Monthly Archives: April 2014

Google Facing Lawsuit for Scanning Data of Students.

Google will be facing the courts again soon in California, where a class action lawsuit has been brought against the company for data-mining emails. This is certainly not Google’s first encounter with the court system and not even the first time that the company has been accused of violating the privacy of its users. Google has been called to answer for data privacy violations all over the world: the French have warned, fined and are currently suing the company, and the Spanish, British, Dutch, Germans and Italians are following a similar path. Google’s particular trouble in Europe stems from the EU’s data protection rules overhaul, which Google is strongly resisting. In the US, claims have been made against the company for violation of federal wiretapping laws by scanning Gmail emails, for violation of state privacy laws and, with the most recent allegation, for violation of the Family Educational Rights and Privacy Act (hereinafter “FERPA”) by scanning the emails of students using Google’s Apps for Education.

Google’s Apps for Education is part of the growing group of Google Apps. The education Apps do differ from the other Apps as these are aimed specifically at K-12, college and university students, staff and faculty for which there are no Google Adwords targeted ads displayed. The accusation by two students party to the class action is that Google has violated their rights under FERPA by scanning and indexing their Google emails, used as tools for education, to provide certain features that cannot be turned off. FERPA was written and contemplated before cloud computing and Google believes that it will be interpreted by the courts in such a way that they will find success. Check back for updates!

If your company has a presence online and is concerned that it is not meeting the standards set forth in legislation about gathering and protecting customer or user data, or perhaps you have international users and customers and worry about different legal standards from the differing jurisdictions, then please contact us for more assistance. Also, check out our newest e-book, Data Privacy: A Practical Guide. This guide is the perfect way to get your business started on the path to complete data security for your customers and employees. With easy access to the authors for follow-up or more specific jurisdictional advice and updates, this e-book is the perfect read for any business.


Small to Medium-Sized Business with Data Security Worries?

Data security is not something that only large businesses and corporations need to be worried about. Any business with an online presence must be even more worried about it. However, securing customer and employee data is something that is either passed on to a third party to deal with or is largely ignored, because businesses are unaware of their obligation to protect the data or because it is just too overwhelming and confusing. It is true that data protection regulation and legislation can be confusing, especially when having to meet the standards of both domestic and international legislation. A breach in data security could range from the system being hacked and held for ransom to a retired employee’s access not being closed by mistake. The result of misuse, loss or theft of data could be a lawsuit, loss of reputation and business, or fines. Whilst these may not be devastating for a large business or corporation such as Google, a repeat offender, to a small to medium-sized business the result could mean closing the doors.

Owing to these problems faced by small to medium-sized businesses and even some of the newer larger businesses, two of our top consultants at Interstice Consulting have gathered together their valuable insight to help guide businesses through the process of setting up data security measures to meet the stringent requirements of legislation. Data Privacy: A Practical Guide examines global trends in data security and data privacy, analyses in depth the larger jurisdictions’ legislation and how to be in compliance, touches on business-to-business issues as well as data breach insurance, informs on what to do in the case of a data breach and provides ways to be continually updated. There is no need to wait for your book to arrive in the mail because it is available immediately as an e-book only.

This guide will give small to medium-sized businesses not only the information they need to set up their data protection scheme but will also give them the confidence to reach out to the authors should they have a more specific question or need assistance in a jurisdiction not covered by this guide. By starting on the right path to data security for your business, you can assure your customers that they made the right choice to continue their business relationship with you.

To purchase your copy of Data Privacy: A Practical Guide, please follow this link:


Need-to-Know: International Arbitration.

Arbitration is often a choice made by those who find the court systems to be too out of their control and costly. In arbitration, those who are having the unsettled dispute can either test their case before heading to court with non-binding arbitration or forgo the court system entirely and agree to binding arbitration. For these reasons and more, arbitration clauses are written into many business contracts, leading those who are forming the contract to believe that they will have more control of the process if an unresolvable dispute or breach of contract is to occur. Whilst choosing arbitration for domestic business contracts may make sense, in cases where arbitration is chosen by businesses located in or operating in different countries, it is often more complex and governed by more sets of laws than one would have anticipated.

Whilst almost all contracts contain an express choice of law clause in the case of a contractual dispute, the parties often fail to choose a seat of arbitration. Many will think that the express choice of law clause will cover the entirety of the contract, including the arbitration clause, but this is not the case. The arbitration clause is read as a contract on its own and therefore must also have the seat of arbitration defined. The seat of arbitration determines the procedural law of the arbitration. Procedural laws of arbitration differ from country to country and can be researched by examining the national arbitral laws of each given state. National arbitral laws can override procedural laws set out in contract, so choosing and agreeing upon the seat of arbitration is important for retaining the idea of arbitration that was agreed upon.

