Media and Technology

How private are your communications?
21 August, 2017

Invasions of privacy come in many forms (for example, the police helicopter pilot who filmed members of the public sunbathing in their back gardens), but the privacy of emails and other electronic messages is likely to be of more relevance to most people.

This is a hot topic. Against the background of a heightened terror threat, the authorities have argued that it is necessary to trade privacy for safety, and to allow the police and intelligence services to view and monitor our private communications. Messaging apps such as WhatsApp, which allow private chat through the end-to-end encryption of messages, have become the focus of much government ire and frustration.

The technology itself, however, poses an initial and fundamental problem for those attempting to monitor private conversations: by its nature, end-to-end encryption does not, and cannot, allow third-party access, because only the communicating devices hold the keys needed to decrypt the messages. Even if the technology companies wanted to, it is generally accepted that it is not possible to install an access ‘backdoor’ through which messages could be intercepted without undermining that design. So, for the moment, those conversations on the whole remain private.

Where other types of encrypted software could be designed to allow monitoring, the backdoors that make such monitoring possible themselves pose a fundamental risk to the security of the data they are meant to protect.

Lord Evans, the former head of MI5, on BBC Radio 4’s Today programme, recently argued that “…compelling companies to put back doors into encrypted services would make millions of ordinary people less secure online”.

Backdoors put cybersecurity at risk because, once discovered, any backdoor method could be exploited for criminal purposes, compromising the privacy of every user of the service rather than only the individuals the authorities intended to monitor.

As we are encouraged and incentivised to share more personal data, and as more data is generated and collected through our use of technology (the ‘internet of things’), individuals are now at risk of much greater harm when privacy is breached.

Whilst technical innovations such as the storage of data in blockchain networks may protect against the manipulation of data, privacy concerns still remain about the disclosure of the data itself.

To understand further how your data and privacy is currently protected under UK law, please see https://www.cripps.co.uk/media-and-tech/guide-new-general-data-protection-regulation-gdpr-part-1-5/

For more information on privacy of communications please contact Will Charlesworth on will.charlesworth@cripps.co.uk or +44 (0)1892 506 004

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw


“Breaking one law to get ready for another” – Take care when obtaining consent to send marketing emails
11 August, 2017

Puzzled by the forthcoming GDPR and unsure how to comply? You’re not alone – a number of businesses have recently tried to prepare for the GDPR coming into force and have made some pretty big errors in the process, sometimes with disastrous consequences.

You may have seen that Moneysupermarket.com was recently fined £80k for sending unsolicited emails to around 7 million individuals who had opted out of its marketing material. The emails acknowledged that the individual had asked not to receive these in the past, and gave individuals the option to reconsider their choice.

This was a breach of the current marketing regulations, the Privacy and Electronic Communications Regulations 2003 (PECR). Under the PECR, you mustn’t send any unsolicited marketing emails to individuals unless you have their explicit consent, with a few limited exceptions. Where an individual explicitly opts out of receiving your marketing material, you must stop contacting them from that point onwards, and must not ask them questions about why they opted out or whether they might like to change their mind.

While emails sent solely for routine customer service purposes will not fall under the Act, you will need consent to send unsolicited emails “for the purposes of direct marketing” which includes asking customers to consent to receiving marketing.

The confusion is understandable. Honda and Flybe also received 5-figure fines for sending similar emails. The upcoming GDPR, which tightens up the rules about what level of consent you need from individuals for certain uses of their data, and a potential update to the PECR, have made data protection a hot topic for businesses recently.


The key lesson here is to carefully consider your GDPR compliance process and always keep in mind what the current law is. Businesses “can’t break one law to get ready for another” as the ICO succinctly put it. At the opposite end of the spectrum, while Wetherspoons’ deletion of its entire customer email database eliminates a lot of potential risk, it won’t be necessary (or sensible) for every business. We’ll be providing plenty of tips for handling GDPR preparation on our website in the coming months, but in the meantime if you have questions about anything GDPR or marketing-related, don’t hesitate to get in touch with Elliot Fry.


