Computer Law And Security Report. Telecommunications, broadcasting and the Internet EU competition law and regulation 0-421-76470-8, 0-421-85140-6, 0-85296-444-7

Citation preview

Computer Law & Security Report (2005) 21, 1e2

EDITORIAL

European Court of Justice interprets key aspect of Database Directive

The European Court of Justice (ECJ) has handed down an important ruling on the application of the Database Directive (96/9/EC) and, in particular, the so-called ‘sui generis’ or ‘database right’. This relates to databases where the motivation for protection is found in the investment that has gone into the contents of the database as opposed to the level of intellectual creativity put into the selection and arrangement of those contents. The database right is protected for fifteen years, compared with the normal protection period for literary works of the life of the author plus 70 years. The case e The British Horseracing Board Ltd & Others v. William Hill Organization Ltd.,1 concerned British Horseracing Board’s (BHB) database containing a large volume of information about horses, riders and race events, of interest to the industry, but also to the media, bookmakers and their clients. The bookmaker William Hill (WH) subscribed to the database through a service provider and regularly extracted data from this source which it transferred to two internet sites from which it ran an online betting service. In March 2000, BHB sued alleging infringement of its sui generis right under Article 7 of the Directive. Following a ruling in BHB’s favour at first instance, William Hill appealed to the Court of Appeal which stayed the proceedings pending advice on the interpretation of the Database Directive from the ECJ. The ruling of the full chamber of the ECJ was handed down in November with the, perhaps, unexpected result that will limit the scope of the

1 Judgment of the Court (Grand Chamber), 9 November 2004 (Case C-203/02).

Directive for databases reliant, up to now, upon the sui generis right for protection. In narrowing the scope of the rule, the court said, firstly, that the investment required by Article 7 must relate to the resources used for collection i.e. development of the contents of the database rather than the creation of the data in the first place. Qualifying investment included the ‘‘systematic or methodical arrangement [of data] in the database, the organisation of their individual accessibility and the verification of their accuracy’’. Secondly, the court addressed the requirement of Article 7 that infringement of the sui generis right would occur when, either the whole database, a substantial part of it, or repeated systematic extraction of insubstantial parts and/or utilization of these contents had taken place. In the court’s view the relative criterion for judging the issue of substantial part was not to be based on the intrinsic value of the extracted data but to the scale of investment put into the obtaining, verification or presentation of the contents of that data, other than that required for their creation in the first place. In the present dispute there was no substantial investment here since this had been expended by BHB in the creation of content, rather than in its collection into the database. This decision will potentially narrow the scope of protection for databases where the distinction between investment in creation and collection of data cannot easily be identified, such as in relation to share price information or where the collection is automated. This could mean that some databases that have, hitherto, relied on licence fees for sustaining their operation may find that source of income is eroded. On the other hand, some will

0267-3649/$ - see front matter ª 2005 Stephen Saxby. Published by Elsevier Ltd. All rights reserved

2

Editorial

welcome the direction that the court has moved in as there has been concern among some commentators that the sui generis right might become an even stronger form of protection than copyright since no ‘fair dealing’ exception exists to mitigate the sui generis provision. The UK has always stressed the economic importance of the ‘copy’ right and in recent years, supported by the domestic courts, has maintained a more liberal protection regime for factual data than the United States. It may be that this decision, promoted by the ECJ, takes a small step towards convergence of UK law with its partners. What is clear is that finding the balance between the need to ensure the ‘progress of science and the useful arts’ while providing due compensation of authors for their works, has never been harder to locate. Stephen Saxby E-mail address: [email protected] doi: 10.1016/j.clsr.2005.01.022

New Report Correspondents CLSR is pleased to welcome Conor Ward, David Schollenberger and Stephen Rawson to the Correspondents’ panel of the Journal:

Conor Ward, Partner, Lovells Conor Ward exclusively practises contentious and non-contentious aspects of computers and communications law. A former barrister, he was also a development programmer at IBM United Kingdom Laboratories during the 1980s and now advises clients where the technology involved is complex and/or the legal issues are novel. Conor advises numerous financial institutions in connection with the use of encryption, secure trading and with the outsourcing of IT and telecommunications systems. He has acted in connection with numerous IT disputes including systems development disputes and disputes relating to ownership and licensing of

IPR. He has acted in relation to several criminal prosecutions under the CMA 1990.

David Schollenberger, Partner, Charles Russell David Schollenberger is a partner in the IT & Telecoms Group at Charles Russell and also heads its Gaming Team. He is dual qualified in the UK and US and has spent several years as an in-house lawyer for multinational technology companies and the parent company of Harrah’s Entertainment. He is an advisor to technology suppliers, domestic and international users and gaming operators with respect to commercial business transactions. He has substantial experience in e-commerce and Internet and mobile content and distribution legal issues and agreements, outsourcing projects, hardware and software systems procurement, software and website development, licensing of intellectual property and franchising arrangements and direct and indirect commercial sales and distribution agreements. He is an active member and on the regulatory committee of the Interactive Gaming Gambling and Betting Association, the International Association of Gaming Attorneys, Intellect, the Society for Computers and Law, and the Westminster Media Forum.

Stephen Rawson, Senior Counsel, ˙trault McCarthy Te Stephen Rawson is a senior counsel in the international telecommunications and technology practice of McCarthy Tetrault in Toronto, Canada. He advises on both the regulatory and commercial aspects of telecommunications, as well as a broad range of e-commerce and information technology matters. Steve has substantial international experience, including having practised for a number of years in the UK and as a senior in-house lawyer with an internationally recognized telecommunications operator. His international experience includes advising businesses and governments on telecommunications and e-commerce laws, policies and commercial practices in compliance with European Union Directives and WTO commitments and rules. doi: 10.1016/j.clsr.2005.01.001

Computer Law & Security Report (2005) 21, 3e21

CLSR BRIEFING

News and comment on recent developments from around the world Compiled by Stephen Saxby, Editor

United Kingdom Remote gaming covered under Gambling Bill The Gambling Bill, introduced to Parliament on 18 October 2004, will legalise and regulate remote gambling and betting for the first time in the UK. The Bill has now passed two readings of the House of Commons and is headed for a third reading in mid-December when it will be moved on to the House of Lords. It is expected to be enacted in March 2005. The law will modernise and reform the existing legislation contained in the Gaming Act 1968. The Bill will put the UK in the spotlight as the first major world country to legalise and regulate online gambling and betting. Current UK law regarding remote gaming Under the current UK legislation, remote gambling operations are not permitted onshore. It is not currently possible to obtain any form of licence to operate remote gaming in the UK. It is a grey and unresolved issue, however, what factors make a company onshore or offshore. The prevailing view is that it depends on whether the server and random number generator is onshore. The Gaming Board has been taking a relaxed position to date about support services such as customer support, banking support and marketing being conducted onshore. It is not currently prohibited for punters to participate in online gaming. doi:10.1016/j.clsr.2005.01.021

The permission with respect to remote betting is different. Currently bookmakers and betting exchanges are permitted to operate remote betting operations under a bookmakers licence. Under current law, overseas gaming and betting operations are prohibited from making advertisements inviting or soliciting the making of bets or gambling. Advertisements must simply constitute a notice that the services exist but must stop short of encouraging play e although the line between the two is a thin one. The current law does not allow legal enforcement of gambling debts. Gambling Bill changes Under the new Gambling Bill, a new Gambling Commission will be created with responsibility for regulating remote gaming. ‘‘Remote’’ gaming and betting includes gambling or betting on the Internet, mobile telephones and interactive television. The Gambling Commission will issue licences for remote gambling and remote bookmaking operations and a new licence will be created for betting exchanges called a betting intermediary licence. At least one Director level person in an organisation will also need to obtain a personal licence. The Bill provides that only one piece of equipment located in the UK will trip the requirement to obtain a UK licence. That means that remote gaming operators with operations currently partly onshore will either need to move their equipment entirely onshore and obtain a UK licence or move entirely offshore.

4 All forms of advertising from online (emails, ISP banner ads, etc) to broadcasting to printed media such as billboards, flyers, posters and magazine and newspaper ads will be caught by the definition of advertising in the Bill. Advertising of remote gaming operations will only be permitted for companies licensed in the UK or in other EEA jurisdictions, subject to restrictions on form, content, timing and location as required by the Gambling Commission. The Secretary of State will also have the power to white list certain non-EEA jurisdictions to advertise in Great Britain. Certain Dependencies such as Alderney and the Isle of Mann (where several online gaming companies already operate) have been given assurances that they be included on the white list. Gibraltar, which also hosts a number of blue chip online gaming and betting operations, is not considered an EEA jurisdiction and will have to apply for approval. The Bill will make gambling debts enforceable for the first time. The exception for this is where the losses were incurred by an under age person. The Bill will require that all losses must be refunded where a child made the losses. Operators are concerned that this will lead to fraudulent abuses where an adult gambler makes a loss and blames it on his child. The Bill will require ‘‘reasonable steps’’ to be taken to determine that only customers over 18 are accepted. The Secretary of State will have the authority to restrict accepting customers from certain jurisdictions although no prohibited territories are currently included in the Bill. The Conservatives have proposed an amendment to the Bill to specifically list the US as a prohibited territory, but the sentiment of the Government is not to support this at this stage.

The world is watching Interestingly, the provisions of the Gambling Bill with respect to remote gaming have not been that controversial to date either in the press or in the House of Commons. The moral panic and most of the debate on the Bill has been focused on the proposals for regional land based casinos. There is an enlightened understanding in the UK that the remote gaming industry is not going away and it is better to legalise and regulate it rather than to leave it in the hands of possibly unscrupulous operators offshore. The world will be watching the UK and the effect of this legislation. The EU, the US and Australasia likely follow in its footsteps in due course.

CLSR briefing David Schollenberger, Report Correspondent, Partner, IT & Communications and Head of Gaming Team, Charles Russell.

Home Office publishes Identity Cards Bill The government has published its controversial Identity Cards Bill which it intends to introduce in the new session of Parliament. The Government argues that the scheme will provide a ‘‘simple and secure ‘gold standard’ proving identity, protecting people from identity fraud and theft and providing them with a convenient means of identity in every day transactions’’. The scheme is aimed particularly at disrupting the use of false and multiple identities used by organized crime and in some terrorist related activity; tackling illegal working and immigration abuse; to ensuring free public services are used only by those entitled to use them; and enabling British citizens to travel freely at a time when international requirements for secure biometric documents are developing. The scheme is also intended to build on ongoing work designed to make passports more secure by including biometrics e unique personal identifiers such as facial image, fingerprints or iris images. Biometric identifiers combined with a secure database will, in the government’s view, ‘‘enable people’s identity to be accurately verified and will prevent fraud in attempts to register multiple identities’’. The Home Office has carried out detailed consultation with a range of community organizations and refugee organizations to ensure that the final legislation corresponds to concerns and complies with the Race Relations (Amendment) Act 2000. This requires the elimination of unlawful discrimination while promoting equality of opportunity and good relations between people from different backgrounds. Home Office Minister Fiona MacTaggart said: ‘‘The identity card scheme will be inclusive, designed to cover anyone who has the right to be in the UK e whether they were born here, have chosen to make their home here or are just staying for a while to study or work’’. Editor’s note A new Executive Agency will issue identity cards, starting in 2008. It will incorporate the functions of the UK passport service and work closely with Home Office’s Immigration and Nationality Directorate. The Bill is available on line at www. publications.parliament.uk/pa/pabills.htm.

CLSR briefing

Data protection law needs urgent review ‘‘Shambolic, weak, impotent and chaotic’’ is how one legal expert has described the current state of data protection. This comment comes as plans to reform EU Data Protection laws look set for protracted consideration. However, the Government’s Data Protection Working Party has acknowledged that work needs to be done to tackle the lack of enforcement measures against people who break the law. Stewart Room, head of data protection at law firm Rowe Cohen, has offered three key reasons why the current system is chaotic: the enforcement effort by the authorities is under-resourced; there is a perceived low risk of getting caught by offending data controllers; and public ignorance of individual rights is widespread. ‘‘Without an urgent improvement, businesses and individuals will continue to suffer uncertainty, ambiguity and mixed messages about the DPA. At the moment, the law is seen as impotent and a bit of a shambles’’, he said. ‘‘The DPA allows discretion amongst EU member states and this inevitably results in disparities between countries. This is compounded by the fact that national data protection laws across the EU vary e particularly where they concern enforcement. This causes problems for pan-European business, as well as for individual rights. Countries like Sweden have much tighter enforcement regimes than, say, the UK or Ireland. But this is only part of the picture. Major funding problems mean that resources are stretched and compromises have to be made. There is likely to be little change over the next twelve months. In the UK most of the Information Commissioner’s time is taken up with the Freedom of Information Act, which comes fully into force on 1st January 2005, with the inevitable knock-on effect for data protection compliance.’’

Lord Falconer announces Freedom of Information Act fees regime The vast majority of requests made under the new Freedom of Information rights will be free, the Government has announced. For information which costs public bodies less than £450 to retrieve and collate, there will be no charge. This is roughly equivalent to two and a half days of work, for free. Government departments will only be able to charge where costs rise above £600 (which equates to about three and a half days work). Constitutional Affairs Secretary Lord Falconer, said:

5 ‘‘This Government introduced the legislation to change the culture of official information, and we believe it should be free. A fees structure which is simple to understand and easy to operate follows the spirit of the legislation. We don’t want cost to deter people from asking about the policy discussions which influence their children’s education, the way hospitals treat and care for their parents or the way police patrol their neighbourhoods.’’ From 1 January people will have a right to information about the way decisions are made, and public money is spent, by more than 100,000 public authorities, including Government departments, schools, NHS Trusts, police forces and local authorities. Anyone, of any nationality, and living anywhere in the world, will be able to make a written request for information, and expect a response within 20 working days. Public authorities have already published details of the types of information which will be released proactively on websites e far more will be available on request. The Government regards the Freedom of Information Act as an important component of the constitutional reform programme. Lord Falconer said: ‘‘Greater access to information will improve the dialogue between public bodies making decisions and the people affected by them. We want people to play a greater role in policy-making at all levels, not just through the ballot box, but through consultations, forums and other, less formal, contacts with public bodies. The longterm aim of this greater scrutiny and dialogue is to improve decision-making. The legislation is designed to strike a balance between people’s right to know, and the need for Government to be able to govern effectively and to achieve this there are exemptions to cover areas such as defence, national security, commercial confidentiality and personal data.’’

Editor’s note Further information about the Freedom of Information can be found at: www.foi.gov.uk. About 100,000 public authorities are subject to the Act. For a full list of types of public body: www.foi.gov.uk/coverage.htm. The Freedom of Information Act was passed on 30 November 2000. See full text at: www.legislation.hmso.gov.uk/acts/acts2000/20000036.htm.

6

CLSR briefing

Office of Fair Trading sets out priority areas for action

Organizations failing to protect computer evidence

Five priority areas have been identified by the Office of Fair Trading (OFT) as part of its draft annual plan. The draft plan sets out key issues that the OFT will focus on over the next three years. The core activity will continue to be enforcing the law to ensure vigorous and open competition and to eliminate unfair trading practices. This will be combined with market studies and communication activities to explain to businesses and consumers their rights and responsibilities. Five areas are highlighted for particular attention:

As reliance on computers and e-communication grows, so do the opportunities for criminal activity to flourish according to IMS, Press Office for Computer & Internet Exhibition. The DTI’s recent information security breaches survey showed that 87% of businesses are now highly dependent on electronic information. Although organizations are now recognising the problem and actually identifying a larger proportion of the crimes taking place, many run the risk of failing to provide the evidence to prosecute e leaving them in a position where they either have to retain or reinstate an employee suspected of a crime or let the external individual get away with it scott free. As time goes on, concern is growing about how to stop computer and Internet crime. This is partly fed by the growth in activity and lack of ability to locate the source of the offence, and then present admissible evidence in court. Companies are spending all of their energy trying to formulate barriers to stop cyber crime occurring by keeping up with the latest software and firewall upgrades, without sufficient consideration of how to cope with the evidence when a breach occurs. Penny Harper, Director of Professional and Expert Witness Group at Bond Solon Training, London, the UK’s legal training consultancy for non-lawyers says that many organizations are failing to protect the evidence required to prosecute or even reprimand an individual. ‘‘I have worked with many firms filing criminal proceedings against individuals who have carried out this type of crime. Constantly courts are faced with evidence that for one reason or another is not admissible or reliable. When organizations have been hit by cyber crime they often frantically rush to trace sources of evidence by trawling through laptops and company networks. But by doing this, they may unwittingly be changing evidence. For example, simply turning on a PC can alter the data’’. Prosecuting for any crime requires that the evidence to be presented in court is both reliable and convincing. ‘‘The problem that many companies encounter is that on the onset of an investigation they may consider the issue to be a minor internal one, and attempt to carry out investigations themselves. As they delve deeper into the issue they begin to realise that criminal proceedings may be required,’’ said Penny Harper. Computer based electronic evidence is very fragile, it can easily be altered, damaged or destroyed by improper handling. If the data have

 credit markets;  construction and housing markets, including services related to them such as estate agency;  healthcare markets;  interaction between government and markets, e.g. through public procurement, regulation and public sector bodies competing with the private sector;  mass-marketed scams. John Vickers, OFT Chairman, said: ‘Our draft annual plan sets out how the OFT intends to enhance its efficiency and effectiveness, building on experience gained under new law. Our responsibilities, and hence our work to make markets work better, will be economy-wide, but we have for the first time signalled the priority areas in which we plan to make the most positive difference.’

Editor’s note Under the Enterprise Act 2002, the OFT is required to produce an annual plan setting out its main priorities and objectives for the financial year ahead. The final plan will be published by 31 March 2005. The draft plan is now open for consultation. The OFT is particularly interested in views on how priorities have been selected; what the OFT can do to better inform and educate businesses and consumers; the best means of selecting new market studies; and how the OFT can best monitor its performance. Responses to the consultation should be sent to Jonathan Dinmore ([email protected]) by 31 January 2005.

CLSR briefing not been dealt with correctly, the judge will not allow it to be used in legal proceedings. As a result, anyone gathering or collecting digital evidence must have procedures in place that enable them to show the court it has not been tampered with e ‘continuity of evidence’ or an audit trail. The evidence must also have weight, linking it directly to a particular individual. In the case of the Soham trial, one of the officers on the case was charged with downloading pornographic images. As no telephone line could be located to these downloads, the defence was able to argue that other people had access to the laptop as well. In all cases advice from a forensic investigator should be sought. If this is not possible, the following guidelines proposed by the Association for Chief Police Officers Good Practice Guide for Computerbased Electronic Evidence, should be followed:  ‘‘Move people away from any computer or power supplies;  Don’t in any circumstance switch the computer on;  Label and photograph all the components in situ or draw a sketch plan;  Search areas for diaries, notebooks or pieces of paper with passwords on which are often stuck to or close to the computer;  Make detailed notes of all actions taken in relation to the computer equipment;  Never take advice from the owner/user of the computer;  If switched on, disconnect the modem if attached: - Remove and retain all connection cables leading from the computer; - Allow the equipment to cool down before removal; - Record what is on the screen by photograph and by making a written note of the content of the screen; - Do not touch the keyboard or click the mouse; - If no specialist advice is available, remove the power supply from the back of the computer without closing down any programs.’’ Penny Harper concluded: ‘‘In large companies the average cost of a serious security incident was estimated by the DTI as £120,000. With costs so high, it is essential for businesses to wise up and fight back.’’ Editor’s note Other issues concerning computer and Internet crime were addressed during the Computer and Internet Crime (CIC) 2005, conference and

7 exhibition that took place on 24e25 January 2005; www.cic-exhibition.com.

Security expert warns of sophisticated new holiday phishing scam It is not only traffic around the shops that is on the rise this holiday season, but Internet traffic from scammers is also on the increase according to a security expert from CyberGuard Corporation, the security solutions provider. Citing reports from the Anti-Phishing Working Group (APWG) that indicate a 100% increase in the number of phishing sites between September and October 2004, Paul Henry, a senior vice president at CyberGuard, remarked that ‘‘between 80 and 100 new phishing Web sites are starting up daily. Scammers are getting much more sophisticated and they are harder for a user to detect.’’ Urging people to beware of emails offering holiday deals that seem too good to be true, Henry added that consumers should be on guard against a particularly nasty new phishing scam this holiday season. While many common phishing cons involve fake emails from banks or other financial interests that lead individuals to fake bank sites, Henry warns consumers to take care when buying holiday gifts online this year because scammers are using fake e-commerce sites: ‘When people search on the Internet for items they want to buy and click on a link, they are directed to a legitimate looking Web page and instructed to ‘‘Click here to download images’’ of what they want to buy. What they can end up downloading is a selfextracting zip file that installs a Trojan on their PC. Trojans can then redirect links to legitimate financial institutions to fraudulent Web sites allowing the scammer to harvest the user’s credentials.’ ‘‘If it looks too good to be true,’’ says Henry, ‘‘it probably is. Don’t let the Grinch steal your Christmas.’’ Editor’s note The Anti-Phishing Working Group (APWG) is an international industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. See: www.antiphishing.org. For CyberGuard see: www.cyberguard.com.

Local authority watchdog reports big increase in Scam complaints Over 1100 complaints concerning scams such as premium rate phone numbers, scratch cards and unsolicited mail were received during a two week

8 period in September 2004. This equates to approximately 60,000 complaints a year according to research published by The Local Authorities Co-ordinators of Regulation Service (LACORS) in November. The research was conducted between 6 and 17 September 2004 to find out the frequency and nature of scams targeted at both consumers and businesses. During this two week period, 70% of complaints were received from consumers and 30% from businesses. The majority of scams reported by consumers were received by post (67%) and mainly consisted of lottery type scams, with most originating from South Africa, replacing Canada as the main source of this type of fraud. These scams tend to follow the same format and inform the recipient that they have won a prize of two million dollars or Euros. The bogus company operating the scam states that the money will only be released once the recipient forwards details of their current address and telephone number. They are then asked to pay a ‘processing fee’ of several thousand Euros or the equivalent in dollars. If the recipient is based in Europe, then they might be requested to hand over the money in Amsterdam or pay via an untraceable Western Union service. The consumer can potentially lose thousands of pounds this way. A total of 24% of the scams aimed at consumers originated from the EU (mainly Spain) and 46% from the UK. Whilst the majority of scams arrive via the postal route telephone scams accounted for 19% and electronic scams such as Internet and email, 14%. A common factor across all the scams reported is the use of a premium rate service. These scams are entirely geared towards misleading recipients into making a premium rate call in the belief that they have won a prize. Twenty-four percent of all consumer complaints involved premium rate services with 80% originating from a UK source. Most are in direct breach of the Committee for the Supervision of Standards of Telephone Information Services (ICSTIS) Code of Practice. Consumer detriment is obvious given the misleading nature of these premium rate schemes and equates to approximately £53 per consumer. Derek Allen, Executive Director of LACORS said: ‘This research highlights the increasing potential for scams and the significant consumer detriment it gives rise to. The variety of scams and means for targeting consumers is huge and the scammers are continually finding new and innovative ways of targeting the public. LACORS will be working with the OFT and other regulatory bodies to ensure this

CLSR briefing problem is addressed but would like to warn consumers, particularly the more vulnerable in society to be vigilant about offers that seem to good to be true’. Editor’s note LACORS will be presenting these findings to the Department of Trade and Industry (DTI) and the Office of Fair Trading (OFT). LACORS has also compiled a directory which helps local authorities share good practice and assists the Office of Fair Trading (OFT) in producing the relevant educational material for advisers to use. See: www. lacors.gov.uk.

Laptop users pose security threat to European businesses Websense Inc, the employee Internet management software provider, has announced results of independent ‘Laptop Liabilities’ research, which suggests that European businesses are leaving themselves and their employees open to attack from the hidden dangers of the Internet. Of the 500 European work laptop users surveyed, many were found to be exposing their companies to legal and financial damage, as well as opening themselves up to their personal data being captured. Employees were found to be downloading nonwork-related software, allowing people outside of work to use their laptops, and many were using their laptops to surf peer-to-peer websites and download illegal music files and movies. These activities unwittingly allowed the spread of malicious code such as viruses and spyware and posed corporate security risks when the laptop was connected to the network. Just over half of the companies surveyed (55%) manage Internet access on laptops, but this breaks down to only a quarter enforcing this physically and 30% relying on their employees adhering to written policies. The fact that employees are downloading software remotely means that any network-based security measures are rendered useless, exposing business and personal data to key-loggers, hackers and phishing attacks. Commenting on the findings, Geoff Haggart, VP Europe for Websense said, ‘‘Our survey shows that mobile workers are unaware of many of the hidden dangers of the Internet. Not only do they not fully understand the risks of many of the activities they are doing on the Internet, but more worryingly, they are leaving themselves and their employers open to attack from all manner of malicious content. Companies need to educate and empower

CLSR briefing employees to ensure they are able to make conscious decisions to ensure safer surfing on their laptops e both in the office and at home.’’ In 2002 the number of European mobile workers stood at 80.6 million, with analyst group IDC anticipating that this will grow to 99.3 million by 2007. Whilst IT directors must consider the burden that any mobile security strategy might place on laptop users, potentially hindering their job function, they cannot ignore these worrying facts. Consequently, any organisation considering offering remote or mobile working to its employees must look to create a mobile security policy. Editor’s note The ELLS report is an independent report undertaken by Dynamic Markets on behalf of Websense Ltd, the provider of employee Internet management software. This report details quantitative research based on response from laptop users in companies with over 250 employees from the UK, Germany, France, Italy and the Netherlands. Before and during the interviews, respondents were not aware that Websense had commissioned the research. For Websense see: www.websense.com.

Cyber tax loophole for laptops Roy Maugham, tax partner at UHY Hacker Young has commented on a tax break for laptops. Shrewd bosses are profiting from a legitimate tax loophole that allows them to promote staff loyalty while avoiding the expense of cash bonuses. Generous employers can reward their employees with valuable computer equipment for private use without incurring expensive PAYE and National Insurance costs or passing on the burden of employee National Insurance. The employer retains the title to the goods, and classifies them as being ‘on loan’, thus bypassing the rules on conventional gifts and bonuses. However, the scheme only applies to computer equipment. Roy Maugham said: ‘‘Laptops are becoming a popular cost-efficient employee benefit. An employer who buys a £2000 laptop as a perk for a member of staff to use for work and as a perk can reclaim the VAT of £297.87. Furthermore, the employee receiving the equipment avoids both National Insurance charges of £220 and an income tax bill of up to £800, assuming it is returned to the employer within five years.’’ ‘‘Annual bonuses are proven to encourage staff loyalty and performance. In this way they can

9 offer even more value for money,’’ added Mr. Maugham.

Bank vetting procedures alone are not enough to stop criminals intent on insider fraud Detica, the specialist IT & fraud consultancy, has warned that banks which rely solely on new or improved vetting procedures will only succeed in weeding out a small proportion of potential insider fraudsters. This comes just a short time after warnings from the Financial Services Authority (FSA) that ‘‘organized’’ criminals are applying for jobs in finance firms to commit fraud. Imam Hoque, Head of the Technology Innovation Group at Detica, said: ‘‘Most organised crime syndicates use people with a ‘clean’ criminal record. This is backed up by statistics from the US Association of Certified Fraud Examiners stating that just 12% of fraudsters have a conviction for a fraud-related offence. As such, whilst better vetting is to be welcomed, it is not a stand-alone solution as most fraudsters appear to be honest individuals with good backgrounds. Financial institutions need to be much more proactive and make better use of the data they collect already to spot fraud patterns.’’ Detica advises financial institutions to follow a five-point plan:  Understand what types of fraud are already being perpetrated, then formalise the capture and categorisation of known crimes in order to set up effective anti-fraud policies.  Use the frauds you know about to heighten awareness of those you haven’t yet come across. By creating rules and employing monitoring techniques based on existing crimes, you can start to generate potential alerts. For example, if an insurer has established that fraudulent employees are accessing closed files to make further insurance claim payouts, a rule can be introduced to detect and draw attention to any closed file activity.  Pull together all available data e from computer log-on times to phone call usage e in order to spot odd trends or patterns of behaviours. The techniques used for this include data mining, trend analysis and clustering, and can provide valuable insight into discovering frauds you don’t know that you don’t know about.  Use searchable, electronic approaches to manage cases, as fraudsters repeat their behaviour

10 and evidence may only become conclusive over a period of time. Allow the system to be your memory.  Fully understand the impact of fraud on the business and have an ongoing process to keep policies and rules up-to-date through analysis. Hoque concluded: ‘‘This is about a more ‘holistic’ approach to detecting fraud. Because financial institutions already have to archive masses of data, the information they need to combat fraud is often there. It’s really just a question of being much smarter at working with existing systems and complementing these with sophisticated techniques to spot anomalies which could point to fraudulent activity.’’ Editor’s note Further information from: www.detica.com.

PWC 2004 Data Quality Survey finds organizations continue to lose money through poor quality data According to the PricewaterhouseCoopers Global Data Management Survey for 2004 of 452 companies in the US, UK and Australia, almost half of all respondents do not believe that senior management places enough importance on data quality. Surprisingly, board level engagement in data management issues has actually declined in the past three years, in spite of significant changes to global business operating environments triggered by events such as major corporate scandals and new regulatory compliance requirements Although 67% of all organizations surveyed claim to have a company-wide data management strategy in place, up from 63% in 2001, only two in five respondents are certain that their data management strategy has board approval. Again, only 59% of all respondents think that the senior management of their company place sufficient importance on data management. The survey also revealed that 63% of respondents consider privacy, security and compliance with external regulations as the most important business driver, further raising the questions as to why there has not been a more substantial increase in board-approved data strategies. Henry Kenyon, partner at PricewaterhouseCoopers commented: ‘‘The decline in board engagement with data management issues is at odds with companies increasing dependence on data. With corporations establishing objectives of improving their level of transparency, and the clear linkage

CLSR briefing between data quality and reporting accuracy, it is surprising that having a data quality strategy is not a priority for board level executives.’’ This year’s survey also highlighted the fact that most organizations still view data quality management as an IT issue. About two thirds of respondents with a data strategy claimed that responsibility for driving that strategy resided within IT. The remaining respondents assigned responsibility for data management to senior management within their organisation, such as the CFO, CEO managing director or corporate board. Over half of the respondents indicated that sharing of data to third parties is likely to increase over the next three years. Yet while respondents also indicated they are at least ‘‘somewhat’’ dependent on third party data, only 18% of respondents whose organizations share data with third parties were very confident in the quality of that data. Only 24% of companies claiming to use third party data are actually measuring the quality of that data. Fifty percent of respondents are at best only ‘fairly confident’ in others’ data while 24% express little to no confidence. Kenyon said: ‘‘With today’s collaborative e-commerce economy, it’s surprising that companies are not more formally engaged in validating the integrity of third party data. With an expected increase in the need to share data externally among companies, regulatory bodies and stakeholders, senior management must resolve to create and execute a strategic and actionable data quality program to validate not only data they receive from third parties, but the data they share with third parties.’’

Editor’s note The Global Data Management Survey 2004 interviewed the Chief Information Officer, IT director or equivalent executive at 450 companies across the US, UK and Australia. The sample included a broad mix of major ‘‘Top 500’’ corporations and middle-market businesses, providing a representative cross-section of corporate activity in each of the three countries. See: www.pwc.com/dataquality for report information.

UK domain name registry victorious in copyright court battle Nominet, the .uk Internet domain name registry, is celebrating success in its Australian court battle

CLSR briefing against several parties accused of copyright infringement and breaches of Australian fair trade laws by issuing misleading notices. The case was brought by Nominet against Chesley Rafferty and Bradley Norrish and three of their companies in the Federal Court of Australia following Nominet’s discovery in January 2003 that its WHOIS database had been the subject of concerted data mining attacks. This database is commonly used by Internet users to check who is the registrant of a domain name. The sheer scale of these assaults subsequently forced Nominet to suspend its WHOIS system for the only time in its six year history. The attacks captured details of many .uk domain name holders and resulted in 50,000 registrants receiving misleading notices from ‘‘UK Internet Registry’’ regarding their domain name registrations. Justice French said that the notices sent by UK Internet Registry were ‘‘nothing less than deceitful’’. The judgment of Justice French in the Federal Court is a powerful precedent for Nominet and domain name registries worldwide. The Court has confirmed and enforced Nominet’s copyright in the .uk Register and WHOIS database. The existence of these rights allows Nominet to prevent information on its databases being inappropriately used by third parties and reinforces Nominet’s authority to impose terms and conditions on the use of the data it holds. ‘‘We are delighted by this result, particularly as it upholds our ability to protect information relating to .uk registrants,’’ said Nominet Managing Director, Lesley Cowley. ‘‘Naturally, we want to control use of the intellectual property that we hold and to have succeeded in protecting our copyright ownership is a significant outcome for us, the industry globally and for registrants who do not want to receive scam notices. By fighting, and winning, this case we are saying very clearly that scamming is a serious industry issue which will not be tolerated and anyone caught doing it will be pursued and brought to justice.’’ Editor’s note Nominet UK is the national registry for all Internet domain names ending in .uk. Its purpose is the management of this central database, for all users of .uk domain names. Nominet is a not-for-profit company limited by guarantee. Nominet has over 2800 members representing all areas of the Internet industry and is recognised as the .uk domain name registry by the Internet industry and the UK Government.

