MARCH - APRIL THE COMPUTER LAW AND SECURITY REPORT

Lotus 1-2-3. Mosaic are now claiming that the very existence of the case along with Lotus's size and discovery tactics are providing Lotus with a victory even before the merits of the case are discussed. Lotus is more than a hundred times larger than Mosaic, and the legal costs alone are already more than $100,000. Most of Mosaic's employees are being required to take part in the action, and potential customers are delaying order for 'Twin' pending the outcome of the litigation. It is therefore questionable whether Mosaic could withstand the financial cost of the action given the length of time necessary for pre-trial discovery. Mosaic are therefore seeking a court order whereby the copyright infringement issue would be settled first and any other issues subsequently. They also seek to limit discovery to five months and for the trial date to be two months later. In support of this motion, Mosaic point out that Lotus commenced this action 'under the bright lights of a well- publicisedpress conference', at which Lotus said it would seek a preliminary injunction and punitive damages of $10,000,000. Lotus has not sought an injunction and has dropped its claim for punitive damages. Thus, it is implied Lotus is achieving its aim through the adoption of tactics designed to prolong the case and thus cause harm to Mosaic's business.

Neeco Inc v The Computer Factory Inc et al (D. M A 8 7 - 1 9 2 1 - Z )

Neeco, a vendor of used computer hardware and software, required its employees to sign three types of confidentiality agreements. The employee in question worked at a fairly low level within Neeco and had limited contact with customers. The case arose after the employee left Neeco to work for a

competitor, and the judge was called upon to examine three types of provision. The first of these prohibited the employee from soliciting or diverting any of Neeco's employees to her new employer, The Computer Factory, for a period of two years following termination of employment. The judge found this clause excessive in that it applied to all Neeco customers across the country, and not just those with whom the employee had had any contact. The clause was therefore narrowed to apply only to such customers whom the employee knew to be customers as a result of her employment with Neeco. The second provision was a lifetime restriction on the disclosure of confidential data. This the judge found to be not unreasonable as it was intended to protect a company's proprietary information, which he called 'classic employer interests'. The third clause prohibited the employee from working for a group of named competitors within New England for one year. The judge found this restriction to be unreasonably broad given the employee's relatively low-level position and the fact that the Computer Factory was more than 150 miles from Neeco's Massachussets headquarters. The judge concluded that the provision was far broader than was necessary to protect Neeco's legitimate interest. Moreover, the risk to Neeco would be far less than the injury which the employee would be likely to suffer if forced to give up her new job.

David Greaves, Editorial Panelist The Report acknowledges the assistance of the US publication, The Computer Industry Litigation Reporter in tracing these case reports

CONFERENCE REVIEW

PROBLEMS RELATING TO LEGISLATION IN THE FIELD OF DATA PROTECTION

Three day conference in Athens on November 18-20, 1987, organised by the Council of Europe (COE). Speakers: Peter Hustinx

Yves Poullet K Mavrias Spiro Simitis

Day One The first report on the theme, 'Rule-making for data protection - present trends' was presented by Peter Hustinx, legal adviser in the Ministry of Justice, and Chairman of the Council of Europe Committee of Experts on Data Protection. Hustinx discussed the emergence of 'second generation' data protection legislation within Western Europe as having a number of characteristics: they cover a wider range of material, mainly relating to manual records; there is a trend towards simplification; a greater amount of differentiation for the sectors; a trend in favour of self-regulation, and the increased use of informal and civil sanctions as a means of enforcing data protection. The need for simplification has arisen in the face of the bureaucracy that data protection legislation has thrown up, and the corresponding costs and time involved, both for the business sector and the responsible authorities. The United Kingdom Registrar has recently brought out a shortened version of the registration form, specifically designed to aid small businesses in complying with the Act.

