Talking Olympic advertising

In a recent post, I discussed the laws prohibiting advertising activity round Olympic venues in the summer.

One of the affected venues is the Ricoh Arena in Coventry, which will be renamed the City of Coventry Stadium for use in Olympic football matches. Shane O’Connor from BBC Radio Coventry & Warwickshire interviewed me at 7.40 this morning to talk about the law behind these advertising restrictions. Here’s a recording of our conversation:

Data protection: out with the old, in with the new

The widely-trailed revision to EU data protection law has been unveiled today by the European Commission, who have proposed a “comprehensive reform” to EU data protection legislation.

The fundamental change is moving from national laws made under a harmonising directive, to a single regulation which will apply directly across Europe. While it’s going to take a little while to work through all the details – and the proposal still has to be discussed and ratified by EU member states and the European parliament – the key changes as summarised in the Commission’s press release are:

  • A single set of rules on data protection, valid across the EU.
  • Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
  • Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.

In addition, there will be a new directive to “apply general data protection principles and rules for police and judicial cooperation in criminal matters”.

The “right to be forgotten” has been the most widely-publicised measure under consideration, and will certainly raise some tricky practical issues. However, I suspect that the biggest practical impact will come from the requirement for explicit consent, where consent is required. At present, certainly under UK data protection law, a lot of reliance is placed on implied consent; see, for example, the Information Commissioner’s guidance on the new cookies law, as discussed in a previous post. Explicit consent will greatly increase the practical burden on many businesses.

The new law, if adopted, will come into force two years after it is adopted, giving businesses and other organisations time to prepare for the new regime.

Photographic copyright: higher but wider?

The IP Kat blog has an interesting discussion of copyright infringement of photographs.

To cut a long story short, the High Court was asked to judge on whether copyright in the following image (created by a Mr Fielder, with the copyright owned by Temple Island Collections):

was infringed by the following image (used by New English Teas on the packaging for one of their products):

The court decided that the answer was yes, since the creators of the second image had been aware of the existence of the first image, and were unable to show they hadn’t copied it.

The case highlights a couple of points of general application.

1. Copyright in photographs

The court confirmed that a photograph will only attract copyright if it is the photographer’s own “intellectual creation”, and the judge suggested three aspects which could make a photograph “original”:

  • “specialities of angle of shot, light and shade, exposure and effects achieved with filters, developing techniques and so on”;
  • “creation of the scene to be photographed”;
  • “being in the right place at the right time”.

In this case, the court had no difficulty finding that the first image was Mr Fielder’s own intellectual creation, by reason of its composition and the visual contrasts involved. However, this is a long way from the traditional English law approach in which (as one IP textbook puts it) “pointing the camera at a subject and pressing the shutter” was considered enough to gain copyright protection.

This suggests that many photographs over which copyright is asserted may in fact fall outside the scope of its protection – though elements such as “being in the right place at the right time” would still seem to cast the net quite widely.

2. Infringing copyright in photographs

Again the traditional approach has been that infringing copyright in a photograph involved actually reproducing that photograph (or a substantial part of it). There was nothing to stop you taking your own photograph which happened to incorporate the same features as another image. As the IP Kat observes, this does seem to extend the scope of protection for photographs to include “an idea, a lay-out or a scheme for such a photograph”.

For this reason, it may be that the losing party in this case will hop on the next bus (sorry…) to the Court of Appeal. In the meantime, though, this case highlights some interesting issues in what can be a very sensitive area for photographers: on the one hand confirming that the bar for copyright protection is higher than previously thought, but on the other suggesting that the scope of protection, if acquired at all, may be wider than previously thought.

Cookies: the rules become clearer

Businesses and other website operators looking for a belated new year’s resolution should take a look at the revised guidance on the use of cookies (PDF) issued by the Information Commissioner’s office just before Christmas and start thinking about how to comply.

Launching the guidance, the Information Commissioner said that businesses “must try harder” in preparing to comply with the new law, which came into force in May 2011 and will be fully enforced from the end of May 2012. More constructively, the revised guidance sets out some practical measures which websites can adopt to help ensure compliance with the new law.

