176 10 3MB
English Pages [339] Year 2021
E-Commerce and Convergence: A Guide to the Law of Digital Media
Fifth Edition
E-Commerce and Convergence: A Guide to the Law of Digital Media
Fifth Edition
Susan Singleton, LLB Solicitor, Singletons
Singletons is a London firm of solicitors specialising in commercial, information technology, intellectual property, data protection and competition law and is authorised and regulated by the Solicitors Regulation Authority. www.singlelaw.com
BLOOMSBURY PROFESSIONAL Bloomsbury Publishing Plc 50 Bedford Square, London, WC1B 3DP, UK 1385 Broadway, New York, NY 10018, USA 29 Earlsfort Terrace, Dublin 2, Ireland BLOOMSBURY and the Diana logo are trademarks of Bloomsbury Publishing Plc First published in Great Britain 2021 Copyright © Bloomsbury Professional, 2021 All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage or retrieval system, without prior permission in writing from the publishers. While every care has been taken to ensure the accuracy of this work, no responsibility for loss or damage occasioned to any person acting or refraining from action as a result of any statement in it can be accepted by the authors, editors or publishers. All UK Government legislation and other public sector information used in the work is Crown Copyright ©. All House of Lords and House of Commons information used in the work is Parliamentary Copyright ©. This information is reused under the terms of the Open Government Licence v3.0 (http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3) except where otherwise stated. All Eur-lex material used in the work is © European Union, http://eur-lex.europa.eu/, 1998–2021. British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library. ISBN:
HB 978 1 52651 265 9 Epub 978 1 52651 266 6 Epdf 978 1 52651 268 0
Typeset by Evolution Design and Digital Ltd (Kent) To find out more about our authors and books visit www.bloomsburyprofessional.com. Here you will find extracts, author information, details of forthcoming events and the option to sign up for our newsletters
Foreword When the fourth edition of E-Commerce: A Guide to the Law of Electronic Business was published in 2011 the impact of the internet on the lives of individuals had increased substantially. However people tended to use personal computers and laptops to access the internet. The biggest change in the last ten years since then has been the movement from computers to sophisticated mobile telephones – the iPhone and the like – both here in the UK and across the globe, and the use of electronic devices to view films and other online content. The 2020 global coronavirus (COVID-19) pandemic has quickened the pace of change to online working and home working in many sectors and countries, perhaps achieving in 12 months what might in less extreme times have taken ten years. Accordingly, the publication of this e-convergence text is timely. While some sections pay homage to its e-commerce origins (eg when looking at online contracting), this book, like the previous edition, covers many more issues than just that. Its central aim is to explain how a range of new and existing law is interpreted in the context of digital media. While many of these laws are well known and well examined, they are not always considered in the context of digital content and delivery. As the technology has changed and converged, the focus of the book has also had to change. Increasingly, businesses are seeking to develop an interactive relationship with their customers. This book takes the full range of legal issues relevant to digital content and explains them in that context. It is necessarily a broad sweep of law, but it has been taken from my experience and that of the writers of earlier editions in advising on these issues. Susan Singleton Author, E-Commerce: A Guide to the Law of Electronic Business, fifth edition Solicitor, Singletons, Solicitors
Preface What is e-convergence? ‘E-convergence’ means the convergence – the coming together – of the internet, information and communications technologies, content, mobile technologies, broadcasting and related services and products. This convergence is driven first by technology change and secondly by consumer behaviour. At the heart of the technology change has been the spread of internetprotocol technologies. Perhaps it is clearer to talk about ‘digital content delivery convergence’ – data, text, voice and moving pictures all now able to share a common delivery platform. Where technology leads (eventually) the law will follow. Traditionally, laws and lawyers relating to electronic delivery platforms and content were discrete specialisations. Lawyers were (and still are) called ‘film’ lawyers, ‘telecoms’ lawyers, ‘information technology’ lawyers and of course not forgetting ‘e-commerce’ lawyers. All of these lawyers also needed to have a good knowledge of intellectual property laws, especially copyright and trade mark laws. These distinctions are becoming more and more blurred and less and less relevant. What sort of lawyer do you call yourself when you have to advise on advertising as it relates to video-on-demand? More importantly, what skills and knowledge do you need to advise, for example, a rights holder streaming audiovisual content or if you advise a business such as Facebook, Instagram, Twitter, Whatsapp, TikTok or Snapchat? This book is an attempt to weave together previously disparate legal disciplines and provide guidance across a range of legal topics. Its focus is on how multiple laws – copyright, data protection, advertising regulation – apply to digital content. The book also recognises that the digital world has become ever-more central to the procurement and delivery of products and services in physical form. Accordingly, it reviews the legal issues around contracting digitally. The COVID-19 pandemic in 2020 also quickened the pace of change in relation to movement to remote working, video calls on platforms such as Zoom and Teams, electronic shopping and electronic signatures, which even prior to 2020 were increasingly extensively used.
Who should read this book? This book is aimed at both in-house counsel and commercial executives (in particular finance directors, marketing directors and commercial directors). Its key aim is to highlight issues which may not always be readily apparent to those who
vii
Preface
may practise in a content area. For example, a film lawyer or executive will be very familiar with copyright issues but may not be familiar with the AVMS Directive and how this may affect a move to video-on-demand. Those familiar with contentbased issues may not be aware of the data protection issues which are becoming increasingly important. While the book will be of particular interest to content businesses and online businesses, it is relevant to any business looking to expand in the online space. The book covers issues such as domain names, key words and contracting online which are important to any ‘bricks and mortar’ business trading online.
Date of law and Brexit The law in the book is accurate as at 1 January 2021. In the ten years since the fourth edition, e-commerce has become even more a feature of the lives of most people. The law moves rapidly in this area and certain sections of the book will need regular updating. Readers should always check the latest position. While the book reports on English law only, wherever possible the authors have sought to flag key issues in other jurisdictions. The UK left the EU on 31 January 2020, so where relevant the post-Brexit position is set out in this fifth edition and the position in the UK and in the EEA after the post-Brexit transitional period ended on 31 December 2020 is described.
Earlier editions Solicitors Hammond Suddards (now Squire Patton Boggs) are responsible for the four earlier editions of this book. In 1999 the first edition was published by Butterworths as E-commerce: A Guide to the Law of Electronic Business written by Hammond Suddards’ lawyers Stephen D York and Ken Chia (Mr Chia now being at Baker McKenzie, Singapore) just as the internet was becoming prevalent. The second edition followed quickly in 2000. Lexis Nexis published the third edition in 2002 then edited by Robert Wegenek, Jonathan Moore and Ged O’Neill, again then all of Hammond Suddards. The fourth edition was published under the current book title by Bloomsbury Professional in 2011 edited by Mike Butler then of Squire Sanders Hammonds (now lecturer at the University of Law, previously known as the College of Law) and his then colleagues. These earlier writers and editors are responsible for the structure and much of the text of the book. This strong foundation has been worked on and updated for the fifth edition published in 2021 by the current author, Susan Singleton of Singletons Solicitors, to reflect changes in the law over the last ten years since the fourth edition was published. There have been many such changes over the last decade, from the UK leaving the EU to new laws on distance selling and data protection and much else.
The chapters The book is broken up into ten chapters each of which contains a ‘key message’ summary at the end of the chapter (other than Chapter 1). This summary is viii
Preface
principally aimed at readers coming to these issues for the first time, as opposed to more seasoned campaigners in this space. The following is a brief summary of each of the chapters: Chapter 1 (Technological convergence): This chapter contains a description of the technologies which have driven convergence and those which are now used to deliver digital content. In particular, the reader’s attention is drawn to PARAGRAPH 1.8 which introduces a useful description of the different types of technologies (eg it explains the difference between downloading and streaming). Chapter 2 (Digital rights): This chapter provides a detailed description of copyright, the foremost right to be considered in the context of digital content. The chapter contains practical guidance on protecting copyright works and contains an interesting discussion as to how infringements may actually in some cases be revenue enhancing. Finally, it considers the Digital Economy Act 2017 and mentions the EU 2019/790 Copyright Directive (implementation date 21 June 2021 which is after the UK left the EU). The UK has chosen not to implement the Directive. Chapter 3 (Brands): The bulk of this chapter sets out in detail how the domain name system works and explains trade mark laws in summary terms. The chapter also contains a very useful description of the issues which arise with respect to keyword searching and the effect on brand owners of Google’s AdWords’ policy. Chapter 4 (Data in the digital world): This is a critical chapter. It explains how the collection of data through the use of technologies (eg cookies) is becoming increasingly prevalent and how both existing data protection laws in the Data Protection Act 2018 (and UKGDPR) and sector-specific laws have an impact on this use. It also sets out the specific rules relating to electronic direct marketing known as PECR which are due to be updated in 2021/22. Chapter 5 (Digital marketing): Digital marketing covers a wide range of electronic activities from online advertising to paid-for search. This chapter looks at the types of industry regulation and outlines the CAP Codes administered by the Advertising Standards Authority. It also looks in detail at comparative advertising and the rules around sales promotions. Chapter 6 (User-generated content and social media): The ability of consumers to post comment (and copyright infringing material) is the hallmark of Web 2.0. This chapter looks at the specific issues raised and in particular the defences available to ISPs and website operators to issues such as defamatory postings. The chapter considers how brand owners can mitigate risks when exploiting user generated content and whether or not to moderate online content. In the ten years since the fourth edition was published there has been a regular battle between those wanting more internet freedom with little or no liability imposed on platforms which simply enable free speech and in the words of one judge are merely providing a ‘passive wall’ on which consumers can post their comments and those who want to control, curtail and censor the internet. Chapters 7 and 8 (AVMS Directive and Video-on-demand): These two chapters should be read together. Chapter 7 outlines the reasons for and provisions of the AVMS Directive (as amended, in the UK, by Audiovisual Media Services Regulations 2020 (SI 2020/1062)) in regulating ‘television-like’ services provided over the ix
Preface
internet. Chapter 8 contains a summary of the different types of VoD providers in the UK and the regulation of VoD as a consequence of the AVMS Directive. Chapter 9 (Contracting): This chapter looks at the specific issues relating to contracting online. It examines electronic signatures and the additional requirements imposed as a result of distance-selling legislation in the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. The chapter contains a useful summary of best practice when establishing an online contracting presence. Chapter 10 (Jurisdiction and enforcement): The question of whose law applies is often a vexed one. This chapter explains in depth the laws which go to determine the appropriate jurisdiction for resolving disputes in particular in the light of the EU having left the EU on 31 January 2020. The chapter also explains Norwich Pharmacal orders, an important piece of any rights enforcement strategy. The law is as stated at 1 January 2021. Susan Singleton, Solicitor, Singletons, www.singlelaw.com
x
Acknowledgements and dedication The fifth edition of this book has been written by me, Susan Singleton. However the authors of editions 1–4 of the book should be acknowledged. Squire Patton Boggs (formerly Hammond Suddards), Solicitors, wrote all earlier editions of the book from the first edition in 1999 written by Stephen Yorke and Ken Chia, to the fourth edition published in 2011 edited by Mark Butler. Without their hard work the book would not exist. For the fifth edition the regular requests for legal advice from clients of my law firm, Singletons, relating to the law of digital media from data protection to intellectual property licensing, competition law to litigation issues, have played a large role in ensuring no stone is unturned and no difficult legal issue left hidden in the complex converged world that is the law in this field. Finally, thanks are due to the Singleton family for their forbearance and ideas whilst I was preparing this edition of the book – my solicitor daughters Rachel and Rebecca and my law student twin sons Joe and Sam who start the Legal Practice Course in September 2021 and my older son Ben who is not a lawyer, but has always been our family IT expert from his early teens, although I was advising on IT (and competition) law at Slaughter and May back in 1985 before he was born. In those days I advised on the many computer contracts that were suddenly needed when stock exchange trading went online in what was known as ‘Big Bang’ in 1986. After ten years from the previous edition and in probably the fastest moving legal field, updating the book for this 2021 fifth edition has been a labour of love which was made easier by being written during the COVID-19 pandemic in 2020, when there were so few distractions other than work. This edition is dedicated to my grandchildren Rose and Frederick. The future is yours, whether online or off line, digital, or otherwise. Susan Singleton
xi
Contents Foreword v Preface vii Acknowledgements and dedication xi Glossary xvii Table of Cases xxiii Table of Statutes xxix Table of Statutory Instruments and Codes of Practice xxxiii Table of EC and International Materials xxxvii Chapter 1: Technological convergence Introduction – the world of bits Key changes driving content convergence IP technology Traditional content delivery Types of converged technology Overview of legal issues in the converged world The rise of Google Web 2.0 Next generation broadband Net neutrality and open internet access The role of government
1 1 1 3 3 4 6 8 8 9 10 11
Chapter 2: Digital rights 13 Introduction 13 The rights protecting digital content 13 Jurisdictional issues around copyright 19 An explanation of copyright and the works protected by copyright 20 The Copyright Directive 2001 – restricted acts 31 Copyright Directive 2019 – Article 17 37 Statutory exceptions 39 Copyright licences and collecting societies 42 Refusals to infer copyright transfers – a word of warning 44 The Digital Economy Act 2017 45 Key messages 45 Chapter 3: Brands 52 Introduction 52 Legal protection 52 Passing off 52 Domain names 57 Adwords 81 Brand names as keywords 81 Key messages 86 Chapter 4: Data in a digital world 88 Introduction 88
xiii
Contents
How the cookie crumbles – an overview of data-collection technologies and techniques Collection versus protection? Personal data in a digital world The future of personal data? The E-Privacy Regulations Issues around specific US/EU conflicts of law Key messages
88 93 103 111 112 119 128
Chapter 5: Digital marketing 129 Introduction 129 What is digital marketing? 129 Why advertise digitally? 131 Whose law applies? 132 Overview of applicable laws 133 Regulation 134 The CAP Code and the Advertising Standards Authority 135 The CAP Code 135 Types of advertising covered by the CAP Code 135 Other rights 145 Linking 150 Copyright Directive 2019/790 and linking 150 Keywords 151 Copyright 152 Free prize draws 152 Key messages 154 Chapter 6: User-generated content and social media 155 Introduction 155 What is user-generated content? 156 User-generated content revenue models 156 The legal risks associated with user-generated content 158 Unlicensed copyright material 159 Creative commons 161 Privacy 161 Defamation 163 Consumer Protection from Unfair Trading Regulations and other associated issues 173 Obscenity and harmful content 174 Malicious falsehood 177 Minors 178 Managing the risk 180 Key messages 186 Chapter 7: The Audiovisual Media Services Directive 187 Introduction 187 What is an audio visual media service? 188 Regulatory obligations – linear v non-linear 192 Key message 201 Chapter 8: Video-on-demand 202 Introduction 202 Types of VoD 203 Platforms and business models 204 xiv
Contents
Regulation of VoD services in the UK Key message
209 216
Chapter 9: Contracting 217 Introduction 217 Electronic contracts 218 What does ‘in writing’ mean? 219 The need for a signature 222 Electronic signatures 222 Digital signatures 222 Verification of authenticity 223 Regulation of electronic signatures 224 What is the status of an electronic signature? 225 Use of digital signatures 225 Trading online 226 Key messages 239 Appendix 1 Information to be provided on the supplier’s website and prior to formation of a contract with a customer
241
Appendix 2 Information to be provided in a ‘durable medium’ (eg an email or in permanent form online)
244
Appendix 3 Wholly and partially exempt contracts
245 245
Appendix 4 Execution of deeds
248 248
Appendix 5 Model form for cancellation of distance contract
250 250
241
244
Chapter 10: Jurisdiction and enforcement 253 Introduction 253 General principles of jurisdiction 253 Applicable law – contract 264 Norwich Pharmacal Orders 268 Enforcement 270 Key messages 275 Index
277
xv
Glossary Article 29 Working Party ASA AVMS Directive AVMS Regulations
Bandwidth Banner ad
BCAP Code Bit
BitTorrent BPRs Brussels Convention Brussels Regulation Cache
CAPCode ccTLD CDPA
See European Data Protection Board. Advertising Standards Authority (independent body responsible for proactively monitoring the UK advertising industry), discussed further in CHAPTER 5. European Council Directive 89/552 as amended, discussed further in CHAPTERS 7 and 8. Audiovisual Media Services Regulations 2009, Audiovisual Media Services Regulations 2010 and Audiovisual Media Services Regulations 2020, discussed further in CHAPTER 7. The amount of data that can be sent through a given communications circuit. The higher the bandwidth, the greater the amount of data that may be sent. Advertisement where advertiser pays an internet company for space to display a static or hyperlinked banner or logo on one or more of the internet company’s pages, discussed further in CHAPTER 5. The UK Code of Broadcast Advertising, discussed further in CHAPTER 5. ‘Binary digit’ (ie 0 or 1),which is the smallest unit of data which a computer can recognise. Used as the basic unit of digital information storage and communication, discussed further in CHAPTER 1. A type of P2P file-sharing protocol used for distributing large amounts of data, discussed further in CHAPTER 1. Business Protection from Misleading Marketing Regulations 2008, discussed further in CHAPTER 6. Brussels Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters 1968, discussed further in CHAPTER 10. European Council Regulation 1215/2012 (sometimes known as the Recast Brussels Regulation), discussed further in CHAPTER 10. A temporary data store, operated by browser software for the purposes of keeping an impression of web pages most recently visited, discussed further in CHAPTER 6. UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing, discussed further in CHAPTER 5. Country code top level domain, discussed further in CHAPTER 3. Copyright, Designs and Patents Act 1988, discussed further in CHAPTER 2.
xvii
Glossary
Click wrap agreement
An agreement (often a software licence) in respect of which you are asked to click an ‘I agree’ button online before proceeding to use the software or other product or service to which the agreement relates, discussed further in CHAPTER 9. Comparative Advertising European Council Directive 06/114, discussed further Directive in CHAPTER 5. Competition and Markets The UK consumer and competition authority. Authority or CMA (previously OFT) Cookie A software application embedded in a website which causes the user to provide to that website information previously stored by the user (or about the user) when the user next logs onto it, discussed further in CHAPTER 4. Copyright Directive European Council Directive 01/29 and EU Copyright Directive 790/2019 which is due to be implemented in the EU in 2021), discussed further in CHAPTER 6. Copyright Regulations Copyright and Related Rights Regulations 2003, discussed further in CHAPTER 6. CPRs Consumer Protection from Unfair Trading Regulations 2008, discussed further in CHAPTERS 5 and 6. Creative Commons A licensing scheme designed to make copyright works more widely accessible by providing creators with a range of ready-made licences, permitting various uses of copyright works by third parties, discussed further in CHAPTER 6. CSPs Certification Service Providers, discussed further in CHAPTER 9. CTM Community trademark, discussed further in CHAPTER 3. Cyber squatting Registering a popular domain name with a view to selling it to its rightful owner, discussed further in CHAPTER 3. General Data Protection EU Data Protection Regulation 2016/679 (replaced in Regulation (GDPR) 2018 European Council Directive 95/46) as modified for the UK in UKGDPR and the Data Protection Act 2018 as amended, discussed further in CHAPTER 4. Database Directive European Council Directive 96/9, discussed further in CHAPTER 2. Deeplinking Where a link takes the user directly into part of the linked site beyond the homepage, so that the homepage itself is bypassed, discussed further in CHAPTER 5. Distance Selling Consumer Contracts (Information, Cancellation and Legislation Additional Charges) Regulations 2013, discussed further in CHAPTER 9. Domain name An easily recognisable and memorable name which is mapped to the IP address, discussed further in CHAPTER 3. Downloading The process by which information is transferred from a central server to a device able to store and retain that information (opposite of uploading), discussed further in CHAPTER 1. xviii
Glossary
DPA
Data Protection Act 2018 as amended, discussed further in CHAPTER 4. DRM Digital rights management (technology used to control acts in relation to a copyright work which are not authorised by the copyright owner), discussed further in CHAPTERS 2, 3 and 8. DSL Digital Subscriber Line (technology enabling broadband internet to be provided over a normal telephone line), discussed further in CHAPTER 1. E-Commerce Directive European Council Directive 00/31, discussed further in CHAPTER 9. E-Commerce Regulations Electronic Commerce (EC Directive) Regulations 2002, discussed further in CHAPTERS 6 and 9. E-Privacy Directive European Council Directive 02/58, discussed further in CHAPTER 4. E-Privacy Regulations Privacy and Electronic Communications (EC Directive) Regulations 2003, discussed further in CHAPTER 4. ECHR European Convention on Human Rights 1950, discussed further in CHAPTER 4. EEA European Economic Area, being the 27 EU Member States and Iceland, Liechtenstein and Norway. EFTA European Free Trade Association (consisting of Iceland, Norway, Switzerland and Liechtenstein). Encryption The process by which data is encoded before being transmitted in such a way as prevents any person from decoding it unless the recipient has the key to decrypt the code. EUIPO (previously OHIM) European Union Intellectual Property Office (previously known as the Office for Harmonization in the Internal Market), discussed further in CHAPTER 3. European Data Protection EU entity (previously called the Article 29 Working Board Party) responsible for protection of individuals in relation to data protection, discussed further in CHAPTER 4. FTP File Transfer Protocol, discussed further in CHAPTER 1. gTLD Generic top level domain, discussed further in CHAPTER 3. Gowers Review Gowers Review of Intellectual Property 2006, discussed further in CHAPTER 1. Harvested data Data that is derived automatically from a user’s online activities to build up a profile of the user, discussed further in CHAPTER 4. HRA Human Rights Act 1998, discussed further in CHAPTER 4. HTML HyperText Markup Language. A series of codes (or tags) which are embedded in text and images that appear on webpages. The ‘markup’ terminology derives from the manner in which webpages used to be created, whereby plain text would have codes edited into them.
xix
Glossary
HTTP
Hyperlink ICANN
ICO Internet Video IP
IPO IPTV
IP Address
ISP JavaScript
Lugano Convention Metatag
Hypertext Transfer Protocol. A series of rules which govern the manner in which hypertext files are transferred around the internet. Discussed further in CHAPTER 1. A piece of text on a web page in which an HTML code is embedded that enables the user to progress to another webpage, discussed further in CHAPTER 5. Internet Corporation for Assigned Names and Numbers. A non-profit corporation with responsibility for IP address space allocation, protocol parameter assignment, domain name system management and root server system management. Discussed further in CHAPTER 3. Information Commissioner’s Office (independent body responsible for protecting information rights and data privacy in the UK). Method of content delivery whereby home television users select individual programmes one at a time. Internet Protocol. The system of rules which allows a person at one IP address to contact a person at another IP address, be recognised by the latter and receive back from them information via the internet. Discussed further in CHAPTER 1. IP is also used to refer to ‘Intellectual Property’. Intellectual Property Office (the government body for granting intellectual property rights in the UK), discussed further in CHAPTER 3. Internet Protocol Television (method of content delivery whereby home television users receive a mix of continuous television content and video on demand content using IP technology and a set top box with an internet connection), discussed further in CHAPTER 1. A physical point on the internet. That point is represented by a series of numbers that are recognised by internet protocol. That series of numbers is in turn reflected (for the user’s benefit) in his (or his server’s) domain name. Internet Service Provider. A company which provides individuals and companies with connection to the internet. A script language that is commonly used to provide unusual animated effects on web pages because it interacts easily with HTML source code. Discussed further in CHAPTER 2. Lugano Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters 1988, discussed further in CHAPTER 10. An HTML tag which contains general information concerning the nature and content of a web page (rather than specific detail as to how part or all of that web page should be displayed).
xx
Glossary
Net Neutrality
The principle that data packets on the internet should be moved impartially without regard to content, destination or source. See CHAPTER 1. Nominet A non-profit organisation set up by the UK internet industry, which administers the allocation of domain names with suffixes such as.co.uk, .org.uk etc, discussed further in CHAPTER 3. Norwich Pharmacal Order A court order requiring a respondent to disclose certain documents or information to the applicant, discussed further in CHAPTER 10. Ofcom The independent regulator and competition authority for the UK communications industries. peer-to-peer (P2P) A type of network where content is stored and exchanged among a diverse array of independent devices and which does not depend on a centralised server, discussed further in CHAPTER 1. Phone-paid Services Authority (previously PhonepayPlus) The body that regulates premium rate telephone services in the UK. Provided data Data which is submitted directly by a user in the traditional manner, discussed further in CHAPTER 4. Streaming Method of digital media delivery whereby data is delivered to the recipient device in a ‘stream’ that lasts for the duration of a multimedia programme, discussed further in CHAPTERS 1 and 8. Targeted advertising Advertising that is based on information held about the user it is directed to, discussed further in CHAPTER 4. TLD Top level domain, discussed further in CHAPTER 3. TMA Trade Marks Act 1994, discussed further in CHAPTER 5. UCPD Unfair Commercial Practices Directive European Council Directive 05/29 as amended by Council Directive 2019/2161, discussed further in CHAPTER 4. UDRP Uniform domain name dispute resolution policy and procedure, discussed further in CHAPTER 3. UGC User-Generated Content (a variety of media content that is supplied by an end-user), discussed further in CHAPTER 6. UKGDPR An amended version of the EU GDPR which took effect in the UK on 1 January 2021 running alongside the amended version of the Data Protection Act 2018. Uploading The process by which information is transferred from a remote device to a central server (opposite of downloading). Video-on-Demand (VoD) Any system that allows users to view any audiovisual content selected by the user (eg movies) at any time that they choose, discussed further in CHAPTER 8.
xxi
Glossary
Web2.0
WIPO XML
A fundamental shift towards a more dynamic and interactive internet, where content is generated by users and uploaded and shared easily with others, discussed further in CHAPTER 1. World Intellectual Property Office. Extensible mark-up language. A more sophisticated version of HTML, in that in addition to being able to tell a browser how to display data downloaded from a website, it can tell the browser what type of data this is.
xxii
Table of Cases [All references are to paragraph numbers] para
A A and another v Priory Healthcare (2008), QBD....................................................4.48 Applause Store Productions Ltd v Raphael [2008] EWHC 1781 (QB), [2008] 7 WLUK 746, [2008] Info TLR 318 ..................................................................6.16 Arkin v Borchard Lines Ltd [2003] EWHC 2844 (Comm), [2004] 1 LLR 88, [2004] 1 Lloyd’s Rep 88, [2004] 2 Costs LR 231, QBD.................................................9.28 Arsenal Football Club Plc v Reed [2002] EWHC 2695 (Ch), [2003] 1 All ER 137, [2002] 12 WLUK 360, [2003] 1 CMLR 13, [2002] Eu LR 806, [2003] ETMR 36, (2003) 26(2) IPD 26008, (2003) 100(3) LSG 32, (2002) 152 NLJ 1923, Ch D.............................................................................3.22 ASA Adjudication on Metrodome Group plc (6 May 2009)...................................4.35 Author of a Blog v Times Newspapers Ltd [2009] EWHC 1358, [2009] All ER (D) 155 (Jun), QBD................................................................................................4.48
B Ben Haim v Islamic Republic of Iran......................................................................3.10 Bewry v Reed Elsevier (UK) Ltd [2014] EWCA Civ 1411, [2015] 1 WLR 2565, [2014] 10 WLUK 915, [2015] EMLR 6..............................................................6.12 Blaney v Persons Unknown, Unreported, October 2009........................................10.18 Blumenthal v Drudge US District Court for the District of Columbia: Civil Action No 97–1968 (PFL)...........................................................................................6.18 Boehringer Ingelheim Ltd v Vetplus Ltd [2007] EWHC 972 (Ch), 2007] 4 WLUK 464, [2007] FSR 28, (2007) 30(6) IPD 30043, Ch D...........................5.26 Boring v Google Inc, No 09-2350 (3d Cir Jan 28, 2010))......................................4.48 Boring v Google, Inc, 598 F Supp 2d 695, 699-700 (WD Pa. 2009)......................4.48 Boston Scientific v Cordis Corpn (1997) IPD 20 (10), CA......................................10.7 Britannia Building Society v Prangley [2000] Masons CLR 31, LTL 12 June 2000, ChD.................................................................................................................3.16 British Airways Plc v Ryanair Ltd [2000] 12 WLUK 109, [2001] ETMR 24, [2001] FSR 32, (2001) 24(3) IPD 24013, Ch D.................................................5.26 British Horseracing Board Ltd v William Hill Organisation Ltd [2005] EWCA Civ 863, [2005] 7 WLUK 318, [2006] ECC 16, [2005] ECDR 28, [2005] RPC 35, (2005) 155 NLJ 1183.......................................................................................2.5 British Telecommunications Plc v One in a Million Ltd [1999] 1 WLR 903, [1998] 4 All ER 476, [1998] 7 WLUK 467, [1999] ETMR 61, [1997–98] Info TLR 423, [1998] ITCLR 146, [2001] EBLR 2, [1999] FSR 1, [1998] Masons CLR 165, (1998) 95(37) LSG 37, (1998) 148 NLJ 1179, CA.............................3.16 Brown v Mcasso Music Productions [2005] EWCA Civ 1546, [2005] 11 WLUK 334, [2006] 3 Costs LR 404..............................................................2.18 Bundesverband der Verbraucherzentralen und Verbraucherverbande v Deutsche Internet Versicherung AG (Case C-298/07) [2008] ECR I-7841, [2008] All ER (D) 266 (Oct), ECJ...........................................................................................9/App 1 Bunt v Tilley [2006] EWHC 407 (QB), [2007] 1 WLR 1243, [2006] 3 All ER 336, [2006] 3 WLUK 311, [2006] EMLR 18, [2006] Info TLR 151, (2006) 103(14) LSG 29...............................................................................................6.27
xxiii
Table of Cases
para
C Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22, [2004] 2 AC 457, [2004] 2 WLR 1232, [2004] UKHRR 648..........................................................4.48 Cartier v BSkyB [2018] UKSC 28, [2018] 1 WLR 3259, [2018] 4 All ER 373, [2018] 2 All ER (Comm) 1057, [2018] Bus LR 1417, [2018] 6 WLUK 226, [2018] ECC 29, [2018] ETMR 32, [2018] ECDR 16, [2018] EMLR 22, [2018] RPC 11.............................................................................................. 3.26, 6.6 CBS Songs Ltd v Amstrad Consumer Electronics Plc [1988] AC 1013, [1988] 2 WLR 1191, [1988] 2 All ER 484, [1988] 5 WLUK 131, [1988] 2 FTLR 168, [1988] RPC 567, (1988) 132 SJ 789, HL...........................................................2.20 Chang v Virgin Mobile (2007)..............................................................................6.10 Clearsprings Management Ltd v BusinessLinx Ltd [2005] EWHC 1487 (Ch), [2005] 7 WLUK 382, [2006] FSR 3...................................................................2.31 Coin Controls Ltd v Suzo International (UK) Ltd [1999] Ch 33, [1998] 3 WLR 420, [1997] 3 All ER 45, [1997] 3 WLUK 616, [1997] FSR 660, (1997) 20(8) IPD 20073, Ch D....................................................................................10.7 Coty Germany GmbH v Parfumerie Akzente GmbH (C-230/16) [2018] Bus LR 1371, [2017] 12 WLUK 111, [2018] 4 CMLR 9, ECJ.....................................9.28 Crookes v Wikimedia Foundation Inc [2008] BCSC 1424...................................... 6.17 D Doctor’s Associates Inc v QIP Holders LLC and IFilm Corp, Case No 3:06-cv-1710 (VLB) 19 February 2010...................................................................................6.23 Douglas and others v Hello Ltd [2005] EWCA Civ 595, [2006] QB 125, [2005] 3 WLR 881, [2005] 4 All ER 128, [2005] 2 FCR 487..........................................4.48 DPP v Whyte [1972] AC 849, [1972] 3 WLR 410, [1972] 3 All ER 12, [1972] 7 WLUK 83, (1973) 57 Cr App R 74, [1972] Crim LR 556, (1972) 116 SJ 583, HL...................................................................................................................6.20 E Easycar (UK) Ltd v Office of Fair Trading (C336/03) [2005] ECR I-1947, [2005] 3 WLUK 335, [2005] 2 CMLR 2, [2005] All ER (EC) 834, [2005] CEC 577 , ECJ.9.25 Exxon Corp v Exxon Insurance Consultants International Ltd [1982] Ch 119, [1981] 3 WLR 541, [1981] 3 All ER 241, [1981] 6 WLUK 106, [1982] RPC 69, (1981) 125 SJ 527, CA.....................................................................................2.8 F Football Dataco Ltd v Brittens Pools Ltd [2010] EWHC 841 (Ch), [2010] 4 WLUK 384, [2010] 3 CMLR 25, [2010] ECC 31, [2010] RPC 17....................2.5 G G v Wikimedia Foundation Inc [2009] EWHC 3148 (QB), [2009] 12 WLUK 47, [2010] EMLR 14...............................................................................................10.18 Godfrey v Demon Internet Ltd (Application to Strike Out) [2001] QB 201, [2000] 3 WLR 1020, [1999] 4 All ER 342, [1999] 3 WLUK 522, [1999] EMLR 542, [1998–99] Info TLR 252, [1999] ITCLR 282, [1999] Masons CLR 267, (1999) 149 NLJ 609, QBD...................................................................................... 6.13, 6.21 Golden Eye (Int) Ltd and others v Telefónica UK Ltd [2012] EWCA Civ 1740, [2013] Bus LR 414, [2012] 12 WLUK 742, [2013] 2 CMLR 27, [2013] EMLR 26, [2012] Info TLR 419, [2013] RPC 18.....................................10.18 Goodman v J Eban Ltd [1954] 1 QB 550, [1954] 2 WLR 581, [1954] 1 All ER 763, [1954] 3 WLUK 22, (1954) 98 SJ 214, CA........................................................9.8 Google France SARL v Louis Vuitton Malletier SA, Google France v (1) Viaticum (2) Luteciel and Google France v CNRR (C-236/08, C-237/08 and C-238/08) [2010] All ER (D) 23 (Apr), ECJ............................................................ 3.23, 3.24, 3.25 Grant (Helen) v Google UK Ltd [2005] EWHC 3444 (Ch), [2006] 5 WLUK 451....................................................................................................10.18
xxiv
Table of Cases
para
Grupo Torras SA v Sheikh Fahad Mohammed Al-Sabah [1995] 1 Lloyd’s Rep 374, QBD..........................................................................................................10.5, 10.13 Gutnick v Dow Jones & Co Inc [2001] VSC 305 (28 August 2001), Australia.........1.17 I Imperial Tobacco Ltd v Attorney General [1981] AC 718, [1980] 2 WLR 466, [1980] 1 All ER 866, [1980] 3 WLUK 47, (1980) 124 SJ 271.........................5.33, 5.34 Infection Control Enterprises Ltd v Virrage Industries Ltd [2009] EWHC 2602 (QB), [2009] 10 WLUK 615..............................................................................2.31 Interflora v Marks & Spencer [2014] EWHC 4168 (Ch), [2014] 12 WLUK 55, [2015] FSR 13..................................................................................................3.26 Irvine v Talksport Ltd (Damages) [2003] EWCA Civ 423, [2003] 2 All ER 881, [2003] 2 All ER (Comm) 141, [2003] 4 WLUK 33, [2003] EMLR 26, [2003] FSR 35, (2003) 26(5) IPD 26029, (2003) 147 SJLB 421.........................3.3 K Kaschke v Gray [2010] EWHC 690 (QB), [2011] 1 WLR 452, [2010] 3 WLUK 793, [2010] Info TLR 275.........................................................................................6.27 Kogan v Martin [2019] EWCA Civ 1645, [2019] 10 WLUK 163, [2020] ECDR 3, [2020] EMLR 4, [2020] FSR 3, CA....................................................................2.11 L Lane et al v Facebook, Inc et al, case no 5:08-CV-03845-RS..................................4.49 L’Oreal SA v Bellure NV (Case C-487/07) [2010] Bus LR 303, [2009] ECR I-5185, [2009] 6 WLUK 482, [2010] All ER (EC) 28, [2010] CEC 453, [2009] ETMR 55, [2010] RPC 1, ECJ............................................................................................5.26 L’Oreal SA v eBay International AG (C-324/09) [2012] Bus LR 1369, [2011] 7 WLUK 313, [2012] All ER (EC) 501, [2011] ETMR 52, [2012] EMLR 6, [2011] RPC 27, ECJ..........................................................................................3.26 Loutchansky v Times Newspapers Ltd (No 2) [2001] EWCA Civ 1805, [2002] QB 783, [2002] 2 WLR 640, [2002] 1 All ER 652, [2001] 12 WLUK 101, [2002] EMLR 14, [2002] Masons CLR 35, (2002) 99(6) LSG 30, (2001) 145 SJLB 277.................................................................6.12 Lush v Amazon [2014] EWHC 181 (Ch), [2014] 2 WLUK 282, [2014] ECC 28, [2014] FSR 31..................................................................................................3.26 M Mercom & Golden Eye v Virgin Media and others [2019] EWHC 1827 (Ch), [2019] 7 WLUK 245, [2020] FSR 5 ..................................................................10.18 Mercury Communications Ltd v Communication Telesystems International [1999] 2 All ER (Comm) 33, [1999] 5 WLUK 426, [1999] Masons CLR 358, QBD................................................................................................................10.5 Meridian International Services Ltd v Richardson [2008] EWCA Civ 609, [2008] 6 WLUK 50, [2008] Info TLR 139, (2008) 152(23) SJLB 28...............................2.31 Mosley v News Group Newspapers [2008] EWHC 1777 (QB), [2008] EMLR 679, [2008] All ER (D) 322 (Jul)................................................................................4.48 N Navitaire Inc v EasyJet Airline Co Ltd (No 3) [2004] EWHC 1725 (Ch), [2004] 7 WLUK 961, [2005] ECC 30, [2005] ECDR 17, [2005] Info TLR 1, [2006] RPC 3, Ch D.........................................................................................2.2 Nazi memorabilia case. See UEJF and LICRA v Yahoo! Inc and Yahoo! Norowzian v Arks Ltd (No 2) [1999] 11 WLUK 107, [2000] ECDR 205, [2000] EMLR 67, [2000] FSR 363, (2000) 23(3) IPD 23026, (1999) 96(45) LSG 31, (1999) 143 SJLB 279, CA.........................................................2.9 Norwich Pharmacal Co v Customs and Excise Commissioners [1974] AC 133, [1973] 3 WLR 164, [1973] 2 All ER 943, [1973] 6 WLUK 112, [1973] FSR 365, [1974] RPC 101, (1973) 117 SJ 567, HL...............................10.1, 10.18, 10.19, 10.27
xxv
Table of Cases
para
O O2 Holdings Ltd and O2 (UK) Ltd v Hutchison 3G Ltd (Case C-533/06) [2009] Bus LR 339, [2008] ECR I-4231, [2008] 6 WLUK 279, [2008] 3 CMLR 14, [2008] CEC 899, [2008] ETMR 55, [2008] RPC 33, (2009) 32(1) IPD 32001 ...5.26 P Parmiter v Coupland 151 ER 340, (1840) 6 M & W 105, [1840] 1 WLUK 37, Ct of Exch............................................................................................................6.11 Pearce v Ove Arup Partnership Ltd (Jurisdiction) [2000] Ch 403, [2000] 3 WLR 332, [1999] 1 All ER 769, [1999] 1 WLUK 613, [1999] ILPr 442, [1999] FSR 525, (1999) 22(4) IPD 22041, (1999) 96(9) LSG 31, [1999] NPC 7, CA............................................................................................10.7 Performing Right Society, Ltd v Hawthorn’s Hotel (Bournemouth) Ltd [1933] Ch 855, [1933] 6 WLUK 31.............................................................................2.18 Petrotrade Inc v Smith (Jurisdiction) [1998] 2 All ER 346, [1998] 2 All ER 346, [1997] 12 WLUK 428, [1998] CLC 298, QBD.............................................10.5, 10.13 Phones 4U Ltd v Phone4u.co.uk Internet Ltd Phones 4U Ltd [2006] EWCA Civ 244, [2007] RPC 83, CA...................................................................................3.16 Pippig Augenoptik GmbH & Co KG v Hartlauer Handelsgesellschaft mbH (C-44/01) [2003] ECR I-3095, [2003] 4 WLUK 232, [2004] 1 CMLR 39, [2004] All ER (EC) 1156, [2004] ETMR 5, ECJ...................................................5.24 Plastus Kreativ AB v Minnesota Mining & Manufacturing Co (Jurisdiction: Declaration) [1994] 12 WLUK 132, [1995] RPC 438, Ch D...............................10.7 Portakabin v Primakabin (C–558/08) [2011] Bus LR 1339, [2010] ECR I-6963, [2010] 7 WLUK 209, [2011] CEC 552, [2010] ETMR 52, ECJ............................3.25 R R v Perrin (Stephane Laurent) [2002] EWCA Crim 747, [2002] 3 WLUK 691.........6.21 Radio Taxicabs Ltd (t/a Radio Taxis) v Owner Drivers Radio Taxi Services Ltd (t/a Dial-a-cab) (2001) [2004] RPC 351, ChD.........................................................3.16 Ray v Classic FM Plc [1998] 3 WLUK 354, [1998] ECC 488, [1999] ITCLR 256, [1998] FSR 622, (1998) 21(5) IPD 21047, (1998) 95(17) LSG 32, (1998) 148 NLJ 445, Ch D...................................................................................... 2.12, 2.31 Readers Digest Association v Williams [1976] 1 WLR 1109, [1976] 3 All ER 737, [1976] 7 WLUK 149, [1976] Crim LR 628, (1976) 120 SJ. 570, DC.............. 5.32, 5.33 S Sawkins v Hyperion Records Ltd [2005] EWCA Civ 565, [2005] 1 WLR 3281, [2005] 3 All ER 636, [2005] 5 WLUK 433, [2005] ECDR 33, [2005] EMLR 29, [2005] RPC 32, 2 ALR Int’l 761, (2005) 28(6) IPD 28044 ................................2.9 Shetland Times Ltd v Wills, 1997 SC 316, 1997 SLT 669, 1997 SCLR 160, [1996] 10 WLUK 407, [1997] EMLR 277, [1997-98] Info TLR 1, [1998] ITCLR 49, [1997] FSR 604, (1997) 16 Tr LR 158, [1998] Masons CLR 159, [1998] Masons CLR Rep 117, 1997 GWD 1-5, CSOH..................................................5.27 Siemens AG v VIPA gesellschaft für Visualisierung und Prozebautomatisierung (Case C-59/05) [2006] ECR I-2147, [2006] 2 WLUK 621, [2006] 2 CMLR 32, [2006] CEC 752, [2006] ETMR 47, ECJ.............................................................5.26 Sim v Stretch [1936] 2 All ER 1237, [1936] 7 WLUK 52, HL...................................6.11 Smith v ADVFN Plc [2008] EWHC 1797 (QB), [2008] 7 WLUK 799.......................6.11 Smithkline Beecham Plc v Advertising Standards Authority [2000] EWHC Admin 442..................................................................................................................5.13 Sony Computer Entertainment v Owen [2002] EWHC 45 (Ch), [2002] 1 WLUK 411, [2002] ECDR 27, [2002] EMLR 34, [2002] Masons CLR 24, (2002) 25(5) IPD 25031, (2002) 25(5) IPD 25030...........................................2.22 Stichting Brein v Wullems (t/a Filmspeler) (C-527/15) [2017] Bus LR 1816, [2017] 4 WLUK 447, [2017] 3 CMLR 30, [2017] ECDR 14, ECJ........................5.27 Sube v News Group Newspapers Ltd [2020] EWHC 1125 (QB), [2020] 5 WLUK 61, [2020] EMLR 25...........................................................................6.23
xxvi
Table of Cases
para
T Times Newspapers Ltd v United Kingdom (3002/03) [2009] 3 WLUK 229, [2009] EMLR 14 , ECtHR..................................................................................6.12 Tiscali UK Ltd v British Telecommunications Plc [2008] EWHC 3129 (QB), [2008] 12 WLUK 454..................................................................................................5.25 Totalise Plc v Motley Fool Ltd [2001] 2 WLUK 502, [2001] EMLR 29, [2001] EBLR 44, [2001] Masons CLR 87, (2001) 98(19) LSG 37, (2001) 151 NLJ 644, (2001) 145 SJLB 70, QBD...........................................................10.18 U UEJF and LICRA v Yahoo! Inc and Yahoo! France 22 May 2000, Tribunal de Grande Instance de Paris; further considerations 11 August 2000 and 20 November 2000.................................................................................... 5.4, 10.13 University of London Press v University Tutorial Press [1916] 2 Ch 601, 115 LT 301, Ch D...............................................................................................2.2 V Victoria Plum Ltd (t/a Victoria Plumb) v Victorian Plumbing Ltd [2016] EWHC 2911 (Ch), [2017] Bus LR 363, [2016] 11 WLUK 520, [2017] ECC 35, [2017] ETMR 8, [2017] FSR 17................................................3.26 W Wainwright and another v Home Office [2003] UKHL 53, [2004] 2 AC 406, [2003] 3 WLR 1137, [2003] 4 All ER 969, HL....................................................4.48 Wilson v Yahoo! UK Ltd [2008] EWHC 361 (Ch), [2008] All ER (D) 27 (Aug)..... 3.22, 3.23 Y Yahoo! Inc v LICRA, Case No C00–21275-JF-RS, filed 13 April 2001, (US District Court for the Northern District of California)...................................10.1, 10.13, 10.26 Youssoupoff v Metro-Goldwyn-Mayer Pictures Ltd (1934) 50 TLR 581, CA............6.11
xxvii
Table of Statutes [References are to paragraph number and appendices] para
A Administration of Justice Act 1920..10.24 Arbitration Act 1996.......................10.26 s 9..............................................10.6 B Broadcasting Act 1990....................7.32
C Communications Act 2003.......5.20, 7.28, 7.30, 7.31, 7.32, 8.7 s 233..........................................7.30 368A........................................8.8 368B........................................8.7 368D(2)...................................8.9 (3)(za), (zb)......................8.9 (3A).................................8.9 368F.........................................8.12 368G, 36H...............................8.10 368I..........................................8.14 368K........................................8.14 Companies Act 2006................... 9/App 4 s 770..........................................9.3 Competition Act 1998.............. 9.22, 9.28, 9.31 Consumer Credit Act 1974........... 9/App 3 s 84............................................9.27 Consumer Rights Act 2015......... 9.1, 9.16, 10.8, 10.15 Contempt of Court Act 1981 s 10............................................10.18 Contracts (Applicable Law) Act 1990..............................10.14, 10.16 Copyright, Designs and Patents Act 1988........................ 2.4, 2.6, 2.7, 2.12, 2.18, 2.21, 2.22, 2/App, 6.6 s 3(2)..........................................2.7 3A(1)........................................2.4 (2)........................................2.5 6(1)..........................................2.8 9(1)..........................................2.10 10(1)........................................2.11 11(1)........................................2.10 (2)........................................2.11 12............................................2.13
xxix
para
Copyright, Designs and Patents Act 1988 – contd s 12(7)........................................2.13 13A..........................................2.13 13B..........................................2.13 14............................................2.13 15............................................2.13 16............................................2.16 (2)........................................2.20 16–21.......................................2.14 17....................................2.15, 2/App (3)........................................2.15 (6)........................................2.15 18.................................... 2.16, 2/App (2), (3)..................................2.16 18A..........................................2.17 (1)–(3)................................2.17 19.................................... 2.18, 2/App (1), (2), (4)...........................2.18 20.....................................2.19, 2/App (2)........................................2.19 21(1), (3)..................................2.20 28A..........................................2.26 29–50.......................................2.29 50A..........................................2.29 50B..........................................2.29 50C..........................................2.29 51(1)........................................2.15 70............................................2.29 77............................................2.4 80............................................2.4 84............................................2.4 85............................................2.4 90............................................9.3 (1), (3)..................................2.7 91............................................2.7 92(1)........................................2.7 153–156...................................2.7 182–185...................................2.3 222..........................................9.3 296–296ZF...............................2.22 296ZG......................................2.25 Criminal Justice Act 1988 s 160..........................................6.22 Criminal Justice and Immigration Act 2008 s 63............................................6.22
Table of Statutes
para
para
D Data Protection Act 1984...............4.12 Data Protection Act 1998......... 4.12, 4.19, 6.31 s 10............................................6.23 Data Protection Act 2018......... 1.21, 3.19, 4.1, 4.12, 4.13, 4.15, 4.17, 4.19, 4.20, 4.29, 4.30, 6.24, 6.25 s 207(7)......................................4.13 Sch 1 Pt 1.........................................4.17 Pt 2.........................................4.17 Defamation Act 1952.....................6.11 Defamation Act 1996................6.11, 6.27 s 1................................6.13, 6.27, 6.28 (3)..........................................6.13 (5)..........................................6.13 2..............................................6.16 Defamation Act 2013...... 6.11, 6.12, 6.15, 6.23, 6.27, 6.28 s 2..............................................6.13 3(1)–(8)....................................6.13 4..............................................6.13 5..............................................6.27 (1)–(11)..................................6.13 (12)...................................6.13, 6.14 8..............................................6.12 (3)..........................................6.12 9..............................................6.15 (1)–(4)....................................6.18 10............................................6.15 13(1)–(3)..................................6.15 Digital Economy Act 2010........1.18, 1.26, 2.32 Digital Economy Act 2017........1.18, 1.26, 2.1, 2.32
Gambling Act 2005 – contd Sch 2 – contd para 5.....................................5.34 8.....................................5.34
E Education Act 1996........................9.3 Electronic Communications Act 2000..................................... 9.2, 9.9 s 7...........................................9.6, 9.10 8...........................................9.3, 9.10 Elementary Education Act 1870......9.8 European Union (Withdrawal Agreement) Act 2020........10.2, 10.14 F Foreign Judgments (Reciprocal Enforcement) Act 1933...........10.24 G Gambling Act 2005......... 5.34, 5.35, 7.32 s 14............................................5.32 Sch 2 para 2.....................................5.34
H Human Rights Act 1998............. 4.48, 6.11 I Intellectual Property Act 2010.........1.26 Intellectual Property Act 2014.........2.12 Interpretation Act 1978 Sch 1..........................................9.3 J Justice and Security Act 2013..........10.18 s 17(3)........................................10.18 L Law of Property Act 1925 s 52..........................................9/App 4 85–87.....................................9/App 4 Law of Property (Miscellaneous Provisions) Act 1989 s 1(2)(a)....................................9/App 4 2..............................................9.3 Limitation Act 1980...................6.11, 6.12 s 4A............................................6.12 32............................................6.12 O Obscene Publications Act 1959.......6.20, 6.21, 6.22 s 1(1), (3)....................................6.20 2..............................................6.21 (1)..........................................6.20 (5)..........................................6.21 3..............................................6.21 Official Secrets Act 1911.................4.48 P Patents Act 1977............................9.3 s 30............................................9.3 Powers of Attorney Act 1971 s 1............................................9/App 4 Protection of Children Act 1978 s 1..............................................6.22 Protection from Harassment Act 1987.......................................6.23 Public Records Act 1958.................9.3 R Registered Designs Act 1949 s 15B..........................................9.3 Regulation of Investigatory Powers Act 2000.................................4.8 Regulation of Investigatory Powers Act 2016..............................4.8, 4.50
xxx
Table of Statutes
para
para
S Safeguarding Vulnerable Groups Act 2006.................................6.24 Sale of Goods Act 1979...............9.1, 9.16 Statute of Frauds 1677 s 4..............................................9.3
U Unfair Contract Terms Act 1977......9.16
T Trade Marks Act 1994................. 3.6, 5.26 s 10(3)................................... 3.16, 5.26 (6)........................................5.26 11(2)...................................3.16, 5.26
xxxi
V Video Recordings Act 1984.............6.25 W Wills Act 1837................................9.4 s 9..............................................9.2 Wireless Telegraphy Act 2006.........7.32
Table of Statutory Instruments and Codes of Practice [References are to paragraph number] para
A ASA Code................... 4.1, 5.9, 5.11, 5.12, 5.13, 5.14, 5.15, 5.17, 5.25, 5.26, 5.35, 8.12, 8.14 Alternative Dispute Resolution and Online Dispute Resolution and Provision of Services Regulations 2009....................10.8 Association for Television on Demand (ATVOD) 2010........8.7, 8.9, 8.14 Audio Visual Media Services (Codification) Regulations 2010, SI 2010/1883 (the ‘Codification Regulations’).......7.28, 7.32 Audio Visual Media Services Directive Guidance on compliance with Articles 16 and 17 (2010).........................7.33 Audiovisual Media Services (Product Placement) Regulations 2010, SI 2010/831............. 7.28, 7.31, 7.33 Audiovisual Media Services Regulations 2009, SI 2009/2979..........................7.28 Audiovisual Media Services Regulations 2010, SI 2010/419............................7.28 Audiovisual Media Services Regulations 2020, SI 2020/1062............... 7.1, 7.28, 8.8, 8.11, 8.12, 8.13, 8.15 B BCAP Code................................. 5.8, 5.25 BEREC (Body of European Regulators for Electronic Communications) Open Internet Access Regulation 2020.......................................1.25
xxxiii
para
Business Protection from Misleading Marketing Regulations 2008, SI 2008/1276....5.22, 5.24, 5.25, 5.26 reg 6...........................................5.24 C CAP Code (UK Code of NonBroadcast Advertising, Sales Promotion and Direct Marketing)............ 4.35, 5.1, 5.8, 5.9, 5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.19, 5.25, 6.10, 6.24, 6.25, 8.12 r 10.13........................................4.35 15.............................................8.12 22.1..........................................4.35 43.4(c).....................................4.35 General Sections (01–11)............5.11 Specific Category Sections (12–21).......................................5.11 Civil Jurisdiction and Judgments Order 2001, SI 2001/3929......10.4 Civil Procedure Rules 1998, SI 1998/3132..........................10.18 Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing r 6.1............................................6.10 Code of Practice of the Direct Marketing Association.............6.25 Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, SI 2013/3134..................... 9.1, 10.14 reg 36(1), (4), (5).......................9.25 43(2)(b)................................9.26 Sch 4..........................................9.27 Consumer Protection (Amendment etc) (EU Exit) Regulations 2018, SI 2018/1326..........................9.16 Consumer Protection (Amendment) Regulations 2014, SI 2014/870..................5.25
Table of Statutory Instruments and Codes of Practice
para
para
Consumer Protection (Distance Selling) Regulations 2000, SI 2000/2334..........................9.14 Consumer Protection from Unfair Trading Regulations 2008, SI 2008/1277........... 5.22, 5.24, 5.25, 5.26, 6.19, 6.24, 10.8 reg 9...........................................5.24 Sch 1..........................................6.19 Consumer Rights (Payment Surcharges) Regulations 2012, SI 2012/3110................9.1 Copyright and Related Rights Regulations 2003, SI 2003/2498..........................2.21 reg 28A.......................................6.6 Copyright and Rights in Databases Regulations 1997, SI 1997/3032..........................2.5 reg 13......................................... 2.5 Copyright and Rights in Performances (Disability) Regulations 2014, SI 2014/1384..........................2.29 Copyright and Rights in Performances (Personal Copies for Private Use) Regulations 2014, SI 2014/2361..........................2.29 Copyright and Rights in Performances (Quotation and Parody) Regulations 2014, SI 2014/2356..........................2.29 Copyright and Rights in Performances (Research, Education, Libraries and Archives) Regulations 2014, SI 2014/1372..........................2.29 Copyright (Public Administration) Regulations 2014, SI 2014/1385..........................2.29 Crown Prosecution Service Guidance................................6.21 Culture, Media and Sport Committee – Second Report into Press standards, privacy and libel (9 February 2010).....4.48
Defamation (Operators of Websites) Regulations 2013, SI 2013/3028 reg 1-5........................................6.13
D Data Protection (Conditions under Para 3 of Pt II of Sch I) Order 2000, SI 2000/185 art 4, 5........................................4.28 Data Retention (EC Directive) Regulations 2009, SI 2009/859............................4.50
E Electronic Commerce (Amendment etc) (EU Exit) Regulations 2019, SI 2019/87.9.4 reg 3, 4.......................................9.4 Electronic Commerce Directive (Miscellaneous Provisions) Regulations 2018, SI 2018/477............................9.3 Electronic Commerce (EC Directive) Regulations 2002, SI 2002/2013.......... 2.28, 6.14, 6.27, 9.3, 9.13 reg 17.........................................6.27 19.........................................6.27 Electronic Communications Code 1984.......................................2.32 Electronic Signatures Regulations 2002, SI 2002/318..................9.9 European Enforcement Order, European Order for Payment and European Small Claims Procedure (Amendment etc) (EU Exit) Regulations 2018, SI 2018/1311..........................10.25 F Financial Services (Distance Marketing) Regulations 2004, SI 2004/2095............... 9.14, 9/App 3 G Gambling Commission’s guidance Prize competitions and free draws: The requirements of the Gambling Act 2005, December 2009......................5.34 Geo-Blocking Regulation (Revocation) (EU Exit) Regulations 2019, SI 2019/880............................9.30 Google Public Policy Blog: Are IP addresses personal? (22 February 2008).................4.26 Gowers Review of Intellectual Property 2006.........................1.26 H Home Office – Good Practice Guidance for Providers of Social Networking and other Interactive Services..................6.23
xxxiv
Table of Statutory Instruments and Codes of Practice
para
para
House of Commons report – Harmful Content on the Internet and in Video Games.....................................6.28
Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426............4.8, 4.18, 4.30, 4.31, 4.51 reg 4...........................................4.30 6...........................................4.27 (3)......................................4.27 14.........................................4.46 19.........................................4.31 20.........................................4.31 21.........................................4.31 22.........................................4.32 (3)....................................4.33 23.........................................4.32 Provision of Services (Amendment etc) (EU Exit) Regulations 2018, SI 2018/1329................10.8 Provision of Services Regulations 2009, SI 2009/2999.............9.1, 10.8 reg 7...........................................10.8 10.........................................10.8 12.........................................10.8 PSA Code.......................................5.20
I ICO Data Protection Good Practice Note – Collecting personal information using websites (v2.0, 5 June 2007) at p 2..............................................4.27 3..............................................4.26 4..............................................4.28 ICO Age Appropriate Design Code.6.31 Information Commissioner’s Office Age Appropriate Design Code 2020.......................................6.25 Intellectual Property (Exhaustion of Rights) (EU Exit) Regulations 2019, SI 2019/265 reg 4...........................................2.16 International Chamber of Commerce ‘Guidelines on Marketing and Advertising Using Electronic Media’...........5.18 L Law Applicable to Contractual Obligations and NonContractual Obligations (Amendment etc) (EU Exit) Regulations 2019 (Draft).........10.14 O Ofcom Broadcasting Code (with the Cross-promotion Code and the On Demand Programme Service Rules) (2019).....................................7.33 Ofcom in policing – Video-sharing platform regulation.................7.34 Ofcom consultation: Competition in Premium Pay TV Movies: Proposed reference to the Competition Commission 31 March 2010......................8.2, 8.3 P Phone-paid Services Authority Code of Practice......................5.20
xxxv
U Unfair Terms in Consumer Contracts Regulations 1999, SI 1999/2083..........................10.15 United Kingdom General Data Protection Regulation (UKGDPR)...................... 4.13, 4.15, 4.16, 4.17, 4.19, 4.20, 4.22, 4.30, 4.45, 6.24, 6.25, 6.31, 10.18 reg 3...........................................4.13 4(1)................................. 4.24, 4.46 13(f).....................................4.36 21.........................................4.20 45(1)....................................4.36 46(2)....................................4.38 49.........................................4.38 W Wills Act 1837 (Electronic Communications) (Amendment) (Coronavirus) Order 2020, SI 2020/952.......9.2, 9.4
Table of EC and International Materials [References are to paragraph number and appendices] para
CONVENTIONS, TREATIES AND AGREEMENTS ETC Agreement between the BBC and Her Majesty’s Secretary of State for Culture, Media and Sport (‘2006 Agreement’).......8.8 Amendment to the Agreement March 2010................................8.8 Agreement on Trade Related Aspects of Intellectual Property Rights 1994 (TRIPs Agreement).............................2.6 Berne Convention for the Protection of Literary and Artistic Works (Berne Convention).......................... 2.6, 2.7 Brussels Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters 1968.......10.3 Commission Press Release IP/09/570 – ‘Telecoms: Commission launches case against UK over privacy and personal data protection’ (14 April 2009)........................4.49 Commission Staff Working Document, Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices, 3 December 2009...................6.19 Convention for the Protection of Producers of Phonograms against the Unauthorised Duplication of their Phonograms............................2.6 Convention on the Recognition and Enforcement of Foreign Arbitral Awards 1958...............10.6, 10.22, 10.26 Convention on Transfrontier Television (ECTT).....................7.29
para
European Commission Guidance – Frequently Asked Questions Relating to Transfers of Personal Data from the EU/ EEA to Third Countries............4.39 European Convention for the Protection of Human Rights and Fundamental Freedoms art 8....................................... 4.47, 4.48 10..........................................4.48 12..........................................6.11 European Union Guidelines on Vertical Agreements 2010........9.28 Lugano Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters 1988.......10.3, 10.14, 10.23 Lugano Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters 2007......., 10.23 Rome Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention)................2.6, 2.7 Rome Convention on the Law Applicable to Contractual Obligations 1980..........10.14, 10.15, 10.16 Self-Regulatory Principles for Online Behavioral Advertising.. 4.10 Treaty on the Functioning of the European Union (TFEU) art 101.................................. 9.22, 9.28, 9.28, 9.31 102..........................9.22, 9.28, 9.31 Universal Copyright Convention........................... 2.6, 2.7 WIPO Copyright Treaty 1996..........2.6 WIPO Performances and Phonograms Treaty 1996........2.6
xxxvii
Table of EC and International Materials
para
para
Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Web Sites WP 56, 5035/01/EN/FINAL (May 30, 2002).......................4.13 Working Party on the Protection of Individuals with regard to the Processing of Personal Data (Article 29 Working Party).......4.26, 4.27, 4.39, 4.44 p 17............................................4.26
Directive 97/36/EC amending Council Directive 89/552/EEC on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the pursuit of television broadcasting activities OJ L202/60...............7.1 Directive 1999/93/EC on a Community framework for electronic signatures OJ L13/12.................................9.9, 9.10 art 2............................................9.9 5............................................9.9 Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market OJ 2000 178/1..............2.28, 3.26, 6.14, 6.27, 9.3, 9.4, 9.12, 9.13, 9.15, 9.17, 9.31, 10.13, 10.15 art 3..................................... 9.16, 10.13 5............................................9.17 5(1)............................ 9.18, 9/App 1 (a)–(g).......................... 9/App 1 5(2).................................... 9/App 1 6(1).................................... 9/App 2 9............................................9.3 10..........................................9.18 11..........................................9.20 14..........................................6.27 16........................................9/App 2 Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society OJ L167/10................... 2.21, 2.25, 2.26, 2.27, 5.27 Recital 28....................................2.16 art 3(k)........................................2.29 5............................................2.29 6............................................2.23 Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services OJ L108/51..........1.25 art 21(3)(a).................................1.25 Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector OJ L201/37............ 1.25, 4.1, 4.16, 4.18, 4.27, 4.30, 4.34
DIRECTIVES Directive 97/7/EC on the protection of consumers in respect of distance contracts OJ L144/19.............................9.12 Directive 89/552/EEC on the coordination of certain provisions laid down by Law, Regulation or Administrative Action in Member States concerning the pursuit of television broadcasting activities OJ L298/23......7.1, 7.7, 7.8, 7.20, 7.21, 7.22, 7.28, 7.32, 8.7 Directive 89/104/EEC to approximate the laws of the Member States relating to trade marks OJ 1989 L40/1................................. 3.24, 5.26 Directive 90/314/EEC on package travel, package holidays and package tours OJ L158/ 599........................ 9/App 3 Directive 93/13/EEC on unfair terms in consumer contracts OJ L95/ 29............................ 9/App 1 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L281/31..................................4.40 art 29..........................................4.13 Directive 96/9 (Database Directive)................................2.5 art 3.1.........................................2.5 Directive 97/7/EC on the protection of consumers in respect of distance contracts OJ L144/19......... 9.12, 9.14 art 7............................................9.26 8............................................9.27
xxxviii
Table of EC and International Materials
para
para
art 5(3).......................................4.27 9............................................4.46 Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council OJ L149/22..... 5.22, 5.24, 5.25, 6.19 art 2(d).......................................5.24 Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC OJ L105/54..................................4.50 Directive 2006/114/EC concerning misleading and comparative advertising (codified version) OJ L376/21.......... 5.22, 5.23, 5.24, 5.25, 5.26 art 2(b).......................................5.24 (c)........................................5.23 3............................................5.24 4............................................5.24 Directive 2007/65/EC on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the pursuit of television broadcasting activities OJ L332/27...............1.20 art 34..........................................7.1 Directive 2008/122/EC on the protection of consumers in respect of certain aspects of timeshare, long-term holiday product, resale and exchange contracts OJ L33/10.............. 9/App 3
Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws OJ L337/11........................1.25, 4.27 Recital 66....................................4.27 Directive 2010/13/EC on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services OJ L95/1...................... 7.1, 7.2, 7.4, 7.5, 7.6, 7.9, 7.11, 7.14, 7.15, 7.16, 7.18, 7.22, 7.26, 7.28, 7.29, 7.30, 7.31, 7.32, 7.33, 7.34, 7.35, 8.7, 8.8, 8.10, 8.11, 8.12, 8.13, 8.15 Recital 21....................................7.14 Recital 22....................................7.14 Recital 25....................................7.4 Recital 27....................................7.15 Recital 28....................................7.14 Recital 31....................................7.14 Recital 34....................................7.17 Recital 41....................................7.19 art 1(a)..................................... 7.1, 7.3 (aa)......................................7.3 (b).......................................7.6 (c)........................................7.4 (d).......................................7.5 (e).......................................7.7 (g).......................................7.8 (h).......................................7.9 (i)........................................7.10 (k)........................................7.11 (l)........................................7.12 3............................................7.18 5............................................7.23 6............................................7.23 (1)(a)...................................7.18 6A..........................................7.23 8............................................7.23 9............................................7.20 9.1.........................................7.20
xxxix
Table of EC and International Materials
para
para
art 9.2.........................................7.20 11..........................................7.20 12(2).....................................7.19 13..........................................7.29 17..........................................7.23 19..........................................7.20 23(1).....................................7.25 28..........................................7.27 28B(3)...................................7.34 Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare OJ L 88/ 45 art 3......................................... 9/App 3 Directive 2011/83/EU on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/ EEC and Directive 97/7/EC OJ L304/64.................. 9.12, 9.14, 9.15, 9.17, 9.24, 9/App 3 Recital 17....................................9.13 art 2(7).......................................9.14 6............................................9.23 (1).......................................9.23 8(2)............................ 9.22, 9/App 3 9............................................9.25 10..........................................9.25 19....................................... 9/App 3 22....................................... 9/App 3 Directive 2018/1808/EC amending Directive 2010/13/ EU on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services in view of changing market realities OJ L303/ 69.................7.1, 7.6, 7.7, 7.9, 7.11, 7.13, 7.18, 7.20, 7.23, 7.35 Directive 2019/790/EC on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC OJ L130/92................... 2.15, 2.16, 2.19, 2.29, 5.28, 6.4, 6.17 Recital 57....................................5.28 Recital 70....................................6.4 art 15..........................................5.28 17.....................2.1, 2.15, 2.27, 2.28 (1), (4), (5)........................2.28
REGULATIONS Regulation (EC) 40/94 on Community Trade Marks OJ L11/1......................................5.26 Regulation (EC) 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters OJ L12/1........................... 10.2, 10.3, 10.4, 10.6, 10.22, 10.24 art 1(2)(d)...................................10.6 4............................................10.3 5(3).......................................10.7 7............................................10.11 (1).......................................10.11 (a), (b)............................10.11 (2)................................ 10.7, 10.12 (5).......................................10.10 8(1).................................. 10.7, 10.9 18(1), (2)...............................10.8 19..........................................10.22 24..........................................10.22 (4).....................................10.7 25....................................10.5, 10.22 29..........................................10.5 36..........................................10.22 45..........................................10.22 46–51....................................10.22 52..........................................10.22 62..........................................10.4 63..........................................10.4 75(a).....................................10.22 Regulation (EC) 6/2002 on Community Designs OJ L3/1........................................3.4 Regulation (EC) 733/2002 on the implementation of the .eu Top Level Domain OJ L113/1 art 4(2)(b)...................................3.10 Regulation (EC) 805/2004 Creating A European Enforcement Order for Uncontested Claims....... 10.25, 10.26 Regulation (EC) 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (the Regulation on consumer protection cooperation) OJ L364/1....................................1.25 Regulation (EC) No 864/2007 on the Law Applicable to Non-Contractual Obligations (Rome II) OJ L199/40..............10.17 art 8(2).......................................10.17
xl
Table of EC and International Materials
para
para
Regulation (EC) 593/2008 on the law applicable to contractual obligation (Rome I) OJ L177/6........................... 10.14, 10.16 art 4............................................10.16 Regulation (EU) No 330/2010 on the application of Article 101(3) of the Treaty on the Functioning of the European Union to categories of vertical agreements and concerted practices – Vertical Block Exemption Regulation OJ L102/1...............................9.28 Regulation (EC) 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters OJ L351/1............................... 10.2, 10.3 Regulation (EC) 524/2013 of the European Parliament and of the Council of 21 May 2013 on online dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Regulation on consumer ODR OJ L165/1.......10.8 art 14..........................................10.8 Regulation (EC) 2015/2120 laying down measures concerning open internet access and amending Directive 2002/22/ EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union OJ L310/1....1.25 Regulation (EC) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L119/1............. 1.21, 3.13, 3.19, 4.1, 4.12, 4.13, 4.16, 4.17, 4.20, 4.22, 4.26, 4.27, 4.29, 4.30, 4.39, 4.45
Recital 22....................................4.13 Recital 32....................................4.27 art 4(6).......................................4.12 6............................................4.17 9............................................4.17 (2)(g)...................................4.17 Regulation (EU) 2018/302 on addressing unjustified geoblocking and other forms of discrimination based on customers’ nationality, place of residence or place of establishment within the internal market and amending Regulations (EC) No 2006/2004 and (EU) 2017/2394 and Directive 2009/22/EC OJ L60I/1....... 9.28, 9.29, 9.30 Regulation (EC) 51/2019 on the implementation and functioning of the .eu top-level domain name and amending and repealing Regulation (EC) No 733/2002 and repealing Commission Regulation (EC) No 874/2004 OJ L91/25.........3.10
xli
FRANCE Loi Toubon (Loi No: 94-88 du 1 Fevrier 1994)...........................5.4 UNITED STATES OF AMERICA Audio Home Recording Act 1992....2.25 Child Online Privacy Protection Act 1998............................6.24, 6.25 Constitution.......................... 10.13, 10.26 First Amendment........................6.18 Sarbanes-Oxley Act 2002................4.44 Telecommunications Act 1996 (Communication Decency Act 1996) Title V s 230..................................6.18, 6.23
Chapter 1
Technological convergence Introduction – the world of bits 1.1 A bit is a binary digit taking a value of either 0 or 1. Bits are the basic units of digital information storage and communication. Information comes in the form of text, voice, sound and pictures, all of which can be stored and communicated in bits. Technological convergence has resulted in content becoming bits. For example, music was previously recorded onto vinyl, cassette and compact disc; now it is also created, stored and delivered digitally over the internet. As a result of technological convergence, content (products) and services can now be exclusively created, stored and delivered digitally. This chapter: •
examines the rise of IP (intellectual property) protected technology (IT technology) as underpinning convergence;
•
explains and differentiates key technologies such as downloading, streaming, peer-to-peer and IPTV;
•
examines the effect on the legal environment of technological convergence;
•
explains Web 2.0; and
•
touches on the rise of Google and the role of government in intellectual property laws.
