The future of EU IP laws in the UK

UK-based readers will be aware of the proposed “bonfire” of EU laws that certain [former] members of the UK government have pushed for. The original idea was to repeal, en masse, all EU-derived laws during the lifetime of the current government. This would have involved thousands of items of legislation, including many in the field of IP. Depending on how influential you thought the UK Intellectual Property Office was going to be in persuading the head-bangers in government to make exceptions for IP laws, this could have caused major issues for the IP system in the UK.

Fortunately, in IP Draughts’ view, the current leadership of the UK government is driven more by practicality than romantic notions of freedom from the EU “yolk”. Earlier this month, the government announced major changes to the Retained EU Law (Revocation and Reform) Bill. Instead of repealing all EU-derived laws other than those specifically retained, the position is reversed, and only those laws that are listed in the Bill are to be repealed.

In the field of IP, the UK IPO has briefed the profession that the government is only proposing to repeal seven pieces of IP legislation which have been assessed as inoperable or redundant. They are:

 

It seems that discussions are continuing within government as to whether there should be an opt-out for IP laws, in relation to the government’s plan to stop English courts from using EU case precedents in the interpretation of English law.

Overall, IP Draughts say phew! IP is one of those areas of law where international harmonisation and cooperation is in the interests of the UK, and we seem to have been saved from a highly undesirable outcome.

(Thanks to Beatriz San Martin of Arnold & Porter for her helpful briefing notes to IPLA on the progress of this Bill and reporting on IPO stakeholder briefing.)

Fining Meta: legal implications

IP Draughts’colleague, Francis Davey, advises our clients on data protection law. IP Draughts asked Francis for his comments on the enormous fine that has recently been imposed by the Irish Data Protection Commission on Meta, the owner of Facebook. His very personal take on the situation follows.

And so we reach, if not the final curtain, at least a logical stopping point in the saga that has given us Schrems and Schrems II.

The fine

The governments of the United States and EU have twice been compelled to renegotiate a treaty for transferring personal data between the two territories. In doing so, they have stressed, alarmed and challenged many of our clients to varying degrees. The latest stopping point is yesterday’s fine by the Irish Data Protection Commission (DPC) of FacebookMeta of Euro 1.2 billion – slightly more than 1% of the Irish government’s tax revenue from last year – and an order that Meta cease unlawful processing of personal data in the United States.

Already much ink has been spilled, many tweets tweeted and opinions aired on this very topic – some of which I might even agree with. To this I add the musings of someone who has been thinking about data protection for several decades.

Lawful basis of processing

Let us start with the lawful basis under which Meta processes personal data for behavioural advertising.

In the olden days (before 2018) an online service provider would generally rely on consent. That consent would be obtained by publishing a page setting out all manner of ways in which the controller would be processing personal data, and then including consent in the provider’s terms of service, or more commonly by using the magic words “by using this website, you agree to our processing your personal data in accordance with our privacy policy”. Consent unlocked many other useful things, such as the ability to export personal data or process sensitive personal data.

But all that is now past. Consent must be free, informed and definite. No longer can it be implied simply by use of a service or demanded as a condition of a contract. If you have to do it, it isn’t really consent is it? Privacy policies were no longer the useful consent-obtaining documents they once were, but since the GDPR required much transparency, the practice came of renaming them “privacy notices” to emphasise they had ceased to be engines of consent.

Contractual necessity

Meta, it seems, had a cunning plan. Consent in that form had to be abandoned but was replaced with the lawful basis known as “contractual necessity”. By including behavioural advertising in their terms of service it became necessary for Meta to carry it out since it now formed part of a contract with the customer.

If one could simply get around the stringencies of consent by including a few words in the terms of a contract – and at times this did seem to be the position Meta was contending for — consent would again become merely a formality, at least for online service providers. Even the Irish DPC would not accept that, I think. What the DPC did accept was Meta’s argument that behavioural advertising was a core part of the service it offered. It would seem that users signed up to Facebook in order to receive a nicely curated feed not only of things said and done by the user’s friends, but also things that might interest them (in other words, advertising directed at them).

