Draft Adequacy Decisions

Draft Adequacy Decisions: Data Flows EU to UK

Draft adequacy decisions were published on 19 February 2021 by the European Commission (EC) for personal data transfers from the EU to the UK. The significance of the drafts are considerable given they are the first to be produced since the European Court of Justice’s (ECJ) ruling in Schrems II which struck down the adequacy decision previously granted to the EU-US Privacy shield.

The EC’s press release on the draft adequacy decisions stated that it has carefully assessed the UK’s law and practice on personal data protection, including the rules on public authorities access to personal data, and concluded that the UK ensures an ‘essentially equivalent’ level of protection to that guaranteed under the EU GDPR and Law Enforcement Directive.

What does adequacy mean?

‘Adequacy’ is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The UK is seeking adequacy decisions under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).

The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary. The trade deal agreed between the UK and the EU means that the UK has a bridge until 30 June 2021 where data can continue to flow from the European Economic Area (EEA) to the UK whilst the adequacy decisions process takes place. The bridge can finish sooner than this if the EU adopts adequacy decisions in respect of the UK.

Transfers of data from the UK to the EEA are permitted. The UK Government has recognised EU Commission adequacy decisions made before the end of the transition period. This allows restricted transfers to continue to be made from the UK to most organisations, countries, territories or sectors covered by an EU adequacy decision.

Adequacy criteria

In order to draw conclusions on the UK’s data protection regime, the EC assessed a number of factors when producing the draft adequacy decisions:

  • UK constitution – especially in relation to the UK’s adoption of the rights in the European Convention on Human Rights in its UK Human Rights Act 1998.
  • UK data protection laws – particularly how the UK has adopted EU data laws following Brexit through the implementation of the UK GDPR and maintenance of the DPA 2018. This includes the incorporation of both the territorial and material scope of EU data law as well as definitions, principles and rights afforded to individuals. The main point being that they are all equivalent to those in the EU GDPR.
  • Restrictions on transfers outside of the UK – how, via the implementation of the UK GDPR, the rules on international transfers of data are as restrictive as under the EU GDPR, and how data subjects in the EU can therefore have confidence that onwards transfers of data will be effectively restrained.
  • Enforcement – the Information Commissioner’s Office (ICO) is the “independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules” and is equivalent to the various data protection authorities to be found throughout the member states of the European Union. The EC considered the number of cases investigated and fines imposed by the ICO, as a method by which to deduce its legitimacy.
  • Redress – here the EC highlighted the ability of data subjects to make complaints with the ICO, prosecute for damages under the UK GDPR and utilise the Human Rights Act 1998 to express their data rights, with the European Court of Human Rights as an ultimate source of authority.

Consequences of adoption

If adopted, the draft adequacy decisions will be valid for an initial term of four years, only renewable if the level of protection in the UK continues to be adequate. The drafts include strict mechanisms for monitoring and review, suspension or withdrawal, to address any problematic development of the UK system which will no longer be bound by EU privacy rules.

UK government response to the draft adequacy decisions

The UK government has welcomed the draft adequacy decisions, urging the EU to fulfil its commitment to complete the approval process swiftly. The Information Commissioner described the progress as "an important milestone in securing the continued frictionless data transfers from the EU to the UK".

The draft adequacy decisions are now with the EDPB for a "non-binding opinion", following which the EC will request approval from EU member states' representatives. It could then adopt final adequacy decisions. Until then, organisations continue to be able to receive personal data from the EU under the temporary "bridging mechanism", agreed in the EU-UK Trade and Cooperation Agreement.

Schrems II

The draft adequacy decisions also include a detailed assessment of the conditions and limitations, as well as the oversight mechanisms and remedies applicable in case of access to data by UK public authorities, in particular for law enforcement and national security purposes. These are likely included to address the ECJ's ruling in Schrems II and concerns over the UK's use of mass surveillance techniques.

