Legal Status Of Cryptoassets In The UK

Cryptoassets are often depicted as inhabiting an online wild west, a place where people can thrive off uncertainty and a lack of regulation. This is starting to change in the UK. A Legal Statement made by the UK Jurisdiction Taskforce of the LawTech Delivery Panel (UKJT) and subsequent case law have introduced greater cryptoasset certainty under English law.

In the ten years since Bitcoin was born, there has been a proliferation of cryptoassets. These include Litecoin, Ethereum, Ripple, Zcash and many more.

The term cryptoassets, rather than cryptocurrencies, is preferred by the UK regulatory authorities as it is more neutral and captures the broader range of tokens that are not just designed to act as a means of exchange (to which cryptocurrency typically applies, such as Bitcoin).

Although the area is plagued by a lack of accepted definitions, in this blog "cryptoasset" is used in the sense of the Financial Conduct Authority's (FCA) category of "exchange token", as distinct from "security tokens" or "utility tokens", which provide legal rights and obligations similar to those of traditional securities and money.

Definition of “exchange token”

In broad terms, the FCA has created a framework by categorising cryptoassets based on their intrinsic structure, as well as their designed use. On its webpage on cryptoassets, the FCA explains that cryptoassets such as Bitcoin are classified as unregulated “exchange tokens”, which:

"… are usually decentralised and designed to be used primarily as a medium of exchange. We sometimes refer to them as exchange tokens and they do not provide the types of rights or access provided by security or utility tokens, but are used as a means of exchange or for investment."

More broadly, cryptoassets are considered to be "virtual assets", as defined by the Financial Action Task Force (FATF) in their report Guidance for a risk based approach to virtual assets and virtual asset providers. Unsurprisingly perhaps, related regulation has been introduced at a national level; in some jurisdictions, at least.

Various concerns have been raised at the supranational level about what these virtual assets mean for the global financial system and data protection authorities; Libra, for example, being the latest, and so far greatest, crypto-bogeyman.

Uncertainty

What is surprising is that, despite the speed with which virtual assets have infiltrated the financial system (for example, there are already futures and exchange-traded notes in Bitcoin), in England, and in many other jurisdictions, quite what a cryptoasset is remains unclear and unresolved.

The fundamental question of "what is a Bitcoin?" is far from new, and has been addressed recently both in the High Court and in the City of London Law Society's (CLLS) submissions to the UKJT in relation to cryptoassets, distributed ledger technology (DLT) and smart contracts.

These submissions have now been responded to by a UKJT statement.

The Legal Statement

A Legal Statement published by the UKJT in November 2019 says that cryptoassets are capable of being property which can be owned. While the Legal Statement is not binding, it will give market participants greater certainty around crypto transactions. Recent case law has enhanced that certainty.

The UKJT did not seek to define the term cryptoasset, saying that it would not be a useful exercise to do so given the rapid development of the technology. Instead it focused on identifying the key features of a cryptoasset, and on answering key questions about ownership, transfer and whether cryptocurrencies constitute "property" under English law. Further:

  • Despite being property, cryptoassets are not things in possession because they are “virtual” and cannot therefore be possessed.
  • The novel and distinctive features possessed by some cryptoassets (intangibility, cryptographic authentication, decentralisation, rule by consensus) do not disqualify them from being property.
  • Cryptoassets are not disqualified from being property as pure information, or because they might not be classifiable either as things in possession or things in action.
  • A private key is not in itself to be treated as property because it is information.

In summary, the UKJT concluded that cryptoassets have all the legal characteristics of property and are, as a matter of English legal principle, to be treated as property.

AA v Persons Unknown [2019] EWHC 3556

In October 2019, a hacker bypassed the firewall and anti-virus software of a Canadian insurance company, encrypting its computer systems. The unknown hacker demanded $1,200,000 in equivalent Bitcoin in exchange for the decryption software.

The claimant, a cybercrime insurer of the Canadian company, paid the ransom by purchasing Bitcoin and transferring the amount into a Bitcoin wallet. Following recovery of the encrypted files, the claimant took steps to recover the ransom amount, which was traced to a wallet linked to and controlled by Bitfinex, a cryptoexchange operated by two British Virgin Islands entities.

The claimant subsequently issued various proceedings seeking, amongst other things, a proprietary injunction over the Bitcoins that had been traced back to the wallet controlled by Bitfinex.

Judgement

Given that proprietary injunctions can only be granted over property, the court had to rule on whether or not Bitcoins constituted property under English law.

The court considered in detail the UKJT's "compelling" analysis (Legal Statement) of the proprietary status of intangible assets, which concluded that, although having many novel and unique characteristics, cryptoassets may be objects of property rights. The Court emphatically approved this approach.

Having accepted that cryptoassets constituted property, the Court determined that all other requirements for a proprietary injunction were met and granted the injunction. This was the first time the courts had applied, and accepted, the analysis set out in the Legal Statement.

