Legal checklist for startups

Legal Checklist For Startups - A Quick Guide

Starting a business can be hectic – hopefully this legal checklist for startups will help you avoid falling into the kinds of traps that we often see businesses falling into before they come to us for advice.

Ideally you want to have all of the following in place as soon as possible:

  • Customer contracts
  • Supplier contracts
  • Staff contracts
  • Data protection compliance
  • Licence to occupy / lease
  • Shareholder agreement
  • Legal notices / policies
  • Insurance
  • Tax
  • Companies House
  • Other

Legal Checklist For Startups: Customer Contracts

If you do not have proper contracts in place with your customers then there’s a high risk that sooner or later there will be a problem. If the goods or services that you are supplying are low priced or if you take payment in advance then the risk of non-payment for those goods or services shouldn’t hurt you as long as non-payment only happens rarely. However, a contract is not just there to protect you from non-payment. If your contract isn’t clear on things like when it starts, how it ends and what the goods or services are that you are delivering then you run the risk of having time-consuming arguments with your customers about what the true position is or worse, they sue you. Other clauses can be very important as well such as clauses limiting your liability and ownership / licensing of intellectual property rights. If you don’t protect yourself properly in your contracts you are not just running the risk of being sued or losing your rights, you are running a business that investors won’t find attractive. Check out our blog here about what you should look out for in a contract.

Legal Checklist For Startups: Supplier Contracts

More often than not you will need to contract on your suppliers’ terms and conditions of business. The previous section refers to the kinds of things you need to look out for. If you can’t navigate your way around a contract then find someone who can help you if you are going to enter into a contract with a supplier that is important or high value. If you are having something crucial like software being built for you then you should get the contract checked but above all you should read what is put in front of you. Do not assume that the agreement will be fair or that because it is for a basic service it won’t contain “nasties”. It happens less so now thanks to paper being less prevalent in offices but in the past, many businesses fell foul of office photocopier contracts that tied them in to paying for support charges for 5 years or more.

Legal Checklist For Startups: Staff Contracts

You need to have appropriate contracts in place with your employees because it is a legal requirement. You should be able to source basic contracts at low cost. Basic contracts should cover you for an employee who, if they leave, is not going to hurt your business by working for a competitor or by taking confidential information such as client lists or intellectual property out of the business. However, if your business could be damaged in these scenarios, then ensure that your contracts are drafted by an employment lawyer who will include appropriate provisions to make it easier for you to take action against a departing or rogue employee. In practice, having properly drafted clauses restricting what a departing employee can and can’t do often prevents the mischief occurring in the first place.

Although there is no legal requirement to have a written contract in place with a consultant, the usual reasons for having written contracts in place with any supplier apply – clarity being one of them. Also, if your consultant is going to create anything for you, for example, software, reports, designs – i.e. things that contain intellectual property rights – then if you don’t include appropriate written clauses, the consultant will be the owner of those things that they are creating for you and your business will have limited rights to use them.

In addition to your employment contracts you should consider having a staff handbook drafted. The staff handbook contains your policies about behaviour and standards as well as disciplinary and grievance procedures. It makes things a lot easier to deal with if there is an issue with an employee down the line. If you are a high growth start-up then you should put a staff handbook in place from the outset.

Finally, it’s a legal requirement to offer your employees a pension so make sure you understand what you need to do in this regard.

Legal Checklist For Startups: Data Protection Compliance

Firstly, you need to register your business with the Information Commissioner’s Office and pay their fee.

All businesses need to comply with the retained EU law version of the General Data Protection Regulation ((EU) 2016/679), called the UK GDPR, along with the Data Protection Act 2018 (DPA 2018), and, if using such data to market to customers, the Privacy and Electronic Communications Regulations (PECR).

To comply with data protection laws you need to understand them and how they impact your business and then put appropriate policies and notices in place. It can be expensive getting professional advice but it will save you a lot of time because data protection compliance is complex and, in our experience, it is unlikely that you are going to get things right if you don’t seek professional help. If you are processing “special category data” i.e.

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; or
  • data concerning a person’s sexual orientation

then we highly recommend you obtain expert advice from the outset because the ICO is more likely to come down hard on an organisation that gets things wrong when they are processing this kind of data.

If you want to send marketing communications to your customers or potential customers then it is important to get your opt-in / opt-out messaging correct and to comply with PECR. Again, either follow online guidance or have an expert advise you.

Legal Checklist For Startups: Licence To Occupy / Lease

Most start-ups nowadays don’t take on the commitment of a lease, opting instead to use a serviced office on a 12 month licence to occupy. If you are going to sign up to a licence to occupy then make sure you have read and understood the terms. You must be clear on what payments your business will be liable for, looking out for those hidden extras. The other really important clauses are those around termination. Look out for a clause that says the licence will automatically renew for another 12 months unless appropriate notice to terminate is given by you. So many businesses miss this and then find themselves tied in for another 12 months.

If you are going to enter into a lease then get the lease checked by a lawyer who specialises in this area because leases often contain traps for the unwary. You are not going to spot the issues unless you are an expert and getting this wrong can be very costly.

Legal Checklist For Startups: Shareholders Agreement

If you have set up a company with someone else you should put a shareholders agreement in place, especially if you hold a minority of the shares. You don’t have to have one – you can rely on the articles of association of your company and company law to protect you and regulate how things are done in the company. But if you don’t have a shareholders agreement in place it makes things much harder to deal with if you fall out with the other shareholders. You probably will fall out at some point and we see this all the time – businesses coming to us for help because the shareholders can’t agree on how to do things. We have to try and resolve things often with another lawyer on the other side of the table and it ends up costing the business dearly when it wouldn’t have been the case if a shareholders agreement had been in place.

Legal Checklist For Startups: Legal Notices / Policies

Your website should be displaying a privacy notice and, if it is using cookies, a cookie notice. Other website notices such as acceptable use and website terms of use policies aren’t essential but they are very low cost to obtain, give you some protection and make you look the part.

If your business employs five or more people you must have a written health and safety policy.

Although not mandatory, you should put an equal opportunities policy in place. If you don’t then this can count against you if an employee claims discrimination.

If there is any risk at all of someone in your business or supply chain bribing another person then you should have an anti-corruption and bribery policy in place. If you don’t then it’s unlikely that you will be able to demonstrate that your company had adequate procedures in place to prevent bribery and criminal sanctions may be applied.

Legal Checklist For Startups: Insurance

If your business has staff you need to have employer’s liability cover in place – it’s a legal requirement.

Depending on the industry you are in, your regulator may require you to have other types of insurance in place such as professional indemnity insurance.

Legal Checklist For Startups: Tax

You must register your business with HMRC and pay tax. Engage an accountant for this.

Legal Checklist For Startups: Companies House

If you have set up a company in England & Wales then you must ensure that your filings are up-to-date at Companies House. Register for “Companies House Webfiling” so you or whoever you have outsourced to can make filings online.

Legal Checklist For Startups: Other

You should consider whether anti-bribery compliance is necessary for you. You can read more about this here and we have done a blog about the Bribery Act here. If you are providing services to the public sector, in an industry where bribery is medium risk or above (e.g. the construction sector) or working in jurisdictions where the corruption perception is medium risk or above you should put a compliance programme in place from the outset – having an anti-bribery policy is not enough.

If your business activities are regulated, you will need to register with and obtain the relevant consents from those regulators.

You should also consider:

  • Having a non-disclosure agreement ready to send to individuals / other businesses. It’s unlikely you will find investors right at the beginning but if you have built an exciting product then you may be able to find investment rapidly and you should put an NDA in place with potential investors before you start discussions.
  • Protecting your trademark. If you can live with changing your brand name if someone else comes along with the same or similar name then not to worry. If you can’t then register your trademark asap.

Final Thoughts

Hopefully you will find this legal checklist for startups useful. It’s very much a guide and you should do your research or ask for help around compliance issues specific to your industry. Good luck with your business and if we can be of any help please get in touch.


ICO Fines Transgender Charity Mermaids

The Information Commissioner’s Office (ICO) has fined charity Mermaids £25,000 for failing to keep personal data (some of which was sensitive personal data) secure. ICO fines for failing to comply with data protection laws can go up to £17.5 million or 4% of an organisation’s total worldwide annual turnover, whichever is higher.

Background

Mermaids is a charity that supports transgender and gender-diverse children and their families. It started out as a support group formed by parents whose children were experiencing gender incongruence. It registered with the Charity Commissioner in 1999. The Charity Commissioner’s website shows that most of Mermaids’ income is derived from donations and legacies with total income for the financial year ending 31 March 2020 standing at £902,437.

In August 2016 the CEO of Mermaids set up an internet-based email group service at https://groups.io. The CEO created GeneralInfo@Groups.IO so that emails could be shared between the CEO and the 12 trustees of the charity. The email service offered various settings for security and privacy:

  • “Groups listed in directory, publicly viewable messages”
  • “Group not listed in directory, publicly viewable messages”
  • “Group listed in directory, private messages” and
  • “Group not listed in directory, private messages”.

