
Data Transfers: EU Adopts New Model Clauses

Data transfers and their legal mechanisms are changing. Standard Contractual Clauses (SCCs) have been an integral part of international data transfers. Under EU data protection law, organisations handling EU personal data cannot transfer such data to third countries without some form of protection. SCCs have become the most practical, and hence the most used, way of providing that protection. Following the publication of draft SCCs in November 2020 and a subsequent consultation period, the European Commission announced on 4 June 2021 that it had adopted two new sets of SCCs, replacing clauses which were adopted before the introduction of the GDPR. The new SCCs are therefore a product of the stricter regulatory environment created by the GDPR. Additionally, and significantly, the new SCCs respond to the ruling in Schrems II of July 2020.

What are Standard Contractual Clauses?

SCCs are essentially a set of pre-approved clauses that enable lawful transfers of EU personal data. They can be copied into a contract or form a stand-alone agreement between a data exporter (based in the EU or, under the old clauses, the UK) and a data importer (based in a third country), and they are intended to ensure an adequate level of protection for the personal data transferred between the two entities. The European Commission has published two sets of clauses: one for the transfer of personal data to third countries and one for use between controllers and processors based in the EU.

Schrems II

The ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) was significant for SCCs for two reasons. Firstly, it invalidated the EU-US Privacy Shield, which many US organisations relied upon to receive personal data transferred out of the EU. In the same way that SCCs are considered to give personal data transfers out of the EU adequate protection, the Privacy Shield, if all of its principles were adhered to, could also offer such protection. Now that it has been invalidated, more US organisations will be relying upon SCCs to ensure adequate protection of personal data transfers.

Secondly, the ruling reviewed the effectiveness of the SCCs in place at the time and, whilst confirming them to be a valid mechanism for data transfers, introduced new obligations on both data importers and data exporters. Organisations were told to review the agreements they have in place by assessing whether to implement additional technical and organisational measures as well as contractual ones. This amounts to what has been described as a ‘data transfer impact assessment’ and is directly addressed in the new SCCs published by the European Commission.

New SCCs for data transfers

The new SCCs have therefore been introduced to align the clauses with the high standards of data privacy introduced by the GDPR, to amend previous deficiencies, such as the limited range of transfer arrangements catered for, and to address uncertainty as to how to assess whether or not to implement organisational or technical measures following the ruling in Schrems II. These are dealt with in turn below.

New obligations/liabilities

Firstly, the new SCCs impose a ‘light-weight’ form of the GDPR on data importers. This comes in the form of third party rights for data subjects, and it means data importers must address the following obligations: purpose limitation, transparency, accuracy, data minimisation, retention, security, onward transfers, data subject rights, a complaints mechanism and submission to jurisdiction. The final obligation means a data importer must submit to the laws of the EU country from which the personal data is being exported, including its courts and its data protection supervisory authority.

Secondly, the data importer must now notify the data exporter of any request from a public authority for, or any direct access by a public authority to, personal data transferred under the SCCs. Where the importer is prohibited from notifying the exporter, it is expected to use its best efforts to obtain a waiver of that prohibition.

Thirdly, data importers and exporters are now liable for any damage, material or non-material, caused to data subjects by a breach of the SCCs. In contrast to the GDPR, under which joint liability arises only where both parties are in breach, in some of the scenarios created by the new SCCs (controller-to-processor and processor-to-processor) the data exporter in Europe is now liable for violations by its processor or even its sub-processor.

Modular approach for data transfers

The new SCCs employ a modular approach, i.e. they cater for an increased number of data transfer scenarios, each handled by its own module. The modules cover:

  • controller to controller;
  • controller to processor;
  • processor to sub-processor; and
  • processor to controller.

The processor to sub-processor module solves a long-standing problem. Until now, processors have been unsure how to justify transfers to third countries. Specific clauses now exist to enable such transfers. The one possible drawback of the new modules is that any sub-processor wishing to engage a further sub-processor will have to obtain the permission of the original controller.

The new SCCs also allow the clauses to be used in a multi-party agreement without having to be replicated for each individual relationship. In practice this has been happening for a while, but it has now been officially sanctioned. A related innovation is the optional ‘docking clause’, which allows new parties to be added to the agreement over time.

Data transfer impact assessments

Clause 14 sets out how the parties to an agreement can meet the obligations introduced by Schrems II for data transfers. It says the parties must take due account of:

  • the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; any intended onward transfers; the type of recipient; the purpose of the processing; the categories and format of the personal data transferred; the economic sector in which the transfer occurs; and where the transferred data will be stored;
  • the laws and practices of the third country of destination, including those requiring the disclosure of data to public authorities or authorising access by such authorities; and
  • any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the SCCs, including measures applied during transmission and to the processing of the personal data in the country of destination.

Additionally:

  • the parties agree to document the assessment described above and to make it available to supervisory authorities on request;
  • the data importer warrants that it has made its best efforts to provide the data exporter with relevant information and agrees to continue cooperating with the data exporter to ensure compliance with the assessment;
  • the data importer must notify the data exporter of any request from a public authority to access personal data, and of any direct access to personal data by a public authority; if the data importer is prohibited from making that notification, it must use its best efforts to obtain a waiver of the prohibition; and
  • the data importer must review the legality of any request for access to personal data and challenge it if there are reasonable grounds to do so; it must document its legal assessment and disclose the minimum amount of data possible.

Moving forwards with data transfers

Organisations will be relieved to know that the European Commission has allowed an 18-month transition period during which the previous SCCs will still be legally recognised (as opposed to the 12-month transition period suggested in the drafts). This should give time to review current data transfers and agreements and to update clauses where needed.

We are also still waiting for the final ‘Recommendations on Supplementary Measures’ from the European Data Protection Board (EDPB), which address the ruling in Schrems II and were published in draft form in November 2020 for public feedback. The EDPB has said: ‘the recommendations… were subject to a public consultation. The EDPB received over 200 contributions from various stakeholders, which it is currently analysing’.

UK perspective

As it stands, the new EU SCCs are not recognised in the UK, and it will be up to the ICO to decide whether to accept their use. The ICO is currently preparing its own contractual clauses and will consult on them over the summer. Allowing the use of both EU and UK approved SCCs will no doubt help the UK’s case for an EU adequacy decision (a decision that the EU considers the UK’s data protection regime adequate, allowing data to flow freely between the two regimes).

It is important to note, however, that the UK has wanted to liberalise data transfers for some time, so the new ICO-sanctioned clauses may well be less cumbersome than the new EU ones. Finally, for clarity, the old EU SCCs remain valid in the UK and should, for the time being, be the clauses that organisations transferring UK personal data use when putting agreements in place. They are available on the ICO’s website.

Here to help

Data transfers have until now often been a matter of signing up to some clauses or entering into an agreement and then leaving it be. With the introduction of the GDPR, the ruling in Schrems II and the old pre-GDPR SCCs now outdated, organisations need to be mindful of their new obligations and, most significantly, of the need for transfer impact assessments. Such assessments may need to be undertaken by a third party. If you need your current data transfer agreements reviewed, we are here to help.

EM law specialises in technology and data protection law. Get in touch if you need advice on data protection law or if you have any questions on the above.



Employee References – A Guided Tour Of Eventful Case Law

Employee references can often be a rewarding experience: a chance to pass on well-earned positive feedback for the benefit of a colleague’s future career. Many references are straightforward to give and useful to receive. They can, of course, cause complications when the feedback is not entirely positive or when organisations fail to have a clear policy in place. Here is our guided tour through an eventful array of cases which illustrate their potentially contentious nature. Along the way you should pick up some tips on how to go about giving (or receiving) employee references.

First things first – do you have to provide employee references?

There is no general legal obligation to provide a reference for an employee or ex-employee, so an employer that does not wish to give one can refuse. This was confirmed in Lawton v BOC Transhield Ltd [1987] IRLR 404. Employers should be careful, however, to treat employees consistently so that they are not accused of discrimination or of breaching the implied term of trust and confidence in employment contracts. It follows that organisations should have a policy in place on whether to give employee references at all and on the nature of the information to be given.

