• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

View All

Protecting your inventions: fintech patents

IP Senior Associate Peter Dalton looks at the case for patent protection in the fintech sector.  

Almost all fintech innovations are implemented through software, and there is a commonly held view that patents for software, especially in Europe, are difficult if not impossible to obtain.  This is  not correct – the good news is that inventions implemented through software can be patented in all major jurisdictions, if certain criteria are met.

Fintech is seeing a particularly high level of activity in this area. A recent report found that there are 80,000 individual fintech-related innovations covered by published patent documents, covering innovations across a range of services including payments, banking, wealth management, capital markets, insurance and lending with a technology angle (such as IOT, big data, mobile etc).[1]

Large companies tend to dominate due to their understanding of the importance of patenting; Companies such as VISA, Bank of America, Hitachi, MasterCard and eBay all hold hundreds or even thousands of fintech-related patents. However, the landscape is by no means dominated solely by large organisations. The top 200 patent proprietors only hold 39% of the total patents in the fintech space; the other 61% is taken up by smaller market players. A number of newer, tech-focused companies are seeing the importance of protecting their intellectual property and obtaining patent protection for their inventions.[2]  Examples in fintech include Wonga, Mozido, OnDeck and WePay, all of which have been granted patents relating to their software innovations in recent years.

Why think about patenting?

We often receive complaints from clients that a third party has copied the functionality of their software, perhaps by obtaining and studying the software itself and the accompanying manual. Copyright does not help you here. If a third party analyses your software to understand what it does, and independently creates original software code which replicates this functionality, it will not usually be an infringement of copyright. Copyright allows you to prevent the copying of particular aspects of software: for example, the code itself, a particular GUI, images or text used, etc. It does not protect the underlying idea or concept.

Unlike copyright, patents protect the functionality of the invention itself, regardless of the code implementing the invention. Once granted, the owner of a patent can prevent third parties from exploiting the method, process or apparatus protected by the patent, even if they developed the technology independently. This monopoly on the invention lasts for up to 20 years from the date of filing the patent.

This allows patent holders to exercise a monopoly on their invention, so only they can commercialise it, or license it to third parties either independently, or through international standards. This can provide a valuable revenue stream and increase the company’s profile substantially.

Patents are seen as highly valuable by investors and by the market generally, and an indication of the strength of the underlying business. Indeed, patent applications are still valuable to companies in terms of attracting investment, as potential investors view them as indicating a proactive and strategic approach to IP protection.

What do I need in order to be able to obtain a patent?

Any patented invention needs to be novel and involve an inventive step. This means it must be new and inventive over any invention which has been disclosed previously. These could be inventions which have already been marketed, or which have been published in papers or advertising materials. This includes disclosures made prior to the filing of a patent application. Therefore, it’s important to think about patenting as soon as possible in the development process and before any full product launch. It is also important to make sure that any disclosure of potentially patentable material in discussions with potential business partners is covered by a confidentiality agreement.

In Europe and the UK, in order to be patentable an invention which is implemented in software must also make some form of “technical contribution”. This means it must provide a technical benefit which goes beyond the normal operation of a computer. In the fintech context, this might (for example) be a software invention which speeds up trading, allows customers to connect to services in a new way, or a new and unique payment method. It may not be immediately obvious what parts of a product may be patentable; we work with skilled patent attorneys to help clients identify potential patentable rights and uses of their technology which they may not even have thought of.

Patents are national rights and a granted patent applies only to the country in which it is granted. Companies limit their patent applications to key jurisdictions. The decision of where to file will usually be guided by where they are trading and intend to trade in the future. For fintech patents, it is common to see US, European, Japanese and increasingly Chinese applications.

Common objections

There are a number of objections that are often raised when discussing patent protection. Two of the most common are:

1. It’s not worth patenting software, as the sector moves so quickly.

  • This is a common objection; it may take 2-3 years for a patent to be granted in a single jurisdiction, longer if multiple jurisdictions are sought. On the other hand, technology moves quickly and software is quickly replaced.
  • However, a good patent will be drafted so that it captures the method / process which is the core of the invention, rather than the particular implementation. So it doesn’t matter if the actual software code becomes outdated; the patent should still cover new implementations of the invention in more modern code.  It is very common to see patents from the late 90s and early 2000s which are still highly relevant to today’s world.
  • Also, patent applications can have a financial value even if they do not ultimately go on to grant. The existence of an application is attractive to investors, and puts competitors on notice of the potential for a patent to be granted

2. Patenting is costly

  • Whilst there is a cost to obtaining patent protection, various things can be done to reduce the impact. Further, costs are not paid all upfront and can be planned for over a number of years, allowing you to budget and manage the costs effectively
  • Once the patent is drafted, it can be filed in multiple jurisdictions without significant amendment. At any point, if it looks like the patent is not going to proceed to grant, or may be costly due to objections raised by patent offices, you can decide to abandon the application and cut off any further expenditure.
  • Ultimately, the value of having patent protection, if managed effectively as part of an IP strategy, can be huge, both financially and from a strategic standpoint.

Next steps

Given the potential value of patents, and the attention being given to patenting by other players in the fintech space, the protection of inventions should be considered as part of your overall IP strategy. In order to maximise the potential options, you should be considering this at the concept stage, before an innovation is put on the market (as publication can prevent patentability.

Patents are not suitable in all cases, but even where you ultimately decide not to proceed, the exercise of reviewing an innovation for patentability can be a very beneficial exercise. It can lead to the identification of other more suitable forms of protection, increase developer participation in the IP protection process, and lead to the identification of other uses of or enhancements to your innovations which may you may not have considered.

We regularly provide consultations for clients considering patentability, and IP protection more widely. If you would like to find out more about protecting your IP, please contact Peter Dalton or Jeremy Harris.   


[1] Relecura, Inc: “FinTech – an IP Perspective”, 20 October 2015

[2] ibid

FCA starts dialogue on distributed ledger technology

The Financial Conduct Authority (“FCA”) yesterday released a discussion paper on distributed ledger technology (“DLT”). The FCA states that it will generally take a ‘technology neutral’ approach to regulating financial services and is interested in considering whether there is anything distinctive about DLT that would require it to take a different approach. This discussion paper is intended to start a dialogue on the future development of DLT.

DLT is a relatively recent advance that has received increasing amounts of industry, media, political and other stakeholder attention in recent years. The most well-known example of DLT is blockchain. DLT combines various existing tools such as shared databases, cryptography and peer-to-peer networking to offer firms the ability to share data efficiently and securely. Technology companies seeking to provide DLT-based solutions have grown sharply in number and size, and regulated firms are increasingly using this technology to provide financial services. 

The FCA notes that DLT has the potential to provide various benefits for regulated markets. Most of these benefits will likely emerge in sectors where multiple participants need to share data and/or processes safely, particularly where firms are still reliant on paper-based records. DLT’s ability to remove the need for certain intermediaries, increase the speed of reconciliation and reduce costs has made it a popular subject of research for both regulators and industry. DLT’s increasing popularity has underlined the growing challenge of managing data safely and efficiently across all sectors. However, the adoption of DLT will take place only in areas where the advantages of increased efficiency are large enough to outweigh the costs of the associated technology transformation.