In the UK, the courts have given guidance as to what to do when determining where the seat of arbitration is to be. The court determined that there are three ways in which the seat of arbitration can be found: 1) it is expressed in the arbitration clause in the contract, 2) it is implied or 3) the system of law with which the arbitration agreement has the closest and most real connection. The court will consider the express choice of law clause as the evidence of the intention of the parties but it is not decisive.

If your business is contracting with a foreign business and you require assistance in drafting contracts, please contact us for help.


Employees Need to Understand Data Security Risks.

Business organisations do and should have big worries about data security. The potential losses to business and reputation by a breach of data privacy can be great enough to have to shut the doors for good.

But whilst data privacy and data security may weigh heavy on the minds of the organisation’s leaders, employees usually fail to understand how essential data security is to their job as well. Employees will often think that there is a department or person that handles those things or that there is software that protects them. However, educating and training employees on the importance of data security to everyone in the organisation sets the organisation on a path towards locking up any gaps in its data security network.

An important concept to focus on throughout employee training is that data security is the responsibility of everyone. Whilst a department or individual may manage security, individual security obligations should be undertaken by everyone employed by the company. Not only does this make the security managers more accessible for the employees, but it also encourages the employees to realise the importance of and to take pride in the organisation’s data security.

Data security training shouldn’t be a one-time event but should be addressed at every training session from orientation to farewells. Building data security training into every training session will highlight the importance of it and continue to remind employees of their individual security obligations. This could also be a time to update employees on news in the data security field and updates that the organisation has made to its own data security network.

Employees also need to be made aware of the responses that the organisation has planned for data security failures. When employees know that there are plans and what the plans are, even just generally, executing them will be much less confusing and perhaps even more effective because the employees have been trained to handle the situations.

If you require assistance in training your employees about the risks in security breaches and data privacy then please contact us.

Also, be on the lookout for our new e-book, Data Privacy: A Practical Guide to assist you further in this matter and with other important issues surrounding data privacy.


France is finished with Big Data Privacy Violations.

A French consumer protection group is fed up with unreadable, inaccessible and illegal user agreements of three major companies: Facebook, Twitter and Google.

The UFC-Que Choisir, France’s top consumer rights group, isn’t the only European consumer group with major concerns about how these websites are run and collect data on their countrymen. In December, Spain fined Google €900.000 for breaking data protection laws; another French group, CNIL, fined Google €150.000 for failing to meet a three-month long deadline to align the practice of tracking and storing user information with France’s law; and the Netherlands have accused Google of violating privacy protection laws. Several other European consumer protection groups have been investigating the Google privacy policy as well.

The UFC-Que Choisir argues that the user agreements presented by these websites are only available on the website and are too long, with too many hypertext links that often aren’t available in French. UFC-Que Choisir sent letters to these companies in June of last year asking that they bring their policies within the letter of French law. The user agreement is a contract between the user of the website and the company itself. French contract law requires that the entire contract be in French. Additionally, UFC-Que Choisir argues that the enormous number of hypertext links makes it unclear to the consumers whether or not they form part of the agreement. Because the letters to the companies yielded no responses, the consumer group has issued the companies with summons to appear before the Paris High Court. UFC-Que Choisir has asked that the court strike out what they allege to be unfair or illegal clauses in the user agreements.

Check back with us soon for an update on what the French courts decide in this matter and for our new e-book, Data Privacy: A Practical Guide for more information about data privacy issues and solutions!


Protecting Your Business from Data Breach and Cyber Attack.

Carrying insurance as a business is commonplace, and depending on what type of business one is involved in there are a myriad of different insurance policies and coverage types that may be used to ensure that the business is protected in the event of some sort of unplanned event. As an increasing number of businesses are falling victim to cyber attack during which sensitive personal data is stolen, many businesses are purchasing Data Breach Insurance or Cyber Security Liability Insurance, all depending on which plan a business chooses to protect them in the event of a data breach. So, is this insurance coverage the right thing for your business?

Deciding on whether or not coverage of this sort is something that your business must consider shouldn’t hinge on whether or not data is stored on the Internet. In some cases, data breach insurance covers stolen laptops and computers and even paper files, though it is a coverage aimed at protecting against cyber attack, in general. If your business collects, stores or transmits personal data of others, including employees, or would suffer monetarily in the event of an attack then this coverage is something that should be investigated.

