Boilerplate clauses - what are they?

Boilerplate clauses are repeated in all kinds of contracts. They are not the commercial terms that vary from one transaction to another. They regulate the operation of the contract: its duration, interpretation, transferability and enforceability.

What are boilerplate clauses?

Boilerplate clauses are often standard, and most are not typically negotiated. But they are important. Many contract disputes depend on the drafting of boilerplate clauses such as termination, force majeure, and entire agreement.

Some heavily negotiated commercial terms routinely appear in so many contracts that they may also be classed with boilerplate. Examples are indemnities and limit of liability clauses.

Example: how boilerplate clauses may affect a dispute

Here’s an example from the case FoodCo UK LLP v Henry Boot Developments Ltd [2010] EWHC 358 (Ch). An entire agreement clause saved a developer from a series of claims for misrepresentation, brought by businesses that had leased units in the development. The clause agreed that no lessee had relied on any representation beyond those recorded in the contract. The effect was that one businessman, when confronted with the clause in the contract he had signed, admitted that he had not in fact relied on the alleged misrepresentations. That defeated his claim. The clause successfully excluded claims for innocent and negligent misrepresentation. That reduced the other five claimants to asserting fraud, which they failed to prove.

Some common boilerplate clauses:

  • Counterparts – Confirms the validity of counterparts or duplicates of the contract (and may delay contract formation).
  • Entire Agreement – identifies the express contract terms. Often contains terms limiting liability for misrepresentation.
  • Limiting liability for misrepresentation – Reduces the risk of liability for misrepresentation.
  • Severance - Agrees the contract will survive deletion of an unenforceable provision. May impose a duty to renegotiate.
  • Third party rights – Can limit non-parties’ rights to enforce contract terms and to veto variation and rescission.
  • Waiver - May help to prevent accidental loss of rights but cannot ensure their survival.

Counterparts

Parties to a contract may each execute a separate copy of the contract, each of which they will consider an original. A counterparts clause states this expressly. Even without a counterparts clause, a contract is valid if made in this way, under the common law. Land transactions are commonly executed in this way without a counterparts clause.

A counterparts clause may also be used where the parties execute multiple original contracts (duplicates), to confirm that each has the status of an original. Duplicates may be required for tax, regulatory, company administration or other reasons. In these cases, a counterparts clause may help stop a party (or an outside authority) objecting that a counterpart or duplicate contract is not binding or valid.

Entire agreement

The entire agreement statement affects statements made in negotiations but not repeated in the contract. In the absence of an entire agreement statement, these could create a collateral warranty or side agreement under the common law. For example, if a sales representative offers extra benefits as an inducement to sign a contract, the supplier could be contractually bound to provide those benefits, even if they were not written into the contract. An entire agreement statement prevents this by identifying the express contract terms and limiting them to the terms identified in the clause.

Limiting liability for misrepresentation

This part of the clause addresses the risk of claims if one party (usually the supplier, rarely the customer) induced another to enter the contract by a false statement. If that happens, even unintentionally, the other may claim damages for the loss caused by entering the contract, or occasionally undo (rescind) the contract. Depending on the facts, the claims arising may include misrepresentation, negligence, fraud and (if the false statement was also captured as a warranty) breach of contract.

To reduce this risk, an entire agreement clause may include a non-reliance statement and express limits on liability and remedies for misrepresentation. This kind of wording has defeated large claims for misrepresentation, as in the example described above. This limitation often appears in the entire agreement clause for historical reasons, but it could equally well go in the limitation clause, a remedies clause or a clause on representations.

Severance

This clause takes effect if a contract term is illegal or invalid. Examples of illegal or invalid terms are:

  • Unfair exclusions of liability contrary to the Unfair Contract Terms Act 1977.
  • Non-compete and non-solicitation clauses that go beyond what is reasonable to protect a party's legitimate interests.
  • A duty to pay a banned person or organisation, contrary to anti-terrorism legislation.

Some severance clauses add nothing to what English law already provides. Under the common law doctrine of severance, the invalid provision is deleted and the rest of the contract survives if all these conditions are met:

  • Public policy allows it.
  • Nothing is added or rewritten. So, if an excessive restraint on competition or limit on liability is deleted, a reasonable and valid provision is not substituted.
  • The basic nature of the contract is unchanged. (But contracts routinely survive the deletion of an unfair limit on liability.)

Third party rights

The Contracts (Rights of Third Parties) Act 1999 introduced a new pitfall in contract drafting: the risk of accidentally giving a non-party (i.e. third party) the right to:

  • Enforce a contract term. Any express or implied benefit to a non-party may be directly enforceable by that non-party against the parties.
  • Prevent variation and rescission. Once a contract creates a directly enforceable third party right, the parties may need the non-party's consent before they can change that right by agreeing to vary or rescind the contract.

