EU ADOPTS TOUGH NEW IP ENFORCEMENT DIRECTIVE

The European Union has adopted a tough new Directive on Enforcement of Intellectual Property Rights. The Directive, which must be implemented in the UK law within 18 months, is an anti-piracy measure aimed at counterfeiters.

The Directive allows companies who believe their intellectual property is infringed, to obtain interim court orders to raid homes, seize property and arrest bank accounts without the need for a full court hearing. The Directive is wide in its scope, aimed at detecting everything from fake handbags to illegal music downloads.

Civil liberties groups and legal experts have warned that the Directive creates real and fundamental concerns in that it may lead to quasi-criminal enforcement sanctions being applied by private bodies, and have drawn parallels with the US Digital Millennium Copyright Act which has led to music industry bodies targeting children and their parents for illegal music downloads in the USA. Although some parts of the Directive are limited to piracy on a “commercial scale”, others can be used to target consumers.

Much will depend on how the Directive is implemented in the UK over the next 18 months. Watch this space!

NEW PRIVACY AND DATA PROTECTION GUIDANCE

The Information Commissioner has issued new Guidance on the interpretation of the Data Protection Act 1998 (the “DPA”) in the wake of December’s landmark English decision in Durant v Financial Services Authority.

The Guidance focuses on two key issues considered by the Court in Durant:-

1. What makes data ‘personal’ within the meaning of ‘personal data’?

The DPA applies only to ‘personal data’. Previous guidance issued by the Information Commissioner had suggested that where a living individual could be identified by data, this was sufficient to constitute ‘personal data’. This was a relatively easy test to meet. The Court in Durant took a different approach and stated that ‘personal data’ “is information that affects [a person’s] privacy, whether in his personal or family life, business or personal capacity”. The Court went on to say that the information should be “biographical in a significant sense… going beyond the mere recording of [the individual’s] involvement in a matter or event which has no personal connotations”; and that the information should have the individual as its focus, rather than some other person with whom that individual had some involvement.

This sets a higher threshold for determining what constitutes ‘personal data’. The Information Commissioner has suggested that information such as an individual’s medical history, salary details, bank statements, spending preferences, hobbies, address and telephone number will be ‘personal data’, but the mere mention of an individual in a document will not necessarily constitute ‘personal data’.

2. What is a ‘relevant filing system’?

Under the DPA, ‘data’ includes information which is held on computer or manually (e.g. paper files) provided the manual data is part of a ‘relevant filing system’. The Court in the Durant case took the view that only manual files which are sufficiently sophisticated so as to provide the same or similar ready accessibility as a computerised filing system are covered by the DPA. Again, this is a high standard and the Information Commissioner’s guidance suggests that few manual files will be sufficiently sophisticated to consistute ‘a relevant filing system’. Ordinary files containing correspondence and documents filed in sequential order will not be ‘relevant filing systems’ and so will not be covered by the DPA. A rolodex of names and addresses might. The rule of thumb, it seems, is that if the manual file is organised and indexed in such a way to take the searcher to the correct search category and retrieve the information right away then the manual file will be covered by the DPA. If the searcher has to leaf through the file to search for the information, then it will not.

The shift in emphasis from the personal data merely identifying a living individual to actually containing information relating to that individual’s privacy, and the exclusion of all but the most highly organised manual files from the ambit of the DPA represents a fundamental shift in data protection law, and has far reaching practical implications for Data Protection Compliance teams. However these changes are welcome because they make sense.

NEW CCTV GUIDELINES

The Durant case and the change of emphasis in the Information Commissioner’s approach to ‘personal data’ also has far reaching implications for users of CCTV systems, and the Information Commissioner has accordingly revised its guidance in this area.

Previously, the Information Commissioner’s guidance suggested that the mere capturing of an individual’s image on CCTV footage was enough to constitute ‘processing personal data’ in relation to that individual. Now it seems that only if the viewer learns something about that individual’s activities will those images be ‘personal data’.

The new guidance has two main implications. The first is that very basic CCTV systems may no longer be covered by the Act. Cameras that simply record a general scene, that can’t move or zoom, or are not used to observe people’s behaviour and which capture images which are not shared with anyone other than a law enforcement body such as the police are unlikely to be covered by the DPA. Secondly, for those more sophisticated systems which are still covered by the DPA, not all the images of individuals that they capture will be ‘personal data’. This means there are less restrictions on disclosing or sharing such images, and individuals may not have the legal right to view images of themselves caught on a CCTV camera.

SnIP/ITs

· Local authorities are still lagging behind in their efforts to prepare for impact of the Freedom of Information Act, according to a survey carried out by the Information Commissioner. The new regime will come into force in only ten months and will radically overhaul the way local authorities deal with requests for information from the general public. Local authorities must act now if they are to be ready in time.

· The US Patent Office has invalidated a patent held by Eolas Technologies which protects the execution of remote code embedded in internet hypertext pages. If the decision is upheld on appeal then Microsoft will be spared paying out over $521M in damages awarded by an Illinois court to Eolas last year in relation to patent infringement and will avoid having to make costly changes to its Internet Explorer code. Few cases can stress the commercial value of patents as much as this one.