Open Source Software

Open Source Software - An Overview

A feature of the software world over the last 20 years has been the rise and rise of open source software (OSS). From its origins in US academia in the early 1970s, OSS emerged into the mainstream in the 1990s, continuing into widespread use throughout the 2000s and 2010s so that it is today approaching ubiquity.

What is open source software?

In essence, open source software is software provided under a licence which grants certain freedoms to a licensee. It is often free and used by developers to produce the foundational elements of software. But not always. It should properly be seen as a range of associated licensing techniques: there are many different types of OSS licences differing widely in clarity, length and legal effect.

Looking ahead

The scope and appeal of open source software is only likely to increase, due to a fairly unique combination of circumstances:

  • The internet. Open source software modules are readily downloadable from software library sites like netand github.com. To that extent open source is similar to other software delivery techniques that the internet powers, like virtualisation, software-oriented architecture (SOA), software as a service (SaaS) and cloud computing, all of which are following a trend of increasing adoption throughout the 2010s.
  • The current generational shift in the software industry. The generational shift from the traditional "software as a licence" – on the PC at home or in the server room at the office – towards remote, service-based computing which embraces these internet-enabled delivery techniques is now firmly established. This shift is another spur for OSS.
  • The rise of smartphone and tablet devices. Smartphones and tablets are increasingly challenging the dominance of the desktop and laptop as the primary computing device. The software running on these devices, both the operating systems (such as Android and Tizen) and the applications available on "app stores", has opened up new markets and scenarios for open source software to be used.
  • The rise of the Internet of Things (IoT). IoT can be broadly described as the interconnecting of physical devices with software and sensors and enabling these devices to communicate with each other and the internet. IoT is tipped to be one of the greatest technology innovations of the 2020s and open source software is a key enabler of IoT.

Plethora of open source software licences

Today, there are many hundreds of open source software licences in use, varying widely in length, clarity, intent and legal effect, and ranging from the intrusive, "copyleft" General Public Licence (GPL) through to short licences containing virtually no obligations.

OSS licences can be broadly grouped into two distinct categories. These are:

  • Permissive licences.
  • Restrictive licences (also known as "reciprocal", "hereditary" or "copyleft" licences).

While the exact terms vary between OSS licences, the key difference between the two categories of licence is how subsequent amendments, improvements and adaptations of the open source software (or combinations of the open source software with other software) are licensed or restricted.

Permissive open source software licences

Permissive OSS licences usually only require that any distribution of the original open source software be on the same terms as those on which it was provided. Importantly, permissive licences permit a licensee to freely amend and adapt open source code, and to combine open source code with proprietary code, without placing restrictions (or significant restrictions) on such amendments, adaptations or combinations (usually called "derivative works") or on how these derivative works can be licensed onwards.

Restrictive open source software licences

Restrictive OSS licences, on the other hand, go one step further than permissive licences, imposing licensing restrictions or requirements where the open source software is amended, adapted or combined with any other software (whether proprietary or open source) to produce a derivative work. While the provisions vary, restrictive OSS licences will (to a certain extent) apply to both the original open source software and any derivative works based upon it. This can be of key concern to organisations when using restrictive open source software alongside their proprietary software, as proprietary software could unintentionally be made subject to the open source licence.

Some examples

As a practical matter, when using open source software, a good starting point is to identify the OSS concerned and the licence terms under which it is made available and then to assess whether the licence attaches any particular terms which might pose a risk to your business. A leading OSS service provider publishes data in relation to trends in OSS usage under the most common OSS licences. The table below sets out the position based on the most recent data:

Top 10 open-source licences in 2016 and 2018

| Licence | Permissive or restrictive? | 2016 (% of all open source licences) | 2018 (% of all open source licences) | Change (%) |
|---|---|---|---|---|
| MIT | Permissive | 25 | 26 | 1 |
| Apache 2.0 | Permissive | 15 | 22 | 7 |
| GPL 3.0 | Restrictive | 19 | 16 | -3 |
| GPL 2.0 | Restrictive | 15 | 10 | -5 |
| LGPL | Restrictive | 6 | 6 | 0 |
| BSD 3 | Permissive | 6 | 5 | -1 |
| Microsoft Public | Permissive | 5 | 3 | -2 |
| BSD 2 | Permissive | 3 | 2.2 | -1 |
| Eclipse 1.0 | Restrictive | 1 | 1 | 0 |
| Zlib | Restrictive | 1 | 1 | 0 |

Software as a Service

Software as a Service (SaaS) is the term used to describe an arrangement in which software is hosted by a company and made available to users indirectly via a web browser. An example would be Dropbox where a user logs in via a portal to access and use the software provided for a subscription fee. There has been considerable controversy over whether the source code for OSS hosted by a SaaS provider must be made available to the users.

Under the wording of current OSS licences (except the GNU Affero General Public License (AGPL)), the hosting of OSS software by a SaaS provider would not appear to be a problem. Indeed, Section 0 of GPLv3 notes that mere interaction with a user through a computer network, with no transfer of a copy of a program, is not conveying and as a result, the obligations to publish source code may not be triggered. As a result, AGPL was created. It is a modified version of the ordinary GPL version 3, with one added requirement: if a modified AGPL program (or a derivative of it) runs on a server and users access it there, the server must also allow them to download the corresponding source code.

Final Thoughts

This blog is only a brief introduction to open source software and some legal issues to consider. Before supplying any software which contains OSS or, in some cases, before buying any software which contains OSS, understanding how the supply or acquisition of the open source software may impact your business model is crucial. Generally speaking there has been a trend towards more permissive licensing in the last decade. Whilst encouraging, this should not prevent organisations from having a deeper look into the OSS licences they use.

EM law specialises in technology law. Get in touch if you have any questions on the above.

 



Dealing With Redundancy

Dealing with redundancy can be daunting for both employers and employees: employers need to ensure that they follow correct procedures and apply them fairly. Employees have a number of rights in a redundancy situation and both parties need to understand what these are.

Dealing with redundancy from an employee perspective

Employees who are dismissed by reason of redundancy may be entitled to a statutory redundancy payment and they may be able to challenge the termination of their employment as an unfair dismissal.

The definition of "redundancy"

The definition of "redundancy" encompasses three types of situation: business closure, workplace closure, and reduction of workforce. The dismissal of an employee will be by reason of redundancy if it is "wholly or mainly attributable to" the employer:

  • ceasing or intending to cease to carry on the business for the purposes of which the employee was employed by it (business closure);
  • ceasing or intending to cease to carry on that business in the place where the employee was so employed (workplace closure); or
  • having a reduced requirement for employees to carry out work of a particular kind or to do so at the place where the employee was employed to work (reduced requirement for employees).

Redundancy payments

Employees who are dismissed by reason of redundancy may be entitled to a statutory redundancy payment. Additionally, they may have an express or implied contractual right to an enhanced contractual redundancy payment. In circumstances in which an employer is liable to pay an employee a statutory redundancy payment, if the employer either fails to make the payment because it is insolvent or refuses to do so, the employee may apply to the Secretary of State for payment out of the National Insurance Fund.

Statutory redundancy payments

Under section 135 of the Employment Rights Act 1996 (ERA), employees with at least two years' continuous employment at the relevant date are entitled to a statutory redundancy payment if they are dismissed by reason of redundancy.

Statutory redundancy pay is calculated according to a formula set out in section 162 of the ERA 1996, which is based on age, length of service (subject to a maximum of 20 years) and pay (subject to the upper limit on a week's pay).

Claiming from the National Insurance Fund

Where an employer refuses to make a redundancy payment (or has made a part payment only), or the employer is insolvent, an employee may apply to the Secretary of State for a redundancy payment out of the National Insurance Fund under the scheme contained in section 166 of ERA 1996.

