The Electronic Communications Privacy Act (ECPA) Applies to Any Data Stored in the USA


The US Court of Appeals has ruled that the ECPA, an American law, protects the data of non-USA citizens when their data is stored on servers in the USA.


Suzlon Case

The Korean firm Suzlon Energy Ltd wanted Microsoft to disclose email documents belonging to an Indian citizen that were stored on a server in the USA. Suzlon argued that the emails were not protected from disclosure by the privacy protections of the ECPA, as these applied only to US citizens.

The US court determined that the ECPA covers “any person” and not just US citizens. Part of the reason for this was the impracticality of expecting Microsoft to assess whether or not account holders were US citizens when receiving a disclosure request. Accordingly, the court decided that the ECPA applied to any documents stored in the USA.

Increased Protection for Data?

Following this decision, any data stored in the USA will be protected by the provisions of the ECPA, regardless of the citizenship of the data owner. This may help to alleviate some of the concerns being raised in Europe about the inadequacy of data protection provisions in the USA. However, if the server on which the data is stored is located outside the USA, the data will not be protected.

On a practical level, data owners often have no idea where their data is actually stored, so this rule may be of little assistance in protecting it. Service providers, for their part, will need to know exactly where all data is stored in order to respond correctly to disclosure requests.

Proposed Change to Liability for Online Comments

The Joint Committee on the Defamation Bill, a Parliamentary committee reviewing proposed new UK defamation laws, recommends that web hosts and ISPs should be allowed to keep allegedly defamatory comments online, as long as the author of the comment is identified and a notice of complaint is published alongside the comment.

Current Law

Currently, web hosts and ISPs must immediately remove online comments upon gaining actual knowledge that the comments are defamatory, i.e. when they are informed that the comments are defamatory or when they moderate comments on the website. Failure to remove defamatory comments exposes the web host or ISP to a claim for damages for defamation.

Under the provisions of the E-Commerce Regulations, web hosts can currently avoid liability for defamation if they act as a mere conduit, cache or host of material. This generally covers service providers who:

  • do not initiate the transmission of defamatory comments;
  • do not select who receives the comments; or
  • do not select or modify information in the transmission of the comments.

Proposed Changes

Because of this, many service providers do not moderate comments or content on websites, so as to avoid having “actual knowledge” of defamatory comments. In order to remove this disincentive to moderate, the Parliamentary committee has proposed different rules for dealing with defamation, depending on whether or not a comment is made anonymously.

Anonymous Comments

Upon receipt of a complaint, a web host or ISP should immediately take down anonymous comments unless:

  • the ISP believes that it is in the public interest for the material to remain on the website, e.g. whistle-blowing; or
  • the author promptly responds positively to a request to identify themselves, in which case a notice of complaint should be posted alongside the comment instead.

Anonymous authors of comments can be sued for defamation if they can be identified, and web hosts or ISPs that refuse to take down anonymous material can also be sued.

Identified Author Comments

Upon receipt of a complaint, a web host or ISP should:

  • publish a complaint notice beside the comment; and
  • then have a judge decide whether or not the comment should be removed.

Liability

If web hosts and ISPs comply with the above, they should not be liable for online comments. However, if they fail to comply, anonymous authors of comments can be sued for defamation if they can be identified, and hosts or ISPs that refuse to take down anonymous material could also be sued as publishers of the material.

Escrow Agreement needed when providing Software via a Website?

As a website operator, you may want to consider offering escrow agreements to your customers, particularly if you run SaaS (software as a service) applications via your website that are critical to your customers' business.

What is Escrow?

Escrow refers to a third party holding a copy of the software source code on behalf of the customer and the supplier.

What is an Escrow Agent?

An escrow agent is a third party who stores a copy of the software source code. The escrow agent will release a copy of the source code to the customer if any of the events set out in the escrow agreement occur.

Why use Escrow?

This is usually a customer-driven requirement, arising from the fact that the source code for the SaaS software, the expertise to implement it and the rights to the software are only licensed to, and not owned by, the customer for the term of the SaaS agreement.

Customers are concerned that the supplier may:

  • fail to maintain the software;
  • transfer ownership of the intellectual property rights in the software;
  • become insolvent; or
  • become unable to carry on supporting and maintaining the software for some other reason.

By having an escrow agreement in place, the customer has the right to continue to use the software if the supplier is in default of its obligations under the SaaS agreement, e.g. it no longer operates the website.

Advantages of an Escrow Agreement

Having an escrow agreement in place protects all parties involved in the development, supply and use of business-critical SaaS applications. It provides customers with peace of mind about the long-term availability of a critical software application by enabling them to update the software and fix any bugs even if the supplier is no longer able to support it.

Disadvantages of an Escrow Agreement

Having the right to use the software under an escrow agreement is in reality of little use if the customer does not have the know-how and resources to actually use, maintain and support the source code itself.

Also, setting up and maintaining an escrow agreement is relatively expensive. Escrow costs are usually paid by the customer.

Google Analytics, German Customers and Extra Privacy Statement Requirements

If your website uses Google Analytics and you provide services to customers based in Germany, you are now required to provide specific information to users in order to comply with recent changes to German data protection law.

Google Analytics and German Data Protection

Google Analytics collects statistics about website users by “tracking” an individual's use of a website. This information is then made available to website operators free of charge. Following an agreement between Google and the German data protection authorities, it is now the responsibility of website operators to implement certain measures when using Google Analytics.

Making your Website Compliant

Under German data protection law, website users must be able to stop user profiles being created and prevent their complete IP address from being saved, unless they have specifically consented to this. If you are a website operator, you now need to include the following in your privacy policy:

  • inform users that you use Google Analytics; and
  • advise users that they can turn off Google Analytics tracking in their browser settings.

In addition, you should use the Google software option that masks the IP address of the user; the Google Analytics blog post on this subject explains what website owners can do.
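As an added example (not from the original post and not Google's own code), the snippet below shows where the IP-masking option sits in a Google Analytics page configuration and reproduces, for illustration only, what that option does to an address: Google's documentation states that with IP anonymization enabled, the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero before the address is stored. The `anonymize_ip` key (gtag.js) and `anonymizeIp` setting (analytics.js) are real options; the tracking ID is a placeholder, and `maskIp` is a local re-implementation written here to show the effect, not code from the library.

```javascript
// Added example: Google Analytics IP masking and its effect on an address.
// The tracking ID is a placeholder, not a real property.

// 1. Configuration side. With gtag.js the option is `anonymize_ip`; the page
//    passes the returned object as gtag('config', trackingId, options).
//    (With the older analytics.js library the equivalent is
//    ga('set', 'anonymizeIp', true).)
function analyticsConfig(trackingId) {
  return {
    trackingId,          // placeholder, e.g. 'UA-XXXXXXX-Y'
    anonymize_ip: true,  // ask Google to truncate the IP before it is stored
  };
}

// 2. What the option does, reproduced locally for illustration: the IPv4
//    last octet, or the IPv6 last 80 bits (five 16-bit groups), become zero.
function maskIp(ip) {
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);               // all eight groups
    return groups.slice(0, 3).concat(['0', '0', '0', '0', '0']).join(':');
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('not an IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// Expand a "::" abbreviation into eight groups and drop leading zeros,
// so that masked output is in a single canonical form.
function expandIpv6(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const missing = 8 - h.length - t.length;
  if (missing < 0) throw new Error('not an IPv6 address: ' + ip);
  return h.concat(Array(missing).fill('0'), t).map(g => g.replace(/^0+(?=.)/, ''));
}

// Constructed sample addresses (documentation ranges, not real visitors).
console.log(maskIp('203.0.113.57'));                 // 203.0.113.0
console.log(maskIp('2001:db8:85a3::8a2e:370:7334')); // 2001:db8:85a3:0:0:0:0:0
console.log(analyticsConfig('UA-PLACEHOLDER'));
```

The point for a site operator is the configuration half: the masking is applied by Google on receipt of the hit, so the only thing the page controls is whether the option is set. The `maskIp` function is there to make concrete what "masking the IP address" removes, which is what the German requirement about the complete IP address is concerned with.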

Application to UK and US Websites

Although this is a German data protection issue, if your website is directed at German customers, or the majority of your customers are located in Germany, it is advisable to make these changes in order to avoid any potential breach of German data protection law.

Website – Recommended Legal Requirements

Following on from my previous article on the mandatory legal requirements for UK websites, I recommend adding the following non-mandatory information to your website.

Terms of Use/Disclaimer

Set out the rules applicable to persons using and accessing the goods and services on your website. For example, state who may access the website, e.g. consumers, businesses or over-18s.

You should also aim to limit your liability for information on the website. For example, state which law applies, your limits on liability, etc. However, note that you cannot exclude or limit certain liabilities in particular circumstances, particularly in relation to consumers, and to injuries caused by or defects in your goods and services.

Copyright Notice

Protect the information on your website by inserting a copyright notice: “© company name 2010. All rights reserved.” Without this notice, it may be difficult in some countries to take action against a copyright infringement.

Mandatory Legal Requirements - a shortened list is shown below; the full mandatory requirements are set out in the following article.

  • About Us/Contact Information
  • Registration under the Data Protection Act
  • Privacy Policy
  • Disabled Access to your Website
  • Trade Marks and Logos
  • Copyright
  • Online Payment

Website – Mandatory Legal Requirements

Does your website comply with the various legal requirements in the UK? Below, I have set out the main UK legal requirements that you should currently be complying with.

About Us/Contact Information

You must provide the following information in an easily accessible position on your website:

  • your legal name, e.g. XYZ Ltd
  • your geographical address
  • contact details, e.g. telephone number, fax number and email address
  • which country your business is registered in and the registration number
  • details of any supervisory body which regulates your business, e.g. the FSA (for regulated bodies more detailed information is required)
  • whether you are registered for VAT and your VAT number
  • clear details of prices and whether or not delivery and/or tax is included

Registration under the Data Protection Act

If you collect any personal data on your website (e.g. the email address, name or address of a living individual), you will be processing personal data and must register as a data controller under the Data Protection Act. It is a criminal offence not to register.

Privacy Policy

If you are collecting, storing or processing personal data, you need to set out how and why you are doing this in order to comply with the 8 principles of the Data Protection Act. In particular, if you are sending marketing emails to potential customers, you need to ensure that you have obtained specific consent BEFORE such emails are sent. Consent should be covered in your privacy policy and in the registration process on your website.

Disabled Access to your Website

If you offer goods or services on your website, you need to make it accessible to disabled users. Level 1 compliance with the W3C standard will usually suffice.

Trade Marks and Logos

Do not use other people's trademarks or logos on your website without their consent, or you could be liable to pay damages for trademark infringement.

Copyright

Do not use other people's content on your website without their consent, or you could be liable to pay damages for copyright infringement. If you link to other people's content, make sure that this is permitted by their terms of use and ensure that the linked information opens in a new frame.

Online Payment

If you accept online payment for goods or services, you must provide customers with specific information about their right to cancel, VAT and prices, refunds and defective goods PRIOR to the sale being concluded.

Summary

The above are examples of the main legal requirements for websites in the UK. This is a very complicated area of law, and the specific rules that apply to you will depend on what goods and services you are offering, whether you are acting BTB (business to business) or BTC (business to customer), where you are based, where your customers are located and many other factors.

When E-Discovery breaches data protection

Under English or American law (or any other common law system), you or your company may be ordered by a court to identify and disclose not just physical documents but also electronically stored information (ESI) as part of the litigation process. This can apply to you even if you are not a party to the court proceedings.

Location of the ESI

Data is often stored or replicated in an external hosting centre, within a software application (particularly SaaS software) or in a corporate data centre. If numerous data centres are used, they are usually in different physical locations, which may be in various countries. A court order to disclose data may well conflict with the compliance and privacy requirements that apply to the data in the countries in which it is actually held. However, for the purposes of complying with a court order, the actual location of the data and the local rules applying to its storage cannot be used as a reason to refuse disclosure.

For example, in AccessData Corporation v ALSTE Technologies GmbH, a US court ordered a German company to disclose emails stored in Germany as part of the disclosure process in a court case, although the company argued that this breached the German Data Protection Act.

Compliance Issues

In order to protect yourself against the above scenario, you should include clauses in your terms and conditions that permit you to comply with requests for disclosure of both physical and electronic information pursuant to court orders. If you hold data on behalf of customers, you should also try to exclude liability for a technical or any other type of failure to comply properly with a disclosure request that they forward to you.