Commercial and tech update - April 2019
Welcome to this month's edition of our commercial and tech update, which has a particular technology focus this month.
UK Government launches consultation on regulation of non-UK DSPs following Brexit
In light of the UK's planned exit from the EU, the UK Government has launched an open consultation calling for views on the UK's proposed approach to regulating non-UK based digital service providers ("DSPs") that operate in the UK under the Network and Information Systems Regulations 2018 (the "NIS Regulations"), which implement the EU's Network and Information Security Directive ((EU) 2016/1148) in the UK.
Critical infrastructure organisations are required to implement stronger cyber security under the NIS Regulations. In order to fall under the definition of "relevant DSPs" under the NIS Regulations, organisations must:
- Provide online marketplace, online search engine and/or cloud computing services in the UK;
- Employ at least 50 members of staff or have a turnover of more than €10million a year; and
- Have their head office in the UK or have nominated a representative established in the UK.
However, unlike the EU Directive, which requires non-EU based DSPs operating in the EU to appoint an EU based representative, the NIS Regulations do not include an obligation for non-UK based DSPs to nominate a representative in the UK. The lack of this provision in the NIS Regulations means that the relevant Competent Authority (the ICO) is currently unable to exercise its enforcement powers in relation to non-UK based DSPs operating in the UK. The Government has therefore proposed to introduce a requirement in the NIS Regulations, following the UK's departure from the EU, for non-UK established DSPs operating in the UK which, but for the lack of a nominated representative, would otherwise fall under the definition of relevant DSPs, to designate a representative in the UK. The representative would have to comply with the NIS Regulations and be regulated by the ICO. If the amendment comes into force, on the UK's exit from the EU non-UK based DSPs would have three months to provide their representative's contact details and register with the ICO.
The consultation is open until 11.45pm on Tuesday 11 June; additional information can be found here.
How open is open-source software?
With the ever-increasing use of Software-as-a-Service (SaaS) and cloud service solutions in all industries, legal issues around the use of open-source software (OSS) continue to arise. Some recent developments in this space highlight the importance of understanding what OSS licence terms you are dealing with and what you need to do in order to achieve compliance with them.
By way of refresher, OSS is software that is freely distributed under a licence that grants the licensee certain freedoms in how the software can be used, distributed and modified. There are many different types of OSS licence available, each with different terms of use. The use of OSS is not without obligations, and the question of how burdensome these obligations are to the licensee ultimately comes down to the terms on which the OSS is licensed.
Broadly speaking, there are two categories of OSS licence:
- Permissive OSS licences (e.g. MIT License, BSD and Apache License 2.0) which usually only require that distribution of the original OSS is made on the same OSS terms as those on which it was provided; and
- Restrictive OSS licences (e.g. GPL 2.0 and GPL 3.0, AGPL) which impose licensing restrictions and may require that any works derived from such OSS are licensed on an open-source basis under the same (restrictive) OSS licence terms.
Many OSS licences do not require the source code of OSS hosted by a SaaS provider to be made available to the user, and the GNU Affero General Public License (AGPL) was designed specifically to close this loophole. AGPL requires the operator of a network service to provide the source code of the modified version of the AGPL program running there to the users of that server. A number of OSS vendors have adopted AGPL, but cloud service vendors have sought to circumvent the obligation to provide source code by offering paid-for services that interact with an unmodified version of the AGPL program. Unsurprisingly, open-source vendors have complained that cloud service vendors are taking a narrow interpretation of the AGPL terms in order to use OSS and offer it as a service to their (paying) customers, without necessarily adding value or supporting future development in OSS.
As a result of this situation, open-source vendors such as MongoDB and Redis have taken steps to change their licence terms to ensure that open-source principles are followed by licensees applying OSS to their SaaS or networked services. There has been considerable backlash from commercial users of OSS, with threats to drop the use of certain OSS provided by the open-source vendors who have sought to extend the scope of the licences governing their OSS.
Companies that use OSS should ensure that they are aware of:
- what type of OSS they are using (or if the software they are using isn't OSS at all);
- what the OSS they use does;
- how they use and distribute the OSS;
- the terms on which the OSS is licensed to the company; and
- what implications those terms have on the way in which they commercially exploit the OSS.
