Skip to content .

Tech Bytes

20 March 2008

Welcome to the first Tech Bytes of 2008.  There's lots to fit in, so without further ado... 

With the media spotlight on recent data protection breaches, we consider the Information Commissioner's recent call for wider powers.

They may be seven years away, but it's not too soon to start getting to grips with new EU VAT rules.       

Exclusion and limitation of liability clauses are among the most fiercely negotiated provisions in outsourcing and technology contracts. Our article considers some practical steps that can be taken as part of preparation for negotiations. 

Finally, across the EU, Internet Service Providers (ISPs) are coming under increasing pressure to bow to demands that they play a greater role in policing their services. With the release of a new Government strategy paper that puts the creative industries "at the heart of the economy", it seems that rights-holders have much to celebrate.  So how is the landscape changing for ISPs?     

We're always pleased to receive your comments.  Please feel free to email Rob Shooter or Emily Parris.

Articles

Data Security - An Issue For You All

Last November was a watershed moment for all organisations handling sensitive data.  The loss of HMRC's data disks moved data security from a position of relative obscurity to the front pages of newspapers all over the globe.  And since then the media has been filled with security breach cases. 

Of course, this kind of media interest does not go unnoticed by politicians and regulators and the Information Commissioner, a canny operator where publicity is concerned, saw that HMRC gave him a unique, once-in-a-lifetime chance to change the law and get new powers.  So, in December he rushed out a document calling for new powers, titled "The Case for Amending the Data Protection Act".  Among other things he is calling for new rights of access into organisations, to check their security ratings, new criminal offences for failing to comply with data protection laws and more funds, to enable him to deliver. 

Parliament is listening: in January a House of Commons report titled "Protection of Private Data" made it clear that new legislation will be forthcoming and we are now led to believe that a public consultation on increased powers for the Information Commissioner will be launched by the Ministry of Justice in March.  Once these laws go through, all organisations will be exposed to criminal penalties for bad data handling.

We are encouraging our clients to take these developments very seriously indeed. They are part of a wider move to increased protections for data, evidenced by a raft of new laws in the United States and proposals for new laws coming from the EU.  It is only a matter of time before we see the first corporate conviction for data loss.

In the meantime the Commissioner is expecting organisations to beef up their security for laptop computers: in January he launched a new enforcement strategy that tells us that loss of unencrypted laptops will result in sanctions. 

If you want to know more about your data security obligations please contact Stewart Room, partner in our Privacy and Information Law Group.  We are holding regular "Data Security Breakfast Briefings" throughout 2008 and you are all invited to attend.

EU VAT Shake-Up In The Pipeline 

"In this world nothing can be said to be certain, except death and taxes".

Benjamin Franklin's quote still rings true today, particularly in relation to the charging of VAT. The winds of change, however, are blowing across the current landscape of VAT laws. On 12 February 2008, the Economic and Financial Affairs Council adopted legislation to implement a package of new VAT arrangements.  These changes (contained in Council Directives 2008/8/EC and 2008/9/EC, and in Council Regulation (EC) No. 143/2008) will have a big impact on suppliers of telecoms, broadcasting and electronic services, particularly online retailers, digital service providers, online gambling operators, telecommunications companies and satellite broadcasters.

The changes are driven by a need to prevent distortions of competition between member states operating different VAT rates. Compare Sweden's rate of 24% against Luxembourg's at 15%, which is the lowest in the EU. For obvious reasons, Luxembourg, favoured by many internet and telecoms businesses which have established business presences there, is set to lose its advantage and potentially its significant VAT revenue because of the upcoming change in the "place of taxation" rules. 

Currently, if a business based in the EU supplies services to other EU businesses, VAT is charged according to where the supplier is based.  However from 2010, the reverse will apply and the place of taxation will be the place where the business customer is located.  This is a general rule that will apply to all business to business transactions, including the supply of telecoms, broadcasting and electronic services.