A clause dealing with third party rights can prevent direct enforcement by a non-party or restrict it to third party rights created expressly or remove the need for a non-party's consent to variation or rescission. Some clauses on third party rights go further, excluding non-party rights arising in other ways and preserving other rights of the parties. The need for these provisions and their effect on the contract are often unclear.

Waiver

A party can lose a right by waiting too long to exercise it or by taking action inconsistent with the right, under the common law of waiver. Expressly reserving the right during the delay or while taking the inconsistent action can prevent waiver, at least for a while.

A "no waiver" clause tries to preserve all rights from being waived, especially by delay. However, the clause may not prevail over the later words and actions of the party seeking to rely on it.

Worth checking

Boilerplate clauses can have sweeping effects in the event of a breakdown of contractual relations. Making sure the correct ones are included is therefore essential. But the idea that they can be applied identically in every contract is false. Making your lawyer aware of the idiosyncrasies of your contractual dealings when considering boilerplate clauses is therefore advisable.

If you have any questions about boilerplate clauses or about contract law more generally please contact Neil Williamson.


EU-US Privacy Shield invalid: Schrems II

In Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559, the European Court of Justice (ECJ) has given its preliminary ruling that Commission Decision 2010/87 on controller to processor standard contractual clauses (SCC) is valid but that Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Background

The General Data Protection Regulation ((EU) 2016/679) (GDPR) prohibits the transfer of personal data outside of the EU to a third country unless certain conditions are met. In principle, it may take place in any of the following circumstances:

  • On the basis of a European Commission adequacy decision (Article 45, GDPR).
  • Where there are appropriate safeguards in place, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs), and on the condition that data subjects have enforceable rights and effective legal remedies (Articles 46 and 47, GDPR).
  • A derogation for a specific situation applies, such as the data subject has given their explicit consent (Article 49, GDPR).

EU-US Privacy Shield

The EU-US Privacy Shield is a framework constructed by the US Department of Commerce and the European Commission to enable transatlantic data protection exchanges for commercial purposes.

The EU-US Privacy Shield enabled companies from the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US. Approved by the European Commission on 12 July 2016, the EU-US Privacy Shield replaced the Safe Harbor Principles, which the ECJ had declared invalid as a basis for an adequate level of protection within the meaning of Article 25 of the Data Protection Directive in its October 2015 decision in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] EUECJ.

Schrems II Facts

In October 2015, Mr Maximillian Schrems, an Austrian lawyer and data privacy campaigner, successfully challenged the validity of the EU-US Safe Harbor arrangement as a legal basis for transferring personal data from Facebook Ireland to servers belonging to Facebook Inc located in the US (commonly referred to as the Schrems I judgment).

Subsequently, in July 2016, the European Commission adopted a replacement adequacy Decision 2016/1250 approving a new framework for EU-US personal data flows, the EU-US Privacy Shield.

Mr Schrems reformulated his complaint to the Irish Data Protection Commissioner, claiming that the US does not offer sufficient protection for personal data transferred to that country and sought the suspension or prohibition of future transfers of his personal data from the EU to the US, which Facebook Ireland now carries out in reliance on Decision 2010/87 on controller to processor SCCs.

One of Mr Schrems' key concerns was that the US government might access and use EU individuals' personal data contrary to rights guaranteed by the Charter of Fundamental Rights of the EU (Charter) and that EU individuals would have no remedy available to them once their personal data is transferred to the US. Under US law, internet service providers such as Facebook Inc can be required to provide information to agencies such as the National Security Agency, the Central Intelligence Agency and the Federal Bureau of Investigation, and that information can be further used in surveillance programmes such as PRISM and UPSTREAM.

Decision on controller to processor SCCs

The use of SCCs remains valid, but businesses using controller to processor SCCs (or planning to do so) now face additional burdens: they will need to conduct a Transfer Impact Assessment on whether, in the overall context of the transfer, there are appropriate safeguards in the third country for the personal data transferred out of the EU (practically speaking, the European Economic Area). EU data exporters will need to take into account not only the destination of the personal data but also, in particular, any access by public authorities and the availability of judicial redress for individuals, to ascertain whether SCCs are an appropriate mechanism, and they may need to put in place additional safeguards.

Decision on EU-US Privacy Shield

The limitations on the protection of personal data, transferred from the EU to the US, arising from US domestic law "on the access to and use by US public authorities, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary".

As regards the requirement of judicial protection, the ECJ held that the Privacy Shield Ombudsperson does not provide individuals with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, so as to ensure the independence of the Ombudsperson and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on US intelligence services.