The potential for increased regulatory oversight of DLT is particularly significant. The FCA recognises that, while DLT is a new technology, some of the products and business models it enables may require consideration of whether regulatory requirements are appropriate. While DLT has great potential to help promote competition through disruptive innovation, this must be balanced against the FCA’s other statutory objectives of consumer protection and market integrity. The paper notes that DLT has the potential to offer digitised assets that can be delivered directly to consumers, legal agreements that can be composed in software and enshrined in cryptographic layers, and secured data provenance for property or identity. 

The FCA states that while specific areas exist where DLT does not fit with its requirements, it can still achieve its desired outcomes. Therefore, the FCA understands the need to consider whether its rules prevent or restrict sensible development that would benefit consumers and hence whether changes may be needed.

Industry participants are invited to respond to the discussion paper by 17 July 2017. The FCA will then review any responses received and decide on its next steps. This might take the form of a Summary of Responses or a Consultation Paper. 

The discussion paper can be found at www.fca.org.uk/publication/discussion/dp17-03.pdf .

Hot property: defending IP when employees walk away

Imagine if a key employee, who had worked for an organisation for 15 years, announced his retirement, only to recommence work a year later with the organisation's closest competitor. Or if, within the space of four months, three members of a research and development team resigned in order to join the same start-up. These scenarios might well raise red flags that there has been unlawful activity or intellectual property (IP) infringement, but how should a company go about investigating and reacting to these scenarios?

If an employee's departure raises concerns, the key is to act quickly and co-ordinate the investigation across the company. It is usually, but not always, the in-house legal team that carries out this co-ordinating role, pulling in different parts of the company, including senior executives, HR, IT and public relations (PR).

Employment contracts

One of the first actions to take is to consult the departing employee's employment contract. This can be led by HR, in conjunction with the in-house legal team. Ideally, there should be clear obligations on the departing employee relating to:

Protection of confidential information.

  • Assignment of all IP created by the employee to the company, on creation.
  • Delivery up of all confidential information, IP and IT equipment.
  • Non-solicitation of customers and employees.
  • Non-compete provisions.

It is worth bearing in mind that, while the latest version of the employment contract being used by HR may contain all of the desired IP and confidentiality protection, some of the longest-serving key employees may be on old employment contracts that contain less stringent legal protections. It is therefore worth periodically performing an audit of the employment contracts for key employees to identify those high-risk contracts.

Simultaneously, HR should also look to see if any specific terms were agreed with the departing employee relating to his exit.

Internal communications and disclosure

As soon as litigation against the departing employee becomes even a possibility, the company is under an obligation under the Civil Procedure Rules to preserve all documents relevant to the dispute, including those that prejudice its own case. The in-house legal team should therefore send round a "litigation hold" email as soon as possible, informing colleagues of the impending litigation and requiring key documents to be preserved.

The duty to preserve documents extends to electronic documents that would otherwise be deleted in accordance with the company's document retention policy or in the ordinary course of business. The in-house legal team should therefore liaise with the IT team to ensure that all electronic data relevant to the dispute, including deleted data and metadata and backup servers, are preserved.

This duty to preserve documents is a continuing duty, which means that the company needs to be careful about internal communications as these may also be disclosable. During this investigation period, the HR and IT teams may be communicating with each other; for example, with regard to what IP they believe the departing employee might have taken, and whether they consider it to be confidential. These emails could harm the company's legal case if they have to be disclosed. The in-house legal team should therefore control what documents and notes are created at this time and instruct the investigatory team on how to ensure that any documents they create benefit from legal privilege.

As well as thinking about the documents that the company may have to disclose, it pays to think early on about what documents might be useful from the other side too. It is common to seek disclosure of the departing employee's personal laptop, USB sticks and text messages sent on personal and business mobile phones, in order to build up a fuller picture of what wrongdoing might have taken place. A company can also make a number of court applications in order to protect or gain early sight of key documentary evidence. These include an order for pre-action disclosure, a search and seizure order, a freezing order, or a Norwich Pharmacal order.

Forensic examination

Forensic analysis is important to try to establish an evidence trail linking the departing employee to an unlawful act of IP infringement.

A key mistake that companies often make is to ask the internal IT team to carry out an initial investigation on the departing employee's laptop or other devices. This can lead to key evidence not being preserved, for example, "date last modified" data for files. Not only does this compromise the evidence trail, it also means that the company risks failing to preserve key evidence. Anyone within the company who carries out an initial forensic IT investigation should be willing to give a witness statement about the steps they carried out, therefore, it is best to avoid instructing junior IT assistants who may not want to be witnesses in a later court claim.

It can be worth getting a professional forensic examiner on site, at an early stage, to preserve evidence (by taking image copies of the devices) and to prepare an expert report that can be used in any subsequent court proceedings. Internal IT teams still play a vital role in terms of liaising with the external expert (see box "Preserving IT evidence").

Legal action and remedies

Once the forensic examination has uncovered evidence as to which IP might have been taken, it falls to the in-house legal team and external counsel to decide what causes of action might exist against the employee and which remedies to pursue.

Usually a company will rely on breach of confidence, however, it pays to think widely about what IP infringements the departing employee might have committed. For example, a departing employee who copies emails from key clients onto his personal USB stick not only commits a breach of confidence, but also a copyright infringement each time that employee copies and pastes the content onto a USB and then downloads them onto his laptop, or uploads them on his new employer's servers. It is therefore worth consulting an IP specialist to make sure that legal claims are cast as far and wide as possible.

It is a well-established legal principle that departing employees can take know how they have acquired during the course of their employment to their new employer, however, they cannot use trade secrets. There is no fixed legal definition for what amounts to a trade secret but it is likely only to include information with a very high degree of specificity and confidentiality such as secret processes of manufacture like chemical formulae, designs or special methods of construction (see feature article "Trade secret protection: guarding against a global threat", www.practicallaw.com/5-637-7032). Many companies are caught out by the fact that they do not consider in advance what trade secrets are key to the business and do not protect them accordingly, for example, by limiting their disclosure to a limited number of individuals within the company.

As well as considering potential causes of action, it is also important to consider what remedies are important to the company. Typically, a company will seek damages for lost profits, lost customers and increased recruitment fees, or alternatively an account of profits from the other side. For this reason, it is often worth including the new employer of the former employee as a co-defendant in any legal claim because the new employer may be vicariously liable.

The most valuable remedy can be an injunction: this can be sought at an early stage in proceedings to keep the former employee and the new employer from using the IP and confidential information, or to mandate the delivery up of the IP and confidential information. If granted, an injunction can have significant commercial implications for the former employee as well as the new employer. Injunctions therefore tend to be a strong inducement to settle the case early on.

Taking court action can be very helpful in conveying a public message of strength, that is, that the company will protect its IP assets at all costs. However, litigation is not always the favoured option: some companies may prefer to avoid the publicity of employees leaving and instead to channel their efforts into bringing forward their latest product launch date and, for example, being the first to bring their product to the market.

Internal and external PR

It is highly likely that customers will hear about any significant employee or team moves and the company will need to consider how to convey a message to those customers, and the market more widely, about how those departures are being handled.

