1. Back from the dead? DEA initial obligations code DOA no more

Ofcom has published a revised version of the Initial Obligations Code for ISPs and copyright owners in an effort to tackle online copyright infringement as per the provisions of the controversial Digital Economy Act.


In 2010, the outgoing Labour Government passed the Digital Economy Act ("DEA"), including a number of controversial provisions designed to tackle online copyright infringement.

The DEA inserted amendments to the Communications Act 2003 to create two new obligations for ISPs. These are referred to as the "initial obligations". Essentially, they require ISPs to:

  • notify subscribers (i.e. internet users) if the IP addresses associated with them are reported by copyright owners in an copyright infringement report ("CIR") as being used to infringe copyright; and
  • keep track of the number of CIRs about each subscriber, and compile, on an anonymous basis, a list of those subscribers who are reported on above a certain threshold. This list is referred to as a "Copyright Infringement List".

The DEA further provided that the implementation and regulation of these initial obligations must be set out in a code to be published by Ofcom.

In May 2010, Ofcom published its draft Initial Obligations Code for consultation. However, progress was subsequently delayed whilst BT and Talk Talk instigated a judicial review of the legality of the DEA copyright provisions as a whole.

As a result, Ofcom has only recently published a revised version of the Initial Obligations Code (the "Revised Code"). Despite numerous stakeholder responses to the original draft code, there has been little development of the fundamental principles set out therein. Given the divergent nature of many of the responses, this is perhaps unsurprising. Nevertheless, several notable amendments have been made by Ofcom to "tighten-up" the code, some of which are examined in more detail below.

The Code

The term ISP has been redefined by Ofcom in the Revised Code so that only ISPs providing fixed internet access supplying services to 400,000 or more subscribers will be subject to the obligations. Consequently, the Revised Code will initially only apply to the likes of BT, Talk Talk, Virgin Media, O2, Everything Everywhere and Sky. In contrast, mobile network operators and providers of Wi-Fi services will not be subject to the Revised Code. This amendment was made on the basis that the costs of participation for such providers would be disproportionately high compared to the expected low reduction in overall levels of online copyright infringement that participation would bring. It should also alleviate the concern of those worried that the provision of open-access wireless internet (e.g. in coffee shops) may attract liability under the DEA for "allowing infringement."

Secondly, Ofcom has introduced several changes to the evidence gathering procedures required to be followed in relation to copyright infringement reports ("CIRs"). The DEA prescribes the information that a copyright owner should put in a CIR when the owner wants to report a copyright infringement. Under the Revised Code, copyright owners may only send a CIR if they have gathered evidence in accordance with approved Ofcom procedures which give reasonable grounds to believe that:

  • a subscriber to an internet access service has infringed the owner's copyright by means of the service; or
  • has allowed another person to use that service and that person has infringed the owner's copyright by means of that service.

The procedural requirements around CIRs have also been amended. Ofcom had initially proposed that CIRs must be sent to the ISPs within ten days of the evidence of infringement being gathered. This timeframe has now been amended to one month. Similarly, the timeframe for ISPs to send a notification to the relevant subscriber has also been extended to one month from ten days. The Revised Code requires CIRs to be submitted by copyright owners in electronic format and using a standard form. However, the form of the notification from ISPs to subscribers has been amended in the Revised Code so that ISPs are now required to post all notifications to subscribers using first class mail.

Finally, Ofcom has also removed ISPs discretion under the code to reject CIRs based upon their "reasonable opinion" that a CIR is invalid. Consequently, an ISP's discretion as to how to respond to CIR requests from copyright owners has been significantly narrowed.

Next Steps

The Revised Code will make interesting reading for both ISPs and copyright owners, who will be required to comply with its provisions. Ofcom anticipates that the Revised Code will appear in its final form in 2013, with the first CIRs being sent in 2014. Separately, the Department for Media, Culture and Sport has also announced that it will seek to repeal sections 17 and 18 of the DEA as it believes them to be unnecessary. These sections contain reserve powers to allow courts to order that access to websites dedicated to copyright infringement be blocked.