The Mermaids group email service was set up under the default option “Groups listed in directory, publicly viewable messages”.

The Groups.IO email service was in active use by Mermaids from August 2016 until July 2017. After it became dormant it continued to hold emails. In addition to communications between the trustees, the emails included some forwarded emails from individuals who were using Mermaids’ services. Those emails included personal data, in some cases relating to children, and some of the data was special category data (i.e. data concerning health, sex life or sexual orientation).

In June 2019 a service user of the charity, who was the mother of a gender non-conforming child, informed the CEO that she had been contacted by a journalist from the Sunday Times who had told her that her personal data could be viewed online. The journalist had informed the parent that by searching online he could view confidential emails including her child’s name, date of birth, mother’s name, her employer’s address, her mobile telephone number and details of her child’s mental and physical health.

On the same day, Mermaids received pre-publication notice from the Sunday Times that the emails were accessible online and the newspaper would be publishing an article about the incident.

Mermaids immediately took steps to block access to the email site and engaged lawyers. They began informing data subjects about the incident, contacted the ICO to report what had happened and took other measures to deal with the situation.

ICO findings

The ICO’s investigation found, amongst other things, that Mermaids had failed to put adequate measures in place to ensure the appropriate security of personal data and, as a result, 780 pages of confidential emails containing personal data relating to 550 individuals were searchable and viewable online by third parties for almost three years. The ICO also found that in the period May 2018 to June 2019 there was a negligent approach towards data protection at Mermaids, data protection policies were inadequate and there was a lack of adequate training. The ICO found that Mermaids should have applied restricted access to its email group, used pseudonymisation or encryption to add an extra layer of protection to the personal data it held, and shut down the email group correctly when it was no longer in use.

ICO fine

On 5 July 2021 an ICO fine was imposed on Mermaids of £25,000.

In arriving at the fine the ICO took into consideration:

  • Mermaids’ income
  • The gravity of the incident
  • The fact that special category data was made public
  • The duration of the data breach
  • The number of data subjects affected
  • The damage caused
  • The intentional or negligent character of the infringement
  • The action taken by Mermaids to mitigate the damage caused
  • The degree of responsibility of Mermaids taking into account the technical and organisational measures they implemented
  • Any relevant previous infringements
  • The degree of cooperation provided by Mermaids with the ICO in order to remedy the infringement and mitigate the damage caused
  • Other aggravating or mitigating factors

The ICO’s Monetary Penalty Notice (which gives further detail and explanation about the ICO’s findings) can be accessed here.

Comment

One never wants to see an organisation receiving an ICO fine. However, given the nature of the work that Mermaids does and the sensitivity of some of the personal data that was made public, the fine appears low. Many businesses, especially small businesses, will try and find ways to cut corners to make their budgets or resources stretch further. Some businesses, especially those who do not process special category data, may feel from reading this ICO decision that the worst that can happen to them if they do not have proper data protection processes in place is that they are going to be fined less than £25,000.

In its decision the ICO took into account not just “the prompt remedial action taken by Mermaids” but also that “this breach was highlighted in a national newspaper and that resulted in a degree of reputational damage to the charity”. It also seems that the fact that Mermaids was a charity had some bearing on the ICO decision with the ICO balancing the fine as a deterrent against not wanting to be “taking away donations made by the public.”

The ICO took into account the financial position of Mermaids. While we do not know what the content of Mermaids’ representations were in this regard, the charity made a loss for its financial year ended 31 March 2020 with total expenditure of £1,041,325 against income of £902,437. Without us knowing the true financial position, it appears that if Mermaids had received an ICO fine of, say, £250,000, this may well have caused the charity to shut down.

It is worth noting as well that, in addition to the ICO fine imposed, Mermaids’ costs for engaging lawyers and other consultants and dealing with the fallout from the incident would have been significant. Mermaids is also vulnerable to claims being brought against it by the data subjects themselves.

If you have any questions on data protection law or compliance please get in touch with one of our data protection lawyers.


Legitimate Interests

Legitimate Interests – Lawful Processing of Personal Data

When processing personal data legally, organisations have six possible reasons or ‘bases’ to rely upon: consent, contract, legal obligation, vital interest, public task or legitimate interests. Most of these are unambiguous, fulfilling a contract or protecting someone’s life for example. On the surface, ‘legitimate interests’ appears more open to interpretation. What will be considered legitimate? And whose interests will be taken into account? When all else fails, organisations often mistakenly look to legitimate interests as a basis for processing that furthers their business interest. Seeing legitimate interests as a fall-back is misguided. In many respects it is just as stringent as any of the other possible bases.

Legitimate Interests - Legislation

The UK GDPR describes legitimate interests as “processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

Legitimate interests is different to the other lawful bases as it is not centred around a particular purpose (e.g. performing a contract with the individual, complying with a legal obligation, protecting vital interest or carrying out a public task), and it is not processing that the individual has specifically agreed to (consent). Legitimate interests is more flexible and could in principle apply to any type of processing for any reasonable purpose.

Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual taking into account the particular circumstances. This is different to the other lawful bases which presume that your interests and those of the individual are balanced.

Three-part test

The ICO (UK data protection regulatory authority) interprets the legislation with a three-part test. The wording creates three distinct obligations:

  1. “Processing is necessary for…” – the necessity test, i.e. is the processing necessary for the purpose?
  2. “… the purposes of the legitimate interests pursued by the controller or by a third party, …” – the purpose test, i.e. is there a legitimate interest behind the processing?
  3. “… except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” – the balancing test, i.e. are the legitimate interests overridden by the individual’s interests, rights or freedoms?

Purpose test – what counts as a ‘legitimate interest’?

A wide range of interests may be legitimate interests. It could be your legitimate interests in the processing or it could include the legitimate interests of any third party. The term ‘third party’ doesn’t just refer to other organisations, it could also be a third party individual. The legitimate interests of the public in general may also play a part when deciding whether the legitimate interests in the processing override the individual’s interests and rights. If the processing has a wider public interest for society at large, then this may add weight to your interests when balancing these against those of the individual.

Examples

The UK GDPR does not have an exhaustive list of what purposes are likely to constitute legitimate interests. However, the recitals do say the following purposes constitute legitimate interests: fraud prevention; ensuring network and information security; or indicating possible criminal acts or threats to public security.

Therefore, if you are processing for one of these purposes you may have less work to do to show that the legitimate interests basis applies. The recitals also say that the following activities may indicate a legitimate interest: processing employee or client data; direct marketing; or administrative transfers within a group of companies.

However, whilst these last three activities may indicate legitimate interests, you still need to do some work to identify your precise purpose and show that it is legitimate in the specific circumstances, and in particular that any direct marketing complies with e-privacy rules on consent.

The necessity test

You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose. You need to decide on the facts of each case whether the processing is proportionate and adequately targeted to meet its objectives, and whether there is any less intrusive alternative, i.e. can you achieve your purpose by some other reasonable means without processing the data in this way? If you could achieve your purpose in a less invasive way, then the more invasive way is not necessary.

The balancing test

Just because you have determined that your processing is necessary for your legitimate interests does not mean that you are automatically able to rely on this basis for processing. You must also perform a ‘balancing test’ to justify any impact on individuals. The balancing test is where you take into account “the interests or fundamental rights and freedoms of the data subject which require the protection of personal data” and check they don’t override your interests. In essence, this is a light-touch risk assessment to check that any risks to individuals’ interests are proportionate. If the data belongs to children then you need to be particularly careful to ensure their interests and rights are protected.

Reasonable expectations

Recital 47 of the UK GDPR says “the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”

The UK GDPR is clear that the interests of the individual could in particular override your legitimate interests if you intend to process personal data in ways the individual does not reasonably expect. This is because if processing is unexpected, individuals lose control over the use of their data, and may not be in an informed position to exercise their rights. There is a clear link here to your transparency obligations.

You need to assess whether the individual can reasonably expect the processing, taking into account particularly when and how the data was collected. This is an objective test. The question is not whether a particular individual actually expected the processing, but whether a reasonable person should expect the processing in the circumstances.

How do you apply legitimate interests in practice?

The ICO guidance states that organisations should undertake the three-part test and document the outcome; this process is referred to as a "legitimate interests assessment" (LIA). The length of a LIA will vary depending on the context and circumstances surrounding the processing. LIAs are intended to be a simple form of risk assessment, in contrast to a data protection impact assessment (DPIA), which is a "much more in-depth end-to-end process". A LIA is also a potential trigger for a DPIA. The ICO confirms that there is no specific duty in the UK GDPR to undertake a LIA; however, as a matter of best practice, one should be undertaken by organisations in order to meet their obligations under the UK GDPR accountability principle.