Contractual redundancy payments

In addition to a statutory redundancy payment, an employee may also be entitled to an enhanced contractual redundancy payment. This entitlement may be either express or implied:

  • If the employee's contract of employment expressly sets out a redundancy policy, the policy will be an express term of their employment. However, it is more common for a redundancy policy to become expressly incorporated by being set out in another document or collective agreement which is referred to in the employee's contract of employment. Another way in which a redundancy policy can be expressly incorporated into an employee's contract of employment is where a person with ostensible authority makes a verbal or written statement that results in a commitment by the employer to pay enhanced redundancy payments.
  • The most common way in which redundancy terms may be implied into an employee's contract of employment is where a set of redundancy terms are regularly applied in a particular trade or industry or by a particular employer. In order for employees to show implied incorporation of the enhanced redundancy terms into their contracts of employment, they must show that the custom in question is "reasonable, notorious and certain". This means that the policy's terms must be fair (and not arbitrary or capricious), must be generally established and well known, and must be clear cut.

In operating an enhanced redundancy payments scheme, an employer must be careful to ensure that the manner in which it applies enhancements will not leave it open to the accusation that it has disadvantaged some employees over others in a manner that is discriminatory. Age discrimination is a common issue in schemes which use age and/or length of service to calculate the payment, unless they closely follow the statutory redundancy pay model (above).

Redundancy and unfair dismissal

An employee who has sufficient qualifying service, i.e. has been employed for two years (although this time period depends on a number of factors and should by no means be taken for granted), is entitled not to be unfairly dismissed. Redundancy is a potentially fair reason for dismissal. Even if a dismissal is genuinely on grounds of redundancy, whether it is fair or unfair to dismiss for that reason normally depends on the application of the general test of fairness in section 98(4) of ERA 1996, namely whether the employer acted reasonably in dismissing the employee in all the circumstances.

A redundancy dismissal is likely to be unfair unless the employer:

  • Identifies an appropriate pool of employees for redundancy.
  • Consults with individuals in the pool.
  • Applies objective selection criteria to those in the pool.
  • Considers suitable alternative employment where appropriate, subject to a trial period.

Collective consultation (employer perspective)

Where 20 or more employees are being made redundant over a period of 90 days or less, an employer has a duty under the Trade Union and Labour Relations (Consolidation) Act 1992 to:

  • Inform and consult appropriate employee representatives. Where 100 or more redundancies are proposed, consultation must begin at least 45 days before the first dismissal takes effect. For fewer than 100 redundancies, the consultation period is 30 days.
  • Notify the Secretary of State (in practice a Form HR1). Notification must be received by the Secretary of State at least 45 days before the first dismissal where the employer proposes to dismiss 100 or more employees. Where fewer than 100 redundancies are proposed, the notification period is 30 days.

A tribunal may award up to 90 days' pay in respect of each employee where there has been a breach of the information and consultation duty. An employer may be fined if it fails to notify the Secretary of State.

Whenever there is an obligation to consult collectively, the employer will also need to ensure that it has followed a fair procedure in relation to individuals, including consulting with them properly, so as to minimise claims for unfair dismissal.

Alternatives to dealing with redundancy

When dealing with redundancy from the outset of the procedure (and throughout the consultation process), an employer should consider whether it can avoid making compulsory redundancies or reduce the number of compulsory redundancies.

If the employer is undertaking collective consultation, this is one of the matters over which it has a statutory duty to consult the employee representatives. It should also consider this during individual consultation as part of a fair redundancy procedure.

Initial steps that the employer should consider include:

  • Suspending or restricting recruitment.
  • Reduction or removal of overtime opportunities.
  • Not renewing the contracts of contractors.
  • Ceasing or reducing the use of agency workers.

If these initial steps are unavailable or are not sufficient, the employer could consider:

  • Inviting potentially redundant employees to apply for suitable alternative vacancies.
  • Inviting employees to volunteer for redundancy.
  • Inviting employees to consider early retirement under the pension scheme.
  • Temporarily laying off employees or reducing their hours. In some cases this may itself entitle the employees to claim a redundancy payment.

Dealing with redundancy - we're here to help

If you have any questions or need help dealing with redundancy or other employment law issues please contact any one of our employment lawyers: Rhodri Thomas, Helen Monson or Imogen Finnegan, or call us on 0203 637 6374.



Good Faith In English Contracts

On 7 May 2020, the UK Cabinet Office published guidance that parties to contracts should act responsibly and fairly, support the response to Covid-19 and protect jobs and the economy. Being non-statutory it is unclear how the courts might apply this message. Such expectations call to mind the concept of good faith. The government is encouraging businesses to act in the interest of public health, the job market and other businesses rather than just their own. In contract law this roughly translates as a duty of good faith to the other party of a contract.

History of good faith

The concept of good faith can be introduced in a number of ways. For example, it can be a legal principle that would apply to all the commercial activity in a certain country or it could be written into a contract. Importantly, the way it operates is dependent on the legal system of the country in which it is raised. One thing that is universal about good faith is that it is subjective which creates this scope for different interpretations.

English law has traditionally been averse to subjective clauses and has repeatedly rejected the adoption of good faith as a core concept of private law. There are several reasons for this hostility. English law embodies an ethos of individualism, so that parties are free to pursue their own self-interest. A general doctrine of good faith would also create too much uncertainty by creating obligations that are potentially vague and subjective. This could undermine the goal of contractual certainty, on which English law places great weight. Over the past thirty years, EU law has introduced the notion of “good faith” into confined areas of English private law. The majority of these interventions have concerned the protection of consumers in their interactions with businesses.

Good faith today

There is no general principle of good faith in English law unlike in other European legal systems (France and Germany significantly) and some US states. Therefore including a duty of good faith clause is the best way for a party operating under English law to make sure that the duty applies.

It was stated in a judgment in January 2020 by HHJ Pelling QC that ‘the circumstances in which… [good faith] can be implied into commercial agreements is an incrementally developing area of law’. Although there is no general doctrine of good faith in English contract law it can still affect commercial contracts in three ways:

  • Express duty. The parties can expressly agree that they will act in good faith. The question is whether the words chosen actually impose this duty and what it means in practice.
  • There is a well-recognised duty of rationality under which a party must exercise a contractual discretion in good faith and not arbitrarily or capriciously. This is often referred to as the "Braganza duty".
  • Implied duty. The courts might imply a general duty of good faith in a contract, or use the concept of good faith to imply other fact-specific duties. However, these duties are only likely to arise under a limited class of "relational" contracts.

Below is a more detailed look at these three avenues by which good faith is introduced into English law contracts.

Express obligations to act in good faith

Express duties of good faith, i.e. a clause stating that the parties should act in good faith, act with the utmost good faith, act in absolute faith, resolve disputes by friendly discussions, may achieve the following:

  • Prevent action that frustrates the purpose of the agreement.
  • Require the disclosure of material facts to the other party.
  • Prohibit knowingly lulling the other party into a false belief.
  • Prohibit asking for information under a pretence.
  • Prohibit knowingly providing false information on which the other party will rely.
  • Prohibit negotiating behind the other party's back.
  • Prohibit knowingly sustaining a groundless dispute.

The duty of rationality (the Braganza duty)

Another way to introduce good faith is through the principle known as the ‘duty of rationality’. This is an implied obligation in English contract law, in the absence of clear language to the contrary, to exercise a contractual discretion in good faith and not arbitrarily or capriciously (as stated in the case British Telecommunications plc v Telefónica O2 UK Ltd [2014] UKSC 42). This is often referred to as the "Braganza duty" after the leading case, Braganza v BP Shipping Ltd [2015] UKSC 17.

The duty of rationality is limited in scope. It is only likely to arise when one party, acting as decision-maker, makes a subjective decision on a matter that affects both parties giving rise to a potential conflict of interest between the parties. Any potential conflict of interest will be heightened where there is a significant imbalance of power between the parties. To simplify, the duty exists to stop the more powerful party to a contract from abusing that power.

The duty has been applied in a broad range of situations. Below are some examples:

  • Unilaterally setting or varying the charges or interest rate in a contract.
  • Valuing a portfolio of securities after the default of a counterparty.
  • Deciding whether to award an option to a service provider.
  • Deciding whether to award discretionary bonuses to employees.
  • Placing an employee on gardening leave.
  • Refusing to allow a tenant to keep a dog.
  • Deciding to carry out a valuation of premises.
  • Assessing and reclaiming overpayments.
  • Avoiding an insurance policy.

