LexisNexis IP&IT - Halsbury's Law


LexisNexis IP&IT

A LexisNexis mini-mag focusing on wearable technologies

Wearing your data on your sleeve—thoughts from the ICO’s office

Ian Inman Information Commissioner’s Office (ICO)

Wearing your data on your sleeve—sheer data protection

Eduardo Ustaran Hogan Lovells

Employing wearable technology in the workplace

Warren Wayne Bird & Bird

In ‘vest’ing in crime fighting technology—accountability versus privacy rights?

Javier Ruiz Diaz and Pam Cowburn Open Rights Group

Taking the pulse of wearable medical technology

Vin Bange, Tim Worden and Ed Vickers Taylor Wessing LLP

Beauty and the geek—technology in fashion

Sarah Pearce Edwards Wildman Palmer UK LLP

Autumn 2014


Welcome to our LexisNexis mini magazine, which focuses on a range of legal and practical issues surrounding wearable technology.

Technology is already an integral and inescapable part of our everyday lives. It’s big (data) and it’s smart (phones, meters and even cities), but it’s also risky business. Technology is becoming increasingly personalised too and we are now being sold devices that attach to our bodies and connect us with the world around us in different ways.

Wearables might simply allow us the increased convenience of being able to access information on the move – so far so good...

They might also collect data about the wearer and their behaviours and about the objects and other people that the wearer comes into contact with – not quite so comfortable with that...

And, at their most advanced, wearables might also process data collected from users of those devices in order to transmit useful information back to the user and also to enable the device manufacturers to inform new developments in their own products or, for more noble purposes, such as medical research, which may have broad-ranging benefits for society – probably OK with that, subject to appropriate protections...

However, such data is also very attractive to advertisers, which can potentially use it to then push marketing communications to the user at the optimal time... Not to mention what the cyber criminals might do if they got their hands on that data – REALLY not OK with that...!

As so often happens in the world of high-tech, the technology advances at breakneck speed and the law is left clipping at its ‘intelligent sneaker’-clad heels. There is the potential for society to benefit profoundly from innovation in the wearable technology space. However, privacy needs to be sewn into the seams of wearables, rather than just being an afterthought.

We hope you enjoy the magazine!

Best wishes Katherine Eyres Solicitor Head of LexisPSL Intellectual Property & Information Technology


From the Editor Contents

Lexis®PSL IP & IT

Meet the Experts: Consulting Editorial Board, Contributing Authors

Wearing your data on your sleeve—thoughts from the ICO’s office Ian Inman, Information Commissioner’s Office (ICO)

Wearing your data on your sleeve—sheer data protection Eduardo Ustaran, Hogan Lovells

Are workplace wearables a violation of privacy? Hazel Grant, Bristows

Employing wearable technology in the workplace Warren Wayne, Bird & Bird

In ‘vest’ing in crime fighting technology—accountability versus privacy rights? Javier Ruiz Diaz and Pam Cowburn, Open Rights Group

Taking the pulse of wearable medical technology Vin Bange, Tim Worden and Ed Vickers, Taylor Wessing LLP

Beauty and the geek—technology in fashion Sarah Pearce, Edwards Wildman Palmer UK LLP

Intellectual property rights and the fashion sector Produced in partnership with Boyes Turner LLP

Get your head out of the clouds Andrew Joint, Kemp Little

Is your app policy compliant? Gayle McFarlane, Wragge, Lawrence Graham & Co

Halsbury’s Law Exchange

Google Glass: a serious privacy risk? David Cooke, Pannone

Lexis®Library

Key information property and information technology titles

Lexis®Webinars

Intellectual Property Information Technology Hot Topics Sports Law

Editorial

Editor: Katherine Eyres Production Editor: Rachel Buchanan Design: LexisNexis Creative Solutions

Offices: Lexis House, 30 Farringdon Street, London, EC4A 4HH Tel: 020 7400 2500

Reproduction, copying or extracting by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

This publication is intended to be a general guide and cannot be a substitute for professional advice. Neither the authors nor the publisher accept any responsibility for loss occasioned to any person acting or refraining from acting as a result of material contained in this publication.


LexisPSL IP&IT

Lexis PSL IP & IT provides comprehensive, concise and clear guidance on a range of intellectual property and information technology law issues, catering for both transactional lawyers and litigators.

LexisPSL IP & IT contains a substantial number of IP and IT related precedents with detailed drafting notes that explain key provisions and provide negotiation pointers. Detailed and practically focused guidance is provided in the form of Practice Notes, Checklists and Flowcharts, drilling down to primary law resources such as key cases, legislation and regulations, and external resources such as guidance from regulators.

Checklists and audit questionnaires are aimed at assisting to manage risk and comply with legal and regulatory obligations in areas including data protection and website cookies. PowerPoint training materials on a range of topics, such as confidentiality, BYOD and online brand protection save time in preparing for internal training and external client presentations (which are often non-chargeable).

To find out more about LexisPSL IP&IT, or to have a free trial, visit lexisnexis.co.uk/IPMag/PSL

Receive daily or weekly legal update alerts with LexisPSL IP&IT, highlighting the implications of judgments, legislative changes, consultations and more. Monthly highlights aggregates a range of Lexis PSL IP & IT content, providing a comprehensive go-to point for key developments in IP and IT law in the previous month.


LexisPSL Meet the Experts

Lexis PSL IP&IT is made up of an in-house team with extensive experience, dedicated to producing content specifically for IP and IT specialists.

In building this product we also commissioned many experienced lawyers and other leading experts from industry to write for us. This brings the benefit of both legal and commercial experience to our guidance and keeps Lexis PSL IP & IT relevant to and in tune with the needs of lawyers practising in these areas. Our contributor and author team, and expert Consulting Editorial Board include many of the top performers in the IP and IT law arena today.

Katherine Eyres

Katherine specialises in IT contracts, outsourcing and emerging technologies. She is dual-qualified in Western Australia and England & Wales. Katherine’s UK experience includes working in-house for global business process outsourcing company Williams Lea and in the Technology and Litigation team at CMS Cameron McKenna. She is the Head of Intellectual Property & Information Technology Law for Lexis®PSL.

Ben Horton

Ben has seventeen years’ experience in IP & IT law. A former PSL at CMS Cameron McKenna LLP and Solicitor at Manches LLP, he has an in-depth understanding of technology law and industry together with good experience in the application of IT to legal practice and the management of technology businesses. Ben has particular interest in internet related agreements, cloud, software copyright and social media issues and a postgraduate diploma in Knowledge Management for Legal Practice.

Cristiana Rossetti

Cristiana is an Italian qualified lawyer with several years’ experience as an in-house in multinational companies and professional support lawyer in the Corporate department of the City law firm Withers LLP. She has gained expertise ranging from corporate transactions, such as cross-border acquisitions, reorganisations, joint ventures to a number of IP & IT matters, which include trade marks protection and disputes, patents and designs protection, confidentiality and know-how agreements. Throughout her legal studies and career she has also acquired a valuable knowledge of general international commercial and EU law related matters.

Jessica Stretch

Jessica is an experienced intellectual property litigator specialising in trade marks, copyright and digital media. She has also run non-contentious projects for clients including IP audits and brand protection strategies. Jessica trained at Osborne Clarke and later moved to Kemp Little LLP, a niche technology and digital media law firm.

Anthony Taylor

Anthony is an IP & IT lawyer who studied at the University of Edinburgh and BPP law school. Prior to joining LexisNexis Anthony trained and qualified at Penningtons Solicitors LLP and subsequently worked in Sydney at Corrs Chambers Westgarth. Anthony has particular interests in information security, data protection, freedom of information as well as software, website and social media related issues.

Joshy Thomas

Joshy specialises in intellectual property and has a wide range of experience of IP litigation in all areas of IP. Joshy trained at Eversheds, qualifying in September 2000, where she worked for a number of high-profile brands. After six years she moved to Thomas Eggar, where she spent just under four years acting on a diverse range of contentious IP matters, conducting training and writing on IP issues.

Laura Thompson

Laura has extensive experience conducting IP litigation, particularly over patents in the high-tech and pharmaceutical sectors. After graduating from Cambridge University, she qualified as a solicitor in 2001, and spent over six years at Bristows, followed by over five years at Wragge & Co. in London as a senior associate.


Consulting Editorial Board

8 New Square: Tom Moody-Stuart

Bird & Bird: Christian Bartsch, Roger Bickerstaff

Bristows: Andrew Bowler

Cadence Design Systems: Lawrence Milner

CMS Cameron McKenna: Emma Burnett

Field Fisher Waterhouse: Simon Briskman

PWC Legal: Stewart Room

Linklaters: Ian Karet

Hitachi Data Systems: Don Hughes

Pearson International: Franziska Schulze

Penningtons Manches: Anna Frankum

Taylor Wessing: Roland Mallinson

Contributing Authors

5RB: Nigel Abbas, Godwin Busuttil, Anna Coppola, David Hirst

Atlas Chambers: Anne Fairpo

Anura Consulting: Caroline Wilson

Appleyard Lees: Robert Cumming

Arnold & Porter: Michael H. Ryan

Baker & McKenzie: Julia Dickenson, Steve Holmes, Alex Morgan, Doris Myles, Rachel Wilkinson-Duffy

Bird & Bird: Christian Bartsch, Carolyn Burbridge, Patrick Charnley, Ian Edwards, Tessa Finlayson, Adam Gillert, Ronald Hendrikx, Mathew Oliver, Michael Rudd, Phil Sherrell, Graham Smith, Ian Williamson

Boyes Turner: Sarah Hadland, Sarah Playle

Bristows LLP: Gregory Bacon, Alan Johnson

CMS Cameron McKenna: Alex Bowtell, Anna Clements, Stuart Helmer, Lucy Kilshaw, Tom Reid, Tom Scourfield

Dechert: Peter Crockford

DLA Piper: Mike Conradi

Edwards Wildman: Jatinder Bahra, Ellen Hughes-Jones

Field Fisher Waterhouse: Nick Ball, Huw Beverley-Smith, Simon Briskman, John Brunning, James Buckingham, Victoria Hordern, Phil Lee, Andrew Lucas, Dee Miller, Antonis Patrikios, Lowri Rees, Sian Rudgard, Neil Wallis

Freelance Author: Peter Brudenall, Stephen Mason

Guard UK Limited: Emily Taylor

IP & IT Consultant: John Lane

IP Asset: Vicki Salmon

K&L Gates: Neil Baylis

Keystone Law: Nicholas Tall

Latham & Watkins: Laurence J. Cohen, Deborah Kirk-Gasteen, Alana Tart

Olswang: Charles Kerrigan, Ruth Marken

One Brick Court: Sarah Palin, Kate Wilson

Onside Law: Adam Leadercramer

Osborne Clarke: David Blair, Tina Lai

Penningtons Manches: Anna Frankum, Joanne Vengadesan

Reynolds Porter Chamberlain: Clive Thorne

Richemont: Richard Graham

Rouse: Nicole Jadeja, Jason Rutt, Catriona Smith, Diana Sternfield

Sheridans: Morris Bentata, Andrew Nixon, Paul O’Dowd

Simmons & Simmons: Nicholas Fox

Squire Patton Boggs: Lianne Bulger, Andrew Clay, Carlton Daniel, Gillian Dennis, Imogen McCarthy, Nessa McGill, Alex Newman, Carl Rohsler

Taylor Wessing: Chris Benson, Tom Carl, Joanna Gray, Roland Mallinson, Timothy Pinto, Louise Popple

Thomas Eggar: Katie Byrne

Wragge Lawrence Graham: Brett Israel, David Lowe, Dan Smith


LexisPSL World of IP and IT blog

WIPIT is a blog for curious intellectual property and information technology lawyers who want to stay ahead of the pack in the world of IP and IT. The blog has a nose for business, innovation and technology, and includes news, views, commentary, events and other tasty IP and IT-flavoured treats.