A copy of the Revised Code is available here.

  1. ECJ finds that UsedSoft can sell used soft(ware)

The ECJ has delivered its judgment in the Oracle v UsedSoft case in relation to the application of the principle of exhaustion to software licences.

In the case, UsedSoft resold Oracle software licences. Oracle brought proceedings against the company, arguing that its resale of these pre-owned licences for downloadable Oracle software amounted to a breach of Oracle's copyright.

Under Article 4(1) of the Software Directive (2009/24/EC), the owner of copyright in a computer program has an exclusive right over distribution to the public, although this protection is 'exhausted' following the first authorised sale of the program within the EU. UsedSoft argued that this principle of exhaustion meant that its practices of reselling second-hand software licences did not amount to a breach of Oracle's copyright. In contrast, Oracle maintained that the principle of exhaustion did not apply, because Oracle's customers had only been granted a right to download its software from the internet, rather than being sold a tangible object.

In its judgment, the ECJ held that

  • Provision of software over the internet by Oracle did amount to a first sale, and so did exhaust Oracle's distribution rights. Oracle could not prevent its customers or UsedSoft from further distributing its software.
  • The download of software via the internet was a sufficient first sale and transfer of ownership of property required for exhaustion of the distribution right, where the licence was for a right to use the copy of the software for an unlimited period in return for payment.  There was no relevant distinction for exhaustion of the distribution rights between downloaded software and that provided on a CD or other physical medium.
  • Acquirers of used licences were lawful acquirers and could reproduce the software without infringing Oracle's reproduction rights.  The contractual provision seeking to restrict transfer was void.
  • On resale, the original licensee must make his copy of the software unusable, or Oracle's reproduction right would be infringed.  

This decision will not please software licensors, as it gives a green light to the business of selling-on software licences within certain parameters.

For further information on this judgment, please see our IP Newsflash available here.  

  1. Commission consults on take-up of take-down procedures

In addition to the provisions of the UK Digital Economy Act designed to tackle online copyright infringement (see feature article above), the European Commission has also published a consultation on the "notice and take down" procedures used to inform online service providers of illegal content on the internet.

The eCommerce Directive (2000/31/EC) seeks to prevent Member States from imposing penalties on ISPs in relation to content that they do not create or monitor. It also seeks to prevent Member States imposing obligations on ISPs that might compel them to police illegal activity on their service.

In particular, the eCommerce Directive provides that online service providers may not be held liable for illegal content that they "host" on condition that:

  • the provider does not have 'actual knowledge' of illegal content and is not 'aware' of facts or circumstances from which the illegal content is apparent; or
  • the provider, upon obtaining such knowledge or awareness acts 'expeditiously' to remove or disable access to the content.  

This rule forms the basis for so-called "notice-and-action" procedures. These procedures start whenever someone "notifies" a hosting service provider about illegal content on the internet. The procedures are concluded when an online intermediary acts against the alleged illegal content. Acting may take the form of removing or disabling access to the illegal content.

The European Commission has now issued a questionnaire, seeking "an updated vision of stakeholders" on how they perceive the current rules. In its questionnaire, the Commission asks for views on which service provider should be responsible for removing or disabling access to illegal material where more than one such provider is said to be hosting it. It also asks for views on what form takedown notices should take and how best to avoid legal content being removed following takedown requests.

The consultation will end on 5 September 2012 and the European Commission will use the results to help formulate its future proposals on notice-and-action procedures.

A copy of the consultation is available here.  

  1. Taking the bite out of cookies rules? Article 29 Working Party considers cookie exemptions

On 7 June 2012, the Article 29 Data Protection Working Party adopted an Opinion on "Cookie Consent Exemption" regarding the requirement for informed consent vis-à-vis the use of cookies and similar technologies.

