denmark

2.1. Thepiratebay.org e internet provider ordered toblock access to the website

The Supreme Court of Denmark has by a judgment of 27 May

2010 upheld the obligation for the internet provider Telenor to

block access to the website thepiratebay.org.

The case began in 2008 when the enforcement court pro-

hibitedTele2 (nowTelenor) fromfacilitating the infringements

by Elsevier Ltd. All rights reserved.

c om p u t e r l aw & s e c u r i t y r e v i ew 2 6 ( 2 0 1 0 ) 5 5 8e5 6 3 559

of copyrights taking place via thepiratebay.org. Thepir-

atebay.org is developed on a technology known as BitTorrent

which provides a user with the opportunity to download files,

often very large ones, from other users. The website searches

for torrents (links) to connect users so that they can share files.

The enforcement court ordered Tele2 to take all possible

measures to prevent access to the website for their users.

Tele2 filed a complaint to the High Court and claimed that the

prohibition did not contain sufficient clarity and that it was

disproportionate.

The High Court dismissed the complaint and Telenor

appealed toTheSupremeCourt. TheSupremeCourt stated that

the infringements of copyrights facilitated by thepiratebay.org

were extensive and the Supreme Court ruled that it was not

disproportionate that Telenor should pay the costs of the dns

blocking of thepiratebay.org. A prohibition was necessary

because the copyright owners otherwise were not adequately

protected.

The district court of Norway has by a judgment of 6

November 2009 in a similar case determined, that Telenor is

under no obligation to block the use of thepiratebay.org. The

court was of the opinion that infringements of copyrights are

unacceptable and that also participation must be prevented.

The court ruled in favour of Telenor because a prohibition to

block thepiratebay.org required amore clear legal basis which

according to the court, was not present in this lawsuit. The

CourtofAppealupheld the judgmentandthecopyright owners

decided not to appeal to the Supreme Court of Norway.

Thereby, the legal practices of Denmark and neighbouring

Norway regarding whether it is possible to order an internet

provider to block access to file sharing services are not

congruent. The judgment rendered by the Supreme Court of

Denmark will have far-reaching influence in the debate about

internet provider’s obligation to assist in reducing the prolif-

eration of illegal internet services.

Carsten Raasteen, Partner, [email protected] and Nina

Broen, Assistant Attorney, [email protected] from Kro-

mann Reumert, Copenhagen office, Denmark (Tel.:þ45 70 12 12 11).

3. France

3.1. Publication of a decree introducing a new offence ofgross negligence [negligence caracterisee] in thesupervision of access to an internet account

Nearly one year after the adoption of the Hadopi law, decree

no. 2010-695 dated 25 June 2010, now allows a maximum fine

ofV1500 to be imposed on internet account holders for “failing

to implement security measures to protect their internet

access” or “failing to exercise due care in the implementation

of the security measure” without a legitimate reason.

This decree which is central to the Hadopi system is

somewhat ambiguous as to the definition of “gross negli-

gence” and provides no details on how security measures are

to be installed by account holders. The stakes are high for

companies liable for the internet access used by their

employees in that the much-anticipated decree does not

identify the security tools they are obliged to set up. In fact, it

leaves the courts substantial room for manoeuvre and raises

more questions than it provides answers.

3.2. The French regulatory framework for onlinegambling and betting is now up and running

Following the dismissal by the French Conseil constitutionnel on

12 May 2010 of the appeal brought against the draft law lib-

eralising the online betting market, no.2010-476, three

implementing decrees adopted on 13 May 2010 have estab-

lished a regulatory framework for companies working in the

sector.

The French online gaming authority (ARJEL) which was

created under the new system has the power to issue licences

to gaming operators and to ensure the compliance of their

operations with the law. It also has a responsibility to fight

gambling addiction. ARJEL has already issued licences to 18

operators and notified 19 others to cease their illegal

operations.

In addition, the French audiovisual regulator (CSA) has set

new rules on advertisements for horse racing and sports

betting and poker websites and for all authorised gambling

services in France asking the companies concerned to adopt

a code of conduct with a view to limiting the volume of

advertising (resolution no.2010-23 of 18 May 2010 on adver-

tising). The resolution which is applicable until 31 January

2011 sets a range of criteria for the definition of television and

radio services and programmes aimed atminors duringwhich

this kind of advertising is prohibited.