11

United States District Court finds violation of DMCA in demand to take down protective material Online Policy Group v. Diebold Inc. (No. C 03 04913 JF USDC ND Ca. 30 September 2004) The US District Court for the Northern District of California has ruled that defendants Diebold Inc and Diebold Election Systems (Diebold) violated the Digital Millennium Copyright Act (DMCA) 1998 in demanding that plaintiff’s Online Policy Group (OPG) and others remove an email archive from their website which was subject to the ‘‘fair use’’ exception. The plaintiffs were students who used Internet access provided by their college to post on various websites an email archive containing internal emails exchanged among Diebold employees that contained evidence that some employees had acknowledged problems associated with the electronic voting machines produced by their employer. An online newspaper IndyMedia published an article criticising Diebold’s electronic voting machines and contained hyper-link to the email archive. Plaintiff (OPG) provided IndyMedia’s Internet access and OPG in turn obtained Internet access from an upstream Internet Service Providers (ISPs) e Hurricane Electric. In response to the activities of the plaintiffs and in an alleged effort to prevent further public viewing of the email archive, Diebold sent cease and desist letters to many ISPs including Swarthmore, OPG, and Hurricane, pursuant to the safe harbor provisions of the Digital Millennium Copyright Act (DMCA). Swarthmore, OPG and Hurricane were advised that, pursuant to these provisions, they would be shielded from a copyright infringement suit by Diebold if they disabled access or removed the allegedly infringing material. Swarthmore thereafter advised students Pavlosky and Smith to remove the email archive from their website. At the same time, Hurricane notified OPG that it might be required to terminate OPG’s Internet access if IndyMedia’s hyper-link to the email archive was not removed. Hurricane agreed, however, not to act during the pendency of the present action, and consequently OPG did not disable access or remove any material. Diebold had not filed law suits related to the publication of the archive but plaintiffs Smith, Pavlosky and OPG nonetheless sought injunctive declaratory and monetary relief from the court alleging that Diebold’s claim of copyright infringement was based on knowing material misrepresentation and that Diebold had interfered with the plaintiffs’ contractual

12 relations and their respective ISPs. The plaintiffs sought a judicial declaration that publication of the email archive hosting or providing colocation services to web sites that linked to allegedly infringing material, and provided Internet services to others who hosted websites that linked to allegedly infringing material were lawful activities. Section 202 of the DMCA contains various nonexclusive safe harbors designed to limit the liability of ISPs for incidental acts of copyright infringement. It provides: ‘‘immunity to ISPs that satisfy the conditions of eligibility [see 17 U.S.C. section 512(i)] from copyright infringement liability for ‘passive’, ‘automatic’ actions in which [an ISP’s] system engages through a technological process initiated by another without the knowledge of the ISP’’ (ALS Scan Inc. v. RemarQ Communities Inc. 239 F.3d 619, 625 (4th Cir. 2001)). Once the ISP had actual knowledge of the infringing material it lost the safe harbor protections unless it complied with the DMCA. At court Diebold had presented that it had withdrawn and in future would not send a ‘cease and desist’ letter pursuant to the DMCA to any ISP concerning the email archive. However, the plaintiffs’ claims for damages, attorney fees and costs relating to Diebold’s past use of DMCA’s safe harbor provisions still required adjudication. At the hearing on plaintiffs’ motion for preliminary injunction, Diebold’s counsel asserted that portions of the email archive contained material that was copyrighted and had no ‘‘public interest’’ value. The email archive had been posted or hyper-linked for the purpose of informing the public about the problems associated with Diebold’s electronic voting machines. In the court’s view it was hard therefore to imagine a subject the discussion of which could be more in the public interest: ‘‘If Diebold’s machines in fact do tabulate voters’ preferences incorrectly, the very legitimacy of elections would be suspect. Moreover, Diebold has identified no specific commercial purpose or interest affected by publication of the email archive, and there is no evidence that such publication actually had or may have any effect on the putative market value, if any, of Diebold’s allegedly copyrighted material. Even if it is true that portions of the email have commercial value, there is no evidence that plaintiffs have attempted or intended to sell copies of the email archive for profit.’’ The plaintiffs’ use of the archive was to support criticism that was in the public interest and not to develop electronic voting technology. The plaintiffs argued that Diebold had ‘‘knowingly materially misrepresented’’ the publication of the archive and that this constituted copyright

CLSR briefing infringement and was therefore liable for damage pursuant to 17 U.S.C. section 512(f). On this point the court agreed that Diebold had materially misrepresented that the plaintiffs had infringed its copyright interest at least with respect to the portions of the archive that were subject to the fair use exception. No reasonable copyright holder could have believed that the portions of the archive discussing possible technical problems with Diebold’s voting machines were protected by copyright, and there was no genuine issue of fact that Diebold knew e and indeed that it specifically intended e that its letters to OPG and Swarthmore would result in prevention of that content. The misrepresentations had been material in that they resulted in the removal of the content from the web site and the initiation of the present law suit: ‘‘The fact that Diebold never actually brought suit against alleged infringers suggest strongly that Diebold sought to use the DMCA’s safe harbor provisions e which were designed to protect ISPs, not copyright holders as a sword to suppress publication of embarrassing content rather that as a shield to protect its intellectual property’’. The court granted the plaintiffs’ motion with respect to its claim under 17 U.S.C. section 512(f).

Anticircumvention provisions of DMCA held in check Chamberlain Group, Inc v. Skylink Technologies, Inc. (No. 04-1118 Fed. Cir., 31 August 2004). The United States Court of Appeals for the Federal Circuit has ruled that the District Court was correct in its construction of the Digital Millennium Copyright Act (DMCA) as placing a burden on plaintiffs to prove that any circumvention of its technological measures by others amounted to unauthorized access to its copyrighted software. Plaintiff Chamberlain sued Skylink alleging violations of patent and copyright laws. The court granted Skylink’s motion for summary judgment on the DMCA claim but dismissed all other counts. The technology at issue involved garage door openers (GDOs). A GDO consisted of a hand-held portable transmitter and a garage door opening device mounted into a homeowner’s garage. The opening device in turn includes both a receiver with associated signal processing software and a motor to open or close the garage door. When a homeowner purchased a GDO system the manufacturer provided both an opener and a transmitter. Homeowners who desired replacement or

CLSR briefing spare transmitters could purchase them in the aftermarket. Such consumers had long been able to purchase universal transmitters that they could program to interoperate with the GDO system regardless of make or model. Skylink and Chamberlain were the only significant distributors of universal GDO transmitters. Chamberlain placed no explicit restrictions on the types of transmitter that a homeowner might use with its system at the time of purchase. Its customers therefore assumed that they enjoyed all of the rights associated with the use of their GDOs and any software embedded therein that the copyright laws and other laws of commerce provided. The dispute involved Chamberlain’s ‘SecurityC’ line of GDOs and Skylink’s ‘Model 39’ universal transmitter. Chamberlain’s SecurityC GDOs incorporated a copyright rolling code computer program that constantly changed the transmitter signal needed to open the garage door. Skylink’s model 39 transmitter did not incorporate a rolling code but, nevertheless, allowed users to operate SecurityC openers. Chamberlain alleged that Skylink’s transmitter rendered the SecurityC insecure by allowing unauthorized users to circumvent the security inherent in rolling codes. Of greatest legal significance was Chamberlain’s contention that, because of this property of the Model 39, Skylink was in violation of the anti-trafficking clause of the DMCAs anticircumvention provisions under section 1201(a)(2). Although the parties disputed whether or not Skylink had developed the Model 39 independent of Chamberlain’s copyrighted products, the court noted that Chamberlain had not alleged either that Skylink infringed its copyright or that it was liable for contributory copyright infringement. What Chamberlain alleged was that, because its opener and transmitter both incorporated computer programs protected by copyright and because rolling codes of technological measures that control access to those programs, Skylink was prima facie liable for violating section 1201(a)(2). The District Court concluded that because Chamberlain had never restricted its customers’ use of competing transmitters with its SecurityC line, those customers had implicit authorization to use Skylink Model 39. Because of that implicit authorization, Chamberlain could not possibly meet its burden of proving that Skylink trafficked in a device designed to circumvent a technological measure to gain unauthorized access to Chamberlain’s copyrighted computer programs. The District Court therefore granted Skylink’s motion for summary judgment on Chamberlain’s DMCA claim. Chamberlain then appealed the District Court’s

13 judgment which was the subject of the present consideration. On appeal Chamberlain argued that Skylink violated the prima facie requirement of anti-trafficking and that Skylink had not seriously disputed that the operation of its transmitters bypassed Chamberlain’s rolling code security measure to gain access to its copyrighted GDO receiver operating software. Chamberlain also challenged the District Court’s assertion that the burden of proof that access was unauthorized belonged to the plaintiff rather than placing the burden on the defendant to prove that the access was authorized. With the burden thus shifted, Chamberlain argued that Skylink had failed to meet it and that the District Court’s grant of summary judgment was therefore in error. In reply Skylink asked the court to adopt both the District Court’s construction and its application to the facts of the case. It urged the court not to place the burden of proving authorization on the defendant arguing that it would be tantamount to reading a new authority requirement into the DMCA. On consideration of this issue the Federal Court of Appeals noted that the most significant and consistent issue running through the entire legislative history of the anticircumvention and antitrafficking provisions of the DMCA (Section 1201(a)(1), (2)) was Congress’ attempt to balance competing interests. It had endeavoured to specify, with as much clarity as possible, how the right against anticircumvention would be qualified to maintain balance between the interests of content creators and information users. The crux of the present dispute over statutory construction, therefore, stems from a dispute over the precise balance between copyright owners and users that Congress captured in the DMCA’s language. The aim of Congress in drafting these provisions was to help bring copyright law into the information age: ‘‘Advances in digital technology over the past few decades have stripped copyright owners of much of the technological and economic protection to which they had grown accustomed. Whereas large scale copying and distribution of copyrighted material used to be difficult and expensive, it is now easy and inexpensive. The Reimerdes court [University City Studios v. Reimerdes, 111 F.Supp. 2d 294 (S.D.N.Y. 2000)] correctly noted both the economic impact of these advances and their consequent potential impact on innovation. Congress therefore crafted legislation restricting some, but not all, technological measures designed either to access a work protected by copyright (section 1201(a)) or to infringe a right of a copyright owner (section 1201(b)).’’

14 On this view circumvention was not a new form of infringement but a new violation prohibiting actions or products that facilitated infringement. Chamberlain had urged the court to read the DMCA as if Congress has created a new protection for copyright works without any reference either to the protections the copyright owners already possessed or to the rights that the Copyright Act granted to the public. Chamberlain had not alleged that Skylink’s Model 39 infringed its copyrights, nor did it allege that the Model 39 contributed to third party infringement of its copyrights. Chamberlain’s allegation was more straightforward, namely that the only way for the Model 39 to interoperate with SecurityC GDO was by accessing copyrighted software. Skylink had, therefore, committed a per se violation of the DMCA. On this basis Chamberlain urged the court to conclude that no necessary connection existed between access and copyright. In the court’s view Congress ‘‘Could not have intended such a broad reading of the DMCA.’’ Neither could Chamberlain rely on the Reimerdes decision e a case involving the same statutory provision. Though Chamberlain was correct in considering that some of its language was supportive, it was the differences between the cases rather than their similarities that were most instructive in demonstrating precisely what the DMCA permitted and what it prohibited. In Reimerdes a group of movie studios sought an injunction under the DMCA to prohibit illegal copying of digital versatile discs (DVDs). The plaintiffs presented evidence that each motion picture DVD included a content scrambling system (CSS) that permitted the film to be played, but not copied, using DVD players that incorporated the plaintiffs’ licensed decryption technology. The defendant provided a link on his website that allowed an individual to download DeCSS, a program that allowed the user to circumvent the CSS protective system and to view or copy a motion picture from a DVD, whether or not the user had a DVD player with the licensed technology. In this case Chamberlain’s proposed construction of the DMCA ignored the significant differences between defendants whose accused products enabled copying and those, like Skylink, whose products enabled only legitimate uses of copyrights software. Chamberlain’s repeated reliance on language targeted at the defendants, trumpeting their electronic civil disobedience apparently led it to misconstrue significant portions of the DMCA. Many of Chamberlain’s assertions in its Brief to this court ‘‘conflate the property right of copyright with the liability that the anticircumvention provisions impose’’. If

CLSR briefing section 1201(a) allowed copyright owners to use technological measures to block all access to their copyrighted works it would effectively create two distinct copyright regimes. In the first, the owners of a typical work protected by copyright, would possess only the rights enumerated in 17 U.S.C. section 106, subject to the additions, exceptions and limitations outlined in the rest of the Act including fair use provisions of section 107. Such owners who used technological measures to protect their works would gain the additional ability to hold traffickers in circumvention devices liable under section 1201(b) for putting their rights at risk by enabling circumventors who use these devices to infringe. Under the second regime that Chamberlain’s construction implied, the owners of a work protected by both copyright and a technological measure that controlled access to a work under section 1201(a) would possess unlimited rights to hold circumventors liable under that section merely for accessing that work, even if that access enabled only rights that the Copyright Act granted to the public. Such an implied regime would be problematic for as stated by the Supreme Court in Eldred v. Ashcroft (537 U.S. 186, 205 n.10 (200)) ‘‘. it is Congress that has been assigned the task of defining the scope of the limited monopoly that should be granted to authors . in order to give the public appropriate access to their work product.’’ In the court’s view: ‘‘Chamberlain’s proposed construction of section 1201(a) implied that in enacting the DMCA, Congress attempted to give the public appropriate access to copyrighted works by allowing copyright owners to deny all access of the public. Even under the substantial deference due Congress, such a redefinition borders on the irrational’’. In a similar vein: ‘‘Chamberlain’s proposed construction would allow any manufacture of any product to add a single copyrighted sentence or software fragment to its product, wrap the copyrighted materials in a trivial encryption scheme, and thereby gain the right to restrict consumers’ rights to use its products in conjunction with competing products. In other words, Chamberlain’s construction of the DMCA would allow virtually any company to attempt to leverage its sales into aftermarket monopolies e a practice that both the antitrust laws, (Eastman Kodak Co. v. Image Tech. Servs., 504 U.S. 451, 455 (1992)) and the doctrine of copyright misuse, Assessment Techs of WI, LLC v. WIREdata, Inc., 350 F.3d 640, 647 (7th Cir. 2003)) normally prohibit.’’ The court concluded that DMCA did not create any property right for copyright owners, nor did it divest the public of the property rights that the

CLSR briefing Copyright Act has long granted to it. There had to be a reasonable relationship between the circumvention at issue and a use relating to a property right for which the Copyright Act permitted the owner to withhold authorization. A copyright owner seeking to impose liability on an accused trafficker would need to demonstrate that the trafficker’s device enabled either copyright infringement or a prohibited circumvention. In this case the District Court had correctly ruled that Chamberlain had pleaded no connection between unauthorized use of its copyrighted software and Skylink’s accused transmitter. Disconnection was critical to sustaining a cause of action under the DMCA. The court, therefore, affirmed the District Court’s summary judgment in favour of Skylink.

DOJ task force reports on intellectual property A task force of the Department of Justice has published a report on the growing threat of intellectual property crime in the United States. The task force was entrusted to examine all of the DOJ’s intellectual property efforts and to explore methods whereby the department could strengthen its protection of the nation’s intellectual resources. The task force formed five working groups to explore specific areas and these were criminal enforcement, international corporation, civil and antitrust enforcement, legislation and prevention. In the course of its work the task force also consulted other government agencies and gathered information from multiple sources outside the government including victims of intellectual property theft, creators of intellectual property, community groups and academia. The recommendations outlined in the report are substantive and propose tangible methods for the DOJ to expand and enhance its efforts in relation to intellectual property protection. In addition to recommendations regarding civil and antitrust enforcement of IP laws the task force’s proposals include: charging and prosecuting all IP crimes whenever Federal law applies, including organized crime, fraud and illegal importation cases, in addition to strengthening the Justice Department’s ability to bring those cases; updating the legal tools that help the US to charge IP criminals oversees under American law; encouraging respect for IP rights through youth education programs; and increasing co-operation with individuals, businesses and industries that have been victimised by IP theft.

15 Editor’s note The Report of the Department of Justice’s Task Force and Intellectual Property (October 2004) is available from the DOJ website at: www.usdoj. gov. Intellectual property industries make up approximately 6% of the gross domestic product in the US employing more than five million people and contributing $626 billion to the US economy.

EPIC and Privacy International publish the 2004 Global Privacy and Human Rights Report This annual report by the Electronic Privacy Information Center and Privacy International has been published reviewing the state of privacy in over 60 countries around the world. It outlines legal protections for privacy, and summarizes important issues and events relating to privacy and surveillance. Each country report covers the constitutional, legal and regulatory framework protecting privacy and the surveillance of communications by law enforcement, new landmark court cases, advocacy work of non-governmental organizations (NGOs) and human rights groups, various new developments, and major news stories related to privacy. A major focus of the 2004 report has been to document the effects of the terrorist attacks of 11 September 2001 and subsequent ones on the state of privacy and civil liberties in the world between June 2003 and June 2004. In response to the need for security those events created, many countries around the world have pursued policy and legislative efforts that aim at increasing identification schemes and the surveillance of communications for law enforcement and national security agencies, which weaken data protection regimes, and intensify data sharing and collection practices, thanks to a growing co-operation between government entities and the private sector. Among the issues identified in the Report are the new governmental measures to combat terrorism whereby most governments have pursued policies to identify people travelling across national borders. New anti-terrorism laws and governmental measures are providing for increased search capabilities and sharing of information among law enforcement authorities. Secondly, governments have not limited themselves to these measures. Recent areas of interest for surveillance technologies, for example, have included video surveillance, smart cards and DNA and health information databases. A few countries have pursued censorship policies as a means to control

16 people’s activities, especially online. Thirdly, there has been an increase in private sector surveillance whereby private companies have engaged in various practices, including the use of radio frequency identification technologies and video surveillance. Fourthly, new data protection law and data protection authorities have been established including within the 10 new member states of the European Union. New data protection laws or pending bills dealing with the processing or medical or health care personal information are also permanent in a number of countries including Bulgaria, Japan, Ukraine and Uruguay. Other aspects of the Report cover recent developments such as spam and cases of mismanagement of personal data; the activities of civil liberty groups and non-governmental organizations in their opposition to privacy intrusions; developments in open government; and action of international governmental organizations in developing counter-terrorism policy tools and mechanisms for national policy discourse on laws aimed at combating terrorism. Privacy International’s director, Simon Davies, said the Report highlighted a ‘‘disturbing’’ trend towards greater state power. ‘‘Governments are systematically removing the right to privacy. Surveillance of every type is being instituted throughout society without any thought about the need for safeguards. The spectre of terrorism has at last become the device that any government can deploy to entrench the powers they always sought. The situation has become a dangerous farce’’.

Editor’s note The Seventh Annual Privacy and Human Rights Survey is published by Privacy International and the US based Electronic Privacy Information Center. The 800 page Report is available free of charge at: www.privacyinternational.org/survey/phr2004.

FTC cracks down on spyware operation The Federal Trade Commission has asked a U.S. District Court to shut down a spyware operation that hijacks computers, secretly changes their settings, barrages them with pop-up ads, and installs adware and other software programs that spy on consumers’ Web surfing. The spyware may cause computers to malfunction, slow down, or even crash. The FTC alleges the spyware operation violates federal law and will ask the court to bar the practices permanently and order the defendants to give up their ill-gotten gains. ‘‘Consumers don’t deserve to be pestered and spied on by people who illegally hijack their

CLSR briefing computers,’’ said Lydia Parnes, Acting Director of the FTC’s Bureau of Consumer Protection. We’re putting purveyors of spyware on notice: This is our first spyware case, but it won’t be our last.’’ Earlier last year, the FTC received a complaint from the Center for Democracy and Technology concerning pop-up ads for ‘Spy Wiper’ and ‘Spy Deleter’. In response to this complaint and other information, the Commission commenced an investigation of Seismic Entertainment Productions, Inc., Smartbot.Net, and Sanford Wallace. Since December 2003, they have operated Web sites that distribute spyware. According to the FTC, the defendants used a variety of techniques to direct consumers to their Web sites. At these Web sites, consumers had spyware downloaded onto their computers. The spyware attacks a feature of Internet Explorer’s Web browser to download software, so consumers receive no notice that it is being installed and do not consent to its installation. The spyware changed the consumers’ home pages, changed their search engines, and triggered a barrage of pop-up ads. According to the FTC, the spyware also installed additional software, including spyware that can track the computer use of consumers. As a result of the spyware and other software the defendants installed, many computers malfunctioned, slowed down, or crashed, causing consumers to lose data stored on their computers. Having created serious problems for consumers, the defendants then offer to sell them a solution. The spyware causes the CD-ROM tray on computers to open, and then tells consumers ‘‘FINAL WARNING!! If your cd-rom drive(s) open. You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you fail to protect your computer right at this moment! Download Spy Wiper NOW!’’ Spy Wiper and Spy Deleter, another purported anti-spyware product the defendants promoted, were sold for approximately $30. The FTC charged that the defendants engaged in unfair acts and practices in violation of the FTC Act in connection with downloading spyware onto the computers of consumers. The agency alleged that the defendants acted unfairly in downloading software without any notice or authorization that modified the Web browser to change consumers’ home pages and search engines and that downloaded additional software (including spyware) that caused harm to consumers. The FTC also charged that the defendants acted unfairly in downloading spyware that caused serious harm to consumers, thereby compelling them either to purchase the anti-spyware product the defendants offer or spend substantial time and money to fix their computers.

CLSR briefing The defendants received a commission on the sales of anti-spyware products that result from their activities. The FTC has asked the court to issue an order preventing the defendants from disseminating spyware and giving up their ill-gotten gains. Editor’s note The FTC has issued tips for consumers to help them prevent spyware from being installed on their machines. Experts at the FTC and across the technology industry suggest that you:  Update your operating system and Web browser software. Your operating system (like Windows or Linux) may offer free software ‘‘patches’’ to close holes in the system that spyware could exploit.  Download free software only from sites you know and trust. It can be appealing to download free software like games, peer-topeer file-sharing programs, customized toolbars, or other programs that may change or customize the functioning of your computer. Be aware, however, that some of these free software applications bundle other software, including spyware.  Don’t install any software without knowing exactly what it is. Take the time to read the end-user licence agreement (EULA) before downloading any software. If the EULA is hard to find e or difficult to understand e think twice about installing the software.  Minimize ‘‘drive-by’’ downloads. Make sure your browser security setting is high enough to detect unauthorized downloads, for example, at least the ‘‘Medium’’ setting for Internet Explorer. Keep your browser updated.  Don’t click on any links within pop-up windows. If you do, you may install spyware on your computer. Instead, close pop-up windows by clicking on the ‘‘X’’ icon in the title bar.  Don’t click on links in spam that claim to offer anti-spyware software. Some software offered in spam actually installs spyware.  Install a personal firewall to stop uninvited users from accessing your computer. A firewall blocks unauthorized access to your computer and will alert you if spyware already on your computer is sending information out. If you think your computer might have spyware on it, experts advise that you take three steps: get an anti-spyware program from a vendor you know and trust. Set it to scan on a regular basis e at least once a week e and every time you start your

17 computer, if possible. And, delete any software programs the anti-spyware program detects that you don’t want on your computer. For more information see: www.ftc.gov/infosecurity.

Nineteen individuals indicted in Internet ‘Carding’ conspiracy Attorney General John Ashcroft, has announced the indictment of 19 individuals who are alleged to have founded, moderated and operated ‘‘www.shadowcrew.com’’ e one of the largest illegal online centers for trafficking in stolen identity information and documents, as well as stolen credit and debit card numbers. The 62-count indictment, returned by a federal grand jury in Newark, New Jersey in October, alleges that the 19 individuals from across the United States and in several foreign countries conspired with others to operate ‘‘Shadowcrew,’’ a website with approximately 4000 members that was dedicated to facilitating malicious computer hacking and the dissemination of stolen credit card, debit card and bank account numbers and counterfeit identification documents, such as drivers’ licences, passports and Social Security cards. The indictment alleges a conspiracy to commit activity often referred to as ‘‘carding’’ e the use of account numbers and counterfeit identity documents to complete identity theft and defraud banks and retailers. The indictment is a result of a year-long investigation undertaken by the United States Secret Service, working in co-operation with the U.S. Attorney’s Office for the District of New Jersey, the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, and other U.S. Attorneys’ offices and law enforcement agencies. The undercover investigation led to the arrests of 21 individuals in the United States on criminal complaints earlier this week. Additionally, several individuals were arrested in foreign countries in coordination with the domestic arrests. The indictment charges that the administrators, moderators, vendors and others involved with Shadowcrew conspired to provide stolen credit card numbers and identity documents through the Shadowcrew marketplace. The account numbers and other items were allegedly sold by approved vendors who had been granted permission to sell by operators and moderators of the Shadowcrew site after completing a review process. Shadowcrew members allegedly trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million dollars. Victims of ‘‘carding’’ can include banks and credit card companies,

18 which often suffer significant financial losses due to fraud, as well as individuals whose identities and credit histories are damaged by such identity theft. Attorney General Ashcroft said: ‘‘Identity theft carries a heavy price, both in the damage to individuals whose identities are stolen and the enormous cost to America’s businesses. This indictment strikes at the heart of an organization that is alleged to have served as a one-stop marketplace for identity theft. The Department of Justice is committed to taking on those who deal in identity theft or fraud, whether they act online or off.’’ Secret Service Director W. Ralph Basham said: ‘‘Information is the world’s new currency. These suspects targeted the personal and financial information of ordinary citizens as well as the confidential and proprietary information of companies engaged in e-commerce.’’

International ICANN takes steps to move VeriSign contract dispute from litigation to arbitration ICANN has initiated efforts to enforce the arbitration clause of VeriSign’s .net Registry Agreement and move the VeriSign lawsuit into an international arbitration forum. ICANN has filed its demand for arbitration pursuant to the terms of the current .NET Registry Agreement and in response to litigation VeriSign re-initiated in a California state court following the US Federal District Court’s dismissal of its antitrust allegations earlier this year. ICANN is hopeful that the arbitration proceeding will provide a quick and efficient resolution to the outstanding dispute between the parties. ICANN sent its arbitration demand to the International Chamber of Commerce in Paris which is designated within the current .NET agreement as the arbitration forum for disputes arising relating to the terms of that agreement. In addition to ICANN’s arbitration demand, ICANN has filed an answer to VeriSign’s California state court complaint, and also a counterclaim asking the court to find that VeriSign is in breach of its .COM registry agreement with ICANN. ICANN has also asked the court to stay the .COM litigation initiated by VeriSign until the conclusion of the .net arbitration, since the arbitration will examine and resolve the same issues. John Jeffrey, ICANN’s General Counsel said: ‘‘ICANN’s goal is to resolve this dispute as quickly and efficiently as possible, for the benefit of the Internet Community. When VeriSign chose to file

CLSR briefing a lawsuit in federal district court in Los Angeles alleging antitrust violations by ICANN and seeking a declaratory judgment with respect to various disputes about the interpretation of the .com Registry Agreement, ICANN was not in a position to insist that those disputes be arbitrated. Subsequently, VeriSign’s antitrust claims were dismissed with prejudice by the district court, which removed any jurisdictional basis for that court to resolve the contract disputes. VeriSign then re-filed its contract claims in state court.’’ ICANN has said that it is ‘‘aware that this is not a private dispute but one in which has a direct impact on the Internet Community, which has an important stake in the outcome of these matters. At the heart of this dispute is the form of agreement between ICANN and Verisign. Registry agreements provide for the Internet community (through ICANN) to oversee the operation of monopoly top-level domains (TLDs) to ensure that they are operated for the benefit of the community. Through arbitration, ICANN expects to have the Registry Agreements terms affirmed, while minimizing the costs imposed by the litigation.’’ Editor’s note ICANN is an internationally organized, public benefit non-profit responsible for co-ordinating Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) and country code (ccTLD) toplevel domain name system management, and root server system management functions. For more information see: www.icann.org.

United Nations establishes working group on Internet governance Secretary-General Kofi Annan has announced the establishment of the Working Group on Internet Governance. The Working Group will prepare the ground for a decision on this issue by the second phase of the World Summit on the Information Society, to be held in Tunis in November 2005. The Secretary-General was requested to establish a working group on Internet governance by the first phase of the World Summit on the Information Society held in Geneva in December 2003. The task of this Working Group is to organize an open dialogue on Internet Governance, among all stakeholders, and to bring recommendations on this subject to the second phase of the Summit. The two documents adopted by the Geneva Summit e the Declaration of Principles and the Plan of Action e asked the Working Group ‘‘to

CLSR briefing investigate and make proposals for action, as appropriate, on the governance of the Internet by 2005’’. The Group was requested to:  develop a working definition of Internet governance;  identify the public policy issues that are relevant to Internet governance; and  develop a common understanding of the respective roles and responsibilities of governments, international organizations and other forums, as well as the private sector and civil society from both developing and developed countries. The Working Group on Internet Governance will be chaired by Nitin Desai, Special Adviser to the Secretary-General for the World Summit. It includes 40 members from governments, private sector and civil society, representing all regions. ‘‘The Working Group is not a negotiating forum’’, said Mr. Desai. ‘‘Its purpose is to facilitate the negotiations that will take place in Tunis. We come into this process as facilitators, and will strive to establish a dialogue of good faith among all participants.’’ The two Summit documents call for an ‘‘open and inclusive’’ process and ‘‘a mechanism for the full and active participation of governments, the private sector and civil society from both developing and developed countries, involving relevant intergovernmental and international organizations and forums’’. On the basis of these guidelines, the Working Group will hold regular consultations and will seek to make the best possible use of electronic working methods, including online consultations. The first meeting of the Working Group took place in Geneva in November. Markus Kummer, Executive Co-ordinator of the United Nations secretariat of the Working Group said: ‘‘There is a general convergence of views on the need to treat Internet governance from a broad perspective and to build on what has been done elsewhere. Issues that we expect to address include the management of Internet resources, network security, cyber crime, spam and multilingualism.’’ The report of the Working Group is expected to be submitted to the Secretary-General in July 2005 and will be made available to the WSIS second phase in Tunis.

Report on privacy implications of the USA Patriot Act released Information and Privacy Commission for British Columbia David Loukidelis has released his office’s

19 advisory report on the privacy implications of the USA Patriot Act. The Office of the Information Commissioner’s report follows 10 weeks of research and analysis triggered in 2004 by a BC Government & Service Employees Union lawsuit that raised concerns about personal information in the custody of a US linked outsource provider located in Canada being vulnerable to secret disclosure to the FBI under the USA Patriot Act. The report concludes that outsourcing of public services to the private sector is not prohibited by the Freedom of Information and Protection of Privacy Act, but that, because there is a ‘‘reasonable possibility’’ of unauthorized disclosure of British Columbians’ personal information under the USA Patriot Act, ‘‘rigorous other measures must be put into place to mitigate against illegal and surreptitious access.’’ Loukidelis added that the report contains ‘‘significant recommendations for protecting British Columbians’ personal information in the possession of private contractors from disclosure to the FBI under the USA Patriot Act.’’ He noted that, ‘‘A number of our recommendations go beyond the measures the government recently introduced through Bill 73’’, the Freedom of Information and Protection of Privacy Amendment Act, 2004. Among the report’s 16 recommendations are the following:  Legislation should be passed to make it an offence for a public body or a contractor to disclose personal information or send it outside Canada in response to a foreign court order, subpoena or warrant, with violation being punished by a fine of up to US$1 million or a term of imprisonment, or both.  Public bodies should be required to ensure that outsourcing contracts contain provisions designed to preclude control by a US company over records containing British Columbians’ personal information.  The British Columbia government should adopt a litigation policy under which it will initiate or participate in legal proceedings abroad, including the US, to resist demands for personal information of British Columbians made by a US or other foreign court or agency.  The British Columbia government and government of Canada should seek assurances from relevant US officials that they will not attempt to access, under the USA Patriot Act, personal information of British Columbians located in British Columbia.  There should be an immediate and comprehensive audit of interprovincial, national and

20 transnational information sharing agreements affecting all public bodies in British Columbia.  There should be an immediate and comprehensive audit of all operational and planned data mining activities by all public bodies in British Columbia.  Legislated controls should be passed to deal with information sharing and data mining activities, in order to better protect privacy and ensure transparency around these activities. In releasing the report, Loukidelis said, ‘‘We have considered the complex issues with great care and tried to offer as responsible and effective a set of recommendations as we can. Our review of the USA Patriot Act and the outsourcing of public services in British Columbia has caused us to confront the most challenging and important privacy issues my office has faced since I took this job just over five years ago,’’ the Commissioner stated. ‘‘Privacy risks don’t come only from the US.’’ He added. ‘‘Canada’s laws contain powers similar to those in the USA patriot Act. When government enacts strong national security measures, it need to make sure that human rights e including privacy rights e continue to be protected. In Canada, we have to be sure that national security powers are not used for ordinary law enforcement purposes. We have to watch for blurring of the lines between national security and ordinary law enforcement powers. This is why the upcoming Parliamentary review of the Anti-terrorism Act must ensure that the law properly balances public safety with privacy rights.’’ Editor’s note The full text of the report can be found through ‘What’s New’ at: www.oipc.bc.ca.

