Data Transfers: EU Adopts New Model Clauses

Data transfers and their legal mechanisms are changing. Standard Contractual Clauses (SCCs) have been an integral part of international data transfers. Under EU data protection law, organisations handling EU personal data cannot transfer such data to third countries without some form of protection. SCCs have become the most practical, and hence most used, form of ensuring such protection. Following the publication of new draft SCCs back in November and a subsequent consultation period, the European Commission announced on 4 June 2021 that it had adopted two new sets of SCCs, updating the previous clauses, which were adopted before the introduction of GDPR. The new SCCs are therefore a product of the stricter regulatory environment created by GDPR. Additionally, and significantly, the new SCCs respond to the ruling last summer (July 2020) in Schrems II.

What are Standard Contractual Clauses?

SCCs are essentially a set of clauses that enable lawful transfers of EU personal data. They can be copied into a contract or form an independent agreement between a data exporter (based in the EU or UK) and a data importer (based in a third country) to ensure an adequate level of protection for the personal data being transferred between the two entities. Two sets of clauses have been published by the European Commission: one for the transfer of personal data to third countries and one for use between controllers and processors based in the EU.

Schrems II

The ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) was significant for SCCs for two reasons. Firstly, it invalidated the EU-US Privacy Shield, which many US organisations relied upon to transfer personal data out of the EU. In the same way that SCCs are considered to give personal data transfers out of the EU adequate protection, the Privacy Shield, if all of its principles were adhered to, could also offer such protection. Now that it has been invalidated, more US organisations will be relying upon SCCs to ensure adequate protection of personal data transfers.

Secondly, the ruling reviewed the effectiveness of the SCCs in place at the time and, whilst considering them to be a valid mechanism for data transfers, introduced new obligations on both data importers and data exporters. The court said that organisations should review the agreements they have in place by assessing whether to implement additional technical and organisational as well as contractual measures. This amounts to what has been described as a ‘data transfer impact assessment’ and is directly addressed in the new SCCs published by the European Commission.

New SCCs for data transfers

The new SCCs have therefore been introduced to make sure they align with the high standards of data privacy introduced by GDPR, to remedy previous deficiencies, such as the limited range of transfer arrangements covered, and to address the uncertainty about how to assess whether or not to implement organisational/technical measures after the ruling in Schrems II. These are dealt with respectively below.

New obligations/liabilities

Firstly, the new SCCs impose a ‘light-weight’ form of the GDPR on data importers. This comes in the form of third party rights for data subjects. This includes data importers considering the following obligations: purpose limitation, transparency, accuracy, data minimisation, retention, security, onward transfers, data subject rights, complaints mechanism and submission to jurisdiction. The final obligation means a data importer must submit to the laws of the EU country from which the personal data is being exported, including its courts and data protection regulatory authority.

Secondly, the data importer must now notify the data exporter of any requests from public authorities, or any direct access by public authorities, relating to data transfers protected by SCCs. Where the data importer is prohibited from notifying the data exporter of such access, it is also expected to try to obtain a waiver of that prohibition.

Thirdly, data importers and exporters are now liable for any damage, material or non-material, caused to data subjects by a breach of the SCCs. In contrast to the GDPR, under which joint liability requires a breach by both parties, in some of the scenarios created by the new SCCs (controller-to-processor and processor-to-processor) the data exporter in Europe is now liable for violations by its processor or even sub-processor.

Modular approach for data transfers

The new SCCs employ a modular approach, i.e. they create the potential for an increased number of data transfer scenarios (modules). These include:

  • controller to controller;
  • controller to processor;
  • processor to sub-processor; and
  • processor to controller.

The processor to sub-processor module solves a long-standing problem. Up until now processors have been unsure of how to justify transfers to third countries. Now specific clauses exist to enable such data transfers. The only possible issue with the new modules is that any sub-processor wishing to engage a further sub-processor will have to get the permission of the original controller.

The new SCCs also allow the clauses to be used in a multi-party agreement without having to be replicated for each individual relationship. In practice this has been going on for a while, but now it has been officially sanctioned. A related innovation in the new SCCs is the optional docking clause, which allows new parties to be added to the agreement over time.