It is written from a mainly UK and European viewpoint, with the aim of sparking lively and meaningful dialogue on the issues that matter. Join in the discussion by posting a comment on the site or email us with your feedback.

And follow us on Twitter: @LexisUK_IPIT

To find out more, visit lexisnexis.co.uk/IPMag/BLOG


Halsbury’s Law Exchange

Halsbury’s Law Exchange is a legal think tank, hosted by LexisNexis. It aims to communicate ideas on reform or legal direction to decision makers and the legal sector and promote debate through papers, reports, events and media pieces.

Although law constitutes the fabric of our society in the UK and reflects our norms, the principles that underpin our laws are seldom open to reasoned and informed debate that will change or shape legislation. Halsbury’s Law Exchange seeks to change this state of affairs. Through our papers and current projects, it seeks to be a legal think tank in the true sense of the term; to debate the legal issues of the day without political or commercial agenda and to influence and prompt change.

One of the central planks of our philosophy to bring about this legal change is to open up a platform to offer you a voice; to encourage intelligent debate and nurture progressive thinking about the law and our legal system. We are therefore keen to know what you think; to share and exchange views in order to develop the spread of ideas. Do you think the law is behind the times? Do you think a particular law, or the application of it, is unfair and should be changed? If so, how? Let us know by commenting on our blog. http://www.halsburyslawexchange.co.uk/

We want to be your bridge to the law makers and for you to be able to make a difference.

Our Mission:

‘Support the rule of law in the UK by promoting an effective legal framework and stimulating public debate on major issues’.

Our Objectives:

i. Examine the rule of law, the structure of the legal system and the development of the legal sector.

ii. Contribute to the development of an efficient statutory framework.

iii. Comment on current legal issues that impact on society and put forward proposals to ensure the law is just.

To find out more, visit lexisnexis.co.uk/IPMag/HLE


Wearing your data on your sleeve—thoughts from the ICO’s office

Interviewed by Alex Heshmaty.

Do you know your LBD from your DPA? As the fashion for wearable technology shows no sign of abating, Ian Inman, group manager of policy delivery at the Information Commissioner’s Office (ICO), considers some of the data protection issues of wearable technology.

The ICO has recently confirmed that wearable technology will need to operate in line with applicable data protection laws. What specific challenges is this likely to present for the current law and the regulators?

Wearable technology is an emerging and potentially significant market sector. The term wearable technology covers a wide range of different devices from body worn video (BWV) through to Google Glass, heart rate monitors and GPS tracking devices. In a technical sense we’ve seen very little so far that hasn’t already been seen in other fields, most notably the mobile phone market. For some, a mobile phone is already a piece of wearable tech—many people are becoming comfortable with the idea of carrying around a smartphone constantly, which includes features such as video and audio recording, GPS location, accelerometers, and wireless technologies such as WiFi, Bluetooth and near field communication.

As a result, the privacy issues raised so far have largely not been unique to wearable technology. Where there’s a particular privacy issue—for example, a lack of clarity as to who will carry out data processing—it has also been an issue in the field of mobile devices and apps. These issues will no doubt overlap a great deal with other concepts such as the ‘internet of things’.

What wearable tech most likely will do is increase the overall volume of data being processed, and the nature of lots of wearable technology will mean that much of this data is personal (think of fitness trackers or heart rate monitors for example).

What types of data protection, privacy and security issues need to be dealt with at the following stages?

The design stage

A fundamentally important step in the design stage is to define:

• what data will be collected and used

• how it will be transferred and stored, and by whom

Without a clear design, it will be extremely difficult to demonstrate compliance with the Data Protection Act 1998 (DPA 1998)—not least because it may well damage your ability to be transparent and open with your customers.

Organisations should also undertake a privacy impact assessment or some other form of risk assessment. This should focus on what it is that they are trying to achieve, the means by which they are trying to achieve it and the associated privacy risks. It should help organisations establish what other options are available to them to achieve their goals and whether any of them are less privacy intrusive than using wearable technology.

Organisations should adopt a privacy by design approach, using technologies with privacy friendly features built in. It is more cost effective to adopt this approach than to attempt to ‘bolt-on’ privacy at a later stage.

The point of data capture

The most important data protection issue at the point of collecting the personal data is to ensure individuals are aware that their personal data is being collected. DPA 1998 requires that individuals are made aware of the fact that their personal data is being collected, why it is being collected and who the data controller is. In many cases, this can be achieved by having signage in place providing this information to those whose personal data is being captured.

With certain types of wearable technology, such as BWV, it is more obvious that personal data is being collected than it is with others, such as GPS tracking devices. The less clear it is to individuals that their personal data is being collected, the more essential it is that organisations are clear and transparent with individuals about how their personal data will be used.

Once the data has been collected

Organisations should have strong policies and procedures in place regarding the handling of information once it has been collected. They should have retention policies in place setting out how long they will keep the personal data for. Individuals will also have a right to access personal data held about them. Organisations must have proper procedures and systems in place to deal with these requests.

DPA 1998 also requires organisations to ensure that they take appropriate technical and organisational steps to keep personal data secure. What is appropriate will depend on various factors, such as the nature of the personal data being processed and the harm that could result from its loss or theft.


What practical compliance issues do the proposed EU data protection reforms raise in the context of wearable technology?

The proposed EU General Data Protection Regulation does provide individuals with more rights in relation to the processing of their personal data as well as improved transparency. However, these rights are heavily qualified and, generally speaking, provided the processing is fair, necessary and lawful then data controllers will still be able to process the personal data.

What sorts of measures would device manufacturers need to consider if adopting a ‘privacy by design’ approach?

A good first step is to consider data minimisation from the very beginning—don’t collect data unless it is necessary for your purposes. A follow-on from that is to consider whether all data that is collected on a wearable device really needs to be transferred elsewhere (eg to a cloud service for processing) or whether some or all of it can remain local, maybe processed on the device itself, or transferred to another local device such as a home PC. Offering customers the choice would be one way of reducing the privacy impact while still providing any advantages that cloud processing might provide.

Security will be an important aspect to consider, for instance:

• consider using secure sockets layer (SSL) or transport layer security (TLS) where possible to ensure secure transmission of personal data, especially for sensitive personal data and login credentials

• if your device connects to a remote service (a web API for instance), make sure that the service is coded securely

• consider how you’ll maintain the security of your software or firmware over time:
  – If someone discovers a security bug, how will you respond?
  – How will you roll out an update?
  – How long will you provide this support for and does it match the predicted lifetime of the device hardware?

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


Wearing your data on your sleeve—sheer data protection

Interviewed by Alex Heshmaty.

As wearable technology grows and grows, data protection concerns remain à la mode. Eduardo Ustaran, a partner in the global privacy and information management practice of Hogan Lovells, considers how device manufacturers can remain ahead of the trend.

The Information Commissioner’s Office has recently confirmed that wearable technology will need to operate in line with applicable data protection laws. What specific challenges is this likely to present for the current law and the regulators?

Wearable technology is the latest manifestation of how our interaction with technology may generate massive amounts of information about ourselves. This information may of course be of great use to individuals and even provide health benefits, as seen with fitness apps in mobile devices. However, as we see every day in relation to our use of the Internet and mobile devices, this information is becoming a valuable asset that can be exploited for the benefit of public sector bodies and private sector businesses. Data protection regulators are aware of the potential benefits, but are also very concerned about the risks. For example, one risk is the lack of control and excessive self-exposure for the user. Communication between objects can be triggered automatically without the individual being aware of it. If the user is not aware of the data collection and use taking place, such lack of information constitutes a significant barrier to demonstrating valid consent under EU law (as the data subject must be informed). In such circumstances, consent cannot be relied upon as a legal basis for the use of such data under EU law.

Similarly, wearable items allow location tracking of individuals. This can be very powerful information to have as it brings together our offline and online lives. However, this can also be intrusive if done in a way that exceeds the expectations of the users. Given the complexity of the technology involved, bridging the gap between data exploitation on one hand and transparency and user control on the other will become increasingly complicated.

What types of data protection, privacy and security issues need to be dealt with at the following stages?

The design stage

At the design stage, it is crucial to assess the legal basis for the potential data collection as well as the reasonableness of such potential. This should be done through methods like ‘privacy impact assessments’, which involve carrying out an in-depth assessment of how a given technological development or application may affect people’s privacy and how data protection obligations and rights should be addressed. The importance and prevalence of this type of exercise is only set to increase and, in an ideal world, it should become an integral part of the development stage of any technology that involves collecting or using information about people.

The point of data capture

The point of data capture is crucial from a transparency perspective because it is at this stage users should be informed about the likely uses of their data. However, while this is relatively easy to do through an interface like a computer screen or a smartphone, it becomes a cumbersome challenge in the context of wearable technology—clearly a pair of Internet connected running shoes is not an ideal place to display a privacy policy. Looking further into the future, if screen sizes become smaller or disappear altogether, it is likely that privacy policies will be replaced by icons or become akin to nutritional labels or wash care tags, where some of the key technological factors that may affect someone’s privacy will have their own symbol and, possibly, some grading indicating the level of intrusiveness.