In Schrems II, the ECJ ruled that free data flows moving from the EU to certain US organisations under the EU-US privacy shield did not offer an essentially equivalent level of protection as under EU law. This was substantially based on the fact that national security laws in the US were deemed to undermine citizens’ data rights. When assessing the UK, the ECJ, in light of the ruling in Schrems II, was always going to pay close attention to UK national security laws. Additionally, Schrems II introduced more stringent obligations on organisations when carrying out cross border data transfers and so there has been a general concern that this newly stringent approach may reduce the UK’s chance of receiving an adequacy decision. The drafts can therefore be seen as a highly positive step.

What stands in the UK’s way?

Although the process for an adequacy decision under the EU GDPR is now underway with the draft adequacy decisions in place and, although the UK government has stated on a number of occasions that it is confident that the EU will deem the UK data protection regime ‘essentially equivalent’, it is worth noting that a number of issues may impact on the UK's ability to satisfy the EU:

  • The UK's use of mass surveillance techniques may lead to EU member states raising concerns about data protection in the UK, which might jeopardise an Adequacy Decision. The ruling of the ECtHR which held that aspects of the UK's surveillance regimes under the Regulation of Investigatory Powers Act 2000 (RIPA) did not comply with Articles 8 and 10 of the ECHR, is particularly relevant (Big Brother Watch and others v United Kingdom). The human rights groups which brought the claim were not satisfied with the judgment and appealed to the Grand Chamber, the ECtHR's highest judicial bench.
  • Membership of the Five Eyes intelligence sharing community means EU citizens' data could be transferred by UK security services to third countries (including the US) which are not considered to have adequate data protection.
  • Potential for unprotected onward data transfers as the UK will be able to decide which countries it deems adequate and what arrangements to have with them.

The draft adequacy decisions - a positive step

Although nothing can be taken for granted, the draft adequacy decisions are a positive step and the fact that the UK has committed to remaining party to the ECHR and "Convention 108", will likely carry some leverage as adherence to such international conventions is important for the stability and durability of adequacy findings.

If you have any questions on the draft adequacy decisions, data protection law more generally or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


E-privacy

E-Privacy – PECR and Brexit

E-Privacy regulations complement data protection laws by setting out privacy rights for electronic communications. The idea being that whilst widespread public access to digital mobile networks and the internet has opened up new possibilities for businesses and users, they have also created new risks for privacy. E-Privacy regulations have been a point of contention within the EU and reform has been expected for some time. On 10 February 2021, 4 years after the European Commission’s initial legislative proposal and to the surprise of many, the European Council reached a compromise agreement on their position on the E-privacy Regulation. What this means for E-privacy rules in the UK remains to be seen. With Brexit behind us, and therefore no obligation to introduce new EU legislation in the UK, but with an adequacy decision pending, and therefore a desire for the UK to align with the EU on data protection, it is hard to say whether or not the UK will choose to implement them. For more information on data protection and a potential adequacy decision after Brexit read our blog.

E-Privacy and PECR

PECR are the Privacy and Electronic Communications Regulations which comprise the E-privacy regulations in the UK. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003. They are derived from European law. PECR have been amended a number of times. The more recent changes were made in 2018, to ban cold-calling of claims management services and to introduce director liability for serious breaches of the marketing rules; and in 2019 to ban cold-calling of pensions schemes in certain circumstances and to incorporate the GDPR definition of consent.

What kind of areas do PECR cover?

PECR cover several areas:

  • Marketing by electronic means, including marketing calls, texts, emails and faxes.
  • The use of cookies or similar technologies that track information about people accessing a website or other electronic service.
  • Security of public electronic communications services.
  • Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg caller ID and call return), and directory listings.

How does this fit with the UK GDPR?

The UK GDPR sits alongside PECR. PECR rules apply and use the UK GDPR standard of consent (which is a high threshold). This means that if you send electronic marketing or use cookies or similar technologies you must comply with both PECR and the UK GDPR. Unsurprisingly, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the UK GDPR, and vice versa – but there are some differences. In particular, it’s important to realise that PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.

If you are a network or service provider, Article 95 of the UK GDPR says the UK GDPR does not apply where there are already specific PECR rules. This is to avoid duplication, and means that if you are a network or service provider, you only need to comply with PECR rules (and not the UK GDPR) on:

  • security and security breaches;
  • traffic data;
  • location data;
  • itemised billing; and
  • line identification services.