Data transfer impact assessments

Clause 14 lays out the ways in which parties to an agreement can ensure compliance with the obligations introduced by Schrems II for data transfers. It says the parties must take due account of:

  • the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved, and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs, and the storage of the data transferred.
  • the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities.
  • any relevant contractual, technical, or organisational safeguards put in place to supplement the safeguards under the SCCs, including measures applied during transmission and to the processing of the personal data in the country of destination.

Additionally:

  • the parties agree to document the assessment described and make it available to supervisory authorities on request.
  • the data importer warrants that it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with this assessment.
  • the data importer must notify the data exporter either of a public authority’s request to access data or where the public authority directly accesses personal data. If the data importer is unable to make that notification it must use best efforts to obtain a waiver.
  • the data importer must review access to personal data requests for legality and challenge them if there are reasonable grounds to do so. It must document its legal assessment and minimise the data disclosure as much as possible.

Moving forwards with data transfers

Organisations will be relieved to know that the European Commission has allowed for an 18-month transition period in which the previous SCCs will still be legally recognised (as opposed to the 12-month transition period suggested in the drafts). This should give time to review current data transfers and agreements and to update clauses where needed.

We are also still waiting for the final ‘Recommendations for Supplementary Measures’ in relation to the ruling in Schrems II from the European Data Protection Board (EDPB), which were open for feedback after being published in draft form in November. The EDPB have said ‘the recommendations… were subject to a public consultation. The EDPB received over 200 contributions from various stakeholders, which it is currently analysing’.

UK perspective

As it stands, the new SCCs are not recognised in the UK and it will be up to the ICO to decide whether to accept their usage. The ICO is currently preparing its own contractual clauses and will consult on them over the summer. Allowing the use of both EU- and UK-approved SCCs will no doubt be of benefit to the EU’s adequacy decision for the UK (that is, whether the EU considers the UK adequate for data protection purposes and hence allows data to flow freely between the two regimes).

It is important to note, however, that the UK has been wanting to liberalise data transfers for some time, and so the new ICO-sanctioned clauses may well be less cumbersome than the new EU ones. Finally, for clarity, the old EU SCCs remain valid in the UK and should be, for the time being, the clauses that organisations transferring UK personal data use when putting agreements in place. You can find the clauses on the ICO’s website here.

Here to help

Data transfers have, up until now, often been a case of signing up to some clauses or entering into an agreement and then leaving it be. With the introduction of GDPR, the ruling in Schrems II and now the old pre-GDPR SCCs becoming outdated, organisations need to be mindful of the new obligations and, most significantly, the need for transfer impact assessments. Such assessments may need to be undertaken by a third party. If you need your current data transfer agreements reviewed, we are here to help.

EM law specialises in technology and data protection law. Get in touch if you need advice on data protection law or if you have any questions on the above.


Employee References – A Guided Tour Of Eventful Case Law

Employee references can often be a rewarding experience: a chance to pass on well-earned positive feedback for the benefit of a colleague’s future career. Many references are straightforward to give and useful to receive. They can, of course, cause complications when feedback is not entirely positive or when organisations fail to have a clear policy in place. Here is our guided tour through an eventful array of cases which illustrate their potentially contentious nature, the aim being that along the way you will pick up some tips on how you should go about giving (or receiving) employee references.

First things first – do you have to provide employee references?

There is no legal obligation to provide a reference for an employee or ex-employee, so an employer can refuse to give a reference if it wants to. This was stated in the case Lawton v BOC Transhield Ltd [1987] IRLR 404. Employers should be careful, however, to treat employees consistently so that they are not accused of discriminatory behaviour or of breaching the implied term of trust and confidence in employment contracts. It follows that organisations should have a policy in place on whether to give employee references at all and on the nature of the information to be given.

