PART 2 – The regulatory outlook for the Internet of Things

Posted on October 22nd, 2014 by

In Part 1 of this piece I posed a question asking: the Internet of Things – what is it? I argued that even the concept of the Internet of Things (“IoT”) itself is somewhat ill-defined, making the point there is no definition of IoT and, even if there were, that the definition will only change. What’s more, IoT will mean different things to different people and talk to something new each year.

For all the commentary, there is no specific IoT law today (sorry, there is no Internet of Things (Interconnectivity) Act in the UK (and nor will there be any time soon)). We are left applying a variety of existing laws across telecoms, intellectual property, competition, health and safety and data privacy / security. Equally, with a number of open questions about how the IoT will work, how devices will communicate and identify each other etc., there is also a lack of standards and industry-wide co-operation around IoT.

Frequently based around data use and with potentially intrusive application in the consumer space (think wearables, intelligent vehicles and healthtech) there is no doubt that convergence around IoT will fan privacy questions and concerns.

An evolving landscape

This lack of definition, coupled with a nascent landscape of standards, interfaces, and protocols leaves many open questions about future regulation and the application of current laws. On the regulatory front there is little sign of actual law-making or which rules may evolve to influence our approach or analysis.

Across the US, UK and the rest of Europe, the regulatory bodies with an interest in IoT are diverse, with a range of regulatory mandates and, in some cases, a defined role confined to specific sectors. Some of these regulators are waking up to potential issues posed by IoT and a few are reaching out to the industry as a whole to consult and stimulate discussion. We’re more likely to see piecemeal regulation addressing specific issues than something all-encompassing.

The challenge of new technology

Undoubtedly the Internet of Things will challenge law makers as well as those of us who construe the law. It’s possible that, in navigating these challenges and our current matrix of laws and principles, we may influence the regulatory position as a result. Some obvious examples of where these challenges may come from are:

  1. Adaptations to spectrum allocation. If more devices want to communicate, many of these will do so wirelessly (whether via short range or wide area comms or mobile). The key is that these exchanges don’t interfere with each other and that there is sufficient capacity available within the allocated spectrum. This may need to be regulated;
  2. Equally, as demand increases, with a scarce resource what kind of spectrum allocation is “fair” and “optimal” and is some machine to machine traffic more important than other traffic? With echoes of the net neutrality debate the way this evolves will be interesting. Additionally, if market dominance emerges around one technology will there be competition/anti-trust concerns?
  3. The technologies surrounding the IoT will throw up intellectual property and licensing issues. The common standards and exchange and identification protocols themselves may be controlled by an interested party or parties or released on an “open” basis. Regulation may need to step in to promote economic advance via speedy adoption or simply act as an honest broker in a competitive world; and
  4. In some applications of IoT the concept of privacy will be challenged. In a decentralised world the thorny issues of consent and reaffirming consent will be challenging. This said, many IoT deployments will not involve personal information or identifiers. Plus, whatever the data, issues around security become more acute.

We have a good idea what issues may be posed, but we don’t yet know which will impose themselves sufficiently to force regulation or market intervention.

Consultation – what IoT means for the policy agenda

There have been some opening shots in this potential regulatory debate because a continued interconnectivity between multiple devices raises potential issues.

In issuing a new Consultation: “Promoting investment and innovation in the Internet of Things”, Ofcom (the UK’s communications regulator) kicked off its own learning exercise to identify potential policy concerns around:

  1. spectrum allocation and providing for potential demand;
  2. understanding of the robustness and reliability issues placed upon networks which demand resilience and security. The corresponding issue of privacy is recognised also;
  3. a need for each connected device to have an assigned name or identifier and questioning just how those addresses should be determined and potentially how they would be assigned; and
  4. understanding their potential role as the UK’s regulator in an area (connectivity) key to the evolution of IoT.

In a varied and quite penetrable paper, Ofcom’s consultation recognises what many will be shouting: their published view “is that industry is best placed to drive the development, standardisation and commercialisation of new technology”. However, it goes on to recognise that “given the potential for significant benefits from the development of the IoT across a range of industry sectors, [Ofcom] are interested in views on whether we should be more proactive; for example, in identifying and making available key frequency bands, or in helping to drive technical standards.”

Europe muses while Working Party 29 wades in early warning about privacy

IoT adoption has been on Europe’s “Digital Agenda” for some time and in 2013 it reported back on its own Conclusions of the Internet of Things public consultation. There is also the “Connected Continent” initiative chasing a single EU telecoms market for jobs and growth. The usual dichotomy is playing out equating technology adoption with “growth” while Europe wrestles with an urge to protect consumers and markets.

In just one such fight with this urge, in the past month the Article 29 Working Party (comprising the data privacy regulators of Europe) published its own Opinion 8/2014 on the Recent Developments on the Internet of Things. Recognising that it’s impossible to predict with any certainty the extent to which the IoT will develop, the group also calls out that the development must “respect the many privacy and security challenges which can be associated with IoT”.

Their Opinion focuses on three specific IoT developments:

  1. Wearable Computing;
  2. Quantified Self; and
  3. Domotics (home automation).

This Opinion doesn’t even consider B2B applications and more global issues like “smart cities”, “smart transportations”, as well as M2M (“machine to machine”) developments. Yet, the principles and recommendations in their Opinion may well apply outside its strict scope and cover these other developments in the IoT. It’s one of our only guiding lights (and one which applies high standards of responsibility).

As one would expect, the Opinion identifies the “main data protection risks that lie within the ecosystem of the IoT before providing guidance on how the EU legal framework should be applied in this context”. What’s more the Working Party “supports the incorporation of the highest possible guarantees for individual users at the heart of the projects by relevant stakeholders. In particular, users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific.”

