Sunday 15 December 2019

Internet legal developments to look out for in 2020

Never mind Brexit, what is coming up on the UK internet legal scene in the coming year? The highlight of 2020 is of course the January publication of the 5th edition of Internet Law and Regulation :-). That apart, here are some cases and legislation to look out for. (In accordance with long tradition this feature does not cover data protection.)


DSM Copyright Directive Member States’ implementation of the Digital Single Market Copyright Directive is due by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs).

A CJEU challenge to Article 17 by the Polish government (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

SatCab Directive The EU Directive extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to online radio and news broadcasts was adopted in April 2019 and has to be implemented by 7 June 2021.

Linking and communication to the public In the UK case of Warner Music/Sony Music v TuneIn permission has been granted to both sides to appeal the High Court’s judgment of 1 November 2019.

Pending CJEU copyright cases Several copyright references are pending in the EU Court of Justice. Judgment in the Dutch Tom Kabinet case on secondhand e-book trading (Case C-263/18) is due was delivered on 19 December 2019. The CJEU decided against Tom Kabinet, holding that its service was a communication to the public, not a distribution subject to exhaustion of rights.
The YouTube and Uploaded cases (C-682/18 Petersongs v YouTube and C-683/18 Elsevier v Cyando) pending from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium).
Questions about injunctions against intermediaries are also raised in C-682/18 Petersongs v YouTube, C-442/19 Brein v News Service Europe and C-500/19 Puls 4 TV.
C-264/19 Constantin Film v YouTube asks questions about the permissible scope of court orders against intermediaries requiring provision of information about alleged infringers to rightholders under the IP Enforcement Directive.
Intermediary liability

The UK government published its Online Harms White Paper on 8 April 2019. The subsequent Conservative manifesto for the December 2019 election promised to legislate for online safety, while at the same time defending freedom of expression and in particular recognising and defending the invaluable role of a free press. The government’s response to its consultation on the White Paper was originally due to be published before the end of 2019. The Queen’s Speech immediately before the election indicated that draft legislation would be subject to the pre-legislative scrutiny process.

The German Federal Supreme Court has referred two cases (YouTube and Uploaded  – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-500/19 Puls 4 TV (Austria, Supreme Court) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.

On 19 December 2019 the CJEU issued its AirBnB (C-390/18) judgment on the scope of the eCommerce Directive, holding that the kind of service provided by AirBnB is an information society service within the scope of the Directive. It also held that in criminal proceedings with an ancillary civil element, it is a defence to measures restricting an information society service incoming from another Member State that the measures had not been notified to the European Commission and the Member State concerned under Article 3(4) of the Directive.

The new European Commission is proposing a Digital Services Act, starting with a public consultation in early 2020. This will include a review of the ECommerce Directive liability shields.

On 12 September 2018 the European Commission published a Proposal for a Regulation on preventing the dissemination of terrorist content online. This followed its September 2017 Communication on Tackling Illegal Content Online and March 2018 Recommendation on Measures to Effectively Tackle Illegal Content Online. It is notable for proposing one hour takedown response times and for the ability for Member States to derogate from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts. Discussions on the proposed Regulation continue.

Cross-border liability and jurisdiction

In the law enforcement field the EU has proposed a Regulation on EU Production and Preservation Orders (the ‘e-Evidence Regulation’) and associated Directive that would set up a regime for some cross-border requests direct to service providers. The UK has said that it will not opt in the Regulation.
The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. Final implementation in each country awaits completion of review by the US Congress and the UK Parliament. The EU will commence negotiations with the USA for an EU-wide agreement.
Discussions continue on a Second Protocol to the Cybercrime Convention, on evidence in the cloud.

State surveillance of communications

The UK’s Investigatory Powers Act 2016 (IP Act), has come into force, including amendments following the Watson/Tele2 decision of the CJEU. The government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.