Key changes driving content convergence 1.2 The changes in the way information and content is created, stored and delivered have been driven by a series of technological developments. At the heart of these changes has been the rise of the internet and the increasing ability to use IP technology for the delivery of all content. This ability has arisen from a series of technological advances as follows:
Moore’s law 1.3 The ubiquitous nature of personal computers and the consistent reduction in their price has continued since the late 1980s and early 1990s. In particular, the continued trend of Moore’s law (which states that the number of transistors that can be placed inexpensively on an integrated circuit doubles approximately every two years) has resulted in both cheaper and more powerful personal computers
1
1.4 Technological convergence
and devices. The idea that internet access might be obtained on a device as small as a mobile phone would have seemed fanciful to many in the 1980s.
The rise of broadband penetration 1.4 Some 93% of British households had access to the internet at home in 2019. Digital Subscriber Line (‘DSL’) technology enables broadband internet to be provided over a normal telephone line. DSL technology was introduced in the UK in 2000, but initial consumer uptake was slow, due to its high cost and limited speed. DSL speeds have increased dramatically with intense competition between cable broadband operators which has resulted in the price of a broadband connection dropping significantly. Increased accessibility and penetration has driven further take-up and innovation. The launch of BBC iPlayer, for instance, enabled people to stream entire TV programmes direct to their desktop. In the past, consumers would have had to make do with looking up TV listings online. Ofcom’s 2020 research showed that 87% of people aged 16+ in the UK used the internet in 2019, broadly consistent since 2014. In September 2019, 81% of time spent online was on a mobile or tablet device. The number of internet users who used only their computers or laptops to go online continued to decline steadily from 12% in 2017 to 4% in 2019. Ofcom said: The shift away from computer-only use may also have been partly due to the take-up of new connected devices. Our research shows that in 2020, a fifth (22%) of UK adults had a smart speaker in the home and 11% of all UK households own some kind of ‘smart home’ technology (including devices such as smart home security, smart lighting or smart heating). The number of households with internet-connected smart TVs rose to 51% of all adults in 2020, up from 40% in 2019. In 2020 Ofcom found that in the UK 13% of adults never went online (see www. ofcom.org.uk/__data/assets/pdf_file/0028/196408/online-nation-2020-summary. pdf).
Access to better compression technology 1.5 Data compression is the processing of digital data so that it takes fewer bits to reproduce the same (or similar) information. For example, one hour of music can be stored as 600 megabytes of data at CD quality. When an audio CD is ‘ripped’ to create an MP3, data compression techniques are used to convert the data so that it takes only 60Mb of space on an MP3 player. Smaller files are more suited to being distributed over the internet, so it has become possible for users to share music, videos and photographs online. Many people now store their music in the cloud or download it as needed from the internet including websites such as Spotify to their digital devices such as laptops, computers, tablets and mobile phones. There are two downsides to data compression. First, the use of some compression techniques can result in a slight loss of quality from the original. This can be 2
Technological convergence 1.7
addressed by selecting the most suitable compression technique to minimise the perceived loss of quality. Secondly, compression algorithms are computationally intensive because the process of analysing data to encode it more efficiently requires processing the data through several sequential steps, each consisting of many mathematical operations. As a result, a trade-off must be made between quality and speed. The increase in processing power has largely mitigated these considerations and current personal computers are powerful enough to perform complex compression and decompression operations in real time. This opened the door for the provision of audio and video streaming services over the internet which has been one of the biggest additional uses of the internet in the last 15 years particularly as homes in some (but not all) areas of the UK have been able to obtain faster broadband connections suitable to stream video/TV programmes.
IP technology 1.6 Internet Protocol (‘IP’) technology is a common international language that allows a range of devices – from refrigerators to super computers – to communicate anywhere in the world. IP technology was the communications protocol developed to permit communication on the internet. The internet began as a project of the US Government and Massachusetts Institute of Technology in the 1970s and was called ARPANET. It was the first attempt to connect computers into a loose community of inter-related processing centres. ARPANET’s objective was to build a fully reliable communication system that would operate even in the event of a catastrophic crisis such as nuclear war. In ARPANET and subsequently the internet, all communications occur in a packet base system: data files and digital objects are divided into sub-sets of the whole and wrapped in digital packets. These packets are then sent over the network using standard protocols such as Hypertext Transfer Protocol (‘HTTP’) and File Transfer Protocol (‘FTP’). At its simplest, therefore, the internet is a vast series of connected computers. However, its power and versatility results from the way those computers talk and transmit data. This model – the Open System Interconnection (‘OSI’) model – is a layered model. Each layer is itself contained and communicates only with the layer above or below it. The communication between the layers is standardised, while the details of the operations inside the layers are not. The power to this approach is that, if the details of a single layer change, this does not affect the other layers. The relevance of the OSI model is to allow technologists to utilise the applications and services at any particular level without needing to worry about the details of the levels underneath. It is a way of managing the complexity behind the internet.
Traditional content delivery 1.7 Traditional content delivery includes all distribution channels available to move audio and video content from where it is created and/or stored to where it is consumed. Traditional broadcasting is where content is delivered (‘pushed’) over 3
1.8 Technological convergence
wavelengths and frequencies: its most well-known applications are television and radio broadcasting. Traditional models also include distribution of audio and video on physical media (eg CDs) and applications such as closed circuit TV. In technology and business terms, traditional content delivery has the following characteristics: •
there are normally high fixed costs in setting up any traditional content delivery platform where content is ‘pushed’ (eg establishing a television platform or a public telephone network);
•
the service is generally a ‘one-to-many’ service with central control by the content creator or distributor and little ability for the consumer to interact (and consequently, little ability on the part of the rights holder to obtain personal data about its consumers at an individualised level);
•
there is wide divergence of technological standards (eg the standards developed for analogue television are different from those developed for GSM);
•
there is generally a territorial limitation on the content service.
The effect of these characteristics has created a legal model which itself has a number of common factors: •
different content ‘industries’ have been subject to regulation by different regulators (eg until Ofcom was established, there were five legacy regulators in the UK);
•
the ability to prevent copying has been – in general terms – adequately served by the existing intellectual property rights and rights of enforcement (eg stopping the production of infringing CDs is more straightforward than preventing illegal file sharing);
•
there has been little need to consider in depth the laws governing personal data as there has been little opportunity for interaction with the consumer;
•
the views of consumers have created few legal issues as these views cannot be ‘broadcast’ in an interactive manner;
•
it has been possible to regulate effectively content which may be considered harmful to children.
Types of converged technology 1.8 With the growth of the internet and the pervasiveness of IP technology, a range of technologies have arisen which enable digital exploitation of content in different manners. The most important of these are as follows:
Downloading 1.9 Downloading is the process by which information is transferred from a central server to a device able to store and retain that information (eg a personal computer). Uploading is the reverse process by which information is transferred by the remote device to the central server. Downloading is different from streaming (see below). 4
Technological convergence 1.12
Streaming 1.10 This is an alternative method of digital media delivery whereby data is delivered to the recipient device in a ‘stream’ that lasts for the duration of a multimedia programme. The device plays the media content to the end user during the streaming process, which means that the device does not need to store the entire media file before the user can use it. In fact, the device discards the data as soon as it has been used to render the media output to the user. This has advantages for the end user in that the device does not require a large amount of storage space to play media files; it also has important advantages for the content provider as it makes it more difficult for the end user to copy or distribute the media as no file is ever left on his device. The disadvantage of streaming is that it is highly dependent on the network between the server and the consumer device and during periods of high demand users may experience jitter and corrupted output if data cannot be provided to the device in a timely manner although this is becoming less of a problem due to better broadband connections in the UK. These connections were put to the test during a huge increase in working from home during the Covid 19 (coronavirus) pandemic in 2020 which showed a ‘digital divide’ between those homes with good broadband connections and devices and those either with none, on cost or other grounds, or where geographically coverage was poor.
A peer-to-peer network 1.11 A peer-to-peer (P2P) network is one where content is stored and exchanged among a diverse array of independent devices and which does not depend on a centralised server. These systems make it possible for pieces of content to be simultaneously delivered from more than one distributor. For example, when a movie is delivered over a P2P network, the first and second frames may come from two different distributors. P2P networks and P2P file sharing have received a degree of notoriety over the past twenty years as the underlying technology that facilitates the sharing of digital music files operates in a manner which infringes copyright laws. Back in 1999, Napster was released as a centralised unstructured P2P system. This resulted in a host of litigation by the music industry, which only settled after seven years. By 2020 Napster was operated by Rhapsody International offering a subscription download service in 33 countries.
BitTorrent 1.12 This is a type of P2P file sharing protocol used for distributing large amounts of data. Using BitTorrent protocols, a file is broken into ‘pieces’. Users connect to each other directly to send and receive the pieces of the file. However, a central server (called a tracker) coordinates the action of all such peers. The tracker only manages connections; it does not have any knowledge of the contents of the file being distributed. The aim of BitTorrent is that users should upload (transmit outbound) at the same time as they are downloading (receiving inbound). In this manner, network bandwidth is utilised as efficiently as possible. BitTorrent is designed to work better as the number of people interested in a certain file increases. 5
1.13 Technological convergence
Internet Protocol Television 1.13 Internet Protocol Television (IPTV) is a method of content delivery whereby home television users (note – not computer users) receive a mix of continuous television content and video-on-demand content (VoD) using IP technology and a set top box with an internet connection. IPTV services are delivered by ISPs over private networks, which although based on IP technology and which allow access to the internet, are separate from the internet and are not available to users who are not physically connected to the private network. This is known as a ‘walled garden’ private network. Such private networks give ISPs more control over network traffic and therefore control over the quality of the end-user experience, but they require significant infrastructure investment and are typically owned and run by existing telcos and ISPs.
Internet video 1.14 In contrast with IPTV, internet video does not deliver continuous programming, but instead users must select individual programmes one at a time. Internet video also relies on IP technology but does not make use of a private network and users can access programming using any type of internet connection and from any ISP. Internet video is typically viewed on a home computer or internet-enabled devices such as smart phones. An example of internet video is the BBC’s iPlayer.
Video-on-demand (VoD) 1.15 VoD is a generic term for any system that allows users to view any media content selected by the user, such as movies, at any time that they choose. This is in contrast with the traditional broadcasting model where users must wait until their selected programme is broadcast before it can be viewed. Internet Video is a VoD system and IPTV has the capability to provide VoD.
Overview of legal issues in the converged world 1.16 New and converged technologies have driven new business models and customer behaviour. This, in turn, has presented new legal issues.
Jurisdiction 1.17 The ability to view and use digital content anywhere in the world has resulted in the rise of cross-border legal ramifications. For example, in Gutnick v Dow Jones & Co Inc1 the High Court of Australia upheld the right of an Australian citizen to sue for defamation over an article published by Dow Jones. Dow Jones is the publisher of the Wall Street Journal and a related periodical known as Barrons magazine. Barrons is customarily published online and is a subscription-based
1 [2001] VSC 305 (28 August 2001).
6
Technological convergence 1.21
website. Dow Jones operates from New Jersey where its website is located. Both the court at first instance and the High Court of Australia ruled that Gutnick had the right to sue for defamation in Australia, even though only a limited number of subscribers in Victoria, Australia had subscribed to the service containing the offending article. Dow Jones eventually settled with Mr Gutnick.
Immediate and customer-driven copying 1.18 Previous models of copying relied on a physical distribution network (eg a factory reproducing CDs). Convergent technologies (especially P2P) have resulted in the ‘middle-man’ – the distributor – becoming more marginalised. For rights holders, this has resulted in the difficult issue of taking legal action against consumers or looking for other ‘throats to choke’ including, in particular, ISPs. This has led to the controversial Digital Economy Act 2010, which the UK never fully brought into force and then the Digital Economy Act 2017.
Rise of ‘third-party’ liability 1.19 The traditional models of ISPs were akin to infrastructure or telco providers where liability for content is not generally a key issue. Technology convergence has put these businesses in the front-line in dealing with copyright infringements; a role they do not want and did not ask for. But all businesses engaged online now face legal issues as a consequence of Web 2.0 (see paragraph 1.23 below). Web 2.0 allows far deeper engagement with consumers with the corollary that consumers can now answer back. This puts increased focus on liability including for defamatory comments posted by consumers.
Regulatory change 1.20 For audiovisual content, traditional models were broadcast based. There was a ‘one-to-many’ relationship which enabled regulatory control at the point of broadcast. Technology convergence has resulted in a plurality of delivery methods with the result that traditional broadcast models suffer a regulatory disadvantage against internet-based models such as internet video or VoD. This has resulted in the Audio Visual Media Services Directive in an attempt to level the playing field for television-like services. In 2020 the European Commisson issued Guidelines on the Revised Audiovisual Media Services Directive – Questions and Answers following amendments to the directive in 2018 which now is extended to cover videosharing platforms, including certain ‘hybrid’ services such as social media, where the provision of videos and programmes is not the principal purpose of the service, but still constitutes an ‘ essential functionality’ thereof. The guidelines clarify which services will be covered by the rules under this criterion.
Personal data 1.21 Technology convergence is also having a profound effect on the information available about the consumer. Web-based technologies (eg cookies) enable service and content providers to understand consumers and their behaviours at a truly 7
1.22 Technological convergence
individual level. Already technologies are emerging which will enable ad serving to television watching based on internet-browsing behaviours. The importance of data protection laws cannot be understated and few will have missed the introduction of the EU General Data Protection Regulation coming into force in 2018 (and UK Data Protection Act 2018).
The rise of Google 1.22 When the third edition of this book was published in 2002, Google had only just established a sales office in the UK and had worldwide revenues of US$439 million. In 2009, Google had worldwide revenues of over US$23 billion by the time of the 4th edition. At the date of publication of this 5th edition in 2021 it was US$160 billion. The rise of Google requires a different analysis of legal issues, particularly with respect to branding. Previously, issues of trade mark infringement (eg in metatagging) were fundamentally competitor-to-competitor issues. However, now any brand owner must be aware of and understand the limitations of brand protection as a consequence of policies adopted by Google. This is particularly the case with respect to key word searching which we examine in detail in Chapter 3.
Web 2.0 1.23 Before the launch of YouTube in 2005, there were few simple methods available for ordinary computer users who wanted to post videos online. With its easy to use interface, YouTube made it possible for anyone who could use a computer to post a video that millions of people could watch within a few minutes. Since 2005 the World Wide Web has evolved to become an increasingly dynamic and interactive medium. Led by services such as Facebook, YouTube, Wikipedia, Twitter, Instagram, Snapchat, Tik Tok and Whatsapp, social networking and user interactive services are now hugely popular and have become a compelling activity for many internet users. The huge rise in user-generated content is largely due to the evolution of the internet, which is now frequently referred to as ‘Web 2.0’.2 Rather than being characterised by ‘static’ websites, the use of search engines and the ability to surf from one website to another (referred to as ‘Web 1.0’), Web 2.0 represents a fundamental shift towards a more dynamic and interactive internet, where content is generated by users and uploaded and shared easily with others. It is ‘conversational media’ – the role of the audience has changed from being passive to that of a participatory user that takes advantage of interactive opportunities and produces independent content. This participatory and creative user, with access to media, tools and applications, has ultimately affected the underlying strategy of media companies and advertisers who crave and rely upon global audiences. 2 There have been suggestions to name more recent changes to Web 2.0 as ‘Web 3.0’ as artificial intelligence and other changes occur, but there is as yet no agreement on whether to use the term Web 3.0.
8
Technological convergence 1.24
The development of new media and the variety of mobile recording devices have provided the user with the ability to capture and create original and personal content that can easily be uploaded and published on websites. As a result, with user-generated content having become mainstream, it is not surprising that there has been a proliferation of social networking sites. There has been a significant shift in favour of interacting more heavily with the site user and offering greater opportunities for the site user to share personal content through a variety of distribution platforms, such as blogs, wikis, podcasts, social networking sites or virtual worlds. Whether sharing photos, videos on YouTube or Tik Tok, written reviews on Amazon, customising publicly accessible profiles on Facebook, contributing to articles on Wikipedia, contributing to blogs or providing comments to a discussion board or on Twitter, the rise and exploitation of ‘user-generated content’ (or alternatively referred to as consumer-generated media) has been unmistakable and is today’s fastest growing online segment. Society is becoming increasingly dominated by the onset of social media and television broadcasters and advertisers are also embracing user-generated content. No media company can ignore the fact that, where the consumer’s attention is scarce, one of the most effective mechanisms to engage with them is by interacting by user-generated content.
Next generation broadband 1.24 ‘Next Generation’ Network is the term used to describe the replacement of traditional copper telephone networks with a high-speed fibre optic network that can carry a wide range of services including video-on-demand (VoD), internet data and telephony services. They are based on packet-based IP technology in contrast to traditional telephone networks, which are circuit-based. This makes Next Generation Networks more efficient and better suited to carrying large volumes of traffic, especially data traffic. Next Generation Networks consist of NGNs (‘Next Generation Networks’) and NGAs (‘Next Generation Access Network’): •
NGN – this is the upgrade of the backbone networks owned by telcos and ISPs. For instance, BT rolling out a network, based on IP and optical fibre in some areas.
•
NGA – this is the upgrade of the local loop that links the backbone network to residential homes. This requires significant levels of investment, and progress in the UK has been slower than in other developed countries. BT and Virgin Media have begun this.
Next Generation Networks should, in theory, provide the technical underpinning of continued convergence – that is, a single transport platform on which previously distinct service types (video, voice and data) converge. The pace and style of convergence will to some extent be determined by whether the traditional ‘telecom’ commercial model (centralised network management and control) or the ‘internet’ commercial model (open and unfettered access to 9
1.25 Technological convergence
networks) prevails.3 As more and more individuals access the internet on their mobile phones network coverage becomes increasingly important for those without broadband at home. In 2019 5G technology with greater bandwidth began to replace 4G.
Net neutrality and open internet access 1.25 Net neutrality is the principle that ISPs must treat all web traffic equally. No one piece of data should be prioritised over another because of its content, destination or source. ISPs must be truly impartial in merely providing the network over which the data is transferred. But they must not interfere with the availability of that data to end users. There is currently no national, EU or international legislation which enshrines the principle of net neutrality in law. At EU level, an amendment to the Universal Services Directive (2002/22/EU) provides that ‘national regulatory authorities must be able to require undertakings providing electronic communications networks or electronic communications services to provide information about the presence of any traffic-shaping processes operated by the ISP’.4 Whilst this provision does not guarantee net neutrality it does require information to be given to end users where ISPs intend to interfere with net neutrality by introducing ‘traffic shaping processes’. The EU’s Regulation on open internet access grants end users a directly applicable right to access and distribute the lawful content and services of their choice via their internet access service. The EU says that the regulation ‘enshrines the principle of open internet access: internet traffic shall be treated without discrimination, blocking, throttling or prioritisation. At the same time, the EU open internet access rules allow reasonable traffic management and, with the necessary safeguards, “specialised services”’. The EU rules on open internet access came into effect on 30 April 2016, following the adoption of Regulation (EU) 2015/2120 which amended the Universal Services Directive of 2002 mentioned above.
3 For further discussion on this, see the OECD ‘Convergence and Next Generation Networks’ Ministerial Background Report DSTI/ICPP/CISP(2007)2/FINAL. See also Ofcom’s 2020 fixed Terrestrial Links update. 4 Article 21(3)(a) of the Universal Services Directive as amended by Directive 2009/136.
10
Technological convergence 1.26
The EU illustrates this on the graphic below as follows:
On 16 June 2020, the Body of European Regulators for Electronic Communications (BEREC) reviewed and published its updated guidelines to implement the Open Internet Access Regulation. The EU summarised this in the following terms: ‘The new version of these guidelines, prepared based on the experience of national regulators and of the Commission during the last 4 years, provides clarity on commercial offers with differentiated pricing or differentiated quality. The guidelines are adjusted better to fit to future 5G use cases that will offer more flexibility, better quality and specialised services for connected objects.’
The role of government 1.26 Technology convergence has created a conflict between rights holders and platform providers, for example ISPs. As a result, there has been a reassessment of whether current intellectual property laws are ‘fit for purpose’ in this environment. This has, in turn, led to a number of government reviews in this area. The most significant of these reviews in the UK was the Gowers Review of Intellectual Property. In 2005, the government asked Andrew Gowers to head an independent review into intellectual property rights in the UK. He was asked to examine, in particular, whether these rights were appropriate for the digital age and, if not, what changes were needed. Gowers’ report was published in 2006. His overall conclusion was that the IP system was, on the whole, performing satisfactorily and that wholesale reform was unnecessary. The report did, however, make 54 recommendations for improvements to the system some of which have been brought into force, such as the introduction of a limited private-copying exception which allows consumers 11
1.26 Technological convergence
to format-shift legitimately purchased content (eg copying music from a CD to an MP3 player). This measure, Gowers said, had been made necessary by advances in digital copying technology and the way in which consumers recorded, stored and played media. In addition, a private copying exception already existed in a number of other jurisdictions including the US, France and Germany. This change has now been brought into force in the UK. The Digital Economy Act 2010 was controversial and most of its provisions were not brought into force. The Digital Economy Act 2017, a shorter measure, made some changes such as to criminal penalties for copyright infringement. Further discussion of the 2017 Act is in Chapter 2. The Intellectual Property Act 2014 made some minor changes to intellectual property law in the UK, such as changing the default position on ownership of registered design and unregistered design rights where works are commissioned to ensure it was the same as that relating to ownership of copyright.
12
Chapter 2
Digital rights Introduction 2.1 The rise of digital technologies has profoundly affected the way that media – in particular, film and music – is created, delivered and consumed. In 2003, global digital revenue for music was only US$240 million; in 2018, this had risen to US$19.1 billion1. Nevertheless, in the same period total revenues for music fell, reflecting the increasing ease with which music files can be distributed without regard for intellectual property rights and the difficulty of enforcing legal rights. In 2019, revenue fell below US$1 billion for the first time since 2006, dropping 18% year on year to sink to US$856 million. Album downloads fell 21% to US$395 million, while individual track sales dropped 15% to US$415 million. Like adsupported streaming, downloads only accounted for 8% of all revenues from the previous year (2018). In this chapter: •
Copyright – the key intellectual property right that protects digital media – is examined and the limitation of this right is considered in a world where it is possible to make and disseminate perfect copies globally.
•
The EU Copyright Directive 2019/790’s Article 17 provisions are considered.
•
The 2014 changes to copyright fair use and related rights are addressed.
•
The means by which rights holders can enforce their copyright is reviewed together with the law relating to digital rights management (DRM).
• The Digital Economy Act 2017 is mentioned.
The rights protecting digital content Copyright 2.2 Copyright is the right to control the copying and exploitation of certain types of works which are the expression of the creator’s ideas – it does not protect ideas themselves. Put simply, copyright protects against copying.2 A more comprehensive explanation is that copyright is a bundle of specific rights relating to specific types of work, namely: 1 IFPI Digital Music Report 2019. 2 ‘What is worth copying is worth protecting’; a much-quoted statement of Peterson J in University of London Press v University Tutorial Press [1916] 2 Ch 601.
13
2.2 Digital rights
•
original literary, dramatic, musical or artistic works;
•
sound recordings, films, broadcasts or cable programmes; and
•
the typographical arrangements of published editions.
It is important fully to appreciate the scope of the terms mentioned above. For example, a literary work means any work, other than a dramatic or musical work, which is written, spoken or sung. A computer program (namely, the code comprising it) is classed as a literary work. Similarly, photographs are ‘artistic works’. A typical website will contain a large number of individual copyright works, such as graphics, text, animations, video clips, sound recordings, HTML or XML coding and photographs. Whilst it is possible to rely on this copyright to prevent the copying of each of these specific website features, it is much more difficult (at least in the UK) to prevent the ‘look and feel’ of a website from being copied. This was demonstrated in the Navitaire v Easyjet3 case where the claimant was unsuccessful in its claim for copyright infringement in relation to a website of similar appearance and functionality. The specific rights referred to above are the rights of the copyright holder to control the performance of certain ‘restricted acts’ in relation to works subject to copyright (considered in more detail at paragraph 2.14 below). These rights last for particular periods of time (see the table of copyright durations at paragraph 2.13 below). In the website example given above, each of the component copyright works may be the copyright work of one or more persons, and the right protecting each of those works will have a different duration. In a digital world, using a work often involves creating a copy of it (eg loading software onto a computer, downloading an MP3 to a computer and then copying it to an MP3 player, even viewing a website in a web browser). As ‘use’ amounts to copying, copyright laws are triggered giving the owner of those rights the right to (at least in theory) control the use of content protected by these rights.
3 Navitaire Inc v Easyjey Airline Company (1) and Bulletproof Inc (2) [2004] EWHC 1725 (Ch).
14
Digital rights 2.2 Digital Rights 2.2
1
3
2
2 3
4 5
Works protected in website 1 Brand name –property trade marks (see Chapter 3) Typical intellectual rights protected in website 2 Text – copyright in the literary work 1 Brand name – trade marks (see Chapter 3) 3 Images/pictures – copyright in the artistic work 2 Text – copyright in the literary work 4 Download song – copyright in sound recording; separate copyright in 3 Images/Pictures score and lyrics – copyright in the artistic work 5 4 5 6
Download song video –– copyright in film (and separate rights in component Download sound recording parts, eg soundtrack) Download video – copyright in film (and separate rights in component Text –egcopyright in the literary work part, soundtrack) 1515
2.3 Digital rights
Performers’ rights 2.3 Performers (eg the singer and musicians performing a song) are entitled to various rights in their performances, whether these take place on the stage, during a concert and so on. A performance is defined as a dramatic performance (which includes dance and mime), a musical performance, a reading or recitation of a literary work, or a performance of a variety act or any similar presentation, which is, or so far as it is, a live performance given by one or more individuals. Performers also have rights in any recordings, films or broadcasts of their performances. These rights are separate from copyright and moral rights and arise automatically. There are two separate categories of performers’ rights: (a) performers’ nonproperty rights, and (b) performers’ property rights. The non-property rights are set out in CDPA 1988 ss 182–185 and relate to matters such as the performer’s consent being required for recording or live transmission of a performance and certain rights in relation to the importation of illicit recordings. These non-property rights cannot be assigned (although they are transmissible on the performer’s death). The property rights are assignable and give the performer rights in relation to reproduction, distribution, lending and rental and making available of recordings. As property rights, such rights can be transferred and assigned. In November 2013 the term of protection for performers’ rights in sound recordings was extended to 70 years from release. The new protection becomes applicable following the 50th year since the release of the recording.
Moral rights 2.4 In addition to the rights of ownership, the author of a literary or artistic copyright work has certain so-called ‘moral rights’ which are protected under the law. Unlike copyright, which is a property right, moral rights cannot be assigned or licensed, but remain with the author and his or her heirs. As with copyright, moral rights are conferred by the CDPA 1988. In addition to those moral rights granted to authors of such copyright works, the CDPA 1988 also confers certain other moral rights on any person, not just authors. The moral rights conferred by the CDPA 1988 are: •
the right of an author of a literary, dramatic, musical or artistic work, and the director of a film, to be identified as the author or director respectively;4
•
the right of an author of such a work to not have it subjected to derogatory treatment; 5
•
the right of any person to not have a work or film falsely attributed to him as author or director, respectively;6 and
•
the right of any person to privacy in respect of photographs which he commissioned for private and domestic purposes.7
4 5 6 7
CDPA 1988, s 77. CDPA 1988, s 80. CDPA 1988, s 84 CDPA 1988 s 85.
16
Digital rights 2.5
Database rights 2.5 Databases are ubiquitous in the digital world – whether as part of customer relationship management systems, website content management systems or otherwise – and are regarded by businesses as valuable assets in their own right. Databases therefore need special mention. Databases can range from compilations of digital music files to websites with sporting fixture lists. In legal terms, a database is defined as a collection of independent works, data or other materials which (a) are arranged in a systematic or methodical way, and (b) are individually accessible by electronic or other means.8 A database can constitute a copyright work (as a literary work) where it satisfies the relevant criteria. For example, a systematically arranged collection of independent data that is original in creation would qualify as a copyright work, presuming it has been created by a qualifying person (see below). However, a separate standalone ‘database right’ was created by the Database Directive and implemented in the UK through the Copyright and Rights in Databases Regulations 1997. Database right protects the data stored in a database, whereas copyright protects the structure of a database. A person infringes a database right if they extract or re-utilise all or a substantial part of the contents of a protected database without the consent of the owner. Like copyright, database right arises automatically, without requiring registration. It is a property right, meaning it can be sold (assigned) or licensed by the owner. If a database is not original in terms of its selection or arrangement of data, it could attract database right protection but would not attract copyright protection. Of course, certain database rights will attract both copyright and database right protection. Database right subsists in a database if there has been ‘a substantial investment in obtaining, verifying or presenting the contents of the database’.9 It is important to note that the reference to ‘obtaining the contents of the database’ does not refer to resources expended in creating the material contained in the database – rather, it relates primarily to finding existing independently created materials and collecting them as a database. This can pose problems for organisations, such as sports bodies, which attempt to charge others for use of fixture lists and the like. Those sporting bodies claim that database right subsists in the fixture lists themselves, meaning a licence is required to use them; however, the same sports bodies actually create the information comprised in such database themselves.
The problems faced by sports bodies were highlighted in two cases; British Horseracing Board v William Hill 2005 EWCA Civ 863 and Football Dataco v Brittens Pools 2010 EWHC 841. In William Hill, the British Horseracing Board expended significant time, effort and money in compiling an electronic database relating to horse races. The database included such information as the horses running, their owners 8 CDPA 1988 s 3A(1). 9 Regulation 13 of the Copyright and Rights in Databases Regulations 1997, reg 13.
17
2.5 Digital rights
and trainers, the jockeys riding in each race and the dates and location of race meetings. In the Football Dataco case, Dataco produced annual fixture lists for English and Scottish football Premier League and Football League matches. Both BHB and Dataco argued that their database was protected by database right. However, this argument was rejected at trial. The courts looked at the wording in the Database Directive and implementing legislation; a database will only be protected by database right where there is ‘substantial investment in obtaining, verifying or presenting its contents’. These words did not refer to the act of actually creating the material to go into the database in the first place. Rather, they referred to what was subsequently done with that material in terms of collating it and presenting it in database form. There must be some ‘substantial investment in obtaining, verifying or presenting’ the contents of the database at that stage rather than at the earlier collection stage. Both BHB and Dataco were involved primarily in creating the content of their databases and the extra effort made in subsequently ‘obtaining, verifying and presenting’ that material was trivial and so not sufficient to attract database right. Note, however, that Dataco was successful in persuading the court that its database qualified for copyright protection. Whilst the rulings at first glance seem clear, they are difficult to apply in practice. The distinction between what is creating the contents of the database and what is subsequently putting the database together is difficult to apply in practice. One very much overlaps with the other. Also, how should essentially ‘utilitarian’ lists of data, such as football fixture lists or horse-race information, be presented to meet the threshold for database right? There is an obvious limit to how such information can be ‘creatively’ presented such that there will be the required ‘substantial investment in obtaining, verifying or presenting’ it.
Database right lasts for 15 years from the end of the calendar year in which the making of the database was completed, or, if the database was made available to the public before the end of this period, 15 years from the end of the calendar year in which it was first made available to the public. This is a considerably shorter period of protection than for copyright. However, in practice, the contents of databases are constantly being updated and therefore this 15-year period can in effect be a rolling term. Where updates result in a substantial change to the contents of the database, which result in the database being considered to be ‘a substantial new investment’, the updated database will qualify for a new 15-year term of protection. It has been suggested that the threshold of originality for UK copyright protection of a database may be higher than the threshold which applies to other copyright works, because s 3A(2) of the CDPA 1988 (implementing Article 3.1 of the Database Directive) refers to ‘the author’s own intellectual creation’, a concept which does not apply to UK copyright in general. 18
Digital rights 2.6
The first owner of the database right in a particular database will be the creator of it. The creator of a database is defined as the person who ‘takes the initiative in obtaining, verifying or presenting the contents of a database and assumes the risk of investing in that obtaining, verification or presentation’. It is not clear if this means that unlike with copyright the person commissioning/paying for the work might own it by default unless a contract says otherwise (the opposite position than that which applied to copyright ownership). If that were so that is a difficult problem, because many databases have both copyright and database right in them, and it would be very complex were the default ownership position to differ between the rights. This makes it all the more important that contracts are drawn up in advance before any work on the database is undertaken and that the contract states which party will own the resulting intellectual property rights. Sometimes rights only pass on payment in accordance with a term in the agreement too. Where a database is created by an employee in the course of his employment, the employer will be regarded as the creator of the database, subject to any agreement to the contrary.
Jurisdictional issues about copyright 2.6 Copyright law in the UK is derived from national and European legislation and international conventions and treaties to which the UK is party. In the UK, the key piece of legislation is the Copyright, Designs and Patents Act 1988 (as amended). However, it is important to appreciate that although governed by national law, the rights and protections afforded by copyright are not confined to national borders. As a result of various international treaties and conventions, which have sought to harmonise aspects of intellectual property laws across the world, copyright works created in one country which is a signatory to those treaties and conventions will be treated as copyright works in the other signatory countries and will be afforded certain minimum protections (eg minimum terms of protection). Therefore copyright is very much an international right, albeit with the specific terms and scope of protection subject to variation from country to country. This concept is vitally important to ensuring the protection of copyright works in the internet age when use and exploitation of copyright works inevitably takes place on a global basis. Furthermore, these treaties and conventions also mean that performers’ rights and moral rights are also harmonised to an extent. The main copyright conventions and treaties to which the UK is a signatory are as follows. None of them are EU bodies so the UK’s position is unaffected despite leaving the European Union on 31 January 2020: •
The Berne Convention for the Protection of Literary and Artistic Works (more commonly known simply as the ‘Berne Convention’);
•
The Universal Copyright Convention;
•
The Rome Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (more commonly known simply as the ‘Rome Convention’);
•
The Convention for the Protection of Producers of Phonograms against the Unauthorised Duplication of their Phonograms; 19
2.7 Digital rights
•
The Agreement on Trade Related Aspects of Intellectual Property Rights 1994 (known as the ‘TRIPs Agreement’);
•
The WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty (which amended the Berne and Rome Conventions).
An explanation of copyright and the works protected by copyright Automatic protection 2.7 Copyright subsists in works capable of copyright protection regardless of the media on which they happen to be recorded or accessed. It arises automatically provided certain conditions are met and without the need to register to benefit from its protection. In the US, registration is not required but registration will confer certain additional advantages on the copyright owner and is possible there. Often it is registered in the US just before litigation is started. In the UK, copyright cannot be registered.10 Copyright is a very flexible and powerful legal tool with which to control another’s use of and access to the works it protects and to enable the copyright holder to exploit the works for commercial gain. However, unlike trade marks and patents, copyright protection does not confer a monopoly – provided that no copying has taken place, a work that happens to be similar or even identical will not infringe the copyright in another work. In order for a work to be protected by copyright in the UK it must (a) be original, and (b) in the case of a literary, dramatic or musical work, be recorded (or ‘fixed’) (eg in writing or otherwise such as film, audio or video tape or computer disk).11 ‘Original’ does not mean that the work must be an expression of original or inventive thought, but that the expression must be original and created by the author and not copied (eg an arrangement or edition of an eighteenth century piece of music which is produced today can be, as to the arrangement but not the base original work, the copyright work of the arranger or editor, even though the original music will not be protected by copyright). In addition to the requirement of originality for literary, dramatic, musical or artistic works (but not for other kinds of work) copyright will be protected within the UK only if: •
the author is a qualifying individual;
•
the country in which the work was first published is a qualifying country; or
•
in the case of broadcast or cable programmes, the country in which the broadcast was made or the cable programme was sent is a qualifying country.12
10 In particular, if registration is made within three months of publication or prior to an infringement, statutory damages and attorney’s fees will be available to the copyright owner in court actions (see www.copyright.gov). 11 CDPA 1988 s 3(2). 12 CDPA 1988, ss 153–156.
20
Digital rights 2.8
‘Qualifying individual’ means a British national, a UK resident or a UK body corporate. It also includes the subjects of some British colonies. ‘Qualifying countries’ include the UK, EEA and countries with which the UK has a treaty obligation. As the UK is a party to the Berne Convention, the Rome Convention and the Universal Copyright Convention (see paragraph 2.6 above), there will be very few works that do not qualify. Copyright is a property right that can be dealt with. It can be ‘sold’ which is usually actioned through an assignment. It is personal or movable property and may be charged or licensed.13 An assignment can be partial. Even future copyright works can be assigned or licensed.14 A copyright may be licensed exclusively, but an exclusive licence must be in writing and signed by or on behalf of the copyright owner.15 A non-exclusive copyright licence need not be in writing. An assignment of copyright must be in writing and signed by16 or on behalf of the assignor in order to be effective.17
Do I need a copyright notice? The Copyright, Designs and Patents Act 1988 does not require a work to incorporate a copyright notice. However, it is advisable to include one because it puts the world on notice that copyright exists and that action may be taken if the work is copied. The notice may also be useful in infringement proceedings as it raises a presumption that the person named on the work is the author of it and will protect the claimant’s right to damages for the infringement. It may also help to found a criminal action. The notice should be in the following form and order: © [name of copyright owner and date of creation or publication] eg © Bloomsbury Publishing Plc 2020
Types of copyright work 2.8 The following are the general categories of copyright: •
Literary works encompassing any work, other than a dramatic or musical work, which is written, spoken or sung. They include a table or compilation and computer programs. Examples of literary works would include (apart from obvious materials such as newspapers, magazines and books) works such as software, software documentation, flow charts, tables and electronic
13 CDPA 1988, s 90(1). 14 CDPA 1988, s 91. 15 CDPA 1988, s 92(1). 16 See para 9.3 for an explanation of the issues connected with assignments of intellectual property in a wholly electronic context. 17 CDPA 1988, s 90(3).
21
2.8 Digital rights
directories, graphics, HTML coding and JavaScript. A text of a document reproduced on the internet would constitute a literary work as would texts of emails and texts appearing on websites and the layout of a web page. Literary works would also include directories, translations, abridgements, adaptations, etc, provided that sufficient ‘skill, labour and judgment’ has been expended in their creation. •
Dramatic works including works of dance or mime and scenarios or scripts of films. Some of these may exist separately as literary works. However, titles would be excluded on the basis that they are too insignificant18 (unlike, for example, Italian copyright law which specifically protects titles of work).
•
Musical works including works consisting of music, exclusive of any words or action intended to be sung, spoken or performed with it. Certain secondary activities such as arrangement of scores and orchestrating would qualify as protectable copyright works provided sufficient skill, labour and judgment is involved in their creation. They may exist in various physical forms, such as sheet music, CDs, audio and digital tapes or any other electronic medium.
•
Artistic works irrespective of artistic quality this includes all manner of graphic art, photography, sculpture and collages, works of architecture and works of artistic craftsmanship, bitmaps, diagrams, engravings, architectural and technical drawings. Graphics, photographs and artwork used within a website would constitute artistic work.
•
Film including recordings in any medium from which a moving image made by any means may be produced. It includes an accompanying soundtrack (but has not always done so). Moving images include video clips on websites.
•
Broadcasting meaning a transmission by wireless telegraphy of visual images, sounds or other information which (a) is capable of being lawfully received by members of the public, or (b) is transmitted for presentation to members of the public. Contents of a radio and television broadcast which are digitally reproduced over the internet would amount to broadcasting.19
•
Sound recording, recording of sounds, from which sounds may be reproduced, or a recording of the whole or any part of a literary, dramatic or musical work, from which sounds reproducing the work or part may be produced. Soundtracks are included and the sounds do not have to be musical or have any meaning to the listener. Digital sound effects would constitute sound recordings. However, the sound recording has to be original and should not be a copy of a previous sound recording or film.
•
Cable programme including any item comprised in a cable programme service. Cable programme service means a service which consists of visual images, sounds or other information through a telecommunication system other than by wireless telegraphy for reception at two or more places or for presentation to members of the public.
18 Exxon Corporation v Exxon Insurance Consultants International Ltd [1982] Ch 119. 19 CDPA 1988, s 6(1).
22
Digital rights 2.10
Multi-layered copyrights 2.9 A single work may actually embody several individual copyright works. For example, in a music video which appears on a video sharing website, the following copyright works will be relevant: Category of work
Examples
Literary Works
The lyrics to the song (if any) The song title would probably not be protected as it is unlikely to qualify as a literary ‘work’.
Dramatic Works
A dance routine provided that it is something which could be performed and reproduced.20
Musical Works
Music – defined as ‘combining sounds for listening to’ (Sawkins v Hyperion Records Ltd [2005] EWCA Civ 565) and more than ‘mere noise’. Not just the actual notes covered but can include the performing directions or ornamentation.
Sound Recording
The actual recording of the song being played. Note that in respect of a sound recording, each recorded track will have two main elements, with separate copyrights subsisting in each, namely: the copyrights in the musical and lyrical composition and the copyright in the sound recording itself.
Film
The video element of the song. The recording of a moving image.
Ownership of copyright 2.10 The first owner of copyright is the author (CDPA 1988, s 11(1)). The author is the person who creates the work (CDPA 1988, s 9(1)). In relation to the following types of works, the creator is taken to be: •
literary works – the writer;
•
sound recordings – the producer;
•
photographs – the photographer;
•
films – the producer and principal director;
•
broadcast – the person transmitting the programme (if he has any responsibility for its content) and any person providing the programme, who makes with the person transmitting it the arrangements for the transmission;
•
cable programme – the person providing the cable programme service in which the programme is included;
•
typographical arrangement of a published edition – the publisher; and
20 Norowzian v Arks Ltd and others (No 2) [1999] All ER 1214 – film was not a dramatic work as the dance in it could not be something a person could reproduce. The effect of the dance was created by the filming and editing techniques used.
23
2.11 Digital rights
•
computer-generated works – the person by whom the arrangements necessary for the creation of the work are undertaken.
Joint authorship 2.11 It is also possible to have works of joint authorship where a work is produced by the collaboration of two or more authors whose respective contributions are not distinct from that of the other author or authors.21 This is of particular relevance to websites as they comprise various composite works created by different people who could claim authorship. In order to do so, the contribution of each author has to amount to sufficient skill and labour. Helping to fix errors, carrying on testing or suggesting ideas would not constitute sufficient skill and labour to justify joint authorship.22 Where a literary, dramatic, musical or artistic work is created by an employee in the course of his employment, the employer is the first owner of any copyright in the work, subject to any agreement to the contrary.23 In Kogan v Martin and others [2019] EWCA Civ 1645 the court examined a screenplay a couple had devised which ended up a blockbuster success as the film Florence Foster Jenkins grossing US$56 million for the film company. The Court of Appeal overturning the court below held that despite a lesser role in the devising of the screenplay Ms Kogan was a joint author. The court reviewed the law in this field and noted that there were four requirements for joint authorship – collaboration, authorship, contribution and that contributions must not be distinct (CDPA 1988 s 10(1)) and set out eleven important requirements of joint authorship at paragraph 53 of the judgment as follows: 1. A work of joint authorship is a work produced by the collaboration of all the people who created it. 2. There will be a collaboration where those people undertake jointly to create the work with a common design as to its general outline, and where they share the labour of working it out … 3. Derivative works do not qualify. Works where one of the putative authors only provides editorial corrections or critique … do not qualify. Ad hoc suggestions of phrases or ideas … do not qualify. 4. In determining whether there is a collaboration to create a literary or artistic work it is never enough to ask ‘who did the writing?’… For example there may be joint authorship if one person creates the plot and the other writes the words … 5. Joint authors must be authors, in the sense that they must have contributed a significant amount of the skill which went into the creation of the work … The statutory concept of an author includes all those who created, selected or gathered together the detailed concepts or emotions which the words have fixed in writing. 21 CDPA 1988, s 10(1). 22 Copinger and Skone-James on Copyright (18th edn). 23 CDPA, 1988 s 11(2).
24
Digital rights 2.12
6. Contributions which are not ‘authorial’ in the above sense do not count … 7. The question of what is enough of a contribution is to be judged by the Infopaq test, ie whether the putative joint author has contributed elements which expressed that person’s own intellectual creation. The essence of that term is that the person in question must have exercised free and expressive choices. The more restrictive the choices the less likely it will be that they satisfy the test. 8. The contribution of a putative joint author must not be distinct. 9. There is no further requirement that the authors must have subjectively intended to create a work of joint authorship. 10. The fact that one of the authors has the final say on what goes into the work may have some relevance to whether there is a collaboration, but is not conclusive … 11. It follows that the respective shares of joint authors are not required to be equal, but can reflect, pro rata, the relative amounts of their contributions.
Commissioned work 2.12 The employer automatically owns works created by employees under CPDA 1988, similar to the US law of ‘work for hire’. However those who are not employees (ie not PAYE employees but contractors, consultant, freelancers and the like) retain their copyright. This is a particular problem with sectors such as software development or advertising, where assignments have to be taken from independent or freelance contractors, even if under local law the commissioner owns the copyright. This means that if an independent contractor is used to generate a copyright work, he (or his employer) will be the first owner of the copyright. If the party commissioning the work (ie the client) wishes to become owner, then he or she must take an assignment. Otherwise at best the client either has equitable title or is an equitable exclusive licensee. Since the Intellectual Property Act 2014 the same principle applies to commissioned registered designs and design right. It is important to acquire the rights from the outset as the commissioner of the works cannot sue a third party for infringement unless he owns or has an exclusive licence to use the copyright work. Where there is no written clarity on ownership of rights the courts have held that the most limited licence necessary to give efficacy to the contractual arrangement will apply (often a non-exclusive limited licence – see Ray v Classic FM Plc [1998] EWHC Patents 333). Even though the commissioner may not own the copyright in the work, the commissioner is likely to be able to use the work under a licence (see paragraph 2.27 below). If the consultant is an employee of his or her own limited company such as a personal service company, in the same way the copyright will vest in that limited company although not all such consultants are employees of their own company – some are directors but not employees for example. The situation can also be complicated where a company director of a small company does not assign copyright such as in software to the company he or she founds with their business partner and later wishes to leave the company taking the copyright which is probably only 25
2.13 Digital rights
implied licensed and which licence could be terminable on reasonable notice. The question of a director’s fiduciary duties to his company can also be relevant where he or she wishes to take back their intellectual property which they had allowed the company to use. This illustrates the importance of ensuring that even shareholders’ agreements and partnership and LLP agreements deal with ownership of IP issues.
Table of copyright durations 2.13 Work
Duration
Literary, dramatic, musical or artistic work (including a photograph)
70 years from end of the calendar year when the author dies. If author is unknown, 70 years from end of the calendar year when made or when first made available to the public (CDPA 1988, s 12).
Computer-generated work
50 years from end of the calendar year when made (CDPA 1988, s 12(7)).
Sound recording
70 years from end of the calendar year when made or released (CDPA 1988, s 13A).
Film
70 years after the calendar year of the death of the last to survive of the principal director, the authors of the screenplay and dialogue, and the composer of any music specially created for the film (CDPA 1988, s 13B).
Broadcast and cable programme
50 years from end of the calendar year when broadcast or included in cable programme service (CDPA 1988, s 14).
Typographical arrangement of published edition
25 years from the end of the calendar year from which the edition was first published (CDPA 1988, s 15).
Acts restricted by copyright 2.14 CDPA 1988 ss 16–21 set out the acts which are restricted by copyright in the absence of permission from the copyright holder. In other words, the copyright owner has an exclusive right to do, or authorise others to do, these acts. In the absence of express indication to the contrary, the restricted acts apply to each of the various categories of works, insofar as is possible. The acts fall into two broad groups: the first relating to the reproduction of a copyright work; the second dealing with temporary use of a copyright work (eg playing a sound recording).