Electronic and telephone marketing

PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies. Companies will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.

E-Privacy: Cookies and similar technologies

Companies must tell people if they set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given. There is an exception for cookies that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking). The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.

Communications networks and services

PECR are not just concerned with marketing by electronic means. They also contain provisions that concern the security of public electronic communications services and the privacy of customers using communications networks or services. Some of these provisions only apply to service providers (e.g. the security provisions) but others apply more widely. For example, the directories provision applies to any organisation wanting to compile a telephone, fax or email directory.

EU Council position on E-Privacy rules

On 10 February 2021, EU member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services. These updated E-privacy rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices. The agreement allows the Portuguese presidency to start talks with the European Parliament on the final text. The agreement included:

  • The regulation will cover electronic communications content transmitted using publicly available services and networks, and metadata related to the communication. Metadata includes, for example, information on location and the time and recipient of communication. It is considered potentially as sensitive as the content itself.
  • As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the E-privacy regulation.
  • Permitted processing of electronic communications data without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security.
  • Metadata may be processed for instance for billing, or for detecting or stopping fraudulent use. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed. Metadata may also be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters.
  • In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent or certain provisions on legislative measures under EU or member state law. This  processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it.
  • As the user’s terminal equipment, including both hardware and software, may store highly personal information, such as photos and contact lists, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific transparent purposes laid down in the regulation.
  • The end-user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.
  • To avoid cookie consent fatigue, an end-user will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment.

Brexit

PECR continues to apply after the UK's exit from the EU on 31 January 2020. The draft ePR, described in detail above, which is still in the process of being agreed, was not finalised before 31 January 2020 and will therefore not become directly applicable in the UK. Once it is directly applicable to EU member states (which is likely 24 months after its coming into force), the UK will then need to consider to what extent to mirror the new rules. In any case, given that UK companies will continue to process data of EU end users, it will still be necessary to be aware of any discrepancies created by E-privacy reform in the EU.

The deadlock is over

It has long been considered that EU E-privacy regulations have lagged behind the technological progress seen in online marketing techniques and EU negotiations around reform have at times seemed never-ending. The agreement reached by the EU council will therefore be seen as a necessary improvement in legal certainty, although plenty of questions still abound.

PECR in its pre-reformed state will continue to apply in the UK. On 19th February 2021, the European Commission issued its draft adequacy decision that would allow EU-to-UK data transfers. While the E-privacy Regulation is not strictly relevant to the UK’s continued adequacy status, alignment on E-privacy rules would likely be viewed positively by the EU institutions, which could prompt the UK to update its laws in line with the new EU regime. The reforms will of course also be relevant to any UK business that operates in the EU. Even if the Regulation is finally adopted this year, it will not apply for a further two years meaning, these changes will likely not come into effect until 2023 at the earliest.

If you have any questions on E-privacy and data protection, data protection law more generally or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Space Law

Space Law: The Commercial Space Race Begins

Space law is the body of law governing space-related activities, encompassing both international and domestic agreements, rules, and principles. Parameters of space law include space exploration, liability for damage, weapons use, rescue efforts, environmental preservation, information sharing, new technologies and ethics. SpaceX, in May 2020, became the first private company to send humans to space. What this implies is hard to say. A recent article in the Harvard Business Review sees the sky, or should I say heavens, as the limit. With a healthy interplay between public and private investment, international co-operation and a rule of law suited to this harsh environment, it suggested that NASA’s prediction, in their 1977 report ‘Long-Term Prospects For Developments In Space’, that extra-terrestrial economies could one day out-strip terrestrial ones, was not so far-fetched. The Artemis Accords, signed in 2020 by the directors of 10 national space agencies, also indicates a shift in space law that better accommodate commerce.