The International Perspective

Cryptoassets are usually not confined to a single jurisdiction, so the international picture remains a relevant consideration. That picture remains very fragmented, even on a regional basis. The two questions to consider are whether cryptoassets are defined as legal tender and whether their exchange is legal. In China, for example, cryptoassets and their exchange are illegal. In the US, some states have treated cryptoassets as legally substitutable for currency, and cryptoexchange is legal, subject to state regulation.

Data Protection

Libra offers an example of how regulators will seek to protect data in the context of cryptoassets, especially when such assets are linked to other forms of personal data, such as a social media account.

Data protection authorities from around the world, including the UK's Information Commissioner's Office (ICO) and the European Data Protection Supervisor, have called for more openness about the proposed Libra cryptocurrency and infrastructure. On 5 August 2019, they issued a statement to Facebook and 28 other companies behind the project (the Libra Network) asking for details of how customers' personal data will be processed in line with data protection laws.

Libra is a project to create a global cryptocurrency using blockchain technology, with Facebook as a founding member (through its subsidiary, Calibra). The Information Commissioner, Elizabeth Denham, noted that:

"Facebook's involvement is particularly significant, as there is the potential to combine Facebook's vast reserves of personal information with financial information and cryptocurrency, amplifying privacy concerns about the network's design and data sharing arrangements".

The statement notes that the ICO “are supportive of the economic and social benefits that new technologies can bring, but this must not be at the expense of people's privacy".

It asks a set of detailed, non-exhaustive questions of the Libra Network, for example, about the provision of clear and transparent information, informed consent, data sharing, use of processors, data privacy impact assessments, and how privacy policies and standards will work consistently across multiple jurisdictions.

The signatories note that they will work together to assert strong privacy safeguards at a global level.

Caution still advised

The UKJT's Legal Statement and subsequent case law should encourage continued innovation and improve market confidence for those in the global financial services market. As can be seen from the ICO statement, it is in regulators' interest to encourage the economic advantages of cryptoassets. But caution is still advised.

Investors should be wary of the international uncertainty in the regulation of cryptoassets and consider seeking specific legal advice for individual projects. If a business is looking to offer services which involve cryptoassets then data protection should also be considered.

If you have any questions on the issues raised in this article please get in touch.

European Representative – GDPR After Brexit

What is a “European Representative” and do you need to appoint one? We have received lots of marketing from businesses in France, Germany and other members of the EU encouraging us to sign up to their European Representative Office service so that we can be compliant with GDPR. This article covers the role of the European Representative and addresses the question about whether you need to appoint one now or later.

Do organisations need to appoint a European Representative right now?

No.

Do organisations need to appoint a European Representative in the future?

Maybe.

If you are a UK business offering goods or services to individuals in the European Economic Area (EEA) then, after the Brexit transition period ends (31 December 2020), you may need to appoint a European Representative in the EEA because the UK will no longer be within the EEA. This representative would act as the point of contact for your data subjects within the EEA as required by Article 27 of the General Data Protection Regulation (GDPR).

See below for the specific circumstances in which this requirement exists.

Transition period

The UK left the EU on 31 January 2020. From then until 31 December 2020 the UK will be in a "transition period". During the transition period EU law, including data protection law, will continue to apply in the UK, and no UK organisation will need to appoint a European Representative until after the transition period ends.

European Representatives after the Brexit transition period

Once the transition period ends UK-based data controllers or processors who:

  • are without any offices, branches or other establishments in the EEA

and

  • who are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals located in the EEA

will be required to have a European Representative in the EEA.

Exceptions

There are exceptions to the above requirement where:

  • you are a public authority or body.
  • your data processing is only occasional, presents a low risk to data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.

Who can be your European Representative?

A European Representative may be an individual or a company or other organisation established in the EEA where a significant portion of the individuals whose personal data you are processing are located. So if a significant portion of your customers are in Greece, your representative should be located in Greece.

One representative can act on behalf of several non-EU controllers and processors. A representative should not, however, be a data protection officer; the draft European Data Protection Board (EDPB) guidance suggests that the roles are incompatible and combining them would be a conflict of interest.

Appointing a European Representative

You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.

In practice you should appoint a representative through a service contract.

The appointment of a representative must be in writing and should set out the terms of the relationship. Having a representative does not affect your own responsibility or liability under the EU GDPR.

Although the representative should be located in the Member State in which a significant proportion of your data subjects are located, the representative must remain easily accessible to data subjects located in all relevant Member States.

When the function of being a representative is assumed by a company or any other type of organisation, a single individual should be assigned as a lead contact and person in charge for each controller or processor represented.

The role of the European Representative

  • Perform its tasks according to the written agreement.
  • Facilitate communication between data subjects and the controller or processor.
  • Maintain a record of processing activities under the responsibility of the controller or processor.

Notification of the appointment

You should provide EEA-based individuals, whose personal data you are processing, the contact details of your representative. This may be done by including the details in your privacy notice or in upfront information provided to individuals when you collect their data. You must also make the information easily accessible to supervisory authorities – for example by publishing it on your website.

Liability of European Representatives

In November 2018 the EDPB issued draft guidance that said that supervisory authorities were able to initiate enforcement action (including fines) against a European Representative in the same way as they could against the controller or processor which appointed them:

“To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.”