Otherwise, these companies run the risk of non-compliance, potential litigation, lost revenue streams, potentially expensive remedial action, and, in the context of a proposed acquisition, offering unnecessary warranty and indemnity protections to buyers.
Stephenson Harwood advises a number of clients, both customers and suppliers, on the management and use of their software, including their use of OSS. Stephenson Harwood is also a member of the Federation Against Software Theft and can advise on how best to deal with non-compliance of software licences. For further information please email david.berry@shlegal.com.
Tech companies to have duty of care to prevent online harm
The UK Government has announced that new legislation will be coming into force that will impose a new statutory duty of care on online platforms operating in the UK. Tech companies will be obliged to take reasonable steps to keep users safe and prevent harm which is a direct consequence of activity on their platforms. This new legislation will affect numerous businesses including social media platforms, file hosting sites, online discussion boards, messaging services and search engines.
The 'online harm' that companies will need to protect against will include terrorist content, child sexual exploitation and abuse, organised immigration crime, incitement of violence, harassment and cyberstalking, hate crime, encouraging or assisting suicide, the sale of illegal goods or services, modern slavery, revenge pornography, cyberbullying and children accessing inappropriate material. The legislation will also attempt to tackle the harm caused by fake news and the spread of disinformation.
The sanctions for non-compliance may include substantial fines for companies, banning certain companies from operating in the UK and/or personal liability for individual members of senior management. Terrorism content will also need to be taken down in a "short pre-determined timeframe". The government is yet to decide whether a new regulator will be established to monitor and enforce this new duty, or whether an existing regulator's remit will be expanded. However, it has been decided that the regulator will be funded by the tech industry, and that there will be a code of conduct that online businesses must adhere to. Companies will need to show that they are actively fulfilling their obligations under the new duty, and this will need to be clearly evidenced in their terms and conditions.
The UK is the first to implement a regulatory framework that tackles this kind of online harm and it reflects the growing worldwide concern about the role of social media in spreading harmful content.
While there is no doubt that the plans are promising progress, there are a number of bumps yet to be ironed out. The proposals have faced some criticism relating to the potential threat to freedom of speech and the practicality of the proposals. One of the questions raised is how the regulator will rule on material that is not illegal but may still be considered harmful. The challenge will be in identifying the line between protecting the public from perceived harm, for example from disinformation and fake news, and overt censorship.
The Department for Digital, Culture, Media and Sport (DCMS) and the Home Office have opened a joint public consultation on the proposals which can be found here and they are welcoming views from those impacted on various aspects of the proposals until 1 July 2019.
Parent company can be sued for the actions of a foreign subsidiary
In Vedanta Resources PLC and another v Lungowe and others [2019] UKSC 20 the Supreme Court was asked to consider, amongst other questions of jurisdiction that will not be covered here, the circumstances in which a parent company will be held liable for the actions of its subsidiary.
The first appellant, Vedanta Resources PLC ("Vedanta"), is the UK parent of the Zambian subsidiary Konkola Copper Mines PLC ("KCM"), the second appellant. The respondents to the appeal are Zambian villagers (the "Respondents") who, in the substantive action, brought a claim against both Vedanta and KCM for loss arising from the discharge of toxic waste from a copper mine, owned and operated by KCM, resulting in the pollution of local waterways, injury to local residents and damage to property.
The Supreme Court determined that it was critical to assess whether Vedanta was involved in the management of the mine to such a degree as to owe a duty of care to the Respondents in connection with the release of waste from the mine. In material published by Vedanta, Vedanta claimed that it had the responsibility of establishing and implementing appropriate group-wide environmental control and sustainability standards and training. It also assumed responsibility for monitoring those standards and for training on enforcement. It was on this basis that the court found that it would be arguable at trial that Vedanta had a sufficient level of intervention in the conduct of the mine, and therefore owed a duty of care directly to the Respondents.
The judgment demonstrates that parent companies may be found to be liable for the actions of their subsidiaries. Multinational parent companies should consider how they approach group policies, management/shareholder agreements and public statements in future to assess if they may be judged to have sufficiently intervened in the operations of, or exercised control over, a subsidiary, as this decision may open the floodgates for more class actions against UK companies with global operations.
It should be noted that this appeal is purely procedural and the merits of the case will need to be determined at a later trial.