Singlelaw www.singlelaw.com - Eversheds Sutherland

September 2016 • Volume 24 • Number 8

Europe’s law and practice update for specialists in information technology

Editorial

While recently clearing out over 25 years of legal articles in about 30 volumes, IT Law Today’s editor, who was also the editor then, discovered some 1992 issues of IT Law Today (then “Applied Computer and Communications Law”). It was interesting to note how similar the topics then were to those today, even if technology has moved on. From competition law (IBM and Microsoft then) to disclosure issues and hacking offences, the same issues arise month after month. In this September 2016 issue Adi Elliot, VP, Market Planning, Epiq Systems, looks at eDisclosure. Simon Jones, Partner at Eversheds, looks at outsourcing, an issue which is always relevant to readers. Taylor Wessing look at the newly agreed EU Network Information Security Directive which entered into force in August 2016 – Directive 2016/1148. Data protection law is never far from most readers’ minds and this issue contains an article from Pepper Hamilton LLP on the newly agreed “privacy shield”. Hannah Mitchell of Shoosmiths looks at a court decision holding that marketing computer software as a commercial agent did bring protection under the 1993 agency regulations. Given that this issue follows the gap after the joint summer issue, it has been expanded to more pages in order to give readers all the developments which they need.

Susan Singleton

IN THIS ISSUE

• In the news: Cartier International v BskyB; Customs Notice 34: intellectual property rights; CMA issues final decision in online cartel case
• Where next for eDisclosure?
• The flexible solution for outsourcing contracts
• EU Court Rules That Royalties for Unpatented Technology Are Not Necessarily Anticompetitive
• Network Information Security Directive
• The European Commission Formally Adopts the Privacy Shield
• Google’s comparison shopping and advertising-related practices
• Moving with the Times – the Commercial Agents Regulations 1993

In the News

Cartier International v BskyB

CA upholds site-blocking injunction

The Court of Appeal has given judgment in Cartier International and Others vs BSkyB and others [2016] EWCA Civ 658. The court followed the High Court in agreeing that Cartier might force major ISPs to block access to websites selling fake Cartier products. See http://ipkitten.blogspot.co.uk/2016/07/breaking-court-of-appeal-of-england-and.html and www.twobirds.com/en/news/articles/2016/uk/court-of-appeal-upholds-site-blocking-injunctionfor-brand-owners.

Customs Notice 34: intellectual property rights

HMRC have published a revised version of Notice 34: intellectual property rights, which cancels and replaces the November 2012 version. The Notice has been amended to update the contact details of the Intellectual Property Authorisation Unit and correct a few minor issues. Notice 34 can be found at www.gov.uk/government/publications/notice-34-intellectual-propertyrights/notice-34-intellectual-property-rights.

Editorial board Jagvinder Kang, Director Technology Law Alliance Graham Hann, Partner and Head of Technology, Taylor Wessing Richard Kemp, kempitlaw

Susan Singleton Editor

IT Law Today • July/August 2016

CMA issues final decision in online cartel case

In August the CMA issued a formal decision that two online sellers of posters and frames broke competition law. This follows the announcement on 21 July 2016 that Trod Ltd had admitted agreeing with GB eye Ltd (trading as ‘GB Posters’) that they would not undercut each other’s prices for posters and frames sold on Amazon’s UK website (see below).

The Competition and Markets Authority’s (CMA) decision imposes a fine on Trod of £163,371 for its participation in the cartel. GB eye received immunity, having reported the cartel to the CMA and co-operated with the investigation. Trod, based in Birmingham, and GB eye, based in Sheffield, sold licensed sport and entertainment merchandise and related products, with popular images from the sport and entertainment world, such as One Direction and Justin Bieber. The arrangement applied to posters and frames sold by both parties on Amazon Marketplace via Amazon’s UK website from 24 March 2011 (at the latest) to 1 July 2015 (at the earliest).

The July announcement said: “An online seller has agreed to accept a fine after admitting using automated repricing software to implement an illegal cartel. Trod Limited has admitted agreeing with one of its competing online sellers, GB eye Limited (trading as ‘GB Posters’), that they would not undercut each other’s prices for posters and frames sold on Amazon’s UK website. The agreement was implemented by using automated repricing software which the parties each configured to give effect to the illegal cartel. Trod, based in Birmingham, and GB eye, based in Sheffield, sold licensed sport and entertainment merchandise and related products, including posters, frames, badges, stickers and mugs, with popular images from the sport and entertainment world, such as One Direction and Justin Bieber.
The cartel applied to posters and frames sold by both parties on Amazon Marketplace via Amazon’s UK website from 24 March 2011 (at the latest) to 1 July 2015 (at the earliest). Amazon Marketplace is an online retail platform that allows retailers to sell their products directly to end consumers via Amazon’s websites. Following an investigation by the Competition and Markets Authority (CMA), Trod has agreed to accept a fine of £163,371 for taking part in the cartel. This is after deducting a 20% discount to reflect the resource savings to the CMA as a result of Trod’s admission and co-operation with the CMA’s investigation. Provided it continues to co-operate and complies with the other conditions of the CMA’s leniency policy, GB eye will not receive a fine, having reported the cartel to the CMA and co-operated with the investigation, in accordance with the CMA’s leniency policy. Amazon itself was not involved in the cartel and has not been investigated by the CMA”.

Stephen Blake, Senior Director and head of the CMA’s Cartels and Criminal Group, said: “The internet is an increasingly important way in which people buy products or services in their everyday lives. Online marketplaces such as Amazon allow sellers to sell their goods directly to consumers, who often benefit from more choice and lower prices as a result. Online pricing tools, such as automated repricing software, can also help sellers compete better, for the benefit of consumers. In this case, however, the parties used repricing software to implement an illegal agreement to deny consumers these benefits. Sellers on online platforms need to be aware that agreeing with each other to limit price competition in this way is illegal and can have serious consequences for the companies and individuals involved. The CMA is committed to tackling such anti-competitive behaviour, which jeopardises online markets and consumer trust in e-commerce. Making sure online and digital markets are working effectively is a particular priority for the CMA. Earlier this year, the CMA investigated two cases where suppliers admitted illegally restricting the prices at which retailers could sell their products online.”

Where next for eDisclosure?

eDisclosure (or eDiscovery as it is known in the U.S.) can be defined as the identification, collection, review and production of electronically stored information (ESI) in response to litigation or regulatory investigation. For example, if a company is suspected of wrongdoing and is investigated by a regulatory body, it will need to work with its legal team to access and review any supporting information such as emails, text messages and telephone calls, in order to support its case or build its defence. eDisclosure is the process of searching for that information, reviewing it to determine which information is relevant and then disclosing the information as required.

Proliferation of data

Several aspects of modern working life are making eDisclosure an increasingly complex operation. Indeed data is erupting from email accounts, smart phones, tablets, social communities, and search engines; it crosses borders, takes new forms, and is housed in virtual clouds. Each employee is likely to send and receive multiple e-mails per day. And each email is likely to cross the desktops of dozens if not hundreds of individuals. That data is then archived and replicated, and grows exponentially. An IDC (International Data Corporation) study estimates digital information will double every two years between now and 2020 to 40 trillion gigabytes, which equates to 5.2 terabytes of data for every man, woman and child alive in 2020.[1] The sheer volume of data and the number of places in which it is stored complicate the eDisclosure challenge.

