The European Parliament has adopted its position on the controversial proposed Copyright Directive, which includes a proposal for online content sharing service providers to remunerate artists (notably news publishers, journalists, musicians, performers and script authors) for their work when it is used by sharing platforms such as YouTube, Facebook or Twitter. The reform of EU copyright rules is part of the European Commission’s Digital Single Market Strategy. The Commission recognises that whilst online services provide ease of access to creative works and offer opportunities for creative industries to develop, it also generates challenges when copyright protected works are uploaded without prior authorisation from copyright holders.
The Scottish Courts have given an interesting decision in relation to IT contracts, relating to the allocation of delivery risk between supplier and customer and the importance of doing what it says in the contract.
In David MacBrayne Limited v Atos IT Services (UK) Limited (2018), Atos, a supplier, had entered into an agreement with David MacBrayne Limited to supply a digital platform. The engagement was not successful and the parties claimed and counter-claimed against each other for material breach of the contract (amongst other things).
Customer Dependencies – Whose Responsibility is Delivery?
IT contracts will often include dependencies on customers to provide the supplier with information/documentation, some negotiated more than others.
In this case, the dependency was on the customer to use all reasonable endeavours to provide such documentation, data and/or information that the supplier reasonably requested and which was necessary to perform its obligations under the contract.
The question was whether this obliged the customer to provide the supplier with detailed specifications of their requirements in sufficient time to allow the supplier to comply with their obligations under the contract. In other words, to what extent should the customer be pro-active in telling the supplier what to do and thereby share delivery risk.
The Court said such general obligations are indicative of a responsive obligation (i.e. respond to queries from the supplier) as opposed to an obligation on the customer to be proactive in setting out their requirements. The Court said such obligations did not displace the obligation of the supplier to be primarily responsible for ascertaining the requirements for the service.
When negotiating IT transactions, it is very important to carefully consider (and negotiate) the scope of dependencies. While this decision points to a pragmatic approach by the courts which favours the customer, the very existence of general (or worse, unclear) dependencies can lead to disputes becoming more protracted and costly than they need to be.
Delay – Managing The Fall Out
The contract required the supplier to provide notice and follow a particular procedure in order to deal with delays. Here that process wasn’t followed. The supplier said it instead opted for a ‘co-operative and facilitative approach’ rather than ‘reaching for the contract’.
The Court said that the supplier was in breach for not following the procedure and this did not assist the supplier in its defence of the claim for material breach for delay. Ultimately, damages were awarded against it.
The judgment of the Court in this case highlights the inherent danger of choosing to ignore the procedural requirements in a contract; it will make claims all the more difficult to successfully prove or defend. The more removed from the letter of the contract the parties conduct is, the more uncertain their legal positions. It is essential to properly manage contracts.
The Law Reform Commission has published an Issues Paper on Privilege for Reports of Court Proceedings under the Defamation Act 2009. The Paper examines and make recommendations on whether changes should be made to the Defamation Act 2009 relating to absolute privilege for reports of court proceedings. Section 17 of the Defamation Act 2009 currently provides that there is absolute privilege (i.e. complete immunity) from a defamation action where the claim is about a “fair and accurate report of proceedings” heard in any court in Ireland, Northern Ireland, or certain European and international courts.
New Regulations require organisations to obtain an individual’s explicit consent in advance of processing personal data for health research purposes. The Regulations, known as the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (SI 314/2018), set out a number of mandatory suitable and specific safeguards to be put in place when processing personal data for health research purposes. The Regulations came into effect on 8 August 2018.
The CJEU has ruled that an unauthorised reposting of a photograph on a website which is already publicly accessible, with the consent of the photographer and without restriction preventing it from being downloaded, on another website, can infringe the copyright rights of a photographer (Renckhoff, C-161/17). It is of little importance if, as in the present case, the copyright holder does not limit the ways in which the photograph may be used by internet users.
New court rules were introduced on 1 August 2018 which will give members of the media permission to access court documents. These measures, which apply in both the civil and criminal courts, will formalise the media’s access to information. The rules give effect to Section 159 (7) of the Data Protection Act 2018 to facilitate fair and accurate reporting of court proceedings.
The European Parliament has voted for the suspension of the Privacy Shield unless the U.S. complies by 1 September 2018. The non-binding resolution was passed 303 to 223 votes, with 29 abstentions. Parliament takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by EU data protection law and the EU Charter as interpreted by the European Court of Justice (CJEU). It considers that, if the US is not fully compliant by 1 September, then the Commission has failed to act in accordance with Article 45(5) GDPR and the Commission should suspend the Privacy Shield until the US authorities comply with its terms. Continue Reading Parliament calls on US to comply with Privacy Shield by September
The Data Protection Commission (DPC) has published Guidelines to support the Government with drafting future regulations restricting the rights of individuals afforded by the GDPR. Whilst the GDPR strengthens the rights of individuals, Article 23 allows Member States or the EU to restrict the scope of individuals’ rights and controllers’ obligations in certain circumstances. Section 60 of the Irish Data Protection Act 2018 (the Act), which came into effect alongside the GDPR, provides for a number of such restrictions, as well as allowing Government Ministers to make regulations further restricting individuals’ rights. It is a mandatory requirement that the Government Minister consults with the DPC before making such regulations.
Last week MoneyConf firmly put Dublin in the Fintech spotlight. The pressure on financial services firms to make better use of technology to reduce costs and improve customer service shows no sign of relenting. At the same time they need to carefully navigate the related regulatory challenges around technology outsourcing. A member of the ECB Supervisory Board recently observed that banks are not “technological houses” and said that the fragmentation of banks’ services across a range of external providers creates a “challenge” for banks’ leaders, who retain responsibility. This statement will resonate, in particular, with financial institutions looking to understand how much they are currently using, and how they can make more and better use of, cloud based technology solutions.
The Data Protection Commission (DPC) has revamped its website and published online forms to help organisations comply with their new obligations under the GDPR.
The website contains a new Data Protection Officer (DPO) Notification Form, which must be completed by organisations to inform the DPC of their DPO’s contact details. The GDPR requires the appointment of a DPO in the following circumstances: (i) where the processing is carried out by public bodies or authorities; (ii) where an organisation’s core activities consist of large-scale regular and systematic monitoring of data subjects; and (iii) where an organisation’s core activities involve large-scale processing of special categories of data (i.e. sensitive data) or personal data relating to criminal convictions and offences. A DPO may also be appointed on a voluntary basis. However, organisations should be aware that a DPO designated on a voluntary basis will be subject to the same obligations and tasks under the GDPR as if the designation had been mandatory.