As well as external PR, the company should also manage the morale of the remaining workforce which may be deflated following the exit of a significant employee or team. As far as possible, any issues should be contained to avoid further resignations and escalation of the situation into a larger-scale team move.

Reproduced from Practical Law with the permission of the publishers. For further information visit www.practicallaw.com or call 020 7542 6664.

The Internet of Toys: A leap forward in stimulating children's creativity or a privacy and security nightmare?

In March 2017 the European Commission published a report entitled “Kaleidoscope on the Internet of Toys: Safety, security, privacy and societal insights”[1] a technical report produced by the Joint Research Centre (JRC). The report addresses questions emerging from the rise of the Internet of Toys by offering the views on six specific topics analysed by different experts.

This article first examines what is meant by a connected toy and then explores privacy and security concerns surrounding some of these toys. Thereafter the conclusions of the JRC report will be discussed and finally some predictions will be made about the future of connected toys.

What are connected toys?

The JRC report refers to the concept of “Internet of Toys” namely internet-connected toys which constitute a subset of the Internet of Things (IOT).  In order for a toy to be connected it is not necessary for it to have a screen or otherwise resemble devices we traditionally associate with a connection to the internet, such as a computer, iPad or smart phone. The toys can take many different forms and be anything from a teddy bear or a doll to a watch. The common feature they all share is that they are all connected to the internet in some way. Some are also “smart” toys.

A distinction can be drawn between smart and connected toys. Smart toys are toys that have electronic features, for instance a camera, sensor, or microphone that facilitate interaction between the toy and a child and allow the toy to adapt to a child’s actions. Smart toys do not, however, necessarily have a connection to the internet. Robots that can interact with humans in an autonomous and socially meaningful way (i.e. not necessarily toys), also referred to as “social robots”, can be a smart toys as well.[2] Connected toys, by contrast, are toys designed to connect to the internet, but they are not necessarily smart. This distinction between smart and connected toys has been described by the Future of Privacy Forum & Family Online Institute.[3] Toys that are both connected and smart can record, among other things sounds, images, movement, and location but their key distinguishing feature is that they can also share the data which it has recorded, the so-called “play data”.[4]

Toys that record sounds, images and the like and interact with a child are not new but have in fact existed for decades. Social robots have also been used in toys for some time already; for instance a robot dinosaur called Pleo[5] was introduced nearly ten years ago. Because social robots and other smart toys often look very much like ordinary toys, a child’s interaction with them is much like it would be with a non-smart version, however, the interactive features allow the child and the toy to engage reciprocally. What is new, however, is the connection to the internet.[6]

The purpose of the internet connection is the sharing the play data. The internet connection can allow the toy to adjust the interaction to the child by personalising it, for example based on previous interactions or information about other toys’ interactions with similar children. Analysis of the play data may also facilitate learning by providing feedback to the child. One specific area where such learning may be facilitated is foreign languages where connected toys may serve as a virtual language tutors.[7]

An example of a connected toy is the Furby,[8] a furry robotic toy that somewhat resembles a hamster, first released in 1998 and whose most recent version is connected to a mobile app. A Furby can be fed and can use a toilet via the app and children can for instance collect and swop virtual Furby eggs. When the app is used the toy has an actual physical reaction such as flashing its eyes or talking in “Furbish”. It is also connected to popular songs and videos. One of the contributors to the JRC report referenced observations of a two-year old playing with a Furby. She explained that the toddler engaged in extensive imaginative play, leading to the conclusion that although children have always pretended that toys are alive, the fact that the Furby talks, sings and flashes its eyes makes that leap easy.[9]

It has therefore been argued that when playing with connected toys the key differences compared to conventional toys are: the extent to which children may connect with others; the merging of online and offline domains and public and private spaces; and the extent to which play can be shaped by global factors, such as music or videos. Play and social interactions by children are no longer confined to where they are located physically, and the Internet of Toys enables children’s imaginations to encompass a different kind of virtuality, with the toy operating as a “boundary object”.[10]

According to the JRC report the connected toys market was worth $2.8 billion in 2015, compared to $22 billion for the toy industry as a whole, but is projected to grow to $11.3 billion by 2020.

Are there reasons to be concerned about these toys?

The fact that connected toys are directly connected to the internet has, however, raised a number of concerns. The sharing of play data raises the question of who is able to access that data. For data that allows interaction with the toy access should most obvious be had by the child him/herself or the parents. In some cases, analysis of play data may even help parents, teachers and health care providers to monitor the child’s use of the toy or even bodily functions such as heart rate. However, other entities may also have access.

The service provider of the connected toy also not only has access to the data but can record and manipulate it. One contribution to the JRC report discusses this topic, explaining that what play data is recorded, and the purpose for which it is stored, analysed and shared is usually set out in the toy company’s privacy policy, although in reality not many parents actually read these policies. Play data is personal data and it is therefore crucial that toy companies and their service providers treat it with the required precautions. In addition to play data, depending on the toy, other personal data that it may also be possible to collect and manipulate include the name, age, location, email address, and postal address. Other data, including IP addresses and online behaviour can also potentially be collected.[11]

An even greater concern is presented if there are data security problems and what may transpire if the toys are vulnerable to being hacked. Such concerns have been brought to light by white hat hackers who have tested toys.

One such case is the Fisher-Price Smart Bear, reported in March 2016. The toy is a connected teddy bear advertised as having the ability to learn about a child. The bear is accompanied by an app through which parents can enter information that enables the bear to interact with a child. Testers, however, found multiple security flaws in the app that would allow easy access to the information about the child that had been entered by a parent via the app such as name, birthdate and gender. Fisher-Price has since remedied the security flaws but it was suggested that they could, for instance, have been used to gather information on a child’s family to trick the family in a phishing attack.[12]

Another case is Mattel’s Hello Barbie which was first publicised in late 2015. This Barbie doll is marketed as interactive and able to listen to a child and respond. It has a microphone that records the child’s speech, and through a Wi-Fi connection sends it out to Mattel’s voice-processing partner, Toy-Talk, for processing and the doll then responds in natural language. Testing revealed, however, that the doll was vulnerable to hacking. In fact, it was not difficult to gain access to its system, account information, stored audio and microphone.  Although the doll only records when a button is pressed and the recordings are encrypted, a hacker only needs to gain control of the doll’s system and once that has been achieved all privacy features can be turned off and the microphone can be used as a surveillance device.[13] Mattel has since addressed the problem and offered a bug bounty program with ToyTalk. Since then Mattel has received positive feedback for its privacy policy and for minimising data collection.[14]

A third example is two connected toys by Genesis Toys, a doll named My Friend Cayla marketed to girls, and a robot named i-Que marketed to boys, which are said to be able to hold a conversation with a child. They access the internet by connecting to smartphones using Bluetooth and with speech recognition software use a child’s statements to find answers from for instance Google or Wikipedia. The toys can understand and nearly instantaneously respond to almost anything, including sing, tell stories, play games, and share photos from an album. According to the Genesis privacy policy all data can be stored and shared with certain third parties. In January 2015 testers at Pen Test Partners revealed that My Friend Cayla and I-Que were vulnerable to hacking, however, two years later the problem still has not been rectified.[15]  Concerns about these toys were raised in December 2016 in a complaint by consumer groups before the Federal Trade Commission in the US, alleging that the toys ask for personal information, such as parents’ names, school name and home city, and record conversations without any limitations on the use or disclosure of the recorded information.[16]