The Fieldfisher team will shortly publish its thoughts and explanation of this Opinion. As one may expect, the IoT can and will challenge the privacy notions of transparency and consent let alone proportionality and purpose limitation. This means that accommodating the EU’s data privacy principles within the application of some IoT will not always be easy. Security poses another tricky concept and conversation. Typically these are issues to be tackled at the design stage and not as a legal afterthought. Step forward the concept of privacy by design (a concept recognised now around the globe).

In time, who knows, we may even see the EU Data Protection Regulation pass and face enhanced privacy obligations in Europe with new focus on “profiling” and legal responsibilities falling beyond the data processor exacting its own force over IoT.

The US is also alive to the potential needs of IoT

But Europe is not alone: with its focus on activity-specific laws or laws regulating specific industries, even the US may be addressing particular IoT concerns with legislation. Take the “We Are Watching You Act” currently with Congress and the “Black Box Privacy Protection Act” with the House of Representatives. Each now apparently has a low chance of actually passing, but may regulate monitoring of surveillance by video devices in the home and force car manufacturers to disclose to consumers the presence of event data recorders, or ‘black boxes’, in new automobiles.

A wider US development possibly comes from the Federal Trade Commission who hosted public workshops in 2013, itself interested in privacy and security in the connected world and the growing connectivity of devices. In the FTC’s own words: “[c]onnected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The workshop brought together academics, business and industry representatives, and consumer advocacy groups to explore the security and privacy issues in this changing world. The workshop served to inform the Commission about the developments in this area.” Though there are no concrete proposals yet, 2014 has seen a variety of continued commentary around “building trust” and “maximising consumer benefits through consumer control”. With its first IoT enforcement action falling in 2013 (in respect of connected baby monitors from TRENDnet whose feeds were not secure) there’s no doubt the evolution of IoT is on the FTC’s radar.

FTC Chairwoman Edith Ramirez commented that “The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet”.

No specific law, but plenty of applicable laws

My gut instinct to hold back on my IoT commentary had served me well enough. In the legal sense with little to say, perhaps even now I’ve spoken too soon? What is clear is that we’re immersing ourselves in IoT projects, wearable device launches, health monitoring apps, intelligent vehicles and all the related data sharing already. The application of law to the IoT needs some legal thought and, without specific legislation today, as for many other emerging technologies we must draw upon:

  1. Our insight into the existing law and its current application across different legal fields; and
  2. Rather than applying a rule specific to IoT, we have to ask the right questions to build a picture of the technology, the way it communicates and figure out the commercial realities and relative risks posed by these interactions.

Whether the internet of customers, the internet of people, data, processes or even the internet of everything; applied legal analysis will get us far enough until we actually see some substantive law for the IoT. This is today’s IoT challenge.

Mark Webber – Partner, Palo Alto California




Part 1: Cutting through the Internet of Things hyperbole

Posted on October 15th, 2014 by

I’ve held back writing anything about the Internet of Things (or “IoT”) because there are so many developments playing out in the market. Not to mention so much “noise”.

Then something happened: “It’s Official: The Internet Of Things Takes Over Big Data As The Most Hyped Technology” read a Forbes headline. “Big data”, last week’s darling, is condemned to the “Trough of Disillusionment” while Gartner moves IoT to the very top of its 2014 emerging technologies Hype Cycle.

Something had to be said. The key point for me is that the IoT is “emerging”. What’s more, few are entirely sure where they are on this uncharted journey of adoption. IoT has reached an inflexion point and a point where businesses and others realise that identifying with the Internet of Things may drive sales, shareholder value or merely kudos. We all want a piece of this pie.

In Part 1 of this two part exploration of IoT, I explore what the Internet of Things actually is.

IoT – what is it?

Applying Gartner’s parlance, one thing is clear; when any tech theme hits the “Peak of Expectations” the “Trough of Disillusionment” will follow because, as with any emerging technology, it will be some time until there is pervasive adoption of IoT. In fact, for IoT, Gartner says widespread adoption could be 5 to 10 years away. However, this inflexion point is typically the moment in time when the tech industry’s big guns ride into town and, just as with cloud (remember some folk trying to trade mark the word?!), this will only drive further development and adoption. But also further hype.

The world of machine to machine (“M2M”) communications involved the connection of different devices which previously did not have the ability to communicate. For many, the Internet of Things is something more. As Ofcom (the UK’s communications regulator) set out in its UK consultation, IoT is a broader term, “describing the interconnection of multiple M2M applications, often enabling the exchange of data across multiple industry sectors”.

“The Internet of Things will be the world’s most massive device market and save companies billions of dollars” shouted Business Week in October 2014, happy to maintain the hype but also acknowledging in its opening paragraph that IoT is “beginning to grow significantly”. No question, IoT is set to enable large numbers of previously unconnected devices to connect and then communicate, sharing data with one another. Today we are mainly contemplating rather than experiencing this future.

But what actually is it?

The emergence of IoT is driving some great debate. When assessing what IoT is and what it means for business models, the law and for commerce generally, arguably there are more questions than there are answers. In an exploratory piece in ZDNET Richie Etwaru called out a few of these unanswered questions and prompted some useful debate and feedback. The top three questions raised by Richie were:

  1. How will things be identified? – believing we have to get to a point where there are standards for things to be sensed and connected;
  2. What will the word trust mean to “things” in IoT? – making the point we need to redefine trust in edge computing; and
  3. How will connectivity work? – Is there something like IoTML (The Internet of Things Markup Language) to enable trust and facilitate this communication?


