Tribunal Rules That Use of Personal Data by UK Intelligence Services Breached Human Rights

In a landmark ruling, the Investigatory Powers Tribunal has held that UK Intelligence Services, including MI5, MI6 and GCHQ, collected and used personal data in breach of Article 8 of the European Convention on Human Rights (ECHR), in some cases for up to 17 years.

The ruling was given in proceedings brought by the human rights organisation, Privacy International and concerned:

  1. the collection and use of personal data by UK Security and Intelligence Agencies (SIAs) themselves. This was known as ‘Bulk Personal Datasets’ or ‘BPD’ and covered broad categories of data, including biographical, travel, communications and financial data. BPD was acquired and used by GCHQ, MI5 and MI6 pursuant to their general powers to obtain information in support of their functions under the Intelligence Services Act 1994 and the Security Service Act 1989; and
  2. the transfer of communications data, by telecommunications and internet service providers, to MI5 and GCHQ, as required by directions issued by the UK government under s94 of the Telecommunications Act 1984. This was known as ‘Bulk Communications Data’ or ‘BCD’. It included the “who, when and where” of both telephone and internet use, including the location of mobile and fixed line phones from which calls were made or received and the location of computers used to access the internet, but not the content of these communications.

Both BPD and BCD would be searched by the SIAs to discover details about “persons of intelligence interest”.  Privacy International contended that the BPD and BCD regimes infringed Article 8 ECHR. Article 8 provides:

Everyone has the right to respect for his private and family life, his home and his correspondence.

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

The UK government and the SIAs argued in response that the collection and use of personal data was lawful and essential for the protection of national security.

The Tribunal was satisfied that the legislation underpinning the collection and use of both BPD and BCD was lawful but held that Article 8 had been infringed because of the lack of adequate safeguards around this process. The Tribunal highlighted that there were no applicable codes of practice (or anything approximating to them), no statutory oversight and a “fragmented” system of independent Commissioners responsible for monitoring what the SIAs were doing.  Furthermore, said the Tribunal, the public had no knowledge of what the SIAs were doing.  Not even Parliament was aware, although several opportunities had arisen when it would have been possible to explain this to Parliament.

Accordingly, both the BPD and BCD regimes had not been Article 8 compliant up until 2015 when safeguards had been put in place. This meant that the BPD regime infringed Article 8 for around a decade and the BCD regime for up to 17 years. The Tribunal expressed reservations about whether transfers of BPD and BCD by SIAs to other bodies, such as foreign partners and UK Law Enforcement Agencies, were currently Article 8 compliant. In terms of compensation for affected individuals, the Tribunal said:

It does not follow that a complainant who establishes that his or her complaint falls within the jurisdiction of this Tribunal… but who has no ground to believe that his or her data have been accessed and examined, would have an actionable personal complaint on the grounds that the BCD and BPD regimes under which such data were obtained and retained were, until [2015], non-compliant with Article 8 and therefore unlawful

For more information on this ruling, or data privacy matters generally, please feel free to call Asel Ibraimova.

The Federal Circuit Clarifies When Claim Scope is Disavowed

The claims of an issued patent describe the metes-and-bounds of the invention. However, that depends on the court’s interpretation, i.e., construction, of the claimed terms. Statements made by an inventor in her patent application, or those made during prosecution, may be deemed during claim construction to have disavowed subject matter which an inventor thought was embraced by her patent. When considering whether or not subject matter was disavowed, two recent opinions emphasize that such disavowal must be unambiguous and made in the context of the issued claims. Statements made in a patent application hold greater weight than do statements made during prosecution since “[u]ltimately, the only meaning that matters in claim construction is the meaning in the context of the patentPoly-America, L.P. v. API Industries, Inc., p. 10 (emphasis added).