3.3. The French Cour de Cassation takes note of the ECJjudgment on sponsored links

In four decisions handed down on 13 July 2010 (appeal nos. 06-

15.136, 05-14.331, 06-20.230 and 08-13.944), the commercial

chamber of the Cour de Cassation has issued its interpretation

of the ECJ judgment of 23 March 2010 in joined cases C-236/08,

C-237/08 and C-238/08. The French court held that referencing

service providers that store keywords and display commercial

messages are not infringing trade marks in that they are not

using them in the course of trade. The court also acknowl-

edged that these service providers could benefit from the

restrictions of liability set out in the E-Commerce Directive

provided that their conduct remained “merely technical,

automatic and passive”. However, the Cour de Cassation did

find that advertisers using trade marks as keywords were

infringing the mark’s function of identifying origin. The

court’s decision held no surprises, simply reiterating the ECJ’s

response to the preliminary questions in near identical terms.

3.4. Conclusion of a long-standing dispute overlimitation of liability clauses in IT contracts

On 29 June 2010, the commercial chamber of the French Cour

de Cassation issued a decision in a leading case on the condi-

tions for the validity of limitation of liability clauses. It upheld

the decision of the Court of Appeal that breaching a material

condition of the contract is not sufficient to void the limitation

of liability clause. According to the Cour de Cassation, the only

voided clause is that limiting the remedies that can be

c om p u t e r l aw & s e c u r i t y r e v i ew 2 6 ( 2 0 1 0 ) 5 5 8e5 6 3560

exercised, where it contradicts the seriousness of thematerial

obligation assumed by the party in breach. It further held that

simply breaching a contractual obligation does not constitute

gross misconduct which must be assessed based on the

significance of the breach.

Following on from the Chronopost affair, this decision

should resolve a number of pending questions on the scope of

clauses limiting the damages that can be claimed for

contractual breach.

3.5. Failing to include terms in a Google AdWordsnegative keywords list can constitute an infringement

On 19 May 2010, the Paris Court of Appeal ruled that an

advertiser that had failed to include terms corresponding to

the trade names and domain names of its competitor in its

Google negative keywords list had committed an offence for

which it could be held liable. This judgment provides a vital

clarification of the rules to be followed by the users of online

referencing services which are fast becoming something of an

art for advertisers.

3.6. Online search engine patent revoked

On 19 March 2010, the Paris TGI revoked a patent for a search

engine on the grounds that the process used did not constitute

a patentable invention. Given that the description of the

process only stated the aim of the tool and did not specify the

technical processes involved or the technical characteristics of

the search engine itself, the invention could not be patented.

Alexandra Neri, Partner, [email protected] and

Julien Taieb, Associate, [email protected], from the

Paris Office of Herbert Smith LLP (Tel.: þ33 1 53 57 70 70).

4. Germany

4.1. International jurisdiction of German courts andviolation of personal rights on the internet

In a Federal Court of Justice decision last March, the principles

governing the international jurisdiction of German courts in

matters concerning the violation of personal rights on the

internet were more precisely defined and considerably

extended. This particular case concerned an English-language

article that had been published in the “Metropolitan Desk”,

the local news section of the online New York Times.

For tort actions relating to the violation of personal rights,

the competent court under both European and German law is

the court in whose district the tort was committed (locus

delicti). In the case at hand, the courts of first and second

instance had found that the locus delicti was not in Germany,

and thus the German courts do not have jurisdiction since the

article could only be accessed in the local news section of the

New York Times and was consequently not aimed at internet

users in Germany as its target or intended audience.

The Federal Court of Justice has now ruled otherwise,

holding that for German courts to have international juris-

diction it suffices if the content allegedly in violation of

personal rights objectively has clear domestic relevance. Since

people in Germany are then likely to become aware of such

content. In this specific case, the article had identified the

plaintiff living in Germany, the plaintiff’s company, which

was likewise mentioned, was located in Germany and the

author of the offending newspaper article referred to the

investigations conducted by the German authorities. This by

itself sufficed for the Federal Court of Justice to presume that

the requisite conflict of interests was in Germany and thus

German courts had jurisdiction.