In November 2009, amendments to the European "ePrivacy Directive" (2002/58/EC) introduced a requirement for informed consent to be obtained from subscribers in relation to the use of cookies and similar technologies, for example, on websites. The changes were required to be implemented by Member States by May 2011, and were implemented in the UK via the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. However, it is worth noting that the amendments have not yet been implemented by all Member States and the European Commission has commenced enforcement proceedings against those Member States who have not yet complied with the implementation deadline.

The new rules allow some cookies to be exempted from the requirement of informed consent if they satisfy one of the following criteria:

  • the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • the cookie is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.  

The Working Party's analysis has looked at the type of cookies which may fall within these exemptions and identified certain cookies, provided that they are not used for additional purposes. Such exempt cookies include user-input cookies (used to keep track of the user's input when filling online forms or a shopping cart) and multimedia content player session cookies.

The Working Party also provides some guidelines in relation to the analysis of cookies for the purpose of the exemptions:

  • when applying the "strictly necessary" exemption, it is important to examine what is strictly necessary from the point of view of the user not the service provider;
  • if a cookie is used for several purposes, it can only benefit from an exemption to informed consent if each distinct purpose individually benefits from such an exemption; and
  • first party session cookies are far more likely to be exempted from consent than third party persistent cookies.

A copy of the Working Party Opinion is available here.  

  1. Data Protection Unprotected? Revised Data Protection Regulation leaked

A revised version of the European Commission's January 2012 draft Data Protection Regulation has been leaked showing the changes suggested by Member States.

The revised draft has been produced by the Council of the European Union and is marked up to show changes proposed by Member States. It is prefaced by a general observation that "almost all" Member States considered that the proposed Regulation deferred too many decisions to be made at a later stage by way of delegated legislation.

The revised draft only shows changes to the first 10 Articles of the Regulation, but the changes are broadly speaking in favour of data controllers. Interesting highlights of the revised draft include:

  • Definition of Personal Data: The definition of personal data has been broadened to include information relating to an "identifiable" natural person. However, a carve-out has been introduced so that if identification requires a disproportionate amount of time, effort or material resources, the natural living person shall not be considered identifiable.
  • Definition of Health Data: The definition of health data has been narrowed to only include such information related to health which reveals significant information about health problems, treatments and sensitive conditions of an individual.
  • Consent: The revised draft makes it clear that consent will not provide a legal basis for processing where there is an imbalance between the parties which makes it unlikely that consent was freely given. In the footnotes, the draft shows that the UK had suggested removing this provision and including a recital instead to say that the existence of imbalanced situations should be taken into account in determining whether consent is freely given and informed.
  • Exemptions: The revised draft extends the carve-out from the Regulation for processing concerning public security, defence, and State security (including the economic well-being of the State when the processing relates to State security matters).  

The draft Regulation is scheduled for a first reading in the European Parliament in January 2013.

A copy of the leaked revised Regulation is available here.  

  1. Cloudy with prolonged DP showers? Article 29 Working Party publishes Cloud Computing opinion

The Article 29 Working Party has published an opinion on various data protection issues relevant to cloud computing service providers operating in the European Economic Area.

The opinion outlines how the Working Party believes that the wide scale deployment of cloud computing services can trigger a number of data protection risks. These risks mainly relate to a lack of control over personal data, as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed.

The Working Party concludes that businesses wishing to use cloud computing should first conduct a comprehensive and thorough risk analysis and cloud providers offering services in the EEA should provide the cloud client with all information necessary to rightly assess the pros and cons of adopting such a service.

The Working Party recommends that organisations should select a cloud provider that guarantees compliance with EU data protection legislation and that any contract between the cloud provider and the cloud customer should include sufficient guarantees in terms of technical and organisational security measures. The Working Party further recommends that cloud customers should verify whether the cloud provider can guarantee the lawfulness of any cross-border international data transfers. In relation to the US in particular, the Working Party said that companies cannot rely on cloud providers' "self-certification" that they comply with Safe Harbor standards.

Although not binding, the data protection risks and recommendations suggested by the Working Party in its opinion may not provide much comfort for customers currently seeking to take advantage of cloud services.

A copy of the Working Party opinion is available here.