Once a LIA has been undertaken and an organisation has concluded that the legitimate interests basis for processing applies, then it should continue to keep the LIA under regular review. Where a LIA identifies high risks to the rights and freedoms of the individual, then a DPIA should be undertaken to assess these risks in more detail.

What else is there to consider?

The ICO also recommends that:

  • Individuals are informed of the purpose for processing, that legitimate interest is the basis being relied on and what that legitimate interest is. Organisations' privacy notices should also be updated to reflect this.
  • Where an organisation's purposes change or where it has a new purpose, it may still be able to continue processing for that new purpose on the basis of legitimate interests as long as the new purpose is compatible with the original purpose. A compatibility assessment should be undertaken in this case.
  • Organisations should be aware of individuals’ rights, for example, where legitimate interests is relied on as a basis for processing then the right to data portability does not apply to any personal data being processed on that basis.

Here to help

The concept of ‘legitimate interests’ as a basis for processing personal data predates GDPR. Many organisations are consequently aware of the concept. It should not, however, be taken for granted when organisations wish to further a business interest. As shown above, there are a number of obligations to consider, and therefore the basis should not be considered lightly or as a last resort.

If you have any questions on legitimate interests, data protection law more generally or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


International Transfers of Personal Data

International Transfers of Personal Data - What Are The Rules?

International transfers of personal data have been shaken up in recent memory. Most obviously Brexit has placed the EU and UK in separate data protection regimes rendering any transfer between them international, meaning they are now subject to new conditions. Additionally, data transfers to the US have been disrupted by the judgement in Schrems II. This landmark case led to the striking down of the EU-US Privacy Shield which enabled free flow of data to certain US-based organisations. For more information on the impact of Brexit read our blog.

Where does it all lead? It is easy to be overwhelmed by the complexity of the legal and political implications of these developments. However, as most organisations are realising, the simple solution continues to be Standard Contractual Clauses (SCCs). After an introduction to international transfers, this blog will focus on the use and future of SCCs, which for the majority of organisations will be the most practical data transfer mechanism.

General principle for data exports to non-UK countries

International transfers of personal data to a country outside the UK (third country) may only take place if the controller and the processor comply with certain conditions. A transfer of personal data to a third country may take place if:

  • the UK has decided that the third country ensures an adequate level of protection

or

  • the controller or processor has provided appropriate safeguards, and enforceable data subject rights and effective legal remedies for data subjects are available.

Third countries with adequate levels of protection

The UK has “adequacy regulations” in relation to the following countries and territories:

  • The European Economic Area (EEA) countries. These are the EU member states and the EFTA States. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden. The EFTA states are Iceland, Norway and Liechtenstein.
  • EU or EEA institutions, bodies, offices or agencies.
  • Gibraltar
  • Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020). These include a full finding of adequacy about the following countries and territories: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. In addition, the partial findings of adequacy about: Japan – only covers private sector organisations. Canada – only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. For more details please see the EU Commission's FAQs on the adequacy finding on the Canadian PIPEDA.

International transfers of personal data - adequate safeguards

If the third country has not been granted an adequacy decision then organisations can rely upon adequate safeguards. Schrems II has added an additional burden - before you may rely on an appropriate safeguard to make a restricted transfer, you must be satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime. This can be done by undertaking a risk assessment, which takes into account the protections contained in that appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to the data). This assessment is undoubtedly complex in many situations. The ICO intends to issue guidance on this topic in due course.

Controllers and processors may provide adequate safeguards by means of:

  • A legally binding agreement between public authorities or bodies.
  • Binding corporate rules (agreements governing transfers made between organisations within a corporate group).
  • Standard data protection clauses in the form of template transfer clauses adopted by the Commission.
  • Standard data protection clauses in the form of template transfer clauses adopted by the ICO.
  • Compliance with a code of conduct approved by a supervisory authority.
  • Certification under an approved certification mechanism as provided for in the GDPR.

Is the restricted transfer covered by an exception?

If you are making a restricted transfer that is not covered by UK ‘adequacy regulations’, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the ‘exceptions’ set out in Article 49 of the UK GDPR:

Exception 1: Has the individual given his or her explicit consent to the restricted transfer?

Exception 2: Do you have a contract with the individual? Is the restricted transfer necessary for you to perform that contract?

Exception 3: Do you have (or are you entering into) a contract with an individual which benefits another individual whose data is being transferred? Is that transfer necessary for you to either enter into that contract or perform that contract?

Exception 4: You need to make the restricted transfer for important reasons of public interest.

Exception 5: You need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim.

Exception 6: You need to make the restricted transfer to protect the vital interests of an individual. He or she must be physically or legally incapable of giving consent.

Exception 7: You are making the restricted transfer from a public register.

Exception 8: You are making a one-off restricted transfer and it is in your compelling legitimate interests.

International transfers of personal data - Standard Contractual Clauses

You can make a restricted transfer if you and the receiver have entered into a contract incorporating standard data protection clauses recognised or issued in accordance with the UK data protection regime. These are known as ‘standard contractual clauses’ (‘SCCs’ or ‘model clauses’).

The SCCs contain contractual obligations on you (the data exporter) and the receiver (the data importer), and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.

ICO guidance on Standard Contractual Clauses

The commentary on the ICO webpage on Standard Contractual Clauses (SCCs) after the transition period ends provides guidance on what the ICO expects from UK controllers in relation to restricted transfers, i.e. when they are seeking to export personal data from the UK to entities located in countries which do not provide an adequate level of data protection. As shown above, the SCCs represent one of a number of "appropriate safeguards" available to enable such transfers to take place. SCCs are often the most practical method for organisations when it comes to data transfers.

The ICO guidance states that UK controllers can continue to use the existing EU SCCs. The guidance goes on to state:

"You are able to make changes to those EU SCCs so they make sense in a UK context provided you do not change the legal meaning of the SCCs. For example, changing references from the old EU Data Protection to the UK GDPR, changing references to the EU or Member States, to the UK, and changing references to a supervisory authority to the ICO.

Otherwise you must not make any changes to the SCCs, unless it is to add protections or more clauses on business related issues. You can add parties (i.e. additional data importers or exporters) provided they are also bound by the SCCs."

ICO versions of the SCCs

The versions of the SCCs the ICO has created contain suggested changes. These are only suggestions, but if you wish to deviate from them your own changes should be consistent with the principles set out in the guidance extract above and the guidance generally, i.e. they need to make sense in a UK context and must not change the legal meaning of the SCCs. The ICO versions therefore act as a starting point, with changes made only where strictly necessary for the clauses to make sense.

Schedule 21 of the Data Protection Act 2018 details the types of changes that can be made to the EU version for use by a UK controller but it does also seem to allow for use of the EU version as they are, without amendment, unless disapplied by the Secretary of State or the Information Commissioner (see paragraphs 7 and 8 of Schedule 21).

Exporting from both the UK and the EU

Ideally, if personal data is to be exported from both the UK and the EU to a jurisdiction not deemed adequate by both the UK government and the European Commission, the exports from the UK and from the EU should be treated separately because, while virtually identical, the EU GDPR and UK GDPR are completely separate regulatory regimes. If SCCs are chosen as the appropriate safeguard, the safest option would be for the data exports from the UK and the EU to be covered by different sets of clauses (or potentially, depending on risk, to use the EU SCCs with an additional set of amendments for the UK version).

This point is underlined in the original European Commission decision of 2004 which states each set of SCCs as a whole forms a model, so data exporters should not be allowed to amend these sets or totally or partially merge them in any manner. To meet the data transfer requirements under the UK GDPR and the EU GDPR, if a controller wants to use SCCs, they cannot be adapted beyond what has been recommended by both the ICO and the guidance from the EC on their use.

Retrospective?

It is important to point out that, looking retrospectively, if the EU SCCs were entered into prior to the end of the transition period, they will continue to be valid for restricted transfers under the UK GDPR. There will not be a need to replace the EU SCCs contracted before 1 January 2020 with updated UK SCCs.

New Standard Contractual Clauses

On 12 November 2020 the EU Commission published standard contractual clauses for international transfers of personal data to third countries under the General Data Protection Regulation ((EU) 2016/679) (GDPR). This was a draft implementing decision and Annex. The Commission had previously indicated that these clauses would be finalised before the end of 2020 although, as they require the opinion of the EDPB and EDPS, and consultation with member states under the comitology procedure, they will now come into force in 2021.

The Commission notes that the clauses are a modernisation of the previous clauses, designed to better reflect the use of new and complex processing operations involving multiple parties, complex processing chains and evolving relationships. They are designed to be flexible and allow for a number of parties, including for parties to accede to the clauses later ("docking clause"). They are drafted in a modular approach with general clauses followed by options for different processing circumstances.