On or off-the-record – be careful whenever making a statement

Case Number 1: McKie v Swindon College [2011] EWHC 469 (QB)

What happened? The claimant worked in higher education management. On leaving Swindon College in 2002, he went on to work at Bath College on the strength of positive references he had received from Swindon College. In 2007 he moved to Bristol College and in 2008 he accepted a position with the University of Bath. Part of his new role involved making site visits to Swindon College. This led to the University of Bath receiving an email from Swindon College saying they would not be able to give the claimant access because of safeguarding concerns. The claimant was subsequently dismissed by the University of Bath. No such concerns had been mentioned in any reference, and Swindon College claimed that no investigation had taken place because the claimant left before one could go ahead.

Judgement: Swindon College was found liable to the claimant for negligent misstatement. The judge stated: ‘I am satisfied damage was foreseeable, the relationship was sufficiently proximate [and that], it is fair, just and reasonable and there is a causal connection between the negligence in and about the sending of the email and the damage whereof the claimant complains’.

Lesson: this case highlights why employers should be cautious when making any statement about a former employee. Even if a statement is not intended as a reference, the tort of negligent misstatement can still apply.

Recipient of employee references? – you could still be liable

Case Number 2: Bullimore v Pothecary Witham Weld Solicitors and another UKEAT/0189/10

What happened? The claimant had left her job with Witham Weld Solicitors (WW) and had brought claims of unfair dismissal and sex discrimination against WW. After leaving, she was offered a job subject to satisfactory references. A partner of WW wrote a damaging reference which mentioned that the claimant had brought proceedings against the firm. As a result, the claimant’s new employment contract was revised to include a six-month probationary period. The claimant refused to accept this change to her terms and conditions.

Judgement: the Tribunal ruled that the claimant had been unlawfully discriminated against by both her former and her prospective employer. Before the remedy hearing the claimant settled her claim against the prospective employer for £42,500 and was awarded £7,500 for injury to feelings against her former employer. The claimant then successfully appealed, establishing that the former employer was also liable for her future loss of earnings.

Lesson: recipients of employee references must also be careful about any action they take following receipt of a potentially discriminatory reference.

Liability only to the subject of the reference? – No, it can also be to the recipient

Case Number 3: Playboy Club London Ltd and others v Banca Nazionale del Lavoro SPA [2014] EWHC 2613 (QB)

What happened? Playboy Club London Ltd operated a casino in London called The Rendezvous. In October 2010 Mr Bakarat, a member of the club, requested a cheque cashing facility of £800,000. As per Playboy’s policy, the club requested a positive banker’s reference for twice the amount of the facility. Mr Bakarat’s bank, Banca Nazionale del Lavoro SPA, confirmed that he could support such a financial commitment. Later, when Playboy tried to cash the cheques Mr Bakarat had deposited, they were discovered to be counterfeit. Mr Bakarat’s account with the bank turned out to have always had a zero balance.

Judgement: the High Court held that the bank could not have exercised reasonable skill and care in preparing the reference and was liable. On appeal, however, the Court of Appeal held that the bank had not assumed responsibility to the casino; it was relevant that the reference had been requested without the bank being told for what purpose.

Lesson: a reference giver is generally asked by a prospective employer for information about an ex-employee because it has specialist knowledge. If the reference giver fails to take reasonable care in giving that information, and the prospective employer relies on the reference, the reference giver could be liable to the prospective employer for negligent misstatement. This can be avoided by using an effective disclaimer, or where a reference is given for an unknown purpose (as in the case described). Given that employee references are given for a specific purpose, i.e. to judge suitability for employment, an employer is less likely to be able to argue that it did not know the purpose of the reference, which was the effective defence of Banca Nazionale del Lavoro in this case.

Disclaimers and sickness absence

Case Number 4: AB v A Chief Constable [2014] EWHC 1965 (QB)

What happened? The claimant was a senior police officer in the defendant chief constable’s force. Disciplinary proceedings were commenced against him alleging that he had improperly sought to influence a recruitment and selection process. During this time he applied to a regulatory body for a job and was led to believe that any reference would not refer to the outstanding disciplinary proceedings. The claimant was offered the job subject to references being ‘entirely satisfactory’. A reference was sent which did not mention the disciplinary proceedings and did not answer questions about the claimant’s sickness absence, which was extensive. After he had taken the job, the claimant received correspondence from the chief constable saying that the initial reference had not answered all the questions and that they intended to send a corrected response, which they enclosed.

Judgement: the claimant argued that the corrected reference was in breach of the Data Protection Act 1998. There was no question that the contents of the reference amounted to personal data to which the Act applied. The illness records amounted to sensitive personal data, and the chief constable advanced no argument that this data had been processed lawfully. The information about the disciplinary proceedings was held to be lawfully processed for data protection purposes, the processing being ‘necessary for compliance with any legal obligation to which the data controller is subject’, that obligation being the public law duty of honesty and integrity. However, given that the force had earlier assured the claimant that references would be sent without such information, which was its policy and practice, and that he had resigned from his position to take the new job, the force was found to be liable.

Lesson: the content of a reference amounts to personal data under the Data Protection Act 1998, which means it must be disclosed fairly and lawfully. It is also worth noting the court’s observation that public sector workers have additional public law duties to act with honesty and integrity, which would ordinarily mean that, in circumstances such as those of this case, providing a basic standard reference would be misleading.

Practical advice

Employers should have a clear policy, preferably in writing, about who within the organisation can provide employee references, in what circumstances, what they can include and what they should not include. It would be useful for the policy to set out a template reference so that consistent wording is used. As the case law shows, finding the line between providing useful information to a prospective employer and respecting the rights of the subject of the reference can be a delicate business. Taking a step back and making sure that all the information provided is fair and useful is a good starting point. And finally, do remember to mark any reference ‘private and confidential, for the addressee only’.

If you have any questions or need help dealing with employee references or other employment law issues please contact any one of our employment lawyers, Helen Monson or Imogen Finnegan, or call us on 0203 637 6374.



Data Compliance – Updates You Need To Make To Your Policies

Data compliance is an essential part of every business. There have been several shifts in the UK’s data compliance regime following Brexit and the ruling in Schrems II, which means that plenty of businesses’ privacy policies are no longer up to date. The changes range from simply swapping in different references to legislation to considering the effect Brexit has had on cross-border transfers of data. Those transferring data to the US should also consider the invalidation of the Privacy Shield framework. Here is our guide to the updates businesses should consider making to their privacy policies (and the issues we frequently spot when dealing with clients’ data protection documentation or doing due diligence on other companies’ privacy policies).

Data compliance post Brexit

Since the start of 2021 and the end of the EU-UK transition period, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679), called the UK GDPR, has applied in the UK alongside the Data Protection Act 2018 (DPA 2018). The main body of data protection law in the UK is therefore now made up of the UK GDPR and the DPA 2018.

So, as a simple starting point for updating a privacy policy, make sure that all references to the GDPR are changed to the UK GDPR. There may also be references to ‘Applicable Data Protection Laws’, in which case the definition of those laws needs to be changed to include the UK GDPR and the DPA 2018.

It is important to note that the EU GDPR (the data protection regime in the EU) continues to have extra-territorial effect and so may apply to UK controllers or processors that have an establishment in the EU, that offer goods or services to data subjects in the EU, or that monitor the behaviour of data subjects in so far as that behaviour takes place within the EU. So, if you operate in the EU as well as the UK, you should consider including references to the EU GDPR. Even though your privacy policy may now refer to the UK GDPR, if you operate in the EU you should also consider the consequences of operating under two data protection regimes. This may include a review of your mechanisms for cross-border transfers of data to the EU.

Data compliance: cross-border transfers of data

Now that the UK has left the EU, all data transfers from the UK to the EU or vice versa are cross-border transfers for the purposes of data protection law. This means that additional safeguards need to be in place, for example Standard Contractual Clauses or reliance upon an adequacy decision (a decision by the relevant authority that data protection in a particular country is adequate, so that data can flow there freely). As it stands, in June 2021, the UK has granted the EU an adequacy decision but the EU has yet to grant one to the UK.

