Safe Harbor Update: What you need to do NOW

As discussed in our last newsletter, the European Court of Justice has effectively ruled the ‘Safe Harbor’ agreement between Europe and the US invalid. This means that European businesses can no longer use this as a way to show that the protection offered by a US company is “adequate” for the purposes of the Data Protection Act 1998.

Therefore, from 31 January 2016, any business transferring personal information to a US service provider (which includes any use of very popular online services, such as Amazon Web Services, Salesforce.com, SugarCRM and MailChimp) risk being fined if they do not put the correct alternative measures in place.

What does this mean for your business?

You may believe that this ruling doesn’t affect you, because you do not transfer any personal information to the US.  However, with over 4,000 companies registered under the Safe Harbor agreement – many of whom provide online, digital and hosting services to European businesses – you are more likely to be affected than you might think.  If you input any personal information, either of your customers, prospects, staff, suppliers, or anyone else, to an online service, then you should check where they are based and the steps they are taking to provide adequate protection, in the absence of Safe Harbor.

What should you now do to protect yourself?

• Identify all of the online services you are using into which you might input personal information.
• Work out where these providers are based. Usually a quick look on their website will provide this information.
• If they are within the EU you need to seek confirmation that all “processing” is done within the EEA i.e. all of their offices and servers dealing with EU personal data are located within the EEA.  This information is often provided via a company’s privacy policy.
• If they are outside the EU then you need to check whether the protection they afford is “adequate” for the purposes of the Data Protection Act 1998.  This can usually be done by looking at their privacy policies.  A few examples can be found at the following URLs:

• https://mailchimp.com/legal/forms/data-processing-agreement/.
• https://aws.amazon.com/compliance/eu-data-protection/.
• https://www.sugarcrm.com/sugarcrm-inc-privacy-policy
• https://www.salesforce.com/uk/company/privacy/full_privacy.jsp

1. If the service provider is in the US you will need to check whether they are solely relying on the Safe Harbor agreement.  This information can often be found in their privacy policy.  Some will display the Safe Harbor logo.

If this is the only way in which they are protecting personal information (and Salesforce.com and SugarCRM, amongst many other seem to be in this position at the moment) then, as discussed above, this will not be adequate.

1. The current simplest alternative is to put in place a data processor agreement containing the EU prescribed “model clauses” with your service provider.  This can be agreed between the parties to contractually bind the service provider to the applicable laws.  Some companies, such as Amazon and MailChimp, have already put in place a standard form contract for their customers to sign up to.  Others will be happy to sign a document sent to them by you, their customer.
2. Another option is for the service provider to put in place “binding corporate rules”, which would allow them to share information from the EU with parts of the organisation outside.  This is a complicated and time consuming process and is primarily carried out only by the largest multinational corporations.
3. If your current service provider does not provide adequate protection for personal information then you have a number of options.
4. As mentioned above, you should identify whether they have provided a data processor agreement for their EU customers – if they have done so then the easy option is for you to execute it (having first checked that it is drafted correctly!).
5. If the service provider has not offered to provide a data processor agreement for their EU customers off its own bat, you could still ask them to do so to see whether they will comply – you need to do this promptly as the deadline of 31st January 2016 is fast approaching!
6. As an alternative, you could ask the service provider to sign a data processor agreement that you have prepared for them.  This might make sense if you have a number of different non-EU services providers as they would all then be signed up to the same terms.
7. If none of the above options are available then you may need to move to a different service provider that can give the necessary assurances.

What can Waterfront do for you?

We can advise you on all aspects of data protection and the Safe Harbor ruling.  In particular, we can look at all of your service provider arrangements and tell you whether there are any that do not comply with the law.  We also routinely draft and review data processor agreements and can therefore assist you with ensuring the compliance of your overseas service providers.

Do not delay!  As mentioned above, the Information Commissioner’s Office has agreed that until 31st January 2016 no action will be taken in respect of non-compliance in light of the Safe Harbor ruling, however, after this data the ICO may commence enforcement action against any businesses that continue to transfer data to the US under the Safe Harbor regime without putting in place any other protective measures.  Such enforcement action could take the form of significant fines (the ICO has the ability to award fines of up to £500,000).

Get up, stand up, stand up for your (intellectual property) rights

Dec 17, 2015

In the latest twist in the battle over 13 Bob Marley songs, including the famous ‘No Woman, No Cry’, the Court of Appeal has handed down a judgment dealing with copyright ownership of those works. The case involved the interpretation of contracts, the extent to which the contracting parties’ intentions matter and what forms part of the ‘factual matrix’.