Once the data has been collected

Once the data has been collected, long standing principles like purpose limitation, accuracy and data security will continue to apply. The same is true of individuals’ rights like the right of access or the so-called ‘right to be forgotten’, which will allow users to have any information they generate deleted forever.

What practical compliance issues do the proposed EU data protection reforms raise in the context of wearable technology?

The proposed provisions dealing with profiling are particularly relevant in this context. Much of the value generated by our use of wearable technologies will rely on the ability of the providers of the technology to understand and profile their users. Many applications of user profiles will be beneficial but the proposed EU data protection regime may not make a distinction and simply place a very high bar on all types of profiling activities. If this is the case, it could become extremely burdensome for providers of wearable technology to fully exploit the information generated by their users.

What sorts of measures would device manufacturers need to consider if adopting a ‘privacy by design’ approach?

Key recommendations include:

• device manufacturers should inform users about the type of data that is collected by sensors and about how that data will be used by them and disclosed to third parties

• device manufacturers should provide granular choices when granting access to applications—the granularity should not only concern the category of collected data, but also the time and frequency at which data is captured

• device manufacturers should allow users to limit location tracking

• personal data collected by wearable technologies should be collected and stored in a format that facilitates the right of access and, ideally, data portability

• devices should be engineered in such a way as to provide the most appropriate level of data security

• device manufacturers should provide simple tools to notify users and to update devices when security vulnerabilities are discovered

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


Google Glass: a serious privacy risk?

By David Cook, Solicitor Advocate, Pannone

It is difficult to have missed the hype surrounding Google Glass (referred to simply as “Glass”), not only because of its futuristic technological capabilities and design, but also the concerns it raises for an individual’s Art 8 right to privacy.

Glass is, relatively speaking, inconspicuous. The camera enables the wearer, simply by voice command, to take photographs or record videos and upload these to the internet much more quickly and covertly than would be the case with a camera or smartphone. The difference between the technologies is three-fold:

1. It is expected that far more images will be captured.

2. It is less likely that those present in the images will be aware that the footage has been captured.

3. The network provider or headset manufacturer has potentially got control over the images and associated metadata.

While issues around infringement of intellectual property, and the use of Glass while driving and to cheat in casinos, are all examples of valid concerns, it is the privacy aspect that particularly worries me. The impact on data protection may be significant.

Current statutory framework 

The Data Protection Act 1998 (DPA) gave effect to the European Data Protection Directive of 1995, and previously sought to control data issues of this nature. The Information Commissioner’s Office (ICO) is the public body set up to uphold the requisite information rights in this regard, but has frequently been blighted by the suggestion that it is a toothless and feckless organisation.

However, the impotence of the ICO is clearly a result of the limited powers provided to it by the DPA. For example, a data loss would only have to be reported to the ICO if it was a serious personal data breach. It is notable that the term “serious” is not defined, aside from some basic examples that the ICO provides, and it is really down to businesses to decide if the breach is sufficiently serious.

This concept of businesses policing themselves is evidently fraught with problems. The risk of enforcement against a non-compliant business is minimal and, with some exceptions, the most serious enforcement action is limited to fairly low fines.

GDPR 

Growing concerns about privacy have, in some ways, already been considered by way of the General Data Protection Regulation (GDPR) of the European Commission, which is due to be adopted in 2014 and properly enforced from 2016 onwards. The drafted GDPR is a massive jump in terms of stricter controls of data.

The GDPR, as originally proposed, included an obligation that valid consent must be explicit and verifiable for any data collected and the purpose of its use – for children under 13, that consent must be given by their parent or custodian. In that respect, the data controllers must now be able to prove definite “consent” (an opt-in), and consent may be withdrawn at any time.

The related principle of a “right to be forgotten” is an important aspect of the GDPR, which provides for an obligation that personal data be deleted when an individual withdraws consent, or the data is no longer necessary and there is no legitimate reason for an organisation to keep it.

It is an irony that the informal corporate motto of Google is, “Don’t be evil”. This is a multinational corporation that, according to the European Commissioner for Justice, would have had to pay penalties of around $1bn for breaches in 2012 if the GDPR had already been in force. It is fair to say that Google does not have an unblemished record with regard to the privacy of its users. That position can only be worsened if the use of Glass becomes as commonplace as has been suggested.

On 12 March 2014, the European Parliament voted overwhelmingly in support of amendments to the GDPR, including fines for companies that breach the GDPR of up to €100m or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is greater. The potential fines are now greater than previously anticipated and the vote hopefully gives an indication that the GDPR will not only “have teeth”, but will also be properly enforced.

Many commentators believe that the GDPR will either be amended into insignificance or simply not enforced properly. Clearly it is crucial that the GDPR is kept in its current format and enforcement is as aggressively followed as initially proposed.

The protections of the GDPR are not only needed now, but will be absolutely vital in future. Glass is sure to be only a transitory phase in the evolution of technology which, if unchecked, could present a very real risk to our Art 8 right to privacy.

Originally published on the Halsbury’s Law Exchange blog.


To find out more, visit lexisnexis.co.uk/IPMag/HLE


Are workplace wearables a violation of privacy?

Interviewed by Jenny Rayner.

What challenges do workplace wearables pose to employees and employers? Hazel Grant, IT lawyer and data protection specialist at Bristows, spells out the key privacy and intellectual property issues in this advancing technology, and advises employers and lawyers alike to stay one step ahead.

What are the central legal challenges posed by wearable devices in the workplace?

In the UK, employees are protected through privacy, employment and data protection laws. The collection of data through wearable devices is very likely to include information on identifiable living individuals, and therefore privacy and data protection laws will be relevant, and as the individuals will often be employees, employment law issues will also arise.

The challenge is the potential conflict of different expectations of privacy. So for example, if the wearable device involves a camera or computer with access to facial recognition or similar technology, then other employees in the workplace may feel that their privacy at work is being violated.

If the device is worn by an employee, but data from the device is seen by the employer, then the employee may feel his/her privacy is violated, and issues of employee monitoring may arise.

How can a company develop an enterprise-grade privacy policy to keep pace?

An employer needs to:

• consider which jurisdictions the policy is intended to cover, as different jurisdictions may have different expectations, and

• liaise with employees on the issues that they see in the devices

It may not be sensible or even possible to have a policy that covers all jurisdictions, so an employer may need to consider one central policy with country-specific additions. A policy should be drafted to be technology-neutral, but in case the employer finds a new issue with a new device, the employer must ensure that the policy can be rapidly updated and rolled out.

With companies struggling to keep pace with bring your own device (BYOD), how might the rise of additional devices complicate business management?

It’s important for companies not to stifle new developments, so having a very restrictive policy may mean that the company falls behind its competitors (for example banning or restricting BYOD may be unenforceable and/or limit employee interaction). The development of wearables is an area that companies will need to keep under review and be ready to move in quickly in terms of policy development and implementation.

Are there legal issues surrounding the ownership of information captured while at work?

Apart from privacy issues, use of wearables, such as cameras, could affect intellectual property rights (for example capturing images or text could infringe a company’s copyright in those images/text). Additionally, confidential information could be captured (and potentially sent outside the company). Equally, an employee may argue that health data captured by a wearable device worn by the employee should be considered ‘his/her’ data, rather than belonging to the company (or the device provider).

Could these devices be turned to an employer’s advantage?

It’s easy to see that some wearable devices could give an employer a clear advantage--if the device helps employees become healthier by providing feedback on their exercise regime or dietary intake, for example, then the employer could have a more productive workforce. From a societal perspective though, we will need to be clear about any potential downsides in the collection of data from wearables--for example, will employees be disciplined if they are not ‘healthy’ enough? Will employees be required to provide information from wearables to their insurers?

How can lawyers stay one step ahead?

By keeping an eye on the technology and by keeping an open mind.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


Employing wearable technology in the workplace

Interviewed by Alex Heshmaty.

In 2014 various items of wearable technology have become available to the public, from Google Glass to Apple and Android watches including a number of medical and fashion related accessories. Warren Wayne, partner in Bird & Bird’s employment group in London, considers the legal implications of wearable tech in the workplace.

What are the perceived potential benefits of allowing employees to use wearable technology (ie Google Glass) at work?

The first thing we need to do is to define what we mean by ‘wearable tech’, as we’re talking about a potentially huge and expanding range of consumer devices. The range of equipment shown at the 2014 Consumer Electronics Show included smart watches, smart wristbands, smart jewellery, glasses, and earbuds which provide comprehensive health and fitness data through the ear. The range of available devices and their functionality is only going to keep expanding.

At the moment, most smart wristbands, jewellery and earbuds focus on health data. So, these are unlikely to impact on the workplace very much—although they might encourage staff to be healthier or simply to take the stairs more often. Until those devices expand their capabilities, we’re left with things like Google Glass and the Apple Watch.

Google Glass brings rich text, notifications and other data to the wearer’s eyes and has a five megapixel camera, video recorder and 12GB of storage with cloud connection. Smart watches like the Apple Watch beam messages, social media updates, simplified apps and Siri to the user’s wrist. They also facilitate watch-to-watch communication at the tap of a button.

At the moment, I don’t think the available functionality is seen to benefit most employers very much. Perhaps they might speed up communications and help people keep in touch at busy trade fairs, but these are relatively limited benefits compared to what we might see in future. The potential for these devices to run business apps which are really helpful is pretty broad and it’s going to be interesting to see if wearable tech catches on to the same extent that smartphones have and if they develop a similar level of penetration into working life. If that happens, there are bound to be a lot of new uses being developed for them.

What potential risks or issues are there with employees bringing personal wearable technology into work?

The main issue is going to be an even greater level of device and internet distraction than we have at the moment, which is a real issue when it affects people’s efficiency and concentration. Various studies have shown that multi-tasking can reduce workplace efficiency by up to 40% and that the distraction of emails and internet notifications can reduce IQ score by 10 points. Wearable tech isn’t going to improve that picture.


A further threat which these devices pose at the moment is that they make it easier for more people to remove valuable confidential information from the workplace. Because they are personal devices there is no way that employers can track their use if they are being used to photograph, video, or transmit live images.

I think we also have to see how other employees react to the idea that their privacy might be affected by people covertly taking pictures or videos at work. The day we see employees using these sorts of videos as evidence in grievance or disciplinary meetings probably isn’t far away.

What if organisations want to provide wearable technology for employee or customer use?