WIPO Committee accelerates work on the protection of broadcasting organizations Member states of the World Intellectual Property Organization (WIPO) have advanced towards development of a treaty to update intellectual property standards for broadcasters in the digital age, following a meeting of the 12th session of the Standing Committee on Copyright and Related Rights (SCCR) in Geneva during November 2004. Delegates made substantial progress in narrowing differences on key issues contained in a Revised Consolidated Text of treaty proposals and member states called for accelerated progress towards conclusion of the Treaty. Noting the central role of broadcasting in developing countries, SCCR Chairman, Mr. Jukka

CLSR briefing Liedes of Finland, said that ‘‘Broadcasters are motors of social, economic and cultural development. Progress during the SCCR session was quite promising, as member states’ positions showed increased flexibility and a will to move forward towards the formal treaty negotiation process.’’ Under the Chair’s conclusions, consultation meetings will be organized by the secretariat over the next few months in Geneva and in regions where requested by member states. The Chair will prepare a second Revised Version of the Consolidated Text and a working paper to address whether and how protection should extend to webcasters, entities that transmit over the Internet either directly or as an adjunct to traditional broadcasting activities. Consensus was also sought on the scope and duration of rights under the Treaty. Some delegations wanted to limit protection to the rights needed to fight signal piracy. On duration of rights, support was shown for a term of protection of 20 years. Proposals of most member states call for a 50-year term of protection. ‘‘Most member states are confident that differences on these key issues can be narrowed in the final negotiating process. The next session of the Standing Committee will take into account the progress made in regional consultations, paving the way for the adoption of a new treaty,’’ said Mrs. Rita Hayes, Deputy Director General who oversees WIPO’s work in the copyright field. Updating the IP rights of broadcasters, currently provided by the 1961 Rome Convention on the Protection of Performers, Producers of Phonograms and Broadcasting Organizations, began at WIPO in 1997. A growing signal piracy problem in many parts of the world, including piracy of digitized pre-broadcast signals, has made this need more acute. In a move applauded by consumer and user groups, the SCCR agreed to place on the agenda of the next session of the SCCR an item proposed by Chile concerning exceptions and limitations to rights for the purposes of education, libraries and disabled persons. Before the SCCR, an information session on the protection of audiovisual performances took place, featuring a presentation by Professor Andre ´ Lucas from Nantes University, France, on the transfer of rights of audiovisual performers to producers. Numerous delegations, and representatives of intergovernmental and non-governmental organizations expressed interest in making headway on outstanding issues left over from the Diplomatic Conference on the protection of audiovisual performances in December 2000.

CLSR briefing

ICANN Domain Name transfer policy becomes effective The Internet Corporation for Assigned Names and Numbers (ICANN) has announced that its new inter-registrar domain name transfer policy has gone into effect. The new policy was created through ICANN’s ‘‘consensus-based, bottom-up policy development process’’ and approved unanimously by both ICANN’s Generic Names Supporting Organisation (GNSO) and its Board of Directors. Similar to how telephone number portability works in many countries, enhanced domain name portability will provide for greater consumer and business choice, enabling domain name registrants to select the registrar that offers the best services and price. The new policy also simplifies and standardises the process to prevent abuses and provide clearer user information about the transfer process and options. The policy was originally announced on 12 July 2004. Central to the new policy will be its efforts to provide strong protections against unauthorized transfers and to facilitate choice in domain name registration. All registrars will now be required to use a clear standardised form of authorization that provides for the express consent of the domain name registrant prior to the initiation of any transfer. Additional policy elements include the following:  requiring registrars to verify the identity of the registrant or administrative contact requesting the transfer by one of a number of approved methods to deter fraud;  preserving the ability of registrants to ‘‘lock’’ their domains so they may not be transferred from the registrar, but requiring registrars to provide a readily accessible way for registrants

21 to have their current registrar remove this lock at their request;  enabling registrants to transfer their domain names without having to ‘‘double-confirm’’ the transfer once the transfer has been reliably authenticated per the new policy; and  providing a robust dispute resolution process for resolving disputes between registrars, including registries implementing a ‘‘transfer undo’’ functionality to provide for efficiently reversing any transfer initiated in violation of the policy. Through the new transfer policy ICANN expects to expand the domain name user benefits of increased generic top-level domain (gTLD) name market competition, including the separation of the registry and registrar functions, that have decreased domain name costs for consumers and businesses by up to 80%. A recent report by the OECD concluded that ‘ICANN’s reform of the market structure for the registration of generic top-level domain names has been very successful. The division between registry and registrar functions has created a competitive market that has lowered prices and encouraged innovation. The initial experience with competition at the registry level, in association with a successful process to introduce new gTLDs, has also shown positive results.’ Domain name users also have benefited from ICANN’s implementation of a Redemption Grace Period Service that provides a 30-day period for domain name holders to reclaim their names if deleted unintentionally from a registry database. Through ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP), established in 1999, more than 10,000 domain name disputes also have been efficiently and cost effectively resolved. For the full policy see: www.icann.org/ transfers.

Computer Law & Security Report (2005) 21, 22e29

CROSS-BORDER CONTRACTS AND CHOICE OF COURT

An update on the proposed Hague Convention on exclusive choice of court agreements Dan Jerker B. Svantesson Bond University, Australia

Abstract This article discusses the background to, and main features of, the Convention on Exclusive Choice of Court Agreements. Further, it highlights the lack of protection afforded to weaker parties in the current convention text of April 2004 (The full Convention text is available at: http://www.cptech.org/ecom/ jurisdiction/hague-100e.doc.). Suggestions for improvement are provided in this respect, and some thoughts are expressed about the direction of the future work of the Hague Conference on Private International Law. ª 2005 Dr Dan Jerker B. Svantesson. Published by Elsevier Ltd. All rights reserved.

A. Background In response to the difficulties of getting judgments recognised and enforced outside the state from which they originate, work on a new and ambitious convention was initiated in 1992, at the Hague Conference on Private International Law. The proposed convention, which was an initiative of the US Government,1 is titled the Hague Convention on Jurisdiction and Foreign Judgments in Civil and Commercial Matters, but is commonly referred to as the ‘judgments project’. Now, more than 10 years later, it seems clear that there will be no Hague Convention on Jurisdiction and Foreign

Judgments in Civil and Commercial Matters. Due to a range of factors, including difficulties raised by the Internet, the wide scope and great ambitions of the ‘judgment project’ have proven impossible, and in late 2003, the ‘judgments project’ was replaced, also in name,2 by a much more narrow convention proposal titled Convention on Exclusive Choice of Court Agreements. With some restrictions, the Convention on Exclusive Choice of Court Agreements is to regulate choice of forum clauses in civil and commercial contracts, and the recognition and enforcement of judgments rendered pursuant to such clauses. The work on this convention proposal is in its final stages and a Diplomatic Conference, at which the

1

Martin Davis, Time to Change the Federal Forum Non Conveniens Analysis, 77(2) Tulane Law Review 309 (2002), at 381.

2 It could rightfully be said that the ‘judgments project’ was abandoned, in spirit, already in 2002.

0267-3649/$ - see front matter ª 2005 Dr Dan Jerker B. Svantesson. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.01.020

Cross-border contracts and choice of court convention text is expected to be finalised, is scheduled for early 2005.3 With contracts concluded via the Internet constituting a large portion of crossborder contracts, the proposed Convention is likely to have serious effects on electronic commerce. Before the current text of the Convention on Exclusive Choice of Court Agreements is analysed and discussed, it is useful to briefly examine the main features of the previously proposed Hague Convention on Jurisdiction and Foreign Judgments in Civil and Commercial Matters and the organisation through which the work on the conventions is facilitated.

1. The Hague Conference on Private International Law The Hague Conference on Private International Law has been working to harmonise and improve the application of the rules of private international law for over 100 years. It has been a permanent intergovernmental organisation since the 1950s, and has since then adopted 35 Conventions dealing with a multitude of issues, such as civil procedure, family law, protection of minors, international child abduction, contracts law and products liability. There are presently 64 member states, including, for example, Australia, most European states, the US, the PRC, Japan, and an increasing number of African and South American states taking part in the negotiations of the proposed Convention on Exclusive Choice of Court Agreements.4

2. The Hague Convention on Jurisdiction and Foreign Judgments in Civil and Commercial Matters Despite the fact that it seems overwhelmingly likely that there will be no Hague Convention on Jurisdiction and Foreign Judgments in Civil and Commercial Matters, important lessons can be learned from the large part of excellent work done on the convention. Drawing upon the draft text of June 2001, this part of the article examines the main features of the ‘judgments project’, which could be said to represent the foundation for the Convention on Exclusive Choice of Court Agreements. The ‘judgment project’ was what can be called an open double convention. It set out to determine under which circumstances a member state can 3

Tentative dates for that meeting are January 31eFebruary 16, 2005 but those dates are not confirmed. (www.cptech.org/ ecom/jurisdiction/hague.html). 4 For a complete list see: www.hcch.net/e/members/ members.html.

23 exercise jurisdiction over an international dispute involving one or several parties from another member state, and establish under which circumstances a member state should recognise and enforce a judgment rendered in another member state in such disputes. This can be contrasted to a single convention, which only sets out to regulate recognition and enforcement and leaves the issues of jurisdiction to national laws. There are other examples of double conventions, the most well-known being the Brussels Regulation5 of the European Union. The difference between the ‘judgments project’ and the European instrument is that the Brussels Regulation is a closed double convention, which means that only the grounds for jurisdiction that are provided for that convention itself are available, while under the ‘judgments project’, grounds for jurisdiction available under national law were to be valid unless black-listed (see below). The ‘judgment project’ being an open convention would obviously have provided for more flexibility than, for example, the Brussels Regulation, and such flexibility was motivated by the great differences that exist between the different states taking part in the negotiations. The ‘judgments project’ was to be divided into four Chapters. Chapter I provided limitations to the territorial and substantive scope of the proposal. Chapter II determined which grounds for jurisdiction are valid and Chapter III regulates recognition and enforcement. Finally, Chapter IV consisted of general provisions dealing with matters such as the interpretation of the Convention and the relation between the Convention and other conventions.6 A similar structure was adopted for the Convention on Exclusive Choice of Court Agreements. As the name indicates, the Hague Convention on Jurisdiction and Foreign Judgments in Civil and Commercial Matters is set out to regulate civil and commercial matters only. Thus, criminal matters like, for example, the French/US Yahoo! dispute7 would have fallen outside the scope of the proposed convention. In addition Article 1 listed a range of matters that were not to be covered by the ‘judgment project’. Most notably anti-trust disputes, tax and arbitration were to be excluded. It was also suggested that provisional and protective measures should be excluded. Further, it 5

Brussels Regulation 44/2001. Concern was, for example, being raised as to how the ‘judgments project’ was to relate to the Brussels Regulation. 7 International League Against Racism & Anti-Semitism (LICRA) and the Union of French Jewish Students (UEJF) v. Yahoo! Inc. High Court of Paris, 20th of November 2000, and Yahoo!, Inc. v. La Ligue Contre Le Racisme et L’Antisemitisme, 169 F.Supp. 2d 1181 (N.D. Cal. 2001). 6

24

D.J.B. Svantesson

seems likely that the ‘judgment project’ would have been applicable only when the relevant parties are habitual residents in different states or the dispute at least had some international elements. Looking closer at Chapter II, there were three groups of grounds for jurisdictional claims; ‘‘whitelisted’’ grounds, ‘‘grey-listed’’ grounds and ‘‘black-listed’’ grounds. White-listed grounds are those that are specifically provided in Chapter II of the Convention. Judgments based on white-listed jurisdictional grounds should be recognised and enforced by other member states under Chapter III, and included certain jurisdictional grounds such as the defendant’s habitual residence8 and choice of court provisions.9 Further, Chapter II outlined white-listed jurisdictional grounds in relation to, for example, non-business-to-business (non-B2C) contracts,10 business-to-consumer (B2C) contracts11 and torts.12 The black-listed grounds are prohibited grounds for jurisdictional claims, and judgments rendered on these grounds should not be recognised and enforced by other member states under Chapter III. Finally, grey-listed grounds for jurisdiction are grounds that are allowed if they exist under national law. Whether or not a judgment rendered under a grey-listed ground should be recognised and enforced in another member state is for that state to decide independently of the Convention’s Chapter III. In addition, certain limitations were placed on under which circumstances grey-listed grounds of jurisdiction were to be allowed. When the work on the Hague Convention on Jurisdiction and Foreign Judgments in Civil and Commercial Matters (hereinafter, the ‘judgments project’) was first initiated, in 1992, little regard was had to the special needs created by the Internet. In recent years it became apparent that the Internet raises several complex issues that made the finalising of the ‘judgments project’ more difficult. At the same time, it should be noted that the widespread use of the Internet amplifies the importance and necessity of international instruments like the previously proposed Convention, and indeed, the importance of an instrument such as the Convention on Exclusive Choice of Court Agreements. In 1999 a draft proposal was presented and a detailed expert report was written outlining how 8 9 10 11 12

Article Article Article Article Article

3. 4. 6. 7. 10.

the Convention text was to be interpreted. But during the following couple of years the debate intensified and several other drafts have been presented since, the most comprehensive being from June 2001. Consultations have taken place both within countries, and on a regional level (e.g. the European Union). The diplomatic conference held in June 2001 illustrated just how far from agreement the ‘judgments project’ was. In April 2002 a Commission I meeting, that is the top representatives from a range of states, was held and it was concluded that the ‘judgments project’ is of such importance that continued work was motivated. The Commission I decided that an expert group would be formed and that, that group would be meeting for the first time in October 2002. Following the meeting held in October 2002, the expert group met regularly and produced a draft, which constituted the foundation for the Convention on Exclusive Choice of Court Agreements now under negotiations. At points, criticism has been raised that there has been a lack of transparency in the proceedings and negotiations surrounding the Convention proposal. In part this critique has been addressed as the Hague Conference has been issuing a range of valuable working documents giving an insight to the ongoing discussions,13 and indeed opening up for a degree of public consultation the last couple of years.

B. The Hague Convention on Exclusive Choice of Court Agreements As the name indicates, the latest proposal, the Convention on Exclusive Choice of Court Agreements, aims at regulating choice of forum clauses. However, being a double convention, it also regulates recognition and enforcement. In other words, this proposed Convention will ensure the recognition and enforcement of judgments

13

See for example, Preliminary Document No. 16, Avril D. Haines, Some reflections on the present state of negotiations on the judgments project in the context of the future work programme of the Conference (ftp.hcch.net/doc/gen_pd16e. doc), Preliminary Document No. 17, Avril D. Haines, The impact of the Internet on the Judgments Project: thoughts for the future (ftp.hcch.net/doc/gen_pd17e.doc), Preliminary Document No. 18, Avril D. Haines, Choice of court agreements in international litigation: their use and legal problems to which they give rise in the context of the interim text (ftp.hcch.net/ doc/gen_pd18e.doc) and Preliminary Document No. 19, Andrea Schultz, Reflection paper to assist in the preparation of a convention on jurisdiction and recognition and enforcement of foreign judgments in civil and commercial matters. (ftp.hcch.net/doc/jdgm_pd19e.doc).

Cross-border contracts and choice of court rendered in a court having jurisdiction based on the parties nominating that forum. In doing so, the Convention is limited to areas that could be described as civil and commercial.14 Furthermore, the Convention is not to apply to business-tobusiness (B2C) contracts, consumer-to-consumer (C2C) contracts, or employment contracts.15 Article 5, which is the most central Article in the proposed Conventions, consists of three paragraphs and provides: 1. The court or courts of a contracting state designated in an exclusive choice of court agreement shall have jurisdiction to decide a dispute to which the agreement applies, unless the agreement is null and void under the law of that state. 2. A court that has jurisdiction under paragraph 1 shall not decline to exercise jurisdiction on the ground that the dispute should be decided in a court of another state. 3. The preceding paragraphs shall not affect rules: (a) on jurisdiction related to subject matter or to the value of the claim; or (b) on the internal allocation of jurisdiction among the courts of a contracting state [unless the parties designated a specific court]. Article 7 essentially states that other courts should suspend or dismiss any proceedings interfering with the exclusive jurisdiction of the nominated court, and only under very limited circumstances may a court claim jurisdiction in contravention of the exclusive choice of court agreement. The most relevant ground under which such an exception could be made is where: ‘‘giving effect to the agreement would lead to a very serious injustice or would be manifestly contrary to fundamental principles of public policy’’.16 It is, however, not immediately clear how the rather peculiar phrase ‘‘very serious injustice’’ should be interpreted. The explanatory draft report drawn up by Masato Dogauchi and Trevor C. Hartley states that this exception is intended to apply ‘‘only in

25 the most exceptional circumstances’’.17 They further state that: The phrase ‘‘very serious injustice’’ would cover the case where one of the parties would not get a fair trial in the foreign State, perhaps because of bias or corruption, or where there were other reasons specific to that party that would preclude him or her from bringing or defending proceedings in the chosen court. It might also relate to the circumstances in which the agreement was concluded e for example, if it was the result of fraud.18 Finally, Chapter III of the proposed Convention outlines the recognition and enforcement process to be used. Essentially, contracting-states are obligated to recognise and enforce judgments rendered in accordance with the jurisdictional provisions of the Convention, except in certain strictly limited situations such as ‘‘where recognition or enforcement would be manifestly incompatible with the public policy of the requested State, including situations where the specific proceedings leading to the judgment were incompatible with fundamental principles of procedural fairness of that State’’.19 While it is submitted that the proposed Convention may become an important and welcomed instrument in international trade, and that the work carried out by the Hague Conference on Private International Law is to be encouraged, the current Convention proposal contains, at least, one great problem e it lacks appropriate protection of weak parties where such protection is needed. In constructing the Convention, focus has been placed on predictability. In other words, the drafters have set out to make sure that the Convention text allows for an as mechanical application as possible. The reason for this approach seems to be twofold. First, provisions leaving discretion to the courts to make some sort of value judgments are associated with the risk of diverging interpretations (particularly when courts from potentially over 60 states are involved), and secondly, the Convention seeks to meet the legitimate expectations of the parties by providing for a high level of party autonomy. In pursuing

14

Convention on Exclusive Choice of Court Agreements, Article 2(2) lists a range of areas to which the Convention will not be applicable, such as for example, family law matters, insolvency, and anti-trust. Furthermore, Article 2(4) excludes arbitration related matters. 15 Convention on Exclusive Choice of Court Agreements, Article 2(1). 16 Convention on Exclusive Choice of Court Agreements, Article 7(c).

17 Masato Dogauchi and Trevor C. Hartley, Preliminary Draft Convention On Exclusive Choice of Court Agreements (Prel. Doc. No 26 of August 2004), at 27. 18 Masato Dogauchi and Trevor C. Hartley, Preliminary Draft Convention On Exclusive Choice of Court Agreements (Prel. Doc. No 26 of August 2004), at 27. 19 Convention on Exclusive Choice of Court Agreements, Article 9(1)(e).

26 predictability, however, the drafters have underestimated the need for flexibility (i.e. justice in the individual case).20 It is not always possible to rely on predictability to achieve a fair outcome, and it is certainly not always possible to rely on predictability to achieve an outcome in line with the parties’ legitimate expectations. If the parties actively and in an informed manner reach an agreement as to, for example, which law shall be applied in, or which court shall determine, a potential dispute, we can speak of genuine party expectations being created from the point such agreement is reached. By allowing for party autonomy (i.e. allowing the parties to make such choices and ensuring that the parties’ choice is respected), private international law rules can achieve an outcome in line with the parties’ legitimate expectations. Indeed, authors have gone as far as to suggest a ‘‘human rights basis for party autonomy’’.21 However, there are several situations in which one cannot speak of any genuine party expectations. For example, a consumer entering into a cross-border contract might not at all have considered in which forum a potential dispute would be heard or which laws would be applied if a dispute should arise. Indeed, many, not to say most, consumers would not have sufficient legal knowledge to properly evaluate the relevance of these questions. Further, the victim in a tort action would, ordinarily, have even less of an expectation; after all, the victim could not ordinarily know that he or she would become a victim. Yet, one could perhaps speak of a party expectation also in relation to these types of parties. Perhaps it could be said that each and every one of us has some basic expectation as to how we will be treated in the eyes of the law, in case something happens. We could here speak of constructive party expectations, as opposed to the genuine party expectation of a party that has properly considered the issues to which the expectations relate. It is submitted that while sophisticated22 contracts, such as a multimillion dollar contract

D.J.B. Svantesson between Ericsson and Sony, requires a high level of predictability and a much lower level of flexibility, an unsophisticated contract, such as a lowvalue B2C contract, requires a high level of flexibility and a lower level of predictability. The reason for this is primarily that high-value contracts between large corporations are invariably under the supervision of legally trained people. This means that, in most cases, there is an inherent high level of legal awareness behind any such contract.23 The parties may have negotiated and agreed upon a certain law to apply and a certain forum to decide any potential dispute. With such a degree of planning, certainly amounting to what could be called genuine party expectations, the most important sub-quality of conflict of law rule is of course predictability e the parties expect their expectations to be met. This can be contrasted to low-value contracts between less sophisticated parties, such as amongst smaller businesses or between smaller companies and consumers or amongst consumers. In such contractual situations, the above-mentioned level of legal planning and awareness, and consequently genuine party expectations, are lacking e there are only constructive party expectations. In such circumstances the importance of predictability is obviously at a minimum while the importance of flexibility is at its peak. As far as contractual situations are concerned, the relationship between the need for predictability and the need for flexibility can, thus, be illustrated by the following simple graph24:

20

The Dogauchi/ Hartley report contains a two-page Appendix discussing ‘‘The problem of flexibility’’. See: Masato Dogauchi and Trevor C. Hartley, Preliminary Draft Convention On Exclusive Choice of Court Agreements (Prel. Doc. No 26 of August 2004), at 54e55. 21 Peter Nygh, The Reasonable Expectation of the Parties as a Guide to the Choice of Law in Contract and in Tort, 251 Recueil des cours (1995), at 303. 22 The level of sophistication of a contractual relation must be judged based on several different factors including: the parties’ level of sophistication, the monetary value of the transaction and the extent of legal knowledge applied in forming the contract.

23 Since it allows the parties to make conscious decisions, this legal awareness is of greatest importance also in a situation where the parties are not evenly matched, and perhaps one party is seeking to impose certain conditions on the other party. 24 This graph may also be useful on a more general level as it illustrates that, if we see predictability as black and flexibility as white, most private international law rules would be some shade of grey.

Cross-border contracts and choice of court Particular considerations are present in relation to contracts between one sophisticated party and one unsophisticated party. In such contractual relations there are never, or very rarely, any real negotiations and all the legal planning is done by the sophisticated party. An emphasis on predictability, in such a case, would merely lead to the fulfilment of one party’s expectations. Or in other words, the stronger party’s genuine party expectations would be met, while the weaker party’s constructive party expectations would be unlikely to be met. Determining the respective importance of predictability and flexibility in such a situation, necessarily involves a value judgment as to the respective rights of the stronger party and the weaker party. If we take the position that the law must aim at creating a society that is as fair and just as humanly possible, one simply cannot ignore the inherently unequal bargaining powers present, for example, in a typical B2C contract or a contract between a small not-for-profit organisation and a huge corporation. Furthermore, it would seem that there are several factors indicating that businesses are in a better position to adapt their conduct to the risks involved in cross-border trade than, for example, consumers and small not-forprofit organisations are. For example, they can adopt a business model that minimises their risks. This can be done in a multitude of manners but, for example, they could take measures to limit the geographical extent of their legal exposure. In addition, as is already often the case, businesses can demand payment before delivery of goods or services are made. Finally, business organisations can help work out appropriate business behaviour. Against this background, it is submitted that, in any contractual case involving at least one unsophisticated party, flexibility is more important than predictability, both in relation to jurisdiction and the choice of law. While no foolproof rule of thumb can be used to determine which contractual situations involve genuine party expectations (and thereby require more predictability than flexibility), and which contractual situations involve constructive party expectations by at least one party (and thereby warrant a higher degree of flexibility than predictability) it is submitted that fairly reliable guidance can be found in the contracting process. Unless both parties have given their consent to the forum or choice of law clause, at least one party lacks genuine party expectations. In this context it should be noted that the term ‘‘consent’’ is given different meanings in different contexts. It is here submitted that there are three elements necessary to create a proper consent. The consent has to be:

27  identifiable;  informed; and  free. Consent is identifiable when it is expressed or implied. While consent ordinarily becomes identifiable through some positive act, under certain circumstances, consent can be implied from passivity. Thus this requirement would not be hard to overcome in most cases. However, it would perhaps be difficult to prove an identifiable consent in a situation where choice of law or choice of forum clauses are simply listed in, for example, website terms and conditions. There are several different degrees of informed consent. In assessing what constitutes a sensible degree of ‘‘informedness’’ in the context discussed here, it must be remembered that requiring too much information may in fact have rather unhealthy consequences as the amount of information a business would have to provide could be burdensome both for the one party to provide, and for the other party to receive. It would seem that quality is of greater importance than quantity in this context. Yet the level of ‘‘informedness’’ must be reasonable, and the simple fact that one party, for example, has clicked on an ‘‘I agree, and am informed’’ button in a contract concluded via the Internet, is not sufficient. In fact, bearing the complexity of private international law in mind, it would seem that this, the second, requirement would ordinarily not be met in non-negotiated strong partyeweak party transactions, at least under the majority of business models in use today. Consent has to be given freely for it to be valid. Although there can be little controversy regarding the sensibility of this requirement, the degree of freedom to choose has been the source of numerous disputes. However, ordinarily the requirement that consent is given freely would not constitute a problem in the type of contractual situations discussed here. In light of this, it is obviously crucial that conflict of law rules are structured in a manner that, both in relation to the applicable law and the question of jurisdiction, provide predictability in situations where predictability is needed and flexibility in situations where flexibility is needed. Ordinarily, this would warrant the application of separate rules in the absolute majority of B2C contracts, but it also illustrates a need for a sensitive arrangement in relation to all other contracts involving at least one unsophisticated party. While the Convention proposal excludes B2C and C2C contracts from its scope, not all contracts

28 that do not fit into those two categories are of such a level of sophistication that it is justified to only cater for predictability. In fact, with the current limitations, the proposed Convention will cover a large number of relatively unsophisticated contracts. For example, the Convention proposal would cover a situation where a small community library enters into a contract with a huge publishing company. It is not difficult to think of other vulnerable parties, such as not-for-profit organisations, that would fall within the scope of the proposed Convention. This fact, although undeniable, has for some reasons largely been overlooked in the discussion. One reason for this is presumably found in that the Convention frequently, but wrongfully, is referred to as a business-to-business (B2B) Convention. It could, of course, be said that the term B2B is used for convenience, but this simplification distorts the picture of what is actually under negotiation. First, the Convention will not only deal with business-to-business contracts (e.g. it also covers not-for-profit organisations), and secondly, the two Bs lead the mind to think of two equal parties, which of course is not always the case. A contract between a one-man bakery and Microsoft is a B2B contract, but the parties are far from equal in their strength. In other words, the proposal only caters for predictability, but covers also contracts that need flexibility. The validity of the choice of court agreement is to be determined by the court nominated in the agreement, under the current proposal. This is troubling for several reasons. There can be no doubt that the talented company lawyers that construct the choice of forum clauses will be able to identify forums that not only provide them with favourable liability limitations but also with party autonomy of the kind that would uphold also unfair choice of forum clauses. In other words, a stronger party nominating a forum would not choose a forum that would hold their choice to be invalid. This can certainly lead to injustices. If a party wishes to challenge the validity of the choice of court agreement, he/she has two options. An action can be taken in another court than the one nominated, and reliance placed on Article 7(c) (see above). However, it is submitted that Article 7(c) appears to be too limited, particularly in light of the Dogauchi/Hartley report, and could preferably be replaced by an Article along the following lines: If the parties have entered into an exclusive choice of court agreement, a court in a Contracting State other than the State of the chosen court is to suspend or dismiss the proceedings unless the

D.J.B. Svantesson forum in which the action is brought finds that a balance of the parties interests, the convenience of the parties, the parties’ individual power and the circumstances of the formation of the contract indicates that declining jurisdiction would render the plaintiff, effectively, without reasonable access to justice. This suggested Article is loosely based upon Article 3625 of the Swedish contracts law,26 and aims at providing a plaintiff with the possibility of initiating proceedings in an alternative forum to the one specified in the contract, under certain limited circumstances. While the majority of the proposed Article is rather self-explanatory, a few words may be said about the reference to ‘‘reasonable access to justice’’. The inclusion of the word ‘‘reasonable’’ was deemed necessary to avoid a party having the right to sue in an alternative forum simply to, for example, avoid being barred by the limitation period of the forum identified under the contract. Under the current draft of the proposed Convention, the best option for a party wishing to challenge the validity of the choice of forum agreement is, however, probably found in the public policy clause (Article 9(1)(e)) in relation to recognition and enforcement. The typical contractual party deserving extra protection would ordinarily only have assets in one state and if enforcement cannot be effected there, due to this provision, the weaker party is rather well protected. However, there are at least two serious

25

Contractual terms may be modified or disregarded if the term is unreasonable with regard to the content of the contract, the circumstances of the contract formation, subsequent changes to the conditions and other circumstances. Where the term is of such importance for the contract that it [i.e. the contract] cannot reasonably be upheld if unchanged [after being modified in relation to the unreasonable contractual term], the contract may be modified also in other regards or be disregarded in full. In the application of [the above] particular regard shall be had to the need for protection for those who in the capacity of consumer, or otherwise, assume an inferior position in the contractual relation.’’ (Author’s translation of: ‘‘Avtalsvillkor fa ˚r ja ¨mkas eller la ¨mnas utan avseende, om villkoret a ¨r oska ¨ligt med ha ¨nsyn till avtalets inneha ˚ll, omsta ¨ndigheterna vid avtalets tillkomst, senare intra ¨ffade fo ¨rha ˚llanden och omsta ¨ndigheterna i o ¨vrigt. Har villkoret sa ˚dan betydelse fo ¨r avtalet att det icke ska ¨ligen kan kra ¨vas att detta I o ¨vrigt skall ga ¨lla med ofo ¨ra ¨ndrat inneha ˚ll, fa ˚r avtalet ja ¨mkas a ¨ven I annat ha ¨nseende eller i sin helhet la ¨mnas utan avseende.Vid pro ¨vning enligt fo ¨rsta stycket skall sa ¨rskild ha ¨nsyn tagas Till behovet av skydd fo ¨r den som i egenskap av konsument eller eljest intager en underla ¨gsen sta ¨llning i avtalsfo ¨rha ˚llandet.’’). 26 Lag (1915: 218) om avtal och andra ra ¨ttshandlingar pa ˚ fo ¨rmo ¨genhetsra ¨ttens omra ˚de.