But wait, is that really what users are signing up for? I am sceptical. Many other data protection supervisors were also. And here was the undoing of Meta and the Irish DPC. Ireland has long been considered to be a good place to set up a social media website in Europe because the Irish DPC is the supervisory equivalent of the nice teacher who turns a blind eye to all but the worst behaviour. The authors of the GDPR foresaw just such an eventuality when creating the “consistency mechanism” by which disagreements between data protection supervisors could be resolved, ultimately by the European Data Protection Board (EDPB).

There are many problems with Meta’s contractual argument. Are the relevant terms even binding on users (some countries having quite strong rules about the formation of contracts that are to be binding on consumers)? If you read the terms, Meta is not actually under any obligation to provide behavioural advertising. It is hard to see how something can be contractually “necessary” if it is entirely optional. There are (or at least there are from time to time, Facebook’s unstable system of permissions being legendary) mechanisms by which you can turn off some or all of the behavioural advertising. Being able to “opt out” of something makes it seem less than necessary. And so on.

But here is an important point that I think much of the commentary misses. It is certainly possible to offer a contract which really does promise behavioural advertising and in which its provisions is contractually necessary.

The EDPB was struck by the extreme nature of Meta’s processing. It does not just take data that its users enter into Facebook – it combines data across all its services as well as drawing in data from many other sources, including cookies, tracking pixels and other devices that might track you in places far away from Facebook without your knowledge. So complicated is Meta’s data infrastructure that I very much doubt anyone outside Meta (or possibly even within) really understands it. Meta is probably the most extreme example of a behaviour tracking/advertising system and so it is hardly surprising that an argument that this is what its users want it to do was doomed to failure.

So, interesting though this is, we have to bear in mind the very extreme end of the spectrum Meta occupies.

Data transfer to the USA

While Meta got into trouble for other failures, such as that of transparency, the failure that has generated the most discussion today is the ruling about transfer of personal data to the United States.

This cannot possibly have been surprising since it was this very export of personal data that was considered so negatively by the Court of Justice in Schrems II. There are a number of different sets of guidance on how one might be able to butch-up the standard contractual clauses so as to give adequate protection to data sent to the USA. The EDPB takes an extremely uncompromising position – really only strongly pseudonymised or encrypted data can hope to be lawfully exported. The European Commission and our own ICO have taken more generous positions, but none of them could permit the data sharing carried out by Meta.

Meta tried various defences. For example, while in theory data was at risk in practice all was well. Or, to put it rather nastily, the US government had not abused its power yet. I cannot see how that could be reassuring.

How to comply with the law

And so Meta has been told to stop. This morning’s Twitter commentary from data protection lawyers and academics seems to assume this means the deletion of Facebook user’s data, but that is a misunderstanding. There could be, so the EDPB thought, a number of ways that Meta could comply. For example, it could store “European” data in Europe (or somewhere Europe considers safe, such as the UK or Japan). It is up to Meta to decide what and how to do it. If any company has the resources to do it, that’s Meta.

Frustrating for clients

All I can say to all this is: good and about time. Many of our clients cannot just ignore the law in the same way that Meta has been doing for the last five years, but it is frustrating for them to have to comply with law that Meta is flouting. Meta’s infrastructure of behavioural tracking also draws its business clients into its law breaking – many are unable to resist because they have little other option. While there are businesses on Meta’s scale whose GDPR compliance is questionable (GoogleAlphabet I am looking at you) Meta really surpasses any comparable organisation with the degree to which it breaks the law.

Now it is said, often, that some of these laws, particularly on exporting personal data to the USA, are impractical. Maybe they are. The solution would be to fix the law, not let the largest corporations ignore it. At least that is how it seems to me.

This story is by no means over.

Three more cheers for the manicule

This is one of IP Draughts’ favourite blog posts, from a decade ago. It is still relevant, so he thought he should post it again.

Lord Denning MR was arguably the most important English judge of the twentieth century.  As first-year law students at university, IP Draughts and his fellow student, Andy Livesey, sent Lord Denning a telegram to congratulate him on his 81st birthday, and received a very nice letter in reply.

