The challenge against Apple is bringing in more supporters and expanding to other jurisdictions. To recap, in our first blog we explained how Microsoft applied to the US Patent and Trade mark Office to oppose Apple’s trade mark for APP STORE on the grounds that it is a generic term.  In our second post we explored that Apple was on the offensive against Amazon for using the term APPSTORE for their software download store (to date Amazon have already filed their defence).

These actions both are taking place in the US.

Now the challenge to APP STORE has extended to Europe, where Apple has CTMs registered for APP STORE and APPSTORE since 2009.

As part of Amazon’s overall strategic defence to the lawsuit filed by Apple, they applied on 15 April to cancel Apple’s CTM trade mark registrations.

Microsoft have now followed suit by filing a declaration of invalidity of these EU marks.

What is interesting here is that Microsoft has pursued this challenge with the support of 3 other phone manufacturers: HTC, Sony Ecrisson and Nokia.

After issuing an invalidity application Microsoft released the following statement saying they were “seeking to invalidate Apple’s trademark registration for APP STORE and APPSTORE because [they] believe that [the trade marks] should not have been granted because they both lack distinctiveness. The undisputed facts establish that ‘app store’ means exactly what it says, a store offering apps, and is generic for the services that the registrations cover.”

This is not going to be the last we will hear in this ongoing dispute. The interest in this trade mark is growing and one wonders who else is going to join the bandwagon? Also, there is sufficient interest in the outcome of the EU trade mark proceedings, to see any decision made by OHIM being appealed up the steps to the Court of Justice of the European Union.

Aggressive protection of intellectual property is essential to America’s current economic prosperity and future success

Proposals aimed at clamping down on IP offences by the Obama Administration in the White Paper on Intellectual Property Enforcement Legislative Recommendations are varied and far reaching, recommending a raft of changes including:

1. The use of wiretaps in cases of copyright and trademark infringements
2. Clarification that unlawful streaming of copyright material is a felony
3. More serious penalties for repeat IP offenders
4. The creation of a new US right of public performance for works broadcast over-the-air

These are just some of the proposed reforms aimed at tackling what some consider to be an increasingly relaxed public attitude towards piracy and IP infringement.  The problem of how to enforce copyright online is significant to businesses in a wide range of fields, and a proper understanding of the relevant issues can be a considerable advantage when deciding if, and how to distribute content.  This is the motivation behind an upcoming webinar to be delivered by Azrights: Controlling Copyright in the Cloud.

Digital Economy Act Update

Meanwhile, the UK High Court recently rendered its opinion following the application by BT and TalkTalk for judicial review of the DEA and Copyright (Initial Obligations) (Sharing of Costs) Order 2011.  You might recall that our earlier post touched on the compatibility of the Act with European law, now the results are in (the case report is available here).

Of the objections raised by the Telecoms providers, only one was accepted by Justice Kenneth Parker, while four claims were dismissed confirming the courts view that the law is consistent with European legislation. The successful claim concerned an obligation on ISPs to bear a proportion of the costs involved in implementing the new legislation, and a number of parties have expressed dissatisfaction not only at the rejection of the remaining issues but at the degree of success that this claim enjoyed.  While elements of the charges to be borne by ISPs relating to Ofcom’s setting up, monitoring and enforcement of the rules were found to be unlawful, the judge maintained that they would remain liable for a significant proportion of the costs of operating the system and the appeals process – a burden likely to lead to higher prices for consumers, possibly to the extent that tens of thousands of people may be excluded from faster broadband access.

Data Protection

Of particular interest to this writer, is that the Judge makes the case for the classification of IP addresses as personal information.  The reasoning behind this is that, despite the IP address only identifying an internet connection (or an internet subscriber) rather than a particular user, it may still constitute personal data because:

the subscriber, who can be identified through the dynamic IP address, is inevitably linked to the data … as the person who, in a broad sense, has facilitated the infringement.

The suggestion here is that IP addresses, coupled with information about the time particular material was accessed by a subscriber assigned that address, may themselves be protected under Data Protection law.