Given that fines under GDPR can hit €20 million or 4% of global annual turnover (whichever is higher) the EDPB guidance sent shockwaves through the industry with many representatives deciding it wasn’t such a good idea to be a representative after all.

However, in an about-turn in November 2019, the EDPB issued draft guidance which says the intention was:

“To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative … The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1)(a) of the GDPR.”

Articles 30 and 58.1 simply concern keeping a record of processing activities and providing information to supervisory authorities when ordered to do so.

Summary

Right now, you can ignore those marketing emails about appointing a European Representative but 31 December 2020 will come around soon enough. If you have customers in the EEA but no office, branch or other establishment in the EEA then, as things currently stand, you should be appointing a European Representative before the year ends.

If you have any questions on appointing a European Representative or on data protection generally contact one of our data protection lawyers.

Web Scraping – Legal Issues

Web scraping (or data scraping) is more prevalent than you think. It is estimated that more than 50% of all website visits are for data scraping purposes. This is why users are often asked to go through a series of tests to prove they are not an unwanted bot. There are plenty of new businesses with large datasets or web scraping capabilities which look attractive to investors given the nature of online marketing and the appeal of tools which offer businesses new innovative ways to collect and process data. Being aware of the legal issues is of paramount importance before becoming involved with, or setting up, such businesses. This involves being aware of licences to datasets and possible infringements of database and intellectual property rights.

What is web scraping?

Web scraping is the process of using software to harvest automatically, or scrape, publicly available data from online sources. It has many purposes, including recruitment, sentiment analysis, assessing credit risk, identifying trends, marketing and sales. It is also permitted, to certain extents, under bespoke licences. In the public sector, datasets often operate under the Open Government Licence (OGL), inspired and re-highlighted by an EU directive, the INSPIRE Directive (2007/2), which required public authorities to make spatial information datasets publicly available.

In the news

Elections in Brazil provide an example of how marketing companies could potentially abuse web scraping software. It was alleged that political parties used software to gather phone numbers from Facebook, which were then used to create WhatsApp groups and spread fake news. Brazil's electoral court is to investigate whether this undermined the legitimacy of the elections.

In the UK, the investigation of Cambridge Analytica and Facebook by the Information Commissioner's Office (ICO) has put data scraping under public scrutiny. Facebook was fined the maximum £500,000 for two breaches of the Data Protection Act 1998 for not adequately safeguarding users' personal data. When reflecting on the investigation, Elizabeth Denham, the UK Information Commissioner, called for an "ethical pause" to allow Government, Parliament, regulators, political parties, online platforms and the public to reflect on their responsibilities in the era of big data before there is greater expansion in the use of new technologies.

Businesses should therefore consider what the legal implications may be if they intend to scrape data. If operating under a licence to scrape data, a business should understand the scope of such licence and, if personal data is involved, whether the activity complies with data protection laws. If no licence exists then scraping data may infringe copyright and database rights. If the website you wish to scrape has an acceptable use policy or other similar terms and conditions attached to it, the chances are that any scraping activity will breach that policy or conditions.

A recent case in the UK has explored the extent of licences and database rights when applied to web scraping.

77m Ltd v Ordnance Survey Ltd [2019] EWHC 3007 (Ch)

The High Court found a geospatial address dataset creator liable for database right infringement and in breach of a number of licences.

The claimant, 77m, created a dataset called Matrix of the geospatial co-ordinates of all residential and non-residential addresses in Great Britain, for which it wished to sell access. It had created Matrix by combining large amounts of data from various datasets. The data at issue derived from the defendant, Ordnance Survey (OS). 77m did not contract with OS but with Her Majesty's Land Registry (HMLR) and Registers of Scotland (RoS). It also accessed data including addresses and geospatial co-ordinates made public by Lichfield District Council (LDC) under the Open Government Licence (OGL) (Lichfield data). HMLR, RoS and LDC licensed the relevant data from OS.

Before looking at database rights, the court had to decide whether 77m had acted within the terms of the licences: if it had, then 77m's activities in relation to OS's datasets would be shielded from a database right infringement claim; if it had not, then 77m would remain exposed to the infringement claim.

77m had extracted data under the terms of a number of licences. It was found that in many instances 77m had gone beyond the behaviour permitted by the licences. Under the OGL, the court held that using publicly available data to create software was lawful where the data was not then sold or included in the software itself. In most instances, however, 77m's use of the data to specify geospatial co-ordinates was in breach of the licences.

The court then went on to consider whether 77m's activity infringed database rights. First, it was critical to assess whether or not the database in question was subject to such rights. The Database Directive (EU), implemented in the UK in 1997, states that protection shall be granted to the maker of a database who shows that there has been, qualitatively and/or quantitatively, a substantial investment in the obtaining, verification or presentation of the contents. The court ruled that Ordnance Survey had clearly made such an investment when putting the database together. The High Court judge, Mr Justice Birss, specifically pointed to the investment that went into verifying new addresses as they came into Ordnance Survey's database, which in recent years had an operating expenditure of £6 million per annum.