EU-US Privacy Shield - Practical points:

  • The EU-U.S. Privacy Shield is no longer valid and businesses solely relying on it to transfer personal data to the U.S. should rely on another transfer solution, including by putting SCCs in place.
  • While SCCs remain valid, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (e.g. because of potential access by law enforcement or national security agencies). This is, in effect, a Transfer Impact Assessment. This will be burdensome for small organisations but also large ones making hundreds, if not thousands, of transfers.
  • The EU Commission is now likely to issue updated SCCs. Those new clauses could bake in the Transfer Impact Assessment discussed above. While existing SCCs will hopefully be “grandfathered”, business should anticipate changes to their processes for new transfers.
  • The judgment could have a negative impact on any adequacy finding for the UK after the Brexit transition period. While there are material differences between the U.S. and UK surveillance regimes, the judgement will no doubt make the EU Commission more cautious in future adequacy assessments.
  • In the absence of an adequacy finding, transfers of personal data from the EU to the UK will be more difficult post-Brexit as EU businesses will necessarily have to consider the effect of UK government surveillance powers, in particular the Investigatory Powers Act 2016.
  • While the data protection authorities cannot grant a “grace period” as such, they may well take a gradual approach to enforcing these new requirements. As an illustration, when the Safe Harbor was struck down in 2015, data protection authorities indicated they would not take active enforcement for a few months to allow controllers to make new arrangements.

More to come…

With the publication of updated Standard Contractual Clauses expected and the UK adequacy decision pending, businesses handling cross-border data transfers to and from the EU or to and from the US need to keep themselves informed of the latest developments. As it stands, SCCs will need to be part of any such cross-border transfer, and a Transfer Impact Assessment will be a new and additional obligation.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


AI - Consultation on International Standards

On 25 June 2020, the International Organization of Securities Commissions (IOSCO) published a consultation document (CR02/2020) on the use of artificial intelligence (AI) and machine learning (ML) by market intermediaries and asset managers, which it has identified as a key priority.

IOSCO consultation paper on AI

IOSCO, the global standard setter for the securities sector, has published for consultation proposed guidance on the use of artificial intelligence and machine learning by market intermediaries and asset managers. Once finalised, the guidance would be non-binding, but IOSCO would encourage its members to take it into account when overseeing the use of AI by regulated firms.

IOSCO’s membership comprises securities regulators from around the world. It aims to promote consistent standards of regulation for securities markets.

Why market intermediaries and asset managers?

IOSCO believes that the increasing use of AIML by market intermediaries and asset managers may be altering their business models. For example, firms may use AIML to support their advisory services, risk management, client identification and monitoring, selection of trading algorithms and portfolio management, which may also alter their risk profiles.

One fear is that this use of AIML may create or exacerbate certain risks, which could potentially have an impact on the efficiency of financial markets and could result in consumer harm.

AI industry discussions

As well as setting out its guidance, the report also indicates some of its findings from industry discussions:

Firms implementing AI and ML mostly rely on existing governance and oversight arrangements to sign off and oversee the development and use of the technology. In most instances, the existing review and senior leadership-level approval processes were followed to determine how risks were managed, and how compliance with existing regulatory requirements was met. AI and ML algorithms were generally not regarded as fundamentally different from more traditional algorithms and few firms identified a need to introduce new or modify existing procedural controls to manage specific AI and ML risks.

Some firms indicated that the decision to involve senior leadership in governance and oversight remains a departmental or business line consideration, often in association with the risk and IT or data science groups. There were also varying views on whether technical expertise is necessary from senior management in control functions such as risk management. Despite this, most firms expressed the view that the ultimate responsibility and accountability for the use of AI and ML would lie with the senior leadership of the firm.

Some firms noted that the level of involvement of risk and compliance tends to focus primarily on development and testing of AI and ML rather than through the lifecycle of the model (i.e., implementation and ongoing monitoring). Generally, once implemented, some firms rely on the business line to effectively oversee and monitor the use of the AI and ML. Respondents also noted that risk, compliance and audit functions should be involved throughout all stages of the development of AI and ML.

Many firms did not employ specific compliance personnel with the appropriate programming background to appropriately challenge and oversee the development of ML algorithms. With much of the technology still at an experimental stage, the techniques and toolkits at the disposal of compliance and oversight (risk and internal audit) currently seem limited. In some cases, this is compounded by poor record keeping, resulting in limited compliance visibility as to which specific business functions are reliant on AI and ML at any given point in time.

AI Areas of concern

IOSCO has identified the following areas of potential risk and harm relating to the development, testing and deployment of AIML: governance and oversight; algorithm development, testing and ongoing monitoring; data quality and bias; transparency; outsourcing; and ethical concerns.