Where services are supplied to EU consumers, the place of taxation will, in most cases, be where the supplier is established, and accordingly, the Supplier's home VAT rate will apply. However, different rules will apply to telecoms, broadcasting and electronic services.  For these specific services, from 2015, taxation will be determined at the place of consumption.      

In effect, suppliers of business-to-businesses services and suppliers of business-to-consumer telecoms, broadcasting and electronic services across member states will face a significantly higher administrative burden, grappling with different VAT regimes for each member state in which their customers are based.

To simplify matters, a "one stop shop" scheme will be established for service providers delivering telecoms, broadcasting and electronic services to consumers.  A single set of obligations for registrations, declarations and payments will apply and will be fulfilled in the service provider's home member state, both for services provided in the home state and in member states where the service provider is not established.  VAT revenue will then be transferred from the country in which the supplier is located to the country where the customer is situated.

Up until January 2019, the member state of establishment will retain a proportion of VAT receipts collected through the one stop scheme. This proportion will amount to 30% from 1 January 2015 and will gradually reduce to 0% by 1 January 2019.

The "VAT package" has been welcomed by larger member states that will stand to benefit from an increase in revenues.  However, critics argue that:

  • these rules will create an unnecessary administrative burden for service providers
  • there is no clarity on how taxpayers ought to apply the rules to identify the place of consumption
  • there appear to be no provisions to counter the risk of multiple claims from more than one member state.

It remains to be seen whether the seven-year lead time until full implementation will present an opportunity for business and tax authorities to work together to formulate the appropriate framework to implement these changes.

Liability: Some Practical Steps For Apportioning Risk

In outsourcing and technology contracts, the allocation of liability between the parties is one of the most keenly negotiated areas.  The process of determining appropriate levels of liability requires an assessment of the risks inherent in the proposed contract.  This article covers the more typical situation in large scale outsourcing and technology projects where the contract is not on the supplier's standard terms, but is specifically negotiated between the parties - a situation where liability will be a matter between the parties and will fall outside the statutory reasonableness requirements in the Unfair Contract Terms Act 1977 "UCTA".  Here we explain some of the practical steps that can be taken in making this assessment as a prelude to a structured negotiation process.

1.         The Balance

The customer's requirement to cover its potential losses if the supplier fails to meet its obligations must be balanced against the supplier's need to cap its risk at a level which is commercially acceptable.  A customer may have an expectation (realistic or unrealistic) that the supplier will accept high or even unlimited liability for all losses. A supplier on the other hand will want to tie the liability limit as closely as possible to the contract price to avoid a net outflow of revenue.  Opposing positions can become entrenched at the negotiation stage often due to a lack of planning and proper analysis on both sides.

2.         Independent Risk Assessment

The appropriate cap is often expressed as a multiple of the contract value, although this should not replace a more sophisticated assessment of the appropriate limits of liability.  A successful negotiation will require more than a rough trade-off between 'standard' contract multiples.  For example, in relatively low value contracts, the operational risks to the customer's business may be quite significant.  Equally some long-term outsourcing arrangements (although of significant contract value) may involve essentially low-risk processes.

The customer's requirements should ideally be based on its assessment of the losses that might be suffered in the event of supplier default and the likelihood of those losses occurring.  This analysis should be conducted without reference to the contract price.  Nevertheless, this independently calculated figure will often be expressed as a percentage of the contract price or a finite sum. Customers seeking to shift risk entirely to the supplier, with unrealistically high expectations for liability caps, may not necessarily end up with the best value-for-money contract.

3.         Practical Steps in Assessing the Risks

At an early stage, and certainly before the detailed contract negotiations start, the Customer should identify the risks related to the services under the contract.  In particular, the Customer will need to consider:

  • those areas of the customer's business and the delivery of the services that might be affected by the supplier's default.
  • how often a risk is likely to materialise:  for example, if a supplier proposes aggregate caps, the customer's risk assessment should include an analysis of the likely number of events that might exhaust those caps

Where services are currently provided in-house or by an existing supplier, the customer should analyse the business processes and any historical disruptions under existing arrangements to determine the operational impact of service failures.  For new services, a detailed risk assessment will be required, ideally involving input from a diverse range of stakeholders from end-users, technical and operational personnel, through to senior management and financial and legal advisers.