In practice, this means that German courts of first and

second instance will be more likely to accept their interna-

tional jurisdiction in cases where personal rights are violated

on foreign-language web pages which, while not directly

aimed at the German public, nonetheless concern events in

Germany. On the other hand, this Federal Court of Justice

decision is not likely to be extrapolated to other areas, such as

intellectual property rights infringements on the internet.

Dr. StefanWeidert, LL.M, Partner, [email protected],

from the Berlin office of Gleiss Lutz, Germany (Tel.:þ49 308009790).

5. Italy

5.1. Italy implemented Directive 2007/65/EC

On 29 March 2010, Legislative Decree No. 44 dated 15 March

2010 (the “Decree”), implementing Directive 2007/65/EC on

television broadcasting activities (amending the Directive 89/

552/EEC, so called “Audiovisual Media Services Directive”,

recently repealed by Directive 2010/13/EU), was published in

the Italian Official Gazette. The iter for the approval of the

Decree raised many discussions and much criticism, partic-

ularly regarding the scope of the Decree’s application and

related issue of a possible editorial responsibility of ISPs. The

Decree, inter alia, (i) amends Legislative Decree No. 177 of 2005

(the “Radio Television Act”, now renamed “Audiovisual and

Radio Media Services Act”); (ii) provides for a definition of

audiovisual media services including, in particular, both the

"television broadcast” (i.e. a linear audiovisual media service)

and “on-demand audiovisual media service” (i.e. a non-linear

audiovisual media service). In compliance with the Recitals of

Directive 2007/65/EC, services which are primarily non-

economic and which are not in competition with television

broadcasting, such as private websites and services consisting

of the provision or distribution of audiovisual content gener-

ated by private users for the purposes of sharing and exchange

within communities of interest, online games and search

engines, websites that contain audiovisual elements only in

an ancillary manner, as well as any form of private corre-

spondence, are expressly excluded from this definition. Also,

natural or legal persons whomerely transmit programmes for

which the editorial responsibility lies with third parties, are

expressly excluded from the definition of media service

provider; (iii) requires a prior authorisation for providers of on-

demand audiovisual media services. For these purposes,

providers shall submit a notice of business commencement to

the competent authority; (iv) strengthens copyright and

minors protection. In addition, the Decree e in compliance

c om p u t e r l aw & s e c u r i t y r e v i ew 2 6 ( 2 0 1 0 ) 5 5 8e5 6 3 561

with the provisions of Directive 2007/65/EC e sets forth

a number of rules governing audiovisual commercial

communication, television advertising and the limitation

thereof, sponsorship and product placement. In particular,

the Decree expressly rules that product placement e as

derogation to the relevant general prohibition e is admissible,

subject to certain requirements, in cinematographic works,

films and series made for audiovisual media services, sports

programmes and light entertainment programmes, with the

exclusion of children’s programmes. Viewers shall be clearly

informed of the existence of product placement by means of

proper warnings at the start and the end of the programme

and when a programme resumes after an advertising break.

Product placement of tobacco products or cigarettes or

product placement from undertakings whose principal

activity is the manufacture or sale of cigarettes and other

tobacco products, as well as of specific medicinal products or

medical treatments available only on prescription, is

expressly prohibited. (http://www.camera.it/parlam/leggi/

deleghe/testi/10044dl.htm)

Salvatore Orlando, Partner, [email protected] and

Stefano Bartoli, Associate, [email protected] from

the Rome office of Macchi di Cellere Gangemi (Tel.: þ39 06 362141).

6. The Netherlands

6.1. Court allows Ziggo to continue providing access tothe pirate bay

On 19 July 2010, the District Court of The Hague ruled in

interlocutory proceedings that telecommunications provider

Ziggo does not have to deny its subscribers access to the

download website The Pirate Bay.