Key points of interest include that the clauses:

  • Can be used by controllers and processors, including those not established in the EU but that are caught by the GDPR and cover both controller to controller and controller to processor options. They can also be used for EU processor to non-EU controller transfers and processor to sub-processor transfers, both of which are new options.
  • Can be included in a wider contract and additional clauses and safeguards can be added provided these are not contradictory or prejudice the rights of data subjects.
  • Should include rules for liability and indemnification between the parties and are enforceable by data subjects as third-party beneficiaries against the data exporter or importer.

What does this mean for the UK?

Under the UK-EU trade and co-operation agreement, the UK is obliged not to exercise certain powers under its own data protection legislation, including producing its own SCCs, during the four to six month extension period (starting on 1 January 2021 – for more info see our blog). The ICO intends to consult on and publish new UK SCCs during 2021. With Brexit, the ICO and Secretary of State must keep the transitional arrangements for SCCs under review, and both are now able to issue new SCCs. It may be that at some point the EU SCCs will cease to be valid for new and/or existing restricted transfers from the UK.

The extent to which the ICO, which is reviewing the new EU SCCs, is influenced by the new EU model clauses will come to be another example of how the two regimes wish to either split or merge. Given that the UK has already granted countries in the EU an adequacy decision (and seems to hope to get one in return), it is not overly speculative to suggest that the new EU SCCs will, in some form or another, be incorporated into UK data protection law. However, as noted above, this will not be possible until after the four to six month extension period the UK currently finds itself in.

Here to help

International transfer of personal data is a complex area of law and one in a state of transition. As suggested above, the most practical solution for a lot of organisations will be the use of SCCs, but that’s not to say your transfers cannot be enabled any other way (see above). The extent to which organisations will have to review their positions will depend on whether or not the EU grants the UK an adequacy decision and the extent to which the ICO incorporates the soon to be published new EU standard contractual clauses into its own. In any event, organisations need to be on the lookout for when these new clauses come into force in both the EU and the UK.

If you have any questions on Brexit and data protection, data protection law more generally or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Bribery Act

Bribery Act 2010 - Ten Years On

The Bribery Act 2010 came into force in July 2011. For UK businesses operating in the emerging and frontier markets its effect was seismic. Organisations were suddenly faced with having to comply with some of the toughest anti-corruption rules in the world - many simply stopped doing business in certain countries. Ten years on, how has the Bribery Act fared?

The Bribery Act - Criminal Activities

The Bribery Act 2010 repealed the existing anti-bribery legislation and abolished the common law offence of bribery. It created the following offences:

  • Active bribery, which prohibits giving, promising or offering a bribe (section 1).
  • Passive bribery, which prohibits requesting, agreeing to receive or accepting a bribe (section 2).
  • Bribing a foreign public official (section 6).
  • An offence committed by a commercial organisation where a person performing services on the organisation’s behalf pays a bribe to obtain or retain a business advantage for the organisation (section 7). This is commonly known as the offence of failing to prevent bribery.

What is a bribe?

The Bribery Act refers to a "financial or other advantage" so it doesn't just cover the payment of money. It can include things such as:

  • gifts and hospitality.
  • employing the relatives of public officials.
  • paying for travel expenses and accommodation costs.
  • making political or charitable donations.
  • engaging the services of a company in which a public official has an interest (e.g. as a shareholder).

The Bribery Act - Section 7

It was section 7 of the Bribery Act that caused businesses (and directors - see below) the most concern. Under section 7, if a person (e.g. a supplier or a subcontractor) associated with (e.g. working with) an organisation bribes another person, intending to obtain or retain business or a business advantage for that organisation, then that organisation is guilty of an offence under section 7 unless it can rely on the defence outlined below. So if the subcontractor of a UK business bribed a foreign official, the UK business would, on the face of it, have committed an offence under the Bribery Act for failing to prevent that bribery.

There is a defence to section 7 though: if the UK business can demonstrate that, on the balance of probabilities, it has in place adequate procedures designed to prevent bribery then it would not be guilty. Putting in place “adequate procedures” can be complex, costly and time-consuming, depending on the type of work and the jurisdictions in which the UK business is operating. We will publish a note on “adequate procedures” at a later date.

Bribery Act Penalties

An individual guilty of a section 1, 2 or 6 offence is liable to a maximum 10 year imprisonment or a fine or both. Any other person (such as a company) guilty of an offence under section 1, 2, 6 or 7 is liable to a fine. Organisations can also be barred from participating in tenders for public contracts.

Company directors can also be found individually liable if they consented to or connived in the commission of the offence. "Conniving" in an offence means that the individual knew it may occur but did nothing to prevent the offence from happening - "turning a blind eye" would be connivance.

Bribery Act - the consequences

The combination of a strict approach to corporate liability, a reverse burden corporate defence and a global jurisdictional reach resulted in the offloading onto businesses of a wide-ranging responsibility to police themselves and their supply chains to do their utmost to eradicate the risk of bribery. Compliance departments bulked up and lawyers were kept busy advising on the Act and the procedures and policies that organisations had to put in place. As we allude to in the opening section, some businesses drew a line halfway down Transparency International’s Corruption Perception Index and adopted a policy that they would not do business in jurisdictions below that line. Other countries have adopted similar tough laws to prevent corruption and, although corruption still goes on, it is harder (and more costly) to behave in this way. As to whether the Bribery Act and other modern anti-corruption laws have reduced corrupt behaviour over the last 10 years - that is difficult to say. Some commentators indicate that illicit financial flows are larger now than before.

Litigation under the Bribery Act

Freedom of information requests have revealed that, after ten years, there has been a grand total of 99 convictions under the 2010 Act (www.sfo.gov.uk/foi-request/2020-040-bribery-act-2010/). What is particularly notable is that only two of those convictions have been made against corporates for the failure to prevent bribery offence under section 7 of the 2010 Act.

The majority of the Serious Fraud Office’s (SFO) wins in relation to bribery principally relate to the use of deferred prosecution agreements. Deferred prosecution agreements (DPAs) were introduced in the Crime and Courts Act 2013, which set out a statutory mechanism that allows investigations into fraud, corruption and other crime committed by corporate organisations to be concluded without prosecution. A DPA is made between an organisation and the prosecuting authority and is supervised by a judge.

Some commentators have noted that the use of DPAs has diverted the more substantial and complex section 7 cases away from the courts. This has denied the courts any opportunity to grapple in detail with the issue as to what procedures are considered to be “adequate” for the purposes of establishing the reverse burden defence in section 7.

House of Lords Bribery Act review

The House of Lords select committee’s ten-year review of the 2010 Act is clear in its view that the 2010 Act has been a resounding success (https://publications.parliament.uk/pa/ld201719/ldselect/ldbribact/303/303.pdf). Despite this, the committee did recommend that the meaning of “adequate procedures” for the purposes of establishing the section 7 defence should be further clarified. One possible suggestion was that it should be interpreted to mean “reasonable in all the circumstances”, which echoes section 45.

The committee also requested greater clarity as to where the dividing line should be between what is considered legitimate corporate hospitality and what would be considered as bribery. This was in the context of the fact that government guidance on these topics is perceived to be inadequate, which can contribute to a misinterpretation of these terms (www.gov.uk/government/publications/bribery-act-2010-guidance).

A Challenge for SMEs

Whether or not the government will give greater clarity at some point remains to be seen. But in the meantime, for small businesses the financial burden of having to produce sufficiently adequate compliance procedures, together with the practical burden of implementing and monitoring them, is proving to be a real issue.

The committee noted that there was a particular difficulty for those organisations that export goods from the UK to countries where established practices relating to hospitality may be very different to the UK. In these instances, the committee recommended that more should be done by local experts in UK embassies to bridge this gap and reduce the burden on these businesses.

Serious Fraud Office handbook

Some of the issues raised by the House of Lords are referenced in the SFO’s operational handbook “Evaluating Compliance Programmes” (the handbook). The handbook is intended for internal use by the SFO and so is not intended to give guidance to practitioners or businesses. However, it is publicly available and was updated in January 2020 (www.sfo.gov.uk/publications/guidance-policy-and-protocols/sfo-operational-handbook/evaluating-a-compliance-programme/). That update provides details of the SFO’s approach to assessing an organisation’s compliance systems when it is considering whether or not to take action and, if so, what type of measures a business needs to take.

The handbook states that a business’s systems will be examined by reference to three timeframes:

  • At the time that the offending incident occurred, although this itself may span a period of time and so cover changes in systems.
  • At the time that action is being considered by the SFO.
  • At a possible date in the future; for example, in instances where systems may have yet to reach their full potential.

The need for this approach is in itself evidence of the complex and fluid landscape of anti-bribery compliance that businesses need to come to terms with. In producing and maintaining anti-bribery procedures, an organisation has to be aware that whether or not the procedures will be considered to be “adequate” can be assessed against all of those timeframes.

Changing times

While it seems that the 2010 Act will continue in its current form, real issues still exist when it comes to the practical implementation of systems in order to satisfy the adequate procedures defence to section 7.