Copying (CDPA 1988 s 17) 2.15 Copyright is infringed by copying the whole, or a substantial part of, any form of copyright work. Copying means the reproduction of a work in any material form, including by producing an electronic copy of a work (eg on downloading a song and storing it on a computer). Copying in the case of a film or broadcast includes making a photograph of the whole or any substantial part of any image that 26
Digital rights 2.16
forms part of the film or broadcast, or a substantial part of that film, is copied. This means that each frame of a film or broadcast is therefore protected by copyright. The EU Copyright Directive 790/2019 will make some changes to copyright in the EU in 2021, but not in the UK as the UK has chosen not to implement this directive as its implementation date is not only after the UK left the EU on 31 January 2020 but also after the end of the post-Brexit interim period (ie after 31 December 2020). This section addresses UK copyright law but those operating in the EU should also bear in mind the provisions of Directive 790/2019 once it is in force. In the 27 EU Member States from 2021 that directive will make some changes to EU Copyright Law such as a limited new right for research purposes to engage in data mining and Article 17 imposes stricter liabilities on companies such as YouTube to check material does not infringe IP rights. Such was the controversial nature of the measure that thousands of people took to the streets in Germany to demonstrate against it. In the case of artistic works, a two-dimensional artistic work is protected from being converted into a three-dimensional work and vice versa.24 This protection is limited in relation to engineering or design drawings as copyright in a design document, which can be any form of record of a design, or a model of anything which is not an artistic work will not be infringed if something is made to the design in question or if an article which itself was made according to the design is copied.25 Particularly of relevance to the digital era is the restriction on creating copies which are transient in nature or incidental to the use of the work.26 For example, computers routinely store transient copies of web pages accessed during a browsing session and copyright subsisting in works that are stored on a temporary basis could potentially infringe copyright. An exemption to protect ISPs was introduced as part of the amendments to UK and European Union (EU) copyright laws implemented by the Copyright Directive, discussed below at paragraph 2.25. The concept of copying is wide. It could, for example, apply where a photograph is copied by painting the subject matter of the photograph, or where a story is turned into a play, provided that in any case the whole or a substantial part of the copyright work has been copied. Whether a substantial part of a work has been copied will be a question of fact in each case, based on whether the part copied forms a substantial part of that work as a whole. In assessing whether a substantial part has been copied, the qualitative nature of the part copied is assessed, rather than the quantity of copied material. This means that in some instances, copying only a very small part of a work could infringe copyright, for example if a well known line of a song is copied.
Issuing copies to the public (CDPA 1988, s 18) 2.16 The issuing of copies of a copyright work to the public is a restricted act for each category of work. The restriction relates to the first release of copies into circulation. Issuing copies means putting into circulation, in the case of the EEA, copies which were not previously circulated in the EEA by or with the consent of 24 CDPA 1988, s 17(3) . 25 CDPA 1988 s 51(1). 26 CDPA 1988 s 17(6).
27
2.16 Digital rights
the copyright owner, and in relation to outside of the EEA, where copies were not previously circulated in the EEA or elsewhere.27 The restriction in relation to issuing copies of a work concerns the first circulation of copies or the first circulation of the original work. There will be no issuing of copies to the public where there is a distribution, sale, hire or loan in the EEA or distribution into the UK of copies that have previously been circulated in the EEA.28 This principle of ‘exhaustion of rights’ means that the secondary trade of copyright works is not restricted in the EEA, upholding the doctrine of free movement of goods in the EU. A copyright owner cannot object to the circulation of his works anywhere in the EEA after copies have been issued in one member state of the EEA with the copyright owner’s consent. For example, if a book were published in France and sold 100 copies, the owner of the copyright in the book could not prevent, on the grounds of copyright infringement, those 100 copies from subsequently being sold to someone in the UK. The wording of the restriction on the issuing of copies refers to the EEA and on a literal reading suggests that copyright could be infringed if copies are put into circulation in the UK, the EEA or anywhere in the world. Copinger and Skone James29 suggest that such an interpretation cannot be correct due to the territorial nature of copyright protection. Section 16 of the CDPA 1988 summarises the acts that a copyright owner has the exclusive right to do in terms of the UK. Copinger and Skone James’s reason is that the wording in s 18 relating to the issuing of copies to the public is subject to s 16 and therefore the interpretation of s 18 should be that if a copy has not been put into circulation in the EEA or anywhere in the world, it is a restricted act to put it into circulation into the UK for the first time. It is not clear whether the act of making available electronic copies of a work would be considered to be putting such copies into circulation. The Copyright Directive seems to suggest that the copyright owner’s exclusive right to authorise or prohibit distribution of their work requires there to be a tangible article.30 In contrast, the wording of the CDPA 1988 is wide enough to cover both tangible and intangible (including transient) copies. In the digital era, it would be prudent to assume that electronic copies will be caught by s 18. In relation to the UK’s departure from the EU on 31 January 2020 – and in particular the position after the post-Brexit interim period ie from 1 January 2021 – the UK has legislated to amend CDPA 1988 s 18(2) through the Intellectual Property (Exhaustion of Rights) (EU Exit) Regulations 2019 with the effect that copyright-protected works imported from the EEA still have rights exhausted in relation to them by virtue of a first sale in the EEA. Thus a UK copyright owner could not stop the import. Whether a first sale in the UK would exhaust rights of eg a French copyright owner and prevent the owner from asserting copyright to prevent an import from France under the December 2020 EU–UK Trade & Cooperation Agreement will be for the EU to decide as this agreement allows the UK and EU to set their own IP exhaustion of rights rules. 27 CDPA 1988 s 18(2) as amended by reg 4 of the Intellectual Property (Exhaustion of Rights) (EU Exit) Regulations 2019 (SI 2019/265) with effect from ‘exit day’ 31 January 2020, to add ‘the UK’. 28 CDPA 1988 s 18(3). 29 Copinger and Skone James on Copyright (15th edn), para 7-80. 30 Recital 28 of the Copyright Directive.
28
Digital rights 2.18
Rental/lending to the public (CDPA 1988, s 18A) 2.17 The rental or lending of a copyright work is restricted in relation to: •
a literary, dramatic, musical work;
•
an artistic work (but not works of architecture in the form of a building or model for a building, or works of applied art – where an artistic work has been applied, usually by an industrial process, to an object); or
•
a film or sound recording.31
‘Rental’ covers the provision of copies on terms that the copies will or may be returned for ‘direct or indirect economic or commercial advantage’. ‘Lending’ means the temporary loan of copies on the basis that they will or may be returned, otherwise than for direct or indirect economic or commercial advantage, through an ‘establishment which is accessible to the public’, most obviously public libraries.32 The provision of electronic copies is thereby not restricted by this right as rental or lending requires there to be an expectation that the copy will or may be returned. Three activities are expressly excluded from renting or lending: the use of copies for the purpose of a public performance; showing, communicating or playing a work, or exhibiting it in public; or on the spot use of a copy for reference purposes.33
Performance in public (CDPA 1988, s 19) 2.18 Performance of a work in public is restricted in relation to a literary, dramatic or musical work.34 Performance has a broad meaning under the CDPA 1988 and includes lectures, addresses, speeches and sermons, as well as any mode of visual or acoustic method of presentation of the work, which includes sound recordings, films or broadcasts of the work.35 There is a limited exception in relation to broadcast performances. Where copyright in a work is infringed as a result of it being performed, played or shown in public through the use of apparatus for receiving visual images or sounds conveyed by electronic means, the person by whom the images or sounds are sent and the performers shall not be regarded as responsible for the infringement.36 This will mean in practice that the broadcaster or ISP will not be held responsible for the infringement. Similarly, the performers in the performance that is broadcast or made available online will not infringe copyright (CDPA 1988 s 19). The courts have interpreted what will be considered to be a public performance broadly; it seems that only domestic or family situations will not be considered to be public in the context of performances in public. It is clear that there is no
31 CDPA 1988 s 18A(1). 32 CDPA 1988 s 18A(2). 33 CDPA 1988 s 18A(3). 34 CDPA 1988 s 19(1). 35 CDPA 1988 s 19(2). 36 CDPA 1988 s 19(4).
29
2.19 Digital rights
requirement for payment (either by the audience or payment to performers) for a performance to be ‘public’.37 Also, music played on a website can amount to a performance of the musical work in public, provided that the website is generally accessible by the public.38
Communication to the public (CDPA 1988, s 20) 2.19 The restriction on public performance of a copyright work is expanded by CDPA 1988 s 20 amended as a result of the Copyright Directive. This restricts any communication to the public of: •
a literary, dramatic, musical or artistic work;
•
a sound recording or film; or
•
a broadcast.
Communication under this section means all communications by electronic transmission and includes not only broadcasting of the work but also the ‘making available to the public of the work by electronic transmission in such a way that members of the public may access it from a place and at a time individually chosen by them’ (CDPA 1988, s 20(2)). A broadcast means the transmission of the work for simultaneous reception by members of the public where the person making the broadcast determines the time the transmission is made. Making a work available particularly applies to streamed, on-demand and other interactive content accessible over the internet. Making the copyright work available for streaming etc is sufficient for there to have been a communication to the public and an infringement of copyright.
Other restricted acts 2.20 The making of an adaptation of a literary, dramatic or musical work is a restricted act39 and such an adaptation will infringe copyright in the original work. The adaptation is made when it is recorded in some form, for example in writing or in the form of a sound recording. All of the restricted acts set out above also apply to adaptations of a copyright work and making an adaptation from an existing adaptation is also restricted. An adaptation includes:40 •
a translation;
•
a version of a dramatic work which has been converted into a non-dramatic work (eg copying the dialogue of a film and turning into a script);
•
a version of a non-dramatic work which has been converted into a dramatic work (eg turning a novel into a film screenplay);
37 Performing Right Society, Ltd v Hawthorn’s Hotel (Bournemouth) Ltd [1933] Ch 855. 38 Brown v Mcasso Music Productions [2005] EWCA Civ 1546. 39 CDPA 1988 s 21(1). 40 CDPA 1988 s 21(3).
30
Digital rights 2.22
•
a version of a work whereby the story or action is conveyed wholly or mainly by pictures in a form suitable for reproduction in a book, newspaper, magazine or similar periodical (eg making a cartoon of a novel);
•
in relation to a computer program, an arrangement or altered version of the program or a translation of it (eg translating the source code of a computer program into binary code);
•
a different arrangement, altered version or translation of a database;
•
a different arrangement or transcription of a musical work.
It is therefore possible that in some circumstances the same act will infringe both the copyright owner’s reproduction right and adaptation right. The act of authorising another person to do one or more of the restricted acts above is itself an infringing act unless the permission of the copyright owner has been obtained.41 Authorisation requires there to be a grant or purported grant (which may be express or implied) of the right to carry out a restricted act. Simply enabling another to infringe copyright will generally speaking not constitute an authorisation. This principle was expressed in CBS Songs Ltd v Amstrad Consumer Electronics Plc.42 In the case, twin deck cassette hi-fis sold by Amstrad were not held to be authorising copyright infringement, although they provided a means by which a person could infringe copyright.
The Copyright Directive 2001 – restricted acts 2.21 The Copyright Directive (also known as the Information Society or ‘InfoSoc’ Directive) was implemented into English law on 31 October 2003 through the Copyright and Related Rights Regulations 2003 and introduced various amendments into the CDPA 1988. The Copyright Directive was a step forward in adapting copyright law to the digital era, characterised by the exponential increase in content that is now accessed over the internet. The key changes introduced by the Copyright Directive are summarised below. Many of the changes reflect the shift in technology towards ever-greater use of the internet.
Digital rights management 2.22 Member States are required to provide adequate legal protection to prevent the circumvention of technological measures that have been designed to protect a copyright work.43 Technological measures mean any device, technology or component which is designed, in the normal course of its operation, to prevent or restrict acts in relation to a copyright work which are not authorised by the copyright owner. For example, encryption technology may be used to prevent unauthorised copying, or a CD may be designed so that it cannot be played on 41 CDPA 1988 s 16(2). 42 [1988] AC 1013. 43 Implemented in the UK in CDPA 1988 ss 296–296ZF.
31
2.23 Digital rights
a PC. The use of such technology is also referred to as digital rights management or ‘DRM’. This new right incentivises rights holders to design effective DRM as they have a right to pursue persons who design and sell equipment which is intended to circumvent DRM, in addition to being able to sue the individuals using such equipment to try to circumvent DRM. For example, the manufacturers of a computer chip, which made it possible to play copied games on a games console were successfully pursued by Sony, in relation to Sony’s PS2 console.44 Under the CDPA 1988 it is also an offence for a person to manufacture, import or sell in the course of business any device or other component for the circumvention of DRM.
The mechanics of DRM 2.23 The mechanics of DRM are simple. In most cases the content provider takes an unprotected digital media file, for example an MP3 music file, and scrambles it using a DRM encryption key. The resulting media file is unreadable except to systems that have been given the corresponding DRM encryption key. By controlling which industry partners or suppliers have access to its decryption keys, the content publisher can ensure that only authorised hardware and software can read encrypted files. In this way, DRM can be analogised to a digital ‘lock and key’ arrangement where the copyright owner controls the distribution of keys. By contrast, digital media without DRM can be played by end-users without requiring a decryption key, including by hardware or software that allows unauthorised reproduction or manipulation of the content. One of the earliest mass-market uses of DRM was to protect DVD movies. DVDs use a DRM system called the Content Scrambling System (CSS). CSS works by encrypting the digital bit stream of a DVD using a 40-bit key (roughly equivalent to a 40-character password), which is stored in an area of the disc that can only be accessed by an appropriately licensed DVD player. CSS licences are controlled by the DVD Copy Control Association (CCA), an industry body set up to regulate DVD protection, thus allowing them to control which devices can play DVDs. However, CSS was compromised in 1999 when it was reverse engineered by a Linux user who wished to play DVDs on his computer. As CSS was not licensed to Linux, Jon Johansen of Norway created a piece of software called DeCSS that allows a user to decrypt a DVD without having a key, effectively bypassing CSS. DeCSS was subsequently made available on the internet, leading to legal action by the CCA against Johansen. Another well-known example of DRM is FairPlay, used by Apple on music purchased from its iTunes store. Every time a user buys an audio track from iTunes, he downloads an encrypted music file along with the key that is required to play it. However, the key itself is encrypted and the user requires a second key (the ‘user key’) that is transferred to the user at the time of purchase and is stored on the user’s computer and on Apple’s servers. Although complex, this system is more flexible than CSS as it permits Apple to keep track of how many user keys it has
44 Sony Computer Entertainment v Owen [2002] EWHC 45 (Ch).
32
Digital rights 2.24
granted to any one user, and thereby limit the number of computers the audio track can be played on. If a user distributes 1,000 copies of a FairPlay music track on the internet for example, Apple can use their centralised servers to restrict the issue of user keys so that only five of those copies are playable. As noted above, Article 6 of the Copyright Directive provides for ‘adequate legal protection against the circumvention of any effective technological protection measures (TPM)’. The definition of TPM is wide and includes any technology designed to prevent any act not authorised by the rights holder. Since copying is not usually authorised, InfoSoc makes it illegal for anyone to circumvent any type of copy protection, including DRM. Article 6 thereby renders the bypassing of DRM, such as the use of DeCSS (see above), illegal. As a result, Article 6 has provoked outcry amongst digital liberty groups for tipping the balance of power too much in favour of rights holders.
The backlash against DRM 2.24 DRM has proven controversial with consumers, who are accustomed to playing media on devices of their choosing. Since DRM protection is primarily software-based, it is difficult for end users to know what restrictions are imposed on a media file merely by inspection of the product, for example a DVD or MP3 audio track. Moreover, users are not accustomed to reading lengthy terms and conditions before downloading a song from iTunes, for example. Embedded in the iTunes Store terms and conditions are eight different ‘rules’ about the usage of content purchased from the store, including stipulations about how many devices the content may be stored on at any one time and restrictions on the permitted number of burns for audio playlists, with links to other sites, such a PRS for Music provided for a further explanation on restrictions and rights to use the purchased content. The shift in the balance of power towards media providers has proven unpopular, and attempts to impose DRM on consumers have not been entirely successful. Sony BMG’s attempt to incorporate DRM on their music CDs backfired when their DRM software, XCP, which was covertly embedded in their CDs, automatically installed itself onto users’ computers and subsequently created system vulnerabilities on the user’s PC that could be exploited by malicious software. The resultant class action suits in Texas, New York and California45 attracted high-profile negative publicity around the world that led to a product recall and an embarrassing U-turn of its DRM policy by Sony BMG. In response to these developments, the recent trend has been for content providers to move away from DRM and to provide unprotected digital media to users. It is hoped that the increased flexibility and convenience for end users will lead to larger volumes of sales and that this will offset the risk of piracy that is ever-present in digital media.
45 2005 statement of ‘Texas Attorney General’ and related documents under Sony BMG Spyware at www2.texasattorneygeneral.gov/consumer/lawsuits.php.
33
2.25 Digital rights
Rights management information 2.25 Copyright works may contain unique identification codes from which it is possible to track and trace activity in relation to a copyright work. This kind of information is known as electronic rights management information and may include information identifying the rights holder and terms of use. For example a person who buys a music CD legally containing rights management information could be traced if he or she then illegally uploaded the songs to a file-sharing platform. The Copyright Directive introduces a civil remedy against any person who knowingly and without authority removes or in some way alters such electronic rights management information, provided that such person knows or has reasonable grounds to believe, that by the removal or alteration of the rights management information her or she will induce, enable, facilitate or conceal copyright infringement.46
Communication right 2.26 The Copyright Directive introduced the ‘communication right’, which provides that the communication of a copyright work to the public by wire or wireless means is a restricted act. This is discussed in further detail at paragraph 2.19 above. The rights conferred on copyright owners also enable them to exploit their works through the legitimate communication of their works over the internet, for example through iTunes.
Protection for ISPs for copyright infringement on the transmission of copyright works 2.27 The Copyright Directive introduced an exemption from copyright infringement in relation to: temporary acts of reproduction …, which are transient or incidental and an integral and essential part of a technological process whose sole purpose is to enable a transmission in a network between third parties by an intermediary, or a lawful use of a work or other subject-matter to be made, and which have no independent economic significance. This exemption is aimed at protecting ISPs when they temporarily copy works during caching processes. As implemented in the UK,47 the wording of the exemption does not cover ISPs alone. The exemption may be far narrower in scope than initially appears as there are arguments to say that caching is not always ‘transient’ or ‘incidental’ to the technological process and whilst caching is beneficial in that it speeds up internet communication, it is not necessarily ‘integral and essential’. However, under current business practices, caching takes place without a licence from the copyright owner and at least where content is uploaded with the consent of the copyright owner, it could be argued that there is an implied licence to cache.
46 Implemented in CDPA 1988 s 296ZG. 47 See CDPA 1988 s 28A.
34
Digital rights 2.27
The YouTube phenomenon and why infringement may be revenue producing Whilst the rise in digital technology has made creating perfect copies of copyright works a trivial matter, the other major technological development of the last 50 years, namely the rise of the internet, now provides individuals with a global mechanism for sharing and distributing those copies. On the one hand, this allows services like iTunes to sell legal, authorised digital copies of musical and audiovisual works (ie the online equivalent of the traditional record store). On the other hand, services such as YouTube provide a platform for users to upload contents to be viewed by other users free of charge. The goal of services such as YouTube is not to create direct venues from sales of videos or music tracks (at least at this stage); rather it is to generate revenue from sales of the advertising space appearing on the website. As with all advertising, the more exposure the content (and therefore the advertising around it) receives, the better. If that advertising can be targeted to particular demographics through association with particular content, all the better. Where advertising is the main source of revenue for a service or website, then attracting users in significant numbers is one of the key goals which needs to be achieved in order to establish a commercially viable service: the more eyeballs seeing the advertising on the site, the more money can be charged to advertisers. Whilst video sharing websites such as YouTube place great emphasis on providing users with a platform to showcase their self-created content to the wider world, in reality it is not those videos that attract the most views on a regular basis. Rights holders argue that in fact it is their ‘rich’ content, uploaded by users of the relevant service, which attracts the vast majority of users and therefore enables the operators of such websites and services to sell the majority of advertising on their websites. Most of this content is uploaded without express permission from the rights holders. As we have seen above, in the absence of permission and without the ability to rely on statutory exceptions, those clips, videos and music tracks therefore infringe the copyright in the original works. There is no suggestion that the sole purpose or intent of services like YouTube is to provide a platform to facilitate copyright infringement. Indeed, original user-generated content is a big draw for visitors to those sites. With other services, such as some of the Bit Torrent tracker sites like the headline-grabbing Pirate Bay, the desire to provide users with the ability to access, share and use copyright infringing works is clearer and, in some cases, the stated purpose of those services. If all these services facilitate copyright infringement, or in some cases host infringing works, the key question for rights holders is ‘how can I protect my content and enforce my rights’? While legal remedies can be pursued, often it is regarded as undesirable or inconvenient to take action against the end users uploading and/or downloading the copyright infringing material. Individuals often do not have the financial resources to make claims for damages against them 35
2.27 Digital rights
worthwhile. It can also be difficult to take action successfully against the operators of sites, particularly those which do not host content, either due to the difficulties associated with positively identifying those entities or individuals (eg where services are hosted from obscure jurisdictions) or because of perceived gaps in the current legal framework. There is, for example, no offence of ‘facilitating copyright infringement’, which in part frustrated action taken against the operator of OiNK, a private Bit Torrent tracker. OiNK did not host material itself, rather it provided its users with the ability to share files amongst themselves via BiT Torrent.48 However, leaving the legal technicalities aside, when looking at this issue from a commercial perspective the issue is sometimes not so clear cut. While sites like the Pirate Bay, and those sites which provide access to unauthorised streams of sporting and other live events, provide no benefit to rights holders and indeed cause them harm through loss of royalties and/or subscriptions, other websites operated by more reputable owners, of which YouTube is the most obvious example, undoubtedly provide a certain amount of exposure to the content featured on the service (even if it is technically infringing), which it may not have otherwise received. Take for instance, the example of clips from a television series being uploaded to YouTube. The clips uploaded are unlikely to comprise the whole episode or series but are merely short snapshots of some of the ‘best bits’. Users who view those clips may decide they want to see more and may go on to purchase the DVD or the clips may act as trailers and encourage users to watch a forthcoming series being broadcast on television. Undoubtedly the clips themselves are copyright infringing – it is extremely unlikely that the users that uploaded the clips receive any permission to do so from the rights holders. However, if a certain proportion of users who view the clips go on to buy the DVD, or watch the other episodes, the use of the unauthorised content has had the effect of advertising the legitimate product thereby driving customers to the rights holder. However, unsurprisingly, rights holders are not enthusiastic about unauthorised material appearing on such sites. Other rights holders take the view that they will not be able to entirely stop the appearance of unauthorised clips on video sharing websites and that, instead, their efforts would be better focused on partnering with the operators of those sites. By providing higher quality, legitimate clips, rights holders can show off their product in the way it is intended to be seen, exercise more control over which clips are shown and when, while at the same time cutting deals to share in the advertising revenue generated from the use of their clips. This scenario demonstrates the existence of a grey area when it comes to the question of how and whether to enforce legal rights. It calls for a wider consideration of the commercial and practical realities, as well as the legal misuse, and aptly demonstrates the benefits as well as the challenges brought by the rise in digital technologies and the internet.
48 This was in January 2010.
36
Digital rights 2.28
When Article 17 of the EU Copyright Directive 2019/790 is implemented in 2021 by the 27 EU Member States (but not the UK which has left the EU and has said it will not implement the controversial directive) more liability will attach to online content-sharing services such as YouTube so legal advice should be taken in each relevant jurisdiction. See further below.
Copyright Directive 2019/790 – Article 17 2.28 Although the UK does not propose to implement Copyright Directive 2019/790 in 2021 the 27 EU Member States are obliged to do so. It is worth readers familiarising themselves with all its provisions. Below Article 17 is set out, as it is a major change to liabilities of platforms such as YouTube. Article 17 is entitled ‘Use of protected content by online content-sharing service providers’. Article 17(1) provides that: 1. Member States shall provide that an online content-sharing service provider performs an act of communication to the public or an act of making available to the public for the purposes of this Directive when it gives the public access to copyright-protected works or other protected subject matter uploaded by its users. An online content-sharing service provider shall therefore obtain an authorisation from the rightholders referred to in Article 3(1) and (2) of Directive 2001/29/EC, for instance by concluding a licensing agreement, in order to communicate to the public or make available to the public works or other subject matter. After some other provisions Article 17(4) goes on to provide some important exceptions which will help mere platforms avoid liability: 4. If no authorisation is granted, online content-sharing service providers shall be liable for unauthorised acts of communication to the public, including making available to the public, of copyright-protected works and other subject matter, unless the service providers demonstrate that they have: (a) made best efforts to obtain an authorisation, and (b) made, in accordance with high industry standards of professional diligence, best efforts to ensure the unavailability of specific works and other subject matter for which the rightholders have provided the service providers with the relevant and necessary information; and in any event, (c) acted expeditiously, upon receiving a sufficiently substantiated notice from the rightholders, to disable access to, or to remove from their websites, the notified works or other subject matter, and made best efforts to prevent their future uploads in accordance with point (b). The concept of acting quickly to remove illegal material and thus avoid liability has been in place since the EU Ecommerce Directive and is still in force in the UK too 37
2.28 Digital rights
through the Electronic Commerce (EC Directive) Regulations 2002. This principle has worked well in practice and has largely not led to undue censorship of the internet. There are concerns however that the changes in Article 17 of Directive 2019/790 may have a chilling effect on internet freedom to such an extent that there were street protests against the draft directive. Article 17(5) et seq goes on to provide: 5. In determining whether the service provider has complied with its obligations under paragraph 4, and in light of the principle of proportionality, the following elements, among others, shall be taken into account: (a) the type, the audience and the size of the service and the type of works or other subject matter uploaded by the users of the service; and (b) the availability of suitable and effective means and their cost for service providers. 6. Member States shall provide that, in respect of new online content-sharing service providers the services of which have been available to the public in the Union for less than three years and which have an annual turnover below EUR 10 million, calculated in accordance with Commission Recommendation 2003/361/EC, the conditions under the liability regime set out in paragraph 4 are limited to compliance with point (a) of paragraph 4 and to acting expeditiously, upon receiving a sufficiently substantiated notice, to disable access to the notified works or other subject matter or to remove those works or other subject matter from their websites. Where the average number of monthly unique visitors of such service providers exceeds 5 million, calculated on the basis of the previous calendar year, they shall also demonstrate that they have made best efforts to prevent further uploads of the notified works and other subject matter for which the rightholders have provided relevant and necessary information. 7. The cooperation between online content-sharing service providers and rightholders shall not result in the prevention of the availability of works or other subject matter uploaded by users, which do not infringe copyright and related rights, including where such works or other subject matter are covered by an exception or limitation. Member States shall ensure that users in each Member State are able to rely on any of the following existing exceptions or limitations when uploading and making available content generated by users on online content-sharing services: (a) quotation, criticism, review; (b) use for the purpose of caricature, parody or pastiche. 8. The application of this Article shall not lead to any general monitoring obligation. Member States shall provide that online content-sharing service providers provide rightholders, at their request, with adequate information on the functioning of their practices with regard to the cooperation referred to in paragraph 4 and, where licensing agreements are concluded between service providers and rightholders, information on the use of content covered by the agreements. 9. Member States shall provide that online content-sharing service providers put in place an effective and expeditious complaint and redress mechanism that is available to users of their services in the event of disputes over the 38
Digital rights 2.29
disabling of access to, or the removal of, works or other subject matter uploaded by them. Where rightholders request to have access to their specific works or other subject matter disabled or to have those works or other subject matter removed, they shall duly justify the reasons for their requests. Complaints submitted under the mechanism provided for in the first subparagraph shall be processed without undue delay, and decisions to disable access to or remove uploaded content shall be subject to human review. Member States shall also ensure that out-of-court redress mechanisms are available for the settlement of disputes. Such mechanisms shall enable disputes to be settled impartially and shall not deprive the user of the legal protection afforded by national law, without prejudice to the rights of users to have recourse to efficient judicial remedies. In particular, Member States shall ensure that users have access to a court or another relevant judicial authority to assert the use of an exception or limitation to copyright and related rights. This Directive shall in no way affect legitimate uses, such as uses under exceptions or limitations provided for in Union law, and shall not lead to any identification of individual users nor to the processing of personal data, except in accordance with Directive 2002/58/EC and Regulation (EU) 2016/679. Online content-sharing service providers shall inform their users in their terms and conditions that they can use works and other subject matter under exceptions or limitations to copyright and related rights provided for in Union law. 10. As of 6 June 2019 the Commission, in cooperation with the Member States, shall organise stakeholder dialogues to discuss best practices for cooperation between online content-sharing service providers and rightholders. The Commission shall, in consultation with online content-sharing service providers, rightholders, users’ organisations and other relevant stakeholders, and taking into account the results of the stakeholder dialogues, issue guidance on the application of this Article, in particular regarding the cooperation referred to in paragraph 4. When discussing best practices, special account shall be taken, among other things, of the need to balance fundamental rights and of the use of exceptions and limitations. For the purpose of the stakeholder dialogues, users’ organisations shall have access to adequate information from online content-sharing service providers on the functioning of their practices with regard to paragraph 4. The directive is quoted in detail above as to Article 17 as in the 27 EU Member States platforms of all kinds from YouTube to Tik Tok will need to consider its provisions carefully and also take local law advice as each Member State implements its provisions. There are many other provisions in Directive 2019/790 which are not considered here as the directive will not be implemented in the UK but are worth consideration by readers operating in the EEA.
Statutory exceptions 2.29 There are certain specific exceptions to copyright, which permit the performance of restricted acts in relation to copyright works without requiring the copyright holder’s permission for certain purposes. 39
2.29 Digital rights
The concept of ‘fair dealing’ is an important element in several exceptions to copyright, including the first four exceptions, considered below, which conceptually predate the computer age. UK and US fair dealing rules differ which can lead to some UK businesses assuming they have greater rights to use copyright material without paying a licence fee nor seeking consent when there is no such right in the UK. There were five new statutory instruments in the UK in 2014 amending the law in this field which are described below and the Copyright Directive 2019/790 will make further changes but only in the EU not the UK in 2021. Three further instances are worth consideration and have a specific frame of reference for users of computer systems, suppliers of software and programs and therefore for the internet and the web in general: •
Fair dealing for the purposes of research or private study.49 This is the primary exception that will be relied on by most individual domestic web users. This exception does not extend to films, sound recordings, broadcasts or cable programmes, however, and an online seller cannot use these on its website without permission.
•
Fair dealing for the purposes of criticism, review or reporting current events, provided it is accompanied by a sufficient acknowledgement of the author and the title of the work.50 The exception for news reporting does not cover photographs. No acknowledgement is required if the reporting is by means of a film, sound recording, broadcast or cable programme.
•
Incidental inclusion of copyright material, for example musical works and words spoken or sung with music, and pieces of a sound recording. If broadcast or cable programmes include such music deliberately, the copyright material will not be regarded as incidentally included.51 A news broadcast which catches a snatch of a piece of music played at an event covered in the news will typically fall within the scope of this exception. However this is unlikely to benefit the online seller, as the inclusion of even very short video and sound clips on a website is unlikely to be incidental.
•
Copying (other than by reprographic means) in the course of instruction or preparation for instruction by the person giving or receiving instruction.52 Essentially the copying must be done by hand (one thinks of a teacher writing something down on the classroom blackboard) and the work cannot be photocopied or copied and stored using electronic means, so it is of limited application to the internet.
•
The making of back-up copies of a computer program by a lawful user.53
•
Decompiling a computer program to obtain information necessary to create an independent interoperable program where the information is not readily available.54 One solution which the online seller may adopt is to state clearly in its licence terms that interoperability information will be made available on reasonable request.
49 CDPA 1988 s 29. 50 CDPA 1988 s 30. 51 CDPA 1988 s 31. 52 CDPA 1988 s 32. 53 CDPA 1988 s 50A. In fact, in shrink-wrap and click-wrap licence agreements, there may well be an express licence for the making of a single such back-up copy. 54 CDPA 1988 s 50B.
40
Digital rights 2.29
•
Copying and adapting a computer program where the copying is necessary (eg for error correction) and not expressly prohibited.55 This right can be excluded by the supplier of the program in its licence terms; when supplying such software, a supplier should carefully consider whether it is appropriate to do so.
•
The making in domestic premises for private and domestic use of a recording of a broadcast solely for the purpose of enabling it to be viewed or listened to at a more convenient time does not infringe any copyright in the broadcast or in any work included in it.56 This is the so-called ‘time-shifting’ exception and applies regardless of whether the recording is made digitally (eg on a personal video recorder) or on a video cassette and now extends to cloud storage and other domestic copying of works legitimately acquired.
There are further exceptions for education establishments,57 librarians and archivists,58 and for public administration purposes.59 Readers should also consider for the EU the provisions of the Copyright Directive 2019/790 once in force. The principle of fair dealing under the CDPA 1988 is strictly confined to the scope of each exception to which it applies, for example reporting current affairs, criticism or review. It is important to note that no direct UK equivalent of the concept of ‘fair use’ of copyright works which exists in the US. The UK statutory exceptions are much narrower and, while the Gowers Review has considered whether the exception to copyright for the purpose of caricature, parody or pastiche contained in the Copyright Directive60 should be incorporated into UK copyright law (and a change has now resulted – see below), UK fair use exemptions are much narrower than in the US. Another important point to note is that private copying or format shifting, for example an individual creating an MP3 copy of a sound recording from a music CD to transfer to his MP3 player, is now permitted under UK copyright law following the Gowers Review. It was previously illegal. In the US for much longer than the UK private copying is expressly permitted.61 Five sets of regulations changing copyright exceptions in the UK came into force in 2014: 1.
The Copyright and Rights in Performances (Personal Copies for Private Use) Regulations 2014 These allow the format shifting for private purposes mentioned above. It also includes cloud storage.
2.
The Copyright and Rights in Performances (Quotation and Parody) Regulations 2014
55 CDPA 1988 s 50C. 56 CDPA 1988 s 70. 57 CDPA 1988 ss 33–36A. 58 CDPA 1988 ss 37–44. 59 CDPA 1988, ss 45–50. 60 The Copyright Directive, Art 5, 3(k). 61 17 USC §1008 as legislated by the Audio Home Recording Act of 1992.
41
2.30 Digital rights
These cover fair dealing for criticism or review so that quotes can be made provided the quote gives sufficient acknowledgement. Academic citation in examination papers is permitted. Some copying for caricature, parody or pastiche is allowed as long as it is fair dealing (usually that only a very small amount of material is taken). 3.
The Copyright and Rights in Performances (Disability) Regulations 2014 These regulations allow individuals and charities to make books available for the disabled without infringing copyright in a more extended fashion than previously allowed.
4.
The Copyright and Rights in Performances (Research, Education, Libraries and Archives) Regulations 2014 Research and private study: This exception now covers all kinds of copyright works and some other areas such as allowing students to view materials online which would be too delicate or precious/old to handle by hand. Text and data analysis for non-commercial research: Researchers may carry out non-commercial research to use text and data mining technologies. These must be an acknowledgement of source. Education: This provision gives more rights to teachers to copy material for educational purposes although it is not a carte blanche to copy everything and the rules are complex.
5.
The Copyright (Public Administration) Regulations 2014 Public bodies may make relevant copyright material which they hold available to the public online.
The exceptions and fair dealing provisions even after the 2014 changes are complex and indeed entire books are devoted to them. The above is simply a brief summary. In commercial practice those who advise the advertising industry in particular need to consider very carefully use of IP protected material, as many clients will suggest ‘fair dealing’ means that commercial use can be made of copyright material without paying fees and they are usually wrong. Fair dealing exceptions are very limited in the UK and EU, even after the EU Copyright Directive 2019/790 which applies to the EU only. There is a page of recitals in that directive directed at educational fair dealing uses alone.
Copyright licences and collecting societies 2.30 Subject to the statutory exceptions listed in paragraph 2.29, a licence is required to do any of the acts restricted by the copyright in a work. As the terms of a licence can be express or implied, it is preferable for the copyright owner to set out fully the rights that it intends to grant to its licensees so it can retain control. It will also be important for the licensee in taking a licence from a copyright owner to check equally that it has all the rights it may need. Different rights can be licensed to different persons. In relation to a published work, it may be the case that one party has the exclusive right to develop electronic publication but another has the exclusive right to publish in any format in a particular country. Taking a 42
Digital rights 2.31
licence from one and not also from the other may lead to an inadvertent conflict between the rights of the different licensees and/or the licensor. Where multimedia works are concerned, the licensee may need a licence from a number of different parties. Many copyright owners will be represented by a ‘collecting society’, that is an organisation whose role is to administer the collection of royalties and the grant of collective licences (eg licences which grant the licensee rights to use a wide range of works administered by the collecting society). A table containing a summary of UK collecting societies and the rights they administer can be found at the Appendix to this chapter.
Explanation of implied licences 2.31 When commissioning a third party to provide services which involve the creation of works capable of copyright protection, it is very important that the contract between the parties clearly sets out who will own the rights in any copyright works. It may be that the commissioning party will take an assignment of copyright (ie ownership will transfer to it), or it may merely be granted a licence to use the copyright works. The scope of the licence could be broad (eg it may be exclusive, worldwide and include the right to grant sub-licences) or narrow (eg restrict use of the copyright works to the client’s internal purposes only) depending on the nature of the services and, more importantly, the agreement reached between the parties. In any case, a properly drafted contract will at least provide the parties with certainty as to their respective rights regarding the copyright works. However, circumstances do arise where a contract is not put in place or intellectual property rights are not addressed properly, leading to uncertainty regarding ownership of those rights. Although dependant on the specific circumstances, in the absence of agreement to the contrary, the default position is likely to be that the creator of the copyright works (ie the supplier) owns the copyright. The commissioning party may therefore be left to argue that there is an implied (as opposed to express) term in the contract either assigning the rights in the copyright works to it or granting it a licence to use the copyright works for certain purposes. However, in the case of a dispute between the parties as to the scope of such a licence (or whether a licence should be implied at all) the matter will need to be resolved by the courts. The courts have set out specific guidance on when the law may imply a licence into a contract.62 However, courts will take a minimalist approach, implying a licence only where necessary and then only to the extent necessary, and the ambit of any licence granted must only be the minimum required to give business efficacy to the contract.
62 Robin Ray v Classic FM Plc [1998] FSR 622 affirmed by Clearsprings Management Limited v (1) BusinessLinx Limited and (2) Mark Hargreaves [2005] EWHC 1487 (Ch) – see box above.
43
2.31 Digital rights
Refusals to infer copyright transfers – a word of warning Clearsprings Management Limited v (1) BusinessLinx Limited and (2) Mark Hargreaves63 Clearsprings commissioned a software company to develop a database system but the contract was silent on the issue of ownership so the software company retained the copyright. Clearsprings had to argue that there was an implied term that copyright would vest in them as they wanted to sell the database on. The court held that only a licence to use the system could be implied into the contract, not an assignment of copyright. Clearsprings could not sell the software to third parties as the implied licence did not include the right to grant sub-licences. Meridian International Services Ltd v Richardson and others64 Two developers employed by Meridian’s predecessor were commissioned to write a financial forecasting system but left the company after not being paid. They took the system with them and completed it under the name of another company (IPE). It was orally agreed that IPE would complete the project and that Meridian would be paid a finders’ fee. However no formal contract was signed. Meridian, however, wanted to own the copyright in the system so that it could sell it on to third parties. It was argued that a transfer of copyright should be implied for the business efficacy of the arrangement. The court refused to imply this term as it was not ‘strictly necessary’. IPE retained the copyright. Infection Control Enterprises v Virrage Industries Ltd and Aidan Cartwright65 Link Information Systems was commissioned by ICE to develop software to be used to control infections in hospitals. LIS was unable to complete the work, so Virrage was commissioned by ICE to do so. An argument as to copyright ownership arose, based upon a clause in the previous LIS agreement stating that ‘Title to product passes on full payment of purchase price. At that time, title, copyright and all other property rights in the Software System shall remain vested in ICE.’ However, at the time of the dispute, no sales of the software had been made. The judge considered that copyright did not pass and remained vested in Virrage.
63 [2005] EWHC 1487 (Ch). 64 [2008] EWCA Civ 609. 65 [2009] EWHC 2602 (QB).
44
Digital rights 2.33
The Digital Economy Act 2017 2.32 The Digital Economy Act 2017 followed an earlier Digital Economy Act 2010 which was controversial and never fully brought into force. The 2017 Act deals with electronic communications infrastructure and services, including the creation of a broadband Universal Service Order (USO) and aims to give all premises in the UK a legal right to request a minimum standard of broadband connectivity. The Act also introduced reform of the Electronic Communications Code and provided greater clarification on data sharing between public bodies. The original 1984 Code was replaced by a new version issued with the 2017 Act. The Act contains a wide variety of measures. It includes measures such as increased penalties for copyright infringement and nuisance calls. Its original plan to include age verification of access to pornography websites was however dropped as this was impractical.
Key messages 2.33 •
Copyright is an automatic right which arises without the need for registration. However, it is advisable to put copyright notices on works created – see paragraph 2.7 above.
•
Copyright is a multi-layered right, which protects different ‘works’. You may be licensed for the use of one ‘work’ but not another. In particular, downloading is protected by copyright in film and sound recordings but streaming is protected by copyright in the broadcast.
•
Ensure that, if you are commissioning a copyright work (eg having a website developed), you obtain a written assignment of the copyright from the developer or creator. Paying for the services will not result in ownership of copyright being transferred and you will be reliant on an implied (and necessarily vague) licence in such circumstances.
•
In the online world, it is not black and white for a rights holder to regard all copyright infringements as harmful. There is a symbiotic relationship with certain functions such as YouTube where limited infringement may be revenue enhancing.
45
ALCS Authors’ Lending and Collecting Society PLS Publishers’ Licensing Services CLA Copyright Licensing Agency
Name
46
2,200 (PLS)
90,000 (ALCS)
Approxi mate number of members Type of media
• Writers (ALCS) • Books • Publishers (PLS) • Journals • Magazines • Poetry • Other printed works
Membership
Main collection societies in the UK
• Copying (of text) • Email (of text) • Public lending • Broadcasting rights • Readings (eg poetry festivals) • Photocopying (of pages) • Scanning (of pages) • Photocopying • Fax • Scanning • Email
Restricted acts
Notes
• s 17 (copying) • The ALCS (eg transcription of a and PLS book or magazine article administer the to make an electronic photocopying version) right for authors and • s 18 (issuing copies) publishers (eg distributing the text respectively of a book by email) • s 18A (rental or lending) • The CLA is (eg public lending of a owned by book) ALCS and PLS and issues • s 19 (public collective performance) licences on (eg reading poetry at a behalf of the poetry festival or on the ALCS and PLS radio) • s 20 (communication to public) (eg posting the text of a book online)
Relevant provision in CDPA 1988
Digital rights
MPA 200 (incl Music the five Publishers’ major music Association publishers) Limited
NLA 1,400 NLA Media newspapers Access (previously publishers rights Newspaper managed Licensing Agency)
Name
Approxi mate number of members
• Music publishers • Music writers
• National newspapers • Regional newspapers
Membership
• Musical works • Musicals, operas, ballets
• Newspapers • Digital newspapers, including websites
Type of media • s 17 (copying) (eg photocopying a newspaper article) • s 18 (issuing copies) (eg emailing the text of an article) • s 20 (communication to public) (eg posting the text of a newspaper article online)
Relevant provision in CDPA 1988 Notes
• Printed sheet music • s 17 (copying) • Does not take (eg photocopying sheet assignment of • Arrange music music or making an rights arrangement of music) • s 18 (issuing copies) (eg making a music score available on the Internet)
Restricted acts
Digital rights
47
PRS for Music Performing Right Society Limited
Name
50,000
Approxi mate number of members
• Composers • Songwriters • Music publishers
Membership
• Musical works • Lyrics
Type of media
Relevant provision in CDPA 1988 Notes
• Public performance • s 19 (public • PRS and MCPS of musical works performance)((i) are separate (regardless of how eg making a live entities which performed) performance of a operate musical work at a music together as • Live performance of venue) the MCPSmusical works PRS Alliance • Recording of • ((ii) eg playing a music Limited performed musical CD in an office or in a works retail shop). NB: In this • PRS takes a example a PPL licence is mandatory • Blanket licences also required assignment to TV and radio of the stations performance • Broadcasting rights right and film • Cable transmission synchronisation • Film right synchronisation right • Online use (eg publication of lyrics
Restricted acts
Digital rights
48
Approxi mate number of members
20,000
Name
Mechanical Copyright Protection Society Limited
• Composers • Songwriters • Music publishers
Membership
• Sound recordings (including video sound recordings)
Type of media • Use of sound recording
Restricted acts • s 18 (issuing copies to the public) (eg uploading songs from a CD and making the songs available online)
Relevant provision in CDPA 1988 • MCPS appointed as agent to administer mechanical copyright (rights in the actual recording) • MCPS negotiates collective licence schemes with record companies • Can take legal action in name of members
Notes
Digital rights
49
50
MPLC Motion Picture Licensing Company
PPL Phono graphic Perform ance Limited VPL Video Perform ance Limited
Name
370
9,000 (VPL)
50,000 (PPL)
Approxi mate number of members
• Producers • Distributors
• Record labels (PPL) • Recording performers (PPL) • Music video companies (VPL)
Membership
• Pre-recorded movie videocassettes and DVDs
• Sound recordings • Music videos
Type of media
Relevant provision in CDPA 1988 Notes
• Public performance • s 19 (public of films and movies performance) (eg showing a DVD of a movie in an office or in a bar)
• Public performance • s 19 (public • Takes of sound recordings performance) assignment of and music videos (eg playing a music CD some/all rights or DVD in an office or in • In the process • Dubbing (rea retail shop) NB in this recording) of sound of re-branding example a PRS is also recordings to ‘PPL Video’ required • Broadcasting of sound recordings • s 20 (communication to and music videos public) (eg uploading a music MP3 or video • Multimedia MPEG to a file-sharing • Digital diffusion website, broadcasting (eg online or making it available distribution) online)
Restricted acts
Digital rights
Digital rights
Fuller Listing as at 2020 •
Authors’ Licensing and Collecting Society (ALCS)
•
Artists’ Collecting Society (ACS)
•
Broadcasting Data Services (BDS)
•
British Equity Collecting Society (BECS)
•
Christian Copyright Licensing International, United Kingdom
•
Christian Video Licensing International United Kingdom
•
Copyright Licensing Agency (CLA)
•
Design and Artists Copyright Society (DACS)
•
Directors UK (D-UK), formerly the Directors’ and Producers’ Rights Society (DPRS)
•
Educational Recording Agency (ERA)
• inMusic •
Mechanical Copyright Protection Society of Great Britain
•
Motion Picture Licensing Corporation (MPLC)
•
NLA Media Access (NLA)
•
Open University Worldwide (OUW)
•
PPL PRS Ltd
•
PRS for Music, formerly MCPS-PRS Alliance
•
Phonographic Performance Limited (PPL)
•
Publishers’ Licensing Services (PLS)
•
Soundreef Ltd Independent Management Entity
•
Sync Music, Music and Performer Rights Clearance Agency
•
Video Performance Limited (VPL)
51
Chapter 3
Brands Introduction 3.1 The rise of both the internet and IP technologies driving content convergence has made the brand protection of a business even more fundamental. At a basic level, every organisation must consider at an early stage what domain name(s) it would like to use and the legal protection (eg trade mark registrations) which underpins these online brands. However organisations need to be increasingly alive to the issues created by Google’s Adwords policy, which has cut across the ability of a brand owner to protect its brand in the fullest manner possible. In this chapter: •
Registered trade mark protection – which is essential to any brand protection policy – is explained in outline.
•
A full explanation of domain names is provided including the different types of domains (eg TLDs, ccTLPs and IDNs) and the strategies for protecting domain names).
•
The limitations of brand protection as a consequence of Google’s Adwords policy are explained and highlighted.
Legal protection 3.2 Trade mark rights can be established in two ways: by use and by registration.
Passing off 3.3 Use-based rights can be enforced in a passing-off action if the owner of these rights has generated a reputation or goodwill, notably defined in case law as ‘the attractive force which brings in custom’, and the conduct of another individual or company constitutes misrepresentation. This is an English law tort. Many countries do not have passing-off laws although some have laws prohibiting unfair competition, so always take local law advice. It is worth noting that the concept of misrepresentation in establishing the tort of passing off does not require intent, rather that the conduct results in misrepresentation. The other requirement is that the conduct causes damage to the owner of the rights (eg financial damage by loss of sales or damage to the owner’s business by the third-party products being of a lower quality than those of the owner).
52
Brands 3.4
Passing off requires the owner to prove reputation or goodwill in the brand he or she is protecting. Moreover, passing off is a common law concept and may not serve to protect a brand in non-common law countries (eg Continental Europe).
Eddie Irvine – a new form of passing off Following the case of Irvine v Talksport Ltd [2003] EWCA Civ 423, an action in passing off may be available if one party falsely represents that another has endorsed his business or product. Eddie Irvine, the well-known Formula 1 driver, brought proceedings for passing off alleging that Talksport had falsely represented that it had been endorsed by Irvine. It assessed the damages payable on the basis of licence fee which would have been agreed by a notional willing endorser and endorsee. Accordingly, any brand owner should consider applying for a registered trade mark to protect its key brands. The registration system allows a brand to be protected across a range of 42 classes of goods and services without the need to demonstrate prior reputation or goodwill. Moreover, it can enable international protection for a brand if the correct filing process (as set out below) is followed.
Registered trade marks Types of registration 3.4 A trade mark is any sign which is capable of being represented graphically (such as shapes, sounds and colours) and capable of distinguishing the goods and/ or services of one undertaking from others. They are frequently used to protect a company’s names and logos but they can extend beyond these common uses. An application is made to register a trade mark in respect of specific goods and services. Therefore, when an entity obtains a registration for a particular mark they will own that mark for specific goods and services subject to certain exceptions such as subject to revocation for non-use or invalidity of the mark or reduction in the scope of protection. It is now possible to obtain registered trade mark rights in three different ways in the UK. A national UK trade mark application is filed through the Intellectual Property Office (IPO) (www.gov.uk/government/organisations/intellectual-property-office) and will result in a registration covering the UK which will have an initial duration of ten years, renewable for further ten-year periods on payment of a renewal fee. Alternatively, using the registration system of WIPO, the World Intellectual Property Office (www.wipo.int), it is possible to designate the UK as part of a bundle of national applications filed and administered centrally by WIPO. Such an application will be examined by the UK office in the same way as an application filed direct at the IPO. The third route is to file a European (previously ‘Community’) trade mark application (EUTM) at the European Intellectual Property Office (EIPO) (previously called the 53
3.4 Brands
Office for Harmonization in the Internal Market (OHIM)). On registration, this will give protection across the Member States of the European Union (EU) with a single trade mark registration for an initial duration of ten years, renewable in the same way as a UK registration. From 2021 companies expecting to trade in Europe in various countries and the UK are probably best advised to apply for a UK trademark and an EUTM. From 1 January 2021, existing EUTMs obtain a UK trademark automatically – see further at www.gov.uk/guidance/eu-trademark-protection-and-comparable-uktrademarks. After the end of the transition period (ie from 1 January 2021): • any application for a European Union trade mark or for a registered Community design pending at the end of the transition period will no longer cover the United Kingdom; •
any right granted by the European Union Intellectual Property Office will only cover the EU Member States;
• unregistered Community designs made available to the public in the manner provided for in Union law (Regulation (EC) No 6/2002) will only be valid and have effect in the EU Member States. (From EUIPO notice – see the EU–UK Trade and Cooperation Agreement, December 2020 and the UK’s European Union (Withdrawal Agreement) Act 2020) It should be noted that Guernsey, Jersey and the Isle of Man are not covered by a UK or EUTM registration and that registration or re-registration (ie extending a UK registration to these territories by providing evidence of its existence to the authorities in these territories) is required. More information can be found on the IPO website at www.gov.uk/government/publications/extension-of-uk-intellectualproperty-rights-abroad. The first two routes produce a registration which is more or less identical. However, a significant difference is that a UK registration obtained as a designation of a WIPO registration will remain linked to what is known as the base registration, ie the requisite national (or EUTM) registration on the basis of which the application for the WIPO registration was filed, for five years. The significance of this is that if the base registration is successfully attacked by a third party within five years, the entire WIPO registration (ie all countries designated, will be cancelled). However, there is the option of transforming the designations, such as the UK designation, into national applications, so there is not a total loss of rights, although there will be additional costs in processing any national applications. This is because the transformed national applications will attract fees from the relevant national trade mark offices. The EUTM is different from the UK registration obtained through the IPO or WIPO. As a single registration covering the EU (although not now the UK as it left the EU), it is an all or nothing, federal right. If an EUTM application encounters objections from EUIPO or from third parties, it is therefore not possible to resolve these by excluding certain countries. For example if an opposition is filed on the basis of earlier French rights and that opposition is successful, the whole EUTM will fail. In other words, if an EUTM application faces an insurmountable objection, it must be completely abandoned or will be completely refused, assuming that 54
Brands 3.6
the objection cannot be overcome by limitation of the specification of goods or services. However, there is a mechanism known as conversion, which is similar to the process of transformation at WIPO, discussed above, whereby the EUTM can be converted into national applications in any of the Member States where the objection was not applicable. So for example if the successful opposition was based on a UK and an Irish trade mark registration, the applicant could convert its EUTM application into national applications in any of the other EU Member States. Again, further costs in the form of official fees will be incurred in making such applications. To complete this inter-relationship, it is possible to designate the EUTM in a WIPO registration. So when considering how to obtain trade mark protection in the UK, the options make this a more complex issue than it might at first appear to be.
Fees for registration 3.5 The current official fee for a UK registration covering one class of products or services is £200 if filed by hand, post or fax, or £170 if filed electronically (2020 prices). The current official fee for a EUTM application is €850 (for one class, 2020 prices). If there are no objections, there will be no further official fees until renewal of the registration in ten years and then every subsequent ten years. There are also fees for opposition, cancellation and appeals as well as for additional classes. However, if a trade mark attorney or other trade mark specialist such as a solicitor is engaged to do this work, there will be additional costs, some of which will generally be fixed and some of which will depend on the nature of any objections which have to be addressed, such as a third-party opposition. WIPO fees depend on the countries designated and it is therefore not possible to give a realistic cost estimate, other than to note that the application fee is currently 653 Swiss francs for a word mark application, but each country designated will add a fee to this base fee.
National or EUTM registration? 3.6 When considering whether to apply for registration in the UK or via the EUTM, there can be an instinctive tendency towards the EUTM on the basis of cost. This has some merit because the EUTM covers the 27 Member States of the European Union. Therefore, assuming no major objections to an EUTM application, it will on registration give a ten-year monopoly right in each Member State at a cost per Member State of just over €33. This is clearly extremely cheap indeed. However, the attractiveness of the system has brought problems. Since the EUTM came into existence in 1996 (then the CTM) there have been over 9 million applications. This has at times led to very slow processing of applications and oppositions, but EUIPO is addressing this as an ongoing issue and has accelerated many of the aspects of the registration system. None of this effectively reduces the merit of the EUTM, but the scope of an EUTM application inherently means that in comparison with a national trade mark application in a Member State, the likelihood of an opposition from the owner of an earlier right, be it on the basis of earlier use, an earlier application, and/or an earlier registration, is much greater because it can come from any of the Member 55
3.6 Brands
States. Such objections have varying degrees of merit, but can substantially delay or prevent registration of a EUTM. On balance, the EUTM should be given serious consideration in any trade mark filing programme despite the relatively high prospect of an opposition, because if there is no opposition an EUTM registration can be obtained in around seven months from the application date. Additionally, most opposition can be resolved by means of an undertaking, a co-existence agreement and limitations to the scope of an application. So whilst there have been over 344,000 trade mark oppositions from 1997 to 2019, there is a very good prospect indeed that an EUTM application will not face any opposition. By having at least some trade mark register searches conducted before filing an application, it is possible to quantify and mitigate the risk of an opposition, so this course of action is advisable. Taking a UK application as an example, the timescale from application to registration of an unopposed application is around the same as that of an EUTM, seven months. The cost is clearly much lower and the prospect of an opposition greatly reduced because the earlier rights have to exist in the UK (eg in the form of a UK or EUTM registration). A wholly reasonable filing strategy would be to file a UK application, triggering a six-month term during which an EUTM or other application can be filed and benefit from the application date of the UK application. Also now EUTMs do not apply in the UK, UK-only traders will just register the trade mark in the UK and those expecting to trade in the UK and EU in both jurisdictions. This means, subject to some limitations, that a third-party EUTM application for a conflicting mark filed after the UK application date, but before the application date of the EUTM application for the same mark, will be deemed to be a later application than the EUTM application benefiting from the application date of the UK application, before the post-Brexit transitional period is over. An additional and important benefit of this strategy is that costs can be staggered. However, there is duplication between the UK and the EUTM application. This can be resolved after registration, by recording the existence of the UK registration against the corresponding EUTM registration and then allowing the UK registration to expire when it is due for renewal. In addition to the saving made by not renewing the UK registration, there is reduced administration from having one less trade mark in a portfolio without any loss of rights.
TM or ®? The symbol TM has no official meaning in the UK but is generally understood to mean either that there is a pending trade mark application for the mark covering the UK or that the individual or entity in question considers the mark to be its trade mark, whether or not there is a pending application. By contrast, ® implies that the mark is registered in the UK, either nationally or as an EU trade mark, and should only be used if this is the case. It is a criminal offence, punishable by a fine, under the UK Trade Marks Act 1994 to represent that a mark is registered in the UK if it is not. This is the same in many other countries such as Australia, so it is best to use ® where there are registered trade marks (not TM), unless local legal advice says otherwise.
56
Brands 3.8
Registered designs 3.7 It is also worth considering registered designs as part of a rights protection strategy. As with trade marks, registered designs can be obtained nationally (eg through the IPO and the EUIPO for protection across the EU). Generally, they can be renewed for additional periods of five years and have a maximum term of 25 years. Registered designs can be used to protect a number of aspects of a product. For example, an iPod® MP3 player could be protected in relation to its overall shape, the shape of aspects of the product such as the wheel, the appearance of the information on the display and the logos on the back of the player. A registered design is cheap to obtain. A UK registered design currently costs £60 (£50 if filed online) and an EU-registered design costs €350 (2020 prices). Both systems provide for more than one design to be filed in a multiple application and for a reduction in official fees per design in such an application. In addition to the low cost, there is no examination of the validity of an application, which has to be tested in court if there is a dispute involving the design. This means that it is possible to obtain a registered design very quickly. EUIPO has been known to register a design on the same day that it was filed. This is an exception, but if an application is filed electronically at EUIPO and there are no issues such as poor-quality representations of the design, it is reasonable to expect registration within a week of filing. On a practical note, this means that a monopoly right, enforceable against third parties, subject to validity, can be obtained within a matter of days. When this is combined with the ‘grace period’, which allows filing of an application up to 12 months after the product in question has been sold or marketed without jeopardising its novelty, the flexibility of the registered design makes it a highly cost-effective addition to the IP portfolio of any business with a design aspect.
Domain names 3.8 A domain name is an easily recognisable and memorable name which corresponds to a string of numbers known as the internet protocol address or more commonly, the IP address. The reader will no doubt be familiar with domain names in the following form, www.bloomsbury.com but they are less likely to be aware of the corresponding IP address. Domain names were introduced because, while computers that make up the internet find one another using their IP addresses, it would be impossible for an internet user to recollect the thousands of IP addresses that he or she would use each year. A domain name is made up of a number of parts separated by dots. The part furthest to the right is the domain name’s top-level domain or TLD and these have been split into two categories: the generic top level domain (gTLDs) and the country top-level domain (ccTLDs). The former are used in domain names that represent certain categories of names across jurisdictions (ie ‘.org’ and ‘.info’ for organisations and information sites respectively across the world) and the latter are country specific (ie ‘.uk’ for individuals or organisations with a UK presence). To the 57
3.9 Brands
left of the TLD is the second-level domain (ie ‘bloomsbury’ in the above example) and second-level domain names are typically open to end users to register. You can also have domain names with third-level domains. The Internet Corporation for Assigned Names and Numbers (ICANN) manages the domain name system. ICANN is an independent non-profit corporation based in the US. It was formed in 1998 in order to take responsibility for co-ordinating the assignment of protocol parameters, allocate IP address space, manage the root server system and manage the domain name system. ICANN oversees the companies that are responsible for each TLD by entering into specific contacts with them. These companies are referred to as a registry or sponsor and each one retains a full list of domain names that use TLD as well as a list of the corresponding IP addresses. The domain names under each TLD are sold to a large number of registrars around the world who are free to charge what they wish to the end user. When an end user purchases a domain name from a registrar, he or she is often referred to as the ‘owner’ of that domain name; in actual fact, the end user only has an exclusive right to use the domain name provided he or she complies with the terms and conditions of use. Despite this, if an organisation is registered and uses the domain names that are considered appropriate for its commercial or organisational purposes, being the registrant of the domain names is an important and extremely valuable right for that entity.