When updating your privacy policy it is now important, if you transfer data to and from the EU, to state which safeguards you are relying upon to do so. Note, however, that on 24 December 2020 the UK and the EU reached a trade and co-operation agreement addressing the arrangements following the end of the Brexit transition period on 31 December 2020. The agreement includes an interim provision (the ‘bridging mechanism’) for the transfer of personal data from the EU to the UK, which can last up to six months. Under the current circumstances (as of June 2021, the time of this blog), companies therefore do not need additional safeguards in place for transfers of personal data between the UK and the EU: the UK treats the EU as adequate, and the bridging mechanism covers flows from the EU to the UK. Businesses should nevertheless state in their privacy policies that they are relying upon these provisional arrangements and adequacy decisions to transfer data to the EU. A simple starting point is to acknowledge in the privacy policy that any transfers of personal data from the UK to the EU are transfers between two separate data protection regimes.

Privacy Shield invalidated

The EU-US Privacy Shield was a framework constructed by the US Department of Commerce and the European Commission to enable transatlantic exchanges of personal data for commercial purposes. It allowed certified US companies to comply with EU data protection requirements and so receive personal data from the EU without the additional safeguards normally required for transfers to third countries (countries, such as the US, that the EU has not deemed to provide an adequate level of protection for personal data).

The Privacy Shield was invalidated in July 2020 by the CJEU’s preliminary ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) and should therefore no longer be relied upon for transfers to the US. The controller-to-processor standard contractual clauses were not invalidated, so organisations can still rely upon them when transferring data to the US. This means that any reference to the Privacy Shield in a privacy policy needs to be removed and the mechanism the organisation now uses to transfer data to the US needs to be clearly stated. In the majority of cases this will mean referring to the use of standard contractual clauses.

Data compliance checklist

Here is a list of things to consider when editing your privacy policy to ensure data compliance:

  • All references to UK data protection law and legislation need to refer to the UK GDPR and the DPA 2018.
  • Transfers of data to the EU need to be treated as cross-border data transfers, so the legal basis for making them needs to be stated (such as an adequacy decision, the current bridging mechanism, standard contractual clauses, binding corporate rules etc.).
  • Any reference to the EU-US Privacy Shield for data transfers to the US needs to be removed and, if standard contractual clauses are now being used, this needs to be stated.

Data Compliance and Transparency

Under the UK GDPR, businesses must comply with the transparency requirements set out in Articles 13 and 14, which require every controller to inform data subjects about its personal data handling practices, usually through a privacy policy, at the time the data is collected. It follows that if your business has changed the way it processes the personal data of its customers because of the developments discussed in this blog, or is relying on a new legal framework for that processing (i.e. the UK GDPR instead of the previous regime), it should update its privacy policy to reflect this in order to comply with the transparency requirements. For an online business, that will usually mean updating its website privacy policy.

Multiple jurisdictions

Organisations with entities in multiple jurisdictions face data compliance challenges when implementing website privacy policies as part of a global privacy compliance programme. Multinationals must choose between a single global privacy policy applicable to all of their customers and jurisdiction-specific policies, bearing in mind that even within the EU, member states are likely to have varying rules on data protection. This means paying attention to the references to legislation in jurisdiction-specific policies and being clear about exactly how cross-border data transfers take place between the different branches of the organisation. Given the potential complexity of such data transfers, it is worth seeking legal advice. Many privacy regulators, including the ICO, recommend a layered policy format, which pairs a short summary with a linked detailed disclosure, as the most effective way to simplify a complex privacy policy and make it clearly and conspicuously accessible.

Here to help

Hopefully this blog gives you enough to update your privacy policy and address data compliance, but we can also help you do so. With Brexit and the ruling in Schrems II, data compliance has become legally complex, but that does not mean a practical approach is impossible. The next big step in UK data law is whether or not the EU grants the UK an adequacy decision. The decision is currently in the comitology procedure, which means the EU member states need to agree the drafting. If an adequacy decision is reached, data will flow unimpeded between the EU and the UK. Regardless of that decision, however, references to legislation and the mechanisms relied upon for cross-border transfers will still need to be updated.

Other developments include the recent publication of updated Standard Contractual Clauses by the European Commission. This means that agreements which export EU data to a third country in reliance on Standard Contractual Clauses should be updated. The new versions also build in the means of meeting the new requirements for cross-border transfers that follow from Schrems II, which introduced an obligation to assess the laws of the destination country before going ahead with a transfer.

EM law specialises in technology and data protection law. Get in touch if you need advice on data protection law or if you have any questions on the above.



Managing Data – Software Services And AI Legal

Managing data is an essential part of operating a growth business. It is a cliché, often repeated, that data is now more valuable than oil. But, as with oil, it is how the resource is used that defines its value. Whereas oil can be relied upon to produce energy in all circumstances, data cannot be relied upon to produce useful insights at all times, so the means and purpose by which it is processed become all the more important. Given its potential, it is no surprise that initiatives, public and private, for managing data more effectively are commonplace. The law attempting to regulate this burst of activity grows more complex by the day. Here is our introduction to some general issues you may face when managing data for profit, or simply to improve the running of your business.

GDPR and Brexit

Before the GDPR came into force in all EU member states on 25 May 2018, the Information Commissioner stated in the ICO’s March 2017 paper, Big data, artificial intelligence, machine learning and data protection, that ‘it’s clear that the use of big data has implications for privacy, data protection and the associated rights of individuals… In addition to being transparent, organisations… need to be more accountable for what they do with personal data’.

At the end of the Brexit transition period (1 January 2021), the GDPR became part of a new body of retained EU law, essentially replicating the old regime in the UK alongside the Data Protection Act 2018. Data protection legislation in the UK is now comprised of the UK GDPR and the DPA 2018. From a UK perspective, the GDPR operating in the EU is known as the EU GDPR.

As the EU GDPR continues to have extra-territorial effect (Article 3, EU GDPR), it may continue to apply to UK organisations that act as controllers or processors and have an establishment in the EU, or that offer goods or services to data subjects in the EU, or that monitor the behaviour of data subjects in so far as that behaviour takes place within the EU. UK businesses could therefore find themselves subject to parallel regulatory regimes under both the UK GDPR and the EU GDPR.

Are you managing data as a processor or controller?

If you offer a service, for example a software platform that allows companies to process personal data, it will often be prudent to ensure you are characterised as a data processor, and not a data controller, for data protection purposes. This is because data controllers bear primary responsibility for the personal data involved, whereas data processors have fewer obligations under data protection law. A processor essentially processes data on the instructions of the controller, whilst the controller determines ‘the purposes and means’ of processing the personal data (Article 4(7), UK GDPR). A helpful way of thinking about it is that a data controller has direct duties to data subjects, whereas a data processor’s duties are owed to the data controller.

The distinction between controller and processor in an AI context was first considered in the ICO’s July 2017 decision on an agreement between the Royal Free Hospital and Google DeepMind. Under the agreement, DeepMind used the UK’s standard, publicly available acute kidney injury algorithm to process the personal data of 1.6 million patients. The ICO found that the hospital had failed to comply with data protection law and ordered it to commission an audit of the system. The hospital’s law firm, Linklaters, concluded in the resulting report, Audit of the acute kidney injury detection system known as Streams, that DeepMind had been properly characterised as a data processor. This was because Streams ‘does not use complex artificial intelligence or machine learning to determine when a patient is at risk of acute kidney injury. Instead, it uses a simple algorithm mandated by the NHS’. It was therefore the lack of complexity in the ‘means’ of processing the personal data that meant DeepMind was considered a data processor. A complex algorithm of DeepMind’s own devising would have involved a degree of agency on its part that could have rendered it a data controller; as it was, its service was simple enough to amount to nothing more than following the hospital’s instructions. This grey area should concern anyone planning to use AI to analyse personal data: make an algorithm too complex and you may take on the role of a data controller, and hence liability towards data subjects.