Its proposed guidance consists of measures to assist IOSCO members in providing appropriate regulatory frameworks to supervise market intermediaries and asset managers that utilise AIML. These measures cover:

  • Appropriate governance, controls and oversight frameworks over the development, use and performance monitoring of AIML.
  • Ensuring staff have adequate knowledge, skills and experience to implement, oversee and challenge the outcomes of AIML.
  • Robust, consistent and clearly defined development and testing processes to enable firms to identify potential issues before they fully deploy AIML.
  • Appropriate transparency and disclosures to investors, regulators and other relevant stakeholders.

How the FCA regulates AI in the UK

For an idea of how AI is currently regulated in finance by the UK read below:

The Financial Conduct Authority (FCA) deems it good practice to review how trading algorithms are used; develop appropriate definitions; ensure all activities are captured; identify any changes to algorithms; and have a consistent methodology across the testing and deployment of AI and ML. The Markets in Financial Instruments Directive (MiFID II) requires firms to develop processes to identify algorithmic trading across the business. These can be either investment decision or execution algorithms, which can be combined into a single strategy. Firms are also required to have a clear methodology and audit trail across the business. Approval and sign-off processes should ensure a separation of validation and development, a culture of collaboration and challenge, and consistency with the firm's risk appetite. While the algorithms are field-deployed, it is a requirement to maintain pre-trade and post-trade risk controls and real-time monitoring of algorithms in deployment, with the ability to kill an algorithm or a suite of algorithms centrally, a functionality commonly known as the kill-switch.

It is a best practice, but not a requirement, to have an independent committee to verify the completion of checks. However, under the SM&CR, a firm’s governing body would be expected explicitly to approve the governance framework for algorithmic trading, and its management body should identify the relevant Senior Management Function(s) with responsibility for algorithmic trading.

How to submit comments

Comments may be submitted by one of the three following methods on or before 26 October 2020. To help IOSCO process and review your comments more efficiently, please use only one method.

Important: All comments will be made available publicly, unless anonymity is specifically requested. Comments will be converted to PDF format and posted on the IOSCO website. Personal identifying information will not be edited from submissions.

  1. Email
  • Send comments to consultation-02-2020@iosco.org.
  • The subject line of your message must indicate ‘The use of artificial intelligence and machine learning by market intermediaries and asset managers’.
  • If you attach a document, indicate the software used (e.g., WordPerfect, Microsoft WORD, ASCII text, etc) to create the attachment.
  • Do not submit attachments as HTML, PDF, GIF, TIFF, PIF, ZIP or EXE files.
  2. Facsimile Transmission

Send by facsimile transmission using the following fax number: + 34 (91) 555 93 68.

  3. Paper

Send 3 copies of your paper comment letter to:

Alp Eroglu
International Organization of Securities Commissions (IOSCO)
Calle Oquendo 12
28006 Madrid
Spain

Your comment letter should indicate prominently that it is a ‘Public Comment on The use of artificial intelligence and machine learning by market intermediaries and asset managers’.

For more information read our blog ‘AI in Financial Services.’

What happens next?

The consultation on the draft guidance closes on 26 October 2020. In the UK, the FCA is currently working with the Alan Turing Institute to look at the implications of the financial services industry deploying AI. Meanwhile, the European Commission has released its own guidelines for trustworthy AI and is expected to propose legislation in this area later in 2020.

EM law specialises in technology law. Get in touch if you have any questions on the above.


Resale Price Maintenance – Korg Fined

On 9 July 2020, the Competition and Markets Authority (CMA) published the full text of its infringement decision finding that Korg (UK) Limited had breached the Chapter I prohibition of the Competition Act 1998 and Article 101 of the Treaty on the Functioning of the European Union by engaging in resale price maintenance in relation to the online retail prices of Korg's synthesizers and hi-tech equipment.

Background

In April 2018, the CMA launched an investigation into alleged anti-competitive agreements and/or concerted practices in relation to the distribution of musical instruments and equipment by Korg (UK) Limited (Korg UK). On 24 March 2020, the CMA issued a statement of objections alleging that Korg UK had breached Article 101 of the TFEU and the Chapter I prohibition by restricting retailer freedom to discount the online retail prices of synthesizers and hi-tech equipment supplied by Korg UK; in other words, that Korg UK had engaged in resale price maintenance.

Korg UK subsequently reached a settlement agreement with the CMA and, on 29 June 2020, the CMA announced that it had issued an infringement decision, fining Korg UK £1.5 million for engaging in resale price maintenance designed to restrict retailer freedom to set prices online by requiring their musical instruments to be sold at or above a minimum price. The CMA has now published the full text of the infringement decision.