None of these questions are new, but his piece reinforces that we don’t quite know what IoT is and how some of its technical questions will be addressed. It’s likely that standardisation or industry practice and adoption around certain protocols and practices will answer some of these questions in due course. As a matter of public policy we may see law makers intervene to shape some of these standards or drive particular kinds of adoption. There will be multiple answers to the “what is IoT?” question for some time. I suspect in time different flavours and business models will come to the fore. Remember when every cloud seminar spent the first 15 minutes defining cloud models and reiterating extrapolations for the future size of the cloud market? Brace yourselves!

I’ve been making the same points about “cloud” for the past 5 years – like cloud the IoT is a fungible concept. So, as with cloud, don’t assume IoT has definitive meaning. As with cloud, don’t expect there is any specific Internet of Things law (yet?). As Part 2 of this piece will discuss, law makers have spotted there’s something new which may need regulatory intervention to cultivate it for the good of all but they’ve also realised that there’s something which may grow with negative consequences – something that may need to be brought into check. Privacy concerns particularly have raised their head early and we’ve seen early EU guidance in an opinion from the Article 29 Working Party, but there is still no specific IoT law. How can there be when there is still little definition?

Realities of a converged world

For some time we’ve been excited about the convergence of people, business and things. Gartner reminds us that “[t]he Internet of Things and the concept of blurring the physical and virtual worlds are strong concepts in this stage. Physical assets become digitalized and become equal actors in the business value chain alongside already-digital entities”. In other words; a land of opportunity but an ill-defined “blur” of technology and what is real and merely conceptual within our digital age.

Of course the IoT world is also a world bumping up against connectivity, the cloud and mobility. Of course there are instances of IoT out there today. Or are there? As with anything that’s emerging the terminology and definition of the Internet of Things is emerging too. Yes there is a pervasiveness of devices, yes some of these devices connect and communicate, and yes devices that were not necessarily designed to interact are communicating, but are these examples of the Internet of Things? Break these models down into constituent parts for applied legal thought and does it necessarily matter?

Philosophical, but for a reason

My point? As with any complex technological evolution, as lawyers we cannot apply laws, negotiate contracts or assess risk or the consequences for privacy without a proper understanding of the complex ecosystem we’re applying these concepts to. Privacy consequences cannot be assessed in isolation and without considering how the devices, technology and data actually interact. Be aware that the IoT badge means nothing legally and probably conveys little factual information around “how” something works. It’s important to ask questions. Important not to assume.

In Part 2 of this piece I will discuss some early signs of how the law may be preparing to deal with all these emerging trends. Of course the answer is that it probably already does and it probably has the flexibility to deal with many elements of IoT yet to emerge.


How can I use my US sales terms in Europe?

Posted on October 14th, 2014 by

Nearly every US in-house counsel has faced the task of tackling an impending overseas deal when only US State law governed terms are at hand. Staring down the barrel at an unknown legal system, a familiar scene plays out:

Do you push to use the US terms unamended?

Often, there is an overwhelming desire to use what you have. You have invested time in these terms, you understand their structure and where you would concede on them. What’s more, they are based on your home law. If you get embroiled in litigation, it is not far to travel to litigate in the Santa Clara County courts and you will be defending your position with California law and with terms you drafted.

However, if you use them abroad, are they enforceable?

Should you fully localise the US terms?

If there is the budget and time available, another option is to take the US form and have someone with the right expertise “localise” the contract. They can make the necessary amendments to ensure the provisions comply with the relevant local law and local market practices. Inevitably, this involves relinquishing the relative sanctity of local courts and familiar law.

When localised, you know the contract will now be enforceable and acceptable. But what have you lost? Unfamiliar with your systems and appetite for risk, has the local counsel “given away” ground? Why are there now fewer exclusions and wider warranty provisions? Inevitable, some control is ceded.

The contractual dilemma

Depending on the scenario, it may be reasonable to take either approach. Seasoned advisors will know where to draw the line. The decision is a fundamental one which sets the tone and shape of negotiations immediately. Where each side favours their own system and laws, building an entrenched position in favour of home advantage may, in practice, turn out to be the wrong decision.

Yes, each party could agree to local law and the right to apply for their home courts when defending an action under the contract. But what will a French court make of a US style exclusion of liability clause crafted for Washington State law? At that point you may wish you had localized.

Yes, local counsel can attempt to cobble together an agreement which would “work” in every EU Member State as well as the US, but do you understand and accept the consequential risks of an imperfect document? With a true blend of applicable systems, can anyone actually understand the extent of the compromises being made?

The legal dilemma

Like it or not, different territories have different laws. There are 28 states in the European Union and across these states there are tranches of relatively harmonised laws in certain areas. The basic underlying laws of contract and case law or codes which aid their interpretation are, however, all different.

Faced with just such a decision regarding localisation – what 10 issues should you consider?

One: Freedom of contract

In Europe we have “freedom of contract”. For most business-to-business (B2B) contracting scenarios, it is possible for the parties to negotiate freely and choose the law that should apply to the contract and to the forum that should hear any resulting dispute. Yes, particular local regulation may intervene in a few areas, but there is nothing to outlaw a Delaware State law deal between two consenting businesses in Italy.

The instinctive reaction is to go with what is familiar. Instead, step back and consider the likely scenarios in which the contract could be enforced. Consider also the legal concepts/provisions on which you are most likely to rely.