Image courtesy of opensourceway, click the image for their page on Flickr

This ruling is a significant blow to opponents of the Act, but the AG’s opinion in Scarlet v. SABAM, continuing efforts by the Open Rights Group, and the possibility of appeal by BT and TalkTalk mean that the future of the Act is far from certain.  The Initial Obligations Code, which sets out in more detail the operation of the Act, has yet to be published, and the Costs Order will now need to be reviewed in light of the decision.  So, it is likely to still be some time before we can expect to see the full impact of the law.

Freedom of Expression
This right is deeply entrenched in law with the European Convention of Human rights (in the UK with the Human Rights Act) and now the EU’s version the Charter of Fundamental Rights.

That is not to say it is an absolute right, rather, it is expected that countries are able to encroach on this when needed.
However the Convention and Charter regulate how this is done and for how long.

One of the main controls is to ensure any encroachment has a solid legal basis (see article 52 (1) ).

Another consideration is that the inroad into an individual’s freedom of expression should be proportionate to the outcome sought (don’t use a sledge hammer to crack a nut).

Practically speaking, with the onset of the Lisbon treaty the CJEU must now consider the Charter to have the same validity as any other EU treaties, meaning when they address a problem, which affects the single market for example and the application of EU laws, they must also consider the effect on the Charter.

It is precisely within this frame that the AG last week considered a measure taken by a Court in Belgium to address illegal file sharing.

Scarlet v SABAM
The SABAM is the Belgian equivalent of PRS, a royalty collecting agency representing music artists.

They successfully applied to the lower court of Bruxelles for an injunction against an ISP named Scarlet.

The scope of the injunction was to monitor, identify, filter and block communications where illegal file sharing was taking place, the duration of the injunction was indefinite and the cost of managing this was to be borne by the ISP entirely.

Scarlet appealed against the legality of this injunction to the Court of Appeal of Bruxelles, who deferred the question to the CJEU.

The particular question put to the CJEU was whether the domestic law relied upon by the judge, set in the context of the Charter and other EU laws including data protection, could legitimise granting such a far-reaching remedy.

Important to note here the lower Court relied upon a domestic law, which allows it to give an order to cease copyright infringement. But even more interesting was that this law was in itself a transposition of EU law (article 8(3) of directive 2001/29 and article 11 of directive 2004/48).

So the question essentially touched on not only whether Belgian law could warrant such an injunction but also whether the underpinning EU law could support this type of action.

The AG’s Opinion
The AG thought not (see in particular section E  of Opinion; currently the opinion is only available in French but can be auto translated by Google Translate ) For the AG, under the Charter, the quality of any law should be sufficiently precise that others can be certain of its effects and adjust their behaviour accordingly. Using the words of the European Court of Human Rights the AG said the law should be “formulated with sufficient precision […]  to foresee […] the consequences which a given action may entail” (para 94)

To expand further on this notion, the AG referred to a Turkish case brought to the European Court of Human Rights where the law in question gave the power to chief prison officers to intercept and retain prisoner correspondence if the officer thought the contents were “embarrassing” (Footnote 85 of the Opinion). It was thought such a law did not indicate with sufficient clarity the scope and conditions for the exercise of this power by those authorities.

So details are crucial if a law is to be in line with the Charter, primarily, so people can foresee the consequences.

In this case, from the point of view of Scarlet, the adoption by the lower court of this injunction was an extraordinary measure, both difficult to foresee and due to the serious economic consequences smacked more of being arbitrary.

The ISP was demanded to achieve the result of blocking illegal file sharing but the solution of how this could be done was completely innovative.

Also the injunction gave no guarantee of how subscribers’ personal data would be protected. Nor did it provide any recourse for appeal by affected subscribers.

On this basis, the AG concluded the national law and by implication EU law could not have given authorisation for such a measure. Essentially there was no solid basis in law for this remedy when read in light of the Charter.

Digital Economy Act
If the Court decides to follow this Opinion then other EU countries who are rolling out new laws to combat internet copyright infringement may take more time to stamp out the details of their laws rather than handing over general powers to the judiciary or executive.

