FAST Legal Update Member Bulletin – September 2023

Case Law Updates

Wright & Ors v BTC Core & Ors

In the June 2023 FAST newsletter, we went through the important copyright case of Craig Wright (the Claimant) in the High Court regarding his status as the purported inventor of Bitcoin. The Australian computer scientist and self-proclaimed Satoshi Nakamoto (the pseudonymous creator of Bitcoin) had a copyright claim for Bitcoin rejected by a UK Court. Mr Wright claimed that he should be able to block the operation of Bitcoin and the system that forked from it, Bitcoin Cash, because they breach his intellectual property rights.[1]

In the latest update to the proceedings, the Court of Appeal reversed the decision and held that Justice Mellor had made a mistake in holding that the Claimant had no real prospect of establishing that the concept of fixation was satisfied. In order for a work to be protectable, it must be fixed in a tangible medium of expression. A work is considered ‘fixed’ when it is stored on some medium in which it can be perceived, reproduced, or otherwise communicated.

Background

The Claimant appealed the Order of Justice Mellor dated February 2023 which refused the Claimant’s permission to serve the claim form on those Defendants who are outside the jurisdiction of England and Wales, in so far as the claim form advanced a claim for infringement of copyright in a work referred to as the Bitcoin File Format. Justice Arnold held that the Claimant had no real prospect of establishing that copyright subsisted in the Bitcoin File Format because it had not been “recorded, in writing or otherwise” in accordance with section 3(2) of the Copyright, Designs and Patents Act 1988.

In his Judgment, Justice Arnold used the following example to set out his reasoning:

“Suppose, for example, an author A who satisfies the qualification requirements extemporises an original literary work orally before an audience, and the work is digitally recorded by B (whether with or without A’s consent). Next suppose that C is also present in the audience and memorises the work, and that a week later C transcribes the work from memory and publishes it without A’s consent. On these facts A can rely upon the recording by B as satisfying the fixation requirement, and so copyright will subsist from that moment. Moreover, A has a good claim for infringement against C despite the absence of any causative link between B’s fixation and C’s infringement. I would add that it makes no difference if the digital recording is erased shortly after it is made, because fixations do not have to be permanent and may be destroyed either deliberately or accidentally. This shows that one should not place too much weight upon the evidential and definitional purposes served by fixation.”[2]

Mr Wright’s claim whether he is really the author of the Bitcoin white paper (the foundational document of Bitcoin which was published in October 2008 by Satoshi Nakamoto) will be the subject of later rulings.

Meta Platforms Inc. v Bundeskartellamt

In July 2023, the European Court of Justice (CJEU) delivered its judgment in Meta vs Bundeskartellamt Case C-252/21, which imposes requirements in relation to the interpretation of the GDPR and the relationship between competition authorities and data protection supervisory authorities, with regards to the personalised use of consumers’ personal data for targeted advertising by social media platforms.

Background

In 2019, the German Federal Cartel Office (FCO) found that Meta had exploited its dominant position on the German market for social networks by making the use of Facebook conditional upon the collection of user data from Facebook and other online services belonging to the Meta group (such as Instagram and WhatsApp). The FCO decided that this practice violated the GDPR for the following reasons:

A user’s consent was not freely given; and
The amount of data Meta collected and combined into user profiles was not necessary.

As a result, the FCO ordered Meta to amend its terms of service and combine the data it collects from other sources with Facebook user profiles only if users have freely given consent.

An appeal was filed by Meta with the Düsseldorf Higher Regional Court against this decision which questioned the authority of the FCO to enforce data protection rules under antitrust laws. The appeal led the Düsseldorf Higher Regional Court to request a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union from the CJEU. The court addressed various questions to the CJEU concerning the competition authority’s competence to enforce rules of the GDPR as well as the interpretation of various Articles of the GDPR.

The CJEU concluded that competition authorities of a Member State have the authority to investigate and sanction an infringement of the GDPR, if companies exploit their dominant market position. In the event of a data protection violation, the competition authorities must consult with the competent data protection supervisory authority.

The CJEU also imposes strict limitations on the interpretation of the ‘necessity for the performance of a contract’ legal basis which, according to the decision, “must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject”. The CJEU significantly limits Facebook’s legitimate interests to process a user’s personalised social network data and imposes limitations and strict requirements for obtaining lawful consent for a company dominant on the market.[3]

Key takeaways

The decision will have far-reaching implications for those organisations that are in a dominant marketing position and accumulating large amounts of personal data from various sources.

The CJEU judgment confirms the Bundeskartellamt’s reasoning, recognising the relevance of data protection compliance in abuse of dominance investigations. Dominant companies should carefully review their data processing policies from a competition law angle, given the possibility of investigations related to their GDPR compliance by competition authorities, in addition to investigations initiated by GDPR authorities.[4]

Article 86(1) of the UK’s Withdrawal Agreement with the EU states that:

“The Court of Justice of the European Union shall continue to have jurisdiction in any proceedings brought by or against the United Kingdom before the end of the transition period. Such jurisdiction shall apply to all stages of proceedings, including appeal proceedings before the Court of Justice and proceedings before the General Court where the case is referred back to the General Court.”[5]

Article 86(3) goes on to say:

“For the purposes of this Chapter, proceedings shall be considered as having been brought before the Court of Justice of the European Union, and requests for preliminary rulings shall be considered as having been made, at the moment at which the document initiating the proceedings has been registered by the registry of the Court of Justice or the General Court, as the case may be.”[6]

On this basis, given Meta’s appeal was brought before the end of the transitional period, the UK would not deviate from this decision.