Implied obligations requiring good faith

It is well recognised that broad concepts of fair dealing may be reflected in the court's response to questions of construction and implication of terms: "A thread runs through our contract law that effect must be given to the reasonable expectations of honest men" (Lord Steyn, LQR 1997, 133 (Jul)). Almost all contracts would reasonably be understood as requiring honesty in their performance, reflecting the common assumption by the parties to this effect. For example, one of the principles of contract law is that no person may benefit from his or her own wrongdoing, which encourages honest performance. The court may also imply terms in fact that:

  • The parties will co-operate in the performance of a contract.
  • A party cannot insist on the performance of an obligation it has prevented the other from performing.

Although these obligations exist it would be incorrect to imply that they constitute the concept of good faith as defined in courts around the world. The concept of good faith should not be seen as a "general organising principle". To do so would risk undermining the express terms agreed between the parties in that, in English law, the terms of a contract are the most important thing to assess before any subjective principles such as good faith (as stated in the case MSC Mediterranean Shipping Company SA v Cottonex Anstalt [2016] EWCA Civ 789). However, where the contract is "relational", it may be possible to use the concept of good faith as an aid when interpreting a contract. This concept was first advocated by the High Court in Yam Seng. Some recent decisions support the concept of a relational contract and give a sense of how ‘relational’ is defined:

  • The Court of Appeal commented, obiter, that a 25-year PFI contract could be classified as a relational contract. Given the "massive length" of the contract, the parties should not latch onto "infelicities and oddities" to disrupt the project and maximise their own gain. (Amey Birmingham v Birmingham City Council [2018] EWCA Civ 264.) Similarly, the High Court decided that a different 25-year PFI contract was a “paradigm example of a relational contract in which the law implies a duty of good faith” (Essex County Council v UBB Waste (Essex) Ltd [2020] EWHC 1581 (TCC)).
  • In the High Court, Leggatt LJ decided that a long-term joint venture to develop hotels and an associated travel business was a relational contract subject to an implied duty of good faith (Al Nehayan v Kent).

Length can be seen as the main factor in recent statements when considering whether or not a contract is ‘relational’. As stated in the 2019 case Bates v Post Office, broadly speaking a relational contract exists when there is:

  • A long-term contract or a contract the parties intend to be long term, even if it lacks a fixed term and allows termination by notice.
  • The parties intend their roles to be performed with integrity and with fidelity to their bargain.
  • The parties will be committed to collaborating with one another.
  • The spirits and objectives of the venture cannot be expressed exhaustively in a written contract.
  • The parties each repose trust and confidence in one another.
  • The contract involves a high degree of communication, co-operation and predictable performance based on mutual trust and confidence, and expectations of loyalty.
  • One or both parties have made a significant investment.
  • The relationship is exclusive.

However, the law remains in flux and the circumstances in which a contract will be considered "relational" are limited.

Summary

Understanding the way the concept of good faith is constituted and used in the jurisdiction under which a contract is governed is the first step when considering whether to rely upon it. As has been mentioned, its subjective nature causes a wide variety of interpretations and not always the clearest picture of how it is used in practice. Taking the UK as our prime example (and specialism), the English courts have an austere, some would say draconian, approach to interpreting good faith into contracts because the written terms of a contract are seen as taking precedence and therefore able to overrule any such principles. Therefore the surest way to make sure the obligation exists in English law (or does not) is by considering the inclusion (or non-inclusion) of a good faith clause.

Relying on the duty of rationality or the concept of a ‘relational’ contract, i.e. not an express clause, is ill-advised. In a recent case, TAQA v RockRose [2020], the court decided that just because a contract could be defined as a ‘relational contract’, it would not automatically lead to the conclusion that the parties owe each other a good faith obligation. It would depend on the terms of the particular contract. This is further indication that the UK courts are unlikely to imply a duty of good faith and even within the context of Covid-19 it is doubtful that its scope will increase.

If you have any questions about good faith clauses or about contract law more generally please contact Neil Williamson.



Schrems II - EDPB publishes FAQs on judgment

Following Schrems II (in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) the European Data Protection Board (EDPB) has adopted a set of frequently asked questions and responses (FAQs) concerning the judgment. For more information about that decision read our blog.

The Schrems II judgment

The European Court of Justice (ECJ) has invalidated the EU Commission’s decision approving the EU-U.S. Privacy Shield because U.S. intelligence agencies can access personal data relating to EU residents in ways that are incompatible with EU personal data protection laws and EU residents lack proper enforcement rights.

In addition, the ECJ ruled that the controller-processor Standard Contractual Clauses (SCCs), another widely used mechanism for international data transfers, remain valid. However, data exporters and importers must assess, prior to any transfer, the laws of the third country to which data is transferred to determine if those laws ensure an adequate level of protection of personal data.

Moving forward

The judgment was welcomed by the EDPB because it highlights the fundamental right to privacy in the context of the transfer of personal data to third countries. In response to the ECJ's ruling that the adequacy decision for the EU-US Privacy Shield is invalid, the EDPB invited the EU and US to work together and establish a complete and effective framework that guarantees the level of protection granted to personal data in the US is essentially equivalent to that guaranteed within the EU.

Schrems II: EDPB FAQs

Although the ECJ also determined in Schrems II that controller to processor standard contractual clauses (SCCs) remain valid as an adequate safeguard for data transfers, the EDPB commented that:

  • No grace period - the ECJ ruling applies with immediate effect. There will be no grace period during which organisations can remedy their Privacy Shield-based data transfers. In contrast, when the US-EU Safe Harbor framework was invalidated in 2015, the Article 29 Working Party granted a grace period until an appropriate solution was found with the U.S. authorities. It did so via a statement dated 16 October 2015, stating no enforcement action would be taken until the end of January 2016. However, while there will be no EU-wide grace period, national supervisory authorities will still have discretion over when to take enforcement actions in their territory.
  • The exporter and importer of the data being transferred must look beyond the protection provided by the terms of the SCCs and assess whether the country where the data is being transferred offers adequate protection, in the context of the non-exhaustive elements set out in Article 45(2) of the GDPR. If it is determined that the country of destination does not provide an essentially equivalent level of protection to the GDPR, the exporter may have to consider adopting further protective measures in addition to using SCCs. The EDPB is considering what those additional measures could include and will report in due course.
  • The judgment highlights the importance of complying with the obligations included in the terms of the SCCs. If those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or terminate the SCCs, or to notify its competent supervisory authority if it intends to continue transferring data.
  • Supervisory authorities (SAs) have a responsibility to suspend or prohibit a transfer of data to a third country pursuant to SCCs if those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means.
  • Implication for other transfer mechanisms including BCRs. The threshold set by the ECJ applies to all appropriate transfer mechanisms under Article 46 GDPR. U.S. law referred to by the ECJ (i.e., the Foreign Intelligence Surveillance Act and the Executive Order 12333) applies to any transfer to the U.S. via electronic means, regardless of the transfer mechanism used for such transfer. In particular, the ECJ’s judgment applies in the context of binding corporate rules (BCRs), since U.S. law will also prevail over this cross-border data transfer mechanism. Similar to the SCCs, transfers taking place based on BCRs should be assessed and appropriate supplementary measures should be taken. The EDPB states that it will further assess the consequences of the judgment on transfer mechanisms other than SCCs and BCRs (e.g., approved codes of conduct or certification mechanisms).
  • Companies can rely on the derogations set forth under Article 49 of the GDPR, provided that the conditions as interpreted by the EDPB in its guidance on Article 49 of the GDPR are met. When transferring personal data based on individuals’ consent, such consent should be explicit, specific to the particular data transfer(s) and informed, particularly regarding the risks of the transfer(s). In addition, transfers of personal data that are necessary for the performance of a contract should only take place occasionally. Further, in relation to transfers necessary for important reasons of public interest, the EDPB emphasises the need for an important public interest, as opposed to only focusing on the nature of the transferring organization. According to the EDPB, transfers based on the public interest derogation cannot become the rule and must be limited to specific situations and to a strict necessity test.