The way in which 77m used the database was then put into question. The important distinction here is between extraction and consultation of the data within the database, where extraction would be an infringement of database rights. Some muddled case law from the ECJ made the question laborious. Put simply, consultation has been defined as being limited to a person merely reading data on a screen, where the only other medium to which the data is transferred is the person's brain, whereas extraction is transferring data to a medium other than the person's brain, such as downloading the data onto your own computer.

Therefore 77m’s use of data on such a vast scale and for commercial purposes was always going to amount to an extraction and thus an infringement. The court made clear, however, that in some instances data could be consulted for a commercial purpose. But a user who took all or part of a database’s contents and transferred them to another medium so that they could use them, appropriated to themselves a substantial part of the investment that went into creating the database and was therefore clearly in breach of database rights. Database rights are not only about protecting the data but also about the work that went into compiling the data and synthesising it.

This case highlights the need to be aware of the licences a company has in place to use data, the scope of such licensing and, if there is no licence or the licence has been breached, whether database rights could protect the database owner.

Web scraping things to consider

Below is a list of things to consider before you scrape data or before you buy a business that has been scraping data:

  • Check the scope of the licences to scrape data, and to store and use that data.
  • If there is no licence in place then a business should consider whether the scraped data is subject to copyright and/or database rights.
  • If no licence exists you could then also check the website's acceptable use policy and/or terms and conditions. If they explicitly forbid scraping or contain other content restrictions, this may enable the website owner to sue for breach of contract. Although there is no clear precedent on whether website terms and conditions form binding contracts in the UK, it is worth assuming they could. The Irish High Court recently ruled that such terms and conditions could form a binding contract. Even if there is no acceptable use policy and/or terms and conditions, it should be noted that such a website may still be subject to copyright and/or database rights.
  • Check whether the target business you want to purchase uses a third party to scrape or store data and, if so, their contractual arrangements.
  • Legal positions differ by country, even between European countries. This is important to be aware of especially when storing data from one nation and making it available to another.
  • Check if personal data is involved and therefore if GDPR / Data Protection Act 2018 / other data protection laws are applicable.

The US perspective on Web Scraping

A recent case involved LinkedIn and HiQ, a small data analytics company that used automated bots to scrape information from public LinkedIn profiles. The Ninth Circuit Court of Appeals ruled in favour of HiQ, implying that scraping publicly available information from social media websites is permitted. LinkedIn has expressed an intent to escalate the case to the Supreme Court, so the law may still change.

In the US, similarly to the UK, data scrapers may find themselves on the receiving end of legal action under the following regimes:

  • Intellectual property: Scraping data from websites may infringe intellectual property rights. In 2013 a Federal Court ruled that a software as a service company, Meltwater U.S. Holdings, which offered subscribers access to scraped information about news articles had been acting illegally. Such companies are often referred to as ‘news aggregators’. The news provider, whose data had been scraped, sold licences to many companies and without one, when copying 0.4% to 60% of each article, Meltwater was deemed to have had ‘substantial’ negative effect upon the potential market or the value of the copyrighted work. Therefore getting a licence before scraping data in the US is advised. As mentioned above in the LinkedIn v. HiQ case though it may still be possible to scrape publicly available information from social media sites without a licence.
  • Contract: In the US, if a website user is bound by the Website’s terms of service and causes damage by breaching those terms, the user may be liable for breach of contract.
  • The Computer Fraud and Abuse Act: This provides a civil cause of action against anyone who accesses a computer without authorisation, as well as providing for criminal offences. Although courts have come to differing conclusions, it has generally been ruled that if a scraper uses technical steps, i.e. specialised and complex methods, to circumvent protections to data on websites then the scraper can become liable under the act.
  • Data protection: The US does not currently have comprehensive data privacy legislation at the federal level. On the state level there are plenty of statutes that mandate certain privacy-related rights, but most do not broadly regulate the collection and use of personal data. This is not always the case. California recently passed a state law which regulates data privacy. Coming into effect in 2020, it requires certain companies collecting personal data to disclose how such data will be used and allow consumers to opt-out of data collection. Data scrapers who collect such personal data in California could therefore be found liable when not disclosing the use of such data and allowing an opt-out option.

Final Thoughts

Most businesses aren't in the business of web scraping; most business owners or directors aren't even aware of what web scraping is. However, it's something to be aware of. Maybe with this awareness you now want to make sure that your website has an acceptable use policy or other security measures in place. If you buy data you should think about how that data was collected. If you are buying a business you should include checks in your due diligence and appropriate warranties in the share purchase agreement to protect yourself from buying a business that collected data unlawfully.

If you have any questions on the points raised above please contact one of our technology lawyers.

Cloud Services Legal Issues

Cloud services are on the rise – they are highly relevant now and they are the future. In this article we provide a brief overview of some of the legal and commercial issues to consider when using cloud services and dealing with cloud services contracts.

What are cloud services?

Cloud services describe the delivery of technology services via the internet. Cloud users either do not need to purchase or install software at all or, if they do, then only on a small scale using standardised software. Cloud users do not have to run their own applications or provide the computing power from their own data centres, benefitting from massive economies of scale and dramatically lowering the cost of IT service provision.

