Intellectual property

i Brand search

The key intellectual property rights that will form part of a franchise business concept are trademarks; domain names; copyright – particularly in respect of materials such as the operations manuals, website and social media text and advertising, marketing and promotional literature – and database rights. To a lesser extent patents, design rights and image rights may play a role in the franchise business concept.

As copyright is a non-registrable right the key registered (or registrable) right is the trademark, or the franchisor's brand rights as they are commonly referred to. For the franchisor looking to register its trademarks in the United Kingdom and the EU, the recommended searches are, with respect to registered trademarks, the centralised systems offered on the trademarks section of the UK Intellectual Property website and the trademarks section of the European Union Intellectual Property Office (EUIPO) website (for European Union trademarks, or EUTMs).

Searches should be carried out for both identical and similar marks and consideration given as to whether the trademarks are being used against identical or similar goods and services to those of the franchisor.

It is also recommended that general internet searches be carried out to check what trademarks are being used in the public domain, particularly those that are not registered and thus not identifiable on the trademark registers but that could still pose a threat to the franchisor's trademarks because of their use in the public domain.

If the franchisor's trademark is not registered and there are no registered trademarks identified through the searches that are identical or similar to that of the franchisor's trademark, an application for registration should be made as quickly as possible. If, however, searches identify that there are already registered trademarks identical or similar to that of the franchisor, the franchisor could be at risk of having infringement proceedings brought against it for the use of its trademark and should therefore stop all use of its trademark and consider what changes could be made to its trademark so that the mark cannot be deemed identical or similar to any others currently registered. The new trademark should then be registered to ensure it is protected going forwards.

In addition to carrying out regular trademark searches, it is advisable – particularly so that expensive opposition, invalidity or infringement proceedings can be avoided – that a trademark-watching service be set up to ensure that the franchisor or franchisee is continually notified of any potentially conflicting trademarks that other parties are applying to have registered with one of the trademark registries. The cost of such a service varies depending on the search criteria, in particular the number of trademarks required to be watched and what trademark classes need to be covered.

With regards to domain name searches, there is no centralised system as there is for trademarks. It is, however, possible to check whether a domain name has been registered using a WHOIS service.

ii Brand protection

To protect the franchisor's brand it is important that the franchisor's trademarks and domain names are correctly registered.

For UK trademarks, applications are made to the UK Intellectual Property Office (UKIPO). For franchisors looking at additional expansion in Europe it is advisable to obtain (depending on the precise European markets that a franchisor is looking to promote and provide its goods and services in) an EUTM, which provides trademark protection in each Member State of the EU. An EUTM application is made to the EUIPO in Alicante, Spain. Alternatively, an international registration can be applied for (specifying the individual countries in which it is desired to protect the trademarks) through the World Intellectual Property Organisation (WIPO) under the Madrid Protocol.

The franchisor will need to determine which of its goods and services should be subject to registered trademark rights for the purposes of the franchise business and provide a description of each. It is often advisable to seek the advice of a specialist trademark solicitor when preparing the trademark application, in particular which goods and services should be included in the trademark specification. For UK and EU trademarks registered with the UKIPO and the EUIPO respectively, the classification system is divided into different classes, with goods in classes 1 to 34 and services in classes 35 to 45.

It is important to ensure that the franchisor's registered trademark specifications are sufficiently broad to cover all the goods and services currently offered by the franchise business to ensure that no other entity can use identical or similar trademarks in relation to identical or similar goods and services, thus causing the consumers of the franchise business to be confused as to the origin of the goods and services being offered to them. The trademark specification should also cover goods and services that the franchise business might be looking to expand into in the future and thus not limit the direction of the franchise business.

In relation to domain names, as with the searches, there is no centralised system for domain name registration, therefore registration of a domain name is carried out through a registrar. There are a large number of registrars and the choice of registrar will be determined by price, reputation for reliability and other services offered such as website hosting, and domain name portfolio management. A domain name is registered for a set period (for example, two years) and will have to be renewed once that period is up.

iii Enforcement

There is an array of potential protection techniques for enforcing intellectual property rights (IPRs), as well as protection in the event that a franchisor's franchisee (or master or developer) infringes the franchisor's IPRs. A number of IPR enforcement strategies are, however, equally applicable to the scenario in which an independent third party infringes the franchisor's IPRs.

Part of an effective strategy is to ensure that the franchisor's IPRs are correctly protected in the first place.

Contractual provisions

In addition to formal or registered protection for IPRs such as trademarks, domain names, patents and designs (as discussed above) a well-drafted franchise agreement should provide the franchisor (at least in terms of its franchise network) with contractual protection against infringement of its IPRs by franchisees.