Stichting BREIN, a foundation which focuses on the legal

enforcement of intellectual property rights and combating

online piracy in the music, film and gaming industry, claimed

that Ziggo should be ordered to block access of its subscribers

to The Pirate Bay website. Stichting BREIN based its claim on

the argument that Ziggo, being an Internet Service Provider

(“ISP”), serves as an intermediary whose services are used by

third parties e namely, the subscribers of Ziggo e to infringe

intellectual property rights.

The District Court held in principle that it is possible to

bring an action against an ISP for services provided by the ISP

which are used by subscribers to infringe an intellectual

property right. However, the District Court stated that a cease-

and-desist-order can only apply to those subscribers of Ziggo

who indeed infringe intellectual property rights. Stichting

BREIN’s claim related to all subscribers of Ziggo. The District

Court ruled that such a far-reaching claim cannot be upheld

since the alleged infringements cannot be attributed to all

customers of Ziggo.

This judgment can be considered a setback for Stichting

BREIN in its legal campaign against the download website The

Pirate Bay. On 16 June 2010, the District Court of Amsterdam

ruled that The Pirate Bay should cease all its activities in The

Netherlands subject to of a penalty of EUR 50,000 per day.

However, The Pirate Bay refused to acquiesce in the ruling,

which made Stichting BREIN instigate a test case against

telecommunications provider Ziggo in order to ensure

a complete blockade of The Pirate Bay. Since this action could

create a precedent for all Dutch ISP’s, Xs4all joined in the

proceedings at the side of Ziggo as co-defendant.

The digital civil rights organisation “Bits of Freedom”

stated in a comment to the ruling in interlocutory proceedings

of the District Court of The Hague that it fears that Stichting

BREIN will now shift its focus to individual users. Stichting

BREIN indeed indicated that it will not rule out possible legal

proceedings against individuals. Apart from this, Stichting

BREIN announced that it will appeal against the decision of

the District Court.

The ruling of 19 July 2010 can be found at (Dutch only):

http://zoeken.rechtspraak.nl/resultpage.aspx?

snelzoeken¼true&searchtype¼ljn&ljn¼BN1445&u_ljn¼BN1445

The ruling of 16 June 2010 can be found at (Dutch only):

http://zoeken.rechtspraak.nl/resultpage.aspx?

snelzoeken¼true&searchtype¼ljn&ljn¼BN1626&u_ljn¼BN1626

Reinout Rinzema, Partner, [email protected] and

Rembrandt Brouwer, Associate, [email protected]

from the Amsterdam Office of Stibbe, The Netherlands (Tel.: þ31

20 546 01 12).

7. Norway

7.1. “Delete me” e a status update

In this year’s May edition of CLSR (Volume 26, Issue 3), we

wrote about a new service from the Norwegian Data Inspec-

torate called “delete me” that provides practical advice and

guidance to individuals whose privacy has been violated

online. Following the recent publication by the Inspectorate of

a report about the use of the service, we would like to follow-

up with some statistical data from the service’s first three

months of operation.

The said status report shows that there has been a great

influx of people who have wanted help. On the “top three” list

of complaints, Facebook is on top with 440 of a total of 1258

enquiries. The majority of these enquiries relate to issues

such as the deletion or regaining of access to user profiles,

deletion of false profiles and removal of unwanted pictures

and defamatory content.

In second place are the various Norwegian journalistic

mediums. Seventy nine individuals have sought help to

prevent old articles from appearing via online search engines

and to remove comments and contributions they have previ-

ously posted, as well as sensitive personal data that appears in

news articles.

Google is number three with 72 enquiries, concerning

issues like how to avoid certain search results from appearing

when searching for individuals, and how to remove search

results that show incorrect information, personal data or refer

to deleted websites.

As millions of Norwegians are members of online

communities, it is not surprising that 440 enquiries concerned

an online community. More surprising, the Inspectorate says,

is the fact that the Norwegian press come in second on the

c om p u t e r l aw & s e c u r i t y r e v i ew 2 6 ( 2 0 1 0 ) 5 5 8e5 6 3562

Inspectorate’s complaint list, before online giants like Google.

According to the Inspectorate, the explanation may be that

search engines prevent news articles from being outdated,

and that readers share information to a greater extent than

before.

Haakon Opperud, Partner, [email protected] and Stein-Erik

Jahr Dahl, Associate, [email protected], Thommessen Krefting

Greve Lund AS, Norway (Tel.: þ47 23 11 14 94).