This is probably very dependent on the industry. There are going to be times when it’s useful to have a large number of people receive an alert simultaneously, but at the moment these devices are not providing any functionality that smart phones and tablets don’t. So it’s hard to see many businesses investing in the extra hardware until smart devices offer something else.

The problems in supplying tech to staff or customers will probably be around liability if anything goes wrong. Privacy breaches are the most likely problem, but people have a habit of creating all sorts of unforeseen legal problems when they are given new technology.

What types of contractual and practical measures should employers implement if they are thinking about allowing such uses?

Employers’ social media and bring your own device (BYOD) policies are going to need to keep pace with the technology as it develops, so those are going to need to be reviewed as wearable tech becomes more widely used. We may also see specific policies around wearable tech use develop as more applications become available for them. Some employers have learned a lot, sometimes painfully, through getting to grips with smartphones and BYOD, so they will find that useful. A lot of employers are still only starting to work out how to approach BYOD though and they may find the experience more multi-faceted than they expected.

In the short term the areas that will need to be looked at closely are those around confidentiality and privacy. The only safe practical measure is to exclude all wearable tech and smart devices from secure areas, but that doesn’t cover all eventualities. Employers are going to have to get to grips with what information they have and how far they need to go to protect different types of information. At the moment that’s too often put off, despite its commercial importance.

The starting point, as always, is to make sure that existing contracts and policies are fit for purpose and give a good base to protect the company’s data. Unfortunately, most employers have pretty inadequate contractual arrangements to protect their confidential information and trade secrets, even large multinationals. Too often they use clauses drafted at a time when there were only hard copies and those just aren’t fit to cover all the things that can happen in the modern workplace. Given how important innovative ideas and developments are to the success of most modern businesses, it’s quite surprising. The issue is only going to get worse as consumer technology gets smaller and even less detectable than it is now. There aren’t many businesses that wouldn’t benefit from a modern review of their confidentiality arrangements, but there are relatively few lawyers who have a special interest in these issues.

Warren Wayne is a partner in Bird & Bird’s employment group in London and is recognised as a leading international employment lawyer. He also jointly leads the firm’s international trade secrets protection group and is ‘renowned for his handling of contentious confidentiality matters & restrictive covenants’ (Chambers Global 2011).

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


In ‘vest’ing in crime fighting technology—accountability versus privacy rights?

Interviewed by Alex Heshmaty.

In 2014 various items of wearable technology have become available to the public, from Google Glass to Apple and Android watches and even various medical and fashion related accessories. Javier Ruiz Diaz, policy director, and Pam Cowburn, communications director, at the Open Rights Group consider the legal implications of wearable tech and crime fighting.

Background

The London Met has recently indicated that officers will be fitted with body cameras. Other wearable technology such as wi-fi enabled clothing that allows real-time tracking, vital sign monitoring and constant communications is being trialled in the US.

What impact is wearable technology likely to have on police safety and effective crime fighting? Conversely, what’s the impact on police accountability and reliability of evidence?

This initiative would further increase the scope of surveillance in the UK. Already, we have one of the highest rates of CCTV cameras by population in the world. A 2013 survey estimated that there could be up to 5.9 million surveillance cameras in the UK, one for every 11 people.

Wearable technology may be even more intrusive than CCTV, capturing up-close visuals and audio recordings which, in the case of the police, could be of victims and perpetrators involved in violent and graphic crimes.

While it’s important to make policing more transparent and accountable, we need to make sure that we don’t over-rely on technology to achieve this. Change must also come through wider policies and attempts to change cultural working practices.

Similarly, the effectiveness of surveillance as a crime prevention measure should not be over-stated and may not always be justified by the cost. Other more low-tech measures—such as better street lighting—may be more effective in preventing crime.

Although video recordings may provide useful evidence that can help to secure convictions, as with other kinds of evidence, they can also be misleading if presented without relevant context.

If cameras are on all the time, the police are effectively filming the public on a continual basis regardless of whether they are involved in a crime. In terms of making sure the police are accountable, it is less likely that police abuses would happen in public places. But, it might be preferable to have cameras in police vehicles—where there have been accusations of abuse and where it is less likely that bystanders will be filmed—in the same way that there are cameras in police stations.

Issues may arise on how audio-visual materials are used and how long they are kept for, particularly when the police are filming members of the public not involved in criminal activity.

Arguably there may be benefits to the police wearing cameras at demonstrations. Protesters may feel that this might deter heavy handed dispersal tactics by the police—or provide evidence of them if they occur. Conversely, police officers may feel that they have evidence to counter any claims of police brutality or provide evidence of provocation. But cameras would also give the police a visual record of everyone who attended a particular demonstration. How might that footage be used afterwards? Could facial recognition software be used to identify people to keep a note for future demonstrations or investigations?

Won’t it just be possible to turn the camera off (in the same way as a recording can be stopped)?

If it is possible to turn a camera off, there would need to be mechanisms within the camera to keep a proper audit of when it has been switched on and off, and why.

Continual recording would mean that all of a police officer’s daily activities would be recorded and they would be fully accountable for their actions. But it would also mean that many members of the public, not involved in crimes, would be captured on film and this would be an unnecessary intrusion on their privacy. In addition, there are times when police officers have to use their discretion. If they were wearing cameras, they might feel obliged to pursue minor infractions, which they might deal with differently otherwise.

Conversely, selective recording could lead to accusations that video footage is misleading, has been taken out of context, or deliberately manipulated to secure a conviction.

Does the use of such technology present any challenges to current criminal law and police practice?

The use of CCTV by public authorities is regulated under the Protection of Freedoms Act 2012 (PFA 2012). The Surveillance Camera Code of Practice pursuant to PFA 2012 provides guidance to public authorities:

This guidance acknowledges that, ‘there may be additional standards applicable where the system has specific advanced capability... for example the use of body-worn video recorders’.

However, it does not give much detail about what these standards are.

The Information Commissioner’s Office (ICO) has published more detailed guidance, which spells out further what these mean—‘In the picture: A data protection code of practice for surveillance cameras and personal information’.

This recognises the threats to privacy:

‘BWV [body-worn video] systems are likely to be more intrusive than the more “normal” CCTV style surveillance systems because of its mobility. Before you decide to procure and deploy such a system, it is important that you justify its use and consider whether or not it is proportionate, necessary and addresses a pressing social need.’

It also outlines the data protection issues and offers guidance that data should be stored, ‘in a way that remains under your sole control, retains the quality of the original recording and is adequate for the purpose for which it was originally collected’.


What are the potential human rights or privacy implications for individuals?

The police spend a lot of time talking to victims, witnesses and other members of the public, not just apprehending criminals. By wearing a camera they could essentially be continuously filming in public places and this has privacy implications for everyone in those places.

The government’s guidance says, ‘people in public places should normally be made aware whenever they are being monitored by a surveillance camera system’ but it is difficult to see how this could work in practice if the camera is being worn by an officer.

Given the appetite for footage of real criminals being arrested, there are also risks of videos being leaked, hacked or shared inappropriately and this is likely to breach rights of privacy.

What measures would police need to take to ensure that their use of such technology complies with data protection laws?

The police have broad powers to hold and process data, and there are a number of data protection opt-outs available to them. If they are to record and keep video footage, they must have systems in place that store audio-visual material securely. There also need to be strict controls over who can access it. The guidance from the ICO outlines these requirements clearly. However, it is not only data protection law but also the Human Rights Act 1998 that the police must comply with.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


Taking the pulse of wearable medical technology

Interviewed by Alex Heshmaty.

In 2014 various items of wearable technology have become available to the public, including various medical related accessories. Vin Bange, Tim Worden and Ed Vickers of Taylor Wessing LLP consider the legal implications of medical wearable tech.

What is wearable medical technology? What kinds of devices already exist?

The term covers a wide variety of products but they are generally devices worn on the body for a prolonged period that are able to capture and process data about the patient’s physiology. The data may be stored for the patient to use, transmitted to a clinician for analysis, or used for calculating the correct medical response and then notifying the patient.

An example of a wearable medical device is the continuous glucose monitor (CGM) used by diabetes patients to:

• alert the patient when their glucose levels are rising or falling too quickly

• predict in advance an oncoming high or low, or

• simply allow the patient to keep track of their glucose status throughout the day

The data collected by a CGM can also be used with the appropriate software to establish a record of how the patient reacts to exercise, food and insulin. The profile of a patient’s disease that can be assembled in this way is then useful to clinicians advising on treatment.

What happens to the sensitive personal data which is recorded by these devices?

Sensitive personal data in the healthcare environment is subject to a higher degree of scrutiny under EU data protection laws. Any storage of personal data on devices and apps would not be exempt. In fact, greater consideration should be afforded—for example, data minimisation and appropriate protection which may include encryption or converting the personal data into pseudonymous form.


How are data protection issues being addressed by device manufacturers and app developers and what more can be done?

In making sure that the data protection principles have been taken into consideration, it is key to carry out a privacy impact assessment (PIA). This is deemed to be best practice now and under the proposals for a new EU Data Protection Regulation this could become mandatory. The PIA provides a framework to check and document the data collection and data flow to ensure that it is data protection compliant. The PIA also provides a form of audit trail if the data processing is challenged for data protection compliance.

Under what circumstances can health apps sell or share data?

Consent and anonymisation are the key here. However, consent needs to be transparent, informed and freely given, so beware the simple checkbox approach as that may not be enough for consent to sell or share personal data.

Are the device manufacturers and app developers susceptible to medical negligence claims?

Products that fall within the definition of a medical device, which may include apps, may only be placed on the market in Europe if the manufacturer has ensured that they are in conformity with the essential requirements of European legislation and have been provided with a CE mark. One of the key aims of the legislation is to ensure that devices that are placed on the market have a favourable risk/benefit profile, and are as safe as possible when used in treating patients. Cases of patients being injured by devices marked with a CE mark should, therefore, be rare.

Nevertheless, patients may use apps that have not been assessed for conformity, but should have been, and even devices that have been CE marked may sometimes be used improperly.

In these relatively rare cases, negligence claims could arise in relation to medical devices. In the event that an injury arises, not because of the actions of a medical professional, but because of an inherent defect in the medical device itself, then there is scope for a negligence claim to be made against the manufacturer/developer. For example, if the software in an item of wearable medical technology miscalculates the dosage of a drug that it recommends for a patient, this is likely to fall below the standard of care expected of the manufacturer, and give rise to a negligence claim.

Any predictions for the future?