The facts

Korg UK is active in the distribution of musical instruments and music-making equipment (MI) including electronic MI in the UK and Republic of Ireland. The CMA's investigation was limited to the supply of Korg synthesizers and hi-tech equipment (including DJ equipment, electronic percussion, stage pianos, and controllers) (Relevant Products).

The CMA concluded that during the relevant period (9 June 2015 to 17 April 2018), Korg UK operated and enforced a wide-ranging pricing policy, the purpose of which was to ensure that MI Resellers would not advertise or sell the Relevant Products online below a certain minimum price specified by Korg UK from time to time, for example in Korg UK’s price lists. The CMA found that the nature of the Korg Pricing Policy was such that Korg UK rarely needed to contact MI Resellers about it (in writing or otherwise) when MI Resellers were complying with it, because the Minimum Price was, in general, clearly displayed on Korg UK’s price lists relating to the Relevant Products.

This generally limited the need for verbal and written communications concerning the Korg Pricing Policy, and therefore limited the amount of written records related to the Korg Pricing Policy. Despite this, the CMA obtained evidence which, in the CMA’s view, demonstrated the existence of the Korg Pricing Policy. Relevant contemporaneous documentary evidence was corroborated by certain witness evidence describing verbal and/or written communications that took place between Korg UK and its MI Resellers during the relevant period.

Resale price maintenance – Korg evidence

The commercial aims, content and communication and scope and duration

Korg UK’s commercial aims for introducing the Korg Pricing Policy were as follows:

  • It was designed to enable Korg UK’s MI Resellers to achieve attractive margins through the maintenance of high and stable pricing, so increasing the attractiveness of the Korg brand and encouraging MI Resellers to stock and sell the Relevant Products (and the Korg brand more generally).
  • In doing so, it aimed to help Korg UK secure, maintain and/or improve its UK market position in the relevant products relative to its competitors, in particular, by maintaining the brand value of the relevant products.

Resale price maintenance – Korg’s monitoring and enforcement

The evidence showed that Korg UK sought to monitor and enforce the Korg Pricing Policy by contacting MI Resellers in advance of Korg UK issuing a new price list or immediately after issue to ensure early compliance with the Korg Pricing Policy.

Korg UK’s awareness of competition law and potential illegality, and culture of concealment

The evidence shows that Korg UK staff were very familiar with competition law and appeared to know what conduct would constitute a breach of it. Korg had introduced a compliance code in 2015 and senior employees took an active role in giving competition compliance training as part of the induction for new Korg UK staff. The CMA further concluded that “Korg UK staff operated under a culture of concealment and tried to avoid generating an evidence trail of potentially incriminating written records.”

CMA’s legal assessment of resale price maintenance

The decision sets out CMA’s legal assessment of Korg UK’s agreement and/or concerted practice with Reseller 1, one of its MI Resellers, that Reseller 1 would not advertise or sell online synthesizers or hi-tech equipment supplied to it by Korg UK below a certain Minimum Price specified by Korg UK from time to time, in accordance with the Korg Pricing Policy.

The CMA had reasonable grounds for suspecting that more than 20 MI Resellers of the Relevant Products were subject to the Korg Pricing Policy, and that MI Resellers generally complied with Korg UK’s requests to adhere to the Minimum Price.

The CMA, therefore, concluded that throughout the relevant period:

  • Reseller 1 generally complied with the Korg Pricing Policy, due to a credible fear of sanctions for non-compliance.
  • Korg UK monitored Reseller 1’s pricing and requested Reseller 1 on numerous occasions to follow the Korg Pricing Policy with regard to Reseller 1’s advertising and selling online of the Relevant Products (this tended to happen when Korg UK issued a new price list or when Reseller 1 had been caught matching another MI Reseller’s lower prices, at least temporarily).
  • On numerous occasions Reseller 1 increased its pricing (albeit not always immediately) to at least the Minimum Price, on Korg UK’s request.
  • On numerous occasions Reseller 1 reported to Korg UK other MI Resellers advertising or selling the Relevant Products online at prices below the Minimum Price.

Decision to impose penalties

The CMA concludes that there is strong evidence that Korg UK must have been aware, or could not have been unaware, that its conduct had the object or would have the effect of restricting competition. In particular, there was evidence that staff were aware that resale price maintenance was illegal and that there was a culture of concealment to hide evidence. The CMA therefore found that Korg UK committed resale price maintenance intentionally.

