Data Protection (“DP”)
DP in the UK and Europe is a hot topic and 2014 should see the finalisation of a new Regulation implementing major reforms across Europe with even tougher regulation and fines for serious data breaches of as much as 2% of global turnover. There has also been a proposal from one of the European Parliament committees that this should be increased even further to an eye-watering 5% of global annual turnover. In the meantime, the current UK legislation remains the Data Protection Act 1988 (“DPA”), enforced by the Information Commissioner’s Office (“ICO”).
Although individuals may take action against companies for breaches of the DPA, this is not common. It is more usual that the ICO will take action – fines could be up to £500,000. The ICO also has other powers under the DPA and some breaches can be a criminal offence.
Attractively for US clients, the UK is currently one of the more laid back jurisdictions in Europe when it comes to data protection and the ICO takes a pragmatic approach to issuing fines or taking other action for breaches. The most common reason for issuing fines in the UK is personal data security breaches. Action is also regularly taken by the ICO where organisations fail to comply with rights of ‘data subjects’ (ie the individuals to whom the personal data relates) – usually failing to comply with direct marketing obligations or rights of access to personal data. Direct marketing is also subject to a layer of additional laws, known as the ‘Privacy and Electronic Communications Regulations’ which sits alongside the DPA.
European data protection laws focus mainly on the “data controller” i.e. the person/entity which determines the purpose for which data is “processed” (a broad concept), and is underpinned by 8 “Data Protection Principles” addressing issues of transparency, necessity, accuracy and security. In the UK only the data controller has to comply with the DPA – not the ‘data processor’ (the data processor is an entity that is acting on behalf of the data controller). There are a few things that US companies should pay particular attention to:
- Where the US entity is a ‘data controller’, it must ensure it has certain contractual provisions in place with its data processors (risk of non-compliance by the data processor lies with the data controller).
- The eighth DPA principle prohibits the ‘transfer’ of personal data outside Europe unless ‘adequate protection’ for the rights of the data subject is ensured unless the data is transferred to a county that has been ‘approved’ by the European Commission. The US is not an approved country. This doesn’t prevent the personal data transfers from the UK but there are a number of hoops organisations must jump through to legitimise the transfers. Safe Harbor can be an effective hoop to jump through although Safe Harbor is currently subject to some heated debate between Europe and the US. Also keep in mind that a ‘transfer’ could include someone at US headquarters viewing personal data located on a server in the UK so it is easy to get caught by these data transfer laws.
Intellectual Property (“IP”)
UK IP legislation tends to be employer-friendly. Where a work is made by an employee in the course of his employment, the employer owns the copyright in the work, subject to any agreement to the contrary. However, the converse is true for independent contractors or commissioned works, so it’s important to make sure all your contracts cover the issue so that intellectual property is assigned. Unfortunately ‘know how’ is not considered a ‘real’ intellectual property right so when an employee leaves a company, they will take with them the general transferable knowledge and skills developed during their time in the job.
Registration of company names and logos as UK trade marks is a must – without registration, you may still have a right of action (under what is known as ‘passing off’) in the event of infringement, but your position is much less robust than if the trade mark were registered. If expanding out into Europe then you should consider obtaining a Community trade mark.
Thank you to Richard Goold (@gooldrichard), Corporate Partner and Co-Chair of the Tech team at Wragge and Co.
To find out more about available office property in the Silicon Roundabout area contact Kushner here.
Artwork by award winning British Artist JJ Adams visit www.eyeballgallery.co.uk for details