For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw


Singhsburys and Morrisinghs – a risky play on words?
17 July, 2017

A play on words can be an effective way of marketing a business. However, business owners should be careful when doing this: including or creating words and/or logos which are the same as, or similar to, well-known registered trade marks runs the risk of trade mark infringement. On the other side, trade mark owners need to consider whether they want to take action against this kind of infringement.

A recent example of this concerned Jel Singh Nagra, who owned a newsagent’s in North Tyneside. Jel Singh Nagra thought a good name for his business would be Singhsbury’s, creating a sign above his shop which looked as follows:

Image source- The Telegraph


Unfortunately for Jel Singh Nagra, Sainsbury’s did not see the comical side of things and threatened legal action against him. Whilst the specific details of the threatened legal action are unknown, it is likely to have been primarily based on infringement of Sainsbury’s registered trade mark SAINSBURY’S.

Whilst we do not comment on the merits of any possible trade mark infringement claim that Sainsbury’s may have had against Jel Singh Nagra, we thought it useful to recap on the three main ways you can run the risk of trade mark infringement in a commercial/business context. These are:

i) using a sign that is identical to a registered trade mark in relation to identical goods and/or services which it has been registered for

ii) using a sign which is:

  1. identical to a registered trade mark in relation to similar goods and/or services which it has been registered for; or
  2. similar to a registered trade mark in relation to identical goods and/or services which it has been registered for.

and which gives rise to a likelihood of confusion on the part of the public (which includes a likelihood of association).

iii) using a sign which is identical/similar to a registered trade mark in relation to similar (or dissimilar) goods and/or services it has been registered for, and such use (where the registered trade mark has a reputation in the UK) takes unfair advantage of, or is detrimental to, the distinctive character or repute of the mark.

In light of the impending legal action from Sainsbury’s, Jel Singh Nagra decided to rename his shop, but rather than steer clear of major supermarket brands, he adopted the name Morrisinghs as depicted below:

Image source- The Telegraph


Fortunately for him, Morrisons appear to have seen the humorous side of things and, rather than resorting to legal action as Sainsbury’s did, wished him well.

In deciding whether to take action against a potential infringer, trade mark owners will need to weigh up the importance to them of protecting their brand and deterring others from using identical or similar signs to their trade mark, against the potentially negative publicity created by pursuing the “underdog”, whom the public will see as simply engaging in harmless fun.

If you need any advice in relation to trade marks please contact Phil Bilney on +44 (0)1732 224 046 or by email to phil.bilney@cripps.co.uk



Court of Appeal sets some limits on requirement to comply with Subject Access Requests
12 July, 2017

The amount of time and resources a business has to spend complying with a subject access request has long been one of the most contentious areas of data protection law, particularly given that most subject access requests (SARs) are made during the course of employment litigation, where the relationship between data controller and data subject is already somewhat strained. Two recent cases[1] seem to have swung the balance a little way back towards the data controller by suggesting there are some limits on the data search that needs to be undertaken following a SAR, but businesses need to be stepping up data protection compliance in advance of new, tougher rules to come.

The Data Protection Act 1998 (the DPA) gives people the right to request a copy of their personal data from an organisation by making a SAR.

The DPA puts a legal obligation on organisations to supply “a copy of the information in permanent form” unless to do so is “not possible or would involve disproportionate effort.” So, the right to have a SAR met is balanced by the fact that an organisation does not have to go to unlimited lengths to do so.

The “disproportionate effort” exemption has been considered by the Court of Appeal on two occasions this year. Prior to these cases it had been assumed that the exemption only applied to the effort involved in providing a copy of the information. However, the Court of Appeal said that it also applies to finding the information in the first place. Therefore, in some circumstances there may be a limit on the extent of the searches that an organisation has to make – but only if the effort outweighs the benefit to the requestor.

Organisations cannot rely upon the “disproportionate effort” exemption to refuse to make any search whatsoever and must remember that the threshold for their efforts remains high. Reasonable and proportionate steps must be taken to find and supply the information requested, even though every item of personal data might not necessarily be retrieved. In the words of the Court: “there may be things lurking beneath another stone which has not been turned over”. Nevertheless, each case will turn on its own facts, and at the end of the day an organisation may have to evidence that reasonable and proportionate steps have been taken to comply with the request. The Courts have made it clear that, as far as possible, SARs should be actioned.