In the area of contract drafting, one of the more striking of Lord Denning’s judicial comments was about the need for a “red hand” in the margin of a contract, to point to a one-sided contract term.  This comment was made, obiter dictum, in the case of J Spurling Ltd v Bradshaw [1956] EWCA Civ 3.  What he actually said was:

I quite agree that the more unreasonable a clause is, the greater the notice which must be given of it. Some clauses which I have seen would need to be printed in red ink on the face of the document with a red hand pointing to it before the notice could be held to be sufficient.

In practice, this comment has not led to a proliferation of marginal manicules (the printer’s name for a pointing hand) in English law contracts.  Lord Denning’s comment has largely been ignored by contract drafters, and can be viewed as a historical curiosity.  Sometimes, IP Draughts includes a warning statement at the beginning of a set of terms of sale, pointing out that the terms limit or exclude liability.

Manicules have fallen out of fashion, but at one time they were frequently seen in street signs and other public places.  Nowadays, a simple arrow tends to be used.

A beautiful, 1933 edition of Aesop’s Fables, printed by Oxford University Press, used them as a design feature.

In modern typography, the quickest way of finding them may be to look in the Wingdings font of Word.

The closest equivalent to Lord Denning’s red hand in US laws may be the requirement, under Article 2-316(2) of the Uniform Commercial Code, for disclaimers of certain implied warranties to be “conspicuous”:

…to exclude or modify the implied warranty of merchantability or any part of it the language must mention merchantability and in case of a writing must be conspicuous, and to exclude or modify any implied warranty of fitness the exclusion must be by a writing and conspicuous.

Conspicuous is defined in Article 2-103 as follows:

“Conspicuous”, with reference to a term, means so written, displayed, or presented that a reasonable person against which it is to operate ought to have noticed it. A term in an electronic record intended to evoke a response by an electronic agent is conspicuous if it is presented in a form that would enable a reasonably configured electronic agent to take it into account or react to it without review of the record by an individual. Whether a term is “conspicuous” or not is a decision for the court. Conspicuous terms include the following:

(i) for a person: (A) a heading in capitals equal to or greater in size than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same or lesser size; and

(B) language in the body of a record or display in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from surrounding text of the same size by symbols or other marks that call attention to the language; and

(ii) for a person or an electronic agent, a term that is so placed in a record or display that the person or electronic agent may not proceed without taking action with respect to the particular term.

IP Draughts understands that many US States have adopted these provisions of the Uniform Commercial Code, but is not an expert on this subject and would welcome comments from US readers on how widespread is the adoption of this part of the UCC, and whether any other contractual provisions must be displayed in conspicuous text under US State laws.

In many US contracts, it is common to see disclaimers typed in BLOCK CAPITAL LETTERS, which would appear to comply with paragraph (A) quoted above.  Very few drafters of US contracts make use of the other available methods of making text conspicuous within the above definition, such as use of bold text, or a different colour or font.  IP Draughts would like to encourage US contract drafters to be more creative, and to consider using a manicule.  This method is anticipated by the wording quoted above, which refers in paragraph (B) to “symbols …that call attention to the language”.

M&A due diligence after the Oxford case

IP Draughts is delighted to post this article from his friend and colleague Gina Bicknell, an IP partner at Pinsent Mason. The article is about the Oxford University case, which has previously been the subject of several articles on this blog. Unlike previous articles, Gina’s focuses on the implications of the case for IP due diligence in M&A transactions. Now read on…

Oxford University Innovation Limited v. Oxford Nanoimaging Limited has been widely reported, including by IP Draughts, and by colleagues in my firm here.

This was the case brought by Oxford University’s technology transfer arm, Oxford University Innovation Limited (which, together with Oxford University, is referred to as “University” in this post) against one of its spin-out companies, Oxford Nanoimaging Limited (“ONI”), for unpaid royalties under a patent licence agreement.

ONI argued that it shouldn’t have to pay royalties because the University wasn’t entitled to license the patents, asserting they were actually owned all along by ONI’s CEO, Mr. Jing. ONI pointed to the University’s IP policy (particularly the portion of the IP policy concerning ownership and equity splits) and argued that the terms of such policy, which applied to Mr. Jing when he was a research intern and then as a DPhil student, were unfair under EU-derived consumer protection laws. The Patents Court agreed that consumer protection laws apply to undergraduate students, and that they normally apply to DPhil students. However, based on the facts presented, the Court held that the terms of the IP policy were not unfair and, consequently, that the underlying licence was not void.