Cross-border contracts and choice of court downsides to this approach. First, it would seem that in many, not to say most, weak partyestrong party relations it is the weaker party that is trying to get a judgment against the stronger party. In such situations, the structure of the suggested Convention provides little comfort, and the alternative of relying on Article 7(c), discussed above, is the only option. Secondly, the chosen structure is extraordinarily wasteful when it comes to the costs associated with international litigation. By the time, in the process, a party can rely on nonenforcement, it is possible that both the parties to the dispute, as well as the society at large, have spent considerable amounts of money on the litigation. In light of the above, it is submitted that it would be desirable to include a balancing provision already at the stage of the initial trial (i.e. not to uphold unfair forum selection clauses). As I have suggested elsewhere,27 the proposed Convention would do well to include a provision along the lines of Article 4 Paragraph 3 of the 1965 Hague Convention on the Choice of Court: ‘‘The agreement on the choice of court shall be void or voidable if it has been obtained by an abuse of economic power or other unfair means’’. This would admittedly lower the predictability of the Convention, but predictability must always be balanced with flexibility (i.e. justice in the individual case). A will to strive towards such a balance exists already in many states (e.g. the US and the PRC), it exists in Europe and it certainly should exist in the proposed Convention. Should the fear of introducing flexibility into the proposed Hague Convention on Exclusive Choice of Court Agreements be of such magnitude that it is politically impossible to introduce an Article along the lines of Article 4 Paragraph 3 of the 1965 Hague Convention on the Choice of Court, the least that can be done is to expand the ordre public exception in relation to recognition and enforcement (i.e. Article 9(1)(c)), and to rework Article 7(c) as outlined above. If both of these options prove impossible, the scope of the proposed Convention must be adequately adjusted. This could suitable be done through a change in the definition of ‘‘consumer contract’’, and inspiration could be drawn from the definition of consumer contracts as found in

27 See e.g. Submission by Dan Svantesson to (EU) European Commission, Directorate-General Justice and Home Affairs, Hague Convention on Exclusive Choice of Court Agreements, February 2004.

29 the Trade Practices Act 1974 (Cth) of Australia. A little simplified, in that Act, a person is viewed as a consumer if the price of the goods or services did not exceed a prescribed amount,28 or if the goods or services were of a kind ordinarily acquired for personal, domestic or household use or consumption. With such a definition of consumer contracts, the proposed Convention would have a more limited scope, but would still be applicable in relation to the type of sophisticated contracts it is suited for in its current shape.

C. Concluding remarks and thoughts on the future of the ‘judgments project’ It should be borne in mind that the ‘judgments project’ is the largest project, so far, facilitated by the Hague Conference on Private International Law, and adding the complications raised by the Internet, it is perhaps not surprising that the project has followed the course it has. Either way, this article submits that, while the Convention on Exclusive Choice of Court Agreements clearly has the potential to become an important and valuable international instrument, further work is needed in relation to the problem areas identified above. Furthermore, irrespective of the Convention on Exclusive Choice of Court Agreements it is of the outmost importance that the Hague Conference on Private International Law continues the work on a more comprehensive ‘judgments project’ covering the sort of areas previously proposed to be covered by the ‘judgments project’. In doing so, it would be useful to learn from the experiences from the work on the ‘judgments project’, and one of the main lessons to be learnt is that it may be better to construct a range of area-specific conventions (e.g. one convention addressing cross-border defamation and another addressing cross-border copyright disputes), rather than one convention covering a very wide and diverse range of areas. Dr Dan Jerker B. Svantesson, Assistant Professor, Faculty of Law, Bond University (Australia). Research Associate, Baker & McKenzie Cyberspace Law and Policy Centre.

28 The prescribed amount is currently 40 000 Australian dollars, or approximately 23 300 Euro.

Computer Law & Security Report (2005) 21, 30e37

FORENSIC EVIDENCE AND MUSIC PIRACY

Music piracy, universities and the Australian Federal Court: Issues for forensic computing specialists Vlasti Brouceka, Paul Turnera, Sandra Fringsb a

University of Tasmania, Australia Fraunhofer Institut fuer Arbeitswirtschaft und Organisation, Stuttgart, Germany

b

Abstract This article examines a recent judgement in an Australian Federal Court case involving three Australian Universities and representatives of the Music Industry. From a forensic computing perspective, this case is of concern because of how the judgement reveals serious flaws in understanding amongst all participants in the case over the nature of digital evidence and how it should be best collected, analysed and presented. More broadly, the judgement also appears to have worrying implications for individual privacy and data protection. In this context, this article reviews the case and explores the approaches of the three parties involved e applicants, respondents and federal court judge. The article considers the implications of this case for the forensic computing domain and highlights the need for the development of standard frameworks for the conduct of forensic computing investigations. In this regard, the article concludes by briefly presenting the framework proposed by the European project ‘CTOSE’ (Cyber Tools On-line Search for Evidence). ª 2005 Vlasti Broucek, Paul Turner and Sandra Frings. Published by Elsevier Ltd. All rights reserved.

A. Introduction This article examines a case in the Federal Court of Australia in 2003 involving three Australian E-mail addresses: [email protected] (V. Broucek), [email protected] (P. Turner), [email protected] (S. Frings).

Universities e the University of Tasmania, University of Melbourne and University of Sydney (the respondents) and representatives of the music industry e Sony Music Entertainment (Australia) Limited, Universal Music Australia Pty Limited and EMI Music Australia Pty Limited (the applicants). This case, which has generated a high level of public interest and debate in Australia, raises

0267-3649/$ - see front matter ª 2005 Vlasti Broucek, Paul Turner and Sandra Frings. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.01.014

Forensic evidence and music piracy concerns about understanding amongst participants in the case on the nature of digital evidence and how it should best be collected, analysed and presented. Significantly, much of the public discussion of the case has been adversely influenced by inaccurate or incorrect reporting in a number of media reports. These reports have variously suggested the case was about the Universities being sued for copyright infringement and/or that eleven Australian Universities were involved in ‘MP3 Piracy’.1 In reality this Federal court case was procedural in nature and involved the Music Industry applicants seeking a ‘‘discovery ruling’’ against the only three Universities that offered any resistance to the requests by the music industry for access to their Universities’ digital files and networks.2 This article examines the case and explores the approaches of the three parties involved (applicants, respondents and federal court judge) to identify issues, challenges and implications for forensic computing specialists. In response, the article also highlights the need for the development of standard frameworks for the conduct of forensic computing investigations and in this regard briefly presents details of the European project ‘‘Cyber Tools On-line Search for Evidence’’ (CTOSE) and its reference process model that has begun to have a major impact on standardising European approaches to the conduct of forensic computing investigations and presentation of digital evidence.3

1 Aust unis in court over file-swapping (2003) ZDNet Australia www.zdnet.com.au/newstech/communications/story/ 0,2000048620,20272193,00.htm at 18 February 2003; Leonie Lamont, Recording firms ask to scan university computers (2003) smh.com.au www.smh.com.au/articles/2003/02/18/ 105330603596.html at 19 February 2003; Amanda Morgan, It’s war on a generation of cyber pirates (2003) smh.com.au www.smh.com.au/articles/2003/02/17/105330539310.html at 18 February 2003; Danny Rose, ‘Uni hit by Net piracy action’, The Saturday Mercury (Hobart), 2 August 2003, 13. 2 For details see: Sony Music Entertainment (Australia) Limited v. University of Tasmania [2003] FCA 532; Sony Music Entertainment (Australia) Limited v. University of Tasmania [2003] FCA 724; Sony Music Entertainment (Australia) Limited v. University of Tasmania [2003] FCA 805; Sony Music Entertainment (Australia) Limited v University of Tasmania [2003] FCA 929. 3 Sandra Frings, Mirjana Stanisic-Petrovic and Robin Urry, ‘Holistic Approach for Processing Electronic Evidence Related to High-Tech Crime and Severe Disputed Electronic Transactions: Cyber Crime Advisory Tool e C*CAT’ in Urs E Gattiker (ed), EICAR 2003 Conference Best Paper Proceedings (2003); Robin Urry and Neil Mitchison, ‘CTOSE Project. Electronic Evidence: gathering, securing, integrating, presenting’ (Paper presented at the CTOSE Conference, Faculte ´s Universitaires Notre-Dame De la Paix, Namur, Belgium, 8e9 May 2003).

31

B. History of the case to date The Australian Record Industry Association (ARIA) on 23 January 2003 released information into the public domain claiming that the recording industry as a whole was experiencing dramatic losses in earnings due to on-line piracy. ARIA went on to state that the recording industry had made it a priority to take actions to directly combat this on-line piracy4 and cited the actions of its US counterpart, the Record Industry Association of America (RIAA), in relation to peer-to-peer networks and their users. While peer-to-peer (P2P) networks were not specifically targeted in the case discussed in this article, the statements by ARIA and actions of RIAA highlight the environment in which this case evolved. At the same time as these pronouncements from ARIA, three Australian Universities (University of Tasmania, University of Melbourne and University of Sydney) were contacted by members of the Australian music industry (Sony Music Entertainment (Australia) Limited, Universal Music Australia Pty Limited and EMI Music Australia Pty Limited) and requested to store digital evidence on their systems of the distribution of MP3s by staff and students at these Universities.5 These MP3s and evidences of their distribution activities were viewed by the music industry as potentially constituting breaches of copyright law. Following this request the music industry also approached these Universities with a request to be provided with access to this evidence for discovery purposes. In each instance the three Universities directly refused to provide the music industry with access to this evidence.6 As a result of these Universities’ refusals to provide access, the music industry (applicants) commenced legal proceedings against the Universities (respondents) on 18 February 2003. These proceedings aimed to enable the applicants to gain access to the evidence preserved by the respondents on their systems at the initial request of the music industry. The legal basis for these proceedings were procedural in nature, with applicants 4

Online piracy hurts 2002 music sales: ARIA (2003) ZDNet Australia www.zdnet.com.au/newstech/communications/ story/0,2000048620,20271487,00.htm at 24 January 2003. 5 In the case of the University of Tasmania, the music industry legal representatives sent an e-mail regarding one particular www site that was hosting copyright MP3 files. These were found using a GoogleÔ search. Subsequently, these machines were copied/backed up as requested (using the command ufsdump not dd ) and stored in a fire-proof safe in late January 2003. 6 At the University of Tasmania, this occurred in the context of on-going concerns about privacy in contracts with external research collaboration projects.

32 aiming to acquire access rights to the preserved ‘potential’ evidence on the Universities systems, in order to conduct discovery investigations that might result in the identification of person(s) involved in copyright infringement who would subsequently be the focus of litigation by the applicants. At the first hearing on 18 February 2003 the case was adjourned with the judge making orders to the respondents to preserve all digital data. This order immediately produced a strong reaction from academics, students and civil liberty groups who viewed this as the start of a significant encroachment on the privacy of individuals. The demands made by the applicants at this initial hearing were labelled by many as ‘‘witch-hunting’’ with staff, students and Australian universities being used as ‘‘scapegoats’’ for actions against on-line piracy. These reactions also led to some public debate over whether Universities should be forced into the role of policing and/or taking responsibility for the on-line activities of their staff and students.7 Subsequently, on 30 May 2003, after several further court sessions and out-of-court attempts to find a mutually acceptable solution, the presiding judge, Justice Tamberlin, made his decision in favour of the applicants8 and on 18 July 2003 ordered the respondents to hand over the digital evidence to the applicants and their forensic expert for further investigation.9 Although the jurisdictional authority of the court to make this ruling cannot be doubted, the court’s judgement does raise a series of concerns about the court’s understanding of the nature of the digital evidence in question. These concerns can be illustrated by the statements made during the case by Justice Tamberlin who, for example on 29 July 200310 ordered the respondents to bear the cost of the discovery process and in determining the data to be handed over to the applicants argued that ‘‘deleted files are equal to overwritten files’’ when one of the respondents pointed out that the backup tapes in question had accidentally been overwritten and therefore did not have any forensic value for the applicants.11 These judgements reveal the 7 Amanda Morgan, It is war on a generation of cyber pirates (2003) smh.com.au www.smh.com.au/articles/2003/02/17/ 105330539310.html at 18 February 2003. 8 Sony Music Entertainment (Australia) Limited v. University of Tasmania [2003] FCA 532. 9 Sony Music Entertainment (Australia) Limited v. University of Tasmania [2003] FCA 724. 10 Sony Music Entertainment (Australia) Limited v. University of Tasmania [2003] FCA 805. 11 James Pearce, Evidence of piracy allegedly destroyed (2003) http://news.zdnet.co.uk/business/0,39020645,2138165,00.htm at 25 July 2003.

V. Broucek et al. limited understanding of the court of the technical nature of digital logs and data storage and although there was ‘‘suspicion over the accidental overwriting’’, from a technical perspective it was inappropriate to consider overwritten backup tapes as part of the evidence. Significantly, this suspicion was subsequently used by the recording industry in mounting ‘‘a possible contempt of court’’ challenge against the University of Sydney. However, this challenge resulted in a small but significant victory for the respondents, as it was dismissed and the applicants were ordered to pay costs.12

1. Nature of the concerns about the judgement While initially all three Universities rejected the request for the discovery, as the case evolved these respondents were forced to find additional arguments to oppose the case being made by the applicants. For the Universities their initial opposition was based on the premise that providing the music industry with access to their digital data could lead to breaches of privacy, commercial confidentiality and intellectual property due to the nature of the data held. However, from the beginning of their communications with the music industry the Universities had been willing to provide some digital evidence to the applicants, providing that this evidence was collected by respondents and then handed onto the applicants. Several offers of this kind were made; however, the applicants were dissatisfied with the amount of data and discovery offered and so proceeded with their legal action. From the outset the applicants demanded the right to conduct full forensic investigations of the preserved data, it is important to acknowledge that the vast majority of the data preserved contained information on the on-line activities of thousands of ‘‘presumably innocent’’ users and not simply data on users that were alleged to be guilty of on-line piracy. It is also very clear that the vast percentage of these data highlighted activities pertaining to personal, confidential and commercial activities of the Universities’ staff and students as part of their research, teaching and commercial activities. In this context, the judgement in this case has resulted in the provision of unprecedented access to representatives of the music industry to engage in discovery activities on huge amounts of potentially highly sensitive data on the basis of a suspicion

12 Sony Music Entertainment (Australia) Limited v. University of Tasmania [2003] FCA 929.

Forensic evidence and music piracy that some of it contains evidence of on-line piracy and other copyright infringement activities. More worryingly, far from ensuring that these discovery activities are conducted by an independent third party (for example, an external forensic investigation team), the judgement has empowered the applicants to conduct these activities themselves. These applicants are then allowed to ‘‘mine’’ the data in search of what they themselves deem ‘‘illegal practices’’. Quite apart from the intrusion into the data of thousands of ‘‘presumably innocent’’ users, issues of data tampering/manipulation (except where MD5 check-sums are calculated and stored by respondents), breaches of privacy, commercial dealings, intellectual property are all only protected by confidentiality provisions placed on the applicants. As a result of this case and concerns over the issues at stake in such ‘‘data hand-overs’’, the majority of Australian Universities have now started to conduct their own forensic investigations. Numerous Universities have embarked on ‘‘scare campaigns’’, reminding staff and students about the importance of copyright protection and possible outcomes for breaches. They have also engaged in network traffic monitoring and scanning computers for mp3 files often without the knowledge of the users.13 Many of these searches are being conducted in a manner that further creates dangerous precedents and opens up the possibility of violations of personal privacy and academic freedoms. In many instances the techniques employed are very amateur. For example, in one instance computers and servers were searched using the find command with a *.mp* mask.14 Searches of this type clearly produce numerous false positives and identify files that do not have anything to do with audio or video recordings (e.g. files with extension *.mpp that belong to Microsoft Project program). Furthermore, many audio card drivers and software themselves contain sample mp3 format files (e.g. the Microsoft Software Development Kit (MSDK) contains mp3 and mpg samples). As a consequence, many users were harassed by overly active and poorly instructed network and computer administrators and forced to delete legitimate files because of the fear of possible action against them by the University or external organisations. Combined, this case and the responses of Australian Universities have resulted in making many network administrators at the Universities 13 Daryl Nelson, ‘Protecting intellectual property’, Next, The Age 5 August 2003, Next 3. 14 It should be noted that these techniques were only used as initial indicators.

33 afraid to report suspected computer misuse of their systems. This is because they are either afraid that they will be held responsible or that they will have to conduct or be involved in forensic investigation for which they feel unqualified.15

C. Implications for forensic computing From a forensic computing perspective, this case and the responses of its participants highlight a number of issues worthy of consideration. Firstly, from the users’ perspective, education about appropriate behaviour in digital environments remains a major issue.16 The majority of users are not aware of the legality of creating mp3 copies from their CDs and are not aware that ‘‘state-swapping’’ remains illegal in Australia.17 This is perhaps partly because the market is flooded with MP3 players and that some operating systems now come with ‘‘ripping software’’ preinstalled. There is therefore an urgent need for improved user education.18 Secondly, it is noticeable that none of the Universities involved in the case were prepared for the initial request for the preservation of the evidence and few if any have an awareness of forensic computing issues regarding the nature, collection and storage of evidence in a manner that will retain its legal admissibility. In this case, the initial digital data collection was conducted by the Universities’ network and system administrators, who displayed their lack of training by the way that they collected and stored the evidence. For example, file level copies of file systems were made to CD-ROMs or standard backup procedures were used to preserve the evidence e in the case of the University of Tasmania, the standard backup tapes created were subject to the discovery and the evidence from one particular computer allegedly containing evidence of illegal MP3 files was collected by the standard UNIX backup command ufsdump. Although these tapes may contain the necessary evidence of files being stored on the 15

Also resource requirements in SW, HW and HR. Vlasti Broucek and Paul Turner, ‘A Forensic Computing perspective on the need for improved user education for information systems security management’ in Rasool Azari (ed), Current Security Management & Ethical Issues of Information Technology (2003). 17 Daryl Nelson, ‘Student piracy row may leave IT to face the music’, Next, The Age 5 August 2003, Next 3. 18 Vlasti Broucek and Paul Turner, ‘A forensic computing perspective on the need for improved user education for information systems security management’ in Rasool Azari (ed), Current Security Management & Ethical Issues of Information Technology (2003). 16

34 computers, in the opinion of the authors, this evidence will be of very low value in a subsequent legal proceedings as it was not collected using binary copies and neither the chain of custody nor the rules of evidence were followed.19 Thirdly, the approach adopted in the case is potentially short-sighted in that it is probable that many University users will now proceed to encrypt all of their communications to impede subsequent ‘‘snooping’’.20 Overall this highlights a lack of ‘‘forensic readiness’’ on the part of all participants and the need for set procedures, covering all possible variants of investigations involving digital evidence to reveal any criminal, illegal or other inappropriate behaviour. Forensic procedures should be in place to protect organisations and in this context the next section briefly examines the CTOSE framework that has made a significant contribution to the development of a generic process model and advisory tools for conducting forensic investigations in Europe.21

D. The CTOSE project The European Union (EU) funded project ‘‘Cyber Tools On-Line Search for Evidence (CTOSE)’’ has developed a methodology that aims to provide a consistent approach for identifying, preserving, analysing and presenting digital evidence. The primary motivation behind the establishment of the CTOSE project was to improve the ability of 19

Vlasti Broucek and Paul Turner, ‘Forensic Computing: Developing a Conceptual Approach for an Emerging Academic Discipline’ in Helen Armstrong (ed), 5th Australian Security Research Symposium (2001) 55; Vlasti Broucek and Paul Turner, ‘Bridging the Divide: Rising Awareness of Forensic Issues amongst Systems Administrators’ in 3rd International System Administration and Networking Conference (2002); Vlasti Broucek and Paul Turner, ‘Risks and Solutions to problems arising from illegal or Inappropriate On-line Behaviours: Two Core Debates within Forensic Computing’ in Urs E Gattiker (ed), EICAR Conference Best Paper Proceedings (2002) 206; Vlasti Broucek and Paul Turner, ‘Intrusion Detection: Issues and Challenges in Evidence Acquisition’ (2004) 18(2) International Review of Law, Computers and Technology 149. 20 i.e. use PGP or SSL with keys 1024 or greater. Of course, it can be argued that pushing the introduction of encryption would inhibit the availability of illegal material because most P2P Networking is not possible or hampered by this technique. 21 Sandra Frings, Mirjana Stanisic-Petrovic and Robin Urry, ‘Holistic Approach for Processing Electronic Evidence Related to High-Tech Crime and Severe Disputed Electronic Transactions: Cyber Crime Advisory Tool - C*CAT’ in Urs E Gattiker (ed), EICAR 2003 Conference Best Paper Proceedings (2003); Robin Urry and Neil Mitchison, ‘CTOSE Project. Electronic Evidence: gathering, securing, integrating, presenting’ (Paper presented at the CTOSE Conference, Faculte ´s Universitaires Notre-Dame De la Paix, Namur, Belgium, 8e9 May 2003).

V. Broucek et al. technical processes to collect, secure, validate and transfer electronic evidence

CTOSE reference process model

CTOSE demonstrator

legal requirements presentation requirements

Figure 1

CTOSE project.

companies to respond to computer misuse incidents. In this regard, the CTOSE project began by developing a reference process model resembling organisational, technical and legal guidelines on how a company should proceed when computer misuse occurs. The focus of the model is on the acquisition of digital evidence and on how it is to be collected, conserved and analysed in a manner that will be legally admissible should court proceedings be instigated. Fig. 1 illustrates how this reference model links to a detailed examination of technical, legal and presentational requirements, which inturn link to the project software demonstrator. The reference process model is composed of five phases: preparation, running, assessment, investigation and learning phases. It articulates the flow of actions and decisions that have to be considered or executed in the case of an investigation of computer misuse. Moreover, additional information is necessary (including roles and their necessary skills, checklists, references to documents and tools, and legal advice) to support the action or decision in each step (see Fig. 2). In this way a user can consult a checklist, prior to reporting an IT incident, which covers what technical information about the incident law enforcement agencies may require from the person involved. This should result in optimising communication between the two parties. Significantly, the CTOSE project emphasizes the preparation phase, also referred to as ‘‘Forensic Phases Preparation phase Running phase Assessment phase Investigation phase Learning phase

Figure 2

Subprocesses – identification of incidents Components – Collection – action – validation – decision – storage – role – access – skill / special skill – analysis – advice – collation – checklist – legal – document – documentation – advice presentation – technology/tool – of

– – – –

training literature reference advantage/disadv. risk

CTOSE phases of response.

Forensic evidence and music piracy

35

Readiness’’, because IT security measures critical to the whole process are defined and implemented in this phase. For example, this phase includes a technical aspect like implementing a firewall and/or an intrusion detection system and assures that qualified staff is present to administer the systems and evaluate their logging.

1. The software prototypes As a consequence of the complexity of the process reference model (see Fig. 3 for a fragment of it), it was decided that the CTOSE project would develop an electronic version. This prototype is called the ‘‘Cyber Crime Advisory Tool’’ (C*CAT) and is made

up of a database connected to a database administration tool containing all actions, decisions, relationships (sequence of flow charts) and all additional information. The architecture of C*CAT is presented in Fig. 4. The Web based front end of C*CAT (see Fig. 5) connected via an Apache Web server to the database is the interface between the information to be processed and the people involved in investigating a computer misuse incident. From the evaluation of C*CAT it is clear that it is easy to use, and allows users to define the situation (by selection among different choices). Following this phase C*CAT presents the necessary actions and decisions that should be taken. In each case the

formally decide which legal forum is appropriate (civil, criminal, other)

suspect internal and/or external to company or impossible to answer at this stage

internal

external legal prosecution wanted

no, no prosecution wanted

external

impossilble to answer if internal and/or external

yes, prosecution wanted

no, stop internal investigation

company dicipline

go on with investigation

yes, go on with internal investigation (no external prosecution)

what kind of standards of proof is required for evidence (criminal/non-criminal standard of proof)

civil stds. of proof (non criminal) & low cost

criminal stds. of proof

non-criminal stds. of proof & high cost / high interest

is LE to be involved

Figure 3

Fragment of the process model.

36

V. Broucek et al.

MySQL Database

Database Admin Tool

Apache Web Server

Figure 4

Figure 5

C*CAT architecture.

C*CAT’s web based interface.

Web Interface

Forensic evidence and music piracy user is able to ask for more advice and guidance. Since the integrity of the chain of custody is critical, following correct procedures is of vital importance. At the end of the process, the user will be able to give feedback concerning the usage of the model to further improve its operation and utility. The future aim of CTOSE is to refine and improve the methodology and distribute it as widely as possible. As part of these activities the CTOSE project has developed a simulation environment (CTOSE Demonstrator) as an educational awareness and validation tool. The demonstrator describes the process model using several different scenarios. Each scenario provides the user with a clear and understandable way to proceed with do’s and don’ts when handling digital evidence for each phase. The project anticipates that the widespread utilisation of the CTOSE methodology will assist companies in being able to recover more rapidly from computer misuse incidents and improve their ability to conduct computer forensic investigations.21 The CTOSE project has made a very significant contribution to developing a methodology for a standardised approach to computer misuse.

E. Conclusion This article has reviewed and examined the recent Australian Federal Court case between the music

37 industry and three Australian Universities. From a forensic computing perspective the case reveals the strong and urgent need for development of standard procedures for collecting and preserving the digital evidence and the need for greater ‘‘forensic readiness’’ whether dealing with criminal, civil or inappropriate on-line behaviours. While it remains unclear what the end result of the ‘‘discovery’’ activities of the music industry will be, it is evident that the case also has a number of worrying implications for individual users’ privacy and the confidentiality of data held within institutions. It has also led to at least one of the Universities involved developing and implementing a forensic response policy and process. In responding to the need for a standard approach, the CTOSE project has made a significant contribution in this regard. Indeed, recently a CTOSE foundation has been established with the aim of making CTOSE available to a wider audience. Additionally, one of the authors is actively researching how best to integrate the investigative process model into business process models utilised by organisations.

Vlasti Broucek and Paul Turner, School of Information Systems, University of Tasmania, and Sandra Frings, Fraunhofer Institut fuer Arbeitswirtschaft und Organisation, Competence Center Software-Management, Stuttgart, Germany.

Computer Law & Security Report (2005) 21, 38e45

e-COMMERCE IN GREECE

e-Commerce directive e The Greek response Ioannis Iglezakis University of Thessaloniki, Greece

Abstract This article explores the implementation of the e-Commerce directive into Greek law and the hopes and expectations that this measure will enhance competition in the market for online services. ª 2005 Ioannis Iglezakis. Published by Elsevier Ltd. All rights reserved.

A. Introduction Electronic commerce (e-commerce) revolutionises the way, in which business is conducted.1 It encompasses a wide spectrum of activities,2 most of which are new, since they have been introduced after the advent of Internet e in its present form e and of World Wide Web (WWW).3 Steered by technological innovation, mainly the Internet, e-commerce is today expanding and undergoing 1

See European Commission, A European initiative in electronic commerce, COM (97), 157 (16.4.1997); OECD, Electronic commerce: opportunities and challenges for government (The ‘‘Sacher Report’’), 1997; M. Chissick, A. Kelman, Electronic commerce: law and practice (2002), p. 1 et seq. 2 For example, electronic trading of goods and services, online delivery of digital content, electronic fund transfers, electronic share trade, electronic bills of lading, commercial auctions, collaborative design and engineering, online sourcing, public procurement, direct consumer marketing and after-sales service. 3 However, electronic commerce is not an entirely new phenomenon, since companies have exchanged business data in closed user groups (e.g. in EDI networks) long before the expansion of Internet and business-to-consumer transactions have also been practiced in some form; for example, in Germany bildschirmtext and in France minitel were used for the ordering of goods and services.

fundamental change. It includes indirect electronic commerce (electronic ordering of tangible goods) as well as direct e-commerce (online delivery of intangibles, e.g. software). Moreover, it covers a wide variety of transactions, such as Businessto-Business (B2B), Business-to-Consumer (B2C), Consumer-to-Consumer (C2C) and Administrationto-Business and Administration-to-Consumer.4 The development of e-commerce, however, is hindered by obstacles such as the lack of security, which is inherent to open networks,5 and the need for a coherent legal framework.6 In Europe, divergent legislative approaches and emerging case law in the Member States, where no legal framework exists, risk fragmenting the Single market and hindering the development of e-commerce. The creation of a regulatory framework for e-commerce at European level is, therefore, considered essential. In this context, the E-Commerce 4

European Commission, ibid. European Commission, ‘‘Ensuring security and trust in electronic communication. Towards a European Framework for Digital Signatures and Encryption’’, at: www.ispo.cec.be/ eif/policy/97503.html. 6 European Commission, A European initiative in electronic commerce, ibid. 5

0267-3649/$ - see front matter ª 2005 Ioannis Iglezakis. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.01.019

e-Commerce in Greece Directive, which was adopted in 8 June 2000, is an important piece of legislation that provides specific harmonised rules concerning electronic business activities. This Directive has been implemented in Greece with Presidential Decree 150/2003.

B. The transposition of Directive 2000/31 in Greece7 The Directive on electronic commerce (2000/31/ EC) lays down specific rules to ensure the free movement of information society services between Member States, i.e. of e-commerce activities. The aim of the European legislator was to establish a clear and general framework to cover certain legal aspects of electronic commerce in the internal market, only where it was considered necessary, in accordance with the principle of subsidiarity.8 It is drafted in a technologically neutral way to avoid the need to adapt the legal framework constantly to new developments. It covers a wide variety of online services, i.e. information society services under the Directive, and applies horizontally across all areas of law, which refer to the provision of information society services and to B2B and B2C e-commerce.9 Greece transposed the E-Commerce Directive (Directive 2000/31/EC) on April 2003. The transposition took place through a single legislative act, the Presidential Decree No. 131/2003,10 which entered into force e retroactively e on 17.1.2002. This act constitutes the general legal framework for e-commerce only. Thus, it is supplemented by other legislative acts, such as the Decree No 150/2001 on e-signatures and the provisions for consumer protection (Law No. 2251/1994).

C. Information Society Services and other definitions The Decree applies to Information Society Services (ISS) as defined in the Transparency and the 7

For the transposition of the Directive in other EU countries see European Commission, First report on the application of Directive 2000/31/EC, COM(2003) 702 final, pp. 6e7. 8 See P. Lindholm, F.A. Maennel, Directive on Electronic Commerce (2000/31/EC ), CRi 2000, p. 65. 9 See European Commission, supra (note 7), pp. 2e3. 10 Presidential Decree no 131 transposing Directive 2000/31 of the European Parliament and the Council on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), Official Journal A/116 of 16 May 2003, p. 1747; see I. Iglezakis, The legal framework on electronic commerce, 2003 [in Greek].

39 Conditional Access Directives (Directives 98/34/ EEC and 98/48/EC), and, in particular, in Article 2(2) of Presidential Decree 39/2001.11 Under Article 1a of the Decree, ISS means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of a service. This provision is exemplified by Recital Nr. 18 of the Directive, which states that these activities can, in particular, consist of selling goods online, whereas activities such as the delivery of goods as such or the provision of services off-line are not covered and, furthermore, that information society services are not solely restricted to services giving rise to online contracting but also, in so far as they represent an economic activity, extend to services which are not remunerated by those who receive them, such as those offering online information or commercial communications, or those providing tools allowing for search, access and retrieval of data. It is also stated that information society services also include services consisting of the transmission of information via a communication network, in providing access to a communication network or in hosting information provided by a recipient of the service. Therefore, such activities are not deemed as telecommunication activities that fall outside the field of application. The Decree does not apply to certain services or areas, such as the field of taxation, issues relating to data protection (Law Nos. 2492/1997 and 2774/ 1999) and to agreements or practices governed by cartel law or activities of notaries or equivalent professions the legal representation of a client and defence before the courts, gambling activities.12 All other definitions, which are provided in Article 1 (service provider, recipient of the service, etc.), derive from Article 2 of the Directive 2000/ 31. The definition of established service provider, that is a service provider who effectively pursues an economic activity using a fixed establishment for an indefinite period, is of importance; it makes clear that the mere presence and use of the technical means and the technology required to provide services does not constitute an establishment. Therefore, the place of establishment of a business is not there where the servers, which run the e-commerce service, are located, or where the technology supporting its website is located, but where the service provider actually pursues an economic activity through a fixed establishment.13 11

Government Gazette A 28 of 2001. Article 20 of Decree 131/2003. 13 See Recital Nr. 22 of the Directive 2000/31; Iglezakis, ibid, p. 73 et seq. 12

40 The Decree applies to consumers and professionals or businesses, but with some additional protection for consumers. It is worth noting that the notion of the consumer is defined as it is stated in the Directive, i.e., ‘‘as any natural person who is acting for purposes which are outside his or her trade, business or profession’’. This definition, however, is not compatible with the broader term of the consumer in the Consumer Protection Act (Law No. 2251/1994). In this Act, the consumer is defined ‘‘as any natural or legal person, for whom products or services offered in the marketplace, are destined, or who makes use of such products or services, provided that he/she is the final recipient of them’’ (Article 1(4) lit(a) of Law No. 2251/ 1994).