How may this affect the UK and the Digital Economy Act?

The UK is obliged to check compatibility with the Human Rights Act (HRA) when passing any new law.

Lord Mandelson okayed the Digital Economy Bill in the Commons but when the bill reached the House of Lords Joint Committee of Human Rights, concerns were raised about so-called ‘skeletal measures’ where powers are granted under the Act and the detail worked out in secondary legislation.

In fact, the Joint Committee said it was “impossible [to] assess fully” whether the Bill is compatible with the HRA due to the lack of detail. Not a good sign. (see in particular 1.28).

One such example of a ‘skeletal measure’ is Article 18 of the Act which allows for the secretary of state to introduce ‘technical measures’ to limit access to the internet for alleged infringing subscribers.

This particular measure is currently under judicial review by the high court but this SABAM Opinion could be the tipping point for a declaration of incompatibility with the Human Rights Act, or maybe there is a referral to the CJEU in the waiting.

Luckily for the government a referral to the CJEU would not see the Digital Economy Act being scrutinised in the same way as Belgium law has been under the Charter. The UK added a few provisos when giving the Charter the force of law with the Lisbon treaty, one of those was to preclude the CJEU from judging whether a UK law violates the Charter (see article 1 of protocol 7).

Interestingly the Telegraph have noted that the Government are circumventing the need to even rely upon article 18 Digital Economy Act by opening “talks between ISPs and the music industry to encourage a voluntary agreement on a list of websites that would be blocked”.

In conclusion, in the UK, it is understandable for the government to grant some general powers rather than type out every possible detail in the law when addressing copyright infringement. This is particularly true in the field of technology and the internet, where flexibility is needed to adapt to this ever changing environment. But at the same, it is equally important in light of the essence of the SABAM opinion to ensure sufficient precision in the law to ensure its validity when placed under European human rights scrutiny.

Data must be retained so that it can be handed over to the authorities on demand, and must be kept for at least one year, so that it can be used by the authorities if necessary. The data that the law will require the sites to retain includes personal information such as customer names, addresses, telephone numbers and even passwords.

However, Google and over 20 other companies want to reverse the new legislation. The ASIC argues, “It doesn’t make sense to have different requirements in France than what we have in Spain and England. Also we do not feel comfortable turning our customers’ passwords over to the police”

The new law raises a number of concerns over privacy, something for which Google and Facebook have already faced criticism as a result of their collection and retention of personal information. In fact Google has been the target of legal action brought by France itself, and was last month fined $142,000 after collecting data through wireless access points around the world.  On a related note, Facebook has found it necessary to change is privacy settings in light of concerns over access to user information.

With a number of the companies affected by the legislation having suffered damage to their reputation themselves following the efforts of privacy advocates, it is no surprise that they are objecting to a new law which will now require them to retain, and release on demand, their users’ personal data.

The new law could be could prove particularly problematic in cases where security is breached. If companies are bound to retain a broader range of user data, including passwords which might be used with a variety of services, it is more likely that an attacker would be able to gain complete access to millions of Internet users’ accounts across not only social networking sites, but email, intranets and possibly even online banking.

The head of ASIC, Benoit Tabaka, has highlighted a range of problems with the new law. One issue he raises is that ‘there was no consultation with the European Commission.’ He goes on to explain that, ‘Our companies are based in several European countries. Our activities target many national markets, so it is clear that we need a common approach’. And he claims that collecting and retaining passwords is a ‘shocking measure’.

In light of the increasing concern over privacy online it is not surprising that the new law has caused a stir. Especially among those companies which have come under attack as a result of their collecting personal information.  Furthermore, is this yet another burden for new IT business to bear, as touched on previously in our post covering Regulation and Start Up Britain, and could it lead to a less competitive marketplace here if similar measures are adopted in the UK?