The consumer groups also say the toys do not employ basic Bluetooth security, such as requiring a pairing code which means that when the toys are on and not already paired with another device, any smartphone within a 50-foot range can establish a connection which in turn means that anyone within that distance can use the toy as a surveillance device. [17] In addition, although the toymaker states that the toys contain software to block hundreds of inappropriate words, testers found it fairly easy to hack into the toy and program it to say words from the blocked list.[18]

A complaint similar to the one in the U.S. has already been filed an Norway and complaints will also be filed in France, Sweden, Greece, Belgium, Ireland and the Netherlands, with further calls for investigations into the privacy concerns surrounding these toys.[19] The latest development is that in February 2017 Germany went as far as banning the My Friend Cayla doll ordering parents to destroy or disable it on grounds that it could be used for surveillance.[20] Jochen Homann, President of Germany's Federal Network Agency, or Bundesnetzagentur, stated that "Objects that conceal transmittable cameras or microphones and thus pass on data unintentionally endanger the privacy of the people” and that the ban was "about the protection of society's most vulnerable."[21]

What can we learn from the JRC report?

As highlighted in the examples set out in the previous sections, sharing play data from connected toys can have useful purposes, but depending on the toy company the play data, other personal data and other information may be passed on to third parties. Most critically if the toys contain flaws or vulnerabilities the connection to the internet may make them susceptible to hacking which may pose serious privacy and security concerns. The JRC report has set out the findings of several experts in connection with the current state of connected toys.

One contribution to the report focused on the fact that play data as personal data must be carefully managed. Accordingly, the conclusion was that while it is generally parents who make decisions about play data there should also be an obligation on the part of the toy industry to address data protection concerns in a child- and family-friendly way.[22]

Another author called the impact of connected toys the “dataification” of children. This term refers to tracking of human activity using smart devices and storing the data, which in the case of children, unlike with adults who voluntarily choose to track themselves, is either done by adults or by children based on incentives to do so. The author hence cautioned that such practices turn the concept of surveillance into something normal.  Such surveillance, however, raises exactly the kinds of concerns referred to previously, namely threats to children’s privacy considering that at the moment there a lack of transparency about how the data is recorded and  manipulated.[23]

A third author had a somewhat different outlook, feeling that connected toys do not require a fundamental re-thinking of what play is, nor that they suggest that children are less creative, but that they offer further opportunities for children. She concluded that it is necessary to consider a number of factors, including the concerns raised by other authors of the JRC report, but emphasised that , the focus should be on considering the quality of play that takes place when they are used not on anxiety about the potential loss of play and creativity.[24]

A fourth author felt that connected toys likely present both opportunities and risks for children; specifically, for cognitive, socio-emotional, and moral-behavioural development. On the socio-emotional level, for example, interacting with toys may compensate for deficits in interactions with humans which could be a positive consequence unless it is used to displace actual interaction with humans.[25]

To date, little discussion regarding connected toys has taken place and as a result there is at present scant regulatory oversight of these products. One author discussed that fact that very recently, however, consumer groups in Norway and the US have raised privacy and security concerns related to connected toys, including by petitioning the US Federal Trade Commission to take action against toy companies. The author concluded by hoping that the steps taken by these consumer groups will bring about a more nuanced discussion, as well as policy and regulatory attention as to what needs to be done in terms of policy, industry practice and parenting advice in order to mitigate risks and maximise benefits of the Internet of Toys.[26]

Finally, one author explained that the knowledge of child development, play and communication varies among toy manufacturers, and that as a result some of the connected toys are not as well made as they could be, while at the same time changes are sometimes called for by academics that are not easily possible or commercially viable. She therefore concluded that academics, designers and the industry need to work together to produce the best products possible.[27]

There was general consensus among all of the authors that increased research into connected toys and their influence on children is needed in order to better understand what impact they have on children, including on their development.

Finally, the JRC report provides an overall conclusion that refers to an urgent need for a framework for the use of connected toys.

Are connected toys here to stay?

The argument can easily be made that it is better for children to focus on real human interaction than to play with toys that emulate human interaction. Considering the pace of technological development and the development of the internet in particular, it is, however, probably not realistic to imagine that toys can be eliminated from among internet-connected devices now that they have been developed and are on the market.

That being said, the concerns highlighted by the Smart Bear, the Hello Barbie, and the My Friend Cayla and i-Que toys, discussed above, particularly vulnerabilities to hacking and a lack of clarity on the part of toy companies about their use of the personal data they collect, suggest that there is a rush to get connected toys onto the market before their possible repercussions have been fully analysed. This in turn makes it plain that there definitely are serious questions concerning privacy and security that must be looked into and addressed.

As evidenced by researches testing and seeking to hack into these connected toys and the recent consumer group complaints that have resulted it appears, however, that these toys are already being subjected to greater scrutiny. It is therefore possible that this increased scrutiny might lead to regulators also taking a greater interest in the subject. Such regulations might include requiring improved security features to prevent hacking, greater transparency and clarity about the intended use of play data and other personal data, including specifically the ability to for parents to opt out, as well as requiring privacy policies that minimise the use of any personal data that is collected. It should be emphasised, however, that in connection with data protection in particular the law already places significant restrictions on the use of personal data which therefore need to be effectively implemented.  

The commissioning of a research report by the European Commission with a conclusion that there is an urgent need for a framework to address the topic in and of itself already highlights that the issue is already receiving more attention and is now at the very least on the radar of decision makers within the EU. As is often the case, however, it appears as though connected toys are a case where policy and regulations must try to play catch-up with an industry that has already put the new products on the market. In light of the latest development in connection with the My Friend Cayla doll with Germany already having gone as far as banning the product it will remain to be seen whether other countries will take a similar approach.

Due to the added publicity that these concerns are receiving it can also be hoped that parents and carers become better informed about connected toys so as to be able to make more informed decisions about whether to purchase them for their children. For better or for worse connected toys are probably here to stay.

To read more about connected toys, read our article One voice to rule them all: Smart home devices, AI children and the law

[2] Jochen Peter, Social robots and the robotification of childhood, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[3] Future of Privacy Forum - Family Online Institute (FOSI), Kids & the connected home: privacy in the age of connected dolls, talking dinosaurs and battling robots, 2016.

[4] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[6] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[7] Jochen Peter, Social robots and the robotification of childhood, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[8] https://www.hasbro.com/en-gb/brands/furby

[9] Jackie Marsh, The Internet of Toys and the Changing Nature of Play, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[10] Jackie Marsh, The Internet of Toys and the Changing Nature of Play, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[11] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[12] https://www.theguardian.com/technology/2016/feb/02/fisher-price-mattel-smart-toy-bear-data-hack-technology

[13] https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children

[15] http://www.bbc.co.uk/news/technology-38222472.

[18] https://article.wn.com/view/2015/02/09/Talking_Doll_Cayla_Hacked_To_Spew_Filthy_Things/

[19] http://www.bbc.co.uk/news/technology-38222472.