A pending reference to the CJEU from the Investigatory Powers Tribunal in litigation brought by Privacy International (Case C-623/17) raises questions as to whether the Watson decision applies to national security, and if so how; whether mandatorily retained data have to be held within the EU; and whether those whose data have been accessed have to be notified.

Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. It has been granted permission to appeal to the Court of Appeal on the question whether the data retention powers constitute illegitimate generalised and indiscriminate retention. Other aspects (including bulk powers) are stayed pending the Privacy International reference to the CJEU or (a challenge based on the Human Rights Act) were refused by the Divisional Court.

The IP Act (in particular the bulk powers provisions) may be indirectly affected by other cases pending in the CJEU: Schrems 2 (C-311/18), challenges by La Quadrature de la Net to the EU-US PrivacyShield (T-738/16) and to the French data communications data retention regime (C-511/18 and C-512/18), and a challenge to the Belgian communications data retention regime (C-520/18); in the European Court of Human Rights (in which Big Brother Watch and various other NGOs challenge the existing RIPA bulk interception regime) and by a pending domestic judicial review by Privacy International of an Investigatory Powers Tribunal decision on equipment interference powers.

The ECtHR gave a Chamber judgment in the BBW case on 13 September 2018. That and the Swedish Rattvisa case were subsequently referred to the ECtHR Grand Chamber and are awaiting judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.

In the Privacy International equipment interference case, the Supreme Court held on 15 May 2019 that the IPT decision was susceptible of judicial review. The litigation will now continue.
Compliance of the UK’s surveillance laws with EU Charter fundamental rights will be a factor in any data protection adequacy decision that is sought once the UK becomes a non-EU third country post-Brexit.

Here is an updated mindmap of challenges to the UK surveillance regime:

Software - goods or services?

Judgment is awaited from the UK Supreme Court as to whether software supplied electronically as a download and not on any tangible medium is goods for the purposes of the Commercial Agents Regulations (Computer Associates (UK) Ltd v The Software Incubator Ltd).

[Updated 20 December 2019 to add Tom Kabinet and AirBnB CJEU judgments; and 22 December 2019 to add C-511/18 and C-512/18); and 20 October 2020 with updated mindmap]

Saturday 14 December 2019

Cyberleagle Christmas Quiz 2019

This year the answers (such as may exist) can be found in the about to be published 5th edition of Internet Law and Regulation.
  1. What is the essence of TV-ness?
  2. For the purposes of interception legislation, is there such a thing as a communication with no intended recipient?
  3. In which country did the first reported extradition for criminal copyright infringement take place?
  4. English defamation law recognises a targeting test for cross-border publication. True or false?
  5. A web site proprietor can be liable in negligence to users who rely on incorrect information on its site. True or false?
  6. Can new sites can be added to a site blocking injunction without the approval of the court?
  7. Is it defamatory to accuse someone of copying?
  8. English law recognises the concept of a dishonest device. True or false?
  9. The Electronic Commerce (EC Directive) Regulations 2002 implement the EU Electronic Commerce Directive in English law. True or false?
  10. In English law, site blocking injunctions are limited to intellectual property infringement. True or false?
  11. Only a qualified electronic signature has legal effect equivalent to a handwritten signature. True or false?
  12. Under the Investigatory Powers Act 2016, is the web address ‘’ treated as content or as communications data?
  13. Can dishonest exploitation of a patent be a criminal offence?
  14. The Defamation Act 1996 superseded the common law subordinate disseminator defence. True or false?
  15. Can copyright subsist in a URL?
  16. Can an online intermediary can be bound by an injunction in proceedings to which it is not a party?
  17. Under the ECommerce Directive intermediary liability provisions, what is the difference between liability ‘because’ of a third party’s infringement and liability ‘in respect of’ it?
  18. How many times in a single judgment did one judge use stealing, theft, or similar epithets to describe internet copyright infringement?
  19. Linking to grossly offensive material can constitute an offence under S.127 Communications Act 2003. True or false?
  20. For a computer to computer communication, what is the meaning of meaning?