Poly-America relates to a patent infringement suit about trash bags. The accused infringer successfully argued that the claimed term “short seal” should be interpreted to include, inter alia, a feature extending inwardly from the interior edge of the side seal, even if this additional feature was not recited in the claim.  The defendant argued that the inventor had disavowed a broader interpretation. The defendant’s allegedly infringing bag did not have this inwardly extended feature but rather had a single width for the entire bag. The patent taught that prior trash bags would not wrap securely around the rim of a trash receptacle. Instead, the bags disclosed in the patent specification, with inwardly extended short seals, did wrap so securely. Despite intentionally reciting the inwardly extended feature in some but not all claims, the court noted that “[e]very embodiment described in the specification has inwardly extended short seals and every section of the specification indicates the importance of inwardly extending short seals.” Id. at p. 10. The abstract even stated that the bag of the present invention had a reduced upper opening. Moreover, the patentee argued during prosecution that prior art trash bags were distinguishable because they had linear and parallel side seals, not inwardly facing ones. The court found that the inventor had disavowed an interpretation of “short seal” that didn’t include this inwardly extended feature.

The court in Poly-America instructs in dictum that while disavowal must be clear and unequivocal, it need not be explicit. An inventor may disavow claims lacking a particular feature when the specification describes the “present invention” as having that feature. An inventor may also disavow claims lacking a particular feature when the specification distinguishes or disparages prior art based on the absence of that feature. The specification thus remains the single best guide for claim construction.

The court will look at a patent’s prosecution history to see if disavowal by prosecution history disclaimer is appropriate. In M.I.T. v Shire Pharmaceuticals, Inc., the court looked at prosecution history but found it was insufficient to meet the disavowal standard. MIT’s patent claimed a cell-scaffold which included cells derived from vascularized tissue. Shire argued that vascularized tissue excluded skin cells due to MIT’s allegedly disavowing statements, but this argument failed. Unlike in Poly-America, the clear and unequivocal disavowal standard was not met because the allegedly disavowing statements were made out of context. While Shire was able to select statements MIT made during an examiner interview that the prior art was distinguishable because it was limited to skin cells, the court found these statements insufficient to disavow skin cells from the claims. When MIT made these statements, the then-pending claims were not those that ultimately issued. Shire’s advantageous selection of MIT’s declarant remarks were also unpersuasive as to whether skin cells were disavowed from the claims. Though these declarant’s remarks, absent context, suggested that vascularized tissue did not include skin cells, the court stated that in “the context of the overall prosecution history” the isolated statements didn’t meet the high standard for prosecution disclaimer. When the statements were made, the claim limitations at issue were not under examination. Thus, these statements did not alter or disclaim the ordinary meaning of vascularized organ tissue as used in the specification.

As evident from the holding in Poly-America and M.I.T., claim scope disavowal must be proven by clear and unequivocal evidence. Courts will limit claim scope when the patentee unambiguously states that the present invention does or does not include certain features even if those features are not recited in the claims. Such unambiguous disavowal is most readily found, if at all, in the patent application though it may also be found in the prosecution history if it is made in the context of the claimed terms which ultimately issue. Practitioners should consider whether statements in a patent application or those made during prosecution may be deemed to have disavowed claim scope which is valuable to the inventor. Where appropriate, practitioners should qualify these statements or provide the correct context for interpreting them to avoid claim scope disavowal.

Weekly Data Privacy Alert – 17 October 2016

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Protection & Cybersecurity team. This week’s alert covers news from:


  • ICO Issue Record Fine to TalkTalk
  • ICO Commissioner’s First Speech in Offce


  • Baden-Württemberg Commissioner Presents Assessments of IoT Products
  • International Company Sues Germany for Remote Signal Monitoring


  • Yahoo Discloses Data Breach – Questions Follow
  • States Take DHS Up on Offer to Provide Election Cybersecurity Help


Annette Demmel (Germany)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

IP addresses constitute personal data according to the CJEU

In a decision dated 19 October 2016, the Court of Justice of the European Union (CJEU) has provided much needed clarification on a long-standing issue in EU data protection law.