Case study

The CMA has published a case study explaining the facts of this case. It notes that there are a number of lessons that businesses can learn from this case, including an understanding that:

  • It is illegal for a supplier to interfere with a reseller’s ability to independently set their own price.
  • The CMA has sophisticated means of gathering evidence and uncovering evidence even where the companies have tried to hide their actions by deleting communications.
  • If you are ever asked not to put something down in writing, you should be suspicious as it could relate to something illegal. If so, you should seek legal advice and seriously consider whether to report the matter to the CMA.
  • Directors and senior staff have a special responsibility to be well informed on competition law and make sure their companies are behaving legally and ethically.
  • Attending compliance training alone is not sufficient to be compliant – you must actively comply with the law.
  • As a reseller you can also be investigated for breaking the law if you are found to have co-operated with a minimum pricing policy. If a supplier tries to make you comply with a minimum pricing policy, you should refuse and point them to the CMA's guidance. The CMA would also urge you to report them. Resellers may also face enforcement action such as fines if they have gone along with the supplier’s resale price policy.

EM Law help a wide range of clients with compliance and structuring around their operations. Please contact us if you have any questions on the issues raised in this article.


GDPR Report: EU Commission’s First Evaluation of the GDPR

On 24 June 2020, just over two years after its entry into application, the European Commission published an evaluation report on the General Data Protection Regulation (the Regulation / GDPR). The GDPR report finds that the Regulation has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.

Scope of the GDPR report

The GDPR proved to be flexible to support digital solutions in unforeseen circumstances such as the Covid-19 crisis. The GDPR report also concludes that harmonisation across the Member States is increasing, although there is a certain level of fragmentation that must be continually monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage. The GDPR report contains a list of actions to facilitate further the application of the Regulation for all stakeholders, especially for small and medium-sized companies, to promote and further develop a truly European data protection culture and vigorous enforcement.

Background to the GDPR report

The General Data Protection Regulation is a single set of rules of EU law on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It strengthens data protection safeguards, provides additional and stronger rights to individuals, increases transparency, and makes all those that handle personal data more accountable and responsible. It has equipped national data protection authorities with stronger and harmonised enforcement powers and has established a new governance system among the data protection authorities. It also creates a level playing field for all companies operating in the EU market, regardless of where they are established, ensures the free flow of data within the EU, facilitates safe international data transfers and has become a reference point at global level.

As stipulated in Article 97(2) of the GDPR, the report covers in particular international transfers and the ‘cooperation and consistency mechanism’, although the Commission has taken a broader approach in its review, in order to address issues raised by various actors during the last two years. These include contributions from the Council, the European Parliament, the EDPB, national data protection authorities and stakeholders. Key findings of the GDPR review are:

Empowering individuals to control their data

The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Today, 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people have heard about their national data protection authority, according to results published last week in a survey from the EU Fundamental Rights Agency. However, more can be done to help citizens exercise their rights, notably the right to data portability.

The application of the GDPR to new technologies

The GDPR report found that the Regulation has empowered individuals to play a more active role in relation to what is happening with their data in the digital transition. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.

Enforcement of the GDPR

From warnings and reprimands to administrative fines, the GDPR provides national data protection authorities with the right tools to enforce the rules. However, they need to be adequately supported with the necessary human, technical and financial resources. Many Member States are doing this, with notable increases in budgetary and staff allocations. The GDPR report found that overall, there has been a 42% increase in staff and 49% in budget for all national data protection authorities taken together in the EU between 2016 and 2019. However, there are still stark differences between Member States.

Harmonised rules but still a degree of fragmentation and diverging approaches

The GDPR established an innovative governance system which is designed to ensure a consistent and effective application of the GDPR through the so-called ‘one-stop shop’, which provides that a company processing data cross-border has only one data protection authority as interlocutor, namely the authority of the Member State where its main establishment is located. Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the ‘one-stop shop’, 79 of which resulted in final decisions. However, the GDPR report concludes that more can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate.

Advice and guidelines by data protection authorities

The EDPB is issuing guidelines covering key aspects of the Regulation and emerging topics. Several data protection authorities have created new tools, including helplines for individuals and businesses, and toolkits for small and micro-enterprises. It is essential to ensure that guidance provided at national level is fully consistent with guidelines adopted by the EDPB.

Developing a modern international data transfer toolbox

The GDPR report found that over the past two years, the Commission's international engagement on free and safe data transfers has yielded important results. This includes Japan, with which the EU now shares the world's largest area of free and safe data flows. The Commission will continue its work on adequacy with its partners around the world. In addition, and in cooperation with the EDPB, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool. The EDPB is working on specific guidance on the use of certification and codes of conduct for transferring data outside of the EU, which needs to be finalised as soon as possible. Given that the European Court of Justice may provide clarifications in a judgment to be delivered on 16 July that could be relevant for certain elements of the adequacy standard, the Commission will report separately on the existing adequacy decisions after the Court of Justice has handed down its judgment.