D. Country of origin and internal market The country of origin principle finds its expression in Article 2, paragraph 1. In this provision it is stated that as regards the provision of ISS in Greece or in any other member state, provided by a service provider established in Greece, the relevant provisions of the national law, which fall within the coordinated field, must be complied with. This means that a service provider has to comply with the requirements in national legislation that could be applied to an ISS or a provider of an ISS, such as the conditions of establishment and access to the activity, the legal provisions on content (e.g., illicit content, defamation, etc.), on commercial communication (with the exception of unsolicited communication), on unfair competition, on contract law, etc.14 This provision, however, does not contain rules of international private law, but only addresses the question which material law is to be applied in judging whether the ISS provided by a service provider is lawful.15 In addition, in Article 2, paragraph 2 it is stated that restrictions to the freedom of ISS from another member state, for reasons falling within the coordinated field, are not allowed. As a result, ISS provided from another Member State of the EU in Greece cannot be restricted.16 However, derogation is provided for in Article 2(3) of the Decree. The country of origin and the 14

See I. Iglezakis, ibid, p. 75 et seq. H.-J. Vogel, E-Commerce: Directives of the European Union and Implementation in German Law, in: The comparative law yearbook of international business, Special Issue 2002, E-Commerce: Law and Jurisdiction, 49 pp. 16 Cf. P. Lindholm, F.A. Maennel, ibid, p. 66.

I. Iglezakis internal market principles do not apply to copyright, neighbouring rights, rights referred to in Directive 87/54/EEC(1) and Directive 96/9/EC(2) as well as industrial property rights, to advertising of valuables pursuant to Article 44(2) of Directive 85/611/EEC(4), to Article 30 and Title IV of Directive 92/49/EEC(5), Title IV of Directive 92/96/ EEC(6), Articles 7 and 8 of Directive 88/357/EEC(7) and Article 4 of Directive 90/619/EEC(8), to the freedom of the parties to choose the law applicable to their contract, to contractual obligations concerning consumer contacts, to formal validity of contracts creating or transferring rights in real estate where such contracts are subject to mandatory formal requirements of the law of the Member State where the real estate is situated and to the permissibility of unsolicited commercial communications by electronic mail.

E. Establishment and information requirements Article 3 establishes the principle, according to which the taking up and pursuit of the activity of an ISS provider is free. This is without prejudice, however, to authorisation schemes which are not specifically and exclusively targeted at ISS or which are provided for in the telecommunications sector, according to the Telecommunications Act (Law No. 2867/2000) and Decree 157/1999. Thus, it grants to all individuals and undertakings a right to establish a website and, in general, to make use of the full potential of Internet technology.17 Authorisation requirements may only be valid if they do not address ISS exclusively; for instance, in distance contracts there is a duty on suppliers to register in a special record in the Ministry of Development (Article 4(14) Law No. 2251/1994), which is not affected by the above-mentioned principle. On the contrary, prohibitions of online services are contravening this provision. It is notable that a law on gambling games (Law No. 3037/2002),18 which prohibited all kinds of electronic games (gambling and recreational games), performed online and off-line, has been considered to contravene basic provisions of the Constitution, such as Article 5 on freedom of economic activity, Article 4(1) on equality and also the principle of proportionality established in Aricle 25(1). This is because the general and undifferentiated

15

17

J. Dickie, Internet and Electronic Commerce Law in the European Union, 1999, p. 24. 18 See: !www.netcafe.gr/files/law.txtO.

e-Commerce in Greece prohibition on games imposed on Internet-Cafes is not an appropriate means of achieving the purpose of the law here, which is the prohibition on gambling games.19 Furthermore, Article 4 provides for the information requirements, which are to be given by information society service providers to consumers and competent authorities. This type of information is supplemental to the information provisions in the regulations concerning distance contracts (Article 4 paragraphs 2 and 9 of the Consumer Protection Act). On the other hand, the information requirements apply regardless if there is a contract or not. In particular, Article 4 states that any service provider shall render easily, directly and permanently accessible information to the recipients of the service and competent authorities, apart from the information provided for in Article 4(2) and (9) of Law No. 2251/199420:  the name of the service provider;  the geographic address at which the service provider is established;  the details of the service provider, including his electronic mail address, which allow him to be contacted rapidly and communicated with in a direct and effective manner;  where the service provider is registered in a trade or similar public register, the trade register in which the service provider is entered and his registration number, or equivalent means of identification in that register;  where the activity is subject to an authorisation scheme, the particulars of the relevant supervisory authority;  as concerns the regulated professions: - any professional body or similar institution with which the service provider is registered, - the professional title and the Member State where it has been granted, - a reference to the applicable professional rules in the Member State of establishment and the means to access them;  where the service provider undertakes an activity that is subject to VAT, the identification number referred to in Article 36 of Law No. 2859/2000. Furthermore, in case when information society services refer to prices, these are to be indicated 19 Trimeles Efetio Armenopoulos 2004, p. 133; Trimeles Plimeliodikeio Thessaloniki No 16251/2002, Armenopoulos 2002, p. 1666. 20 Iglezakis, ibid, p. 89 et seq.

41 clearly and unambiguously and, in particular, must indicate whether they are inclusive of tax and delivery costs. The obligation to provide information in an easy, direct and permanently accessible form means that information contained in a website, which is accessible after numerous clicks,21 or information only accessible during the first visit or after use of a service, does not meet the requirements set in this provision.22 However, the existence of an icon with a hypertext link to the information would be sufficient to meet this requirement.23

F. Commercial communications Further information requirements are established in relation to commercial communications.24 These requirements apply to the different kinds of online advertising, i.e. website presentation, banner advertising, ‘‘pop-up’’ or ‘‘pop-under’’ advertising and ‘‘spam’’.25 It should be noted, however, that the specific provisions relating to online advertising do not exclude the application of the general law of advertising (Articles 1 and 3 of Law No. 146/1914, Article 9 of Law No. 2251/ 1994).26 More specifically, Article 5 states that commercial communications, which are part of, or constitute, an ISS, may comply with certain information requirements. In particular, commercial communications must comply at least with following conditions:  the commercial communication shall be clearly identifiable as such;  the natural or legal person on whose behalf the commercial communication is made shall be clearly identifiable; 21

See, e.g., OLG Karlsruhe, CR 2002, 682; OLG Mu ¨nchen, CR 2002, 445. 22 Vogel, ibid, p. 51. 23 See the Draft Directive (Commission, Proposal for a European Parliament and Council Directive on certain legal aspects of electronic commerce in the internal market), COM (98) 586, OJ 1999, C30/4 (at 20). 24 The definition of commercial communications in Article 1 lit(f) of the Decree, includes ‘‘any form of communication designed to promote, directly or indirectly, the goods, services or image of a company, organisation or person pursuing a commercial, industrial or craft activity or exercising a regulated profession’’. 25 See in particular, A. Joint, Selling Cyberspace: new legal issues emerge as the online advertising industry continues to grow, [2003] 19 CLSR 39 et seq. 26 See in particular, Iglezakis, ibid, p. 95 et seq.

42  promotional offers, such as discounts, premiums and gifts, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions which are to be met to qualify for them shall be easily accessible and be presented clearly and unambiguously;  promotional competitions or games, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions for participation shall be easily accessible and be presented clearly and unambiguously. An example of an identifiable commercial communication is that of a header on a webpage, which is clearly labelled. On the other hand, examples of hidden communications include that of an article praising a product with no indication that it was commissioned and financed by the product’s manufacturer, and that of a site, which does not give a hint that it is sponsored by a private interest for the purpose of advertising.27 According to this provision, commercial communication should be transparent and not misleading. In order to meet the requirements of this provision, a website may have hyper-linked webpage icons that identify those for whom communications are made or provide access to the conditions of promotional offers.28 These requirements supplement the existing legislation and jurisprudence in the fields of consumer protection and advertising and, therefore, provide additional protection to consumers in order to increase consumer trust in e-commerce. It is noteworthy that the legal framework on commercial communications will be complemented by future European legislation, such as the proposed Regulation on Sales Promotions,29 the proposed Directive on Unfair Commercial Practices30 and the proposed Regulation on Enforcement Cooperation.31 Unsolicited commercial communication (socalled spam) is also dealt with in the Decree. According to Article 6(1), commercial communication that is sent by electronic mail, with a recipient who has not requested it, as far as it is not forbidden, shall be clearly and unambiguously identifiable as such, as soon as it is received by

I. Iglezakis the recipient. This provision should be interpreted as an information requirement, which aims at ensuring transparency, and not as a rule stating that spam is admissible, since the provisions of the Greek legislation basically provide for an opting-in of unsolicited electronic communication (Article 9 of Law No. 2774/1999 and Articles 4 and 9, paragraph 10 of Law No. 2251/1994). The issue of unsolicited commercial communications via e-mail is also regulated by the Directive 2002/58/EC on Privacy and Electronic Communications,32 which has not been yet transposed into Greek law. This Directive allows the sending of unsolicited electronic communications only after prior consent by the recipient, when the recipient is a natural person, or, within an established commercial relationship. The opting-in approach adopted by this Directive is in conformity with existing provisions in Greek Law, so its transposition would not cause problems. Furthermore, according to Article 6(2), without prejudice to the provisions of Ministerial Decision Z1-496/2000 concerning distance contracts, of Law No. 2472/1997 on the processing of personal data and Law No. 2774/1999 on protection of private life in the telecommunications sector, service providers shall consult opt-out registers, in which natural persons not wishing to receive unsolicited e-mails can register themselves. However, although this provision refers to opt-out registers, it must be underlined that Greek law provides for an opting-in of spam, so it is rather superfluous. Article 7 of the Decree, which implements Article 8 of the Directive, enables members of regulated professions to make use of modern Internet technology. In particular, it states that the use of commercial communications which are part of, or constitute, an information society service provided by a member of a regulated profession, is permitted subject to compliance with the professional rules regarding, in particular, the independence, dignity and honour of the profession, professional secrecy and fairness towards clients and colleagues. Indeed, this provision facilitates the use of Internet from professionals, given that advertising of professionals in Greece is subject to prohibitions and restrictions.33 These prohibitions are deemed by many as out-dated, but would impose restrictions to online presentation

27

See the Draft Directive at 20; Dickie, ibid, p. 26 et seq. Draft Directive, ibid. 29 COM (2001) 546 final, amended proposal COM (2002) 585 final. 30 COM (2003) 356 final. 31 COM (2003) 443 final. 28

32

OJ L 201, 31.7.2002, p. 37. See for example Article 6 of Law No. 2194/1994 relating to advertising of medical doctors and dentists and Articles 9 and 10 of the Code for Attorneys of 1986. 33

e-Commerce in Greece of professionals, in the absence of a provision making the use of commercial communications admissible.34

G. Contracts concluded by electronic means Directive 2000/31 addresses the issue of electronic contract formation and lays down information requirements and obligations of the service providers in taking orders. Article 9 provides for the obligation of Member States to ensure that their legal system allows contracts to be concluded by electronic means. In particular, electronic contracts must not be deprived of legal effectiveness and validity because they are having been made by electronic means. While other countries have modified their Civil Code and Civil Procedure Code in order to implement this provision, in Greece the relevant provisions have been introduced in the Decree 131/ 2003. Namely, Article 8 states that without prejudice to Decree 150/2001 on ‘‘electronic signatures’’,35 the conclusion of contracts by electronic means is permitted, with the exception of contracts that create or transfer rights in real estate, contracts requiring by law the involvement of courts, public authorities or professions exercising public authority, and contracts governed by family law or by the law of succession. This provision means that an electronic document will have the same legal validity and probative effect as private documents. The prerequisite for the validity of electronic documents is that they have advanced electronic signatures, which are based on a qualified certificate and are created by a secure-signature-creation device.36 Furthermore, the provisions of the Directive concerning certain minimum information about the formation of the contract and placing of the order are implemented in Articles 9 and 10. Article 9 of the Decree provides for that the service provider is under obligation to provide specific information

43 in relation to a contract, prior to its conclusion. The following information shall be given:  the different technical steps to follow to conclude the contract;  whether or not the concluded contract will be filed by the service provider and whether it will be accessible;  the technical means for identifying and correcting input errors prior to the placing of the order;  the languages offered for the conclusion of the contract; and  the codes of conduct, which the service provider is subject to. The next provision, establishes a requirement to explain how the contract is concluded. Article 10 states that in cases where the recipient of the service places his order through technological means, the following principles apply: - the service provider has to acknowledge the receipt of the recipient’s order without undue delay and by electronic means; - the order and the acknowledgement of receipt are deemed to be received when the parties to whom they are addressed are able to access them; - the service provider makes available to the recipient of the service appropriate, effective and accessible technical means allowing him to identify and correct input errors, prior to the placing of the order. However, like the Directive, the law does not provide specifically for sanctions, in the case these requirements are circumvented. A lack of validity of the contract is not an ipso jure consequence,37 but there may be reasons to annul the contract in case of misapprehension (Article 140 Civil Code); this circumvention is also deemed as a breach of a secondary obligation of the service provider, which gives the recipient of the service a right to compensation (Article 382 Civil Code et seq).38

34

See in particular Iglezakis, ibid, p. 119 et seq. It is worth noting that Decree 150/2001 implements the provision of Directive 1999/93/EC, OJ L 13, 19.1.2000, p. 12. 36 See D. Maniotis, The electronic formation of contracts and the liability of third parties responsible for the authenticity of the electronic document, 2003, p. 26 et seq [in Greek]; G. Georgiades, Contract formation on the Internet, 2003, p. 204 et seq [in Greek]; K. Christodoulou, Electronic Documents and Electronic Contract, 2001, passim [in Greek]. For the issue of validity of electronic documents before the enactment of Decree 131/2003 see Athens Single-Member Court of first Instance 1327/2001, RHDI 2002, p. 531 et seq. 35

H. Liability of Internet intermediaries The provisions of the Directive concerning exemptions of liability as regards acts of mere transmission 37

See Vogel, ibid, p. 54. See in particular, Iglezakis, ibid, p. 155; Ulmer, Online Vertragsschluss e ein Verfahren wird popula¨r?, CR 2002, p. 208 et seq. 38

44 and provision of access, and those concerning the limitation of liability as regards caching and hosting, as well the provision of absence of general obligation to monitor, are verbatim implemented in Articles 11e14.39 Like the Directive, the Decree does not establish ‘notice and takedown-procedures’ and does not provide for injunctions.40 The limitations on the liability of intermediaries were considered necessary to ensuring both the provision of basic services, which safeguard the continued free flow of information in the network, and the provision of a framework allowing the Internet and e-commerce to develop.41 The liability of the service provider is limited in cases where he merely serves as an intermediary, not having influence over the content of online material.42 Article 11 exempts providers from liability for mere transmission of information or the provision of access to a communication network on condition that the provider does not: (a) initiate the transmission; (b) select the receiver of the transmission; and (c) select or modify the information contained in the transmission. This provision applies to Internet Access and to Network Providers, including routing as well as e-mail and mailing list services.43 Service providers are also exempted from liability, according to Article 12, where the service provided consists of the transmission in a communication network of information provided by a recipient of the service, that is where they simply temporarily store or ‘‘cache’’ information. The exemption of liability for caching, i.e., the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients of the service upon their request, applies on condition that:  the provider does not modify the information;  the provider complies with conditions on access to the information;

39 For an overview of this issue see A. Brown, G. Donald, Liability of Internet Service Providers: recent developments, in: The comparative law yearbook of international business, ibid. p. 95 et seq. 40 See in particular, European Commission, First report, supra (note 7), pp. 14e16. 41 European Commission, ibid, pp 12e13. 42 Vogel, ibid, p. 56. 43 Iglezakis, ibid, p. 171 et seq; Freytag, Verantwortlichkeit fu¨r rechtswidrige Inhalte nach der E-Commerce Richtlinie, CR 2000, p. 600 et seq.; Spindler, E-Commerce in Europa. Die ECommerce Richtlinie in ihrer endgu¨ltigen Fassung, MMR-Beilage 7/2000, p. 7; Eck, Ruess, Haftungsprivilegierung der Provider nach der E-Commerce-Richtlinie, MMR 2003, p. 363 et seq.

I. Iglezakis  the provider complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry;  the provider does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and  the provider acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement. Further, Article 13 provides for the exemption of liability for hosting, that is, the storage of information provided by a recipient of the service for an indefinite period of time. A service provider storing information of users will not be held liable for the information stored if he does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent. As soon as the service provider obtains such knowledge or awareness, it is under the obligation to act expeditiously to remove or to disable access to the information. Under penal law, the service provider will be held liable only if he has acted fraudulently and not in negligence. However, under civil law the service provider will be held liable even if he acted in (gross) negligence, since the law clearly states that he will not be liable as regards claims for damages, if he is not aware of facts or circumstances from which the illegal activity or information is apparent.44 Further, the question raised, is when the provider can be deemed to have knowledge of illegal activity.45 The prevailing opinion is that secure knowledge of facts is demanded, such as a notification or a decision from competent authorities or a proper notice from a private person.46 In addition, the provider does not have a duty to monitor the information, which he transmits or stores, nor a general obligation actively to seek facts or circumstances indicating illegal activity.47 44

See Iglezakis, ibid, p. 179 et seq.; Freytag, ibid, p. 608; Eck, Ruess, ibid, p. 364. 45 See Vogel, ibid, p. 57. 46 Iglezakis, ibid, p. 181. 47 Article 14.

e-Commerce in Greece However, in accordance with Article 14(2), information society service providers are under the obligation to inform promptly the competent public authorities of alleged illegal activities undertaken or information provided by recipients of their service or obligations to communicate to the competent authorities, at their request, information enabling the identification of recipients of their service with whom they have storage agreements, but without prejudice of the provisions regarding confidentiality and data protection.

I. Implementation and self-regulation Finally, the Decree establishes self-regulation schemes and provides regulations concerning the enforcement of its provisions. It states that Codes of Conduct are established by interesting professional organisations and consumer associations and are approved by the Minister of Development (Article 15). According to Article 16, disputes arising in the course of e-commerce are subject to the same procedure, which applies for ordinary consumer disputes, i.e. the amicable settlement (Article 11 of Law No. 2251/1994).

45 Moreover, the Decree provides for interim measures, in case of infringement of rights, arising from the provision of ISS (Article 17), and also for sanctions applicable to infringements (Article 19). The control of the implementation of the Decree lies upon the Ministry of Development, which is also designated to co-operate with other Member States and the EU-Commission.

J. Concluding remarks The transition from a traditional to a knowledgebased economy requires an appropriate legal framework. The legislation on e-commerce established after the transposition of the Directive 2000/31 in Greek Law is a flexible framework, which would enhance competition in the market of online services. Furthermore, it creates legal certainty and clarity needed and enhances consumer trust in e-commerce. However, there is still no practical experience with the framework on e-commerce and it would be necessary to anticipate case law on related issues. Ioannis Iglezakis, Attorney at Law, Visiting Lecturer at the Law School, University of Thessaloniki, Greece.

Computer Law & Security Report (2005) 21, 46e50

TECHNOLOGY PROCUREMENT AND PRE-CONTRACT WORKING

Liability for pre-contract working e Balancing the risks in technology procurements Justin Harrington Technology Law Group, Field Fisher Waterhouse, UK

Abstract Pre-contract working is commonplace in large scale technology procurements since the parties assume that potentially it may benefit (or certainly is unlikely to harm) either side. On the one hand, the customer perceives a benefit because pre-contract working is likely to ensure that milestones are met once the contract is signed and customers assume that a supplier who has been actively involved in its business before contract signature is likely to have a better understanding of its business. For a supplier too there are benefits; it obtains greater familiarity with the customer and the key personnel involved. It also means that the supplier may have the ‘‘inside track’’ in respect of any competitive procurement exercise that the customer may wish to hold. However, there are also potential risks to this approach for both parties. While pre-contract working may also give rise to risks for a public authority under applicable procurement legislation, the focus of this article is the risk of uncertainty facing both parties arising from the ability of the supplier to claim a quantum meruit for work completed. ª 2005 Field Fisher Waterhouse. Published by Elsevier Ltd. All rights reserved.

Problems typically arise where the customer has carried out a procurement exercise, made its requirements clear and lined up a preferred bidder.1 The parties are certain that they are close to resolving those open issues that remain and that a contract will be signed shortly. In anticipation of 1

Of course, this is also an issue for a supplier who is tendering for a contract and who has lined up a subcontractor. See for example the Countrywide case referred to below.

signing a contract, the supplier (possibly encouraged by the customer) starts work. In some cases the work carried out prior to and in anticipation of contract signature may be substantial in value; by way of example, in Regalian Properties v. London Docklands Development,2 the fees incurred by the claimant were in excess of £2.5 million. If a final contract is signed, the work will be subsumed into 2

[1995] 1 WLR 212.

0267-3649/$ - see front matter ª 2005 Field Fisher Waterhouse. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2004.11.012

Technology procurement and pre-contract working

47

the fees payable under that contract. But what happens should a contract not be concluded? As noted already, this is an issue of concern for both customer and supplier. In the event a final contract is not awarded, will the customer be liable to the supplier for the work that has already been commenced by the supplier? In what circumstances will the supplier be able to successfully make such a claim?

v. Davis,6 Mr Justice Barry, discounting the argument of the defendants to the effect that there ought to be a contract before there could be any liability, commented:

A. Is there a contract in place? An obvious starting point is to consider whether there is a contract in place for the provision of the relevant hardware or services. Typically, this may be recorded in a letter of intent or memorandum of understanding or alternatively there could be an oral agreement.3 It may be arguable on the facts that there is offer and acceptance, consideration and an intention to create legal relations. However, an essential requirement for a binding contract may be missing. Negotiations or any recorded letter of intent may be ‘‘subject to contract’’ or else there may be substantial uncertainty as to the essential terms that apply, such that it is not possible to identify the existence of a contract. This was the case in British Steel Corporation v. Cleveland Bridge and Engineering Co.4 While that case was concerned with the heavy engineering sector, the factual matrix echoes circumstances frequently encountered in the context of negotiations for the supply of information technology services or hardware. Each party tried to obtain the other’s agreement to its standard conditions of contract, but each party objected strongly with the result that it could not be said that the parties reached agreement. Nonetheless, work proceeded on the basis that a contract would soon be agreed and, perhaps unsurprisingly, the issue of payment for that work subsequently became the subject of a claim for a quantum meruit.

1. Where there is no contract in place L quantum meruit claims Where there is no contract, another alternative is to look at what some judges have called ‘‘implied contract’’ or ‘‘quasi contract’’.5 In William Lacey 3 For example an oral agreement was pleaded in Yule v. Little Bird e an unreported decision of Buckley J of 5th April 2001. 4 [1984] 1 All ER 504. 5 For example see Goff J in British Steel above: ‘‘BSC’s primary contention was that no binding contract was ever entered into and that they were entitled to be paid a reasonable sum for the nodes on a quantum meruit, a claim sounding not in contract but in quasi contract’’.

‘‘.in its early history, it was no doubt a genuine action in contract, based upon a real promise to pay, although the promise had not been agreed. Subsequent developments have however considerably widened the scope of this form of action and in many cases the action is now founded upon what is known as quasi-contract, similar in some ways to the action for money had and received.’’ There is growing acceptance that this is now to be viewed as an action in restitution for a quantum meruit.7 Customers can take comfort, but suppliers should note with caution, that the cases emphasise that such a claim will succeed only in ‘‘exceptional circumstances’’. As Nicholas Strauss QC sitting as a deputy judge stated in Countrywide v. ICL Pathway8: ‘‘There is no doubt that in most cases a person who carries out work in the hope of obtaining a contract, for example a builder who prepares an estimate, cannot claim the cost of doing so. In general, parties are free to withdraw from negotiations at anytime before a contract is entered into for good or bad reasons or for none at all, without incurring liability. If it were otherwise, persons seeking quotes for work might routinely find themselves liable for expenses of several disappointed bidders.’’ The sorts of circumstances that will be exceptional enough to justify a quantum meruit claim are briefly discussed below. But it is worth noting that this area is made all the more difficult due to conflicting case law; it is extremely difficult to discern any principles of general application save for the classic restitutionary requirements of benefit and unconscionability. As Strauss QC went on to state in Countrywide: ‘‘I have found it impossible to formulate a clear general principle which satisfactorily governs the different factual situations which have arisen, let alone those which could easily arise in other cases’’.

6

[1957] 2 All ER 712. Most commentators regard the quantum meruit claim to be a species of unjust enrichment. But see the comments of Buckley J in Yule (see footnote 3) where separate consideration was given to quantum meruit and unjust enrichment. 8 Unreported decision of 21st October 1999. See [2000] CLC 324 for a summary. 7

48

2. Requirements for a restitutionary claim A restitutionary claim for a quantum meruit will seek evidence of unjust (or unconscionable) enrichment (or the unjust or unconscionable receipt of a benefit) by the defendant at the expense of the claimant.

B. Benefit In particular, what may constitute a benefit or an enrichment has been the subject of debate. There is unlikely to be a difficulty in concluding that a defendant has gained a benefit if he accepted computer hardware or software delivered to him at his request. Thus in British Steel Corporation9 when negotiations broke down, Goff J held that the claimants in that case were entitled to a quantum meruit payment for the 137 cast-steel nodes which had been delivered by them to the defendants’ specifications. In part, this was because the nodes had been completed by the claimants at the request of the defendants.

1. Are services different? For some time there has been additional uncertainty as to whether the provision of services could amount to a benefit unless those services have been requested by the defendant.10 Thus in Brewer Street Investments Limited v. Barclays Wool & Co Ltd.11 the parties were negotiating ‘‘subject to contract’’ a lease to be granted to the defendants. The plaintiffs agreed to make alterations at the defendants’ request but negotiations broke down and no contract was signed. In the Court of Appeal, Denning LJ (with whom one of the other judges appeared to agree) held that the defendants had been enriched by the performance of services (even though they never actually took possession of the premises) by the plaintiffs at the defendants’ request and should therefore pay a quantum meruit. Certainly a request for services by the defendant is a common ingredient in many of the cases relating to the provision of services, but its necessity has recently been questioned by commentators.12 While it is true that historically services have been perceived differently, the law appears to have now 9

[1984] 1 All ER 504. Or else been the subject of an ‘‘implied request’’ as in Marston Construction v. Kigass Limited. 11 [1954] 1QB 428. 12 See Paul Key ‘‘Detrimental Reliance in Anticipation of a Contract’’ III LQR 576 who argues that it is not essential and that this requirement should generally be viewed as part of the question of unconscionability. 10

J. Harrington moved on. As a result, in Marston Construction v. Kigass Limited,13 Mr Justice Bowsher was able to comment: ‘‘When considering benefit, a distinction has to be made between the delivery of money and goods on the one hand and the provision of services on the other hand.. There is however some authority that treats a service as beneficial where it results in an ‘‘incontrovertible benefit’’ to the defendant... Goff and Jones state that an incontrovertible benefit is established where the defendant has made an ‘‘immediate and realisable financial gain or has been saved an expense which he otherwise would have incurred.’’ In that case, the obtaining of consents for the construction of a factory, the production of designs and working drawings together with an implied licence to build the factory in accordance with those drawings (though the licence is limited to having the factory built by the claimants in that case) were held to have conferred a benefit. While this was not a benefit that had been realised at the time of the hearing, it was a benefit capable of realisation by the defendant. It is worth noting that this broad view of benefit contrasts with the approach of Mr Justice Rattee in Regalian Plc v. London Docklands Development Corporation14 where he held that payments made by the claimants to third parties, the production of designs and the obtaining of planning permission for a proposed property development, were made in order to obtain the contract and did not result in any direct or indirect benefit to the defendant. In this respect Rattee J, in contrast to most academic writers, sought a positive accretion to the defendant’s wealth, even though (arguably) the defendant was ultimately saved the expense of paying those third parties.

2. Is the purported benefit something that would normally have been paid for? In considering whether a benefit has accrued, the cases indicate that a key issue will be to distinguish the tendering costs of the supplier (and other costs that the defendant would not normally expect to pay for) from any other benefit afforded to the defendant. In this respect, the supplier’s tendering costs are unlikely to amount to a benefit, but other work may constitute a benefit, particularly if it is work that would normally be paid for. In this last respect, the following are worthy of note. 13 14

15 Con LR 116. [1995] 1 WLR 212.

Technology procurement and pre-contract working

49

(i) In William Lacey v. Davis the defendant had bought a house which he planned to rebuild. Having obtained a number of quotes, the claimants were informed by the defendant that they would be awarded the contract. They subsequently carried out work which would enable the defendant to reclaim costs from the War Damage Commission. This work was nothing to do with their original tender. When the defendants informed the claimants that they would use another firm, the claimants sought recovery of their costs. Barry J held that the claimants were entitled to recover on a quantum meruit for their advice because ‘‘it fell outside the normal work which a builder by custom and usage normally perform gratuitously when invited to tender for the construction of a building’’ and since the defendants had obtained a real benefit. The claimant’s work had been instrumental in obtaining the approval of the reconstruction plans and the grant of a licence to build as well as a much higher ‘‘permissible amount’’ for the war damage claim. Normally the defendant would have had to have paid for these services. (ii) A similar analysis was carried out in Countrywide where the claimants sought payment of a quantum meruit for their communications and public relations work for a consortium run by ICL in respect of an IT system for the Benefits Agency. ICL was awarded the contract, but Countrywide was subsequently not appointed as subcontractor for the communications and public relations work. The judge found that ICL had obtained a benefit since Countrywide assisted ICL to formulate the correct approach to communications and public relations work and to provide an estimate of costs for which allowance would be made in ICL’s final tender. The advice was of benefit to ICL because ICL would have had to have paid for these services in the absence of the assurance they had given to Countrywide.

(b) the failure to disabuse the plaintiff of a mistake or false expectation; or (c) the attempt to retain without payment a benefit conferred in circumstances where the defendant knew that there was no intention to confer a gift.

C. Unconscionability/unjustness. It has been suggested that the element of unconscionability is likely to take one of three forms15: (a) the contradiction of a promise or representation;

15

Carter in ‘‘Essays on Restitution’’ pp. 211e12. In other cases (e.g. Yule, see footnote 3) the judge found an ‘‘implied request’’.

Essentially, each of these appears to require an assumption as to payment and some unconscionable denial of this assumption by the defendant. In many ways, unconscionability is ground covered by estoppel, an area that the Australian courts are expanding.16 In England and Wales by contrast this has hitherto been limited by the sword/shield rule set out in Combe v. Combe.17 As a consequence the normal action in the United Kingdom is for a quantum meruit. But there is a further issue here; establishing whether unconscionable behaviour has occurred may be difficult in light of case law. While a number of the cases (such as British Steel and Regalian) involve no substantive discussion of the question of unconscionability, others analyse the issue in depth. Thus in Lacey the requirement for unjustness or unconscionability was found in the assurance that the plaintiffs would be given the contract to reconstruct the building. It was unjust or unconscionable to withhold payment once the assurance was broken. Similarly in Countrywide, the claimant incurred fees on the basis that, if ICL were successful in its tender, ICL would negotiate a contract with Countrywide. In this last respect, Countrywide were given repeated verbal assurances that ‘‘Countrywide was on’’, that is, they would be part of ICL’s consortium. It is worth noting that a number of factors may be crucial for a finding of unconscionable behaviour. (i) In Countrywide, the judge noted that he would have held against Countrywide if there was evidence that the reason why Countrywide did not get the work was that its work was defective. In that sense, defective workmanship would have gone to the issue of benefit, but would also affect the issue of unconscionability; if there was a rational reason (not affecting the conscience of the defendant) for choosing a third party supplier, there would be no grounds for a restitutionary claim. (ii) Likewise, whether there can be said to be an assumption of risk outside that originally undertaken by the claimant at the outset may be material. Again, in Countrywide, the 16

For example Waltons Stores (Interstate) Ltd v. Maher (1988) 164 CLR 387. 17 [1951] 2KB 215.

50

J. Harrington judge commented that, in performing the services, Countrywide did not take the risk of a change of personnel at ICL deciding that its reputation was not good enough for the job. The question of Countrywide’s suitability to be involved in the ICL consortium had been agreed at the outset; the only risk Countrywide took related to whether the ICL consortium was awarded the main contract. By contrast, in Regalian, Rattee J believed that the deliberate use of the words ‘‘subject to contract’’ meant that, on the facts of that case, each party assumed any costs incurred would be at its own risk; on that basis there could not be any unconscionable behaviour.

D. Lessons learnt In many ways, the issue of quantum meruit payments for pre-contract wording could be resolved by having a general duty of good faith negotiations in English law. In the absence of such a duty, freedom of contract means that claims such as these are always going to be problematic. This section seeks to wind-up by considering some of the practical lessons to be learnt from the case law discussed above.

1. For suppliers Avoid beginning work without a written agreement. Make sure such an agreement is not expressly or impliedly ‘‘subject to contract’’, is sufficiently precise and deals with payment of your fees with regard to work carried out before any anticipated contract is entered into. Keep detailed and separate records of your tendering costs and any other costs involved in providing a pre-contract benefit. If you rely on a statement or assurance from the customer, keep contemporaneous notes e you may need them in court!