Tuesday 15 October 2019

Whose e-signature is it anyway?

Last month the Law Commission issued its Report on Electronic Execution of Documents. The report reinforced the Commission's view, first expressed in 2001, that electronic signatures are generally capable of satisfying a statutory requirement for a signature. That applies to informal signatures such as typing a name in an e-mail, as well as to sophisticated digital signatures.

The report includes a high-level statement of the law, designed to reassure those who still harbour residual doubts about the validity of electronic signatures. Inevitably, however, the statement is subject to some important qualifications. These are not unique to electronic signatures. They have always applied to traditional wet ink signatures. Thus:

1.       The person signing the document must intend to authenticate it. Not every insertion of a name, or ticking a box or clicking on a button, is intended to be a signature.
2.      Any applicable execution formalities must be satisfied. These can be of various types, from witnessing to a stipulated form of signature.  
So if a statute specifies that a document can be signed electronically only by typing a name in a box, then ticking an online box or clicking on a button will not be a valid signature. If the statute specifies that the signature must be in a particular place in a form, then typing a signature somewhere else in the form will not suffice.
Other restrictions may also be important. Thus if a statute stipulates that the document must be signed by someone personally, someone else cannot sign on that person's behalf.
As often as not, disputes about whether a document has been validly signed with an electronic signature are not about electronic form versus wet ink as such, but about compliance with surrounding formalities and stipulations.

My 2017 article 'Can I Use an Electronic Signature?' identified five steps in analysing whether an electronic signature can be used:

1.       Is there an applicable formality requirement of signature, medium, form or process? 

2.      In principle can electronic form and signature comply with any applicable formality requirements?

3.     In the light of 1 and 2, what particular kinds of signature, medium, form or process can in principle be used?

4.     For a given solution and process, how strong would be the evidence of compliance with any applicable formality requirement? Is the risk acceptable?
5.     For a given solution and process, how strong would be the evidence of signature (i.e. who signed what, how, when and – if relevant – where)? Is the risk acceptable?
So although the Law Commission has provided helpful reassurance about the use of electronic signatures, electronic signatures require no less thought about how they are used — in particular how to comply with any applicable statutory formalities — than their counterparts in the wet ink world.

A salutary tale
The August 2018 Birmingham County Court decision in Kassam v Gill is a salutary tale, illustrating the care that still has to be taken when complying with signature formalities in the electronic environment.

The case contains lessons not only for users, but also for those designing an online process intended to enable users to comply with stipulated formalities.

Kassam v Gill involved Possession Claims OnLine, the facility provided by the Court Service that enables claimants to draft and issue property repossession proceedings online.

As with any English legal proceedings, the claim form and particulars of claim must be verified by a statement of truth: a statement declaring that the claimant believes that the facts stated are true.

The court rules (CPR 22.1(6)) stipulate, as a general rule, that the statement of truth must be "signed by the party, their litigation friend or legal representative". 

CPR Practice Direction PD55B provides a PCOL-specific rule, presumably intended to dispel any possible uncertainty about how, in a dedicated online system, a statement of truth would be signed.

PD55B states:
"any CPR provision which requires a document to be signed by a person is satisfied by that person entering his name on an online form".
The general signature requirement of CPR 22.1(6) is therefore deemed to be satisfied if the PCOL-specific formality in PD55B is complied with.

Significantly, both CPR 22.1(6) and PD55B stipulate that the stated actions must be “by” — not “by or on behalf of” — the party.

The PCOL system

The most obvious way for PCOL to implement PD55B might have been for the system to provide a box next to the statement of truth into which claimants (in this case a Mr and Mrs Gill) would enter their names by typing them.

However the system was not designed in that way. The only point at which a claimant could type their name into a form would be when initially registering on the system.