Generic top-level domains (gTLDs) 3.9 When ICANN was first set up, eight gTLDs were already in existence. Since then ICANN has carried out application rounds for the introduction of further gTLDs. Some of the many gTLDs are overseen by ICANN. Some of these are intended for general use such as .com and .info; others are restricted to specific types of organisation such as .gov which is reserved for the US Government and .travel which is reserved for entities whose primary area of activity is in the travel industry. A full and up-to-date list of the current gTLDs and any restrictions associated with them can be found at www.iana.org/domains/root/db/. In addition to the main gTLDs ‘alternative top level domains’, are also available in the marketplace. These are not overseen by ICANN but have been introduced by individual domain name registries and some are sponsored. The most renowned of which was New.net which at one stage offered many alternative domain name extensions such as .club’, ‘.family’, ‘.ltd’, ‘.sport’ etc but has ceased operation. The advantage of alternative extensions is that there are more extensions available to the marketplace. However, as a result of such alternative TLDs not being overseen by ICANN, the issue with these domain name extensions is that unless a business or its ISP have installed some special software, these domain names will not be recognised. In other words the domain name may not have the ability to translate into the IP address and the practical result is that this type of domain name extension may not be available to everyone on the internet. Two further negatives of using alternative TLDs is that because they are controlled by independent registries as opposed to ICANN: 58
Brands 3.9
•
the purchaser of the domain name is dependent on the registry remaining solvent; and
•
if ICANN adopts new gTLDs which are the same or confusingly similar to the alternative TLDs, the ability of an internet user to be directed to one site using one domain name will be compromised.
ICANN recognises that with an estimated 4.1 billion internet users worldwide in 2020 and increasing numbers of people using the internet each year, there is ample scope for there to be a greater choice of TLDs. As a result ICANN has extended the domains available. While in theory any individual or entity is able to make an application for a new extension, the reality of the situation is that when applying to make this application, the applicant is actually applying to create and operate a registry business for the suggested new extension. Making and pursuing an application requires the payment of fees (eg the fee to make an application is $US185,000). For the above reasons, applicants for a new TLD extension are limited to a few appropriate organisations. By March 2018 the number of gTLD exceeded 1,200 domains. There are now many more domain names available as a result of the various new extensions. Increasing the number has also assisted with one of the main issues that has arisen with the introduction of domain names which is that, unlike trade marks, an owner of a domain name, say a ‘.com’, has an exclusive right to use that domain name across jurisdictions irrelevant of the goods and services. The effect is that once one company with legitimate rights to the domain name becomes the owner of that domain name, another company that also has legitimate rights to the same second-level domain, but in a different sector or jurisdiction, cannot use it. For example, the word ‘POLO’ is associated with the sport, a designer brand, a car and a mint sweet with a hole in the centre. The introduction of new gTLDs for ‘.sport’, ‘.retail’, ‘.motor’ and ‘.sweet’ would allow the representatives for each organisation to share the ‘POLO’ name. The use of such domain name extensions would make it easier for the consumer to know which domain name extension leads to the website it requires. This allows all four organisations to be represented fairly on the internet. On the flip side, the introduction of a potentially unlimited number of domain name extensions into the marketplace has caused brand owners and the consumer further issues in terms of new domain names being registered by cyber squatters, spammers, advertisers and all other persons/organisations who hope to encourage consumers to their websites by piggy-backing on a rights holder’s reputation. The introduction of the new domain name extensions is therefore carefully monitored by rights holders in the following instances: •
when applications for the new domain name extensions are made to ICANN and when the approved domain names are released;
•
when any further domain name extension applications are made to ICANN and they are released in subsequent application rounds;
•
to the extent that a second-level domain for a new extension has not been registered by the rights holder, at all times after any new extensions have been introduced to combat cyber squatters etc that have registered a domain name that is using the rights holder’s brand name as a second-level domain. 59
3.9 Brands
It should be highlighted that ICANN has made provision in the application procedure for any person/entity with standing to oppose the application of a particular gTLD extension. After the application period has closed and the applications have been evaluated to ensure that they are complete, a list of the proposed TLD extensions will be placed on the ICANN website. This list will include the applicant’s name and any further non-confidential elements of the application. If a person/entity with standing wishes to object to a proposed gTLD, they must ensure that they fall within one of the following categories of objection: (a)
string confusion objection – existing TLD operators or gTLD applicants in the current round only;
(b)
legal rights objection – rights holders only;
(c)
morality and public order objection – no limitations on who can object; or
(d)
community objection – established institutions only.
If that person/entity does fall within one of the above categories, it must file an objection electronically within the deadline directly to the appropriate dispute resolution service provider (DRSP). At the time of writing, the DRSP for string confusion objections is the International Centre for Dispute Resolution, the DRSP for legal rights objections is the Arbitration and Mediation Center of the World Intellectual Property Organisation (WIPO) and the DRSP for morality and public order objections and community objections is the International Center of Expertise of the International Chamber of Commerce. At the time of filing, the objector is required to pay a non-refundable filing fee to the relevant DRSP. This is between US$1,000 and 5,000 per party (note the applicant has to pay a fee when it files any response to the objection). Details of UK domain dispute resolution via DRSP are at www.nominet.uk/domain-support/uk-domain-disputes/. Once the objection is filed, the applicant has a choice – it can try to reach a settlement with the objector, it can withdraw the application in which case the application will not proceed any further or it can pay a fee, file a response to the objection and enter the dispute resolution process. Where a response is filed, in the absence of the parties agreeing to negotiation/ mediation, an adjudication will take place with either one or three appropriately qualified experts. Once a panel is appointed, the parties will receive a schedule of costs setting out how much the adjudication will cost and the DRSP will request full payment of those costs from both the applicant and objector. After looking at the objection and response, the expert(s) will decide whether they require written statements. It is expected that the majority of disputes will be decided without an in-person hearing and only in exceptional cases will an in-person hearing being held. The decision of the panel will be set out in writing and will set out a summary of the dispute, the prevailing party and any reasoning for the expert’s determination. Each DRSP will publish its decisions on its website. In summary, it is the responsibility of a rights holder to check when ICANN invites organisations to apply for new gTLD extensions and it is the responsibility of the rights holder to object to any gTLD extension which infringes its rights. To combat the more likely issue for rights holders (eg once the new gTLD extensions are introduced, without the proper procedures in place, there will 60
Brands 3.10
be ample opportunity for cybersquatters etc to hold registered brand names as second-level domains to ransom) ICANN has asked applicants for new gTLDs to describe the rights protection mechanism they propose to use for secondlevel domains. ICANN has confirmed that these will be made. It should also be highlighted that all the new gTLDs will be subject to the ICANN Domain Name Dispute Resolution Policy (UDRP). For more information on this see paragraph 3.17. So while it is clear that there will be obvious benefits deriving from the introduction of new gTLDs in the marketplace, there could also be numerous disadvantages which will prove costly particularly for a rights holder who will have to continually update and monitor its: •
domain name portfolio;
•
domain name strategy; and
•
protection and enforcement measures.
Following the ICANN review, .biz, i.info and .museum were issued amongst others. In 2014 .guru and .club were very popular new gTLDs. New ones are issued regularly and the latest position should always be checked on the ICANN website. In 2011 .xxx was issued for adult/sex content.
Country-code top-level domains (ccTLDs) 3.10 At the time of writing there are hundreds of country-code top-level domains that are generally reserved for use in connection with a specific country, region or location. These ccTLDS are always two-letter top-level domain names and, as with gTLDs, IANA provides a list of the available ccTLDs, the corresponding country/jurisdiction and the body responsible for the delegation of each ccTLD (see www.iana.org/domains/root/db/). In 2018 IANA began bringing into force international country code top-level domains which when viewed by the end user are ‘language-native characters’ (ie foreign characters different from, for example, the English representation of the alphabet). For ccTLDs in the UK, the responsible body is Nominet UK (www.nominet.org.uk) and in the European Union, the responsible body is EURID (www.eurid.eu/). While some of these bodies have a contract or a working agreement with ICANN, some have yet to enter into any formal agreement. We refer above to ccTLDs being ‘generally reserved’ for use in connection with a specific country, region or location. However it is true to say that many of the organisations that control the use of ccTLDs do not have a restriction on who can register the ccTLD in question. For example, ‘.uk’ allows any legal entity to register a domain name that uses ‘.uk’ whether or not that entity is based in the UK and whether or not that entity is targeting the UK market. Other countries like Japan have stricter requirements (ie if an entity wanted to register ‘.jp’ any entity can do so provided they have some form of Japanese postal address (this can be provided for an entity without a Japanese presence by a domain name administration service provider)). If, however, that same entity wanted to register ‘.co.jp’, it would be unable to do so unless it was a local registrant, or it owned a valid Japanese business licence. The key when 61
3.10 Brands
considering whether to register a particular ccTLD is to go to the responsible body’s website or a domain name administration service provider to find out whether there are any restrictions. In addition to the above, each responsible body may impose rules on what how the TLD must be registered (ie in the UK, the ‘.uk’ TLD can only be registered with a particular second-level domain). Those second-level domains that a managed by Nominet are: •
co.uk (commercial entities and purposes);
•
ltd.uk (private limited companies);
•
me.uk (personal names);
•
net.uk (internet service providers infrastructure);
•
org.uk (not-for-profit-entities);
•
plc.uk (public limited companies);
•
nic.uk – restricted use;
•
sch.uk – restricted use.
There are also second-level domains that are administered by trustees other than Nominet. These include: •
ac.uk (higher and further education and research institution);
•
gov.uk (national, regional and local government bodies and agencies);
•
mod.uk/mil.uk (military and related purposes);
•
nhs.uk (national health service); and
•
police.uk (police forces).
Some countries/locations with ccTLDs that are appealing to entities for reasons other than the association with the country or location, have relaxed all restrictions to take advantage of the popularity of their assigned ccTLD. For example the following are some of the ccTLDs that are popular with particular industries and are therefore often registered by those in the industry as opposed to the country of the allocated ccTLD: •
.tv – allocated to Tuvalu but often registered by television stations;
•
.fm – allocated to the Federal States of Micronesia but often registered by radio stations;
•
.ad – allocated to Andorra but often registered by advertising agencies; and
•
.pr – allocated to Puerto Rico but often registered by public relations agencies.
Particular types of entity may want to consider registering such a ccTLD and again it is advisable to examine any restrictions by contacting the responsible body. In the third quarter of 2009, VeriSign reported that the base of ccTLDs rose to 76.3 million domain names which is an 11% increase on the same quarter in 2008. Of 62
Brands 3.10
these ‘.ru’ for the Russian Federation and ‘.pl’ for Poland grew the fastest but ‘.de’, ‘.uk’ and ‘.cn’ continue to be the most popular ccTLDs. This shows not only a desire to own and use ccTLDs in emerging internet markets, but also the continued desire for ccTLDs in countries which already have an established internet presence. There have been further increases in the decade since then. ccTLDs represent 40% of all domains (as at 2020). It is clear from these statistics that ccTLDs are globally recognised as a valuable commodity. Provided an entity complies with any restrictions set by the relevant body, a ccTLD is easy to obtain and due to its geographical basis, the chance of an entity competing for the same domain name is reduced as compared to an application for a gTLD. It is also true that a ccTLD can be particularly useful when an entity has a global reach but one generic website would not be appropriate for all countries (eg where there are strict laws on alcohol). Practically, ccTLD portfolios need to be frequently monitored to ensure that an entity has sufficient ccTLDs for its current and intended geographical reach. This will be of particular importance for all entities that operate in non-Latin script geographical regions when the new Internationalised Domain Names are introduced. This is discussed in more detail below. In 2014 a US court in the case of Ben Haim v Islamic Republic of Iran etc was asked to consider awarding a group of US and Israeli victims of Iranian terrorist activity the rights to the .ir domain and those for Syria and North Korea and the corresponding IP addresses then being used by the Iranian and the other governments and their agencies. However a federal judge held that the domains were not ‘property’ under relevant US law and sided with ICANN which also was against a precedent being set to allow such seizure when debts are owed. The US decision is at www.icann. org/en/system/files/files/order-memo-granting-motion-to-quash-writs-10nov14en.pdf and ICANN’s submissions are at www.icann.org/resources/pages/icannvarious-2014-07-30-en. ICANN supported the result and agreed with the court that domain names are not ‘garnishable property’ and are simply the provision of a service.
Brexit and .eu The departure of the UK from the EU on 31 January 2020 and the end of the postBrexit transitional period on 31 December 2020 have the result that UK companies can no longer use .eu domain names. Below is the June 2020 UK Government guidance: What you need to do 1. Check your eligibility From 1 January 2021, you’ll no longer be able to register or renew .eu domain names if: •
Your organisation, business or undertaking is established in the UK but not in the EU/European Economic Area (EEA) or
•
You live outside of the EU/EEA and are not an EU/EEA citizen
You can only register or hold .eu domain names if you are: 63
3.10 Brands
•
an EU/EEA citizen, independently of where you live
•
not an EU/EEA citizen but resident in the EU/EEA
•
an organisation, business or undertaking that is established in the EU/EEA
If you already have a .eu domain or are considering obtaining one, you should check the eligibility criteria set out in Article 4(2)(b) of Regulation (EC) No 733/2002, as amended by Regulation (EU) 2019/517, and seek legal advice if necessary. You may still satisfy the eligibility criteria if you have your registered office, central administration, or principal place of business within the EU/EEA, are established within the EU/EEA, or are a natural person resident in the EU/ EEA. The European Commission and EURid have confirmed that EU citizens who are resident in the UK will be able to retain their .eu addresses. If you are an EU citizen living in the UK and have registered a .eu domain name, discuss with your registrar whether you will need to provide proof of eligibility. 2. What will happen if you don’t meet the eligibility criteria On 3 June 2020, EURid, the registry which is responsible for the day-to-day running of the .eu Top Level Domain, published guidance for UK registrants and the steps it will take around the end of the transition period. The notice states that: •
UK registrants will receive an email notification from EURid on 1 October 2020 informing them that they will lose their eligibility to retain their .eu domain name as of 1 January 2021 unless they can demonstrate their compliance with the .eu regulatory framework by updating their registration data before 31 December 2020.
• EURid will then send a further email on 21 December 2020 notifying all UK registrants who did not demonstrate continued compliance with the eligibility criteria and their registrars of risk of forthcoming noncompliance with the .eu regulatory framework. •
The notice then states that as of 1 January 2021, any UK registrant who cannot meet the eligibility criteria will have their .eu domain names withdrawn. A withdrawn domain name no longer functions, as the domain name is removed from the zone file and can no longer support any active services (such as websites or email).
•
The EURid notice states that withdrawn domain names will not be available to any other entity for a further twelve months. On 1 January 2022, all the withdrawn domain names will be revoked and made available for registration by other entities.
If you no longer meet the eligibility criteria 1. Discuss with your local domain name registrar whether to transfer your internet presence to another top level domain. Examples include .com, .co.uk, .net or .org. Your registrar will be able to offer advice on how to let your customers know that you’re moving or have moved to another 64
Brands 3.11
domain, such as a holding page to redirect web traffic towards a new domain, or advice on how to update your search engine optimisation. 2. You may wish to seek advice from your local domain name registrar on whether the terms of your contractual agreement provide for any recourse in the event of withdrawal or revocation of a .eu registration. 3. Consider developing a migration plan for services and functions that your .eu domain, website or associated email address is linked to or supports, such as: –
.eu email addresses that access critical business processes, including online banking services, online payment providers, government services like HMRC online, or payment verification systems
– .eu email addresses that access services that use an email and password for registration, including membership organisations and clubs, social media, and two-factor authentication services –
.eu email addresses used to communicate with customers, clients, internal communications or to distribute mailing lists
– .eu websites or email accounts that hold data that you need to transfer before any loss of access – Virtual Private Network (VPN) or other services that use your .eu domain name –
Trademark or intellectual property rights impacted by the loss of your .eu domain name.
This list is not exhaustive, and you may also wish to consider and address any other areas that depend on your .eu domain name. Registering a .eu domain name after the end of the transition period If you are a UK resident, company or organisation planning to acquire a .eu domain name, check whether you remain eligible from 1 January 2021. If you’ve registered Top Level Domains for EU member states Similar eligibility restrictions may apply to EU Member State Country Code Top Level Domains such as .fr or .it. You should check with your registrar that you’re still eligible to retain the use of that domain from 1 January 2021. (See www.gov.uk/guidance/eu-domain-names-what-you-need-to-do-to-get-readyfor-brexit.)
International domain names (IDNs) 3.11 English is the dominant language on the internet, yet 60% of Internet users are non-English speakers. While many websites contain multilingual content it is acknowledged that the use of only Latin-script in domain names meant that there were a large number of people throughout the world who were unable to access the internet. ICANN therefore made changes to deal with this issue. It has long 65
3.11 Brands
been considering this issue and in 2003, technical guidelines were released which provided a mechanism for dealing with non-Latin characters in a domain name. In very simple terms, the problem was overcome by domain names that were in non-Latin characters being converted to Latin labels which could be understood by the Domain Name System. As a result, it became possible to register second- and third-level domain names in script such as Chinese, Arabic, Japanese etc. Today, if an entity wants to register a second- or lower-level domain in non-Latin script, it can choose a TLD that provides such a service. Any person requiring this service can check whether the service is offered by contacting any registry. Despite the introduction of IDNs as second/lower-level domains, it was recognised that for languages such as Arabic, which are written and read from right to left, an Arabic speaker would have to change the way that it read or input a domain name on the internet halfway through the domain name. To provide complete access to the internet, it was decided that the TLD should also be available in local language script and therefore ICANN has now introduced a number of ways in which IDN TLDs can be introduced and applied for: •
IDN ccTLD Fast-track process – the introduction of a limited number of IDN TLDs in non-Latin script for certain countries/territories. The application process was opened on 16 November 2009 and the first registrations by entities for such IDN ccTLDs began in 2010. The latest version of the Final Implementation Plan for this process is dated March 2019.
•
IDN ccTLD long-term policy development – ICANN describes this as follows: The IDN ccTLD policy development process is a long-term process for countries and territories that do not qualify for the Fast Track Process. ICANN has a ‘New gTLD Program’. ICANN says that this ‘focuses on expanding choices for generic top-level domains, or gTLDs. This expansion includes IDNs at the top level in order to meet growing diversity and encourage competition for more innovation, choice and change to the Internet’s addressing system.’ The first of these were issued in 2013. For example in 2016 the EU was granted the Cyrillic domina .ею
•
New gTLD programme – this has been referred to in detail above and will include the introduction of new IDN gTLDs.
In most cases, the only relevant issue in relation to IDN ccTLDs is what it means in terms of an entity being able to register new domain names. The introduction of the IDN ccTLDs will affect any individual or organisation that currently or in the future intends to enter any market where Latin characters are not used in the local language. Take, for example, an English-based company that has developed a market in Japan. At the present time, they may have a ‘.com’, ‘.jp’ and/or a ‘.co. jp’ domain name depending on their requirements and presence in Japan. With the introduction of IDN ccTLDs, however, that company would have to consider whether there is an IDN ccTLD in Japanese language script available and, if so, whether the company wants to register this domain name for use in Japan. The rules for registration of each IDN will vary from one country/territory to the next and that includes whether or not a particular territory will allow trade mark holders to register IDN ccTLDs for their registered rights before registration is open to the masses. A number of IDNs are currently available, so if an entity has a 66
Brands 3.11
particular interest in an IDN ccTLD, we suggest that it ensures that it monitors the introduction of that IDN ccTLD through the responsible body in the country in question (ie the equivalent body to Nominet UK). The final comment to make in relation to IDN ccTLDs is that the issues that are set out above for the rights holders in relation to new gTLD extensions will also be relevant in certain circumstances to new IDN ccTLDs. A rights holder will need to ensure that they either register their brand name in new script when the IDN ccTLD is released or face the possibility that a third party will register the new script domain name in a new territory with the effect that the third party may benefit from the original brand’s success. The effect of the new IDN ccTLDs may also affect a business’ strategy for the registration of its trade marks in a particular jurisdiction. For example, if a local script brand name is available as a second-level domain in a IDN ccTLD, then it may make sense for the brand owner to ensure that the local script brand name is also registered with the trade mark registry in the local territory: •
to cement earlier rights to the local script brand name in that territory;
•
to have first registration rights to the local script domain name for that brand, where the said territory has a policy of first registration rights; and
•
to be able to challenge a later registration of the local script brand name as a domain name where it is registered by a competitor, cybersquatter etc.
ICANN has a fast-track process described by ICANN as follows: Overview of the IDN ccTLD fast track process
Source: www.icann.org/resources/pages/fast-track-2012-02-25-en (August 2020). 67
3.12 Brands
DN ccTLD strings successfully evaluated
Source: www.icann.org/resources/pages/fast-track-2012-02-25-en (August 2020).
Deciding which domain names to register 3.12 This must be addressed on a case-by-case basis having regard to the nature of the intended registrant. If an individual wants to register a domain name for its own use, one domain name will normally suffice and the decision as to which TLD to use will largely depend on what is appropriate and available. Where the intended registrant is anything from a start-up to a full service global operator intending to continue and build on its internet presence, specific advice on its domain name portfolio will again depend on the particular company. However, we note the following: (a)
A business will often have a domain name that it wishes to use such as its company name, trading name or brand name, but also consider that a generic name may be appropriate and may result in the owner receiving increased internet traffic (eg B&Q, the UK-based home improvement store uses the domain name, www.diy.com).
(b) Once you have the ‘main section’ of the domain name in mind, consider which TLD would be most beneficial to your business. A ‘.com’ TLD is still one of the most popular to register and is certainly considered to be valuable when it comes to purchase costs and being included in the domain name portfolio upon the acquisition of a business. However, given the new TLDs 68
Brands 3.13
that will be introduced over the next few years, every business will need to think about: •
its geographic reach and which ccTLDs it needs;
•
whether a particular TLD would be appropriate for its industry;
•
whether it wants to register its domain name in connection with numerous TLDs for defensive purposes rather than simply because certain domain names are required for the commercial purposes of the business. A business should also consider whether the registration of obvious misspellings of the domain name would be appropriate, again for defensive purposes.
(c) Once you have a domain name in mind, check whether it is available to purchase using a ‘Who is’ search (see full details below). If the domain name that you require is taken, you have a number of options: •
the domain name may be available using a different TLD (ie ‘.org’ instead of ‘.com’);
•
if you want a specific TLD that is already registered, carry out some investigative work about the registrant listed; and then: –
if appropriate, attempt to contact the owner to see if they will transfer the domain for free or a sum of money;
–
if you feel that they have registered the domain name to take advantage of your businesses rights, discuss your legal options for getting the domain name transferred to the business (detailed below).
(d) Finally, once you have the domain names that you need and or want in place, keep the domain name portfolio up to date. Ensure that: •
you have domain names which match the expansion of the business into different territories;
•
you consider and, if appropriate, register domain names which correspond with any new brands;
•
you monitor the introduction of new TLDs including new gTLDs and IDNs; and
•
you monitor any third-party registrations of similar domain names and challenge those registrations where deemed necessary.
How to check that a domain name is available 3.13 If you want to determine whether a particular domain name is available, you must carry out an online ‘who is’ search. There are a large number of ‘who is’ services available on the internet and these can be found by carrying out a search for ‘who is’ on Google. In most cases, a ‘who is’ search will provide information about the registrant (the person who has the exclusive right to use the domain name), the registrar (the company that controls the domain name for the registrant) and it will also give details of any technical and administrative contacts, billing information and the date the domain name expires. 69
3.14 Brands
While numerous ‘who is’ searches are available, some are better than others. Netnames at www.netnames.co.uk and Who.is at who.is/whois/ are useful ‘who is’ searches that allow the user to carry out multiple gTLD and ccTLD searches in a single search. For additional information about a particular registrant, the ‘who is’ search at www.domaintools.com may prove useful. This may also provide information about the number of domain names owned by a particular registrant – this can be useful if you are trying to recover a domain name from a particular registrant who you believe is a cyber squatter. To search for the availability of details of a particular ccTLD, it may be advisable to check the registry where that registry provides a ‘who is’ search. For example, Nominet provides this service for any ‘.uk’ domain at www.nominet.org.uk. If the domain name you require uses one of the gTLDs or IDNs that are not yet available, the current ‘who is’ searches will not help you. The only way to monitor the release of these TLDs is to monitor the ICANN website. ‘Who is’ searches have been useful for intellectual property litigators in ascertaining the registrant’s details. However since the EU General Data Protection Regulation came into force much less information is available, which is good for privacy rights but not for those trying to track down fraudsters. See Temporary Specification for gTLD Registration Data as at May 2018 at www.icann.org/resources/pages/gtldregistration-data-specs-en.
How do I register a domain name? 3.14 Registration of domain names is quick and easy. Registrations are for a specified period, with a minimum of one year and a maximum of ten years available, depending on the extension and subject to renewal.
gTLDS •
Registration of a gTLD is through one of ICANN’s accredited registrars, a list of which can be found at the registrar directory at ICANN’s website at www.icann.org/en/registrars/accredited-list.html. Every time a purchaser wants to register a second-level domain with a particular gTLD, accredited registrars submit a domain name application to the gTLD’s corresponding registry. For example, .info, .biz and .name will be submitted to Afilias, NeuStar and VeriSign Information Services respectively. UK registrars include Easyspace Limited, Demys Limited and Lexsynergy Limited, which can be found at www.easyspace.com, www.demys.com and www.lexsynergy.com respectively.
•
Following the establishment of ICANN and the introduction of a system which promotes competition in domain name registration, ICANN reported that competition at the accredited registrar level is robust, leading to significantly lower prices and a larger array of service offering from which to choose.
•
Prior to the establishment of ICANN and the introduction of the above system, VeriSign Inc had been the sole accredited registrar. It remains the 70
Brands 3.16
sole registry through which an ICANN accredited registrar can submit a domain name application on your behalf for .com and .net extensions. Further information on VeriSign and VeriSign’s global registry services may be obtained from their website at www.verisign.com.
ccTLDs •
Each ccTLD has its own national registry that will process domain name applications and maintain the database of domain names; for the UK this is Nominet. Although not specifically accredited by ICANN, the ccTLD registries are appointed by the ccTLD’s corresponding country, territory or geographical locality.
•
A domain name application may be submitted directly to Nominet or indirectly through an ISP, who effectively acts as your agent. There are hundreds of ISPs to choose from and Nominet’s website provides useful guidance on choosing an ISP. It is advisable to shop around before selecting your ISP, as the services offered will vary. A list of Nominet members that provide registration services can be obtained from Nominet’s website.
Domain name disputes 3.15 Due to the unique nature of domain names, it is inevitable that on occasions an entity/entities will: (a)
disagree as to who is entitled to a domain name;
(b)
refuse to hand over a domain name that the current owner is not entitled to;
(c)
hold a domain name to ransom; or
(d)
use a domain name to direct customers to its website as opposed to a rightful owner’s website.
This will frequently result in a dispute between the current owner and the entity that believes it is entitled to the domain name in question. There are generally four methods of dealing with a domain name dispute: (a)
court proceedings;
(b)
a domain name dispute resolution procedure;
(c)
negotiation and agreement to purchase the domain name; and
(d)
alternative dispute resolution (ie mediation or arbitration).
We consider (a) and (b) below. However, as a practical matter, it should be noted that it is generally a cost-effective strategy to attempt to acquire the domain name by negotiation before resorting to the dispute resolution procedure or court proceedings.
Court proceedings 3.16 Historically, domain name disputes before the courts have been problematic as the entity that believes it is entitled to a particular domain name will have to rely on having certain rights (normally registered or unregistered trade mark rights) 71
3.16 Brands
in the relevant jurisdiction. However, even determining which jurisdiction is the relevant jurisdiction can be difficult. It could be where the current registrant is based or otherwise where the ‘infringing act’ is taking place. If the correct jurisdiction can be established, the ‘rightful owner’ may find that in the jurisdiction in question it does not have the necessary rights to challenge the registration of the current owner or even if it does have the necessary rights, it may not be able to enforce the judgment against the current owner. The situations where legal action is normally considered appropriate are: (a)
where there is no domain name dispute resolution procedure for that TLD, ie Germany does not operate a domain name dispute resolution procedure for its ccTLD, ‘.de’;
(b) where the ‘rightful owner’ does not have the necessary grounds to make a complaint under a domain name dispute resolution procedure; (c) where there are two competing legitimate interests and these cannot be agreed by negotiation/mediation; (d) where there is a domain name dispute resolution procedure for that TLD but the current owner of the domain name is infringing a number of rights belonging to the ‘rightful owner’, for example, the situation where the domain name owner is also using the ‘rightful owner’s’ brand name(s), company name, corporate colours etc; or (e)
where legal remedies are required, such as an injunction, costs and damages.
Where legal proceedings are initiated in relation to a particular domain name or a number of domain names, it is advisable to contact the relevant domain name registry to ensure that a ‘lock’ is placed on the domain name. A lock ensures that the current registrant cannot transfer the domain name while proceedings are in progress. Each registry has different procedures and rules for placing a ‘lock’ on a domain name, but most will be willing to do so upon the provision of an order from a relevant court. Circumstances where court proceedings have been successful in the UK are where the rights owner is dealing with a cybersquatter and that cybersquatter has registered a well-known mark as a domain name. The leading case in the UK on cybersquatting is British Telecommunications Plc v One in a Million Ltd (1998), commonly referred to and hereafter referred to as the ‘One in a Million’ case. One in a Million was a dealer in domain names. As part of its business, it secured registrations of prestigious names (whether they be company names or brand names) as domain names without the consent of the organisation owning the goodwill in those names. It intended to make a profit by either selling them to collectors or other persons who could have a legitimate reason for using them. Amongst the domain names registered were bt.org, marksandspencer.com, sainsbury.com and virgin.org. Consequently, BT, Marks and Spencer, Sainsbury, Virgin and others relying on their trade mark rights brought an action for trade mark infringement and passing off. With regard to passing off, the court found that the mere creation of an ‘instrument of deception’ without either using it for deception or putting it 72
Brands 3.16
into the hands of someone else to do so, was not passing off. There is no such tort as going equipped for passing off. Thus, mere registration of a deceptive domain name is not passing off. But where a domain name is registered with the intention, or is calculated, to infringe in the future, then mere registration will amount to passing off. The court found that, since it is accepted that the name Marks & Spencer denotes Marks & Spencer and nobody else, anybody hearing the name realises that what is being referred to is the business of Marks & Spencer. It followed that the registration of a domain name including the name Marks & Spencer makes a false representation that the registrant, One in a Million is associated or connected with Marks & Spencer. Since a person who carries out a ‘Who is’ search will be told that the registrant is One in a Million, a substantial number will conclude that there must be a connection or association with Marks & Spencer. This false representation the court found constitutes passing off. Furthermore, the registration of the domain name including the words Marks & Spencer is an erosion of the exclusive goodwill in the name, which damages or is likely to cause damage to Marks & Spencer. The court rejected the defendant’s argument that the domain names were being used in the course of trade (ie trading in business names) and was thus fair use. Although not actively using the domain names, by registering them they were blocking the registration of such names by the respective claimants. It was quite clear that the defendants’ intention was to offer to sell the domain names back to the respective claimants. The defendants were ‘equipping themselves’ for misrepresentation, and so were involved in passing off. As for trade mark infringement, assuming section 10(3) of the Trade Marks Act 1994 required the use to be trade mark use and confusing use, threats to infringe had been established. The defendants sought to sell the domain names, which were confusingly similar to registered trade marks. The domain names indicated origin (ie the purpose for which they were registered) and they would be used in relation to services provided by the defendants who traded in domain names. The domain names were therefore registered to take advantage of the distinctive character and reputation of the marks, which was in the court’s opinion unfair and detrimental. The threat of passing off and trade mark infringement and the likelihood of confusion arising from the infringement of the mark were, in the court’s opinion made out beyond argument in this case. The position in the UK since One in a Million is that where the registration of a domain name is intended or calculated to infringe the rights of another, even in the future, the registration amounts to passing off. Domain names comprising names such as Marks & Spencer are instruments of fraud and any realistic use of them would result in passing off. In circumstances where no intention to infringe can be shown, for example where the name used in the domain name does not solely denote the name of the business in question, it is unlikely that the registrant will be found to be making a false representation unless other factors are relevant such as the registrant having registered a significant number of domain names relating to third party businesses or brand names which are considered to be instruments of fraud. 73
3.17 Brands
It should be stressed that while One in a Million was a very important case in relation to rights holders’ ability to recover domain names, the circumstances where recovery is possible under this case are limited and the costs of taking such a matter to court means that the One in a Million case has not made a significant difference to SMEs’ ability to recover domain names through the courts. For those circumstances which fall within the requirements of One in a Million, however, the attitude of the court in One in a Million has been followed, including Britannia Building Society v Prangley LTL 12 June 2000, Radio Taxicabs Ltd (t/a Radio Taxis) v Owner Drivers Radio Taxi Services Ltd (t/a Dial-a-cab) (2001) and Phones 4U Ltd and another v Phone4u.co.uk Internet Ltd and others (2006). In this case, the registrant set up an internet business selling mobile phones (ie the same goods and services that were provided by the claimants). The claimants brought an action against the registrant for trade mark infringement of its red, white and blue logo and for passing off in relation to the registrant’s website. The Court of Appeal confirmed that where a defendant registered the name of a well-known company as a domain name, the domain name was an instrument of fraud and any realistic use of that domain name would result in passing off. It went on to find that on the facts of the case, the claimants had proved that the name ‘Phones 4U’ was an attractive force at the time of registration of the domain name; that goodwill had been established in the name; that the name was not descriptive in the sense that anyone would describe a shop selling mobile phones as ‘Phones 4U’; that as a result there could have been no use of Phone4u.co.uk without deception and that damage had been caused to the claimants as customers were being lured to the defendant’s website by such deception. Accordingly, passing off was established. The court found, however, that there had been no trade mark infringement because the claimants had specifically limited the trade mark application to the colours red, blue and white to ensure that the mark was registered. As such the domain names had to be assessed against the specifics of the trade mark and no infringement resulted. While the above cases prove that a rights holder can persuade a court that its rights have been infringed in certain circumstances, as referred to above, the reluctance to start proceedings for the recovery of a domain name before the courts largely relates to time and expense. In England and Wales, for example, the rightful owner would need to pursue an action before the High Court, which from issue of the claim form to judgment will take approximately 9–12 months and cost upwards of £100,000. It should be highlighted, however, that taking such an action in other jurisdictions such as Germany can be significantly quicker and cheaper and although the introduction of legal costs limits in the UK IPEC (Intellectual Property and Enterprise Court, formerly called the Patents County Court) has not meant that intellectual property actions in the UK are cheap to run, it has helped to a certain extent. Outside these situations, however, the time and cost of proceedings is likely to be the reason why domain name dispute resolution services have become increasingly popular for domain name recovery in the last decade.
Domain name dispute resolution services 3.17 On the recommendation of WIPO, domain name dispute resolution services were introduced by ICANN in 1999. It was thought that there was a requirement for a quick and cost-effective procedure which specifically dealt with registrations that had been made in bad faith, for example, by cybersquatters, and accordingly, 74
Brands 3.17
the uniform domain name dispute resolution policy and procedure (‘UDRP’) was introduced on 26 August 1999 (www.icann.org/resources/pages/policy-2012-0225-en and the associated ICANN UDRP policy rules, www.icann.org/resources/ pages/udrp-rules-2015-03-11-en). Tip Use the UPRP dispute resolution system for top-level domains such as .com, .net or .org. When purchasing a domain name, the UDRP is part of the terms and conditions of agreement and accordingly all domain name owners must accept the policy when they purchase a gTLD domain name from a registrar. Domain names that are purchased using a ccTLD may also use the UDRP but this will depend on the ccTLD in question. For example, the .co.uk ccTLD uses a slightly different policy which is overseen and managed by Nominet (discussed below). Proceedings under ICANN’s UDRP are conducted in accordance with rules of procedure and are subject to any supplemental rules of the selected administrative dispute resolution service provider accredited by ICANN that will administer the proceedings. ICANN does not become involved in the administration or conduct of proceedings (in contrast with Nominet, discussed below). There are five such service providers: WIPO, the National Arbitration Forum, the Asian Domain Name Dispute Resolution Centre, the Arab Centre for Dispute Solution and the Czech Arbitration Court. The terms and conditions of purchase mean that if a dispute arises about the ownership of a particular gTLD or a ccTLD that uses the UDRP, the owner of the domain name must submit to the UDRP and accept the findings of the panel. This does not, however, prevent the parties to the dispute from issuing court proceedings, either before or after the administrative proceedings have been concluded. In general to initiate the procedure, a complainant completes a complaint form in accordance with certain guidelines and sends it to the administrative dispute resolution service provider. Within 20 days of the date of commencement of the administrative proceedings, the respondent (ie the current domain name owner), must respond to the allegations in the complaint. The response must detail the reasons why the domain name owner’s registration of the domain name is justified and thus why the complaint is unjustified. Once the response is received, the procedure depends on whether both parties have elected to have the dispute heard by a single panellist or whether one or both parties have elected a three-member panel. If a single panellist is being used, the service provider will choose that panellist from its approved list and the service provider will forward the file to that panellist. Where a three-member panel is used, each side will have submitted a list of preferred panellists and once the service provider has considered the requests and appointed the three-member panel, again the file is send to these panellists. A panel can request further documents from each of the parties in a dispute but it is very unlikely that they will ever require an in-person hearing. The panel makes its decision based on the written evidence before it and will, in most cases, forward its decision to the service provider within 14 days of being appointed. The decision 75
3.17 Brands
will be in writing and will set out the reasons for the decision, the date the decision was made and will provide the name(s) of the panellist(s). The panel can decide to maintain the status quo (ie keep the current domain name owner as the domain name owner; cancel the current domain name or order that the domain name be transferred to the complainant). Within three days of receiving the decision, the service provider communicates the decision to each party, the concerned registrar and ICANN. The concerned registrar will then implement the decision and will inform the parties, the service provider and ICANN of the date on which the decision was implemented. Where one party does not agree with the decision, it is possible to challenge a decision by a panel in certain courts. However, where the decision is to cancel or transfer the domain name in question, the respondent will need to initiate proceedings before the court in question and present a copy of those proceedings to the registrar before it takes steps to implement the decision of the panel. Provided the respondent does this, the registrar will take no action in line with the panel’s decision until the registrar has evidence that the dispute has been finally resolved one way or the other. The proceedings carried out under the UDRP are not confidential. Service providers publish limited information about the domain name that is in dispute, the status of the case and the date of the commencement of administrative proceedings on their websites once the complaint has been filed and at the conclusion of proceedings. All written decisions are available under a search function on the relevant website. The complainant will, in most cases, be responsible for all their costs of initiating a complaint, including if it should ‘win’ and have the domain name transferred to it. The only circumstances where a respondent will be liable for anything other than its own costs of filing the response will be where it has elected a three-member panel and the complainant requested a single panellist to decide the dispute. It is clear that ICANN’s UDRP is much more efficient in terms of time and cost than court proceedings, however, as mentioned above, a complaint using the UDRP can only be used in particular circumstances. The requirements for a complaint and response are set out below. In summary, when a complainant files a complaint under the UDRP, it must show three things: •
that the domain name owner has registered a domain name which is identical or confusingly similar to a trade/service mark in which the complainant has rights;
•
that the registrant has no rights or legitimate interests in the domain name in question; and
•
that the domain name in question has been registered and is being used in bad faith.
Each of these elements must be examined in more detail because the utilisation of the UDRP over the years has provided more information about each of the above elements. For example, in relation to the requirement set out at the first bullet point above, the consensus view of panellists is that the rights owned by the 76
Brands 3.17
complainant do not have to have registered rights in an identical or confusingly similar mark to the disputed domain name. The complainant can also make a complaint if it has acquired unregistered rights in such a mark provided that it can show that the mark has become a distinctive identifier associated with the complainant or the complainant’s good and services. It is also generally accepted that the complainant can refer to registered rights which post-date the registration of the domain name (although the complainant should note that it may be difficult to prove a bad faith registration in such a case). It is therefore very important that a complainant looks at both the rights it owns and the rights which can be referred to in a complaint so that the best arguments are provided to the panel. Panellists appreciate that it is difficult for the complainant to prove the second element of the grounds for a complaint (ie that the respondent has no rights or legitimate interests in a domain name). Thus, rather than having to prove a negative, the complainant has to show that it is not aware of any legitimate rights or interests owned by the current domain name owner and the reasons for those beliefs. Once the complainant has made out a case for the respondent not having such rights, it is for the respondent to prove otherwise in the response. Finally, the ground which is often considered the most difficult one to prove by the complainant is the requirement to show that the registration and use of the mark by the domain name owner was made/used in bad faith. ICANN’s UDRP sets out a non-exhaustive list of circumstances which will give rise to a finding that there has been a bad-faith registration and use: •
the domain name was registered or acquired primarily for the purpose of selling, renting or otherwise transferring it, either to the complainant or a competitor of the complainant, for consideration in excess of the registrant’s out-of-pocket expenses;
•
the domain name was registered in order to prevent the owner of the trade/ service mark from obtaining a corresponding domain name (provided that the registrant has engaged in a pattern of such conduct);
•
the domain name was registered primarily for the purpose of disrupting the business of a competitor; or
•
the registrant, by using the domain name, intentionally attempted to attract internet users to its website or other on-line location for financial gain, by creating a likelihood of confusion with the complainant’s mark as to the source, sponsorship, affiliation or endorsement of the registrant’s website or location or of a product or service on the website or location.
If the domain name owner’s registration/use of the domain name falls within one of the above circumstances and the respondent does not have a valid response to the complaint, the panel will find that the respondent has registered/used the domain name in bad faith. It is clear, however, from the UDRP and cases decided under the UDRP that circumstances outside of the above examples may also result in a decision that the registration or use of the disputed domain name was made or used in bad faith by the respondent. For example, bad faith can be found where the domain name was registered before the complainant’s rights existed in circumstances where the respondent was aware of the complainant’s intended use of the mark and registered 77
3.18 Brands
in anticipation that the domain would become valuable to the complainant. It is also possible to show a bad faith registration under the UDRP where the domain name owner is not actively using the domain name or offering it for sale. A finding of bad faith will be dependent on the facts of the dispute in question but persuading factors will include the use of a well-known mark, no response to a complaint, the domain name holder concealing his identity and contact details and the domain name holder not having any possibility of having made a good faith registration. Where a complainant feels it can prove that the domain name holder has made a bad faith registration but cannot prove it on the basis of the non-exhaustive list of reasons, it would be advisable for the complainant to seek advice from a legal specialist before making a complaint. Where a complaint has been received, the respondent can respond in one of two ways. It can choose to ignore the complaint or it can file a response. If it ignores the complaint, the panel can draw inferences from this failure but they will not automatically find in favour of the complainant. If the complainant has not provided adequate grounds for the complaint, a panel could still find in favour of the respondent. If the complainant has established sufficient grounds, it is likely that the respondent’s lack of response will result in the panel finding in favour of the complainant. Paragraph 4(c) of the UDRP policy provides non-exhaustive examples of how the respondent can demonstrate that it has legitimate rights to a domain name, namely: (a) before notice of the dispute, the registrant’s use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name was in connection with a bona fide offering of goods or services; (b) the registrant has been commonly known by the domain name (even if no trade/service mark rights have been acquired); or (c) the registrant is making a legitimate non-commercial or fair use of the domain name, without intent for commercial gain to misleadingly divert customers or to tarnish the trade mark or service mark at issue. This latter example would include legitimate criticism websites (ie where a person registers a domain name which uses another’s legitimate rights so that the latter can legitimately criticise the rights holder). It should be noted that depending on the facts, panel decisions have been divided on whether the use of domain names which use the rights holder’s marks can be justified on this ground.
Nominet procedure 3.18 The body responsible for overseeing the ‘.uk’ ccTLD referred to as Nominet. Nominet has introduced its own domain name dispute resolution policy and procedure known as DRS (www.nominet.uk/domain-support/uk-domaindisputes/). This is similar to ICANN’s UDRP but is not the same in terms of the grounds that must be proved or the procedure that must be followed. The main differences of the Nominet procedure when compared with the ICANN UDRP are: 78
Brands 3.18
(a)
the dispute is overseen by Nominet itself;
(b)
at the time of writing, the complaint/response can be filed in hard copy, fax and/or by electronic communication, although electronic communication is preferred;
(c)
there is an informal mediation period prior to an expert(s) being appointed to reach a decision on the dispute. So briefly, the procedure is complaint, response, mediation, payment of fee and expert determination;
(d) the fee is paid only if informal mediation fails and that fee varies depending on whether the respondent responds to the complaint or not; and (e) a decision can be appealed by a body within Nominet called the Appeal Panel. The main differences with the grounds for complaint are: (a)
the grounds which a complainant must prove are slightly different – there is an ‘abusive registration’ requirement instead of a bad faith registration; therefore
(b) the grounds which a respondent must invoke to dispute the complaint are slightly different; and finally (c)
the Nominet policy provides more examples of what constitutes an abusive registration and more examples for the respondent as to how they can rebut the complainant’s allegations of an abusive registration.
In order to illustrate abusive registration, the complainant must show on the balance of probabilities that: (a)
at the time registration or acquisition took place, the domain name(s) took unfair advantage or was unfairly detrimental to the complainant’s rights; or
(b)
the domain name was based in a manner which took unfair advantage of or was unfairly detrimental to the complainant’s rights.
Guidance as to the factors that may be evidence of such a registration can be found in Nominet’s policy. There is a non-exhaustive list of factors including circumstances that indicate that the domain name was registered (or otherwise acquired): (a) primarily for the purposes of selling, renting or otherwise transferring it to the complainant or to its competitors at a premium (ie in excess of the registrant’s out-of-pocket registration expenses); (b)
as a blocking registration against a name/mark in which the complainant has rights; or
(c)
primarily to unfairly disrupt the complainant’s business,
or is being used: (a) in a way in which does or threatens to confuse people or businesses into believing that the domain name is registered to, operated by or otherwise connected with the complainant; or 79
3.18 Brands
(b) as part of a pattern of making registrations by the registrant where the registrant has registered a well-known domain name in which it has no apparent rights; or (c)
with false contact details provided that fact is independently verified; or
(d) as a result of a relationship between the complainant and respondent and the complainant has: •
used the domain name registration exclusively;
•
paid for the registration and/or renewal of the registration.
It should be noted that the policy makes it clear that failure by the registrant to use the domain name for the purposes of email or a website will not in itself be evidence of an abusive registration. It also indicates that there will be a presumption of an abusive registration where the complainant shows that the respondent has been found to have made an abusive registration on three previous occasions under the Nominet procedure in the two years before the complaint was filed. Nominet provides more detailed guidance in its policy as to how a respondent demonstrates that the disputed domain name was not registered abusively. The non-exhaustive list includes circumstances where, prior to the complaint: (a) the registrant has used or made demonstrable preparations to use the domain name or one similar in connection with a genuine offering of goods or services; (b) the registrant has been commonly known by the name or legitimately connected with a mark which is identical or similar to the domain name; (c) the registrant has made a legitimate non-commercial or fair use of the domain name (fair use including sites operated solely in tribute to or in critics of a person/business). Further: (a)
the domain name is generic or descriptive and the registrant is making ‘fair use’ of it (again, fair use including sites operated solely in tribute to or in criticism of a person/business);
(b) where the complainant has claimed that there was a previous relationship between the parties but that it exclusively used the disputed domain name and paid to maintain it, the respondent shows that its holding on the disputed domain name is consistent with an express term of a written agreement; (c)
in relation to an allegation that the registration is part of a pattern of abusive registrations whether ultimately determined by Nominet or otherwise – the respondent shows that the presumption of an abusive registration should be rebutted because in this case the disputed domain name is of a different character or type to the other domain names that it had or has registered.
In summary, provided the circumstances of a domain name dispute fall within the grounds of a domain name dispute resolution service, be it for a gTLD or a ccTLD, a rights holder with a concern about the use of a domain name by a third party is likely to be better pursuing such a service rather than court proceedings. Accordingly, domain name dispute resolution services are important tools to be 80
Brands 3.20
aware of either to be used solely for recovery of a domain name(s) or as part of a wider strategy of action by a rights holder against a person infringing its rights in a variety of ways.
Adwords Online advertising 3.19 As described in Chapter 5, online advertising covers a range of advertising activities on the internet including advertising by email, display advertising (banner adverts), marketing by use of social networking sites such as Twitter, LinkedIn, and Facebook as well as use of services such as WhatsApp, Snapchat and TikTok, blogs and search engine marketing and driving traffic through affiliate websites. Since the last edition of this book was produced over the last ten years the changes and growth of internet advertising, how it is undertaken and the way the law including the EU General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 apply to this area have been some of the largest areas of change. Search engine marketing covers a number of different marketing practices, including search engine optimisation, paid inclusion and paid-for listings or ‘paid search’. The latter involves the acquisition (usually through a competitive auction) by advertisers of ‘keywords’, which when entered as search terms by users of the relevant search engine, trigger the display of the advertisers’ listing next to the so-called ‘organic’ or ‘natural’ search results. These are known as the ‘sponsored links’. The sponsored links usually consist of a line or so of text together with a link to the advertiser’s website. Google’s AdWords system is the most widely known and the most popular example of paid search by far but Yahoo! and Microsoft’s Live Search also offer similar systems. This type of paid-for search engine marketing is one of the cornerstones of an online advertising market in which advertisers spent well over £1.7 billion in the first half of 2009 in the UK and 6.72 billion in 2018.1 In 2018 search engine advertising was 50% of the total UK ‘ad spend’; 51% is now on smartphones, a big change from ten years ago when people tended to access the internet on their personal computers, laptops and other large devices. The 2018 figures showed that UK advertisers spent £13.44 billion on digital advertising in 2018.
Brand names as keywords 3.20 One of the major selling points of paid search is its ability to deliver contextualised, targeted information to search engine users. In a nutshell, users are shown only sponsored links which are relevant to the topic(s) for which they are searching, thereby increasing the likelihood of advertisers being able to convert those users into customers. The key way this is achieved is through 1 Source: The Internet Advertising Bureau Online Adspend Study – H1 2009 and IAB 2018 Digital Adspend Study.
81
3.21 Brands
the use of keywords. Unsurprisingly, given the strong association of many brands with particular goods and services, brand names have become highly sought after keywords, particularly by competitors offering the same or similar goods and services. An example would be Pepsi purchasing the keyword ‘Coca-Cola’ in order to ensure Pepsi sponsored links are displayed when users search using that keyword.
Controls on use by unauthorised parties 3.21 Historically, outside the United States and Canada, brand owners have been able to rely on search engines to restrict not only the display of sponsored links featuring their trade marks but also the purchase by unauthorised third parties (including competitors) of keywords incorporating trade marked terms to trigger the display of sponsored links. The only requirement in each case was that brand owners notified the search engines of the relevant trade marks, produced reasonable proof of their rights to those trade marks and specified which entities were authorised to use them. These restrictions applied both to registered and unregistered trade marks. However, legal developments since 2008 have caused some search engines to change their policies on this issue, leading to a substantial relaxation of these restrictions and thereby significantly weakening the ability of brand owners to control the exploitation of their brands online. Not only has this increased the cost to brand owners of bidding for keywords incorporating their own trade marks, which many will feel compelled to do in order to protect their rights in those marks, but it has also allowed competitors to benefit from the goodwill and reputation in those trade marks by ensuring their adverts are displayed when users search for another brand.
The ‘Mr Spicy’ ruling 3.22 The first key development came in the English High Court decision in Wilson v Yahoo! UK Ltd and another (known as the ‘Mr Spicy’ case) in 2008. Mr Wilson carried on a mobile catering business selling fast food from a trailer at festivals throughout London under the name ‘Mr Spicy’. He had registered ‘Mr Spicy’ as a Community Trade Mark for food, sauces and spices and providing food and drink. Mr Wilson complained that when ‘Mr Spicy’ was typed into the Yahoo! search engine sponsored results for Sainsbury’s and PriceGrabber.co.uk, a price comparison site, were triggered. He claimed that this amounted to trade mark infringement by Yahoo! and brought proceedings in the High Court. On the facts, Mr Wilson’s claim failed. Neither Sainsbury’s nor Pricegrabber.co.uk had ever bid on ‘Mr Spicy’ as a keyword. They had, in fact, bid on the word ‘spicy’ and the Yahoo! search engine technology was therefore responding to the input of ‘Mr Spicy’ with sponsored results for these advertisers. The High Court found that using that the word ‘spicy’ in this way could not amount to an infringement of Mr Wilson’s trade mark. The court went on to consider what the position would have been had Yahoo! made ‘Mr Spicy’ available as a keyword. Would this have amounted to trade mark 82
Brands 3.23
infringement? The court considered the earlier case of Arsenal Football Club Plc v Reed (2003). In that case the High Court had held that a trade mark owner may only prohibit the use of a sign identical to its trade mark if that use affected the function of the trade mark as a guarantee of the origin of the goods bearing it. Applying the Arsenal decision to this case, the court found that use of ‘Mr Spicy’ as a keyword would not have affected Mr Wilson’s interest in the mark or caused it to fail as a guarantee of origin as no-one seeing the sponsored results of Sainsbury’s and PriceGrabber.co.uk would think that they had any connection to Mr Wilson or that the goods they sold had Mr Wilson’s business as their origin. Furthermore, the text of the Sainsbury’s and PriceGrabber.co.uk adverts made no reference to Mr Wilson’s business. This decision opened the way for search engines to make brands freely available as keywords. On 5 May 2008, Google amended its keyword policies in the UK and Ireland to allow anyone to bid for and use trade marked terms as keyword triggers – this included keywords that had been previously blocked following complaints by trade mark owners.2 The prohibition on unauthorised parties incorporating another’s trade marked terms in advertisements themselves was not, however, changed. This harmonised Google’s approach in the UK and Ireland with that in the United States and Canada. From 14 September 2010, Google’s existing US, Canada, UK and Ireland policy was extended to the rest of the EU. Also from 14 September 2010, Google introduced a new complaints policy for Europe (not the US or Canada). Trade mark owners are able to complain about selection of their trade mark as an Adword by the third party if they believe that it leads to ad text which confuses users about the origin of the advertised goods or services. Google will then conduct a limited investigation and, if necessary, remove the ad. This brings Google’s position into line with one ruling of the then ECJ in Google France (see below). The trade mark policies of both Yahoo! and Microsoft Advertising remain more restrictive than those of Google. Microsoft prohibits bids on keywords ‘whose use would infringe the trademark of any third party’.3 Yahoo! only allows keyword bids on trade marked terms if ‘the advertiser presents content on its website that: (a) refers to the trade mark or its owner or related product in a permissible nominative manner without creating a likelihood of consumer confusion (eg sale of a product bearing the trade mark, or commentary, criticism or other permissible information about the trade mark owner or its product); or (b) uses the term in a generic or merely descriptive manner’.4
Trade mark infringement 3.23 Although significant, the decision in the Mr Spicy case has been criticised. The fact that the claimant did not have legal representation also undermines the usefulness of the judgment. Consequently, it never really settled the law conclusively in the UK and uncertainty on the legality of using trade marked terms as keyword triggers also remained in Europe. In contrast, in the United States and Canada,
2 Google Adwords Trademarks Complaint Procedure. 3 Microsoft adCentre Trademark Policy. 4 Legal Guidelines from Yahoo! Search Marketing.
83
3.24 Brands
previous court decisions had ruled that use of trade marked terms as keywords to trigger the display of advertising, without the trade mark owner’s permission, was not trade mark infringement.
A legal ruling from Europe 3.24 In March 2010 a ruling of the then European Court of Justice (ECJ) provided some much needed clarity on this issue. The ruling came in three joined references from the French courts in the cases of Google France v Louis Vuitton Malletier, Google France v (1) Viaticum (2) Luteciel and Google France v CNRR (2005). In each case the brand owners’ trade marks were being used as keywords in Google’s Adwords system. Entering these words into Google’s search engine triggered the display of sponsored results consisting of advertisements for sites offering identical products to those sold by the brand owners. In the Louis Vuitton reference, advertisements for sites offering counterfeit goods were triggered. The brand owners had sued Google for trade mark infringement in the French courts and Google had been found liable both at first instance and on appeal. The highest appeal court subsequently referred the cases to the ECJ for a preliminary ruling on whether the use by Google in its Adwords advertising system of keywords corresponding to trade marks was in fact trade mark infringement under the EU Trade Marks Directive. The ECJ held that offering registered trade marks as keywords and displaying adverts in response to the keywords was not trade mark infringement by Google. There was no use of the keywords by Google itself that could amount to trade mark infringement. Google was simply creating the online environment in which advertisers could operate. In relation to the liability of the advertisers buying the keywords, the ECJ held that using keywords corresponding to trade marks would be trade mark infringement if the sponsored link triggered by the keyword did not make it clear who the advertiser was. For example, the one or two lines of text in the sponsored link might suggest some economic connection between the advertiser and the brand owner or be vague on this issue such that an internet user would be confused about the identity of the business behind the sponsored link. Only in these circumstances would use of the keyword amount to trade mark infringement. Here the brand owner would be able to prevent further use of the keyword by bringing an action for trade mark infringement. However, if the sponsored link were clear about the identity of the business behind it and left no room for confusion on this issue amongst internet users then there would be no trade mark infringement by the advertiser and the brand owner could not object to the continued use of the keyword. Trade mark laws across Europe are harmonised (by the Directive) and so the ECJ’s judgment binds the courts of all the EU Member States including the UK as the decision was before the UK left the EU and there are no plans for divergence as at the date of writing in 2020. From a brand owner’s perspective the decision was disappointing (although helpful in so far as that brand owner might want to use a competitor’s trade mark in its own AdWords use to entice the competitor’s 84
Brands 3.26
customers to itself). At the time of writing, the current legal position in Europe is that a brand owner cannot prevent a competitor using a keyword which is identical to its trade mark in relation to goods identical to those sold by the brand owner unless the competitor’s sponsored link suggests an economic connection between the brand owner and competitor or is ambiguous about this.
Another European ruling 3.25 Since the Google France cases, the ECJ has given another ruling on the keywords issue. This time the reference to the then ECJ was made by the Dutch courts in the case of Portakabin v Primakabin (Case C–558/08). Portakabin manufactured and supplied mobile buildings and was the proprietor of the registered trade mark ‘PORTAKABIN’. Primakabin sold and leased new and secondhand mobile buildings. In particular, it sold second-hand Portakabin buildings. Primakabin reserved PORTAKABIN and the misspellings PORTACABIN, PORTOKABIN and PORTOCABIN as search engine keywords. Portakabin brought proceedings for trade mark infringement and the Dutch appeal court referred various questions on the law in this area to the ECJ. Unsurprisingly, the ECJ confirmed its earlier ruling in Google France. However, it went further in that it considered the position in relation to three keywords which were misspellings of Portakabin, namely PORTACABIN, PORTOKABIN and PORTOCABIN. It said that these keywords were similar to Portakabin’s trade mark (rather than identical to it which had been the position in Google France). It held that a brand owner could only stop a competitor from using a keyword which was similar to its trade mark in relation to goods identical to those sold by the brand owner if there was a likelihood of confusion amongst Internet users. There would be such confusion where the advertisement in the competitor’s sponsored link suggested an economic connection between the brand owner and the competitor or was ambiguous about this. This is, in effect, the same test as where a competitor uses a keyword identical to a registered trade mark in relation to goods identical to those sold by the brand owner. So, the Portakabin case does not change the position of brand owners for better or worse. Currently, they may not stop a competitor from using a keyword which is identical or similar to their trade mark in respect of goods identical to those sold by the brand owner unless the competitor’s advert triggered by the keyword suggests an economic link between competitor and brand owner, or is ambiguous about whether such a link exists.