The customer should also consider the extent to which any such risks can be mitigated (for example, through alternative processes or workarounds or through business continuity arrangements).  The 'worst case' analysis is not always appropriate, given that in most circumstances there would be an obligation on the customer to mitigate its losses.

4.         Limiting Specific Heads of Liability

A 'one size fits all' cap is not usually appropriate.  Customers and suppliers should give real thought to:

  • what needs to remain uncapped
  • what should be covered by a general cap
  • what should come under specific (higher) caps.  Liability for some types of losses, for example those which cannot be excluded by virtue of UCTA, such as liability for death or personal injury or liability for fraud, will almost always remain uncapped. Similarly, customers are increasingly demanding (and suppliers are increasingly more willing to accept) unlimited liability for infringement of third party intellectual property rights and some cases of gross negligence or wilful misconduct.  Losses flowing from other defaults, such as breach of confidentiality or loss or destruction of data, will usually be the subject of keen negotiation.

Suppliers will invariably seek to exclude liability for indirect and consequential loss. Customers should think carefully about their particular circumstances and the nature of the losses that might arise.   Specific types of loss that are to be recover able should be set out in the contract so that they are not caught by blanket exclusions of indirect or consequential losses (for example, anticipated financial savings, which might be the very reason underlying the customer's decision to outsource).

This risk analysis should not be carried out in isolation but should form part of the overall contract planning process, feeding in to other issues such as price, service levels, remedies for service failures (from service credits through to step-in rights), business continuity and disaster recovery provisions, and exit arrangements.  Setting a liability limit is ultimately a question of identifying the risks and deciding who should bear those risks or how such risks might be shared.  A refined understanding of the customer's needs in all of these areas will help to avoid the worst form of positional negotiation and can lead to the best outcome for both customer and supplier.

Don't Get Caught In Your Own Web

On 22 February, the Department for Culture, Media and Sport published a strategy to provide support for the creative industries, entitled "Creative Britain: New Talents for the New Economy".  According to the strategy, the Government will consult on legislation which would require ISPs and rights holders to co-operate in taking action on illegal content sharing with a view to implementing legislation by April 2009.  The Government has acknowledged that content owners and ISPs are in discussions to come to a voluntary solution and has stated that such a solution is its preference.  However, if a solution is not forthcoming or is inadequate the Government will proceed with implementing legislation to address the issue.

In the EU, the extent of ISP liability is regulated in part by the EC Directive on Electronic Commerce.  The Directive was implemented in the UK through the Electronic Commerce (EC Directive) Regulations 2002.  Broadly, the regulations shield ISPs from liability from damages and criminal penalties in respect of the transmission of information (Reg 17), caching (Reg 18) and hosting (Reg 19) provided the ISP plays a passive role in relation to the infringing or unlawful content.  The ISP will lose its immunity if it strays into a quasi-editorial role by modifying the infringing content, or if it fails to take prompt action to prevent the unlawful activity once it has notice of it.

Industry groups representing rights-holders have been campaigning hard for ISPs to play an active role in tackling IPR infringement and in particular, in tackling infringing P2P file sharing.  There have been calls in the UK for ISPs to operate a "three strikes" approach, similar to that adopted recently in France where group of French ISPs and content providers entered into an agreement with the French Government in November 2007.  The agreement  (once implemented) will require ISPs to send warning notices to users who download infringing material and to disconnect persistent offenders.  An independent authority (yet to be established) will administer the agreement and will act as a channel for warning notices to customers. 

In the UK, ISPs have so far resisted such measures, arguing that they are simply carriers.  Nonetheless, the agreement reached in France and the UK government's Strategy Paper signal a shift, within the European Union, towards placing more responsibility on ISPs; a shift that can also be seen in recent court judgements.  