The trend toward differentiation, the sectoral approach, of data protection rules has been a result of the ageing and experience of existing legislation. Such a process of differentiation enables both an increased level of protection for data subjects; as well as tailoring the legislation to fit in more suitably with the conditions within particular industries, and thus prevent the creation of unnecessary and unsuitable bureaucratic requirements. Divisions into sectors has occurred along such lines as the sensitivity of the data, and the purpose of the data. The Council of Europe, itself, has set up a number of sectoral working parties to draw up regulations for different categories of data users. It has already produced recommendations in areas such as direct marketing and medical data banks. Related to the greater differentiation of data protection rules is the trend towards self-regulation. Sectors of data users are being expected to draw up enforceable codes of practice. However, this was a trend that, though welcomed by various delegates, was seen as posing a potential threat towards the weakening of data subjects rights. Data protection agencies were still perceived as necessary for effective control. Legislative registration of data processing was seen as being a useful method of stimulating data users to think why they hold information. Few cases of criminal sanctions were found to exist in the field of data protection, and it was thus felt more appropriate to rely on informal and civil sanctions against rogue data users. Informal sanctions consist of investigations, where the data user is informed of the problem and given the scope to resolve it. In these situations, data protection authorities do

38

THE C O M P U T E R LAW AND SECURITY REPORT 6 CLSR

not need to act other than through the threat and use of publicity, and allows a greater degree of flexibility. In this respect, Hustinx believed that a data protection commissioner was more flexible than a data protection board. Finally, the issue of protection for legal persons was still felt by a number of delegates to be important. Failure to deal with this area, or at least discuss the possible implications fully, has left small companies in a grey area as regards the scope of data protection, as well as failing to provide adequate protection against the discrimination of certain social groups.

Day Two The morning session was devoted to the Greek data protection bill, which had been submitted to Parliament the previous week. It was introduced by Professor Mavrias, one of the members of the Council of State drafting committee which began work in 1983. The bill covers both automated and manual files. It distinguishes three categories of data: 'Confidential personal data', 'Strictly personal data' and 'Other personal data'. The bill is primarily concerned with the processing of confidential personal data. The bill will create a Commission on the Protection of Data which will be empowered to monitor and review the legislation; assist data subjects in the exercise of their rights and control the scope of activities that users are able to carry out using personal data. One issue raised at the Conference concerned the distinction between the 'file keeper', the owner of the file who also decides the file's purpose and organization; and the 'responsible person', upon whom the major liability lies, since this individual operates the file and has the power to allow third parties to have access to it. It was felt by some delegates that such a clause, which was unique to the Greek bill, would give companies the opportunity to avoid liability with respect to data protection violations. Some delegates were also concerned that the data protection Commission, to be created by this legislation, was giving up too much power, and thus independence, to the government. The Minister of Justice has been given the power in the bill (Article 19) to call for a review of any decision of the Commission involving serious public interest cases. The Council of Ministers will have the final authority to annul any Commission decision if the competent minister can justify locus standi (Article 20). Professor Simitis, Data Protection Commisioner for the State of Hessen, presented a report on the problem of legislating on data that is seen as being particularly sensitive, and thus deserving of greater protection. The new Greek bill has followed a growing number of countries, such as Norway and Sweden, in distinguishing between personal data, on the one hand, and strictly personal data on the other, the latter category being afforded appropriate additional safeguards. Simitis, however, found it impossible to offer any general rule as to what should fall within the category labelled 'sensitive', or 'extra sensitive'. Different national legal traditions concerning the limits of privacy, as well as the differing political-social backgrounds to organisations such as trade unions, makes any attempt at categorisation futile. Such differences in circumstances also operate within the state, and Simitis reiterated Hustinx's earlier call for a greater stress on the sectoral approach to data protection. It was pointed out that no personal information is in reality irrelevant, and to that degree all data can be seen as