Interflora v Marks & Spencer and other cases 3.26 In Interflora v Marks & Spencer [2014] the Court of Appeal, overturning the court below, held that when M&S bought AdWords such that those searching the internet for ‘Interflora’ (flowers) would be shown an M&S sponsored link for M&S flowers this did not breach Interflora’s trade mark rights. Customers could easily see the results were ‘sponsored’ and not the natural search result and would not be confused. 85
3.27 Brands
Victoria Plum Ltd (t/a Victoria Plumb) v Victorian Plumbing Ltd [2016] EWHC 2911, L’Oreal v eBay and Lush v Amazon have all reached similar conclusions. In Victoria Plum the keywords purchased led to advertising which was confusingly similar and therefore there had been infringement of the registered trade mark concerned. In L’Oreal v eBay [2011] Case C-324/09 (L’Oréal SA, Lancôme parfums et beauté & Cie, Laboratoire Garnier & Cie, L’Oréal (UK) Limited v eBay International AG, eBay Europe SARL and eBay (UK) Limited) the CJEU held that companies such as eBay could be liable if the resulting advertisements did not allow users to distinguish the genuine product from the counterfeit. If the intermediary such as eBay plays an active role, then liability may attach to it notwithstanding the provisions of the Electronic Commerce Directive. In Lush v Amazon [2014] EWHC 181 (Ch) Amazon used ‘Lush soap at Amazon’ to promote products which were not ‘lush’ soap. Infringement of trade mark was found. In Cartier v BSkyB [2016] EWCA Civ 658, Court of Appeal, the court looked at similar issues. It held that trade marks owned by Cartier (itself owned by Richemont) had been infringed by internet service providers (‘ISPs’) including BskyB. ISPs should block access to content which infringes trade mark rights where the ISP has knowledge of the infringement. The Supreme Court ([2018] UKSC 28) subsequently held that the brand owners should however pay the legal costs of any blocking injunction applications against ISPs. In the words of Lord Sumption giving the principal judgment of the Supreme Court ‘When an injunction is obtained against an innocent intermediary to prevent the use of his facilities by wrongdoers for unlawful purposes, who should pay the cost of complying with the order?’ The answer was that the brand owners should pay. As costs often determine if litigation takes place, the costs judgment in practice is just as important as the Court of Appeal’s substantive decision in the action that the injunctions could be obtained against the ISP intermediaries where they had knowledge of infringement.
Key messages 3.27 •
Brand owners should not rely on their ‘common law’ rights to protect their brands but should ensure they register their brands as trade marks in the UK and in the EU.
•
A domain name strategy needs to take account not only of Generic Top Level Domains (eg .com) but also newer forms of domain name such as the new Internationalised Domain Names in non-English jurisdictions.
•
In taking action against persons who use domain names that contain infringing trade marks, brand owners should always consider the dispute resolution services offered by ICANN and Nominet prior to any court action. While similar, the ICANN and Nominet procedures contain important distinctions on which advice should be sought.
86
Brands 3.27
•
Brand owners should adopt a proportionate and cost-effective response as a consequence of the effect of the Adwords’ policy. Brand owners may wish to acquire keywords for their own trade marks (as well as those of their competitors). Whilst this will incur cost, it is likely to disrupt their competitors’ keywords advertising strategies. In addition, it is still open to brand owners to challenge competitors in respect of specific instances of authorised use of their trade marks in the advert content.
87
Chapter 4
Data in a digital world Introduction 4.1 Today there is more and more personalisation of the internet experience. A noticeable trend associated with this is the way the consumer can set his or her privacy standards on key networking sites such as Facebook. Website privacy policies are also coming under unprecedented public scrutiny not least in the EU through the then new General Data Protection Regulation in 2018 (and the UK Data Protection Act 2018). Even back in 2009, Facebook was forced to reverse a change to its policy on ownership of user data within days of a media storm arising around the issue. This may be contrasted with the more traditional view that personal data is just a commodity to be used and transferred globally with minimum compliance with data protection laws. Even California and New York have or are moving towards EU-style data protection legislation. This chapter: •
reviews the way that personal data is collected in an electronic environment;
•
provides an overview of the Data Protection Act 2018 and EU General Data Protection Regulation where relevant and explains the obligations in respect of cross-border data transfers by service providers;
•
examines the meaning of personal data on the internet, including specific issues such as whether Internet Protocol (IP) addresses constitute personal data;
•
reviews the higher standards that now apply to electronic marketing as a result of both the E-Privacy Directive (due to be replaced by a similar directive in the EU in 2021 once it is agreed) and the ASA Code;
•
provides an overview of the law of privacy in an online context;
•
reviews the rules on the use of location data, data retention, monitoring and surveillance.
How the cookie crumbles – an overview of datacollection technologies and techniques and Big Data – the new Gold Rush 4.2 Data is the currency of the internet. Collecting, analysing and selling data forms an increasingly crucial part of the business models of the world’s biggest and most successful online companies. Much of this data is obtained from internet users themselves and is used for developing business strategy and often to sell
88
Data in a digital world 4.5
advertising. In this way, ‘free’ services such as search engines, email accounts and social networking sites can be financially viable business models and thus they are available to consumers. Without the advertising revenue, companies would in many cases be unable to provide those services to consumers. ‘Big Data’, as it is called, was in a sense by 2020 the new ‘Gold Rush’. Those tech companies trading in data even during the COVID-19 pandemic found their business continued and expanded and thrived in a way that companies which depended on ‘bricks and mortar’ (physical retail shops) did not. The importance of data collection on the internet is shown by the multitude of technologies and methods by which data is collected from users. Such data can be divided into two broad categories: ‘provided data’ and ‘harvested data’.
Provided data 4.3 This is data submitted directly by a user in a ‘traditional’ manner (eg by typing it into a website). Examples of provided data include: •
transactional data (eg credit card data and postal addresses);
•
website registration details (eg email addresses and dates of birth); and
•
information posted on UGC websites (eg social networking sites and blogs; see Chapter 5).
Harvested data 4.4 Data harvesting is a technique that builds up a profile of a user over time by aggregating information that is derived automatically from their online activities. It relies on a method of recognising individual users as they visit websites as a consequence of the technologies by which personal computers access the internet. At a basic level, a user can be ‘remembered’ when they revisit a website and perhaps receive a personalised greeting on the homepage. By tracking users’ activities as they move through websites and indeed when their mobile telephones pass a particular advertising display on a street and the like, more sophisticated data harvesting can allow data collectors to analyse their users’ location and language and their hobbies, interests and purchasing habits. Several alternative technologies can be used in the process of obtaining harvested data, which are essentially different ‘labels’ that can be applied to individual users so that they can be recognised. Data about the user can be harvested by recording information every time the data collector sees the label (eg which web pages the user visits, when they visit them and the order in which they move between different web pages).
IP addresses 4.5 An Internet Protocol (IP) address is a numerical label (eg 123.234.123.234) assigned to a device that is communicating using the Internet Protocol (see Chapter 1). Every internet user obtains an IP address from their internet service 89
4.6 Data in a digital world
provider (‘ISP’) when they connect to the internet. Every website has an IP address to which users are directed when they visit the website. Some users’ IP addresses are ‘static’, meaning that every time the user connects to the internet they will have the same IP address. However, most domestic internet users have a ‘dynamic’ IP address, meaning that their ISP assigns them a new IP address each time they connect to the internet. Dynamic IP addresses are of limited value for data harvesting. If a data collector labels a user by their IP address alone when they visit a website, the next time the user visits the website their IP address will probably be different, meaning the data collector will not recognise them and will not associate the previous harvested data with the user. Accordingly, most data collectors use IP addresses for aggregated demographic purposes (eg working out which countries provide the most visitors to their websites) rather than for profiling individual users.
Cookies 4.6 Cookies were developed (in part) to resolve the shortcoming of dynamic IP addresses for user profiling. When a user visits a website that uses cookies, the website sends a cookie (a small text file that contains a unique label or ‘cookie ID number’) to the user’s browser software and (if it is a ‘persistent’ cookie rather than a temporary ‘session’ cookie) it is stored on their computer even after they leave the website and disconnect from the internet. When the user revisits the website at a later date, their browser software returns the cookie ID number to the website, allowing the website to recognise the user and therefore to acquire further harvested data about that user. A widely used analogy is that cookies are like dry-cleaning tickets: cookies are the ‘tickets’ which allow websites to recognise returning users in the same way as dry-cleaning tickets allow laundrettes to return the correct clothes to each customer.
Web-bugs 4.7 Web-bugs are small, often invisible, graphics files embedded into individual web pages. These are used to track users as they move through websites. When the image is loaded, the user’s browser software sends additional data to the website, such as the user’s IP address, browser type and the time that the web page is visited. Web-bugs can interact with cookies on the user’s computer which relate to the same website, maximising the amount of useful harvested data that can be obtained about the user. Web-bugs are also commonly used in emails to determine whether a particular user has read an email.
Webwise/Phorm 4.8 Webwise was a data harvesting system operated by the advertising technology company Phorm. Unusually, Webwise operated at ISP level (rather than at the level of individual websites) and used ‘deep packet inspection’ technology to enable ISPs to analyse their users’ network traffic, thereby identifying keywords on every search they make and website they visit. Phorm used this harvested data to produce targeted advertising. This is of historical interest and has been retained for this 2020 edition of the book. 90
Data in a digital world 4.10
BT’s trial of the Webwise software in 2006–7 proved controversial, not least because its users were not informed that their browsing habits were being tracked (see further paragraph 4.49 below). Several companies, including Amazon and the Wikimedia Foundation (the organisation behind Wikipedia), chose to opt out of the Webwise system and blocked Phorm from scanning visits to their websites. The controversy surrounding Webwise focused on two issues: first, whether its unusual use of cookies complied with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (see paragraph 4.30 below); and, second, whether its surveillance of users’ browsing habits was in breach of the then Regulation of Investigatory Powers Act 2000 (‘RIPA’) (this Act has now been replaced by RIPA 2016).1 In 2008, the Information Commissioner’s Office (ICO) gave its qualified approval to the system as long as it was on an opt-in, not opt-out basis. In 2016 Phorm ceased trading.
Combining harvested data and provided data 4.9 A powerful tool in the data collector’s toolkit is to combine harvested data with provided data which the data collector already holds about the user. This can allow the data collector to ‘put a face to a name’ in digital terms by adding valuable harvested data to its record of an identified user. For example, Amazon uses cookies to recognise users when they visit its website. If the user has already provided their personal details and registered an Amazon account, then the cookie ID number is automatically linked to their account. This means that Amazon knows who the user is as soon as they arrive at its website, so the user can make new purchases without providing any further personal information. Amazon also makes recommendations to users based on their previous purchases, and (by default) displays personalised third-party advertising based on certain data it holds about the user. Users on Amazon can opt out of receiving ‘interest based ads’ at any time.
Targeted advertising 4.10 One of the state-of-the-art uses for harvested data is in targeted or behavioural advertising: advertising that is based on information held about the user to whom it is directed. This information may comprise: •
harvested information about the user’s perceived interests based on their previous browsing habits; or
•
(less commonly) a mixture of this harvested information and certain provided information about the user such as their age, sex, location or interests.
This process is managed by ad-serving companies (effectively an intermediary between advertisers and publishers) such as what was Doubleclick (a company now owned by Google and merged into Google in 2018), and depends on cookies.
1 A detailed analysis of RIPA is beyond the scope of this book. The latest RIPA replacing the original statute is RIPA 2016 – see www.gov.uk/government/collections/investigatory-powers-bill.
91
4.10 Data in a digital world
When a user visits a web page that includes advertisements provided by a third party ad-server, a so-called ‘third party cookie’ communicates between the user’s browser and the ad-serving company. The ad-serving company notes the cookie’s ID number, thus learning that the user whom that cookie is labelling has viewed the web page. The web page also sends information to the ad-serving company about the contents of the web page – for example, it may be a page about sports. The resulting data (which may be owned by the ad-serving company or its advertiser client) is harvested data about the user’s interests. Over time, a profile of the user is tel − LRIB PAGE: 5 SESS: 22 OUTPUT: Fri Dec 3 15:43:52 2010 SUM: 5D49A658 built up – if the user visits a lot of web pages about sport, the ad-serving company l/booksxml/ecc/chap04 learns that the user is interested in sport. This takes place without any provided data being supplied by the user. Later, the user may visit another web page that includes an ad-served advertisement provided by the same ad-serving company on behalf of the same advertiser client. When the web page asks the ad-serving company for an advertisement, even if the user has never visited that particular web page before, the ad-serving company now knows that the user is interested in sport, so it is more likely to supply a sports-related advertisement for display on the 4.10 Data in athe Digital World web page. Thus, advertisement is targeted at the user based on their previous behaviour. advertisement on the web Thus, the is targeted at Provided data for candisplay be combined withpage. harvested dataadvertisement in targeted advertising. If the user based on their previous behaviour. the user provides data to one website that uses targeted advertising (eg when
registering with the theywith mayharvested give demographic information about Iftheir Provided data can bewebsite combined data in targeted advertising. the age, sex and location or their interests) this data may sometimes be shared with user provides data to one website that uses targeted advertising (eg when ad-serving with companies who then to better target advertisements on other registering the website they use mayitgive demographic information about their websites. However, ad-serving companies generally avoid using information age, sex and location or their interests) this data may sometimes be shared such with as users’ names, addresses and email targeted advertisingon without ad-serving companies who then use it addresses to better in target advertisements other users’ express consent. websites. However, ad-serving companies generally avoid using information such as users’ names, addresses and email addresses in targeted advertising without Targeted advertising users’ express consent.is controversial from a data protection and privacy angle, not least because users may well be unaware that they are being tracked (see paragraphs 4.16 and 4.49 belowfrom for further analysis of and the relevant law). In Targeted advertising is controversial a data protection privacy angle, nota study because carried out by the of California Pennsylvania September least users mayUniversities well be unaware thatand they are being intracked (see 2009,2 84%4.16 of respondents objected targeted advertising they law). foundIn outa PARAGRAPHS AND 4.47 below fortofurther analysis of thewhen relevant it would happen them on websites. In July 2009, in a coalition of study carried out by by tracking the Universities ofother California and Pennsylvania September 2 84% American marketing trade bodies agreed a set of advertising seven ‘Self-Regulatory Principles 2009, of respondents objected to targeted when they found out Online Behavioral Advertising’ included a proposal to introduce a logo itforwould happen by tracking themwhich on other websites. In July 2009, a coalition of to indicatemarketing when antrade advert was aagreed behavioural The principles came into American bodies a set ofadvert. seven ‘Self-Regulatory Principles effect in the US in early 2011 as3part of included a self-regulatory programme in the US for Online Behavioral Advertising’ which a proposal to introduce a logo (source: https://youradchoices.com/) and one of theThe companies, to indicate when an advert was a behavioural advert. principles the will Interactive come into Advertising has rolled the of usea of a similar logoprogramme across the UK and EU. effect in theBureau, US in early 2011 out as part self-regulatory and one of the companies, the Interactive Advertising Bureau, has since announced that it Figure to 1: The logothe that will used tologo labelacross behavioural intends roll out use ofbe a similar the UKadvertisements. and EU. Figure 1: The logo that will be used to label behavioural advertisements in the US.
(source: www.aboutads.info) In May 2010, the Office of Fair Trading (‘OFT’) published the results of a market study online targeting of advertising and prices,4 which included an exami2 See into http://graphics8.nytimes.com/packages/pdf/business/20090929-Tailored_Advertising.pdf. nation of behavioural advertising and customised pricing. The study particularly focused on situations where prices are 92 individually tailored using information collected about a consumer’s internet use. The OFT found that 60% of consumers would take no action at all if given the option to opt out of behavioural advertising. It recommended the development of ‘clear ad’ notices alongside behavioural adverts including information about opting out, and encouraged the
Data in a digital world 4.12
In May 2010, the then Office of Fair Trading (‘OFT’) (now the Competition and Markets Authority) published the results of a market study into online targeting of advertising and prices,3 which included an examination of behavioural advertising and customised pricing. The study particularly focused on situations where prices are individually tailored using information collected about a consumer’s internet use. The OFT found that 60% of consumers would take no action at all if given the option to opt out of behavioural advertising. It recommended the development of ‘clear ad’ notices alongside behavioural adverts including information about opting out, and encouraged the IAB to introduce a ‘one-button’ opt-out tool for all its members.
Collection versus protection? 4.11 Data collection in 2020 pushes the boundaries of data protection law. The increasing personalisation of websites and services, and the growing reliance on sophisticated methods of targeted advertising to provide these services at no cost to their users, requires data collectors to collect and process more and more data about these users. Much of this data may be ‘personal data’ for the purposes of data protection legislation. However data protection laws (in Europe, at least) generally restrict data collection and processing on the basis that the less personal data is collected, the better. Data protection rules are only relevant to ‘personal data’ – broadly, data which relates to an identifiable individual (see further paragraph 4.12 below). Clearly, not all data that is provided or harvested in the digital world is personal data. But, increasingly, the most useful and valuable information collected is data which does fall within this definition. As such, data protection law is now more relevant than ever to the world of digital media.
An overview of the Data Protection Act 2018/GDPR 4.12 The UK Data Protection Act 2018 as amended (‘DPA’) and UKGDPR regulate the use of ‘personal data’ by organisations that control that data (called ‘data controllers’). On 1 January 2021 UKGDPR, a modified version of the EU General Data Protection Regulation came into force in the UK. Personal data is data about living identifiable individuals (called ‘data subjects’) held either electronically or manually as part of a ‘relevant filing system’. Article 4(6) of GDPR defines ‘filing system’ as any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Personal data thus will generally include most data held about employees as well as certain data about customers and suppliers. Broadly, compliance with the DPA requires that the data controller: •
notifies the Information Commissioner that the organisation processes personal data and it is a criminal offence not to notify unless an exemption applies; and
•
complies with the data protection principles when processing personal data.
3 OFT 1231.
93
4.13 Data in a digital world
These principles are: •
lawfulness, fairness and transparency;
•
purpose limitation;
•
data minimisation;
• accuracy; •
storage limitation;
•
integrity and confidentiality (security); and
• accountability. The DPA replaced the Data Protection Act 1998 which had earlier replaced the Data Protection Act 1984 (which was the first UK data protection legislation). A comparison with the 1998 Act is useful as to the principles and is provided by the Information Commissioner’s Office and set out below: 1998 Act
DPA 2018/ GDPR Principle 1 – fair and lawful
Principle (a) – lawfulness, fairness and transparency
Principle 2 – purposes
Principle (b) – purpose limitation
Principle 3 – adequacy
Principle (c) – data minimisation
Principle 4 – accuracy
Principle (d) – accuracy
Principle 5 – retention
Principle (e) – storage limitation
Principle 6 – rights
No principle – separate provisions in Chapter III
Principle 7 – security
Principle (f) – integrity and confidentiality
Principle 8 – international transfers
No principle – separate provisions in Chapter V
(no equivalent)
Accountability principle
Application of the DPA to foreign companies 4.13 The UK left the EU on 31 January 2020 and from 1 January 2021 the UK operates DPA but also UKGDPR, an amended version of the EU General Data Protection Regulation. Article 3 of UKGDPR, which is different from GDPR as it applies in the EU states, includes a provision that the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the United Kingdom or not. UKGDPR applies to: the [relevant] processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to: 94
Data in a digital world 4.13
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or (b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom. Note that if the data subject is ‘in the UK’ then UKGDPR applies. That may include someone who is only briefly in the UK such as on holiday or here on business, although the extent and duration of the presence is not yet clear in the absence of relevant case law. Section 207 of DPA confirms that UKGDPR determines the territorial ambit. Also section 207(7) states that: (7) In this section, references to a person who has an establishment in the United Kingdom include the following – (a) an individual who is ordinarily resident in the United Kingdom, (b) a body incorporated under the law of the United Kingdom or a part of the United Kingdom, (c) a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and (d) a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom. It is the final words which will be helpful to those seeking to ascertain when foreign companies are subject to UKGDPR. Under GDPR the EDPB has issued guidelines on territoriality – see https://edpb. europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_ en.pdf which mentions that stable arrangements are mentioned in recital 22 of GDPR. This EU guidance reminds readers that the provisions are similar to those in the previous Data Protection Directive to which reference could be made and gives the following example: Example 1 A car manufacturing company with headquarters in the US has a fully-owned branch and office located in Brussels overseeing all its operations in Europe, including marketing and advertisement. The Belgian branch can be considered to be a stable arrangement, which exercises real and effective activities in light of the nature of the economic activity carried out by the car manufacturing company. As such, the Belgian branch could therefore be considered as an establishment in the Union, within the meaning of the GDPR. In addition, the Article 29 Working Party4 (now the European Data Protection Board) under the previous legislation has considered the international application 4 The independent EU Advisory Body on Data Protection and Privacy established by Directive 95/46/EC, Article 29.
95
4.14 Data in a digital world
of EU data protection law to personal data processing on the internet by non-EU based websites.5 Its non-binding report suggests that making use of equipment, does not require the data controller to own or even exercise full control over the equipment and that the legislation would apply where cookies or spywares were used by a non-EU web site to collect personal data from subjects accessing sites using their PCs in the EU. Cookies and spyware are discussed in more detail at paragraph 4.27 in the context of privacy.
Notification 4.14 It is a criminal offence to process personal data without notifying the Information Commissioner’s Office (the ‘ICO’). However there are some exemptions to this requirement, but they are few. The notification process is relatively straightforward and cost effective. The application form can be completed online and generally without the need for specialist advice and the fee starts at £35 for small organisations paying by direct debit (2020 price). Even if a data controller takes the view that it is exempt from the notification requirement, it will still be required to comply with the other obligations under the DPA.
The first principle: fair, lawful and transparent processing 4.15 ‘Lawful’ is the more straightforward of the concepts. Processing would be unlawful if, for example, it resulted in the committing of a criminal offence, a breach of contract or an infringement of copyright. ‘Fair processing’ is harder to define but generally requires that certain information is given to the data subject, usually when the data controller first processes or collects the data. This is usually achieved by way of a readily accessible privacy policy or data protection notice. The processing will not be fair unless the following information is provided (or made readily available): •
the identity of the data controller (or its nominated UK representative);
•
the purpose or purposes for which the information is to be processed;
•
any further information necessary to make the processing fair having regard to the circumstances.
Essentially, a data controller should handle people’s personal data only in the ways in which the data subject has been notified or would reasonably expect. Transparency has come to the fore with UKGDPR and DPA 2018. Organisations should ensure users know how their data will be used and keep full records in case they are audited later.
5 5035/01/EN/Final WP56 now known as the EDPB.
96
Data in a digital world 4.16
Lawful bases for processing data 4.16 UKGDPR contains seven different lawful bases for processing personal data. One at least must apply in each case. The ICO summarises these as below: (a)
Consent: the individual has given clear consent to process their personal data for a specific purpose.
(b)
Contract: the processing is necessary for a contract with the individual, or because they have asked the organisation concerned to take specific steps before entering into a contract.
(c)
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
(d)
Vital interests: the processing is necessary to protect someone’s life.
(e)
Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f)
Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if the organisation is a public authority processing data to perform official tasks.)
Consent is not the only, or even necessarily the most effective, method of legitimising processing of personal data. There is, for example, some doubt in the UK over whether consent can be truly ‘freely given’ in an employment context. Certainly, guidance indicates that in an employment context reliance on consent should be confined to cases where the worker has a genuinely free choice and is subsequently able to withdraw that consent without detriment. Therefore consent is usually not used for employment purposes and contract or legal obligation or legitimate interests are often used instead. However for email marketing where regulations known as PECR as well as UKGDPR must be followed, consent is frequently and rightly used. For processing of non-sensitive/special category personal data consent is commonly achieved, not by seeking the active agreement of data subjects (ie signature or tick box) but by providing the data subject with sufficient information in a privacy policy/data protection notice. The ICO in its privacy notices codes of practice states that in addition to the basic legal requirements to ensure that the data subject knows who the data controller is, what it intends to do with their information and who it will be shared with or disclosed to, depending on the circumstances, the data controller should also consider notifying the data subject: •
if it intends to pass information on (and the name of the organisations involved and details of how they will use the information);
•
how long the data controller or other organisations intend to keep the information – this data-retention notification has become more important since 2018 when GDPR came into force;
•
whether the information will be transferred overseas;
•
what measures are in place to ensure the security of personal data; 97
4.17 Data in a digital world
•
about their rights and how they can exercise them – for example, the fact that a data subject can obtain a copy of their personal data or object to direct marketing and in some cases the right to be ‘forgotten’ (the erasure right);
•
who to contact if the data subject wants to complain or know more about how their personal data will be used; and
•
about the right to complain to the Information Commissioner if there is a problem.
However, whilst the implied/opt-out form of consent for email marketing is often used including a right known as the ‘soft opt-in’ under regulations known as PECR this is under review and the rules may change in 2021 if the EU agrees a new email marketing regulation and if the UK decides to follow that lead despite Brexit. See also paragraph 4.30 below in relation to the impact of the E-Privacy Directive.
Special category/Sensitive data 4.17 Sensitive personal data means: •
personal data revealing racial or ethnic origin;
•
personal data revealing political opinions;
•
personal data revealing religious or philosophical beliefs;
•
personal data revealing trade union membership;
• genetic data; •
biometric data (where used for identification purposes);
•
data concerning health;
•
data concerning a person’s sex life; and
•
data concerning a person’s sexual orientation.
There are separate provisions in DPA/UKGDPR about information on criminal convictions. Sensitive personal data cannot be processed fairly unless one of the conditions in UKGDPR is met. The ICO gives the following useful summary: What are the rules for special category data? You must always ensure that your processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the GDPR. To ensure that your processing is lawful, you need to identify an Article 6 basis for processing. In addition, you can only process special category data if you can meet one of the specific conditions in Article 9 of the GDPR. You need to consider the purposes of your processing and identify which of these conditions are relevant. 98
Data in a digital world 4.18
Five of the conditions for processing are provided solely in Article 9 of the GDPR. The other five require authorisation or a basis in UK law, which means you need to meet additional conditions set out in the DPA 2018. You must also identify whether you need an ‘appropriate policy document’ under the DPA 2018. Our template appropriate policy document shows the kind of information this should contain. You must do a DPIA for any type of processing that is likely to be high risk. This means that you are more likely to need to do a DPIA for processing special category data. For further information, please see our guidance on DPIAs. If you process special category data you must keep records, including documenting the categories of data. You may also need to consider how the risks associated with special category data affect your other obligations – in particular, obligations around data minimisation, security, transparency, DPOs and rights related to automated decision-making. What are the conditions for processing special category data? Article 9 lists the conditions for processing special category data: (a) Explicit consent (b) Employment, social security and social protection (if authorised by law) (c) Vital interests (d) Not-for-profit bodies (e) Made public by the data subject (f) Legal claims or judicial acts (g) Reasons of substantial public interest (with a basis in law) (h) Health or social care (with a basis in law) (i) Public health (with a basis in law) (j) Archiving, research and statistics (with a basis in law) If you are relying on conditions (b), (h), (i) or (j), you also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018. If you are relying on the substantial public interest condition in Article 9(2)(g), you also need to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018. In most cases the explicit consent of the data subject will need be obtained prior to the processing of sensitive personal data.
Rights of data subjects: Direct marketing 4.18 The DPA provides that the data subject is entitled at any time by notice in writing to require the data controller to stop processing his personal data for the purposes of direct marketing (ie marketing which is specifically addressed to an individual). In other words the data subject must be provided with the opportunity 99
4.19 Data in a digital world
to opt-out of such communications. In addition, there are specific rules that relate to direct marketing by email which were implemented under the UK regulations,6 which gave effect to the E-Privacy Directive. This is due to be revised in 2021 although the UK may choose not to revise the law due to Brexit.7 Under the regulations individuals must actively agree to receiving marketing by electronic mail (ie opt-in consent is required) although certain exceptions apply under what is known as the ‘soft-opt in’ right. This is covered in more detail at paragraphs 4.32–4.33.
Rights of data subjects: Access requests 4.19 Subject to certain exemptions, where a data subject makes a request in writing (including by email) he is entitled to be informed if a data controller (or a data processor) is processing data of which he is a subject and if so, to be given a description of: •
the personal data;
•
the purposes for which they are being processed;
•
those to whom they are or may be disclosed;
•
any information as to the source of the personal data; and
•
in the situation where automated decision making takes place, there are certain other rights to information.
There used to be a £10 charge but this is no longer the case under DPA/UKGDPR. In addition, the data subject is entitled to details of the data held but not necessarily copies of the data itself. The data subject is not necessarily entitled to copies of original documents; it is the information constituting the personal data contained in the document that must be supplied in an intelligible and permanent form. It is therefore permissible to create a new document which sets out the information which constitutes personal data particularly if, for example, the original document contains third-party personal data or includes irrelevant information. •
The data controller must supply the information promptly and in any case within a month (under DPA 1998 it was 40 days) of having received the request. However, it is possible to delay responding if: further information is required to verify the data subject’s identity (but this may be obvious from the postal address and signature); or
•
more time is needed to locate the information which the data subject seeks (the more specific the request is, the less likely this is to apply).
The data controller would then be required to reply within a month of receipt of the further information.
6 The Privacy and Electronic Communications (EC Directive) Regulations 2003. 7 EC Directive on Privacy and Electronic Communications (2002/58/EC).
100
Data in a digital world 4.21
Rights of data subjects: preventing processing/erasure/ rectification/portability 4.20 UKGDPR Article 21 provides that a data subject can, by providing notice in writing, require a data controller to stop using data for direct marketing purposes. There is also a right of erasure (known as the right ‘to be forgotten’), to rectification of inaccurate data and to cessation of data processing for other reasons. There is a right under UKGDPR to ‘data portability’ to be given and to move to another service provider one’s own data. There are many duties under GDPR and they cannot all be addressed here. In certain cases breaches of UKGDPR must be notified to the Information Commissioner. Some organisations are required to have a Data Protection Officer in place. For a full description of UKGDPR/DPA duties and obligations, the Information Commissioner’s website is the best starting point. A substantial amount of work has been done by the ICO which has hired data advertising experts to help advise the ICO on digital marketing.
ICO and AdTech work 4.21 The ICO has an Adtech webpage on which it provides updates to its investigations into the sector – see https://ico.org.uk/about-the-ico/what-we-do/ our-work-on-adtech/. Below is the ICO’s description as at 2020 of some of its work on the subject of ‘real time bidding’ which is particularly relevant to the subject matter of this book. The adtech real time bidding (RTB) industry is complex, involving thousands of companies in the UK alone. Many different actors and service providers sit between the advertisers buying online advertising space, and the publishers selling it. There is a significant lack of transparency due to the nature of the supply chain and the role different actors play. Our June 2019 report identified a range of issues. We are confident that any organisation that has not properly addressed these issues risks operating in breach of data protection law. This is a systemic problem that requires organisations to take ownership for their own data processing, and for industry to collectively reform RTB. We gave industry six months to work on the points we raised, and offered to continue to engage with stakeholders. Two key organisations in the industry are starting to make the changes needed. The Internet Advertising Bureau (IAB) UK has agreed a range of principles that align with our concerns, and is developing its own guidance for organisations on security, data minimisation, and data retention, as well as UK-focused guidance on the content taxonomy. It will also educate the industry on special category data and cookie requirements, and continue work on some specific areas of detail. We will continue to engage with IAB UK to ensure these proposals are executed in a timely manner. 101
4.22 Data in a digital world
Separately, Google will remove content categories, and improve its process for auditing counterparties. It has also recently proposed improvements to its Chrome browser, including phasing out support for third-party cookies within the next two years. We are encouraged by this, and will continue to look at the changes Google has proposed. Finally, we have also received commitments from other UK advertising trade bodies to produce guidance for their members. If these measures are fully implemented they will result in real improvements to the handling of personal data within the adtech industry. We will continue to engage with industry where we think engagement will deliver the most effective outcome for data subjects. This progress has only been possible through the investment of substantial time and goodwill by many industry participants. However, while many organisations are on board with the changes that need making, some appear to have their heads firmly in the sand. It is now clear to us that engagement alone will not address all these issues. For instance, we have reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. Our current view is that the justification offered by organisations is insufficient. Furthermore, the Data Protection Impact Assessments we have seen have been generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual. We have also seen examples of basic data protection controls around security, data retention and data sharing being insufficient. We are using the intelligence gathered throughout last year to develop an appropriate regulatory response. We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis. The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same. I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers. Simon McDougall, Executive Director for Technology and Innovation at the ICO
Data processing agreements 4.22 A data processor means any person who processes personal data on behalf of a data controller. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must, in order to comply with its security obligations under the DPA: 102
Data in a digital world 4.24
•
choose a data processor providing sufficient guarantees in respect of technical and organisational security measures; and
•
take reasonable steps to ensure compliance with those measures.
The processing must also be carried out under a written contract which states that the data processor: •
is to act only on instructions from the data controller; and
•
is required the comply with obligations equivalent to those imposed on the data controller by UKGDPR particularly as to data security.
Liability for data processing under the DPA remains with the data controller so it is important that the data processing agreement imposes adequate contractual obligations on the data processor. However, if a data processor exceeds or disregards the instructions of the data controller it is likely to be in breach of contract and it may find that it is liable as a data controller by virtue of the independence it has exercised in respect of that personal data. GDPR tightened up the rules in this area and as a result it is often essential for companies to put in place a data-processing schedule to their commercial agreement or where data is shared between them a data-sharing agreement. Many data processors are also data controllers and it is important to take legal advice to ascertain the status of the organisation concerned – processor or joint controller – as it is not always easy to ascertain.
Sub-processing agreements 4.23 Increasingly data processors will sub-contract some element of their services and the data-processing services to one or sub-contractor (ie appoint a sub-processor). A data controller can be liable for any acts of its sub-processors, even though there may be no privity of contract between them. Consequently, where sub-processing is likely it is important to deal with it in the data-processing agreement so that it is possible to demonstrate a contractual chain of liability. Include in the data processing agreement clauses which provide that the data processor may only appoint a sub-processor by way of a written agreement which: •
imposes the same obligations on the sub-processor as are imposed on the data processor under the data processing agreement; and
•
provides at least the same level of protection for the personal data and the rights of data subjects as exist under the data processing agreement.
Personal data in a digital world 4.24 As the above summary shows, data protection laws regulate the use of personal data. However, not all data that is harvested or provided online is personal data – and data that is not personal data falls outside the scope of the DPA. Drawing the line between what is and is not personal data is therefore an important distinction for data collectors to understand. 103
4.25 Data in a digital world
UKGDPR Article 4(1) defines personal data as: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Harvested data 4.25 In respect of harvested data, there are two separate issues to address – whether the ‘labels’ used to recognise users when collecting harvested data (IP addresses and cookies) can be regarded as personal data, and whether the harvested data itself falls under this definition. It is usually illegal to process personal data harvested online without consent from the data subject.
IP addresses 4.26 An IP address in itself contains a limited amount of freely available information. IP addresses are typically assigned to ISPs in batches, which means that a user’s choice of ISP and some geographical data (but typically only down to a city or region) can generally be derived from their IP address. The ICO draws a distinction between static and dynamic IP addresses. As dynamic IP addresses change each time a user connects to their ISP, the ICO suggests that ‘if it is only the ISP who can link the IP address to an individual it is difficult to see how the [DPA] can cover collecting dynamic IP addresses without any other identifying or distinguishing information’.8 Further, since ‘it is not easy to distinguish between dynamic and static IP addresses’, the ICO considers that there is limited scope to use static IP addresses for personalised profiling either (see further paragraph 4.27 below). The Article 29 Working Party, now the EDPB, has a more restrictive approach which states that unless a data collector (be they an ISP or a website operator) can be absolutely certain that a user cannot be identified from their IP address, ‘it will have to treat all IP information as personal data, to be on the safe side’.9 Google’s view is that IP addresses should not be categorised in ‘black-and-white’ as always being personal data because this: … incorrectly suggests that every IP address can be associated with a specific individual. In some contexts this is more true: if you’re an ISP and you assign an IP address to a computer that connects under a particular subscriber’s account, and you know the name and address of the person who holds that account, then that IP address is more like personal data, even though multiple
8 ICO Data Protection Good Practice Note – Collecting personal information using websites (v2.0, 5 June 2007) at p 3. 9 Article 29 Working Party Opinion 4/2007 on the concept of personal data (20 June 2007) at p 17.
104
Data in a digital world 4.27
people could still be using it. On the other hand, the IP addresses recorded by every website on the planet without additional information should not be considered personal data, because these websites usually cannot identify the human beings behind these number strings.10 This argument implies that whether an IP address is personal data depends on whose hands it is in. If a data collector can connect an IP address with other personal information it holds about the user of that IP address, the IP address becomes personal data, because it then falls within the DPA definition (ie it relates to an individual who can be identified from the data and other information which is in the possession of the data collector). Google’s argument is that whilst an ISP is in a position to make that connection as it maintains records of which dynamic IP addresses are assigned to which users, other websites cannot usually do this as they do not maintain such records. Although the above guidance was issued before GDPR it remains relevant in 2020 as the principles are the same.
Cookies 4.27 Generally, cookie files do not contain any personally identifiable information and as such cookies in themselves are unlikely to fall within the definition of personal data. However, unlike dynamic IP addresses, (persistent) cookies are lasting labels that continue to attach to users over multiple internet sessions. Therefore, if a data collector connects harvested data obtained through the use of cookies with other personal data it holds about the user (eg provided data about the user’s contact details), the ICO’s view is this harvested data will also become personal data – meaning that data collectors must comply with the DPA requirements in relation to such data: Website operators using cookies are able to track the on-line movements of an individual and may be used to develop a profile of them. If the operator intends to link this profile to a name and postal address, or an e-mail address, this is personal information covered by the [DPA]. However, operators can develop and use profiles by using cookies without collecting traditional identifiers. Our view is that, in the context of the on-line world, the information that identifies an individual is that which uniquely locates them in the world, by distinguishing them from others. So, profiles based on the information collected by cookies which are linked to other information which uniquely identifies the individual are personal information and covered by the [DPA].11 Data collectors must also comply with several further legal requirements in relation to the use of cookies. (Note that where cookies are used in connection with processing personal data, the data collector must comply with both the DPA and these further requirements.) The extra regulations for cookies derive from the E-Privacy Directive, Article 5(3). This states that the use of technology such as cookies is permitted, provided that the user is:
10 Google Public Policy Blog: Are IP addresses personal? (22 February 2008). 11 ICO Data Protection Good Practice Note – Collecting personal information using websites (v2.0, 5 June 2007) at p 2.
105
4.27 Data in a digital world
•
given ‘clear and comprehensive information’ about the purposes of the use of the technology; and
•
offered ‘the right to refuse’ (ie opt out of) the use of the technology.
Exceptions from these requirements apply where: •
the sole purpose is to facilitate electronic communication; or
•
the use of the technology is strictly necessary to provide a service explicitly requested by the user.
These provisions were implemented in virtually identical form in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the ‘E-Privacy Regulations’), reg 6.12 However, reg 6(3) makes it clear that if cookies are used by the same data collector to store or access information from the same user on more than one occasion, it is sufficient for the above conditions to be met in respect of the initial use. These regulations remain in force despite GDPR although the EU Directive on which they are based may well be revised in 2021. In the UK, it was originally considered sufficient to include the information on cookies and details of how to opt out in a privacy policy, for example: [Website] makes use of cookies which are files placed on your computer that enable us to track certain information relating to your use of [Website]. Cookies allow us to better customise your visit to individual preferences helping us to provide you with the best possible service on [Website]. We use cookies to (1) simplify the logging on process; (2) ensure the security and authenticity of users; (3) provide mechanisms for online shopping; and (4) enable traffic monitoring. You may be able to configure your web browser to prevent the use of cookies although some functions or services may not then be available. For more information on the use of cookies and how to disable them, we recommend www.allaboutcookies.org. However, the position changed by an amendment to the E-Privacy Directive, Article 5(3) which was introduced by a Directive (2009/136/EC). Member States had to implement it by 25 May 2011 and the UK did so. The amendment replaced the requirement for a right to opt out with a requirement that the user has given their consent. Before giving such consent, the user must first (as before) have been provided with ‘clear and comprehensive information’ about the purposes of the use of the technology. The same exceptions apply with minimal amendments. Recital 66 to the amending Directive says that ‘where it is technically possible and effective … consent to processing may be expressed by using the appropriate settings of a browser’. Arguably, this suggests that something less than explicit consent may be required. The Recitals also state that ‘the methods of providing information and offering the right to refuse should be as user-friendly as possible’ and call for enhanced powers to be granted to national authorities so that they may enforce these requirements more effectively.
12 Ibid.
106
Data in a digital world 4.27
In June 2010, the then Article 29 Working Party issued an opinion13 which concluded that to comply with the amended E-Privacy Directive, users are specifically to opt-in to cookie use; that is, on each visit to a website, pop-up boxes should be displayed on entry to the site informing the user about the use of cookies on that site and asking users positively to agree to their use. In respect of the caveat in Recital 66 to the amending Directive, the Article 29 Working Party’s view is that browser settings should only deliver consent in very limited circumstances. This, it said, is because the current default on most browser settings is to accept cookies and many users would simply not bother (or not know how) to change that. In its view, browser settings should only deliver consent to cookie use where the browser was set up by default to reject cookies. This would mean that users would have to change the setting affirmatively to accept cookies (in other words, specifically opt-in). Although the opinion is not legally binding, it has caused concern amongst website operators and online advertising providers because of the potential costs of complying with a strict opt-in regime and, more significantly, the likely disruption to the user experience which could result in loss of customers. However, following the publication of the Article 29 Working Party opinion, in September 2010 the UK government launched a consultation14 on the implementation of the amended Article 5(3) into UK law. Interestingly, in its impact assessment to accompany the consultation, the government rejected creating an opt-in regime for cookie use generally, stating its view that such a regime would require users to consent to every cookie placed on their computer and this would lead to a permanent disruption of online services and to online providers suffering substantial losses. Instead, it proposed simply to copy the amended Article 5(3) verbatim into UK law and leave it to the ICO to specify what website operators/ online advertisers are required to do in terms of obtaining consent to cookies, saying this would allow greater flexibility to keep track with changes in technology and usage. The government’s impact assessment also proposed to allow online providers to take advantage of Recital 66; that is, users would be allowed to demonstrate consent to cookies simply by their browser setting being set to accept them. However, the government’s view was that users should be given clear and comprehensive information about cookie use and how to opt out if they wish. They should also be given information about using browser settings for this purpose, including how to alter settings to accept or reject cookies as required. The government declined to give guidance on when cookie use will be ‘strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service’ saying that, given the fast-paced nature of the internet, it would be almost impossible to do this without risking damaging innovation. Concerns have also been raised about the ‘Flash cookie’, a more recent form of cookie which is stored separately from normal (http) cookies on computers and
13 See http://ec.europa.eu/justice/policies/privacy/news/docs/pr_26_06_10_en.pdf. 14 See www.bis.gov.uk/assets/biscore/business-sectors/docs/i/10-1133-implementing-revised-electroniccommunications-framework-impact.pdf.
107
4.27 Data in a digital world
which remains largely undetected by web browser privacy settings. A survey carried out by researchers at the University of California, Berkeley15 showed that Flash cookies were used by 54 of 100 leading websites, but that they were mentioned in the privacy policies of only four of these websites. Some websites even used Flash cookies to ‘respawn’ (recreate) http cookies that had been deleted by the user. There is some doubt as to whether such practices would comply with the E-Privacy Regulations, particularly if the user is unaware of them. The latest guidance from the ICO on how to obtain consent etc to cookies is given below and should be followed where possible. This also takes account of GDPR which the above-mentioned guidance following the 2011 changes in cookies law did not, as it predated GDPR. How should we request consent in practice? How you request consent for cookies will depend initially on what the cookies in use are doing and, to some extent, on the relationship you have with your users. When considering how to provide information about cookies and how to request consent there are different techniques you can use to draw users’ attention to information and the choices available to them. You may also find it helpful to look at the methods other online services already use. You need to ensure that any consent mechanism you put in place allows users to have control over all the cookies your website sets, not just your own. For example, if you want to set third-party content such as tracking pixels and beacons from social networks, you need to ensure that users are given information about these and appropriate controls to signify whether or not they consent. In practice, this can be challenging as not all consent mechanisms presently enable users to disable cookies from third parties directly. However, designing and implementing a consent mechanism that works only for some of the cookies would not be compliant with PECR, as the user is not provided with any control over these cookies – they must visit different websites and take different actions to disable them. Ultimately, you are the one who determines what cookies are set on your website, and in particular the number and type of third-party cookies involved. One of the considerations before incorporating a third-party cookie should therefore be whether your consent mechanism allows the user to control whether the cookie is set or not. May we use message boxes and similar techniques? Message boxes such as banners, pop-ups, message bars, header bars or similar techniques might initially seem an easy option for you to achieve compliance. However, you need to consider their implementation carefully, particularly in respect of the implications for the user experience. For example, a message box designed for display on a desktop or laptop web browser can be hard for 15 See http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862.
108
Data in a digital world 4.27
the user to read or interact with when using a mobile device, meaning that the consents you obtain would be invalid. Similarly, long lists of checkboxes might seem like a way to make your consent mechanism appropriately granular, but this approach carries different risks in that your users may simply not interact with the mechanism or may not understand the information you’re providing. At the same time, Recital 32 of the GDPR is clear that electronic consent requests must not be unnecessarily disruptive – so you need to consider how you go about providing clear and comprehensive information without confusing users or disrupting their experience. However, this does not override the need to ensure that consent requests are valid – so some level of disruption may be necessary. Consent can still be sought in this way provided it makes the position absolutely clear to users. Many websites routinely use pop-ups or ‘splash pages’ to make users aware of changes to the site or to ask for their feedback. Similar techniques could be a useful way of highlighting the use of cookies and consent. There are challenges with using these techniques. If users do not click on any the options available and go straight through to another part of your site, and you go ahead and set non-essential cookies on their devices, this would not be valid consent. This is because users who fail to engage with the consent box cannot be said to consent to the setting of these cookies. May we rely on settings-led consent? Some cookies are deployed when a user makes a choice over a site’s settings. In these cases, consent could be sought as part of the process by which the user confirms what they want to do, or how they want the site to work. For example, some websites ‘remember’ which version a user wants to access, such as a version of a site in a particular language, or what font size to use. These cookies are sometimes known as ‘preference cookies’ or ‘user interface’ cookies. If this feature is enabled by the storage of a cookie, then this should be explained to the user, meaning they needn’t be asked every time they visit the site. You can explain to them that by allowing their choice to be remembered they are giving consent to set the cookie. Agreement for the cookie could therefore be seamlessly integrated with the choice the user is already making. This would apply to any feature where the user is told that a website can remember settings they have chosen. It might be the size of the text they want to have displayed, the colour scheme they like or even the ‘personalised greeting’ they see each time they visit the site. You must however take care that any processing of personal data related to the setting of preference cookies or other personalisation features is limited to what is necessary for this purpose. May we rely on feature-led consent? Your site could include video clips or remember what users have done on previous visits in order to personalise the content … Some cookies would then be stored if the user chooses a particular feature of your site. However, you still need to provide clear and comprehensive information and obtain consent. 109
4.28 Data in a digital world
Where the feature is provided by a third party, users will need to be made aware of this, and be given information on how the third party uses cookies and similar technologies so that the user is able to make an informed choice.
Provided data 4.28 Provided data is only personal data if it fulfils the requirements of the DPA definition itself or when it is connected to other personally identifiable information. This means that if a data collector holds provided data from which it is unable to identify an individual either from the data itself or in combination with other data it holds, the use of such provided data falls outside the DPA. This is central to the targeted advertising strategies of companies such as Facebook and Google. Although advertisers may choose whom they wish to target, no personally identifiable data is passed back to the advertisers. Rather, advertisers will only see aggregated and non-specific information (eg the number of times their advertising has been viewed). Hence – the argument goes – as no personal data is shared with a third party, no DPA issues will arise. Conversely, the DPA applies where provided data that is personal data is passed to third parties. The ICO has issued guidance in relation to such a situation: If you get information from a third party, for example, directly from another website operator or harvested from a website, you still have a duty to make sure any subsequent processing of the information is fair. This may involve making sure that the individual knows that you hold their information and what you are using it for.16 When should the individual be informed? Sometimes, the ICO says, it may be possible to inform the individual before their information is collected from the third party. In other cases, the third party may have already informed the individual. If not, the data collector should provide the requisite information to the individual ‘as soon as possible after obtaining their personal information’. An exception from the requirement to contact the individual applies where this would involve ‘disproportionate effort’, but the ICO’s view is that this only applies in very limited circumstances. If the data collector decides the exception does apply, the information must still be provided to any individual who requests it, and the data collector must keep a record of the reasons for its decision.17 Although this guidance was issued before GDPR it remains good law. This has ramifications for both provided and harvested data: •
Where the data is shared with third parties, the parties sharing the data should agree who will inform the user of this – preferably this should occur before the data is shared (eg by making clear reference to such practices in the privacy policy of the website which originally received the data).
16 ICO Data Protection Good Practice Note – Collecting personal information using websites (v2.0, 5 June 2007) at p 4. 17 See Data Protection (Conditions under Para 3 of Pt II of Sch I) Order 2000 (SI 2000/185), articles 4 and 5.
110
Data in a digital world 4.29
•
Where harvested data is collected by or passed to third-party ad-serving companies, the parties should ensure that the user is aware of this practice.
Additional rules apply to contact details such as telephone numbers and email addresses which users may provide to data collectors – see paragraphs 4.30 and 4.31.
The future of personal data? 4.29 In October 2010, the ICO published a statement18 calling for a clarification of the definition of personal data, particularly online, and suggesting that using information from IP logs to identify individuals (eg for targeted advertising) should attract some (appropriate) form of data protection: There is a lack of clarity in the current data protection legislative framework in the UK in determining what is ‘personal data’. This arises in part because the wording of the UK DPA is different to that in the EU [Data Directive]. Whilst both definitions can be interpreted as meaning essentially the same thing, case law and the advances in technology have led to confusion about what the definitions mean in practice, and the data that comes within their scope. Any revision of the current legislative framework should be seen as an opportunity to remove this area of doubt and provide data controllers with greater legal certainty as to what constitutes personal data. In the Commissioner’s opinion, a future framework must deal better with the new forms of identification that are coming into being all the time, particularly in the online environment. It is clear that information such as IP logs held by search engines are being used to identify individuals and to take action affecting them, in contexts ranging from behavioural advertising to digital rights management or national security. It is clear that data protection ought to apply to this sort of information. However, we have to be realistic about how such information is treated under the law, what standards we expect those processing it to reach and what outcomes we are seeking for the individual. Whilst we may want this information to be kept secure and protected from inappropriate disclosure, it may be impossible in practice to grant conventional subject access to it or to expect individuals to consent to its processing. The Commissioner hopes that a future framework will treat this sort of information more realistically, perhaps recognising that a simple ‘all or nothing’ approach to the application of data protection requirements no longer suffices, given the breadth of information now falling within the definition of personal data. Since the above GDPR and now DPA 2018 have come into force and the UK ICO has done considerable work on ad-tech and personal data. Reference should be made to the ICO website for further guidance.
18 See www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/response_to_moj_ dpframework.ashx.
111
4.30 Data in a digital world
The E-Privacy Regulations 4.30 The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the ‘E-Privacy Regulations’) implement in the UK the requirements of the EC Directive on Privacy and Electronic Communications (2002/58/EC) (the ‘E-Privacy Directive’) and, amongst other things, regulate telephone marketing and marketing by unsolicited electronic mail. These are unchanged by GDPR and the DPA although revision of them within the 27 EU Member States (but not the UK) is likely in 2021. Regulation 4 makes clear that the E-Privacy Regulations are supplemental to, and do not replace, the requirements of the DPA in respect of such communications. This means that there is a higher standard imposed on data collectors who use provided data for such activities. Consideration should always be given in relation to email and telephone marketing to the E-Privacy Regulations also often known as PECR and DPA/UKGDPR on these matters.
Telephone marketing 4.31 The E-Privacy Regulations impose a number of restrictions on telephone marketers. In particular: •
Regulation 19 prohibits the use of automated calling systems (systems which automatically initiate a sequence of calls to more than one destination and transmit recorded messages to recipients) for direct marketing purposes without the prior consent of the recipient of the call; and
•
Regulation 21 prohibits unsolicited calls for direct marketing purposes where the recipient has asked the caller not to receive such calls or has registered with the Telephone Preference Service. Regulation 20 sets out similar restrictions on direct marketing by fax.
Electronic direct marketing 4.32 Regulation 22 significantly restricts direct marketing by electronic means, by prohibiting the sending of unsolicited communications by electronic mail for direct marketing purposes, unless the recipient has given his prior consent or the soft opt-in exception applies (see below). ‘Electronic mail’ in this context means any message directed to particular individuals or companies consisting of text, voice, sounds or images. Hence, this prohibition includes email but also text, picture and video messages, answer phone and voicemail messages. The ICO’s definition of consent is ‘some form of communication where the individual knowingly indicates consent’. Essentially, this means the explicit consent of the recipient. This requirement to obtain consent to emails and other electronic communications is commonly achieved by means of tick boxes on website registration forms. For instance, to register on eBay.co.uk, the user must tick a box to confirm their 112
Data in a digital world 4.33
agreement that: ‘I may receive communications from eBay and I understand that I can change my notification preferences at any time in My eBay.’ Additionally, Regulation 23 requires that in any direct marketing communications by electronic mail: •
the sender’s (ie the data collector’s) identity must not be disguised or concealed; and
•
a valid contact address for data collector so that the recipient can opt out of future communications must be included.
Soft opt-in 4.33 Regulation 22(3) contains a limited exception from the general requirement for data collectors to obtain explicit consent from the recipient to engage in electronic direct marketing, where the following three conditions are all met: •
the data collector has obtained the recipient’s contact details in the course of a sale or negotiations for the sale of a product or service to that recipient;
•
the direct marketing material the sender is sending relates to the data collector’s similar products and services only; and
•
the recipient was given a simple means of opting out free of charge except the cost of transmission (eg a standard SMS, tick-box, email or website link) at the time their details were initially collected and also at each subsequent communication.
The ICO has issued guidance on its interpretation of the E-Privacy Regulations and the soft opt-in exception in particular. In the ICO’s view, the requirement to obtain details ‘in the course of a sale or negotiations for a sale’ does not require that the sale was completed. Rather, it is sufficient that ‘a person has actively expressed an interest in purchasing a company’s products and services’ and not opted out of further marketing of that product or service or similar ones. The ICO takes a purposive approach to the definition of ‘similar products or services’, stating that ‘the intention is to make sure an individual does not receive promotional material about products or services that they would not reasonably expect to receive’. This does not preclude marketing by companies affiliated with the original sender. The ICO has stated that details obtained as part of a competition (to raise interest in a product or service) may constitute negotiations if the reason for collection was clear at the time. However, the use of cookie technology to identify a person’s interests while browsing a website does not constitute negotiations. The soft optin exception does not apply to lists of recipients bought in externally, or to viral advertising (as to which see Chapter 5). In each case, the explicit consent of the recipient to receive the communication is required. Ultimately, if recipients are unhappy at receiving communications sent by data collectors by virtue of the soft opt-in exception, they can opt out of receiving future 113
4.34 Data in a digital world
communications. The ICO has stated that marketers must act on and respect optouts, and indicated that it will focus particular attention on failures to comply.
Other jurisdictions 4.34 The E-Privacy Directive is interpreted more strictly in other European jurisdictions. In France, consent is subject to a strict opt-in regime, and direct marketing may not be sent via email unless the sender has the prior consent of the recipient. In Germany, the laws on direct marketing by post have been amended. An organisation must have a consumer’s permission to use their address unless: •
they have an existing relationship; or
•
the sender names the source of the address on the direct mail envelope.
Furthermore, ‘unfair competition’ laws – which do not exist in the UK – prohibit unwanted advertisements and further restrict the use of provided data in France, Germany and other European jurisdictions.
CAP Code rules 4.35 As noted in Chapter 5 the Committee of Advertising Practice (‘CAP’) is the self-regulatory body for all non-broadcast advertising. It is responsible for the British Code of Advertising, Sales Promotion and Direct Marketing (‘the CAP Code’), which covers non-broadcast marketing communications across a range of media, and extends to email, text messages and the internet (including banners, pop-ups, virals and sponsored searches). The CAP Code echoes and reinforces the provisions of the E-Privacy Regulations relating to unsolicited electronic marketing communications. Rule 10.13 (previously 43.4(c)) states: 10.13 When relying on legitimate interests as the basis for processing personal data, marketers must stop such processing if the consumer objects. Marketers must explicitly inform consumers, clearly and separately from any other information, of their right to object no later than the time of their first communication with the consumer. The Advertising Standards Agency (‘the ASA’) has reprimanded several advertisers for failure to comply with the CAP Code regarding unsolicited direct marketing.19
19 For a rather unusual example of an email advertisement that was held to breach both rr 22.1 and 43.4(c), see the ASA Adjudication on Metrodome Group plc (6 May 2009), concerning an email which led recipients to believe that they were under criminal investigation for drugs offences. In fact, the email was a promotion for the British film ‘Shifty’.
114
Data in a digital world 4.37
Cross-border data flows 4.36 Article 45(1) of UKGPDR (which is not the same as GDPR which applies in the EU only) says: A transfer of personal data to a third country or an international organisation may take place where it is based on adequacy regulations (see section 17A of the 2018 Act). Such a transfer shall not require any specific authorisation. Article 13(f) of UKGDPR states that data subjects should be told: (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of relevant adequacy regulations under section 17A of the 2018 Act, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Which countries outside the UK ensure an adequate level of protection? 4.37 The EU Trade and Cooperation Agreement December 2020 provides that from 1 January 2021 for up to six months in what is known as ‘the bridge’, EU and UK data exports and imports may continue whilst the EU decides if the UK’s data laws are ‘adequate’ to be granted an adequacy finding which would allow thirdcountry exports of data from the EU to the UK. As at the date of writing as regards export from the 27 EU Member States the EU has said: The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Adequacy talks are ongoing with South Korea. The EU approval of the specific US/EU Privacy Shield as a means for EU companies to export data to those (few) US companies who have privacy shield approval was challenged in 2020 in a case before the ECJU in Schrems II. The UK ICO issued the following guidance: Anyone transferring personal data internationally will have been watching the recent judgment of the CJEU with some trepidation. International data transfers, that are so vital for the global economy, suddenly became open to question. The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU–US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK. 115
4.38 Data in a digital world
The European Data Protection Board (EDPB) has now issued its FAQs [see https:// edpb.europa.eu/our-work-tools/our-documents/ovrigt/frequently-askedquestions-judgment-court-justice-european-union_en] on the invalidation of the Privacy Shield and the implications for the Standard Contractual Clauses (SCCs), and this guidance still applies to UK controllers and processors. Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this. The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy. The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.’ Those seeking to export data to the US should take advice and consider the position. It would be safer to use the approved standard contractual clauses than the privacy shield arrangements. In November 2020 the EU began consulting on a proposed new version of the standard contractual clauses – see https://ec.europa.eu/info/law/better-regulation/ have-your-say/initiatives/12741-Commission-Implementing-Decision-onstandard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.
Exceptions to the prohibition on transfers 4.38 For the purposes of most businesses, the key exceptions with regard to data export are as follows (from UKGRPR, Article 46(2): (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules in accordance with Article 47; (c) standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force [the UK equivalent of the standard contractual clauses mentioned above]; (d) standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force; 116
Data in a digital world 4.39
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights. Article 49 of UKGDPR provides: 1. In the absence of adequacy regulations under section 17A of the 2018 Act, or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken at the data subject’s request; (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; (d) the transfer is necessary for important reasons of public interest; (e) the transfer is necessary for the establishment, exercise or defence of legal claims; (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; (g) the transfer is made from a register which according to domestic law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by domestic law for consultation are fulfilled in the particular case.
Consent 4.39 In the UK, data controllers frequently obtain consent by providing the data subject access to clear notices (usually contained in a privacy policy) prior to collecting the data. The ICO guidance provides that such a notice should specify the reasons for transfer and, as far as possible, the countries involved, as well as any particular risks involved. A consent clause that is drafted too broadly risks being invalid. Always read UKGDPR carefully including those parts quoted above before deciding if consent has been properly obtained. 117
4.40 Data in a digital world
European Commission guidance on this subject (though non-binding) clearly sets out that ‘consent must be a clear and unambiguous indication’ of the data subjects’ wishes and that this ‘is likely to mean that many situations where consent is implied (eg because an individual has been made aware of a transfer and has not objected) would not qualify’ for this exception.20 It also points out that where consent is sought in an employment context ‘the employee must have a real opportunity to withhold his consent without suffering any harm’ and the Article 29 Working Party recommends that employers should not rely solely on employee consent when transferring data. This remains good advice even since GDPR replaced the previous EU Data Protection Directive. In addition, consent is very unlikely to be practical where the data has already been collected (eg where a company is restructuring or outsourcing part of its operations to a third country it is unlikely to want to provide notice to each of its customers and employees).