  • Germany: The German Federal Supreme Court confirmed, in a judgment on 19 April 2007 (Internet Auction II, reference number 1 ZR 35/04), that operators of online auctions such as "eBay" must not only remove illegal content of which they have been informed, but must take "all technically possible and reasonable measures" to avoid counterfeit products from being offered for sale at the online auction.   If the operator fails to take such measures, a rights holder may seek injunctive relief to prevent future infringements
  • France: In France last year, the producers of a documentary served a notice on Google requiring it to remove the documentary from Google's Video website.  Google did so, but when the documentary re-appeared on Google's site, the producer's began court proceedings.  The Court held that Google was shielded from liability with respect to the first notice.  However, once put on notice, Google should have implemented necessary technical means to prevent future uploading of the documentary
  • Belgium: A court recently ruled that, rather than wait to receive a notice to takedown infringing material, an ISP must take steps to ensure that infringing content is not posted in the first place by introducing filtering technology to block infringing material

It is premature to think that, in the UK at least, a consensus is emerging on the issue of the role that ISPs should play in policing infringing activities carried out via their services.  What is clear is that the proliferation of user-generated content and innovative web-offerings have outpaced the law.  The threat of legislation made by the Government in the "Creative Britain" Strategy Paper gives urgency to the need for all sides to agree a form of self-regulation soon.  In the meantime, in order to minimise potential liability, ISPs should continue to ensure that they are able to benefit from the defences set out in the E-Commerce Regulations.  An ISP's user terms and conditions should:

  • prohibit users from posting or publishing any offensive, libellous, defamatory, illegal or unlawful material
  • contain a statement that, although the ISP reserves the right to monitor the content of third party postings, it does not exercise editorial control over the material being posted
  • reserve the right for the ISP to change or remove libellous, defamatory, illegal or unlawful materials and to disable access to content
  • exclude liability for linked content

Finally, it is essential that ISPs have procedures in place for dealing with complaints relating to content. 

News Bytes

Government Copyright Consultation:  The Government is seeking views on proposals to widen the fair use exceptions to copyright.  The proposals (which can be viewed on the UK Intellectual Property Office website) are intended to implement recommendations made in December 2006 following the Gowers Review of Intellectual Property.  They include proposals to:

  • allow consumers to copy legitimately purchased content from one format to another (for example from CD to MP3)
  • allow schools and universities to make the most of digital technologies and to facilitate distance learning
  • allow libraries and archives to use technology to preserve valuable material before it deteriorates or before the format that the material is stored on becomes obsolete.  The deadline for responses is 8 April 2008. 

Maestro fails in bid to secure domain name:  Maestro - the debit arm of MasterCard International - has failed in its bid to secure the domain name "maestro.co.uk".  Nominet rejected Maestro's appeal against an earlier finding in favour of domain name dealer Mark Adams.  Maestro claimed that Mr Adams's registration of the domain name maestro.co.uk contravened Nominet's policy which prohibits "Abusive Registrations".  A registration is abusive under Nominet's policy if it takes unfair advantage of or is unfairly detrimental to the person bringing the claim.  The appeal panel's decision hinged on the fact that "maestro" is an ordinary word and is known as much for its dictionary meaning as for anything else.  The panel emphasised that where a trademark comprising a single dictionary word, the owner should not be able to monopolise the use of that words for domain names.  However, where combinations of ordinary English words (for example "Big Brother" or "Pop Idol") were associated with such strong brands that their common meaning had been "overwhelmed by their fame as trademarks", then this might lead to a different outcome.  "Maestro" had no such secondary meaning and therefore the panel required very persuasive evidence of abuse.  

Consumer Credit Act - Overseas Purchases:  A long running dispute between the Office of Fair Trading and a group of credit card issuers has finally reached its conclusion.  The dispute centred on s75 of the Consumer Credit Act 1974.  Under this section a credit card issuer will be jointly liable (along with the supplier) to a consumer for the supplier's misrepresentation or breach of contract in relation to goods or services purchased by the consumer with a credit card, provided the cash price was above £100 and not more than £30,000.  The House of Lords has confirmed that s75 affords the same protection to consumers who use their credit cards for overseas purchases as for domestic purchases. The decision is good news for consumers and is likely to bolster confidence in online overseas purchases, but has not been welcomed by card issuers, who now face additional risk on overseas purchases falling within the specified cash price-band. 