Government announces amendments to Online Safety Bill

In June 2023, the Government announced the following amendments to the Online Safety Bill which will “bolster protections for children, empower adults and make it easier to put online abusers behind bars”[7]:

Children are to be better protected from content that promotes suicide, self-harm, or eating disorders.
Pornography companies, social media platforms and other services are to be explicitly required to use age verification or estimation measures to prevent children accessing pornography.
New changes to make it easier for coroners and bereaved parents to access data from social media platforms.
Updated powers that will require Ofcom to conduct research into the harms arising from app stores.

Paul Scully, Minister for Technology and the Digital Economy, stated the following, “this Government will not allow the lives of our children to be put at stake whenever they go online; whether that is through facing abuse or viewing harmful content that could go on to have a devastating impact on their lives… To prevent any further tragedy and build a better future for our children, we are acting robustly and with urgency to make the Online Safety Bill the global standard for protecting our children.” [8]

Other reforms included in amendments to the Online Safety Bill include:

Action on harms from app stores: Ofcom will research the role of app stores in allowing children to access harmful content, requiring firms to take action to reduce risk where necessary.
Boosting media literacy: Ofcom will be tasked with improving the general public’s ability to identify disinformation and evaluate trusted sources of information. The regulator will need to publish a strategy every 3 years on how it plans to deliver this.
Four new revenge porn offences:

Protections for women and girls: A new requirement for Ofcom to publish guidance which summarises, in one clear place, measures that services can take to reduce the risk of harm to women and girls, and which demonstrates best practice. Ofcom will need to consult with the Domestic Abuse Commissioner and Victims Commissioner when producing the guidance, to ensure it reflects the voices of victims, as well as the views of experts on this important issue.

Moving forwards

The Online Safety Bill returns to the House of Commons on in December 2023. However according to Ofcom, which will be the regulator enforcing the bill, it may not be fully operational until 2024.[9]

Security requirements for connectable products under Product Security and Telecommunications Infrastructure Act 2022

Many network-connected devices have lacked sufficient security, putting their users and others at risk of cyberattacks. The UK’s Product Security and Telecommunication Act (the PSTIA) aims to prevent this by requiring minimum security requirements.[10]

Security requirements

The draft security requirements include the following:

Schedule 1 to the Draft Security Requirements sets out the security requirements that will apply to manufacturers of relevant connectable products, including (i) requirements for default passwords; and (ii) information that must be provided to the public on how they can report security issues.

Paragraph 3 of Schedule 1 deals with the information requirements for minimum support periods i.e. manufacturers must publish a minimum support period, expressed with an end date, for which security updates will be provided to in-scope products. ‘In-scope’ is defined as:

The product is, or has been, made available to consumers in the UK and has not been supplied by a relevant person to any customer (whether or not in the UK) at any time before being so made available; or

Products identical to the product meet Condition A and the product:
- is or has been made available to customers in the UK who are not consumers; and
- has not been supplied by a relevant person to any customer (whether or not in the UK) at any time before being so made available.

The security regime will come into effect on 29 April 2024. From this date, the law will require manufacturers of UK consumer connectable products to comply with minimum security requirements.[11]

Sky court order blocks illegal streaming

For over 10 years, Sky has found its ISP division named as a respondent in injunction applications filed at the High Court. With the aim of reducing availability of pirated content, movie studios, recording labels, publishers and even Nintendo, have named Sky and rival ISPs including Virgin Media, BT, TalkTalk, Plusnet and EE, as facilitators of their customers’ illegal piracy habits.[12]

Sky has now obtained a High Court order that will force internet service providers to block piracy services from being able to illegally stream its bestselling football games and blockbuster TV shows.[13] The blocking order will require UK online platforms to stop people from illegally accessing streams across a range of channels – where viewers must tune in at a specific time to watch a programme – including Sky Sports and Sky Atlantic.

The use of internet TV media boxes that facilitate illegal streaming has seen a rise in recent years. The majority come preloaded with software capable of streaming channels from around the world.[14]
Sky will now be able to shut down individual pirate sites at certain times, using a third-party group that identifies the source of illegal streams via IP addresses or dedicated servers. This is then passed to ISPs to block access to those locations on their network.

A Sky spokesman said that this would “help limit the supply of pirated Sky content… Blocking has been shown to be an extremely effective tool in tackling content piracy and is just one of a range of measures we take to protect our content and our business.”

[1] Craig Wright Loses Bitcoin Copyright Claim in UK Court (coindesk.com)

[2] Wright v BTC Core judgment (judiciary.uk)

[3] CJEU’s landmark decision in Meta vs Bundeskartellamt | DLA Piper

[4] Meta: Court of Justice Confirms That Competition Authorities Can Assess GDPR Compliance In Abuse of Dominance Cases | Cleary Antitrust Watch

[5] https://www.legislation.gov.uk/eut/withdrawal-agreement/article/86/adopted

[6] https://www.legislation.gov.uk/eut/withdrawal-agreement/article/86/adopted

[7] Online Safety Bill bolstered to better protect children and empower adults – GOV.UK (www.gov.uk)

[8] Online Safety Bill bolstered to better protect children and empower adults – GOV.UK (www.gov.uk)

[9] Online Safety Bill – Parliamentary Bills – UK Parliament

[10] What the Product Security and Telecommunications Infrastructure Act means for UK industry | Computer Weekly

[11] The UK Product Security and Telecommunications Infrastructure (Product Security) regime – GOV.UK (www.gov.uk)

[12] Sky Obtains Novel Injunction to Prevent Piracy of Live Sports & ‘House of the Dragon’ * TorrentFreak