Space-for-space economy

An important distinction made in the Harvard Business Review article was between a space-for-earth economy and a space-for-space one. The space-for-earth economy uses space to deliver benefits to those on earth. The use of satellites for telecommunications, internet infrastructure, or earth observation capabilities and national security. The real shift will be when companies are able to offer services in space for use in space – the space-for-space economy. However, creating such a market will require the existence of consumers beyond the stratosphere. Which may not exist for some time. In the meantime private companies will have to rely on public contracts. Hopefully, being able to supply to government space agencies will enable and invigorate supply to future commercial markets. Here are some examples of work being done:

  • SpaceX hopes to support transportation for large numbers of private space travellers. Currently their space-for-space transport solutions have been for government bodies (NASA) only. But with future decreases in the cost of launching spacecraft, SpaceX could be instrumental in putting people into space and creating the demand necessary for a space-for-space economy to develop.
  • Made In Space, Inc. is currently exploring high-quality fibre-optic cable, manufactured in zero-gravity for sale on earth. The company also recently received a $74 million contractto 3D-print large metal beams in space for use on NASA spacecraft. Such construction capabilities will be essential in a developing space-for-space economy.
  • In February 2020, Maxar Technologies was awarded a $142 million contractfrom NASA to develop a robotic construction tool that would be assembled in space for use on low-Earth orbit spacecraft. Such tools will be just as useful for a future private sector.
  • In 2015 Argotec and Lavazza collaborated to build an espresso machine that could function in the zero-gravity environment of the International Space Station. Such luxuries will be crucial for the development of an economy in space, even if for the moment they are mostly publicity stunts.
  • In 2010, Planetary Resources, Inc.and Deep Space Industries, were set up with space mining as their objection (lunar mining). Both failed because the lack of a space-for-space economy made the cost of extracting minerals to be brought back and sold on earth too high to be viable. The natural resources known to exist on the moon will, if a space-for-space economy develops, become big business.

Space law

In what legal system is this commercial activity taking place? Space law is by its nature extra-terrestrial and extra-territorial. Accordingly, its usage is governed by an extensive international legal framework, under the aegis of the United Nations (UN), made up of treaties, agreements and conventions governed by international law, which may be implemented into national law. The Artemis Accords have reinforced many of these frameworks and laid the groundwork for more commercially orientated space law.

The Artemis Accords

The Artemis Accords are named after the NASA project which aims to send the first woman and another man to space by 2024. They are an international agreement for cooperation in the civil exploration and use of the Moon, Mars, comets, and asteroids for peaceful purposes, and are grounded in what is often considered the foundation of space law, the Outer Space Treaty of 1967. The stated purpose of the Artemis Accords is to "provide for operational implementation of important obligations contained in the Outer Space Treaty and other instruments." The provisions:

  • Affirm that cooperative activities under these Accords should be exclusively for peaceful purposes and in accordance with relevant international space law.
  • Confirm a commitment to transparency and to share scientific information, consistent with Article XI of the Outer Space Treaty.
  • Call for a commitment to use reasonable efforts to utilize current interoperability standards for space-based infrastructure, and to establish standards when they do not exist or are inadequate.
  • Call for a commitment to take all reasonable efforts to render necessary assistance to personnel in outer space who are in distress.
  • Specify responsibility for the registration of objects in space.
  • Call for a commitment to publicly share information on their activities and to the open sharing of scientific data.
  • Include an agreement to preserve outer space heritage, which they consider to comprise historically significant human or robotic landing sites, artifacts, spacecraft, and other evidence of activity, and to contribute to multinational efforts to develop practices and rules to do so.
  • Include an agreement that extraction and utilization of space resources should be conducted in a manner that complies with the Outer Space Treaty and in support of safe and sustainable activities. The signatories affirm that this does not inherently constitute national appropriation, which is prohibited by the Outer Space Treaty. They also express an intent to contribute to multilateral efforts to further develop international practices and rules on this subject.
  • The Accords provide for the announcement of "safety zones", where operations of other nations or an anomalous event could reasonably cause harmful interference.
  • Include a commitment to mitigate space debris and to limit the generation of new, harmful space debris in the normal operations, break-up in operational or post-mission phases, and accidents.

National framework – UK

The UK has some of its own space law. The UK Outer Space Act 1986 sets out the UK's obligations under the various international treaties and principles covering the use of outer space. This Act also covers entities in certain of the UK's overseas territories and the Channel Islands, as well as the Isle of Man, and requires all those seeking to launch or procure the launch of a space object, operate a space object or undertake any activity in outer space, to obtain a licence. Licensing and other powers are conferred on the Secretary of State for the Department of Business, Energy and Industrial Strategy (BEIS), who carries out these powers through the UK Space Agency (UKSA). The UKSA was launched in April 2010, bringing all UK civil space activities under one single management. The UKSA began operation as a full executive agency on 1 April 2011.