Developments in wearable medical devices are also expected to enable further advances in remote monitoring, such that a patient can be monitored by a hospital from home with treatment initiated or altered without the patient having to first report to a clinician.

Data anonymisation techniques and standards will increasingly play an important role to ensure you can defend your data aggregation plans as being robust and not inadvertently leading to a non-compliant disclosure of personal data. This will also be important as part of the secondary use of the data. Once again, the PIA will play a central role here.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


Beauty and the geek—technology in fashion

Interviewed by Alex Heshmaty.

A recent collaboration between Intel, Opening Ceremony, Barney’s New York and the Council of Fashion Designers of America is only one of many examples showing that wearable technology has entered the fashion world. Sarah Pearce, partner at Edwards Wildman Palmer UK LLP, takes a look at some of the legal issues around wearable tech in relation to collaborations like this in the fashion industry.

What are the key features of wearable technologies such as the smart bracelet described?

The wearable technologies currently available on the commercial market generally fall within three categories:

• smart accessories (such as the smart bracelet created by the Intel-Opening Ceremony collaboration, and smart watches)

• specific-use devices (the majority being, to date, related to health and fitness, such as Jawbone, Fitbit and other fitness trackers), and

• those aimed at broader usage such as self-sufficient devices which connect directly to the internet (for example, Google Glass)

Most wearable technologies synchronise with smart phone operating systems and allow for the running of apps, with features typically including:

• the sending and receipt of emails, phone calls and messages through the device

• fitness and health monitoring

• GPS

• music control

• timers and alarms, and

• payment capabilities

While the features of wearable technologies vary between devices, one commonality between all devices is the ability to collect substantial volumes of data from the wearer of the device.

What intellectual property rights may come into play for each collaborator?

A number of intellectual property rights come into play for wearable technology collaborators. The name of the wearable device is vital, particularly in such an important period where such devices are just being developed/entering the market and the name should therefore be registered as a trademark—not only can this protect the manufacturing brand’s goodwill and reputation but a well thought out and catchy name can draw customers to, or widen the appeal of, the device in question.

It goes without saying that the aesthetic design of wearable technologies, particularly if aimed at the more fashion-conscious/luxury market (where high tech products may be considered more ‘geeky’ and undesirable than in the traditional market for wearable technologies), will be pivotal to their success. Protection of the appearance of a particular product or graphical user interface also becomes vital—for example, through registering the design, a short and inexpensive process which, in the UK, confers a 25 year monopoly right in the design.

In the UK, obtaining patents for the innovations involved will protect how the technology operates through a 20 year monopoly right. Patent litigation over technology has been well documented, for example, the long running Apple/Samsung litigation, and disputes over wearable technologies have already begun to emerge—earlier this year Under Armour were sued by Adidas who claimed that their watches, chest straps and technologies in their MapMyFitness platform infringed a number of Adidas’ patents relating to fitness monitoring and training.

What commercial issues might arise for each collaborator?

The features of wearable technologies pose a number of privacy and data protection concerns—wearable devices are typically switched on for prolonged periods of time or are in constant use, the volume and range of data which can be collected is significant and small screens make communicating with, and obtaining consent for data processing from, consumers more challenging. Developers will need to design wearable technologies and applications with these privacy concerns in mind. This will include incorporating clear and transparent privacy information creatively in approachable, user-friendly interfaces, ensuring any personal data collected is appropriate to the function of the wearable device and within the reasonable expectations of users, and investing in secure data security controls to safeguard personal data.

A thorough data protection and privacy review would need to be carried out in respect of any such proposed collaboration due to the large range and volume of data which can be collected on wearable devices. Data security breaches pose a risk of significant reputational damage and careful investigation of potential collaborators from the outset would provide an opportunity to check and ensure compliance with applicable data protection legislation, including the requirement to have adequate security measures in place.

Any collaboration will need to contractually address data protection issues, primarily establishing who holds responsibility for data collection. While the legal implications remain unclear and, as yet, untested in the courts, a supplier partner is likely to be considered a ‘data processor’ under the Data Protection Act 1998 (DPA 1998) by virtue of its organisation and consultation of data. That partner may also wish to have input into the manner in which, and the purposes for which, the data is processed. Such involvement would make the supplier partner a data controller under DPA 1998. Those developing and retailing wearable technologies would need therefore to develop a clear corporate/group view/policy as to how it wishes to use data available from those devices. Companies may decide to limit their use of available data, which will reduce data protection obligations, however, doing so will disregard an opportunity to market more efficiently and effectively. Whatever approach taken, data protection obligations, both in relation to the point the data is captured and its storage thereafter, would need to be clearly identified between collaborators and set out in contractual documentation, together with appropriate limitations of liability.

Who will be the winners with wearable tech in collaborations like that described above?

The winners are likely to be those who strike a balance between technological functionality and style. As with any accessory, strength of brand, fashion and style will play a significant role—the winners will be those with the ‘must-have’ product. Some of the products currently on the market have fallen somewhat short in striking this balance—users of the Google Glass being dubbed ‘glassholes’ being a case in point.


What legal issues might arise from future wearable tech products (as opposed to those already on the market)?

The wearable technologies on the market currently are predominantly introspective, that is, they monitor and display information about the individual, be that fitness data or communication data. However, the development of wearable technologies is fast developing in an outward looking, or ‘extrospective’, manner, allowing individuals to monitor the world around them. While introspective devices pose little concern to others, devices with the ability to capture individuals in the vicinity of the wearer (through video, audio or camera), perhaps imperceptibly, raise third party privacy concerns which run deeper than wearable technology ‘etiquette’. Questions are also raised about the ease of recording, and potential misuse of, confidential information by employees in the workplace.

The increasing capabilities of wearable devices, coupled with the substantial volumes and range of data able to be collected and shared, present data security concerns. These considerable new flows and sources of data provide opportunities for businesses, but also pose risks. Personal data may be uploaded to the Cloud and analysed, with opportunities for businesses to better understand their customers and market more effectively. In the EU, this is permitted provided that the technology provider is being transparent about how the data is used, shared and transferred, the wearer has given informed consent about what is being done with the data and the provider has put in place adequate security measures. Whether this happens in practice is another matter, and these concerns will simply grow with the increasing capabilities of wearable technologies.

Where data is collected but is made anonymous, data protection principles will not apply. Anonymising data is becoming more and more a popular means of accessing and analysing data without the burden of compliance. However, considering the increasing capabilities of wearable technologies, there may come a point where so much anonymous data is pieced together that it no longer anonymises the wearer—a realistic concern not to be overlooked.

Will technology influence fashion?

Technology already has influenced the fashion industry—one need only look at the turnaround of Burberry, which has been driven by digital innovation, or the proliferation of fashion trends through Instagram, Facebook and Pinterest, to see that technology has firmly influenced fashion.

However, the extent to which wearable technology will influence fashion is not yet clear. As the Apple Watch makes its fashion debut this month on the cover of Vogue China, commentators are still uncertain of just how popular these devices will be. The luxury watch market presents an interesting illustration of how fashion trumps utility—as time telling devices, watches have been made redundant by mobile phones for some years, however, their appeal is not based upon utility but upon notions of tradition, craftsmanship and symbolic wealth, and some of the most prestigious devices often increase in value over time.

Wearable technologies, by contrast, are functional devices with a shelf life, soon to be made obsolete in favour of the latest model. So it is perhaps less of a question of technology influencing fashion, and more a question of whether wearable technologies can capture the eye of fashion. The launch of the Apple Watch has been particularly interesting in this regard—Apple have resisted labelling the Apple Watch a ‘smart watch’ and have attempted to align the watch in the luxury jewellery market, for example, exhibiting the Apple Watch at the high-fashion boutique Colette earlier this month during Paris Fashion Week.

Companies should be wary of overlooking tech enthusiasts, however. Fashion is all about aesthetics, yet the tech enthusiast is not immune to aesthetics; there will undoubtedly be overlap between those who are attracted to and find beauty in slimmer, faster, higher functionality devices and the demands of the fashion conscious/luxury market. Commercially, the winners will be those who appeal to both.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


Intellectual property rights and the fashion sector

Produced in partnership with Boyes Turner LLP

It is virtually impossible to pick up a glossy magazine that does not include style articles encouraging consumers to seek out cut-price high street and supermarket alternatives to expensive couture. While the large fashion houses need to be seen to define the newest trends they must also be vigilant in order to prevent high street ‘interpretations’ from coming too close to the originals. High street stores face similar issues in respect of supermarket and budget high street collections which are often ‘inspired’ by other high street collections. In both cases, deciding how close is too close can be a difficult decision to make.

The fashion industry is also plagued by counterfeiting where low quality merchandise is branded with luxury fashion brands. Counterfeiting takes place on a massive scale in the fashion industry and can have a significant impact on brand values.

The fashion industry is notoriously fast moving with high street stores changing their stock every six weeks or so. The transient nature of fashion and the speed with which new collections are produced makes it a difficult industry to police. Designers, fashion houses and brand owners need a quick, effective strategy that provides strong intellectual property (IP) protection while keeping costs under control.

Putting in place appropriate IP protection

Consider which form(s) of IP rights will deliver the most effective protection. Key issues include:

• the importance/longevity of the designs in question. House brands and iconic designs merit stronger protection than transient fashions.

• whether ownership of the design is clear

- if in doubt, appropriate assignments should be executed

- evidence of creation of designs should be preserved

- is joint ownership an issue?

- do simultaneous rights exist in one design?

• in which jurisdictions designs will be marketed/sold

• the resources that are available. IP protection is worthless if there are no resources available to enforce it

Design protection

The scope of design right protection has expanded in recent years making it more relevant to industries where aesthetics are key. Protection is now available, not only for three-dimensional shapes, but also for two-dimensional design features such as colour, surface decoration and texture (Council Regulation (EC) 6/2002, Council Directive (EC) 98/71).

This has resulted in registered and unregistered design protection becoming the fashion designers’ new weapon of choice against the endemic copying in the fashion industry.

Registered designs

Registered design protection has the following benefits:

• registration can be achieved quickly and simply and involves relatively low costs

• there is no detailed examination procedure as with trade mark applications

• the designs do not need to be linked to specific classes of goods

• multiple designs can be included in one application

• protection can last up to 25 years if renewed correctly

• key elements of a design can be registered as well as the design as a whole to prevent third parties taking just specific features

• graphics/logos can also be protected offering an alternative to trade mark registration

• there is no need to show that a design has been copied as it is a monopoly right. This makes litigation cheaper as it decreases the evidential burden on the claimant

• infringement proceedings can be brought in the Intellectual Property Enterprise Court (a specialist list within the High Court), which offers a relatively quick and low cost forum

Obtaining registered design protection is worthwhile if a design is of particular importance or intended for longer-term use. The existence of a one year grace period prior to registration allows designers to test the success of a design before seeking registration (Council Regulation (EC) 6/2002, art 7).