Anonymisation

Managing data to make it anonymous would fall under UK data protection laws. This is because the purpose for which the personal data was originally collected needs to be aligned with the purpose for which it is later anonymised. In certain circumstances, collecting personal data in the first place is not necessary at all, and avoiding it is highly desirable for businesses that wish to process the remaining data as they see fit. If the data is originally collected in an anonymous format, then UK GDPR no longer applies. As GDPR states at recital 26, ‘the principles of data protection should… not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’.

In an ICO report, Anonymisation: managing data protection risk code of practice, the ICO lists anonymisation as one of its six key recommendations for AI. It states ‘organisations should carefully consider whether the big data analytics to be undertaken actually requires the processing of personal data. Often, this will not be the case; in such circumstances organisations should use appropriate techniques to anonymise the personal data in the data sets before analysis’.

Profiling and automated decision making

AI’s ability to uncover hidden links in data about individuals and to predict individuals’ preferences can bring it within the GDPR’s regime for profiling and automated decision making. Article 22(1) states that ‘a data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her’.

However, this is qualified by article 22(2) which states that this right does not apply to a decision that ‘(a) is necessary for entering into or performance of a contract between data subject and data controller; (b) is authorised by… law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent’.

This is further qualified: ‘in the cases referred to in points (a) and (c)…, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, (including) at least the right to obtain human intervention on the part of the controller, to express his or her point of view or contest the decision’. Having automated decision making within software performing data analysis can therefore introduce new obligations, which are often onerous for a data controller. These can include the need to perform a Data Protection Impact Assessment or to obtain explicit consent from data subjects.

Other suggested compliance mechanisms

The ICO makes five recommendations for using AI to analyse data:

  • Privacy notices.
  • Data protection impact assessments – embed a privacy impact assessment framework into data processing activities to help identify privacy risks and assess the necessity and proportionality of a given project.
  • Privacy by design – implementing technical and organisational measures to address matters including data security, data minimisation and data segregation.
  • Ethical principles.
  • Auditable machine learning algorithms.

Treasure trove

Finding new and innovative ways of managing data is a treasure trove many wish to unlock. It is important to be wary of the growing regulatory landscape underpinning the sector. The world was shocked by the accusations made against Cambridge Analytica, and making sure you display compliance is a must for maintaining a good reputation and attracting clients. With Brexit comes the complexity inherent in potentially diverging legal regimes. Being up to date on the development of the Privacy and Electronic Communications Regulations (PECR) will also be useful. Read our blog on PECR here.

EM law specialises in technology and data protection law. Get in touch if you need advice on data protection law or if you have any questions on the above.



Systems Integration Contracts: Co-op v IBM

Systems integration contracts govern the relationship between the parties involved in an IT implementation project. Such a contract can make for a complicated relationship and a messy dispute, as seen in CIS General Insurance v IBM [2021] EWHC 347. Few of these kinds of projects ever see their day in court, arguably due to inherent complexities and the expense of their unpicking. This case concerned the implementation by IBM of a new IT solution for Co-op’s insurance business. The agreement was supposed to deliver the system by December 2017 and used an Agile methodology (read our blog).

Success with system integration contracts often relies upon customer co-operation and participation as much as the supplier’s delivery. The simple question of defining what a customer wants from the outset can be a challenge when creating bespoke software. A number of alternative contractual and management solutions (Agile for example) have developed in an attempt to match this complexity. In short, systems integration contracts need to be meticulously thought through and understood. IBM’s failure to use relief mechanisms under its agreement with Co-op left them with few legs to stand on when their subcontractor failed to deliver, leading to an award of £15.8 million in damages to Co-op.

Customer’s requirements

In systems integration contracts, the purpose of a customer’s requirements section is to set out clearly and comprehensively all the functionality that the customer requires from the system. This is about letting the supplier know exactly what the project needs to achieve, which can be difficult, so customers often seek help from third parties. Consultants can be used to investigate the various interest groups within the customer’s company to discern exactly what is needed and then to write up the requirements document for the customer. Consultants can then also be instructed to undertake market research with a view to suggesting potential suppliers.

Specification

Once a customer’s requirements are known, it is then the supplier’s job to specify exactly how those requirements will be achieved. This means a more technical outline, often called a ‘specification’. The customer’s requirements therefore represent the customer’s interests and the specification represents the supplier’s abilities. This opens up a spectrum of ways for the two parties to contract. Firstly, a customer could agree that it doesn’t care how its requirements are achieved so long as they are achieved. Secondly, a customer could agree to accept a product that fulfils all the obligations a supplier sets for itself in a specification. Thirdly, there could be some kind of balance between the two, which gives the supplier an assurance that certain specifications will be accepted by the customer, but also gives the customer confidence that its requirements will be met. The third option is likely to be the most desired, but also the most difficult to communicate in a contract. This is why various alternative approaches have emerged, such as Agile, with a view to making software development more co-operative. However, as seen in CIS v IBM, the Agile Alliance’s manifesto principle ‘customer cooperation over contract negotiation’ proved ineffective when IBM was held to be responsible for critical delays to this very large ‘Agile at scale’ project.

Timetables

Timetables give suppliers the opportunity to outbid other potential suppliers at the tender stage – pushing down their delivery time to the greatest possible extent. It is no wonder, therefore, that IT projects are notorious for exceeding their original contractual timetables. This can be the result of a number of factors, and not just overly aggressive bidding: it could be due to customer changes or faults made by the supplier. This is all tied together by the fact that timetables are usually unrealistic at the outset.

It should therefore be in both parties’ interests to try to be as realistic as possible when it comes to timetabling in systems integration contracts. It can also be useful to introduce phase-level assessments, which mean that customers have to accept early stages of development before moving on to later ones. This is where a third party consultant or project manager can come in handy – someone who can introduce a stronger notion of objectivity.

Intellectual property rights

Ownership in, or licensing of, intellectual property rights in the software being supplied is a fundamental consideration in software projects and must be addressed in systems integration contracts. It may seem logical that the creation of software for a customer should lead to the intellectual property rights in that software being transferred to the customer when such projects are finalised. However, the current trend is towards the granting of licences to customers. This is because the bespoke software developed on the project will often include modules which the supplier has already created and may even be licensing to other customers. If the licence rights are wide enough and the customer’s use of the software is for its own internal operations, then in practice it shouldn’t matter whether the software is owned or licensed by the customer as far as the customer’s use of the software is concerned. However, what if the customer is undertaking the project in order to give it some competitive advantage? This advantage would be undermined if a supplier was able to license the new software to competitors.

Another consideration is that, given the extensive involvement of customers in such projects, it can often be the case that key ideas underpinning the development of the software have the potential to come from the customer – what rights should the customer receive (if any) as a result of its input into the development of the software?

Acceptance

It is common practice to include acceptance testing clauses in systems integration contracts. Without such provisions there is greater scope for debate between the parties around whether the supplier has created software that does what it is supposed to. A failure of acceptance tests usually gives rise to an obligation for the supplier to fix the software and re-submit it for testing. If the product continues to fail, this usually gives customers the option to:

  • Ask for the product to be fixed and tested again.
  • Accept the system with its faults, but with a reduction in price.
  • Introduce a third party to carry out the work.
  • Terminate the contract.

CIS General Insurance v IBM

This recent case is a compelling warning of how systems integration contracts can go awry. From the start of the second phase of user acceptance testing in October 2016 until termination, 1,784 defects were recorded, of which 116 were severity level one, 432 severity level two, 1,052 severity level three and 184 severity level four, with a defect in severity level one or two constituting a failed acceptance test. This put IBM in a sticky situation, not helped by its failure to obtain relief for certain problems when they were attributable, in part, to the customer (Co-op). This was because IBM needed to promptly serve notice of such customer caused problems, which it failed to do.