As a minimum, the franchise agreement should include:

  1. an appropriately worded grant of rights clause defining the extent and limits of the franchisee's right to use the franchisor's IPRs;
  2. confidentiality provisions obliging the franchisee to only use and disseminate the franchisor's IPRs, know-how and confidential information to the extent necessary for the operation of the business;
  3. IPRs clauses regarding the franchisee's permitted uses of the franchisor's IPRs, together with express provisions regarding non-infringing use of the IPRs and how infringement actions are to be dealt with; and
  4. provisions regarding the collection, use and sharing of data and related database rights.

In addition to the above in-term provisions regarding the appropriate use of IPRs and materials featuring IPRs, it is important that the franchise agreement expressly details appropriate post-termination or expiration provisions regarding a terminated or expired franchisee's non-use of the franchisor's IPRs, including debranding obligations and timelines for so doing.

Operational and organisational methods

Closely tied in with and backed up by contractual provisions should be certain operational and organisational measures, including:

  1. initial and ongoing training emphasising key messages regarding the use of IPRs, know-how and confidential information;
  2. appropriate confidentiality, copyright and no copying notices on key operational documentation, including the manual – as well as technical and IT safeguards for such operational information as the franchisor makes available online;
  3. template stationery and promotional materials provided by the franchisor to ensure that the franchisor's IPRs are used in the correct manner; and
  4. appropriate policies and training regarding the franchisee's use of branded email accounts and branded social media.

Legal enforcement

With regard to enforcement for registered trademarks, if 'cease-and-desist'-style letters fail to resolve the issue, then a franchisor can seek injunctive relief to stop the infringing use by the franchisee (or third party) together with a claim for damages or an account of profits unlawfully made by the franchisee. In determining whether injunctive relief should be granted the court will have regard to the balance of convenience between the parties' interests and the prospect of unquantifiable or irreversible harm (or both).

With unregistered trademarks, a claim can be brought under the common law for the tort of 'passing off'. The franchisor will be required to establish that:

  1. it has goodwill in its unregistered marks;
  2. the franchisee has made misrepresentations to customers or prospective customers that amount to a false imitation of the franchisor's branded goods or services; and
  3. as a consequence of the franchisee's actions, the franchisor has suffered loss (i.e., loss or diversion of business).

As passing-off actions tend to be more complex and costly as compared with relatively simple trademark infringement actions, well-advised franchisors tend to invest in a brand protection (including searches) and registration programme at the outset.

In respect of domain name actions, proceedings can be initiated against cybersquatters and others infringing trademarks through use of a domain name. The relevant rules and procedure differ depending on the type of domain name. For example, disputes over .com, .net and .org domain names are governed by the ICANN Uniform Domain Name Dispute Resolution Policy (UDRP) and by the Nominet Dispute Resolution Service policy. Disputes under the UDRP are heard by a number of tribunals, for example, WIPO.

Disputes in relation to UK domain names are heard by the Nominet Dispute Resolution Service. Domain name dispute resolution proceedings are generally simple and low cost. Proceedings are conducted on paper and hearings are extremely rare.

With regard to the protection of IPRs such as copyright and items such as know-how and confidential information, much like with trademarks, the franchisor's enforcement options will initially start with correspondence between the franchisor's and franchisee's legal advisers, which, if unsuccessful, may result in an application for an injunction by the franchisor and depending on the nature of the franchisee's conduct, a subsequent court-based trial to determine the franchisor's possible remedies.

iv Data protection, cybercrime, social media and e-commerce

After a period of incremental development, the laws that regulate data protection, privacy and security in Europe have undergone considerable change.

For many years the key pieces of data protection and privacy legislation in the EU were Data Protection Directive 95/46/EC (the Data Protection Directive) and Privacy and Electronic Communications Directive 2002/58/EC (the ePrivacy Directive). The former regulated all personal data processing, the latter electronic and telephone direct marketing, the use of online tracking technologies such as cookies and a number of other communications issues.

In May 2018, the Data Protection Directive was replaced by Regulation (EU) 2016/679 – the General Data Protection Regulation (GDPR). While the GDPR did not have to be implemented by domestic legislation in EU Member States, it affords a significant degree of leeway for Member States to supplement, and derogate from, various provisions. The United Kingdom has implemented this by passing the Data Protection Act 2018 (DPA 2018).

A pan-EU replacement for the ePrivacy Directive has been expected for some time; however, at the time of writing, its progress through the legislative process has been slow. It is increasingly unlikely that it will be passed before the United Kingdom is scheduled to leave the EU in March 2019. It therefore remains to be seen how the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (which currently implement the ePrivacy Directive) will be updated once the EU's replacement for the ePrivacy Directive has been finalised.