Cross-border data transfers

Cross-border data transfers are not only frequent, but often crucial components of everyday business. However, when it comes to retrieving and disclosing that data, companies need to make sure that they can do so without violating data transfer regulations and privacy laws. Not all countries have rigorous privacy laws in place, and therefore data can be at risk when it is transferred outside of Europe. One of the biggest challenges for companies responding to regulatory investigations is the short timeframe allowed. In many cases, just a few short weeks are given to review all the necessary data and build a case.

Dealing with data breach

Over the last 5-10 years, companies across all industries have experienced cyber breaches on a fairly consistent basis, with hackers pursuing data for the sake of profit. Organisations can face lawsuits from consumers and shareholders, as well as regulatory fines and potential loss of clients and reputation. As the breach runs through its life cycle, litigation may arise, depending on factors such as the size of the breach, the company and consumers involved, and the nature and scope of what was taken or compromised. In the event of litigation, an organisation will require an eDisclosure service, which enables it to efficiently manage the collection, processing and review of electronic documents and communications.

Considering costs

When assessing litigation costs, the expense of eDisclosure is a key consideration. Only by ensuring that the exercise is completed efficiently and with the requisite expertise can the cost of eDisclosure be effectively managed. Costs will be significantly reduced if those managing the disclosure exercise gain an early appreciation of the nature of the data, and are able to assess what is likely to be relevant to the investigation and what can safely be removed from the data set prior to review.

Managing changing trends

A range of factors are conspiring to increase the complexity of data governance and eDisclosure. In order to keep costs to a minimum, meet the stringent time constraints often applied by regulators, and ensure the smooth running of the eDisclosure process, forward planning is key. Companies need to compile a comprehensive data map and put an eDisclosure strategy in place before an investigation happens. For many, the most reliable way to meet the challenges of eDisclosure will be to partner with an expert, to guide them through the process and make sure they are ready and able to respond.

Adi Elliot, VP, Market Planning, Epiq Systems

The flexible solution for outsourcing contracts

Introduction

In our recent research into the future of outsourcing which was published by the National Outsourcing Association in 2016, one of the key findings was that many companies are looking for flexibility in their outsourcing contracts. This is because the needs of many businesses are changing quickly as new technologies open up new ways of conducting business. Outsourcing can certainly help many businesses become more efficient and adopt new technology whilst, at the same time, driving business change. However, customers have long complained that the bold promises of service providers do not always materialise. Now that technology is developing very quickly, this is more of a challenge than ever. In today’s market, businesses need to be able to take full advantage of the latest developments in technology very quickly if they are to keep up with their competitors, let alone gain market advantage. In particular, businesses need to be able to interact with their customers using the very latest technologies in a consistent way and in a way which can adapt quickly to embrace the ever increasing capabilities of these technologies.

The question is, how can flexibility be delivered?

One potential solution is to apply some of the principles of agile to the transformational and operational stages of an outsourcing project. Whilst the core transition activities can be planned with certainty, the operational requirements of a business will change during the life of a project and, also, during the process of procuring and implementing a new outsourced service. With this in mind, instead of creating a large transformational project with fixed deliverables, we suggest that the initial list of transformational requirements is converted into an agile style backlog. Then, when it is time to start the transformation, the business can decide which of these requirements should be implemented and in what order of priority. In addition, some requirements may no longer be relevant or may be changed whilst other new requirements may exist. All of this flexibility can be absorbed with agile.

In addition, in order to prevent this flexibility turning into budgetary chaos, a fixed annual budget can be set for transformation activities. This budget may well be larger in the initial years but it should be capable of continuing through the life of the contract so as to facilitate regular investment which will keep the services as fresh as possible. In so doing, there will be a much greater chance that an outsourced service will actually deliver a service that is closer to what a business needs at the time that it needs the service and that much less money is wasted on developing services which are out of date by the time that they are implemented. Accordingly, a flexible approach to outsourcing should deliver better user satisfaction at a lower overall cost.

In the remainder of this report, we look more closely at why traditional outsourcing projects will struggle to cope with fast moving technological change and at why an agile approach has the potential to deliver the flexibility that will allow outsourced services to adopt new technology as rapidly and efficiently as possible.

[Diagram 1: agile cycle showing Product backlog, Sprint backlog, Sprint (2-4 weeks) with Daily review, and Release]

Where we have come from

Traditionally, an outsourcing of services has involved a number of distinct sequential phases which resulted in many months (if not years) of activity from project inception to the commencement of operational service activity. In so doing, most BPO projects have involved the following activities:
• project inception – a business takes the decision that it needs to outsource an activity
• the business spends some time developing its requirements
• the business prepares and issues an Invitation to Tender to a number of potential suppliers
• the interested suppliers prepare Responses to Tender (including indicative solutions) which may contain their proposals regarding potential transformation
• the business evaluates the tenders and selects one or more “preferred supplier” for detailed negotiations around the proposed solution, price and contractual terms until a contract is finally awarded to the successful supplier. These contracts are usually for 5 to 10 years and the services will include transition and ongoing operational services and, in many cases, a programme of transformation which is designed to implement an agreed programme of change
• the parties transition the existing service to the new supplier who, from completion of the transition, takes over the provision of a “business as usual” operational service. At this point, nothing has changed in terms of the manner in which the services are delivered (other than the identity of the supplier). As such, the existing service provision may well have stagnated through lack of investment during the procurement phase (which could be as much as 2 years from beginning to end)
• the supplier starts the agreed programme of transformation to reflect the requirements of the business which were set out at the commencement of the procurement process. At the time of delivery, some of these requirements may well have been superseded by the impact of new technologies whilst the delivery of the planned transformation, in itself, may take over a year to complete
• once the transformation is complete, the supplier is often required to make suggestions regarding continuous improvements or innovation in technology or process which may be of interest to the customer
• regimes of gain share and benchmarking are also introduced post transformation to help the customer ensure that the services deliver value for money
• at all times from contract award, a change control procedure allows for changes to be suggested, scoped and agreed by either party

The implications

Traditional outsourcing projects take a long time to procure and implement. All of this means that many outsourcing arrangements may effectively be redundant by the time they start operation. In addition, the structured nature of the change control procedures often results in a time consuming and costly process to get matters changed. Both of these issues can easily result in dissatisfaction right from the outset because the contracted services do not reflect the impact of the new technologies and channels which have become available since the decision to outsource was taken. In addition, the contracts themselves are then slow to adapt and there can be a feeling that the costs of implementing the services spiral through the change control procedure.

As a result some businesses may be attracted by shorter term contracts so as to avoid being locked into an outsourcing relationship that is inflexible. However, this is not the answer because a short term contract will only ever deliver a fixed solution. As such, in delivering a short term contract, it will be difficult for a supplier to justify making significant investments into the delivery of flexible solutions and/or the adaptation of new technology at as competitive a price as would be the case with a longer contract. In addition, the services will be forever operating in an environment where the next procurement is being planned. This, in turn, will be unsettling to the affected staff. Therefore, short contracts will create instability and will not encourage investment in the relationship.

A Traditional Outsourcing

[Diagram 2: contractual process phases. Customer develops requirements; Supplier develops Proposal; Customer evaluates RFP’s and down selects. Stages shown: Planning; Issue ITT; Receive RTTs; Down select; Negotiation; Contract award; Handover; Transition and Migration; Commencement of BAU operational services & commencement of transformation; Transformed service; Commencement of transformed Operational Services – possibly on a phased basis; Change control, Continuous improvement, Gain share, Benchmarking]

Are output based measures the answer?