Promoting convergence and international cooperation in the area of data protection

Over the last two years, the Commission has stepped up bilateral, regional and multilateral dialogue, fostering a global culture of respect for privacy and convergence between different privacy systems to the benefit of citizens and businesses alike. The Commission is committed to continuing this work as part of its broader external action, for example, in the context of the Africa-EU Partnership and in its support for international initiatives, such as ‘Data Free Flow with Trust’. At a time when violations of privacy rules may affect large numbers of individuals simultaneously in several parts of the world, it is time to step up international cooperation between data protection enforcers. This is why the Commission will seek authorisation from the Council to open negotiations for the conclusion of mutual assistance and enforcement cooperation agreements with relevant third countries.

Challenges for small and medium-sized enterprises (SMEs)

The GDPR report noted that the Regulation, together with the Free Flow of Non-Personal Data Regulation, offers opportunities to companies by fostering competition and innovation, ensuring the free flow of data within the EU and creating a level playing field with companies established outside the EU. The right to portability, coupled with an increasing number of individuals in search of more privacy-friendly solutions, has the potential to lower the barriers to entry for businesses and open the possibilities for growth based on trust and innovation. However, some stakeholders report that the application of the GDPR is challenging, especially for small and medium-sized enterprises.

SMEs stress in particular the importance and usefulness of codes of conduct which are tailored to their situation and which do not entail disproportionate costs. As regards certification schemes, security (including cybersecurity) and data protection by design are key elements to be considered under the GDPR and would benefit from a common and ambitious approach throughout the EU. The Commission is currently working on standard contractual clauses between controllers and processors, building on the on-going work on the modernisation of the standard contractual clauses for international transfers.

At EM Law we specialise in helping small and medium-sized companies comply with the GDPR. If you have any questions on data protection law or on any of the issues raised in this article, please get in touch with one of our data protection lawyers.


Digital Marketing

Digital Marketing - Legal Issues

Digital Marketing is a growth industry with legislation struggling to keep up. Unsurprisingly, though, there are legal issues that digital marketing businesses need to be aware of to remain compliant. The House of Lords' 2018 report "UK advertising in a digital age" noted that digital marketing accounted for over half of all spending on advertising in the UK for the first time in 2017. This figure is likely only to increase, especially in the aftermath of COVID-19. This article provides some background on the types of digital marketing and some of the legal issues to consider in this context.

Digital marketing formats

The Digital Adspend study, produced by industry body the Internet Advertising Bureau (IAB) and accountants PricewaterhouseCoopers, breaks down 2017 digital marketing spend by format as follows:

Paid-for search: £5.82bn, of which smartphone spend was £2.62bn. This is essentially sponsored search results, where advertisers pay to have their details presented at the top of a search results page or prominently featured elsewhere on the page.

Display: £4.18bn, within which falls:

  • Online video: £1.61bn, of which smartphone spend was £1.17bn. An example is the pre-roll advert which appears before you watch a YouTube clip, or videos which start playing as the page loads or when your mouse scrolls over them.
  • Banners and standard display formats: £1.31bn, of which smartphone spend was £418m. These are the obvious adverts and include those which appear across the top of the screen (banner adverts) or in a sidebar, overlay adverts (which pop up on-screen and have to be clicked to close) and interstitial adverts (full-screen adverts that pop up between expected content, for example before a target page appears on the screen).

Native: £1.03bn, of which smartphone spend was £895m. An advertorial is native advertising, as are adverts which appear to be recommendations by the publisher ("you might also like"), influencer marketing on social media and adverts which appear to be search results.

Classified and other: £1.47bn. Classified advertising is advertising in an online directory or marketplace (for example, Rightmove, Auto Trader and Gumtree).

Commentators note that the biggest increase recently has been in spend on advertising targeting mobile phone users, in particular using a video format.

Key industry players

The CMA's Final Report on its Digital Marketing Market Study estimates that search advertising revenues totalled around £7.3 billion in 2019, of which more than 90% was earned by Google. Total spend on display advertising was worth £5.5 billion, of which it is estimated more than half went to Facebook.

Google receives revenue from its search engine and other brands such as YouTube, Google Maps and Google Play (an app and digital media store). Google sells advertising space on its own and other sites through Google Ads, and provides services to buy and optimise campaigns on Google via its Google Marketing Platform.

Digital Marketing Legal Issues

Adverts must be obviously identifiable as such.

All advertising must be obviously identifiable as advertising. This is a requirement under:

The Consumer Protection from Unfair Trading Regulations 2008 (SI 2008/1277) (CPUT) which implement the Unfair Commercial Practices Directive (2005/29/EC) (UCPD):

  • A failure to identify commercial intent, unless this is already apparent from the context, is a misleading omission.
  • Using editorial content in the media to promote a product where a trader has paid for the promotion without making that clear in the content or by images or sounds clearly identifiable by the consumer (advertorial) is a prohibited commercial practice.
  • Falsely claiming or creating the impression that the trader is not acting for purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer is a prohibited commercial practice.

The Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) (E-Commerce Regulations) which implement the E-Commerce Directive (2000/31/EC):

  • Service providers must ensure that any commercial communication provided by them which constitutes or forms part of an information society service (which would include all advertising) is clearly identifiable as a commercial communication.

The UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code):

  • Marketing communications must be obviously identifiable as such.
  • Marketing communications must not falsely claim or imply that the marketer is acting as a consumer, or for purposes outside its trade, business, craft or profession; marketing communications must make clear their commercial intent, if that is not obvious from the context.
  • Marketers and publishers must make clear that advertorials are marketing communications; for example, by heading them "advertisement feature".

Information obligations on digital advertisers

Online advertisers need to:

  • Provide certain information about themselves on their websites.
  • Include certain information about themselves and their products in their online adverts.

These obligations, which apply to "information society service" providers, derive from the E-Commerce Regulations which implement the E-Commerce Directive (2000/31/EC) (E-Commerce Directive).

Information advertisers must include on websites

The information the advertiser must include on websites consists of:

  • Its name.
  • The geographic address at which it is established.
  • Details, including an email address, which make it possible to contact the advertiser rapidly and communicate with it in a direct and effective manner.
  • Where the advertiser is registered in a trade (or similar) register available to the public, details of the register in which the service provider is entered and its registration number, or equivalent means of identification in that register.
  • Where the provision of the service is subject to an authorisation scheme, the particulars of the relevant supervisory authority. Advertising itself is not subject to an authorisation scheme in the UK, but the advertiser's business may be.
  • The advertiser's VAT number.
  • Where the advertiser exercises a regulated profession:
      • the details of any professional body or similar institution with which the advertiser is registered;
      • the advertiser's professional title and the EEA state where that title has been granted; and
      • a reference to the professional rules applicable to the service provider in the member state of establishment, and the means to access them.

Information requirements for online adverts

An information society service provider (which includes any online advertiser) must ensure that any commercial communication provided by it as part of an information society service (which would include all digital marketing) shall:

  • Be clearly identifiable as a commercial communication.
  • Clearly identify the person on whose behalf the commercial communication is made.
  • Clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible and presented clearly and unambiguously.
  • Clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously.

Digital Marketing: Controls on the use of personal data and online behavioural advertising (OBA)

The digital environment offers advertisers the opportunity to track users' online behaviour to build a profile of their interests and target advertising at them. This practice is known as "online behavioural advertising" (OBA) or sometimes as interest-based advertising (IBA).

Information is generally collected using online identifiers (such as cookies, internet protocol (IP) addresses, radio frequency identification (RFID) tags, advertising IDs, pixel tags, account handles and device fingerprints) which can be used variously to note information such as searches conducted, content viewed, purchases made and the user's location. Data about browsing habits can be combined with information about the user obtained via registrations and purchases.

OBA may be conducted by a website owner solely based on activity on its own site (first-party OBA) or by a third party tracking activity across multiple websites and user devices and serving adverts for products not necessarily sold on the website being viewed (third-party OBA).

Examples of OBA include:

  • Advertising (such as pop-ups and banners) for products a user is likely to be interested in based on their interests, as revealed by their browsing habits or searches.
  • Retargeting of adverts for products a user has viewed, encouraging them to go back and make or complete a purchase.
  • Advertising to a mobile phone promoting a cafe which a user is passing near to.

Advertisers need to be aware that if they have collected personal data at any stage in the process enabling them to target advertising at individuals, they will be classified as a data controller, unless they are acting on behalf of another data controller, in which case they may be a data processor. A data controller must notify the individuals whose personal data they are using about who they are, what personal data they are collecting and what they are using that data for. They must also only process that data under one of the specified lawful bases. So if, for example, an advertiser is processing personal data relating to an individual’s political or religious beliefs, the advertiser will need to obtain consent to such processing from the individual.

Cookies

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) require the user's consent to the use of non-essential cookies and similar technologies on their devices, including computers or mobiles, but also other equipment such as wearable technology, smart TVs, and connected devices including the ‘Internet of Things’.

If the advertiser’s cookies are collecting personal data then the advertiser will also need to comply with data protection laws as a data controller.

A short introduction

Digital marketing can give rise to many legal issues and what has been mentioned here is only a short overview. The content of adverts and websites and the use of personal data need to be considered from the outset.

EM Law are experts in media, technology and data protection law. Please contact us if you need any help with digital marketing legal issues.