Performance of the contract 4.40 To rely on this exception, the data controller has to demonstrate that the transfer is genuinely necessary for the performance of the contract. This would usually apply if the data controller were providing service or order fulfilment at the data subject’s request (eg a customer ordering a product from a retailer in the UK, the retailer providing the customer’s name and address to a manufacturer/supplier in the US for shipping) but it is unlikely to be effective simply because of the way a business is structured (eg an international group of companies which chooses to process its payroll centrally and outside the UK).
Contracts approved by the ICO 4.41 Personal data can be transferred outside of the UK/EEA where a contract ensuring adequate safeguards for the rights and freedoms of data subjects is in place. These contracts can be based on the standard contractual clauses approved by the European Commission (known as the model form contracts) for the EU and in the UK such contracts can be in a bespoke form. As stated above the Schrems II case in 2020 held that the SCCs were legally valid in the EU in most cases. The UK also follows this rule. Standard contractual clauses or model contracts are contractual terms that have been approved by the European Commission and the ICO. There are two sets of model contracts: controller-to-controller transfers and controller-to-processor transfers. Whilst a data controller will need to insert certain information into the model contracts (eg names of the parties, security measures, governing law), the data controller must not make any amendments to the terms or the contract will no longer (automatically) be deemed to provide an adequate level of protection. Model contracts have been criticised as being long and unduly onerous. In particular, parties are often reluctant to accept the provisions allowing data subjects to seek compensation from data exporters and (if it is not possible to enforce against the exporter) to enforce against the data importer. However, they
20 Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries.
118
Data in a digital world 4.44
are the only form of contracts which can be used Europe wide and which provide legal certainty in relation to transfers. Bespoke contracts should only be used in respect of data transfers solely from the UK but as the ICO is not able to give detailed advice or approve contracts other than in exceptional circumstances bespoke contracts are likely to be too legally uncertain for transfers of sensitive or high-risk personal data. Binding corporate rules are essentially a stringent form of intra-group privacy policy, which can be approved by the ICO. Few companies including GE, Philips, Accenture, Atmel and the Hyatt Hotel Corporation have obtained authorisation.
Issues relating to US/EU conflicts of law 4.42 A tension exists between disclosure obligations under US regulatory rules and the application of the EU data protection requirements; the tension is not so acute in the UK which is no longer in the EU due to the manner in which the UK has implemented and interprets its data protection obligations, but in other European Member States these contradictory requirements can be actively incompatible. In many ways the divide is cultural, with European suspicion of centrally held personal data arguably a reaction to the control and manipulation of personal data that occurred in many Member States under fascism and under communism in the Eastern bloc during Soviet days. However California and New York now have GDPR-style data rules – the California Privacy Rights Act and California Consumer Privacy Rights Act and New York Shield Act – so always take legal advice on a stateby-state basis.
Equal opportunities monitoring 4.43 In the US many companies are required to file a report, for the purposes of equal opportunities monitoring, which provides statistical data on the race, ethnicity and gender of its employees and job applicants. In the UK processing of sensitive personal data relating to racial or ethnic origin can be fair in the context of equal opportunities monitoring, but that is not the case in all European Member States, even if express consent is sought. In such circumstances, a US company with a presence in Europe that is required to process such data, will have to ensure that no processing of that data occurs in the EU, in other words the data should only be requested for US jobs and only accessed (and ideally stored) in the US. Even if such measures are implemented, legal advice should be sought as GDPR applies where the individual is in the EU which would apply to US employees seconded to the EU.
The Sarbanes-Oxley Act 2002 4.44 The Sarbanes-Oxley Act 2002 (SOX) requires publicly held US companies to provide a confidential and anonymous mechanism for its employees to report questionable accounting or auditing matters. By contrast whistle-blowing, in particular anonymous whistle-blowing, remains controversial in Europe as it is 119
4.45 Data in a digital world
uncertain whether collecting/storing/investigating a claim made by a whistleblower against another individual (a ‘data subject’) without that person’s knowledge or consent complies with GDPR. There is no prohibition on anonymous whistle-blowing in the UK, but in many European Member States anonymous hotlines are not permitted, or are only permitted in exceptional circumstances. As yet the CJEU has not ruled on this issue, but the then Article 29 Working Party has published an opinion on this matter. The Working Party considered that a whistle-blowing policy can be lawful if it is ‘necessary for the purposes of a legitimate interest pursued by the controller’ but that ‘such a reason would only be acceptable on the condition that such legitimate interests are not ‘overridden by the interests for fundamental rights and freedoms of the data subject’, in other words the data subject’s rights must be adequately protected.21 This is also likely to be the case under GDPR.
Enforcement 4.45 Fines are high for breach of UKGDPR and GDPR in the 27 EU Member States. GDPR increased penalties for breach of the legislation substantially. Previously in the UK the maximum fine was £500,000. Whereas now the maximum fine under GDPR is €20 million (about £18 million) or 4% of annual global turnover – whichever is greater. Below are fines imposed by the UK ICO in 2019: •
Bounty (UK) Ltd: £400,000 for sharing personal data unlawfully.
•
Making it Easy: £160,000 for making spam calls to people registered with TPS.
•
London Borough of Newham: £145,000 for disclosing data of 200 people on a police database.
•
Hall and Hanley Ltd: £120,000 for sending messages without consent.
•
True Visions Products Ltd: £120,000 for unfair and unlawful filming in a maternity clinic.
•
EE: £100,000 for sending direct marketing messages without consent.
•
Smart Home Protection Ltd: £90,000 for making unauthorised calls.
•
Life at Parliament View Ltd: £80,000 for leaving data exposed for two years
•
Alistar Green Legal Services Ltd: £80,000 for calls to TPS subscribers
•
Eldon Insurance Services Ltd (Go Skippy): £60,000 for sending unsolicited emails.
21 WP 117 Opinion 1/2006 on the application of EU data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime.
120
Data in a digital world 4.46
•
Grove Pension Solutions: £40,000 for sending marketing emails without consent.
•
Vote Leave Ltd: £40,000 for sending text messages without consent.
•
Leave.EU Ltd: £15,000 and £45,000 for unsolicited emails and texts.
Use of location data 4.46 A raft of online applications now allow users to download information relevant to their current geographical location and to post information about their whereabouts onto UGC sites. These applications, whose popularity is booming with the growth of internet-enabled portable devices such as mobile phones, tablet computers and netbooks, use location data to pinpoint a user’s location and transmit it back to the data collector, where it can be used to plot the user’s position either individually or relative to other physical objects, places or other users. This can then be used to supply relevant local content to the user. In addition, friends often consent to track each other’s location on various applications such as SnapChat which has ‘Snap Map’ allowing this to be done. Personal data as defined in Article 4(1) of UKGDPR includes location data and the definition of ‘profiling’ in UKGDPR includes location data. The E-Privacy Directive, Article 9 (implemented in the UK in almost identical terms by the E-Privacy Regulations, reg 14) regulates the use of location data. The key concern is where data indicates a specific location at a point in time (eg a Wi-Fi connection or a mobile phone with GPS), rather than a more general ongoing location (eg an IP address indicating user based in the UK). The processing of such specific location data is permitted only if the user is anonymised, or has consented to such processing. Before consent is obtained, the user must be: •
told what location data is being used, why and for how long and whether it will be passed on to third parties; and
•
given the opportunity, in a simple manner and free of charge, to withdraw consent at any time, both generally and for each individual communication. (Note that a service which asks a user once for their consent and never again might therefore not comply with this requirement. In any case, it is debatable whether a user would really be consenting to continued processing in such circumstances, as they may well forget that they had given consent at an earlier date.)
Processing of location data must also be restricted to what is necessary for the purposes of providing the ‘value added service’ (ie a service which requires the processing of traffic or location data beyond what is necessary for transmitting or billing a communication) for which the user has given their consent. The ability of users to post location data on UGC sites is proving to be extremely popular – so much so, in fact, that there are concerns that users are compromising their own security by doing so. During early 2010, the website PleaseRobMe.com extracted and republished location information posted on Twitter by Foursquare users, explaining that ‘the danger is publicly telling people where you are. This is because it leaves one place you’re definitely not … home.’ Nevertheless, the use of location data to provide relevant content looks set only to increase in the 121
4.47 Data in a digital world
coming years beyond its already extensive use in 2020. Indeed the 2020 COVID-19 pandemic led to the UK ICO and the EU having to issue guidance on proposed mobile telephone applications which would allow those who chose to use such technology being able to see who close to them was later diagnosed with the virus. The extensive use in China often in breach of international recognised human rights of tracking, location and facial recognition technology has been another cause for concern.
Privacy rights in the digital world 4.47 In view of the growing trend for interactivity and information sharing by users in the online world, it is ironic, but perhaps inevitable, that privacy issues are increasingly causing friction between data collectors and users. In recent years, perceived privacy violations have given rise to unwanted headlines for a number of high-profile businesses, including Facebook, Google and BT. However what does a right to privacy actually entail and how far does it extend? Many data collectors direct users to their website privacy policies to demonstrate their commitment to privacy. Such documents generally set out what information will be collected about a user, how long it will be retained, and the types of purpose for which it will be used. Despite the name ‘privacy policy’, such issues are actually more to do with compliance with data protection, a highly technical and welldefined area of law. Privacy is a more fundamental right, which comes down to the distinction between the public and private persona – in other words, the idea that some information is private to an individual by its very nature and should not be wrongfully used by anyone else. In fact, privacy is considered so basic a human right that it forms Article 8 of the European Convention on Human Rights (‘ECHR’): ‘Everyone has the right to respect for his private and family life, his home and his correspondence’.
Is there a ‘right to privacy’ on the internet (or at all)? 4.48 A problem for the data-collector seeking to understand what the privacy laws prevent it from doing is that there is no clear definition of how far privacy rights extend. Although there is no standalone ‘privacy law’ on the English statute book and no separate tort of invasion of privacy under English law,22 the Human Rights Act 1998 (‘HRA’) requires courts, as far as possible, to construe English law in a way which is compatible with ECHR rights, including the Article 8 right to privacy. In addition under English law there are common law human rights such as to personal security, liberty and private property and rights to protect those such as access to justice and freedom of speech. However very few privacy cases have been decided by the courts since the HRA came into force in 2000 (indeed, only two privacy cases were heard in the High Court in the two years since January 2008 to the publication of the last edition
22 Confirmed in Wainwright and another v Home Office [2003] UKHL 53.
122
Data in a digital world 4.48
of this book in 2010 and one of those settled five days into the trial).23 Most privacy cases have concerned the publication of information about celebrities. The cause of action in such cases is breach of confidence, into which the courts have (reluctantly) ‘shoe-horned’ an assessment of how the celebrity’s Article 8 right to privacy weighs up against the publisher’s Article 10 right to freedom of expression.24 The leading modern decision in the English courts was Naomi Campbell’s claim against the Mirror newspaper for publication of photographs of her leaving Narcotics Anonymous meetings.25 Lord Hope summed up the test that must be applied:26 The underlying question in all cases where it is alleged that there has been a breach of the duty of confidence is whether the information that was disclosed was private and not public. There must be some interest of a private nature that the claimant wishes to protect … The broad test is whether disclosure of the information about the individual (‘A’) would give substantial offence to A, assuming that A was placed in similar circumstances and was a person of ordinary sensibilities … The law of privacy is not intended for the protection of the unduly sensitive. Reliance on case law to define the scope of privacy rights means that the concept of privacy remains something of a moveable feast. It should also be noted that privacy laws vary widely across Europe and other jurisdictions. For instance, in February 2010, an Italian court held three Google executives to be personally criminally liable for privacy breaches by the corporation, after a clip was posted by a user on Google’s video service which featured the bullying of an autistic child – a decision described by the former UK information commissioner Richard Thomas as ‘simply inconsistent with the way the internet works. There is no UK data law or European law that I know which could lead to this result.’27 Considering the cross-border nature of many internet services, this inconsistency between national privacy laws is a cause for concern for e-commerce businesses. In February 2010,28 the UK Culture, Media and Sports Committee considered whether Parliament should introduce a law defining a right to privacy. It noted that there was no consensus as to whether privacy legislation was desirable or how it could be drafted, and it was concluded that a codified privacy law was not currently desirable: The Human Rights Act has only been in force for nine years and inevitably the number of judgments involving freedom of expression and privacy is limited … [but the] law relating to privacy will become clearer as more cases are decided by the courts … Given the infinitely different circumstances which can arise in different cases, and the obligations of the Human Rights Act, judges would inevitably still exercise wide discretion. We conclude, therefore, that for now 23 A and another v Priory Healthcare (February 2008). The other case was Max Mosley’s claim against the News of the World (Mosley v News Group Newspapers [2008] EWHC 1777 (QB)). 24 Douglas and others v Hello Limited and others [2005] EWCA Civ 595, per Lord Phillips, MR at 53. 25 Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22. 26 Ibid. at paras 92–94. 27 See www.independent.co.uk/news/world/europe/google-guilty-of-privacy-crime-in-web-test-case- 1909915.html. 28 Culture, Media and Sport Committee – Second Report into Press standards, privacy and libel (9 February 2010).
123
4.49 Data in a digital world
matters relating to privacy should continue to be determined according to common law, and the flexibility that permits, rather than set down in statute. On this basis, and assuming that there were no issues of defamation, it is likely that any claim made by a ‘normal’ individual (ie a non-celebrity) that the use of information about them by a data collector infringed their privacy rights would have to follow the same cause of action as a privacy claim by a celebrity, namely by showing that: •
the information in question was genuinely private (which, if not obvious,29 would require an assessment of whether the disclosure of the information would give substantial offence to the individual if they were a person of ordinary sensibilities);
•
a duty of confidence existed between the individual and the data collector in relation to the information; and
•
this duty was breached, causing the individual to suffer some loss or damage.
This is by no means an easy test to satisfy. For instance, what private information is misused and what loss does an individual suffer when a picture of the outside of their house is shown on Google Street View (especially as faces are automatically blurred and users can request the removal of inappropriate images)? Google has already won a case in the USA against a Pennsylvanian couple who claimed that the inclusion of their house caused them ‘mental suffering’ and diluted the value of their home. The court concluded in that case that the claimants were ‘unable to show that Google’s conduct was highly offensive to a person of ordinary sensibilities’.30 The view taken by many data collectors on the issue was summed up by Google’s CEO, Eric Schmidt: ‘If you have something you don’t want anybody to know, maybe you shouldn’t be doing it in the first place.’ (It is, however, interesting to note Google’s change of tone later in 2010 when it faced criticism and regulatory investigation of data which it had unintentionally collected from domestic wireless networks while mapping the street view service. Google said in a statement that it was ‘profoundly sorry’ for collecting the data and promised to delete it as soon as possible.) This is however at odds with the views of many who want the default to be privacy. Indeed Google is not allowed to record street view on private roads, although it does show Google earth images of such places. In 2010 Google was obliged to remove images of some military, security and intelligence locations as signs prohibiting photographing had been ignored and the use of the images breached the UK Official Secrets Act 1911 (as amended).
Privacy protests and the power of reputation 4.49 If ill-defined privacy rights hold little fear for data collectors in a strict legal sense, the power of reputation goes much further to shape privacy practices in e-commerce.
29 A blog is an example of a type of information which is obviously public and not private – Author of a Blog v Times Newspapers Ltd [2009] EWHC 1358 (QB) per Eady J at 11. 30 Boring v Google, Inc., 598 F. Supp. 2d 695, 699-700 (W.D. Pa. 2009). The privacy elements of the claimants’ appeal against this decision were also later dismissed (Boring v Google Inc., No. 09-2350 (3d Cir. Jan. 28, 2010)).
124
Data in a digital world 4.49
Given the amount of bad publicity that has surrounded privacy issues in recent years, data collectors are anxious to be seen to take privacy issues seriously. A sign of this is the somewhat cagey wording to be found in the privacy policies of many popular websites. (For example, Amazon’s privacy policy opens with the words, ‘We know that you care how information about you is used and shared and we appreciate your trust in us to do that carefully and sensibly.) As a result, concerns about reputation can influence a data collector’s whole approach to privacy issues.
Beacon – not a shining light An example is the demise of Facebook’s Beacon application. Beacon was launched in November 2007 and was heralded by Facebook as being ‘a core element of the Facebook Ads system for connecting businesses with users and targeting advertising to the audiences they want.’31 Beacon collected harvested data about the online activities of Facebook users on other participating websites, such as purchases made or products rated by those users, and sent that harvested data back to Facebook using thirdparty cookies. Originally, the system operated on an ‘opt-out’ basis so that unless the user actively opted out when asked whether they wished to share the information with Facebook, it was used for targeted advertising and was also transmitted to those other Facebook users listed as the user’s ‘friends’. There was no way to permanently opt out of the application. Beacon was heavily criticised on privacy grounds by Facebook users, who launched a high-profile campaign through a Facebook group called ‘Facebook, stop invading my privacy!’ which gained 50,000 members within the first ten days.32 Facebook responded by changing the application so that it operated on an ‘opt-in’ rather than ‘opt-out’ basis and introduced a permanent opt-out feature. However, despite these changes, Beacon continued to attract widespread adverse publicity. A class action lawsuit was filed against Facebook in the United States,33 which settled in September 2009 with Facebook agreeing to discontinue Beacon and pay US$9.5 million to fund a non-profit foundation to promote online privacy, safety, and security.34
Several other examples of the bad publicity associated with perceived privacy breaches highlight the importance of the issue to data collectors: •
One of the most controversial aspects of BT’s trial of Phorm’s Webwise software in 2006–07 (see paragraph 4.8 above) was that the trials were carried out on BT customers without their knowledge (according to the European Commission, the company admitted as much in April 2008).35 In view of the
31 See www.facebook.com/press/releases.php?p=9166. 32 See www.facebook.com/group.php?gid=5930262681. 33 Lane et al v Facebook, Inc et al, case no 5:08-CV-03845-RS. 34 See www.beaconclasssettlement.com/FAQs.htm. 35 Commission Press Release IP/09/570 (14 April 2009).
125
4.49 Data in a digital world
software’s ability to track its users’ web browsing habits, some users viewed this as a serious breach of their privacy. The European Commission has since stated that BT’s trials had resulted in a number of complaints to both the ICO and the police.36 On 6 July 2009, BT announced it had ‘no immediate plans’ to roll out the Webwise software to its broadband customers across the UK.37 Phorm ceased trading in 2016. •
Facebook faced another public outcry when it changed the terms of its privacy policy in February 2009, including the deletion of text which stated: You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content. A blog called ‘The Consumerist’ highlighted the potential significance of this change in a post entitled ‘Facebook’s New Terms of Service: We Can Do Anything We Want With Your Content. Forever.’38 which received substantial media coverage across the world. Within three days, Facebook had reverted to the previous version of its privacy policy and reinstated the deleted wording.
•
Yet another privacy furore emerged with the launch of Google Buzz in February 2010. When users logged into Buzz, a social networking application, the application was set up so that they would automatically be ‘following’ (ie linked to) their most frequent contacts from Google’s email and instant messaging services. Concerns were raised that Buzz’s default settings meant that a user’s list of contacts was made public (meaning that third parties could discover who the user had sent emails to in the past) and that in certain circumstances this list might even reveal a contact’s email address. Google was forced into a public apology four days after the launch of Buzz, and made changes to the application to address the issues raised.39
•
There have been many others in the ten years since and indeed ‘Big Data’, perhaps the gold rush of the twenty-first century, and the struggle between internet freedom and rights to keep information and data hidden is a very difficult and important issue on which people can hold very different views from each other.
Privacy in the online world is a fast-developing area and one where the law has often been slow to keep up with the twin tides of technological development and public opinion. As the above examples show, public opinion and the threat of litigation or regulatory investigation (together with the associated threats to the reputation of data collectors) are more commonly the determining factors for digital privacy practices. Ultimately, on ‘the notoriously fickle internet, where today’s cultural icon is tomorrow’s passing fad’,40 maintaining goodwill and 36 Ibid. 37 See www2.bt.com/static/i/btretail/webwise/. 38 See http://consumerist.com/2009/02/facebooks-new-terms-of-service-we-can-do-anything-we-want- with-your-content-forever.html. 39 See http://gmailblog.blogspot.com/2010/02/new-buzz-start-up-experience-based-on.html. 40 Many online businesses have a limited shelf life at the best of times (eg consider the rapid rise and fall of other social networking sites: www.guardian.co.uk/technology/2009/mar/29/myspace-facebookbebo-twitter.
126
Data in a digital world 4.50
popularity is essential for an online business’s survival. Peter Fleischer, Google’s Global Privacy Counsel, summed this up: At Google, our success depends on trust. If our users don’t trust us, they won’t use our services. And they won’t trust us, if we don’t protect their privacy … our users are just one click away from switching to a competitor’s services.41
Data retention 4.50 Data retention is an issue with privacy implications for certain types of data collector. As part of the EU’s counter-terrorism measures, the Data Retention Directive (2006/24/EC) imposed obligations on ‘public communications providers’ (principally ISPs, notified of their obligation by the Secretary of State) to retain records of certain types of communication information. The UK implemented the retention rules relating to internet access, internet telephony and email in the Data Retention (EC Directive) Regulations 2009. The measures are intended to assist criminal investigations and an investigating authority can issue a notice under the Regulation of Investigatory Powers Act 2016 for disclosure of the records, subject to satisfying the requirements of that section. The Regulations require affected data collectors to retain information such as user identification numbers, IP addresses, names and postal addresses of users, dates and times of login and log-off, and email addresses of the recipients of emails are retained for a period of 12 months from the date of the communication in question. There is no requirement to retain the content of emails or calls. Conversely, privacy campaigners often complain that data collectors retain users’ data for too long. Search providers such as Google and Microsoft have introduced data retention policies whereby IP address and cookie data stored alongside search results is deleted after a certain time period. However in GDPR the ‘right to be forgotten’ or right of erasure is clearly enshrined. This does not entitle individuals to have all data about them removed on a whim but it does apply a useful check and balance in the internet age. For data collectors who are not subject to the legal data retention requirements described above, and in relation to types of data which fall outside the scope of those regulations, the issue comes down once again to a balancing act between a data collector’s commercial and technical interests in retaining data and its desire to keep a good reputation for privacy.
41 Speech to European Parliament Committee on Civil Liberties, Justice and Home Affairs Public seminar: Data Protection on the Internet (21 January 2008) online at www.google.com/events/docs/ policyblog_peter_fleischer_statement.pdf.
127
4.51 Data in a digital world
Key messages 4.51 •
While data protection has traditionally been seen as a ‘compliance-only’ issue, the reputational effects of not addressing privacy matters properly can be severe and dramatic, particularly since 2018 and GDPR.
•
Any business operating internationally needs to take account of the fact that data protection laws are not interpreted or enforced equally across the EU and UK.
•
All businesses should keep up to date with new regulations and particularly data protection guidance as it is issued (eg in the EU in 2021 new replacement electronic marketing/eprivacy legislation is expected).
•
A higher standard is required for electronic direct marketing (as opposed to non-electronic direct marketing) as a consequence of the E-Privacy Regulations. Organisations should familiarise themselves with the ‘soft optin’ exemption which enables direct marketing to users without needing consent.
•
GDPR is a complex beast with many aspects which have not been considered in this chapter. In addition the UK ICO is leading the way to some extent in hiring staff and exploring the legal issues arising from new technology, adtech and the increasing use of smart phones. In 2020 the UK ICO was looking carefully at the real-time bidding (RTB) industry, a sector which involves thousands of companies in the UK alone.
128
Chapter 5
Digital marketing Introduction 5.1 The growth of online advertising has been inexorable. The Internet Advertising Bureau notes that ‘Internet advertising spend grew 2,200% during the noughties’.1 Online advertising revenues in 2008 were US$49,470 million and were projected to grow to US$80,188 million by 2012.2 In 2009, UK online advertising expenditure overtook TV advertising spending for the first time.3 By 2019 UK expenditure had reached £14.73 billion. Digital marketing is one of the most effective ways for a brand to promote its goods and services. Consequently, brand owners and those instructed to help them in their quest to grow business and increase brand value, are ever keen to utilise the new ways in which the digital age offers businesses the opportunity to reach a wider audience – more cheaply and more effectively than ever before. This chapter: •
explains the different types of digital marketing;
•
reviews the regulation of online advertising and explains the role of the Advertising Standards Agency and the CAP Code. The chapter also reviews in outline the regulation of premium rate mobile phone services;
•
reviews the tortious rights available to businesses to protect their intellectual property in the context of digital marketing. This section focuses in particular on comparative advertising;
•
outlines the laws relating to free prize draws.
What is digital marketing? 5.2 In this chapter, reference is made to ‘digital marketing’ as opposed to ‘digital advertising’. This reflects the fact that online marketing is made up of many things and not just traditional ‘advertising’; this includes email, classified ads, ads on media such as Twitter, Instagram and TikTok, display ads (including online TV advertising) and, overwhelmingly, search marketing. The 2010 report published by the Internet Advertising Bureau in partnership with PricewaterhouseCoopers contains a useful list of the types of digital marketing which remains relevant in 2020: 1 Statement on International Advertising Bureau website dated 30 March 2010. 2 Zenith Optimedia press release dated 18 October 2010. 3 Report published by the Internet Advertising Bureau in partnership with PricewaterhouseCoopers and the World Advertising Research Centre, September 2009 (www.iabuk.net/en/1/adspendgrows300909.mxs).
129
5.2 Digital marketing
Classifieds and auctions – fees advertisers pay internet companies to list specific products or services (eg online job boards and employment listings, real estate listings, automotive listings, auction-based listings, yellow pages). Digital video commercials – TV-like advertisements that may appear as in-page video commercials or before, during, and/or after a variety of content in a player environment including but not limited to, streaming video, animation, gaming, and music video content. This definition includes digital video commercials that appear in live, archived and downloadable streaming content. Display advertising (Banner ads) – advertiser pays an internet company for space to display a static or hyperlinked banner or logo on one or more of the internet company’s pages. Email – banner ads, links or advertiser sponsorships that appear in email newsletters, email marketing campaigns and other commercial email communications. Includes all types of electronic mail (eg basic text or HTML-enabled). Lead generation – fees advertisers pay to internet advertising companies that refer qualified purchase inquiries (eg auto dealers who pay a fee in exchange for receiving a qualified purchase inquiry online) or provide consumer information (demographic, contact, behavioural) where the consumer opts into being contacted by a marketer (email, postal, telephone, fax). These processes are priced on a performance basis (eg cost-per-action, -lead or -inquiry), and can include user applications (eg for a credit card), surveys, contests (eg sweepstakes) or registrations. Rich media – advertisements that incorporate animation, sound, and/ or interactivity in any format. Rich media can be used either singularly or in combination with the following technologies: sound, Flash, and with programming languages such as Java, JavaScript, and DHTML. It is deployed via standard Web and wireless applications including static (eg .html) and dynamic (eg .asp) Web pages, and may appear in ad formats such as banners, buttons and interstitials. Interstitials are included in the rich media category and represent full- or partial-page text and image serverpush advertisements which appear in the transition between two pages of content. Forms of interstitials can include splash screens, page takeovers and pop-up windows. Search – fees advertisers pay internet companies to list and/or link their company site domain name to a specific search word or phrase (includes paid search revenues). Search categories include: •
Paid listings – text links appear at the top or side of search results for specific keywords. The more a marketer pays, the higher the position it gets. Marketers only pay when a user clicks on the text link.
•
Contextual search – text links appear in an article based on the context of the content, instead of a user submitted keyword. Payment only occurs when the link is clicked. 130
Digital marketing 5.3
•
Paid inclusion – guarantees that a marketer’s URL is indexed by a search engine. The listing is determined by the engine’s search algorithms.
•
Site optimisation – modifies a site to make it easier for search engines automatically to index the site and hopefully result in better placement in results.
Sponsorship – represents custom content and/or experiences created for an advertiser which may or may not include ad elements such as display advertising, brand logos, advertorial or pre-roll video. Sponsorships fall into several categories: •
Spotlights – custom-built pages incorporating an advertiser’s brand and housing a collection of content usually around a theme.
•
Advergaming can range from an advertiser buying all the ad units around a game or a ‘sponsored by’ link to creating a custom branded game experience.
•
Content and section sponsorship is when an advertiser exclusively sponsors a particular section of the site or email (usually existing content) re-skinned with the advertiser’s branding.
•
Competitions and prize draws can range from branded prize draws on the site to a fully-fledged branded competition with submissions and judging.
Why advertise digitally? 5.3 The benefits for the modern advertiser of the myriad of new delivery platforms are, once a few of the facts and statistics are examined, obvious.4 For example:
•
The internet is a globally accessible medium without any time restrictions on access (to modify content or to consume). This offers significant advantages over traditional forms of advertising, such as in printed newspapers or on television, where there are geographical, territorial and time restrictions.
•
Although the cost of television advertising has declined in recent years, an advertising slot between items on UK breakfast television for example costs between £3,000 and £4,000 in 2020, although rates were dropping due to the COVID-19 pandemic and a lack of sporting events,5 and a peak rate could be between £10,000 to £30,000.6 This is in addition to the costs of producing the advert. In contrast, the cost of using the internet to display and distribute advertising is virtually nothing if hosted on the advertiser’s own website and sent via email.
4 For an examination of the technologies involved see Chapter 1, ‘Technological Convergence’. 5 See www.toasttv.co.uk/tv-advertising-costs/. 6 See www.thedrum.com/news/2017/02/22/how-much-does-it-cost-advertise-uk-tv-heres-whatchannel-4-itv-and-more-charge-slots.
131
5.4 Digital marketing
Even where the advertiser pays a search engine or third-party website to host its advertising, the costs are minimal in comparison. •
In particular aided by the growth of search engines, such as Google, the consumer is now accustomed to using the internet to locate advertisers’ websites to access information about them and purchase goods and services.7
•
The ability of the advertiser to target its advertising depending on the consumer, and similarly, the ability for the consumer to tailor their consumption of digital media, offer unique opportunities to deliver the advertising message in a more effective way than ever before. There are many ways in which digital media has evolved from the simple use by the consumer of an internet browser’s ‘favourites’ settings, to the more sophisticated bespoke services offered by websites such as the BBC. A fascinating example of targeted advertising can be found on the popular social-networking sites, such as Facebook, where the aim is to make the user feel like the advertising is specifically directed at them. Similarly, given advances in the customisation of digital TV and Internet Protocol Television (IPTV), an advertiser can now much better understand each consumer and target them with products more likely to be relevant to them. SkyGo and Netflix for example will suggest programmes to users of the kind they expect that user to prefer.
•
Given that the medium of the internet was first made available commercially 20 years ago, the amount of time the average person spends online is phenomenal. In 2020 the average UK citizen spent 2 hours 37 minutes online per day. An earlier Ofcom study found that the UK spent an average of 24 minutes a day on the internet for personal use (up from just six minutes in 2002).8 A poll reveals that, globally, 29% of leisure time was spent online; the UK figure is 28%.9 In 2017 young people spent about a third of their leisure time online including playing computer games according to the UK Office for National Statistics. There has been a fairly recent move from internet use mostly on personal computers to use mobile telephones as the latter devices become more powerful.
Whose law applies? 5.4 The content of any website raises a number of issues relating to jurisdiction over the internet. Does the content of the website need to comply with the laws of all of the territories of the world? Does it need to comply with the laws of the ‘country of origin’? Or does it need to comply with the laws of all of the 7 As noted in the preface, the online spend in the UK alone in 2009 was £5.46 billion. 8 Ofcom Communications Market Report, 14 August 2008, p 27, http://stakeholders.ofcom.org.uk/ binaries/research/cm/context.pdf. 9 TNS Global Interactive, Digital World, Digital Life poll, reported in the Guardian, 1 January 2009, available at www.guardian.co.uk/technology/2009/Jan/01/internet-web-worldwide-international.
132
Digital marketing 5.5
territories at which it is targeted? The problem of jurisdiction and advertising over the internet is compounded by the vast differences in advertising law from territory to territory. For example in France, adverts must be in the French language10 and failure to do this can be a criminal offence. Alcohol advertising is prohibited in a number of Islamic countries, and is severely restricted in many other territories, including France and Sweden. Advertising aimed at children is prohibited or severely restricted in a number of territories, including Denmark and Sweden. The US has much stricter laws relating to obscenity than the UK, but still these vary greatly from state to state. Based on some of the above examples, a UK-based brand of alcohol producing a website in English could face a number of potential legal problems. The reason for such a proliferation and difference in approach to the regulation of advertising from country to country comes down to the simple fact that advertising and marketing reflects cultural identity. It goes without saying that cultural identity and social ideas of perceived risk differ widely from country to country. The issue of jurisdiction is dealt with in detail in Chapter 10 but the issue of jurisdiction is especially pertinent within online advertising for the reasons outlined above.
The Nazi memorabilia case A good example of this came in the French courts, when the League Against Racism and Antisemitism (LICRA) and the French Union of Jewish Students brought an action against Yahoo! Inc and Yahoo! France. They alleged that Yahoo! Inc hosted an auction website which contained for sale thousands of items of Nazi paraphernalia (an offence under French law) and that Yahoo! France provided a link and access to this content through the American website, Yahoo.com. In a protracted case, the French courts ordered Yahoo! to take all necessary steps to block the access to French citizens to sites hosted on Yahoo.com. In addition, Yahoo! were ordered to put in place a warning system whereby French internet users who access Yahoo. com through the French based Yahoo.fr are warned that accessing certain material on the US website may contravene French law. Yahoo! eventually failed in its appeal to make the French court’s order against the company unenforceable in the US.
Overview of applicable laws 5.5 Despite the common assumption that almost anything can be said online without breaking the law (although many know careers are frequently ended through careless comments on Twitter and the like), digital advertising is, in fact, highly regulated. Such regulation exists with the key aims of: (1) protecting 10 Loi Toubon (Loi No: 94-88 du 1 Fevrier 1994).
133
5.6 Digital marketing
consumers; and (2) preventing unfair competition. In broad terms, this regulation can be divided between the rights exercised by industry-appointed regulators and the rights available to businesses to protect their intellectual property.
Regulation Self-regulation of advertising 5.6 Advertising in the UK is regulated by self-regulatory codes of conduct. This means that the advertising industry has written its own codes of good advertising practice and agreed to comply with them. The codes reflect the legislation and other legal requirements for advertising discussed later in this chapter but they usually also contain additional ‘good practice’ rules that are not required by law. The industry has appointed a number of bodies to administer and enforce these codes of conduct. These are regularly updated and changed so always check the latest position. Self-regulation is effective because advertisers have an interest in maintaining it. Self-regulation: •
ensures that consumers are not misled, harmed or offended by adverts. This helps to maintain consumer confidence in the integrity of advertising. Advertising that is welcomed by consumers is good for business;
•
is flexible in its scope and is able to adapt to market conditions, unlike legislation. This is particularly important in the fast-moving advertising industry;
•
maintains a level playing field amongst advertisers; and
•
is cheaper for advertisers than paying the legal costs of a court action to resolve an advertising dispute.
Self-regulation framework 5.7 The framework of the regulatory regime is illustrated in the diagram below. UK
Legal
Legislation specifically dealing with advertising practice
International
Self-regulation
Broadcast media
Non-broadcast media
ASA and BCAP Code
ASA and CAP Code
134
International Chamber of Commerce
EASA
Advertising code of practice
Facilitates cross border complaints, resolved by national regulator
Digital marketing 5.10
The CAP Code and the Advertising Standards Authority 5.8 Advertising in the UK is primarily regulated by the Advertising Standards Authority (ASA) pursuant to the CAP and BCAP codes. The BCAP Code covers broadcast advertising (ie advertising on television and radio). The focus of this chapter is advertising online rather than broadcast advertising, so what follows only describes the workings of the CAP Code. The code applies to non-broadcast advertising, including advertising online.
The CAP Code 5.9 The CAP Code is properly known as the UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing. It is currently in its twelfth edition, which came into force on 1 September 2010.11 It remains the current version in 2020 although is regularly updated. The CAP Code was written by the advertising industry through the Committee of Advertising Practice (CAP), hence the name CAP Code. All of the main trade and professional bodies representing advertisers, agencies, service suppliers and media owners are members of CAP and they agree not to accept any advertising which contravenes the Code.12 The CAP Code is enforced by the ASA. The ASA is independent of both the government and the advertising industry and is funded by an industry levy on advertising space.13
Types of advertising covered by the CAP Code 5.10 The CAP Code currently covers the following types of non-broadcast advertising:14 •
advertisements in newspapers, magazines, brochures, leaflets, circulars, mailings, emails, text transmissions (including SMS and MMS), fax transmissions, catalogues, follow-up literature and other electronic and printed material;
•
posters and other promotional media in public places, including moving images;
•
cinema, video, DVD and Blu-ray advertisements;
•
advertisements in non-broadcast electronic media;
•
Viewdata services;
•
marketing databases containing consumers’ personal information;
11 A copy of the CAP Code is available at www.asa.org.uk/uploads/assets/47eb51e7-028d-4509ab3c0f4822c9a3c4/The-Cap-code.pdf. 12 More information about CAP can be found at www.cap.org.uk/About-Us.aspx. 13 Read more about the ASA at www.asa.org.uk/About-ASA.aspx. 14 Which is explained in the introduction to the Code available at www.cap.org.uk/The-Codes/CAPCode/CAP-Code-Item.aspx?q=CAP+Code+new_Scope+of+the+Code.
135
5.11 Digital marketing
•
sales promotions; and
•
advertisement promotions (‘advertorials’).
The ASA currently applies the CAP Code to: •
online advertisements in ‘paid-for’ space (ie banner or pop-up advertisements and online video advertisements);
•
advertisements in emails;
•
sales promotions (including prize draws and prize competitions) wherever they appear online, for example, on companies’ websites or in their email communications;
•
commercial text messages;
•
viral marketing emails;
•
paid-for entries in search engine results;
•
preferential listings on price comparison sites;
•
ads on electronic kiosks and billboards;
•
ads in electronic games; and
•
use of email addresses for marketing purposes (eg spam).
The following areas are currently outside the ASA’s remit: •
the content of personal emails or text messages; and
•
items posted on bulletin boards and newsgroups unless placed by a commercial company.
•
Previously most editorial content on websites (other than paid-for ads and sales promotions) was excluded.
The last bullet point had been controversial. It has meant that the ASA has not been able to apply the CAP Code to marketing communications appearing on the advertiser’s own website. It has only been able to look at adverts in paid-for space. However, this changed in March 2011 when the ASA’s remit was extended to cover advertising on an advertiser’s own website and in other non-paid for space online under their control, such as on social networking sites like Twitter and Facebook.
Contents of the CAP Code 5.11 The CAP Code is detailed and lengthy. When printed out, it runs almost to 100 pages. It is divided into two sections. The first is called ‘General Sections’ and sets out the rules applicable to advertising generally in all industry sectors. For example, it contains rules prohibiting misleading advertising, regulating adverts aimed at children ad protecting privacy. The second section is called ‘Specific Category Sections’ and sets out the rules applicable to advertising in particular industry sectors, typically ‘high risk’ sectors such as betting and gaming, alcohol, tobacco and pharmaceuticals. Given the extent of the Code, it is not possible here to set out all that the Code requires of advertisers. What is set out instead is 136
Digital marketing 5.11
a flavour of the general messages from the Code and readers are referred to the Code itself15 for a more detailed review its requirements. The general messages from the CAP Code are these: •
all adverts should be legal, decent, honest and truthful;
•
adverts must be prepared with a sense of responsibility to consumers and society;
•
adverts must respect the principles of fair competition generally accepted in business;
•
adverts must not materially mislead or be likely to do so;
•
no advert should bring advertising into disrepute;
•
adverts must be obviously identifiable as such;
•
all claims within adverts must be substantiated by documentary evidence held by the advertiser;
•
advertisements must not cause serious or widespread offence; and
•
advertisers are urged to obtain written permission before using individuals or referring to them in adverts.
In addition, the Code contains the general principles that: •
unreasonable delay in responding to ASA enquiries may be considered a breach of the Code; and
•
the Code is applied in the spirit as well as in the letter.
The CAP Code is written in ‘everyday’ language, rather than ‘legal’ language. However, the fact that it is applied in spirit as well as in the letter means that advertisers cannot argue that they have complied with the technical language of the Code if the effect of the advertising is such that it is not within the spirit of the Code. Primary responsibility for observing the CAP Code falls on the advertisers themselves. Third parties involved in creating and publishing marketing communications, such as agencies and publishers, also accept an obligation to abide by the Code.
Casting an eye over the ad … The ASA was asked to investigate an online sales promotion by the wellknown supermarket, Asda. During the 2010 World Cup, a Uruguayan referee controversially disallowed an England goal during a crunch match with arch-rivals, Germany. Subsequently, Asda ran the following online sales promotion for its opticians’ services:
15 Available at code.pdf.
www.asa.org.uk/uploads/assets/47eb51e7-028d-4509-ab3c0f4822c9a3c4/The-Cap-
137
5.12 Digital marketing
Our special World Cup offer: Free eye tests for all Uruguayans. Like everyone in England, we couldn’t believe our eyes when the Uruguayan referee and linesman failed to recognise Frank Lampard’s equalising goal against Germany. We’re responding by offering all Uruguayans a free eye test to avoid anything like this happening again. All you have to do is bring your passport into any Asda opticians … Optical buying manager Nik Langrish-Dixon says: ‘Let’s face it – it could have been a very different game had the disallowed goal been counted. After the linesman’s slip-up our expert opticians are concerned about the state of his Urug-eyes, so we’re offering anyone with a Uruguay passport a free eye test.’ Fifteen customers took advantage of the offer. The complainant, a British-Uruguayan, objected that the ad was offensive and complained to the ASA. The ASA investigated whether the ad fell foul of the basic principle in the CAP Code that ads should be ‘decent’ and assessed whether it was likely to have caused widespread offence. It did not uphold the complaint. The ASA said that it understood that the promotion was intended to be light-hearted and humorous, exploiting the controversy resulting from the Germany and England World Cup game. In that context, whilst it acknowledged the attempt at humour might be distasteful to some, it considered that most readers of the ad would interpret it as football banter rather than malice towards Uruguayans. Because of that, it concluded that the ad was unlikely to cause serious or widespread offence. There was no breach of the CAP Code.
Enforcement of the CAP Code by the ASA 5.12 The CAP Code does not have the force of law. Rather, it operates alongside the law. Advertisers must comply with all applicable laws as well as adhering to the CAP Code. The Code is enforced by the ASA. Members of the general public, competitors or other interested parties may complain to the ASA that an advert breaches the Code and, if the case falls within its remit and it thinks there is a case to answer, the ASA will conduct a formal investigation.16 In addition, the ASA may itself investigate an advertisement. When assessing compliance with the Code, the ASA’s approach is to consider the general impact of the advert on the particular audience. For example, when assessing decency it will consider whether there has been serious or widespread offence. There is no ‘minimum numbers’ test so that if, for example, an advertiser sends out advertising material to ten million people but only receives five complaints
16 For more information on how to make a complaint, see www.asa.org.uk/Complaints-and-ASA-action/ How-to-complain.aspx.
138
Digital marketing 5.13
the ASA may still uphold those complaints if it considers that the advert was in breach of the Code.
Sanctions for breach of the Code 5.13 If the ASA finds that an advert breaches the CAP Code, it will ask the advertiser to withdraw it or change it. It cannot actually compel an advertiser to do so. However, the ASA does have a number of sanctions that it can use to ‘encourage’ compliance in these circumstances: •
Recorded on the ASA’s website. The fact that the ASA has asked an advertiser to change its advert will be recorded on the ASA’s website. This creates the possibility of adverse publicity (see below).
•
Imposition of a pre-vetting requirement for some or all of the advertiser’s future adverts. This means advertisers must seek copy clearance from the CAP copy advice team before they can publish some or all advertising (see later).
•
Refusal of further advertising space. The ASA can ask publishers and media owners to refuse more space for an advert until it has been changed.
•
Adverse publicity. The ASA publishes reports of its adjudications on its website, which members of the public can access freely. Adverse rulings may also attract adverse media coverage. This is perhaps the ASA’s most powerful sanction, as the media will often report on adjudications, especially if they are about well-known organisations or brands.
•
Withdrawal of trading privileges. Trading privileges, financial discounts and other incentives available through membership of some of the advertising trade bodies can be withdrawn from advertisers who do not comply with the ASA’s adjudications.
Critics of the ASA and the self-regulatory system say that the ASA has no teeth. It is true that it cannot levy fines or award damages in respect of adverts that breach the CAP Code. Nor can it force an advertiser to comply with its requests to withdraw or amend an offending advert. However, the vast majority of advertisers do comply with the terms of any ASA adjudication because of the commercial impact of the sanctions outlined above and because of pressure within the advertising industry. The ASA can refer advertisers that refuse to comply with an ASA ruling to local trading standards departments. An advertiser unhappy with an ASA adjudication can appeal to the ASA’s independent review procedure within 21 days of receiving notification the ruling. An appeal may only be made on the following grounds: •
where additional relevant evidence becomes available; or
•
where there has been a substantial flaw in the adjudication or the investigation process.
On accepting a request for an appeal, the independent reviewer will undertake an investigation, at the end of which he will make a recommendation to the ASA Council about whether their original adjudication should be changed. As the independent reviewer is only able to recommend rather than actually overturn an adjudication, the independent review procedure is not an appeal procedure in the true sense of the word. 139
5.14 Digital marketing
An advertiser unhappy with the outcome of an appeal may apply for judicial review.17 Since March 2011, the ASA has had two additional sanctions available in respect of marketing communications on an advertiser’s own website or in other online space within the advertiser’s control. It may: •
name and shame advertisers that fall foul of the code via the ASA website and by way of paid-for adverts on internet search engines, which link to the ASA’s website; and
•
remove paid-for advertisements that link to the offending advert on the advertiser’s own website or other non-paid for online space.
Clearance 5.14 CAP has a Copy Advice Team which gives free advice on the content of advertising to try and pre-empt potential problems and breaches of the CAP Code. The advice is generally provided quickly. Straightforward queries are usually dealt with within 24 hours although more complex queries may take longer.18 In fact, CAP states that 90% of all queries are answered within 24 hours. However, the ASA is not bound by CAP’s advice. This means that the ASA may subsequently uphold a complaint about an advert that CAP has previously cleared. Generally, advertisers seeking comfort that their advert will not fall foul of the CAP Code can look at the ASA’s previous adjudications. These provide guidance on how the CAP Code should be interpreted. However, this route also has limitations as the ASA is not bound by its previous adjudications.
Benefits of ASA regulation 5.15 ASA regulation enables the quick and cheap resolution of advertising disputes. It also offers a real avenue by which members of the public can complain about adverts and see action being taken. Without the CAP Code and the ASA, complaints would have to be made via the courts relying on breaches of the general law and it is most unlikely that most members of the public would willingly go down this route. However, it should be noted that an adjudication by the ASA does not preclude court action. The courts can be asked to rule on whether an advert breaches the applicable laws at the same time as the ASA is investigating the matter under the Code. The availability of the ASA route is likely to reduce the number of court actions concerning adverts. Why pay the costs involved when the dispute can be resolved easily and cheaply by the ASA? However, one reason why a complainant may take the matter before the courts is that the courts can often award damages 17 See, for example, the judicial review proceedings issued by Smithkline Beecham concerning its advertising for Ribena Toothkind. In the end its challenge was unsuccessful. See Smithkline Beecham Plc v Advertising Standards Authority [2000] EWHC Admin 442. 18 More information about CAP Copy Advice is available at www.asa.org.uk/advice-and-resources/ bespoke-copy-advice.html.
140
Digital marketing 5.17
in respect of an advert which falls foul of the law whereas the ASA does not have the power to do so. The ASA is really about getting an advert withdrawn or changed in the short term rather than looking at wider consumer protection or competitor business damage issues. Notwithstanding the above, it should be noted that the ASA will usually halt an investigation if legal proceedings have been commenced.
Self-regulation internationally 5.16 There is no international system regulating online advertising as such. Instead, there are voluntary codes of practice drawn up by international bodies and an alliance of countries across the world which co-operate in enforcing advertising self-regulation. Further details of each are set out below.
International alliance 5.17 The European Advertising Standards Alliance (EASA) was first formed in 1991.19 EASA’s name is misleading, as it is actually an alliance of the national selfregulatory bodies of various countries across the world, including most European countries as well as those of Australia, New Zealand, Canada, Chile, Brazil, India and South Africa.20 The UK’s member organisation is the ASA. The EASA does not itself produce and enforce an advertising code. Instead, it provides a co-ordinated means of regulating advertising (including online advertising) across national boundaries. Until EASA was formed, there was no easy means of complaining about an advert that originated in one country but was seen in another. It was highly unlikely, for example, that a UK citizen would make a complaint to the national German advertising regulator about an offensive advert that originated in Germany but was seen in the UK, not least because of the potential language barrier. Complaining to the ASA would be pointless, as it would not have jurisdiction over the advert. EASA creates a system whereby complaints can easily be made in these circumstances. Using the example above, under the EASA system the UK citizen can make a complaint directly to the ASA who will refer the matter to the German regulator. The German regulator will then investigate the complaint according to the laws and codes applicable in Germany and apply the appropriate sanctions. EASA would co-ordinate the cross-border complaint, support information exchange and report on the outcome of the case. Details of cross-border complaints are published on the EASA website.21 However, take-up of this cross border process has been low, with EASA receiving just 75 complaints in 2009 compared with the 28,978 received by the ASA. Since then complaints have continued to increase. In addition to facilitating cross-border resolution of advertising complaints, EASA meets regularly to co-ordinate the promotion and development of self-regulation at a European level.
19 For more information about EASA, see www.easa-alliance.org. 20 For more information about EASA membership, see www.easa-alliance.org. 21 These can be found www.easa-alliance.org.
141
5.18 Digital marketing
International Codes 5.18 The International Chamber of Commerce produced guidelines, called the ‘Guidelines on Marketing and Advertising Using Electronic Media’ aimed at promoting good practice in online advertising and now in the ICC Advertising and Marketing Communications Code which is available in four countries. The Code says that all advertising should be legal, decent, honest and truthful. ‘Legal’ in this context means that marketing messages should be legal in their country of origin. The Code also requires advertisers to disclose their own identity so that the user can contact them easily. They also require advertisers not to send unsolicited emails to users who have indicated that they do not want to receive them. There are also provisions dealing with advertising to children, advertising on public groups (such as forums and bulletin boards), data protection and respect for the potential sensitivities of a global audience.22
Sector-specific regulation 5.19 There are additional layers of regulation, both legislative and voluntary, in certain industry sectors. These additional controls cover the advertising of ‘high risk’ goods or services such as alcohol, diet products, pharmaceuticals and tobacco. For example, as mentioned above, the CAP Code contains specific provisions dealing with advertising in some of these ‘high risk’ sectors. A discussion of the regulation in each of these areas is outside the scope of this chapter.
Premium rate services and Phone-paid Services Authority (“PSA”) 5.20 Phone-paid Services Authority (formerly PhonepayPlus and before that the Independent Committee for the Supervision of Standards of Telephone Information Services or ICSTIS) is the body that regulates premium rate services in the UK. ‘Premium rate services’ are services accessed through a fixed or mobile telecommunication device, including voice services, SMS text, interactive digital TV and the internet which offer some form of content, product or service charged to a user’s phone bill. Examples are ringtones, chat lines, directory enquiries and TV voting lines. Ofcom has overall responsibility for the regulation of premium rate services under the Communication Act 2003. Ofcom has delegated these responsibilities to PSA, which is an industry-funded self-regulatory body. PSA regulates the premium rate services industry through a code of practice which it administers and enforces.23 The Code concerns the advertising, content and operation of premium rate services. Ofcom has issued a ‘PRS Condition’ which binds all communication providers involved with ‘controlled premium rate services’ to comply with the Code, which applies to premium rate services accessed by a user in the UK or provided by a services provider which is situated in the UK. Ofcom summarises its role in this area as follows:
22 See https://iccwbo.org/publication/icc-advertising-and-marketing-communications-code/. 23 See the Code of Practice at https://psauthority.org.uk/for-business/-/media/Files/PSA/For-Businesses/ Your-phone-paid-service/Code-of-Practice/PSA_Code_of_Practice_14th_Digital.ashx?la=en&hash=49 BE1A6A76303EEBCF254A692015059D4D4171A3.
142
Digital marketing 5.20
Ofcom has responsibility for the regulation of premium-rate services (PRS) which enable consumers to purchase goods and services by charging the cost to their phone bills and pre-pay accounts. The day-to-day regulation of PRS is carried out on Ofcom’s behalf by the Phone-paid Services Authority through its enforcement of a code of practice approved by Ofcom. The Competition and Markets Authority (CMA) has concurrent powers under specific consumer protection legislation and within the framework of competition law for the communications sector. We work with the CMA to ensure that a consistent and co-ordinated approach is taken in relation to issues where we have concurrent powers, and we discuss which body is best placed to lead in each case. (From Ofcom 2019/20 Annual Report) The Code itself applies to the three main players in the provision of premium rate services: service providers (the actual providers of the premium rate services); network operators (who supply the network facilities for service providers to use); and information providers (who provide premium rate service content, exercise editorial control over the content, package the content or make available a facility within the premium rate service). The Code imposes the greatest regulation on service providers; the least on information providers.
What are ‘premium rate services’? Although most people have their own ideas about what premium rate services are, the actual definition of premium rate services in the Communications Act 2003, borrowed in the PSA Code, is complex and unclear. Technically, they are defined as services that provide content or communications transmitted by means of an electronic communications service or that allows a user of an electronic communications service to make use of a facility through such a service. They are provided for a charge levied through the electronic communications service in question by the provider of such service. This is actually a much-simplified version of the definition used in the legislation and Code but it illustrates the difficulties of determining whether any particular service amounts to a premium rate service or not. For example, a phone app might well fall within this definition although it would probably not be conventionally regarded as a premium rate service.
The Code places a variety of general obligations on service providers, network operators and information providers with regard to the provision of premium rate services. It also deals specifically with the advertising and promotion of these services. It requires that premium rate services promotions must: •
comply with the law;
•
not cause any harm or offence (such as the invasion of privacy or inciting dangerous practices);
•
be fair and not mislead or take unfair advantage of ‘vulnerable’ consumers; 143
5.20 Digital marketing
•
not encourage unauthorised use.
In addition, the advertising of premium rate services must comply with the following specific provisions of the Code: •
Service providers must ensure that all users of premium rate services are fully informed, in a clear and straightforward way about the cost of using a service prior to incurring any charge.
•
Written pricing information must be easily legible, prominent, horizontal and presented in a way that does not require close examination. Spoken pricing information must be easily audible and discernible.
•
In cases where it is unlikely that a consumer will have seen or heard any promotional material containing pricing information, the service provider must place a short, distinct pricing message at the beginning of the service.
•
All operational or instructional messages necessary to obtain access to a premium rate service must be available free of charge to a user.
•
The identity and contact details in the UK of either the service provider or information provider, where not otherwise obvious, must be clearly stated. A customer service phone number must also be clearly stated unless reasonable steps have previously been taken to bring it to the attention of the user or it is otherwise obvious and easily available.
•
In all promotional material, any code, prefix, short access number or similar provision must be presented in such a way that it can be readily identified as a premium rate code or, as appropriate, an international prefix.
•
If the premium rate service operates on an international number, it must be made clear in the promotional material that an international call is required.
•
In the case of premium rate services which are promoted in publications or other media which are likely to have a shelf-life of three months or more, the promotion must include a statement to the effect that the information given is correct as at the time of publication and that time must also be stated. If the charges for the service increase during the life of the promotion, such services must be prefaced with a short message informing users of the new charge levels.
•
Except in certain circumstances, no premium rate service or product obtained through it may be promoted as being free.
The Code creates a Tribunal which will hear complaints relating to premium rate services.24 The Tribunal may impose a range of sanctions on providers whose advertising of premium rate services does not comply with the requirements of the Code. These include in particular the imposition of a fine and ordering a refund to be given to users. The fines levied by PSA can be significant. In one recent matter, 4D Interactive was initially fined £50,000 for breach of the Code in respect of its adult entertainment premium rate service. Another company, Colgant Data Services, was fined £8,000 for re-routing calls to legitimate local council telephone numbers to its premium 24 For more information on the Tribunal, see https://psauthority.org.uk/.
144
Digital marketing 5.23
rate lines. In its Sanctions Guide, PSA has indicated that it will apply a scale of fines for breaches of the Code ranging from £5,000 for minor breaches, up to £50,000 for significant breaches and from £100,000 to £250,000 for serious or very serious breaches of the Code. By 2020 the maximum fine remained £250,000 under the latest (14th edition 2016) version of the Code.
Other rights Comparative advertising 5.21 Widely recognised as an effective marketing technique, advertisers may seek to engage in comparative advertising, to demonstrate to the consumer those qualities and advantages that the advertiser’s product/service has over a rival. For example, ‘these goods will last longer than brand X’s goods’. The consumer’s ability to compare the offerings of rival marketers has been made all the more easy by digitisation, where the user simply uses their computer or mobile to visit a series of digital outlets to assess which offers the best value for money. Alternatively, they use a comparison tool, such as comparethemarket.com. For over a decade now, the consumer has not had to traipse up and down the high street in their search for a bargain. The issue with comparative advertising is that, in order to be most effective, it will usually use a rival’s name or logo, which may be, for example, a registered trade mark. As noted above, use of another’s trade mark in the course of trade may lead to liability for trade mark infringement. It may also amount to ‘passing off’ which is a tort or legal wrong under English law.
Legislative framework 5.22 Misleading and comparative advertising is now regulated by a consolidated EU regime in the form of the Misleading and Comparative Advertising Directive 2006 (‘the Comparative Advertising Directive’) and the Unfair Commercial Practices Directive 2005 (‘UCPD’). The Comparative Advertising Directive and the UCPD have now been implemented into English law in the form of the Consumer Protection from Unfair Trading Regulations 2008 (‘CPRs’) and the Business Protection from Misleading Marketing Regulations 2008 (‘BPRs’). These have remained in force since the UK left the EU on 31 January 2020.
What is comparative advertising? 5.23 Comparative advertising is defined very widely by the Comparative Advertising Directive. The exact wording is as follows: any advertising which explicitly or by implication identifies a competitor or goods or services offered by a competitor.25
25 Article 2(c).
145
5.24 Digital marketing
The definition of ‘advertising’ is similarly wide, and catches pretty much all of the marketing and advertising activity a business is likely to undertake online. Therefore, any superiority or parity claim, such as ‘one of the fastest’ or ‘nothing lasts longer’, will be subject to regulation under the Comparative Advertising Directive.
Legal requirements for comparative advertising 5.24 The Comparative Advertising Directive requires that all comparative advertisements are not ‘misleading’. ‘Misleading’ advertising is: advertising which in any way, including its presentation, deceives or is likely to deceive the persons to whom it is addressed or whom it reaches and which, by reason of its deceptive nature, is likely to affect their economic behaviour or which, for those reasons, injures or is likely to injure a competitor.26 It can be seen then that an economic or injurious effect is required in order to fall foul of the legislation. This makes sense, after all the EU is fundamentally an economic union. When looking at whether an advertisement is misleading, the Comparative Advertising Directive states that all the circumstances are relevant, including the following: the characteristics of the advertised goods and services, how they are delivered, how prices are calculated and the nature and attributes of the marketer.27 The Directive then lists a set of conditions with which comparative advertisements must comply:28 •
it is not a misleading action or misleading omission under the UCPD (see further below);
•
it compares goods and services meeting the same needs or intended for the same purpose (ie it compares ‘like-for-like’);
•
it objectively compares one or more material, relevant, verifiable and representative features of those goods and services, which may include price (ie it is a fair comparison);
•
it does not discredit or denigrate the trade marks, trade names, other distinguishing marks, goods, services, activities or circumstances of a competitor;
•
for products with designation of origin, it relates in each case to products with the same designation;
•
it does not take unfair advantage of the reputation of a trade mark, trade name or other distinguishing marks of a competitor or of the designation of origin of competing products;
•
it does not present goods or services as imitations or replicas of goods or services bearing a protected trade mark or trade name; and
•
it does not create confusion among traders, between the advertiser and a competitor or between the advertiser’s trade marks, trade names, other distinguishing marks, goods or services and those of a competitor.