Traditionally, most BPO contracts have measured service inputs, such as Average Call Handling Times, as a means of measuring efficiency. Whilst these measures may still have a place, they do not necessarily help a business measure the quality of the customer experience. Taking the example of a call centre, this is particularly the case where the subject matter of many calls is also changing – now, the answers to most simple calls can be resolved via web based services whilst the calls that are received are for more complicated queries which can take time to resolve. Also, KPIs such as the Average Handling Times do not measure the output of the outsourced service such as the number of products sold as a result of the delivery of the outsourced services.

Whilst there is certainly a move to output based contracting, on the basis that a supplier is given flexibility to deliver the outputs in the way it considers best, most businesses still retain a keen interest in the “how” and will often be prescriptive about the manner in which the supplier goes about delivering the service. This, in turn, reduces the supplier’s opportunity to flex the manner in which the services are delivered. In addition, careful thought needs to be given to the Outputs which can be influenced by the supplier of an outsourced service. For example, product sales figures can be affected by the effectiveness of an outsourced call centre but sales are also influenced by the attractiveness of a business’s products and services, quality and price competitiveness, delivery arrangements and aftercare. Also, looking at different ways to measure the quality and effectiveness of service delivery will not, of itself, offer any guarantee that the service will keep pace with all new technology in a way that will be fully aligned with the customer’s strategy.

So, what is the answer?

The speed of change is only increasing and, in this environment, the most flexible of businesses are likely to stand the best chance of success. In so doing, service providers and their customers must work to avoid the dissatisfaction traps of traditional outsourcing projects in terms of the delivery of out of date solutions combined with a lack of flexibility. These issues can be avoided by applying some of the principles of agile software development so as to create an outsourcing model which is specifically designed to evolve over the lifetime of the contract so as to meet the needs of the customer’s business in a fast changing market whilst providing a contract structure which provides for the longer term assurance required for supplier investment. In addition, this model can also flex towards outcome based performance measures as the business needs and priorities change.

What is an agile methodology?

In its pure form, agile methodologies provide for working software to be developed quickly by joint teams who are tasked with creating a working solution to a specific business issue which can be implemented within a short period of time. Whilst this approach was created with software development in mind, there is no reason why it cannot be applied to a business process outsourcing project. In a pure sense, software development projects which are undertaken using agile methodologies feature the following characteristics:
• iterative, short, frequent and incremental development cycles
• requirements and solutions being developed in tandem through collaboration between the supplier and its customer so as to ensure the rapid development of working solutions which are fully aligned to customer needs
• adaptive and flexible planning, development and delivery

Looking at this in more detail, an agile development process (based on the SCRUM methodology) involves:
• a set of business goals are defined at the outset which constitute the vision of the project
• a development project is divided into a number of so called sprints, each of which are designed to deliver a particular piece of software via iterative and collaborative working practices utilising joint teams made up of supplier and customer representatives. The collection of sprints is referred to as the backlog – an unfortunate term – but this is effectively the menu of all items of software which are to be delivered to meet the vision of the project as understood at the outset
• each sprint will involve a time bound set of collaborative activities which involve planning, design, coding, testing and deployment which are carried out simultaneously rather than sequentially. As such, the results of each sprint are tested in real time with the objective that each sprint is delivered in the form of working software which can be used by the customer there and then
• the fact that the Project is divided into a number of sprints means that the development team focus on one sprint at a time and that the results of each sprint build iteratively on each other. However, another key feature of an agile project is that the order of the sprints can be changed to reflect changing business priorities and, in fact, some proposed sprints can simply be deleted from the backlog if no longer required whilst new sprints can be added to the backlog as requirements and priorities evolve. In so doing, there is no need to refer to a change control procedure. Rather, the sequence in which the software (or business process) is developed can be varied as business priorities change whilst new features and requirements can be slotted in at any time. In so doing, no effort will have been wasted in delivering sprints which are not called off from the backlog and new sprints can be added to the backlog as new requirements arise through the life of the project without the need for complex change control procedures
• all of the above requires close co-operation and project governance between the customer and the supplier.

Applying agile methodologies to an outsourcing contract

Whilst the transition phases of an outsourced service project should not be procured using agile methodologies, it is certainly possible to utilise agile methodologies during any transformation phase and to continue these practices through the life of the outsourced service contract so as to always keep the solution as fresh as possible. This, in turn, mitigates against the risk that traditionally delivered services will be seen as out of date from the outset or during the life of the contract. This, in turn, means that: when procuring an outsourced service project, thought should be given to the following key stages:
• transition – in terms of transitioning Business As Usual (BAU) services from the customer or an incumbent service provider, it is still necessary to plan the required activities in much the same way as in any traditional project
• core transformation – there may be certain activities which must happen in a particular way and by a pre-determined time. For example, this may apply to the implementation of new systems or processes to address certain must have requirements which are known at the outset and which are fundamental to the whole project. It may also apply, to a large extent, in relation to the delivery of services which must meet specific regulatory requirements. Either way, if the requirements are clearly identified at the outset and if a solution can be fixed at the outset, these core transformational requirements can still be procured in a traditional sense although there may well be opportunities to refine some elements of any solution utilising agile processes. In addition, agile processes can also be used to evolve these services during the life of the contract
• agile transformation – for many new items of service delivery and/or technology, a purely agile approach can be taken to their implementation and, in so doing, outsourced service solutions can flex as technologies evolve through the life of the contract. Thus, by delivering elements of the transformation via agile procedures, the originally planned transformation activities can be easily flexed as some of the original requirements become redundant and/or new ways of delivering customer experience evolve. Therefore, the methods of delivering the outsourced services can be adapted quickly to respond to changing technologies and these changes can be implemented incrementally and quickly as the business decides how to respond to the full potential of the new technology. In addition, there is no reason why this way of working cannot continue through the life of the contract. In so doing, this will reduce the risk of the outsourced services being delivered in a way that is out of step with what the business needs at any stage during the life of the contract
• the adoption of agile methodologies ensures that longer term outsourced service contracts can deliver lasting value which can utilise the latest technologies whilst avoiding the risk of short term contracting. The problem with shorter contracts in an outsourced service context is that the services (and people) will constantly be being transitioned from one provider to another (which is costly and inefficient in itself) whilst a short term outsourced service contract will mean that the customer will only ever receive the service that can be defined at the outset of such contracts. In addition, even with short term solutions, the solution could still be 12 months or more out of date by the time the service is delivered
• in order to succeed (for both customer and supplier) in a fast moving technological environment, solutions and services need to be able to continually adapt to the new pressures on the business they serve. This can mean making new services or new channel operations available quickly. It may also mean changing the mix of service or even closing down certain functions. In so doing, perhaps the only certainty is that the service mix at the start of an outsourced service relationship is very likely to be different to the service mix when the relationship and contract reaches its renewal point
• new commercial and contractual arrangements need to be created and fully understood by both parties, so as to facilitate the successful completion of projects using an agile methodology, particularly with regard to good governance and financial discipline.

