
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

Federal District Court Decision in Microsoft Case re Warrants for Content Stored Outside US

Posted in International Privacy, Privacy and Data Security, Technology and Commercial, US Federal Law

Written by Sydney White

On July 31, the district court judge issued a ruling in the case involving the US Government’s warrant issued to Microsoft to compel production of data stored on the servers of its wholly owned Irish subsidiary located in Ireland (In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp. (S.D.N.Y.)).  The judge upheld the magistrate’s decision that Microsoft must produce the emails stored by its Irish subsidiary on servers located in Ireland.  The decision is stayed as Microsoft appeals.

This case could have profound implications for US companies storing or hosting data overseas because foreign competitors will be able to argue that data stored outside the US is not safe from not only US intelligence but also US law enforcement.  It likewise could lead to chaotic choice of law disputes as other countries begin to demand reciprocal treatment in the US for law enforcement process.  This follows on increasing requirements in other countries for data localization following the Edward Snowden revelations.

The judge agreed with the magistrate that the issue is not the location of the data but instead control over the data.  As such, Microsoft is required to produce the data regardless of where it is stored.  This follows the Bank of Nova Scotia line of cases.

Ultimately, this case could end up before the Supreme Court or it could lay the groundwork for Congress to step in and clarify the legal standards for law enforcement access to electronic information.

What?? The Target Company Does Not Own its IP!?

Posted in Licensing, Technology and Commercial

Written by Mark Lehberg

We have been working on a number of private company mergers and acquisitions transactions this year where the technology and the intellectual property of the target company (the “Target”) are the key value drivers for the transaction.  It is always surprising when the Target has not used “good housekeeping” with regard to its intellectual property and when the Target has transacted business without regard to what might happen in the event of an acquisition.  This is especially a surprise since the exit strategy for many (if not most) private companies is an acquisition.

In a current transaction, our client is buying a private software company based in Europe.  The software, technology and intellectual property are the key value drivers in the deal.  The following are some of the issues in the transaction.  These are key issues for acquirers in M&A transactions and are issues that private companies can easily avoid.

  • IP Developed by Employees.  The agreements between the Target and its employees do not include a present assignment of intellectual property from the employees to the Target.  Consider the Stanford v. Roche decision.
  • IP Developed by Contractors.  Similarly, the agreements between the Target and its contractors do not include a present assignment of intellectual property from the contractors to the Target.
  • IP Developed by Engineers’ Personal Management Companies.  In this transaction, some of the key engineers (who are also significant shareholders) were not employees of the Target, but instead contracted with the Target under separate “personal management companies.”  These personal management companies are common in the particular European jurisdiction for tax reasons.  So the key engineers are the sole employees of a personal management company, which in turn provides services to the Target and may, in some cases, provide services to other companies.  In some cases the personal management company has an agreement with the Target, while in other cases there is no agreement with the Target.  If there is an agreement with the Target, the agreement does not include an assignment of intellectual property to the Target.  To make matters more complicated, the engineer has no agreement with the management company.  As a result, it is not clear who owns the intellectual property – the engineer, the management company or the Target.  In one case, the personal management company was liquidated.
  • Patents.  The Target received an assignment of a patent from a European University, but the patent assignment was incomplete and did not fully assign the patent to the Target.  Other patent assignments were sloppy and incorrectly identified the Target as the assignee.
  • Inbound Licenses.  As a result of the Target’s relationship with the European University, the Target used “academic” as opposed to “commercial” licenses to certain third party software.
  • Tax Subsidies from Local Government.  The Target received tax subsidies for product development efforts and the subsidies included restrictions on the “transfer” of the result of the development work.  However, the term “transfer” is not defined.

If you are a private software or technology company and your “exit plan” is an acquisition, follow good housekeeping when it comes to your ownership of your intellectual property and your transaction will go much more smoothly.  If you are an acquirer, do not overlook the diligence around these “fundamental” issues.


FRANCE: A French Court orders a Swiss company selling French game tickets over the Internet to prevent French Internet users from accessing part of its websites

Posted in E-Commerce and Social Media, Gambling & Gaming, Licensing

By Florence Guthfreund-Roland & Mathilde Hallé

On April 10, 2014, the Court of First Instance of Paris found that VIAGOGO, a Swiss company operating a website selling sports tickets on the Internet, had no right to sell tickets for a French soccer game organized by the French Professional Soccer League. On that basis, the Swiss company was ordered to take appropriate steps to prevent French Internet users from accessing the content of its online communication service on several of its websites.

