
The UK government's new innovative finance ISA

The UK Government is to introduce the Innovative Finance ISA (‘IFISA’), which will allow an investor to hold within a tax-free ISA wrapper the payments made by a borrower under a loan facilitated by an authorised P2P platform. An individual will be able to lend up to the ISA allowance threshold (currently £15,240). Lucy Frew and Chris Boylan discuss the IFISA.

The IFISA is brought into being through an amendment to the Individual Savings Account Regulations 1998[1]. The RAO[2] will also be amended to make advising on P2P agreements a regulated activity (RAO article 53(2)). The new IFISA and the new regulated activity necessitate a number of changes to the FCA’s rules and guidance, with the FCA due to publish a policy statement making final rules in March, in time for the IFISA’s launch on 6 April 2016.

The new IFISA will not be extended to include equity crowd funding investments - a type of investment that is often seen as similar to, but is in fact very different to, P2P lending. The loans that are eligible for IFISA inclusion are loan-based crowd funding (‘LBC’) investments, specifically ‘Article 36H agreements’ as defined at Article 36H(4) of the RAO, usually referred to as P2P loans. Broadly speaking, an Article 36H agreement is an agreement between a borrower and a lender by which the lender provides the borrower with credit and either: (i) the lender is an individual; or (ii) the borrower is an individual and the loan is £25,000 or lower and the agreement is not entered into by the borrower wholly or predominantly for the purposes of the borrower’s business. An individual will be able to set up an IFISA via an FCA-authorised P2P platform. Firms operating regulated P2P platforms carry on the activity of ‘operating an electronic system in relation to lending’ as specified in Article 36H of the RAO.

Current regulatory regime

The FCA took over responsibility from the Office of Fair Trading for regulating firms that operate LBC lending platforms on 1 April 2014. Individuals can use these platforms to lend money to other individuals or businesses, or businesses can use them to lend to individuals, in the hope of receiving a financial return in the form of interest payments together with repayment of capital. The FCA does not regulate donation-based crowd funding, or firms when they operate platforms that facilitate corporate-to-corporate loans falling outside the scope of an Article 36H agreement. In 2014 the FCA introduced rules and guidance to protect consumers investing in the regulated part of the LBC market. For LBC, these provisions focus on requiring that certain information is provided to consumers. The aim is to ensure that consumers are given the information they need to assess the risks of LBC, understand who will ultimately borrow the money invested, and make informed decisions. Firms operating regulated LBC platforms must also follow other core consumer protection requirements in the FCA Handbook: for example, client money must be protected and firms must meet minimum capital standards. The FCA also requires firms operating these platforms to have resolution plans in place so that, should the firm operating the platform collapse, loan repayments under P2P agreements will continue to be collected and those lending money do not lose out.

New regulatory regime

To reflect the introduction of the IFISA, and the fact that providing advice on investing in P2P agreements will be a regulated activity, the FCA is amending certain definitions, adding guidance, and extending the application of certain provisions in the FCA Handbook. The FCA published a Discussion Paper (DP15/6) in November 2015 and a Consultation Paper (CP16/5) in February 2016 outlining the proposed changes to the FCA Handbook to incorporate the new IFISA and the new FCA-regulated activity of advising on P2P agreements. In particular, the FCA will:

  • Add guidance on existing disclosure rules to clarify what information firms should disclose in relation to IFISAs. This guidance requires firms to disclose details about the potential tax disadvantages arising if a consumer invests in a P2P agreement, held in an IFISA, which is not repaid. Firms should also disclose the potential tax disadvantages if the firm operating the platform fails as well as the procedure applying, tax consequences arising, and timeframes if an investor wants to cash in a P2P agreement held in an IFISA wrapper. Firms should also explain the procedure for transferring some or all of the P2P agreements held in an IFISA wrapper from one ISA manager to another and how long this may be expected to take.
  • Apply FCA rules on suitability to firms making personal recommendations in relation to P2P agreements. The FCA will treat advice to invest in P2P agreements in broadly the same way as other regulated advice. The new activity will be included within the definition of ‘advising on investments’ and added to the list of ‘designated investment business.’
  • Apply rules that ban the payment or receipt of commission by firms in relation to personal recommendations involving advice on P2P agreements. The FCA will make advice provided to retail clients in relation to investment in P2P agreements subject to the rules that ban the payment or receipt of commission for personal recommendations, and the rule on inducements. As is the case when advising on other investments, advisers will need to have a charging model for advice in relation to P2P agreements that does not rely on the payment of commission. The commission ban will apply only to personal recommendations to invest in P2P agreements. It is not extended to other situations, such as unadvised sales arranged on aggregator websites via firms who do not provide regulated advice.
  • Ensure that financial advisers who advise on P2P agreements are appropriately supervised and assessed as competent to carry out that activity (including attaining an appropriate qualification). The FCA will not require advisers to hold qualifications specific to this type of business.
  • Provide consumers who receive advice on P2P agreements with access to the Financial Ombudsman Service and Financial Services Compensation Scheme (‘FSCS’).

The FCA is not currently proposing that firms holding themselves out as independent should be obliged to consider P2P agreements when recommending retail investment products, but it may review this approach in future. Provisions in the FCA Handbook that apply to ISAs generally, such as the rules on a consumer’s cancellation rights and on client money, will apply to IFISAs in the same way as they apply to stocks and shares ISAs. The effect of the cancellation rules will differ depending on the nature of the firm’s business model and on whether the investment is a distance contract or a non-distance contract. Firms that recommend investments to clients are generally required to meet minimum capital resources requirements and, in some cases, to hold a minimum level of professional indemnity insurance. Firms that advise on P2P agreements will be subject to these requirements in the same way. The rules will be changed to ensure that firms given permission to advise on P2P agreements, if already authorised, remain subject to the same prudential sourcebook when calculating their prudential requirements. Firms that only wish to advise on P2P agreements will be treated as personal investment firms and will be subject to the rules in IPRU (INV).

Impact on firms

All firms now need to assess their regulatory status to determine whether they need to become authorised or to extend their existing authorisation, and how the changes to the FCA rules affect their business models. Firms with permission to carry on the current RAO Article 53 activity of ‘advising on investments’ will be treated as having that permission automatically varied, with effect from 6 April 2016. From that date, such firms’ permissions will be varied to include both the activity of ‘advising on investments’ (recast as the RAO Article 53(1) activity) and the new RAO Article 53(2) activity of ‘advising on Article 36H agreements’ (except where a firm is not lawfully able to carry on the new activity). This change will be displayed on the Financial Services Register, so firms affected by this variation will not need to take any action. It will also be possible for a firm to provide advice on P2P agreements by becoming an appointed representative of an authorised firm with the appropriate permissions. Firms without an existing permission to advise on investments for the purposes of Article 53 of the RAO that want to provide regulated advice on P2P agreements from 6 April 2016 will need to apply for permission to carry on the new Article 53(2) activity. Firms that are currently operating an LBC platform on an interim permission from the FCA, pending the FCA’s consideration of their application for full authorisation, will not be able to offer the new IFISA until they are fully authorised by the FCA.

Future developments

The inclusion of P2P lending in the IFISA, and the associated tax break, is likely to accelerate growth in the P2P lending sector. According to the P2P Finance Association, the P2P lending market has doubled over the past year, with cumulative lending of £4.4 billion in the last quarter of 2015 compared with £2.2 billion in the same period of 2014. However, there is inherent risk involved. With so many new entrants, it is the firms that can set themselves apart with the right customer offering and level of security that will rise quickest to the top.

For further information, please contact Chris Boylan or Lucy Frew.

This article was originally featured in the E-Finance & Payments Law & Policy March newsletter. 

[1] Statutory Instrument 2015/TBC Individual Savings Account (Amendment No.2) Regulations 2016.

[2] Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544) (‘RAO’).


Data Privacy, Brexit and a British Bill of Rights

The possibility of the United Kingdom leaving the EU, colloquially known as a Brexit, or replacing the Human Rights Act 1998 with a British Bill of Rights has generated many pages of newsprint and interesting academic debate about the constitutional impact. At the same time, the EU’s proposal for a General Data Protection Regulation (“GDPR”) is finally beginning to emerge from its legislative cocoon, but with a two-year implementation timetable the GDPR will not apply until 2018. How would these potential constitutional changes affect the regulatory landscape for data protection and privacy in the UK?

There is an array of scenarios in which these changes could play out, with various different types of Brexit mooted, and there would most likely be lengthy transitional arrangements. Following the UK government’s agreement with the EU Commission for certain reforms, the Conservative government is following its manifesto commitment to put the United Kingdom’s continued membership of the EU to a public vote, with a referendum scheduled for 23 June this year. On the other hand, the government’s plans for a British Bill of Rights to replace the HRA have been delayed due to the complexity of untangling the constitutional knot[1].

In this article, we consider the possible impact for data protection and privacy in the UK, taking into account some of the various permutations in which a Brexit or British Bill of Rights could come about.


The precise form of Brexit would have a big impact on how the UK legislative landscape will change. The Data Protection Directive 95/46/EC (the “Directive”) and the E-Privacy Directive 2002/58/EC were implemented as UK law by the Data Protection Act 1998 (“DPA”) and PECR[2], and so their status in the UK as binding legislation would presumably be unaffected by a Brexit. The UK government would need to consider how EU case law is treated, but could be free to revisit the DPA and PECR and propose changes which differ from the respective Directives.

Following the Lisbon Treaty, the Charter of Fundamental Rights of the European Union (the “Charter”) has been part of EU law and binds member state national governments[3]. Article 8 of the Charter provides that everyone has the right to the protection of personal data concerning them, requires that such data be processed fairly for specified purposes and on the basis of consent or some other legitimate basis laid down by law, and confers a right of access and a right to rectification. A Brexit is likely to break the link between the UK and these fundamental rights, including the right to protection of personal data. It will be interesting to see how this might unfold, as the status of data protection as a fundamental right has been important in some recent court decisions.

The Data Protection Directive and the GDPR both include restrictions on transfers of personal data outside the EEA, which can only be made if certain conditions are fulfilled. One possible Brexit scenario is that the UK becomes a member of the EEA, like Norway and the other members of the European Free Trade Association (EFTA) that are party to the EEA Agreement. These countries are obliged to adopt certain EU legislation (including in relation to data protection), so in this scenario the UK would be required to comply with the Directive and the GDPR.

Alternatively, if the UK does not join the EEA following a Brexit, it may consider applying to the European Commission to be added to the white list of countries providing adequate protection of personal data. This could be granted on a temporary basis as part of transitional arrangements, but a permanent white-listing would not necessarily be a formality given GCHQ’s role in the PRISM allegations and other criticisms of the UK’s implementation of the Directive[4] as well as the effect of any potential UK legislative reforms such as the Investigatory Powers Bill.

If EEA membership or a whitelist adequacy finding are not achieved, then the UK could seek to agree an arrangement along the lines of the “Safe Harbor” and “Privacy Shield” deals agreed between the EU and the US. Pending any such arrangement, UK businesses would need to follow one of the other compliance routes to enable lawful transfers of personal data from the EU to the UK, such as entering into Standard Contractual Clauses with the European provider of personal data; implementing binding corporate rules; or ensuring the European provider of personal data has obtained the consent of the data subject to the transfer.

The timescales involved in a potential negotiated exit from the EU and the implementation of the GDPR are unclear, but there is a chance that the GDPR will have become live before the UK in fact leaves the EU. In the interim period between any final decision being taken to leave the EU and before the UK actually leaves, would the UK be bound by new EU regulations or required to implement EU directives?

In any case, following the implementation of the GDPR by the EU, a Brexit may have little impact on data protection in a post-Brexit UK due to the extra-territoriality requirements of the GDPR. British firms offering goods or services to EU residents or monitoring their behaviour will need to comply with the GDPR, regardless of whether the British firm is based in the EU. British firms, outside the EU, would need to examine their customer base to assess the extent to which they are required to comply with the GDPR.

There may, however, be increased compliance costs for British firms and firms wishing to trade in Britain, as they would be regulated by both the ICO in the UK and a lead regulator in an EU member state under the “one-stop-shop” approach. This is still an improvement on the current situation, where firms must deal with the regulator in each of the member states in which the firm is established or processes personal data. However, if the UK adopts the GDPR, then the ICO could be the lead regulator for British firms.

British Bill of Rights

At the moment, the content of any British Bill of Rights is a matter of speculation. However, Article 8 of the European Convention on Human Rights (right to respect for private and family life), as given effect in UK law by the Human Rights Act 1998, is a likely candidate for amendment, given that the UK government has had a number of recent clashes with the courts over it, in particular in relation to the hastily enacted (and soon to expire) Data Retention and Investigatory Powers Act 2014[5].

The HRA and the Data Protection Directive both have their origins in the European Convention on Human Rights (“ECHR”). Article 8 concerns respect for privacy rather than data protection as such, but the two frameworks are mutually supportive. We first examine the relationship between the HRA as it stands and the DPA before looking at the potential consequences of a move to a British Bill of Rights.

Article 8 (right to respect for private and family life)

The Article 8 right is a qualified right, which means that interference by a public authority is only permitted where in accordance with law and necessary in a democratic society for specified purposes (e.g. national security, public health and prevention of crime). The Data Protection Act 1998 sets out certain circumstances where personal information may be processed (by private entities as well as public authorities).


Article 8 requires that any interference by a public authority in an individual’s right to privacy must be lawful. This corresponds with the lawfulness requirements in:

  • Principle 1 of the DPA: processing of personal data must be fair, lawful and satisfy one of the Schedule 2 conditions and, in the case of sensitive personal data, one of the Schedule 3 conditions;
  • Principle 2 of the DPA: processing of personal data must be for specified and lawful purposes; and
  • Principle 7 of the DPA: data controllers must protect personal data against unauthorised and unlawful access.

Necessary in a democratic society

Many of the Schedule 2 and 3 conditions include a necessity test, as does Principle 5 which requires that personal data processed for any purpose “shall not be kept for longer than is necessary for that purpose”. The courts have interpreted the DPA necessity test as analogous to the necessity test in the HRA[6]. If a public authority is retaining personal data longer than is necessary for the specified, lawful purpose, then (where this concerns an individual’s privacy) this may not be a justifiable interference in the individual’s privacy.

The European Court of Human Rights (“ECtHR”) assesses “necessity” by reference to whether there is a pressing social need for any interference with a right and whether that interference is proportionate. It will also look at any safeguards that have been put in place[7]. Similarly, when assessing necessity under the DPA, the proportionality, safeguards and justification will be examined by the courts.

Article 10 (freedom of expression)

The obverse of the right to privacy granted by Article 8 is the right to freedom of expression granted by Article 10. This right applies to everyone, and is again a qualified right subject to the same lawfulness and necessity tests for any interference.

Principle 1 of the DPA permits data controllers to process personal data where the processing is fair and lawful (see above) and satisfies a Schedule 2 condition and, in the case of sensitive personal data, a Schedule 3 condition. For ordinary (non-sensitive) personal data, one such Schedule 2 condition is that the processing is necessary for the legitimate interests of the data controller or of the third party to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights, freedoms or legitimate interests of the data subject. This restriction on the ability of data controllers to process personal data reflects the HRA requirement that any interference must be necessary in a democratic society, i.e. that individuals should be protected from unwarranted prejudice to their rights, freedoms and legitimate interests.

The DPA sets out situations which limit freedom of expression, imposing conditions on the processing (including dissemination) of personal data, and the DPA itself is subject to Articles 8 and 10. In addition, the Information Commissioner’s Office is a public authority for the purposes of the HRA, so must act in a manner compatible with the ECHR, including when interpreting and enforcing legislation.

Potential consequences

A British Bill of Rights is likely to break the link between the DPA and the ECHR rights. The UK courts’ interpretation of “necessary” may therefore change to depart from the ECtHR’s interpretation. The HRA and ECHR currently treat public and private bodies differently, as the balance is weighted in favour of private rights and freedoms.

Repealing the HRA would give the UK government greater scope to amend data protection laws and to introduce data retention and investigation laws without the possibility of a court ruling that they are incompatible with rights under ECHR.

Article 6 of the Treaty on European Union, as amended by the Lisbon Treaty, commits the EU to accede to the ECHR and recognises the Convention rights as general principles of EU law[8], although accession itself has not yet been completed. Within the scope of EU law, the Convention rights therefore also bind the UK, and repeal of the HRA is likely to affect the UK’s relationship with the EU. On the other side of the coin, a Brexit may facilitate the UK’s withdrawal from the ECHR by removing one of the barriers.


The GDPR will remain the centre of attention for data protection lawyers for the foreseeable future, but there could be changes to the regulatory landscape in the UK as a result of a Brexit or a British Bill of Rights. However, given the extra-territoriality of the GDPR’s requirements, British firms which trade with the EU are likely to be caught by the GDPR and so the effect of a Brexit on UK business may be limited.

The British state is less likely to be caught by the GDPR, so the main outcome of a Brexit or British Bill of Rights would be to increase the powers of the state to process, retain and monitor the data generated by its citizens.

For further information please contact Nicola Fulford, Michael Butterworth or James Leaton Gray.

[2] The Privacy and Electronic Communications (EC Directive) Regulations 2003

[3] Article 6, Treaty on European Union

[4] See European Commission press release IP/10/811 at http://europa.eu/rapid/press-release_IP-10-811_en.htm

[5] R (on the application of David Davis MP and Tom Watson MP) v Secretary of State for the Home Department [2015] EWHC 2092 (Admin)

[6] The Information Commissioner v Southampton City Council EA/2012/0171

[8] Article 6, Treaty on European Union


EU reforms law on Community Trade Marks

Trade marks in the European Union recently underwent their most significant reform since the EU harmonized trade mark laws within its borders some twenty years ago.  During that period, the EU’s unitary Community Trade Mark (CTM) system, administered by the Office for Harmonization in the Internal Market (OHIM), has enabled the registration of a single trade mark to cover all 28 EU Member States. 

EU Trade Mark Regulation 2015/2424 (the Regulation)[1] came into force on 23 March 2016 throughout the Single Market with a number of reforms to the CTM system.  The Regulation introduces a wide range of changes, but this article focuses on those with key commercial implications for businesses with European trade marks.

New names for the CTM and OHIM

A CTM is now known as a European Union Trade Mark (EUTM); OHIM is now known as the European Union Intellectual Property Office (EUIPO).  These amendments bring European trade mark terminology into line with the changes to EU nomenclature introduced by the Treaty of Lisbon that removed all references to the European ‘Community’.  If you are the proprietor of a European trade mark, then you will need to ensure that both you and your finance team are familiar with the new names.

Broader European trade mark definition from 1 October 2017

The very definition of a European trade mark has been updated with effect from 1 October 2017.  Previously, in order to be registered, a CTM had to be a sign capable of being “represented graphically”, but this will no longer apply to an application for an EUTM once this amendment comes into force.  Instead, an EUTM will have to be a sign capable of representation “in a manner which enables the competent authorities and the public to determine the clear and precise subject matter of the protection afforded to its proprietor”.[2]  In addition, sound and colour signs are now specifically listed as examples of suitable marks in the Regulation itself.

The rationale behind the outgoing test of graphical representation was that, if a trade mark proprietor is to be granted a registered monopoly right, it is only fair that the scope of the monopoly right is clear and made publicly available to avoid inadvertent infringement by third parties.  In the early 1990s, graphical representation was seen as the best way of recording a sign unambiguously for deposit on a public register.  But in the Internet age there are other means of achieving this end in a consistent and accessible manner, for example, by uploading to the public register an electronic sound or video file.

In theory, this reform will broaden the scope of signs that it is possible to register as a trade mark.  In practice, however, this reform may prove to be more of a legislative update to reflect evolving practice at the EUIPO.  For example, Metro‑Goldwyn‑Mayer Studios’ application to register its familiar lion’s roar as a trade mark, by providing a spectrogram and verbal description, was initially refused by the OHIM for a lack of certainty; however, a further application in 2008 was then granted by the OHIM when the spectrogram and description were accompanied by an .mp3 file.[3]

The express approval of non-graphical signs provided by this reform is thus likely to increase the number of applications and registrations for sound and video marks, but it remains to be seen whether there will also be more applications and registrations of even more untraditional marks.  For example, it will likely remain very difficult to register scent marks because such marks are inherently difficult to record clearly and precisely.  Scents will always be perceived very personally and subjectively by each individual, and there remains a lack of technology to record them in a sufficiently “clear and precise” manner to satisfy even the updated definition of a trade mark.

Class headings only in your mark’s specification?  Take action by 24 September 2016

In order to register an EUTM, it is necessary to specify certain goods and services for which the mark will be used.  Since the Nice Agreement of 1957, these goods and services have been recognised internationally as being divided into 45 classes.  Before 22 June 2012 it was possible to register a trade mark to cover an entire class of goods or services by the shortcut of simply including only the words of the class heading itself in the specification for the trade mark application.  For example, Class 38 “Telecommunications” would cover services for telephone, television broadcasting and radio (among many other more specific sub-classes). 

But the judgment in the IP Translator case (C‑307/10) ruled that any such application after that date would only cover the literal wording of the class heading itself and not any of the more specific sub-classes within that class as well.  The Regulation has now put the IP Translator judgment on a statutory footing and, more importantly, the Regulation will also apply the ruling to trade marks registered before 22 June 2012, which were previously exempt.[4]

In light of this amendment, if you have a CTM registered before 22 June 2012 for only the words of an entire class heading, you need to file a declaration at the EUIPO by no later than 24 September 2016 if you do, in fact, wish your trade mark to also cover more specific goods or services within that class.  Otherwise, your mark will be deemed to be limited to only the literal wording of the class heading.

Official fees

The OHIM previously charged a flat-rate official filing fee of €900 for registration in up to three classes, with a further official filing fee of €150 per additional class.  The EUIPO no longer offers a flat-rate system for filing in three classes.  Instead, the new official filing fees are €850 for one class, €900 for two classes and €1,050 for three.  An additional €150 remains payable for the fourth and every subsequent class.  Overall, the official filing fees are therefore slightly more expensive and only applicants for protection in a single class will see a reduction from this change. 

Conversely, official renewal fees have been reduced slightly for trade marks with registrations in fewer than four classes.  Previously, a renewal fee of €1,350 covered up to three classes.  The new renewal fee structure is €850 for one class, €900 for two classes, €1,050 for three classes and an additional €400 for every further class.  Official fees for opposition, invalidity, revocation or appeal proceedings have also been slightly reduced across the board.

Additional reforms

Further amendments of particular commercial interest include:

  • Absolute grounds of refusal – it has long been the case that CTM applications have been refused when the sign is a 3D shape[5] that:
    1. exclusively arises from the nature of the goods;
    2. is necessary to obtain a technical result; or
    3. gives substantial value to the goods.

This was seen as being unfairly and illogically restricted to signs with a 3D shape as a characteristic, so these prohibitions have been extended to all characteristics of a sign, not just its shape.[6]  For example, if a sign’s colour, sound or smell fulfilled one of the above criteria, it would now also be prohibited.  This restriction is also a sensible limitation given the updated broader definition of a trade mark (see above).  It remains to be seen how often this restriction will apply in practice—in many cases, the sign would already not be registrable as a mark because of a lack of distinctiveness.

  • Company names – it is now expressly set out in the Regulation that only natural persons and not companies may benefit from the ‘own name’ defence (for example, where an individual named ‘John Lewis’ trading under his own name may have a defence to an infringement action brought by the popular retailer).[7]  In addition, using a registered trade mark as a company name is now in itself expressly an infringement.[8]  These amendments emphasise the importance of proper searches when choosing a company name.
  • New infringing acts – the Regulation introduces new infringing acts to close some gaps in the existing law.  Certain preparatory acts, such as affixing infringing signs to packaging, labels or tags is now in itself an infringing act.[9]  Further, a trade mark owner may now take action against goods in transit containing an infringing sign that merely pass through the EU and are not released into circulation there.[10]
  • Challenges for non-use – existing EUTMs or national marks may be relied upon by their owners to oppose the registration of new trade mark applications in opposition proceedings.  As part of opposition proceedings, the trade mark applicant may challenge the opponent’s existing mark for a lack of genuine use and require the opponent to provide proof of use, but only if the EUTM has been registered for five or more years.  The Regulation has amended the date for calculating the five-year period, which will now be calculated from the existing trade mark’s date of filing or priority rather than its date of publication in the Official Journal kept by the EUIPO.  As the date of filing is usually earlier than the date of publication by a few months, this means that, in future opposition proceedings, there will be some instances of trade mark owners who will have to show proof of genuine use, who would have still been within the five-year immunity period under the old law.[11]
  • Certification and guarantee marks – the Regulation provides for a framework whereby a quality certification body for goods or services based in the EU, e.g., the British Standards Institute, may obtain an EU ‘certification mark’ for its symbols of quality that are affixed to products meeting those quality standards.[12]  This change will first take effect from 1 October 2017 and will be highly relevant to all certification bodies based in the EU.  Under the Regulation, anyone can set up such a certification body and obtain an EU certification mark by applying to the EUIPO with a proposed sign and set of proposed regulations, provided that they do not themselves supply the goods or services in question.

There are a number of further changes introduced by the Regulation that are outside the scope of this article, but which may be relevant to proprietors of EUTMs.  If you are the proprietor of an EUTM, we recommend that you speak with your legal advisers to determine how the reforms will specifically affect you—Kemp Little’s brand experts would be happy to assist.

Harmonization of Member States’ national trade mark laws to come

The EU also passed Trade Mark Directive 2015/2436 (the Directive) at the same time as the Regulation to ensure harmonization of Member States’ national trade mark laws across the EU.  Member States have another three years to implement the Directive. 

Unless Brexit happens this summer, we will wait to see when the UK Government will implement the Directive and how closely the legislative reforms to UK trade marks will align with the reforms to EUTMs.

For more information, please contact Nick Allan.

[1] Accessible at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2015:341:TOC in the Official Journal of the European Union, L 341, 24 December 2015.

[2] Article 1(8) of the Regulation, amending Article 4 of Regulation (EC) No 207/2009 (the CTM Regulation).

[3] Registered number EUTM 005170113.

[4] Article 1(28) of the Regulation, amending Article 28 of the CTM Regulation.

[5] For an example of a successful shape EUTM, see Toblerone’s chocolate prism packaging with registered number EUTM 000031203.

[6] Article 1(9) of the Regulation, amending Article 7(1) of the CTM Regulation.

[7] Article 1(13) of the Regulation, amending Article 12 of the CTM Regulation.

[8] Article 1(11) of the Regulation, amending Article 9 of the CTM Regulation.

[9] Article 1(12) of the Regulation, inserting new Article 9a into the CTM Regulation.

[10] Article 1(11) of the Regulation, amending Article 9 of the CTM Regulation.

[11] Article 1(40) of the Regulation, amending Article 42(2) of the CTM Regulation.

[12] Article 1(67) of the Regulation, inserting new Section 2 into Title VIII of the CTM Regulation.

EU consumer ODR platform launches - is your business ready?

The official Online Dispute Resolution website (the ODR Platform) of the European Commission (EC) went live on 15 February 2016 at http://ec.europa.eu/consumers/odr.  The ODR Platform is intended to provide EU consumers and traders with a “simple, efficient, fast and low-cost” platform for settling disputes without going to court, according to the establishing EU 2013 Regulation on online dispute resolution for consumer disputes (the ODR Regulation).  The ODR Platform does not itself resolve disputes, but it provides an online platform to link consumers and traders with competent Alternative Dispute Resolution (ADR) providers in the relevant sector.  The EC hopes that this will increase the confidence of both consumers and traders to participate in online cross‑border sales of goods and services within the European Union.

The ODR Platform is relevant to all traders based in an EU Member State who provide online goods or services to consumers also based in an EU Member State.  There does not need to be a cross‑border element.  Online marketplaces are also affected.

If your business is within the ODR Platform’s scope, you will need to comply with new information requirements and be prepared to deal with consumers who want to use the ODR Platform to resolve any disputes they have with you.  Non-compliance following 15 February 2016 could lead to enforcement action.


The ODR Regulation was passed along with the EU Directive on consumer ADR (the ADR Directive). The ADR Directive, implemented into UK law by three statutory instruments, requires each EU Member State to appoint a competent authority for each market sector (such as financial services, telecoms, gambling or energy) to regulate and ensure the quality of the ADR providers in its sector.  In addition, the ADR Directive provides that each EU Member State shall facilitate the establishment of ADR providers in each market sector and maintain a list of those providers.

According to the ODR Regulation, the time for compliance by both Member States and affected online traders was 9 January 2016.  Nevertheless, the EC delayed the launch of the ODR Platform until 15 February 2016, to give certain Member States additional time to comply.  The UK’s Department for Business, Innovation & Skills (BIS) has confirmed, however, that no enforcement action against traders will take place for non-compliance before the ODR Platform went live. 

New website and email information requirements

As a result of the ODR Regulation, traders within the scope of the ODR Platform must include on their websites:

  • an easily accessible hyperlink to the ODR Platform; and
  • an email address to act as a first point of contact for resolving disputes.

BIS suggests that “a logical place” for the link and email address “would be alongside existing complaints procedure information on a trader’s website”.

Traders who are required by legislation, a trade membership or contract to use an approved ADR provider have additional information requirements.  These traders must, in addition to the above information requirements, also:

  • inform consumers of the existence of the ODR Platform and the possibility of using it alongside any existing information about ADR providers;
  • include a link to the ODR Platform in any email offering goods or services; and
  • include the above information in their general terms and conditions.

Examples of traders to whom the additional information requirements apply would include gambling operators or telco companies under licensing requirements from the Gambling Commission or Ofcom respectively.

The ODR Regulation will be enforced in the UK by the Trading Standards Institute, using court orders.  The maximum penalty for non-compliance with such a court order is an unlimited fine or two years’ imprisonment or both.  In practice, BIS has said that the Trading Standards Institute would seek to work with the trader, in the first instance, to ensure it understands the ODR Platform’s requirements.

How the ODR Platform works

As mentioned above, the ODR Platform is a website run by the EC that links EU consumers and traders with an appropriate ADR provider to settle disputes.  The EC and the ODR Platform do not themselves adjudicate individual complaints from consumers against traders.

The process for a consumer to bring an ADR complaint against an online trader through the ODR Platform is as follows:

  1. Submit a complaint.  The consumer first fills in an online complaint form on the ODR Platform.  Compared with a traditional claim form for court proceedings, the ODR Platform’s form is straightforward with questions and drop-down boxes.  The platform then sends the complaint form to the trader.  The ODR Platform only permits a nominal charge to the consumer, but the trader may have to pay a more substantial fee to the ADR provider if the trader wants to engage in the process.
  2. Choose an ADR provider.  Once the trader has received the complaint, the consumer and trader have 30 days to agree on an ADR provider to resolve the complaint.  The rules and procedure, and even whether the decision is binding, will depend on the ADR provider chosen.  The ODR Platform will provide the consumer and trader with a list of ADR providers relevant to the market sector and Member States concerned.  If agreement on an ADR provider cannot be reached within 30 days, the ODR Platform process fails and the consumer must consider a different dispute resolution option.
  3. Follow the process with the ADR provider.  The ODR Platform will automatically send the complaint to the chosen ADR entity, which must decide within three weeks whether it is competent to decide the complaint.  Once the ADR provider has agreed to hear the dispute, the procedure will then depend on the ADR entity and the form of ADR chosen (such as online mediation or arbitration).  The process must be conducted entirely online through the ODR Platform or through the ADR provider’s own process, unless both parties agree to an offline process.  The ODR Platform also includes an online translation tool for all EU languages to assist in resolving cross-border disputes.
  4. Outcome of the ADR process.  The ADR provider has 90 days to reach a decision on the complaint, unless the case is “highly complex”. This timeframe compares favourably with traditional offline litigation, even in the small claims court.  Regardless of whether the ADR process is conducted through the ODR Platform, offline or through the ADR provider’s online system, the decision will still be communicated to the consumer and the trader through the ODR Platform.

Neither the consumer nor the trader can be forced to use the ODR Platform or engage in the ADR process, although the information requirements about the ODR Platform set out above are mandatory for traders.  The ADR Directive confirms that an agreement between a consumer and a trader to submit complaints to an ADR entity is not binding on a consumer if the agreement is concluded before the dispute arose.  This would include, for example, an agreement to use ADR in standard terms and conditions of sale.  Once a consumer and a trader agree to use an ADR process (following a dispute arising), the parties will be subject to the rules of the relevant ADR provider, which may include that any decision will be binding and final.

Usefully, both the ODR Platform and BIS provide a lot of information for traders for responding to ODR Platform complaints, including FAQs and guidance on the websites for the ODR Platform.  Each Member State is also required by the ODR Regulation to establish a National Contact Point to assist both consumers and traders with using the website or handling a dispute.


At this very early stage the ODR Platform looks promising.  Only time will tell whether the ODR Platform achieves its stated goals of facilitating simple, efficient, fast and low-cost dispute resolution across EU borders, but it will require buy-in from both consumers and traders - as well as Member States.  Despite the impending possibility of a ‘Brexit’, we note that the UK implemented the ODR Platform in a timely fashion; however, France and Germany have not yet created a National Contact Point while Spain and Italy do not yet have any ADR providers on their registers.

As neither consumer nor trader can be forced to use the ODR Platform or engage in ADR, it will be necessary to convince potential users that online dispute resolution can bring about justice between the parties.  There is clearly support for an online dispute resolution process in the UK—see, for example, the Chancellor’s 2015 Autumn Statement which pledged £700m of investment in a new HM Online Court (HMOC) following the recommendations of the Civil Justice Council in February 2015.  Access to justice for litigants in person has been a common theme of both the UK government and the EU over the past few years.

But online-only dispute resolution is a new and relatively untested concept (other than more informal processes, such as those found on eBay) and it is not without its potential issues.  In the Internet age, it could deliver huge cost savings to carry out mediations or court hearings online by video call, or to submit to an online document‑only arbitration without any form of hearing or oral submissions.  Yet online justice in such forms is likely to be a lot more rough-and-ready without the benefit of the time, legal advice, documentary evidence, oral cross-examination of witnesses, and other features of what we expect from our dispute resolution processes.

Nevertheless, as consumers are generally not being required to pay more than a nominal sum to use the ODR Platform, it could result in many claims being pursued that would otherwise not have been and increased consumer confidence to buy goods and services from other EU Member States.  Traders may also be more inclined to sell to consumers in another EU Member State with the option of online ADR if something goes wrong, rather than risking being sued in another Member State with unfamiliar court processes. 

As a business based in the EU you already need to be compliant with the information requirements set out above, and you should carry out a review of your website, your complaints handling process, your emails sent to consumers and your terms and conditions, if you have not already done so.  Remember that you may bind yourself to engage in ADR with your terms and conditions, but you may not bind a consumer. 

You also need to be ready to start dealing with any ODR complaints that may be filed against you.  While you are not obliged to engage in ADR or use the ODR Platform, you should include it as part of your consumer complaints handling strategy.  It would also be advisable to set up a process for reviewing individual ODR complaints to determine whether engaging in the ODR Platform will be advantageous or whether more traditional complaints handling and dispute resolution methods will be more suitable.

For more information, please contact Nick Allan or David Konviser.

GDPR adopted by EU: key points

The European Parliament has today adopted the text of the General Data Protection Regulation (“GDPR”). This marks the beginning of the end for the GDPR’s lengthy legislative process which began with the EU Commission’s original proposal in January 2012. The GDPR will be translated into the EU’s official languages prior to publication in the Official Journal, and will take effect two years following the date of publication, and so is likely to come into force some time in the summer of 2018.

The text of the GDPR as published by the Council of the EU is available here. The key features of the text have not changed significantly since the compromise text was agreed by the “trilogue” in December 2015.

Despite a number of high profile events and cases occurring during the GDPR’s legislative life-span, including the PRISM revelations, right-to-be-forgotten cases and the Schrems judgment with the resulting EU-US Privacy Shield, the text and structure of the GDPR still bear resemblance to the Data Protection Directive 95/46/EC (the “Directive”) albeit with a number of headline changes, summarised below.

  • Fines: The maximum fines under the GDPR will be up to EUR 20 million or 4% of annual worldwide turnover, whichever is the greater. This is a stark increase on the current maximum fine of £500,000 under the Data Protection Act 1998 which implemented the Directive in the UK.
  • Extra-territoriality: Firms offering goods or services to EU residents or monitoring their behaviour will need to comply with the GDPR, regardless of whether the firm is based in the EU.
  • Data processor liability: The GDPR introduces data processor liability for certain data protection requirements, including data security, sub-processing, record keeping and data breach notifications, among others.
  • Lead authority: The GDPR aims to increase harmonisation across the EU for data protection and includes a mechanism for national supervisory authorities to co-operate in order to provide a “one-stop-shop” for businesses.
  • Data breach reporting: Data controllers must report data breaches to their supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
  • Transparency and data protection by design: The GDPR introduces new principles of “data protection by design” and “data protection by default” which expand on the Directive’s principles that data processing should be adequate, relevant and not excessive, encouraging “pseudonymisation” and “data-minimisation”.
  • Others: Further changes include a requirement for more information to be provided to data subjects by data controllers in their fair processing notices, a stricter definition of consent, enhanced rights and remedies for data subjects, a requirement to implement data protection by design and by default in IT projects, updates to subject access requests and the requirements in relation to international transfers, and mandatory appointment of data protection officers for organisations processing sensitive personal data or monitoring data subjects.

It is worth noting that, in the event of a vote for the UK to leave the EU in the referendum on 23 June 2016, the impact of the GDPR may be reduced, although many UK firms are likely to be caught by the extra-territoriality requirement and will therefore need to comply with the GDPR regardless of the outcome of the referendum. For more information on the impact of Brexit on data protection, see our article on Data Privacy, Brexit and a British Bill of Rights, available here.

For further information please contact Nicola Fulford or Michael Butterworth. 


Privacy Shield: back to the drawing board?

Author: Shirine Corboy

On 3 February 2016 we reported that the European Commission announced that it and the United States had agreed on a new framework for transatlantic data flows to replace Safe Harbor – the EU-US Privacy Shield. 

The Article 29 Working Party (‘WP29’) announced today that it has reviewed the documents setting out the EU-US Privacy Shield and has come to a common position. 

As expected following leaked extracts of the WP29’s assessment of the Privacy Shield last week, the WP29 has concerns. The WP29’s Opinion released today expressed three main concerns with the Privacy Shield:

  • the language used in the Privacy Shield does not oblige organisations to delete data once it is no longer necessary, which is an essential element of EU data protection law;
  • the Privacy Shield does not exclude massive and indiscriminate bulk collection of personal data by the US authorities; and
  • while the creation of an Ombudsperson is welcomed as a new redress mechanism, the WP29 expressed concerns that it is not sufficiently independent and does not have enough powers to guarantee a satisfactory remedy to protect individuals’ rights.

The WP29 also commented that:

  • the Privacy Shield is lengthy and complex and needs to be clarified in a number of areas;
  • it needs to be consistent with the EU data protection legal framework including, in future, the General Data Protection Regulation;
  • the Privacy Shield did not reflect some key data protection principles as outlined in European law, so the Privacy Shield does not ensure an ‘essentially equivalent’ level of protection for individuals when personal data is processed under the Privacy Shield;
  • it has concerns about protection for onwards transfers of personal data to third countries; and
  • the new redress mechanisms might be too complex in practice, difficult for EU individuals to use and therefore ineffective.

The WP29 noted the major improvements of the Privacy Shield over the invalidated Safe Harbor for transfers of personal data to the US for processing, but there is still work to be done on the Privacy Shield to clarify and improve it. It urged the European Commission to improve the draft so that the protection offered by the Privacy Shield is equivalent to that of the European Union. 

The WP29 said that negotiations between the US and the Commission are ongoing and that it would put itself at the disposal of each party to assist it. 

In the meantime, the WP29 confirmed that, until the Commission takes its final decision on the Privacy Shield, binding corporate rules and model clauses are still valid means of transferring data to the US. It also confirmed that transferring personal data to the US under the invalidated Safe Harbor decision is illegal. 

The next step is for the representatives of the Member States to express their opinion on the Privacy Shield. The Commission’s final decision is currently expected mid-June 2016, although there was a suggestion from the WP29 that this might happen later, possibly in September 2016. 

For more information, please contact Nicola Fulford, Head of Data Protection & Privacy, or Shirine Corboy, Associate, Commercial Technology.

New FCA business plan: in a nutshell

The Financial Conduct Authority (‘FCA’) published its Business Plan 2016/17 on Tuesday, 6 April 2016. The FCA Business Plan sets out its work programme and priorities for the year. It explains how it intends to meet its three operational objectives of protecting consumers, promoting competition and enhancing market integrity to meet its overarching strategic objective of making markets function well.

Risk outlook

As was the case last year, the FCA has not published a separate Risk Outlook, but has instead included this as part of the Business Plan. The FCA notes that macro-economic, socio-economic, regulatory and technology developments have created new demands, risks and opportunities for both financial services consumers and firms. It also specifically notes that the UK’s referendum on remaining part of the European Union will take place on 23 June 2016. The FCA has stated that as part of its normal activities it will consider the immediate and short-term consequences of any vote to leave the EU, such as the potential for increased market volatility.

FCA’s priorities

The FCA identified seven key priorities for 2015-16:

  • Pensions
  • Financial crime and Anti-Money Laundering
  • Wholesale financial markets
  • Advice
  • Innovation and technology
  • Firms’ culture and governance
  • Treatment of existing customers

In relation to pensions, the FCA plans to conduct consultations on a cap on early exit charges and on the proposed new consumer protection model for the secondary annuities market, along with the launch of a review on Retirement Outcomes.

In terms of financial crime and anti-money laundering the FCA plans to complete work on a proportionate and effective response to de-risking by banks along with an increased focus on firms and individuals who perpetrate investment scams.

On the wholesale financial markets front, the FCA plans to continue work on the Fair and Effective Markets Review (“FEMR”), implementing the new Markets in Financial Instruments Directive (“MiFID II”) and completing the asset management market study to assess if competition is working effectively and whether investors get value for money when they purchase asset management services.

Under the heading of advice the FCA hopes to deliver recommendations from the Financial Advice Market Review (“FAMR”), which was established with the aim of identifying ways to make the UK’s financial advice market work better for consumers, and continue its supervisory work on professionalism and the suitability of advice.

In terms of innovation and technology the FCA states that it will continue its work with Project Innovate and launch the “Regulatory Sandbox” that will give firms which meet the eligibility criteria a safe space to test innovation without immediately having to meet all the normal regulatory requirements. The FCA will also consider whether to proceed with a market study on Big Data in general insurance markets, and it will communicate expectations on operational resilience to firms. The FCA will continue to work collaboratively with the Treasury, the Bank of England and other authorities to ensure a joined-up and risk-based approach to cyber-crime.

In relation to firms’ culture and governance, the FCA intends to continue to embed the Senior Managers and Certification Regime (SM&CR) and the Senior Insurance Managers Regime, begin developing policy on extending the SM&CR to all regulated firms, and continue to review the regulatory framework governing remuneration.

As regards the treatment of existing customers, the FCA intends to implement key recommendations from the Competition and Markets Authority retail banking investigation (expected to be published in summer 2016), consult on a second package of remedies from the 2015 cash savings market study, and continue supervisory work on the fair treatment of legacy customers in the life insurance sector.

Core activities and tasks for firms

In addition to the seven key priorities outlined above the FCA also outlines some additional key work streams that include issues around sustainable regulation, payment protection insurance, prudential regulation and ring-fencing.

The FCA has set out some further detail on its core day-to-day activities including authorisation of firms carrying out regulated activities, supervision of firms and enforcement, its competition powers and responsibilities, supervising exchanges and administrators of benchmarks and overseeing primary and secondary markets.

Firms should take the FCA priorities into account when developing their strategies and as part of their governance processes. Boards and senior management should investigate to what extent these risks apply to their activities, and how they are taken into account in their risk management procedures.

The table below is taken directly from the FCA Business Plan 2016/17.

It lists a number of thematic reviews and market studies which the FCA has publicly committed to, with timings for key delivery points in 2016/17. The list is not exhaustive and the FCA will undertake additional market-based work throughout the year in line with the priorities identified in the Business Plan, and as necessary to address emerging issues that arise in the year.

For more information please contact Lucy Frew or Chris Boylan.

Driverless car regulation: UK attempts to overtake rivals

In March 2016 the Chancellor announced that driverless cars will be allowed on UK roads by the year 2020, in a sign that the government continues to strongly support the technology.[1]

The government’s announcement follows the increasing prominence of driverless cars in the media in recent years, with Gartner (a leading technology research and advisory company) describing 2015 as the peak of the driverless car “hype cycle”, as the battle between established car manufacturers and technology companies intensified to produce “driverless” or “fully automated” cars.[2] 

Google, perhaps most famously, has led the charge in the development of driverless cars, which are being heralded for their potential to improve road safety and reduce emissions and congestion.  At the end of 2014, Google unveiled its prototype[3] which it plans for public sale in 2020.[4]  More recently, Tesla announced the release of its Autopilot software (an advanced cruise control system) and Ford began testing its prototype on private roads.[5]  At the beginning of 2016 a number of other major car manufacturers, such as Toyota, Nissan-Renault, Audi and Volvo, each announced their plans to introduce driverless cars.[6]

With leading technology companies pioneering driverless systems, and the concept of driverless cars backed by established players in the automotive industry, it seems likely that driverless cars (or at least other advanced, new, driverless technologies) will be publicly available within the next few years. Although the government has announced its aim to see driverless cars on the roads by 2020, have lawmakers and regulators moved quickly enough to match the pace of innovation?

In February 2015 the UK’s Department for Transport (DfT) published The Pathway to Driverless Cars (Summary report and action plan)[7] setting out the government’s plan to update UK laws and regulations to permit the sale of driverless cars to the public.  The government’s publication is a signal to the technology and automotive industries that the UK welcomes the development of driverless technology and encourages car manufacturers to establish their testing and manufacturing operations in the UK.

In the Summary report and action plan the government confirmed that the testing of driverless cars is legal in the UK and in July 2015 released The Pathway to Driverless Cars: A Code of Practice for testing.  The Code of Practice prescribes a road safety framework under which such technology should be tested (the “Code”).[8]

The Code emphasises the importance of safety on public roads and, prior to this, the testing of the technology on the test track.  Although most of the Code is not mandatory, instead setting out new guidelines specific to driverless cars, it does require that driverless cars comply with existing road traffic laws (such as those covering the licensing of drivers and the roadworthiness of vehicles).

For more information on developments in driverless technology regulation, please see our recent article on the Government’s proposal to require insurers to compensate the victims of driverless cars. You can also access our whitepaper here.

[1] http://www.independent.co.uk/life-style/gadgets-and-tech/news/google-driverless-cars-george-osborne-budget-uk-roads-2020-a6926736.html

[2] http://www.gartner.com/newsroom/id/3114217

[3] http://www.mercurynews.com/business/ci_27190285/googles-goofy-new-self-driving-car-sign-things

[4] http://www.ibtimes.com/google-inc-says-self-driving-car-will-be-ready-2020-1784150

[5] http://jalopnik.com/ford-is-now-testing-driverless-cars-on-the-streets-of-a-1742535477

[6] http://www.marketwatch.com/story/renault-nissan-gives-details-on-driverless-vehicle-plan-2016-01-07

[7] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/401562/pathway-driverless-cars-summary.pdf

[8] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/446316/pathway-driverless-cars.pdf


Playing with cyber trouble: toys and the internet of things

The concept of the ‘Internet of Things’ (‘IoT’) has become a driver of growth in technology production in recent years, as manufacturers have sought to embed internet connectivity into everyday objects and gadgets, hoping to ride the next wave of tech-industry hype. Toymakers are no exception, and as the tastes of their target demographic – kids – evolve, so too must their toys. Today children grow up taking the internet and smartphones for granted, so it makes perfect sense for manufacturers to build some 21st Century pizzazz into their toys – or face high pitched accusations of being ‘boring’. Cue the current eccentric range of ‘smart’ toys, including Lego’s programmable ‘Mindstorms EV3’ smartphone controlled robots, or Sphero’s Star Wars themed BB-8 Droid which exudes Jedi-levels of coolness.

However, in the rush to gain early market traction (or keep development costs down), it seems various toy manufacturers have failed to ensure strong cybersecurity protocols are thoroughly baked into their products. Consequently, a troubling trend emerging recently has been the spate of cyberattacks deliberately targeting ‘smart’ toys. The most high-profile victim so far appears to be VTech, a global supplier of electronic learning products, which revealed in November that various services, including its proprietary app store database, had been infiltrated by hackers.

Details of VTech hack

According to VTech, the cyberattack occurred on or around 14 November 2015, targeting the company’s ‘Learning Lodge’ app store customer database, ‘Kid Connect’ servers and ‘PlanetVTech’ website[i]. In relation to Learning Lodge, the company revealed that over 4.8 million parental user accounts had been compromised, along with over 6.3 million child accounts (of which 1.2 million had the Kid Connect service enabled).[ii] Additionally, in relation to PlanetVTech, the company admitted that around 235,000 parental accounts, and 227,000 child accounts had been compromised[iii]. Initial reports suggest the method of attack was a simple SQL injection (whereby an attacker inserts structured query language statements into a web form, attempting to modify, extract or remove information from the underlying database)[iv]. According to cybersecurity experts, this should have been picked up by any standard security testing protocols.
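As an added illustration (not code from the article, and not VTech's own systems, whose schema is not described), the constructed Python snippet below places a form handler that concatenates user input into a query beside the parameterised version, and shows why a routine security test would flag the first: a tautology probe submitted to the email field returns every row from a made-up parent-account table.

```python
import sqlite3

# Constructed sample data standing in for a parent-account table (hypothetical schema).
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "hash-a1", "203.0.113.10"),
    ("bob@example.com", "hash-b2", "203.0.113.11"),
    ("carol@example.com", "hash-c3", "203.0.113.12"),
]

# A tautology probe of the kind a standard web-application security scan
# submits to every form field to see whether input is parsed as SQL.
PROBE = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parent_accounts (email TEXT, password_hash TEXT, ip TEXT)")
    conn.executemany("INSERT INTO parent_accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the query by string concatenation: form input becomes query text,
    so a quote in the input changes the meaning of the WHERE clause."""
    sql = "SELECT email, ip FROM parent_accounts WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver binds the value separately from the
    statement, so the input is only ever compared, never parsed as SQL."""
    sql = "SELECT email, ip FROM parent_accounts WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both handlers against the probe and a legitimate address;
    a row count that differs between them is the test's finding."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PROBE)),   # 3: every account leaks
        "hardened_rows": len(lookup_hardened(conn, PROBE)),       # 0: probe matches nothing
        "hardened_legit": len(lookup_hardened(conn, "bob@example.com")),  # 1
    }


if __name__ == "__main__":
    print(demo())
```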

In terms of stolen account data, the Learning Lodge and PlanetVTech profiles included a mixture of name, email address and password details, plus IP address and download history, while child profiles contained the child’s name, gender, birthdate and avatar details. However, of extreme concern to many parents was the loss of Kid Connect data, which along with user account information, included child profile photos, chat logs (including audio recordings of conversations) and photo files sent by children and their parents. In total, over 190 GB of photos were hacked, although it should be noted that no credit or debit card details were accessed during the breach. News of the vast data breach immediately triggered alarm from parents, law enforcement and business stakeholders, amid fears the stolen data could appear on underground black markets, where there is demand from criminal organisations for this type of data.

In short, the incident has been a PR disaster for VTech, shares in which were temporarily suspended from the Hong Kong Stock Exchange after the hack became public. Along with the reputational damage incurred from the loss of sensitive personal information, VTech has been forced to take various services offline as a precaution. Matters got worse on Christmas Day, as many children who unwrapped new VTech devices found they were unable to play with their new toys (due to the offline services and an inability to register the devices), much to the irritation of many parents, who took to Facebook to publicly vent their frustration at the company.

Dubious T&Cs

In a further, somewhat unorthodox development, VTech has recently come under heavy media scrutiny for a legal update the company issued to the Learning Lodge Terms and Conditions on 24 December 2015 (i.e. Christmas Eve), which attempted to pass responsibility for hacking incidents from VTech to the consumer. Examples of these provisions are set out below:

  • "You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.”
  • "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.”
  • "You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk."

It remains to be seen whether these new terms are actually enforceable. In the UK, the Consumer Rights Act 2015 provides that ‘unfair’ consumer contract terms are prima facie unenforceable. A ‘fairness test’ is used to determine whether a particular term is unfair – essentially, the test seeks to prevent consumers being put at a disadvantage by considering whether there is a significant imbalance to the detriment of the consumer. Additionally, VTech’s right to unilaterally vary the terms, with the effect of reducing the consumer’s rights, without a valid reason, is also potentially unfair.

Problems for other toy manufacturers

Cybersecurity incidents within the toy industry are not confined to VTech. Last year, Mattel’s internet-connected doll ‘Hello Barbie’ was also criticised by security researchers for inadequate security protocols. The doll, which syncs with a companion smartphone app and connects to a Wi-Fi network, contains a built-in microphone, allowing children to talk to the Barbie in a Siri-like manner: conversation is instantly processed on a server, allowing the doll to respond to the child in real time. However, it transpired that there were various authentication vulnerabilities, both server-side and within the toy’s companion app, in addition to vulnerability to the POODLE exploit, which was first disclosed in 2014. The combined effect of these vulnerabilities (which have since been patched by the manufacturer) could have included a determined hacker being able to intercept and redirect the doll’s voice traffic, replacing responses with inappropriate content, and taking control of the microphone, potentially allowing the doll to be used to eavesdrop on the user.

Meanwhile, other toy industry titans experiencing recent cybersecurity incidents include SanrioTown.com, an online community for Hello Kitty fans (which exposed the user account details of around 3.3 million users), along with Sony, which previously experienced a well-documented cyberattack knocking out the PlayStation Network, to the dismay of millions of users – and of the UK’s Information Commissioner, who fined Sony £250,000 for the incident.

Data protection compliance issues

The upward trend in IoT-related cybersecurity incidents demonstrates that manufacturers of IoT-connected devices and toys must ensure devices are thoroughly screened for cybersecurity vulnerabilities before going to market. Along with bad publicity, there is a real risk of financial damage to businesses that ignore these warnings.

In the UK, although there is no specific data protection law concerning children or internet connected toys aimed at children, it is generally accepted that there is a higher standard expected of data controllers while handling children’s personal data. Indeed, in May 2015, the ICO launched a review of children’s websites and apps. Commenting on principles under the Data Protection Act 1998, Steve Eckersley, ICO Head of Enforcement, stated: “In the UK, we’re clear that apps and websites should not gather more personal data than they require, and operators should be upfront about how and why they collect information and how they use it. These principles are true whatever the audience, but they are especially true where children are concerned.” The review conducted by the ICO, in a joint collaboration with the Global Privacy Enforcement Network (GPEN), saw 29 data protection regulators from around the world examine over 1,494 websites and apps aimed at children, with a view to how personal information was collected and shared:

  • Only 31% of children’s sites / apps had effective controls in place to limit the collection of personal information from children.
  • 50% of children’s sites / apps shared personal information with third parties.
  • 71% of children’s sites / apps did not offer an accessible means for deleting account information.

Under the Data Protection Act 1998, the maximum fine the ICO can impose for the most serious data breaches is £500,000. However, at EU level, the long awaited General Data Protection Regulation (GDPR) has finally been agreed and is likely to become law in 2018. Under the new regime, businesses will be required to notify the relevant data protection authority within 72 hours of becoming aware of certain data breaches, while maximum fines will be dramatically increased, as set out below:

  • €10 million or, if an undertaking, 2% of total worldwide annual turnover in the preceding financial year for breaches by data processors; and
  • €20 million or, if an undertaking, 4% of total worldwide annual turnover in the preceding financial year for breaches by data controllers.

To conclude, businesses should remember that just because a smart toy is aimed at a younger demographic, this is no excuse for not implementing industry-standard security protocols and a clearly defined policy in relation to the collection of user data. Regulatory penalties for failure to comply are becoming more serious, while parents are likely to be very hostile towards any news of a cybersecurity incident affecting their children.

Serious Fraud Office obtains first conviction

Following a Serious Fraud Office (SFO) investigation into the activities of Sweett Group plc (Sweett) in the United Arab Emirates, Sweett has been ordered to pay £2.25 million after being convicted of failing to prevent an act of bribery intended to secure and retain a contract with Al Ain Ahlia Insurance Company.

Section 7 of the Bribery Act 2010 provides that a “relevant commercial organisation” (RCO) is guilty of an offence if a person or company associated with the RCO bribes another person, intending to obtain or retain business or a business advantage for the RCO.  The offence occurred between December 2012 and December 2015 and related to conduct of Sweett’s wholly-owned Cypriot subsidiary Cyril Sweett International Limited (SWI) in respect of a project management contract expected to provide a gross profit of around £900,000.  The judge noted that a professional advisor charged with auditing the group’s financial processes had expressed serious concerns about the operations of SWI and had made clear recommendations for changes in group policy.  Sweett had failed to implement any of the suggestions, effectively ignoring them.

Sweett pleaded guilty to the charge.  It was fined £1.4 million and had a sum of £851,152.23 (equal to Sweett’s gross profit) confiscated.

David Green CB QC, director of the SFO said:

This conviction and punishment, the SFO’s first under section 7 of the Bribery Act, sends a strong message that UK companies must take full responsibility for the actions of their employees and in their commercial activities act in accordance with the law.

For further information, please contact Andy Moseby.
