• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

The Cloud and the impact of the Data Retention and Investigatory Powers Bill

On 15th July 2014, Parliament passed the Data Retention and Investigatory Powers Bill (DRIP) using a fast-track procedure.  The bill is highly unusual in that it is an emergency legislation that is being introduced without the normal scrutiny which accompanies most pieces of legislation.  DRIP is likely to have an impact for some business that provide or use cloud services.

Background  

DRIP concerns “communications data” - data that providers of telephone and Internet services have about their customers that shows the context of a call or Internet usage. Communications data can show who was communicating and with whom, the time and duration of a communication, the phones number or email addresses, and the location of the device, but not the content of the communication.

Mandatory requirements for the retention of communications data have previously been covered in the UK by the Data Retention (EC Directive) Regulations 2009 (2009 Regulations), which require certain providers to retain communications data for 12 months to help prevent, detect and prosecute crime. The 2009 Regulations implemented the Data Retention Directive 2006/24/EC (Data Retention Directive) which requires retention of communications data for between six and 24 months.

On 8 April 2014 the European Court of Justice (ECJ) handed down a decision in the joined cases Digital Rights Ireland Ltd (C-293/12) and Seitlinger (C‑594/12), where the court was asked to examine the validity of the Data Retention Directive. 

The ECJ noted that the retained data made it possible to know with whom the user has communicated and by what means.  It included the time, place and frequency of communications, which taken together provide precise information about a person’s private life, such as habits, place of residence, and relationships. This seriously interfered with the fundamental rights to privacy and to the protection of personal data enshrined in other parts of EU legislation.

The ECJ noted that the retention does satisfy an objective of general interest, namely the fight against serious crime and public security but the Data Retention Directive is, nevertheless, not proportionate, as the interference is not sufficiently constrained to be limited to what is strictly necessary

As the retention was not proportionate and therefore not justified, the court declared the Directive Retention Directive invalid.

Impact for the Cloud: Following the ECJ’s decision many cloud providers expressed confusion about the law, including whether they were obligated to delete data they had thus far been obligated to maintain. Cloud providers that operate in the UK but are based elsewhere, also expressed confusion about what rules apply to them.

The New DRIP Legislation 

In the wake of the ECJ decision and the reaction it prompted, the Government saw an urgent need to legislate in order to clarify the legislative framework for data retention.  It justified the fast-track legislation as necessary to protect the public on grounds that retained communication data is vital to law enforcement. 

DRIP has two distinct parts:

  • Part one - the retention of relevant communications data; and
  • Part two – the clarification of investigatory powers and the reach of the Regulation of Investigatory Powers Act 2000 (RIPA).

DRIP also includes a sunset clause whereby it will be repealed on 31 December 2016 such that it is up to the next Government to consider the questions again.

To strengthen transparency and oversight a ‘Privacy and Civil Liberties Oversight Board’ will be established to advise the government in the formulation of government policy, and an annual transparency report that will list the number and type of requests made to service providers under the legislation will also be published.

Part One - Retention of Relevant Communications Data

Under DRIP, certain cloud service providers may be given notice by the Secretary of State to require them to retain such data.  The data types to which this applies include Internet access, Internet e-mail or Internet telephony. These are the same as under the 2009 Regulations.

The notice must be necessary and proportionate and for a purpose specified in RIPA, including national security; preventing or detecting crime or preventing disorder or by an order by the Secretary of State.  A retention notice can specify the period for which data is to be retained, and may require the retention of all data or only specific data. 

DRIP also specifies that regulations relating to the retention of data, to replace the 2009 Regulations, may be introduced.  These may include:

  • security measures to protect the data retained;
  • a code of best practices; and
  • reimbursement of expenses incurred in complying with the requirements.

The maximum retention period under the new regulations will be 12 months.

DRIP v Data Retention Directive

Although much of DRIP does appear to reinstate the 2009 Regulations there are some differences. 

DRIP amends the RIPA definition of “telecommunications service.”  The previous definition was:

any service that consists in the provision of access to, and of facilities for making use of, a telecommunications system.

Whereas the new one includes:

any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.

The Government has indicated that clarifying the definition ensures that Internet-based services, such as webmail, are included. 

Other differences include:

  • a need to consider necessity and proportionality before issuing a retention notice;
  • the maximum retention period is 12 months (but the period may be shorter if it is not necessary or proportionate to keep it longer);
  • data retention is limited to the list of data types;
  • access to retained data require requests under RIPA or a court order; and
  • data security requirements.

The Government maintains that the measures are in pursuit of a legitimate aim and proportionate to that aim. Nevertheless, the data retention appears to still generally cover most individuals, means of electronic communication and data without differentiation.  It remains to be seen whether the safeguards are sufficient.

Part Two - Investigatory Powers

DRIP also addresses the authorities’ ability to carry out so-called legal intercept, such as monitoring and listening to phone calls and other communications, which are currently governed by RIPA.

DRIP provides that RIPA applies to non-UK companies that provide communications services to the UK public. DRIP specifies that a capability maintenance notice may be issued for a service provider based outside the UK or for conduct outside the UK.  Similarly, a warrant or communication data acquisition notice may relate to conduct outside the UK, and may be given to a person outside the UK. DRIP also offers details on how to serve a warrant on a person based outside the UK to make them subject to the relevant obligation.

Although the Government refers to the provision related to extra-territorial application of RIPA as a clarification it seems clear that it broadens the scope of the legislation.

Impact for the Cloud: The scope of providers captured by retention obligations by DRIP has expanded and more cloud providers are likely to find themselves within the remit of the DRIP obligations.  In addition, there are additional levels of complexity to the operation and management of retention obligations as imposed by DRIP.  Those providing or using cloud services which fall within the ambit of DRIP will need to be aware that they may be required to retain data, or the rules under which their data may be retained and disclosed.

For further information, please contact Andrew Joint - Commercial Technology Partner