On or off-the-record – be careful whenever making a statement

Case Number 1: McKie v Swindon College [2011] EWHC 469 (QB)

What happened? The claimant worked in higher education management. Leaving Swindon College in 2002, he went on to work at Bath College on the strength of positive employee references he had received from Swindon College. In 2007 he went to work at Bristol College and then in 2008 he accepted a position with the University of Bath. Part of his role involved making site visits to Swindon College. This led to the University of Bath receiving an email from Swindon College saying they would not be able to give the claimant access because of safeguarding concerns. The claimant was subsequently dismissed by the University of Bath. No such issues had been mentioned in any reference, and Swindon College claimed no investigation had taken place because the claimant left before it could go ahead.

Judgement: it was found that Swindon College was liable to the claimant for negligent misstatement. The judge stated that ‘I am satisfied damage was foreseeable, the relationship was sufficiently proximate [and that], it is fair, just and reasonable and there is a causal connection between the negligence in and about the sending of the email and the damage whereof the claimant complains’.

Lesson: this case highlights why employers should be cautious when making any statement about a former employee. Even if a statement is not intended to be a reference, employers should remember that the tort of negligent misstatement can apply.

Recipient of employee references? – you could still be liable

Case Number 2: Bullimore v Pothecary Witham Weld Solicitors and another UKEAT/0189/10

What happened? The claimant had left her job with Witham Weld Solicitors (WW). She claimed unfair dismissal and sex discrimination against WW. After leaving, she was offered a job subject to satisfactory employee references. A partner of WW wrote a damaging reference, including the fact that the claimant had brought proceedings against the firm. As a result, the claimant’s new employment contract was revised to include a six-month probationary period. The claimant refused to accept this change in terms and conditions.

Judgement: The Tribunal ruled that the claimant had been unlawfully discriminated against by both her former and prospective employers. Before the remedy hearing the claimant settled her claim against the prospective employer for £42,500 and was awarded £7,500 for injury to feelings against her former employer. The claimant then successfully appealed, claiming that the former employer was liable for future loss of earnings.

Lesson: The recipients of employee references must also be careful about any action they may take following receipt of a potentially discriminatory reference.

Liability only to the subject of the reference? – No, it can also be to the recipient

Case Number 3: Playboy Club London Ltd and others v Banca Nazionale del Lavoro SPA [2014] EWHC 2613 (QB)

What happened? Playboy Club Ltd operated a casino in London called The Rendezvous. In October 2010 Mr Bakarat, a member of the club, requested a cheque cashing facility of £800,000. As per Playboy’s policy, the club made a request for a positive banker’s reference for twice the amount of the cheque cashing facility. Mr Bakarat’s bank, Banca Nazionale del Lavoro SPA, confirmed that he was able to support such a financial commitment. Later, when Playboy tried to cash the cheques Mr Bakarat had deposited, it was discovered that they were counterfeit. Mr Bakarat’s account with the bank turned out to have always maintained a zero balance.

Judgement: It was held by the High Court that the bank could not have exercised reasonable skill and care in preparing the reference and was liable. However, on appeal, the Court of Appeal held that the bank had not assumed responsibility to the casino, it being relevant that the reference had been requested but the bank did not know for what purpose.

Lesson: The reference giver is generally being asked by a prospective employer for information about an ex-employee because it has specialist knowledge. If the reference giver fails to take reasonable care in providing that information and the prospective employer relies on the reference, then the reference giver could be liable for negligent misstatement to the prospective employer. However, this can be avoided by using an effective disclaimer or where a reference is given for an unknown purpose (as shown in the case described). Given that employee references are given for a specific purpose, i.e. to judge suitability for employment, it is less likely that an employer could argue that it did not know the purpose of the reference, which was the effective defence of Banca Nazionale del Lavoro in the case described.

Disclaimers and sickness absence

Case Number 4: AB v A Chief Constable [2014] EWHC 1965 (QB)

What happened? The claimant was a senior police officer with the defendant chief constable’s police force. Disciplinary proceedings were commenced against him alleging that he had improperly sought to influence a recruitment and selection process. During this time, he applied to a regulatory body for a job and was led to believe that any reference would not refer to the outstanding disciplinary proceedings. The claimant was offered the job subject to employee references being ‘entirely satisfactory’. A reference was sent which did not include information about the disciplinary proceedings and did not answer questions regarding the claimant’s sickness absence, which was extensive. After getting the job, the claimant received correspondence from the chief constable saying that the initial reference had not answered all the questions and that they intended to send a corrected response, which they enclosed.