The new law requires websites to obtain prior, informed consent from users before placing cookies on those users’ computers or mobile devices. As the new guidance puts it, before setting cookies you must:

  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.

The only exception is where the cookie is “strictly necessary” for technical reasons. The guidance confirms that this is a narrow exception, and will not (for example) cover cookies used for analytics or to tailor a greeting when a user returns to a site.

As a start point for compliance, the ICO guidance recommends a three-step approach:

  1. Check what type of cookies you use and how you use them.
  2. Assess how privacy-intrusive your use of cookies is.
  3. Decide how to obtain consent from users.

The more privacy-intrusive your use of cookies is, the more you will need to do in order to inform users and get their consent.

Providing information

The ICO recommends that cookie information should not simply be hidden behind a link saying “Privacy policy”. Instead, links should either read “Privacy and cookies”, say, or there should be a separate link for information on cookies. The guidance gives several examples of how to make this information more prominent.

Inferring consent

One very helpful suggestion made by the ICO is that consent to placing could be inferred if a user continues to use a website after being told of the use of cookies. This would involve some kind of pop-up notification when the user first visits the site, with a confirmation that a cookie has been set if the user then continues on to another page without clicking the “refuse cookies” link.

I suspect that this approach will prove highly popular with websites, given it avoids the problem experienced by websites that require positive consent such as ticking a box before placing cookies. One analysis suggested that only around 5% of users of the ICO’s website (which follows this tick-box approach) were agreeing to cookies – a figure which would have been ruinous for many websites.

However, inferring consent does still require a clear message to be displayed to first-time visitors. It is not enough to rely on a general “Privacy and cookies”-type link.

Opportunities for consent

The ICO guidance also suggests that websites look out for opportunities to obtain positive consent from users. One opportunity comes where new registered users are asked to agree to its terms and conditions as part of the sign-up process – though existing registered users will need to be told about any change to the terms to allow for cookies.

Other opportunities may come where users set preferences or use new features for the first time: for example, a notice saying “We will use a cookie to remember this”, with a link to the cookies policy.

Analytics cookies

Analytics cookies – often for Google Analytics – are one of the most widespread types of cookie. The ICO’s position on analytics cookies is that they are not technically essential for websites, so consent will be required for them.

The ICO recognises that in some cases it is not practical to obtain consent before setting analytics cookies, as these are often set the moment a user first visits the site. However, in that case information on the use of cookies must be highlighted clearly on the site.

Having said all that, the ICO does drop a large hint that it does not regard analytics cookies as posing a serious risk to privacy. In the very last paragraph of the 27-page guidance document, they state that “it is highly unlikely that priority would be given to focusing on uses of cookies where there is a low level of intrusiveness” – which includes “first party cookies used only for analytical purposes”, provided clear information is given on the site.

Third party and advertising cookies

Third party cookies, especially those used for online advertising, are the most problematic from a privacy point of view. The ICO’s research suggests that even well-informed internet users are unaware of the distinction between first party and third party cookies – that is, cookies used by someone other than the website owner.

Information on the use of third party cookies will need to be clearly set out as part of informing users and obtaining consent. Both the website owner and the third party will want to ensure that their respective obligations are clear: if you run an advertising-supported website, you will want to ensure that the advertising provider is obliged to provide accurate and complete information on their use of cookies (so that you can put this in your own cookies information); conversely, the advertising provider will want to ensure that participating websites are compliant with the law, as otherwise this will put the advertising provider themselves in breach.

The guidance acknowledges, though, that third party cookies remain “one of the most challenging areas in which to achieve compliance”, given the higher privacy concerns over such cookies and their critical importance to online advertising.

Conclusion

It remains to be seen how the new law will operate in practice. Levels of compliance remain woefully low, so it is hard to discern any “best practice” emerging at present. However, the ICO’s guidance does at last suggest some practical ways in which websites can comply with the law without losing the benefits of using cookies.