[21] http://www.dw.com/en/german-regulator-tells-parents-to-destroy-spy-doll-cayla/a-37601577.

[22] Stephane Chaudron, Rosanna Di Gioia, Monica Gemo, Internet of Toys – Safety and Security considerations, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[23] Giovanna Mascheroni, The Internet of Things and the Quantified Child, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[24] Jackie Marsh, The Internet of Toys and the Changing Nature of Play, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[25] Jochen Peter, Social robots and the robotification of childhood, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[26] Donell Holloway, The Internet of Toys: media, commercial and public discourses, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

[27] Dylan Yamada-Rice, Designing connected play: Perspectives from combining industry and academic know-how, http://publications.jrc.ec.europa.eu/repository/bitstream/JRC105061/jrc105061_final_online.pdf

Intellectual property on the line in new era of app wars

Where’s the line between “inspiration” and copying? If you don’t copy code, but you introduce functionality that’s never been seen before except in an app that you happen to know really well, are you really copying? If you’re the originator of a new concept, how do you keep the hounds away? These questions are arising more and more as established apps look to maintain their dominance, and the new players look to muscle in.

In a world where the US president is telling us that fake news pervades, there appears to be a driven human need for real stories. We are, through social media apps, each individually now able to be the news, to be the story. Our followers know us – they know when we are putting it on, when we’re showing our world how it actually is.

SnapChat started with a streak – messages, photos and 10-second videos keep the messages going back and forth. They’re not interesting enough to keep, but make the recipient or sender laugh or groan. Stupid faces, half your head, your feet walking along in wet shoes, someone with a weird haircut.

Then SnapChat introduced Stories. You post photos or videos that can keep being viewed, rather than disappearing, but only stay up for 24 hours. You add content as you go through your day. You can add messages or distort the pictures with editing tools. You can reveal your story to everyone, or just a few.

In August 2016, Instagram introduced a new feature called “Instagram Stories”. It seemed remarkably similar to Snapchat. But was it copied? There were differences. It’s pretty unlikely that any code was copied. There was clear inspiration – but where does the line lie?

This has been pushed further, with Facebook’s “My Day”, and WhatsApp releasing its new “Status” feature, introduced in February 2017.

If you’re an innovator and want to introduce a new feature, what protection can you get, and what is protectable?


Firstly, you have to prove that something’s been copied – can you prove that WhatsApp copied SnapChat – perhaps they copied Instagram or Facebook, either of whom may have been inspired by Snapchat. Will Instagram do anything – can they?

If WhatsApp, for example, started with say Instagram’s version, not Snapchat’s one, Instagram are limited in what they can protect or enforce – where is the originality? Any argument they run will require them to reveal where the idea originated – not something they will want to tell the world. Then, there’s the test: has a substantial part of an original work been copied?

Given that the main part of Stories and Status is the user’s own copyright content (photo or video), and the relevant app is merely providing a means to do that, the value is in the functionality.

So, copyright is tricky. Tricky for the originator, because there’s not much copyright in a functional feature other than the code (the idea holds the value, not the code), but tricky for the first copier too. If the first copier is far enough away that they might avoid their work being a derivative of the first work, the second tier copier is in a much stronger position. The me-toos are following quickly, and who can stop them?


From a search of the EU register of designs, it seems that neither Snapchat, nor Instagram think designs are the way to go, unless they’re filing in the names of obscure subsidiaries. Unregistered designs last for three years from first being made public, so why bother filing? If copyright doesn’t give you real protection, you need to find something, and designs are a powerful tool when used well.

Apple and Facebook file copious numbers of designs for user interfaces, and it gives them a much stronger starting position, not least to prove that a design concept was their idea, and to have something more solid to use as a litigation weapon.


Patents are expensive, slow, but if it’s about functionality, combining things that have never been married up before, there is decent argument that there is a technical effect. If you get threatened even with an application, it’s going to be off-putting.

But the arguments that it’s just another way to present information are going to make getting a patent to grant pretty hard. But before you release your new feature, you can file a patent application. You lose nothing in terms of confidentiality, because it’s out there before your patent files – and if your patent application gets a battering, no one even needs to know you filed it. You can opt to withdraw it before publication 18 months later.

The conclusion? Aiming to create a battery of rights gives you some collateral to fend off the competition. That has to be worth quite a lot.

This article was first published in Lawyer 2B.

"I do" [tick] - how to get consent under the GDPR

On 2 March, the ICO released a consultation on the meaning of consent under the GDPR and, as part of this, published its draft guidance on consent (“Guidance”).  Organisations have an opportunity to respond to the consultation before 31 March 2017 and the ICO is aiming to publish the final guidance in May 2017.  Note that the Article 29 Working Party is also scheduled to publish guidance on consent later in 2017.  This article provides a summary of the main themes coming out of the draft guidance.

Consent under the GDPR

The Guidance says that “the GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms”.  Some elements of the definition of consent under the GDPR are the same as the definition under the current Directive – it must still be freely given, specific and an informed indication signifying agreement.  Under the GDPR the indication signifying agreement must also be “unambiguous” and involve a “clear affirmative action”.  Individuals have enhanced rights under the GDPR where an organisation is processing their personal data based on their consent (for example, a right to erasure/to be forgotten and a right to data portability).

Explicit consent

Organisations will need to obtain explicit consent for automated decision making, including profiling and if relying on consent as the lawful basis for processing sensitive personal data or for transferring personal data outside of the EEA.  The Guidance clarifies what is meant by “explicit consent” as this concept appears in the GDPR but isn’t defined. 

Explicit consent requires a very clear and specific oral or written statement of consent.  For example, having the wording “I consent to receiving emails about your products and special offers” with an unticked opt in box.  Explicit consent cannot be obtained using any other positive action such as a clear affirmative action not involving a clear statement.  For example, having the wording “By entering your email address you agree to us sending you emails about our products and services” and a box for individuals to enter their email address, as this is implied consent rather than explicit consent.  To obtain explicit consent, organisations will also need to provide individuals with sufficient information about what they are consenting to, such as, the nature of the sensitive personal data, the automated decision and its likely effect or the data to be transferred outside of the EEA and associated risks. 

Implied consent

The Guidance says that the idea of an “affirmative act” still allows organisations to use implied consent in some circumstances and that the “key issue is that there must be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.  This is positive for business who may still be able to use statement such as “By clicking submit, you consent to us contacting you by email with monthly offers”.  The Guidance, however, flags that implied consent “won’t always be appropriate” and “would not extend beyond what was obvious and necessary

Bundling consents

Organisations should avoid making consent a precondition of a service.  The guidance says “consent requests must be separate from other terms and conditions.  Consent must not be a precondition of signing up to a service unless necessary for that service”.  Consents may be bundled where the processing is genuinely necessary to provide the services, however, the ICO flags that a different lawful basis for processing may be more appropriate if this is the case.