8. Spain

No contribution for this issue.

Jorge Llevat, Partner, [email protected], Albert

Agustinoy, Senior Associate, [email protected] and

Daniel Urban, Associate, [email protected] from

Cuatrecasas, Goncalves Pereira, Spain (Tel.: þ34 93 2905585).

9. Sweden

9.1. The data Inspection Board clarifies responsibility forpersonal data published on Facebook and blogs

The Data Inspector Board (“DIB”) recently published results

from a project in which the DIB has examinedmunicipalities’,

authorities’ and companies’ (“Organisations”) use of social

media. The conclusions include that Organisations have

a responsibility for personal data processed on the social

media used, such as Facebook and blogs (“Websites”). The

responsibility includes data published by the Organisation but

also data published by others, and routines must be in place

for removal of personal data that may entail a violation of

a person’s integrity.

The DIB clarifies that since the Organisations operate the

websites and thus decide the purpose of the websites and are

able to erase information, the Organisations shall also be

responsible for all personal data, even such published by

others. Regarding Twitter the Organisations’ responsibility

includes own posts, but not such comments as “followers”

may leave.

The DIB advises Organisations, inter alia, to have clear

policies and intern routines regarding the Websites purpose

and use, to avoid that personal data thatmay entail a violation

of a person’s integrity is being processed.

9.2. A preliminary ruling in the first Swedish IPREDcase?

The first Swedish IPRED case has reached the Supreme Court.

The Supreme Court has prepared a draft for a request of

preliminary ruling by the European Court of Justice. However,

before such request may be referred, the parties to the case

shall comment on the draft, as well as on the necessity of

a preliminary ruling.

Briefly, the main issue is whether the Data Retention

Directive (EC/2006/24) (“Directive”) prevents an application of

a national provision built on the IPRED Directive (EC/2004/48),

as well as the implication of Sweden’s omission to implement

the Directive in time.

Bjorn Gustavsson, Partner, [email protected], and

Mikael Satama Granberg, Associate, Mikael.Satama-Granberg@

vinge.se from Advokatfirman Vinge KB, Sweden (Tel.: þ46 8 614

30 00).

10. UK

10.1. Ofcom consults on draft code on ISPs’ initialobligations under the Digital Economy Act

Ofcom, the UK communications regulator, has recently con-

sulted on a draft code of practice to underpin the initial obli-

gations imposed on internet service providers (ISPs) by the

Digital Economy Act 2010 (DEA) to reduce online copyright

infringement.

The DEA requires ISPs to notify their subscribers if their IP

addresses are reported by copyright owners as being used to

infringe copyright. Any such copyright infringement reports

delivered by copyright owners must contain evidence that the

subscriber has engaged in copyright infringement of some

kind. The DEA also requires ISPs to provide copyright owners

with copyright infringement lists of subscribers that have

triggered infringement reports exceeding a certain threshold

(on an anonymous basis). These lists are intended to assist

copyright owners in identifying serial offenders and in taking

further action once a court order is obtained against a partic-

ular subscriber.

The draft code sets out the detail of how this scheme will

work, including how andwhen ISPs need to send notifications

to their subscribers, and the content of such notifications.

Having considered three options for notification and escala-

tion procedures (by volume of infringement reports received,

by behaviour of subscribers over time, and by the cost of

copyright infringements), Ofcom has proposed an approach

based on subscriber behaviour. Broadly, the first notification

will be triggered by the first infringement report received

relating to a subscriber, and subsequent notifications will be

sent for each infringement report received at least a month

following the previous infringement report. A subscriber may

then be included on an infringement list where that

subscriber has received three notifications within a year and

where the copyright owner requesting the list has sent at least

one of those infringement reports.

The draft code proposes to establish an independent,

robust subscriber appeals mechanism for subscribers that

believe they have incorrectly received a notification and

anticipates arrangements for enforcement, dealing with

industry disputes and information gathering.