Cloud services on the rise

The UK has seen a rapid adoption of cloud computing in business with Software as a Service the preferred deployment model. Cutting costs and providing mobile working solutions for staff is the main impetus for such innovation. The flexibility and scalability of cloud computing means organisations are happy to trade-off some of the control that exists in traditional services.

The rapid take up of cloud services is not limited to the private sector. The fourth iteration of the pan-government G-Cloud Framework has just been awarded to a wide array of large and small cloud operators.

The nature of cloud service provision means that a number of well-established IT concepts need to be reconsidered and will continue to need consideration as technology is refined. Furthermore, there is increasing regulation of cloud services through a wide variety of legislative provisions that do not specifically relate to cloud service provision but have a considerable impact on cloud service provision.

How cloud service providers operate

Cloud service arrangements are generally paid for on a service basis, which means that the upfront charges for customers and the regular upgrade fees associated with more traditional software licensing are avoided.

Some cloud service providers may seek to levy start-up fees or upfront subscription charges to mitigate their own commercial exposure, for example, for any third-party software licensing charges. The most common approach now is a committed term of 1 to 3 years when signing up to an enterprise SaaS service – as suppliers want to be able to recognise revenue in their accounts.

Intellectual property issues

Licensing:

Although cloud services contracts relate to the provision of services rather than to the supply of software to customers, particularly in SaaS arrangements, appropriate software licences still need to be granted to the customer. Where users make online use of software without a licence, this would amount to copyright infringement. The licences are usually very narrowly defined and limited to use of the online application for the customer's own business purposes. Customers have no right to make copies of, or modifications or enhancements to, the software and they cannot sub-licence it to third parties.

The cloud services provider will not always own the intellectual property rights in the software that is the subject of the cloud provision service. Where this is the case the cloud services provider will need to arrange for the right to sub-licence the software to its customers, or for a direct licence to be entered into between the customers and the relevant third-party licensors. For purposes of contractual simplicity, it is preferable (and most common) for the cloud service provider to sub-licence the customer’s use of the third-party software.

Content and Data licensing:

The extent to which cloud services providers can make use of the data that is stored within their systems by their customers has become an important issue as a result of the significant marketplace developments in data analytics, including the use of artificial intelligence. Until data analytics became a mainstream business activity, cloud providers tended to regard their customers’ data storage requirements as being a necessary business overhead as part of the overall cloud arrangement. With data analytics, customer data has become a valuable resource which can be used to provide the basis for value added data analytics derived services.

In the early days of cloud services provision, many standard terms and conditions offered by cloud service providers in the consumer market included a broad licence from the customer to the service provider allowing the provider to use any content stored on its servers. These licences are often expressed as being perpetual and irrevocable. The uses the service provider could make of the content were usually limited, but there were often rights to pass the content to third parties and to use it for marketing purposes. Even in the consumer marketplace, there is now considerably more general awareness of data issues, particularly following the Facebook/Cambridge Analytica scandal. In July 2019, the US Federal Trade Commission voted to approve fining Facebook around $5 billion to finally settle the investigation of these issues.

As a result, customers receiving cloud services should carefully consider the licensing provisions that relate to the suppliers’ use of the data that they store as a result of providing the services, particularly in relation to use of personal data, treatment of intellectual property rights and confidentiality. Customers should take particular care in identifying any rights they are agreeing to provide to the service provider. Licences may be implied by necessity or business efficacy, however a better and more certain approach is to have an express licence in place that is broad in scope and covers the full range of likely activities.

Jurisdiction and governing law

It is common for cloud services providers and their customers to be located in different jurisdictions. Where this is the case, two separate issues need to be considered: applicable law and jurisdiction. In each case, the cloud contract may stipulate choice of law and jurisdiction. However, there may also be separate and different rules on applicable law and jurisdiction that apply irrespective of provisions in the contract: data protection is a good example of this, where the GDPR has its own free standing rules.

Which law governs the contract

Usually the contract will state the laws that apply. If it doesn’t then this can be problematic, especially when cloud services are involved. Why? If, for example, the parties to the contract are based within the EU then in a B2B context it will generally be the laws of the place where the cloud services provider bases its servers that will apply. The position is more complex where service data is stored on multiple servers in different jurisdictions.

It is important therefore to ensure that cloud services contracts include a choice of law (and jurisdiction) clause.

Data Protection

When organisations process personal data they do so either as a “data controller” or a “data processor”. Each has different legal obligations when protecting personal data.

The data controller is the organisation that determines the purposes and means of the processing of personal data and is responsible for compliance with data protection law. In cloud services, the UK’s data protection regulator, the ICO, usually views the customer as the data controller, although when the supplier has a large amount of control over the processing of personal data they may be considered a joint data controller.

The data processor is the entity who processes data on behalf of a data controller. The ICO will regard the cloud services provider as a data processor in most cloud services arrangements.

Most obligations under data protection law fall on the data controller, which is therefore usually the customer of a cloud services provider. A customer should therefore only allow a cloud services provider to process data on its behalf if the provider has appropriate organisational and technical measures in place. Special care must also be taken if international data transfers take place in connection with the processing of the customer’s data.