Making the new partnership models work will of course be challenging from an operational, commercial and contractual perspective. However, this is possible.
For example, the following structure can work:

• the contract can define the operational services, service level regime and charges as they apply to the BAU services as at the time of transition
• the operational service descriptions, service levels and charges, as affected by the core transformation activities, can also be agreed up front (as is the case in a traditional outsourcing deal)
• the baseline service descriptions, service levels and charges can be varied by the application of each sprint in ways which are agreed whilst the sprint is being delivered as based upon the high level objectives for each sprint which are agreed at the outset
• if the supplier is to invest in agile methodologies through the life of the contract, the cost of the resulting activity needs to be recoverable. In an agile software development, these costs are typically paid for on a time and materials basis as each sprint is delivered. However, it is also possible to construct a model whereby either the development time or the development effort is fixed at the outset of each sprint. In addition, applying this to an outsourced service scenario, the funding for all sprints which can be ordered in each contract year can be agreed at the beginning of each contract year with the costs being built into the operational service charges via a process of smoothing. Of course, should additional changes be required, the required funding can be separately agreed
• the backlog of potential sprints can be refreshed in real time through the life of the contract with a forward view being taken of the likely funding costs and on the basis that no money will have been wasted in accepting functionality that is no longer required
• it is quite likely that the agile transformational activity will have an impact on the core operational services, for example in terms of the volume of voice calls that need to be handled. Here, at the outset, the contract may contain assumptions regarding the expected impact on particular channels and the numbers of staff and/or seats which are required to service the contract. These expected changes can be built into the pricing and resourcing models (along with any agreed tolerances) whilst the impact of any exceptional changes on such resourcing requirements (over and above any agreed flex and/or tolerances) will need to be agreed via change control. Applying this to an outsourced service project, a budget can be established for all transformational activity which is to be conducted on an agile basis for, at least, a 12 month period. Then, the agile transformations which are to be called off in that period can be managed within agreed budgets (accepting that the actual costs may vary from the budget). In addition, it should also be recognised that if the core assumptions of the deal change, the impact on the supplier’s fixed investments needs to be considered


• it might be possible to consider a commercial arrangement whereby the supplier may take some of the risks of funding some changes on the basis that the changes will drive increased volumes and/or profits.

[Diagram 3: A flexible approach to outsourcing which adopts agile methodologies. Side labels: Core requirement; Contractual. Panels: Transition and Migration (the legacy service needs to be migrated to the new service provider on an as is basis as quickly as possible); BAU Operational Services (BAU charges, BAU service levels, property and staff transfers); Transformation; Transformed Services (new service levels, new pricing). Further notes: core technology platform and functions (especially for regulated businesses); consider agile methodologies to flush out requirements. Timeline: repeated Planning phases through to Expiry.]

In parallel with the transition, BAU and core transformation activities, specific improvements to the Services can be implemented via agile processes at any time during the life of the contract.

In summary, the contract will need to reflect the following issues:

• establish and manage joint teams via strong governance
• establish a process to refine the requirements, dependencies and likely costs of each sprint before the sprint is called off from the Backlog
• flexible procedures to deal with changing priorities and emerging technology – in so doing, the Backlog should be managed through the life of the contract so as to prioritise and reprioritise the proposed sprints as business priorities evolve
• the adoption of agile processes allows for early wins which deliver business benefits and value early and throughout the life of the contract
• agile processes keep the customer engaged and locked into the continual evolution of the outsourced solution and services in such a way that ensures that the same are always up to date
• need to document and track the impact of the results of any sprints on the service descriptions, core resources, service levels and charges carefully
• need to consider how the costs of implementing each sprint will be funded, for example by way of calling off funds from an agreed investment fund, the cost of which is built into the pricing model and smoothed through the life of the contract

Conclusion

In constructing outsourced service contracts to be future-proof, careful consideration should be given to:

• defining the core base services that will remain true through the life of the contract
• creating an agile framework for flexing the services around the core in a way that will ensure that the core services can be adapted and evolved to enable the parties to take full advantage of new technologies and channels. This framework will define:
  • the agile processes by which parties will work together to flex the services so as to adapt to new channels and technologies through the entire life of the contract
  • a process for agreeing how the core resources may be affected
  • a framework for pricing the development of new solutions via agile processes.

Simon Jones, Partner, Eversheds T: +44 113 200 4049 M: +44 7771 610459

EU Court Rules That Royalties for Unpatented Technology Are Not Necessarily Anticompetitive

On 7 July 2016, the Court of Justice of the European Union (CJEU) handed down a judgment on whether Article 101 of the Treaty on the Functioning of the European Union (TFEU) must be interpreted as precluding effect being given to a licence agreement requiring the licensee to pay royalties for the use of a patent which has been revoked (Sanofi-Aventis v Genentech, Case C-567/14).

Background

In 1992, Hoechst granted a licence to Genentech for a human cytomegalovirus enhancer. The licensed technology was subject to one European patent and two patents issued in the United States. In 1999, the European Patent Office revoked the European patent. Under the licence agreement with Hoechst, Genentech was obliged to pay a one-off fee, a fixed annual research fee and a running royalty based on sales of finished products. Genentech never paid the running royalty, however, and in 2008 it notified Hoechst and Sanofi-Aventis (Hoechst’s parent company) that it was terminating the licence. Hoechst and Sanofi-Aventis believed that Genentech had used the enhancer to manufacture its blockbuster drug Rituxan and was therefore liable to pay the running royalty on its sales of that drug. Sanofi-Aventis initiated two separate actions. In the United States, it brought an action alleging that Genentech infringed the two US patents. The US courts ultimately decided that there was no infringement of the patents in question. Sanofi-Aventis also submitted an application for arbitration against Genentech before the International Court of Arbitration to recover the royalties. In the arbitral award, the sole arbitrator held that Genentech had manufactured Rituxan using the enhancer and that the company was therefore required under the licence to pay Sanofi-Aventis the running royalties. According to the arbitrator, the commercial purpose of the licence was to avert all litigation on validity. Thus, payments already made under the licence could not be reclaimed, and payments due had to be made regardless of whether the patent had been revoked or was not infringed. Genentech brought an action before the Paris Court of Appeal seeking annulment of the arbitral award. 
The company relied on public policy arguments, claiming that a requirement to pay for the use of technology that Genentech’s competitors could use without charge put Genentech at a competitive disadvantage and contravened Article 101 TFEU. The Paris Court of Appeal stayed the proceedings and made a preliminary reference to the CJEU.

CJEU Judgment

The CJEU explained that royalties reflect the parties’ assessment of the value that is attributable to the possibility of exploiting licensed technology, and that this assessment may still apply after expiry of the period of validity of the patent. The court referred to established case law (Case 320/87 Ottung) and held that, where the licensee is free to terminate the licence agreement by giving reasonable notice, an obligation to pay a royalty throughout the validity of the agreement (i.e., not the validity of the IP rights) does not fall within the purview of the Article 101(1) TFEU prohibition. The CJEU argued that Article 101(1) TFEU does not prohibit the imposition of a contractual requirement providing for payment of a royalty for the exclusive use of a technology that is no longer covered by a patent, on condition that the licensee remains free to terminate the contract. In this respect, the court noted that a royalty reflects (i) the price that is paid for the commercial exploitation of the licensed technology and (ii) a guarantee that the licensor will not enforce its IP rights against the licensee. As such, if the licence agreement is still valid and can be freely terminated by the licensee, the royalty payment is due even if the period of validity of the IP rights in question has expired.

Concluding remarks

This judgment by the CJEU highlights a number of practical considerations that licensors and licensees should be aware of when negotiating and concluding licence agreements. First, licence agreements ought to expressly provide for what should happen with respect to the payment of royalties where and if the patents in question are revoked. Second, if a licensor intends to extract royalties for patents that are no longer protected, the licence agreement should expressly state that the licensee is free to terminate the agreement by giving reasonable notice. Licensors should also ensure that licensees are not otherwise restricted in using the licensed technology following termination of the licence agreement. In order to limit antitrust scrutiny, licensors should consider including (e.g., in the preamble of a licence agreement) a brief commercial explanation of why royalties are charged for unpatented technology. Third, if negotiations regarding royalties for unpatented technology prove difficult (e.g., because of the licensee’s bargaining power), licensors may consider applying a lower royalty rate following expiry of patent protection. Doing so would ensure that the licence agreement remains valid after expiry of the IP rights. Fourth, extra caution is required when concluding international licence agreements that have a US element. This is because US law does not permit licensors to collect royalties accruing after patent expiry.