Risk has to be assessed and procedures and policies have to be drafted, regularly reviewed and disseminated to those affected. Staff have to be trained and effectiveness has to be monitored. All of this must potentially accommodate laws local to a business’s overseas base or customers. It all costs money. How this will play out in practice in a world grappling with the financial impact of COVID-19 remains to be seen.

The near future

With Zoom meetings replacing business lunches and business trips taking a serious dive, there are a number of factors that may provide a natural downward pressure on opportunities for corporate bribery to take place. However, within a globally savaged economy, competition for business opportunities will be fierce and, by its very nature, this competition is the principal driver for almost all bribery that occurs. So it is likely that there will be further prosecutions and DPAs obtained as a result.

A sign of the future may be the impending announcement that the government will go ahead with a £100 million investment into the funding of anti-money laundering systems. Notably, the government proposes to raise this money by way of a levy on financial institutions. In its paper setting out the economic crime plan, the government clearly stated that it believes it to be fair that those institutions whose activities are exposed to risk should pay the government costs that are associated with responding to and mitigating those risks.

If you have any questions on Bribery Act compliance or if you would like us to help you with staff training please get in touch.


EU-US Privacy Shield

EU-US Privacy Shield invalid: Schrems II

In Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559, the European Court of Justice (ECJ) has given its preliminary ruling that Commission Decision 2010/87 on controller to processor standard contractual clauses (SCC) is valid but that Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Background

The General Data Protection Regulation ((EU) 2016/679) (GDPR) prohibits the transfer of personal data outside of the EU to a third country unless certain conditions are met. In principle, it may take place in any of the following circumstances:

  • On the basis of a European Commission adequacy decision (Article 45, GDPR).
  • Where there are appropriate safeguards in place, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs), and on the condition that data subjects have enforceable rights and effective legal remedies (Articles 46 and 47, GDPR).
  • A derogation for a specific situation applies, such as where the data subject has given their explicit consent (Article 49, GDPR).

EU-US Privacy Shield

The EU-US Privacy Shield is a framework constructed by the US Department of Commerce and the European Commission to enable transatlantic data protection exchanges for commercial purposes.

The EU-US Privacy Shield enables companies from the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US. Approved by the European Commission on 12 July 2016, the EU-US Privacy Shield replaced the Safe Harbor Principles, which the ECJ declared were an invalid level of protection within the meaning of Article 25 of the Data Protection Directive in the October 2015 decision of Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] EUECJ.

Schrems II Facts

In October 2015, Mr Maximillian Schrems, an Austrian lawyer and data privacy campaigner, successfully challenged the validity of the EU-US safe harbor arrangement as a legal basis for transferring personal data from Facebook Ireland to servers belonging to Facebook Inc located in the US (commonly referred to as the Schrems I judgment).

Subsequently, in July 2016, the European Commission adopted a replacement adequacy Decision 2016/1250 approving a new framework for EU-US personal data flows, the EU-US Privacy Shield.

Mr Schrems reformulated his complaint to the Irish Data Protection Commissioner, claiming that the US does not offer sufficient protection for personal data transferred to that country and sought the suspension or prohibition of future transfers of his personal data from the EU to the US, which Facebook Ireland now carries out in reliance on Decision 2010/87 on controller to processor SCCs.

One of Mr Schrems' key concerns was that the US government might access and use EU individuals' personal data contrary to rights guaranteed by the Charter of Fundamental Rights of the EU (Charter) and that EU individuals would have no remedy available to them once their personal data is transferred to the US. Under US law, internet service providers such as Facebook Inc can be required to provide information to various agencies such as the National Security Agency, the Central Intelligence Services and the Federal Bureau of Investigation and it can be further used in various surveillance initiatives such as PRISM and UPSTREAM.

Decision on controller to processor SCCs

The use of SCCs remains valid, but businesses using controller to processor SCCs (or planning to do so) now face additional burdens as they will need to conduct a Transfer Impact Assessment on whether, in the overall context of the transfer, there are appropriate safeguards in the third country for the personal data transferred out of the EU (practically speaking, the European Economic Area). EU data exporters will need to take into account not only the destination of the personal data but also, in particular, any access by public authorities and the availability of judicial redress for individuals, to ascertain whether SCCs are an appropriate mechanism, and they may need to put in place additional safeguards.

Decision on EU-US Privacy Shield

The limitations on the protection of personal data, transferred from the EU to the US, arising from US domestic law "on the access to and use by US public authorities, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary".

As regards the requirement of judicial protection, the ECJ held that the Privacy Shield Ombudsperson does not provide individuals with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, so as to ensure the independence of the Ombudsperson and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on US intelligence services.

EU-US Privacy Shield - Practical points:

  • The EU-U.S. Privacy Shield is no longer valid and businesses solely relying on it to transfer personal data to the U.S. should rely on another transfer solution, including by putting SCCs in place.
  • While SCCs remain valid, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (e.g. because of potential access by law enforcement or national security agencies). This is, in effect, a Transfer Impact Assessment. This will be burdensome for small organisations but also large ones making hundreds, if not thousands, of transfers.
  • The EU Commission is now likely to issue updated SCCs. Those new clauses could bake in the Transfer Impact Assessment discussed above. While existing SCCs will hopefully be “grandfathered”, business should anticipate changes to their processes for new transfers.
  • The judgment could have a negative impact on any adequacy finding for the UK after the Brexit transition period. While there are material differences between the U.S. and UK surveillance regimes, the judgement will no doubt make the EU Commission more cautious in future adequacy assessments.
  • In the absence of an adequacy finding, transfers of personal data from the EU to the UK will be more difficult post-Brexit as EU businesses will necessarily have to consider the effect of UK government surveillance powers, in particular the Investigatory Powers Act 2016.
  • While the data protection authorities cannot grant a “grace period” as such, they may well take a gradual approach to enforcing these new requirements. As an illustration, when the Safe Harbor was struck down in 2015, data protection authorities indicated they would not take active enforcement for a few months to allow controllers to make new arrangements.

More to come…

With the publication of updated Standard Contractual Clauses expected and the UK adequacy decision pending, businesses handling cross-border data transfers to and from the EU or to and from the US need to keep themselves informed of the latest developments. As it stands, SCCs will need to be part of such a cross-border transfer and a ‘Transfer Impact Assessment’ will be a new and additional obligation.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Restraint of Trade

Restraint of Trade – Quantum Advisory Ltd

In Quantum Advisory Ltd v Quantum Actuarial LLP [2020] EWHC 1072 (Comm), the High Court considered whether the restraint of trade doctrine applied in a services agreement entered into in connection with a restructuring and joint venture. The court decided that it did not.

What is a restraint of trade clause?

The purpose of a restraint of trade clause is to restrict the freedom of a business or individual to pursue their trade with the effect of limiting competition.

The case Nordenfelt v Maxim Nordenfelt Guns and Ammunition Co Ltd [1894] AC 535 serves as an illustrative example.

Thorsten Nordenfelt, a manufacturer specialising in armaments, had sold his business to Hiram Stevens Maxim for £200,000. They had agreed that Nordenfelt ‘would not make guns or ammunition anywhere in the world, and would not compete with Maxim in any way for a period of 25 years'.

The House of Lords held that the restraint was reasonable in the interests of the parties. They placed emphasis on the £200,000 that Thorsten Nordenfelt had received as full value for his sale.

The restraint of trade doctrine

The restraint of trade doctrine exists to protect a party to a contract that is subject to a restraint of trade clause i.e. the party who has been restrained in their trade by the contract. Therefore, when the doctrine applies, the restraint of trade clause in question will be invalid. The doctrine states that a restraint of trade clause will be invalid unless it is:

  1. Designed to protect a legitimate business interest.
  2. No wider than reasonably necessary to protect that interest.
  3. Not contrary to the public interest.

How does the restraint of trade doctrine apply?

There is a line between contracts in restraint of trade, within the meaning of the doctrine, and ordinary contracts that merely regulate the commercial dealings of the parties. The courts will consider, first, if the contract in question is in restraint of trade and, secondly, whether in all the circumstances sufficient grounds exist for excluding the contract from the application of the doctrine. The recent case of Quantum Advisory Ltd v Quantum Actuarial LLP [2020] EWHC 1072 (Comm) allowed a judge to explore both of these questions in depth.

Quantum Advisory Ltd v Quantum Actuarial LLP [2020] EWHC 1072 (Comm)

Facts

In 2004, a company called Quantum (Old Quad) entered into a joint venture with Robert Davies (RD) and others. A new company (RDS) was set up to carry on a similar business with different clients. The single largest shareholder and the MD of Old Quad was Martin Coombes (MC). The principal shareholders in RDS were Old Quad and RD. It was intended that after an initial three-year period there would be a merger of the businesses of Old Quad and RDS into a single entity.