The French Professional Soccer League (the “LFP”) is the French entity in charge of the organization of professional soccer competitions, including the French national soccer cup.

In February 2014, the LFP sent a cease and desist letter to the Swiss company VIAGOGO asking the latter to cease the commercialisation of game tickets for the French national soccer cup final, on the grounds that VIAGOGO was in breach of the LFP’s monopoly as it was not authorised by the LFP to sell such tickets online. The LFP also claimed that the tickets were sold by VIAGOGO at a price much higher than the one set by the LFP when they brought an action against VIAGOGO before the interim relief judge of the Court of First Instance of Paris in March 2014. The LFP  asked the Court to order VIAGOGO to withdraw from its websites, and especially from the website www.viagogo.fr, any offer for sale of tickets for the French national soccer cup final.

In defence, VIAGOGO contended the following:

  • the French Courts had no jurisdiction over the disputed matter since the LFP had not demonstrated that the websites www.viagogo.lu and www.viagogo.com targeted the French public, nor that there was a substantial and significant link with the French public;
  • the fact that part of the content posted on the disputed websites was in French was not sufficient to grant the French Courts jurisdiction over the disputed matter;
  • the website www.viagogo.com did not target the French public since prices were displayed in dollars on the website;
  • VIAGOGO was not responsible for the offer of the website viagogo.fr; and
  • the Paris professional soccer team had entered into an agreement with VIAGOGO in relation to the website www.viagogo.fr.

However, the Court found that it had jurisdiction over the disputed matter considering that: (i) the three disputed websites could be accessed from France and targeted the French public, and online transactions could be made in Euros; and (ii) the fact that the company operating the website was not located in France was not relevant, nor was the fact that the hosting providers involved were not incorporated in France.

In line with previous case law on the monopoly of sports organizations, the Court further held that the offering for sale of the tickets by VIAGOGO consisted in an obviously illicit disorder since VIAGOGO does not have the right to commercialise such tickets and does not abide by the conditions of sale set forth by the LFP. In other words, and even if not innovative from a legal standpoint, the Court confirmed that the sale of tickets for any soccer game organised by the LFP falls within LFP’s monopoly, and therefore remains subject to the LFP’s prior authorisation and to its general conditions of sale.

On that basis, the Court ordered VIAGOGO to take any measures to prevent French Internet users from accessing the content of its online communication service accessible from the websites www.viagogo.fr, www.viagogo.lu and www.viagogo.com, without distinguishing between soccer tickets submitted to the LFP’s monopoly and other sports tickets. It can be noted that such measures may put a disproportionate burden on VIAGOGO as, under French law, the interim relief judge is in theory only allowed to grant measures which are strictly necessary to put an end to the acknowledged disorder and prevent any damage.

For further information, please contact Florence Guthfreund-Roland (florence.guthfreund-roland@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlaiper.com).

Why Ximpleware May establish New Rules in the Open Source World

Posted in Licensing

Written by Vicky Lee

Ever since the GPLv2 was released in 1991, lawyers and software professionals have analyzed its terms, blogged about them and argued about them.  Interpretations of GPLv2 have evolved over the years and there is a consistent pace of enforcement actions by the Software Freedom Law Center.  There have been cases interpreting the GPLv2 over the years also but mostly out of Europe.  Now we have a case here in the United States that may finally provide some clarity on what it takes to comply with GPLv2.

The Ximpleware case actually started as the Versata case.  In Versata v. Ameriprise, Versata licensed some software to Ameriprise that Ameriprise used in its financial services business.  Ameriprise’s license included a prohibition on using the software to develop competitive products.  Versata sued Ameriprise alleging that Ameriprise breached the license because it made the software available to competitors of Versata.  As a defense to what started off as a “run of the mill” commercial dispute between two sophisticated companies, Ameriprise claimed that Versata incorporated into its software an open source component released by Ximpleware under GPLv2, and pursuant to the terms of GPLv2, Versata was obligated to make the object code and the source code of its software available to Ameriprise.  Once Ximpleware found out about the alleged non-compliance with GPLv2 (since it was now part of the public record in the Versata/Ameriprise dispute), Ximpleware then sued Versata and Ximpleware alleging a violation of GPLv2.