What getting consent right looks like

  • Positive opt in – The individual is given a genuine choice and control over how their personal data is used and takes a deliberate action to opt in.  For example, signing a statement, giving oral confirmation or making a binary choice (and both choices have equal prominence)
  • Unbundled, specific and granular - Consent for processing personal data is separate from other terms and conditions and obtained separately for each distinct processing operation (where consent is the basis for processing).  If the processing is a condition of a service but not actually required for the service, the Guidance says that this consent will be presumed invalid as it is not freely given.
  • Prominent, clear and concise – Consent mechanisms must be easy to use and the language used must be clear, concise and easy to understand.
  • Third parties – Organisations will have to name the third parties who will rely on consent being given.  This is going to be a challenge for many organisations and the Guidance is clear that naming the types of organisation won’t be good enough to satisfy this requirement.
  • Withdrawing consent – You tell people how to withdraw consent and make it easy people to do so.
  • Clear records – You keep evidence of who provided consent, when the consent was provided, how the consent was provided and what the individual was told.
  • Review – You keep consent under review and refresh it if anything changes.  The ICO emphasises that consent is an ongoing and actively managed choice and not a one-off compliance tick box.

What is clearly banned

  • Pre-ticked boxes - Pre-ticked opt-in boxes and other forms of consent by default.  The Guidance makes it crystal clear that a failure to opt out is not consent and it also says that “You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.”
  • Confusing language - Double negatives or inconsistent language that is likely to confuse individuals.
  • Disruptive mechanisms - Consent mechanisms that are unnecessarily disruptive to individuals. 
  • Imbalance in the relationship - Employers and public authorities will find it hard to rely on consent and the Guidance says it should be avoided.  This is because where there is a dependence on an organisation for services or a fear of adverse consequences, individuals may feel that they do not have a genuine choice and so consent is not freely given.
  • Vague or blanket consent – Consents worded so vaguely that they do not provide clear and specific information about what the individuals is consenting to.


  • If consent is difficult, it is an indication that you should be considering another lawful basis.  The ICO says that if you would still process personal data without consent, asking individuals for consent is “misleading and inherently unfair”.  Consent will still be needed for direct marketing (unless soft opt-in is available but note that the European laws on direct marketing are currently under review) and for using personal data for a new incompatible purpose.
  • You should review where you rely on consent and consider whether another lawful basis might be more appropriate.  For example, is the processing necessary to fulfil a contract with the individual or to comply with a legal obligation? Or do you have a genuine and legitimate reason, which includes a commercial benefit, that is not outweighed by harm to the individual’s rights and interests (note that you will still need to be fair, transparent (i.e. tell people) and accountable). 
  • Where consent is still needed, review the consent mechanisms that are currently used and identify gaps between current practices and the higher standards that are mandated under the GDPR. 
  • Develop an approach to refreshing consents that don’t meet the GDPR standards in advance of 25 May 2018.
  • Implement a process for regularly reviewing consents, quickly responding to withdrawals of consent and for updating/refreshing consents if things change.

Note that the GDPR contains specific provisions on children’s consent and consent for scientific research which this article does not go into. The Guidance is out for consultation until 31 March if you would like to comment or contact us if you would like our assistance.

Amazon and the $150 million typo: cloud risks for early stage companies, and how to mitigate them

Although the impact was not quite as big as some headlines had suggested (“Amazon Just Broke the Internet”), the outage of Amazon’s Simple Storage Solution (S3) in the US-East-1 region on Tuesday 28 February caused significant disruption. The Wall Street Journal quoted Cyence Inc., a start-up specialising in cyber-risks, as estimating that the Amazon outage cost companies in the S&P 500 index $150 million. Apica Inc., a website-monitoring company, said 54 of the internet's top 100 retailers saw website performance slow by 20% or more. Connected lightbulbs, thermostats and other IoT hardware were also impacted, with many unable to control their devices as a result of the outage. Nest warned customers that its internet-connected security cameras and smartphone apps were not functioning properly as a result of the Amazon issue. Amazon was unable to update its own Amazon Web Services (AWS) status dashboard for the first two hours of the outage because the dashboard itself depended on the unavailable systems.

Amazon’s explanation was that “an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended." Removing a significant portion of the server capacity required full restarts and this problem was compounded by the fact that parts of the system had not been completely restarted for several years, a process which took longer than expected.

As a result of the outage, Amazon said it is making several changes to the way its systems are managed and promised to make changes to improve the recovery time of key subsystems.

In signing up to cloud hosting contracts, a lot of companies assume everything will be fine and their websites, applications and data will always be available when needed, particularly if they are choosing one of the leading providers of hosted services such as AWS. In August 2016 Gartner identified AWS and Microsoft as the only two companies in its “Leader” category for cloud infrastructure as a service (IaaS) worldwide (ranking AWS ahead of Microsoft) and said that “The market for cloud IaaS has consolidated significantly around two leading service providers.”. This consolidation increases the impact of outages such as the one impacting Amazon’s S3 service.

Given the potential impact of an outage on critical services, customers may need to reconsider how they mitigate the risk of downtime, and we discuss the possible options below.

Increasing the target for availability

Taking Amazon’s S3 service as an example, when used in a single region it is said to be designed for 99.99% of availability with a service level agreement for availability of 99.9%. However, relying on a service in a single region offers the potential for a single point of failure. The Amazon outage on 28 February involved just one region, US-East-1 in northern Virginia USA, but the impact of the outage was so significant as this is the most heavily-used regions in the AWS global infrastructure.

The impact would not have been so significant if AWS customers had chosen a multi-region architecture as sites and applications using S3 in a different region would not have been affected. AWS currently operates 42 availability zones (AZs) within 16 geographic regions around the world. AZs consist of one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities, miles apart from each other on separate flood plains. By contrast, another of AWS’s services, EC2, provides an SLA of 99.95% but this greater availability threshold is based on deployment to at least two AZs (although S3 can only be selected by region, not by AZ).

The disadvantage of this approach is that multi-region implementations will increase cost and complexity. Customers are understandably reluctant to achieve an extra ‘9’ of availability by selecting another region and potentially doubling their hosting costs. However, the additional costs and complexity will need to be measured against the risks of operational disruption, financial loss and reputational damage arising from significant unavailability of critical data and/or applications in a worst case scenario.

Negotiating a stronger contractual position

Contracts with major hosting providers usually restrict the customer’s remedy to service credits if the provider fails to meet its availability target. For Amazon’s S3 service for example, if availability falls below the service level of 99.9% in a month customers would typically be awarded a service credit of 10% of the monthly fee. This may well be wholly insufficient recompense to customers who need to ensure that they can access their data or keep their sites and applications up and running at critical times, particularly if the service credits do not cover customers’ liability to their own customers as a result of unavailability.

The major hosting providers have shown some willingness to offer more contractual protection for their customers by offering increased limits on their liability for damages caused by service level failures but this has come with a significant cost in terms of fees or only been available to customers spending very significant sums with the hosting provider. Such additional legal protection has typically not been afforded to customers spending less, and this is understandable: from the hosting providers’ perspective, they are offering a low-cost and largely commoditised solution and it is simply not realistic to expect them to carry significant legal risks at the price point at which the lower end services are offered. In other words, you don’t get what you don’t pay for, and so at the cheaper end of the market where commoditised services are being provided, customers are very unlikely to be able to negotiate better legal protections.