Two: When consumers are involved in Europe, work to their local law

Across the European Union, when consumers are contracting, the game changes. EU consumers are always entitled to have any contract they are entering into subject to the law of the land in which they are domiciled. This is the case whether the Dutch consumer is offered Californian or Belgian law. Any attempt to over-ride this will fail.

Additionally, an EU-based consumer cannot be denied their local court. And, no matter how hard you try, you cannot force a consumer into arbitration.

If a court will apply the consumer’s local law, to get the best protections for the business, you should try to craft terms around these laws. Take time to assess the local system and approach of peers and regulators. In Germany consumer organisations and even competitors have standing to object. Elsewhere, there are potentially more lenient enforcement regimes. US terms may be unenforceable but, if it’s a free product, perhaps retaining US State law is an acceptable risk to take?

Additionally, European consumers are entitled to terms which are:

  • “fair” and “reasonable”; and
  • accessible in “plain and intelligible” language.

This means not only the use of clear and non-technical language, but also local language (English language terms for a French customer are always “unfair” and unenforceable). The law also overreaches to restrict how aggressive and one-sided you can be. There cannot be a “significant imbalance” in approach. Admittedly, drafting to this vague and flexible notion can be a challenge. 

Three: Be aware of legalese and differences in terminology

Words familiar and acceptable in the US sometimes have a different interpretation in the EU. For example, only an individual goes “bankrupt” in the UK and, at times, restrictions permissible in the US are outlawed in the EU. The use of stock phrases like “save as may be permitted by law” or “including the occurrence of any analogous event in any jurisdiction”, can get you so far but, as in any legal system, there is an art to crafting restrictions within laws and limitations.

As discussed below, this is particularly the case with vocabulary used to exclude liability.

Four: Consider and assess mandatory laws

“Make the necessary amendments for local mandatory laws” – this is a common instruction which is rarely understood. Few have the confidence to get to the bottom of whether there is value in doing this kind of review. The answer varies depending on the context and market.

Sometimes, including a provision which over-steps a mandatory law simply renders the provision unenforceable. Occasionally, it may be tactical to include the restriction, knowing that some opposing parties may believe it to be enforceable and not open to challenge. However, over-stepping in areas of competition/anti-trust law (e.g. by fixing prices or imposing minimum pricing in a vertical agreement) could lead to significant fines and pain.

Five: Dealing with intellectual property

There are a number of nuances to be aware of when dealing with intellectual property (IP). First, be aware that “Works for Hire” concepts do not apply in Europe. If you want to own the IP created, you will need to get an express written assignment.

If the circumstances dictate, ensure a developer of IP waives any moral rights (rights to be recognised as author). These moral rights can be waived but only by the author. Consider contractual obligations to ensure the appropriate waivers are provided by legal persons other than the contracting party.

Thanks to international treaties many IP concepts are similar, but be aware of Europe’s unique beast – the database right. Where there is specific effort involved in compiling a database (even absent any element of creativity), an IP right known as database right may arise. Does the contract consider this right and do you need any specific rights to use, transfer, or protect any database?

Six: Effectively excluding liability

If you do anything, consider provisions limiting or excluding liability:

(1) There are certain liabilities which cannot be excluded by law (e.g. causing death or personal injury as the result of negligence in the UK).

(2) Case law or codified law in various European countries ascribes particular meaning to commonly used words like “indirect”, “consequential”, and “direct” loss. In the UK loss of profit can be a direct loss. In most jurisdictions the courts will never make exemplary or punitive awards. Use of any of these words in exclusions is likely to be unfair when dealing business-to-consumer.

(3) There is often an over-riding concept of reasonableness which pervades contractual exclusions. This applies where a vendor deals on non-negotiated standard terms or to provisions which are not negotiated. Under unfair contract legislation, in many circumstances, clauses which exclude too much, and leave no real remedy other than refund of monies paid, may well contain unreasonable exclusions which are open to challenge in the courts (even B2B).

While evolving case law applies at common law, if you move to France, Germany or Austria your exclusion clause may need to say much less because the applicable codes imply core principles around recovery and exclusions.

Seven: Effectively dealing with privacy

A common mistake when deploying a US-style contract in a European situation is to forget to consider what is not there; privacy is seldom sufficiently dealt with. As you will be aware, European privacy laws are rigorous and have ubiquitous application to personal data, unlike the US situation where particular privacy wrongs have been addressed on a sectoral basis.

In a nutshell, in Europe, the “data controller” (as the entity that makes decisions about the manner in which personal data is used) has a legal responsibility in relation to the use and sharing of that data. Rules which apply across the EU require data controllers to handle data in accordance with eight broad principles. The seventh principle requires the data controller to ensure it has a written contract with a data processor (i.e. an entity processing or using the data on their behalf) requiring certain contractual protections to ensure that the data remains adequately protected. Under that same principle, they also have an obligation to ensure they take technical and organisational steps to keep those data secure.

Data controllers are required to pass on certain contractual requirements to ensure that data is protected by their data processor, and to ensure these obligations are flowed down to any sub-processors. Of course, European rules equally restrict the transfer of personal data outside of the European Economic Area (the 28 EU Member States plus Norway, Iceland, and Liechtenstein), unless there is adequate protection for that data. Typically this is a key point of contractual friction.

Eight: Assess and understand what terms are automatically implied into a contract

On the basis that implied provisions usually add risk and liability, it is important to understand what terms will be implied into any contract. Broad-brush exclusions can be effective but be aware some implied terms are conditions and not warranties like the US. Standard US language often misses this or alternative concepts like “satisfactory quality”.

Not all implied terms can be excluded in all situations. Importantly, know where these can be excluded and, where possible, ensure that you effectively exclude them.