Michal Kocon of McDermott Will & Emery

Network Information Security Directive

On 6 July 2016, the final text of the Network and Information Security (NIS) Directive was adopted by the European Parliament. The main objective of the Directive – to strengthen the security of network and information systems underpinning key economic and social services across Member States – is undoubtedly commendable. However, the real benefit in the Directive is likely to be in raising overall security standards across the Union, as aspects of the Directive are already in place in many Member States or covered (at least in part) by pre-existing national or European legislation. There also remains uncertainty around the extent of the obligations being placed on the organisations operating in these key sectors.

A national framework for cyber security

One of the main features of the Directive is the establishment of national infrastructures for the notification of cyber-security incidents and the sharing of information and expertise. Each Member State will be required to set up and resource:

• a “competent authority” for network and information security, responsible for monitoring the application of the Directive;
• a “single point of contact”, to act as a liaison between Member States and ensure effective cross-border cooperation on cyber security matters; and
• a “Computer Security Incident Response Team (CSIRT)”, responsible for handling cyber security risks and incidents.

These functions may be performed by one or more national bodies within each Member State. Member States are also required to ensure that these organisations have the power to obtain information from organisations and, where appropriate, impose “effective, proportionate and dissuasive penalties” for breaches of the Directive. At this stage, it is unclear how such penalties will be applied, particularly for cross-border organisations.

In the UK, much of this framework is already being put in place. CERT-UK, set up in March 2014, acts as the body for reporting and handling cyber security breaches. The British government is also in the process of setting up the National Cyber Security Centre (NCSC), which will take on most (if not all) of these functions. The government has yet to provide an indication of the NCSC’s likely position on incident response, investigation and penalties.

Member States must also adopt national strategies on the security of network and information systems. These strategies will be required to cover a wide range of cyber security issues, from government support and supervision, to incident identification and response, to education and training. A structured government plan to tackle cyber security risks is an essential part of providing a meaningful response to the threat of cybercrime. However, the implementation of such policies is not new in much of the EU. In practice, the majority of Member States have already established cyber security plans. For example, in the United Kingdom, a detailed cyber security strategy covering each of the areas set out in the Directive has been in place since 2011 – with the next 5-year strategy due later this year.

Appropriate technical and organisational measures

The Directive also requires Member States to place specific notification and information security obligations on what are defined as “operators of essential services” and “digital service providers”.

“Operators of essential services (OESs)” include providers of economically or socially critical services in the transport, energy, healthcare, banking, financial markets infrastructure, water and digital infrastructure sectors. Essentially, this will cover organisations such as key utilities providers, banks, internet service providers and stock exchanges insofar as the critical services they provide depend on a network or information system.

“Digital service providers (DSPs)” include online marketplaces, search engines and cloud computing providers with over 50 employees and whose annual turnover and/or annual balance sheet total exceeds €10 million.

Both OESs and DSPs will be required to implement “appropriate technical, organisational and security measures” to manage the risks posed to their network and information systems. This reflects the wording of the security obligations already in place under the Data Protection Act 1998 (DPA 1998). However, unlike the requirements under the DPA 1998, these organisations are also explicitly required to have “regard to the state of the art” in ensuring that the level of security is appropriate to the risk posed. At the very least, this emphasises that such organisations are under an obligation to continually monitor and review the level of their network security in line with advancement or development of cyber security threats. However, it is important to note that this security obligation will extend to the security of the network and system as a whole, rather than just the personal data processed within. The precise technical requirements of the measures to be taken will depend on the risks to each entity’s network and information systems and the potential consequences of any related security incident.
Given that many of the systems concerned, by definition, relate to the provision of economically or socially critical services, it is likely that a very high level of security will be required to ensure compliance with the Directive. However, what is, or is not, “state of the art” is up for debate in some areas, and this is a continually moving target for organisations to have regard to.

Notification of cyber security incidents

OESs and DSPs will also be required to notify either the competent authority or CSIRT of any incidents having a “significant” (in the case of OESs) or “substantial” (in the case of DSPs) impact on the continuity/provision of the services they provide. Where an OES relies on network services provided by a third-party DSP, the OES will also be required to notify the relevant authority of qualifying incidents affecting the DSP, where these affect the continuity of the service the OES provides.

In both cases, the significant/substantial nature of an incident will be determined by reference to the number of users affected by the incident, the duration of the incident and the geographical spread of the incident. DSPs will also be required to consider the extent of the disruption on the functioning of their service and of any related impact on economic or social activities. As with similar notification obligations under the GDPR, it is far from clear exactly when these notification obligations will “bite”. Whilst some clarity is likely to be gained from national and European technical guidance, this will still ultimately boil down to a judgment call for the organisation concerned. The Directive also provides for the voluntary notification for incidents or organisations that fall outside of the scope of these mandatory obligations.

Cross-border cooperation

The Directive provides for the establishment of a European “Cooperation Group” for sharing expertise, strategies and best practice, and a “network of CSIRTs” for dealing with cross-border incidents. The establishment of such a pan-European framework may well help provide for more consistent support for cross-border organisations that are heavily reliant on network and information systems. It can be hoped that communication between national competent authorities through the Cooperation Group may lead to a more uniform application of the provisions of the Directive, particularly in respect of penalties.

The Directive also allows for the sharing of information relating to cyber security incidents, particularly where these may involve a cross-border element. In doing so, the Directive has sought to strike a balance between facilitating an effective cross-border response to cyber security threats, whilst also protecting the privacy, confidentiality and personal data of those affected by the incident. When passing information to another Member State, the relevant national authority will be required to preserve the confidentiality, security and commercial interests of the relevant OES or DSP. National authorities will also need to ensure all such transfers comply with the European data protection law. However, organisations which are subject to NIS will need to be aware that while they may be comfortable with how their CSIRT will deal with notifications, different CSIRTs in other jurisdictions may take different approaches. This may also discourage organisations which are not technically subject to NIS, but which can make voluntary notifications to their relevant CSIRT, from doing so.

Taylor Wessing

Note – the directive bears number 2016/1148 and came into force in August 2016. See https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive

The European Commission Formally Adopts the Privacy Shield

The Privacy Shield heightens the level of scrutiny and the burden on organizations that voluntarily self-certify.

On October 6, 2015, the Court of Justice of the European Union invalidated the European Commission’s (the Commission’s) Safe Harbor Decision, which (previously) allowed for U.S.-based companies to transfer personal data of European Union (EU) citizens from the EU to the United States if they complied with certain principles. “Personal data” is a broad term encompassing all data through which a unique person can be identified or is identifiable. Pepper previously reported on this invalidation,[1] and U.S. companies waited with bated breath to see what would take the Safe Harbor Decision’s place. On February 2, 2016, the U.S. Department of Commerce (the Commerce Department) and the Commission announced the new EU-U.S. Privacy Shield (Privacy Shield), which Pepper also reported.[2] Finally, Pepper can now report on the Commission’s July 12, 2016 formal adoption of the Privacy Shield.

