January 21st, 2004, 10:01 AM
Mark_Boyle2002 UK Law and IT News (Jan04)
BURNING TO COMMIT A CRIME?
Protection afforded to holders of copyright have been significantly tightened with the recent implementation of the Copyright and Related Rights Regulations 2003, which Regulations attempt to close loopholes in previous legislation brought about by advances in technology.
Three key rights have been created under the new Regulations. Firstly, it is now an offence to remove any code which has been embedded in a copyright work to trace subsequent use of the material (with the intention of alerting the copyright holder of unauthorised copying). Secondly, holders of copyright may take civil action against individuals who circumvent certain technological protection measures, by for example using a technical device in a computer programme in the reasonable expectation that the programme or device will be used to make infringing copies.
Thirdly, the Regulations create an offence of communicating the work to the public in the course of a business, or if not in the course of a business to such extent as to affect prejudicially the owner of the copyright, where it is known that such an act is infringing copyright. Whilst it has always technically been possible for the holder of copyright works to raise a civil action against anyone who made a copy of a book or burned a CD for a third party, the new regulations have now rendered such copying a criminal offence. Whether the courts will seek to enforce these provisions against entrepreneurial schoolboys burning CDs for their pals for non-commercial purposes remains to be seen.
A salutary lesson to us all can be learned from Morgan Stanley’s recent misfortune, which arose when a Seattle computer consultant successfully bid on eBay for a BlackBerry RIM device.
For the princely sum of $15.50, the purchaser soon realised the true value of his purchase when he discovered after powering up the device that, stored within its memory were in excess of 200 e-mails, a database of more than 1000 names, e-mail addresses and telephone numbers, including home contact details of Morgan Stanley executives. To Morgan Stanley’s further embarrassment, not all the details related to the bank, but related to clients and customers, including details of loan terms, corporate strategies and even details of a potential merger.
The device had been sold on eBay by no less than a former vice president of Morgan Stanley. Whilst the bank doubtless had some form of recourse against their former employee under the terms of his Services Agreement, such action is of little comfort given the serious outcome of his actions. The lesson to businesses is to ensure that they take practical steps to ensure that all confidential information retained by employees, consultants, secondees, agents etc are returned or destroyed when their services are no longer required, or when equipment used by them is decommissioned by the business.
Having a Confidentiality Agreement or confidentiality obligations within employment or services contracts is only half the battle.
DATA PROTECTION CONVICTION
Another recent judgement from the European Court of Justice (ECJ) has served to remind all web content developers of the significance of complying with data protection principles.
Whilst this case was remitted to the ECJ from a Swedish court, the fact that the UK’s data protection legislation stems from a European Directive means that the decision is directly relevant to the UK.
In this case, Mrs Lindqvist, a Swedish parishioner for her local church set up a Website containing information she considered to be of use to people in her parish preparing for confirmation. However, included in these pages were the names of some 18 colleagues in the parish, together with personal details (such as telephone numbers) and, in one case, the fact that a colleague had suffered an injury and was accordingly working part-time.
Mrs Lindqvist did not ask permission from the other people involved before posting their details on the site and she also omitted to notify the Swedish data protection authority.
There have not been many reported cases under the ‘new’ data protection legislation, and the case is significant for a number of reasons.
Firstly, there is an exception under the European Data Protection Directive, which allows the processing of personal data by a person for the purpose of purely household activity. The ECJ ruled that whilst the purposes here were intended to be of limited application and interest, this fact was irrelevant – the exception under the Directive could not apply where the ‘processing’ (in this case ‘posting’) of the personal data is on the Internet so as to make the personal data accessible to an indefinite number of people.
Secondly, the reference to the colleague who had injured her foot amounted to ‘data concerning health’ and was therefore ‘sensitive’ personal data under the Directive, which meant that Mrs Lindqvist should have obtained the express consent (ie. probably the written consent) of the person concerned. Sensitive personal data includes such things as details of racial origin, political, religious, opinions or beliefs, physical, mental health and sexual life or criminal convictions, trade union membership and details relating to criminal proceedings. Certain exemptions exist to allow for instance, journalistic reporting of such facts, but Mrs Lindqvist’s use of the data was not for such exempted purposes.
Thirdly, the ECJ ruled that there was no transfer of personal data to another country outside the European Union by virtue of the fact that an individual in a member state loads personal data onto a Web page, albeit that the Web page can be accessed in other non EU countries. The Directive prohibits transfers to such countries where the country does not offer adequate protection of personal data unless certain contractual provisions are put in place – as Web pages are generally freely accessible, with no contracts operating between the person posting the Web page, and the person viewing the web page, these contractual provisions are never used. Had the court ruled that such a transfer had taken place, then if even one country from which Mrs Lindqvist’s Web page could be accessed was deemed by the ECJ not to provide an adequate level of protection for personal data, personal data would require to be banned from being placed on the Internet.
Unfortunately for Mrs Lindqvist, her appeal was accordingly unsuccessful, and her conviction for breaching Swedish data protection laws, along with her considerable fine was upheld.
· Fox News Channel threatened to sue the makers of “The Simpsons”, after taking exception to its parodied version of the Fox News rolling news ticker. Legal proceedings were reportedly well advanced, before the fundamental question was asked as to the value of Rupert Murdoch paying for Fox to sue itself, given that ‘The Simpsons’ is broadcast on Fox’s sister nertwork, Fox Entertainment…
January 27th, 2004, 10:43 PM
That was sone scary and entertaining stuff. Makes you think twice about your employees and their PDAs.
January 28th, 2004, 12:24 AM
I think that the strengthening of the criminal laws against piracy are to give more power to our "Trading Standards Officers". So far they have beeen only able to use "conterfeighting", "fraud" and "passing off".
[affect prejudicially the owner of the copyright]
I do not see them going after the odd copy for a third party, as you would really have great difficulty in proving that the third party would have bought it, and that the copyright owner would really have lost out?
Just a couple of thoughts,