Nine: Boilerplate

An area often ignored is the boilerplate. Sometimes, localisation focuses only on how and where to serve notices within the EU. Precedent law has evolved to require terms be drafted in a particular manner. Whilst the boilerplate in US and EU agreements may appear similar at first glance, there are subtle differences which are there for a reason. Fraudulent misrepresentations cannot be effectively excluded with an entire agreement clause in the UK. Some EU jurisdictions have laws which dispense with the rules of privity of contract – do you want a third party who is not a party to this contract taking a benefit?

Ten: “Look and feel”

So, you think this final point is trivial? While many agreements used in Europe have their roots in the US, it’s amazing how easy it is to spot a US agreement. Whether it is the lengthy paragraphs, references to “Section” and not “Clauses”, CAPITALISATION, or simply the tone, a US agreement is easily identified. This is not always an issue, but, if you’re a vendor competing with other European businesses or trying to get your own terms accepted in a battle of the forms scenario – “look and feel” counts.

In Europe, it’s not necessary to capitalise to ensure the effectiveness of clauses. Equally, if you’ve not fully localised, a single unenforceable clause or concept included within a large paragraph may cause the entire clause to fail. If you are not fully localising, sometimes breaking up concepts and clauses and considering severability counts.


There is lots to think about and the devil is in the detail. Striking a clear balance and making a determination based on the actual risk is important. Risks will vary depending on the circumstances. In a business-to-consumer context, more careful and more piecemeal localisation is typically required.

Ultimately, do you want to understand why a provision works effectively in the EU, or are you prepared to risk it?

Mark Webber, Partner – Fieldfisher (Palo Alto, California)




Local Digital Terrestrial Television Licensing Update

Posted on October 1st, 2014 by

In July 2011, the then Culture Secretary, Jeremy Hunt, set out his proposed framework for local television in the UK*, and the Local Digital Television Programme Services Order 2012 was passed amending the Broadcasting Act 1996 and the Communications Act 2003 to enable the provision of local digital television services.  Also passed were the Wireless Telegraphy Act 2006 (Directions to OFCOM) Order 2012, providing for spectrum to be kept available for the broadcast of local television services; and the Code of Practice for Electronic Programme Guides (Addition of a Programme Service) Order 2011, amending s.310 of the Communications Act 2003 to make local television services a ‘public service channel’, requiring them to be given preference along with the other public service offerings.

On 15th September Ofcom, which has responsibility for licensing local television stations, issued an update to summarise the progress made over the last two years – the headlines are that:

– 30 local television licences have been granted to a number of different organisations across the UK – these include not-for-profit community ventures, as well as commercial ventures involving TV production companies, local newspapers, and the education sector; and

– there are currently six local channels on air (in London, Nottingham, Glasgow, Norwich, Brighton & Hove, and Grimsby), broadcasting local services to a potential audience of 6 million viewers. Ofcom believes that, to date, around 6,400 hours of local programming has been transmitted.

A second phase of licensing is now underway**.

*The framework is available at

**For further information regarding the licensing of local television, see Ofcom’s website –



The Smart Metering Implementation Programme – an update

Posted on September 15th, 2014 by

The latest report of the Public Accounts Committee on the preparations for the UK Smart Metering Implementation Programme was published on 10 September 2014.  The report provides an insight into the progress of the Programme along with recommendations on how to tackle a steadily growing list of potential issues.

The Smart Metering Implementation Programme is an initiative led by the Department of Energy and Climate Change which requires UK energy suppliers to replace existing gas and electricity meters in homes and small businesses with smart meters.  The cost of this (currently estimated to be £215 per household) will be passed on to consumers by energy suppliers via a small increase in energy bills over the course of several years but offset by increased savings to consumers as a result of their new found ability to keep track of and optimise their energy use.  Along with establishing the necessary infrastructure to facilitate the Programme, the Department of Energy and Climate Change has established the regulatory framework requiring suppliers to install the meters and to establish and fund a new central body whose role is to increase awareness of the Programme and promote long-term behavioral changes in consumers.

Although a number of potential issues are identified by the Committee, the two key concerns (besides predictable reservations over the increasing cost of the Programme) were as follows:

1. “The [Department of Energy and Climate Change] is primarily relying on assumed competition in the industry to control costs and deliver benefits. This may well prove insufficient on its own to protect consumers”; and

2. “There is also a danger that the Government gets locked into an existing technology when technologies are changing fast – leading to consumers paying for investment in a system which is already out of date.”

With regards to the latter, of particular concern to the Committee is that certain aspects of the Programme could be out-of-date by the time it is fully rolled out. The example given in the report to illustrate this is that of the in-home displays which allow consumers to view real time data of their energy usage becoming redundant even before they’re installed owing to the increasing likelihood that such a function could be carried out using a consumer’s smart phone instead.

The UK wide roll-out is currently penciled in to be completed by the end of 2020.


EU Cloud Strategy — a step towards model SLAs?

Posted on September 10th, 2014 by

In late June 2014 the Cloud Select Industry Group (C-SIG) delivered guidelines to help EU businesses contract in the cloud. This output is one of a number of pillars within the Commission’s European Cloud Strategy and emanates from the work stream tasked with the development of model safe and fair contract terms. These Guidelines are not prescriptive cloud terms but aim to be the first step towards standardised building blocks for Service Level Agreements (SLAs) and associated metrics. Not law, but it may influence the development of contracting standards.