Judgement: The claimant argued that the corrected reference was in breach of the Data Protection Act 1998. There was no question that the contents of the reference amounted to personal data to which the Data Protection Act applied. Illness records would amount to sensitive personal data and no argument was advanced by the chief constable that this had been processed lawfully. The information about the disciplinary proceedings was deemed to be lawful for data protection purposes with the processing being ‘necessary for compliance with any legal obligation to which the data controller is subject’ – that obligation being the public law duty of honesty and integrity. However, given that the force had earlier given the claimant an assurance that employee references would be sent without such information, which was their policy and practice, and he had resigned from his position to take the new job, the force was found to be liable.

Lesson: The content of a reference amounts to personal data under the Data Protection Act 1998, which means the data must be disclosed fairly and lawfully. It is also important to note that the court mentioned that public sector workers have additional public law duties to act with honesty and integrity, which would ordinarily mean that, in circumstances such as those in this case, providing a basic standard reference would be misleading.

Practical advice

Employers should have a clear policy, preferably in writing, about who within the organisation can provide employee references, in what circumstances, what they can include and what they should not include. It would be useful for the policy to set out a template reference so that consistent wording is used. As shown by the case law, finding the line between providing useful information to a prospective employer and respecting the rights of the subject of the reference can be a delicate business. Taking a step back and making sure that all the information provided is fair and useful is a good starting point. And finally, do remember to mark any reference ‘private and confidential – for the addressee only’.

If you have any questions or need help dealing with employee references or other employment law issues please contact any one of our employment lawyers, Helen Monson or Imogen Finnegan, or call us on 0203 637 6374.


Data Compliance – Updates You Need To Make To Your Policies

Data compliance is an essential part of every business. There have been several shifts in the UK’s data compliance regime following Brexit and the ruling in Schrems II, which means that plenty of businesses’ privacy policies are not up to date. The changes range from simply swapping in different references to legislation to considering the effect that Brexit has had on cross-border transfers of data. For those transferring data to the US, the invalidation of the Privacy Shield framework should also be considered. Here is our guide to the updates businesses should consider making to their privacy policies (and the issues we frequently spot when dealing with clients’ data protection documentation or doing due diligence on other companies’ privacy policies).

Data compliance post Brexit

With the start of 2021, and the end of the EU-UK transition period, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679), called the UK GDPR, applies in the UK, along with the Data Protection Act 2018 (DPA 2018). Therefore, the main body of data protection law in the UK is now made up of the UK GDPR and the DPA 2018.

So, as a simple starting point for the updates that need to be made to privacy policies, make sure that all references to GDPR are changed to the UK GDPR. There may also be references to ‘Applicable Data Protection Laws’, in which case the definition of those applicable laws needs to be changed to include the UK GDPR and the DPA 2018.

It is important to note that the EU GDPR (the data protection regime in the EU) will continue to have extra-territorial effect and so may apply to UK controllers or processors who have an establishment in the EU, who offer goods or services to data subjects in the EU, or who monitor their behaviour in so far as that behaviour takes place within the EU. So, if you operate in the EU as well as the UK, you should consider including references to the EU GDPR. Additionally, even though your privacy policy may now refer to the UK GDPR, if you operate in the EU you should consider the consequences of operating under two data protection regimes. This may include a review of your mechanisms for cross-border transfers of data to the EU.

Data compliance: cross-border transfers of data

Now that the UK has left the EU, all data transfers from the UK to the EU, or vice versa, are defined as cross-border transfers for the purposes of data protection law. This means that, to address data compliance, additional safeguards need to be in place, for example Standard Contractual Clauses or reliance upon an adequacy decision (a decision made by the relevant authority that data protection is adequate in a particular country and hence that data can flow there freely). As it stands, in June 2021, the UK has granted the EU an adequacy decision but the EU is yet to grant one to the UK.