Schrems II: Further clarification expected

The EDPB is still assessing the judgment and will provide further clarification for stakeholders and guidance on transfer of personal data to third countries pursuant to the Schrems II judgment. Data exporters and importers should closely monitor upcoming developments and guidance of the EDPB and national supervisory authorities, assess their existing cross-border transfers and consider implementing supplementary legal, technical or organisational measures in order to ensure they can continue to transfer personal data to third countries lawfully. Whilst the judgment most obviously applies to data transfers with the US it also has wider implications for transfers to any country outside the EU (third countries).

If you have any questions on Schrems II or data protection law more generally please get in touch with one of our data protection lawyers.


boilerplate clauses

Boilerplate clauses - what are they?

Boilerplate clauses are repeated in all kinds of contracts. They are not the commercial terms that vary from one transaction to another. They regulate the operation of the contract: its duration, interpretation, transferability and enforceability.

What are boilerplate clauses?

Boilerplate clauses are often standard, and most are not typically negotiated. But they are important. Many contract disputes depend on the drafting of boilerplate clauses such as termination, force majeure, and entire agreement.

Some heavily negotiated commercial terms routinely appear in so many contracts that they may also be classed with boilerplate. Examples are indemnities and limitation of liability clauses.

Example: how boilerplate clauses may affect a dispute

Here’s an example from the case FoodCo UK LLP v Henry Boot Developments Ltd [2010] EWHC 358 (Ch). An entire agreement clause saved a developer from a series of claims for misrepresentation, brought by businesses that had leased units in the development. The clause agreed that no lessee had relied on any representation beyond those recorded in the contract. The effect was that one businessman, when confronted with the clause in the contract he had signed, admitted that he had not in fact relied on the alleged misrepresentations. That defeated his claim. The clause successfully excluded claims for innocent and negligent misrepresentation. That reduced the other five claimants to asserting fraud, which they failed to prove.

Some common boilerplate clauses:

  • Counterparts – Confirms the validity of counterparts or duplicates of the contract (and may delay contract formation).
  • Entire Agreement – Identifies the express contract terms. Often contains terms limiting liability for misrepresentation.
  • Limiting liability for misrepresentation – Reduces the risk of liability for misrepresentation.
  • Severance – Agrees the contract will survive deletion of an unenforceable provision. May impose a duty to renegotiate.
  • Third party rights – Can limit non-parties’ rights to enforce contract terms and to veto variation and rescission.
  • Waiver – May help to prevent accidental loss of rights but cannot ensure their survival.

Counterparts

Parties to a contract may each execute a separate copy of the contract, each of which they will consider an original. A counterparts clause states this expressly. Even without a counterparts clause, a contract is valid if made in this way, under the common law. Land transactions are commonly executed in this way without a counterparts clause.

A counterparts clause may also be used where the parties execute multiple original contracts (duplicates), to confirm that each has the status of an original. Duplicates may be required for tax, regulatory, company administration or other reasons. In these cases, a counterparts clause may help stop a party (or an outside authority) objecting that a counterpart or duplicate contract is not binding or valid.

Entire agreement

The entire agreement clause affects statements made in negotiations but not repeated in the contract. In the absence of an entire agreement statement, these could create a collateral warranty or side agreement, under the common law. For example, if a sales representative offers extra benefits as an inducement to sign a contract, the supplier could be contractually bound to provide those benefits, even if they were not written into the contract. An entire agreement statement prevents this by identifying the express contract terms, limiting them to the terms identified in the clause.

Limiting liability for misrepresentation

This part of the clause addresses the risk of claims if one party (usually the supplier, rarely the customer) induced another to enter the contract by a false statement. If that happens, even unintentionally, the other may claim damages for the loss caused by entering the contract, or occasionally undo (rescind) the contract. Depending on the facts, the claims arising may include misrepresentation, negligence, fraud and (if the false statement was also captured as a warranty) breach of contract.

To reduce this risk, an entire agreement clause may include a non-reliance statement and express limits on liability and remedies for misrepresentation. This kind of wording has defeated large claims for misrepresentation, as in the example described above. This limitation often appears in the entire agreement clause for historical reasons, but it could equally well go in the limitation clause, a remedies clause or a clause on representations.

Severance

This clause takes effect if a contract term is illegal or invalid. Examples of illegal or invalid terms are:

  • Unfair exclusions of liability contrary to the Unfair Contract Terms Act 1977.
  • Non-compete and non-solicitation clauses that go beyond what is reasonable to protect a party's legitimate interests.
  • A duty to pay a banned person or organisation, contrary to anti-terrorism legislation.

Some severance clauses add nothing to what English law already provides. Under the common law doctrine of severance, the invalid provision is deleted and the rest of the contract survives if all these conditions are met:

  • Public policy allows it.
  • Nothing is added or rewritten. So, if an excessive restraint on competition or limit on liability is deleted, a reasonable and valid provision is not substituted.
  • The basic nature of the contract is unchanged. (But contracts routinely survive the deletion of an unfair limit on liability.)

Third party rights

The Contracts (Rights of Third Parties) Act 1999 introduced a new pitfall in contract drafting: the risk of accidentally giving a non-party (i.e. third party) the right to:

  • Enforce a contract term. Any express or implied benefit to a non-party may be directly enforceable by that non-party against the parties.
  • Prevent variation and rescission. Once a contract creates a directly enforceable third party right, the parties may need the non-party's consent before they can change that right by agreeing to vary or rescind the contract.

A clause dealing with third party rights can prevent direct enforcement by a non-party, restrict it to third party rights created expressly, or remove the need for a non-party's consent to variation or rescission. Some clauses on third party rights go further, excluding non-party rights arising in other ways and preserving other rights of the parties. The need for these provisions and their effect on the contract are often unclear.

Waiver

A party can lose a right by waiting too long to exercise it or by taking action inconsistent with the right, under the common law of waiver. Expressly reserving the right during the delay or while taking the inconsistent action can prevent waiver, at least for a while.

A "no waiver" clause tries to preserve all rights from being waived, especially by delay. However, the clause may not prevail over the later words and actions of the party seeking to rely on it.

Worth checking

Boilerplate clauses can have sweeping effects in the event of a breakdown of contractual relations. Making sure the correct ones are included is therefore essential. But the idea that they can be applied equally in every contract is false. Making your lawyer aware of the idiosyncrasies of your contractual dealings when considering boilerplate clauses is therefore advisable.

If you have any questions about boilerplate clauses or about contract law more generally please contact Neil Williamson.


AI

AI - Consultation on International Standards  

On 25 June 2020, the International Organization of Securities Commissions (IOSCO) published a consultation document (CR02/2020) on the use of artificial intelligence (AI) and machine learning (ML) by market intermediaries and asset managers, which it has identified as a key priority.

IOSCO consultation paper on AI

IOSCO, the global standard setter for the securities sector, is consulting on guidance on the use of artificial intelligence and machine learning by market intermediaries and asset managers. Once finalised, the guidance would be non-binding but IOSCO would encourage its members to take it into account when overseeing the use of AI by regulated firms.

IOSCO’s membership comprises securities regulators from around the world. It aims to promote consistent standards of regulation for securities markets.

Why market intermediaries and asset managers?

IOSCO believes that the increasing use of AIML by market intermediaries and asset managers may be altering their business models. For example, firms may use AIML to support their advisory services, risk management, client identification and monitoring, selection of trading algorithms and portfolio management, which may also alter their risk profiles.

One fear is that this use of AIML may create or exacerbate certain risks, which could potentially have an impact on the efficiency of financial markets and could result in consumer harm.

AI industry discussions

As well as setting out its guidance, the report also indicates some of its findings from industry discussions:

Firms implementing AI and ML mostly rely on existing governance and oversight arrangements to sign off and oversee the development and use of the technology. In most instances, the existing review and senior leadership-level approval processes were followed to determine how risks were managed, and how compliance with existing regulatory requirements was met. AI and ML algorithms were generally not regarded as fundamentally different from more traditional algorithms and few firms identified a need to introduce new or modify existing procedural controls to manage specific AI and ML risks.

Some firms indicated that the decision to involve senior leadership in governance and oversight remains a departmental or business line consideration, often in association with the risk and IT or data science groups. There were also varying views on whether technical expertise is necessary from senior management in control functions such as risk management. Despite this, most firms expressed the view that the ultimate responsibility and accountability for the use of AI and ML would lie with the senior leadership of the firm.

