This IT & Outsourcing e-bulletin contains summaries of the following recent developments in law and regulation in the EU and the UK:  

  1. Going straight to the Source: Judgment on escrow and access to source code
  2. Through the Looking Glass: ICO wants more transparency in outsourcing
  3. Going Stale? Report investigates average age of website cookies
  4. Making a nuisance of yourself: New law to deal with nuisance calls  

1. Going straight to the Source: Judgment on escrow and access to source code

The interpretation of various clauses of a commercial master services agreement, including the intellectual property and escrow provisions, to determine whether or not the claimant ("FilmFlex") was entitled to delivery up of the source code to an online delivery platform (the "Platform") developed and maintained by the defendant ("Piksel") have been considered in a recent High Court judgment which provides important practice points for those involved in the drafting of IT and IP agreements (FilmFlex Movies Ltd v Piksel Ltd [2015] EWHC 426 (Ch) (24 February 2015)).

Business Impact

  • Escrow: Whilst not a determining factor on the facts of this case, it is nonetheless advisable for parties to ensure that the release events set out in any escrow agreement mirror any specific trigger events provided for in the main commercial agreement. This will save the parties from arguments as regards order of precedence of the agreements.
  • Access to source code: In order to avoid confusion, when granting access rights in relation to software, the parties should consider ensuring that the agreement either specifies delivery up of source code and/or the purpose for which access is required (being a purpose for which delivery up of the source code is necessary).
  • Definitions: The definition of "intellectual property rights" does not need to specifically include the words "source code". However, the parties should consider whether or not to include such words or else make it clear in the purpose of the licence that delivery up of a copy of the source code would be necessary.


FilmFlex, a video-on-demand service provider had entered into a Master Services Agreement ("MSA") with Piksel, pursuant to which Piksel would design, build and maintain the Platform used by FilmFlex in the delivery of its services to clients. The Platform performed a number of functions for FilmFlex, including delivering the video content itself, managing which content is available to each of FilmFlex's clients, and interfacing with the billing systems of those clients so that they could incorporate the fees for viewing video content into the bills for their individual end customers. Herbert Smith Freehills advised on the drafting and negotiation of the MSA.

The MSA was entered into in June 2012 and included specific provisions in relation to: (i) the ownership and licensing of intellectual property rights in the Platform; (ii) the escrow arrangements in relation to elements of the software being developed (including the circumstances which would trigger the release of the source code for the software from escrow); and (iii) additional access rights in relation to the software.

An Escrow Agreement was subsequently entered into by the parties and NCC Group Escrow Limited ("NCC") as the escrow agent in November 2012. This agreement also included "release events", pursuant to which the source code deposited would be released from escrow. However, the release events contained in the Escrow Agreement did not mirror the trigger events separately set out in the MSA.

In September 2014, FilmFlex asked Piksel for a copy of the source code to the Platform. Piksel provided a file which it believed complied with the request but which FilmFlex claimed was functionally useless. In November 2014, FilmFlex appointed a third party developer to work on developing the Platform (a trigger event under the MSA), but Piksel refused to provide the source code. FilmFlex subsequently sought delivery up of the source code and related materials, and damages for breach of contract.

The Judgment

Mrs Justice Rose DBE found in favour of FilmFlex. The judgment raises several interesting points from a drafting and interpretation perspective.

Escrow Agreement: The judge found that, although the release events listed under the terms of the Escrow Agreement did not mirror the trigger events listed in the MSA, they were not inconsistent with each other. The broader trigger events in the MSA (including the specific event which had been triggered by FilmFlex appointing a third party developer) dealt with the obligations of FilmFlex and Piksel as and between themselves to bring about release of the source code. In contrast, the release events listed in the Escrow Agreement dealt with the circumstances in which FilmFlex could unilaterally demand release of the source code from the NCC.

Although none of the release events in the Escrow Agreement had been satisfied, there was an implied additional requirement for NCC to release the source code where both FilmFlex and Piksel agreed that it should be released. FilmFlex was therefore entitled to require Piksel to procure NCC to release the source code pursuant to the trigger event in the MSA which had been satisfied. In addition, it did not matter that the Escrow Agreement had been entered into after the date of the MSA. Piksel had argued that the narrow terms of the Escrow Agreement superseded the broader terms of the MSA. However, the judge found that there was no evidence to suggest that that was the case.

The meaning of "access": The case considered the meaning of the term "access" pursuant to a provision of the MSA which provided that FilmFlex, in addition to circumstances in which the MSA trigger events were satisfied, would have "access" upon request to the source code throughout the term of the MSA. Piksel had argued that "access" did not entitle FilmFlex to a copy of the source code. However, the judge found that what is included in a right of access to something must depend upon the nature of the thing and the purpose for which access was given. If a contract gives one party access to certain material and the scope of that material is defined as including everything necessary to carry out certain specific activities, then it makes sense to construe the access granted as including whatever is needed to carry on those activities. In this instance, given that FilmFlex was granted the right to use, reproduce, modify or enhance the software, it must not only be able to look at the source code but also have a copy of such source code that it could use.