Software Patents - A Change in UK Practice:  Following the recent High Court decision in Astron Clinica Ltd and Others [2008] EWHC 85 (Pat), the UK-Intellectual Property Office (UK-IPO) has changed its stance on software patents. The change corrects an anomaly that allowed the patenting of a method performed by executing software, and the patenting of a computer programmed to carry out a method, but not of the software itself. UK-IPO has revised its practice so that software that implements a patentable invention can now be patented in the UK.

The legislation that determines the patentability of software is contained in Article 52(2) of the European Patent Convention.  This provides that computer programs "as such" are not to be regarded as inventions, and so are not patentable.  Article 52(2), (in particular, the phrase "as such") has generated a body of complex case law and academic discussion. Until 2006, the European Patent Office (EPO) and the UK-IPO took similar interpretations. Software was patentable if, when executed, it was capable of bringing about a technical effect "beyond the normal physical effects which result from the running of any program".  However in 2006, UK-IPO interpreting a test set down by the Court of Appeal in a case known as Aerotel/Macrossan, concluded that software was not patentable.  A group of patent applicants challenged UK-IPO in the High Court.  They argued that if their computer-implemented methods and apparatus were patentable, the computer programs themselves should be too.  The Court agreed expressing particular concern that there was a conflict between the approaches taken by UK-IPO and the EPO. 

Unfair Commercial Practices:  Two new Regulations (the Consumer Protection from Unfair Trading Regulations ("CPRs") and the Business Protection from Misleading Marketing Regulations) are scheduled to come into force in April this year.  The regulations will implement the EU Unfair Commercial Practices Directive.  The aim of the Directive is to harmonise the EU's unfair trading laws.  National laws that currently regulate business-to-consumer commercial practices are to be replaced with a standardised set of EU-wide regulations which will apply across business sectors.  The Directive imposes a general obligation on all businesses not to treat consumers unfairly before, during and after a transaction.  Further, businesses must not mislead consumers or subject them to aggressive selling techniques.  A breach of the rules will in most cases be a criminal offence punishable by a fine or even imprisonment of directors and managers for up to two years.  The Government has now published its response to a consultation on the draft regulations.  In addition, BERR has published a useful guide to the draft CPRs (although the regulations have yet to be published in final form).  The new laws will be enforced by the Office of Fair Trading, Trading Standards officers, and media regulator Ofcom. Businesses should begin to review their practices in readiness for the introduction of the new rules in order to ensure that what they do (and don't do) will comply with the law.  The key difficulty will be in assessing whether current practices are unfair.  This may be open to interpretation and may require a judgment call.  We advise a cautious approach.

Limitation and Exclusion Clauses - A Cautionary Tale:  A recent High Court decision highlights the need for careful drafting of exclusion and limitation clauses.  In euNetworks Fiber UK Ltd V Abovenet Communications UK Ltd [2007] EWHC 3099 (Ch), the court had to consider the appropriate method for calculating damages to be awarded to euNetworks for loss of use duct across Abovenet's London network.  The court determined that it would take into account profits lost by euNetworks, notwithstanding that the contract contained a clause excluding liability for loss of profits.  The court determined that the exclusion clause was effective in excluding liability for loss of profits as a head of damage in its own right.  However, the exclusion was not effective in preventing the court from using loss of profits as a measure for assessing damages for loss of use of the duct.  This did not mean that compensation was being awarded for loss of profit. It was simply the best means of calculating appropriate damages for loss of use in this case.

Contacts

Michael Chissick
Eduardo Ustaran
Felix Wittern
Andrew Lucas
David Naylor
Paul Barton
Stewart Room
Robert Shooter
Simon Briskman
Marcus Turle

Search all publications by type


Related expertise


Related sector focus


Related locations