Proposed reforms to data protection law in Europe, including the right to be forgotten online, and changes to laws which affect when cookies may be stored and accessed by websites, are aimed at developing a “comprehensive set of existing and new rules to better cope with privacy risks online”.  However, while entrepreneurship is hailed as a means for economic recovery, over regulation would certainly represent a significant obstacle  to start ups.  While the barriers for entry to the online marketplace have traditionally been very low, and while web based businesses have been relatively free to design their systems and user experiences as they wish, these freedoms are increasingly weighed against the privacy of users.

Regular scandals serve to highlight the importance of more effective safeguards on the use of personal information, for example the loss of address, bank, and national insurance details for 25 million people in 2007; a BP laptop going missing with personal data for thousands of oil spill victims on board last month; and the exposure of names and email addresses following a cyber attack aimed at Epsilon, who provide e-mail services to several high profile businesses.  There is good reason for concern over the safety of information we provide online, but notably, in each of the cases mentioned here, the exposure of personal details was not necessarily attributable to a lack of consent or misuse of data, but to a breach of security.

Freedom to do business online must be balanced with controls on the use of data, especially as the growth of social media sees more and more interaction taking place on the web. However, if the scales are tipped too far one way or the other, regulation may have a severe negative impact on businesses, or the privacy of web users.

Following the increase last year in the maximum fine which can be levied by the ICO from £5000 to £500,000 and calls for the law to provide mechanisms for enforcement against global companies, the growing reach and impact of data protection law means a steadily increasing burden on website operators to obtain consent for the collection of visitor data, to control its use, and to control access to it.  While compliant businesses are likely to develop trust, and while stricter rules may give web users greater peace of mind, it might be argued that education could play a more significant part in preventing breaches of privacy online, and reduce the need for regulation.  It will be interesting to see whether the reforms strike the right balance, and allow entrepreneurship to thrive, or whether they eventually raise the bar to entry such that only larger players have access to the market.

In this respect, last week the EU Commissioner announced that privacy reform was back on the top of the agenda for this year.
She mentioned the changes envisaged will be based on the pillars of transparency; privacy as default; protection regardless of data location and the right to be forgotten.

Pillars of reform
Transparency or the ‘openness principle’ is a pre-requisite to building trust on the internet and is an agreed necessity voiced by data protection commissioners (see chapter 10 ).   According to the RAND report “where and how personal information is stored and used is becoming increasingly opaque due to technological advances”.

The ‘Privacy as Default’ approach described by the Commissioner aims to make it easier for individuals’ to configure their privacy settings on social networking sites – a possible reaction to the controversy last year surrounding Facebook’s settings (see previous post)

The Commissioner considers the same principle of ‘Privacy as Default’ could also be used to control the collection of data by software applications. This view is consistent with the proposed changes to cookies law due to be implemented where the starting principle is that consent is required every time a cookie is used (although there are exceptions).

The EU Commissioner wants EU citizens to be protected regardless of where their data is processed: “Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.” Currently companies ‘established’ in the EU are subject to the Act. It is not clear, short of an international treaty, how the EU intends to protect EU citizens outside of its jurisdiction. From looking at the report of the Commission in November 2010, they seem undecided yet how this will happen in practice.

Lastly and more intriguingly is the so-called ‘right to be forgotten’.

The EU Commissioner refers to the ambition behind this right as being “a comprehensive set of existing and new rules to better cope with privacy risks online”. Individuals will be given the “right – and not only the “possibility” – to withdraw their consent to data processing.”

Although it is not yet clear what the scope of this right will entail, there have already been some doubts surrounding its practicability. The New Scientist have commented “Once you put something online it can easily be copied and widely distributed, and deleting the original will do nothing to stop people finding a copy elsewhere ”.

Also, an interesting consideration is what would happen when a right to be forgotten implicates third parties. Say for instance, I take an unflattering photo of you at a party upload it on Facebook and tag you. As I am tagging you with the photo this become personal data which Facebook is processing.

If, under this new right to be forgotten, you decide to withdraw your consent to have your data processed will Facebook have to remove it from my photo album? If this is the case then immediately social media sites will be drawn into mediating between people exercising the right to be forgotten and the rights of others who are affected by that right.
Although the principles announced by the Commissioner seem to be reasonable and needed, it remains to be seen what exactly is being proposed and how they intend to deal with the practical issues raised.