The Space Industry Act 2018 is space law intended to make provision for space activities including vertical launches and suborbital activities in the UK. The UK government intends that licences under it, including for launch and sub-orbital activities, will be granted by 2021. Secondary legislation will be enacted to cover specific aspects of the Act, including licensing and insurance requirements.

Liability

The status and liability of commercial use of outer space, including the moon and other celestial bodies, is not very clear under the existing space law regimes. According to Article VI of the Outer Space Treaty 1967 and Articles II and III of Liability Convention 1972, the country in which the launch of the spacecraft takes place is liable for any activities in outer space. Even in the case of non-governmental activities, the launching state is liable. The possible litigation relating to the commercial activities are mainly the financial consequence of damage caused and also the technical complications that private entities face in case of supply of defaulted parts to national space agencies.

Legal status of resource exploitation

No nation claims ownership of any part of the Moon's surface, and the international legal status of mining space resources is unclear and controversial.

Russia, China, and the United States are party to the 1967 Outer Space Treaty (OST), which is the most widely adopted treaty, with 104 parties. The OST treaty offers imprecise guidelines to newer space activities such as lunar and asteroid mining, and it therefore remains under contention whether the extraction of resources falls within the prohibitive language of appropriation in the treaty. Although its applicability on exploiting natural resources remains in contention, leading experts generally agree with the position issued in 2015 by the International Institute of Space Law (ISSL) stating that, “in view of the absence of a clear prohibition of the taking of resources in the Outer Space Treaty, one can conclude that the use of space resources is permitted”.

Seeking clearer regulatory guidelines, private companies in the US prompted the US government, and legalized space mining in 2015 by introducing the US Commercial Space Launch Competitiveness Act of 2015. Similar national legislations legalizing extra-terrestrial appropriation of resources are now being replicated by other nations, including Luxembourg, Japan, China, India and Russia. This has created an international legal controversy on mining rights for profit. James R. Wilson, a legal expert stated in 2011 that the international issues "would probably be settled during the normal course of space exploration." In April 2020, U.S. President Donald Trump signed an executive order to support moon mining.

The final frontier

With the huge commercial potential that space offers comes the huge mobilisation required for its realisation. More than a little bit of luck will be needed to see dreams realised in the near future. Three things are certain: the private sphere will need invigoration by both government contracts/investment and their willingness to deregulate, such as allowing private space travellers to take on more safety risks than government funded ones; a vigorous upholding of the rule of law will create a bedrock for competitiveness; and a transcendence of geopolitical divides will ensure safe and unimpeded economic development.

Whilst the Artemis Accords have introduced some co-operation between nations on the question of how to regulate activity in space, it lacked two signatories: China and Russia; and failed to clarify whether, under space law, resource extraction could constitute national appropriation of areas in space.

EM law specialises in technology law. Get in touch if you have any questions on the above.


Robot Manufacturing

Robot Manufacturing: Product Liability Law

Robot manufacturing is a growth industry as the costs of producing robots are going down while the savings in labour costs are rising. With the rise and rise of automation in all areas of life, the word robot has come to mean a wider variety of things. Artificial intelligence (read our blog on some legal issues) has received the most amount of attention recently especially given its crossover with big data (read our blog). But what about the more conventional notion of a robot – the walking, talking lump of steel, more willing to do jobs we’re not so keen on. The sort that product liability law applies to more obviously. This blog covers some issues that a robot manufacturer may encounter when putting such a product on the market.

Robot Manufacturing - product liability and safety risk management

Product liability lies in the accountability faced by a manufacturer of a sub-standard, defective or dangerous product. Such accountability applies to the members of the public who purchase such a product and those below a manufacturer in the supply chain. Contractual protections, insurance and effective risk management can be used to protect a manufacturer from such liability.

Can liability for a dangerous or defective product be excluded or limited?