The case ended up taking nearly three years to get to court, with the parties then spending two months in court and a judgement taking a year to be finally produced. IBM was deemed to have successfully excluded liability for “indirect or consequential losses, or for loss of profit, revenue, savings (including anticipated savings), data, goodwill, reputation (in all cases whether direct or indirect” and so Co-op’s primary claim for £128 million of wasted costs on the abandoned project was dismissed. Co-op was successful in its secondary claim for additional costs incurred in supporting the project as a result of IBM’s breaches and was awarded £15.9 million in damages, set off by a £2.9 million counterclaim against Co-op resulting from an unpaid invoice.

Final observations

It can easily be argued that IBM’s failure to ensure its subcontractor delivered was the main cause of its downfall. But that doesn’t make this case a simple question of a supplier failing to supply. The nature of the agreement, being a systems integration contract, meant that Co-op (the customer) had obligations to ensure the system delivered all it needed. When Co-op failed to co-operate correctly, IBM (the supplier) failed to serve notice to claim against such customer failings, leaving it with nothing more than a defect ridden piece of software and a set of customer caused problems which it had failed to properly address. Systems integration contracts need to be thoroughly understood before such projects go ahead. Otherwise you could find yourself in a similarly sticky situation.

EM law specialises in technology law. Get in touch if you need advice on systems integration contracts or other technology law matters.



UsedSoft Today – Software Licensing, SaaS and Brexit

Software licensing was thrown into controversy by the 2012 case UsedSoft GmbH v Oracle International Corp (C-128/11) (UsedSoft). The case questioned the instances in which a licensee would be able to re-sell purchased software. With the rise of cloud computing, and Software-as-a-Service (SaaS) consequently becoming a more attractive option for developers and consumers, the significance of the ruling has decreased. Brexit has also had an impact. We felt it was time to review the impact UsedSoft has had in the technology sector, noting that its growing irrelevance is very much a sign of the times and of the future.

Exhaustion Principle

It seems common sense, especially when physical objects are in mind, that once a person has purchased an item, that purchaser has gained the right to sell the item on. Second hand cars, second hand books, second hand furniture – where would my mid-twenties self be without such amenities. The logic therefore follows that such an ability should extend to digital goods: e-books, say (as explored in Nederlands Uitgeversverbond and Groep Algemene Uitgevers v Tom Kabinet Internet BV and Others (C-263/18)), or, as in UsedSoft, software.

This ability is covered in Article 4 of Directive 2009/24/EC (Software Directive), which details the legal protection of computer programs and software licensing in EU law. The legislation goes as follows:

  1. A computer program rightsholder has the exclusive right to do or authorise:

“(a) the permanent or temporary reproduction of a computer program by any means and in any form, in part or in whole; in so far as loading, displaying, running, transmission or storage of the computer program necessitate such reproduction, such acts shall be subject to authorisation by the rightsholder;

(b) the translation, adaptation, arrangement and any other alteration of a computer program and the reproduction of the results thereof, without prejudice to the rights of the person who alters the program;

(c) any form of distribution to the public, including the rental, of the original computer program or of copies thereof.

  2. The first sale in the Community of a copy of a program by the rightsholder or with his consent shall exhaust the distribution right within the Community of that copy, with the exception of the right to control further rental of the program or a copy thereof.”

A slightly headache inducing bit of legislation on first read, it essentially means that, in certain circumstances (Article 4(2)), when you sell a copy of a program, or piece of software, you exhaust the right to distribute that sold copy. The legislation therefore needed case law to define exactly what ‘selling’ meant in this context. That’s where UsedSoft came in, defining it within the context of software licensing.

UsedSoft ruling

The European Court of Justice (ECJ) ruled in UsedSoft that under Article 4(2) the right to distribute a copy of a computer program was exhausted if the rightsholder permitting the download of the copy from the internet to a licensee had also granted a right to use that copy for an unlimited period of time. It was also required that a lump sum be paid for the licence. It therefore follows that the purchaser could sell a computer program (piece of software) licensed under these conditions on to someone else.

Arguably the biggest consequence was that software developers/vendors could not rely on contractual provisions in these circumstances when trying to protect against transfer or assignment following a purchase. If software is licensed for an unlimited period for a lump sum, the exhaustion principle will apply, regardless of the terms of the relevant contract.

UsedSoft’s limitations

The ECJ did qualify its ruling on software licensing with the following points:

  • The exhaustion principle would not apply to maintenance agreements related to the software licence i.e. whoever the purchaser would sell the software on to could not receive the benefit of any maintenance agreement in place between the original licensee and seller.
  • The purchaser of the software who wishes to sell it on cannot divide up the licence i.e. you must sell the software as a single package in the way you originally bought it.
  • When the resale occurs, the original purchaser of the software who is performing the resale must render its version/copy of the software unusable.

Software-as-a-Service

Increases in cloud computing capabilities have rendered software licensing under the UsedSoft model, i.e. for a one-off fee for an unlimited period of time, increasingly rare. Cloud computing has meant that software developers/vendors can make software available over the cloud on a subscription basis. This means they can run the program on their own servers and update it without having to send anything physical to customers (as used to be the case with CD-ROMs etc.).

The SaaS model essentially means that no software licence exists and that the software is really being provided as a contractual service. Such developments away from unlimited licensing to subscription based servicing have made the ruling in UsedSoft less and less relevant. UsedSoft will only apply to software licensed for an unlimited period for a lump sum.

For more information on SaaS and software licensing read our blogs: SaaS Contracts – Things To Look Out For; Software as a Service (SaaS) – Some Key Aspects and Software Licences – Different Legal Structures.

Brexit

On 31 January 2020, the UK left the EU and the UK-EU withdrawal agreement entered into force. Following the end of the transition period on 31 December 2020, retained EU Law was created, the remaining withdrawal agreement provisions came into operation, and the future relationship agreements (including the UK-EU trade and co-operation agreement (TCA)) started to apply on a provisional basis.

All EU case law, including UsedSoft, that was current at the end of the transition period was retained as part of UK law. However, the UK courts may depart from that case law, subject to certain limitations set out in the UK-EU agreement.

The TCA replaces the EU rules on freedom of movement of goods with a more limited free trade area regime and, going forward, effectively brings to an end in the UK the EU rules on freedom of movement of services. This applies to intellectual property rights and therefore to software licensing, as shown by Part Two, Heading One, Title V (Intellectual Property) of the TCA, which simply states that the TCA:

“does not affect the freedom of the parties to determine whether and under what conditions the exhaustion of intellectual property rights applies”.

The position on exhaustion of rights in the UK is now covered by the Intellectual Property (Exhaustion of Rights) (EU Exit) Regulations 2019 and for the moment favours EU developers/vendors. This legislation makes the relevant changes:

  • Any software put on the market before 2021 in the UK or EU, and to which the exhaustion principle applies, will continue to be deemed exhausted for distribution rights as per the Software Directive and ruling in UsedSoft.
  • For software placed on the market in the EU after 2020, exhaustion will apply in the UK. Therefore a UK software developer/vendor cannot stop an EU purchaser of their software selling it back into the UK once it has been exhausted.
  • For software placed on the market in the UK after 2020, exhaustion will not apply in the EU. Therefore an EU software developer/vendor can stop a UK purchaser of their software selling it back into the EU once it has been exhausted.

Sign of the times

UsedSoft’s effectiveness provides a useful microcosmic example of the development of software licensing. Firstly, its relevance has been diminished by increases in the capability of cloud computing and the Software-as-a-Service model, a trend that seems irreversible. This has changed the nature of agreements between software developers/vendors and customers. Secondly, Brexit has tipped the balance in favour of EU software developers/vendors for the time being, giving them the right to bar imports of their software sold in the UK under certain circumstances. How these two changes will continue to develop UK/EU software licensing law will be interesting to observe.

It is important to note that the UsedSoft ruling only applied to software and not to all digital goods. This was explored in the 2019 case, Tom Kabinet, mentioned above. In this instance it was ruled that the exhaustion principle did not apply to downloading an e-book for permanent use because that activity was covered by the communication to the public right, which is not exhaustible, whereas the distribution right in UsedSoft for software developers could be exhausted. It is unclear where a right becomes one of communication to the public rather than one of distribution, but Tom Kabinet seems to show that it is in some way based upon the nature of the digital good.