The Football Association Premier League ltd. (FAPL) sells its rights in the broadcast of matches individually on a territory by territory basis. In order to access the service one needs a territorial decoder card from a licensee such as Sky. This is enforced by contractual provisions prohibiting the licensee from providing decoders and decoder cards outside the licensed territory.

This approach was challenged by intermediaries who have been offering decoders and decoder cards in the UK that had been obtained abroad, but not directly from the licensees. The rates were lower than those of the official UK licensee. This has now led to various prosecutions. Two test cases which are still pending could have far-reaching ramifications for sport, broadcasting and consumers.

Background

Karen Murphy (the landlord of the Red White & Blue in Southsea) was taken to court by Media Protection Services Ltd over her decision to import a Greek decoder to show the league games to her customers rather than using a Sky decoder, despite the fact that Sky holds the licence rights to show these games in UK.

The UK courts held that Murphy committed a criminal copyright infringement by circumventing the exclusive rights of the Premier League’s authorised domestic broadcasters (Sky). Karen Murphy thought this unjust and took her case to the highest European Court claiming that the prohibition against foreign decoders in the UK violates the European competition and free movement of goods legislation.

The second case focuses on the companies which supply publicans such as Karen Murphy with the decoder cards that enable them receive and view foreign broadcasts. The Football Association Premier League ltd. brought an action against QC Leisure & ors claiming that QC’s supply of decoder cards in the UK would infringe its copyright. The central point of the legal dispute was whether FAPL could enforce its licence terms to protect its copyright in the broadcasts. This case is now pending on the EU’s highest court as well.

Pubs win first round

According to the advice of the general Advocate of the European Court of Justice Juliane Kokott Karen Murphy as well as QC Leisure & ors will win the court battle over cheaper TV football. She held that the FAPL’s territorial exclusivity agreements of Premier League football matches are contrary to European Union law, because it is a “serious impairment of freedom to provide services”.  She added that the “economic exploitation of the [broadcast] rights is not undermined by the use of foreign decoder cards as the corresponding charges have been paid for those cards”.

However, this opinion is not binding. It remains to be seen if the court follows her advice.  Generally, in 80% of cases they do.

These cases are of huge significance for the Premier League and any incumbent UK broadcaster and could change the European landscape for the way right holders sell their rights. The cases underline how even well established businesses are facing new challenges through technology developments and changes in the legislation in connection with the protection and exploitation of their intellectual property rights.

A recent judgment from the General Court of Justice has confirmed an important distinction when registering foreign language trade marks in separate EU countries and when using the CTM system.  Essentially it seems far riskier to register a CTM when the word, in any one of the 23 official languages in the EU, is descriptive of the registered goods.

National registrations in the EU
The resounding principle in EU law is that descriptive foreign language trade marks can be registered where the relevant consumers in the country where registration is sought can not identify the clear meaning of the term.

So if I register the word ‘TABELA’ (‘table’ in Portuguese) in the UK for furniture the question is whether British consumers would identify that ‘TABELA’ actually means ‘table’. If not then the registration would be accepted. This principle was established in the MATRATZEN case where the word MATRATZEN, which means ‘mattress’ in Germany, was successfully registered in Spain as a trade mark for beds.

This is significant as the level of knowledge of German is seen from the perspective of the Spanish consumer.

CTM registrations
However what is the position of registering foreign language CTMs where the foreign language happens to be one of the official 23 languages?

Here the relevant territory would be that of the whole of the EU. And the relevant public, regardless of where the products are predominately being sold, is the consumer of the product in the particular language of the mark. So a CTM application for ‘TABELA’ would be assessed from the point of view of Portuguese speakers in Portugal, even though I may never sell a product there.
This has been confirmed in the recent ‘WIENER WERKSTATTE’ case. Here the applicants applied to register a CTM for WIENER WERKSTATTE, which translates to VIENNESE WORKSHOP from German to English and refers to a style of product design of the early 20th century.  All of the products registered were for a variety of objects from frames to lights to vases.