The background to this dispute, the Court’s decision and our take on what it means is set out below. The full case can be accessed here.

Background

Bob Marley was signed as a recording artist with a number of different entities during the course of his career. During the 1970s, when he wrote the 13 songs the subject of this dispute, he was (reportedly) unhappy with the arrangements he had with those entities because he was (he said) not being fairly compensated for his work. As a consequence, he misattributed 13 songs – including the famous song ‘No Woman, No Cry’ – to other artists as a way of gaining remuneration from them. The court called this the “Misattribution Ploy”.

In 1981 he died intestate.  At that point, Chris Blackwell (founder of the record and publishing company Island & other companies in the group) took steps to try to preserve his legacy. One of the things he did was to arrange for Island Logic Ltd (“ILL”) to enter into an agreement with Cayman Music Inc (“CMI”) in 1992 to acquire the rights in a number of Marley’s works.  It did not mention the misattributed songs specifically.

Subsequently, BSI Enterprises Limited (“BSI”) entered into an agreement whereby it purported to buy and licence back to CMI the copyright in the misattributed songs, on the basis that the 1992 agreement had not assigned that copyright to ILL.  BSI and CMI then brought proceedings against Blue Mountain Music Limited, a company that had been receiving royalty collection society payment in relation to these songs, demanding that these royalties be paid over to them.

Therefore the key issue in those proceedings was whether or not CMI’s interest in those songs had passed to ILL under the 1992 agreement.

The High Court Proceedings

In 2014, the High Court refused BSI and CMI’s application for a declaration that pursuant to the 2008 agreement, copyright in the misattributed songs vested in BSI and that CMI was the licensee. It decided that the 1992 agreement did assign the copyright to ILL, because – amongst other things – the definitions of “Compositions” and “Catalogue” referred to all existing musical compositions written by Marley and it would have made no sense for the parties to agree not to include the misattributed songs.

The Appeal

BSI and CMI appealed but the Court of Appeal refused to allow it. A summary of the appellants’ main arguments, and the Court’s reasons for rejecting those arguments, included the following:

1. Argument: the “Preliminary Statement” in the 1992 agreement that ILL wished to purchase and CMI wished to sell “certain” publishing interests indicated that only some of CMI’s publishing interests were to be transferred under the agreement.

The Court’s response: the appellants sought to attach far more weight to the word “certain” than it could possibly bear. It could simply mean that the extent of the assets being sold was to be determined by reference to the terms of the agreement.

2. Argument: Clause 2.1 provided for the transfer of the “Acquired Assets”, which were defined in clause 1.1 as including “Compositions”. However, the term “Compositions” was not defined in clause 1.1 and clause 1.8 only defined the term “Catalogue”. While the terms “Composition” and “Catalogue” appeared in the heading to clause 1.8, this heading had to be disregarded pursuant to clause 16.7, which provided that “….The Article and Section headings contained in this Agreement are for reference purposes only and shall not affect in any way the meaning or interpretation of this Agreement.”

The Court’s response: the term “Compositions” was defined in the 1992 agreement. The words “Composition” and “Catalogue” in clause 1.8 did not have to be disregarded pursuant to clause 16.7 because, appearing at they did at the head of clause 1.8, they identified the particular terms defined in the clause. In any event, the words in the middle of clause 1.8 “individually a ‘Composition’ or collectively the ‘Compositions'” clearly signified that all of the works identified in the preceding words, including specifically musical compositions written and recorded by Bob Marley, were indeed “Compositions” for the purposes of the agreement.

3. Argument: the High Court had made an error in insisting that the language of the 1992 agreement had to accommodate ILL’s stated commercial objective to obtain as many rights in Bob Marley’s creative output as possible.

The Court’s response: that was not an error. The judge had directed himself entirely properly as to the relevant principles of contractual construction. He had emphasised that the intention of the parties was to be determined objectively and that the meaning of the agreement was to be determined from the document itself having due regard to the factual matrix, which he had fairly and properly elaborated.

Comment

The lesson here is that words used in a contract are far more likely to be given their ordinary meaning than be reinterpreted so as to mean something different. It is therefore important to ensure that contracts generally, and copyright assignments in particular, are drafted with care so that important terms are clearly and correctly defined.