EM law specialises in technology law. Get in touch if you need advice on software licensing, SaaS and Brexit or have any questions on the above.



A Day In The Life Of A Paralegal At EM Law

Recording a single day in the life of a paralegal would be misleading. I often spend a whole day performing one task. So it wouldn’t give you much scope to focus on such a short time period. Rather I will describe an assemblage of many days. Given the current circumstances – working from home and away from the office – I have spent a lot of time doing this – writing blogs. I will cast my mind back to early March last year, when we were last in the office. I had been travelling to and from Shoreditch for a grand total of nine weeks. Neil and I would be bouncing ideas off one another and I felt I was learning a lot fast. Then, before I knew it, Neil became a disembodied voice on the phone or a floating head on my laptop. As the firm seemed to get busier and busier I found myself cut off from everyday discussions and updates. On the upside I had more time to think and Neil had time to send me challenging tasks with longer deadlines. Anyway, before describing the kind of work I do here is a semi-fictional account of a day in the Shoreditch office…

Day in the life of a paralegal

It’s January or February or March, it doesn’t matter because it’s cold. I step out of the crowd at Shoreditch High Street Station to cross the road and walk quickly through the few lively streets towards Old Street. I pass the Old Blue Last where I saw a gig a few weeks ago and a Japanese restaurant where Neil and I enjoyed Ramen once. And then through the revolving doors and into the atrium of the White Collar Factory. An impressive industrial modernist space with the utilities exposed on the ceiling and a chunky singular concrete column imposing and cylindrical.

I walk up the stairs and, after passing through many doors, enter our small office. Neil is either there, having arrived 3 or 4 hours earlier if he is particularly busy, or he may be yet to arrive if he has time to take his children to school. Often there is work to do on arrival – reviewing a contract drafted the day before which is to be sent to a client later that day or finishing a bit of research to present to Neil that morning. The day is then spent reading, researching, drafting, discussing, overhearing conversations with clients and dealing with new enquiries.

Research

A lot of time is spent researching specific points of law which I then present to Neil to help him take a view on how to move forward with a client. Examples include – cookie law, competition law for exclusive distribution agreements, incorporation of terms by reference into contracts, anti-money laundering legislation, bribery act, anonymising personal data etc. As you can see it’s a real mixed bag. I never know what the next bit of research will bring but the thing I probably spend the most time looking into is data protection. Given that the firm works for plenty of tech start-ups, data laws are often an area to be explored.

Reviewing

Reviewing contracts is a question of patiently sitting down and reading the document slowly and methodically. I tend to switch off completely from the outside world. The contracts can vary from software distribution agreements to drone tenders for governments in developing countries. Having a good eye for grammar and the logic needed to bind a contract together is important. I still feel like a novice but every time I review one of these documents I can tell I am improving. Which is satisfying.

Drafting

Drafting can seem daunting to someone at my stage. I have drafted supply of goods contracts, SaaS contracts, introducer agreements and a letter to be sent to Counsel for an opinion on a bit of litigation. I have made many mistakes and getting feedback from Neil has been crucial for my development. I have enjoyed the challenge and it is an opportunity to be creative given that you have to come up with the most elegant, simple and effective solution for a client. Which will always be unique to the situation at hand. Being adaptable and mindful of the client’s needs is therefore crucial.

Blogging

Less time spent in the office has meant more time for me to write blogs for the website and help with marketing. Writing blogs can be a fun exercise. It is similar to writing a short university essay, although your opinion is less important. At the same time it is important to write on the topics that clients will find useful and in language that is clear and relatable. This means one week I am writing about space law but the next about specific software agreements or the need for a representative under GDPR. Being engaging whilst helpful has been my aim.

New enquiries

I often speak to new clients over the phone and this is something in which my confidence has grown tremendously since working with EM law. You begin to get a sense of the kind of things clients are having issues with and you grow confidence in your own voice and ability to understand the issues at hand. My personal contact with clients themselves has been limited so this has been a good way of learning how to communicate in law.

Final observations

Reading. The more reading I do the better job I do on all accounts. Not giving up when you think you have looked everywhere for a piece of information is also important as you often find that just when you think all hope is lost, if you keep going, you find the bit of information you need in the next few clicks. Working as a paralegal at EM law is particularly exciting because of the close contact between myself and Neil which means I learn a lot about law, but it also gives it the feel of a start-up and each marketing decision is a new adventure.

Hopefully this gives you a rough idea of a day in the life of a paralegal. If you are thinking of a career in law I can definitely recommend it!



Draft Adequacy Decisions: Data Flows EU to UK

Draft adequacy decisions were published on 19 February 2021 by the European Commission (EC) for personal data transfers from the EU to the UK. The significance of the drafts is considerable given they are the first to be produced since the European Court of Justice’s (ECJ) ruling in Schrems II, which struck down the adequacy decision previously granted to the EU-US Privacy Shield.

The EC’s press release on the draft adequacy decisions stated that it has carefully assessed the UK’s law and practice on personal data protection, including the rules on public authorities’ access to personal data, and concluded that the UK ensures an ‘essentially equivalent’ level of protection to that guaranteed under the EU GDPR and Law Enforcement Directive.

What does adequacy mean?

‘Adequacy’ is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The UK is seeking adequacy decisions under both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).

The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary. The trade deal agreed between the UK and the EU means that the UK has a bridge until 30 June 2021 where data can continue to flow from the European Economic Area (EEA) to the UK whilst the adequacy decisions process takes place. The bridge can finish sooner than this if the EU adopts adequacy decisions in respect of the UK.

Transfers of data from the UK to the EEA are permitted. The UK Government has recognised EU Commission adequacy decisions made before the end of the transition period. This allows restricted transfers to continue to be made from the UK to most organisations, countries, territories or sectors covered by an EU adequacy decision.

Adequacy criteria

In order to draw conclusions on the UK’s data protection regime, the EC assessed a number of factors when producing the draft adequacy decisions:

  • UK constitution – especially in relation to the UK’s adoption of the rights in the European Convention on Human Rights in its UK Human Rights Act 1998.
  • UK data protection laws – particularly how the UK has adopted EU data laws following Brexit through the implementation of the UK GDPR and maintenance of the DPA 2018. This includes the incorporation of both the territorial and material scope of EU data law as well as definitions, principles and rights afforded to individuals. The main point being that they are all equivalent to those in the EU GDPR.
  • Restrictions on transfers outside of the UK – how, via the implementation of the UK GDPR, the rules on international transfers of data are as restrictive as under the EU GDPR, and how data subjects in the EU can therefore have confidence that onwards transfers of data will be effectively restrained.
  • Enforcement – the Information Commissioner’s Office (ICO) is the “independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules” and is equivalent to the various data protection authorities to be found throughout the member states of the European Union. The EC considered the number of cases investigated and fines imposed by the ICO, as a method by which to deduce its legitimacy.
  • Redress – here the EC highlighted the ability of data subjects to make complaints with the ICO, prosecute for damages under the UK GDPR and utilise the Human Rights Act 1998 to express their data rights, with the European Court of Human Rights as an ultimate source of authority.

Consequences of adoption

If adopted, the draft adequacy decisions will be valid for an initial term of four years, only renewable if the level of protection in the UK continues to be adequate. The drafts include strict mechanisms for monitoring and review, suspension or withdrawal, to address any problematic development of the UK system which will no longer be bound by EU privacy rules.

UK government response to the draft adequacy decisions

The UK government has welcomed the draft adequacy decisions, urging the EU to fulfil its commitment to complete the approval process swiftly. The Information Commissioner described the progress as "an important milestone in securing the continued frictionless data transfers from the EU to the UK".

The draft adequacy decisions are now with the EDPB for a "non-binding opinion", following which the EC will request approval from EU member states' representatives. It could then adopt final adequacy decisions. Until then, organisations continue to be able to receive personal data from the EU under the temporary "bridging mechanism", agreed in the EU-UK Trade and Cooperation Agreement.

