Wednesday, 14 September 2011

Electronic Espionage

The UK differs from the United States, which has sought through codification in the Restatement and the Uniform Trade Secrets Act[1] to introduce a legislative set of controls preventing electronic espionage. The English law as it relates to a breach of confidential information is exclusively derived from the common law as it has evolved through the cases. A duty of confidence arises when confidential information comes to the knowledge of an individual in circumstances where it would be unfair were that information to be divulged to another. This could be a result of the receiver of the information being on notice, or having an agreement, that the information was to be so handled. A breach of confidence is the contravention of a duty which can result in a civil action[2]. Breach of confidence will regularly occur in association with the disclosure of data with a commercial value. It can also comprise personal information regarding individuals.

Breach of confidence is complex. It enlarges to “reflect changes in society, technology and business practice”[3]. Furthermore, Art. 8 of the European Convention on Human Rights (concerning the right to privacy) has expanded the available actions connected with a breach of confidence to include safeguarding against the misuse of private information[4]. Under English law, the plaintiff must prove three things in order to succeed in an action for a breach of confidence:

  1. the information must be confidential, but does not apply to information which is trivial[5];
  2. the information was provided in circumstances importing an obligation of confidence;
  3. there must be an unauthorized use or disclosure of the information, and, at least, the risk of damage[6].

The jurisdictional basis in English law of the action for breach of confidence is unclear. The foundation most regularly relied upon is contract[7]. Frequently the parties will have incorporated express terms relating to confidentiality, but the courts have also commonly acted on the basis of an implied confidentiality provision in an existing contractual relationship. The courts have also created an equitable obligation of confidentiality autonomous of any contractual relationship. This obligation applies to the initial beneficiary of the information, and to third parties who receive unauthorized disclosures of confidential information. This has also been used in addition to a contractual obligation, and at times in substitution for a contractual obligation.

The duty that confidence should be preserved may be outweighed by a variety of other civic causes. These call for disclosure in the public interest. Either the world at large or the appropriate authorities should be informed. It is generally necessary for a court to seek equilibrium for the protection of the public interest. This balance is judged in placing confidentiality against a use or disclosure that favors society and creates quantifiable gains[8]. Disclosure of confidential information will not be restrained where there is a ‘just cause or excuse for disclosing it’[9].

An ISP or ICP needs to consider both the public interest as well as the need to protect client data. Failing to safeguard the interests and data of their clients increases the risk to the intermediary. This risk comes from damages in civil actions if the intermediary is found liable. This issue is a particular concern for ICPs (who have some obligation unless explicitly excluded in contract) and particularly service providers specializing in the provision of security services. These providers are contracted to ensure that the security of their clients is maintained and are open to actions in both contract and negligence if they fail in their duties.

The appropriate law of a contract is the system of domestic law that defines the obligations assumed by the parties to the contract. International law does not thoroughly define the requirement needed in a contract. The status is clearest where the parties have explicitly chosen the law that will apply in the contract. The parties may expressly choose the body of law, which will apply to all or part of their contract including offer and acceptance.

The UK requires that the parties expressly choose to include the Hague Uniform law (Art.3, s.1 (3) Uniform Laws on International Sales Act 1967) [ULIS] in the contract terms before it applies to the sale of goods. This can, if included, have an impact on the process of offer and acceptance. Where there is knowledge of the residence or place of business of the contracting parties who each exist in a different state, several results arise in the case of a web site operation (for instance). Either “the contract concerns the sale of goods which are to be carried from one state to another or the acts constituting offer and acceptance have been effected in different states or the goods are to be delivered to a state other than that where the acts constituting offer and acceptance have been effected” [10].

Complications may occur if parties reside in a different state from where they hold their e-mail (Hyde v Wrench 1840) or other accounts. Treitel also notes that the communication of acceptance determines the time and place at which the contract is created. The general rule is that a contract is formed at the time and place that the acceptance is received, unless accepted by post, in which case the contract is formed at the time and place of posting of the acceptance. In cases such as this, the location where the e-mail is accessed and the time at which the acceptance is made are both critical points. The place where the user accesses their e-mail may affect the acceptance. In many jurisdictions, the time and place of receipt of a message derives from when it is available to the recipient (Art.1335 Italian Civil Code; US: Restatement 2d of Contracts, S 56; Germany: case RGZ 144, 292). In the case of e-mail, the time it is available to the recipient is when it arrives on the client’s mail server. In this way, the timing and even validity of an offer and acceptance to a contract may come into dispute and may even come into effect in two or more places (Apple Corps Limited v Apple Computer, Inc. [2004]).

One of the greatest difficulties arises as an ISP or content hosting operator will clearly not be in a contractual relationship with the owner of the confidential information. The equitable doctrine, imposing an obligation of confidentiality in respect of information which the recipient knows or ought to have known to be confidential, and further which was proffered under circumstances implying confidentiality may be appropriate in selected circumstances. Nevertheless, it is clear that there remains a substantial dilemma for the plaintiff in proving that such an obligation exists. This would be predominantly true where an ISP or ICP declares unawareness of what content was on the site.

[1] The Restatement and Uniform Trade Secrets Act (1985) USA. “In view of the substantial number of patents that are invalidated by the courts, many businesses now elect to protect commercially valuable information through reliance upon the state law of trade secret protection. Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974), which establishes that neither the Patent Clause of the United States Constitution nor the federal patent laws pre-empt state trade secret protection for patentable or unpatentable information, may well have increased the extent of this reliance”.
[2] Lord Nicholls in Campbell v MGN Ltd [2004] A.C.457 at 464-5 summarized the law of confidence as “[the imposition] of a duty of confidence whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential”.
[3] Douglas v Hello! Ltd [2001] QB 967, per Keene LJ.
[4] Campbell v MGN Ltd [2004] A.C.457.
[5] Faccenda Chicken Ltd v Fowler [1987] Ch. 117.
[6] Coco v AN Clark (Engineers) Ltd. [1969] RPC 41; Murray v Yorkshire Fund Managers Ltd [1968] 1 WLR 951. See generally Clerk & Lindsell on Torts, 19th edition (2006), Chapter 28, paragraphs 28-01 and 28-02.
[7] The formation of electronic contracts subsists as a subset of all contractual formation. By their very nature and as it is expressed in a large number of contractual disputes which occur every year without dispute as to the content of the contract, contracts are uncertain. Thus it must logically follow that there will always remain a level of uncertainty in electronic contract formation. At best, if all uncertainty associated with the electronic nature of a contract was removed leaving no dispute between the natures of formation whether written, verbal or electronic; there remains room for uncertainty.
[8] Attorney General v Observer Ltd. and Others (on appeal from Attorney General v Guardian Newspapers (No.2)) [1990] 1 AC 109, see especially pages 281 B-H and 282 A-F, per Lord Goff of Chieveley. See: Clerk and Lindsell on Torts, 19th Edition (2006), Chapter 28, paragraph 28-05.
[9] Malone v Metropolitan Police Commissioner [1979] 2 WLR 700 at 716, per Sir Robert Megarry V-C and see also W v Edgell [1990] Ch. 389; and R v Crozier [1991] Crim LR 138, CA.
[10] Schu, Reinhard “Consumer Protection and Private International Law in Internet Contracts” International Journal of Law and Information Technology (1997) 5 Int J L & IT 192.