Both UK and European Community registered design rights (RCDs) can protect the appearance of the whole or part of a product including (Registered Designs Act 1949):

• lines/contours (Council Regulation (EC) 6/2002)

• colours

• shape

• textures/materials

provided the design is new and has individual character.

A design will only have individual character if it produces a different overall impression on an informed user to other designs on the market.

In Choo v Towerstone, a case involving infringement of registered and unregistered design rights in a Jimmy Choo bag, it was held that the informed user was not the woman on the street nor a handbag designer but someone somewhere between the two who would know about the design constraints relating to handbags (J Choo (Jersey) Ltd v Towerstone Ltd and others [2008] IP & T 866).

The overall impression test is also relevant to infringement. (See Procter & Gamble). A design that was developed independently will still infringe if it fails to create a different overall impression on an informed user (Procter & Gamble Co v Reckitt Benckiser (UK) Ltd [2008] IP & T 704).

For more information about registered design protection in the UK and EU, see Practice Notes: Registered design rights in the UK and European Union and Applying for UK and European registered design protection.


EU unregistered design rights

EU unregistered design rights are similar in scope to registered design rights (Council Regulation (EC) 6/2002).

Rights arise automatically once a design that is new and has individual character has been disclosed within the EU. For this reason they are frequently relied upon by designers who do not have the resources or the inclination to register rights in all their designs.

Disadvantages include:

• protection lasts only for three years from first disclosure in the EU. Given the fast moving fashion industry this does not usually pose a significant problem in practice

• subsistence and/or ownership of the rights may be hard to prove

• unregistered design rights do not provide a monopoly protection and only protect against unauthorised copying

In Karen Millen Fashions v Dunnes Stores, the CJEU confirmed that a claimant does not need to prove individual character; its existence is assumed (Karen Millen Fashions Ltd v Dunnes Stores C-345/13 [2014] All ER (D) 156 (Jun), Council Regulation (EC) 6/2002, art 85).

In practice the courts will often infer copying where the articles in question are very similar, particularly if the infringement involves more than one similar design (Dahlia Fashion Co Ltd v Broadcast Session Ltd and another [2012] All ER (D) 127 (May)).

In Jimmy Choo the judge found that when considering the bags side by side the inference of copying was overwhelming. Given the number of identical features, the likelihood that the two designs could have been arrived at independently was ‘fanciful’ (J Choo (Jersey) Ltd v Towerstone Ltd and others [2008] IP & T 866).

Unregistered community design rights can be a powerful weapon against copying. In Mattel Inc v Woolbro Distributors, Simba Toys (Hong Kong) & Simba Toys GmbH [2003] EWHC 2412, [2004] FSR 217 (unavailable), which involved toys, another fast moving industry, a successful infringement claim resulted in a Europe-wide injunction being granted.

UK unregistered design rights

UK Design rights protect the shape or configuration (whether internal or external) of the whole or part of an article. Until recently, unregistered designs protected ‘any aspect’ of the shape or configuration of the whole or part of an article. Following calls to clarify and narrow the protection afforded by unregistered designs, specifically to remove protection for trivial elements of a design, the words ‘any aspect’ were removed from the legislation by the Intellectual Property Act 2014, with effect from 1 October 2014. Whether the amended legislation does prevent designers basing claims on small elements of their designs remains to be seen. Attempts to rely on UK unregistered designs in the fashion sector have had mixed success (CDPA 1988, s 213).

In the Jo-Y-Jo case it was found that floral embroidery on vests was commonplace and so not protected. However, in Guild there was sufficient originality in items of clothing to attract design right (Jo-Y-Jo Limited v Matalan Retail Ltd and another [1999] All ER (D) 374, Guild v Eskandar Ltd and another [2002] All ER (D) 202 (Mar)).

For more information on UK unregistered designs, see Practice Note: Unregistered design rights in the UK and European Community -- UK design rights.


Copyright

Copyright can be useful in protecting designs; however, proving that copyright subsists in a design and who owns it can be problematic.

The Lucasfilm case involved a copyright claim in respect of the storm trooper helmets for the Star Wars films. The Supreme Court made it clear that the definition of what constitutes a work of artistic craftsmanship/sculpture is narrow. If a design has a functional rather than artistic purpose no copyright will subsist in it. This is frequently an issue in relation to clothing (Lucasfilm Ltd and others v Ainsworth and another [2011] IP & T 733).

If copyright protection subsists in an artistic work made by an industrial process, protection is limited to 25 years from first marketing under CDPA 1988, s 52. The Enterprise and Regulatory Reform Act 2013, s 74 provides for the repeal of CDPA 1988, s 52. The repeal of s 52 means that the protection for artistic works that have been industrially exploited will match that for regular artistic works, ie creator’s life plus 70 years. The government has proposed a repeal date of 6 April 2018 and is currently conducting a Consultation on transitional provisions and repeal of CDPA 1988, s 52 with a closing date of 27 October 2014 (CDPA 1988, s 52, Enterprise and Regulatory Reform Act 2013, s 74).

For further information about copyright in artistic works, see Practice Note: Works that are protected by copyright--Artistic works.

Passing off

No passing off claim can be successful without the existence of goodwill and the transient nature of the fashion industry means that few designs will be around long enough to acquire it.

For this reason passing off claims are generally limited to situations involving the misuse of house brands or iconic designs that have some longevity.

In the Gina Shoes case, Gina Shoes Ltd brought a successful passing off and trade mark infringement claim against Medici for applying the GINA name to a range of wedding shoes. An injunction was issued preventing Medici from using the brand on shoes (Gina Shoes Ltd v Medici Ltd [2001] All ER (D) 241 (Jan)).

In French Connection Ltd & Others v Fresh Ideas Fashion Ltd, summary judgment was awarded against Fresh Ideas in respect of their use of ‘French Connection’ and ‘FCUK’ on handbags (French Connection and others v Fresh Ideas Fashion Ltd and another [2005] All ER (D) 52 (Nov)).

A passing off claim can also be used to prevent false endorsement. In Fenty v Arcadia, well known pop-star and fashion designer Rihanna succeeded in a passing off claim against Topshop who used her image on a t-shirt without permission. The court held that consumers are used to celebrity endorsed merchandise and would therefore believe Rihanna’s brand was associated with Topshop. For an in-depth analysis of this case, see news article: Is Rihanna Topshop ruling a warning for retailers? (Fenty v Arcadia [2013] All ER (D) 410 (Jul)).

A common problem facing claimants in passing off actions is the difficulty in arguing that consumers purchasing clothing for a fraction of the price of the couture original are confused about what they are buying.

In the L’Oreal case the High Court emphasised the fact that there could not be passing off without misrepresentation and consumer deception. See also the comments in Specsavers (L’Oreal SA and others v Bellure NV and others [2006] All ER (D) 39 (Oct), Specsavers International Healthcare Limited and others v Asda Stores Limited [2010] EWHC 2035 (Ch)).

Barriers to successful passing off claims:

• the presence of a different brand name on the defendant’s goods may prevent passing off being established even if the overall style is very similar

• establishing goodwill places a heavy and expensive evidential burden on the claimant. Unlike registered rights there is no presumption that any rights exist

• good evidence of confusion/deception is both difficult and expensive to come by

• goodwill/reputation is difficult to establish in relation to a new design

For further information about passing off, see Practice Note: An introduction to passing off.

Trade mark protection

Registered trade mark protection is an effective way of protecting house brands and logos intended for long term use provided that they have the necessary quality of distinctiveness. A trade mark is the strongest form of IP protection there is since, provided that the brand owner continues using it in respect of the goods and services for which it is registered, once registered it can last indefinitely (TMA 1994).

However, the expense and time involved in obtaining protection and the substantive examination and opposition process means that short term designs/logos or slogans that lack the necessary distinctiveness are not suitable subjects for applications.

While evidence of consumer confusion is useful in trade mark infringement cases, it is not strictly necessary. It is a matter for the judge to decide what the average consumer of the goods or services would have thought about the respective marks; it is quite possible to answer this question without any witness evidence (see the Jack Wills case for a recent example). See the Gina Shoes and French Connection cases for examples of successful infringement claims (Jack Wills Ltd v House of Fraser (Store) Ltd [2014] All ER (D) 09 (Feb), French Connection and others v Fresh Ideas Fashion Ltd and another [2005] All ER (D) 52 (Nov), Gina Shoes Ltd v Medici Ltd [2001] All ER (D) 241 (Jan)).

For further information about trade mark protection, see Practice Note: Application to register a UK trade mark.

Counterfeits

Minimal criminal penalties, under-resourced authorities and elusive defendants can make dealing with counterfeits a frustrating process. Counterfeiting has strong links to organised crime and is a major problem for the fashion industry. The impact of cheap imitations on the value of luxury brands can be significant.

Trading in counterfeits carries both criminal and civil penalties but unfortunately these are not stringent enough to act as a real deterrent (CDPA 1988, s 107, TMA 1994, s 92).

Legal strategies for combating counterfeiting are best used in combination with business tactics. Effective tools include:

• putting in place strong IP protection and clearly notifying third parties of brand owner’s rights

• working closely with authorities such as customs and excise and trading standards to identify and seize counterfeits and where possible prevent them entering the country

• taking advantage of new technologies that make it harder for counterfeiters to copy original labels, etc and make it easier to identify counterfeits

• putting business measures in place to keep tight control over manufacturing and supply chains

• manufacturing in countries where there is more awareness and respect for IP rights

For further information about counterfeiting, see Practice Note: Creating an effective anti-counterfeiting strategy.


Practical points for rights owners

Points to consider include:

• ensure use of appropriate notices of IP rights to prevent claims of innocent infringement

• take full advantage of unregistered rights that arise automatically

• consider the strength of any rights being relied upon. Design rights are not subject to substantive examination and may prove vulnerable to attack. Ownership needs to be clear

• speed is often crucial so consideration should be given to tactics such as applications for interim injunctions or summary judgment. See Dahlia and Jimmy Choo (J Choo (Jersey) Ltd v Towerstone Ltd and others [2008] IP & T 866, Dahlia Fashion Co Ltd v Broadcast Session Ltd and another [2012] All ER (D) 127 (May))

• consider transfer to IPEC to keep costs down (DKH Retail Ltd v Republic (Retail Ltd) [2012] All ER (D) 22 (Apr)).