However, where high levels of availability are essential to their business model customers should insist on having visibility over who is hosting their data and applications and ensure that during contract negotiations suppliers are required to identify all key subcontractors (and their subcontractors) so that the customer can identify potential vulnerabilities in the supply chain and consider steps to mitigate the risk of downtime before becoming committed to the contract.

Taking more control over hosting arrangements

Moving away from a massive scale, multi-tenant model towards a single-tenant, private cloud or even on premise deployment provides an opportunity for more control but at a cost both financially and in terms of operational flexibility. The cost benefits of deploying to the cloud are a significant source of advantage for start-ups and smaller organisations which do not have a major investment in existing on premise hardware, combined with the agility and flexibility of cloud computing and instant access to global infrastructure. In contrast, large enterprises deploying to the cloud face a considerable incremental cost in addition to maintaining legacy on premise resources until these can be retired, a process which may take several years.

Even for start-ups though, the need to take control over how critical services are delivered may outweigh the costs. Digital challenger bank Monzo, which offers a contactless prepaid Mastercard and plans to offer a free current account this year, said that a severe outage resulting in its cards and app not working for most of Sunday 5 March was caused by a third party processor used by Monzo to connect to payment networks. When it first started it made sense for Monzo to use a third party processor because the process for connecting directly to the payment networks was long, costly and complex and at the time there seemed to be no benefit to its customers. However, Monzo has just finished a 12-month project to connect directly to Mastercard so that it can process transactions entirely using its own technology. Announcing this change in a blog post published on 6 March, Monzo's head of engineering Oliver Beatties said that "We see ourselves as a technology company as much as a bank, and going forward our strategy is to bring all critical systems in-house and continue to develop our own platform atop modern technology which we control.”.

Local back-ups as a safety net

Despite the attractiveness of short-term savings in moving data and applications to a single region, cloud-based solution, this approach could end up being very costly if businesses are dependent on a single point of failure without having an alternative solution which they can access quickly. From a practical perspective, whatever model they adopt for hosted services customers need to ensure that they make regular back-up copies of their data stored by a hosting provider, downloading copies of the data to their own systems or to an alternative hosting provider so that if absolutely necessary they can quickly implement an alternative solution.

The same applies to software: keeping full back-up copies of key applications on-site means that, should a hosting provider have an extended outage, there is at least an option to redeploy elsewhere rather than risk an indefinite interruption in service.

Worth paying the extra hosting fees?

While cloud storage and processing does offer significant price and operational advantages for start-ups, it may well be worth even for early stage start-ups thinking about the relative costs of paying for hosting in an extra region and / or with alternative provider, relative to the impact on operational stability, reputation and customer retention that a prolonged full outage might have on a growing business. Even the most heavily negotiated hosting contracts are highly unlikely to afford adequate recompense for the effects of a full outage after it has happened. As such, while it is still strongly advisable to review the contracts (not least to ensure compliance with, for instance, data protection legislation), the strongest way to deal with the risks emanating from an outage is probably still to use an architecture for the hosting of data and software that will minimise the risk of there being a full outage in the first place.



Banking Standards Board publish SMCR good practice statement

The introduction of the Senior Managers and Certification Regime (“SMCR”) a year ago has seen an increased focus on accountability and standards of fitness and propriety. For those firms within the new regime, this has meant reviewing how they assess individuals as fit and proper, both when hiring senior managers and certification staff and when running their first annual certification process.

To assist firms looking for specific guidance as to how best to do this we set out links below to documents published by the Banking Standards Board (“BSB”).

Although these publications are aimed at banks and building societies, they will also be of use to other regulated firms, particularly in view of the proposed extension of the regime next year to all FSMA regulated firms.

 Please see below for quick links to the BSB statements:

If you have any questions or would like to discuss how best to integrate this guidance into your internal processes, please contact a member of the Kemp Little team.

InsurTech: deadline approaches for Pensions Dashboard prototype

As the March 2017 deadline approaches for the implementation of a Pensions Dashboard prototype, we consider the purpose of the Dashboard and its features, the key legal issues that will arise, and the timeline to full implementation


The concept of a Pensions Dashboard was introduced in the 2016 Budget, as part of the Government’s strategy to encourage the public to engage with retirement planning and follows earlier initiatives, such as auto-enrolment into workplace pension schemes and the 2015 reforms enabling pensioners more flexibility in drawing down from their pensions pots.

The Dashboard will allow individuals to view all of their pension products through an online portal, as the Government, together with industry, recognised that the public is increasingly engaging with financial services through the internet and other digital platforms.[1]  It is hoped that the dashboard will facilitate better accessibility and management of personal financial information and financial products.

The project follows the results of research from the Department of Work and Pensions (DWP) which found that, on average, individuals will work for eleven employers during their working life, which means that upon retirement individuals often have several pensions, some of which cannot be easily located.  The intention is that the dashboard will provide a link to “lost” pension pots with previous employers and could help release the £400 million worth of pension savings that the DWP estimates remain unclaimed.

The Treasury (as the Government department responsible for supporting the project) is aiming for the Dashboard to be made available to the public by 2019 and, in advance of this, has targeted March 2017 as the launch date for a prototype capable of proving that the concept is workable.[2] 

The Association of British Insurers (ABI) is tasked with leading the development of the Dashboard, along with industry stakeholders, including insurance companies[3], regulators and trade bodies (the “Project Group”).


The Project Group has been asked to work with insurance companies to: (i) agree the design of the infrastructure for data sharing; (ii) build and demonstrate a basic working prototype using anonymised customer data; and (iii) propose potential solutions for the development of an industry-wide dashboard.[4]

In December last year, six fintech firms were selected to join the Project Group to develop the technology behind the Dashboard[5].  The development has been split into the following categories:

  • Dashboard user interface (how people will interact with the Dashboard);
  • Pensions finder services (how the system retrieves information on people’s different pension pots);
  • Identity providers (verification of people’s identity);
  • Integration service providers (providing the networks and support some pension firms will need to share data with the Dashboard); and
  • Matching / data quality analysis (overcoming the challenges of locating everyone’s pension(s) such that they appear in the Dashboard).[6]

The Project Group has been asked to consider how the platform will be made available to the public, including the following options:

  1. Single destination model: A single dashboard user interface, accessible through one source (for example a consumer guidance brand or a not-for-profit website).
  2. White-labelled model: As above, a single dashboard user interface, but white-labelled and accessible through the websites of several financial services providers (such as banks, pension providers, financial advisers and fintech start-ups).
  3. Federated model:This approach would consist of many different types of dashboard user interfaces, so that each provider could independently develop the look and feel and the user journey to suit its own customers.

Customer research carried out by the Project Group has indicated that the single destination model is favoured by consumers (because of the trust placed in one reputable provider, and the simplicity this provides), and the Project Group has recommended that this model is taken forwards through the initial stages of development, but it remains to be seen whether this model prevails over the others and is ultimately taken forward as a live product.

Key legal issues


While the project has been supported from the outset by major insurers, there is a concern that without legislation some insurers, including smaller insurance companies and those providing defined benefit schemes (which, ostensibly, have less to gain by participating), will not provide the necessary data such that individuals can access all their pension scheme information in one place.