In relation to updating your privacy policy, it will now be important, if transferring data to and from the EU, to show which safeguards you are relying upon to do so. It should be noted, however, that on 24 December 2020 the UK and the EU reached a trade and co-operation agreement addressing the arrangements following the end of the Brexit transition period on 31 December 2020. The agreement includes an interim provision (the bridging mechanism) for the transmission of personal data from the EU to the UK, which could last up to six months. Therefore, under the current circumstances (as at June 2021, the time of this blog), companies do not need to have additional safeguards in place for transfers of personal data to the EU. Regardless of these developments, businesses should nonetheless state in their privacy policies that they are relying upon these provisional agreements and adequacy decisions to transfer data to the EU. This could start with a simple acknowledgement in the privacy policy that any personal data transfers from the UK to the EU are transfers taking place between two separate data protection regimes.

Privacy Shield invalidated

The EU-US Privacy Shield was a framework constructed by the US Department of Commerce and the European Commission to enable transatlantic exchanges of personal data for commercial purposes. The Privacy Shield enabled companies from the US to comply with EU data protection requirements and so allowed free flows of personal data to and from the EU without the need for additional safeguards (such as those expected for third countries, i.e. countries not deemed by the EU to have adequate levels of protection for personal data, such as the US).

The Privacy Shield was invalidated in July 2020 following the ECJ’s preliminary ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) and should therefore no longer be relied upon for transfers to the US. The controller-to-processor standard contractual clauses were not invalidated, so organisations can still rely upon them when transferring data to the US. This means that any reference to the Privacy Shield in a privacy policy needs to be removed and the mechanisms which an organisation is now using to transfer data to the US need to be clearly stated. In the majority of cases this will mean mentioning the use of standard contractual clauses.

Data compliance checklist

Here is a list of things to consider when editing your privacy policy to ensure data compliance:

  • All references to UK data protection laws and legislation need to be references to the UK GDPR and the DPA 2018.
  • Transfers of data to the EU need to be treated as cross-border data transfers, so the legal basis for making these transfers needs to be stated (such as an adequacy decision, the current bridging mechanism, standard contractual clauses, binding corporate rules etc.).
  • Any reference to the EU-US Privacy Shield needs to be removed for data transfers to the US and, if standard contractual clauses are now being used, this needs to be mentioned.

Data Compliance and Transparency

As part of the UK GDPR principles, businesses must comply with the transparency requirements set out in Articles 13 and 14 of the UK GDPR. The transparency principles require all controllers to notify data subjects about their personal data handling practices through a privacy policy, at the time that data is collected. It therefore follows that if your business has changed the way it processes the personal data of its customers because of the developments discussed in this blog, and is relying on a new basis for that processing (i.e. the UK GDPR instead of the previous regime), then, in order to comply with the transparency principles, it should update its privacy policy to reflect this. For an online business, that will usually mean updating the website privacy policy.

Multiple jurisdictions

Organisations with entities in multiple jurisdictions face data compliance challenges when trying to implement website privacy policies as part of a global privacy compliance programme. Multinationals must choose between implementing a single, global privacy policy applicable to all of their customers globally or jurisdiction-specific policies, bearing in mind that even within the EU, member states are likely to have varying rules on data protection. This will mean paying attention to the references to legislation in jurisdiction-specific policies and being clear about exactly how cross-border data transfers are taking place between different branches of an organisation. Given the potential complexity of the structure of such data transfers, it would be worth seeking legal advice. Many privacy regulators, including the ICO, recommend a layered policy format, which pairs a short summary with a linked detailed disclosure, as the most effective way to simplify a complex privacy policy and make it clearly and conspicuously accessible.