Contractual protections create a variety of scenarios. Whilst a manufacturer may wish to limit its own liability to parties beneath it in the supply chain, they may well wish to enhance the liabilities of a manufacturer above it. The terms of a contract are the vehicle by which this can be achieved. Additionally a robot manufacturer will want to be certain that quality and safety standards are judiciously applied to every level of its supply chain, especially key suppliers. Given the potential technological complexity of such an industry, it may even be useful to seek the advice of specialist consultants who have the know-how to ensure all the liability that should be attributed to suppliers is and that a comprehensive set of standards is agreed to in the contract.

There are various ways that robot manufacturing companies can do this. Limiting and excluding liabilities within their contracts can be one way – but this is only possible for certain things. There are restrictions on limiting liability for dangerous or defective products. Restrictions that overrule contractual clauses. Robot manufacturers should therefore look to other means, i.e. non-contractual, to control their risk.

Different considerations need to be taken into account when dealing with the various parties within the supply chain. For example, manufacturers, distributors, importers and retailers will all have concerns specific to the role that they undertake.

Is there an effective quality and safety assurance programme in place?

Effective quality assurance is at the heart of non-contractual risk aversion for product manufacturers. This is particularly important in the robot manufacturing industry given that the products usually involve a lot of automation and therefore the blame for something going wrong is more likely to fall on the manufacturers’ shoulders, rather than the customers. Setting up an internal committee to oversee product safety is useful first step. The team should incorporate members from all over the business to ensure nothing is missed. The committee's function should be: to review products and their associated documents; ensure that all appropriate regulatory and internal procedures have been followed and documented before and after marketing; authorise any necessary action (for example, changing warnings or design); review after-sales monitoring reports for trends and significant incidents; review insurance arrangements.

Additionally, keeping good records of exactly what was supplied when and by whom can simplify such a committee’s job.

Is there an effective enquiries and complaints system in place?

A robot manufacturing company must be able to respond to any complaints or enquiries with regard to a product’s safety. This is a legal requirement as well as being based on a desire to look out for your customers and improve your product. Things to think about: does the company have a system to handle customer enquiries and complaints? If so, could it be improved? Are staff adequately trained? Does the company have a policy of recovering allegedly unsafe items and investigating and recording the items and circumstances? Is there a systematic review of adverse incident information involving multi-disciplinary input from different departments? Can the company identify repeat claimants who may not be genuine?

The Services Directive (2006/123/EC), before Brexit, created an obligation to inform customers of how to make complaints and how manufacturers should deal with such complaints. The Services Directive is implemented in the UK by the Provision of Services Regulations 2009 (SI 2009/2999) (PSRs). The PSRs apply to most product manufacturers in the UK and introduce obligations around how to respond to enquiries or complaints about their products.

After Brexit, the Provision of Services (Amendment etc.) (EU Exit) Regulations (SI 2018/1329) implemented this EU law into UK law. All of the obligations around how to deal with enquiries or complaints essentially remain the same. Although some changes were made to EEA-specific provisions. This included the revocation of a requirement not to discriminate against customers based on their place of residence. This means that manufacturers in the UK could treat customers in the EEA differently to customers in the UK now that we have left the EU. The practical implications of this change are yet to be seen.

Robot Manufacturing - Data protection and privacy

The use of robots (drones being a good example) fitted with cameras or other sensors which can collect personal data such as images of people or vehicle plate numbers, geolocation data or electromagnetic signals relating to an individual's device (for example, mobile phones, tablets, Wi-Fi routers, and so on) can have privacy implications.

At EU level, there is no data protection legislation specific to the use of robots/drones; the applicable legal framework is contained in the General Data Protection Regulation (EU) 2016/679 (GDPR). In the UK, the processing of personal data via robot/drones is subject to the GDPR and the Data Protection Act 2018 (DPA) and the legal provisions applicable to CCTV systems. After Brexit, the GDPR will be retained in UK law and amended to become the UK GDPR. For more information on data protection after Brexit read our blog.