A German politician brought an action concerning websites operated by the Federal Republic of Germany that stored personal data, including IP addresses, on logfiles for two weeks.  The question before the CJEU was – are IP addresses personal data?  According to Article 2(a) of EU Directive 95/46 “personal data” is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly from the data.

The CJEU ruled that dynamic IP addresses constitute personal data for an online media service provider (here the Federal Republic of Germany) that makes a website accessible.

A dynamic IP address means that the computer’s IP address is newly assigned each time the website is visited.  Unlike static IP addresses, it is not possible for dynamic IP addresses, using only files which are accessible to the public, to create an identifiable link between the user’s computer and the physical connection to the internet provider’s network . Hence, the data included in a dynamic IP address does not enable the online media service provider to identify the user.

However, according to the CJEU, a dynamic IP address will be personal data if the additional data necessary to identify the user of a website is stored by the user’s internet service provider. The website provider only needs to have the legal means which enables him to identify the user. Legal means are, for example cyber attacks and does not have to be applicable for the specific case.

This decision has significant practical implications for all website providers, because the storing of user information by internet service providers falls under data protection laws. Ultimately, the website provider needs the consent of the user to store the dynamic IP address. This will also apply after the General Data Protection Regulation (GDPR) comes into force in May 2018, because Article 2 of Directive 95/46 is incorporated in almost the same words in Article 4 (1) of the GDPR.




Our UK Intellectual Property Team leads our client to High Court Victory

We are pleased to report that our client, Process Components Limited (PCL), has been victorious in the High Court in a case concerning the sale and licence of intellectual property rights.  PCL was represented by our UK Intellectual Property team and secured a win on every issue in the claim. The decision is of interest in and of itself as it deals with some interesting issues around the interpretation of contracts and the scope of the doctrine of ‘estoppel’.  We have produced a briefing which gives more information about the issues in the case.

Our UK IP team continues to advise clients on a wide range of IP matters.  For more information on this High Court ruling, or IP issues more generally, please feel free to contact Carlton Daniel or Carl Rohsler – both IP partners who led PCL’s High Court claim.




Nokchan v Lyft: Since the Spokeo Decision Privacy Continues to be a Hot Topic as Circuit Courts Fracture

On October 5, 2016, in Nokchan v. Lyft, Inc, United States District Court for the Northern District of California dismissed Nokchan’s putative class action, finding his claim of privacy violations under the Fair Credit Reporting Act (“FCRA”) failed to meet the requirements of Article III standing established by Spokeo, Inc. v. Robins.  This was because Nokchan failed to show a concrete injury. In Spokeo, the Supreme Court held that plaintiffs must show they have a “concrete injury” to establish standing under Article III, and, in certain circumstances, the breach of a “procedural right” amounts to a concrete injury. In a matter of days after Spokeo, several cases invoking the decision arose, with plaintiffs alleging privacy violations due to data breaches.

Nokchan is no exception to the long line of cases post-Spokeo, as it follows hot on the heels of the Sixth Circuit’s decision in Galaria et al. v. Nationwide Mutual Ins.  In this case, the court held in favor of the plaintiff’s FCRA claim. The plaintiff’s claim was based on a data breach and the court found that the theft of data placed the plaintiff at a higher risk of fraud and identity theft, and that this constituted a concrete injury.  Although Nokchan and Galaria each deal with different injuries, the application of Spokeo is similar in both cases and continues to diverge from the 11th Circuit’s recent interpretation of the case. The Circuit split and lack of consistency in applying the Article III standing requirements post-Spokeo suggest this issue will likely be analyzed again by the Supreme Court.

In particular, the Nokchan decision diverges from case law post-Spokeo because it puts the burden on the plaintiff to prove cognizable harms in addition to alleging a statutory violation. This interpretation of Spokeo conflicts with some courts’ interpretation, such as the 11th Circuit, that interpreted Spokeo more broadly to confer standing to plaintiffs with just “informational injuries” without additional articulated harms.