Some firms noted that the level of involvement of risk and compliance tends to focus primarily on development and testing of AI and ML rather than through the lifecycle of the model (i.e., implementation and ongoing monitoring). Generally, once implemented, some firms rely on the business line to effectively oversee and monitor the use of the AI and ML. Respondents also noted that risk, compliance and audit functions should be involved throughout all stages of the development of AI and ML.

Many firms did not employ specific compliance personnel with the appropriate programming background to appropriately challenge and oversee the development of ML algorithms. With much of the technology still at an experimental stage, the techniques and toolkits at the disposal of compliance and oversight (risk and internal audit) currently seem limited. In some cases, this is compounded by poor record keeping, resulting in limited compliance visibility as to which specific business functions are reliant on AI and ML at any given point in time.

AI Areas of concern

IOSCO has identified the following areas of potential risk and harm relating to the development, testing and deployment of AIML: governance and oversight; algorithm development, testing and ongoing monitoring; data quality and bias; transparency; outsourcing; and ethical concerns.

Its proposed guidance consists of measures to assist IOSCO members in providing appropriate regulatory frameworks to supervise market intermediaries and asset managers that utilise AIML. These measures cover:

  • Appropriate governance, controls and oversight frameworks over the development, use and performance monitoring of AIML.
  • Ensuring staff have adequate knowledge, skills and experience to implement, oversee and challenge the outcomes of AIML.
  • Robust, consistent and clearly defined development and testing processes to enable firms to identify potential issues before they fully deploy AIML.
  • Appropriate transparency and disclosures to investors, regulators and other relevant stakeholders.

How the FCA regulates AI in the UK

For an idea of how AI is currently regulated in finance in the UK, read below:

The Financial Conduct Authority (FCA) deems it good practice to review how trading algorithms are used; develop appropriate definitions; ensure all activities are captured; identify any changes to algorithms; and have a consistent methodology across the testing and deployment of AI and ML. The Markets in Financial Instruments Directive (MiFID II) requires firms to develop processes to identify algorithmic trading across the business. These can be either investment decisions or execution algorithms, which can be combined into a single strategy. Firms are also required to have a clear methodology and audit trail across the business. Approval and sign-off processes should ensure a separation of validation and development, a culture of collaboration and challenge, and consistency of a firm’s risk appetite. Whilst the algorithms are field-deployed, it is a requirement to maintain pre-trade and post-trade risk controls and real-time monitoring of algorithms in deployment, with the ability to kill an algorithm or a suite of algorithms centrally, a functionality commonly known as the kill-switch.

It is a best practice, but not a requirement, to have an independent committee to verify the completion of checks. However, under the SM&CR, a firm’s governing body would be expected explicitly to approve the governance framework for algorithmic trading, and its management body should identify the relevant Senior Management Function(s) with responsibility for algorithmic trading.

How to submit comments

Comments may be submitted by one of the three following methods on or before 26 October 2020. To help them process and review your comments more efficiently, please use only one method.

Important: All comments will be made available publicly, unless anonymity is specifically requested. Comments will be converted to PDF format and posted on the IOSCO website. Personal identifying information will not be edited from submissions.

  1. Email
  • Send comments to consultation-02-2020@iosco.org.
  • The subject line of your message must indicate ‘The use of artificial intelligence and machine learning by market intermediaries and asset managers’.
  • If you attach a document, indicate the software used (e.g., WordPerfect, Microsoft WORD, ASCII text, etc) to create the attachment.
  • Do not submit attachments as HTML, PDF, GIFG, TIFF, PIF, ZIP or EXE files.
  2. Facsimile Transmission

Send by facsimile transmission using the following fax number: + 34 (91) 555 93 68.

  3. Paper

Send 3 copies of your paper comment letter to:

Alp Eroglu
International Organization of Securities Commissions (IOSCO)
Calle Oquendo 12
28006 Madrid
Spain

Your comment letter should indicate prominently that it is a ‘Public Comment on The use of artificial intelligence and machine learning by market intermediaries and asset managers’.

For more information read our blog ‘AI in Financial Services.’

What happens next?

The consultation on the draft guidance closes on 26 October 2020. In the UK, the FCA is currently working with the Alan Turing Institute to look at the implications of the financial services industry deploying AI. Meanwhile, the European Commission has released its own guidelines for trustworthy AI and is expected to propose legislation in this area later in 2020.

EM law specialises in technology law. Get in touch if you have any questions on the above.


resale price maintenance

Resale Price Maintenance – Korg Fined

On 9 July 2020, the Competition and Markets Authority (CMA) published the full text of its infringement decision finding that Korg (UK) Limited had breached the Chapter I prohibition of the Competition Act 1998 and Article 101 of the Treaty on the Functioning of the European Union by engaging in resale price maintenance in relation to the online retail prices of Korg's synthesizers and hi-tech equipment.

Background

In April 2018, the CMA launched an investigation related to alleged anti-competitive agreements and/or concerted practices in relation to the distribution of musical instruments and equipment by Korg (UK) Limited (Korg UK). On 24 March 2020, the CMA issued a statement of objections alleging that Korg UK had breached Article 101 of the TFEU and the Chapter I prohibition by restricting retailer freedom to discount the online retail prices of synthesizers and hi-tech equipment supplied by Korg UK, in other words, that Korg were guilty of resale price maintenance.

Korg UK subsequently reached a settlement agreement with the CMA and, on 29 June 2020, the CMA announced that it had issued an infringement decision, fining Korg UK £1.5 million for engaging in resale price maintenance designed to restrict retailer freedom to set prices online by requiring their musical instruments to be sold at or above a minimum price. The CMA has now published the full text of the infringement decision.

The facts

Korg UK is active in the distribution of musical instruments and music-making equipment (MI) including electronic MI in the UK and Republic of Ireland. The CMA's investigation was limited to the supply of Korg synthesizers and hi-tech equipment (including DJ equipment, electronic percussion, stage pianos, and controllers) (Relevant Products).

The CMA concluded that during the relevant period (9 June 2015 to 17 April 2018), Korg UK operated and enforced a wide-ranging pricing policy, the purpose of which was to ensure that MI Resellers would not advertise or sell the Relevant Products online below a certain minimum price specified by Korg UK from time to time, for example in Korg UK’s price lists. The CMA found that the nature of the Korg Pricing Policy was such that Korg UK rarely needed to contact MI Resellers about it (in writing or otherwise) when MI Resellers were complying with it, because the Minimum Price was, in general, clearly displayed on Korg UK’s price lists relating to the relevant products.

This generally limited the need for verbal and written communications concerning the Korg Pricing Policy, and therefore limited the amount of written records related to the Korg Pricing Policy. Despite this, the CMA obtained evidence which, in the CMA’s view, demonstrated the existence of the Korg Pricing Policy. Relevant contemporaneous documentary evidence was corroborated by certain witness evidence describing verbal and/or written communications that took place between Korg UK and its MI Resellers during the relevant period.

Resale price maintenance – Korg evidence

The commercial aims, content and communication and scope and duration

Korg UK’s commercial aims for introducing the Korg Pricing Policy were as follows:

  • It was designed to enable Korg UK’s MI Resellers to achieve attractive margins through the maintenance of high and stable pricing, so increasing the attractiveness of the Korg brand and encouraging MI Resellers to stock and sell the Relevant Products (and the Korg brand more generally).
  • In doing so, it aimed to help Korg UK secure, maintain and/or improve its UK market position in the relevant products relative to its competitors, in particular, by maintaining the brand value of the relevant products.

Resale price maintenance – Korg’s monitoring and enforcement

The evidence showed that Korg UK sought to monitor and enforce the Korg Pricing Policy by contacting MI Resellers in advance of Korg UK issuing a new price list or immediately after issue to ensure early compliance with the Korg Pricing Policy.

Korg UK’s awareness of competition law and potential illegality, and culture of concealment

The evidence shows that Korg UK staff were very familiar with competition law and appeared to know what conduct would constitute a breach of it. Korg had introduced a compliance code in 2015 and senior employees took an active role in giving competition compliance training as part of the induction for new Korg UK staff. The CMA further concluded that “Korg UK staff operated under a culture of concealment and tried to avoid generating an evidence trail of potentially incriminating written records.”