The GDPR and the DPA set out the conditions under which personal data can be processed and provide for certain exemptions and derogations, the most relevant being:

  • Household exemption: This applies to the processing of personal data in the course of a purely personal or household activity. This exemption could potentially apply to individuals using robots/drones for their own purposes. However, the ECJ has narrowly interpreted this exemption in the context of the use of CCTV camera. As a result, its application will depend on the specific circumstances of each case. The Information Commissioner's Office (ICO), the UK data protection regulator in charge of enforcing GDPR and DPA requirements, has issued guidance in relation to the use of drones. The ICO makes a distinction between the use of drones by "hobbyists" and their use for professional or commercial purposes. Although "hobbyists" would be likely to be exempted from the GDPR and the DPA on the basis of the household exemption, the ICO has provided tips for the responsible use of drones, inviting people to think of privacy considerations and to apply a common sense approach when recording and sharing images captured by a drone.
  • Journalistic exemption: In cases where personal data is collected through drones with a view to the publication of some journalistic, academic, artistic or literary material. In this case, processing would, under certain conditions, be exempt from many data protection obligations to the extent that such obligations would be incompatible with the purposes of journalism, academic, literary or artistic purposes which are sought by the processing.

Here to help

Robot manufacturing companies come up against many of the same legal issues as other product manufacturing companies. Having risk assessment procedures in place, as well as mechanisms to deal with potential faults, should reduce liability. However, robots are likely to be able to collect data and so data protection law also becomes important.

EM law specialises in technology and contract law. Get in touch if you need advice on Robot Manufacturing or have any questions on the above.


Selling A Software Business

Selling a Software Business - Things to Consider

Software comes in all shapes and sizes, serving a diversity of customers broadened by the internet and strengthened by the onset of generations for whom its application is second nature. Whilst selling a software business will meet unique challenges, there are a number of common threads when considering the legal side. This blog covers a range of topics that, if the seller takes on board, could ensure a buyer’s trust and cooperation when negotiating an agreement.

Selling a Software Business - Intellectual Property Rights

A likely first thing on the mind of a buyer will be to secure all intellectual property rights in the target software. This will mean obtaining an assignment or confirmatory assignment from the owners of such rights. The owners could be employees or consultants. Difficulties arise when dealing with previous employees or consultants who take such rights with them after leaving the developers or business which originally created such software. A seller should therefore do all it can to review intellectual property rights when creating a software it may one day wish to sell. If all else fails, indemnities may be the only way to ensure a buyer is comfortable with the purchase.

Software often uses licenced-in intellectual property rights from third parties. Having a strong understanding of exactly what these are and whether it is possible to grant sub-licences under them should be considered. This will mean reviewing the software’s process of production to ensure that no such rights are missed.

Open source software (OSS) is software code that is usually made available to developers for free and can be licenced in a variety of ways. It would be a incorrect to assume that OSS is licenced in an unrestricted manner at all times, even though in recent years it has generally become less restrictive. BlackDuck is a tool which offers companies the opportunity to search the source code of products for any OSS. Any unclear licences can then be satisfied and again it is likely that a buyer will want indemnities or warranties to ensure that all the OSS has been dealt with. At the very least OSS usually requires an acknowledgement of the original author.

Selling a Software Business - Existing Customers

When selling a software business, a buyer is going to want to assess the revenues of your business, the reliability of such revenue and risks involved with providing services to each customer. Issues likely to arise in customer contracts include:

  • Limits and exclusions of liability.
  • Post-contract services such as maintenance and support obligations.
  • Termination rights - whether through an explicit change of control clause or termination periods, or by unclear drafting in the contract. Much can rest upon whether or not a buyer can rely upon long-term customers to continue to use the software after purchase.
  • Non-compete, exclusivity and similar restrictions. As well as affecting the software’s freedom to operate under such restrictions, they may give rise to competition law issues.

Selling a Software Business - Employee retention

Employees can in some cases be as valuable as the software itself, especially if the buyer is looking to develop the software. Employees often have a breadth of knowledge and experience with a piece of software that is difficult to put onto paper. If key employees are lost then as much information as possible should be put down in the software documentation. Employee retention or at least a point of contact with former employees of a software business may well be the pre-requisite of such an acquisition.