Overview

On the EU side, the Commission and the European Data Protection Authorities (DPAs) will administer the Privacy Shield. The Commerce Department, the Federal Trade Commission (FTC) and the Department of Transportation (DOT) will monitor and enforce the Privacy Shield on the U.S. side, though other subject-matter regulators may subsequently express interest. The Privacy Shield allows for personal data of EU citizens to flow from entities located in EU member states and European Economic Area member countries to organizations in the United States. By implementing the Privacy Shield, the Commission has deemed that the transfer of data under the Privacy Shield provides an “adequate level of protection for personal data transferred to the U.S.” (Adequacy). The Privacy Shield consists of several components. The first is the Privacy Shield Principles (the Principles), which is a code of conduct governing how U.S.-based organizations that make an enforceable commitment to abide by the Principles may handle personal data transferred from the EU to the United States (EU-U.S. transfers). Second, the Privacy Shield provides for Oversight and Enforcement, which outlines how U.S. governmental agencies will administer and enforce the Privacy Shield. Third, the Privacy Shield creates an Ombudsperson Mechanism to facilitate EU-U.S. transfers relating to national security. Fourth and finally, the Privacy Shield puts in place Safeguards and Limitations that require an annual review of Adequacy, including how national security and law enforcement agencies access and use data. Notably, while the Privacy Shield includes many new, first-time requirements for law enforcement and national security agencies (many of which may implicate the commercial sector), this article focuses on the Principles, which are most applicable to companies seeking Privacy Shield self-certification.

Privacy Shield Principles

While adherence to the Principles is voluntary, U.S. organizations seeking self-certification subject themselves to monitoring and enforcement from the Commerce Department, FTC and/or DOT for failure to comply. There are seven requirements under the Principles.[3] These principles have long been the basis for EU data protection.

Notice: Organizations must provide data subjects with information concerning how their data will be processed, for example, the type of data collected, the purpose of processing, etc. Organizations must also provide links to the Commerce Department’s website regarding details on self-certification and the Privacy Shield List (the list of self-certifying entities).

Data Integrity and Purpose Limitation: Organizations must only use personal data for the limited purposes for which it was originally collected and/or authorized by the data subject. Organizations must also ensure that personal data is “reliable for its intended use, accurate, complete and current.”

Choice: If the purpose of collection or use changes, the organization must give data subjects the right to opt out of continued use. In the case of sensitive data, organizations must obtain affirmative express consent (opt in) prior to use.

Security: Organizations must take “reasonable and appropriate security measures” to make sure personal data remains protected. Organizations must also contract with third parties that the organizations use for sub-processing to ensure that these third-party processors provide the same level of protection as provided under the Principles.

Access: Organizations must ensure that data subjects have the right to confirm whether an organization has a data subject’s personal data and, if so, be able to access and correct the data for free or for a nonexcessive fee. Organizations may not deny access except under exceptional circumstances.

Recourse, Enforcement and Liability: Organizations must implement policies to ensure compliance with the Principles. Organizations must also annually recertify their compliance with the Principles and verify that their published privacy policies conform to the Principles. The latter can be achieved through self-assessment or by outside compliance reviews. Additionally, organizations must put in place redress mechanisms that allow the organizations to redress any complaints by data subjects. These new requirements are explored further below.

Accountability for Onward Transfer: Organizations must ensure that any onward transfer of personal data is only for “(i) limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.” This requirement is even more explicit than the version under the Safe Harbor Decision.

Self-Certification


While self-certification is not available until August 1, 2016, organizations may begin to prepare for the process. Self-certification requires that an organization certify, on an annual basis, that the organization agrees to adhere to the Privacy Shield’s requirements, including “notice, choice, access, and accountability for onward transfer.” In helping organizations prepare for self-certification, the Commerce Department has provided the following guidelines:

Confirm your organization’s eligibility to participate in the Privacy Shield. Under the Commerce Department’s current guidance, only organizations subject to the jurisdiction of the FTC or DOT may participate in the Privacy Shield. However, the number of subject-matter agencies may expand over time.

Develop a Privacy Shield-compliant privacy policy statement. To self-certify, an organization must ensure that its external privacy policy conforms to the Principles. The organization must also make specific reference to its Privacy Shield compliance and provide a link to the Commerce Department’s Privacy Shield website. If the privacy policy is online, it must also link to the organization’s independent recourse mechanism (IRM). The organization must also provide the Commerce Department with the web address of the privacy policy or a physical address where the public may view the privacy policy.

Identify your organization’s independent recourse mechanism. While the first step should be for the organization itself to resolve complaints from data subjects, an organization must also provide an IRM that can investigate unresolved complaints at no cost to the data subject. The IRM can utilize private-sector dispute resolution programs, such as the Council of Better Business Bureaus, JAMS or TRUSTe. Alternatively, the organization may choose as its IRM to cooperate and comply with DPAs for all data types. But, for human resource-related data, cooperation and compliance with DPAs is mandatory. Moreover, cooperation with the Commerce Department or the FTC is mandatory, independent of data type. The organization must also submit to binding arbitration by the Privacy Shield Panel for any disputes unresolved by its IRM.

Ensure your organization’s verification mechanism is in place. An organization must be able to verify compliance with the Privacy Shield’s requirements. An organization can conduct a self-assessment or third-party assessment to verify compliance. An organization must ensure that, if it chooses or is no longer able to be compliant with the Privacy Shield, it notifies the Commerce Department and it continues to protect, destroy or return personal data it already has received.


Designate a contact within your organization regarding the Privacy Shield. An organization must provide a contact for handling inquiries regarding the Privacy Shield. An appropriate designee is usually a corporate officer, such as a Chief Privacy Officer. An organization must respond to a data subject within 45 days of receiving a complaint.

Pepper Point

From a commercial sector aspect, the Privacy Shield, its Principles and self-certification embody many of the previous requirements under the Safe Harbor Decision. However, the Privacy Shield heightens the level of scrutiny and the burden on organizations that voluntarily self-certify. It makes any subsequent noncompliance subject to federal agency enforcement, including Section 5 of the Federal Trade Commission Act. It also requires organizations to provide data subjects with the ability to seek redress for their complaints. Furthermore, by annually requiring self-certification renewal and periodic verifications, the Privacy Shield increases an organization’s due diligence obligation for assessing whether its privacy program adequately protects EU citizens’ personal data. Additionally, it explicitly requires self-certifying organizations to impute the Principles to third-party processors by making them contractually required to provide the same level of privacy and security to personal data transmitted to them. Thus, even if an organization has not self-certified, it may still be required to adhere to the Principles if it is a vendor to a self-certifying organization. As organizations start to self-certify and the Privacy Shield progresses, Pepper will continue to track these developments.

Endnotes

1. See Sharon R. Klein & William M. Taylor, EU Court of Justice: Safe Harbor Decision Permitting EU-U.S. Personal Data Transfers is Invalid, Pepper Hamilton Client Alert (Oct. 6, 2015), available at www.pepperlaw.com/publications/eu-court-of-justice-safe-harbor-decisionpermitting-eu-us-personal-data-transfers-is-invalid-2015-10-06/.
2. See Sharon R. Klein & Alex C. Nisenbaum, U.S. and EU Authorities Announce New Privacy Shield for Data Transfers, Pepper Hamilton Client Alert (Feb. 4, 2016), available at www.pepperlaw.com/publications/us-and-eu-authorities-announce-new-privacy-shield-for-datatransfers-2016-02-04/.
3. Notably, EU member state laws supersede the Principles regarding any collection, use and processing of human resource data collected in the employer-employee context. The Commerce Department has also provided Supplemental Principles for further guidance on implementation of the Principles.