CMA’s legal assessment of resale price maintenance

The decision sets out the CMA’s legal assessment of Korg UK’s agreement and/or concerted practice with Reseller 1, one of its MI Resellers, that Reseller 1 would not advertise or sell online synthesizers or hi-tech equipment supplied to it by Korg UK below a certain Minimum Price specified by Korg UK from time to time, in accordance with the Korg Pricing Policy.

The CMA had reasonable grounds for suspecting that more than 20 MI Resellers of the Relevant Products were subject to the Korg Pricing Policy, and that MI Resellers generally complied with Korg UK’s requests to adhere to the Minimum Price.

The CMA, therefore, concluded that throughout the relevant period:

  • Reseller 1 generally complied with the Korg Pricing Policy, due to a credible fear of sanctions for non-compliance.
  • Korg UK monitored Reseller 1’s pricing and requested Reseller 1 on numerous occasions to follow the Korg Pricing Policy with regard to Reseller 1’s advertising and selling online of the Relevant Products (this tended to happen when Korg UK issued a new price list or when Reseller 1 had been caught matching another MI Reseller’s lower prices, at least temporarily).
  • On numerous occasions Reseller 1 increased its pricing (albeit not always immediately) to at least the Minimum Price, on Korg UK’s request.
  • On numerous occasions Reseller 1 reported to Korg UK other MI Resellers advertising or selling the Relevant Products online at prices below the Minimum Price.

Decision to impose penalties

The CMA concludes that there is strong evidence that Korg UK must have been aware, or could not have been unaware, that its conduct had the object or would have the effect of restricting competition. In particular, there was evidence that staff were aware that resale price maintenance was illegal and that there was a culture of concealment to hide evidence. The CMA therefore found that Korg UK committed resale price maintenance intentionally.

Case study

The CMA has published a case study explaining the facts of this case. It notes that there are a number of lessons that businesses can learn from this case, including an understanding that:

  • It is illegal for a supplier to interfere with a reseller’s ability to independently set their own price.
  • The CMA has sophisticated means of gathering evidence and uncovering evidence even where the companies have tried to hide their actions by deleting communications.
  • If you are ever asked not to put something down in writing, you should be suspicious as it could relate to something illegal. If so, you should seek legal advice and seriously consider whether to report the matter to the CMA.
  • Directors and senior staff have a special responsibility to be well informed on competition law and make sure their companies are behaving legally and ethically.
  • Attending compliance training alone is not sufficient to be compliant – you must actively comply with the law.
  • As a reseller you can also be investigated for breaking the law if you are found to have co-operated with a minimum pricing policy. If a supplier tries to make you comply with a minimum pricing policy, you should refuse and point them to our guidance. The CMA would also urge you to report them. Resellers may also face enforcement action such as fines if they have gone along with the supplier’s resale price policy.

EM Law help a wide range of clients with compliance and structuring around their operations. Please contact us if you have any questions on the issues raised in this article.


GDPR Report

GDPR Report: EU Commission’s First Evaluation of the GDPR

On 24th June, just over two years after its entry into application, the European Commission published an evaluation report on the General Data Protection Regulation (the Regulation / GDPR). The GDPR report shows the Regulation has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.

Scope of the GDPR report

The GDPR proved to be flexible to support digital solutions in unforeseen circumstances such as the Covid-19 crisis. The GDPR report also concludes that harmonisation across the Member States is increasing, although there is a certain level of fragmentation that must be continually monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage. The GDPR report contains a list of actions to facilitate further the application of the Regulation for all stakeholders, especially for Small and Medium Sized companies, to promote and further develop a truly European data protection culture and vigorous enforcement.

Background to the GDPR report

The General Data Protection Regulation is a single set of rules of EU law on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It strengthens data protection safeguards, provides additional and stronger rights to individuals, increases transparency, and makes all those that handle personal data more accountable and responsible. It has equipped national data protection authorities with stronger and harmonised enforcement powers and has established a new governance system among the data protection authorities. It also creates a level playing field for all companies operating in the EU market, regardless of where they are established, ensures the free flow of data within the EU, facilitates safe international data transfers and has become a reference point at global level.

As stipulated in Article 97(2) of the GDPR, the report covers in particular international transfers and the ‘cooperation and consistency mechanism’, although the Commission has taken a broader approach in its review, in order to address issues raised by various actors during the last two years. These include contributions from the Council, the European Parliament, the EDPB, national data protection authorities and stakeholders. Key findings of the GDPR review are:

Empowering individuals to control their data

The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Today, 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people have heard about their national data protection authority, according to results published last week in a survey from the EU Fundamental Rights Agency. However, more can be done to help citizens exercise their rights, notably the right to data portability.

The application of the GDPR to new technologies

The GDPR report found that the Regulation has empowered individuals to play a more active role in relation to what is happening with their data in the digital transition. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.

Enforcement of the GDPR

From warnings and reprimands to administrative fines, the GDPR provides national data protection authorities with the right tools to enforce the rules. However, they need to be adequately supported with the necessary human, technical and financial resources. Many Member States are doing this, with notable increases in budgetary and staff allocations. The GDPR report found that overall, there has been a 42% increase in staff and 49% in budget for all national data protection authorities taken together in the EU between 2016 and 2019. However, there are still stark differences between Member States.

Harmonised rules but still a degree of fragmentation and diverging approaches

The GDPR established an innovative governance system which is designed to ensure a consistent and effective application of the GDPR through the so-called ‘one stop shop’, which provides that a company processing data cross-border has only one data protection authority as interlocutor, namely the authority of the Member State where its main establishment is located. Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the ‘one-stop-shop’, 79 of which resulted in final decisions. However, the GDPR report concludes that more can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate.

Advice and guidelines by data protection authorities

The EDPB is issuing guidelines covering key aspects of the Regulation and emerging topics. Several data protection authorities have created new tools, including helplines for individuals and businesses, and toolkits for small and micro-enterprises. It is essential to ensure that guidance provided at national level is fully consistent with guidelines adopted by the EDPB.

Developing a modern international data transfer toolbox

The GDPR report found that over the past two years, the Commission's international engagement on free and safe data transfers has yielded important results. This includes Japan, with which the EU now shares the world's largest area of free and safe data flows. The Commission will continue its work on adequacy, with its partners around the world. In addition and in cooperation with the EDPB, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool. The EDPB is working on specific guidance on the use of certification and codes of conduct for transferring data outside of the EU, which need to be finalised as soon as possible. Given the European Court of Justice may provide clarifications in a judgment to be delivered on 16 July that could be relevant for certain elements of the adequacy standard, the Commission will report separately on the existing adequacy decisions after the Court of Justice has handed down its judgment.

Promoting convergence and international cooperation in the area of data protection

Over the last two years, the Commission has stepped up bilateral, regional and multilateral dialogue, fostering a global culture of respect for privacy and convergence between different privacy systems to the benefit of citizens and businesses alike. The Commission is committed to continuing this work as part of its broader external action, for example, in the context of the Africa-EU Partnership and in its support for international initiatives, such as ‘Data Free Flow with Trust’. At a time when violations of privacy rules may affect large numbers of individuals simultaneously in several parts of the world, it is time to step up international cooperation between data protection enforcers. This is why the Commission will seek authorisation from the Council to open negotiations for the conclusion of mutual assistance and enforcement cooperation agreements with relevant third countries.

Challenges for small and medium sized enterprises (SMEs)

The GDPR report noted that the Regulation, together with the Free Flow of Non-Personal Data Regulation, offers opportunities to companies by fostering competition and innovation, ensuring the free flow of data within the EU and creating a level playing field with companies established outside the EU. The right to portability, coupled with an increasing number of individuals in search of more privacy-friendly solutions, has the potential to lower the barriers to entry for businesses and open the possibilities for growth based on trust and innovation. However, some stakeholders report that the application of the GDPR is challenging, especially for small and medium sized enterprises.