I’ve since been asked whether this case will impact the way we diligence IP transactions. My litmus test for this is whether I’d change my due diligence (DD) questions as a result. M&A lawyers have a standard “laundry list” of DD questions that they ask sellers. Ideally, each section of questions is reviewed by specialist lawyers and tailored (and whittled down) as much as possible to fit the deal at hand based on what is publicly known about the target and what the target has disclosed as part of the Q&A process.

It’s interesting how these standard DD request lists change from time-to-time. For example, a decade ago data protection and cybersecurity questions were often grouped together at the tail end of the list, comprising only a handful of questions. Nowadays, they are front and centre, and voluminous.

From an IP transactional lawyer’s perspective, there have been only a handful of cases that have led to re-jigging the standard list. Until the OUI decision, only two spring to mind in terms of inventor ownership:

• The 2011 US Supreme Court decision in Stanford University v. Roche Molecular Systems, Inc. (563 U.S. 776) was so important that it impacted IP diligence across multiple territories. Among the many interesting aspects of the case was the clear guidance (particularly in the Federal Circuit’s opinion) about how present assignments of future IP rights should be drafted from an enforceability perspective. Although geared towards US practice, where the default laws on IP ownership differ from those of the UK, it quickly became best practice (to the extent not already done) to review the seller’s template employment contract and relevant variations to ensure they contained IP assignment provisions sufficient to meet the requirements of the US and other major jurisdictions. After the Stanford decision it also became more common to see specific DD questions about US federal funding (to determine whether the U.S. Government might have any rights to the invention under the Bayh-Dole Act).
• In 2019, the UK Supreme Court found in Shanks v Unilever Plc & Ors [2019] UKSC 45 that Professor Ian Shanks was entitled to compensation from his former employer, Unilever, under section 40 of the Patents Act 1977 (the section dealing with inventions that are of “outstanding benefit to the employer”) for his contribution to an invention for determining blood sugar levels. As a result of this decision, IP lawyers began to more closely examine whether there were any disputes (actual or threatened) between targets and their employees regarding inventorship and some DD request lists were updated to include specific inventor compensation warranties.

Now the OUI decision presents us with a new twist from the transactional perspective. Should we be (i) asking whether any of the target’s IP was created by students, and (ii) evaluating the fairness of the underlying IP policy that governs the relevant inventions?

Fortunately, the creation aspect should already be covered by standard questions. If the IP is material to the target’s business, then IP lawyers would ask questions about whether the IP is owned by the target or in-licensed, and they would closely examine the target’s rights to that IP in any case. If the target is a spin-out company, or if a critical component of the target’s IP is in-licensed from a university, then I would expect IP lawyers would ask more specific questions about student inventorship/contribution, and likely home in on these during management interviews.

In terms of assessing the fairness of student IP policies, however, my gut feeling is this would be the exception and not the rule. I suspect that such policies would only be reviewed in exceptional circumstances, perhaps where other issues have been uncovered during the DD process. There is a very practical reason for this. Due diligence moves fast in M&A, particularly if there is a competitive auction process. It would be difficult to decide, on the face of it, whether the terms of a university IP policy could cause a significant imbalance between the university and its student inventors, and whether those terms were made in good faith (key factors outlined by the Court when it considered the fairness of the University’s policy). While it’s possible that, for business-critical IP, an opinion of counsel could be sought to help make this determination, for most transactions I anticipate this level of DD would not be necessary and SPA warranties could be relied on instead.

One hopes that, in time, UK universities may agree on standard “fair” terms to include in their IP policies (e.g. perhaps an IP policy toolkit could be drafted similar to the toolkit for  the model Lambert Agreements). At present, there appears to be quite a spread on how universities approach IP policies, as shown by the interesting UK University Intellectual Property Ranking report. In the meantime, however, it is likely that universities across the UK are already examining and, if necessary, updating their IP policies to fit more squarely within the Court’s guidance. So perhaps an additional question for the master DD request list is needed after all, asking about the last time any relevant university IP policy was reviewed and updated!

-Gina Bicknell