Once a business has decided that further investigation is warranted, the next place to start is with the business’ current insurance coverage plans, as some types of data breach events may already be covered. A small business may find that for its needs the current coverage is sufficient. Following that, the business should acquire as many coverage plans as they can and read them thoroughly so as to find the coverage that meets their needs. In this case the business will consider the types of attacks that they would be looking to prevent: breach of customer data or distributed denial of service attack, for example. As well as considering the type of the attack, the type of damage covered also needs to be considered: first-party expenses and third-party liabilities. First-party expenses will be the costs to the business in notifying customers of the breach and offering data monitoring services, forensic analysis, boosting bandwidth or even paying an extortionist’s ransom to prevent an attack. Third-party liabilities will be lawsuits brought by customers or employees whose data has been compromised, fines or redress sought by regulators.

Reputational damage and loss of business will probably not be covered by insurance; therefore, it is important to safeguard the business’ data holdings. Insurance alone will not suffice to cover all potential damage that could arise in the event of a cyber attack.

If your business is evaluating its data security or considering purchasing cyber attack insurance or data breach insurance, then please contact us for assistance with this matter.


Africa Takes a Stand Against Base Erosion and Profit Shifting.

Africa has historically been a place where foreigners come and take; take people, take land, take resources and opportunity. Unfortunately, even as we progress into modern times, Africa is still a place where foreigners come and take advantage. Tax avoidance is not unique to Africa or other developing countries, but African nations recently banded together to take a stand against tax avoidance by foreign nationals and domestics as part of a worldwide new global tax agenda action plan set out by the Organisation for Economic Cooperation and Development (hereinafter “OECD”).

The OECD’s 15-point action plan was recently considered in a historic meeting by the council of the African Tax Administration Forum (hereinafter “ATAF”). The ATAF joined twenty-nine African nations to deliberate the action plan assuring Africa’s participation in the new rules of the global tax agenda.

High on the list of matters discussed at the ATAF conference was the developing nations’ struggle with base erosion and profit shifting (hereinafter “BEPS”). BEPS is a practice usually associated with large, multinational corporations where taxable income is shifted to other low-tax locations, thus eroding the taxable base of the country. This practice has resulted in overall lower prices for natural resources in Africa paired with tax incentives to multinational corporations working in those industries. The result is that African nations are robbed of good prices for their resource wealth, and of taxes they would have been able to collect if profit shifting had not been occurring, thus keeping them as developing nations always reaching for developed status.

South Africa, in particular, has come up with three measures to defend against foreign tax evasion. The first, transfer pricing rules to ensure that any foreign debt is introduced at a reasonable interest rate and that the capitalisation of the local company does not rely too heavily on that debt. Second, an interest withholding tax that will impose a tax rate of 15-percent on non-resident South African earnings. Finally, a new rule applying to interest earned by non-residents where the debtor in the arrangement is a connected person to the creditor and where the non-resident creditor is not subject to South African tax on the interest earned. There may be a specific exemption for the non-resident depending on the double tax agreements between their country and South Africa.

If you are involved with a multinational corporation with ties to Africa or specifically South Africa and would like more information about these changes and their coming impact, then please contact us for help navigating the ever-changing domestic and global tax agenda.


Choosing to Use Online Targeted Advertising.

Online targeted advertising, such as Google’s Adwords, uses potential customer demographics and behaviour online to specifically target brands, products and services to that individual. When using these services, a business can purchase advertising rights to certain searched words and geographical locations. As courts around the world are finding, many businesses are choosing to use their competitor’s trademark in addition to their own for keyword searches that will trigger their own advertisement to be shown. Depending on where you are advertising and targeting, different rules and judgments will apply to the situations in which use of a competitor’s trademark as a keyword to activate your advertisement is allowed, because believe it or not, it isn’t always against the law.

In Australia, a high court decision of Google v. ACCC found that Google itself wasn’t responsible if an Adwords customer used an infringing trademark; however, it did not expand on whether or not the Adwords customer would be held liable for damages if using an infringing trademark.

In the UK, two cases have shone light on situations when it is legal and illegal to use a competitor’s trademark in online targeted advertising. The Interflora case gave a more specific guide in the case of business networks. In this case, Interflora is a vast network of florists that trade under individual names but all are part of the Interflora network. M&S, not a part of the Interflora network of florists, used the Interflora trademark as a keyword indicator for their advertisement. The court found that because of the nature of the business network, it was misleading to the customers that they did not indicate that they were not a part of the Interflora network and thus, the use of the trademark was illegal. In a case involving Amazon and Lush, Amazon used Lush’s trademark in Google Adword advertising suggestive that Amazon had for purchase Lush products. The court determined that the average customer would not be able to ascertain without difficulty that the Amazon goods did not originate from Lush.

Whilst these decisions are based on different sets of laws, they do help to guide future customers of such advertising companies on the best manner in which to make use of trademarks. If you are advertising using Google Adwords or a similar company and want to get the most from your advertising or are unsure if your advertising constitutes a trademark infringement, or if you have found that a competing business has been using your trademark, then please contact us so that we can examine the situation and advise you further.