SMEs stress in particular the importance and usefulness of codes of conduct which are tailored to their situation and which do not entail disproportionate costs. As regards certification schemes, security (including cybersecurity) and data protection by design are key elements to be considered under the GDPR and would benefit from a common and ambitious approach throughout the EU. The Commission is currently working on standard contractual clauses between controllers and processors, building on the on-going work on the modernisation of the standard contractual clauses for international transfers.

At EM Law we specialise in helping small and medium sized companies comply with the GDPR. If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Digital Marketing

Digital Marketing - Legal Issues

Digital Marketing is a growth industry with legislation struggling to keep up. Unsurprisingly though, there are legal issues that digital marketing businesses need to be aware of to remain compliant. The House of Lords' 2018 report "UK advertising in a digital age" noted that digital marketing accounted for over half of all spending on advertising in the UK for the first time in 2017. This figure is likely to only increase, especially in the aftermath of COVID-19. This article provides some background into the types of digital marketing and some of the legal issues to consider in this context.

Digital marketing formats

The Digital Adspend study produced by industry body the Internet Advertising Bureau (IAB) and accountants PricewaterhouseCoopers, breaks down 2017 digital marketing spend by format, as follows:

Paid-for search: £5.82bn, of which smartphone spend was £2.62bn. This is essentially sponsored search results, where advertisers pay to have their details presented at the top of a search results page or prominently featured elsewhere on the page.

Display: £4.18bn, within which falls:

  • Online video: £1.61bn, of which smartphone spend was £1.17bn. An example is the pre-roll advert which appears before you watch a YouTube clip, or videos which start playing as the page loads or when your mouse scrolls over them.
  • Banners and standard display formats: £1.31bn, of which smartphone spend was £418m. These are the obvious adverts and include those which appear across the top of the screen (banner adverts) or in a sidebar, overlay adverts (which pop up on-screen and have to be clicked to close) and interstitial adverts (full-screen adverts that pop up between expected content, for example before a target page appears on the screen).

Native: £1.03bn, of which smartphone spend was £895m. An advertorial is native advertising, as are adverts which appear to be recommendations by the publisher ("you might also like"), influencer marketing on social media and adverts which appear to be search results.

Classified and other: £1.47bn. Classified advertising is advertising in an online directory or marketplace (for example, Rightmove, Auto Trader and Gumtree).

Commentators note that the biggest increase recently has been in spend on advertising targeting mobile phone users, in particular using a video format.

Key industry players

The CMA's Final Report on its Digital Marketing Market Study estimates that search advertising revenues totalled around £7.3 billion in 2019, of which more than 90% was earned by Google. Total spend on display advertising was worth £5.5 billion, of which it is estimated more than half went to Facebook.

Google receives revenue from its search engine and other brands such as YouTube, Google Maps and Google Play (an app and digital media store). Google sells advertising space on its own and other sites through Google Ads, and provides services to buy and optimise campaigns on Google via its Google Marketing Platform.

Digital Marketing Legal Issues

Adverts must be obviously identifiable as such.

All advertising must be obviously identifiable as advertising. This is a requirement under:

The Consumer Protection from Unfair Trading Regulations 2008 (SI 2008/1277) (CPUT) which implement the Unfair Commercial Practices Directive (2005/29/EC) (UCPD):

  • A failure to identify commercial intent, unless this is already apparent from the context, is a misleading omission.
  • Using editorial content in the media to promote a product where a trader has paid for the promotion without making that clear in the content or by images or sounds clearly identifiable by the consumer (advertorial) is a prohibited commercial practice.
  • Falsely claiming or creating the impression that the trader is not acting for purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer is a prohibited commercial practice.

The Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) (E-Commerce Regulations) which implement the E-Commerce Directive (2000/31/EC):

  • Service providers must ensure that any commercial communication provided by them which constitutes or forms part of an information society service (which would include all advertising) is clearly identifiable as a commercial communication.

The UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code):

  • Marketing communications must be obviously identifiable as such.
  • Marketing communications must not falsely claim or imply that the marketer is acting as a consumer, or for purposes outside its trade, business, craft or profession; marketing communications must make clear their commercial intent, if that is not obvious from the context.
  • Marketers and publishers must make clear that advertorials are marketing communications; for example, by heading them "advertisement feature".

Information obligations on digital advertisers

Online advertisers need to:

  • Provide certain information about themselves on their websites.
  • Include certain information about themselves and their products in their online adverts.

These obligations, which apply to "information society service" providers, derive from the E-Commerce Regulations which implement the E-Commerce Directive (2000/31/EC) (E-Commerce Directive).

Information advertisers must include on websites

The information the advertiser must include on websites consists of:

  • Its name.
  • The geographic address at which it is established.
  • Details, including an email address, which make it possible to contact the advertiser rapidly and communicate with it in a direct and effective manner.
  • Where the advertiser is registered in a trade (or similar) register available to the public, details of the register in which the service provider is entered and its registration number, or equivalent means of identification in that register.
  • Where the provision of the service is subject to an authorisation scheme, the particulars of the relevant supervisory authority. Advertising itself is not subject to an authorisation scheme in the UK, but the advertiser's business may be.
  • The advertiser's VAT number.
  • Where the advertiser exercises a regulated profession:
      • the details of any professional body or similar institution with which the advertiser is registered;
      • the advertiser's professional title and the EEA state where that title has been granted; and
      • a reference to the professional rules applicable to the service provider in the member state of establishment, and the means to access them.

Information requirements for online adverts

An information society service provider (which includes any online advertiser) must ensure that any commercial communication provided by it as part of an information society service (which would include all digital marketing) shall:

  • Be clearly identifiable as a commercial communication.
  • Clearly identify the person on whose behalf the commercial communication is made.
  • Clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible and presented clearly and unambiguously.
  • Clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously.

Digital Marketing: Controls on the use of personal data and online behavioural advertising (OBA)

The digital environment offers advertisers the opportunity to track users' online behaviour to build a profile of their interests and target advertising at them. This practice is known as "online behavioural advertising" (OBA) or sometimes as interest-based advertising (IBA).

Information is generally collected using online identifiers (such as cookies, internet protocol (IP) addresses, radio frequency identification (RFID) tags, advertising IDs, pixel tags, account handles and device fingerprints) which can be used variously to note information such as searches conducted, content viewed, purchases made and the user's location. Data about browsing habits can be combined with information about the user obtained via registrations and purchases.

OBA may be conducted by a website owner solely based on activity on its own site (first-party OBA) or by a third party tracking activity across multiple websites and user devices and serving adverts for products not necessarily sold on the website being viewed (third-party OBA).

Examples of OBA include:

  • Advertising (such as pop-ups and banners) for products a user is likely to be interested in based on their interests, as revealed by their browsing habits or searches.
  • Retargeting of adverts for products a user has viewed, encouraging them to go back and make or complete a purchase.
  • Advertising to a mobile phone promoting a cafe which a user is passing near to.

Advertisers need to be aware that if they have collected personal data at any stage in the process enabling them to target advertising at individuals, they will be classified as a data controller unless they are acting on behalf of another data controller in which case they may be a data processor. A data controller must notify the individuals whose personal data they are using about who they are, what personal data they are collecting and what they are using that data for. They must also only process that data under one of the specified lawful bases. So if, for example, an advertiser is processing personal data relating to an individual’s political or religious beliefs, the advertiser will need to obtain consent to such processing from the individual.

Cookies

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) require the user's consent to the use of non-essential cookies and similar technologies on their devices, including computers or mobiles, but also other equipment such as wearable technology, smart TVs, and connected devices including the ‘Internet of Things’.

If the advertiser’s cookies are collecting personal data then the advertiser will also need to comply with data protection laws as a data controller.

A short introduction

Digital marketing can give rise to many legal issues and what has been mentioned here is only a short overview. The content of adverts and websites and the use of personal data need to be considered from the outset.

EM Law are experts in media, technology and data protection law. Please contact us if you need any help with digital marketing legal issues.


Limiting Liability

Limiting Liability Under a Contract

Limiting liability under a contract is a common thing for suppliers or sellers to want to do but limitation of liability clauses are often drafted without much thought. A strong commercial awareness of the position of each party is essential when deciding how best to deal with liability issues.

Limiting liability – why bother?