2. For customers (and suppliers in respect of their subcontractors) If you wish to ensure that you are not liable for pre-contract expenses, make sure any letter of intent and all negotiations are expressly ‘‘subject to contract’’ and that there is absolute clarity as to where the risk for pre-contract liabilities rest. Do not encourage suppliers to run up costs unrelated to their tender. Finally, if you must give assurances to suppliers, honour those assurance and make sure you document precisely what was said. Justin Harrington, Partner, Technology Law Group, Field Fisher Waterhouse.

Computer Law & Security Report (2005) 21, 51e55

SOFTWARE CONTRACTS

Software contracts and the acceptance testing procedure* Ruth Atkins Department of Law, University of Wales, Aberystwyth

Abstract This article considers the contractual issues raised in drafting arrangements for the conduct of acceptance testing procedures in software supply contracts. Consideration is given both to express terms in the software contract as well as those which may be implied by law. ª 2005 Ruth Atkins. Published by Elsevier Ltd. All rights reserved.

‘Acceptance’ is a significant stage in the contractual process e commercially, it is likely to operate as a payment milestone and legally it will affect the application of any warranty provisions and potential remedies which may be available to the customer. Particularly in the context of supplying software, the function and scope of acceptance testing can be a problematic and controversial issue. This article considers the potential for conflict between the commercial aspects which may be pertinent in drafting an appropriate acceptance testing procedure, and the terms which may be imposed upon that procedure by virtue of statutory provision. In doing this, the issue is approached from two contractual positions: express provisions which may be laid down in the software contract and terms which may be implied * This is an updated version of a paper presented at the 19th Annual BILETA Conference, March 2004, available at: www. bileta.ac.uk. E-mail address: [email protected]

into the contract by law. This reveals the impact each may have upon the other, highlighting the challenges to be considered and confronted by the contracting parties when drafting acceptance testing procedures for software contracts.

A. Express provisions Principles of good commercial practice prescribe that express provisions for any acceptance testing procedure should be clearly set out, determining under which circumstances and upon what basis ‘acceptance’ of the software will be deemed to have occurred. The scope and application of the acceptance testing procedure (the ATP) will vary considerably, depending upon the type of project and the nature of the software which is being supplied. For example, the supply of a standard off-the-shelf software package to meet a straightforward software requirement, such as the supply of a word processing package, may employ a relatively simple acceptance test. In this instance, the

0267-3649/$ - see front matter ª 2005 Ruth Atkins. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2004.11.010

52 acceptance test may be passed if the software has been used in a live environment for a period of 30 days without rejection. In contrast, a complex bespoke software development project is likely to demand detailed acceptance testing against a series of specified functions and facilities, each of which is to be achieved within particular performance requirements. The Office of Government Commerce in its guidelines on acceptance testing for bespoke software explains that: ‘Acceptance tests usually investigate correct function in handling data, resilience of the system to incorrect input, performance, quality attributes such as usability and documentation.’1 Inevitably there will be variance between the nature and scope of acceptance tests that are employed in different software projects. However, as Newton notes, ‘vital features’ of any acceptance procedure are ‘that it provides for an objective and measurable yardstick as to the standards of performance and functionality to be achieved’ which in turn should demonstrate to the buyer that the system meets its requirements.2 Testing the software against specific acceptance criteria will enable the customer to determine whether the software which has been delivered is in conformity with that for which he had contracted.

1. Defining the scope of the ATP To define and draft the ATP in respect of the supply of bespoke software may prove to be a difficult and intricate task for the contracting parties. Although each project is likely to demand individualised testing criteria, at a more general level, in any ATP, it will be necessary to show the required levels of functionality and standards of performance which are to be demonstrated by the software being supplied. The acceptance testing may be a lengthy procedure which may comprise of the testing of several components in a variety of circumstances and with a range of information and test data. The standards to be met will need to be clearly defined and expressed. These in turn, should hopefully serve as an accurate reflection of the customer’s requirements of the software.3

1

See Office of Government Commerce website: !http:// www.ocg.gov.ukO. 2 See Newton, J (2003) ‘System Supply Contracts’ in Reed, C and Angel, J (eds.) 5th ed. Computer Law, Oxford University Press, Oxford, 2003 at p. 33. 3 See further, Atkins, RD ‘Computer contracts: capturing requirements and apportioning responsibilities’, International Review of Law Computers & Technology, vol 17(2), pp. 219e230, July 2003.

R. Atkins Of equal importance to defining the basis upon which the software will be accepted, the ATP will also need to address what will happen in the possible event of any failure to pass any part or indeed, all of the prescribed acceptance tests. The circumstances under which the supplier may be allowed the opportunity to rectify any defects, to retest the software and, of particular relevance, the time given in which to carry out this corrective work, should be clearly laid out in the contractual documentation. For this reason, it can be seen that incorporating detailed and thorough acceptance test clauses into the contractual documentation may serve to promote the contract itself as a highly effective project management tool. Indeed, the contract can be used as a point of reference for all involved in the implementation and continual monitoring of the project. If the scope of the ATP is clearly laid out, everyone involved in the project should be in a position to know, for example how the tests are to be carried out, what is to be done in order to successfully complete the tests, and what is to be done in the event of failure of any part of the tests. In the event that there is repeated failure of the acceptance tests, despite the supplier having been given a further period for rectification of any problems with the software, the contract is likely to provide that the customer may choose to reject the software and receive a refund of all monies paid.

2. Passing the ATP If the software successfully passes the ATP, this is likely to activate a payment milestone, whereby the customer will be required to pay either the full fee for the software or the final instalment if there has been a staggered payment profile. It is possible that at this stage the contract may enter a warranty period. The scope of the warranty provision will obviously vary from contract to contract, but a common practice is to offer a 90-day warranty period which will commence immediately upon acceptance of the software. During the warranty period there will be the opportunity to identify any software bugs, not previously detected during the acceptance tests and these will often be corrected free of charge.4 The level of severity of these errors will be such that they would not have been

4

See Morgan, R and Burden, K Morgan and Stedman on Computer Contracts, 6th ed., Sweet & Maxwell, London, 2001 at pp. 50e53.

Software contracts fundamental in preventing the customer from accepting the software during the acceptance tests, but rather, will be minor software bugs which were beyond the scope of the ATP. It has been recognised in the courts that software will inevitably require testing and modification. In the case of Saphena Computing, Staughton LJ stated that ‘. software is not a commodity which is delivered once, once only, and once and for all, but one which will necessarily be accompanied by a degree of testing and modification’.5 The view was expressed that: ‘it would not be a breach of contract at all to deliver software in the first instance with a defect in it.’6 However, the concept that software can be delivered, with both property and risk passing to the customer, while allowing the supplier time to improve the software so that it complies with, for example, terms implied by statute, creates significant uncertainties for determining the time at which a system may be in breach.7 In the St. Albans case,8 Nourse LJ disapproved of such an approach and in doing so, appeared to lend support for the use of contractual provisions which clearly define what constitutes acceptance of a computer system. Nourse LJ stated: ‘Parties who respectively agree to supply and acquire a system recognising that it is still in the course of development cannot be taken, merely by virtue of that recognition, to intend that the supplier shall be at liberty to supply software which cannot perform the function expected of it at the stage of development at which it is supplied.’9 Such dicta as expressed in the cases of Saphena and St. Albans raise the question of ‘when does a bug constitute a breach?’ In SAM v. Hedley10 Judge Bowsher Q.C. suggested that the system at the centre of the dispute presented a much stronger case against toleration of bugs as had been demonstrated in the St. Albans case by virtue of the fact that it was sold as a developed system rather than as a bespoke system. The Judge stated that he was: ‘. in no doubt that if a software system is sold as a tried and tested system it should

53 not have any bugs in it and if there are any bugs they should be treated as defects.’11 Expert evidence in the case made reference to a minor bug which was promptly fixed and the submission was made that this therefore did not constitute a breach. The Judge rejected this line of reasoning stating that the bug ‘was a breach, but because promptly fixed there was probably no damage and certainly none proved’.12 The Court noted that there was an element of inevitability of bugs within software but the point was emphasised that bugs are defects and responsibility and expense for rectifying those defects rests with the supplier.13 A fundamental problem with this conclusion is that it implies all bugs can be identified. Although testing of software systems can, and should be comprehensive, it is impossible to cover every possible permutation and therefore to eradicate any potential bug. Indeed, in the case of complex systems, ‘exhaustive testing of software is out of the question; there are simply too many possible combinations of events.’14 The Court’s comments in respect of the rectification of bugs bring into question the potential danger of conferring responsibility and expense for fixing all software bugs upon the supplier, to the extent that the supplier may be exposed to an unacceptable level of liability. The inherent difficulties in determining whether a minor defect may constitute a breach of contract, which at the most extreme level could entitle the customer to reject the system, may be alleviated by express terms in the contract. Within this context, the above-mentioned cases serve to illustrate the importance of incorporating detailed and comprehensive ATP. Clearly, if the ATP is set out comprehensively within the contract this may have the effect of preventing the customer from delaying the contract progressing from the acceptance testing stage into the warranty period on the basis of there being minor software errors. It can be seen that from a supplier’s perspective, detailed ATP, setting out decisively the basis on which the software is to be accepted and therefore for what and when payment is to be received, are valuable express provisions in any software or systems supply contract.

5

Saphena Computing Ltd. v. Allied Collection Agencies Ltd. [1995] FSR 616 at 652. 6 Ibid at 652. 7 See Rowland, D and Macdonald, E Information Technology Law, 2nd ed., Cavendish Publishing Ltd, London, 2000 at p 104. 8 [1996] 4 All ER 481. 9 [1996] 4 All ER 481 at 487. 10 SAM Business Systems Ltd v. Hedley & Co (QBD (T&CC)) [2002] EWHC 2733.

11

Ibid at para 20. Ibid at para 137. 13 Ibid at para 166. 14 Bott, F, Coleman, A, Eaton, J and Rowland, D Professional Issues in Software Engineering, 3rd ed. Taylor & Francis, London, at p. 292. 12

54

B. Terms implied by statute Invariably, contracts for the supply of bespoke software and from a more broader perspective, systems supply contracts in general, will contain details of acts which will constitute an acceptance. Such contracts will specify the acceptance criteria to be met and the consequences arising from that acceptance, such as payments due and the commencement of any warranty provisions. However, the ATP and the corresponding notion of acceptance as expressly provided for in the contract may evoke a different effect to any ‘acceptance’ under statutory provisions.

1. Application of the legislation Section 35 of the Sale of Goods Act 1979, as amended by the Sale and Supply of Goods Act 1994, sets out three ways in which the buyer is deemed to have accepted the goods. These are: (i) when he intimates to the seller that he has accepted them (s.35(1)(a)); or (ii) when the goods have been delivered to him and he does any act in relation to them which is inconsistent with the ownership of the seller (s.35(1)(b)); or (iii) after the lapse of a reasonable time, he retains the goods without intimating to the seller that he has rejected them (s.35(4)). Each of the three grounds for accepting the goods are subject to the buyer’s right to examine the goods. In the event that the buyer has had this opportunity, the legislation provides that each method of acceptance will have the effect of removing the buyer’s right to reject the goods (s.11(4)). Therefore, in a contract for the sale of goods, if the goods are ‘accepted’, any breach of a condition will merely be treated as a breach of warranty, and on this basis, the breach will not give rise to a ground for rejecting the goods.

2. Acceptance and its implications Having a reasonable opportunity to examine the goods is a decisive factor in determining the application of the sale of goods legislation. A consumer buyer will be afforded the right to a reasonable opportunity to examine the goods and this is a right which cannot be lost by ‘agreement, waiver, or otherwise’ (s. 35(3)). On this basis, if the buyer does any act which is inconsistent with the seller’s ownership, or even

R. Atkins if he informs the seller that he has accepted the goods, this will not be binding until the buyer has had a reasonable opportunity to examine those goods. It can be seen that this factor may have particular significance in relation to the contract for the supply of a computing system, given that an opportunity to examine the constituent parts of the system by the customer through means of individual and separate testing may prove to be difficult. Of particular relevance to this aspect of the discussion is the application of section 35(7) of the Sale of Goods Act 1979 relating to ‘commercial units’. This section provides that if ‘the contract is for the sale of goods making one or more commercial units, a buyer accepting any goods included in a unit is deemed to have accepted all the goods making the unit’. A ‘commercial unit’ is defined to be a unit, ‘division of which would materially impair the value of the goods or the character of the unit’. It can be seen that a contract for the supply of a complete computing system may fall within the definition of a ‘commercial unit’ and that the delivery of a number of goods under the contract, for example, software media, hardware, and other equipment such as cabling, may serve to represent unit divisions of that ‘commercial unit’.15 Here it can be seen that the effect of the legislation is such that acceptance of any of the goods, for example, the hardware, will constitute acceptance of the whole system.

C. Conclusion For the reasons outlined above it can be suggested that express provisions in the contract, i.e. setting out on what basis acceptance is deemed to have occurred, are to be preferred. However, it has also been noted that the commercially prescribed ‘acceptance test’ may evoke a different effect than ‘acceptance’ under the relevant legislation. One option available to the parties, as provided for by the Sale of Goods Act 1979 (ss.11 & 35A), is to incorporate an express term into the contract to avoid the statutory effect of ‘acceptance’. Yet, it is important to note that if the ATP, as set out in the contract, is more restrictive upon the buyer, or, if the consequences of acceptance afford less protection to the buyer than may be provided by statute or under common law, then in the event of a breach, the terms may be tested for effectiveness under unfair terms legislation. 15

See op cit no. 2 at p. 29.

Software contracts Of course, the above examination is only relevant to systems supply contracts as a whole, and to software specifically, if software is classified as goods for the purposes and application of the Sale of Goods legislation. It is beyond the scope of this article to examine whether software should be considered to be goods or services, or indeed whether it may be preferable to afford it sui generis protection. However, it is hoped that the points raised within this article may make a contribution to

55 that debate, to the extent of highlighting the importance of the acceptance stage and recognising that whichever classification is considered to be most appropriate for software, the significance of the acceptance milestone and the effects which may ensue from that acceptance, are issues which should be taken into account by contracting parties. Ruth Atkins, Lecturer, Department of Law, University of Wales, Aberystwyth.

Computer Law & Security Report (2005) 21, 56e60

LIABILITY FOR SOFTWARE ERRORS

Who should bear the cost of software bugs? Dominic Callaghan, Carol O’Sullivan IP/IT Department of the London office of Herbert Smith

Abstract This article looks at how the law currently treats attempts by suppliers to exclude liability for software bugs. The focus will be on the law in the UK to determine if it provides a workable solution and suggests some modifications which could encourage a reduction in bugs. ª 2005 Herbert Smith. Published by Elsevier Ltd. All rights reserved.

A. Introduction

B. By what standard is software currently judged?

A ‘‘true’’ story circulating on the web attributes Bill Gates with the comment, ‘‘If GM had kept up with technology like the computer industry has, we would all be driving $25.00 cars that got 1000 miles to the gallon’’. General Motors was said to have responded that if Microsoft made cars then occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna. (a.k.a. Control Alt Delete). Although this story has been circulating since at least 1998 it highlights a problem that is still frustrating software users across the world. Recent estimates put the annual cost of software bugs in the USA alone at more than $100 billion in lost productivity and repair costs.1 Part of this is due to flaws in the software itself and part is caused by the viruses that exploit them.

In a number of countries in Europe (e.g. Belgium, Denmark, Italy, Spain and the UK), the curious situation exists that the mode of delivery of the software can impact on the standard by which the software will be judged and also whether it is possible to exclude liability for failing to meet that standard.2 For example, in the UK if the customer buys a disk, CD or computer containing the software (i.e. the customer receives legal title to a tangible item) the software will be treated as goods and statute will imply a term into the contract that the software is of ‘‘satisfactory quality’’. Normally, a supplier cannot contract out of that obligation in consumer contracts and can only contract out of it in business contracts if it is ‘‘reasonable’’ to do so. Alternatively if the supplier visits the customer’s premises and loads the software onto the customer’s

1 ‘‘A lemon law for software?’’, The Economist, Opinion, 14 March 2002.

2 St Albans City and District Council v. International Computers Ltd [1996] 4 All ER 481 per Glidewell J at p. 492.

0267-3649/$ - see front matter ª 2005 Herbert Smith. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.01.015

Liability for software errors computer (i.e. the customer does not receive legal title to a tangible item) it will be treated as a supply of services.3 In that situation there will be a statutory obligation on the supplier to use ‘‘reasonable skill and care’’. That obligation can be excluded provided it is reasonable to do so. To add a further level of complexity the ability to exclude these implied obligations will change if supplier and customer are in two different countries.4 If the software is provided via a download from the Internet it would appear that using the UK Courts, ‘‘transfer of a tangible assets test’’ it may be treated as a supply of services and the corresponding ‘‘reasonable skill and care’’ implied warranty would apply. This is notwithstanding that a customer who ordered a CD containing the very same software would have an implied warranty that the software would be of ‘‘satisfactory quality’’.

C. When do bugs give rise to legal remedies? Courts around the world are still struggling to determine guidelines as to when the severity or frequency of bugs will give the customer the right to claim damages and/or terminate the contract. This is a key issue as the types of damages that could be claimed include the lost profits of the customer, the lost time of its employees as well as the cost of obtaining replacement software. In a recent UK dispute the software was sold for £100,000 and the customer claimed damages of £5.5 million!5 The law in the UK on this point is still developing but it is clear that even if software is supplied on the basis that it is still ‘‘in the course of development’’, it cannot be riddled with bugs. The software must still perform the functions expected of it at that stage of development.6 Suppliers, however, are not totally exposed, as the UK Courts have recognised that even if the bugs are so significant that the customer can legally terminate the contract, the customer will not be entitled to recover the full cost of the

3

These were the facts in the St Albans case. Section 26 of the UK’s Unfair Contract Terms Act 1977 permits the supplier to contract out of implied terms as to quality if it is an ‘‘international supply contract’’. 5 Watford Electronics Limited v. Sanderson CFL Limited [2001] EWCA Civ 317. The Court of Appeal, however, found that the defendant’s exclusion and limitation of liability clauses were both enforceable. 6 St Albans City and District Council v. International Computers Ltd at 487. 4

57 software if the customer has derived some benefit from it.7 Recently in Sam Business Systems Limited v. Hedley and Company the Court took a very procustomer approach to liability for fixing bugs. The Court confirmed that if a software system is sold as a tried and tested system it should not have any bugs in it and if there are any bugs they should be regarded as defects.8 While the Court did permit the supplier to contractually limit its liability for damages, it did not permit the supplier to recover the costs of rectifying the bugs under a separate support and maintenance contract. That decision understandably sent a shockwave through IT suppliers as most popular software, including operating systems, word processing packages, spreadsheets, etc. are sold as ‘‘tried and tested’’. In the past, less scrupulous suppliers have been accused of deliberately using a maintenance contract as a long term revenue stream to counterbalance the discounts offered on software which the supplier knows to contain a number of bugs. Such ‘‘stiffing’’ practices, however, are hopefully now rare. The decision in Sam’s case will encourage all suppliers to ensure that the contract more carefully specifies what the software will and will not do, so that there is less possibility of argument over whether it is a bug or simply a stated limitation in the functionality of the program.

D. Can suppliers contract out of liability for bugs? Software suppliers understandably will try to exclude or at least cap their liability for losses the customer may suffer due to faults in the software. Such attempts will not always be successful. In most EU countries, including Denmark, France, Germany, Italy, the Netherlands, Spain, Sweden and the UK, any contract clause that attempts to exclude or restrict liability is either not permitted or must pass a test akin to reasonableness to be enforceable. In general it is more difficult to enforce such clauses in consumer contracts. Prior to the decision in Watford Electronics v. Sanderson9 in 2001, the UK was one of the European countries in which the supplier was least likely to be able to enforce any clause which

7 Sam Business Systems Limited v. Hedley and Company [2002] EWHC 2733 at paragraph 143. 8 See per Judge Bowsher QC at paragraph 19. 9 [2000] 2 All ER (Comm) 984.

58 limited or excluded liability.10 Now, at least in IT contracts between two commercial parties, the Courts in the UK have been more reluctant to invalidate such clauses. The Court’s view is that such commercial parties will have negotiated a price which reflects the allocation of risk that has been achieved by the exclusion or capping of liability.11 In general in the UK, clauses that limit rather than exclude liability and that are capped at an amount that is justifiable rather than arbitrary are more likely to be enforced. For example, a cap that is proportionate to the value of the contract and the amount of the supplier’s insurance policy is likely to be enforced. In addition the use of an acceptance/warranty period in which the customer has the right to a full refund if the software does not perform according to the contract specifications will allow the supplier more scope for excluding liability.12

E. The way forward The decision in Sam v. Hedley raises the following questions in relation to the way liability for software bugs should develop in the UK.

1. Do we need a new standard by which software bugs can be judged? Both counsel and the Court in Sam’s case struggled with the issue of when a bug entitles the customer to a remedy.13 The business software industry is currently dominated by a few very large suppliers. In practice, most smaller customers (i.e. consumers and smaller businesses) will be obliged to accept a supplier’s standard contract. Off-the-shelf software such as PC operating systems and basic applications will typically not include a detailed specification so it may be difficult to judge solely by reference to the specification whether a bug is in fact a defect entitling the customer to damages.

10

See for example the decisions in Pegler v. Wang (UK) Limited [2000] EWHS Technology 137 and South West Water Services Limited v. ICL Limited [1999] B.L.R. 420. 11 Watford Electronics Limited v. Sanderson CFL Limited at paragraph 54. The Court was not prepared to adopt such a commercially pragmatic approach in a later case which did not involve software, Messer UK Limited v. Britvic Soft Drinks Co Limited [2002] EWCA Civ 548. 12 Sam Business Systems Limited v. Hedley and Company. 13 See particularly Judge Bowsher QC’s frustration over this lack of clarity in Sam’s case at paragraph 19.

D. Callaghan, C. O’Sullivan Where the customer is a larger business it is more likely to be able to include detailed specifications in the contract (particularly for bespoke software) so that the standards against which the software are judged and the grounds upon which the customer can terminate and/or claim damages will be clearer. Even in such contracts, however, there may be defects which fall outside the specifications for a variety of reasons. The specification may itself contain errors, the software may contain design defects which have been transposed into the specification, the specification may not be sufficiently detailed or it may not have been upgraded to reflect the changes that inevitably occur during the course of development. These difficulties can be compounded by the supplier and customer approaching the specifications from different perspectives. If it is bespoke software the customer may understandably have difficulty clearly articulating their requirements and will often talk in terms of general business requirements. In contrast, the supplier’s technical staff will want to produce a technical document. The result may be a communication failure where each party is acting in good faith, but is taking different meanings from the same specification. These problems mean that defining a defect solely on the basis that there has been a failure of the software to comply with the specification is not a practical solution. Software testing and quality control literature suggests that a general test is more suitable i.e. ‘‘a software error is present when the software does not do what the user reasonably expects it to do.’’14 This test is very similar to the existing requirement in the Sale of Goods Act 1979 mentioned earlier i.e. ‘‘goods must be of satisfactory quality’’. As discussed, the satisfactory quality test incorporates the concept that the goods must be fit for all of the purposes for which goods of the kind in question are commonly supplied.15 This test has sufficient flexibility to cope with the great variety of software and its uses but is still rigid enough to prevent recovery of substantial damages if the functionality of the software is only impaired in a trivial way. It will also allow the Courts to consider any specifications for the software that exist. The satisfactory quality/fitness for purpose test also has the advantage of having been considered in case law in the UK and many European countries. 14

Myers, Glenford J (1976) ‘‘Software Reliability: Principles and Practice’’, John Wiley and Sons, pp. 4e6. 15 Section 14 of the Sale of Goods Act 1979.

Liability for software errors Although a standard that is more precise is tempting, the US experience would suggest that it may not result in any greater clarity.16 In light of these conclusions, the best solution may be for statute to apply the satisfactory quality test to all software regardless of the mode of delivery rather than attempting to introduce a more detailed standard against which software can be judged. Suppliers may view such a broad test with suspicion, but this test does not mean that specifications are irrelevant. It does, however, place the onus on suppliers particularly in relation to bespoke software to ensure that the specification is both technically accurate and also able to be understood by the customer. All parties (and the courts) will then have a clearer understanding of what the software will and will not do.

2. Should an acceptance/warranty period influence the supplier’s ability to exclude/limit liability? In assessing the enforceability of clauses that seek to limit or exclude the liability for defective software, the Unfair Contract Terms Act 1977 (UCTA) already applies a test of reasonableness and requires a number of factors to be considered. Those factors include the bargaining position of the parties, whether the goods are bespoke, the resources of the parties and the cost and availability of insurance.17 A criticism of this test has been that it has created uncertainty as to the enforceability of such clauses in IT contracts. Sam’s case provides an organic development of the law which has the potential to introduce greater certainty. In particular it suggests that if a software supplier undertakes to fix free of charge all bugs during an acceptance/warranty period coupled with a money back guarantee during that period, the Courts should be willing to allow suppliers greater scope for limiting liability. In Sam’s case the presence of such a clause led the Court to conclude that it was reasonable in the circumstances of that case for the supplier to exclude all liability other than that arising from misrepresentation. In the writers’ view even in the

59 absence of a money back guarantee, the presence of an undertaking to fix all bugs during an acceptance/warranty period should logically also give the supplier some scope for reducing their exposure. Although Sam’s case involved a contract between two commercial parties there is no reason why the courts should not be similarly influenced by acceptance/warranty periods and money back guarantees when assessing the reasonableness of exclusion and limitation of liability clauses in contracts with consumers. UCTA is drafted sufficiently broadly to accommodate this organic development as the factors that it requires the Courts to consider when assessing the reasonableness of limitation/exclusion clauses are not exhaustive. It is not proposed that acceptance/warranty periods and money back guarantees should automatically mean all exclusions or limitations of liability by the supplier are enforceable. As was made clear in Sam’s case, the satisfaction of reasonableness cannot be determined with reference solely to the contractual clauses, but must be determined in the entire context of the circumstances.18 Rather, what is proposed is that the Courts promote these as relevant factors when considering the reasonableness under UCTA of any limitation or exclusion of liability by the supplier. Alternatively as part of the current review of UCTA, a statutory amendment could add acceptance/warranty periods and money back guarantees to the list of factors the Court must take into consideration when assessing reasonableness.19

F. Conclusion The adoption of the ‘‘satisfactory quality’’ test for all software, regardless of mode of delivery together with greater scope for limiting liability if an acceptance/warranty period is in place would offer benefits to both suppliers and customers. It would encourage suppliers to incorporate such acceptance/warranty periods in their contracts and this in turn would encourage suppliers to: (a) spend more time removing bugs prior to releasing software, (b) promptly rectify bugs that are

16

Kaner, C, ‘‘What is a Serious Bug? Defining a ‘Material Breach’ of a Software License Agreement’’, January 10e12, 1997 meeting of the Article 2B Drafting Committee (www.badsoftware.com/uccdfect.htm). 17 See s 11 of the Unfair Contract Terms Act 1977. Although the Act only requires these factors to be taken into consideration in respect to specified sections of the Act, in practice the Courts have considered them in any situation where UCTA has required a test of reasonableness to be applied.

18 At paragraph 72, the Court made it clear that even if another contract was signed on the same terms it would still depend on the circumstances as to whether such an exclusion was reasonable. 19 See the joint consultation paper by the UK and Scottish Law Commission, ‘‘Unfair Terms in Contracts’’ Law Commission C o n s u l t a t i o n Pa p e r N o 1 6 6 ( w w w. l a w c o m . g o v. u k / 239.htm#lccp166).

60 uncovered after software is released, and (c) clearly explain in simple terms in the contract specifications what the software will and will not do. Suppliers may validly argue this will drive up the cost of software. Customers should realize, however, that the increase in the upfront cost may

D. Callaghan, C. O’Sullivan in the long run be less than they are currently spending on attempting to fix bugs or to replace faulty software. Dominic Callaghan and Carol O’Sullivan are associates in the IP/IT Department of the London office of Herbert Smith.

Computer Law & Security Report (2005) 21, 61e67

IT LEGAL RISK MANAGEMENT

Legal risk management for the IT industry Rachel Burnett Burnett Solicitors, Burnett, London

Abstract This article reviews the current status of IT Legal Risk Management as an approach to providing legal services strategically in the business context. The major ways of managing legal risk are through contracts, procedures and dispute management, together with information and document management, including regulatory compliance. Methodologies have not yet reached any level of sophistication and have not been generally adopted. ª 2005 Rachel Burnett, Burnett Solicitors. Published by Elsevier Ltd. All rights reserved.

A. Complex IT project failures The latest report on the failure of many complex IT projects to deliver key benefits on time and to target cost and specification was published jointly by the Royal Academy of Engineering and the British Computer Society.1 It makes the point that a striking proportion of project difficulties stem from failure to implement best known practice. Specifically there is a broad reluctance to accept that complex IT projects have many similarities with major engineering projects and would benefit from greater application of well established engineering and project management procedures. ‘‘For example’’, it states, ‘‘the importance of risk management is poorly understood..’’. One of the key findings is that ‘‘risk management is critical to E-mail address: [email protected] The Challenges of Complex IT Projects http://www.raeng. org.uk/policy/reports. 1

success in complex projects but is seldom applied effectively in the case of IT and software’’.

B. Concepts in legal risk management The management of risk in meeting commercial objectives has become a recognised function of business. The risks may be of different kinds. They may primarily be commercial, for example, whether payment will be made for goods already delivered. They may be technical, such as whether response times can be guaranteed when further routines are integrated into a system. Alternatively the risks may be legal. For instance, will a supplier be able to enforce an online contract with a customer to supply software in a different jurisdiction, if the software is delivered but the customer does not pay? These risk categories are not self-contained. There may well be legal aspects to commercial and

0267-3649/$ - see front matter ª 2005 Rachel Burnett, Burnett Solicitors. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2004.11.011

62 technical risks, and risks which are basically legal may also combine technical and commercial elements. It is generally the case that legal services are treated reactively, and not invoked until a problem has occurred. If attributable loss or damage is caused, legal remedies may be available. The claimant is reacting to an event which has already happened. Thus with a complex IT system development, where during the course of development some of the original requirements have changed, and where delivery is late or budgets have escalated, the parties may be in dispute and legal proceedings may ensue. By contrast, the IT legal risk management approach is strategic and continuous. It concerns the identification, evaluation and control of the significant risks which may lead to liability, legal processes and associated effort, losses, costs and expenses within an IT context. The losses may not necessarily be directly financial e for example, loss of reputation may be extremely damaging. Dispute ‘‘resolution’’, therefore, becomes dispute ‘‘pre-emption’’, by anticipating, deterring and preventing legal and commercial risks. Time can be invested in negotiating contracts to reach consensus for mutual benefit; administrative procedures can be followed to monitor business transactions and to prevent infractions; knowledge of regulatory requirements can facilitate compliance. This pro-active approach is both commercially prudent and legally sensible. The perspective becomes more broadly business- and management-orientated instead of merely legalistic. The three principal methods of managing the legal risks inherent in IT commercial relationships are:  By contract, as the focus of a commercial transaction or ongoing arrangement;  By administrative procedures, from order, through negotiation, to post-contract administration; and  By dispute management. Other methods include policies for the management of documents, data and information, both the substance and format of what is produced and held. These policies must be developed and maintained in the light of up-to-date knowledge of intellectual property rights; of legislation relating to the probity of information, including personal data, and the increasing numbers of regulations concerning compliance.

R. Burnett

C. IT contracts 1. The contract as a technique for risk management A contract enables the parties to achieve their strategic and commercial aims by regulating the commercial relationship and allocating risks between them. It should establish the relevant details of the transaction. It should address both parties’ respective requirements, to represent each party’s commitments and different interests. The contract binds the parties, so that if any of its terms and conditions is not met, it will be legally enforceable. It therefore plays a crucial part in risk management. The parties to the contract should intend to form a legal relationship, on terms and conditions which they both understand and positively accept. Each party to a contract needs to be precisely identified. Is the company a plc? Is a group of companies involved? For example, in a software licence, the licensor may be asked to permit subsidiary companies of the licensee to use the software, subject to indemnities from the licensee. Is the licence being granted to the correct party?

2. Limitations in IT contracts The actual words of a contract may not tell the whole story. For risk management purposes, it is important to be aware of the limitations in a contract, both in terms of what is stated but which may not be enforceable, and what is omitted but will nevertheless bind the parties. In the UK, certain terms are ‘‘implied’’ at law into contracts relating to the sale of goods, or the supply of goods or services. They do not have to be expressly stated. Thus in general, goods being sold must correspond with their description and be of satisfactory quality, except for defects drawn to the purchaser’s attention or where the purchaser has had the opportunity to examine the goods.2 Services must be carried out with reasonable skill and care, within a reasonable time and for a reasonable price (although a price or rate will usually be contractually agreed).3 These implied terms cannot be excluded if the purchaser is a consumer. In commercial contracts one means of risk management is to exclude and limit liability for

2

Sale of Goods Act 1979, modified by the Sale and Supply of Goods Act 1994. 3 Supply of Goods and Services Act 1982.