The context

The European Commission consulted on the future for cloud computing within the digital economy in 2011. This led to the Cloud Computing Strategy published with great fanfare in September 2012. Setting out its vision of the future, the Commission indicated it would be “unleashing the potential of cloud computing in Europe”. In a communication bearing this phrase, it set an objective of “enabling and facilitating faster adoption of cloud … throughout all sectors of the economy”. Aimed squarely at finding “ways to maximise the potential offered by the cloud” this Cloud Strategy is the result of analysis of the overall policy, regulatory and technology landscape.

Preparatory work

In announcing its Cloud Strategy the Commission highlighted an urgent need for actions to address three key areas:

  • Fragmentation of the single market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location;
  • Problems with contracts related to worries over data access and portability, change control and ownership of the data; and
  • A jungle of standards, leading to confusion caused by a proliferation of standards and a lack of certainty as to which standards provide adequate levels of interoperability of data formats to permit portability.

Select industry groups

The Strategy explains that: “several of the identified actions are designed to address the perception, by many potential adopters of cloud computing, that the use of this technology may bring additional risks.” Working groups were set up via DG Connect and, in November 2013, the European Cloud Partnership launched to assess and potentially coordinate common and transparent public sector cloud procurement processes throughout the EU. This is something which could be of great benefit to large enterprise cloud vendors seeking simplified and more consistent procurement models across multiple jurisdictions in the EU.

The working groups have started to feed back their early findings. In November 2013 the European Telecommunications Standards Institute (ETSI) published its final report titled “Cloud Standards Co-ordination” concluding that “cloud standardization is much more focussed than anticipated”. They portrayed the landscape as “complex but not chaotic and by no means a ‘jungle’”. ETSI’s report tries to define the cloud and classify numerous use cases. It then goes on to list some 20 relevant organisations with a hand in cloud standardisation and over 150 associated documents, specifications and whitepapers. These are all cloud enablers but are maturing and ETSI recommends further monitoring and reporting. Interesting stuff, but far from definitive, and offering little guidance to today’s cloud adopters.

Safe and Fair Contract Terms and Conditions

The EU Cloud Strategy is seeking a new approach and is in part based upon the idea that the EU may be able to ease the pain of adoption via new regulation (including data privacy reform). Thankfully, this is not solely about new potential laws. There are wider policy and political commitments. The EU’s Digital Agenda set the objective to “simplify copyright clearance, management and cross border licensing” now viewed as an element of the necessary steps to make Europe more cloud friendly. Part of this vision also involves the Common European Sales Law (CESL) proposals which envisage a single EU wide consumer contract law which could displace national contracting regimes and jurisdictional issues thus facilitating more cross border trading in the EU.   The political belief is that current contract laws potentially impact digital confidence as consumers have a lack of certainty about their rights.   It’s hoped that a uniform law may change this but any such change is a long way away today.

With all of the above in mind, the Cloud Strategy aimed to address issues not being considered within the CESL and the wider Digital Agenda. Importantly four elements were called out:

  • Data preservation after termination of the contract;
  • Data disclosure and integrity;
  • Data location and transfer / Ownership of the data; and
  • Direct and indirect liability, change of service by providers and subcontracting.

The EU plans to identify and then publish best practices in relation to model contract terms. The hope is that by socialising this information, and providing better optics in relation to the “how to” of cloud contracting, this should lead to more supplier consistency and transparency but will also accelerate cloud adoption by building trust in the cloud.

C-SIG reporting on SLAs

The June 2014 report from C-SIG (made up of a select group of industry bodies and IT service providers) offered up a 41 page

cause. What the Cloud Service Level Agreement Standardisation Guidelines do well is set out and further define a range of concepts which, depending on the nature of the cloud model and the type of applicable services, could be employed in a cloud SLA. The intention is to set out a “set of principles that can assist organizations, through the development of standards and guidelines for cloud SLAs and other governing documents”. The C-SIG makes it clear that the principles are not intended to be limiting nor even to set model terms. They are “guidelines” and could be used as a checklist or prompt during drafting and negotiations.

The Guidelines are intended to be technology neutral, to have worldwide applicability and attempt to set out some unambiguous definitions of common cloud concepts and terminology.

Comparable Service Level Objectives (SLO)

The C-SIG believes that in order for cloud customers to easily make like-for-like comparisons and be informed about the services of competing cloud vendors, it would be best if the service level objectives derive from the same roots. They explain that the SLO does not need to be determined by identical means, but sufficient information about the SLO needs to be provided. This is why they are setting out standardized terminology, metrics and templates — they hope these will be used to provide extra insight in making these decisions.

The Guidelines go on to expand upon what the C-SIG believes to be some of the most common SLOs and the performance of related aspects of the interface between the cloud service customer and the vendor. There is an outline SLO and associated description for:

  • Performance including: Availability; Response Time; Capacity; Capability indicators; Support; Reversibility and the Termination Process;
  • Security including: Service Reliability, Authentication & Authorisation, Cryptography; Security Incident Management and Reporting, Logging and Monitoring; Auditing and Verification and Governance;
  • Data Management including: Data Classification, Data Monitoring, Backup and Restore, Data Lifecycles and Data Portability; and
  • Personal Data Protection including: Codes of Conduct, Standards and certification mechanisms, Purpose Specification, Data Minimisation, Use, Retention and disclosure limitation, Openness, Transparency and notice, Accountability, Geographical location of data, Intervenability.

What next?

Whether this information rather than structure approach will be adopted remains to be seen. The next step is for the Commission to test the Guidelines with users and discuss it within an expert group in October 2014. If the Guidelines are to gain traction there needs to be significant vendor buy-in (particularly from the dominant US players). If the International Standards Organisation (ISO) or other bodies move to incorporate or adopt these Guidelines this may in turn feed new international standards on SLAs for cloud.