Checklist for cloud services contracts (buyer perspective)

Before signing on the dotted line you should consider:

  • Data storage: where will your data be stored, how is it stored, who has access to it and what security measures are in place?
  • Warranties and indemnities: consider what disclaimers are contained in the agreement and have appropriate indemnities been given for loss of data?
  • Check for hidden costs: monthly service costs may be low for a reason.
  • How will disputes be dealt with: what law applies and where will disputes be heard?
  • Data recovery: what will happen to your data at the end of the contract?

Checklist for cloud services contracts (supplier perspective)

Make sure that you have considered the following:

  • Intellectual Property Rights: although supplying software as a service is more protective of IPRs you should still make sure that your IP rights are covered.
  • Limitations and exclusions of liability: it’s standard practice to exclude liability for certain losses and to have an overall cap on liability.
  • Will you provide support commitments / service availability guarantees? Your business customers may well insist on these.
  • If you offer a subscription per person what happens if unauthorised individuals access the service? Consider including audit rights.
  • What should happen with the customer’s data at the end of the contract – you probably want the right to delete it after a certain time.
  • Choice of law and jurisdiction.

Cloud services – a multifaceted and evolving area of law

Contracts for the provision of cloud services, and the legal issues being thrown up by the uptake of cloud services technology, are evolving all the time. If you need help with cloud services contracts or any technology legal issues then please get in touch with us.


COVID-19 Data Protection Issues

COVID-19 data protection issues have left many businesses scrambling to keep on top of their compliance functions. Other businesses are largely ignoring data protection rules – which are you?!

Although not always at the front of minds in a crisis, data protection laws are there to be followed. As a result of COVID-19, data protection rules are being put to the test by the new information about individuals being collected in response to the pandemic. This often includes whether individual members of staff are displaying symptoms of the virus, the health status of staff and related individuals within the same household, the results of COVID-19 testing and the various locations individuals have visited since the start of the outbreak.

This new information collected constitutes “personal data” and sometimes falls within “special categories of personal data”, as provided for under Article 9 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

Regulators’ Response

Data protection regulators across the EU have issued statements and guidance referring to the effect of COVID-19 on data protection.

The European Data Protection Board (EDPB) has stated that data protection laws in the EU do not, and should not, hinder the response to COVID-19. Therefore organisations subject to such regulation should remain compliant with their obligations under GDPR. The EDPB has commented that the COVID-19 emergency is a “legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”. Whether this means governments have the right to police data protection compliance more or less strictly is unclear.

In the UK the Information Commissioner’s Office (ICO) has published guidance in the context of COVID-19 data protection. The ICO’s approach is sympathetic to the challenges faced by organisations:

“We understand that resources, whether they are finance or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.

The ICO then goes on to mention that this does not extend as far as allowing infringement of statutory timescales but that they will endeavour to communicate to individuals bringing information rights requests that understandable delays may ensue.

The guidance should not be interpreted as a blank cheque by organisations to bend the rules relating to data protection compliance. It is only guidance and may not stand up in court. Additionally, the ICO does not grant any express relaxation of the rules. It has also stated, in line with the EDPB, that data protection should not stop organisations from being able to respond effectively to the crisis.

“Personal Data” and/or “Special Categories of Personal Data”

Information such as whether personnel have self-isolated, body temperature of personnel, visitors to premises and device location data will all be considered personal data. Where information also relates to the individual’s health, it would also fall within the sub-category of “special categories of personal data” – more on this below.

Legal Basis for Processing Personal Data

When processing COVID-19 personal data (that isn’t “special category data”) organisations may rely on the following legal bases:

Legitimate interests: for the purpose of the organisation’s legitimate interests in managing business continuity and the well-being of its staff.

Contractual necessity: necessary for an organisation’s performance of its obligations to its staff e.g. employees under their employment contract. Relevant obligations include ensuring the health, safety and well-being of employees.

Legal obligation: organisations have legal obligations relating to health and safety.

Legal Basis for Processing Special Categories of Personal Data

It is likely that when responding to the COVID-19 crisis organisations will collect special category data. This is because special category data, within the context of health, is defined as:

“personal data related to the physical or mental health of a natural person, including the provision of health care services which reveal information about his or her health status”.

This includes information on injury, disease, diagnosis, medical history, medical examination data, registration details with health service, appointment details and/or a number, symbol or other identifier assigned to an individual to uniquely identify them for health purposes.

Organisations can only process special category data on one or more of the following grounds:

Employment, social security and social protection obligations: certain obligations under employment, social security and social protection law may allow the processing of special category data. You need to be able to identify the legal obligation or right in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. You can refer to a government website or to industry guidance that explains generally applicable employment obligations or rights. In this instance it would be sufficient to refer to the Health and Safety at Work (UK) etc. Act 1974 which states:

“it shall be the duty of every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his/her employees”.

For example, an employer will want to know whether, in light of COVID-19, an individual member of staff is a health risk in order to ensure the health, safety and welfare of that staff member and the other employees. This is likely to include collecting special category health data from a number of individuals. The employer can rely on employment, social security and social protection obligations to do this processing.