26 Article 2(b). 27 Article 3. 28 Article 4.
146
Digital marketing 5.25
It has long been established that simply making a comparison is not ‘discrediting’ in itself provided the requirements of the Comparative Advertising Directive are complied with. In the Pippig case an Austrian opticians made a series of comparisons, some of which compared products where the price difference exceeded the average. The Court of Justice of the European Community (formerly the European Court of Justice) found nothing objectionable in such practice.29 The UCPD also contains a specific provision with respect to comparative advertisements. Unfair ‘commercial practices’ (which explicitly includes advertising and marketing activity and is of course applicable to the digital environment)30 are prohibited. Inter alia, a commercial practice is unfair if it is misleading. A practice is misleading if, taking into account all the circumstances, it causes or is likely to cause the average consumer to take a ‘transaction decision’ (eg whether or not to make a purchase the terms on which to make a purchase or whether or not to retain a product) that they would not otherwise have taken and involves any marketing, including comparative advertising, which creates confusion with any products, trade marks, trade names or other distinguishing marks of a competitor. The BPRs and CPRs faithfully reproduce the requirements of the Comparative Advertising Directive and the UCPD largely with identical wording. Breach of certain elements of the Regulations is a criminal act.31
Enforcement of the Comparative Advertising Directive 5.25 While the Comparative Advertising Directive and the UCPD were implemented by the CPRs and BPRs, enforcement of that legislation largely falls to trading standards officers and the Advertising Standards Authority (‘ASA’). Both the CAP Code and BCAP Code enforced by the ASA were amended to take account of the requirements of the CPRs and BPRs. The OFT also has the right to apply to court for injunctive relief under the CPRs and BPRs but these powers are exercised very sparingly. Thus, there is no direct right of enforcement of the legislation for consumers under the CPRs or for businesses under the BPRs. This restrictive approach angered some, in particular because other jurisdictions, such as Germany, chose to implement the Comparative Advertising Directive and the UCPD in such a way as to give the public direct access to the courts to prevent infringements of the legislation. The UK chose another path, following the overarching theme that not only is comparative advertising generally permissible (within the bounds of the rules) but it is also to be encouraged, since it promotes competition and therefore helps to further the economic aims of the single market. Attempts to construct an argument which would effectively give businesses a direct right to enforce the BPRs and CPRs are not likely to succeed as this would seem to go directly against Parliament’s intentions.32 However the UK then changed the original regulations by the Consumer Protection (Amendment) Regulations 2014 which amended the original 2008 regulations. They provide consumers with rights 29 Pippig Augenoptik GmbH & Co KG v Hartlauer Handelsgesellschaft mbH (Case C-44/01) ECJ. 30 Directive 2005/29/EC, Article2(d). 31 For example, under the BPRs reg 6 it is an offence to engage in misleading advertising. Under reg 9 of the CPRs it is an offence to engage in a misleading action (including creating confusion with a competitor’s products or marks). 32 Tiscali UK Ltd v British Telecommunications Plc [2008] EWHC 3129, QB.
147
5.26 Digital marketing
to redress in respect of misleading and aggressive commercial practices. These changes came into force on 1 October 2014 and apply to contracts entered into, or payments made, on or after that date.
Trade marks and comparative advertising 5.26 Under the Trade Marks Act 1994 (TMA 1994), advertisers have struggled to convince the courts to support them in their complaints against rival advertising using their trade marks where the comparison with a competitor’s products is fair. Trade mark actions in the comparative advertising context usually involve a ‘double identity’ scenario (ie the rival making the comparison uses the competitor’s trade mark (identical mark) in relation to its own (identical) goods or services). Where the party seeking to make a comparison has not used an identical mark (or has only similar products or services) the complaining party may not be able to establish that the requisite confusion on the part of the public is present, since the point of comparative advertising is to distinguish between the origin of two separate offers rather than to confuse the consumer as to what is available from where. There are a number of UK cases where mark owners have failed to prevent a rival from using their trade mark in a comparison. For example, the court dismissed a thinly veiled reference by Ryanair to British Airways as ‘Bastards’ as just ‘vulgar abuse’.33 The courts clearly prefer rivals to resolve such disputes either between themselves or with the ASA instead. (Indeed, British Airways was successful in its complaint before the ASA whereas it failed in the courts.) When the mobile network, 3, took O2’s trade marked bubbles and distorted them in a comparative TV advertising campaign the then European Court of Justice held that the Comparative Advertising Directive is a complete code for the regulation of comparative advertising. That is to say that the TMA cannot be used to prevent comparative advertising if there has been compliance with the requirements of the Comparative Advertising Directive. However, the European Court of Justice also held that if the advertiser’s use of its rival’s trade mark causes confusion, then there may be a breach of the rules in the Comparative Advertising Directive as implemented in Member States and as such may also constitute trade mark infringement. In this case the European Court of Justice decided that there was no confusion between 3’s mobile services and those of O2.34 Absence of confusion will usually be the case with an effective comparative advertisement. Following this case, it seemed that trade mark owners would be left to the whims, financial constraints and timetables of the regulatory authorities (ASA, trading standards and then OFT) under the CPRs and BPRs to enforce their trade mark rights against unwanted comparative advertisements. More recently, the Court of Justice has given further hope to brand owners in the L’Oreal case.35 Here the defendants marketed perfumes as ‘smell-alike’ to famous L’Oreal bands and made reference to L’Oreal’s trade marks in comparative lists. Notwithstanding that consumers were not under any illusions about the fact that
33 British Airways Plc v Ryanair Ltd [2001] ETMR 24. 34 O2 Holdings Ltd and O2 (UK) Ltd v Hutchison 3G Ltd (Case C-533/06) ECJ. 35 L’Oreal SA and others v Bellure NV and others (Case C-487/07) ECJ.
148
Digital marketing 5.26
the defendant’s goods were not manufactured by L’Oreal, the European Court of Justice said that the defendants had sought to take unfair advantage of the distinctive character or reputation of L’Oreal’s trade marks by ‘riding on the coat tails of the mark with a reputation in order to benefit from the power of attraction, the reputation and prestige of that mark’. Accordingly, as the advertiser had failed to comply with the local law implementation of Comparative Advertising Directive’s requirement of not taking unfair advantage, then the defendants could be liable for trade mark infringement. While this ruling is helpful for trade mark owners, they will need to establish that a trade mark has a reputation in order to claim trade mark infringement under TMA 1994, s 10(3). The European Court of Justice’s approach to ‘unfair advantage’ has traditionally been that where an advertiser seeks to use a mark solely to distinguish between its goods or services and those of its competitors in order to highlight the differences between them, such advertising does not take unfair advantage of the reputation of the competitor’s mark.36 Even where there has been no compliance with the local law implementing the Comparative Advertising Directive and thus an action for trade mark infringement is open, the defendant will be likely to attempt to rely on a specific exception for comparative advertising under TMA 1994, s 10(6). The provision says that comparative advertising is permitted, provided that it is in accordance with honest practices in industrial and commercial matters and may not without due cause take unfair advantage of, or be detrimental to, the distinctive character or repute of the trade mark. However, the courts have consistently cast doubt on the extent to which litigants should seek to rely on this ‘home grown’ exception. Instead, the courts prefer the wording found in s 11(2), which derives directly from the Trade Marks Directive37 and is mirrored in the provisions of Community Trade Marks Regulation.38 See for example the approach of Pumfrey J in the Boehringer case.39 This provision permits the use of another’s trade mark purely in a descriptive sense (eg ‘these cartridges are designed to fit the Brand A X9AW7 model printer’). Similarly however, use of a rival’s trade mark must be fair (ie ‘in accordance with honest practices in industrial and commercial matters’). In cases where the local law implementing the Comparative Advertising Directive has been breached it is highly likely that the advertiser will not satisfy these criteria. It is unclear whether the trade mark position with respect to digital comparative advertising differs from the position in relation to copyright – the courts have not yet faced the question whether the Comparative Advertising Directive would also provide a defence to copyright infringement. If it does not, the danger is that, without clearance of the full set of requisite rights, an advertiser may find itself able to rely on a defence in relation to a registered trade mark but falling foul of the copyright (or indeed any design rights or rights to sue for passing off) in relation to the very same mark.
36 Siemens AG v VIPA gesellschaft für Visualisierung und Prozebautomatisierung (Case C-59/05) ECJ. 37 Directive 89/104 EC. 38 Regulation 40/94/EEC. 39 Boehringer Ingelheim Limited and others v Vetplus Ltd [2007] EWHC 972 at para 45.
149
5.27 Digital marketing
Linking 5.27 The 2nd edition of this book, published in 2002, discussed ‘hyperlinking’ in some detail, specifically the issues raised by ‘deep linking’. Hyperlinking refers to one website creating a link to another website. Deep linking occurs when the link takes the user directly into part of the linked site beyond the homepage, so that the homepage itself is bypassed. There was, and still is, very little case law in this area and it remains unclear whether this practice amounts to copyright infringement, passing off or an infringement of any other legal rights of the owner of the linked site. The issue was highlighted in the first English law case on deep linking so far: Shetland Times Ltd v Willis.40 In this case Shetland News’ website included a number of headlines that served as hyperlinks to articles on the Shetland Times’ website. As a deep link, Shetland Times’ home page was bypassed, including the advertisements displayed there which affected Shetland Times’ advertising revenue. There was, however, no court judgment on this issue as the parties settled on terms that Shetland News would link only to the Shetland Times’ homepage and would not deep link. The question of the legality of deep linking is not entirely clear but, as a practical matter, is of less concern given the changed online advertising formats. In Stichting Brein v Filmspeler (Case C-527/15), the CJEU looked at multimedia players with already installed links to unauthorised streamed copyright works such as music and films. The court held that the supply of these players breached the copyright owner’s rights and stated that users could also have breached copyright. The court looked at the Information Society Directive 2001/29 in assessing what was reproduction and broadcast of a work. If the device is distributed for profits the company doing so should check the legal position and was not a mere conduit or passive wall. The model which placed reliance on advertising revenue through adverts placed on the homepage of a website is a legacy of older times of Web 1.0. Now revenue models render this issue of less relevance. In particular: •
a significant amount of online revenue is driven through paid-for searching. This, in particular, includes Google Adwords (see Chapter 3 for a full explanation);
•
a significant amount of advertising is generated through ad-serving which utilises IP addresses, as opposed to being reliant on links to homepages as well as advertising on Instagram and the like.
Copyright Directive 2019/790 and linking 5.28 For those within the EU the Copyright Directive due to be brought into force in the 27 EU Member States from 7 June 2021 will also be relevant. The Directive has been subject to much controversy and in part has been dubbed the ‘link tax’. 40 [1997] FSR 604.
150
Digital marketing 5.29
Recital 57 of the Directive states that publishers are not given exclusive rights in relation to hypertext links (ie ‘the rights granted to publishers of press publications should not extend to acts of hyperlinking’). Article 15 (Protection of press publications concerning online uses) paragraph 1 is worth stating in full: 1. Member States shall provide publishers of press publications established in a Member State with the rights provided for in Article 2 and Article 3(2) of Directive 2001/29/EC for the online use of their press publications by information society service providers. The rights provided for in the first subparagraph shall not apply to private or non-commercial uses of press publications by individual users. The protection granted under the first subparagraph shall not apply to acts of hyperlinking. The rights provided for in the first subparagraph shall not apply in respect of the use of individual words or very short extracts of a press publication. The UK has said it will not implement the Directive in 2021 as the post-Brexit transitional period ends on 31 December 2020 and the Directive has been so unpopular as it arguably curbs rights of free speech online. However the position above with the exemption for linking in most cases reflects current English law in any event.
Keywords 5.29 Keywords are words reserved by search engines so that when a search is conducted using that keyword, it triggers the display of certain sponsored links or advertising. The advertiser usually pays a fee for this service offered by the search engine and although a number of advertisers can select the same keyword, their advertisement will appear higher in the search result rankings, typically dependant on how much they are willing to pay for each ‘click-through’ onto the link.41 In Chapter 3 we set out in detail the legal issues and lack of protection for brand owners in connection with the acquisition of keywords. The procuring of keywords is a key plank of any brand owner’s online marketing strategy so this is an important issue. Indeed many competition and commercial solicitors will include in selective distribution agreements clauses restraining association of the licensed brand with any words which cheapen the premium image of brands including in relation to purchase or ad words. This should be done carefully in contracts and only after taking competition law advice.
41 For example, Google’s AdWords service, which also employs ranking determination factors such as the number of previous clicks on the link and the quality of the advertisement.
151
5.30 Digital marketing
Copyright 5.30 The issue of copying a copyright work without permission has been dealt with in detail in Chapter 2 and is also dealt with in the context of user-generated content (see Chapter 6). It is worth reiterating that, in the context of digital marketing, it cannot be assumed that content already placed online can be freely used. Therefore, the temptation to cut and paste, adapt, or simply copy material already available online must be resisted as it will be breach of copyright in most cases. As many internet users are wilfully blind to this fact it can be worth: (i) stating on websites that material must not be copied; (ii) making it hard to copy using technical means; and (iii) tracking infringement through use of web searches and software tools.
Free prize draws Introduction 5.31 The concepts of a free prize draw remains popular with a variety of organisations. They are commonly used by retailers to act as incentives for consumers to purchase products, to provide feedback, or in return for a potential reward. There is a risk that a free prize draw may be classed as a lottery. This requires a licence to operate, and organisers can be subject to criminal penalties if they operate such a lottery without a licence. To avoid a free prize draw being classed as an illegal lottery, strict requirements must be adhered to.
When is a prize draw a lottery? 5.32 Under the Gambling Act 2005, s 14 (‘GA 2005’), an arrangement is a simple lottery if: •
participants are required to pay;
•
one or more prizes are allocated to one or more members of a class; and
•
the prize is/prizes are allocated by a process which relies wholly on chance.
(This definition was first stated by Lord Widgery CJ in the Reader’s Digest case (see below) and was subsequently incorporated into legislation.) A free prize draw (as opposed to a competition) will inevitably involve allocating a prize (or prizes) by a process which relies wholly on chance. If, therefore, participants are required to pay to enter then the draw will constitute a lottery. It may seem illogical that a ‘free’ prize draw could entail payment by participants to enter. However, the notion of payment is interpreted widely. As a result, many prize draws involve some form of payment taking place (even if this is not obvious), such as premium rate telephone call to enter and are therefore classed as illegal lotteries if they operate without a licence.
The pre-2005 position 5.33 Under previous legislation, prize draws were not classified as lotteries if they genuinely did not require a payment to enter. Many organisers structured free 152
Digital marketing 5.34
prize draws to include two entry routes – one free, and one that required payment. The case of Reader’s Digest Association v Williams42 provided further clarification on the notion of genuinely not requiring a payment to enter. Lord Widgery CJ stated that a prize draw constituted a lottery where ‘the persons taking part in the operation, or a substantial number of them, make a payment or consideration in return for their chance of a prize’. This test was applied in Imperial Tobacco v Attorney General,43 where the House of Lords went one step further and held that a free entry route could be disregarded entirely where the vast majority of participants were required to pay to enter the draw. The case of Imperial Tobacco also discussed what constituted a payment where entry for a prize draw depended on the purchase of a product. The Court held that it was immaterial whether the price of the product was the same regardless of whether the participant entered into the draw (ie if it was still sold at its usual price). If the participant paid for two things for one price, it was impossible to say that he paid only for one and not the other. Consequently, if any money changed hands then the prize draw was taken to be requiring a payment and therefore would be classified as a lottery unless there was a free entry route.
The post-2005 position 5.34 The later and current legislation, in the form of the GA 2005, provides clarity regarding whether a prize draw can involve a degree of payment. The meaning of payment under GA 2005, Sch 2, para 2 includes paying for goods or services at a price which reflects the opportunity to participate in the draw. This is a departure from the approach under Imperial Tobacco where, even if products/services were purchased at their usual price, all of the consideration could not be attributed to the products/services alone. The GA 2005 has provided guidance on free entry routes. Under GA 2005, Sch 2, para 8 an arrangement is not treated as requiring participants to pay if they have a choice to participate by either paying or choosing a free entry route. A free entry route should involve a method of communication that is neither more expensive nor less convenient than entering by paying. The Gambling Commission’s guidance is that using a free entry route via the web ‘may not offer substantial proportions of those who wish to enter a genuine choice’ given that many would not have home web access.44 As a result, participants should be given at least three working days to use a web entry route. If free prize draw organisers are only offering one route of entry, they should exercise caution in relation to the method of communication used for entry to ensure that it does not constitute a payment to enter. The GA 2005 states that paying above the ‘normal rate’ to use a method of communication constitutes a payment to enter. The ‘normal rate’ is, for postal entries, via first-class or secondclass post (GA 2005, Sch 2, para 5). For telephone entries, the normal rate would be the usual cost of a non-commercial call.
42 [1976] 1 WLR 1109. 43 [1981] AC 718. 44 Prize competitions and free draws: The requirements of the Gambling Act 2005, December 2009.
153
5.35 Digital marketing
Key messages 5.35 •
Organisations need to be aware that from March 2011 the ASA’s remit was extended to cover advertising on an advertiser’s own website and in other non-paid-for space online under their control, such as on social networking sites like Twitter and Facebook.
•
In the UK, the courts take a robust approach towards comparative advertising which may make it difficult to challenge a competitor’s ‘unfair’ use of a brand. In such case, advice should be sought as to whether there are other routes of challenge such as through the ASA.
•
Organisers of free prize draws should be aware of the risks of their draw being classified as an illegal lottery. It is necessary to look at all stages of the process to ensure that either no payments are made by participants, or that free entry routes are compliant with the requirements of the GA 2005.
154
Chapter 6
User-generated content and social media
Introduction 6.1 ‘People like to express themselves and they want to be famous.’ This, according to Richard Rosenblatt, the co-founder of the social networking site MySpace, is why consumers have embraced social media and why so many consumers spend significant amounts of time and effort creating and sharing content, without the expectation of remuneration or profit, with a vast network of individuals, and potentially with the world, through the internet. By 2021 the World Wide Web has evolved to become an increasingly dynamic and interactive medium where content is generated by users and uploaded and shared easily with others. Whereas internet audiences used to be passive, they are now participatory, and often creative. Given the ability to access the internet on their own mobile devices individuals have used the internet more and more compared with the days of having to queue for time on the family computer. Now having new media and a variety of mobile recording devices, these users now have the ability to capture and create content, whether it be video, music or photos that can ultimately be uploaded on a website or published in an advertising campaign. Social networking and user interactive services are now very popular and have become a compelling if not compulsive activity for many internet users. Businesses are increasingly communicating with consumers through social media. This chapter: •
explains user-generated content and highlights the importance of advertising as a revenue model;
•
examines the legal risks associated with social media and user-generated content;
•
explores the risk of defamation and looks at the potential defences to defamation claims in the light of recent cases;
•
reviews the issues relating to the commercial and legal risks associated with minors;
•
gives practical guidance as to how brand owners can mitigate risks when exploiting user-generated content and considers the issue of whether or not to moderate content.
155
6.2 User-generated content and social media
What is user-generated content? 6.2 User-generated content (‘UGC’) describes a variety of media content that is supplied by an end-user, and is commonly associated with social networking sites on the internet. Many people will be familiar with UGC through their daily internet activities. Examples of UGC include sharing videos on YouTube or Tiktok, written reviews on Amazon, customising publicly accessible profiles on Facebook, contributing to articles on Wikipedia, contributing to blogs and providing comments to a discussion. Users also communicate with words, video and photographs on Instagram, Snapchat, Whatsapp and many other similar services. In the third quarter of 2012 Facebook user numbers went over 1 billion people for the first time and had over 2.7 billion monthly active users as of the second quarter of 2020.
User-generated content revenue models 6.3 User-generated content is used by businesses to fulfil two primary functions. First, a social networking site, such as Facebook, encourages its users to post personal content such as photos and comments. These websites rely on their members (membership is typically free) to access the site and upload content. This behaviour creates communities and entices users to return to the site on a regular basis to socialise with other users/members. With a regular and expanding list of users, the owners of these sites are then able to generate revenue from selling advertising space, much of which can be tailored and placed on areas of the site that match the preferences of the specific user. Secondly, many brand owners incorporate UGC into their advertising and marketing strategies. The evolution of the internet and the change in the behaviour of the average consumer to that of a ‘creator’ has presented media owners, advertisers and agencies with significant opportunities to become involved in user-generated content, and benefit from the interactivity consumers can have with the brand. This may increase their loyalty and even make consumers unofficial brand advocates. In essence, the use of UGC offers a relatively low-cost opportunity to reach a new audience and ensure its core market is dedicating sufficient time to the brand. Posted content may be used by the brand in wider advertising and marketing campaigns.
Viral marketing Viral marketing operates on the principle that internet users will want to share interesting, fun or ‘different’ content with other users. If content like this, that concerns a brand, is uploaded to a social networking site or UGC site such as YouTube it is likely that it will be viewed many times by users and shared. As a result, the brand message is relayed to millions of users, who themselves relay it on to other users. The brand message spreads like a virus. The content in question could be an article, a blog or video content. 156
User-generated content and social media 6.3
A good example of viral marketing is a video from Nike, uploaded to YouTube, in which the famous footballer Ronaldinho takes delivery of some new Nike boots but, more importantly from a marketing perspective, then spends over two minutes demonstrating some of the most amazing football skills ever seen. Some 23.5 million people watched this ad on YouTube making it one of the top ten viral marketing campaigns of all time. Another, perhaps better known, example of viral marketing is the ad on YouTube for Cadbury’s Dairy Milk chocolate in which a gorilla is shown playing the drums along to a Genesis track. Again, this is one of the most successful viral advertising campaigns to date.
A report published by Informa in March 2010 indicated that US mobile social networking ad revenue would reach revenues of US$421 million during 2010, and was projected to break through the US$1 billion revenue mark in 2013.1 This has continued to grow in the last ten years. Social network advertising revenue in the US in 2019 was about US$30 billion for Facebook, Instagram US$9.45 billion, LinkedIn US$3.19 billion, Twitter US$1.57 billion, Pinterest US$1 billion, Snapchat US$0.92 billion (figures from Statista in 2020 (www.statista.com/statistics/1103339/socialmedia-ad-revenue-platform/)). The popular appeal and growth of social networking and content-sharing sites has made them assets worth acquiring, as demonstrated by the following acquisitions: Year
Acquisition
2002
Yahoo! bought Flickr for an undisclosed sum, reported to be approximately US$30 million
2005
News Corporation bought MySpace (social networking site) for US$580 million
2006
Viacom/MTV bought Atom Films (games, films and animations site) for US$200 million
2006
Google bought YouTube (video sharing site) for US$1.65 billion
2007
Microsoft bought a 5% stake in Facebook for US$500 million
2008
AOL bought Bebo for US$850 million
2012
Twitter bought Vine for US$970 million
2012
Facebook bought Instagram for US$1 billion
2012
Microsoft bought Yammer for US$1.2 billion
2013
Google bought Waze for US$966 million
2013
Yahoo bought Tumblr for US$1.1 billion
2014
Facebook bought WhatsApp for US$19 billion
2020/21
Discussions on sale of a significant share in TikTok’s US operations put the price at likely to be over US$10 billion
1 Source: Mobile Marketing Watch at www.mobilemarketingwatch.com/report-social-network-adrevenue-to-double-in-2010-reaching-revenues-of-421m-5851/.
157
6.4 User-generated content and social media
The legal risks associated with user-generated content 6.4 Ideally, users upload their own original material to UGC platforms. In practice, however, users will also upload materials that infringe copyright works, or contain content that is defamatory, obscene or breaches an individual’s right of privacy. In 2021 the EU Copyright Directive 790/2019 should be implemented in the EU, but not the UK. Its Recital 70 provides a useful summary of the provisions which should be in force by 7 June 2021 throughout the 27 Member States. The steps taken by online content-sharing service providers in cooperation with rightholders should be without prejudice to the application of exceptions or limitations to copyright, including, in particular, those which guarantee the freedom of expression of users. Users should be allowed to upload and make available content generated by users for the specific purposes of quotation, criticism, review, caricature, parody or pastiche. That is particularly important for the purposes of striking a balance between the fundamental rights laid down in the Charter of Fundamental Rights of the European Union (‘the Charter’), in particular the freedom of expression and the freedom of the arts, and the right to property, including intellectual property. Those exceptions and limitations should, therefore, be made mandatory in order to ensure that users receive uniform protection across the Union. It is important to ensure that online content-sharing service providers operate an effective complaint and redress mechanism to support use for such specific purposes. Online content-sharing service providers should also put in place effective and expeditious complaint and redress mechanisms allowing users to complain about the steps taken with regard to their uploads, in particular where they could benefit from an exception or limitation to copyright in relation to an upload to which access has been disabled or that has been removed. Any complaint filed under such mechanisms should be processed without undue delay and be subject to human review. When rightholders request the service providers to take action against uploads by users, such as disabling access to or removing content uploaded, such rightholders should duly justify their requests. Moreover, cooperation should not lead to any identification of individual users nor to the processing of personal data, except in accordance with Directive 2002/58/ and Regulation (EU) 2016/679. Member States should also ensure that users have access to out-of-court redress mechanisms for the settlement of disputes. Such mechanisms should allow disputes to be settled impartially. Users should also have access to a court or another relevant judicial authority to assert the use of an exception or limitation to copyright and related rights. The above not only covers the issue of parody which is useful, but only confirms the pre-existing law in the EU and UK under earlier EU legislation about copyright law and parody, but also makes it clear the parody exceptions to infringement do apply to users online and would cover some use of material such as in memes. 158
User-generated content and social media 6.6
Harnessed by the ease with which content can be recorded and uploaded, the risks of infringing the rights of authors, artists, film studios or individuals on a potentially world-wide scale cannot be underestimated. Those whose rights are infringed will invariably pursue the platform as opposed to the individuals who posted the infringing content, not only on the basis that they have deeper pockets, but also because they will be easier to identify. The last few years have witnessed a raft of lawsuits involving UGC platforms. For example, organisations including Viacom and the English Premier League have issued law suits against YouTube, claiming that it has done too little to prevent the uploading of copyright material, while in November 2006, Universal Music issued proceedings in California against MySpace, claiming that the online network site was encouraging users to share music and videos illegally. Universal Music reportedly sought damages of US$150,000 per song or video posting, citing 60 allegations, totalling US$9 million and Universal argued that their music and videos played a key role in developing online communities that has netted the owners of MySpace millions of dollars. As was noted in Chapter 2, UGC which infringes a rights holder’s copyright may not (in economic terms) be harmful per se and may be revenue enhancing. Nevertheless, it is important that any organisation that wishes to utilise UGC – even for something as simple as a chat forum or bulletin board – is alive to the legal risks associated with UGC and the steps that can be taken to mitigate such risks.
Unlicensed copyright material 6.5 The popularity of UGC platforms emanates from users’ ability to upload information about themselves as well as other material, such as photographs, videos, blogs and music. While these materials may have been created by the user, where they have not and such content is either partially or wholly owned by a third party, the issues of copyright ownership and infringement need to be addressed, from the perspective of the UGC operator and a brand owner looking to exploit UGC as part of an advertising or marketing campaign.
UGC operator issues 6.6 As noted in Chapter 2, it will be an infringement of the copyright in a work under the Copyright Designs and Patents Act 1988 to: (a) show or play the work in public; or (b) communicate it to the public without the permission of the copyright owner. Chapter 2 included a discussion about the impact of the Copyright Regulations, reg 28A. In essence, the Regulations state that Internet Service Providers (ISPs) will not be liable for copyright infringement for caching. Caching involves copying which, in the absence of the Regulations, could amount to copyright infringement as it is done without the express consent of the copyright owner. The Regulations also apply to website operators. However, their usefulness to UGC providers is limited, because to qualify for this caching defence, the ISP or website operator must be involved in ‘temporary acts of reproduction’ whose sole 159
6.7 User-generated content and social media
purpose is to ‘enable a transmission in a network between third parties’ where this process has ‘no independent economic significance’. This provision is unlikely to protect a UGC provider if it makes an economic gain from its service, for instance through advertising. The test is whether an ISP moves from being a ‘passive wall’ to active such as where it buys adwords, encourages infringement or is paid for the infringement in some way. Chapter 3, paragraph 3.26 above listed some of the case law in this area including Cartier v BSkyB [2016] EWCA Civ 658 where the Court of Appeal held that trade marks had been infringed by ISPs including BskyB, and brand owners could require BskyB to block access to content which infringed trade mark rights where the ISP had knowledge of the infringement. The Supreme Court ([2018] UKSC 28) held that the brand owners should, notwithstanding the fact they won, pay the legal costs of any blocking injunction applications against ISPs. This requirement alone can make litigation too expensive.
Brand owner issues 6.7 In the event that a user supplies material to which he or she does not own the copyright, that material may infringe a third party’s copyright. If a brand owner then exploits that material or hosts the content on its website or uses the content as part of an advertising campaign, the brand owner will then itself commit a copyright infringement. Accordingly, prior to making use of UGC for advertising or marketing purposes, brand owners must have regard to the question of securing intellectual property rights usage.
Limitations of terms and conditions 6.8 Typically, a website operator will look to mitigate the risks of infringing material being used by including provisions in its terms and conditions which purport to transfer the ownership in the material to the website operator or require the user to grant them a perpetual, royalty-free licence to exploit the material. In addition, the user will be required to comply with ‘acceptable use’ policies which will specifically state that the user must not submit or post material in which the user does not own the copyright. These terms and conditions provide some protection against copyright infringement. However it is not complete protection. First, the terms do not bind a third party whose content may have been infringed and therefore have no effect on that third party. Secondly, a purported assignment of rights will have no effect under English law as a signature by the transferor is required to transfer copyright. Thirdly, brands will not wish to enforce breaches of terms and conditions against their consumers. The purpose of the terms and conditions is principally to enable the operator to block that user from future participation but does little to assist in relation to infringing postings already made by the user.
160
User-generated content and social media 6.10
Creative commons 6.9 Users of certain sites have the ability to publish their content under a ‘Creative Commons’ licence.2 Creative Commons is a licensing scheme designed to make copyright works more widely accessible by providing creators with a range of ready-made licences, which permits various uses of copyright works by third parties. In the absence of a licence from the copyright holder, a third party has no right to use or access the copyright material.3 Creative Commons modify standard copyright terms attached to a work by providing several types of licence. Authors select the Creative Commons licence they want to apply to their work and stipulate this clearly when communicating their work to others. Third parties may then copy, distribute, display or perform the work, subject to the specific conditions in the applicable Creative Commons licence, without needing to contact the author for permissions and safe in the knowledge that they will not be infringing copyright provided they stay within the terms of the licence. The purpose of these licences is to stimulate innovation and creativity by freeing up the use of copyright works. The concept of ‘free content’ has become increasingly popular. In 2003 there were approximately 1 million Creative Commons licensed works. By 2006 this figure had exceeded 50 million. By 2014 this had risen to 882 million. Although Creative Commons does enable copyright works to be used by others, the Creative Commons is still a licence and non-compliance with its licence terms will amount to copyright infringement. The same issue arises with ‘open source’ (source code released online with rights to use which again is often subject to conditions such as future use being free of charge when the work is incorporated in another and requiring particular copyright notices to be used when the ‘free’ material is re-used). It is important therefore that the terms of the licence are understood and that there is adherence to all its obligations. For instance, the ‘Attribution UK’ licence allows third parties to copy, distribute, display and perform the work, and to make derivative works under the condition that the original author is credited. Importantly, a user will often need to ensure that they do not infringe the author’s moral rights (see Chapter 2) as the majority of licences do not waive these rights.
Privacy 6.10 If UGC contains an identifiable image of an individual and or any other information that may assist in the individual’s identification, the user and/or
2 Creative Commons licences were developed by Creative Commons, a not-for-profit organisation founded in 2001 in San Francisco by Larry Lessig and others with the objective of expanding ‘reasonable and flexible copyright’. For more information, visit www.creativecommons.org. 3 The first licences were released in December 2002. The original licences granted four baseline rights namely the rights to copy, distribute, display and perform the work worldwide without charge. Four conditions were then introduced, namely attribution, non-commercial, no derivative works and sharealike. Creative Commons licences are a mix-and-match combination of the four baseline rights and the four conditions.
161
6.10 User-generated content and social media
operator of the UGC platform will also need to consider data protection legislation and the laws relating to the right to privacy, and as a result may need to obtain the consent of the individual prior to using such material. As was noted in Chapter 4, the ‘right of privacy’ in the UK has led to successful legal actions by celebrities. For any cross-jurisdictional campaign, it is preferable to obtain consent to the use of an individual’s image to avoid potential claims. Organisations looking to use images as part of UGC must also consider the CAP Codes. These state that marketers must not unfairly portray or refer to anyone in an adverse or offensive way unless that person has given their written permission to allow it (UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing, r 6.1). The CAP Codes ‘urge’ marketers to obtain written permission before referring to or portraying any member of the public. However, the use of a crowd scene or a general public location may be acceptable without permission from the individuals whose images are used. Where a reference is made to a person with a public profile, it is advisable to obtain their written permission particularly where they could be construed as personally endorsing a product. International advertising campaigns need to be planned bearing in mind the greater legal protection for privacy in jurisdictions such as France, Germany and the US. In practice, this means that campaigns of any description over the internet require express consents from identifiable individuals, whether famous or not. There is a big difference between the USA where generally images taken in public can be used and the UK/EU when that is not necessarily the case.
The Alison Chang incident This particular issue made the headlines in September 2007 when a family from Texas sued Australia’s Virgin Mobile phone company4 for using a photo of their teenage daughter in an advertising campaign without consent. The advertising campaign promoted Virgin’s text messaging service and used a selection of approximately 100 photographs that had been uploaded onto Flickr, Yahoo! Inc’s popular photo-sharing website, via a Creative Commons attribution licence and superimposed with the company’s ad slogans. The photograph featuring Alison Chang was taken in April 2007 by her youth counsellor, who posted it that day on his Flickr page. The lawsuit claimed that Virgin had violated Alison Chang’s right of privacy by misappropriating her image and likeness without the necessary consents and that use of her photo violated the open-source licence under which the photo was uploaded onto Flickr. The law suit also accused Virgin of libel in relation to the strap lines used in the advertisement. Although the lawsuit was dismissed over a discrepancy in jurisdiction, the case is a clear reminder that necessary consents should be sought – wherever possible – from individuals who may feature in a campaign. 4 Chang v Virgin Mobile (2007).
162
User-generated content and social media 6.11
In the Alison Chang case the photographer had chosen a licence from Creative Commons that allows other people to reuse images without violating copyright laws, on the condition they credit the photographer and state where the photo was taken. Although compliance with these conditions will lower the risk of being held liable for copyright infringement, it does not address the issue of obtaining personal consent from the subjects of the images, which will need to be addressed separately.
Defamation 6.11 Although an individual’s freedom of expression is protected by the Human Rights Act 1998, Article 12, this should be balanced against the right of individuals and corporate entities not to be the target of false or defamatory statements. The common law tort of defamation has developed through case law but also has been built on by statute such as the Defamation Acts 1952 and 1996. The Defamation Act 2013 made some changes to the law of defamation, but does not apply in Scotland or Northern Ireland and requires the victim to prove actual or probable harm. In addition unless otherwise specified by the court defamation actions are held without a jury. Given the ease in which content can be communicated via the internet and the audiences that can be reached, and the fact that individuals tend to treat the internet as a more informal medium than other forms of communication, defamation is perhaps one of the greatest risks associated with UGC. There are risks to employers who may be vicariously liable for the actions of their employees, while there are increased risks for anyone who operates a website, particularly one which invites visitors to engage in message forums, chat rooms or blogs. A statement published online may be actionable as a libel if it is defamatory in that it ‘would tend to lower the claimant in the estimation of right-thinking members of society generally or cause him to be shunned or avoided or tend to expose him to hatred, contempt, or ridicule’ (see Partmiter v Coupland;5 Youssoupoff v MetroGoldwyn-Mayer Pictures Ltd;6 Sim v Stretch7). A defamatory statement need not allege some scandalous conduct. Nor need the victim be an individual; corporations can be defamed as well. It is generally accepted that defamatory statements on web pages are to be regarded as libel, whereas chat on an internet bulletin board is more akin to slander than to libel (see the case of Smith v ADVFN Plc and others8).
5 6 7 8
(1840) 6 M & W 105. (1934) 50 TLR 581, CA. [1936] 2 All ER 1237, HL. [2008] EWHC 1797 (QB).
163
6.12 User-generated content and social media
Requirements for a defamation action 6.12 In an action for defamation, the claimant must show that the words complained of: (a) are defamatory; (b) identify or refer to the claimant; and (c) are published by the defendant to a third party. A statement on a web page would count as a publication. Once the claimant has satisfied these criteria, it will be for the defendant to prove the truth of the statement or that he can benefit from one of the other defences, such as fair comment (now contained solely in the Defamation Act 2013), privilege or innocent dissemination. Any action in defamation must be brought generally within one year from the date when the cause of action accrued (Limitation Act 1980, s 4A). The court has discretion to allow a case to proceed outside this time limit if it would be equitable to do so having regard to the relative prejudice to the claimant and the defendant. The court will have regard to a number of prescribed factors such as the reasons for the delay and the effects of the delay on the reliability of evidence. A fresh cause of action for defamation arises each time a defamatory statement is published and this means that the limitation period for bringing an action is extended each time the original statement is republished. Given the fact that many online archives exist and the ease with which information can be stored and republished, this rule is particularly relevant to the internet. In Loutchansky v Times Newspapers Ltd (No 2)9 the court held that publication occurs each time the defamatory comments are accessed on the website, not just when the articles are first posted. In light of this, operators of online archives will need to take care in deciding what articles to keep on their websites, particularly if an article has been the subject of a complaint. Section 8 of the Defamation Act 2013 introduced a single publication rule and a 12-month limitation period – see below. These rules are expanded upon in the Defamation (Operators of Websites) Regulations 2013 (SI 2013/3028). In Raymond Russell Bewry v (1) Reed Elsevier UK Ltd (t/a LexisNexis) (2) Reed Business Information Ltd (t/a Community Care Inform) (2013) the High Court extended the time limit to bring a defamation claim under Limitation Act 1980, s 32. A father was unhappy with a family case report summary which said he had engaged in inappropriate behaviour with his child. The full case report was only available to subscribers. He was unhappy with the first respondent’s action (the second had deleted the summary on request) which had been to publish that any embarrassment to him was regrettable. Section 32 allows time to be extended and here the defendant had only become aware of the matter just over 12 months after publication on the internet. Section 8 of the Defamation Act 2013 brought in a single publication provision in relation to the issue of limitation in defamation cases. This protects internet republication and archives. This followed the case in the European Court of Human Rights in the Times v UK case in 2009. Section 8(3) provides that ‘For the purposes
9 [2001] EWCA Civ 1805, [2002] QB 783.
164
User-generated content and social media 6.13
of s 4A of the Limitation Act 1980 (time limit for actions for defamation etc) any cause of action against the person for defamation in respect of the subsequent publication is to be treated as having accrued on the date of the first publication’. The section goes on to say: (4) This section does not apply in relation to the subsequent publication if the manner of that publication is materially different from the manner of the first publication. (5) In determining whether the manner of a subsequent publication is materially different from the manner of the first publication, the matters to which the court may have regard include (amongst other matters) – (a) the level of prominence that a statement is given; (b) the extent of the subsequent publication. (6) Where this section applies – (a) it does not affect the court’s discretion under section 32A of the Limitation Act 1980 (discretionary exclusion of time limit for actions for defamation etc), and (b) the reference in subsection (1)(a) of that section to the operation of section 4A of that Act is a reference to the operation of section 4A together with this section.
Publishers and defences 6.13 In the UK, liability for defamation extends to editors and publishers as well as the original author of the defamatory matter. At common law, the definition of ‘publisher’ includes anyone who has participated in the publication of the defamatory statement and encompasses both primary and secondary publishers. A primary publisher is one who exercises direct editorial control over the published material. This will include authors, editors and publishing houses. A secondary publisher on the other hand does not take an active editorial role, but simply makes the defamatory material available to third parties. This will catch libraries, bookshops and ISPs. The distinction between primary and secondary publishers is not always clear-cut, but it remains of particular importance in relation to the internet. As it will often be very difficult to identify the author of the defamatory material, or if they can be identified, they may not be worth bringing a claim against, it is often necessary to pursue a secondary publisher. To date, ISPs, who will also have ‘deeper pockets’ than the real author, have borne the brunt of defamation actions from those who claim they have been libelled on the internet. The Defamation Act 1996, s 1 does provide a statutory defence of ‘innocent dissemination’, which is aimed at protecting intermediaries who could otherwise be liable for publishing defamatory material. This was one of the first pieces of legislation enacted with the internet in mind and was intended to offer legal protection to ISPs. A person has a defence to an action for defamation if he can prove that: •
he was not the author, editor or publisher of the statement complained of; 165
6.13 User-generated content and social media
•
he took reasonable care in relation to its publication; and
•
he did not know, and had no reason to believe, what he did caused or contributed to the publication of a defamatory statement.
The Defamation Act 1996, s 1(3) provides a series of presumptions that a person shall not be considered the author, editor or publisher of a statement if they are involved only: •
in the processing, making copies of, distributing or selling any electronic medium in or on which the statement is recorded;
•
as an operator or provider of a system or service by means of which a statement is made available in electronic form; or
•
as the operator of or provider of access to a communications system by means of which the statement is transmitted, or made available, by a person over whom he has no effective control.
It is not only ISPs and online websites/discussion groups/ bulletin board service providers who should be wary of defamatory material posted to them or held on their websites. Simply forwarding a defamatory email to others would make an individual liable as a re-publisher of the statement and possibly also his employer if the employer could be held to be vicariously liable. In practice, the requirements referred to under the Defamation Act 1996, s 1 to show reasonable care and lack of knowledge represent considerable barriers to its application. The limits of this defence were shown in the UK in 1999, when the High Court held in Godfrey v Demon Internet,10 that the defendant could not rely on the s 1 defence in relation to defamatory material published on the ‘soc.culture. thai’ newsgroup, which the defendant carried and stored as part of its ISP services, because it had failed to remove the offending material (despite repeated requests) once it had been notified by the claimant. Once it was established that the defendant was a publisher, the defendant could not successfully argue that it ‘did not know, and had no reason to believe, that what it did caused or contributed to the publication of a defamatory statement’. By choosing to ignore the defamatory statement, the defendant contributed to its continuing publication. As soon as an ISP, or any other internet intermediary with no previous knowledge of the defamatory material, does not remove the material after being provided with notice, the ISP will lose the potential protection offered by the Defamation Act 1996. The ISP or internet intermediary would not be entitled to investigate the merits of the allegations nor to assess the availability of other libel defences, unless it suspends access to the posting while it does so. To benefit from this defence, an ISP must demonstrate that it has exercised reasonable care. If an ISP chooses to have editorial control over the content on its server, or to impose effective control over statements made by its users, it may fall outside the scope of the s 1 defence as it will likely fall within the definition of ‘editor’. In
10 [1999] 4 All ER 342.
166
User-generated content and social media 6.13
light of the costs associated with exercising editorial control, many ISPs will be dissuaded from exerting sufficient control to ensure that they do not fall out of the s 1 defence. In these circumstances, the ISP will then need to ensure that it exercises reasonable care and that it did not know or have reason to believe that what it did contributed to the publication of a defamatory statement. Although the Defamation Act 1996, s 1(5) provides limited guidance, it is not entirely clear what constitutes reasonable care or knowledge or reason to believe that what a person did caused or contributed to publication. In determining this, it will be necessary to consider: •
the extent of his responsibility for the content of the statement or the decision to publish it;
•
the nature or circumstances of the publication; and
•
the previous conduct or character of the author, editor or publisher.
It is generally accepted that an intermediary will not be expected to actively search for potentially defamatory material. However, what remains uncertain is what constitutes reasonable care once an intermediary has been notified of defamatory material, and when it might be held that an intermediary has contributed to its publication. At present there is no clear guidance as to what constitutes sufficient notice, what needs to be specified in a notice, how quickly an intermediary must react once put on notice or to what extent previous conduct will be influential in determining ‘reasonable care’. There is a defence of ‘public interest’ in Defamation Act 2013, s 4 which may be of use in some internet libel cases. Section 2 also updated defences by providing that it is a defence to defamation ‘for the defendant to show that the imputation conveyed by the statement complained of is substantially true’. The Act does not apply in Scotland or Northern Ireland. As stated above there is a defence of ‘fair comment’ in Defamation Act 2013, s 3. This provides: 3 Honest opinion (1) It is a defence to an action for defamation for the defendant to show that the following conditions are met. (2) The first condition is that the statement complained of was a statement of opinion. (3) The second condition is that the statement complained of indicated, whether in general or specific terms, the basis of the opinion. (4) The third condition is that an honest person could have held the opinion on the basis of – (a) any fact which existed at the time the statement complained of was published; (b) anything asserted to be a fact in a privileged statement published before the statement complained of. 167
6.13 User-generated content and social media
(5) The defence is defeated if the claimant shows that the defendant did not hold the opinion. (6) Subsection (5) does not apply in a case where the statement complained of was published by the defendant but made by another person (‘the author’); and in such a case the defence is defeated if the claimant shows that the defendant knew or ought to have known that the author did not hold the opinion. (7) For the purposes of subsection (4)(b) a statement is a ‘privileged statement’ if the person responsible for its publication would have one or more of the following defences if an action for defamation were brought in respect of it – (a) a defence under section 4 (publication on matter of public interest); (b) a defence under section 6 (peer-reviewed statement in scientific or academic journal); (c) a defence under section 14 of the Defamation Act 1996 (reports of court proceedings protected by absolute privilege); (d) a defence under section 15 of that Act (other reports protected by qualified privilege). (8) The common law defence of fair comment is abolished and, accordingly, section 6 of the Defamation Act 1952 (fair comment) is repealed. Defamation Act 2013, s 5 Section 5 of the Defamation Act 2013 provides a defence for those operating websites (although it does not apply in Scotland or Northern Ireland) relating to third-party posts. This provides significantly more protection than before to website operators for posts by other people on their websites and encourages them to disclose the identities to the claimant of the individual posting. Section 5 states as follows 5 Operators of websites (1) This section applies where an action for defamation is brought against the operator of a website in respect of a statement posted on the website. (2) It is a defence for the operator to show that it was not the operator who posted the statement on the website. (3) The defence is defeated if the claimant shows that – (a) it was not possible for the claimant to identify the person who posted the statement, (b) the claimant gave the operator a notice of complaint in relation to the statement, and (c) the operator failed to respond to the notice of complaint in accordance with any provision contained in regulations. 168
User-generated content and social media 6.13
(4) For the purposes of subsection (3)(a), it is possible for a claimant to ‘identify’ a person only if the claimant has sufficient information to bring proceedings against the person. (5) Regulations may – (a) make provision as to the action required to be taken by an operator of a website in response to a notice of complaint (which may in particular include action relating to the identity or contact details of the person who posted the statement and action relating to its removal); (b) make provision specifying a time limit for the taking of any such action; (c) make provision conferring on the court a discretion to treat action taken after the expiry of a time limit as having been taken before the expiry; (d) make any other provision for the purposes of this section. (6) Subject to any provision made by virtue of subsection (7), a notice of complaint is a notice which – (a) specifies the complainant’s name, (b) sets out the statement concerned and explains why it is defamatory of the complainant, (c) specifies where on the website the statement was posted, and (d) contains such other information as may be specified in regulations. (7) Regulations may make provision about the circumstances in which a notice which is not a notice of complaint is to be treated as a notice of complaint for the purposes of this section or any provision made under it. (8) Regulations under this section – (a) may make different provision for different circumstances; (b) are to be made by statutory instrument. (9) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. (10) In this section ‘regulations’ means regulations made by the Secretary of State. (11) The defence under this section is defeated if the claimant shows that the operator of the website has acted with malice in relation to the posting of the statement concerned. (12) The defence under this section is not defeated by reason only of the fact that the operator of the website moderates the statements posted on it by others. Consistent with the above provisions the government then brought in regulations under s 5 – The Defamation (Operators of Websites) Regulations 2013. These can be summarised as follows: 169
6.14 User-generated content and social media
•
Regulation 1 makes provision in paragraph (3) about the calculation of the time limits which apply to actions which must be taken by the website operator. Its effect is to exclude from the calculation of the 48-hour period any time which occurs on a weekend or public holiday.
•
Regulation 2 sets out the information which must be contained in a notice of complaint in order for it to be valid. These requirements are additional to the requirements set out in s 5(6)(a)–(c) of the Act.
•
Regulation 3 and the Schedule provide for the steps which a website operator must take on receiving a valid notice of complaint in order to benefit from the defence provided by s 5 of the Act.
•
Regulation 4 applies where a website operator receives a notice alleging that a statement on the operator’s website is defamatory but that notice does not comply with s 5(6) of the Act and these regulations. In such a case these provisions provide that, in order to benefit from the defence in s 5 of the Act, the website operator must notify the person making the complaint of the requirements of the Act and these regulations.
•
Regulation 5 gives the court discretion to treat any action which was taken outside the time required by reg 4 and the Schedule to be treated as though it was taken within that time limit. The court may exercise this discretion if it considers it in the interests of justice to do so.
To check or not to check posts before they appear? 6.14 The final point is important as in general terms if a website only removes posts that are illegal once brought to its attention it is safer under the E-Commerce Directive (2000/31) and UK regulations made under it (the Electronic Commerce (EC Directive) Regulations 2002). The regulations still apply despite the UK leaving the EU. However subsection (12) above is helpful as it also means if some checking is made of posts before they appear on a website (a practice some sites use) that is not fatal to a defamation claim.
Other Defamation Act 2013 provisions 6.15 Section 9 stops actions against defendants who are outside the jurisdiction being sued unless England and Wales were the most appropriate forum. Section 10 prevents claims against secondary publishers unless it not reasonably practicable to bring the action against the author, editor or a commercial publisher. The section is very helpful to online companies such as ISPs. Also under s 13, rights to remove material from websites are given as follows: S 13 (1) Where a court gives judgment for the claimant in an action for defamation the court may order – (a) the operator of a website on which the defamatory statement is posted to remove the statement, or (b) any person who was not the author, editor or publisher of the defamatory statement to stop distributing, selling or exhibiting material containing the statement. 170
User-generated content and social media 6.17
(2) In this section ‘author’, ‘editor’ and ‘publisher’ have the same meaning as in section 1 of the Defamation Act 1996. (3) Subsection (1) does not affect the power of the court apart from that subsection. Defamation is a very technical area and it is best to use expert defamation solicitors if litigation is envisaged, rather than an internet or IT solicitor who will usually not have enough experience of this area. It is also very expensive and risky, and sometimes litigating leads to more adverse publicity than had the defamed simply let ‘sleeping dogs lie’ so PR as well as legal advice and a careful consideration of risk versus reward is wise. For example, in 2020 the English High Court defamation proceedings by Johnny Depp against his ex-wife Amber Heard led to adverse publicity for both parties. Also as stated earlier above the 2013 Act only applies in England and Wales. Always take appropriate local law advice.
Damages and risk assessment 6.16 It is likely that a court will award a higher level of damages to a high-profile individual, or to a person whose livelihood depends on his reputation. It is also likely that a court, when assessing the level of audience exposed to the defamatory statement, will take into account the popularity of a webpage and the number of ‘hits’ such a webpage has received. In the case of Firsht v Raphael,11 the court took into consideration the fact that the defamatory pages set up by the defendant could be accessed by approximately 850,000 members and awarded damages of £22,000 against the defendant. However, website operators should remain aware that the risk of being dragged into defamation proceedings can be overstated. In practice, Community Legal Service funding (formerly Legal Aid) is not available for libel and slander actions. Risk can be further mitigated by the making of an ‘offer to make amends’ (essentially a retraction) under the Defamation Act 1996, s 2. Where very few people have seen a defamatory web post the court may indeed award no damages at all and this should be considered in all cases where litigation is being considered. On the other hand some defamatory reviews on websites such as Amazon, Ebay and TripAdvisor almost put some companies out of business so being able to assert rights to have defamatory posts removed can have a huge impact on some businesses.
Hyperlinks 6.17 Although there is no English case law in relation to the use of hyperlinks to a website containing defamatory material, the Canadian case of Crookes v Wikimedia Foundation Inc12 found that posting a link to defamatory material was not in itself 11 [2008] EWHC 1781 (QB). 12 [2008] BCSC 1424.
171
6.18 User-generated content and social media
a publication of that defamatory material. This was because the claimant had no evidence that people had followed the link to the material complained about and, in this context, the link was akin to a footnote. The defendant’s website did not contain an explicit approval of the defamatory material it was linked to. The judge recognised that if the defendant’s website had approved of the defamatory material and posted a link that could amount to publication. Chapter 5 at paragraph 5.27 considered linking and infringement including for the EU under the Copyright Directive 790/19 which is due to be implemented in the EU but not the UK on 7 June 2021.
Jurisdiction and the US position contrasted 6.18 Given the global nature of the internet and the fact that a defamatory statement is regarded as having been published at the place where it is read, heard or seen, not where the material was first published, and only requires a small number of people to have access to the material, it used to be easy to establish jurisdiction in England. However ‘libel tourists’ have been deterred Defamation Act 2013, s 9 mentioned above. Section 9 states as follows: 9 Action against a person not domiciled in the UK or a Member State etc (1) This section applies to an action for defamation against a person who is not domiciled – (a) in the United Kingdom; (b) in another Member State; or (c) in a state which is for the time being a contracting party to the Lugano Convention. (2) A court does not have jurisdiction to hear and determine an action to which this section applies unless the court is satisfied that, of all the places in which the statement complained of has been published, England and Wales is clearly the most appropriate place in which to bring an action in respect of the statement. (3) The references in subsection (2) to the statement complained of include references to any statement which conveys the same, or substantially the same, imputation as the statement complained of. (4) For the purposes of this section – (a) a person is domiciled in the United Kingdom or in another Member State if the person is domiciled there for the purposes of the Brussels Regulation; (b) a person is domiciled in a state which is a contracting party to the Lugano Convention if the person is domiciled in the state for the purposes of that Convention. The UK’s departure from the EU has not affected this section although in April 2020 the UK applied for membership of the Lugano Convention as it was no longer covered by the EU’s membership thereof. 172
User-generated content and social media 6.19
Even if a UK court does seize jurisdiction, foreign laws will still need to be considered as they may have an impact on the claim. If for instance a defamatory comment were published on the internet and a claimant decides to bring a claim in the UK for global damage sustained, the claimant would need to show that he had a good cause of action in these territories. The First Amendment, which protects free speech in the US Constitution, has the effect of ensuring that US defamation laws are less restrictive than those in the UK. This would impact on the claimant’s attempts to demonstrate that he had a sufficient cause of action in the US. ISPs and other online intermediaries are also afforded greater defence under US law. The US Telecommunications Act 1996 Title V (known as ‘Communication Decency Act 1996’), s 230 states that: ‘No provider of an inter-active computer service shall be treated as the publisher or speaker of any information provided by another information content provider’. As the case of Blumenthal v Drudge13 reinforced, the Act states that no liability may be imposed on the ISP, even where the ISP is itself the commissioner of the infringing content. In this case, which involved the defamatory remarks concerning the claimant’s alleged domestic violence contained within content commissioned by AOL, the court was reluctantly compelled to grant AOL statutory immunity in accordance with s 230. In 2020 changes to s 230 were proposed and by then it had been subject to many challenges but remains in force.
Consumer Protection from Unfair Trading Regulations and other associated issues 6.19 The internet has become an ideal forum for people to express their opinions. Consumers are frequently asked to provide blogs, comments and personal reviews, whether in relation to a news article or a product they have recently purchased. These reviews and comments can have the effect of rating content and assisting potential customers formulate their own views. One of the underlying aims of the Unfair Commercial Practices Directive 2005 (which was implemented in the UK by the Consumer Protection from Unfair Trading Regulations 2008) is to provide a high level of consumer protection, so that consumers are not misled or exposed to aggressive marketing and to ensure that any claim made by traders in the EU is clear, accurate and substantiated, enabling consumers to make informed and meaningful choices. It has been recognised by the EU Commission that social media, such as blogs and social networking sites, have become important avenues for commercial practices, in particular hidden ones, and that they are sometimes used by traders to promote and advertise their products. An example of such behaviour quoted by the EU Commission was the practice of paying bloggers to promote and advertise products on a blog aimed at teenagers, unbeknown to the other users. In such cases, the authorities considered that the bloggers concerned were engaged in hidden commercial practices.14 Whether the trading authorities in the UK would take action against companies in these circumstances remains unclear. What is likely to be regarded as a more serious issue in light of these regulations is if brand 13 US District Court for the District of Columbia: 97-1968 (PFL). 14 Commission Staff Working Document, Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices, 3 December 2009.
173
6.20 User-generated content and social media
owners post comments and/or blogs while pretending to be consumers. This is likely to fall foul of the Consumer Protection from Unfair Trading Regulations 2008, Sch 1 as amounting to a ‘blacklisted’ unfair commercial practice.
Obscenity and harmful content Obscene Publications Act 6.20 One of the biggest uses of the internet is to access pornography. Obscenity is, therefore, a huge legal issue although it does not affect many companies who offer services outside that area. This subject has particular relevance to entities that provide access to or encourage the posting of ‘adult’ content online. Measures to control access to such content broadcast on traditional media do exist (such as the 9pm television watershed), but these have been eroded by 24-hour availability of material on demand, the development of ‘recording’ machines and the increasing use of the internet. The Obscene Publications Act 1959, s 2(1) (the ‘OPA 1959’) prohibits the publication of any ‘obscene article’. An article shall be deemed to be obscene: if its effect or (where the article comprises two or more distinct items) the effect of any one or more of its items is, if taken as a whole, such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it. (OPA 1959, s 1(1).) Publication includes the transmission of electronic data (OPA 1959, s 1(3)). The suggestion from this definition is that this actually removes the need for the article in question to have an inherently lewd context, if it will merely deprave or corrupt as such. Although depravity and corruption may be relative terms, the courts have upheld convictions in cases where the defence tried to argue that the only recipients were persons already depraved and corrupted (see DPP v Whyte).15 In the assessment of obscenity, the OPA 1959 not only operates to prevent the corruption of the wholly innocent but will also apply to prevent further corruption and the feeding or increasing of an addiction. Also, sexual depravity is not the only sort which is inherent within the meaning of these words. In 2019 plans for compulsory age verification for use of pornography websites were dropped as unworkable.
Penalties 6.21 The maximum penalty in respect of a person guilty of publishing an obscene article under the OPA 1959, s 2 is imprisonment for a term not exceeding five years, a fine or both. There are also powers of search and seizure provided for under the OPA 1959, s 3. 15 [1972] 3 All ER 12, HL.
174
User-generated content and social media 6.21
Guidance published by the Crown Prosecution Service16 sets out a non-exhaustive list of categories which are considered to be suitable for prosecution. The guidance also makes it clear that the context in which material is presented is a significant factor when considering whether it is appropriate to prosecute. Factors to consider include the nature of the material and how it is presented, whether there is a commercial venture involved, to whom the material is made available, where the material is published and whether the material is easily accessible to children. Prosecution will be more likely where material is accessible by the general public and in particular children and vulnerable people. By way of an example of the application of the OPA 1959, in the case of R v Perrin,17 acts of coprophilia were considered to be obscene when published on the internet. The case concerned three separate web pages which depicted coprophilia. A distinction was drawn by the judge in relation to the first page to which access was apparently completely unrestricted, without the need to enter credit/debit card details, and the other two pages, which could only be accessed by paying members. The defendant was convicted in relation to the first page but not the two other pages that could only be accessed by subscription. This suggests that a website owner should particularly consider which material is accessed first and without restriction. The judge commented that all relevant circumstances were to be taken into account in considering whether material was obscene: All relevant circumstances, members of the jury, since we are talking about modern times, includes the sort of people who these days have personal computers and who have modems and who have access to surf the internet. I suppose ten years ago it would have been very few people, wouldn’t it, but now, it is a matter for you, you may think there are many people of all ages who sit possibly in their bedrooms at home surfing the internet. This passage highlights the issue of children accessing a website even though they are not the intended recipients of material from the site. In assessing whether material is obscene, the case sets out the following test: •
is the material likely to be seen by any person or persons; and
•
if so, is the effect of the material, taken as a whole, such as to tend to deprave and corrupt the person or persons likely, having regard to all relevant circumstances, to see the material.