An introduction to current obligations under the GDPR and DPA 2018

The GDPR and DPA 2018 impose obligations upon franchisors and franchisees with respect to any personal data that is processed by them or on their behalf. They also grant data subjects rights in respect of their personal data.

Personal data is information that relates to an identified or identifiable living person, such as a customer, member of staff or a supplier. The laws impose obligations on data controllers (those who alone or jointly determine the purposes and means of processing personal data), and data processors (those who process personal data on behalf of data controllers, such as their suppliers). In many situations, franchisors and their franchisees will each process personal data as a data controller, but the specifics of data processing arrangements will need to be reviewed to determine the precise role of each.

The GDPR has introduced significant new obligations and much higher fines than were previously imposed under the Data Protection Directive – the maximum fine that can be imposed under the GDPR is a figure equivalent to the greater of 4 per cent of the non-compliant data controller or processor's worldwide turnover or €20 million.

Franchisors and franchisees will have to notify the UK Information Commissioner's Office of their data processing activities and pay an annual registration fee, which is calculated with respect to their annual turnover.

Other obligations include the requirement to abide by the data protection principles. For instance, this will mean ensuring that notice is given to relevant individuals about what data will be collected, with whom the data will be shared and how the data will be used. Also, data controllers must ensure that they can point to a lawful basis for their personal data processing activities, such as: for the purposes of fulfilling a contract; the legitimate interest of the controllers or a third party; or because the data subject's consent has been obtained. The data should not be used in any other way that is incompatible with the specified purposes, and appropriate steps should be taken to ensure that data is accurate, is kept secure and only for as long as necessary, and does not go beyond what is necessary to meet the purpose.

Individuals will obtain significant new rights under the GDPR and DPA 2018, including the right to demand, in certain circumstances, that their personal data is transferred to a replacement service provider (the 'right to data portability'), rights in respect of automated decisions and the right to demand erasure (the 'right to be forgotten').

The GDPR and DPA 2018 have also introduced a requirement for data breaches to be proactively notified to regulators and to individuals affected by the breach. The terms of this notification are onerous with controllers obliged to notify the regulator without undue delay and, in any event, within 72 hours of the controller having become aware of a breach.

New accountability or data governance measures will also have to be implemented by data controllers and data processors, including running data protection impact assessments, audits, policy reviews, activity records and (in certain prescribed circumstances) the obligation to appoint a data protection officer. Where a data processor is engaged to process personal data, a long list of provisions set out in the GDPR must be agreed in writing in favour of relevant data controllers. Where two or more data controllers act jointly to agree processing activities, they must enter a written agreement confirming their respective responsibilities for meeting the obligations imposed by the GDPR and the DPA 2018.

Another significant requirement of the GDPR and DPA 2018 relates to international transfers of personal data. If such data is being made available from the United Kingdom to a third party located outside the EEA, then the UK organisation (i.e., most typically a UK master franchisee or developer) will have to consider the data transfer restrictions, which only allow transfers to a country that ensures adequate data protection for the rights of data subjects (measured against the protections offered under EU data protection laws). Transfer adequacy mechanisms such as standard contractual clauses or certification schemes (e.g., the US–EU Privacy Shield) approved by the European Commission are options.

Taking all the above points together, franchisors and franchisees would be well advised to review their contractual and operational procedures to ensure that they have appropriately amended these to comply with the changes that Europe's new data protection laws have brought.


On 19 July 2016, the European Parliament published its Directive on network and information security across the EU (the Cybersecurity Directive). The Cybersecurity Directive is the first comprehensive piece of EU legislation addressing the area of cybersecurity risk. Its objective is to achieve a high level of commonality of approach in the way that Member States address the urgent need to improve security in networks and information systems. Following the publication of the Cybersecurity Directive, Member States had until 9 May 2018 to implement the Directive in national law, and a further six months thereafter to declare for their jurisdiction the identities of 'operators of essential services'. In the United Kingdom, the Directive was implemented on 10 May 2018 in the form of the Network and Information Systems Regulations 2018 (NISRs).

The NISRs apply principally to two categories of organisation: (1) operators of essential services (OES) and (2) relevant digital service providers (RDSP). The United Kingdom's enactment of the Directive includes a number of compliance obligations and carries material sanctions for non-observance. It is therefore important for businesses to determine whether they qualify as an OES or an RDSP, or both.