When a claimant subsequently went through the online steps to draft, generate and issue a claim form and statement of case, towards the end of the process they would encounter a screen summarising the claim form information and setting out the statement of truth. The claimant would have to tick a box on that screen next to the statement of truth. The system would populate the 'Claimant details' box in that screen with the pre-entered registration information. However the claimant's name would not be shown in or next to the statement of truth box itself, either before or after ticking the box.
The arrangement of that screen can be seen below [1]. The first screenshot is before ticking the box, the second is after. The only difference between the two is the addition of the tick in the tick box.

Later on in the process, once the claimant had paid the fee and finally requested issue of the proceedings, the system would generate the Claim Form and Particulars of Claim as a PDF document.

It appears that at that point the system would use the pre-entered registration details automatically to populate the 'Signed' and 'Full name' boxes under the Statement of Truth in the final PDF. The judgment in Kassam v Gill sets out the wording of the PDF generated in that case:

"Statement of Truth
I believe that the facts stated in this form are true
Signed MrMrs Harjit / Jagbir Gill date 09 May 2018
Full name Mr/Mrs Harjit / Jagbir Gill"
Perhaps unsurprisingly, the judge commented about the automatic name insertion system: "No doubt that makes the form less time consuming to complete, but it is not a happy fit with the requirements of the rules or the [Practice Direction]."

Was PD55B satisfied in this case?

In the case before the court the names 'Mr/Mrs Harjit / Jagbir Gill' were entered into the system upon registration not by Mr or Mrs Gill but, in advance of a meeting with them, by an agent whom they had retained to assist them with recovering possession of their property. The agent was neither a legal representative nor a litigation friend (either of whom under CPR 22.1(6) could have signed on behalf of the claimants).

At the meeting the agent took Mr Gill through the forms. Mr Gill, with the approval of Mrs Gill, ticked the online Statement of Truth box on behalf of both of them. 

In these circumstances, was the Statement of Truth "signed by the party, their litigation friend or legal representative" as required by the CPR?

The judgment proceeded on the basis that what mattered was whether the PCOL-specific deemed signature provision in PD55B was satisfied. In other words, had the relevant person entered their name on an online form?

The design of the system meant that entry of the names on an online form could take place only at the initial registration stage. But that had been done by the agent, not Mr or Mrs Gill.

When, later in the process, an online form displayed the Statement of Truth, Mr Gill ticked the box next to the Statement of Truth. He did that with his wife’s agreement, but did not (and could not) enter either his own or his wife's name.

Nor did their names appear on the online entry form next to the Statement of Truth (see screenshots above). Those fields were populated only in the PDF, generated at the final stage once the request to issue proceedings had been made.

In those circumstances the judge held that the signature rules were not satisfied. The wrong person had entered the names at initial registration:

"This “signature” was applied by [the agent] when he entered the Claimants names on the online form. Mr Gill accepted that he did not enter his name on the form".
Since CPR Part 22(1)(6) required the statement of truth to be signed ‘by the party’ and PD55B required the name to be entered on the online form ‘by that person’, that action could not be taken by some other person on the party’s behalf (unless by a litigation friend or legal representative).

A requirement that a signature be applied ‘by’, rather than ‘by or on behalf of’, someone is a classic potential pitfall. In 1930, in Re Prince Blücher, it invalidated delegation of signing to a solicitor. Today it can invalidate delegation of an electronic signature[2a].

In Kassam v Gill the judge went on to find that the failure to comply with the signature requirement did not justifying striking out the claim on that ground. Nevertheless, the case well illustrates the important point that even where an electronic signature is capable in principle of satisfying a statutory requirement for a signature, attention must be paid to other statutory requirements that may affect the validity of the signature.
Neocleous v Rees
There continues to be judicial support for the Law Commission's positive view of the general validity of electronic signatures. An example is the recent case of Neocleous v Rees, in which a solicitor sent an e-mail offering terms for the sale of land by his client. He finished ‘Many thanks’, then when he pressed ‘send’ the firm’s e-mail system automatically appended his name and contact details to the foot of the e-mail. The other side accepted the offer.