Here to help

Hopefully this blog gives you enough scope to update your privacy policy and address data compliance. But we can also help you do so. With Brexit and the ruling in Schrems II, data compliance has become legally complex, but that doesn’t mean a practical approach for businesses isn’t possible. The next big step in UK data law is whether or not an adequacy decision will be granted. The decision is currently in the comitology procedure, which means all EU member states need to agree the drafting. If an adequacy decision is reached, then data flows will be unimpeded between the EU and the UK. Regardless of such a decision, however, references to legislation and the mechanisms relied upon for cross-border transfers will still need to be updated.

Other developments include the recent publication of updated Standard Contractual Clauses by the European Commission. This means that agreements which export EU data to a third country and rely upon Standard Contractual Clauses should be updated. The new versions also incorporate means by which to adhere to the new requirements for cross-border transfers following the decision in Schrems II, which introduced an obligation to assess local data laws before going ahead with a transfer.

EM law specialises in technology and data protection law. Get in touch if you need advice on data protection law or if you have any questions on the above.


Ending A Lease Of Commercial Property - Legal Aspects

Ending a lease doesn’t mean your liabilities are over and you have nothing more to pay. Thinking this way is a common mistake that businesses make. In fact, there may be some very expensive bills, so this stage needs to be approached in a carefully planned way. The lease sets out most of what the tenant has to do, but it may also be silent on other things that will happen and which may cost the tenant dearly.

Be Prepared When Ending A Lease

Above all, be prepared well in advance! If you decide not to renew the lease because you are moving to other premises, you will need to start that process in sufficient time to look at new offices, win the bid to be the tenant, agree the rent and length of the lease with the agent, decide on fit-out works, agree the new lease, plan the office move so as to minimise disruption and then pack up, move and unpack. All this is to say that you may need to make plans well in advance. If a lease includes security of tenure, well-advised landlords will be making plans 18 months in advance of when the commercial lease ends. This is because a series of notices will need to be planned carefully, and some may need to be served 12 months in advance of the end of the lease. It is in everyone’s interest to get organised early when ending a lease.

Understand Your Obligations

When you have decided you are vacating the premises, make sure you understand your obligations under the lease:

  • If your lease is silent on the Landlord and Tenant Act 1954, you likely have a lease protected by security of tenure. That means in most cases you can either insist on a new lease of the same premises or get compensation from the landlord.
  • If you are not protected by the LTA 1954, the lease will insist that you rectify any alterations you have made. This may simply be a necessary legal device to ensure the tenant does not demand compensation from the landlord; in other words, when it comes to the end of the lease, the landlord will not actually make you rip out the air conditioning etc. However, the landlord can insist on it, so you need to ask the landlord about this well in advance – allow enough time before your commercial lease ends to reach a commercial agreement with the landlord, to sign something to formalise it and to rectify the alterations if the landlord at any time decides you must.
  • If the lease demands that you restore the property to its original state, the landlord may take the view that you are still in possession of the property because, for example, you forgot to remove the data cables you put in the wall.
  • If the lease demands that you hand over the premises with vacant possession, you have to be well prepared: if your workmen are still in the premises after the end of the lease, you will not have given vacant possession, even if the landlord knew all about it. If you are vacating the premises by exercising a break clause, that could make your break notice invalid retrospectively and you will have to pay the rent until the end of the lease or the next break date.
  • On repairs, be sure you know what you have rented. Do your premises include the windows or just the inside of the window frames? Do your premises include only the surface of the floor or the floorboards as well? If so, how can you check that they are all in good repair? If the tenant made no repairs during the lease, the tenant may still have to pay, after the lease ends, for repairing the property up to the required standard. Generally, the only cost-effective way of approaching this is to meet the landlord at the premises, agree on what needs to be done and then do it. The tenant will usually need to pay all or part of the cost of having this done professionally. The alternative is that the landlord inspects the premises many months after you have vacated, decides by itself what needs to be done, hires someone to do it and then sends you an invoice, which could be for a large amount.
  • On service charges, you may have a balancing charge to receive or pay after the service charges have been audited at the end of the year – this can be more than a year after you have left the premises.

If you are ending a lease of commercial property, contact James Williamson so that he can guide you through the process and make sure you are protected. Click here to email James.