By 2007 however, the interests and ambitions of those involved had begun to diverge. In particular, while MC wanted to diversify, the other directors and shareholders wanted to focus on developing the existing business. For this and other reasons, a restructuring of the businesses became necessary. One problem this presented was that MC's shareholding in Old Quad was such as to make it unaffordable for the other parties to buy him out. It was also felt that, regardless of affordability, it would be very difficult to fix a price for any buy-out.

The restructuring

A way of getting round these problems was devised, by which:

  • The businesses of Old Quad and RDS would be carried on by a new entity (the LLP).
  • A company wholly-owned by MC (New Quad) would buy the entire issued share capital of Old Quad and RDS. The businesses and assets of those companies would be transferred to New Quad subject to outstanding liabilities.

The terms of the restructuring were documented by way of an agreement dated 1 November 2007 entered into between Old Quad and the LLP (Services Agreement). Among other things, the Services Agreement:

  • Contained covenants on the LLP's part (clause 2.2) not to, during the course of the Services Agreement or for a period of 12 months after its expiration or termination, directly or indirectly:
    • solicit or entice away (or attempt to solicit or entice away) any Client in connection with any Services;
    • obtain instructions for any Services from any of the Clients or undertake any Services for any of the Clients; or
    • undertake any Services in relation to either the Pipeline Business or any work introduced by any of the Introducers during the Extended Period, without first having referred such matters to Old Quad, other than pursuant to the provisions of the agreement.
  • Contained acknowledgments to the effect that:
    • The provisions of clause 2.2 were no more extensive than was reasonable to protect the interests of Old Quad.
    • Each of the restrictions in clause 2.2 was a separate obligation considered reasonable by the parties (each of them having taken, if required, separate legal advice) in all the circumstances as necessary to protect the legitimate interests of the other party (clause 2.6).

Business affairs prior to litigation

New Quad and the LLP conducted their affairs according to the Services Agreement without any real difficulty for a number of years. Increasingly, however, the LLP became dissatisfied with the terms of the Services Agreement. The LLP sought to contend that the restraints in the covenants in clause 2.2 amounted to an unreasonable restraint of trade. Specifically, it complained about the duration of the restraints in circumstances in which the LLP had very limited ability to extricate itself from the Services Agreement before expiration. The LLP did not otherwise complain about the duration of the Services Agreement or the nature of the covenants themselves.

That led to New Quad commencing proceedings, seeking a declaration that the Services Agreement was binding on the parties and an injunction to restrain the LLP from acting in breach.

Decision

The judge concluded that:

  • The doctrine of restraint of trade did not apply to the restraints and therefore the restraint of trade clauses were legally enforceable.
  • If the doctrine of restraint of trade had applied to the restraints, he would have found that they satisfied the requirement of reasonableness.

Did the restraint of trade doctrine apply to the restraints?

In concluding that the doctrine did not apply to the restraints, the judge was at pains to stress that the Services Agreement needed to be considered on its own terms and in its own circumstances. It was a bespoke agreement, fashioned to address the competing needs and interests of a group of professional people. In his opinion the following considerations weighed against the application of the doctrine:

  • The fact that the LLP had been brought into existence for the purpose of the restructuring that was effected via the Services Agreement. It had no prior being or business and no other rationale. While it was true to say that its trade was restrained by the Services Agreement, this argument lacked the kind of traction normally found in restraint of trade cases. In a sense, the Services Agreement was the essential condition of the LLP's ability to carry on business at all. It was not a restraint of trade but a means of providing the opportunity to trade.
  • In this light, to attempt to place the covenants in clause 2.2 of the Services Agreement within the scope of the restraint of trade doctrine showed up a degree of incoherence. The judge pointed out that:
    • To view the restraints as potentially justifiable if of shorter duration (a view which counsel for the LLP had at one point expressed) was to divorce them from the wider agreement and so mistake their nature. Their purpose, as MC had phrased it in a witness statement, "was to recognise the legacy/LLP client ownership boundaries".
    • It had originally been proposed that the term of the Services Agreement be ten years. However, the members of the LLP had expressed concern that, if the agreement ended after ten years, the LLP's sustainability would be threatened by the loss of a major part of its business and income so soon after trading had commenced. When MC proposed extending the term of the agreement to 99 years, the LLP agreed.

Would the restraints have been regarded as reasonable?

The following factors were among those that led the judge to conclude that, had the doctrine of restraint of trade applied to the restraints, he would have found that they satisfied the requirement of reasonableness:

  • The fact that the Services Agreement and the restraints were a matter of free agreement between experienced, intelligent, articulate and highly competent business people who were able to look after their own interests and who had expressly agreed that the restraints were reasonable as being necessary to protect the parties' interests.
  • The LLP had not persuaded the judge that the restraints were unreasonable on account of any consideration of public policy.

The judge dismissed the argument based on an alleged inequality of bargaining power between the parties (and indeed the alleged lack of any formalised negotiation process at all) because this was not supported by the facts. While it was true that the LLP had not received independent legal advice in connection with the Services Agreement, the judge did not regard this as indicating that the parties' free agreement ought to be viewed with particular caution when considering reasonableness. There was no obligation to seek independent legal advice, under clause 2.6 of the Services Agreement or otherwise.

Context is essential

Clearly this is a decision that turned on the facts. Since most reported restraint of trade cases in the corporate arena arise in relation to private M&A it presents a rare opportunity to see how the courts construe the restraint of trade doctrine in a different context. The decision is a reminder that not all restrictive covenants are subject to the restraint of trade doctrine and the specific business context is crucial to such a ruling.

If you have any questions about restraint of trade clauses or about contract law more generally please contact Neil Williamson.


Big Data – AI and Machine Learning

The use of computers and the internet has allowed unprecedented amounts of data to be collected and used for a variety of ends. Big data technology represents the most advanced and sizeable use of this new asset. The size and extent of such operations come up against a number of regulatory barriers, most notably the General Data Protection Regulation (EU) 2016/679 (GDPR).

What is Big Data?

Big data is the harnessing, processing and analysis of digital data in huge and ever-increasing volume, variety and velocity. It has quickly risen up the corporate agenda as organisations appreciate that they can gain advantage through valuable insights about their customers and users through the techniques that are rapidly developing in the data world.

Much big data (for example, climate and weather data) is not personal data. Personal data relates to an identifiable living individual. For data that is or could be personal data, data protection legislation, in particular the GDPR, must be carefully considered.

Brexit

During the transition period (which ends 31 December 2020 unless extended) and after it, organisations should, as the ICO has noted, continue data protection compliance as usual. The key principles, rights and obligations will remain the same and organisations already complying with the GDPR should be in a good position to comply with the post-Brexit data protection regime.

Big Data Analytics, Artificial Intelligence and Machine Learning

Being able to use big data is critical to the development of Artificial Intelligence (AI) and machine learning. AI is the ability of a computer to perform tasks commonly associated with human beings. In particular, AI can cope with, and to a large extent is predicated on, the analysis of huge amounts of data in its varying shapes, sizes and forms.

Machine learning is a set of techniques that allows computers to ‘think’ by creating mathematical algorithms based on accumulated data.

Big data, AI and machine learning are linked as described by the ICO:

“In summary, big data can be thought of as an asset that is difficult to exploit. AI can be seen as a key to unlocking the value of big data; and machine learning is one of the technical mechanisms that underpins and facilitates AI. The combination of all three concepts can be called ‘big data analytics’.” (Paragraph 11 of ICO: Big data and data protection 2017.)

Big data analytics differs from traditional data processing in the following ways:

  • It uses complex algorithms for processing data. This usually involves a “discovery” phase to find relevant correlations (which can be a form of machine learning) so that algorithms can be created.
  • There is limited transparency on how these algorithms work and how data is processed. As vast amounts of data are processed through massive networks, a “black box” effect is created that makes it very difficult to understand the reasons for decisions made by the algorithms.
  • There is a tendency to collect “all the data” as it is more easily available rather than limiting the analytics to random samples or statistically representative samples.
  • Often data is re-used for a purpose different from the one for which it was originally collected, often because it is obtained from third parties.
  • It usually involves data from new sources such as the Internet of Things (IoT) and “observed” data that has been generated automatically, for example by tracking online behaviour rather than data provided by individuals. In addition, new “derived” or “inferred” data produced by the algorithms is used further in the analytics.

Big Data and Data protection

Managing compliance with the GDPR will play a large part in big data management projects involving data harvested from the expanding range of available digital sources. Many organisations will already have an established data protection governance structure and policy and compliance framework in place and these can be helpful as pathfinders towards structured data governance.

Controller or processor?

Under Article 4(7) of the GDPR, a person who determines “the purposes and means” of processing personal data is a controller and under Article 4(8), a processor just processes personal data on behalf of the controller.

Correctly assessing whether an organisation is a controller or a processor in the context of the collection of massive amounts of data is therefore critical to the GDPR compliant structuring of the relationship and to allocating risk and responsibility.