If the project fails to win wide enough support across the industry, the Government may consider legislating such that participation is made mandatory[7] – and this is a move which seems to be welcomed by those insurers already supporting the project.[8]  This approach is similar to that taken in respect of open banking, in which the Government and the Competition and Markets Authority (CMA) had encouraged retail banks to work towards standardising both customer data sets and accessibility but which ultimately saw the CMA introduce a final order requiring the co-operation of retail banks, in February 2017.[9]

Regulatory oversight

The potential role of regulators in oversight of the Dashboard will, to some extent, be determined by the Dashboard model which is adopted.  It is possible that insurers adopting the white-labelled or federated models will find that the activities they perform in relation to the Dashboard (such as inputting data and (potentially) promoting insurance products as part of the Dashboard offering) will be covered under existing oversight by the Pensions Regulator (TPR) and the Financial Conduct Authority (FCA).

It remains to be seen whether an independent third-party operator (such as a not-for-profit or a consumer guidance brand) operating a single destination model would need to be regulated and to what extent it is subject to regulatory oversight. If such activities were subject to burdensome regulation, the costs associated with compliance may deter not-for-profits from supporting the single destination model.

Data sharing

The regulatory bodies have duties and enforcement powers around use of data, communication with customers and acting in the best interests of customers, and are likely to have decisions to make on the data which flows into the Dashboard.

If legislation is required to ensure pension providers submit data to the Dashboard, regulators, such as the FCA and the TPR, may need to monitor providers to ensure that they are complying.

The integrity of the personal data in the Dashboard will be subject to data protection legislation (including the more onerous requirements of the General Data Protection Regulation from May 2018).  The insurers submitting data and the provider of the Dashboard (in the event that it is a third-party which is not a financial services provider) will need to work together to ensure that individuals’ data is accurate, kept up to date, and retained for as long as is necessary to meet the needs of those individuals.  It is unclear how the insurers, the Dashboard provider, and other stakeholders, will contract with each other and how the risks associated with data breaches will be apportioned between them.  This is likely to emerge as a key risk issue as participants scope and quantify their liability in relation to supporting the Dashboard.

Financial regulation

The issue of whether the provision of the Dashboard would be a regulated activity is – at this stage - of less concern to authorised firms as the Dashboard may fall within the scope of their existing regulated activities.

However, there remains the possibility that the provision of the Dashboard is found by the FCA to constitute a new type of regulated activity, which would mean that regulated firms would need to obtain additional authorisation for the new regulated activity.

Additionally, if the provision of the/a Dashboard is found to fall into existing or constitute new regulated activities, third party providers under the single destination model would find themselves within the scope of FCA oversight and would need to undergo the costly and time consuming process of becoming authorised.  As referred to further above, this regulatory burden could prevent not-for-profit organisations from participating.

In any event, any organisation considering supporting the Dashboard (through any of the three models set out in section further above) should consult with regulators early so that it can ensure it has the necessary authorisations in place in advance of the launch of the Dashboard.

Next steps

In its Pensions Dashboard white paper, published last year, the ABI stated its intention to oversee the production of an end-to-end prototype before the end of Q1 in 2017. At the time of writing, the prototype has not been announced and, until such prototype emerges, concerns will remain whether the project can be delivered on time, as a customer-facing product, in 2019.

As the development of the Dashboard continues behind the scenes, stakeholders should ensure they are prepared for its introduction and, in particular, consider the ways in which they are likely to contribute customer financial data to the Dashboard and the likely regulatory and data protection risks associated with participation.


[3] The sixteen insurance companies participating in the project in November 2016 are Abbey Life, Aon, Aviva, Fidelity International, HSBC, Legal & General, Lloyds Banking Group (Scottish Widows), LV=, NEST, Now: Pensions, People’s Pension, Phoenix, Prudential, Royal London, Standard Life, Willis Towers Watson and Zurich.

[5] The six fintech firms are Aquila Heywood, Experian, ITM, Origo, Runpath and Safran.

Scope of retainers

It is well established that, prima facie, the extent of any professional duty depends upon the terms and limits of the retainer. There have been several cases in recent times where the courts had to consider the issue of whether a professional owed his client a duty to advice on matters that were beyond the scope of the work as set out in their retainer letter. One such recent case is Denning v Greenhalgh Financial Services Ltd [2017] EWHC 143 (QB) where the court considered the scope of the duty of care owed, under the terms of a retainer, by a pensions adviser.


The claim concerns an allegation of professional negligence on the part of Greenhalgh Financial Services Limited (“GFS”) upon the basis that GFS was in breach of a professional duty (in tort and/or contract) owed to the claimant by not performing a detailed review of pension transfer advice given to the claimant some eight years earlier by unrelated advisers.

In 2000, the claimant instructed Alexander Forbes Financial Services Ltd (“AF”) to provide pensions advice. AF advised the claimant to transfer his occupational pension to another provider. In 2008, the claimant was dissatisfied with the service provided by AF and instructed GFS to provide advice on the management of his investments. In 2009 and 2010, the claimant complained to the Ombudsman regarding AF’s advice. But the Ombudsman found that the limitation period had passed in relation to the advice provided in 2000. In 2013, the claimant issued a claim against GFS that GFS was negligent and had failed to advise him on a potential claim against AF and applicable limitation periods. The claimant alleged that but for GFS’s negligence, he would have issued a claim against AF in 2008 and would have received substantial damages.

The claimant relied on the earlier case of Credit Lyonnais SA v Russell Jones & Walker [2002] EWHC 1310 where it was held that a professional may owe a duty to give advice outside the scope of a retainer if, in the course of performing the retainer, the professional comes upon information which would lead any competent professional to perceive and advise upon a legal risk. It was emphasised that although a solicitor was under no general obligation to expend time and effort upon issues outside the scope of the retainer if, in the course of doing that for which the solicitor was retained, he became aware of a risk or potential risk it was his duty to inform the client. If in the course of performing his instructions within his area of competence a lawyer noticed or ought to have noticed a problem or risk for the client, which it was reasonable to assume the client did not know about, the lawyer was required to warn the client.

The court distinguished this case from that of Credit Lyonnais based on the fact that GFS was instructed to advise upon the claimant’s present and future financial requirements – the retainer was prospective. The information on the earlier transfer was provided for history and context only and no fees was to be paid to GFS to review the previous advice. There was no commercial or factual connection between the earlier transfer and the advice that GFS was asked to give. Further, the nature of the advice which it was argued GFS should have provided was in any event different in its nature to that which was the subject matter of the retainer. Based on these facts, Green J held that GFS owed no duty to advise on the possibility of a claim against AF and the claim had no real prospect of success.


It is a relief to professionals that an extended duty to advise will only arise in “obvious cases”, and that there must be a “close and strong nexus” between the retainer and the matter on which it is said that the professional should have advised but failed to do so. This implies that if a client receiving professional advice wishes for any specific advice that is not covered in a retainer, then it should be discussed with the professional and the retainer amended accordingly. It is also a reminder of the importance of setting out the scope of work clearly in the retainer and if relevant, also specifying that there will be no review of past advice and that they will not consider on whether a client should complain about past advice.

  • Page 5 of 25