Since this was a sale of land, the court had to consider whether the offer was “signed by or on behalf” of the solicitor’s client, as required by the Law of Property (Miscellaneous Provisions) Act 1989.

The judge held that the statute was satisfied. He adopted the approach of the Law Commission that what mattered was whether the name was applied "with authenticating intent". The name and contact details had consciously been entered into the firm’s e-mail settings by a person at some stage. The solicitor knew that the system would automatically append his name and contact details. Indeed the judge found that writing ‘Many thanks’ suggested that he was relying on that happening.

In those circumstances it was difficult to distinguish that process from manually adding the name each time an e-mail was sent. The recipient would have no way of knowing whether the details had been added manually or automatically. Objectively, the presence of the name indicated a clear intention to associate oneself with the e-mail – to authenticate or sign it.

While English law is generally accommodating towards the use of electronic signatures (even relatively informal signatures) any specific applicable formalities (such as the deemed signature provision in Kassam v Gill) cannot be ignored.

Often, the most relevant constraints — whether as to medium, form process — do not relate to the form of signature itself, but to surrounding formalities. For instance, the Law Commission’s view in its Report is that a requirement that a document be signed in the presence of a witness cannot be satisfied by someone observing remotely by video link.

To return to the illustration provided by Kassam v Gill, it may be critical that the right person takes the right step, whether in a dedicated platform such as PCOL or on a general purpose signing platform. A busy executive who delegates use of a signing device or procedure to an assistant could fall foul of a legal requirement that the executive’s signature be applied personally – not because the signature is in electronic form, but because the wrong person applied it.

Epilogue: tweaking Kassam v Gill

It is instructive to contemplate two variations on Kassam v Gill: first, if the facts had been a little different; and second if, instead of the deemed "entry of names on an online form" provision in PD55B, the court rules had consisted only of the general signature requirement in CPR 22.1(6): that the Statement of Truth be signed by a party.

(1)  Different facts

What if Mr or Mrs Gill, rather than the agent, had entered the claimant names at registration time? Even in this scenario only one or other of Mr or Mrs Gill, not both claimants, would have entered the names at registration.

If, as the judge found, entering the names at registration was the deemed signature, how could it be said that both claimants had done what was required by PD55B?

(2) No PD55B
What if PD55B did not exist, and only the general signature requirement of CPR 22.1(6) had applied: i.e. that the Statement of Truth must be signed by a party? How might CPR 22.1(6) have mapped on to the PCOL process, assuming for simplicity a single claimant rather than the two claimants in Kassam v Gill? [2]
Mapping the rule on to the process

A mapping analysis can be broken down as follows:
(1)   What constitutes the document to be signed?
(2)  What step(s) constitute applying the signature?
(3)  Who has taken the step(s) that constitute applying the signature?
(4)  If the statutory or other requirement does not permit delegation of authority to sign, has the right person applied the signature?
What is the document to be signed?
An analysis of a statutory or other applicable general signature requirement has to start by asking what constitutes the document to be signed. There must be a document. For legal purposes [3] the notion of ‘signed’ without a document is as challenging a concept as the smile without the Cheshire Cat.
However, “document” does not necessarily imply paper. Generally speaking a document can be any kind of recorded information, including (say) entries in a database. Electronic data constituting a document may be signed by means of other data logically associated with it.
In the case of PCOL the document to be signed is the Statement of Truth verifying the Claim Form and the Particulars of Claim. The PCOL process includes the statement of truth in the Claim Form and Particulars of Claim themselves.
It therefore seems likely that for PCOL the document to be signed would be the Statement of Truth contained in the Claim Form and Particulars of Claim. Those documents, it should be re-iterated, are generated as PDFs at the end of the PCOL process when the instruction to issue proceedings is given by pressing the appropriate online button after payment has been made.
Document v entry form We can already see a significant difference between the general signature requirement of CPR 22.1(6) and the deemed signature provision of PD55B. The general signature requirement focuses on signing the relevant document, whereas PD55B focuses on entry of names on an online form.
For the purpose of CPR 22.1(6), considered without PD55B, it is difficult to see how any of the data entry forms in the PCOL process could realistically be regarded as constituting the document to be signed. Their purpose is to gather the data required to generate the relevant documents at the end of the process: the Claim Form and Particulars of Claim, including the signed Statement of Truth for each document.
What step(s) would constitute applying the signature?
If that analysis is right, which of the various steps involved in the PCOL process could be regarded as signing the Statement of Truth under the general provisions of CPR 22.1(6)?