© 2016 Pepper Hamilton LLP. This article was republished with permission. All other rights are reserved by Pepper Hamilton LLP.

Google’s comparison shopping and advertising-related practices

The Commission has sent two Statements of Objections to Google. The Commission has reinforced, in a supplementary Statement of Objections, its preliminary conclusion that Google has abused its dominant position by systematically favouring its comparison shopping service in its search result pages. Separately, the Commission has also informed Google in a Statement of Objections of its preliminary view that the company has abused its dominant position by artificially restricting the possibility of third party websites to display search advertisements from Google’s competitors.

Commissioner Margrethe Vestager, in charge of competition policy, said: “Google has come up with many innovative products that have made a difference to our lives. But that doesn’t give Google the right to deny other companies the chance to compete and innovate. Today, we have further strengthened our case that Google has unduly favoured its own comparison shopping service in its general search result pages. It means consumers may not see the most relevant results to their search queries. We have also raised concerns that Google has hindered competition by limiting the ability of its competitors to place search adverts on third party websites, which stifles consumer choice and innovation.

“Google now has the opportunity to respond to our concerns. I will consider their arguments carefully before deciding how to take both cases forward. But if our investigations conclude that Google has broken EU antitrust rules, the Commission has a duty to act to protect European consumers and fair competition on European markets.”

The supplementary Statement of Objections on comparison shopping follows a Statement of Objections issued in the same case in April 2015. Both Statements of Objections are addressed to Google and its parent company, Alphabet. Sending a Statement of Objections does not prejudge the outcome of the investigation.

Comparison shopping

Following the Statement of Objections issued in April 2015 and Google’s response in August 2015*, the Commission has carried out further investigative measures. Today’s supplementary Statement of Objections outlines a broad range of additional evidence and data that reinforces the Commission’s preliminary conclusion that Google has abused its dominant position by systematically favouring its own comparison shopping service in its general search results. The additional evidence relates, amongst other things, to the way Google favours its own comparison shopping service over those of competitors, the impact of a website’s prominence of display in Google’s search results on its traffic, and the evolution of traffic to Google’s comparison shopping service compared to its competitors. The Commission is concerned that users do not necessarily see the most relevant results in response to queries – this is to the detriment of consumers, and stifles innovation. In addition, the Commission has examined in detail Google’s argument that comparison shopping services should not be considered in isolation, but together with the services provided by merchant platforms, such as Amazon and eBay. The Commission continues to consider that comparison shopping services and merchant platforms belong to separate markets. In any event, today’s supplementary Statement of Objections finds that even if merchant platforms are included in the market affected by Google’s practices, comparison shopping services are a significant part of that market and Google’s conduct has weakened or even marginalised competition from its closest rivals. By sending a supplementary Statement of Objections the Commission has reinforced its preliminary conclusion whilst at the same time protecting Google’s rights of defence by giving it an opportunity to respond formally to the additional evidence. Google and Alphabet have 8 weeks to respond to the supplementary Statement of Objections.

AdSense

The Commission has also sent a Statement of Objections to Google on restrictions that the company has placed on the ability of certain third party websites to display search advertisements from Google’s competitors. The Commission’s preliminary view set out in today’s Statement of Objections is that these practices have enabled Google to protect its dominant position in online search advertising. It has prevented existing and potential competitors, including other search providers and online advertising platforms, from entering and growing in this commercially important area.


Google places search ads directly on the Google search website but also as an intermediary on third party websites through its “AdSense for Search” platform (“search advertising intermediation”). These include websites of online retailers, telecoms operators and newspapers. The websites offer a search box that allows users to search for information. Whenever a user enters a search query, in addition to the search results, also search ads are displayed. If the user clicks on the search ad, both Google and the third party receive a commission.

The Commission considers at this stage that Google is dominant in the market for search advertising intermediation in the European Economic Area (EEA), with market shares of around 80% in the last ten years. A large proportion of Google’s revenues from search advertising intermediation stems from its agreements with a limited number of large third parties, so-called “Direct Partners”. The Commission has concerns that in these agreements with Direct Partners, Google has breached EU antitrust rules by imposing the following conditions:

• Exclusivity: requiring third parties not to source search ads from Google’s competitors.
• Premium placement of a minimum number of Google search ads: requiring third parties to take a minimum number of search ads from Google and reserve the most prominent space on their search results pages to Google search ads. In addition, competing search ads cannot be placed above or next to Google search ads.
• Right to authorise competing ads: requiring third parties to obtain Google’s approval before making any change to the display of competing search ads.

The Commission takes the preliminary view that the practices, which have been in place for ten years, hinder competition on this commercially important market. The Statement of Objections takes issue with the exclusivity practice as from 2006. This was gradually replaced from 2009 in most contracts by the requirement of premium placement/minimum ads and the right for Google to authorise competing ads. The Commission is concerned that the practices have artificially reduced choice and stifled innovation in the market throughout the period. They have artificially reduced the opportunities for Google’s competitors on this commercially important market, and therefore the ability of third party websites to invest in providing consumers with choice and innovative services.

The Commission takes note that, in the context of its antitrust proceedings, Google has recently decided to change the conditions in its AdSense contracts with Direct Partners to give them more freedom to display competing search ads. The Commission will closely monitor these changes in Google’s practices to assess how they will impact the market.

Google and Alphabet have 10 weeks to respond to the Statement of Objections.

Background

Google’s flagship product is general internet search. This provides search results to consumers, including online ads which respond to search queries. Google generates a significant proportion of its revenue from search ads. Google therefore has an interest to maximise the number of users that see the ads it places, either on its own websites or those of third parties. The Commission considers that Google has a dominant position in providing general internet search services as well as in placing search advertising on third party websites throughout the EEA, with market shares above 90% and 80%, respectively.

Dominance is, as such, not a problem under EU competition law. However, dominant companies have a responsibility not to abuse their powerful market position by restricting competition, either in the market where they are dominant or in neighbouring markets.

The Commission had opened proceedings in November 2010 on Google’s favourable treatment of its own comparison shopping service as well as restrictions it placed on the ability of certain third party websites to display search advertisements from Google’s competitors. Today’s Statements of Objections outline the Commission’s preliminary views that the way in which Google has sought to maximise traffic to its own websites and limit the ability of competitors to place search ads on third party websites is in breach of EU antitrust rules.

The Commission has at the time also opened proceedings and it will continue to investigate the favourable treatment by Google in its general search results of its other specialised search services, and concerns with regard to copying of rivals’ web content (known as ‘scraping’), and undue restrictions on advertisers.

Furthermore, today’s Statements of Objections are independent of the Commission’s ongoing antitrust investigation in relation to Google’s Android operating system and certain mobile applications. In this regard, in April 2016, the Commission addressed a Statement of Objections to Google and Alphabet.