The case is complicated and likely will undergo much procedural maneuvering before the court will get to the substance of the case.  However, a key question that the courts will likely look at is whether a violation of GPLv2 gives a plaintiff a right to a contractual remedy or a claim for copyright infringement.

We will keep an eye on the case and provide updates as they are available.

PCI Security Standards Council: Recently Published Recommendations

Posted in Privacy and Data Security, Technology and Commercial

Written by Ryan Sulkin

The PCI Security Standards Council has recently published recommendations for ensuring that payment data and systems entrusted to third parties are maintained in a secure and compliant manner, in accordance with PCI-DSS requirements.  The recommendations are available at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf.

A merchant, prior to engaging a supplier that will access its cardholder data environment or that will otherwise process, store or transmit cardholder data on the merchant’s behalf, must consider how that supplier will satisfy PCI-DSS requirements in a manner that will allow the merchant itself to remain PCI-DSS compliant.  The Council’s guidance provides merchants with a framework for understanding: (i) how a supplier’s own PCI-DSS compliance folds into the merchant’s PCI-DSS compliance requirements; (ii) how to evaluate a supplier’s level of compliance pre-engagement and allocate compliance responsibilities for applicable PCI-DSS requirements during the engagement; and (iii) options for addressing scenarios when a supplier may not be formally certified as a PCI-compliant service provider or have a ROC that can be provided to the merchant.

The dynamic between merchant and service provider is often one that can spawn unique scenarios and challenging questions, and this new guidance from the Council provides merchants and suppliers with a deeper perspective than was previously available and is a must-read.


Posted in Privacy and Data Security, Security Breaches

Written by Aravind Swaminathan and Tara McGraw Swaminatha

The New York Times reported this week that an organized Russian criminal group stole approximately 1.2 billion user name and password credentials associated with more than 500 million email addresses from hundreds of thousands of websites around the world.

The article notes that the hackers used a large botnet (a group of computers that a hacker has taken control of for his or her own use) to probe websites methodically for vulnerabilities that would give the hacker access to the websites’ databases containing sensitive information such as email addresses, user IDs and passwords.

Although the victims have not been identified, there are certain steps you should consider taking, all in close consultation with your experienced IT staff.


NEW RELEASE: Chapters 14 and 15 – Termination AND Exit Management

Posted in Technology and Commercial

DLA Piper’s award-winning global Technology and Sourcing team is pleased to release the newest chapter of the Sourcing Reference Guide, our handbook to conducting successful sourcing transactions.

Chapter 14 looks at termination and Chapter 15 looks at exit management.

To create the complimentary Sourcing Reference Guide, we’ve combined best practices from our leading global team, covering a range of sourcing transactions – ITO, AD/AM, BPO, F&A, HRO, FM, infrastructure, networks and more.

Following are the chapters included to date – the newest chapters are in bold face:

1. Sourcing Structures
2. Sourcing Agreement Structures
3. The Services Description
4. Offshoring
5. Timing, Delivery and Delay
6. Service Levels
7. Service Credits
8. Charging Models
9. Tax
10. Benchmarking
11. Compliance
12. Data Protection
13. TUPE and Employee Issues
14. Termination
15. Exit Management

We will be adding additional chapters to the Sourcing Reference Guide throughout the year and will keep you abreast of new updates.

For more information, please contact sourcingreferenceguide@dlapiper.com.

FCA guidance for firms thinking of using third-party technology (off-the-shelf) banking solutions

Posted in Cloud Computing, Commercial Contracting, Security Breaches, Strategic Sourcing, Technology and Commercial

Written by Nichola Prescott, Associate, London

The Financial Conduct Authority has published a document setting out a list of points for financial services firms to consider when preparing for and evaluating third-party technology banking solutions.

Where a third-party provides services which are critical to a regulated firm’s business operation, it will be considered an outsource service provider (“OSP“) and the firm will be subject to certain regulatory obligations as a result.

Primarily firms must meet the FCA’s “appropriate resource” and “suitability” threshold requirements set out in COND 2.4 and 2.5 respectively, and comply with the general outsourcing requirements set out at SYSC 8.1.  The FCA document reminds firms of the overall aim of the regulatory objectives with regards to outsourcing, namely that:

  • firms must appropriately manage and remain responsible for the operational risk associated with their use of third-parties; and
  • the arrangements with third-parties must not impair the regulator’s ability to regulate the firm.