39

'sensitive'. Secondly, the limitation of certain national legislation to information that has been automatically processed is a position that is difficult to justify if one believes in the Council of Europe data protection principles. A number of particular problems were brought forward in connection with the new 'data subject' rights created by national data protection legislation. Firstly, that of 'captive populations', such as prisoners, patients and job applicants. Worries were expressed concerning the possibility that such groups may be forced to use their access rights as part of some additional administrative requirement; for example, job applicants may be told to access their police files and thus show proof of an absence of a criminal record. Another question raised was that of whether data concerning the use by data subjects of their access rights should also be seen as 'sensitive'. Simitis told the conference that in West Germany, the police authorities were recording the fact that an individual had made use of his or her access rights. It was felt that such problems, arising out of the existence of national data protection legislation, would need to be considered in detail as existing legislation came up for amendment.

Day Three Professor Poullet, President of the Belgium Computer Law Association, considered whether the principles laid down in the Council of Europe Convention on data protection were adequate in the face of the growth of new information technologies, and the potential dangers such technologies offer. 'Electronic surveillance' is one example of such a fear, arising from the use of telematic services. In this situation, 'confidential' or 'sensitive' personal data does not arise so much from that which is stored in the data bank of the information service, but from the personal data that arises through the use of that service. Such information then gives rise to the possibility of constructing a profile of every user, or group of users, of the service. Professor Poullet also noted that it was important to distinguish the idea of data files from that of the processing location. The growth of the computer network has given rise to the need for a new terminology, moving from the concept of the 'controller of the file' to that of, 'controller of the network'. The role of the latter person would be to take responsibility for all the personal data held on a data subject throughout the network: to be known as the 'central logical file'. Telematic services and expert systems were also seen as opening up a potential threat to the Council of Europe data protection principles of collection, 'fairly and lawfully'; data only being recorded for 'specified purposes', and that of data security. Concerning a data subject's right of access, it was felt further moves were needed towards the "transparency of both the information collected and the routes followed by it in the course of operation". Part of this process would be to ensure a 'right to monitor', especially with the growth of public and private networking, as well as the diversification of an organisations activities. A final area of concern brought up by a number of delegates was the problem of 'equivalency': the restriction of transborder data flows due to the absence of data protection in another country. Although only a minority of international data flows involve personal data, it was felt that this was an area that had not been considered in enough detail. For instance, does 'equivalent protection' under the Council of Europe Convention mean identical or similar protection? While in either case, which authority or body will be able to deliberate on these issues when such situations arise?

MARCH - APRIL THE COMPUTER LAW AND SECURITY REPORT

The Conference was well organised and useful in making delegates more aware of the range of problems that exist, and the various national methods of controlling the use of personal

data. It continues to be an important area of informatior~ technology law.