Intellectual Property ownership and licensing: The final aspect of the case considered whether the terms of the intellectual property licence in the MSA also entitled FilmFlex to delivery up of a copy of the source code from Piksel. Counsel for Piksel argued that omission of the words "source code" from the scope of the licence and subsequent use of the words in the escrow provisions meant that source code was only relevant to escrow. The judge however disagreed that such significance should be attached to the precise phrase "source code" and looked instead at the purpose for which the licence was granted. Under the terms of the MSA, the intellectual property licence granted to FilmFlex allowed it to carry out various activities (use, copy, modify) which, according to the unchallenged evidence of the expert witness put forward by FilmFlex, could only sensibly be carried out if FilmFlex had a copy of the source code.

To view a copy of the judgment, please click here.   

2. Through the Looking Glass: ICO wants more transparency in outsourcing

The Information Commissioner's Office ("ICO") has published a document highlighting the need for greater transparency when it comes to public sector outsourcing. The document, "Transparency in outsourcing: a roadmap" looks at the question of how to achieve greater transparency about services and functions outsourced by public authorities and the role that the Freedom of Information Act ("FOIA") plays in this.

It is estimated that expenditure on outsourced public services accounts for about half of the £187 billion that the government (including the NHS and local government) spends on goods and services. In a survey carried out for the ICO, 75% of people said it was important that private companies acting on behalf of public authorities should be subject to FOIA. FOIA currently allows people to request information held on behalf of a public authority. This can include information held by contractors, but it can be complicated to define precisely what that means in particular cases.

The report focuses on why transparency in outsourcing matters, and highlights four key steps to greater transparency:

  • Better contracts: A fundamental problem in relation to FOIA requests in an outsourcing content is whether or not a contractor is holding information on behalf of a public authority. Whilst the report acknowledges that one approach to solving this problem could involve legislative change, it advises public authorities and contractors to better consider the issue at the outset of their relationship and in their contracts.
  • Transparency by design: When the contract is being drawn up, the public authority and the contractor should agree what types of information are held on behalf of the public authority and set out the responsibilities of both parties in relation to how requests are handled.
  • Legislation: The ICO feels that there is a strong case for designating outsourced services as falling under FOIA when they are of significant monetary value and long duration (e.g. over £5 million in value or continuing over 5 years). This would involve a change in legislation and would therefore be a decision for government to make.
  • Standard contract terms: It has been suggested that, rather than making legislative changes, standard contract terms could instead be used to maintain levels of transparency. The ICO suggests improving the requirement in standard contracts such as the Model Services Contract so that the FOIA clauses include a requirement for proactive publication of certain information, including the contract itself and performance against KPIs.

The ICO has also produced a separate document on outsourcing and transparency, which gives practical guidance for public authorities.

To view a copy of the Roadmap, please click here

To view a copy of the Guidance Document, please click here.   

3. Going Stale? Report investigates average age of website cookies

An international survey into cookies has been conducted by the UK Information Commissioner's Office ("ICO") in conjunction with other privacy regulators from the EU Article 29 Working Party.

Cookies are small files that websites store on browsing devices for multiple purposes. 'First party' cookies are set by the website visited, which can record the user's preferences, or the contents of their shopping basket or count visitor numbers. Meanwhile, 'third party' cookies are set by some websites to record how the user interacts with other websites.

The use of cookies in the UK is governed by the Privacy and Electronic Communications Regulations ("PEC Regulations"), which were amended in 2011 to great fanfare and industry consternation as businesses tried to work out how to comply with rules requiring them to get consent from website visitors to store or retrieve any information on a computer, smartphone or tablet.

The survey involved an automated and manual examination of 478 websites by eight privacy regulators from the European Article 29 Working Party and other national regulators who have responsibility for enforcing the rules on cookies. The key findings of the survey were that:

  • the average website places 34 cookies on the first visit (UK average is 44, the highest of any country surveyed);
  • 70% of cookies placed are third party;
  • 86% of cookies placed were persistent (remain on the device after use) as opposed to session cookies (removed after the single browsing session);
  • and the average cookie expires after 1-2 years, but some were set for 10 or 100 years, and in three cases for 7,984 years.

In respect of regulatory compliance, the survey found that 94% of UK websites provided a proper level of information on how cookies were used, comparing favourably to the survey average of 74%. The 'cookie information banner' approach was used by 59% of websites surveyed.

The ICO noted that organisations should think carefully about the justification of cookies which outlive the device on which they are placed, and the users that they track. Despite this, the ICO commented that the results show that UK organisations are performing better on average than their European counterparts, but that further action is being contemplated in relation to those websites that continue without proper privacy information on cookies.

To view a copy of the report, please click here.   

4. Making a nuisance of yourself: New law to deal with nuisance calls and texts

The Government has published the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 (the "Revised PEC Regulations") to make it easier for firms responsible for nuisance calls and text messages to be penalised with fines of up to £500,000.

Following its consultation in 2014, the Government has published the Revised PEC Regulations. These Regulations will come into force on 6 April 2015 and remove the need to prove "substantial damage or substantial distress" in respect of a serious breach of regulations 19 to 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which relate to unsolicited direct marketing calls, texts and emails, automated calls, fax messages, identification of sender (when concealed) for email, and the information regulations.

The change will make it easier for the Information Commissioner’s Office to take action against offenders and issue monetary penalties – which can be up to £500,000.

The Government has also said that it is going to look at whether the powers the Information Commissioner's Office has to hold to account board level executives for such behaviour are sufficient. This follows a report from a Which?-led task force last December, which called for a review of the rules in order to act as a stronger deterrent to rogue companies.

To view a copy of the Revised PEC Regulations, please click here.