The publication addresses six main areas for assessment by firms considering the use of third party technology, each of which is then further defined by reference to a series of questions for firms to ask themselves as a checklist of their own “thinking” in connection with satisfying their regulatory objectives.  The six principal areas cover:

  • the rationale behind the decision to outsource the delivery of critical technology services;
  • the selection of the OSP and the solution;
  • oversight and governance of the OSP, including service levels;
  • operational elements, including support and maintenance, quality and incident management;
  • service protection, including security, disaster recovery and testing; and
  • data protection.

The document makes clear that the questions are not exhaustive (either of the points that firms should consider in preparing third party arrangements, or of the points that the regulator(s) will consider when assessing an application for the delivery of regulated services), so of course each firm will need to consider its own specific requirements, internal operation and other relevant issues.  However, the document will be helpful in structuring that process, and also potentially useful in identifying the “right” terms to be included in any relevant contract.

The document is available at http://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

New – Agile Software Development Contract Template

Posted in Technology and Commercial

Written by Callum Sinclair

The DLA Piper IPT team in Edinburgh has developed an innovative new contract template which they are piloting with selected clients.  The template is an agile software development contract.

Agile methodologies (such as Scrum) are an alternative to more traditional “waterfall” means of software development.  They are based around iterative stages of development with a high degree of customer collaboration throughout and offer flexibility and an ability to deal with evolving customer requirements where projects are managed well.  Whilst some agile methodologies have been around for 20 years or more, they have been slow to gain traction, in part due to a lack of well-developed contract forms.

Development of our template has involved a substantial investment in time and application of combined know-how and experience from a range of our fee-earners across the world. By “crowd-sourcing” feedback from our internal teams and selected clients beta-testing the template, we will continue to improve the template and develop other useful variants.

If you would be interested in receiving an early copy of the template and providing your input, please get in touch with Callum Sinclair.

Callum Sinclair also presented a recent global client webinar on agile alongside Scott Thiel (Hong Kong) – click here for a link to the webinar slides and recording.

The Internet of Things: Ofcom call for input

Posted in EU Data Protection, Mobile Privacy, Telecoms

Written by Nichola Prescott, Associate, London

Ofcom has issued a call for stakeholder input on the emerging Internet of Things.  The Internet of Things describes the inter-connection of multiple “things”, be they devices or sensors, that are able to communicate and share data with one another.  It is set to enable the collection and analysis of data, from many different types of connected devices, in ways that were previously far out of reach.  The predicted growth in the number of interconnected devices is almost 370 million in the UK by 2022 (M2M Application Requirements and Their Implications for Spectrum, April 2014, http://stakeholders.ofcom.org.uk/market-data-research/other/technology-research/2014/M2MSpectrum).

Ofcom highlights the potential benefits across the healthcare, transport and energy sectors in particular, including by way of example: the ability to monitor and manage a patient’s condition remotely rather than in hospital, thus reducing healthcare cost; managing traffic flow by tracking vehicles; and connecting household, office and industrial equipment to enable their use of energy to be monitored and changed accordingly (e.g. to a cheaper tariff).  More generally, the Internet of Things has the ability to enable businesses to collect data from the things most important to them, and to use that data for the benefit of their business.

Ofcom wants to gain a better understanding of the actions needed in order to ensure that the UK takes a leading role in driving the development of the Internet of Things.  It asks for views on a number of matters, including spectrum and network requirements, network security and resilience, data privacy, and the type of address (telephone number or IP) that could be used to allow devices to communicate.  It also recognises the potential for new policy issues that might arise.  Citing its duty (under Article 13a of the European Framework Directive) to ensure that measures are taken to prevent and minimise the impact of security incidents, it is not surprising that many of the policy issues identified are security-focussed.  Some of the potential policy issues are: the vulnerability of devices to cyber threats and malware; the security and privacy of data collected, stored and processed by devices; and the ability of applications to be able to access and utilise “big-data” generated and shared by connected devices.

Submissions are requested by 1 October 2014, following which Ofcom expects to develop a view on next steps during the last quarter of this year.  The call for input was published on 23 July and is available at http://stakeholders.ofcom.org.uk/binaries/consultations/iot/summary/iot-cfi.pdf