lan Walden Trent Polytechnic Nottingham

PUBLICATIONS DATA

Commercial Law Given the recent spate of legislation concerning company law, financial services, corporate insolvency, insider dealing and the personal liability of directors, readers might be interested in the following texts. Fuelling that interest must also be the growing focus of attention on the duties, responsibilities and liabilities of company directors. The first book - Boyle and Birds' Company Law 2nd edition, edited by A.J. Boyle, John Birds and Graham Penn, 1987 (Jordan & Sons Ltd, 855pp.) £20, ISBN 0 85308 0909 has been written specifically with the needs of practitioners and those involved in the day-to- day administration of companies in mind. The twenty-four chapters cover the whole gamut of company law, providing a practical narrative and a clear and logical sequence for the reader to follow. Of particular interest is the section on auditors which also deals with liability for negligence and Chapters 20 and 21 on the duties of directors and minority shareholders remedies. Available from Jordan & Sons Ltd., 21 St. Thomas Street, Bristol BSl 6JS. The second book, Directors Personal Liability by Robert R. Pennington 1987, (Collins Professional Books, 270pp.) £22.50, ISBN 000 3832945 is, as the title suggests, a more specialist text, focussing upon the legal position governing directors of companies. As the preface suggests, "Directors are more vulnerable than they have ever been to the cost and trouble involved in defending allegations that they have failed to fulfil their duties fully, either because they have disregarded one or more of the statutory obligations heaped upon them by the Companies Acts since 1948, or because they have pursued some interest of their own or their families in a way not permitted by the fiduciary duties imposed upon them as directors. Not only has the law become more complex as a result of legislation; it has also become more burdensome on directors as the result of judicial decision." This book describes the duties and liabilities of directors to their companies and to the shareholders and creditors. Among the twelve chapters are sections dealing with the legal status of directors, their fiduciary duties, judicial and statutory extension to those duties, the duty of skill and care, the position under the Companies Acts, the enforcement of those duties and liabilities to shareholders and creditors. The final two chapters describe how directors duties may be enforced by the court and the remedies available to shareholders for unfair treatment. Although not fully up-to-date (the book being accurate to 1 October 1986) it is nevertheless to be recommended as an introduction to this important issue. Available from Blackwell Scientific Publications Ltd, 8 John Street, London WCIN 2ES. The third book - A Guide to the Financial Services Act 1986 by A.J. Wedgwood, G.A. Pall, Professor L.H. Leigh and C.L. Ryan, 1986 (Financial Training Publications Ltd, 371pp.) £12.95, ISBN 1 85185 0503 deals with what is described as "one of the most complicated and important pieces of legislation ever to affect business investment. Its impact will be felt by all those working in the financial services area." Produced in conjunction with Peat Marwick, the book is intended for bankers, solicitors, accountants and insurance

brokers and all those who need to know how the Act affects them and how to advise their clients. Chapters 1-3 outline the general regulatory background; Chapters 4-7 describe the process of authorisation and the way in which firms will be expected to conduct their business. The Act's specific application to "collective investment schemes" (such as Unit Trusts) insurance business and Friendly Societies is set out in Chapters 8 and 9. Chapters 10 and 11 deal with company law matters as they relate to investor protection in the areas of public issues, takeovers and insider dealing. The book is intended as no more than a guide to the legislation as it stood at the time. As the authors rightly point out, much more remains to be done before the new arrangements become fully operational. Available from Financial Training Publications Ltd, Avenue House, 131 Holland Park Avenue, London Wll 4UT.

International Trade International Exporting Agreements, Shaul Ezer, 1986 (Matthew Bender loose-leaf) $50 Lib. of Congress Cat. Card No.: 85-72293. This text from the United States is about the legal and commercial problems encountered in international sales contracts. Its principal emphasis is on the practical problems of the exporter in transactions where goods and services are sold from the developed countries to the lesser developed countries. It is intended for the legal, financial and marketing professional, advising or employed with a multi- national exporter as welt as for the proprietor of a small business contemplating an expansion of his market by exporting outside his country. The preface indicates that it is not a legal textbook but a practical world guide to problems encountered in practice and the ways in which they have been solved or managed. References are made to statutes and judicial decisions in certain countries but no attempt has been made to expound on the laws of that country. As the author rightly points out, this is best left to the legal expert in the importing country who, in the appropriate circumstances, would be engaged by the exporter. Of particular interest is Chapter 15, which deals with the international transfer of technology. Sections discuss the nature and form of technology, protection and transfer methods, government regulations of technology transfers, practical approaches to international protection and an appendix with various sample agreements. Available from Matthew Bender & Co. Inc, International Division 1275 Broadway, Albany, New York 12201, USA.

The Service Sector Service-led growth - the role of the service sector in world development by Dorothy I. Riddle 1986 (Praeger Publishers, 289pp.) $37.95 bound, $16.95 pb., ISBN 0 275 920410/0 275 927288. As the author points out at the very beginning "services lie at the very hub of economic activity in any society. In 1980, for example, service sector trade was valued at US$350 billion or about 20% of world trade; and the contribution of the service sector to gross domestic product (GDP) world wide averaged 580/0. People are spending an ever increasing percentage of their disposable

40