The obligations imposed on ISPs under the DEA are stated

to apply to all ISPs except those demonstrating a very low level

of online copyright infringement. Ofcom does not currently

have any infringement report data on which to set an

infringement report-based threshold for qualifying ISPs and

has instead proposed that the draft code will only initially

apply to fixed-line ISPs with over 400,000 subscribers,

comprising the UK’s 7 largest ISPs: BT, TalkTalk, Virgin Media,

c om p u t e r l aw & s e c u r i t y r e v i ew 2 6 ( 2 0 1 0 ) 5 5 8e5 6 3 563

Sky, Orange, O2 and the Post Office, together providing

internet access to 96% of the UK market. Ofcom intends to

review evidence of online copyright infringement and may

extend the application of the code if appropriate.

The provisions of the DEA and, in particular, the require-

ments that specified ISPs notify their subscribers if they

trigger copyright infringement, have been the subject of

industry criticism and BT and TalkTalk, two of the largest ISPs

in the UK, have requested a judicial review of the new legis-

lation, claiming that the DEA unfairly targets larger ISPs to

bear a disproportionate administrative burden and may

prompt consumers to move to unregulated ISPs in order to

avoid detection.

The consultation on the draft code closed on 30 July 2010

and was the first in a series of three consultations Ofcom

intends to issue this year in relation the DEA (subsequent

consultations will cover enforcement of the code and cost

sharing).

10.2. UK Information Commissioner publishes code ofpractice on online privacy

The code of practice has been issued by the UK Information

Commissioner’s Office (ICO) under section 51 of the Data

Protection Act 1998 (DPA), which requires the promotion of

good practice in complying with the requirements of the DPA.

The code is intended to give practical guidance to assist

organisations in developing their own compliance strategies

and is aimed at organisations of all sizes processing personal

information online, from ISPs to small businesses trading

online.

Following responses received to the earlier consultation on

code of practice, the ICO has implemented several revisions to

the code prior to final publication, including to clarify the

relationship between the code and the DPA, to confirm the

ICO’s view that in many cases IP addresses will constitute

personal data, and to more clearly explain online advertising

andmarketing processes following consultationwith industry

experts.

The publication of the code of practice follows a request

issued by the European Commission in June that the UK

government complies with the provisions of the Data Protec-

tion Directive (96/45/EC). The request took the form of

a reasoned opinion (the second stage of EU infringement

procedures) in which the Commission raised criticisms that

the directive had not been fully implemented into UK law by

the DPA as applied by UK courts. The Commission also asked

that the powers of the Information Commissioner’s Office be

increased. The UK government has been given two months to

respond to these issues and report back to the Commission on

the measures it has taken to ensure full compliance with the

directive.

10.3. BSkyB vs. EDS update: EDS abandons appeal

On 7 June 2010, EDS (now part of Hewlett Packard) concluded

its long-running dispute with BSkyB by agreeing the quantum

of BSkyB’s claims at £318 million and dropping its attempt to

appeal against the judgment handed down in January of this

year.

The case arose out of BSkyB’s project to create a new

customer relationship management system. EDS had been

appointed in 2000 to design and build the new CRM system,

but the project was beset with problems from the outset and

EDS was eventually removed. BSkyB subsequently completed

the project in-house, but at a significantly higher cost and

following a substantial delay.

BSkyB alleged that a key employee of EDS had deliberately

lied about the work done in preparing the bid in order to

secure the contract. In 2004, BSkyB commenced High Court

proceedings against EDS for fraudulent misrepresentation,

negligence and breach of contract. The case came to trial in

October 2007 and, following a hearing that lasted 9months,Mr

Justice Ramsey handed down his long awaited decision in

January 2010. He found that EDS had deceived BSkyB to secure

the contract.

Whilst the settlement of the quantum of BSkyB’s claims

and EDS’ decision to abandon its appeal concludes the final

chapter of this long-running dispute, the judgment will

remain a potent reminder to both suppliers and customers in

large IT and outsourcing projects to review their bidding and

contracting practices and processes to ensure they comply

with best practice.

Mark Turner, CLSR Professional Board, Partner, mark.turner@

herbertsmith.com and Tony Lai, Associate, tony.lai@herbertsmith.

com from the London Office of Herbert Smith LLP (Tel.: þ44 20

7374 8000)