An RDSP is an operator that provides (1) an online search engine, (2) cloud computing service, or (3) an online marketplace. It should be noted that the NISRs do not apply to RDSPs that are considered small or micro businesses, which are companies employing fewer than 50 people and with an annual turnover or balance sheet total below €10 million. The operator must also offer its services within the EU and be headquartered in the United Kingdom or have nominated a UK-based representative.

The NISRs detail the sectors in which OESs are identified by the UK government, which include energy, transport, health, drinking water supply and distribution, and digital infrastructure where the relevant entity provides a service that is essential for the maintenance of critical societal or economic activities; the provision of the service is dependent on network and information systems; and an incident affecting the network and information systems of that service would have significant disruptive effects on its provision. The NISRs also provide detailed thresholds to ensure they apply only to material operators.

The requirements of the NISRs for RDSPs and OESs include the need to take appropriate and proportionate technical and organisational measures to manage risks to network and information systems. They also require the relevant entities to take appropriate and proportionate measures to prevent and minimise the impact of incidents that affect security of the networks and information systems used, with a view to ensuring continuity of those services.

The NISRs impose reporting obligations requiring RDSPs to report 'any incident having a substantial impact on the provision of any of the [relevant] digital services'. Similarly, OESs are required to report any incident that 'has a significant impact on the continuity of the essential service which that OES provides'. In each case, organisations must report the incident to the competent authority within 72 hours of the incident occurring.

While the legislation focuses on RDSPs and OESs, it is inevitable that suppliers to those entities will be contractually drawn into compliance as the entities pass down their own compliance obligations to their supply chains.

The sanctions regime for breach is significant, with competent authorities having rights to serve information notices, conduct inspections, and serve enforcement and penalty notices. The ultimate fine available under the NISRs is £17 million for a 'material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in immediate threat to life or significant adverse impact on the United Kingdom economy'.

Whether franchisors will be affected or not by the NISRs, what should they be doing now?

Key concepts:

  1. accept that a cybersecurity incident is a matter of 'when', not 'if';
  2. stop regarding cybersecurity as solely an IT issue;
  3. balance your approach between prevention and preparation for when an incident occurs;
  4. adopt a multidisciplinary approach, including: IT and IT forensics, legal and compliance, and PR; and
  5. do not seek to address cybersecurity resilience without simultaneously looking at compliance with the requirements of the GDPR, and vice versa.

Action points:

  1. establish your cybersecurity team – with senior board engagement;
  2. review your current cybersecurity technology and, if necessary, implement data monitoring and behaviourally based detection systems;
  3. prepare a cyber-response strategy – cyber-response plan, cyber-response teams and reporting mechanisms;
  4. train and test; and
  5. review cybersecurity-related insurances.

Social media

When the franchisor or franchisee posts personal data on a social networking site, message board or blog, or downloads personal data from one of these sites, they must ensure they have complied with the GDPR (and, for marketing materials, the CAP code). Anyone running an online forum or downloading personal data for business purposes should take the following steps:

  1. have clear acceptable-use policies;
  2. clearly inform individuals (by way of a privacy notice) how their personal data will be used. Where an intended practice is unusual, unexpected or particularly invasive, it may be necessary to draw specific attention to this use – such as through the use of pop-ups and other more active notices;
  3. consider whether you require consent – and whose consent to get. For example, posting sensitive information (such as data concerning health, race, ethnicity, political or religious views, criminal activity or sexual orientation) or any information that is particularly embarrassing is likely to need prior consent. You may also need consent if you use an individual's name or likeness for promotional purposes. Where posts or data relate to children, parental consent may be required;
  4. give individuals the opportunity to opt out or correct inaccurate information. Individuals must have access to easy-to-find procedures to dispute the accuracy of posts and ask for them to be removed. Organisations must respond to such requests quickly (and at the latest within one month) and have procedures to remove or suspend access to content at least until any disputes have been settled; and
  5. before downloading information from a third-party website, check that site's terms of use. Many websites have anti-scraping policies that prohibit the collection and re-use of information from their sites. Where the information contains personal data, the risk is not just that there could be a commercial claim; violating a third party's terms of use could cause the franchisor or franchisee to run afoul of the GDPR.

Franchisors should also consider whether they want to manage social media platforms on behalf of their franchisees or place restrictions on franchisees' use of social media (such as requiring pre-approval of the platforms, profiles and any trademarks or brand logos being used; ensuring compliance with all laws and relevant codes of practice, including the GDPR, relevant laws and codes on advertising such as the CAP code; mechanisms to take down content at the franchisor's request or following a third-party complaint; and obligations to comply with the franchisor's social media policy). The level of control a franchisor wishes to exert – which to a large extent will depend on the franchisor's level of resources – will thereby determine the level of brand consistency for the franchise business across the internet, including on social media.