The candidates are:

1.    Entry of names at initial registration.

2.      Ticking the Statement of Truth verification box.

3.      Pressing the final button requesting issue of proceedings.

4.      Some combination or cumulative result of the above.
Once divorced from the deemed signature provision of PD55B, with its specific focus on entering names into an online form, the analysis of such a process in terms of the general law of signatures could be more flexible.
It could be less significant that ticking the Statement of Truth verification box did not itself insert a name into the online form, since it might be possible to regard the overall process as amounting to a signature: the automated insertion of the pre-entered name next to the Statement of Truth in the finally generated PDF documents, verified by the ticking of the box at an earlier stage in the process.
More radically, it might be possible to regard the ticking of the box alone — an act not dependent on names having been inserted in any online data entry form at any stage — as signing the Statements of Truth produced on the ultimately generated PDF forms. Clicking the tick box could be regarded as itself communicating an intention to authenticate the ultimately generated documents (by analogy with Bassano vToft at paragraphs [43] to [45]). Such an analysis might avoid signature issues arising if the names had been entered on registration by someone other than the claimant.
Who has taken the step(s)?
Even then, in the case of two claimants could one claimant's click on a single tick box amount to signature by both claimants? Would both claimants have to join hands together to wield the mouse and tick the box in unison?
Has the right person taken the step(s)?

Furthermore, what if (for instance) the final step in the process – the click on the button to instruct the system to issue the proceedings - were executed by an agent (other than a legal representative or litigation friend), not by the claimant themself? If that is the step in the process that actually generates the document required to be signed, could it be said that the document was signed by the claimant? Would all the steps in the process have had to be taken by the claimant personally?

These would not necessarily be easy questions. They, and the example of PD55B, all illustrate the importance where a dedicated online process is concerned of matching the process to applicable statutory or other requirements.
[1] The screenshots are from a dummy session that I conducted in October 2019 to observe the PCOL system. The session was terminated before payment of a fee. The arrangement appears to be the same as that described in the judgment.
[2] This is a hypothetical discussion for the purposes of illustration. If the deemed signature provisions of PD55B constitute a complete code for signature under the PCOL process, the general signature provisions of CPR 22.1(6) would take second place to PD55B.
[2a] In 2006 the Privy Council in Whitter v Frankson said that it would be the exception rather than the rule to construe 'by' as precluding the possibility of delegation: "The general principle is that when a statute gives someone the right to invoke some legal procedure by giving a notice or taking some other formal step, he may either do so in person or authorise someone else to do it on his behalf. Qui facit per alium facit per se." Indeed it held that Prince Blücher was wrongly decided. Nevertheless, there can be exceptional cases and it is ultimately a matter of construction of each statute or other rule whether that is permissible.
[3] It makes sense to talk of ‘my signature’ as something that can potentially be applied to a document in order to sign it. We can speak of providing a sample of ‘my signature’. However a signature in that sense has no legal consequence unless or until it is used to authenticate a document. At that point we can speak in legal terms of the document having been signed and of it bearing a signature.

[Updated 18 October 2019 to add footnote 2a and 'potential' pitfall. With thanks to Nicholas Bohm for drawing my attention to Whitter v Frankson.]