In Nokchan, the plaintiff’s claim arose as a result of an employment application with Lyft which required Nokchan to complete a credit and background check. Nokchan alleged that Lyft violated his privacy and statutory rights by failing to comply with the disclosure requirements under the FCRA and state laws. Nokchan also alleged that Lyft failed to provide a “clear and unambiguous” disclosure of his rights under the FCRA and state laws at the time of the disclosures.  Lyft, relying on Spokeo, moved to dismiss the complaint based on a lack of standing because Nokchan had failed to prove a concrete injury.  The court agreed.

Nokchan attempted to distinguish his claim from the position under Spokeo. First, without citing any support, Nokchan argued that the invasion of privacy is a traditionally recognized injury and that his authorization to Lyft was not proper. Second, Nokchan also argued that he suffered an “informational injury,” which was sufficiently concrete to meet the requirements of Spokeo. The court disagreed, recognizing the case law post-Spokeo has not been consistent with respect to “how broadly to read the language in Spokeo with respect to informational injury.” The court noted it disagreed with the Eleventh Circuit’s “broad reading” in Church v. Accretive Health, Inc. (where it was found that a hospital’s failure to provide certain disclosures to a patient under the Fair Debt Collection Practices Act resulted in a concrete injury under Spokeo because the patient’s “right to receive the disclosures is not hypothetical or uncertain”) but agreed with the reasoning of the federal district court in New York in Dolan v. Select Portfolio Servicing, (in which it was held that a loan servicer’s failure to provide disclosures required under Section 2605 of the Real Estate Settlement Procedures Act  did not constitute an intangible harm sufficient to confer standing).

In coming to its decision, the court noted that pre-Spokeo case law would have helped Nokchan establish his claim, because these cases established that “violation of a disclosure requirement under the FCRA, by itself, is sufficient to confer Article III standing on a plaintiff.”  However, that is not the case post-Spokeo. Time will tell how other courts interpret Spokeo with regard to informational injuries, but it is likely that further U.S. Supreme Court clarification on what exactly constitutes a “concrete injury” to confer Article III standing will be necessary.   For now, U.S. companies should continue to argue and push for courts to interpret Spokeo as requiring an articulated concrete harm in addition to “informational injuries” to confer Article III standing.

Patent Prosecution and Defeating Abstractness: Minimizing the Risk of Sect. 101 Rejection

We invite you to attend “Patent Prosecution and Defeating Abstractness: Minimizing the Risk of Sect. 101 Rejection,” a webinar co-presented by James Reed, Senior Patent Counsel in our Intellectual Property & Technology Practice Group. The program will examine recent Federal Circuit decisions on patent eligibility for software and discuss the Court’s different approaches and offer best practices for demonstrating patent eligibility.

Speakers will cover key issues such as:

  • How are the courts applying the framework for patent eligibility created in Alice?
  • What guidance can be gleaned from the Federal Circuit’s decisions in Enfish, BASCOM, DDR Holdings, Rapid Litigation and McRo?
  • What are best practices for patent counsel to avoid patent-eligibility issues?

The webinar will take place at 1 p.m. EDT on Thursday, November 10. The program is eligible for up to 1.5 MCLE credits in certain states provided by Strafford, an accredited provider. For more information and to register, visit the Strafford website.

We have 10 complimentary registrations available on a first-come, first-served basis. If you would like to take advantage of this offer, please email Strafford at

Jury Awards Tiffany & Co. Punitive Damages of $8.24 Million in Costco Infringement Case


On Wednesday, a Southern District of New York jury awarded punitive damages of $8.25 million to Tiffany & Co. in its case alleging Costco infringed the TIFFANY trademark by selling rings labeled “Tiffany” at its warehouse stores.  This award is on top of the $5.5 million in damages the jury awarded on September 29, 2016 based on Costco’s profits.  Today’s award brings the total damages to nearly $14 million.