Schrems II

The draft adequacy decisions also include a detailed assessment of the conditions and limitations, as well as the oversight mechanisms and remedies applicable in case of access to data by UK public authorities, in particular for law enforcement and national security purposes. These are likely included to address the ECJ's ruling in Schrems II and concerns over the UK's use of mass surveillance techniques.

In Schrems II, the ECJ ruled that free data flows moving from the EU to certain US organisations under the EU-US Privacy Shield did not offer an essentially equivalent level of protection to that under EU law. This was substantially based on the finding that national security laws in the US undermined citizens’ data rights. When assessing the UK, the ECJ, in light of the ruling in Schrems II, was always going to pay close attention to UK national security laws. Additionally, Schrems II introduced more stringent obligations on organisations carrying out cross-border data transfers, and so there has been a general concern that this newly stringent approach might reduce the UK’s chance of receiving an adequacy decision. The drafts can therefore be seen as a highly positive step.

What stands in the UK’s way?

Although the process for an adequacy decision under the EU GDPR is now underway, with the draft adequacy decisions in place, and although the UK government has stated on a number of occasions that it is confident the EU will deem the UK data protection regime ‘essentially equivalent’, it is worth noting that a number of issues may affect the UK's ability to satisfy the EU:

  • The UK's use of mass surveillance techniques may lead to EU member states raising concerns about data protection in the UK, which might jeopardise an Adequacy Decision. The ruling of the ECtHR which held that aspects of the UK's surveillance regimes under the Regulation of Investigatory Powers Act 2000 (RIPA) did not comply with Articles 8 and 10 of the ECHR, is particularly relevant (Big Brother Watch and others v United Kingdom). The human rights groups which brought the claim were not satisfied with the judgment and appealed to the Grand Chamber, the ECtHR's highest judicial bench.
  • Membership of the Five Eyes intelligence sharing community means EU citizens' data could be transferred by UK security services to third countries (including the US) which are not considered to have adequate data protection.
  • Potential for unprotected onward data transfers as the UK will be able to decide which countries it deems adequate and what arrangements to have with them.

The draft adequacy decisions - a positive step

Although nothing can be taken for granted, the draft adequacy decisions are a positive step, and the fact that the UK has committed to remaining party to the ECHR and "Convention 108" will likely carry some leverage, as adherence to such international conventions is important for the stability and durability of adequacy findings.

If you have any questions on the draft adequacy decisions, data protection law more generally or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


E-privacy

E-Privacy – PECR and Brexit

E-Privacy regulations complement data protection laws by setting out privacy rights for electronic communications. The idea is that, whilst widespread public access to digital mobile networks and the internet has opened up new possibilities for businesses and users, it has also created new risks for privacy. E-Privacy regulations have been a point of contention within the EU and reform has been expected for some time. On 10 February 2021, four years after the European Commission’s initial legislative proposal and to the surprise of many, the European Council reached a compromise agreement on its position on the E-privacy Regulation. What this means for E-privacy rules in the UK remains to be seen. With Brexit behind us, and therefore no obligation to introduce new EU legislation in the UK, but with an adequacy decision pending, and therefore a desire for the UK to align with the EU on data protection, it is hard to say whether or not the UK will choose to implement them. For more information on data protection and a potential adequacy decision after Brexit, read our blog.

E-Privacy and PECR

PECR are the Privacy and Electronic Communications Regulations which comprise the E-privacy regulations in the UK. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003. They are derived from European law. PECR have been amended a number of times. The more recent changes were made in 2018, to ban cold-calling of claims management services and to introduce director liability for serious breaches of the marketing rules; and in 2019 to ban cold-calling of pensions schemes in certain circumstances and to incorporate the GDPR definition of consent.

What kind of areas do PECR cover?

PECR cover several areas:

  • Marketing by electronic means, including marketing calls, texts, emails and faxes.
  • The use of cookies or similar technologies that track information about people accessing a website or other electronic service.
  • Security of public electronic communications services.
  • Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg caller ID and call return), and directory listings.

How does this fit with the UK GDPR?

The UK GDPR sits alongside PECR. PECR rules apply and use the UK GDPR standard of consent (which is a high threshold). This means that if you send electronic marketing or use cookies or similar technologies you must comply with both PECR and the UK GDPR. Unsurprisingly, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the UK GDPR, and vice versa – but there are some differences. In particular, it’s important to realise that PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.

If you are a network or service provider, Article 95 of the UK GDPR says the UK GDPR does not apply where there are already specific PECR rules. This is to avoid duplication, and means that if you are a network or service provider, you only need to comply with PECR rules (and not the UK GDPR) on:

  • security and security breaches;
  • traffic data;
  • location data;
  • itemised billing; and
  • line identification services.

Electronic and telephone marketing

PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies. Companies will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.

E-Privacy: Cookies and similar technologies

Companies must tell people if they set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given. There is an exception for cookies that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking). The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.

Communications networks and services

PECR are not just concerned with marketing by electronic means. They also contain provisions that concern the security of public electronic communications services and the privacy of customers using communications networks or services. Some of these provisions only apply to service providers (e.g. the security provisions) but others apply more widely. For example, the directories provision applies to any organisation wanting to compile a telephone, fax or email directory.

EU Council position on E-Privacy rules

On 10 February 2021, EU member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services. These updated E-privacy rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices. The agreement allows the Portuguese presidency to start talks with the European Parliament on the final text. The agreement included:

  • The regulation will cover electronic communications content transmitted using publicly available services and networks, and metadata related to the communication. Metadata includes, for example, information on location and the time and recipient of communication. It is considered potentially as sensitive as the content itself.
  • As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the E-privacy regulation.
  • Permitted processing of electronic communications data without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security.
  • Metadata may be processed for instance for billing, or for detecting or stopping fraudulent use. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed. Metadata may also be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters.
  • In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent or certain provisions on legislative measures under EU or member state law. This processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it.
  • As the user’s terminal equipment, including both hardware and software, may store highly personal information, such as photos and contact lists, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific transparent purposes laid down in the regulation.
  • The end-user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.
  • To avoid cookie consent fatigue, an end-user will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment.

Brexit

PECR continues to apply after the UK's exit from the EU on 31 January 2020. The draft ePR, described in detail above, which is still in the process of being agreed, was not finalised before 31 January 2020 and will therefore not become directly applicable in the UK. Once it is directly applicable to EU member states (which is likely 24 months after its coming into force), the UK will then need to consider to what extent to mirror the new rules. In any case, given that UK companies will continue to process data of EU end users, it will still be necessary to be aware of any discrepancies created by E-privacy reform in the EU.

The deadlock is over

It has long been considered that EU E-privacy regulations have lagged behind the technological progress seen in online marketing techniques and EU negotiations around reform have at times seemed never-ending. The agreement reached by the EU council will therefore be seen as a necessary improvement in legal certainty, although plenty of questions still abound.

PECR in its pre-reformed state will continue to apply in the UK. On 19th February 2021, the European Commission issued its draft adequacy decision that would allow EU-to-UK data transfers. While the E-privacy Regulation is not strictly relevant to the UK’s continued adequacy status, alignment on E-privacy rules would likely be viewed positively by the EU institutions, which could prompt the UK to update its laws in line with the new EU regime. The reforms will of course also be relevant to any UK business that operates in the EU. Even if the Regulation is finally adopted this year, it will not apply for a further two years, meaning these changes will likely not come into effect until 2023 at the earliest.

If you have any questions on E-privacy and data protection, data protection law more generally or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Space Law

Space Law: The Commercial Space Race Begins

Space law is the body of law governing space-related activities, encompassing both international and domestic agreements, rules, and principles. Parameters of space law include space exploration, liability for damage, weapons use, rescue efforts, environmental preservation, information sharing, new technologies and ethics. SpaceX, in May 2020, became the first private company to send humans to space. What this implies is hard to say. A recent article in the Harvard Business Review sees the sky, or should I say heavens, as the limit. With a healthy interplay between public and private investment, international co-operation and a rule of law suited to this harsh environment, it suggested that NASA’s prediction, in their 1977 report ‘Long-Term Prospects For Developments In Space’, that extra-terrestrial economies could one day outstrip terrestrial ones, was not so far-fetched. The Artemis Accords, signed in 2020 by the directors of 10 national space agencies, also indicate a shift towards space law that better accommodates commerce.