What is interesting with this case is that the Court’s approach seems to look at the language of the sign and decide whether consumers, where that language is spoken in the EU, would find the term to be descriptive (see para 20 of judgement).  The Court thought as German speakers would perceive the descriptiveness of the term Wiener Werkstätte, this was sufficient to have the trade mark refused in the whole of the EU.

In a previous ruling, the Swedish owner of the brand ELLOS applied for a CTM in various classes including class 25 for clothing. The word ELLOS is the third personal male plural pronoun in Spanish. On appeal to the General Court the latter found that, from the perspective of Spanish consumers, the mark ELLOS would denote that the goods concerned were intended for men. The result of the case was to remove the class 25 clothing description from the application (see here).

The impact of the WIENER WERKSTATTE judgment is to confirm that, strategically, a national approach to trade mark registration in the EU could be safer approach where the term in question happens to be one of the official languages of the EU and is descriptive of the products sold in that language.

Where, however, the function of a product dictates how the design is formed then Intellectual Property law provides few solutions, bar patents, to protect the design. In general, Design law is clear that it does not protect the functional elements of registered designs.

So, take for example a design of a new light bulb. The shape may be registerable in that it may display novel features or contours, but it would not obtain protection for the bayonet or thread solution, as that part of the design would be dictated by the function of connecting to the electrical socket.

Trade marks and designs
Although trade marks are not commonly associated with product designs, they can in fact be registered for shapes. Take, for example, the coca cola bottle this is a registered trade mark, or the Chiquita banana box.

Yet, again, the same principle of excluding functional shapes from protection is found in trade mark law and a recent decision of the Court of Justice of the European Union (CJEU) on the fate of the Lego brick strengthens this view.

Lego have been in a long standing dispute regarding their application for the red coloured brick. This case found its way to the CJEU which concluded that such a trade mark was not registrable.

This was due to the brick shape being a sign which was deemed ‘exclusively’ of the ‘shape of goods… necessary to obtain a technical result’ – one of the absolute grounds for refusing a trade mark.

In terms of what is exclusively a functional shape, the Court would look at its ‘essential elements’.

It was considered the ‘essential element’ of the lego brick to be the row of studs on the top side of the brick. This part of the brick was designed to achieve the result of interlocking with other bricks and on this basis the mark was refused.

If the shape had other elements which were aesthetic, “decorative or imaginative” and which played an “important role in the shape”, then there may have been a chance for the lego brick to be registered. However, the distinctive red colour for the bricks was deemed not significant enough.

Limiting the role of trade marks
The rationale behind this somewhat restrictive stance for trade marks is to prevent trade mark owners from having a “monopoly over technical solutions or functional characteristics of a product” (see Philips judgment C-299/99, para 78).

Trade marks have a particularly wide scope of protection, as they extend their arm to prevent not only identical copying but also similar copying of a sign.

When applied to logos or words the impact is superficial. But when applied to shapes of products the impact could stifle competition within markets.

The registration of a red toy brick could hinder other toy manufacturers selling similar bricks to the market for better prices or providing better solutions to consumers. This would not be akin to promoting a “healthy and fair system of competition” – a prime consideration for the Court.

Trade marks as substitute patents
What also transpires in the reasoning of the Court is the desire to keep a clear demarcation line between patents and trade marks.

Patent rights last 20 years and are not renewable. Trade marks are renewable. To allow patented products to be trade marked without limitation could effectively undermine the credibility of the patent system.

In fact in identifying the ‘essential elements’ of the lego brick the previous Courts referred to the patents applied for by the owners.
There they found an overlap of the elements in both applications. The elements the owners sought to protect with patents were the same elements displayed in their trade mark application.

This finding was ‘practically irrefutable evidence’ of the functionality of the sign and of clear detriment to their trade mark application.

Product designs may be fine to trade mark, but beware of the limitations of this solution where the elements of shape are overly functional.