Selling a Software Business - Technology Infrastructure

The issue of technological infrastructure is changing. Before the existence of such readily available online platforms with which companies can access and build their own software, technological infrastructure was, for the most part, hardware. This meant that infrastructure was often difficult to integrate into a buyer’s system.

A seller needs to consider whether the technological infrastructure is shared with anyone (say a subsidiary or other company in the seller’s group), whether they plan to integrate the software into the buyer’s technological infrastructure and whether the software is in any way being provided by a third party:

  • Infrastructure shared with other members of the seller’s group – a number of solutions exist to this issue, the most common being licensing or transitional services arrangement within the group that is often limited in time and to particular services.
  • Integration in to buyer’s infrastructure – as well as technical issues of integration and compatibility, if the infrastructure is duplicated, the target should undertake an assessment of whether these duplications can be eliminated and if the seller can terminate relevant supplier contracts.
  • Third parties – it used to be the case that companies using software would share a server with other companies and such hardware would have to be maintained to reach the requirements of each company. With the trend towards virtualisation of the computing environment, seller’s will often be beholden to a variety of third-party platforms to provide cloud space and hosting capabilities. Sellers should therefore review their position in relation to all such third parties to ensure they have the necessary rights to transfer ownership of any such agreements.

Selling a Software Business - Data protection

Data protection is an increasingly important issue for any software business. In assessing your business, and its IT systems, it is important to understand what personal data is handled, the protections and policies surrounding this, including any instances of breach of these policies, and the applicable laws such as the UK GDPR (for information on how Brexit has affected data protection law read our blog). It is attractive for a buyer to know that the seller takes data protection seriously and has built-in mechanisms to support it.

Developments in software supply have accounted for an increased risk in data protection. Subscription based services which often store customer data on the sellers platform (for instance, if it supplies software under a software as a service (SaaS) model) run into such issues as an obligation is created to secure and lawfully process the personal data being stored by the seller. Software often used to be sold anonymously, and without updates, external content, or other means to identify the user, and the seller was not storing personal data for its customers (because there were usually no logins or other data collections linked to a cloud-based platform). Data protection law is forever morphing in response to the rapidly developing technological landscape and so it could be wise to review your position at multiple points along the timeline of implementing the acquisition of a software business.

Cybersecurity

Cybersecurity is set to become an increasingly important issue for sellers in any software acquisition. On 10 May 2018, the Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) came into force. They place minimum cybersecurity and incident notification obligations on relevant digital service providers. If the software qualifies as an in-scope digital service provider under the relevant legislation, then it will be important for the seller to understand:

  • What network and information systems it relies upon to provide its services.
  • What measures it takes to manage the risks posed to the security of those systems (including with a view to ensuring continuity of its digital services).
  • What means it has of monitoring and assessing any incidents that have a substantial impact on the provision of its digital service.
  • How it reports such incidents to the Information Commissioner's Office (ICO), the UK regulator in this area, and in what timescales.
  • Failure to abide by the minimum cybersecurity standards and incident notification requirements set out in the NIS Regulations, can attract substantial regulatory fines in the UK of up to £17 million. Relevant digital service providers are also under an obligation to ensure that they have adequate documentation available to enable the ICO to verify compliance with the relevant security obligations, meaning that in practice the ICO may request to see (and buyers will want to diligence) various policies including those relating to system security, incident handling, security monitoring, business continuity management, and compliance with international standards.

Here to help

Selling a software business comes with a range of challenges, whether or not it involves software. Software does, however, introduce some specific issues. The greatest change in recent times has been from software sold for on-premises installation, to software being available to sell via, in most instances, a SaaS platform. This means that, as a software business owner, you are more likely to rely upon third parties to deliver your services. Making sure that your relationship with these third parties is transferrable to a buyer is important. Equally significant is the likelihood of intellectual property rights being scrutinised by a potential buyer. Knowing that you own all aspects of the business you intend to sell will always be high on a buyer’s list of assurances. Software has a uniquely high chance of infringing IPR’s without being aware of it. For more information on this read our blogs Open Source Software and Legal Protection of Software.

EM law specialises in technology and corporate law. Get in touch if you need advice on selling a software business or have any questions on the above.