Space-for-space economy

An important distinction made in the Harvard Business Review article was between a space-for-earth economy and a space-for-space one. The space-for-earth economy uses space to deliver benefits to those on earth: the use of satellites for telecommunications, internet infrastructure, earth observation capabilities and national security. The real shift will be when companies are able to offer services in space for use in space – the space-for-space economy. However, creating such a market will require the existence of consumers beyond the stratosphere, which may not exist for some time. In the meantime private companies will have to rely on public contracts. Hopefully, being able to supply government space agencies will enable and invigorate supply to future commercial markets. Here are some examples of work being done:

  • SpaceX hopes to support transportation for large numbers of private space travellers. Currently their space-for-space transport solutions have been for government bodies (NASA) only. But with future decreases in the cost of launching spacecraft, SpaceX could be instrumental in putting people into space and creating the demand necessary for a space-for-space economy to develop.
  • Made In Space, Inc. is currently exploring high-quality fibre-optic cable, manufactured in zero gravity, for sale on earth. The company also recently received a $74 million contract to 3D-print large metal beams in space for use on NASA spacecraft. Such construction capabilities will be essential in a developing space-for-space economy.
  • In February 2020, Maxar Technologies was awarded a $142 million contract from NASA to develop a robotic construction tool that would be assembled in space for use on low-Earth orbit spacecraft. Such tools will be just as useful for a future private sector.
  • In 2015 Argotec and Lavazza collaborated to build an espresso machine that could function in the zero-gravity environment of the International Space Station. Such luxuries will be crucial for the development of an economy in space, even if for the moment they are mostly publicity stunts.
  • In 2010, Planetary Resources, Inc. and Deep Space Industries were set up with space mining (lunar mining) as their objective. Both failed because the lack of a space-for-space economy made the cost of extracting minerals to be brought back and sold on earth too high to be viable. The natural resources known to exist on the moon will, if a space-for-space economy develops, become big business.

Space law

In what legal system is this commercial activity taking place? Space law is by its nature extra-terrestrial and extra-territorial. Accordingly, its usage is governed by an extensive international legal framework, under the aegis of the United Nations (UN), made up of treaties, agreements and conventions governed by international law, which may be implemented into national law. The Artemis Accords have reinforced many of these frameworks and laid the groundwork for more commercially orientated space law.

The Artemis Accords

The Artemis Accords are named after the NASA project which aims to send the first woman and another man to space by 2024. They are an international agreement for cooperation in the civil exploration and use of the Moon, Mars, comets, and asteroids for peaceful purposes, and are grounded in what is often considered the foundation of space law, the Outer Space Treaty of 1967. The stated purpose of the Artemis Accords is to "provide for operational implementation of important obligations contained in the Outer Space Treaty and other instruments." The provisions:

  • Affirm that cooperative activities under these Accords should be exclusively for peaceful purposes and in accordance with relevant international space law.
  • Confirm a commitment to transparency and to share scientific information, consistent with Article XI of the Outer Space Treaty.
  • Call for a commitment to use reasonable efforts to utilize current interoperability standards for space-based infrastructure, and to establish standards when they do not exist or are inadequate.
  • Call for a commitment to take all reasonable efforts to render necessary assistance to personnel in outer space who are in distress.
  • Specify responsibility for the registration of objects in space.
  • Call for a commitment to publicly share information on their activities and to the open sharing of scientific data.
  • Include an agreement to preserve outer space heritage, which they consider to comprise historically significant human or robotic landing sites, artifacts, spacecraft, and other evidence of activity, and to contribute to multinational efforts to develop practices and rules to do so.
  • Include an agreement that extraction and utilization of space resources should be conducted in a manner that complies with the Outer Space Treaty and in support of safe and sustainable activities. The signatories affirm that this does not inherently constitute national appropriation, which is prohibited by the Outer Space Treaty. They also express an intent to contribute to multilateral efforts to further develop international practices and rules on this subject.
  • Provide for the announcement of "safety zones", where operations of other nations or an anomalous event could reasonably cause harmful interference.
  • Include a commitment to mitigate space debris and to limit the generation of new, harmful space debris in the normal operations, break-up in operational or post-mission phases, and accidents.

National framework – UK

The UK has some of its own space law. The UK Outer Space Act 1986 sets out the UK's obligations under the various international treaties and principles covering the use of outer space. This Act also covers entities in certain of the UK's overseas territories and the Channel Islands, as well as the Isle of Man, and requires all those seeking to launch or procure the launch of a space object, operate a space object or undertake any activity in outer space, to obtain a licence. Licensing and other powers are conferred on the Secretary of State for the Department of Business, Energy and Industrial Strategy (BEIS), who carries out these powers through the UK Space Agency (UKSA). The UKSA was launched in April 2010, bringing all UK civil space activities under one single management. The UKSA began operation as a full executive agency on 1 April 2011.

The Space Industry Act 2018 is space law intended to make provision for space activities including vertical launches and suborbital activities in the UK. The UK government intends that licences under it, including for launch and sub-orbital activities, will be granted by 2021. Secondary legislation will be enacted to cover specific aspects of the Act, including licensing and insurance requirements.

Liability

The status and liability of commercial use of outer space, including the moon and other celestial bodies, is not very clear under the existing space law regimes. According to Article VI of the Outer Space Treaty 1967 and Articles II and III of the Liability Convention 1972, the country in which the launch of the spacecraft takes place is liable for any activities in outer space. Even in the case of non-governmental activities, the launching state is liable. Possible litigation relating to commercial activities mainly concerns the financial consequences of damage caused, and also the technical complications that private entities face in the case of the supply of defective parts to national space agencies.

Legal status of resource exploitation

No nation claims ownership of any part of the Moon's surface, and the international legal status of mining space resources is unclear and controversial.

Russia, China, and the United States are party to the 1967 Outer Space Treaty (OST), which is the most widely adopted treaty, with 104 parties. The OST offers imprecise guidelines for newer space activities such as lunar and asteroid mining, and it therefore remains under contention whether the extraction of resources falls within the treaty's prohibitive language on appropriation. Although its applicability to exploiting natural resources remains in contention, leading experts generally agree with the position issued in 2015 by the International Institute of Space Law (IISL) stating that, “in view of the absence of a clear prohibition of the taking of resources in the Outer Space Treaty, one can conclude that the use of space resources is permitted”.

Seeking clearer regulatory guidelines, private companies in the US prompted the US government to legalise space mining in 2015 by introducing the US Commercial Space Launch Competitiveness Act of 2015. Similar national legislation legalising extra-terrestrial appropriation of resources is now being replicated by other nations, including Luxembourg, Japan, China, India and Russia. This has created an international legal controversy over mining rights for profit. James R. Wilson, a legal expert, stated in 2011 that the international issues "would probably be settled during the normal course of space exploration." In April 2020, U.S. President Donald Trump signed an executive order to support moon mining.

The final frontier

With the huge commercial potential that space offers comes the huge mobilisation required for its realisation. More than a little bit of luck will be needed to see dreams realised in the near future. Three things are certain: the private sphere will need invigoration by both government contracts/investment and their willingness to deregulate, such as allowing private space travellers to take on more safety risks than government funded ones; a vigorous upholding of the rule of law will create a bedrock for competitiveness; and a transcendence of geopolitical divides will ensure safe and unimpeded economic development.

Whilst the Artemis Accords have introduced some co-operation between nations on the question of how to regulate activity in space, they lack two signatories, China and Russia, and fail to clarify whether, under space law, resource extraction could constitute national appropriation of areas in space.

EM law specialises in technology law. Get in touch if you have any questions on the above.