Every commercial transaction carries a risk of liability. Performance can bring the parties into contact with each other, their staff, sub-contractors, suppliers, customers, associates, visitors and the public, in ways that could give rise to all sorts of legal liability: for breach of contract, negligence, misrepresentation, infringement of rights to physical or intellectual property, breach of statutory duty, regulatory offences, defamation and more. Liability may be incurred without fault, and through the acts of others.

In the absence of a limitation clause, there is no financial limit on the damages a counterparty can recover. There are practical limits, and legal limits under the general law of damages. Beyond these, no limits are normally implied. A party wishing to reduce its exposure therefore needs to be limiting its liability through express limitation of liability wording.

Should a customer ever propose a limitation clause?

Suppliers are normally the ones that are keen to be limiting liability; customers less so. Reasons why the customer may propose a draft limitation clause are:

  • The supplier is likely to insist on a limitation clause. By including one in its first draft the customer can set the parameters for negotiation, rather than allowing the supplier to insert its standard clause.
  • The customer can propose losses that are recoverable. For reasons why the supplier should consider accepting identified, capped losses.
  • A customer may want to limit its own liability for breach, if it has contractual duties other than payment. For example, a contract may require the customer to co-operate with the supplier to enable the supplier to perform.

Identify the risks

Limiting liability effectively requires a lawyer to review the risks in the transaction with his or her commercial colleagues or client. Even if the commercial client has already negotiated limits on liability, the lawyer should understand the thinking behind it. The lawyer can then give better advice and draft the clause against the same background of commercial purpose the courts will use to interpret it.

Common risks to consider

  • Insolvency of a party. How financially robust is the counterparty?
  • Change of control. A party's reorganisation or change of control could affect performance, at worst leaving the other party with a claim against a defunct or penniless entity.
  • Breach of this contract. How likely is a default by your client or the counterparty?
  • Third party rights. Does the contract create enforceable third party rights, exposing one party to claims by the other party's affiliates?
  • Breach of other contracts. Are there contracts with others, that might be affected by breach of the contract under negotiation?
  • Misrepresentation. Each party needs to consider how reliable is the information exchanged in the negotiation.
  • Non-contractual liability to the other party. What other liability might one party incur to the other?
  • Other liabilities. Will this transaction expose a party to non-contractual claims by end users, visitors or the public?
  • Contribution claims. In a multi-party transaction, each party should consider its position in relation to the others.
  • Vicarious liability. What acts of other people (staff, agents, sub-contractors) might a party be liable for?
  • Economic risk. What changes in prices, exchange rates, wages or other factors might affect the profitability of the contract?
  • Regulatory risk. Is there a risk that a default might put either party in breach of regulations, leading to regulatory action and penalties?
  • Tax. Is there a risk that the arrangement may be viewed in a way that creates unwelcome tax consequences for a party?

Consider other ways to minimise the risks

Here are some practical commercial actions that may help reduce some identified risks:

  • Backup. Identify alternative sources and consider backup arrangements to deal with them if the preferred contractor fails.
  • Research. Take up references, do credit checks and other research.
  • Third-party guarantees. Require a third party (such as a parent company) to guarantee payment or performance. Consider requesting a letter of credit to ensure payment.
  • Quality control. Review customer feedback and update the product, procedures or customer service to improve customer satisfaction and reduce complaints and disputes.
  • Notices and disclaimers. Use notices and disclaimers on products and in marketing material to reduce the risk of liability to non-parties (for example, for negligence or for breach of onward sale conditions).
  • Product documentation. Review product descriptions and instructions for use.
  • Marketing and advertising. Review any marketing and advertising material to ensure that it does not make any unsupported claims about the products.
  • Compliance. If you have identified a risk that performance of the contract may run into regulatory or tax problems, consider dealing directly with the regulatory and tax authorities to reduce those risks.
  • A separate entity. Use a separate legal entity, with limited liability, to enter the contract.

Limiting liability without a limitation clause

There are other possible drafting techniques to consider, in addition to inserting the usual limitation clause. Some of them are listed here. Because these terms can, in practice, reduce the risk of liability to a counterparty, they are often subject to the same common law and statutory controls as limitation clauses.

  • Limit liability for misrepresentation. Limits on liability and remedies for misrepresentation often appear in a clause headed "entire agreement", rather than "limits on liability".
  • Redefine your obligations. Limit the content of duties. Keep them specific and identifiable. Make them conditional on performance by the counterparty.
  • Limit rights and duties in time. Limit a buyer's time to inspect or accept goods or services. Set an expiry date on continuing duties which may survive termination, such as duties of confidentiality and indemnities.
  • Restrict implied terms. Some duties implied into contracts by statute may be limited by express wording.
  • Use risk allocation clauses. These clauses allocate risk between the parties, regardless of fault. For example, a clause may allocate a risk to the party who is best able to insure against it.
  • Use a net contribution clause. This is the usual solution to the risk of contribution claims by other participants in a multi-party project.
  • Change the payment terms. Introduce a deposit, a retention, instalments, interest, set-off and retention of title provisions, to reduce the risk of non-payment.
  • Add a force majeure clause. This could suspend or, eventually, allow you to end your obligations if performance is prevented by a cause beyond your control.
  • Add termination rights. Add a right to terminate for cause (including change of control and threats to solvency) or for convenience.
  • Take indemnities. Ask the counterparty to indemnify you against potential regulatory liabilities, tax, or third party claims.
  • Impose preconditions to claims. Spell out circumstances in which you will not accept liability, such as attempts at do-it-yourself repairs, use of the product contrary to a clear recommendation, and defects caused by compliance with the buyer's own specification.
  • Set time limits on claims. Agree time limits for notifying claims, or to begin litigation.
  • Agree defined remedies. Defined remedies could include repair, replacement, credit against a future purchase or liquidated damages. A defined remedy may be cheaper than damages and can reduce the scope for debate if a claim arises.
  • Agree the contract provides an adequate remedy for breach. This is an indirect and uncertain way to limit recourse to uncapped remedies such as an order to perform the contract.
  • Fix contractual interest. Statutory interest at 8% or more is often payable on the price of goods and services under the Late Payment of Commercial Debts (Interest) Act 1998. A contract term can replace this with contractual interest at a lower (but still substantial) rate.
  • Provide for conclusive evidence. The parties may agree that one of them, or an independent expert, can certify matters which neither can then dispute. For example, an inspector's certificate of quality may be conclusive evidence of the quality of goods delivered. Or a lender may certify (conclusively) the amount of interest due. This can eliminate some points of dispute.
  • Call for insurance. The counterparty can be contractually required to obtain appropriate insurance.
  • Exclude third party rights. A contract cannot bind a non-party. It is therefore pointless in most cases to try limiting third party rights or claims. The exception is third party rights created by the contract.

Limiting liability with a limitation clause cap

When considering a limitation clause it is sensible to introduce a financial cap on liability, or different caps for different types of loss. The supplier will want to ensure that the cap reflects the value it will get from the transaction.

A common starting-point for negotiations is the contract price, if there is one, or an estimate of the total contract value, or a percentage of the contract value (we have seen from 25% to 150%), or the limit of the supplier's insurance.

The cap should not be so low as to risk unenforceability, at least if the UCTA reasonableness test applies. UCTA reasonableness depends on the effect of the clause as a whole, considering all the circumstances of the transaction. In some cases, a refund of sums paid was found acceptable, but this may not always be so. A cap that allows the customer to recover sums paid plus a sum to reflect its other losses is more likely to be enforceable.

The cap will be influenced by market practice: customers do review the limits on liability when comparing suppliers. The figure chosen may sometimes appear arbitrary. One way to justify an apparently arbitrary figure may be to offer alternative prices, with and without the cap. The business client's policies and commercial aims will be as important as the lawyers' advice in fixing the cap. Suppliers often agree to a limit which is not their ideal, to win the business and get onto the customer's supplier list.

Negotiation

Having a strong understanding of the commercial aspects of a contract and how best to translate this into the legal position (by gaining advice) should help when negotiating limiting liability. It is also important to consider ways of limiting liability without simply adding a limitation clause.

If you have any questions about limiting liability or about contract law more generally please contact Neil Williamson.