Procedural background

Today, the Commission decided to initiate proceedings also against Alphabet, Google’s parent company, which was created after the Commission had initiated proceedings against Google. Both Statements of Objections summarised above are addressed to Google and Alphabet. In addition, the April 2015 Statement of Objections has been notified to Alphabet. Article 102 Treaty on the Functioning of the European Union (TFEU) prohibits the abuse of a dominant position which may affect trade and prevent or restrict competition. The implementation of this provision is defined in the Antitrust Regulation (Council Regulation No 1/2003), which can be applied by the Commission and by the national competition authorities of EU Member States. A statement of objections is a formal step in Commission investigations into suspected violations of EU antitrust rules. The Commission informs the company concerned in writing of the objections raised against them. The company can then examine the documents in the Commission’s investigation file, reply in writing and request an oral hearing to present their comments on the case before representatives of the Commission and national competition authorities. A supplementary statement of objections allows the Commission to reinforce its preliminary conclusions and address points the company has raised in its reply to the first Statement of Objections. They also protect the company’s rights of defence by giving it an opportunity to respond formally to additional evidence. Sending a (supplementary) statement of objections does not prejudge the outcome of the investigation, as the Commission takes a final decision only after the parties have exercised their rights of defence. There is no legal deadline for the Commission to complete antitrust inquiries into anticompetitive conduct. 
The duration of an antitrust investigation depends on a number of factors, including the complexity of the case, the extent to which the undertaking concerned cooperates with the Commission and the exercise of the rights of defence. More information is available on the Commission’s competition website, in the public case register under the case numbers 39740 (Google comparison shopping) and 40411 (Google AdSense).

*updated on 14/07/2016, 17:30 CET: replacing “September 2015” by “August 2015”


Moving with the Times – the Commercial Agents Regulations 1993

A recent High Court decision has confirmed that the supply or sale of software constitutes a sale of goods for the purposes of the Commercial Agents (Council Directive) Regulations 1993 (SI 1993/3053) (the Regulations). Until this decision, only software bundled with hardware was deemed to be goods. The case – The Software Incubator Ltd v Computer Associates Ltd [2016] EWHC 1587 (QB) – brings welcome certainty on this point and shines a light on the Regulations, which despite the significant rights they confer, often go unconsidered before entering into agency arrangements. The ruling provides a useful opportunity to take a look at the application of the Regulations and some of the key provisions and for software licensors using agents to promote or sell their products to familiarise themselves with the Regulations, especially since many cannot be contracted out of.

The background

The Regulations were implemented in the UK on 1 January 1994 (pursuant to EC Directive 86/653/EC (Directive)) to bolster a commercial agent’s contractual position due to the perceived imbalance of power between a commercial agent and that of their principal. The Regulations define a commercial agent as a self-employed intermediary (which subsequent case law has confirmed can mean an individual, a partnership or a company) who has continuing authority to negotiate (and in some cases conclude) the sale or purchase of ‘goods’, on behalf of or in the name of, another person.

The definition of goods (or lack thereof)

Absent a definition in the Regulations, what constitutes ‘goods’ has been the subject of some debate. At the time the Regulations came into force, the DTI’s (now BIS) accompanying guidance provided that the definition of goods at s61 of the Sale of Goods Act 1979 (SGA) was a reasonable guide without being determinative. This approach however raised two main issues in respect of software:

1. The definition of ‘goods’ under the SGA refers to ‘chattels’ and therefore implies that goods must be tangible in nature, which, unless bundled with hardware, software is not; and
2. The Regulations refer to a sale or purchase, namely the transfer of title between a seller and a buyer, and software is customarily licensed (albeit often on a perpetual basis), not sold.

In coming to his decision, Waksman J addressed such issues and made the following observations:

• Although software cannot be physically handled or transported, its effects can be likened to gas and electricity (which previous case law has held to constitute goods);
• The software in question was ‘commodified’ meaning it was capable of transfer and commercial exploitation;
• While software itself is intangible, it can only operate in a tangible environment; and
• The sale of goods should not exclude the supply of software just because the ownership of the IP rights in the software will not usually be transferred absolutely (ie by way of assignment).

Payments on termination

The case also looked at whether the claimant was entitled to a compensation payment on termination of the agency agreement. Such payments are a key tenet of the Regulations and we look at them in more detail below.

The general rule under the Regulations is that, subject to some exceptions (see below), if the principal terminates an agency agreement, the agent is entitled to receive a compensation or indemnity payment in recognition of the goodwill and business the agent has built up. This cannot be contracted out of to the agent’s detriment. Unless the contract says otherwise, an agent is entitled to compensation rather than an indemnity payment. The agent is required to give their principal notice of their intention to claim this payment within one year of termination.

The payment may not be payable where the agent is in serious breach of the agreement or where the agent is terminating the agency agreement for convenience. If however the agent is terminating the agreement due to the end of a fixed term contract, the principal’s serious breach or their retirement, ill-health or death, the compensation/indemnity payment will be due. The basis upon which such payments are calculated is summarised below:

Compensation

• The amount of compensation is worked out by calculating the value of the agent’s business and goodwill (or part being terminated) at the date of termination.
• The purpose is to compensate the agent for the loss it will suffer as a result of the end of its relationship with the principal.
• There is no maximum cap.

Indemnity

• The maximum that can be awarded is one year’s remuneration based on the average of the agent’s earnings over the past five years (or, if the contract has run for less than five years, over that shorter period).
• While the indemnity appears to provide greater certainty, the payment of the indemnity does not prevent an agent from seeking damages for loss it has suffered.

Other strict provisions

In addition to a payment on termination, below is a summary of some of the other key provisions that cannot be opted out of to the agent’s detriment:

Long-stop date for payment of commission: Any commission due must be paid to the agent, at the latest, on the last day of the month following the quarter in which it became due.

Commission statement & information: The principal must supply the agent with a statement of commission by the last day of the month following the quarter when commission became due. The agent is entitled to all information necessary to check commission.

Minimum notice periods: Each party must observe the following notice periods and cannot agree a shorter period:

• one month for the 1st year of the contract;
• two months once the 2nd year of the contract has commenced; and
• three months once the 3rd year of the contract has commenced and for subsequent years of the contract.

Where a longer period is agreed, the period of notice to be observed by the principal must not be shorter than that to be observed by the agent.

Good faith: Both parties must act dutifully and in good faith.

Conclusion

The case is a good example of how the courts must interpret laws in light of technology not envisaged at the time of their inception, but also of the wider challenge the legislature faces in keeping up to speed with the increasingly digitised environment in which we work. Following the UK’s vote to leave the EU, it is difficult not to reflect on the genesis of the Regulations. Of course, the effect of Brexit on our laws with European origins is uncertain. Just a few weeks ago, the repeal of, or significant amendment to, legislation so embedded in the UK’s legal and commercial landscape would have seemed most unlikely; yet what is certain now is that, just as the courts have been doing, we will be moving with the times.

Hannah Mitchell, commercial solicitor at Shoosmiths LLP

See also IT Law Today’s editor’s textbook – Commercial Agency Regulations (4th edition Bloomsbury) by Susan Singleton


ISSN 0969 3297 © Singlelaw 2016
IT Law Today is published by: Singlelaw, The Ridge, South View Road, Pinner HA5 3YD • Tel 020 8866 1934 • www.singlelaw.com

Editor: Susan Singleton, Singletons, Solicitors www.singlelaw.com
Production: Frida Fischer • email: [email protected]
Marketing: Susan Singleton • Tel: 020 8866 1934 or email: [email protected]
Publisher: Susan Singleton
Subscription orders and back issues, sales and renewals: Call 020 8866 1934 • email: [email protected] • fax 020 8866 6912.
For legal advice and training on IT/ecommerce/internet and data protection law, email [email protected].

Copyright

While we want you to make the best use of IT Law Today, we also need to protect our copyright. We would remind you that unlicensed copying is illegal. However, please contact us directly should you have any special requirements.

While all reasonable care has been taken in the preparation of this publication, no liability is accepted by the publishers nor by any of the authors of the contents of the publication, for any loss or damage caused to any person relying on any statement or omission in the publication. All rights reserved; no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electrical, mechanical, photocopying, recording, or otherwise without the prior written permission of the publisher.

Singlelaw is the trading name of E S Singleton.