Avoiding infringement

Avoid the following actions:

• careless use of words/phrases that may be subject to trade mark rights on items of clothing

• close ‘interpretations’ of third party designs. Owners of luxury brands in particular have deep pockets and a lot to lose in terms of brand value. They are likely to have an aggressive enforcement strategy

• being ‘inspired’ by distinctive designs in which design right protection may exist

Get your head out of the clouds

Interviewed by Alex Heshmaty.

Most of us use it every day (possibly without knowing), but what exactly is the ‘cloud’? Andrew Joint, commercial technology partner at Kemp Little, explains the legal challenges posed by this intangible technology and explores the most significant case law in this area.

What is the cloud?

In September 2014 the Daily Mail ran a story regarding the ‘iCloud celebrity photos hack’ which noted that the iCloud uploaded photos:

‘not to an actual cloud--but to a bank of gigantic humming and whirring computers...’

I don’t suppose many people think that cloud computing uses actual clouds but there is still a large amount of uncertainty about what the ‘cloud’ actually is. There isn’t a uniform single definition but in general it is understood that a cloud is used as a metaphor to represent the internet--historically it was used graphically to represent the telephone network. Replacing the word ‘cloud’ with ‘internet’ can sometimes be helpful for understanding the ever expanding jargon that is associated with cloud computing. Cloud computing therefore usually refers to the delivery of IT services over the internet.

What are the dangers of automatic uploading to the cloud (particularly in light of the recent iCloud scandal)?

Good advice will always tell you that, prior to placing any data into the cloud, you should assess whether the confidentiality, criticality or sensitivity of the data means it should be treated differently.

There should be a pre-upload assessment as to whether it is the sort of data which should be placed where the location of the data may not be known and its security can’t be easily checked.

Automatically uploading any data without these sorts of pre-upload assessments means that the wrong sort of data, the highly personal and sensitive sort, might be placed somewhere where it is more vulnerable than it should be. Anything connected to the internet is potentially accessible via the internet.

Who owns data in the cloud?

As cloud data is intangible data, the rules governing its ownership are governed by intellectual property statute, and typically those laws relating to copyright (the Copyright, Designs and Patents Act 1988 in the UK). Copyright is generally owned by the creator/author of the work. Therefore, the data uploaded to the cloud is typically owned by the person looking to upload it to the cloud.

Most cloud service providers are not looking to take ownership of any data uploaded to the cloud--their terms and conditions will normally readily express this. However, inadvertently the operation of a cloud service might manipulate, amend and modify data to best suit the operation of the cloud service--for example, the reconstitution of data into different formats to best suit storage. This can mean that some form of reconstitution of the data is theoretically owned by the cloud service provider (its creator/author).

The terms and conditions with the cloud provider need to deal with this issue and amend this position to avoid an unwanted result.

Who is responsible for the security of cloud data?

Typically it will be the data owner who has obligations to the data in relation to either confidentiality or under data protection legislation. The cloud provider typically won’t have security obligations, unless they are imposed on the provider under contract.

Have there been any significant legal cases involving cloud data?

There have been two really interesting cases involving cloud data in 2014:

Common law lien over cloud data?

In March 2014 the Court of Appeal gave judgment in Your Response Ltd v Datateam Business Media Ltd [2014] EWCA Civ 281, [2014] All ER (D) 156 (Mar). The appeal concerned whether a common law possessory lien can be exercised by a supplier over an electronic database it operated and maintained for a customer, where the customer owed unpaid charges.

The previous judgment had decided that it could, but the Court of Appeal has now decided a common law lien cannot be exercised over intangible data.

The common law concept of a possessory lien--the right to retain another’s property until a claim is met--is well-established. Precedent cited in the case includes reference to cases cited by Lord Ellenborough in Chase v Westmore (1816) 5 M & S 180, [1814-23] All ER Rep 730.

On face value the position presented to the Court of Appeal seemed fairly straightforward. They were asked to extend a right that exists over tangible goods to intangible data--in this case information relating to subscribers of the publisher of a number of magazines, such as their names, addresses, the publications they receive and other information necessary to enable the publisher to operate its business efficiently.

However, the Court of Appeal allowed the appeal and rejected that a common law lien could apply to intangible data.

All the judgments made clear reference to how easy it would be to update 18th century case law to apply to 21st century technology, as Davis LJ said:

‘That appeal to modernism has its attractions: indeed, it was that approach which seems to have decided matters on this issue so far as the district judge was concerned.’

However, all three Lord Justices were not keen to expand the law where there was the potential for significant impact which hadn’t been thoroughly thought through, as Floyd LJ stated, ‘the potential unintended consequences constitute a further reason for not taking the step which we were invited to take by the respondent’.


US jurisdiction over data in Irish data centres

For a number of years, one of the most hotly-debated topics involving cloud computing has been around the security, confidentiality and integrity of the data that is being inputted and stored in the cloud. This being the case, customer focus is often targeted at the measures the cloud provider will implement to ensure data is being held securely. However, one aspect which is sometimes overlooked is the extent to which data that is stored in the cloud is capable of being forcibly disclosed to government and law enforcement agencies.

The US Patriot Act, for example, allows for US governmental surveillance and capture of certain types of data. The US Patriot Act is just one example of the latest evolution of long-standing laws that has permitted various forms of governmental access to personal data and communications in the context of national security and law enforcement. These types of powers are not just confined to the US and are becoming increasingly commonplace across the globe--the UK for example has similar types of legislation in the form of the Regulation of Investigatory Powers Act 2000 and more recently the controversial Data Retention and Investigatory Powers Act 2014. While the extent of these powers varies between countries, they raise the primary question as to whether the jurisdiction in which data is hosted by cloud providers is the only jurisdiction which can forcibly require the disclosure of that data.

Microsoft has recently been involved in this very question. In January 2014, Microsoft announced that, in response to customer concerns over governmental surveillance in the US, it would let its non-US customers choose where their data is hosted, right down to the location of the data centre(s) used.

Shortly before this announcement, in December 2013 a warrant was issued by a magistrate judge of the Southern District of New York following an application on behalf of the US Government under the Stored Communications Act. The warrant authorised the disclosure of data related to a web-based email account that was hosted by Microsoft in Dublin, Ireland.

Microsoft partially appealed the issuing of this warrant to the extent that it related to data stored on servers located outside of the US. However, in April 2014 Judge James C Francis IV denied Microsoft’s motion to set aside the warrant. While the reasoning for the decision was varied, the core theme throughout was concern from the judge that if the court agreed with Microsoft, US-based service providers could circumvent and severely hinder US law enforcement investigations by simply moving data offshore (the judge cited Google’s publicised proposal to create data centres in international waters as an example as to why he could not allow Microsoft’s motion). The judge concluded:

‘Even when applied to information that is stored in servers abroad, an [Stored Communications Act] Warrant does not violate the presumption against extraterritorial application of American law. Accordingly, Microsoft’s motion to quash in part the warrant at issue is denied.’

Microsoft challenged this decision, and was supported by a number of other technology companies that filed briefs in support of Microsoft’s position. In essence, the arguments were that the courts of one country cannot exercise their power unilaterally outside of their territorial jurisdiction. Where they wish to do so, they must follow established international agreements involving the jurisdiction in question, known as mutual legal assistance treaties. If internationally operating US businesses complied with these types of orders, they would breach foreign data protection laws. However, refusing to comply would breach domestic US law, placing these businesses in an impossible position.

On 31 July 2014, the US District Judge Loretta Preska nonetheless rejected these arguments and found in favour of the US government, upholding the warrant. The Judge found that:

‘Congress intended...for ISPs to produce information under their control, albeit stored abroad to law enforcement in the United States [...]. As Judge Francis found, it is a question of control, not a question of the location of that information.’

Following this hearing, Microsoft was provided five days to hand over the emails as per the original order or face being found in contempt of a court order. Microsoft announced shortly after the hearing that it would not be complying with the court order. Microsoft’s executive vice president and general counsel, Brad Smith, continued:

‘The only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process. We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the US and around the world.’

Microsoft’s resistance to the warrant and court orders clearly and openly demonstrates the importance of this topic. Customer concerns about data location, security, access and integrity are genuine and have the potential to make or destroy a cloud business. These were always key discussion points for the cloud, but the last 18 months of news stories regarding government surveillance have heightened awareness of them and their importance.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


Is your app policy compliant?

Interviewed by Evelyn Reid.

A study by the pan-governmental Global Privacy Enforcement Network (GPEN) shows that most mobile app developers are failing to clearly explain how they are collecting, using and disclosing personal information. Gayle McFarlane, director at Wragge, Lawrence Graham & Co, discusses some key concerns and offers tips to ensure compliance.

What are the key issues raised in the study by the pan-governmental GPEN?

I consider myself to be a pretty savvy user of technology. I use an iPad, an Android phone, and my photos are uploaded automatically to the cloud. I’m also a privacy lawyer, and am acutely aware that every time I use one of these services, I am often making a bargain--a free or cheap service in return for the exploitation of my data--but do we really know what that bargain is?

Mobile apps are becoming ubiquitous. We rely on them to keep in touch with friends and family, to store memories: photos, messages, emails. We might use them as a virtual memory--clipping articles from the internet, or reminding us of calendar appointments wherever we are.

They often offer functionality that we’re used to getting from websites. But by the very nature of being on our phone, mobile apps are very well placed to collect a huge amount of additional data about us. Not just approximately where you are, based on your IP address, but exactly where you are using both GPS and triangulation, and it remembers where you’ve been--or even how fast you went. In some cases they will also predict where you are likely to go next. They can hear your telephone calls, know who has been calling you, see images through your camera and hear through your microphone. In many cases, however, they don’t, probably.

What are the key concerns regarding the way that mobile apps use and disclose personal information?

The problem, confirmed by the GPEN’s recent survey, is that app providers don’t do a good job of telling us what they do.

We all know that website privacy notices are often tedious and vague, but they do contain some useful information.

Apps, however, rarely give clear information about how they are going to use your data (only 15% of those surveyed did so), and 59% offered little information about why the data was being collected or how it was being used prior to download.