On the other hand, if the employer were to collect unnecessary data such as medical information beyond the scope of that required to diagnose COVID-19 within government guidance, or if the employer disclosed the names of people diagnosed when it was unnecessary to disclose such information then these actions would amount to infringements of data protection law.

Preventative or occupational medicine: occupational medicine is a specialist branch of medicine that focuses on the physical and mental wellbeing of employees in the workplace. Under GDPR the processing of special category data is permitted for the purposes of preventative or occupational medicine, the assessment of an employee’s working capacity, medical diagnosis and/or the provision of health care or treatment.

Section 11 of the Data Protection Act (UK) 2018 states that in the UK organisations can only rely on this condition if the information is being processed by a health professional, a social work professional or another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. Therefore, this condition only applies where an organisation has appointed medical or social advisors who are professionals.

So, an organisation can be justified in processing special category data relating to COVID-19 on the advice of its medical advisors but only when able to show that the processing of this specific data is necessary. It must be a reasonable and proportionate way of achieving one of these purposes, and the organisation must not collect more data than it needs.

Public interest in the area of public health: on the advice of public medical advisors it may be possible to process special category data. This condition is only applicable where the processing is by, or under the responsibility of, a health professional or by someone else who in the circumstances owes a legal duty of confidentiality. For example, an organisation is contacted by health professionals who are trying to collect special category data in relation to the COVID-19 crisis to enable statistical analysis of the disease. On the advice of such public medical advisors, an organisation may rely upon the public interest in the area of public health condition when processing special category data for this purpose.

Consent is another legal basis for processing personal data. When collecting data as an organisation about individuals it is better not to rely upon consent because there is a risk of it not being freely given. This is based upon the general view that an inherent imbalance of power exists between individuals and organisations, in favour of organisations. Consent can also be withdrawn at any time.

Proportionate Collection/Processing of Personal Data for Purpose

An important aspect of GDPR compliance is that organisations only collect as much personal data as is strictly necessary for the purposes being pursued.

Within the context of COVID-19 this includes not naming an individual who is a health risk to other individuals or any other sensitive information about that individual in an organisation when it is not strictly necessary. Another example may be when enquiring about those experiencing symptoms within an individual’s household. In this instance it is unlikely that any more information than a simple ‘yes’ or ‘no’ answer would be required.

In addition, organisations should ensure that the personal data that they collect is stored only for as long as necessary.

COVID-19 Data Protection Q&A

Can you tell staff that a colleague may have potentially contracted COVID-19?

Yes. You should keep staff informed about cases in your organisation. But don’t provide any more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection rules do not prevent you doing this.

Can you collect health data in relation to COVID-19 about employees or from visitors to your organisation? What about health information ahead of a conference, or an event?

You have an obligation to protect your employees’ health and therefore it is reasonable to ask people, be that employees or visitors to your organisation, to tell you if they are experiencing COVID-19 symptoms and hence collect special category data about them. Don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards and discarded as soon as it becomes obsolete.

For example, the best thing to ask would be a simple yes or no question as to whether an employee or visitor is experiencing COVID-19 symptoms or if anybody in their household is. Gaining any medical information unrelated to COVID-19 or their ability to visit your organisation would be deemed unnecessary.

You could also ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms. This approach should help you to minimise the information you need to collect.

Homeworking

Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances. This includes the potential need to specifically train homeworkers on their obligations and those of the employer in relation to data protection and confidentiality, concerning the procedures which they must follow, and what is, and is not, an authorised use of data.

Should Organisations Consider Undertaking a Data Protection Impact Assessment (DPIA)?

GDPR requires organisations to undertake a mandatory DPIA:

  • if their processing is likely to result in high risk to the rights and freedoms of individuals – this should involve consideration of the likelihood and severity of potential harm. Article 35(3) of the GDPR provides the following examples of when a processing operation is "likely to result in high risks":
      • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
      • Processing on a large scale of special category data, or of personal data relating to criminal convictions and offences.
      • A systematic monitoring of a publicly accessible area on a large scale.
  • (relevant data to COVID-19) when processing biometric data, genetic data and/or tracking data:
      • The GDPR defines biometric data in Article 4(14) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of a person, such as facial images or dactyloscopic data”. A fingerprint would be an example.
      • The GDPR defines genetic data in Article 4(13) as “personal data relating to the inherited or acquired genetic characteristics of a natural person”. A genetic profile of an individual would be an example.
      • Tracking data – an example would be if an organisation uses device location data when assessing the geographical implications of COVID-19.

If an organisation has already started to undertake such processing activities or process this kind of data without undertaking a DPIA then they should perform one as soon as possible.

In the context of COVID-19 a DPIA will be necessary if an organisation has processed data in this way or of this nature in response to the pandemic. It is also helpful to know the context in which an organisation would be expected to perform a DPIA so that they can avoid it. Another example might be an organisation who becomes involved in the large scale processing of data in response to the crisis. Such an organisation should be prepared to undergo a DPIA if the nature of this new processing requires it.

Undertaking a DPIA, mandatorily or not, can still be useful for organisations in order to understand potential risks within their data controlling/processing activities.