Thought also needs to be given to the Guidelines’ applicability to multi-tenanted services. Perhaps time should be invested gathering the views of smaller cloud vendors as the Guidelines contain more extensive SLOs than many standard cloud deals today. Vendors will be shifting uneasily if these are to shape all EU cloud deals in the future. Protecting buyers is one thing, but trust comes from balance and fairness. This is not law but it may force into being guidelines that are treated as EU law.



Ofcom consultation on mobile spectrum licence fees

Posted on August 1st, 2014 by

Ofcom has recently conducted research which shows that UK consumers now believe that the ability to obtain emergency assistance, contact friends and family, access information, education and entertainment make the provision of mobile telecommunications essential services. This demonstrates how access to voice services and mobile internet has become central to the way we live and work in the 21st Century.

Today, Ofcom has published its latest consultation document in relation to the revision of the annual licence fees for the use by mobile network operators (“MNOs“) of the 900MHz and 1900MHz bands of the electromagnetic spectrum. The bands are currently used for the delivery of 2G, 3G, and 4G mobile services. This review arises out of Ofcom’s mandate, imposed by the Government, to ensure that the annual licence fees reflect full market value following completion of the 4G auction.

MNOs currently pay a total of £24.8m per year for spectrum in the 900MHz band, and £39.7m for spectrum in the 1800MHz band. The revised figures currently proposed are £109.3m per year for spectrum in the 900MHz band, and £137.5m for spectrum in the 1800MHz band – an average increase of around 394%.

This is, however, around 29% lower than Ofcom’s previous proposal in October 2013, and reflects its updated analysis of the market value of the 800MHz and 2.6GHz spectra; international benchmark evidence; and calculations to convert lump-sum values into annual licence fees. The calculation also takes into account the anticipated co-existence costs in relation to avoiding unwanted interference with digital terrestrial television broadcast signals. The reduction from the last proposal is partly as a result of proposals made by certain of the MNOs (such as EE and H3G) as to calculation methods.

As part of the consultation, Ofcom has calculated what it believes to be the market values of the 800MHz and 2.6GHz spectra, and has valued spectrum within those bands at £32.63m/MHz and £5.5m/MHz (although it acknowledged that the latter figure may undervalue the spectrum band by up to £900k/MHz).

The closing date for response to the consultation is 26th September 2014.


In other news, Ofcom has also invited applications for new local television channels in a further seven locations: Aberdeen; Ayr; Carlisle; Dundee; Forth Valley; Inverness; and Stoke-on-Trent. Local television is currently broadcast in the same spectrum bands as the national channels, typically in the range between 470MHz and 790MHz (albeit, with the upcoming clearance exercise, channels at the top end of this range are intended to be moved to frequencies below 694MHz). These will join the other locations for which licences have been granted, being: Basingstoke; Belfast; Birmingham; Brighton & Hove; Bristol; Cambridge; Cardiff; Edinburgh; Glasgow; Grimsby; Guildford; London; Leeds; Liverpool; Manchester; Maidstone; Middlesbrough; Mold; Newcastle; Norwich; Nottingham; Oxford; Preston; Reading; Salisbury; Scarborough; Sheffield; Southampton; Swansea; and York.


Queen’s Speech 2014: Legislative change imminent

Posted on July 14th, 2014 by

The Queen’s Speech, setting out the government’s legislative plans for the forthcoming year, was given on 4 June 2014.


This year the Serious Crime Bill (the “Bill”) will be the measure that is of particular interest to the technology and IT industries. The Bill sets out proposed amendments to the Computer Misuse Act 1990 (“CMA”) which aim to ensure sentences for attacks on computer systems fully reflect the damage they cause.


The amendments to the CMA will:

  1. Create a new offence of unauthorised acts in relation to a computer causing, or creating risk of, serious damage (of various sorts).
    • Where such cyber-attacks result in (or give rise to a significant risk of): loss of life; serious illness or injury; or serious damage to national security, the maximum sentence for the new offence will be life imprisonment.
    • Where a cyber-attack causes or creates a significant risk of severe economic, social or environmental damage, the maximum sentence will be 14 years’ imprisonment.
  2. Implement Directive 2013/40/EU on attacks against information systems. European member states are required to implement this directive by 4 September 2015. Key changes to the CMA include:
    • criminalising the making, distribution or use of tools that are primarily designed to be used in hacking offences; and
    • providing a legal basis to prosecute a UK national who commits a CMA offence outside the UK. This will be true even where the offence has no link to the UK, provided it was also an offence in the country in which it took place.

The Bill had its second reading in the House of Lords on 16 June 2014 and is currently in the committee stage which will continue on 15 July 2014. Subject to its progress in parliament, the Serious Crime Bill is likely to come into force some time in 2015.


Ruled by Secrecy

Posted on July 9th, 2014 by

In 2010, the European Commission adopted a strategy for smart, sustainable and inclusive growth (Europe 2020) which requires strengthening knowledge and innovation as drivers of the Union’s economic growth.  In this context, in November 2013, the EU Commission submitted to the Council and the Parliament a draft directive on the protection of trade secrets.  Whilst it has yet to be discussed by the European Parliament the Council has recently given an opinion on the draft.

Recent studies by the Commission have highlighted the fragmented and diversified nature of the existing protection for trade secrets across the European Union and concluded that:

  • differences in trade secret protection can hinder cross-border research and development, and may place companies within the EU at a competitive disadvantage; and
  • harmonisation of the law in this area would improve conditions for businesses to develop, exchange and use information and know how.