IT legal risk management things which go wrong. However, there are legal restrictions on the ability to do this. If one of the parties is a consumer or if the contract consists of standard terms of business, liability cannot be restricted for breach of contract except to the extent that the clause concerned is ‘‘reasonable’’.4 What makes an exclusion or limitation of liability ‘‘reasonable’’? It depends on the facts in every case. What will be taken into account will include: the relative bargaining strengths of the parties; the context of the negotiations; and the availability of insurance. For example in relation to insurance, a supplier will normally more easily obtain insurance for the systems it is supplying than its customer. This was borne out by the evidence in one case, where the customer for the hardware and software was an insurance broker.5 Even here, the supplier was in a better position to obtain insurance against defective performance. Additionally, as it happened, the customer would have had difficulty obtaining alternative software. These were the relevant factors in the decision that the particular exclusions and limitations of liability in the contract at issue were unreasonable. Thus a contract provision attempting to exclude all liability for loss or damage would be unreasonable and therefore not enforceable. In a consumer contract, suppliers have greater responsibility to ensure that all the provisions are fair and reasonable, and the contract will be construed in favour of the consumer in the case of ambiguity or doubt. It might also give rise to criminal liability. It is useful for a supplier to have standard terms and conditions precisely in order to avoid negotiating every individual sale or supply. Yet even where contract clauses have been negotiated, the courts have held that the supply was on standard terms.6 In one case, where there were admitted breaches of contractual obligations to provide reliable software, the low limit of liability was at issue.7 It was agreed that the clause had been discussed between the parties. However, the wording had not changed as a result of that discussion. It was held that if a contract is entered into on the basis of standard terms, even if the clauses had been negotiated beforehand, the 4

Unfair Contracts Act 1977. Horace Holman Group Limited v. Sherwood International [2001] All ER [D] 83. 6 St Albans City & District Council v. ICL Limited [1996] FSR 251 CA; South West Water v. International Computers Limited [1999] WL 1048279 QBD (T&CC). 7 St Albans City & District Council v. ICL Limited [199] FSR 251 CA. 5

63 terms remained standard, and thus would be open to scrutiny under the Unfair Contract Terms Act. This came as a surprise to many people. In this case, the supplier’s standard clause limiting its liability for defects to £100,000, was struck from the contract, on the grounds that it was unreasonable. The guideline for a supplier is always to be able to justify the contractual limits of liability in standard terms and conditions e by reference to insurance provision, pricing and so on. In the UK, a supplier is not free to make unwarranted claims which persuade a customer to enter into a contract.8 There is liability at law for false statements or misrepresentations of fact. It is common to include an ‘‘entire agreement’’ clause, which purports to limit the contractual ambit by excluding pre-contractual representations. However, the clause cannot inevitably be relied on in standard form contracts, particularly if the misrepresentation is known to be untrue when it is made, and especially if the misrepresentation was made fraudulently. As with clauses on limiting liability, the test will be by reference to whether it was ‘‘reasonable’’ to include the clause. In a case brought by South West Water v. International Computers Ltd (ICL) (as it then was),9 there was a clause in the contract excluding liability for pre-contractual representations or warranties. ICL’s sales people had represented that there would be a back-to-back contract with a contractor when they knew that there would not be. The clause failed under the ‘‘reasonableness’’ test discussed above because, by its general nature, it excluded liability for fraudulent misrepresentation. It was unreasonable to do this and therefore unenforceable.

D. Order and contract administration procedures Procedures can be very useful for legal risk management, provided that they are not so extensive or bureaucratic that they will be ignored. Appropriate boundaries of authority should be set as part of the procedures, so that when something unusual or untoward occurs, reference can be made to the level of experience responsible for making the decision on how to proceed. The seniority of the person who is entitled to execute

8

Misrepresentation Act 1967. South West Water v. International Computers Ltd [1997] WL 1048279 QBD (T&CC). 9

64 a contract on behalf of an organisation may differ according to the value of the contract or where a contract departs from standard provisions in certain respects.

1. Order administration An IT supplier will be receiving orders in its normal course of business for its goods or services. A customer will be placing orders for IT products or services from time to time. For both suppliers and customers, written procedures will assist in managing the risks of the order process. The supplier’s procedures should incorporate references to its sets of standard terms and conditions, together with contract guidelines and business policies. The customer’s procedures for purchasing goods and commissioning services should allow for acceptance criteria, perhaps related to payment terms. The parties should be aware of what is meant by each of the definitions in the contract e for example whether ‘‘system’’ includes ‘‘hardware’’ and if so, what ‘‘hardware’’ covers. ‘‘Software’’ may comprise both third party and proprietary software, but there may also be a need for differentiation according to ownership. Do the definitions make sense in the context in which they are used in the contract? With standard terms variable information, such as volumes, prices and timescales, should be carefully checked. Sometimes apparently obscure mathematical formulas are used, for example in relation to discounts or service levels. These should be reviewed to check whether they are correct and whether they could be expressed more clearly.

2. Contract administration There is a common view articulated both by suppliers and by users that once the contract is signed, it can be hidden away ‘‘in a drawer’’. Yet the contract should be a reflection of the transaction. If the transaction is of any importance, and if concessions have been made in the bargaining process, then the parties should ensure that they are applied. Reference to the contract documentation does not automatically imply that a dispute is imminent. It is in order to confirm that the details of the transaction are being carried out as anticipated. It can easily happen that, following the signing of a contract, the originals get lost or mislaid, and when they are needed for any reason, all that can be found is one of the early drafts. There should be a procedure for filing the executed contracts in a known location. The file should include all

R. Burnett related schedules and appendices e properly completed e together with other associated documents, such as specifications, non-disclosure agreements, escrow service contracts and service level agreements, so that the whole contract is readily accessible. All relevant personnel should be informed of the salient details of a contract. These may simply be that a quantity of goods is being delivered on a certain date. On the other hand, there may be specifications to be met and performance criteria to be achieved, a comprehensive timetable with milestones for making stage payments, with consequences to be pursued in the event of delays or defaults. For the supplier, the ongoing obligations need to be identified, recorded and monitored. Failures in performance will be breaches of contract. Remedies which may be invoked by the customer include damages and a possible right to rescind or cancel the contract. What are the supplier’s rights? Is the customer making instalment payments, and will the supplier know that these are being made on time? Customers should satisfy themselves that what has been promised in the contract is fully received. Many computer contracts contain extensive supplier obligations which should be regularly reviewed until performance is complete. Customers’ confidential information must be protected. The customer must itself be aware of the consequences of its own breaches of contract in terms of damages, rescission of the contract or finding itself at a disadvantage in future negotiations with the supplier. At contract termination or expiry, there will be various immediately consequential obligations to action. A sign-off procedure should confirm the final completion of all obligations.

E. Dispute management A number of IT cases have reached the UK courts in the last decade, often in relation to standard form contracts. Claims in negligence tend to be more expensive to pursue and more difficult technically than claims in contract, and the outcome more uncertain. The English courts take a practical approach to problematic IT contracts. The circumstances of the particular cases and the behaviour of the parties weigh heavily in judges’ interpretation of the legal principles. The normal legal remedy for breach of contract is financial compensation, that is, damages. The legal principle is to try to put the injured party into

IT legal risk management the position it would have been in if the contract had been properly carried out. However, the legal system in England and Wales is intended to encourage compromise and settlement, and the majority of formal disputes are settled before the court hearing. The parties may negotiate at all stages of litigation to try and find a solution. Nevertheless, it is prudent to include a mechanism for dealing with potential disputes in the contract, in advance, before attitudes get entrenched. It is useful to establish the real issues early on, by discussion with the people directly involved and by analysing all the documentation e including the contract. To manage the inherent risks, an assessment should be carried out of the estimated time and costs involved, the strength of the case, the prospects of success, and the likely compensation to be received or payable. Software is available to support this process.

1. Contractual dispute management Solutions to specific problems or procedures for attempting to resolve differences should therefore be considered for including in the contract. Remedies for foreseeable failures may be specified. For example, defined rates or sums may be payable as ‘‘liquidated damages’’ for failure to meet a completion date for installation of a system, week by week, until completion takes place. These are a form of compensation estimated in advance. They should be agreed to be a genuine pre-estimate of the loss that would be caused by the defaulting party. One party may agree to bear liability in respect of specific damage or loss by indemnifying the other. For example, this is often seen in relation to data protection in a contract where the provider or supplier will be processing or holding personal data used by the client, and indemnifies the client in the event of breach of its obligations in this respect. A contractual provision can allow for a dispute to be referred upwards to senior management who are more remote from detailed working problems, and may be able to reach consensus by viewing a problem more dispassionately than those people who are closely involved day by day. The defaulting party may be given a number of days grace to remedy a breach, to prevent peremptory termination of the contract.

2. Formal means of resolving disputes If there is a technical dispute, provision may be included in the contract for determination by an

65 appropriate expert with both the technical and the industry knowledge: for example, an argument over what is included in a definition e whether a new release of software comprises a new version, upgrade or update, as these terms have been defined in the contract. The contract may allow for arbitration or alternative dispute resolution as an alternative to litigation if a dispute arises. Arbitration is an adversarial process with an impartial adjudicator, which takes place in private. The arbitrator is selected by the parties. There is a framework of formal rules, but there is scope for the rules to be adapted by the parties. Terms can therefore be set out in the contract in respect of venue, rules of evidence and formalities of procedure. Alternative dispute resolution is an umbrella term for formalised mediation and conciliation methodologies. The parties work to reach a mutually satisfactory solution with the assistance of a trained third party. It is important that the dispute is suitable for mediation. For example, if the dispute is about software copyright infringement, an application for an injunction may be a more effective way to proceed. The objective of dispute resolution must be kept in mind e to solve the problem and to minimise the effect on the business, to the extent possible. In the IT world, it is often desirable for the parties to maintain a continuing relationship. The supplier’s staff may have unique technical expertise for supporting software or services which are key to a customer’s commercial operations. If the problem has nothing to do with the nature of this expertise itself or the supplier’s integrity, but is about the speed of response or meeting agreed service levels, it is possible that alternative dispute resolution may provide a suitable means for reaching a solution. In such cases, this approach may be more conducive than litigation to a result which is in both parties’ interests, and which may be less confrontational.

F. Content management Businesses need clear policies in respect of content they create, use and circulate within their organisations and externally. Legal risks can arise in relation to the access to, use and dissemination of data and information. These risks increase with on-line material. Proprietary rights apply to software, databases, written works and other original materials. Care must be taken in dealing with any confidential information, and there are special rules for personal data.

66 Information used, updated and circulated should be accurate, both in order to avoid the risks of liability for defamation or for illegal content, and for any data protection compliance. Advertising is subject to regulation, in respect of misleading information, false descriptions, and with additional restrictions for certain businesses such as aviation, tobacco or gambling.

G. Document management Policies should also be created and enforced in respect of documents and emails.

1. Documents The volume of documents produced in offices has increased substantially with advancing technology. It is so easy to duplicate material by photocopying or by printing off extra copies. Yet it is not inevitably advisable to commit everything to writing. All relevant documentation may have to be disclosed in litigation or to regulatory authorities such as the Serious Fraud Office or the Department of Trade and Industry. This may range from formal minutes and correspondence to internal reports and memoranda. Documents which may be damaging to a litigant’s own case are not exempt from this requirement.

2. Emails Emails cause particular risks on account of their apparent informality, speed of transmission, and ease of circulation to a wider readership than advisable, or to the wrong addressee. They are not as ephemeral as they may seem, and may also remain recoverable even after deletion, on both sender’s and recipient’s machines. At court, they are discoverable documents. An email and internet policy should cover appropriate use and permitted monitoring.

H. Legal risk management processes 1. Fledgling methodologies Legal risk methodologies are in their infancy, in contrast to technical and commercial risk methodologies. One of the first formal analyses of legal risk management was made over a decade ago. It attempted to integrate legal risk management

R. Burnett analysis into a safety critical system technology project.10 The project was about the development and implementation of a rigorous and formal knowledge-based decision support system based on argumentation, an extended form of inference, using decision agents which could assemble and assess arguments about particular decisions relating to the goals. This was for use in safety critical systems in medical informatics. The legal risk management analysis was developed alongside the development of the decision support system, examining the legal implications of using decision support systems in safety critical situations with the objective of providing guidance in the management of legal liability to the developers and users of the system. The events and agents involved in a project from a legal point of view were related to the project life cycle model. A particular legal step or procedure was attached to each event in the life cycle, as a tool for the project manager to assess what the legal risks were at any stage, when they arose, how they should be dealt with and at what level of authority and expertise. A series of modules and checklists was developed for delivery as printed material, electronic text, such as hypertext, automated document assembly, checklists and expert systems. As a result the IT participants in the project learned more about the legal risks of safety critical systems, which they were able to take into account in the commercial development. Yet the analysis turned out to be rather arcane by comparison with the technology of the project, and detached from it. It was difficult to quantify its success.

2. Initiating a legal risk management framework In developing a legal risk management framework for an organisation, an analysis of relevant activities, both substantive and procedural, should be undertaken, in order to identify the main areas of legal exposure. Some risks will be unavoidable; others may be preventable. The calculation on whether they should be deliberately taken will include how best to minimise their potential impact. The analysis may form part of a wider process. Thus guidance on the Combined Code on 10 A collaborative venture ‘‘Rigorously Engineered Decisions’’ under the UK DTI (Department of Trade and Industry) and SERC (Science and Education Research Council) Safety Critical Systems Initiative.

IT legal risk management Corporate Governance (the Turnbull Report) requires directors to manage key risks through systems of internal control which themselves are monitored.11 In the light of the results, a legal risk strategy may be formed. This should be endorsed at a senior level to enhance the prospects of its successful implementation. This strategy will focus on prioritising the areas of legal risk which have been identified, so as to direct resources to controlling the highest risks. These areas will vary from business to business, and at different times in one business. Examples may be:  Confidentiality in developing a new software product;  Selling into different markets, for example the provision of software over the net to customers

11

‘‘Internal Control: Guidance for Directors on the Combined Code’’ (The Turnbull Report) Croner CCH. The Combined Code on Corporate Governance is available at www.fsa.gov.uk.

67 in countries where the laws value intellectual property differently from the publisher’s jurisdiction.

I. Conclusion Legal risk management for the IT industry is in its early stages, and often arises out of a specific situation (as happened with the perceived risks of the Year 2000 date change problem). It is essential to start from a business perspective, and to integrate legal risk management procedures into working practices which are manageable and practicable. Rachel Burnett, Solicitor, Report Correspondent, Principal, Burnett, London.

Computer Law & Security Report (2005) 21, 68e73

DYNAMIC CRISIS MANAGEMENT

Crisis management: combating the denial syndrome David Davies MIRM, Davies Business Risk Consulting Ltd

Abstract This article describes the psychological processes that affect crisis teams in both the private and the public sector, and describes the search for a way of combating those processes. Had the techniques outlined (Dynamic crisis management) become universal a decade ago, companies would have avoided the loss of millions of pounds in share and brand value, the UK would have avoided billions of pounds worth of damage to its economy, leaders of public sector institutions would have survived and many lives would have been saved. ª 2005 David Davies. Published by Elsevier Ltd. All rights reserved.

A. The nature of the problem No matter how many times it occurs, it is always cause for surprise when a major and, often, respected organisation makes serious errors in the way that it handles a major crisis. Their errors have been so serious that in most cases they have severely damaged their reputation and in some instances have caused loss of life or severe economic damage at a national level. Examples that spring immediately to mind include product contamination and product safety (Perrier, Coca Cola Belgium, and Mercedes ‘‘Moose test’’), serious contract over-run (QE2 refit), loss of life (NASA mission failures caused by ‘‘O ring’’ and foam damage), Government reaction to epidemics (UK E-mail address: [email protected]

BSE and foot and mouth, China’s initial response to the SARS virus) and major scandal (Andersen, paedophile priests). These are just a random handful of examples e with little difficulty this list could be expanded to fill several pages. The public sector has fared as badly as the private in the way that it has reacted to crises. Indeed, whereas companies in the private sector have suffered damage to their reputations and brand values, the dire consequences for public sector organisations have included greater regulation, loss of powers and even of entity, and, as in the case of the impact on the BBC of the findings of the Hutton report, the loss of jobs at the top. In the context of information technology and telecommunications, the potential for crises is great. Cyber crime, the unintentional disclosure or publication of client or customer data, the failure or serious overshoot of mission critical

0267-3649/$ - see front matter ª 2005 David Davies. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.01.016

Dynamic crisis management IT projects are examples. Such examples often happen to banks and other financial institutions who, desperate to retain public confidence, keep them as far away from the public domain as they can, although reports of such incidents continue to appear. It gets interesting when we move the camera more closely and look at the performance of the people entrusted to manage the crisis. In all of these cases, and hundreds more, the pattern of errors is very similar e and yet the circumstances, the type of organisation and the countries involved are all so different. What we are observing arises from the dynamics and pressures that are unique to crises. So what do we know about this strange environment, and why is it so different to the ‘‘normal’’ world in which the same people presumably perform with less catastrophic consequences?

69 the NASA O ring disaster. The engineers in the decision making group were pressured by the commercial majority into agreeing to a launch that they felt could be unsafe. Group think has been defined as ‘‘The tendency for members of a cohesive group to reach decisions without weighing all the facts, especially those contradicting the majority opinion’’. The circumstances necessary for group think are: 1. A cohesive group. 2. Isolation of the group from outside influences. 3. No systematic procedures for considering pros and cons of different courses of action. 4. A directive leader who explicitly favors a particular course of action. 5. High stress. The unfortunate consequences of group think, present in the handling of so many crises, are:

B. Defining a crisis We should start by defining a crisis. For the purposes of this study, a crisis is an unplanned (but not necessarily unexpected) event that calls for real time high level strategic decisions in circumstances where making the wrong decisions, or not responding quickly or proactively enough, could seriously harm the organisation. Because of the type of issues involved and the penalties of failure, the crisis response group, typically assembled ad hoc, usually includes board members plus the relevant technical specialists. A catastrophe that triggers a technical response, such as an IT resumption plan or a business continuity plan, is not a crisis for the purposes of this study. A crisis, within this context, is characterised by:  In the early stages of the crisis, the need to make major strategic decisions based on incomplete and/or unreliable information;  Massive time pressures;  Often, intense interest by the media, analysts, regulators and others;  Often, allegations by the media and others that have to be countered;  Usually, handling a crisis with the characteristics noted here is completely outside the experience of those involved. These characteristics were present in the examples noted above. In addition, there are two other characteristics that are common to the way in which crises are handled. The first, known as ‘‘Group Think’’, was first linked to crisis handling in the enquiry into

 Incomplete survey of the group’s objectives and alternative courses of action;  Not examining the risks of the preferred choice;  Poor/incomplete search for relevant information;  Selective bias in processing information at hand;  Not reappraising rejected alternatives;  Not developing contingency plans for the failure of actions agreed by the group. When we think about it, we find that these outcomes are, indeed, common to the way in which many crises are handled. The only factor that is difficult to judge from the outside is the leadership question. Was there strong leadership with a need to get consensus that the crisis was much nearer to the best case scenario than to the worse and, therefore, that a costly recall, mission abort, admission of high level fraud or unethical practices was unnecessary? It is only because of public enquiries in a small number of cases that the dynamics within a crisis group have been revealed at all. Another way to understand how a team will act in a crisis is to put them through a simulation. This has several advantages, the most significant being that they gain experience that will be invaluable in the real thing. Another advantage is that it allows you to differentiate the best leaders in a crisis from the best leaders. One of the lessons of 9/11 is that some excellent leaders broke down in a crisis, whereas others showed hidden qualities. The author has created and many such simulations,

70 some oriented around an IT crisis scenario. Whilst the scenario involved very strong commercial imperatives and issues, without exception these were ignored by the IT participants on the team, even when there was no one else to consider the commercial implications. They did what they liked doing best e focussing in on the purely technical aspects. Simulations with other non-IT scenarios where there was a similar technical core produced far less of a polarisation between the technical and commercial team members.

C. Central features of most crises A central feature of most crises is that at the outset, very little information is available, and even that may be unreliable. To quote one crisis team member, ‘‘We started with very few facts e and most of those turned out to be wrong’’. With most crises, there are a few fundamental questions to which answers are essential if the crisis is to be handled e but which are invariably unaddressed in the knee-jerk reactions of a traumatised crisis team:  Cause e What is the cause of the crisis? e Often, even this basic factor is unknown. Is the problem due to a virus, a programming error, or an intruder? Is it the work of an extortionist? Are the allegations against us true, exaggerated or totally false?  Breadth e How widespread could it be? e Confined to one application or site or widespread throughout the system?  Repeatability e Could it happen again? e Is it an isolated incident or, it is deliberate and therefore vulnerable to repetition? Is there a design or systemic defect? Are we being targeted? Could it trigger a string of copycat attacks or hoaxes?  Blame e Are we/will we be seen to be at fault, and if so how ‘‘offensive’’ or blameworthy will our actions be seen to have been? Are our stakeholder relationships and reputational capital strong enough for us to be forgiven? Despite initially having no reliable answers to these questions, action has to be taken, the media may be demanding answers (and making their own allegations) and there simply is not the luxury of waiting until all becomes clear e which it may never be unless the key information gaps are identified and targeted.

D. Davies It is at this point that the denial curve often takes over.

D. The denial curve In crisis after crisis, the common denominator is that the team handling the crisis:  Initially plays it down. There is no evidence that the four key questions above have ever been systematically addressed, but in probably a far less structured way the best case answer to each question would have been assumed, even if not actually expressed. At this stage the crisis handlers are merely interpreting the meager information that they have e but they are doing it with the strong influence of trauma-denial and often with the help of group think;  Ignores, or at least heavily discounts, any new incoming information that contradicts the optimistic view that they first formed. By now the team will be communicating their optimism to the media, even presenting alternative ‘‘no fault’’ or ‘‘not widespread’’ theories before they have been substantiated e not bad maintenance but vandalism (Jarvis/Hatfield rail disaster); not contamination of the source but cleaning fluid spilt by a cleaner into just one production line (Perrier); no design fault but a fluke (Mercedes ‘‘moose test’’);  Finally, when the wealth of evidence is overwhelming, the crisis group swings into line in one of three ways: (i) By underplaying the significance of the change of direction (Perrier). (ii) Quietly changes (most common). (iii) Grossly over-compensates (foot and mouth, BSE). It may not be a coincidence that overcompensation seems to take place most often when the (Government) organisation concerned will not suffer financially for the over-compensation. The denial curve can thus be seen as follows: (Fig. 1) Denial is the first stage of the grieving process, a process triggered by any traumatic event. (The other stages are anger, bargaining, depression and acceptance. Anger also features in some of the ways in which crises are badly handled e anger with the media, the regulators, and even the customers or consumers e the very groups of people with whom impeccable relations are needed during a crisis.) In the words of a consultant who helped

Dynamic crisis management

71 considering. Three things do, however, make a significant difference:

Figure 1

The denial curve.

one organisation recover from crisis, ‘‘For several days the senior management was incapable of making cogent decisions because of the shock of seeing their colleagues killed or maimed and their business destroyed’’. Whilst a reputation-threatening crisis may not be as traumatic as one that is accompanied by loss of life, trauma will still be present, and with it denial and, in the early stages, the inability to act. The reputation damage from underplaying the crisis and avoiding responsibility in the early stages can be considerable. The organisation appears to be arrogant, uncaring, and unsympathetic. Where there is loss of life relatives with their own emotional and psychological needs are given a bureaucratic response. They want sympathy, facts, expressions of regret and apologies and often get a buttoned up lawyer reading out a cold denying press statement. (Coca Cola Belgium.) Where denial delays or minimises remedial action, the tragic consequences can be loss of life (both NASA mission failures) or massive costs. (In the enquiry into the UK foot and mouth crisis, one scientist estimated that the unwarranted three day delay in introducing a national ban resulted in the scale of the disease being between two and three times as great. The crisis cost the UK economy £8 bn.)

E. Combating the denial curve So, how to avoid these unfortunate, very human, traits? No amount of crisis management planning will help here e indeed, the author has observed how, in crisis simulations where realistic pressure is applied, crisis plans are often ignored in the heat of the moment. Crisis management plans can be very valuable but they do not address the human reaction to the type of crisis that we are

 Crisis experience. Experience of handling a ‘‘full blown’’ crisis can be invaluable. As such things are comparatively rare a simulated crisis can provide just that experience with none of the consequences of the real thing.  Choice of leader. One of the salutary lessons of 9/11 is that some splendid leaders in a ‘‘normal’’ situation lost their leadership qualities in the trauma of the event whereas others not identified as natural leaders coped admirably. In the absence of a genuine crisis, only a crisis simulation will identify the best crisis leaders. It is also important that the leader is able to take a holistic view, embracing reputation, corporate values and stakeholder imperatives, rather than the more blinkered view that might possibly be imposed by, for example, a finance director or a corporate lawyer.  A process that imposes a structured reappraisal of the key questions (those outlined above, varied according to the nature of the crisis) each time new key information is received. Of course, such an approach will only succeed if the crisis group is encouraged, cajoled, or led by example to seek the unbiased decisions, and not allowed or encouraged to perpetuate their belief in a causeseverity-blame scenario that is commercially desirable but less than likely. All of this begs the question of what, in addition to crisis simulations, can be done to prepare. Crisis management plans are very useful to take care of the logistics of a crisis, but:  Very few organisations have crisis management plans of any quality (as opposed to emergency plans and IT resumption plans which are more common though still lamentably rare);  Crisis management plans tend to concentrate on crisis logistics as opposed to the psychological behaviour of the crisis team.

F. Creating a response to the denial syndrome In the author’s view, what was needed was a new type of process e one which would:  Apply particularly those types of crisis where the key facts surrounding the crisis are unknown at the outset (the majority);

72

D. Davies

Figure 2

The modular approach to crisis management.

 Supplement and compliment a crisis management plan and, if there is none, make a significant contribution in its absence to the performance of the crisis management team, particularly in overcoming the denial curve and group think;  Be capable of being run even with no preplanning, training or preparation e not a desirable situation but, regrettably, a realistic one; Where existing plans were in place or were being developed, the new process, Dynamic Crisis Management, would supplement and compliment existing crisis and business continuity plans to form a modular approach (Fig. 2). Initially the process was developed as a paperbased process e a collection of forms and instructions e so that it could be run without a computer. This initial version had the capability of:  Supporting a brainstorm that would establish or fine-tune the scenario alternatives for the four key questions outlined above (cause, breadth, repeatability, blame);  Providing a process for readdressing and monitoring the likelihood of the scenarios within the four key questions each time new critical information was received;  Track the allegations of the media, grouped if necessary (for example, the national quality press, international press, national tabloids) and the opinions of one or more stakeholder groups (customers, employees, shareholders.) and to display these on a series of time lines so that the movement in opinion could be tracked, extrapolated and pre-empted.

G. Real life testing In this format, it proved itself in two real crisis situations.

The first time it was used, there was only one certain fact: that there had been a fatality at the organisation’s premises. There was an unsubstantiated allegation that the deceased was a senior board member of a major client of the company in question. The death resulted from a tragic accident at a client-owned test facility and it was very possible that one or a combination of the organisation’s procedures, processes, employees or product would be found to be responsible. No more information was forthcoming, the police had sealed off the area and the media were pressing for news. There was no crisis plan and the organisation had no experience, actual or simulated, of managing a crisis. The process assisted the crisis group to firstly brainstorm the range of possible causes and the range of possibilities within the three severity measures listed above (breadth, repeatability and fault). It helped them to continually keep those under review as new information emerged, and to adjust their response accordingly. It also helped them to monitor and track the direction of the media’s questions and allegations. It is easy to see how, in the absence of so much information, group think and denial could have caused serious mistakes but, by using the reappraisal process to force the crisis team to look objectively at each emerging fact and respond accordingly, the crisis was handled effectively. The second time was a food contamination incident; the author had run a simulated crisis and provided training on the use of the structured reappraisal process and shortly thereafter the company in question faced a real crisis. They had not had the time to complete their crisis management plans but the experience of the simulation and the use of the reappraisal processes enabled them to handle the crisis without the mistakes of either group think or the denial curve. Possibly the best judgment is that although there was press interest in both incidents, both were handled quietly and competently, neither hit

Dynamic crisis management the headlines, and there was no impact on either their share price or their financial results.

H. Other vital crisis needs It was, however, evident from the author’s studies of the way in which crises are handled that in addition to the denial curve and group think, there was a second problem e that a process was needed to impose a structure on record keeping during the crisis, and to do this as unobtrusively and transparently as possible. The need for this was clear and had been highlighted in, for example, the official enquiry into the 2001 UK foot and mouth crisis. This criticised poor record keeping and confused accounts of events which had resulted in crucial information not being obtained. ‘‘While some policy decisions were recorded with commendable clarity, some of the most important ones taken during the outbreak were recorded in the most perfunctory way, and sometimes not at all’’.1 The author’s own observations of even the trauma of simulated crises are that basic management skills such as delegation and orderly record keeping can quickly disappear. Speculative and completely reliable information tends to get confused. The reasons for decisions and, even more important, the assumptions on which they are based and the actions that they trigger go unrecorded. It was decided therefore to convert the paper process into a computerised version so that automated record keeping could be incorporated. Therefore the writing of the software version of the process majored on not only recording information in a structured way (for example, by having a confidence rating for each item of

1

Andersen report, 7/02.

73 information and an importance rating for every action) but in having a clear way of recalling, sorting and searching all of the information, unknown information, decisions, assumptions and, most importantly, the links between them. Pressurised teams lose the ability to view the complete picture, instead focussing only on what is most pressing. The ability to pull the camera back into a long time sequence or to undertake a structured interrogation of all of the facts and issues can be invaluable. However, the key success factor is the behaviour of the crisis team leader. There is a great deal to be said for using an experienced external facilitator who is well versed in the process. That provides the advantages of specific facilitation skills as well as being distanced from both the emotions of the event and the hidden commercial and personal objectives that are so often imposed on the rest of the team. Whether imposed by the team leader or by a process, the desirability of openness and realism at the expense of denial will depend upon the extent to which the crisis team accepts that doing otherwise will, in the long run, cause significant harm to corporate and personal reputation. Of that there can be little doubt, as the list of casualties e organisations that, consciously or unconsciously, tried the denial route e so clearly demonstrates. David Davies, Report Correspondent, is Managing Director of Davies Business Risk Consulting Ltd (DBRC) and has considerable expertise of helping both the public and private sectors with reputation risk management and crisis management planning. He is also a member of idRisk, a network of independent risk consultants for whom he heads their reputation risk and crisis management stream. Contact: URLs: www.dbrc.co.uk; www.idRisk. com.

Computer Law & Security Report (2005) 21, 74e77

PRIVACY LAW AND PRESS FREEDOM

A celebrity fight-back ‘‘par excellence’’ Thorsten Lauterbach The Robert Gordon University, Aberdeen, UK

Abstract Having hardly had time to recover from the judgment in Campbell v. MGN Ltd., the Strasbourg judges’ decision in von Hannover v. Germany (Application no. 59320/00, judgment of 24 June 2004. While the judgment is not yet reported, it has been published on the ECtHR website: http://cmiskp.echr.coe.int/ tkp197/view.asp?itemZ1%26portalZhbkm%26actionZhtml%26highlightZ59320/ 00%26sessionidZ1094295%26skinZhudoc-en) has landed a potentially bigger blow to the tabloid press and paparazzi alike. This article examines the victory of Princess Caroline of Monaco against the German press and evaluates the likely impact of the judgment on the delicate balance between the individual’s right to privacy and the press’s freedom of expression. ª 2005 Thorsten Lauterbach. Published by Elsevier Ltd. All rights reserved.