Part of the problem may be an unhealthy reliance on ‘permissions’. Permissions are the rights to access other services on your phone that an app must request when you download it. According to the survey, almost one in three apps appeared to request an excessive number of permissions to access additional personal information. However, this can be deceiving. When an app asks for a permission to have access to your phone log, it probably doesn’t want to listen to your calls, but it does want to know when you get one so that it can run its app in the background. The mobile OS provider (in most cases Apple or Android) controls the names of these permissions, and they don’t necessarily reflect what will actually be done.

Another problem is format. Mobile phone apps have developed substantially from the original SMS and WAP services, and the screens have grown substantially, and so you would have thought that there would be more room to provide information. However, the survey showed that 43% of apps failed to tailor the privacy statements to the small screen. If provided at all, policies were lengthy and required scrolling or clicking through multiple pages--you might cynically suggest to prevent people from reading them.

What legal issues would this raise for developers?

App developers need to remember that despite their insistence that users don’t want to be bothered by unnecessary information when downloading an app, they are still bound by the requirements of the Data Protection Act 1998 (DPA 1998) in the UK.

One of the founding principles of DPA 1998 is that you may not process personal data unless you have informed the data subject of the purpose of that processing, and processing will not be fair if you have not supplied sufficient information.

There is no grey area here--a failure to comply with the basic principles of DPA 1998 will result in the processing being unlawful, and that fantastic database losing its value very quickly.

It doesn’t have to be difficult to provide this information. App developers do not need to build in lengthy privacy policies, but they do need to inform people in a timely manner (eg before a functionality is switched on or data inputted) about what is going to happen to the information in question. The information should be easily found, and should be brief and easy to read.

How are mobile apps regulated?

Considering privacy when developing an app goes further than just drafting a privacy policy. You shouldn’t collect more information than you need for the functionality that your customer has signed up for. Think carefully about what you might need and make sure you know why.

App providers are also bound by consumer regulations. The overriding message here is also clarity--you must not mislead consumers, make them liable to make extra payments they do not expect, or make things so confusing that they don’t understand what their rights are. The GPEN survey didn’t consider more general compliance with consumer law, but the new Consumer Contracts (Information, Cancellation and Additional Payments) Regulations 2013, SI 2013/3134 which came into force this summer make specific provision for digital content--so app providers will need to be aware of their obligations here too.


Original news

Mobile apps lacking data protection information, LNB News 10/09/2014 140

A survey has found that 85% of mobile apps fail to adequately explain how people’s private information is being used. The survey by the GPEN found a large amount of personal information is accessed by the apps but 85% did not clearly explain how it was collected, used or disclosed.


How can app developers ensure they are compliant with the relevant privacy and consumer legislation?

While enforcement action hasn’t been widespread, the wide use of apps is likely to change that. In any event, market forces are already showing that consumers are interested in an app’s terms and conditions--as the social media outcry about Instagram changing their copyright terms, or the perceived excess permissions requested by the Facebook Messenger app have shown. Getting it right can be a market differentiator, and show your commitment to the community that make your app a success.

What actions should app developers take?

• carry out a basic privacy impact assessment:

- do you need to collect the data you are collecting for the functionality of your app?

- is that functionality worth the invasion of the user’s privacy?

- are you collecting information ‘just because you can’?

- do you have the balance right between function and privacy?

• only collect the data you need, and don’t store it for longer than you need

• allow users to delete data if they no longer want to use the app

• make sure users are well informed:

- don’t ask for more ‘permissions’ than you need

- provide a statement in iTunes, the Play Store, or whatever marketplace you are using explaining why your app needs the permissions it is asking for so that users are informed before downloading the app

- tell the user what you are not using the permissions for--allay their fears

- ensure that when personal data is provided by a user (directly by inputting text, or indirectly by using a function of the mobile device), you inform the user of what that data will be used for--consider using in-app statements which provide ‘just-in-time’ notification to the users at the appropriate times rather than a privacy policy

- use plain English--make it as simple as you can

- don’t tell users what they don’t need to know--if it’s truly obvious, don’t waste the space

- consider ‘layering’ your privacy information--make important or unusual information prominent, and provide links to more detail if required

• if your app is aimed at children, minimise the data you collect--this is a high risk area

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.


LexisLibrary

Instant online access to a comprehensive collection of key intellectual property and information technology titles.

Commentary

• Atkin’s Court Forms (Commentary)
• Carter Ruck on Libel and Privacy
• Cook: Pharmaceuticals Biotechnology and the Law
• Duncan & Neil on Defamation
• Electronic Evidence
• Encyclopaedia of Forms and Precedents (Commentary)
• Fysh, Roughton, Johnson and Cook: The Modern Law of Patents
• Halsbury’s Laws of England
• Laddie, Prescott and Vitoria: The Modern Law of Copyright and Designs
• Morcom, Roughton and St Quintin: The Modern Law of Trade Marks
• Stair Memorial Encyclopaedia
• Sykes: Intellectual Property in Designs

Precedents

• Atkin’s Court Forms
• Tolley’s Commercial Contracts Checklists
• Encyclopaedia of Forms and Precedents
• Fysh, Roughton, Johnson and Cook: The Modern Law of Patents (Precedents)

Primary law

• All England European Cases
• All England Law Reports
• All England Reprints
• All England Reprints Extension
• Appeal Tracker, Practice Directions and Court Information
• Bill Tracker
• Butterworths E-commerce and Information Technology Law Handbook
• Butterworths Intellectual Property and Technology Cases
• Butterworths Intellectual Property Law Handbook
• Halsbury’s Laws Annual Abridgment Intellectual Property Digests (1995-1998) (archive)
• IP & T Digests (archive)
• IP/IT EU and International Legislation (archive)
• Reports of Patent Cases (a selection from 1936)
• UK Parliament Acts
• UK Regulatory Materials Summaries
• EPO Boards of Appeal Decisions
• OHIM decisions
• United Kingdom Intellectual Property Office Decisions

Journals

• Bio-Science Law Review
• Communications Law
• Compliance and Risk
• Data Protection Ireland
• Freedom of Information
• International Journal of Law and Information Technology
• International Review of Intellectual Property and Competition Law
• Journal of International Commercial Law and Technology
• New Law Journal
• Privacy and Data Protection
• The Journal of Law and the Biosciences
• The Journal of Media Law

International content

• Getting the Deal Through

User Benefits:

• More relevant expert opinion and commentary than any other legal research service.

• Up to 555,000 individual cases available to search from the home page.

• Fast delivery of new and updated legislation.

To find out more about LexisLibrary, or to have a free trial, visit lexisnexis.co.uk/IPMag/LIBRARY


Lexis Webinars

Sports Law

Forthcoming Webinars

Here is the schedule of forthcoming webinars for this practice area.

• 26th Nov 2014 15:30 Taxation and image rights
• 11th Dec 2014 15:30 Doping

On Demand Webinars

Here is a list of previously broadcast webinars that are now available on demand.

• 29th Oct 2013 15:30 Dealing with the economic downturn – the impact on sport
• 20th Nov 2013 15:30 Sport and broadcasting
• 24th Feb 2014 15:30 Sports broadcasting - media rights digital content
• 4th Mar 2014 15:30 Financial Regulation in sport
• 25th Mar 2014 15:30 Integrity and match-fixing
• 19th May 2014 15:30 Sports sponsorship and ambush marketing
• 25th Jun 2014 15:30 Dispute resolution in sport
• 23rd Sep 2014 15:30 Sport and EU law

Hot Topics

Forthcoming Webinars

Here is the schedule of forthcoming webinars for this practice area.

• 21st Oct 2014 12:30 Drafting effective commercial contracts
• 28th Oct 2014 12:30 Data Protection following Google

On Demand Webinars

Here is a list of previously broadcast webinars that are now available on demand.

• 6th Nov 2013 12:30 Cybersecurity – what are the obligations?
• 15th Nov 2013 12:30 Big data – legal implications
• 26th Sep 2014 12:30 Intellectual property and competition law

Information Technology

Forthcoming Webinars

Here is the schedule of forthcoming webinars for this practice area.

• 19th Nov 2014 12:30 How to manage disputes and keep workflow going
• 3rd Dec 2014 12:30 How to manage your online presence

On Demand Webinars

Here is a list of previously broadcast webinars that are now available on demand.

• 17th Oct 2013 12:30 Cloud-based solutions – addressing the risks
• 19th Nov 2013 12:30 Public procurement of IT
• 13th Feb 2014 12:30 Update on IT contracts
• 6th Mar 2014 12:30 Legal issues for mobile apps
• 29th Apr 2014 12:30 How to mitigate the risks of open source software
• 12th May 2014 12:30 Latest developments in privacy and data protection
• 12th Jun 2014 12:30 Legal issues in social media
• 11th Sep 2014 12:30 Latest developments in public procurement
• 14th Oct 2014 12:30 Outsourcing, insourcing and crowdsourcing

Intellectual Property

Forthcoming Webinars

Here is the schedule of forthcoming webinars for this practice area.

• 7th Nov 2014 12:30 IP licence disputes
• 4th Dec 2014 12:30 Surveys and witness gathering in trade mark and passing off cases

On Demand Webinars

Here is a list of previously broadcast webinars that are now available on demand.

• 4th Oct 2013 12:30 Rights in databases and data
• 29th Nov 2013 12:30 Enforcement of IP
• 3rd Feb 2014 12:30 Liability of ISPs and other intermediaries
• 17th Mar 2014 12:30 Image rights and passing off
• 4th Apr 2014 12:30 The Unified Patent Court
• 9th Jun 2014 12:30 Keyword advertising and use of trade marks online
• 12th Jun 2014 15:30 Linking and framing on the internet
• 26th Jun 2014 12:30 IP and social media
• 18th Jul 2014 12:30 IP and competition law
• 12th Sep 2014 12:30 Trade secrets and confidentiality
• 30th Sep 2014 12:30 Brand protection and ICANN’s new gTLD programme
• 10th Oct 2014 12:30 The future of designs

To find out more, visit lexisnexis.co.uk/IPMag/WEBINARS


To find more free updates and comment:

Visit our blog: lexisnexis.co.uk/IPMag/BLOG

And follow us on Twitter: @LexisUK_IPIT

Reed Elsevier (UK) Limited trading as LexisNexis. Registered office 1-3 Strand London WC2N 5JR Registered in England number 2746621 VAT Registered No. GB 730 8595 20. LexisNexis and the Knowledge Burst logo are trademarks of Reed Elsevier Properties Inc. © LexisNexis 2014 1014-024. The information in this brochure is current as of October 2014 and is subject to change without notice.