The harmonisation process is intended to make it easier for national courts to deal with the misappropriation of confidential business information, to remove infringing products from the market, and make it easier for victims to receive compensation for illegal actions. All patents, designs and trade marks begin life as commercially sensitive information which is, until an intellectual property right is obtained, vulnerable to theft. As the rate of innovation tends to be greatest in small and medium sized businesses, start-ups, and those in the technology industry, these tend to be the organisations most at threat and therefore could be the ones to benefit most from an update to the law.

To facilitate harmonisation the draft directive introduces a common definition of trade secret; that is, information that:

  • is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
  • has commercial value because it is secret; and
  • has been subject to reasonable steps by the person lawfully in control of the information to keep it secret.

This is useful as it gives a common understanding across the European Union as to what should, as a minimum, be protected. As the definition of trade secret holder is fairly wide, being any person that lawfully controls a trade secret, this could arguably give licensees (as well as the ultimate ‘owners’ of the trade secret) a right to prevent and obtain redress for the unlawful use or disclosure of a trade secret. This is not generally the case with other intellectual property rights.

However, there are a number of issues with the directive which lead commentators to believe that it may not give the full protection to trade secrets which is enjoyed in relation to other intellectual property rights, for example, the lack of availability of measures for collecting evidence of illegal disclosure, acquisition, or use.

It seems that whilst this may be a step in the right direction the best advice is, in the wise words of Gandalf the Grey – “Keep it secret, keep it safe”.



Update: New Consumer Rights Regime in Europe – now in force

Posted on June 13th, 2014 by

Who needs to read this update?

The EU’s Consumer Rights Directive (CRD) applies to all businesses selling products, services and digital content to European consumers.

The CRD represents a major change in Europe’s consumer regulatory landscape, bringing changes that carry a significant compliance impact, especially for online businesses.

As of 13th June 2014, the new rules have been implemented into national law across all key European markets. In the UK, the rules have been implemented by the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 and the Consumer Rights (Payment Surcharges) Regulations 2012.

This briefing note gives an overview of the key changes and addresses some of the common challenges digital businesses face when assessing how to balance user experience with robust compliance under the new framework.


What are the top 10 changes I need to know about?

1. 14 day cooling off period: Customers can cancel an order without charge within 14 days of purchase (for services) or receipt of goods (for goods)

2. Special cancellation rules for digital content: The 14 day period won’t apply to digital content purchases, provided the seller fully complies with sometimes complicated information requirements

3. Ban on pre-ticked boxes: Additional services must not be pre-selected in the transaction process and extra costs must be transparent

4. Payment buttons: If clicking a button will oblige the customer to pay, the button must clearly indicate this (e.g. “Pay Now” but not “Order and Proceed”)

5. No excess payment surcharges: Charges for using credit cards and other payment methods must reflect real cost to seller

6. Pre- and post-contract information obligations: The rules include a new list of information to be provided on a “durable medium”, which now has a new definition

7. Information obligations now implied terms of contract: This means the contract may not bind the customer at all if you fail to fully comply (but the business will still be obliged to perform)

8. Model cancellation form: Must be made available, but will not restrict customers’ options for communicating their cancellation

9. Ban on premium rate customer service numbers: If you have a customer service phone line, it must charge no more than the basic call rate

10. Delivery restrictions & accepted payment methods must be indicated upfront: This information must be clear before the consumer is obliged to pay


What compliance challenges does the CRD present for digital businesses?

Experience so far shows that digital businesses are facing challenges when deciding how to comply with the new distance selling rules under the CRD, especially with regard to cancellation rights and refunds. Available guidance from national regulators has often not addressed the kinds of practical compliance measures online businesses must now implement.

As a “maximum harmonisation” Directive, in order to avoid country specific variances, the EU Commission was itself keen to publish unifying guidance applicable across the EU.  In background briefings during 2013 members of this firm were promised practical high level guidance would be made available.

Yet, at the 11th hour, it seems this is still yet to materialise.  A flurry of thoughts in February this year socialised some suggestions for a transparency model for digital sales which suggested the use of icons to inform consumers during internet and mobile sales. Perhaps the proposed use of iconography was too much for industry to bear? We can at least borrow some ideas for what “good” would look like from Germany (whose current rules the CRD is based upon).  What is clear is that online merchants face extremely convoluted new rules and scant examples of how to proceed.

For example, businesses selling digital items generally want to rely on the exception from the 14 day cooling off period for digital content. This ensures that they are not obliged to refund customers who may have used and enjoyed fully functioning digital products. However, in order for this exception to apply, the business must:

– obtain the customer’s express consent to the content being provided right away and acknowledgement that they will lose their right to cancel; and

– confirm that consent and acknowledgment, plus other mandatory information, in a durable medium within a reasonable time.

Implementing this in practice may be straightforward, or more complex, depending on factors affecting your customers’ user journey, such as whether your business controls the full transaction flow, whether you are using a bespoke or multi-vendor platform (such as a social media network) and how payments are made (e.g. cash, credit, virtual currency).


What happens if we don’t comply?

National regulators will be keen to set examples during 2014 and 2015, and businesses that fail to comply with the new requirements run the risk of:

– civil or sometimes criminal action, for serious breaches;

– negative PR and customer backlash;

– customers not having to pay for your products and services, whilst the business remains obliged to provide them; and

– questions around revenue recognition where non-compliance with the CRD potentially renders online sales voidable by customers for extended periods.


What should I do now?

Since the new rules are in force as of 13th June 2014, you should act fast to assess the impact on your business and update your compliance programme as necessary. For more guidance, please contact David Lewis or Sonal Patel.