However, the borderline between controller and processor can be fuzzy in practice. Where it lies in the AI context was considered for the first time in the UK in the ICO’s July 2017 decision on an agreement between the Royal Free Hospital and Google DeepMind. Under the agreement, DeepMind used the UK’s standard, publicly available acute kidney injury (AKI) algorithm to process personal data of 1.6m patients in order to test the clinical safety of Streams, an AKI application that the hospital was developing. The ICO ruled that the hospital had failed to comply with data protection law and, as part of the remediation required by the ICO, the hospital commissioned law firm Linklaters to audit the system. The hospital published the audit report in May 2018, which found (at paragraph 20.7) that the agreement had properly characterised DeepMind as a processor not a controller.

Factors important to this characterisation were that the algorithm was simplistic and its use had been mandated by the NHS. Understanding whether an organisation is a processor or controller is a complex issue and seeking advice on the matter may be crucial to understanding potential liabilities for those using big data.

Personal data

In the context of big data, it is worth considering whether personal data can be fully anonymised, which would take it outside data protection requirements. This is noted in Recital 26 of the GDPR, which says that:

"the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable".

However, personal data which has only been pseudonymised, in other words data which could still identify an individual when combined with additional information, is still classed as personal data.

Profiling

The GDPR includes a definition of profiling that is relevant to the processing of big data. Profiling is defined as any form of automated processing of personal data used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict the following: performance at work; economic situation; health; personal preferences; interests; reliability; behaviour; location; movements. (Article 4(4), GDPR.)

The GDPR includes data subject rights in relation to automated decision making, including profiling. The fact that profiling is taking place must be disclosed to the individual, together with information about the logic involved, as well as the significance and the envisaged consequences for such processing.

Individuals have the right not to be subject to a decision based solely on automated processing (which includes profiling), which produces legal effects concerning them or similarly significantly affects them (Article 22(1), GDPR). However, this right will not apply in certain cases, for example if the individual has given explicit consent, although suitable measures must be implemented to protect the data subjects.

Fair processing

In the ICO Big Data Paper 2017, the ICO emphasises the importance of fairness, transparency and meeting the data subject’s reasonable expectations in data processing. It states that transparency about how the data is used will be an important element when assessing compliance. It also highlights the need to consider the effect of the processing on the individuals concerned as well as communities and societal groups concerned. Similarly, the EDPS 2015 opinion stresses that organisations must be more transparent about how they process data, afford users a higher degree of control over how their data is used, design user friendly data protection into their products and services and become more accountable for what they do.

Transparency

As well as the general requirement for transparency in Article 4(1)(a), the GDPR includes specific obligations on controllers to provide data subjects with certain prescribed information (typically done in the form of a privacy notice) (Articles 13 and 14, GDPR).

The ICO Big Data Paper 2017 notes that the complexity and opacity of data analytics can lead to mistrust and potentially be a barrier to data sharing, particularly in the public sector. In the private sector, it can lead to reduced competitiveness from lack of consumer trust. Therefore privacy notices are a key tool in providing transparency in the data context. In relation to privacy notices, the Paper suggests using innovative approaches such as videos, cartoons, icons and just-in-time notifications, as well as a combination of approaches to make complex information easier to understand.

An introduction

This blog is no more than an introduction and summary of some of the legal issues raised by big data. In many ways the GDPR was created in response to such activity and therefore the extent of its applicability to the topic is unsurprising. Any organisation looking to undertake such a project should be aware of the regulations in a way that allows compliance to be built into its operating model from the outset.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Data Breach Claims – Wm Morrison Supermarkets plc

In Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court has overturned judgments of the High Court and Court of Appeal and decided that a supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by an employee.

Wm Morrison Supermarkets plc v Various Claimants - the facts

In 2013, Mr Skelton, who was then employed by Wm Morrison Supermarkets plc (Morrisons) as an internal IT auditor, was provided with a verbal warning for minor misconduct. Subsequently, he developed an irrational grudge against his employer. After being asked by Morrisons to provide payroll data for the entire workforce to external auditors, Mr Skelton copied the data onto a USB stick. He took the USB stick home and posted the data on the internet, using another employee's details in an attempt to conceal his actions. He also sent this data to three national newspapers, purporting to be a concerned member of the public.

The newspapers did not publish the data, but one newspaper alerted Morrisons, who immediately took steps to remove the data from the internet, contact the police and begin an internal investigation. Morrisons spent £2.26 million dealing with the aftermath of the disclosure, a large proportion of which was spent on security measures for its employees. Mr Skelton was arrested and ultimately convicted of criminal offences under the Computer Misuse Act 1990 and section 55 of the DPA 1998, which was in force at the time.

The claimants in this case were 9,263 of Morrisons' employees or former employees. They claimed damages from Morrisons in the High Court for misuse of private information and breach of confidence, and for breach of its statutory duty under section 4(4) of the DPA 1998. The claimants alleged that Morrisons was either primarily liable under those heads of claim or vicariously liable for Mr Skelton's wrongful conduct.

Data Protection Act 1998

This case was decided under the Data Protection Act 1998 (DPA 1998) which was applicable at the time. The DPA 1998 implemented the Data Protection Directive (95/46/EEC) and imposed broad obligations on those who collect personal data (data controllers), as well as conferring broad rights on individuals about whom data is collected (data subjects). Section 4(4) of the DPA 1998 provided that a data controller must comply with eight data protection principles in relation to all personal data with respect to which they are a controller.

Under section 13(1), any breach of the DPA 1998 which caused damage entitled the victim to compensation for that damage. Section 13(2) provided as follows:

"An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if the individual also suffers damage by reason of the contravention."

Under section 13(3), it was a defence to any proceedings under section 13 for a person, or in this case Morrisons, to prove that they had taken such care as was reasonably required in all the circumstances to comply with the relevant requirement.

Vicarious liability

It was also crucial to consider whether Morrisons could be vicariously liable for their employee’s action in this instance. Employers will be liable for torts committed by an employee under the doctrine of vicarious liability where there is a sufficient connection between the employment and the wrongdoing. There is a two-stage test:

  • Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  • Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

In Lister v Hesley Hall Ltd [2001] UKHL 22, the House of Lords characterised the second stage as a "sufficient connection" test. The question was whether the torts were "so closely connected with [the] employment that it would be fair and just to hold the employers vicariously liable".

In Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11 (Mohamud), the Supreme Court held that the supermarket was vicariously liable for an employee's unprovoked violent assault on a customer. It found that there was a sufficiently close connection between the assault and the employee's job of attending to customers, such that the employer should be held vicariously liable.

Wm Morrison Supermarkets plc - Decision

The Supreme Court held that Morrisons was not vicariously liable for Mr Skelton's actions. It found that the Court of Appeal had misunderstood the principles governing vicarious liability in the following respects:

  • The disclosure of the data on the internet did not form part of Mr Skelton's functions or field of activities. This was not an act which he was authorised to do.
  • Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, a temporal or causal connection did not in itself satisfy the close connection test.
  • The reason why Mr Skelton acted wrongfully was not irrelevant. Whether he was acting on his employer's business or for purely personal reasons was highly material.

The mere fact that Mr Skelton's employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. It was clear that Mr Skelton was not engaged in furthering his employer's business when he committed the wrongdoing. On the contrary, he was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Comment

This decision will provide welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. It similarly provides helpful clarification for practitioners on the way in which the judgment in Mohamud should be applied in future cases concerning vicarious liability.

The facts in this case were extreme. It seems that Morrisons were wholly unaware of the grudge held by Mr Skelton. Mr Skelton also took extraordinary actions to cover up what he had done and even to frame another employee.

Unanswered questions

Had Morrisons been found vicariously liable for Mr Skelton’s actions, the employees who made the claims would have had to prove that they suffered ‘distress, anxiety, upset and damage’ by the mishandling of their personal information. A Supreme Court ruling on the issue would have provided a helpful benchmark to those wanting to understand more about how our courts quantify compensation for data breaches.

Moving forward

Employers should take away from the judgment that although this case was decided under the previous data protection regime, the DPA 1998 and the GDPR are based on broadly similar principles. Therefore the GDPR and Data Protection Act 2018 (DPA 2018) will not be a barrier to vicarious liability actions in data privacy proceedings commenced under the current regime.

Additionally, the GDPR makes compliance far more onerous for controllers and risks exposure to the huge revenue-based fines and data subject compensation claims for breaches of the GDPR and DPA 2018. This includes failing to safeguard data to statutory standards and neglecting to have governance in place to curb the malicious acts of rogue employees.