A. Introduction The recent attempts by a variety of so-called celebrities to defend their right to privacy against unwanted intrusion by the media have been well documented.1 While the English courts have so far resisted the temptation to create a tort of privacy in its own right, the extraordinary facts in the Campbell case allowed the House of Lords to stretch the common action of breach of confidence for protection against unwanted publication of E-mail address: [email protected] See, for example, the Douglas v. Hello! litigation, the recent decision of the House of Lords in Campbell v. MGN Ltd. [2004] 2 All E.R. 995, and Ewan McGregor obtaining an injunction against Eliot Press SARL in the English High Court to stop the publication of unauthorised photographs of his children playing while on holiday on Mauritius. 1

certain photographs. In assessing whether or not the publication of photographs is to be deemed lawful, the courts are faced with the dichotomy of a right to have one’s privacy protected and the media’s freedom of expression. Both are fundamental human rights protected by Articles 8 and 10 of the European Convention on Human Rights 1950. Since the coming into force of the Human Rights Act 1998, courts in the UK, while not bound by the jurisprudence of the Strasbourg-based European Court of Human Rights, are nonetheless required to take decisions by that institution into account on the basis of Section 2 of the 1998 Act. Many have been surprised by the, albeit narrow, victory of Naomi Campbell over The Mirror newspaper, although some commentators have pointed out that, in respect of the photographs at issue, these were held to be protected by the law of confidence, and

0267-3649/$ - see front matter ª 2005 Thorsten Lauterbach. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.01.018

Privacy law and press freedom not to be published in the public interest, as they formed part of private information relating to medical treatment. On this basis, photographs taken in public places were exceptionally actionable under the law of breach of confidence.

B. The application Princess Caroline of Monaco, a well-known media celebrity, had largely unsuccessfully embarked on a crusade against parts of the German Regenbogenpresse. She complained that as soon as she left her house she was subject to hounding by paparazzi following her every move, taking photographs of the most innocuous of situations, such as her picking up her children from school, riding a bicycle, or enjoying a drink in a restaurant. While Princess Caroline agreed that the press played an important role in a democratic society in respect of informing and forming public opinion, she maintained that in her case the media acted as ‘entertainment press desperate to satisfy the voyeuristic tendencies’ of its readership and making huge profits in the process. In addition, she argued that in contrast to the laws of other European countries, notably France, German privacy law offered her insufficient protection. In a litany of cases brought in the German courts she had been partially successful of restraining publication of photographs of her children, as well as herself being in a ‘secluded place’. That concept, she alleged, was unfairly restrictive and too difficult to satisfy, as she had to prove where and at what time such photos had been taken. Otherwise she would be deemed to have been in a public place, and left without a course of action. The German Government, unsurprisingly, argued that German law struck a fair balance between the individual’s right to privacy and the freedom of expression of the press. Princess Caroline was a ‘figure of contemporary society par excellence’, and as such the public had a legitimate interest in knowing how that person behaved in public. It was pointed out that photos taken in a public place could not be published if those were to shock the public; also, the Federal Court of Justice had held that publication of photos of the Princess with a close friend in a restaurant was unlawful, which indicated that her private life was protected even in public places. The German Government had a close ally in the Association of Editors of German Magazines, one of two intervening parties in the case. Having pointed out that German law in this area was somewhere in

75 between the strict French regime and English law, the Association pleaded that the press’s role as watchdog should not be interpreted narrowly with regard to the public’s legitimate interest in being informed on public figures who had become known for reasons other than being politicians. Moreover, Burda magazine, one of the publishers, argued that the Grimaldi family had sought media attention and therefore could not complain about the public interest in it.

C. The judgment The court unanimously found in favour of the applicant and held that there was a violation of Article 8 of the Convention.

1. Application of Article 8 The court stated that the notion of ‘private life’ includes aspects relating to personal identity, such as photographs of an individual. Pointing to its jurisprudence, for example Niemietz v. Germany,2 ‘private life’ extends to the physical and psychological integrity of an individual: ‘‘the guarantee afforded by Article 9 (.) is primarily intended to ensure the development, without outside interference, of the personality of each individual in his relations with other human beings (.). There is therefore a zone of interaction of a person with others, even in a public context, which may fall within the scope of ‘private life’(.).’’3 As a consequence, the court had no problems to conclude that photographs like those featuring in the application fell within the scope of Princess Caroline’s private life. She may indeed be a figure of contemporary society par excellence, but she still has a legitimate expectation of the protection of and the respect for her private life. In addition, while the application did not concern a direct complaint against an action of the State, it concerned an alleged failure by the State to protect adequately an individual’s fundamental human right. The court maintained that a State may be, regarding the effective respect for private or family life, under a ‘positive obligation’ to adopt measures designed to safeguard such

2

23 November 1992, Series A no. 251-B, at p. 33, paragraph

29. 3

Von Hannover v. Germany, op cit, paragraph 50.

76

T. Lauterbach

respect, ‘‘even in the sphere of the relations of individuals themselves.’’4

3. German law offers inadequate protection

2. Balancing privacy and freedom of expression

The court stressed that Convention rights are not theoretical or illusory, but practical and effective.8 Describing a person as public figure par excellence and using this as a basis to curb their legitimate expectation to privacy could only be used to justify the publication of information and photographs of such public figures exercising an official function. To extend this principle to such figures and their private lives was inappropriate. Moreover, to protect public figures’ privacy only if they are in a ‘secluded place’ and requiring them to prove this tilted the balance too much in favour of freedom of expression, as this turned individual into fair game and subject to be photographed almost at will by the entertainment press.

The court recognized that a balance had to be struck between the right to privacy on the one hand, and freedom of expression on the other in the light of such positive obligations. It agreed that the press played an important role within a democratic society in providing information and ideas on all matters of public interest, and the court’s case law indicated that exaggeration and provocation were to a certain extent legitimate tools of journalistic freedom.5 Information may even ‘‘offend, shock or disturb.’’6 However, in the present case, the publication of photographs showing the Princess on a shopping spree, for example, were not to be regarded as legitimate contribution to public debate. In the words of the court, ‘a fundamental distinction needs to be made between reporting facts e even controversial ones e capable of contributing to a debate in a democratic society relating to politicians in the exercise of their functions, for example, and reporting details of the private life of an individual who, moreover, as in this case, does not exercise official functions. While in the former case the press exercises its vital role of ‘‘watchdog’’ in a democracy by contributing to ‘‘imparting information and ideas on matters of public interest’’ (Observer and Guardian v. UK), it does not do so in the latter case.’7 The sole purpose of publishing the photographs at issue was, in the view of the court, to ‘‘satisfy the curiosity of a particular readership regarding the details of the applicant’s private life’’, and that, despite Princess Caroline being a well-known celebrity, would not be classed as a legitimate contribution to a debate of general interest to society. This merited a narrower interpretation of freedom of expression.

4. A unanimous decision, but concurring views While all seven judges were unanimous in their decision that German law protected individuals’ privacy insufficiently, two judges offered a slightly different viewpoint on it. Judge Barreto was not entirely convinced that the right balance was struck. He argued that Princess Caroline was still a public figure, even if she did not perform an official public function. While admitting that finding the correct balance here was not straightforward, he was of the opinion that individuals who are high-profile celebrities by definition give up some of their privacy and need to accept some media intrusion. Judge Zupanc ˇic ˇ’ opinion drifted into the same direction: ‘‘he who willingly steps upon the public stage cannot claim to be a private person entitled to anonymity.’’ While he opined that the German approach was too ‘‘Begriffsjurisprudenz-like’’, he argued that the courts have, under American influence, made a fetish of the freedom of the press. He called for the pendulum to swing ‘‘back to a different kind of balance between what is private and secluded and what is public and unshielded.’’ For this purpose, he suggested to return to a different test, namely the test on one’s reasonable expectation of privacy that featured in Halford v. UK.9

4

Ibid, paragraph 57. For example, Observer and Guardian v. UK (1992) 14 E.H.R.R. 153; Prisma Press v. France, Nos. 66910/01 and 71612/01, 1 July 2003. 6 Von Hannover v. Germany, op cit, paragraph 58. 7 Ibid, paragraph 63. 5

8 9

Ibid, paragraph 71. (1997) 24 E.H.R.R. 523.

Privacy law and press freedom

D. Possible consequences on the English approach? Since the German government decided not to call for a re-hearing of the case before the Grand Chamber, the judgment does now stand. Tellingly, Wolfgang Hoffmann-Riem, a judge on the Federal Constitutional Court, while admitting to ‘not being happy’ about the decision, he still supported the decision not to ask for a re-hearing.10 Fearing a confirmation rather than a reversal of the judgment, he maintained it would be better to wait on how the English courts, for example, react to it. Only if the tension between the right to privacy and the freedom of the press could not be relieved on the basis of this decision, would further clarification by the Grand Chamber be necessary. Arguably, the decision in von Hannover v. Germany is of great significance for the English courts, in particular in the light of recent judgments in Douglas v. Hello! and Campbell v. MGN Ltd. It is clear that, strictly speaking, decisions by the ECtHR are not binding on the courts in the UK. However, Section 2 of the Human Rights Act 1998 requires the courts to take them into account. Tomlinson and Thomson point out that Article 8 has horizontal effect: the ‘positive obligations’ of the State extend to the protection of individuals’ privacy against abuse by other private individuals.11 So far, the UK government has resisted repeated calls by the judiciary to consider the creation of a formal law of privacy, as well as the courts themselves have resisted to create a tort of privacy based on common law. Forthcoming disputes could well focus on the argument that the State, or the courts as one emanation of the state, appear not to have struck the right balance between Articles 8 and 10, and are therefore failing to fulfil that obligation. Another important point is that the publication of photographs showing a famous person in a public place was held only exceptionally to be unlawful under the law of confidence in Campbell v. MGN Ltd. In that case, the photographs of Naomi

77 Campbell leaving a Narcotics Anonymous meeting was more akin to sensitive personal information relating to the supermodel’s medical treatment. The decision in von Hannover appears to go much further, as it puts forward that the publication of individuals in public places is unlawful, unless they make a clear contribution to general public debate. This specific point could have far-reaching consequences on the entertainment press and paparazzi who may be forced to review their approach on how to ‘exploit’ celebrities for a revenue-raising story or photographs: how can photographs of members of the Royal Family on holiday, or strolling around a Scottish university town for that matter be possibly contributing to the general public debate? On the other hand, with regard to the rather paltry/conservative awards made by the UK courts for a breach of confidence (plus ‘nominal damages’ for unlawfully processing personal data contrary to the Data Protection Act 1998), will the entertainment press be willing to take the risk of court action by establishing contingency funds for this eventuality? Further cases dealing with such subject matter are awaited with interest. At the moment, the balancing act between the privacy and freedom of the press dichotomy appears to be surrounded by unpredictability. It will be intriguing to witness whether the ‘American influence’ bemoaned by Judge Zupanc ˇic ˇ will lead to an American-style protection of an individual’s image rights under the banner of the right to privacy, including the unlawful use of one’s name or likeness? The case of Irvine v. Talksport Ltd.12 where the former Formula One racing driver, Eddie Irvine, succeeded in a claim under the tort of passing off against Talksport for using his name without permission in advertising, and the action taken by the famous runner David Bedford against ‘The Number’ advertisements allegedly misappropriating his image or personality rights have already set the works in motion e will the movement gather in pace? Thorsten Lauterbach, Lecturer in Law, The Robert Gordon University, Aberdeen.

10

According to an article in Die Welt, 12 October 2004. H. Tomlinson OC and M. Thomson, ‘‘Bad news for paparazzi e Strasbourg has spoken’’ N.L.J., 9 July 2004, 1040, at 1041. 11

12

[2003] 2 All E.R. 881.

Computer Law & Security Report (2005) 21, 78e83

EU UPDATE

Baker & McKenzie’s annual review of developments in EU law relating to IP, IT and telecommunications David Halliday, Paul Ganley, Ruth Tomlinson, Miriam Andrews Baker & McKenzie

Abstract This is a summary of the Baker & McKenzie columns on developments in EU law relating to IP, IT and telecommunications. This summarises the principal developments which took place in 2004 that are considered important for practitioners, students and academics in a wide range of information technology, e-commerce, telecommunications and intellectual property areas and which were reported on in this column in 2004. It seeks also to update any further development which may have taken place in relation to the specific topics since originally reported. It cannot be exhaustive but intends to address the important points. This is a hard copy reference guide, but links to outside web sites are included where possible. No responsibility is assumed for the accuracy of information contained in these links. ª 2005 Baker & McKenzie. Published by Elsevier Ltd. All rights reserved.

A. Intellectual property enforcement 1. Intellectual property rights enforcement Directive On 29 April 2004 Directive 2004/48/EC of the European Parliament and of the Council on the enforcement of intellectual property rights was published. The Directive is controversial, not least because it was passed quickly, giving rise to complaints that not enough consultation time had been devoted to it. Also, there had been considerable debate as to whether small-scale IPR

infringement (e.g. occasional downloaders of MP3 files) should be caught by the Directive. The compromise position limits certain provisions to acts of infringement committed on a ‘‘commercial scale’’, and the recitals note that this will ‘‘normally exclude acts done by consumers acting in good faith’’. The Directive also gives Member Sates the option of introducing criminal sanctions for IPR infringement. The Directive requires Member States to provide courts with certain evidence-gathering powers, the power to issue interlocutory injunctions to prevent impending or continuing infringement, the

0267-3649/$ - see front matter ª 2005 Baker & McKenzie. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2005.01.017

Baker & McKenzie’s annual review of developments in EU law power to order the delivery-up of infringing goods and the power to seize certain assets of infringers. These provisions already form part of UK law and it is unlikely that many changes will be required. However, the Directive will require substantial amendments to the laws of certain Member States, particularly those which joined the EC on 1 May 2004. Member States have two years to implement the measures.  Directive: http://europa.eu.int/eur-lex/pri/en/ oj/dat/2004/l_195/l_19520040602en00160025. pdf. Original article in [2004] 20 CLSR 216.

2. Commission strategy on enforcement of intellectual property rights in third countries On 10 November 2004 the European Commission announced the adoption of a ‘‘strategy for the enforcement of intellectual property rights in third countries’’. The strategy is aimed at violations in third countries, as existing initiatives are not effective against infringements that directly affect Community right-holders but occur outside the Community borders. There are eight proposed actions set out in the strategy to address the problem: identifying the priority countries; multilateral/ bilateral agreements; political dialogue; incentives/technical cooperation and assistance; dispute settlement/sanctions; creation of publice private partnerships; raising awareness of both consumers and rights-holders; and institutional cooperation of the Commission services. The approach of the Commission in its Communication is not to put in place a stream of new legislation, but to focus instead on effective enforcement of existing and prospective means and actions, for the benefit of both right-holders and third countries.  Commission Communication: http://tradeinfo.cec.eu.int/doclib/html/120025.htm.

3. Regulation on customs action against counterfeit and pirated goods comes into force Council Regulation 1383/2003/EC came into force on 1 July 2004 to govern the regime for customs action against IP infringing goods. At the same

79

time, UK law was amended by the Goods Infringing Intellectual Property Rights (Customs) Regulations 2004 (SI 2004/1473) to implement the new regime. The new measures extend the IP rights for which sanctions are available to include plant variety rights, protected designations of origin and protected geographical indications. Customs officials are also given greater powers in relation to the detention of goods and the disposal of infringing articles. A number of procedural changes have been introduced, including the substitution of the right to ask for security to cover the costs of interceptions with a requirement that rights-holders provide written undertakings to pay such costs and accept additional liabilities if goods are later found to be non-infringing; a requirement that customs officials provide rights-holders with more details of interceptions made, and the possibility of lodging notice applications online.  EC Regulation: http://europa.eu.int/eur-lex/pri/ en/oj/dat/2003/l_196/l_19620030802en00070014. pdf.  UK statutory instrument:http://www.legislation. hmso.gov.uk/si/si2004/20041473.htm. Original article in [2004] 20 CLSR 413.

B. Patents and designs 1. Proposal for a directive on the patentability of computer implemented inventions The tortured history of the draft proposal on the patentability of computer implemented inventions took more twists and turns throughout 2004. Following the initial proposal from the European Commission in February 2002 (COM (2002)92) and the heavily amended proposal passed by the European Parliament in September 2003, the Competitiveness Council agreed a ‘common position’ on 18 May 2004. The common position rejected most of the amendments made by the European Parliament and under the co-decision procedure will need to be presented again to the Parliament. However, the Dutch parliament was reported to be unhappy with its government’s agreement of the common position, and on 17 November 2004, the Polish government announced that it could not support the proposed common position. The revised voting procedure in the Council following the enlargement of the EU means that the Polish government could block

80 the adoption of the common position, which will mean that there will need to be further political negotiations before the draft directive can go back to the European Parliament.  Common position: http://register.consilium. eu./int/pdf/en/04/st11/st11979.en04.pdf.

2. Draft directive amending the legal protection of designs On 14 September 2004 the European Commission published a draft Directive amending Directive 98/ 71/EC on the legal protection of designs, following a study of ways to harmonise the aftermarket in spare parts. The purpose of the proposal is to prevent design protection creating a complete monopoly right, and to complete the Internal Market already partially achieved by Directive 98/71/EC. The proposed Directive introduces a ‘‘repairs clause’’ so that visible component parts of a complex product will not be protected under design law for the purpose of repair of that complex product. The text of the repairs clause is taken from the Council Regulation (EC) No 6/2002 on Community Designs where there is already no protection for ‘‘must-match’’ spare parts in the aftermarket. As a result of this amendment visible car parts will only be protected by design law in the primary market and not in the aftermarket/ secondary market; however, the exclusive rights that vehicle manufacturers have over the use of designs for new parts and new vehicles will remain. The amendment will allow for a more competitive market to open up in the manufacture and supply of replacement vehicle parts. Both consumers and SMEs are expected to benefit from this change in the market. The proposal is to be considered by the European Parliament and Council. No formal timetable has yet been announced.  Draft Directive: http://europa.eu.int/comm/ internal_market/en/indprop/design/.  Directive 98/71/EC: http://europa.eu.int/comm/ internal_market/en/indprop/design/.

3. Draft regulation on compulsory licensing of patents for medicine exports On 29 October 2004 the European Commission published a proposal for a regulation on ‘‘compul-

D. Halliday et al. sory licensing of patents relating to the manufacture of pharmaceutical products for export to countries which have public health problems’’. The purpose of the proposal is to give effect to the WTO General Council Decision of 30 August 2003 on the Implementation of paragraph 6 of the Doha Declaration on the TRIPS Agreements and Public Health. Implementation of the Decision is necessary in all of the EU Member States to avoid distortion of competition. The proposed regulation aims to provide importing WTO members with the drugs needed to treat diseases, whilst also protecting the interests of the pharmaceutical manufacturers. It establishes a procedure for the grant of compulsory licenses by the competent authority in the Member State, to applicants who have received a specific request from authorised representatives of the importing WTO member. The grant of a license is subject to the applicant having first attempted to agree a negotiated license with the right owner. Compulsory licenses shall be non-exclusive, non-assignable, and necessary to meet the needs of the importing WTO member. The proposal calls for a review of the regulation three years after it enters into force. The proposal is to be considered by the European Parliament and Council. No formal timetable has yet been announced.  Draft Regulation: http://www.europa.eu.int/ comm/internal_market/en/indprop/patent/ draft_medicines_en.pdf.  Doha Declaration: http://www.wto.org/english/ thewto_e/minist_e/min01_e/mindecl_trips_e. htm.

C. Data protection/privacy 1. European Commission to investigate UK’s approach to the EU data protection directive The European Commission is to investigate the UK’s implementation of the EC Data Protection Directive in the Data Protection Act 1998 (the ‘‘Act’’). The Commission has issued a letter of formal notice requesting further information against which compliance will be adjudged. A key area of concern is the definition under UK law of ‘‘personal data’’ following the decision in Durant -v- Financial Services Authority [2003] EWCA 1746 in December 2003 where it was held that not all data that are retrieved from a computer against an individual’s name or unique identifier were ‘‘personal data’’ under the Act. The decision was criticised as giving

Baker & McKenzie’s annual review of developments in EU law a narrow interpretation of the definition of personal data, and the Commission favours a wider definition to include personal information that applies indirectly to an individual. Other issues thought to be under investigation include the scope of derogations to the prohibition on cross-border transfers of data and the powers granted to the Information Commissioner under the Act. Original article in [2004] 20 CLSR 414.

D. Competition law 1. Commission decision in the Microsoft case e 24 March 2004 e (Case COMP/C-3/37.792) On 24 March 2004 the European Commission delivered its judgment in the Microsoft case. The case concerned alleged breaches by Microsoft of Article 82 of the EC Treaty (which makes it an offence for an undertaking to abuse a dominant position). The Commission found that Microsoft had abused its dominant market position by leveraging its near monopoly in the market for PC operating systems onto the markets for work group server operating systems, and for media players. The case arose out of a complaint by Sun Microsystems to the Commission about Microsoft’s refusal to release interface information that would make it easier for Sun to develop products that could talk to the Windows operating system. The Commission extended the investigation to consider the manner in which the Windows Media Product was bundled with Windows. The Commission imposed a number of penalties on Microsoft including a record V497 million, an obligation to provide accurate interface information within 120 days, and an obligation to provide an unbundled version of Windows. The sanctions have been suspended pending the outcome of the appeal.  Full text of decision: http://europa.eu.int/ comm/competition/antitrust/cases/decisions/ 37792/en.pdf. Original article in [2004] 20 CLSR 328.

2. European technology transfer block exemption regulation On 27 April 2004, the Commission announced that it had adopted a new European Technology Transfer

81

Block Exemption Regulation. The Regulation came into force on 1 May 2004, although agreements entered into before under the previous TTBE Regulation 240/96 will continue to benefit from its ‘‘safe harbours’’ until 31 March 2006. The new TTBE Regulation is wider in scope than the old Regulation and applies to a number of patent, know-how or software copyright licensing agreements, or a combination of these. However, if the combined market share of the competing parties to an agreement exceeds 20% of the relevant market, or if the market share of each of the non-competing parties to an agreement exceeds 30% of the relevant market, the block exemption will not apply. Under the Regulation, even where the parties remain within the market share thresholds, an agreement will not benefit from the block exemption if it contains certain ‘‘hardcore’’ restrictions such as the fixing of prices charged to third parties. The Commission has published detailed guidelines on the application of Articles 81(1) and 81(3) of the EC Treaty to agreements that fall outside the block exemption. In the absence of hardcore restrictions, there is no general presumption that such agreements infringe Article 81(1) simply because they fall outside the scope of the Regulation.  TTBE Regulation: http://europa.eu.int/eur-lex/ pri/en/oj/dat/2004/l_123/l_12320040427en0011 0017.pdf.  Article 81 Guidelines: http://europa.eu.int/ eur-lex/pri/en/oj/dat/2004/c_101/c_1012004 0427en00020042.pdf. Original article in [2004] 20 CLSR 329.

E. Telecoms 1. Application of the e-Money Directive to Mobile Operators: Consultation paper of the Director General of the Internal Market (DGIM) The European Commission has published a consultation paper on the nature of pre-paid mobile phone cards and the application of the e-Money Directive (2000/46/EC) to mobile operators. This issue has come to the fore now that credit on pre-paid phone cards can be used to purchase a range of products and services from companies other than the mobile operator. The EU Banking Advisory Committee recently concluded that the

82

D. Halliday et al.

pre-paid phone cards fall within the definition of ‘‘electronic money’’ set out in Article 1 of the Directive when they are used to purchase third party products or services such as ringtones or news alerts. The consultation period is now closed and the responses have now been published on the DGIM website.  e-Money and mobile operators portal: http:// europa.eu.int/comm/internal_market/bank/ e-money/index_en.htm.  e-Money Directive: http://europa.eu.int/eurlex/pri/en/oj/dat/2000/l_275/l_27520001027 en00390043.pdf. Original article in [2004] 20 CLSR 330.

2. European Commission and OFCOM publish consultations on Voice over Internet Protocol (VoIP) With the proliferation of broadband services throughout the EU, the European Commission has issued a consultation document on the regulation of VoIP (i.e. the ability to make voice calls over the internet). The consultation addresses a number of technical issues including access to emergency services, network availability and the in-line powering of terminals. The consultation also seeks views on how existing rules applicable to operators of Publicly Available Telephone Services (PATS) should apply to VoIP providers. The results of the consultation process will form the basis of nonbinding guidelines which are expected to influence national regulators such as Ofcom which is also consulting on the issue. At present Ofcom appears to favour a light touch with the emphasis on making customers aware that service levels they are used to from PATS will not necessarily apply to VoIP, rather than imposing heavy-handed regulation. The Commission is expected to adopt a nonbinding position at the end of 2004/beginning of 2005. Ofcom’s consultation closed on 15 November 2004 and it expects to make a final statement, based on its own and the Commission’s consultation, in early 2005.  Commission consultation: http://europa.eu.int/ information_society/topics/ecomm/doc/ useful_information/library/commiss_serv_doc/ 406_14_voip_consult_paper_v2_1.pdf.  Ofcom VoIP and Voice over Broadband portal: http://www.ofcom.org.uk/ind_groups/ind_

groups/telecommunications/vob/vobqa/?aZ 87101. Original article in [2004] 20 CLSR 492.

F. e-Commerce 1. European Commission consultation concerning a new legal framework for payments in the Internal Market As part of the move towards creating a ‘‘Single Payment Area’’ in the EU the Commission sought comments from interested parties on the general principles that should govern the modernisation and simplification of the regulatory framework applying to payment services in the Internal Market. The Commission’s aim is to make it easy, cheap and secure to make cross-border payments. The consultation period closed on 31 January 2004. The Commission sought views on whether existing legislation in this area was sufficient or whether new regulatory measures may be necessary. When formulating measures in this area, the Commission has stated that it intends to observe the following principles:  improving efficiency as a permanent objective of the Internal Market;  enhancing the legal and technical security of payment instruments and systems;  boosting competition and easier access to the market;  strong safeguards for consumers; and  avoiding discrimination between payment instruments. The Commission specifically sought views on a number of issues including the appropriate regulatory environment for emergent payment systems, the use of digital signatures, the information requirements imposed on payment service providers, the conditions under which payment orders may be revoked, and the appropriate role of payment service providers in the case of merchant/customer disputes. The Commission also emphasised that any measures adopted should be technologically neutral.  Payment services portal: http://europa.eu. int/comm/internal_market/payments/framework/ index_en.htm. Original article in [2004] 20 CLSR 215.

Baker & McKenzie’s annual review of developments in EU law

G. Consumer protection 1. Financial Services (Distance Marketing) Regulations 2004 The Financial Services (Distance Marketing) Regulations 2004 (SI 2004/2095) came into force on 31 October 2004. The Regulations implement Directive 2002/65/EC on the distance marketing of consumer financial services and in doing so amend a number of existing legislative measures. The Regulations cover distance contracts for banking, credit, insurance, personal pension, investment or payment services. A distance contract is generally defined as one concluded by way of telephone, fax, mail or email. Two of the most important provisions govern the provision of information to consumers prior to the conclusion of a distance contract (Regulation 7) and consumer’s right to cancel a distance contract within a given

83

period (Regulation 9, subject to exceptions). Other provisions deal with the fraudulent use of credit cards in connection with a distance contract and the duties and powers of enforcement authorities.  Regulations: http://www.legislation.hmso.gov. uk/si/si2004/20042095.htm.  Directive: http://europa.eu.int/eur-lex/pri/ en/oj/dat/2002/l_271/l_27120021009en00160024. pdf. Original article in [2004] 20 CLSR 491.

For further information on any of the above, please contact Harry Small ([email protected]) of the Intellectual Property & Information Technology Department of the London office of Baker & McKenzie (tel: C44 20 7919 1000). Mr Small was assisted in the preparation of this article by Miriam Andrews, Paul Ganley, Ruth Tomlinson and David Halliday.

Computer Law & Security Report (2005) 21, 84e85

BOOK REVIEWS Photography law The law of photography and digital images Cristina Michalos (Ed.), Thomson and Sweet & Maxwell, 2004, 907 pp., Hard-cover, £155, V219, ISBN 0-421-76470-8 As the author states in the preface her original idea for this book arose after she had been instructed in a series of unrelated cases all of which involved photographic subject matter. Although the basic legal principles were dealt with by existing works: ‘‘the particular problems in respect of which I had been asked to advise were not dealt with any detail e and in some cases not dealt with at all. And these are problems likely to arise repeatedly in any comparable case concerning photographs. There is no text for the legal practitioner on this subject. The idea behind this work was to fill this gap for the litigation lawyer’’. The aim of this work, therefore, is to focus on the law in its application to photographs, i.e. images rather than moving images or stills from films. Copyright law in relation to its application to films is, therefore, not considered at all, the only exception being footage from CCTV which is dealt with in the context of data protection. A work of this kind has been long awaited, this being the first time the subject has been dealt with so comprehensively. It takes account, of course, of the revolution in photography by digital photography which has extended the scope of this medium for exploitation and presentation in ways not possible 20 years ago. There are three sections to the work: dealing with rights in the image; the place and subject matter of photographs; and the use of photographs. These sections are then broken into 14 chapters followed by six appendices containing relevant legislation, codes of practice and a table showing a comparison of statutory provisions in various national copyright laws for photograph works. Available from: Sweet & Maxwell, International Customer Service. Tel.: C44 1264 342906, UK 020 74491111, by mail: Sweet & Maxwell Group,

Freepost, Lon 12091, London NW3 4YS, Internet: http://www.sweet&maxwell.uk. doi: 10.1016/j.clsr.2005.01.004

Telecoms and broadcasting regulation Telecommunications, broadcasting and the Internet e EU competition law and regulation Laurent Garzaniti (Ed.). second ed., Thomson and Sweet & Maxwell, 2003, 675 pp., £139eV197, ISBN 0-421-85140-6 As the author notes in the preface: ‘‘Since the first edition of this book was published in April 2000, the telecommunications legislative environment has radically changed. The second edition of this book represents more than a mere update of the previous edition. The regulatory book was substantially redrafted to take into account the recently adopted EU telecoms package. The Internet has also seen a number of recent developments that needed to be reflected’’. The aim of this work is to offer a reference guide and research tool for legal practitioners involved in the application of EU competition law and regulation in the telecoms, broadcasting and Internet sectors. It focuses, therefore, on describing the regulatory regime and reviewing relevant case law. This new edition takes into account a large number of competition cases and merger decisions which have been adopted in recent years. The book aims to move beyond mere description of the regulatory framework since it also reviews in detail the application of competition in the telecoms sector, while examining carefully the decision making practice of the European Commission and the case law that emerges from the European courts. The work is divided into two parts e the regulatory issues of the EU regulatory framework and a second part concerned with the application of competition rules to telecoms, broadcasting and the Internet. There are also

Book reviews seven appendices containing a variety or primary and secondary sources of further information. Available from: Sweet & Maxwell, International Customer Service. Tel.: C44 1264 342906, UK 020 74491111, by mail: Sweet & Maxwell Group, Freepost, Lon 12091, London NW3 4YS, Internet: http://www.sweet&maxwell.uk. doi: 10.1016/j.clsr.2005.01.005

Telecoms regulation Telecommunications regulation John Buckley (Ed.), The Institution of Electrical Engineers, 2003, 240 pp., Hard-cover, £49.00, ISBN 0-85296-444-7 This text is one of the IEE telecommunications series 50 and aims to explain the nature of regulation of the telecommunications services

85 industry today. It aims further to explain what regulation is, what regulators do and how they approach their task, why they do it, how they receive their powers and how it bears on network operators and telecoms service providers. It goes on through a number of case studies to show how regulators engage with topical issues such as price control, interconnection, numbering, number portability, and loop unbundling. The author describes the book as being aimed at ‘‘intelligent’’ readers from engineering, technology, law, economics, business strategy and commercial management. Its aim is to equip readers to understand the work and pronouncement of telecoms regulators, to understand the language used and to engage critically in discussion about regulatory matters and to see how this affects their work. Available from: The IEE, Michael Faraday House, 6 Hills Way, Stevenage, SG1 2AY, Tel.: C44 (0) 1438 313311; e-mail: [email protected]; Internet: http://www.iee.org. doi: 10.1016/j.clsr.2005.01.006

Computer Law & Security Report (2005) 21, 86

Calendar of Events For a more detailed listing of IS security and audit events, please refer to the events diary on http://www.compseconline.com 9 February 2005 Privacy, Security & Cybercrime Location: Online seminar Website: www.abanet.org

26e28 April 2005 Infosecurity Europe 2005 Location: Olympia, London, UK Website: www.infosecurity.co.uk

9e10 February 2005 Legal IT 2005 Location: London, UK Website: www.legalitshow.com

5e6 May 2005 CLA 2005 World Computer and Internet Law Congress Location: Washington DC, US Website: www.cla.org

21 February 2005 SarbaneseOxley: Controlling corporate risk through governance Location: London, UK Website: www.unicom.co.uk 29e30 March 2004 E-crime and Computer Evidence Conference Location: Monaco Website: www.ecce-conference.com 5e10 April 2005 International Internet Law Conference Location: Belgrade, Yugoslavia Website: www.yalesmn.org

doi:10.1016/j.clsr.2005.01.002

28e29 April 2005 International Technology Licensing Agreements Locations: London, UK Website: www.hawksmere.co.uk 26 Junee1 July 2005 17th Annual Computer Security Conference Location: Singapore Website: www.first.org