If the answer to both of these questions is affirmative, the material will be considered obscene. The liability for transmission of obscene material extends to the organisation whose facilities are used to access the internet if it facilitates, by storing, the transmission of an obscene file. The OPA 1959 applies to the ‘producer’ of a website in the same way as it does to other forms of publication. There is a defence under the OPA 1959, s 2(5) of which provides that a person shall not be convicted of an
16 See /www.cps.gov.uk/legal/l_to_o/obscene_publications/. 17 [2002] EWCA Crim 747.
175
6.22 User-generated content and social media
offence if he proves that he had not examined the article in respect of which he is charged and had no reasonable cause to suspect that its publication would make him liable. Whilst most companies may not have problems with the first limb of the defence in relation to material uploaded by members of its website, given the analogy with the Godfrey v Demon18 internet case, it is likely that an ISP will have to operate a robust and efficient ‘notice and take down’ policy in order to be able to rely on the defence.
Other relevant laws 6.22 For the sake of completeness, it is also worth briefly mentioning potential prosecutions available under the Criminal Justice and Immigration Act 2008, s 63 for the possession of extreme pornographic images. For an offence to be committed the image must be: (i) pornographic; (ii) grossly offensive, or otherwise obscene; and (iii) a realistic and explicit portrayal of an act which threatens a person’s life, an act resulting in, or likely to result in, serious injury to a person’s anus, breast or genitals, an act involving sexual interference with a human corpse, or a person performing a sexual act with an animal, and a reasonable person would believe that the people and animals portrayed were real. In practice it is likely that the CPS will prosecute under the OPA 1959 and it is only likely to bring a prosecution under the CJIA if there has been no publication or distribution of the allegedly obscene material. The maximum sentence for this offence under the CJIA is three years’ imprisonment and/or an unlimited fine on indictment. Within the realm of obscene and harmful publications, paedophile pornography undoubtedly attracts the most concern. The Internet Watch Foundation, an independent self-regulatory body representing most of the ISPs in the UK, plays a particularly prominent role in policing illegal material on the internet with a particular focus on child pornography. By way of example, at the end of 2008, the UK’s access to a Wikipedia page was blocked by the IWF, as the organisation had taken exception to a page dedicated to a 1976 album by The Scorpions. The cover of that album, called Virgin Killer, included the image of a prepubescent girl. Following discussions with the Wikimedia Foundation, the decision was reversed. It is an offence under the Protection of Children Act 1978, s 1 to take, distribute, show, possess with a view to their being distributed or shown to others, or advertise that you intend to do so, any indecent photograph or image, whether made by computer graphics or otherwise, which appears to be a photograph of a child. It will be for a jury to decide whether an image is indecent, applying recognised standards of propriety, and the age of the child may be taken into account in reaching a conclusion. On conviction, a person may be fined and/or face a maximum sentence of ten years’ imprisonment on indictment. Under the Criminal Justice Act 1988, s 160 it is an offence to possess any indecent photograph or pseudo-photograph (ie a photograph doctored to look as if of a child) of a child, unless the person has a legitimate reason for having the photograph or pseudo-photograph in their possession or they have not themselves seen the image and did not know, nor had cause to suspect it to be indecent, or that the image was sent to them without any prior request in their part and that they did
18 [1999] 4 All ER 342.
176
User-generated content and social media 6.23
not keep it for an unreasonable time. A person may be sentenced for a term of up to five years’ imprisonment and/or a fine on indictment.
Malicious falsehood 6.23 Malicious falsehood, which is also referred to as trade libel, occurs when a false statement is published maliciously about a person or business to a third party, and although the statement may not be a negative comment about the character of a particular person or business, it still causes them financial loss. In the UK, the limitation of malicious falsehood (as its name suggests) is that a claimant is required to show malice by the defendant. In contrast, other jurisdictions (such as the US) allow claims based on false and deceptive advertising which may not require any malice. The case involving sandwich shop chains Subway and Quiznos in the US demonstrates this point. Although the suit19 brought by Subway related to false and deceptive advertising, the analogy in the UK would be equivalent to a claim for malicious falsehood. As part of Quiznos’ advertising campaign it paired with iFilm (owned by Viacom) and ran a web-based competition called the ‘Quiznos v Subway TV Ad Challenge’. It encouraged contestants to create a video demonstrating why Quiznos’ sandwiches were superior to Subway’s. The UGC advertisements were made available on the Quiznos website and on iFilm. About 115 videos were submitted, which were screened by Quiznos before being posted on their website. Subway claimed that many of these advertisements made false claims about Subway. Quiznos claimed (in accordance with the Communications Decency Act 1996, s 230) that it was not responsible for the content. The judge disputed this and did not grant Quiznos summary judgment on this point. In light of this in March 2010, the two sides agreed to settle out of court. Since the Defamation Act 2013 came into force in 2014 there has been a move towards alternative claims such as data protection law breaches, harassment and malicious falsehood as the Defamation Act 2013 introduced a requirement to show serious harm. In Sube v (1) News Group Newspapers Limited & (2) Express Newspapers [2020] EWHC 1125 (QB) Mr Arnold Mballe Sube and Mrs Jeanne Mballe Sube from the Cameroon in West Africa who had moved to France and then the UK had sued Express Newspapers in a series of cases following newspaper reports they had turned down a large house for themselves and their nine children offered to them by Luton Council and were receiving large sums in state benefits. Mr Sube obtained British citizenship and then qualified and worked as a psychiatric nurse in the NHS. He was not happy with the three-bedroomed house the council provided for the family when his initial private funds ran out and after using two firms of solicitors and the CAB for redress which did not result in better accommodation he went to his local newspaper which resulted in a story with which he was unhappy.
19 Doctor’s Associates Inc v QIP Holders LLC and IFilm Corp, Case No 3:06-cv-1710 (VLB) 19 February 2010. See www.citmedialaw.org/sites/citmedialaw.org/files/2010-02-19-Motion%20Denying%20 Quiznos%20Motion%20for%20Summary%20Judgment.pdf.
177
6.24 User-generated content and social media
The court held first that they had not been defamed. The Sun (with headlines Great British Rake Off) and others took up the story with unsympathetic tone. The family was then offered a larger four-bedroomed detached house by the council and journalists interviewed them again. A Viscount tweeted that the couple should be killed (and for that comment was imprisoned). In 2017 the family had new solicitors who began writing to the various newspapers asking them to remove public comments under the various articles. A letter of claim was written to the Express. In 2018 the couple’s libel claims were dismissed and an application to add malicious falsehood refused. In 2020 the then Data Protection Act 1998 claim (under s 10 – processing causing damage or distress) and harassment claims came to trial. The judge dismissed the data protection claims for various reasons including that the newspapers had taken down the comments promptly. The judge held also held that there had been no breach of the Protection from Harassment Act 1987, saying, ‘I accept that each of [the claimants] probably saw some of the Posts that are now complained of, at the time, and found them upsetting, I do not, however, accept that the claimants have established that they were the targets, or that they were victims, of harassment by News Group or by the Express Group’. The judge pointed out that Mr Sube had gone to the newspapers in the first place to put his predicament in the public domain and that the newspapers did not pre-moderate readers’ comments and had taken down those to which objection was made quickly. The judge found that most readers’ posts were not racist and ‘the main theme is that it is unreasonable and unfair for the claimants, who are foreigners who have not lived, worked and paid tax in the UK, to complain about the benefits provided at the expense of UK taxpayers’.
Minors 6.24 Children increasingly have access to the internet. In the US there is specific legislation directed at the protection of young people online in the form of the Child Online Privacy Protection Act 1998 which applies to websites directed at children under 13 years of age and requires sites to undergo a regulatory process. The UK instead manages matters by regulation and also the provisions of UKGDPR and the Data Protection Act 2018. Website operators of websites used by children must comply with the Safeguarding Vulnerable Groups Act 2006. This Act, which came into force in October 2009, makes it a criminal offence for an employer to allow a ‘barred person’ or anyone not registered with the Independent Safeguarding Authority, to work for any length of time in any regulated activity. Moderation of content of websites used ‘wholly’ or ‘mainly’ by children is a regulated activity. This has implications for any brand which operates a website aimed at children. The employer will also commit an offence by taking on a person to carry out a regulated activity if they do not check that person’s status. If an individual is barred from certain activities, they will commit an offence if they seek, offer or engage in such barred activity. Advertising to children is governed by the same law and codes of practice as those that are generally applicable to advertising (see Chapter 5). However, there is a specific reference in the Consumer Protection from Unfair Trading Regulations 2008 (and has also been incorporated into the CAP Code) which states that it will be considered to be unfair to include in an advertisement a direct exhortation 178
User-generated content and social media 6.25
to children to buy advertised goods or persuade an adult to buy the products for them.
Definition of a ‘minor’ 6.25 The CAP Code defines a child as anyone under the age of 16 and the Code of Practice of the Direct Marketing Association provides that minors are those under 18. These codes contain additional rules in relation to advertising to children, the precise nature of which depends on the age of the child. UKGDPR/ DPA 2018 use the age of 13 as the age at which a person can take their own data protection decisions. GDPR applying in the EU allows Member States to choose this age within a prescribed band of ages. Direct marketing campaigns must also take into account data protection issues in relation to children’s data which in this context means those under 18. In relation to data protection consent, a child is any person under the age of 14 but for marketing to ‘children’ and email marketing rules is any person under 18. Their data should not be collected without explicit consent of a parent or teacher. Information relating to other persons, for example parents, must not be collected from the child and the child must be informed of the need to obtain consent from a parent or teacher. Websites may not make access conditional on personal data being provided by a child. The general data protection requirements also apply. The Information Commissioner has issued guidance which recognises that children generally have a lower level of understanding than adults and website operators should not exploit this. The Information Commissioner takes the view that the capacity of the child and the complexity of what is put to the child are important factors to consider. As the popularity of social networking sites continues to grow and the mechanisms to interact with users continue to expand and develop, the issue of child safety has become an increasingly important area. Issues of cyber-bullying and child safety will need to be considered by website operators. Social networking sites that include functionality that appeals to children should consider installing a sufficiently robust and effective mechanism to alert it of suspicious behaviour, such as a child safety button. Website operators will also need to ensure that they comply with existing legislation such as the Video Recordings Act 1984 and that they do not supply a video recording (including films and computer games) to anyone who has not attained the age specified on the label of such recording. Arguably therefore if the platform is accessible by young people, the UGC will need to be reviewed prior to being uploaded to ensure that any age-sensitive UGC is uploaded into a suitable area of the site. The Home Office has also published ‘Good Practice Guidance for Providers of Social Networking and Other Interactive Services’, in which it recommends that service providers should ensure that adult-targeted services are not accessible to minors and that robust age-verification systems are in place. Many social networking service providers have set 13 years as the minimum age at which a young person can register as a user of a service. The Children’s Online Privacy Protection Act 1998 applies to US commercial providers and, amongst other 179
6.26 User-generated content and social media
things, states that commercial providers must only allow users of over 13 years of age to register for any service without parental consent. In 2020 the Information Commissioner’s Office Age Appropriate Design Code came into force in the UK. Companies were given 12 months from 2 September 2020 in which to implement the Code. It is a statutory code of practice under the Data Protection Act 2018. The Code of online at https://ico.org.uk/for-organisations/ guide-to-data-protection/key-data-protection-themes/age-appropriate-design-acode-of-practice-for-online-services/ and is best practice, not law. For example, it suggests children should be told if a product is set so that their parent can track them.
Managing the risk To moderate or not to moderate? 6.26 Organisations that wish to utilise UGC or operate social networking functions must from the outset have a clear policy and understanding of how they are to use such content. Perhaps the key question they will need to address is whether the content that is uploaded onto their site should be monitored by them or on their behalf. Often, UGC is partially or totally monitored by website administrators to avoid copyright infringement issues, offensive content, or simply to determine if the content that is posted is relevant to the site’s purpose. However, in considering what policy to adopt, the operator will need to weigh up the potential legal risks associated with pre- or post-moderation, as well as ensuring that the site remains active, vibrant and interactive and that the consumer’s experience is not unduly affected. As a general rule, it is sensible for the website operator to make it clear to the community whether and, if so, how the site will be moderated and what content will be accepted. This should ensure that users’ experience of the site is not compromised and clarify to users why their content may not be appearing instantaneously on the site. It is also advisable to provide users with the ability to flag or report any unacceptable content. Typically, it is uncommon for website operators to pre-moderate content, not only because the chances of spotting all infringing content is minimal, but more commonly because they feel that they act as the mere ‘host’ of the content and therefore can rely on statutory defences with respect to defamation (see above). Some website operators believe it would be detrimental to try to read content automatically other than setting tools such as those which remove posts which contain swear words as this could be interpreted by a court as meaning that they have ‘actual knowledge’ of all the content they host, causing them to become liable in law for content which is wrongly left on the site.
ISPs and hosting exemptions 6.27 The European Council Directive 2000/31/EC (the ‘E-Commerce Directive’) implemented into English law through the Electronic Commerce (EC Directive) 180
User-generated content and social media 6.27
Regulations 200220 (the ‘E-Commerce Regulations’), exempts ISPs from civil liability and criminal liability (to a certain degree) when they act as unknowing intermediaries. The provisions of the E-Commerce Regulations are broadly consistent with those in defamation law of the Defamation Act 1996. An ISP that provides hosting services will, in accordance with reg 19, which is based closely on the wording of the E-Commerce Directive, Article 14 be immune from libel actions provided that the ISP: (a) does not have actual knowledge of unlawful activity or information; or (b) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information; and (c) the recipient of the service was not acting under the authority or the control of the ISP. Again, as with the reasonable care requirement of the s 1 defence under the Defamation Act 1996, it is not clear how expeditious an ISP needs to be to avoid liability. An ISP will be granted complete immunity from liability for libellous content on the condition that they act as ‘mere conduits’ (in accordance with reg 17). Conduit implies the passive transmission of, or passive allowing of access to, information provided by third parties. The ISP’s liability for content transmission would be excluded where the service consists of transmission of information provided by a user of the service or the provision of access to a communication network. This would be limited to circumstances where the ISP does not monitor the transmission, does not determine to whom the transmission is sent and does not edit or modify the information being transmitted. This Regulation recognises that it is impossible for ISPs to effectively monitor their systems. The Regulations were given some clarity in the decision of Bunt v Tilley and others.21 This involved a claim brought by an individual, in relation to the publication of an alleged defamatory statement hosted on websites, against three individuals and their respective ISPs, namely AOL UK, Tiscali UK and British Telecommunications. The judge found that the three ISPs had acted as ‘conduits’ and had not been on notice of the alleged libels. It was held that the ISPs were protected by the E-Commerce Regulations, reg 17 and by the s 1 defence contained in the Defamation Act 1996. Importantly, Mr Justice Eady stated that: I am also prepared to hold as a matter of law that an ISP which performs no more than a passive role in facilitating postings on the internet cannot be deemed to be a publisher at common law. (para 36). Mr Justice Eady also considered the circumstances in which internet intermediaries should be held accountable for material which is hosted, cached, or carried by them but which they did not create. He confirmed that the s 1 defence would be removed if the ISP had notice of the complaint, but suggested that rather more detailed knowledge might be needed on the part of the ISP if it is to be deprived of the protection of the E-Commerce Regulations.
20 SI 2002/2013. 21 [2006] EWHC 407 (QB).
181
6.28 User-generated content and social media
Whether the E-Commerce Directive will continue to apply to social networking sites or corporate websites as they develop into increasingly interactive and dynamic user-generated content mechanisms, remains unclear. The Department of Trade and Industry, now the Department for Business, innovation and Skills (BIS), in its 2005 Consultation Document on the Electronic Commerce Directive: the liability of hyperlinks, location tool services and content aggregators, implied that the ‘hosting safe harbour’ would only apply to those website operators providing an ‘instant non-edited service’. This would steer website operators towards a policy of nonmoderation or steering moderation towards third parties. As stated above at paragraph 6.13 the Defamation Act 2013 contains important provisions in this area to which reference should be made, such as s 5 which provides a defence for those operating websites in England and Wales regarding third-party posts. One case22 illustrates that the hosting defence may be available even if some content on a site is moderated. In this case, the High Court considered whether the defendants, who ran a political internet blog, could rely on the s 19 E-Commerce Directive hosting defence in respect of a post appearing on the blog which was defamatory of the claimant. The defendants actively moderated certain information on the site (eg they uploaded articles and comment from politicians to keep the content of the site interesting and relevant). However, they did not actually moderate the post in question, not having seen it. But they did remove it once they were notified of it by the claimant. It was held that they could rely on the defence but the defence would not have been available had they modified the post (but they had not done so). Just because they modified some content on the site did not mean that they lost the defence in relation to the unmodified aspects of the site. In considering the Bunt v Tilley case, it is very important to note the limited scope of the E-Commerce Regulations, reg 17. In essence, while this regulation will protect ISPs, it may not provide protection for organisations who are the operators of the UGC sites themselves and certainly not if they engage in moderation of content. A good example of this is the Mumsnet incident described below.
Take-down policy 6.28 The safest course of action for those organisations hosting any form of web page is to react swiftly to any communication from an aggrieved party (or a third party providing moderation services), whether it be in relation to potentially defamatory statements or that the content infringes the intellectual property rights of a third party. As noted above, once an ISP has notice that defamatory material has been posted on its site, if it is not removed quickly, the protection of the Defamation Act 2013 defences will be lost. Although immediate removal of the material may reduce the risk of liability, if the complainant can prove that the ISP knew or had reason to believe that the material it caused or contributed to be published was defamatory, the defences will not
22 Kaschke v (1) Gray (2) Hilton [2010] EWHC 690, QB.
182
User-generated content and social media 6.28
be applicable. Therefore, websites that host or encourage users to participate in ‘hate campaigns’ directed against individuals or corporations, or other similar derogatory initiatives, run the risk that they may be held to have incited users to post defamatory remarks and that it has knowingly published infringing material. This issue is particularly relevant to social networking sites, some of which have dedicated areas for such ‘hateful’ interactivity. At present there is no case law on this area but it is conceivable that a judge would find in favour of a complainant on the basis that there is a risk of infringing material appearing on such a titled webpage and that bearing this in mind the ISP should have adopted a stringent proactive policy in order to monitor and remove defamatory material, rather than simply wait for a complaint to be received.
Mumsnet The problem of monitoring content was at the heart of a libel action that was brought against ‘Mumsnet’, a parenting website, and its ISP, by the baby and childcare author Gina Ford. The case settled out of court in May 2007, and as a result has unfortunately left several key questions unanswered. Gina Ford’s methods and advice on childcare, viewed by many parents as being controversially strict, stimulated significant debate around the world. The dispute with Mumsnet arose when, through a general chatroom on the Mumsnet website where its members initially discussed the methods and advice promoted by Gina Ford, its members instead began making personal attacks on her character. The website denied any responsibility for the content posted by its members and argued the total impracticality of being expected to monitor each and every message, especially when there were ’1,000 new discussions’ and ’10,000 comments’ posted each day and that Mumsnet were essentially a shoe-string operation. However, after 12 months of arguments and negotiations, Mumsnet settled the dispute by apologising to Gina Ford and making a contribution to her legal costs. Whether Mumsnet could have relied on the Defamation Act 1996, s 1 defence will never be known. The Mumsnet founder, Justine Roberts, admitted that Mumsnet took the decision to settle because of the ‘distinct lack of clarity about how the defamation law applies to web forums’.23 She also questioned, in light of the fact that operators of websites can, as discussed above, escape liability provided that in the event of a complaint, the operator removes or blocks access to the comment expeditiously, ‘How expeditious is expeditiously?’ In the Mumsnet case, some comments were not removed for more than 24 hours.
A practical suggestion, as seen on mainstream social networking sites such as Facebook, in potentially overcoming the burden of active monitoring is the 23 Source – Blog on Guardian Unlimited, Out-Law.
183
6.29 User-generated content and social media
inclusion of a facility to ‘report’ or ‘flag’ content to the website operator (ie ‘report content button’), thus making it easier to register objections and for website operators to monitor and deal with potentially troublesome content. A robust and well-maintained notice and take-down procedure should become a standard feature on sites so that potentially defamatory, derogatory or infringing content can be reported and aggrieved rights holders have an opportunity to request the withdrawal of particular content. However the danger with this is that those who wish to censor lawful views but with which they simply disagree will find it easy to have those comments removed as once an objection is made most websites do not consider the matter due to lack of time. They simply take it down.
Technological solutions 6.29 Some networking sites have developed and utilise technology that can block users from uploading content for which the user does not hold the copyright or assist the website operator with identifying unauthorised material. For instance, since Viacom issued its lawsuit, YouTube has developed and implemented a video identification management tool which checks uploaded videos against a database of copyrighted content with the aim of reducing violations. This tool claims to help copyright holders identify their works on YouTube following which copyright holders can then choose what they want done with their videos, whether to block it, promote it or consider a revenue partnership with YouTube. Age-verification procedures can involve placing a cookie on a user’s computer to prevent the user from attempting to re-register with false age details, using technical tools such as search algorithms to identify under-age children and offering free downloadable parental controls which allow parents to manage their children’s use of the service. Although age verification should assist a website operator with ensuring that the content displayed on its site is accessed only by individuals of the right age, it is commonly accepted that age verification is imperfect in its control and detracts from the user’s website experience. It is difficult to physically confirm the age of a potential user, and although some verification systems require use of a credit card as proof of age, this method excludes those individuals who prefer to use debit cards, which are available to people under the age of 18. The cost to the provider of obtaining verifiable consent can also be very high and placing the onus on the content provider to verify age may prompt providers to move to another jurisdiction where requirements are less onerous. It may also be sensible to include software that restricts the length of any uploaded content (such as a video or music) in order to restrict users’ ability to upload longer or more valuable types of content.
Terms and conditions – and disclaimers 6.30 The majority of websites that utilise UGC will attempt to minimise the potential risks associated with the content through consumer-friendly guidelines indicating what types of content is acceptable and a licensing agreement with 184
User-generated content and social media 6.30
their users, normally agreed to by requiring users to expressly agree to terms of submission by clicking the mouse on a relevant spot (a ‘click-wrap basis’) or by stipulating in the general terms governing use of the site that uploading of content amounts to the grant of a licence. Typical terms of such a licence will include: •
the user will grant the website operator the right to distribute free the user’s copyright work, on the proviso that the copyright is retained by the user;
•
the licence will permit the website operator to do all acts that are usually exercised by the copyright owner (ie to reproduce, distribute, adapt, perform, issue to the public copies of the work on all forms of media);
•
a waiver of the user’s moral rights in the submitted material;
•
a range of warranties and undertakings, similar to any other content distribution agreement that a TV broadcaster would typically seek from the originating producer. This will include the user warranting that the submitted content does not infringe copyright or contain any material that is grossly offensive, obscene, defamatory, or infringes privacy rights and that they have obtained the consent from individuals identifiable in UGC. The inclusion of such a provision is especially typical for those websites that do not operate a pre-moderation policy, but rather post-moderation on a reactive basis.
•
the right of the site operator to remove content at its discretion.
The House of Commons report: Harmful Content on the Internet and in Video Games strongly recommends that terms and conditions which guide consumers on the types of content which are acceptable on a site should be prominent. Equally, the report also states that ‘it should be made more difficult for users to avoid seeing and reading the conditions of use: as a consequence, it would become more difficult for users to claim ignorance of terms and conditions if they upload inappropriate content’. The report also indicates its concern that user-generated video content ‘on sites such as YouTube does not carry any age classification, nor is there a watershed before which it cannot be viewed’. Although agreeing to such terms may be a pre-requisite for the user to gain access to the website, as noted above, the practical protection afforded by terms and conditions is limited. The following should be noted in particular: •
Limits of disclaimers: ‘Disclaimers’ attempt to limit or exclude liability in the event of the occurrence of certain circumstances (as specified in the disclaimer). In the context of UGC, disclaimers will have little or no effect in reducing potential liabilities. For example, a brand owner operating a forum will not be able to disclaim liability for defamation but must rely on Defamation Act defences. The disclaimer will not protect the brand owner against a copyright infringement action from a third party whose content has been uploaded onto the UGC site by a user.
•
Difficulty of passing liability to consumer: Most terms will contain contractual undertakings from the user that the user will not submit material that infringes the intellectual property rights of a third party. However, in practical terms, attempting to enforce these contractual undertakings against a user will result in adverse publicity and undermine the ‘community’ the UGC site is attempting to create. 185
6.31 User-generated content and social media
•
Contracts with minors: The general principle under English law is that a contract entered into with a minor (being a person under the age of 18), other than contracts for ‘necessaries’, is voidable at the option of the minor. In the event, therefore, that a consumer who has ‘agreed’ to the terms of the licence is in fact a minor, it is unlikely that the undertakings will be binding on that individual user.
Key messages 6.31 •
Many brand owners incorporate UGC into their advertising and marketing strategies. Brand owners need to be alive to the legal risks created by the use of UGC as outlined in this chapter.
•
The key legal risks associated with the use of UGC and social media are the risk of defamation actions or copyright infringement actions from third parties. These risks are not mitigated by the use of disclaimers in terms and conditions. Another risk is adverse publicity if readers/posters have views with which the company does not agree.
•
Risks can be mitigated when using UGC and social media by the use of a robust and well-maintained notice and take-down procedure so that potentially defamatory, derogatory or infringing content can be reported and removed.
•
The use of pre-moderation on a UGC site (ie before content appears on the site) is not common and may result in the loss of certain defences, particularly with respect to Defamation Act defences. It may be preferable not to moderate at all or, alternatively, moderation services may be outsourced.
•
While there is currently no child-specific legislation in relation to the operation of websites in the UK and only codes such as the 2020 ICO Age Appropriate Design Code, UGC operators should be aware that it is a criminal offence for an employer to allow a barred person or anyone not registered with the Independent Safeguarding Authority to work in connection with the moderation of websites which are wholly or mainly accessed by children. The provisions of UKGDPR and the Data Protection Act 2018 should also be considered.
•
Businesses should be transparent in their use of social media. In particular, they should not pose as consumers on social networking sites and they should be aware of the potential criminal liability from engaging in ‘hidden commercial practices’.
•
If operating a website with a mixture of content, it is advisable to consider ‘ring-fencing’ certain content into a clearly separated area. This may allow ongoing moderation of other parts of the site while allowing a nonmoderation policy in respect of the separated part.
186
Chapter 7
The Audiovisual Media Services Directive Introduction 7.1 The Audiovisual Media Services Directive (‘AVMS Directive’) amends and updates the Television Without Frontiers Directive (‘TWFD’).1 It came into force on 19 December 2007, with a requirement that it be implemented by 19 December 2009. The codified version came into force in the UK on 5 May 20102 and repeals the TWFD and its amendments.3 It was revised by Directive 2018/1808 with Member States given until 19 September 2020 to implement the changes. The UK Government had intended to implement the video sharing provisions through its proposed ‘Online Harms’ legislation, but will take interim measures to meet the implementation date of 19 September 2020. It has said that even though the UK left the EU on 31 January 2020 and the post-Brexit transition period ended on 31 December 2020 the measures will become ‘retained UK law’ and the UK government will in due course assess this legislation in light of the future relationship with the EU. An unofficial consolidation of the AVMS Directive as revised by Directive 2018/1808 is available online, to which reference should be made. The UK implemented the updated Directive through the Audiovisual Media Services Regulations 2020 (SI 2020/1062) which had been submitted in draft to the EU in June 2020. Ofcom began consulting in July 2020 on new rules under the updated Directive. Ofcom is likely to be the new regulator in the UK of Video Sharing Platforms (VSPs) once the UK implements the 2018 Directive. The changes regarding VSPs are one of the biggest 2020 changes. The end of the post-Brexit transition period has led some broadcasters to register entities in the EU to make regulatory compliance and rights to broadcast simpler form 1 January 2021. The TWFD was the legislative device introduced in the then European Economic Community to create a single market for television broadcasting services. At the time of its introduction, the only widely available television services were those broadcast over wires and air, so the TWFD only regulates those services. Following
1 89/552/EEC amended by 97/36/EC. 2 2010/13/EU. 3 2007/65/EC Art 34.
187
7.2 The Audiovisual Media Services Directive
almost two decades of rapid development in audiovisual and digital technologies, the narrow confines of the TWFD were fast becoming redundant, and clearly needed updating to address these developments. The AVMS Directive updates and extends the TWFD and makes it relevant to today’s audiovisual and technological market. Its scope extends to all audiovisual media services, regardless of whether they are broadcast or on-demand services, thus encapsulating many ‘television-like’ digital services including audiovisual services provided over the internet. The 2020 changes modernise it still further for the position in 2020 and beyond. The intention of the AVMS Directive, as with the TWFD before it, is to harmonise television and television-like services throughout the EU. It attempts to do this by a series of regulations to be adopted by a competent authority in each Member State. The regulations cover a number of issues from the applicable national legislation governing a service to permitted content. The regulatory ambit, however, only extends to services which satisfy the definition of an audiovisual media service in Article 1(a) and the AVMS Directive’s relevance to the digital industry is as much about what services this definition excludes as what it includes. To be included is potentially stifling for a digital service as it has the capacity to deprive an emerging industry with the freedom to utilise and exploit audiovisual content without second guessing compliance with the AVMS Directive. This chapter: •
examines the services considered ‘audiovisual media services’ for the purposes of the AVMS Directive and considers those excluded services (whether excluded expressly or otherwise);
•
considers the regulatory provisions for services falling into the definition of ‘audiovisual media services’;
•
reviews the implementation of the AVMS Directive in the UK; and
•
refers to the 2020 changes in this area under Directive 2018/1808 and the UK implementing regulation Audiovisual Media Services Regulations 2020 (SI 2020/1062) which in relation to video on demand is covered in more detail in Chapter 8.
What is an audiovisual media service? 7.2 Not all services that appear to be audiovisual media services are regulated. Only those services falling into the AVMS Directive’s definitions are regulated. To evaluate whether or not a service is caught by the definition it is necessary to evaluate the full definitions.
Definitions 7.3 The AVMS Directive defines terms such as audiovisual media services. The 2020 changes in the 2018 Directive led to the following new definitions in Article 1(1)(a) and (aa) of the AVMS Directive as revised: 188
The Audiovisual Media Services Directive 7.4
(a) ‘audiovisual media service’ means: (i) a service as defined by Articles 56 and 57 of the Treaty on the Functioning of the European Union, where the principal purpose of the service or a dissociable section thereof is devoted to providing programmes, under the editorial responsibility of a media service provider, to the general public, in order to inform, entertain or educate, by means of electronic communications networks within the meaning of point (a) of Article 2 of Directive 2002/21/EC; such an audiovisual media service is either a television broadcast as defined in point (e) of this paragraph or an on-demand audiovisual media service as defined in point (g) of this paragraph; (ii) audiovisual commercial communication; (aa) ‘video-sharing platform service’ means a service as defined by Articles 56 and 57 of the Treaty on the Functioning of the European Union, where the principal purpose of the service or of a dissociable section thereof or an essential functionality of the service is devoted to providing programmes, user-generated videos, or both, to the general public, for which the video-sharing platform provider does not have editorial responsibility, in order to inform, entertain or educate, by means of electronic communications networks within the meaning of point (a) of Article 2 of Directive 2002/21/EC and the organisation of which is determined by the video-sharing platform provider, including by automatic means or algorithms in particular by displaying, tagging and sequencing. The definition above refers to essential functionality. The European Commission has published guidance on this term and states: For the first time [in 2020], the revised AVMSD extends certain audiovisual rules to video sharing platforms, including audiovisual content shared on certain social media services. The revised AVMSD strengthens also the promotion of cultural diversity, by introducing clear obligations for on-demand services to have at least a 30% share of European content in their catalogue and to ensure the prominence of this content. Under the revised AVMSD, the Commission is required to issue the following guidelines: •
Guidelines on Video sharing platforms (VSPs), clarifying to which extent social media actors will be covered by the new rules, paying due regard to the objectives of public interest to be achieved by the new rules and to the right to freedom of expression;
• Guidelines on European Works, on the calculation of the 30% share of European works in Video on Demand (VOD) catalogues and on the definition of low audience and low turnover exemptions.
Editorial responsibility 7.4 Editorial responsibility is defined as effective control over the selection and organisation of programmes. The control will be over the schedule on television services and the catalogue on on-demand services. It qualifies this by providing that editorial responsibility need not necessarily imply legal liability for the content 189
7.5 The Audiovisual Media Services Directive
or services provided.4 Member States are free to further elaborate on the extent of control required; however, it is worth noting that Recital 25 confirms that the AVMS Directive does not affect the liability exemptions in the E-Commerce Directive which release service providers from liability for information provided where they act as mere conduits, caching or hosting.
Media services provider 7.5 A media service provider for the purposes of the AVMS Directive is considered a person with editorial responsibility for the choice of the content and the manner in which it is organised.5
Programme 7.6 The AVMS Directive defines a programme as: a set of moving images with or without sound constituting an individual item, irrespective of its length, within a schedule or a catalogue established by a media service provider, including feature-length films, video clips, sports events, situation comedies, documentaries, children’s programmes and original drama. The original definition was replaced by the one above in the 2018 Directive.6 This excludes radio broadcasts but otherwise many forms of digital content could potentially satisfy the definition of a programme.
Television broadcasting or television broadcasts 7.7 A television broadcast is described as a linear service where programmes are available for simultaneous viewing.7 In other words the viewer has no choice as to when the programmes are available for viewing. It is a ‘push’ rather than a ‘pull’ service wherein the programme is pushed at the viewer. While the definition clearly includes television services covered under the TWFD it also includes services such as near video-on-demand and other services that are pushed at the viewer such as web-casting.
On demand 7.8 On-demand or non-linear services refer to services which are ‘pulled’ by the viewer.8 The viewer chooses when to avail of a service and what programming to view at any particular time. The viewer is in complete control of how or when he or she accesses a catalogue of programming provided by the service provider. The most obvious example of an on-demand service is video on demand (VoD). Including on-demand services in the definition of an audiovisual media service was recognition of the fact that traditional television services regulated under the TWFD were operating at a competitive disadvantage in the new wave of television and 4 5 6 7 8
Art 1(c). Art 1(d). Art 1(b) as amended by the 2018 Directive. Art 1(e). Art 1(g).
190
The Audiovisual Media Services Directive 7.13
television-like services available as a result of technological advances and largely unencumbered by regulation.
Audiovisual commercial communication 7.9 An audiovisual commercial communication is the second type of audiovisual media service regulated by the AVMS Directive. It is defined, as varied by the 2018 Directive, as ‘images with or without sound which are designed to promote, directly or indirectly, the goods, services or image of a natural or legal person pursuing an economic activity; such images accompany, or are included in, a programme or user-generated video in return for payment or for similar consideration or for self-promotional purposes. Forms of audiovisual commercial communication include, inter alia, television advertising, sponsorship, teleshopping and product placement’.9 The AVMS Directive aims to lay down a broad definition of what constitutes an audiovisual commercial communication and expressly includes television advertising, sponsorship, teleshopping and product placement as audiovisual commercial communications and defines them in more detail as follows:
Television advertising 7.10 Television advertising is described as any form of announcement or broadcast which is in return for consideration or is for self-promotional purposes in order to promote the supply of goods or services.10
Sponsorship 7.11 The AVMS Directive considers sponsorship in a new definition in the 2018 Directive as ‘any contribution made by public or private undertakings or natural persons not engaged in providing audiovisual media services or videosharing platform services or in producing audiovisual works to the financing of audiovisual media services, video-sharing platform services, user-generated videos or programmes with a view to promoting their name, trade mark, image, activities or products’.11
Teleshopping 7.12 Teleshopping is described as direct offers to the public with a view to the supply of goods or services in return for payment.12
Product placement 7.13 The definition of ‘product placement’ was revised in 2018 and is now ‘any form of audiovisual commercial communication consisting of the inclusion of, or reference to, a product, a service or the trade mark thereof so that it is
9 Art 1(h). 10 Art 1(i). 11 Art 1(k) as revised by the 2018 Directive. 12 Art 1(l).
191
7.14 The Audiovisual Media Services Directive
featured within a programme or a user-generated video in return for payment or for similar consideration’.13
Exclusions 7.14 Widening the net of regulation was a concern for a developing digital market in which audiovisual content plays a prominent role. In particular, the industry was concerned that services having elements of an audiovisual media service would unwittingly satisfy the test of a regulated service. In an attempt to recognise the concerns of the market, the recitals to the AVMS Directive make a number of wide-ranging exclusions and also expressly exclude a number of specific audiovisual services. Services not in competition for the same audience as a television audience are specifically excluded, as are services that do not provide a service available to a significant proportion of the public.14 Also expressly excluded are non-economic services, particularly private websites and services, which provide or distribute audiovisual content generated by private users. This would clearly exempt usergenerated services from its scope. Private correspondence such as email (provided they are sent to a limited number of recipients) is also expressly excluded, as are services whose principal purpose is not the provision of programming. Services which incidentally include audiovisual content are also expressly excluded and additionally games of chance, lotteries, betting and other forms of gambling services and online games, search engines15 and electronic versions of newspapers and magazines,16 public service announcements and charity appeals are expressly excluded.17
Regulatory obligations – linear v non-linear 7.15 Where a service satisfies all the components of an audiovisual media service for the purposes of the AVMS Directive, it is then subject to regulation. The AVMS Directive provides for a dual level of regulation. Linear or television broadcasts are subject to both first and second levels while on-demand services need only satisfy the first level. The more lenient approach to non-linear or on-demand services is intended to deal with the potential stifling effect a high level of regulation may have in an emerging digital market. As a well-established industry, the television broadcast or linear market is considered capable of absorbing the more stringent levels of regulation. It is worth noting that where a linear or broadcast service is also offered as an on-demand service by the same media provider, the more stringent regulatory provisions will apply to both the linear and non-linear offering.18 13 Art 1(m) as revised by the 2018 Directive. 14 Recital 21. 15 Recital 22. 16 Recital 28. 17 Recital 31. 18 Recital 27.
192
The Audiovisual Media Services Directive 7.20
First level of regulation 7.16 Most of the first level of regulation consists of principles core to the AVMS Directive. Among these are the country of origin principle, freedom of reception, co-operation between national regulatory authorities and also rules relating to qualitative advertising, sponsorship and product placement. This level also regulates European content quotas, identification, protection of minors, incitement of hatred and offence against human dignity, rights for cinematic works and accessibility for the disabled.
Country of origin principle 7.17 Audiovisual content has the potential to be distributed and received by a number of different states throughout the EU, so it is essential for service providers that they need only comply with one set of national laws and regulations. To comply with each Member State’s legal and regulatory regime would be unduly onerous. This principle provides that an audiovisual media service need only comply with the laws of the Member State in which the media service provider transmits the service. While this no doubt opens up the possibility for ‘forum shopping’ it is nonetheless deemed necessary for a strong, competitive and integrated audiovisual industry.19
Freedom of reception 7.18 Another core provision of the AVMS Directive is that all Member States must ensure freedom of reception. Member States are not permitted to restrict access for audiovisual media services although the AVMS Directive does provide for a derogation for content which would be harmful to children or incite hatred.20
Co-operation between national regulatory authorities 7.19 This is a new provision requiring Member States to co-operate with each other and report to the Commission at regular periods, not least on the success of the implementation of the Directive.21 It also requires Member States to co-operate with each other on issues such as forum shopping.22
Qualitative advertising rules 7.20 In a change from the TWFD where advertising was required to be separate from programming, the AVMS Directive provides that advertising and programming need only be recognisable and distinguishable from each other.23 This was a necessary amendment to deal with the fact that product placement is now permitted under the AVMS Directive, if only by derogation.24
19 Recital 34. 20 Art 3 and Art 6(1)(a), both as amended by the 2018 Directive. 21 Art 13(2). 22 Recital 41. 23 Art 19. 24 Art 11.
193
7.20 The Audiovisual Media Services Directive
The AVMS Directive also sets out a list of qualitative rules relating to audiovisual commercial communications.25 It provides that audiovisual commercial communications must not use subliminal techniques, must not be prejudiced or discriminatory, and prohibits audiovisual commercial communications for certain products including cigarettes, tobacco products and prescription medicines. The AVMS Directive also provides that audiovisual commercial communications for alcoholic products cannot be aimed at minors and audiovisual commercial communications must not cause moral or physical detriment to minors. Articles 9.1 and 9.2 of the revised Directive provide: Article 9.1. Member States shall ensure that audiovisual commercial communications provided by media service providers under their jurisdiction comply with the following requirements: (a) audiovisual commercial communications shall be readily recognisable as such; surreptitious audiovisual commercial communication shall be prohibited; (b) audiovisual commercial communications shall not use subliminal techniques; (c) audiovisual commercial communications shall not: (i) prejudice respect for human dignity; (ii) include or promote any discrimination based on sex, racial or ethnic origin, nationality, religion or belief, disability, age or sexual orientation; (iii) encourage behaviour prejudicial to health or safety; (iv) encourage behaviour grossly prejudicial to the protection of the environment; (d) all forms of audiovisual commercial communications for cigarettes and other tobacco products, as well as for electronic cigarettes and refill containers shall be prohibited; (e) audiovisual commercial communications for alcoholic beverages shall not be aimed specifically at minors and shall not encourage immoderate consumption of such beverages; (f) audiovisual commercial communications for medicinal products and medical treatment available only on prescription in the Member State within whose jurisdiction the media service provider falls shall be prohibited; (g) audiovisual commercial communications shall not cause physical, mental or moral detriment to minors; therefore, they shall not directly exhort minors to buy or hire a product or service by exploiting their inexperience or credulity, directly encourage them to persuade their parents or others to purchase the goods or services being advertised, exploit the special
25 Art 9 as amended by the 2018 Directive.
194
The Audiovisual Media Services Directive 7.23
trust minors place in parents, teachers or other persons, or unreasonably show minors in dangerous situations. 9.2. Audiovisual commercial communications for alcoholic beverages in ondemand audiovisual media services, with the exception of sponsorship and product placement, shall comply with the criteria set out in Article 22.
Sponsorship 7.21 The existing rules in the TWFD relating to sponsorship are now extended to all audiovisual media services meaning previously unregulated internet and other digital services will now be subject to the same regulation as television. The main provisions are that content and scheduling must not be influenced by the sponsorship in such a way that the editorial independence of the service provider is affected and a sponsored programme must not directly encourage the purchase or rental of goods or services.
Product placement 7.22 Unlike a number of other Member States, the UK interpreted the TWFD as having an implied prohibition on product placement. The AVMS Directive clarifies the position with regard to product placement, and while it is prima facie prohibited it expressly permits it in certain circumstances by derogation. The derogation permits Member States through their applicable regulatory body to adopt the derogation to the extent they deem necessary or appropriate. The derogation permits product placement for cinematographic works, films and series made for an audiovisual media service, light entertainment and sports programmes but does not extend to children’s programmes or news and current affairs.
Other regulations and the 30% rule 7.23 Other less controversial regulations include a requirement that national broadcasters devote a certain amount of airtime to European works and also either a certain amount of their time or a proportion of their budget (10%) to European works created by independent producers.26 On-demand services are only required to promote production of and access to European works. Audiovisual media services providers are additionally required by the AVMS Directive to identify themselves with their name, address, contact details and the body regulating or supervising them.27 Both on demand and broadcast audiovisual media services are required to monitor the availability of content available to minors and must ensure that audiovisual media services do not incite hatred or hatred based on race, sex or religion and their services must gradually be made available to people with a visual or hearing disability.28
26 Art 17. 27 Art 5. 28 Art 6 as amended in the 2018 Directive.
195
7.24 The Audiovisual Media Services Directive
Article 6A is a new addition to the AVMS Directive and includes provisions that: 1 Member States shall take appropriate measures to ensure that audiovisual media services provided by media service providers under their jurisdiction which may impair the physical, mental or moral development of minors are only made available in such a way as to ensure that minors will not normally hear or see them. Such measures may include selecting the time of the broadcast, age verification tools or other technical measures. They shall be proportionate to the potential harm of the programme. The most harmful content, such as gratuitous violence and pornography, shall be subject to the strictest measures. 2 Personal data of minors collected or otherwise generated by media service providers pursuant to paragraph 1 shall not be processed for commercial purposes, such as direct marketing, profiling and behaviourally targeted advertising. 3 Member States shall ensure that media service providers provide sufficient information to viewers about content which may impair the physical, mental or moral development of minors. For this purpose, media service providers shall use a system describing the potentially harmful nature of the content of an audiovisual media service. The AVMS Directive also provides that cinematographic works must not be transmitted outside periods agreed with rights holders.29 From September 2020 Article 13 of the AVMS Directive as amended provides that media service providers of on-demand audiovisual media services must secure at least a 30% share of European works in their catalogues and ensure prominence of those works.
Second level of regulation 7.24 An additional level of regulation is applicable only to television broadcasts and as a result is broadcast focused. As discussed earlier, this level was deemed unnecessarily onerous for the on-demand industry.
Quantitative advertising 7.25 Quantitative advertising rules apply to television broadcasts. News and children’s programmes have had the quantity of advertising allowed reduced; however, all other forms of programming have an increased advertising allowance. Notably, the AVMS Directive lifts the previous three-hour daily maximum for teleshopping content on channels that are not themselves teleshopping channels. Following the revisions in the 2018 Directive, Article 23(1) provides that ‘The proportion of television advertising spots and teleshopping spots within the period between 6.00 and 18.00 shall not exceed 20% of that period. The proportion of television advertising spots and teleshopping spots within the period between 18.00 and 24.00 shall not exceed 20% of that period’. 29 Art 8.
196
The Audiovisual Media Services Directive 7.29
Exclusive rights and short extracts 7.26 The AVMS Directive provides a right for broadcasters to use coverage of events in which another broadcaster has exclusive rights, but only for the purposes of making short reports for news broadcasts. The events must be of high interest to the public.
Right of reply 7.27 This gives entities the right to have any inaccurate facts published about them publicly corrected.30
Implementation in the UK 7.28 The UK, along with other EU Member States, was required to implement the AVMS Directive into national law by 19 December 2009. The codified version of the AVMS Directive,31 which supersedes the TVWF Directive and its amendments, came into force on 5 May 2010. The requirements of the AVMS Directive have been transposed into UK law by the amendment of the Communications Act 2003 with two sets of regulations, namely: the Audiovisual Media Services Regulations 200932 (the ‘2009 Regulations’) and the Audiovisual Media Services Regulations 201033 (the ‘2010 Regulations’) (together, the ‘AVMS Regulations’), the Audiovisual Media Services (Product Placement) Regulations 2010 (‘the Product Placement Regulations’) and the Audiovisual Media Services (Codification) Regulations 2010 (the ‘Codification Regulations’). The 2009 Regulations came into force on 19 December 2009 and the 2010 Regulations came into force on 18 March 2010, the Product Placement Regulations came into force on 16 April 2010 and the Codification Regulations came into force on 18 August 2010. As stated above UK implementation of the 2018 Directive was by the Audiovisual Media Services Regulations 2020 (2020/1062) which had also been submitted in draft to the EU in June 2020. Chapter 8 also mentions these regulations as they apply to video-on-demand services.
Brexit 7.29 Television and video-on-demand services must be in the EU from 1 January 2021 to benefit from the AVMS Directive, otherwise they no longer benefit from the country of origin principle. Using the Council of Europe’s Convention on Transfrontier Television (ECTT), is not regarded as sufficient from 2021 partly because countries such as Belgium, Denmark, Holland, Ireland and Sweden have not ratified it and ECTT does not apply to video-on-demand services. The guidance, updated in late December 2020 after the EU–UK Trade and Cooperation Agreement from the UK on these complicated Brexit issues, should be referred to at www.gov.uk/guidance/ broadcasting-and-video-on-demand-services-between-the-uk-and-euto. Broadcasters in the EU to the UK are covered by measures the UK has taken which overall mean many will be subject to UK regulations and those providing TV from 30 Art 28. 31 2010/13/EU. 32 SI 2009/2979. 33 SI 2010/419.
197
7.30 The Audiovisual Media Services Directive
ECTT countries and some Irish services are subject to the country of origin principle and regulation in their original country. For video-on-demand providers ECTT is no use as it just applies to TV so these will be subjected to Ofcom regulation where the head office and editorial decisions are in the UK and if not they may still operate in the UK although if Ofcom believes they breach the rules it will liaise with the relevant foreign regulator. The AVMS Directive has provisions to ensure works are available throughout the EU and prominence to EU works etc including time going to European independent producers. As the UK is a party to ECTT this should be sufficient to satisfy the EU content requirements. When in force the 2020 changes to the AVMS Directive require those providing video-on-demand services to make sure that 30% of their catalogue is European works. Article 13 states ‘Member States shall ensure that media service providers of on-demand audiovisual media services under their jurisdiction secure at least a 30% share of European works in their catalogues and ensure prominence of those works’. The EU has issued guidelines on the 30% criteria at https://ec.europa. eu/digital-single-market/en/news/commission-releases-guidelines-video-sharingplatforms-and-guidelines-european-works?utm_source=POLITICO.EU&utm_ campaign=198ad17526-EMAIL_CAMPAIGN_2020_07_02_12_31&utm_ medium=email&utm_term=0_10959edeb5-198ad17526-190068309.
AVMS Regulations 7.30 The AVMS Regulations amend the Communications Act 2003 to include a definition of on-demand services. They also confirm that product placement in on-demand services is permitted subject to the restrictions imposed by the AVMS Directive. It was also necessary for the AVMS Regulations to amend the definition of Licensable Content Services in the Communications Act 2003, s 233 so that the internet is now expressly included as are all other television broadcasting services regardless of how they are delivered. The AVMS Regulations also attempt to prevent forum shopping by introducing cooperation between Member States in maintaining the country of origin principle, although the implications of Brexit mean the UK’s positon is now different on this issue. Importantly, the AVMS Regulations modify the criteria used to determine which Member State is responsible for non-EU satellite television channels not established in the EU but uplinked to a Member State. Previously, it was the Member State responsible for the satellite capacity that had responsibility, now it is the Member State from which they are uplinked.
Product Placement Regulations 7.31 The Audiovisual Media (Product Placement Regulations) product placement in limited to those in the AVMS Directive alcoholic drinks.
Services (Product Placement) Regulations 2010 amend the Communications Act 2003 to permit circumstances. There are additional restrictions such as a prohibition on product placement of 198
The Audiovisual Media Services Directive 7.34
Codification regulations 7.32 The Codification Regulations amend the Wireless Telegraphy Act 2006, the Gambling Act 2005, the Communications Act 2003 and the Broadcasting Act 1990 to replace references to the TWFD with references to the AVMS Directive.
Ofcom consultations Product placement 7.33 Ofcom consulted on a code to incorporate the Product Placement Regulations into the law. In his statement of February 2010, the Minister for Culture Media and Sport confirmed that product placement would not be allowed to the fullest extent permitted under the AVMS Directive. Certain categories of products are prohibited from being used for product placement and for the remaining products placement is only permitted where there is editorial independence. Genres of programming where placement is permitted include cinematographic works, films and series made for television or on demand, sports and light entertainment. Product placement in news, current affairs, consumer, religious and children’s programming is specifically prohibited. BBC licence-fee funded services also continue to be prohibited. In respect of video on demand, see Chapter 8. The current version of the Ofcom rules which resulted from the consultation is the Ofcom Broadcasting Code (with the Cross-promotion Code and the On Demand Programme Service Rules) (2019) which is 156 pages long and online at www.ofcom.org.uk/__data/assets/pdf_file/0016/132073/BroadcastCode-Full.pdf. Ofcom also produces detailed guidance for broadcasters at www.ofcom.org.uk/tvradio-and-on-demand/information-for-industry/guidance/programme-guidance including Audio Visual Media Services Directive Guidance on compliance with Articles 16 and 17 (2010). However this will need to be updated to reflect the amendments to the Directive due to be implemented in the UK in 2020.
Video sharing platforms 7.34 Separately, as mentioned above, those 2020 changes include a new role for Ofcom in policing – ‘Video-sharing platform regulation’ and Ofcom began a consultation on this topic (with responses due by 24 September 2020) in which it summarises its role: We are seeking evidence and information related to the new requirements that will apply to video-sharing platforms. Video-sharing platforms (VSPs) are a type of online video service where users can upload and share videos. VSPs allow users to engage with a wide range of content and social features and are particularly popular among young people. 90% of adults and 98% of children aged 8–15 who use the internet have used a VSP in the past year. Ofcom will be given new powers this autumn [2020] to regulate UK-established VSPs. This will include a duty to ensure that VSPs have in place appropriate measures to protect young people from potentially harmful content and all users from illegal content and incitement to hatred and violence. Services will also need to ensure standards around advertising are met. 199
7.34 The Audiovisual Media Services Directive
The UK Government has confirmed that Ofcom will be the regulator for VSPs established in the UK. This is an interim regime until the new online harms framework comes into force. Ofcom’s new powers have been in force since 1 November 2020. See www.ofcom.org.uk/__data/assets/pdf_file/0021/205167/ regulating-vsp-guide.pdf. The revised AVMS Directive updates requirements for broadcasters and on-demand programme services, which Ofcom already regulated. VSPs will be required to have measures in place to protect young people from harmful content and all users from criminal content and incitement to hatred and violence. The AVMS Directive sets out the list of measures that VSPs should consider implementing (depending on the nature of their service and user base). These measures include, for example, having in place and applying terms and conditions, flagging and reporting mechanisms, parental controls, age assurance mechanisms and complaints functions. It is likely that Ofcom will be the online harms regulator. There is no requirement for operators to take a licence in the UK from Ofcom if they run VSPs. VSPs are providers who provide the following services as defined in the amended Directive: (aa) ‘video-sharing platform service’ means a service as defined by Articles 56 and 57 of the Treaty on the Functioning of the European Union, where the principal purpose of the service or of a dissociable section thereof or an essential functionality of the service is devoted to providing programmes, user-generated videos, or both, to the general public, for which the videosharing platform provider does not have editorial responsibility, in order to inform, entertain or educate, by means of electronic communications networks within the meaning of point (a) of Article 2 of Directive 2002/21/EC and the organisation of which is determined by the video-sharing platform provider, including by automatic means or algorithms in particular by displaying, tagging and sequencing. As stated at paragraph 7.3 above the EU has issued guidance on what is ‘essential functionality’. VSPs have a duty to protect minors from harmful content and to prevent incitement to violence and to protect the public from being provoked into terrorism, child pornography and the like and there are provisions relating to commercial communication. In regards to commercial communications from third parties the duties on VSPs are in Article 28B(3) of the AVMS Directive in the amended version in force from September 2020 once implemented in the UK and in EU Members States – to take appropriate measures which include the following. The ‘paragraph 1’ matters mentioned below include obligation to protect children, to prevent incitement to violence or hatred directed against certain groups and to seek to prevent incitement to terrorism, child pornography and to racism and xenophobia. The obligations on VSPs include the following but only where proportionate and practical and depending on the size of the VSP: (a) including and applying in the terms and conditions of the video-sharing platform services the requirements referred to in paragraph 1; 200
The Audiovisual Media Services Directive 7.35
(b) including and applying in the terms and conditions of the video-sharing platform services the requirements set out in Article 9(1) for audiovisual commercial communications that are not marketed, sold or arranged by the video-sharing platform providers; (c) having a functionality for users who upload user-generated videos to declare whether such videos contain audiovisual commercial communications as far as they know or can be reasonably expected to know; (d) establishing and operating transparent and user-friendly mechanisms for users of a video-sharing platform to report or flag to the video-sharing platform provider concerned the content referred to in paragraph 1 provided on its platform; (e) establishing and operating systems through which video-sharing platform providers explain to users of video-sharing platforms what effect has been given to the reporting and flagging referred to in point (d); (f) establishing and operating age verification systems for users of videosharing platforms with respect to content which may impair the physical, mental or moral development of minors; (g) establishing and operating easy-to-use systems allowing users of videosharing platforms to rate the content referred to in paragraph 1; (h) providing for parental control systems that are under the control of the end-user with respect to content which may impair the physical, mental or moral development of minors; (i) establishing and operating transparent, easy-to-use and effective procedures for the handling and resolution of users’ complaints to the video-sharing platform provider in relation to the implementation of the measures referred to in points (d) to (h); (j) providing for effective media literacy measures and tools and raising users’ awareness of those measures and tools. Personal data of minors collected or otherwise generated by video-sharing platform providers pursuant to points (f) and (h) of the third subparagraph shall not be processed for commercial purposes, such as direct marketing, profiling and behaviourally targeted advertising.
Key message 7.35 •
The applicability of the AVMS Directive to the digital market depends on the extent to which a digital service falls within the legislation.
•
Implementation of the 2018 Directive throughout the EU (now achieved in the UK in 2020) should be watched closely as should the impact of the end of the post-Brexit transition period and the need for UK broadcasters to set up in an EU state from 1 January 2021 in some cases.
201
Chapter 8
Video on demand Introduction 8.1 One of the most disruptive digital technologies to develop over recent years has been video on demand (‘VoD’). Indeed one of the biggest changes has been individuals ceasing to watch much live television and instead using services such as Netflix, SkyGo, Amazon Prime and YouTube. Whilst traditional ‘linear’ television broadcasting involves the pushing of programming to viewers in accordance with set schedules determined by broadcasters, technological developments have allowed that position to be reversed, giving users the ability to choose when and how they consume content. Whilst various types of VoD services exist across a number of platforms, the key distinguishing feature of all VoD services is viewer choice and control over when and where content is consumed. The continuing evolution of VoD services is one of the most striking examples of how ‘convergence’ is impacting the way we consume media. Over recent years, VoD services have come to play an increasingly important role in the way individuals consume television-like programming, including films. The total VoD and near-VoD (these terms are explained in more detail below) film market was estimated to be worth £124 million in 2009, up 3% on 2008.1 In total revenue terms, Screen Digest estimated that the UK TV platform on-demand market (ie excluding internet-based services) was worth £274 million in 2009, placing the UK on-demand market second only to the US in global revenue terms.2 By 2020 subscription video on demand (mostly Amazon and Netflix) in the UK made up 66% of UK home entertainment spending. The rapid pace of change in this sector, together with technological developments which have seen distribution of content move away from more traditional delivery platforms of terrestrial transmission and satellite broadcasting, has also meant the regulatory framework within which UK- and EU-based VoD services operate has also had to be reviewed and updated. In the ten years since the last edition of this book the growth of VoD services, particularly use of Netflix and Amazon Prime has been huge, never mind those watching Sky on-demand via SkyGo services. This chapter examines: •
the different types of VoD services currently available in the UK;
•
the platforms through which VoD services are offered and associated business models; and
1 UK Film Council Statistical Yearbook 2010; see http://sy10.ukfilmcouncil.ry.com/12.0.asp. 2 British Screen Advisory Council briefing paper: ‘TV Platform Video-on-Demand: Market Status Update. December 2009’ available at www.bsac.uk.com/files/tv_platform_vod_2009.pdf.
202
Video on demand 8.2
•
the regulatory framework governing the provision of VoD services in the United Kingdom.
Brexit As set out in Chapter 7 from 1 January 2021 the UK’s post-Brexit transitional period ends and broadcasters will need to consider their position if they are broadcasting to and from the UK/EU.
Types of VoD 8.2 VoD is an umbrella term used to describe a range of different methods of delivering television-like content to consumers. There are three main types of VoD service: •
‘Pull’ VoD, sometimes referred to as ‘True VoD’, where the content is delivered via a two-way network (commonly used by cable and IPTV). Operators of pull VoD typically offer thousands of hours of content on demand.
•
‘Push’ VoD, where content is downloaded to the hard drive of the set-top box and made available to view on demand. Push VoD services are limited by the capacity available to store programming on the set-top box, as well as by the need to predict what consumers will wish to watch, so offer a significantly reduced choice of programming as compared to pull VoD.
•
‘Near’ VoD (‘nVoD’), where multiple linear channels broadcast the same content at staggered start times.3
Table 8.1 below summarises some of the VoD services currently available to UK consumers, including the different distribution technologies utilised. Table 8.1: Selected VoD offers from key providers in the UK from 1999 to 2020 Provider
Distribution technology
VoD launch date
VoD content available
Talk Talk TV
IPTV (pull VoD)
1999 (as Thousands of hours of HomeChoice) VoD content. Free catchup, SVoD* films (Movies Now, Picture Box, Film4 On Demand), PPV VoD and SVoD TV packages