The success of Morrisons in bringing to an end the threat under this case of being subject to a group action for compensation follows Google LLC being granted permission to appeal against the Court of Appeal's order in Lloyd v Google LLC [2019] EWCA Civ 1599 and is another significant development in the progress of representative class actions in the UK legal system.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Web Scraping – Legal Issues

Web scraping (or data scraping) is more prevalent than you think. It is estimated that more than 50% of all website visits are for data scraping purposes. This is why users are often asked to go through a series of tests to prove they are not an unwanted bot. There are plenty of new businesses with large datasets or web scraping capabilities which look attractive to investors given the nature of online marketing and the appeal of tools which offer businesses new innovative ways to collect and process data. Being aware of the legal issues is of paramount importance before becoming involved with, or setting up, such businesses. This involves being aware of licences to datasets and possible infringements of database and intellectual property rights.

What is web scraping?

Web scraping is the process of using software to harvest automatically, or scrape, publicly available data from online sources. It has many purposes including recruitment, sentiment analysis, assessing credit risk, identifying trends, marketing and sales. It is also something permitted to certain extents under bespoke licences. In the public sector, datasets often operate under the Open Government Licence (OGL), inspired and re-highlighted by an EU directive, the INSPIRE directive (2007/2), which required public authorities to make spatial information datasets publicly available.

In the news

Elections in Brazil have provided an example of how marketing companies could potentially abuse web scraping software. It was alleged that political parties used software to gather phone numbers from Facebook which were then used to create WhatsApp groups and spread fake news. Brazil’s electoral court is to investigate whether this undermined the legitimacy of the elections.

In the UK, the investigation of Cambridge Analytica and Facebook by the Information Commissioner’s Office (ICO) has put data scraping under public scrutiny. Facebook were fined the maximum of £500,000 for two breaches of the Data Protection Act (UK) 1998 for not adequately safeguarding users’ personal data. When reflecting on the investigation, Elizabeth Denham, the UK Information Commissioner, called for an “ethical pause” to allow Government, Parliament, regulators, political parties, online platforms and the public to reflect on their responsibilities in the era of big data before there is greater expansion in the use of new technologies.

Businesses should therefore consider what the legal implications may be if they intend to scrape data. If operating under a licence to scrape data, a business should understand the scope of such licence and, if personal data is involved, whether the activity complies with data protection laws. If no licence exists then scraping data may infringe copyright and database rights. If the website you wish to scrape has an acceptable use policy or other similar terms and conditions attached to it, the chances are that any scraping activity will breach that policy or conditions.

A recent case in the UK has explored the extent of licences and database rights when applied to web scraping.

77m Ltd v Ordnance Survey Ltd [2019] EWHC 3007 (Ch)

The High Court found a geospatial address dataset creator liable for database right infringement and in breach of a number of licences.

The claimant, 77m, created a dataset called Matrix of the geospatial co-ordinates of all residential and non-residential addresses in Great Britain, for which it wished to sell access. It had created Matrix by combining large amounts of data from various datasets. The data at issue derived from the defendant, Ordnance Survey (OS). 77m did not contract with OS but with Her Majesty's Land Registry (HMLR) and Registers of Scotland (RoS). It also accessed data including addresses and geospatial co-ordinates made public by Lichfield District Council (LDC) under the Open Government Licence (OGL) (Lichfield data). HMLR, RoS and LDC licensed the relevant data from OS.

Before looking at database rights, the court had to decide whether 77m had acted within the terms of the licences; if it had, then 77m’s activities in relation to OS’s datasets would be shielded from a database right infringement claim; if it had not, then 77m would remain exposed to the infringement claim.

77m had extracted data under the terms of a number of licences. It was found that in many instances 77m had gone beyond the behaviour permitted by the licences. Under the OGL, the court deemed lawful the use of publicly available data to create software, provided the data was not then sold or included in the software itself. In most instances, however, 77m’s use of the data to specify geospatial co-ordinates was in breach of the licences.

The court then went on to consider whether 77m’s activity infringed database rights. Firstly, it was critical to assess whether or not the database in question was subject to such rights. The Database Directive (EU), implemented in the UK in 1997, states that protection shall be granted to the maker of a database who shows that there has been qualitatively and/or quantitatively a substantial investment in either the obtaining, verification or presentation of the contents. The court ruled that Ordnance Survey clearly had made such an investment when putting the database together. The High Court judge, Mr Justice Birss, specifically pointed to the investment that went into verifying new addresses as they came into Ordnance Survey’s database, which in recent years had an operating expenditure of £6 million per annum.

The way in which 77m used the database was then put into question. The important distinction here is between extraction and consultation of the data within the database, where extraction would be an infringement of database rights. Some muddled case law coming from the ECJ made the question laborious. Put simply, consultation has been defined as being limited to a person merely reading data on a screen, where the only possible other medium to which the data was transferred was the person’s brain, whereas extraction would be transferring data to a medium other than the person’s brain, such as downloading the data onto your own computer.

Therefore 77m’s use of data on such a vast scale and for commercial purposes was always going to amount to an extraction and thus an infringement. The court made clear, however, that in some instances data could be consulted for a commercial purpose. But a user who took all or part of a database’s contents and transferred them to another medium so that they could use them, appropriated to themselves a substantial part of the investment that went into creating the database and was therefore clearly in breach of database rights. Database rights are not only about protecting the data but also about the work that went into compiling the data and synthesising it.

This case highlights the need to be aware of the licences a company has in place to use data, the scope of such licensing and, if there is no licence or the licence has been breached, whether database rights could protect the database owner.

Web scraping things to consider

Below is a list of things to consider before you scrape data or before you buy a business that has been scraping data:

  • Check the scope of the licences to scrape data, and to store and use that data.
  • If there is no licence in place then a business should consider whether the scraped data is subject to copyright and/or database rights.
  • If no licence exists you could then also check the website’s acceptable use policy and/or terms and conditions. If they explicitly forbid scraping or contain other content restrictions this may enable the website owner to sue for breach of contract. Although there is no clear precedent on whether website terms and conditions form binding contracts in the UK, it is worth assuming they could be. The Irish High Court recently ruled that such terms and conditions could form a binding contract. Even if there is no acceptable use policy and/or terms and conditions, it should be noted that such a website may still be subject to copyright and/or database rights.
  • Check whether the target business you want to purchase uses a third party to scrape or store data and, if so, their contractual arrangements.
  • Legal positions differ by country, even between European countries. This is important to be aware of especially when storing data from one nation and making it available to another.
  • Check if personal data is involved and therefore if GDPR / Data Protection Act 2018 / other data protection laws are applicable.

The US perspective on Web Scraping

A recent case involved LinkedIn and HiQ, a small data analytics company that used automated bots to scrape information from public LinkedIn profiles. The Ninth Circuit Court of Appeals ruled in favour of HiQ, suggesting that scraping publicly available information from social media websites is permitted. LinkedIn has expressed an intent to escalate the case to the Supreme Court, so the position may still change.

In the US, similarly to the UK, data scrapers may find themselves on the receiving end of legal action under the following regimes:

  • Intellectual property: Scraping data from websites may infringe intellectual property rights. In 2013 a Federal Court ruled that a software as a service company, Meltwater U.S. Holdings, which offered subscribers access to scraped excerpts of news articles, had been acting unlawfully. Such companies are often referred to as ‘news aggregators’. The news provider whose content had been scraped sold licences to many companies; Meltwater had no licence, and because it copied 0.4% to 60% of each article it was deemed to have had a ‘substantial’ negative effect on the potential market for, or the value of, the copyrighted work. Obtaining a licence before scraping data in the US is therefore advised. As mentioned above in the LinkedIn v. HiQ case, though, it may still be possible to scrape publicly available information from social media sites without a licence.
  • Contract: In the US, if a website user is bound by the Website’s terms of service and causes damage by breaching those terms, the user may be liable for breach of contract.
  • The Computer Fraud and Abuse Act: This provides a civil cause of action against anyone who accesses a computer without authorisation or exceeds their authorised access, as well as providing for criminal offences. Although courts have come to differing conclusions, it has generally been held that if a scraper takes technical steps, i.e. specialised and complex methods, to circumvent protections on a website’s data, the scraper can become liable under the Act.
  • Data protection: The US does not currently have comprehensive data privacy legislation at the federal level. At state level there are plenty of statutes that mandate certain privacy-related rights, but most do not broadly regulate the collection and use of personal data. This is not always the case: California recently passed a state law, the California Consumer Privacy Act, which regulates data privacy. Coming into effect in 2020, it requires certain companies collecting personal data to disclose how that data will be used and to allow consumers to opt out of the sale of their personal data. Data scrapers who collect such personal data in California could therefore be found liable if they do not disclose the use of that data and offer an opt-out.

Final Thoughts

Most businesses aren’t in the business of web scraping; most business owners or directors aren’t even aware of what web scraping is. However, it is something to be aware of. With this awareness you may now want to make sure that your website has an acceptable use policy or other security measures in place. If you buy data you should think about how that data was collected. If you are buying a business you should include checks in your due diligence and appropriate warranties in the share purchase agreement to protect yourself from buying a business that collected data unlawfully.

If you have any questions on the points raised above please contact one of our technology lawyers.