Tiffany filed the suit in February 2013, claiming violations of the federal Lanham Act, as well as state unfair competition laws.  During the litigation, Costco consistently took the position that the TIFFANY mark is invalid because it has become generic for a particular type of ring setting.  However, late last year U.S. District Judge Laura Taylor Swain granted Tiffany’s motion for summary judgment on its trademark infringement and counterfeiting claims, holding that Costco’s use of “Tiffany” on ring labels caused consumer confusion.

The most recent jury award may have been a surprise to some, given that punitive damages are not available under federal trademark law.  The Lanham Act does contain a treble damages provision to enhance awards in certain circumstances, but that provision explicitly states such an award “shall constitute compensation and not a penalty.”  Nevertheless, the jury was able to base its award on New York state law, which allows for punitive damages where a defendant’s conduct constitutes “gross, wanton, or willful fraud or other morally culpable conduct to an extreme degree”

Before the award is final, Judge Swain must decide if she accepts the jury’s findings.  Even then, Costco is widely expected to appeal to the Second Circuit.

Weekly Data Privacy Alert – 26 September 2016

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Protection & Cybersecurity team. This week’s alert covers news from:


  • Parliament Hears First Reading of Unsolicited Marketing Communications (Company Directors) Bill 2016-17
  • Worldwide Data Breaches Increase in 2016


  • Advocate General of the Court of Justice of the European Union Finds That “RTBF Not Absolute”
  • Guernsey Plans to Keep in Line With the GDPR
  • Advocate General: Draft Agreement Between Canada and the EU on PNR Data Partly Illicit


  • The “Deutsche Juristentag” Votes on Digital Reforms of Civil and Labour Law


  • New York State Proposes Cybersecurity Regulation for Financial Institutions
  • Developments Regarding International Communications Privacy Act

Annette Demmel (Germany)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

Calls for Federal Breach Notification Law Continue After Yahoo Data Breach

Data breach prevention and response are again at the forefront of the public consciousness with the recent news of a massive data breach by Yahoo. The call for federal breach notification legislation was revived by the FTC on September 27, 2016, five days after the Yahoo breach was announced. During testimony before the U.S. Senate Committee on Commerce, Science and Transportation, the FTC reiterated “its longstanding, bipartisan call for federal legislation that would (1) strengthen its existing data security authority and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.” Just twelve days prior, John Carlin, assistant attorney general for national security at the Department of Justice, called for a unified federal breach notification law, referring to the existing spread of 47 state laws as “ridiculous.”

Yahoo reported the largest data breach to date, affecting at least 500 million user accounts. The tech giant is not alone in experiencing a significant data breach as many American companies have suffered high profile data breaches in the last couple years. In light of major hacking events becoming increasingly prevalent in the news, consumers, regulators and legislators alike are focusing more intently on data breach response and prevention standards. Earlier this year, the FTC reported receiving 490,220 identity theft complaints from consumers during 2015—a 47% year over year increase.

Past attempts at federal breach legislation have stalled. In January 2014, the Data Security Breach Notification Act of 2014 was introduced in the Senate but did not move past referral to a Senate subcommittee. The following year, President Obama addressed the FTC and announced the introduction of new federal data breach notification legislation, among other measures to protect individual privacy and guard against identity theft. The Personal Data Notification and Protection Act of 2015 was introduced in the House of Representatives two months later in March 2015, but it also did not move past subcommittee review.

Currently, data breach notification laws exist at the state level— with 47 states plus D.C. each having their own breach notification law. Thus companies storing the personal information of residents of multiple states—an increasingly common situation thanks to Internet commerce—may need to comply with dozens of separate breach notification standards in the event of a security incident.

It remains to be seen whether federal breach notification legislation will be enacted in the coming months or years. In the meanwhile, U.S. companies should understand that data breaches are here to stay—and will only become more prevalent. Accordingly, companies should be proactive in establishing functional policies to respond to a breach, and actively engage in table-top exercises to ensure they are ready to address breach incidents swiftly and appropriately.