In June the Information Commissioner’s Office (ICO) updated its Subject Access Code of Practice to reflect the Court of Appeal’s decisions. The ICO has said: “Even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you must still try to comply with the request in some other way, if the applicant agrees” (see page 45 of the Code of Practice – https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf).

Will things change when the General Data Protection Regulation (GDPR) comes into force on 25 May 2018?

The GDPR grants new rights to data subjects which may require organisations to locate, and take action in respect of, personal data. SARs will have to be actioned in a shorter time frame. Data subjects will have new rights to have their inaccurate data rectified, their data erased completely (the “right to be forgotten”), and their data provided to them or other organisations in “a structured, commonly used and machine-readable format” (known as “data portability”).

One might reasonably ask how these new rights can be accommodated if an organisation cannot find all of the personal data in the first place. Will they also be subject to limitations and exemptions similar to those under the current SAR regime? We do not currently know. While proportionality will remain a general principle of EU law, the GDPR may place a greater burden on organisations to know where all of an individual’s personal data is held. Read more about GDPR here.

In terms of practical steps businesses can take, setting up systems to enable them to deal more efficiently with SARs will be key, so that locating and accessing personal data can be done more quickly and easily.

For further information on the above or any aspect of data protection law please contact George Fahey or Elliot Fry. For advice on dealing with SARs made in relation to employment please contact Erica Dennett.


[1] Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others [2017] EWCA Civ 121.


Cyber security for SMEs – can you hack it?
23 June, 2017

Prior to the recent headline-grabbing WannaCry ransomware attack, businesses may have thought such incidents only affected big American companies, the likes of Sony and Ashley Madison. The WannaCry story brings home that cyber crime is a global issue, one which is set to affect UK businesses more and more in future, and one to which SMEs are not immune.


A government report from earlier this year indicated that 68% of large businesses and 52% of small businesses had suffered a cyber security breach in the past year. Don’t assume that just because your business isn’t national, or high profile, or based around online sales, you’ll be safe. Cyber criminals, as with any other kind, will target anyone, and may see smaller businesses as more vulnerable.


Cyber security breaches carry a number of adverse potential consequences. Aside from the business interruption of evaluating and repairing any damage caused, implementing emergency measures, and potentially notifying your customers, breaches of cyber security are bad publicity, and erode the trust and confidence you spend so long building with your customers. Where a breach results in your customers suffering a loss, you may find they turn to you for compensation. Defending legal claims, and dealing with more informal ones, can be expensive and risks further damage to your reputation.


So, what can you do about cyber risk? Well, as with every other risk, take steps to mitigate it, and insure against it. Many insurance companies offer a policy covering cyber attacks, together with practical advice on risk management and loss prevention. Mitigating and minimising your risk requires more than just effective firewalls and antivirus software. Implementing segregated networks and least-privilege models ensures that the effect of any breach (be it external, or by an employee) is minimised. Network segregation creates sub-partitions allowing you to limit access to sensitive information, so that a compromise of one part of the network does not automatically expose the rest, and a least-privilege model gives users only the permissions necessary for them to carry out their role, so that a compromised account can do no more than that role allows. However, to remain effective these controls need regular checking and updating, since permissions and network access tend to accumulate over time. Effective monitoring, alerting and filtering software will help anticipate and prevent attacks, but training for users on how to identify and avoid suspicious emails and websites is also needed, as things like phishing emails become increasingly sophisticated.


Cyber security isn’t just a practical requirement, it’s a legal one. Almost every business will hold personal data, and data protection legislation requires them to have adequate security measures in place to protect that data. Businesses that suffer a breach may be subject to fines or sanctions from their professional bodies or the Information Commissioner’s Office (ICO). Holiday insurance company Staysure were fined £175,000 by the ICO after their cyber security failings allowed hackers access to customer credit card and medical details. SMEs can no longer afford to ignore the risks.