If you need any help with COVID-19 data protection issues or on any other aspects of data protection law please get in touch with one of our data protection lawyers.


Office Lease Lawyers London

The Office Lease - Risks And Opportunities

When negotiating an office lease, the tenant may be dealing with the property industry for the first time. It is then tempting to focus only on the rent and assume everything else is a relatively minor issue. That would be a mistake.

Three Points To Be Aware Of

  1. The office lease does not have to be fair.
  2. Risks in the property industry involve relatively large numbers.
  3. Certain words and phrases in an office lease may appear to have one meaning but actually have a very different meaning in court.

Three examples:

  • If a repairing obligation includes the words “put and keep” then the tenant may find itself upgrading the whole premises despite only having, say, a 3 year office lease. To add insult to injury, the tenant may only realise what it’s got itself into after the lease ends, meaning it would not even be able to use the property in its renovated state.
  • The extent of the “premises” being rented may seem to be a matter of common sense but it may or may not include the windows, doors, non-structural walls, structural walls, pipes and cables and the roof! The extent of the premises simply depends on what the office lease happens to state, but it will be up to the tenant to repair and insure the whole of the premises. That may sometimes not be a problem, but beware that the building may only look like it is in a good condition: be sure not to have liability for hidden defects, to find out about any incidents in the insurance history of the building and to confirm that the building is fully insured (i.e. for its full reconstruction value).
  • In a modern office building, a relatively small and brief fire in the kitchen of a small office premises can easily cause damage costing the landlord and the other tenants in the building £100,000.

Is Your Landlord Solvent?

Many mistakes made by tenants actually come down to a belief that the landlord, as it owns a commercial property, is relatively wealthy. This is frequently not true. Although the landlord may be part of a corporate group which is wealthy, the landlord company itself may have bank financing and internal company loans which exceed the value of the building and thus is simply supported from one year to the next by its parent company. Such arrangements are not uncommon and tenants should therefore take the extra time to think carefully and ensure they remain protected even in the event of the landlord’s insolvency.

An office lease is a very flexible document which manages many risks (each of which may be larger than the annual rent) in a business relationship that will usually continue for many years. An office lease can easily lead to the financial ruin of either the landlord or the tenant but if handled properly, these risks can be managed in a way that allows both parties to safeguard their businesses and grow. How the risks are managed must also reflect the financial, organisational and technical ability of each party to cope with it on a long term basis.

Office Lease Flexibility

An office lease should also reflect the potential for a tenant’s business priorities to change over time. This is true for start-ups as well as more established businesses. Consider:

  • Many businesses adopt strategies which reflect the prevailing attitudes of investment analysts, who sometimes like focused businesses and sometimes instead prefer businesses with a spread of activities and hence risk. As tenants may buy or sell subsidiaries, open new divisions of their business or themselves become take-over targets, it is important that the office lease remains flexible enough for a tenant to change its business strategy.
  • For start-ups, the future is quite unpredictable, so it would often be helpful to adapt the office lease so that at least the cost of the lease is predictable. For example, larger landlords may agree to having a fixed service charge and rent to be paid monthly in advance instead of the standard 3 months in advance. As a further example of a common problem, will the landlord carry out an (expensive) inspection of the premises months after the tenant has vacated and then invoice it all to the tenant?
  • Does the office lease ensure that at the end of the lease, the tenant can choose to take a new office lease and remain in the premises, or would there be a lengthy discussion about the new rent level and open competition from any new potential tenants? For a tenant, that prospect may not only be worrisome from a financial perspective but also from a time perspective - the process of carefully selecting new premises and moving into them is very time consuming. A lease can manage this in many ways.
  • If there is further space available in the building, would it be prudent for the tenant to reserve that space for 6 – 12 months?
  • Might the tenant need specialised telecom and data cabling installed in the building? That might be expensive, slow and even forbidden if the office is in a listed building or if, as so often happens in London, the landlord also needs consent from one or more superior landlords. Such issues can be addressed in the lease at the outset, to avoid expensive problems in the future.
  • Does the landlord facilitate contact between the tenants? This does not take much effort for a landlord but clearly, is better discussed at the outset if it might be important. A simple gathering of the tenants twice a year could facilitate new business relationships or a strategy to green the building. Those are both items which can be simple and cheap but are quite impossible if the tenants do not talk and that is hard to achieve if the landlord does not facilitate it.
  • Does the landlord plan to provide a service or will the landlord be very difficult even to contact? The office lease can also establish the right communication channels between landlord and tenant and that can make all the difference in any business relationship.

Use An Expert

It is therefore important, especially for tenants who may be dealing with the property industry for the first time, to choose advisers who have deep experience of the entire property industry and can therefore efficiently solve problems on time and on budget. Such advisers can provide support for the entire lifecycle of the office lease: the initial heads of terms, the lease itself, fit-outs and refurbishments to the property (by either or both the landlord or the tenant), expanding, insolvency, renewing the lease or preparing the exit (well in advance). Contact Neil Williamson or call us on 0203 637 6374 if you would like to enquire about any aspect of an office lease.