Beyond the Data Protection Act there are a number of other laws which clarify and add to the obligations placed upon businesses when using data.

The Privacy and Electronic Communications Regulations seeks to regulate the collection and use of an individual’s contact details for marketing purposes. This would cover sending marketing emails to individuals after having obtained their email address in exchange for a newsletter or an eBook.

A key question here is whether the individual has to specifically opt in to receive certain types of communication, or is it sufficient to give them an opportunity to opt out of certain uses you may want to make of their data?

For most forms of marketing, the general principle under the Regulations is that of ‘prior consent’, namely the individual should ideally give consent to the use of their details envisaged by the business before they can be contacted. In practice this consent can be sought by providing an ‘opt-in’ or an ‘opt-out’ tick box at the point of collection. The difference between the two is that of an individual expressly permitting or prohibiting marketing emails from the business.

An alternative means of showing consent under the Regulations are through ‘soft-opt-ins’. This is where essentially prospective customers or clients provide their details.  Soft opt ins have a number of conditions attached, namely: the details should be collected in the context of a sale or negotiation of a sale to the individual; the marketing emails should relate to similar products and services only; the individual must be provided with an opportunity to opt out at the point when the details are collected and every time they receive a marketing email (this can be done by way of an ‘unsubscribe’ link in the email). For more details on best practice for email marketing see Direct Marketing Association’s guidelines.

For B2B marketing emails, however, the above restrictions do not apply. The opt-in restrictions in article 22 of the Regulations only apply to ‘individual subscribers’ and not ‘corporate subscribers’.  But beware of sole traders and partners who are effectively businesses in the guise of individuals.  If there are any such individuals in your business database, they need either to be treated separately as individuals, or the whole database needs to provide the opt-out and other facilities required for individuals.

Obviously individuals from companies may, in practice, be providing their individual details, but where, for example, the marketing email is addressed to the company itself and the recipient’s email address is non-personal then no opt in provisions should be necessary. That being said every marketing email should always display the identity, contact details of the sender and, if sent by a company, contain the respective details of the organisation such as the company’s registration number.

In addition to this, any individual can at any time under the Data Protection Act request an organisation to cease or not to begin direct marketing to him. Such a request does not need to wait for the organisation to contact him. It must be complied with in a reasonable time.  In practice it often takes time to set up the mechanism, so it may be worth sending him a brief email saying that his message has been received and will be acceded to, but that it may take a week or so to set this up, in which case it is just possible he will receive another direct marketing email in the mean time. It is good practice to keep all such requests in a Stop List, to be run against any future emailing before it goes out, so that if at some future date the organisation acquires his details again it does not start sending him more direct marketing material. This particular opt-out is not confined to emails but may apply to other types of communication.

An interesting point to flag up is that the legislation may set the threshold of what is acceptable in relation to email marketing, but the contract with the Email Service Provider may have even more stringent clauses. Some hosting companies may be contractually entitled to seek damages from customers engaged in unsolicited bulk mail. So as a rule of thumb the terms of business from a hosting service should always be reviewed before engaging in direct marketing.

In all, best practice for  ensuring compliance with legal requirements is by using  opt-in based marketing as much as possible, and stating how you will use  personal details (for example, by featuring a link to your privacy policy).

Ultimately, it depends on the business you are in as to how you comply with the requirements of the legislation.

Organisations must in any event provide individuals with information as to their identity, and the purposes for which the data is sought from the individual and other relevant matter (eg if the data is to be passed to a third party), and all this is usually wrapped up in the general Privacy Policy on which the Commissioner’s guidance can be found here . You can either link your Privacy Policy to the easy way for individuals to opt out of your emails, or you may wish to put both these requirements (Privacy Policy and Opt-out) in one web page.

However, if you intend to share data with third parties, or to sell the data then you do need to be careful how you set up your data collection facility, and ensure that the data stays ‘clean’.

Also it is important to have a good system in place for handling complaints about unwanted emails. Failure to comply with data protection regulations could prove embarrassing in certain situations, and could even lead to a criminal conviction.