EU-US Privacy Shield

EU-US Privacy Shield invalid: Schrems II

In Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559, the European Court of Justice (ECJ) has given its preliminary ruling that Commission Decision 2010/87 on controller to processor standard contractual clauses (SCCs) is valid but that Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Background

The General Data Protection Regulation ((EU) 2016/679) (GDPR) prohibits the transfer of personal data outside of the EU to a third country unless certain conditions are met. In principle, it may take place in any of the following circumstances:

  • On the basis of a European Commission adequacy decision (Article 45, GDPR).
  • Where there are appropriate safeguards in place, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs), and on the condition that data subjects have enforceable rights and effective legal remedies (Articles 46 and 47, GDPR).
  • A derogation for a specific situation applies, such as where the data subject has given explicit consent to the transfer (Article 49, GDPR).

EU-US Privacy Shield

The EU-US Privacy Shield is a framework constructed by the US Department of Commerce and the European Commission to enable transatlantic exchanges of personal data for commercial purposes.

The EU-US Privacy Shield enabled companies in the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US. Approved by the European Commission on 12 July 2016, the EU-US Privacy Shield replaced the Safe Harbor Principles, whose adequacy decision the ECJ had declared invalid in October 2015 in Maximillian Schrems v Data Protection Commissioner (Case C-362/14), on the ground that it did not ensure an adequate level of protection within the meaning of Article 25 of the Data Protection Directive.

Schrems II Facts

In October 2015, Mr Maximillian Schrems, an Austrian lawyer and data privacy campaigner, successfully challenged the validity of the EU-US Safe Harbor arrangement as a legal basis for transferring personal data from Facebook Ireland to servers belonging to Facebook Inc located in the US (commonly referred to as the Schrems I judgment).

Subsequently, in July 2016, the European Commission adopted a replacement adequacy Decision 2016/1250 approving a new framework for EU-US personal data flows, the EU-US Privacy Shield.

Mr Schrems reformulated his complaint to the Irish Data Protection Commissioner, claiming that the US does not offer sufficient protection for personal data transferred to that country, and sought the suspension or prohibition of future transfers of his personal data from the EU to the US, which Facebook Ireland by then carried out in reliance on Decision 2010/87 on controller to processor SCCs.

One of Mr Schrems' key concerns was that the US government might access and use EU individuals' personal data contrary to rights guaranteed by the Charter of Fundamental Rights of the EU (Charter), and that EU individuals would have no remedy available to them once their personal data had been transferred to the US. Under US law, electronic communications service providers such as Facebook Inc can be required to provide information to agencies such as the National Security Agency, the Central Intelligence Agency and the Federal Bureau of Investigation, and that information can be further used in surveillance programmes such as PRISM and UPSTREAM.

Decision on controller to processor SCCs

The use of SCCs remains valid, but businesses using controller to processor SCCs (or planning to do so) now face additional burdens: they will need to conduct what practitioners call a Transfer Impact Assessment, that is, an assessment of whether, in the overall context of the transfer, there are appropriate safeguards in the third country for the personal data transferred out of the EU (practically speaking, the European Economic Area). EU data exporters will need to take into account not only the destination of the personal data but also, in particular, any access by public authorities and the availability of judicial redress for individuals, in order to ascertain whether SCCs are an appropriate mechanism, and they may need to put in place additional safeguards.

Decision on EU-US Privacy Shield

The ECJ held that the limitations on the protection of personal data transferred from the EU to the US, arising from US domestic law "on the access to and use by US public authorities, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary".

As regards the requirement of judicial protection, the ECJ held that the Privacy Shield Ombudsperson does not provide individuals with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, so as to ensure the independence of the Ombudsperson and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on US intelligence services.

EU-US Privacy Shield - Practical points:

  • The EU-US Privacy Shield is no longer valid, and businesses relying solely on it to transfer personal data to the US need another transfer mechanism, for example by putting SCCs in place.
  • While SCCs remain valid, each underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (for example, in light of potential access by law enforcement or national security agencies). This is, in effect, a Transfer Impact Assessment. It will be burdensome not only for small organisations but also for large ones making hundreds, if not thousands, of transfers.
  • The European Commission is now likely to issue updated SCCs. Those new clauses could bake in the Transfer Impact Assessment discussed above. While existing SCCs will hopefully be "grandfathered", businesses should anticipate changes to their processes for new transfers.
  • The judgment could have a negative impact on any adequacy finding for the UK after the Brexit transition period. While there are material differences between the US and UK surveillance regimes, the judgment will no doubt make the European Commission more cautious in future adequacy assessments.
  • In the absence of an adequacy finding, transfers of personal data from the EU to the UK will be more difficult post-Brexit, as EU businesses will necessarily have to consider the effect of UK government surveillance powers, in particular those under the Investigatory Powers Act 2016.
  • While the data protection authorities cannot grant a "grace period" as such, they may well take a gradual approach to enforcing these new requirements. As an illustration, when Safe Harbor was struck down in 2015, data protection authorities indicated they would not take active enforcement action for a few months, to allow controllers to make new arrangements.

More to come…

With the publication of updated Standard Contractual Clauses expected and the UK adequacy decision pending, businesses handling cross-border data transfers to and from the EU or to and from the US need to keep themselves informed of the latest developments. As it stands, SCCs will need to underpin such transfers, and a "Transfer Impact Assessment" will be a new and additional obligation.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Restraint of Trade

Restraint of Trade – Quantum Advisory Ltd

In Quantum Advisory Ltd v Quantum Actuarial LLP [2020] EWHC 1072 (Comm), the High Court considered whether the restraint of trade doctrine applied in a services agreement entered into in connection with a restructuring and joint venture. The court decided that it did not.

What is a restraint of trade clause?

The purpose of a restraint of trade clause is to restrict the freedom of a business or individual to pursue their trade with the effect of limiting competition.

The case Nordenfelt v Maxim Nordenfelt Guns and Ammunition Co Ltd [1894] AC 535 serves as an illustrative example.

Thorsten Nordenfelt, a manufacturer specialising in armaments, had sold his business to Hiram Stevens Maxim for £200,000. They had agreed that Nordenfelt "would not make guns or ammunition anywhere in the world, and would not compete with Maxim in any way for a period of 25 years".

The House of Lords held that the restraint on making guns and ammunition was reasonable in the interests of the parties, even though it was worldwide in scope (the wider promise not to compete "in any way" went further than was necessary and was severed). The House placed emphasis on the £200,000 that Nordenfelt had received as full value for his sale.

The restraint of trade doctrine

The restraint of trade doctrine exists to protect the party to a contract who is subject to a restraint of trade clause, i.e. the party whose trade has been restrained by the contract. When the doctrine applies, the clause in question is void unless the party seeking to enforce it can show that it is:

  1. Designed to protect a legitimate business interest.
  2. No wider than reasonably necessary to protect that interest.
  3. Not contrary to the public interest.

How does the restraint of trade doctrine apply?

There is a line between contracts in restraint of trade, within the meaning of the doctrine, and ordinary contracts that merely regulate the commercial dealings of the parties. The courts will consider, first, if the contract in question is in restraint of trade and, secondly, whether in all the circumstances sufficient grounds exist for excluding the contract from the application of the doctrine. The recent case of Quantum Advisory Ltd v Quantum Actuarial LLP [2020] EWHC 1072 (Comm) allowed a judge to explore both of these questions in depth.

Quantum Advisory Ltd v Quantum Actuarial LLP [2020] EWHC 1072 (Comm)

Facts

In 2004, a company called Quantum (Old Quad) entered into a joint venture with Robert Davies (RD) and others. A new company (RDS) was set up to carry on a similar business with different clients. The single largest shareholder and the managing director of Old Quad was Martin Coombes (MC). The principal shareholders in RDS were Old Quad and RD. It was intended that after an initial three-year period there would be a merger of the businesses of Old Quad and RDS into a single entity.

By 2007 however, the interests and ambitions of those involved had begun to diverge. In particular, while MC wanted to diversify, the other directors and shareholders wanted to focus on developing the existing business. For this and other reasons, a restructuring of the businesses became necessary. One problem this presented was that MC's shareholding in Old Quad was such as to make it unaffordable for the other parties to buy him out. It was also felt that, regardless of affordability, it would be very difficult to fix a price for any buy-out.

The restructuring

A way of getting round these problems was devised, by which:

  • The businesses of Old Quad and RDS would be carried on by a new entity (the LLP).
  • A company wholly owned by MC (New Quad) would buy the entire issued share capital of Old Quad and RDS. The businesses and assets of those companies would be transferred to New Quad, subject to outstanding liabilities.

The terms of the restructuring were documented by way of an agreement dated 1 November 2007 entered into between Old Quad and the LLP (Services Agreement). Among other things, the Services Agreement:

  • Contained covenants on the LLP's part (clause 2.2) to not during the course of the Services Agreement or for a period of 12 months after its expiration or termination directly or indirectly:
    • solicit or entice away (or attempt to solicit or entice away) any Client in connection with any Services;
    • obtain instructions for any Services from any of the Clients or undertake any Services for any of the Clients; or
    • undertake any Services in relation to either the Pipeline Business or any work introduced by any of the Introducers during the Extended Period, without first having referred such matters to Old Quad, other than pursuant to the provisions of the agreement.
  • Contained acknowledgments to the effect that:
    • The provisions of clause 2.2 were no more extensive than was reasonable to protect the interests of Old Quad.
    • Each of the restrictions in clause 2.2 was a separate obligation considered reasonable by the parties (each of them having taken, if required, separate legal advice) in all the circumstances as necessary to protect the legitimate interests of the other party (clause 2.6).

Business affairs prior to litigation

New Quad and the LLP conducted their affairs according to the Services Agreement without any real difficulty for a number of years. Increasingly, however, the LLP became dissatisfied with the terms of the Services Agreement. The LLP sought to contend that the restraints in the covenants in clause 2.2 amounted to an unreasonable restraint of trade. Specifically, it complained about the duration of the restraints in circumstances in which the LLP had very limited ability to extricate itself from the Services Agreement before expiration. The LLP did not otherwise complain about the duration of the Services Agreement or the nature of the covenants themselves.

That led to New Quad commencing proceedings, seeking a declaration that the Services Agreement was binding on the parties and an injunction to restrain the LLP from acting in breach.

Decision

The judge concluded that:

  • The doctrine of restraint of trade did not apply to the restraints and therefore the restraint of trade clauses were legally enforceable.
  • If the doctrine of restraint of trade had applied to the restraints, he would have found that they satisfied the requirement of reasonableness.

Did the restraint of trade doctrine apply to the restraints?

In concluding that the doctrine did not apply to the restraints, the judge was at pains to stress that the Services Agreement needed to be considered on its own terms and in its own circumstances. It was a bespoke agreement, fashioned to address the competing needs and interests of a group of professional people. In his opinion the following considerations weighed against the application of the doctrine:

  • The fact that the LLP had been brought into existence for the purpose of the restructuring that was effected via the Services Agreement. It had no prior being or business and no other rationale. While it was true to say that its trade was restrained by the Services Agreement, this argument lacked the kind of traction normally found in restraint of trade cases. In a sense, the Services Agreement was the essential condition of the LLP's ability to carry on business at all. It was not a restraint of trade but a means of providing the opportunity to trade.
  • In this light, to attempt to place the covenants in clause 2.2 of the Services Agreement within the scope of the restraint of trade doctrine showed up a degree of incoherence. The judge pointed out that:
    • To view the restraints as potentially justifiable if of shorter duration (a view which counsel for the LLP had at one point expressed) was to divorce them from the wider agreement and so mistake their nature. Their purpose, as MC had phrased it in a witness statement, "was to recognise the legacy/LLP client ownership boundaries".
    • It had originally been proposed that the term of the Services Agreement be ten years. However, the members of the LLP had expressed concern that, if the agreement ended after ten years, the LLP's sustainability would be threatened by the loss of a major part of its business and income so soon after trading had commenced. When MC proposed extending the term of the agreement to 99 years, the LLP agreed.

Would the restraints have been regarded as reasonable?

The following factors were among those that led the judge to conclude that, had the doctrine of restraint of trade applied to the restraints, he would have found that they satisfied the requirement of reasonableness:

  • The fact that the Services Agreement and the restraints were a matter of free agreement between experienced, intelligent, articulate and highly competent business people who were able to look after their own interests and who had expressly agreed that the restraints were reasonable as being necessary to protect the parties' interests.
  • The LLP had not persuaded the judge that the restraints were unreasonable on account of any consideration of public policy.

The judge dismissed the argument based on alleged inequality of bargaining power between the parties (and indeed the alleged lack of any formalised negotiation process at all), because it was not supported by the facts. While it was true that the LLP had not received independent legal advice in connection with the Services Agreement, the judge did not regard this as indicating that the parties' free agreement ought to be viewed with particular caution when considering reasonableness. There was no obligation to seek independent legal advice, under clause 2.6 of the Services Agreement or otherwise.

Context is essential

Clearly this is a decision that turned on the facts. Since most reported restraint of trade cases in the corporate arena arise in relation to private M&A it presents a rare opportunity to see how the courts construe the restraint of trade doctrine in a different context. The decision is a reminder that not all restrictive covenants are subject to the restraint of trade doctrine and the specific business context is crucial to such a ruling.

If you have any questions about restraint of trade clauses or about contract law more generally please contact Neil Williamson.


Big Data

Big Data – AI and Machine Learning

The use of computers and the internet has allowed unprecedented amounts of data to be collected and used for a variety of ends. Big data technology represents the most advanced and sizeable use of this new asset. The size and extent of such operations come up against a number of regulatory barriers, most notably the General Data Protection Regulation (EU) 2016/679 (GDPR).

What is Big Data?

Big data is the harnessing, processing and analysis of digital data in huge and ever-increasing volume, variety and velocity. It has quickly risen up the corporate agenda as organisations appreciate that they can gain advantage through valuable insights about their customers and users through the techniques that are rapidly developing in the data world.

Much big data (for example, climate and weather data) is not personal data. Personal data is data relating to an identified or identifiable living individual. For data that is, or could be, personal data, data protection legislation, in particular the GDPR, must be carefully considered.

Brexit

During the transition period (which ends on 31 December 2020 unless extended) and after it, organisations should, as the ICO has noted, continue data protection compliance as usual. The key principles, rights and obligations will remain the same, and organisations already complying with the GDPR should be in a good position to comply with the post-Brexit data protection regime.

Big Data Analytics, Artificial Intelligence and Machine Learning

Being able to use big data is critical to the development of Artificial Intelligence (AI) and machine learning. AI is the ability of a computer to perform tasks commonly associated with human intelligence. In particular, AI can cope with, and to a large extent is predicated on, the analysis of huge amounts of data in its varying shapes, sizes and forms.

Machine learning is a set of techniques that allows computers to "learn" by deriving mathematical models from accumulated data, rather than following rules programmed explicitly in advance.

Big data, AI and machine learning are linked as described by the ICO:

“In summary, big data can be thought of as an asset that is difficult to exploit. AI can be seen as a key to unlocking the value of big data; and machine learning is one of the technical mechanisms that underpins and facilitates AI. The combination of all three concepts can be called "big data analytics”. (Paragraph 11 of ICO: Big data and data protection 2017.)

Big data analytics differs from traditional data processing in the following ways:

  • It uses complex algorithms for processing data. This usually involves a “discovery” phase to find relevant correlations (which can be a form of machine learning) so that algorithms can be created.
  • There is limited transparency on how these algorithms work and how data is processed. As vast amounts of data are processed through massive networks, a “black box” effect is created that makes it very difficult to understand the reasons for decisions made by the algorithms.
  • There is a tendency to collect “all the data” as it is more easily available rather than limiting the analytics to random samples or statistically representative samples.
  • Often data is re-used for a purpose different from the one for which it was originally collected, often because it has been obtained from third parties.
  • It usually involves data from new sources such as the Internet of Things (IoT) and “observed” data that has been generated automatically, for example by tracking online behaviour rather than data provided by individuals. In addition, new “derived” or “inferred” data produced by the algorithms is used further in the analytics.

Big Data and Data protection

Managing compliance with the GDPR will play a large part in big data management projects involving data harvested from the expanding range of available digital sources. Many organisations will already have an established data protection governance structure and policy and compliance framework in place and these can be helpful as pathfinders towards structured data governance.

Controller or processor?

Under Article 4(7) of the GDPR, a person who determines “the purposes and means” of processing personal data is a controller and under Article 4(8), a processor just processes personal data on behalf of the controller.

Correctly assessing whether an organisation is a controller or a processor in the context of the collection of massive amounts of data is therefore critical to the GDPR compliant structuring of the relationship and to allocating risk and responsibility.

However, the borderline between controller and processor can be fuzzy in practice. Where it lies in the AI context was considered for the first time in the UK in the ICO’s July 2017 decision on an agreement between the Royal Free Hospital and Google DeepMind. Under the agreement, DeepMind used the UK’s standard, publicly available acute kidney injury (AKI) algorithm to process personal data of 1.6m patients in order to test the clinical safety of Streams, an AKI application that the hospital was developing. The ICO ruled that the hospital had failed to comply with data protection law and, as part of the remediation required by the ICO, the hospital commissioned law firm Linklaters to audit the system. The hospital published the audit report in May 2018, which found (at paragraph 20.7) that the agreement had properly characterised DeepMind as a processor not a controller.

Important to this characterisation were the facts that the algorithm was simple and that its use had been mandated by the NHS, so that DeepMind was not determining the purposes and means of the processing. Understanding whether an organisation is a processor or a controller is a complex issue, and seeking advice on the matter may be crucial to understanding the potential liabilities of those using big data.

Personal data

In the context of big data, it is worth considering whether personal data can be fully anonymised, which would take it outside the data protection regime altogether. This is noted in Recital 26 of the GDPR, which says that:

"the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable".

However, personal data that has merely been pseudonymised, meaning that it could still be attributed to an individual with the use of additional information (such as the key or lookup table used to generate the pseudonyms), remains personal data (Article 4(5) and Recital 26, GDPR). Whether a dataset is truly anonymous also depends on whether the remaining attributes (postcode, date of birth, job title and the like) can be combined to single someone out, alone or in conjunction with other available data.
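The following Python example, added here and not part of the original article or of any guidance it cites, illustrates the distinction just drawn. It uses a constructed set of six fictional records (hypothetical people, addresses and conditions). Replacing the e-mail address with a keyed hash (an HMAC) is pseudonymisation: anyone holding the key and a list of candidate addresses can map the tokens back to people, and the other columns still make every row unique. Dropping the identifier and coarsening the quasi-identifiers (postcode area, ten-year age band) is the kind of generalisation used when anonymising, and the k-anonymity figure is a simple check that no individual is unique in the result. The key, field names and banding rules are assumptions made for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for the demonstration; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "condition": "asthma"},
    {"email": "bob@example.com", "postcode": "SW1A 2BB", "age": 37, "condition": "diabetes"},
    {"email": "carol@example.com", "postcode": "SW1A 3CC", "age": 31, "condition": "none"},
    {"email": "dan@example.com", "postcode": "EC2A 4DD", "age": 52, "condition": "hypertension"},
    {"email": "erin@example.com", "postcode": "EC2A 5EE", "age": 58, "condition": "none"},
    {"email": "frank@example.com", "postcode": "EC2A 6FF", "age": 55, "condition": "asthma"},
]

# Columns that are not direct identifiers but can single someone out in combination.
QUASI_IDENTIFIERS = ("postcode", "age")


def token_for(email: str, key: bytes) -> str:
    # Keyed hash rather than a bare SHA-256: without the key an attacker cannot
    # confirm a guessed address by hashing it. With the key, they can (see reidentify).
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Swap the direct identifier for a keyed token, leaving every other column intact."""
    out = []
    for r in records:
        rest = {k: v for k, v in r.items() if k != "email"}
        out.append({"subject_id": token_for(r["email"], key), **rest})
    return out


def reidentify(pseudo_records, key: bytes, candidates):
    """The 'additional information' of Recital 26: the key plus a candidate list maps tokens back to people."""
    lookup = {token_for(e, key): e for e in candidates}
    return {r["subject_id"]: lookup.get(r["subject_id"]) for r in pseudo_records}


def age_band(age: int) -> str:
    # Ten-year bands, an assumed generalisation rule for the example.
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalise(records):
    """Drop the identifier and coarsen the quasi-identifiers (postcode area, age band)."""
    return [
        {"postcode": r["postcode"].split()[0], "age": age_band(r["age"]), "condition": r["condition"]}
        for r in records
    ]


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing identical quasi-identifier values; k == 1 means someone is unique."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    key = b"demo-key-keep-this-secret"  # assumed secret held by the data controller
    pseudo = pseudonymise(RECORDS, key)
    print("pseudonymised k =", k_anonymity(pseudo))            # every row still unique
    print("re-identified:", reidentify(pseudo, key, [r["email"] for r in RECORDS]))
    print("generalised k =", k_anonymity(generalise(RECORDS)))  # three people per group
```

Two caveats for anyone adapting this. First, a pseudonymised dataset stays personal data for the organisation holding the key, and for anyone who could obtain it, regardless of how strong the hash is. Second, k-anonymity is a necessary check rather than a guarantee: a group in which everyone shares the same sensitive value still discloses that value, and linkage with other datasets can undo generalisation, so the residual re-identification risk has to be assessed in context rather than read off a single number.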

Profiling

The GDPR includes a definition of profiling that is relevant to the processing of big data. Profiling is defined as any form of automated processing of personal data used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict the following: performance at work; economic situation; health; personal preferences; interests; reliability; behaviour; location; movements. (Article 4(4), GDPR.)

The GDPR includes data subject rights in relation to automated decision making, including profiling. The existence of such decision making must be disclosed to the individual, together with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for them (Articles 13(2)(f), 14(2)(g) and 15(1)(h), GDPR).

Individuals have the right not to be subject to a decision based solely on automated processing (which includes profiling), which produces legal effects concerning them or similarly significantly affects them (Article 22(1), GDPR). However, this right will not apply in certain cases, for example if the individual has given explicit consent, although suitable measures must be implemented to protect the data subjects.

Fair processing

In the ICO Big Data Paper 2017, the ICO emphasises the importance of fairness, transparency and meeting the data subject’s reasonable expectations in data processing. It states that transparency about how the data is used will be an important element when assessing compliance. It also highlights the need to consider the effect of the processing on the individuals concerned as well as communities and societal groups concerned. Similarly, the EDPS 2015 opinion stresses that organisations must be more transparent about how they process data, afford users a higher degree of control over how their data is used, design user friendly data protection into their products and services and become more accountable for what they do.

Transparency

As well as the general requirement for transparency in Article 5(1)(a), the GDPR includes specific obligations on controllers to provide data subjects with certain prescribed information (typically done in the form of a privacy notice) (Articles 13 and 14, GDPR).

The ICO Big Data Paper 2017 notes that the complexity and opacity of data analytics can lead to mistrust and potentially be a barrier to data sharing, particularly in the public sector. In the private sector, it can lead to reduced competitiveness from lack of consumer trust. Therefore privacy notices are a key tool in providing transparency in the data context. In relation to privacy notices, the Paper suggests using innovative approaches such as videos, cartoons, icons and just-in-time notifications, as well as a combination of approaches to make complex information easier to understand.

An introduction

This blog is no more than an introduction to, and summary of, some of the legal issues raised by big data. In many ways the GDPR was created in response to such activity, and the extent of its applicability to the topic is therefore unsurprising. Any organisation looking to undertake such a project should be aware of the regulations from the outset, so that compliance is built into the design of its systems and operations rather than bolted on afterwards (data protection by design and by default, Article 25, GDPR).

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Wm Morrison Supermarkets plc

Data Breach Claims – Wm Morrison Supermarkets plc

In Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court has overturned judgments of the High Court and Court of Appeal and decided that a supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by an employee.

Wm Morrison Supermarkets plc v Various Claimants - the facts

In 2013, Mr Skelton, who was then employed by Wm Morrison Supermarkets plc (Morrisons) as an internal IT auditor, was provided with a verbal warning for minor misconduct. Subsequently, he developed an irrational grudge against his employer. After being asked by Morrisons to provide payroll data for the entire workforce to external auditors, Mr Skelton copied the data onto a USB stick. He took the USB stick home and posted the data on the internet, using another employee's details in an attempt to conceal his actions. He also sent this data to three national newspapers, purporting to be a concerned member of the public.

The newspapers did not publish the data, but one newspaper alerted Morrisons, who immediately took steps to remove the data from the internet, contact the police and begin an internal investigation. Morrisons spent £2.26 million dealing with the aftermath of the disclosure, a large proportion of which was spent on security measures for its employees. Mr Skelton was arrested and ultimately convicted of criminal offences under the Computer Misuse Act 1990 and section 55 of the DPA 1998, which was in force at the time.

The claimants in this case were 9,263 of Morrisons' employees or former employees. They claimed damages from Morrisons in the High Court for misuse of private information and breach of confidence, and for breach of its statutory duty under section 4(4) of the DPA 1998. The claimants alleged that Morrisons was either primarily liable under those heads of claim or vicariously liable for Mr Skelton's wrongful conduct.

Data Protection Act 1998

This case was decided under the Data Protection Act 1998 (DPA 1998) which was applicable at the time. The DPA 1998 implemented the Data Protection Directive (95/46/EEC) and imposed broad obligations on those who collect personal data (data controllers), as well as conferring broad rights on individuals about whom data is collected (data subjects). Section 4(4) of the DPA 1998 provided that a data controller must comply with eight data protection principles in relation to all personal data with respect to which they are a controller.

Under section 13(1), any breach of the DPA 1998 which caused damage entitled the victim to compensation for that damage. Section 13(2) provided as follows:

"An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if the individual also suffers damage by reason of the contravention."

Under section 13(3), it was a defence to any proceedings under section 13 for a person, or in this case Morrisons, to prove that they had taken such care as was reasonably required in all the circumstances to comply with the relevant requirement.

Vicarious liability

It was also crucial to consider whether Morrisons could be vicariously liable for their employee’s action in this instance. Employers will be liable for torts committed by an employee under the doctrine of vicarious liability where there is a sufficient connection between the employment and the wrongdoing. There is a two-stage test:

  • Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  • Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

In Lister v Hesley Hall Ltd [2001] UKHL 22, the House of Lords characterised the second stage as a "sufficient connection" test. The question was whether the torts were "so closely connected with [the] employment that it would be fair and just to hold the employers vicariously liable".

In Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11 (Mohamud), the Supreme Court held that the supermarket was vicariously liable for an employee's unprovoked violent assault on a customer. It found that there was a sufficiently close connection between the assault and the employee's job of attending to customers, such that the employer should be held vicariously liable.

Wm Morrison Supermarkets plc - Decision

The Supreme Court held that Morrisons was not vicariously liable for Mr Skelton's actions. It found that the Court of Appeal had misunderstood the principles governing vicarious liability in the following respects:

  • The disclosure of the data on the internet did not form part of Mr Skelton's functions or field of activities. This was not an act which he was authorised to do.
  • Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, a temporal or causal connection did not in itself satisfy the close connection test.
  • The reason why Mr Skelton acted wrongfully was not irrelevant. Whether he was acting on his employer's business or for purely personal reasons was highly material.

The mere fact that Mr Skelton's employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. It was clear that Mr Skelton was not engaged in furthering his employer's business when he committed the wrongdoing. On the contrary, he was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Comment

This decision will provide welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. It similarly provides helpful clarification for practitioners on the way in which the judgment in Mohamud should be applied in future cases concerning vicarious liability.

The facts in this case were extreme. It seems that Morrisons were wholly unaware of the grudge held by Mr Skelton. Mr Skelton also took extraordinary actions to cover up what he had done and even to frame another employee.

Unanswered questions

Had Morrisons been found vicariously liable for Mr Skelton’s actions, the employees who made the claims would have had to prove that they suffered ‘distress, anxiety, upset and damage’ through the mishandling of their personal information. A Supreme Court ruling on that issue would have provided a helpful benchmark for those wanting to understand how our courts quantify compensation for data breaches.

Moving forward

Employers should take away from the judgment that although this case was decided under the previous data protection regime, the DPA 1998 and the GDPR are based on broadly similar principles. Therefore the GDPR and Data Protection Act 2018 (DPA 2018) will not be a barrier to vicarious liability actions in data privacy proceedings commenced under the current regime.

Additionally, the GDPR makes compliance far more onerous for controllers and risks exposure to the huge revenue-based fines and data subject compensation claims for breaches of the GDPR and DPA 2018. This includes failing to safeguard data to statutory standards and neglecting to have governance in place to curb the malicious acts of rogue employees.

Morrisons' success in bringing to an end the threat, in this case, of being subject to a group action for compensation follows Google LLC being granted permission to appeal against the Court of Appeal's order in Lloyd v Google LLC [2019] EWCA Civ 1599, and is another significant development in the progress of representative class actions in the UK legal system.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.



Web Scraping – Legal Issues

Web scraping (or data scraping) is more prevalent than you think. It is estimated that more than 50% of all website visits are for data scraping purposes. This is why users are often asked to go through a series of tests to prove they are not an unwanted bot. There are plenty of new businesses with large datasets or web scraping capabilities which look attractive to investors given the nature of online marketing and the appeal of tools which offer businesses new, innovative ways to collect and process data. Being aware of the legal issues is of paramount importance before becoming involved with, or setting up, such businesses. This involves being aware of licences to datasets and of possible infringements of database and intellectual property rights.

What is web scraping?

Web scraping is the process of using software to automatically harvest, or scrape, publicly available data from online sources. It has many purposes, including recruitment, sentiment analysis, assessing credit risk, identifying trends, marketing and sales. It is also permitted, to varying extents, under bespoke licences. In the public sector, datasets often operate under the Open Government Licence (OGL), a licence inspired and brought to renewed prominence by an EU directive, the INSPIRE directive (2007/2), which required public authorities to make spatial information datasets publicly available.

In the news

Elections in Brazil have provided an example of how marketing companies could potentially abuse web scraping software. It was alleged that political parties used software to gather phone numbers from Facebook which were then used to create WhatsApp groups and spread fake news. Brazil’s electoral court is to investigate whether this undermined the legitimacy of the elections.

In the UK, the investigation of Cambridge Analytica and Facebook by the Information Commissioner’s Office (ICO) has put data scraping under public scrutiny. Facebook was fined the maximum £500,000 for two breaches of the Data Protection Act (UK) 1998 for not adequately safeguarding users’ personal data. When reflecting on the investigation, Elizabeth Denham, the UK Information Commissioner, called for an “ethical pause” to allow Government, Parliament, regulators, political parties, online platforms and the public to reflect on their responsibilities in the era of big data before there is greater expansion in the use of new technologies.

Businesses should therefore consider what the legal implications may be if they intend to scrape data. If operating under a licence to scrape data, a business should understand the scope of such licence and, if personal data is involved, whether the activity complies with data protection laws. If no licence exists then scraping data may infringe copyright and database rights. If the website you wish to scrape has an acceptable use policy or other similar terms and conditions attached to it, the chances are that any scraping activity will breach that policy or conditions.

A recent case in the UK has explored the extent of licences and database rights when applied to web scraping.

77m Ltd v Ordnance Survey Ltd [2019] EWHC 3007 (Ch)

The High Court found a geospatial address dataset creator liable for database right infringement and in breach of a number of licences.

The claimant, 77m, created a dataset called Matrix of the geospatial co-ordinates of all residential and non-residential addresses in Great Britain, for which it wished to sell access. It had created Matrix by combining large amounts of data from various datasets. The data at issue derived from the defendant, Ordnance Survey (OS). 77m did not contract with OS but with Her Majesty's Land Registry (HMLR) and Registers of Scotland (RoS). It also accessed data including addresses and geospatial co-ordinates made public by Lichfield District Council (LDC) under the Open Government Licence (OGL) (Lichfield data). HMLR, RoS and LDC licensed the relevant data from OS.

Before looking at database rights, the court had to decide whether 77m had acted within the terms of the licences: if it had, then 77m’s activities in relation to OS’s datasets would be shielded from a database right infringement claim; if it had not, then 77m would remain exposed to the infringement claim.

77m had extracted data under the terms of a number of licences. It was found that in many instances 77m had gone beyond the behaviour permitted by the licences. Under the OGL, the court held that using publicly available data to create software, where the data was not then sold or included in the software itself, was lawful. In most instances, however, 77m’s use of the data to specify geospatial co-ordinates was in breach of the licences.

The court then went on to consider whether 77m’s activity infringed database rights. Firstly, it was critical to assess whether or not the database in question was subject to such rights. The Database Directive (EU), implemented in the UK in 1997, states that protection shall be granted to the maker of a database who shows that there has been, qualitatively and/or quantitatively, a substantial investment in either the obtaining, verification or presentation of the contents. The court ruled that Ordnance Survey clearly had made such an investment when putting the database together. The High Court judge, Mr Justice Birss, specifically pointed to the investment that went into verifying new addresses as they came into Ordnance Survey’s database, which in recent years had an operating expenditure of £6 million per annum.

The way in which 77m used the database was then put into question. The important distinction here is between extraction and consultation of the data within the database, where extraction would be an infringement of database rights. Some muddled case law coming from the ECJ made the question laborious. Put simply, consultation has been defined as limited to a person merely reading data on a screen, where the only other medium to which the data is transferred is the person’s brain, whereas extraction would be transferring data to a medium other than the person’s brain, such as downloading the data onto your own computer.

Therefore 77m’s use of data on such a vast scale and for commercial purposes was always going to amount to an extraction and thus an infringement. The court made clear, however, that in some instances data could be consulted for a commercial purpose. But a user who took all or part of a database’s contents and transferred them to another medium so that they could use them appropriated to themselves a substantial part of the investment that went into creating the database, and was therefore clearly in breach of database rights. Database rights are not only about protecting the data but also about the work that went into compiling and synthesising it.

This case highlights the need to be aware of the licences a company has in place to use data, the scope of such licensing and, if there is no licence or the licence has been breached, whether database rights could protect the database owner.

Web scraping things to consider

Below is a list of things to consider before you scrape data or before you buy a business that has been scraping data:

  • Check the scope of the licences to scrape data, and to store and use that data.
  • If there is no licence in place then a business should consider whether the scraped data is subject to copyright and/or database rights.
  • If no licence exists you could then also check the website’s acceptable use policy and/or terms and conditions. If they explicitly forbid scraping or contain other content restrictions, this may enable the website owner to sue for breach of contract. Although there is no clear precedent on whether website terms and conditions form binding contracts in the UK, it is worth assuming they could. The Irish High Court recently ruled that such terms and conditions could form a binding contract. Even if there is no acceptable use policy and/or terms and conditions, it should be noted that such a website may still be subject to copyright and/or database rights.
  • Check whether the target business you want to purchase uses a third party to scrape or store data and, if so, their contractual arrangements.
  • Legal positions differ by country, even between European countries. This is important to be aware of especially when storing data from one nation and making it available to another.
  • Check if personal data is involved and therefore if GDPR / Data Protection Act 2018 / other data protection laws are applicable.

The US perspective on Web Scraping

A recent case involved LinkedIn and HiQ, a small data analytics company that used automated bots to scrape information from public LinkedIn profiles. The Ninth Circuit Court of Appeals ruled in favour of HiQ, implying that data scraping of publicly available information from social media websites is permitted. LinkedIn has expressed its intention to escalate the case to the Supreme Court, and therefore the law may still change.

In the US, similarly to the UK, data scrapers may find themselves on the receiving end of legal action under the following regimes:

  • Intellectual property: Scraping data from websites may infringe intellectual property rights. In 2013 a Federal Court ruled that a software as a service company, Meltwater U.S. Holdings, which offered subscribers access to scraped information about news articles, had been acting illegally. Such companies are often referred to as ‘news aggregators’. The news provider whose data had been scraped sold licences to many companies; without one, and when copying 0.4% to 60% of each article, Meltwater was deemed to have had a ‘substantial’ negative effect upon the potential market or the value of the copyrighted work. Therefore getting a licence before scraping data in the US is advised. As mentioned above in the LinkedIn v. HiQ case, though, it may still be possible to scrape publicly available information from social media sites without a licence.
  • Contract: In the US, if a website user is bound by the Website’s terms of service and causes damage by breaching those terms, the user may be liable for breach of contract.
  • The Computer Fraud and Abuse Act: This provides a civil cause of action against anyone who accesses a computer without authorisation, as well as providing for criminal offences. Although courts have come to differing conclusions, it has generally been ruled that if a scraper uses technical steps, i.e. specialised and complex methods, to circumvent protections to data on websites then the scraper can become liable under the act.
  • Data protection: The US does not currently have comprehensive data privacy legislation at the federal level. On the state level there are plenty of statutes that mandate certain privacy-related rights, but most do not broadly regulate the collection and use of personal data. This is not always the case. California recently passed a state law which regulates data privacy. Coming into effect in 2020, it requires certain companies collecting personal data to disclose how such data will be used and allow consumers to opt-out of data collection. Data scrapers who collect such personal data in California could therefore be found liable when not disclosing the use of such data and allowing an opt-out option.

Final Thoughts

Most businesses aren’t in the business of web scraping - most business owners or directors aren’t even aware of what web scraping is. However, it’s something to be aware of. Maybe with this awareness you now want to make sure that your website has an acceptable use policy or other security measures in place. If you buy data you should think about how that data was collected. If you are buying a business you should include checks in your due diligence and appropriate warranties in the share purchase agreement to protect yourself from buying a business that collected data unlawfully.

If you have any questions on the points raised above please contact one of our technology lawyers.



Cloud Services Legal Issues

Cloud services are on the rise – they are highly relevant now and they are the future. In this article we provide a brief overview of some of the legal and commercial issues to consider when using cloud services and dealing with cloud services contracts.

What are cloud services?

Cloud services describe the delivery of technology services via the internet. Cloud users either do not need to purchase or install software at all or, if they do, then only on a small scale using software that is standardised. Cloud users do not have to run their own applications or provide the computing power from their own data centres, benefitting from massive economies of scale and dramatically lowering the cost of IT service provision.

Cloud services on the rise

The UK has seen a rapid adoption of cloud computing in business with Software as a Service the preferred deployment model. Cutting costs and providing mobile working solutions for staff is the main impetus for such innovation. The flexibility and scalability of cloud computing means organisations are happy to trade-off some of the control that exists in traditional services.

The rapid take up of cloud services is not limited to the private sector. The fourth iteration of the pan-government G-Cloud Framework has just been awarded to a wide array of large and small cloud operators.

The nature of cloud service provision means that a number of well-established IT concepts need to be reconsidered and will continue to need consideration as technology is refined. Furthermore, there is increasing regulation of cloud services through a wide variety of legislative provisions that do not specifically relate to cloud service provision but have a considerable impact on cloud service provision.

How cloud service providers operate

Cloud service arrangements are generally paid for on a service basis, which means that the upfront charges for customers and regular upgrade fees associated with more traditional software licensing are avoided.

Some cloud service providers may seek to levy start-up fees or upfront subscription charges to mitigate their own commercial exposure, for example, for any third-party software licensing charges. The most common approach now is a committed term of 1 to 3 years when signing up to an enterprise SaaS service – as suppliers want to be able to recognise revenue in their accounts.

Intellectual property issues

Licensing:

Although cloud services contracts relate to the provision of services rather than to the supply of software to customers, particularly in SaaS arrangements, appropriate software licences still need to be granted to the customer. Where users make online use of software, doing so without a licence would amount to copyright infringement. The licences are usually very narrowly defined and limited to use of the online application for the customer’s own business purposes. Customers have no right to make copies of, or modifications or enhancements to, the software and they cannot sub-license it to third parties.

The cloud services provider will not always own the intellectual property rights in the software that is the subject of the cloud service provision. Where this is the case, the cloud services provider will need to arrange for the right to sub-license the software to its customers, or for a direct licence to be entered into between the customers and the relevant third-party licensors. For purposes of contractual simplicity, it is preferable (and most common) for the cloud service provider to sub-license the customer’s use of the third-party software.

Content and Data licensing:

The extent to which cloud services providers can make use of the data that is stored within their systems by their customers has become an important issue as a result of the significant marketplace developments in data analytics, including the use of artificial intelligence. Until data analytics became a mainstream business activity, cloud providers tended to regard their customers’ data storage requirements as being a necessary business overhead as part of the overall cloud arrangement. With data analytics, customer data has become a valuable resource which can be used to provide the basis for value added data analytics derived services.

In the early days of cloud services provision, many standard terms and conditions offered by cloud service providers in the consumer market included a broad licence from the customer to the service provider allowing it to use any content stored on its servers. These licences are often expressed as being perpetual and irrevocable. The uses the service provider could make of the content were usually limited, but there were often rights to pass the content to third parties and to use it for marketing purposes. Even in the consumer marketplace, there is now considerably more general awareness of data issues, particularly following the Facebook/Cambridge Analytica scandal. In July 2019, the US Federal Trade Commission voted to approve fining Facebook around $5 billion to finally settle the investigation of these issues.

As a result, customers receiving cloud services should carefully consider the licensing provisions that relate to the supplier’s use of the data it stores as a result of providing the services, particularly in relation to use of personal data, treatment of intellectual property rights and confidentiality. Customers should take particular care in identifying any rights they are agreeing to provide to the service provider. Licences may be implied by necessity or business efficacy; however, a better and more certain approach is to have an express licence in place that is broad in scope and covers the full range of likely activities.

Jurisdiction and governing law

It is common for cloud services providers and their customers to be located in different jurisdictions. Where this is the case, two separate issues need to be considered: applicable law and jurisdiction. In each case, the cloud contract may stipulate choice of law and jurisdiction. However, there may also be separate and different rules on applicable law and jurisdiction that apply irrespective of provisions in the contract: data protection is a good example of this, where the GDPR has its own free standing rules.

Which law governs the contract

Usually the contract will state the laws that apply. If it doesn’t then this can be problematic, especially when cloud services are involved. Why? If, for example, the parties to the contract are based within the EU then in a B2B context it will generally be the laws of the place where the cloud services provider bases its servers that will apply. The position is more complex where service data is stored on multiple servers in different jurisdictions.

It is important therefore to ensure that cloud services contracts include a choice of law (and jurisdiction) clause.

Data Protection

When organisations process personal data they do so either as a “data controller” or a “data processor”. Each has different legal obligations when protecting personal data.

The data controller is the organisation that determines the purposes and means of the processing of personal data and is responsible for compliance with data protection law. In cloud services, the UK’s data protection regulator, the ICO, usually views the customer as the data controller, although when the supplier has a large amount of control over the processing of personal data they may be considered a joint data controller.

The data processor is the entity who processes data on behalf of a data controller. The ICO will regard the cloud services provider as a data processor in most cloud services arrangements.

Most obligations under data protection law fall on the data controller, and therefore usually on the customer of a cloud services provider. A customer should therefore only allow a cloud services provider to process data on its behalf if the provider has appropriate organisational and technical measures in place. Special care must also be taken if international data transfers take place in connection with the processing of the customer’s data.

Checklist for cloud services contracts (buyer perspective)

Before signing on the dotted line you should consider:

  • Data storage: where will your data be stored, how is it stored, who has access to it and what security measures are in place?
  • Warranties and indemnities: consider what disclaimers are contained in the agreement and have appropriate indemnities been given for loss of data?
  • Check for hidden costs: monthly service costs may be low for a reason.
  • How will disputes be dealt with: what law applies and where will disputes be heard?
  • Data recovery: what will happen to your data at the end of the contract?

Checklist for cloud services contracts (supplier perspective)

Make sure that you have considered the following:

  • Intellectual Property Rights: although supplying software as a service is more protective of IPRs you should still make sure that your IP rights are covered.
  • Limitations and exclusions of liability: it’s standard practice to exclude liability for certain losses and to have an overall cap on liability.
  • Will you provide support commitments / service availability guarantees? Your business customers may well insist on these.
  • If you offer a subscription per person what happens if unauthorised individuals access the service? Consider including audit rights.
  • What should happen with the customer’s data at the end of the contract – you probably want the right to delete it after a certain time.
  • Choice of law and jurisdiction.

Cloud services – a multifaceted and evolving area of law

Contracts for the provision of cloud services, and the legal issues being thrown up by the uptake in cloud services technology, are evolving all the time. If you need help with cloud services contracts or any technology legal issues then please get in touch with us.



COVID-19 Data Protection Issues

COVID-19 data protection issues have left many businesses scrambling to keep on top of their compliance functions. Other businesses are largely ignoring data protection rules – which are you?!

Although not always at the front of minds in a crisis, data protection laws are there to be followed. As a result of COVID-19, data protection rules are being put to the test by the new information about individuals being collected in response to the pandemic. This often includes whether individual members of staff are displaying symptoms of the virus, the health status of staff and related individuals within the same household, the results of COVID-19 testing and the various locations individuals have visited since the start of the outbreak.

This new information collected constitutes “personal data” and sometimes falls within “special categories of personal data”, as provided for under Article 9 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

Regulators Response

Data protection regulators across the EU have issued statements and guidance referring to the effect of COVID-19 on data protection.

The European Data Protection Board (EDPB) has stated that data protection laws in the EU do not, and should not, hinder the response to COVID-19. Therefore organisations subject to such regulation should remain compliant with their obligations under GDPR. The EDPB has commented that the COVID-19 emergency is a “legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”. Whether this means governments have the right to police data protection compliance more or less strictly is unclear.

In the UK the Information Commissioner’s Office (ICO) has published guidance in the context of COVID-19 data protection. The ICO’s approach is sympathetic to the challenges faced by organisations:

“We understand that resources, whether they are finance or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.

The ICO then goes on to mention that this does not extend as far as allowing infringement of statutory timescales but that they will endeavour to communicate to individuals bringing information rights requests that understandable delays may ensue.

The guidance should not be interpreted as a blank cheque by organisations to bend the rules relating to data protection compliance. It is only guidance and may not stand up in court. Additionally, the ICO does not grant any express relaxation of the rules. It has also stated, in line with the EDPB, that data protection should not stop organisations from being able to respond effectively to the crisis.

“Personal Data” and/or “Special Categories of Personal Data”

Information such as whether personnel have self-isolated, body temperature of personnel, visitors to premises and device location data will all be considered personal data. Where information also relates to the individual’s health, it would also fall within the sub-category of “special categories of personal data” – more on this below.

Legal Basis for Processing Personal Data

When processing COVID-19 personal data (that isn’t “special category data”) organisations may rely on the following legal bases:

Legitimate interests: for the purpose of the organisation’s legitimate interests in managing business continuity and the well-being of its staff.

Contractual necessity: necessary for an organisation’s performance of its obligations to its staff e.g. employees under their employment contract. Relevant obligations include ensuring the health, safety and well-being of employees.

Legal obligation: organisations have legal obligations relating to health and safety.

Legal Basis for Processing Special Categories of Personal Data

It is likely that when responding to the COVID-19 crisis organisations will collect special category data. This is because special category data, within the context of health, is defined as:

“personal data related to the physical or mental health of a natural person, including the provision of health care services which reveal information about his or her health status”.

This includes information on injury, disease, diagnosis, medical history, medical examination data, registration details with health service, appointment details and/or a number, symbol or other identifier assigned to an individual to uniquely identify them for health purposes.

Organisations can only process special category data on one or more of the following grounds:

Employment, social security and social protection obligations: certain obligations under employment, social security and social protection law may allow the processing of special category data. You need to be able to identify the legal obligation or right in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. You can refer to a government website or to industry guidance that explains generally applicable employment obligations or rights. In this instance it would be sufficient to refer to the Health and Safety at Work (UK) etc. Act 1974 which states:

“it shall be the duty of every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his/her employees”.

For example, an employer will want to know whether, in light of COVID-19, an individual member of staff is a health risk in order to ensure the health, safety and welfare of that staff member and the other employees. This is likely to include collecting special category health data from a number of individuals. The employer can rely on employment, social security and social protection obligations to do this processing.

On the other hand, if the employer were to collect unnecessary data such as medical information beyond the scope of that required to diagnose COVID-19 within government guidance, or if the employer disclosed the names of people diagnosed when it was unnecessary to disclose such information then these actions would amount to infringements of data protection law.

Preventative or occupational medicine: occupational medicine is a specialist branch of medicine that focuses on the physical and mental wellbeing of employees in the workplace. Under GDPR the processing of special category data is permitted for the purposes of preventative or occupational medicine, the assessment of an employee’s working capacity, medical diagnosis and/or the provision of health care or treatment.

Section 11 of the Data Protection Act (UK) 2018 states that in the UK organisations can only rely on this condition if the information is being processed by a health professional, a social work professional or another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. Therefore, this condition only applies where an organisation has appointed medical or social advisors who are professionals.

So, an organisation can be justified in processing special category data relating to COVID-19 on the advice of its medical advisors but only when able to show that the processing of this specific data is necessary. It must be a reasonable and proportionate way of achieving one of these purposes, and the organisation must not collect more data than it needs.

Public interest in the area of public health: on the advice of public medical advisors it may be possible to process special category data. This condition is only applicable where the processing is by, or under the responsibility of, a health professional or by someone else who in the circumstances owes a legal duty of confidentiality. For example, an organisation is contacted by health professionals who are trying to collect special category data in relation to the COVID-19 crisis to enable statistical analysis of the disease. On the advice of such public medical advisors, an organisation may rely upon the public interest in the area of public health condition when processing special category data for this purpose.

Consent is another legal basis for processing personal data. When collecting data as an organisation about individuals it is better not to rely upon consent because there is a risk of it not being freely given. This is based upon the general view that an inherent imbalance of power exists between individuals and organisations, in favour of organisations. Consent can also be withdrawn at any time.

Proportionate Collection/Processing of Personal Data for Purpose

An important aspect of GDPR compliance is that organisations only collect as much personal data as is strictly necessary for the purposes being pursued.

Within the context of COVID-19 this includes not naming an individual who is a health risk to other individuals, or disclosing any other sensitive information about that individual within an organisation, when it is not strictly necessary. Another example may be when enquiring about those experiencing symptoms within an individual’s household. In this instance it is unlikely that any more information than a simple ‘yes’ or ‘no’ answer would be required.

In addition, organisations should ensure that the personal data that they collect is stored only for as long as necessary.

COVID-19 Data Protection Q&A

Can you tell staff that a colleague may have potentially contracted COVID-19?

Yes. You should keep staff informed about cases in your organisation. But don’t provide any more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection rules do not prevent you doing this.

Can you collect health data in relation to COVID-19 about employees or from visitors to your organisation? What about health information ahead of a conference, or an event?

You have an obligation to protect your employees’ health and therefore it is reasonable to ask people, be that employees or visitors to your organisation, to tell you if they are experiencing COVID-19 symptoms and hence collect special category data about them. Don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards and discarded as soon as it becomes obsolete.

For example, the best thing to ask would be a simple yes or no question as to whether an employee or visitor is experiencing COVID-19 symptoms or if anybody in their household is. Gaining any medical information unrelated to COVID-19 or their ability to visit your organisation would be deemed unnecessary.

You could also ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms. This approach should help you to minimise the information you need to collect.

Homeworking

Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances. This includes the potential need to specifically train homeworkers on their obligations and those of the employer in relation to data protection and confidentiality, concerning the procedures which they must follow, and what is, and is not, an authorised use of data.

Should Organisations Consider Undertaking a Data Protection Impact Assessment (DPIA)?

GDPR requires organisations to undertake a mandatory DPIA if their processing is likely to result in a high risk to the rights and freedoms of individuals. This should involve consideration of the likelihood and severity of potential harm. Article 35(3) of the GDPR provides the following examples of when a processing operation is "likely to result in high risks":

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • Processing on a large scale of special category data, or of personal data relating to criminal convictions and offences.
  • A systematic monitoring of a publicly accessible area on a large scale.

Of particular relevance to COVID-19 is the processing of biometric data, genetic data and/or tracking data:

  • The GDPR defines biometric data in Article 4(14) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of a person, such as facial images or dactyloscopic data”. A fingerprint would be an example.
  • The GDPR defines genetic data in Article 4(13) as “personal data relating to the inherited or acquired genetic characteristics of a natural person”. A genetic profile of an individual would be an example.
  • Tracking data: an example would be if an organisation uses device location data when assessing the geographical implications of COVID-19.

If an organisation has already started to undertake such processing activities or process this kind of data without undertaking a DPIA then they should perform one as soon as possible.

In the context of COVID-19 a DPIA will be necessary if an organisation has processed data in this way or of this nature in response to the pandemic. It is also helpful to know the context in which an organisation would be expected to perform a DPIA so that it can avoid it. Another example might be an organisation that becomes involved in the large scale processing of data in response to the crisis. Such an organisation should be prepared to undergo a DPIA if the nature of this new processing requires it.

Undertaking a DPIA, mandatorily or not, can still be useful for organisations in order to understand potential risks within their data controlling/processing activities.

If you need any help with COVID-19 data protection issues or on any other aspects of data protection law please get in touch with one of our data protection lawyers.


The Office Lease - Risks And Opportunities

When negotiating an office lease, the tenant may be dealing with the property industry for the first time. It is then tempting to focus only on the rent and assume everything else is a relatively minor issue. That would be a mistake.

Three Points To Be Aware Of

  1. The office lease does not have to be fair.
  2. Risks in the property industry involve relatively large numbers.
  3. Certain words and phrases in an office lease may appear to have one meaning but actually have a very different meaning in court.

Three examples:

  • If a repairing obligation includes the words “put and keep” then the tenant may find itself upgrading the whole premises despite only having, say, a 3 year office lease. To add insult to injury, the tenant may only realise what it’s got itself into after the lease ends, meaning it would not even be able to use the property in its renovated state.
  • The extent of the “premises” being rented may seem to be a matter of common sense but it may or may not include the windows, doors, non-structural walls, structural walls, pipes and cables and the roof! The extent of the premises simply depends on what the office lease happens to state but it will be up to the tenant to repair and insure the whole of the premises. That may sometimes not be a problem but beware that the building may only look like it is in a good condition: be sure not to have liability for hidden defects, to find out about any incidents in the insurance history of the building and to confirm that the building is fully insured (i.e. for its full reconstruction value).
  • In a modern office building, a relatively small and brief fire in the kitchen of a small office premises can easily cause damage that results in £100,000 of costs to the landlord and the other tenants in the building.

Is Your Landlord Solvent?

Many mistakes made by tenants actually come down to a belief that the landlord, as it owns a commercial property, is relatively wealthy. This is frequently not true. Although the landlord may be part of a corporate group which is wealthy, the landlord company itself may have bank financing and internal company loans which exceed the value of the building and thus is simply supported from one year to the next by its parent company. Such arrangements are not uncommon and tenants should therefore take the extra time to think carefully and ensure they remain protected even in the event of the landlord’s insolvency.

An office lease is a very flexible document which manages many risks (each of which may be larger than the annual rent) in a business relationship that will usually continue for many years. An office lease can easily lead to the financial ruin of either the landlord or the tenant but if handled properly, these risks can be managed in a way that allows both parties to safeguard their businesses and grow. How the risks are managed must also reflect the financial, organisational and technical ability of each party to cope with them on a long term basis.

Office Lease Flexibility

An office lease should also reflect the potential for a tenant’s business priorities to change over time. This is true for start-ups as well as more established businesses. Consider:

  • Many businesses adopt strategies which reflect the prevailing attitudes of investment analysts, who sometimes like focused businesses and sometimes instead prefer businesses with a spread of activities and hence risk. As tenants may buy or sell subsidiaries, open new divisions of their business or themselves become take-over targets, it is important that the office lease remains flexible enough for a tenant to change its business strategy.
  • For start-ups, the future is quite unpredictable, so it would often be helpful to adapt the office lease so that at least the cost of the lease is predictable. For example, larger landlords may agree to having a fixed service charge and rent to be paid monthly in advance instead of the standard 3 months in advance. As a further example of a common problem, will the landlord carry out an (expensive) inspection of the premises months after the tenant has vacated and then invoice it all to the tenant?
  • Does the office lease ensure that at the end of the lease, the tenant can choose to take a new office lease and remain in the premises or would there be a lengthy discussion about the new rent level and open competition from any new potential tenants? For a tenant, that prospect may not only be worrisome from a financial perspective but also from a time perspective: the process of carefully selecting new premises and moving into them is very time consuming. A lease can manage this in many ways.
  • If there is further space available in the building, would it be prudent for the tenant to reserve that space for 6 – 12 months?
  • Might the tenant need specialised telecom and data cabling installed in the building? That might be expensive, slow and even forbidden if the office is in a listed building or if, as so often happens in London, the landlord also needs consent from one or more superior landlords. Such issues can be addressed in the lease at the outset, to avoid expensive problems in the future.
  • Does the landlord facilitate contact between the tenants? This does not take much effort for a landlord but clearly, is better discussed at the outset if it might be important. A simple gathering of the tenants twice a year could facilitate new business relationships or a strategy to green the building. Those are both items which can be simple and cheap but are quite impossible if the tenants do not talk and that is hard to achieve if the landlord does not facilitate it.
  • Does the landlord plan to provide a service or will the landlord be very difficult even to contact? The office lease can also establish the right communication channels between landlord and tenant and that can make all the difference in any business relationship.

Use An Expert

It is therefore important, especially for tenants who may be dealing with the property industry for the first time, to choose advisers who have a deep experience of the entire property industry and can therefore efficiently solve problems on time and budget and who can provide support for the entire lifecycle of the office lease: the initial heads of terms, the lease itself, fit-outs and refurbishments to the property (by either or both the landlord or the tenant), expanding, insolvency, renewing the lease or preparing the exit (well in advance). Contact Neil Williamson or call us on 0203 637 6374 if you would like to enquire about any aspect of an office lease.


COVID-19 Force Majeure and Frustration

COVID-19 has sent shockwaves throughout the business world. For some businesses the impact has been severe and they will find it difficult or impossible to perform contracts entered into before the onset of the pandemic.

In this blog we provide an overview of how businesses may be able to rely on force majeure or the doctrine of “frustration” so as to avoid liability for failing to perform their obligations as a result of COVID-19.

Contractual Position

If you are working under a contract governed by English law the starting position is that you must perform that contract. So, even if you are affected by COVID-19 you must still perform that contract and if you fail to do so you will be liable. There are two key exceptions to this rule: the operation of any force majeure clause in your contract and the common law concept of frustration.

COVID-19 Force Majeure

Unlike in other jurisdictions, neither English common law nor statute recognises force majeure. So if your contract does not contain a force majeure clause you cannot use force majeure as a means to avoid liability for non-performance.

If your contract does contain a force majeure clause then you will need to check it to see how it deals specifically with each party’s rights and obligations. Key factors to consider are set out below.

Is COVID-19 covered?

Assuming COVID-19 is not specifically covered as a force majeure event, check if it is the type of event that would fall under general force majeure wording (e.g. pandemic or similar wording), or whether there has been a government decision or administrative action preventing performance that meets the political interference language which is commonly included in definitions of force majeure.

Should the party that wishes to claim force majeure have guarded against COVID-19?

Check if the contract excludes events that could have reasonably been provided against, avoided or overcome. In the COVID-19 context, the current pandemic is not likely to be foreseeable. On the other hand, parties who elected to enter contracts with reasonable knowledge of the virus’s potential consequences, such as in January of 2020 when the virus began to attract attention in China, may have a more difficult foreseeability argument.

Is COVID-19 the true reason for not being able to perform the contract?

The party that is seeking to rely on force majeure must usually establish that the force majeure event has prevented or hindered it from performance of the contract. This is mostly a factual question but, again, will also turn on the exact wording of the clause. For example, some force majeure provisions require performance to have been rendered impossible, so the burden on, for example, a contractor to show that it could not have sourced staff, equipment or materials from elsewhere will be high. Generally, force majeure clauses are not so generous as to offer relief where services or goods will simply be more expensive to perform or obtain.

Mitigation

The party that is claiming force majeure relief is usually under a duty to show that it has taken reasonable steps to mitigate or avoid the effects of the force majeure event. Check whether being able to rely on force majeure is conditional upon you mitigating the effects of COVID-19.

Notice requirements

Parties will wish to ascertain whether prompt notification is a contractual condition precedent to relief. In that situation, a failure to notify in the prescribed manner will result in a party being unable to rely on the provision. In other cases, a failure to notify will not prevent a party from relying on a force majeure provision and the only consequence will be a potential damages claim (if the other party has suffered a loss). The courts have not always taken a consistent approach to the interpretation of notice provisions, and clearly the safest course of action is to ensure strict compliance with any notice provisions in the prescribed manner and as soon as possible.

What are the consequences of establishing COVID-19 force majeure?

In most contracts, establishing force majeure will lead to relief from performance, thereby avoiding the risk of a default termination, and an extension of time to target dates. Commonly, parties bear their own costs arising from any force majeure delay but there are exceptions where compensation may be payable after a certain duration or certain costs are payable from one party to another. Extended periods of force majeure can lead to a right for one or more parties to terminate the contract. If the parties do not wish this to happen, it is important to engage in discussions sooner rather than close to the deadline. It may be preferable for these to be held on a without prejudice basis.

COVID-19 Frustration

In the absence of a force majeure clause, a party to a contract may be able to rely on “frustration”. Frustration is a common law right that allows a party to be discharged from its contractual obligations if a change of circumstances makes it physically or commercially impossible to perform the contract or would render performance radically different from that agreed to when the parties entered into the contract. This test may be satisfied if the commercial purpose of the contract is no longer achievable. Delay caused by COVID-19 could in principle be a frustrating event, depending on the nature of the contract in question and the length of the delay.

The focus will be on the parties’ specific contractual obligations and whether they have ‘radically changed’ as a result of the spread of COVID-19 to the extent that requiring a party to comply with its strict contractual obligations would mean requiring it to do something fundamentally different from that which it originally promised to do. In other words, it will be important to identify the consequences of the pandemic on the parties’ ability to perform the specific contract in question. It is unlikely to be sufficient that circumstances have changed in society generally or that performance of the contract has become more onerous or expensive or even uneconomic.

Consequences of frustration

Frustration discharges a contract meaning that all current and prospective rights and obligations are cancelled. All sums paid by a contracting party before the frustrating event will be repayable, subject to the court’s discretion (broadly) to give credit for expenses incurred or benefits provided by the other contracting party.

If you have any questions or need help with any COVID-19 force majeure or frustration issues please contact Neil Williamson or call us on 0203 637 6374.


COVID-19 Furlough Job Retention Scheme

In this blog we explain what furlough leave is and how the Job Retention Scheme introduced by the Government as a result of COVID-19 can help employers and employees.

Please bear in mind the situation is fluid and if you would like advice around furlough leave or any other aspects of the COVID-19 Job Retention Scheme please contact one of our employment lawyers.

Background

As a result of the economic impact of the COVID-19 pandemic, the Government has introduced the Coronavirus Job Retention Scheme. The scheme is intended to avoid redundancies by alleviating the pressure on employers to continue paying wages in full during the crisis period.

The scheme enables an employer and employee to agree to the employee being put on furlough leave, i.e. a period of leave during which the employee is not required to work. The employer can then recover a proportion of the employee’s salary from HMRC. The level of reimbursement allowed will be the lower of 80% of wage costs or £2,500 per calendar month.

Once it is up and running the scheme will be backdated to 1 March 2020. The scheme will be open for three months and then extended if necessary. The Government expects the scheme to go live by the end of April 2020.

Which staff are included in the Job Retention Scheme?

Employees

The following individuals are covered by the scheme provided they were on the employer’s payroll on 28 February 2020:

  • Full-time employees.
  • Part-time employees.
  • Employees on agency contracts.
  • Employees on flexible or zero-hour contracts.

Employees who were made redundant since 28 February 2020 can qualify if they are re-engaged by their former employer.

Self-employed

The self-employed are not covered but a scheme is being set up to provide them with similar rights.

Does the employee have to be at risk of redundancy to be covered by the scheme?

The precise circumstances in which an employer can put employees on furlough leave remain unclear but it seems that the scheme is intended to cover employers who, without the scheme, would need to drastically cut their payroll as a result of the crisis, either through lay-off or redundancy. We will need to hear more from the Government about what evidence HMRC may require but we believe it is unlikely that employers will need to provide anything substantial to back up their claims. However, the Government has stated that it will retain the right to retrospectively audit all aspects of the scheme with scope to claw back fraudulent or erroneous claims.

Can you put employees on long-term sick leave on furlough leave?

Government guidance suggests that employees who are on sick leave or self-isolating should receive statutory sick pay (SSP) but can be furloughed once they have recovered or are no longer self-isolating.

It seems likely therefore that employees who are on long-term sick leave and have exhausted SSP will not qualify for furlough leave until they are fit for work.

Where an employer is selecting which employees to designate as furloughed, they must be mindful of the risk of discrimination if selection is linked to a protected characteristic such as disability.

Implementing furlough leave

What steps must employers take?

Government guidance states that employers should discuss the proposal with staff and make changes to the employment contract by agreement. It is a condition of eligibility for reimbursement that furlough leave is confirmed to the employee in writing.

Employers will need to:

  • Decide which employees to designate as furloughed employees.
  • Notify furloughed employees of the intended change.
  • Consider whether to consult with employee representatives or trade unions.
  • Agree the change with the furloughed employees in the form of a “furlough agreement” (more on this below). Most employment contracts will not permit an employer to reduce an employee’s pay, provide them with no work and change their employment status, without agreement. However, faced with the alternatives, which are likely to be unpaid leave, lay-off or redundancy, the majority of affected employees are likely to agree to be placed on furlough leave.
  • Confirm the employees’ new status in writing. This is an eligibility requirement for accessing the subsidy, and a record must be kept of this correspondence.
  • Submit information to HMRC about the employees that have been furloughed and their earnings through the new online portal, expected to be operational by the end of April 2020.
  • Ensure that the employees do not carry out any further work for that employer while they are furloughed.

Furlough Agreement

It is important that the agreement between the employer and employee for the employee to be placed on furlough is carefully drafted as it will amount to a variation to the employee’s employment contract. As well as covering rights to pay during the furlough leave itself, the agreement should address other benefits such as pension rights and bonus entitlement.

Deciding which employees to put on furlough leave

An employer could initially ask for volunteers. However, in some cases an employer may receive more volunteers than it wants to furlough. The procedure an employer follows to decide which employees to furlough may depend on its current financial situation. If the employer needs to very urgently furlough employees or make them redundant in order to be able to continue to trade, a limited selection procedure carried out on an urgent basis is likely to be acceptable. However, where an employer does not have any immediate financial concerns, it is likely to be more reasonable for it to follow a more comprehensive procedure in a similar way to redundancy scoring.

It may seem unfair that some employees will be required to continue working, potentially increasing their risk of infection if they are unable to work from home, and others will be permitted to receive a substantial proportion of salary and not be required to do so. However, provided the employer has used appropriate, non-discriminatory criteria to choose who is granted furlough leave, it is possible for an employer to lawfully choose to furlough only part of the workforce.

Will employers need to collectively consult if they intend to put 20 or more employees on furlough leave?

The short answer is “yes” - the employer will have a duty to inform and consult appropriate employee representatives but this is a complex issue in these circumstances and what the employer should do depends on the employer’s position. If you are considering putting 20 or more employees on furlough leave please get in touch with us to discuss the best way forward.

Do employers have to top up the remaining 20%?

Employers are entitled to continue paying full pay during furlough leave, but they are not obliged to do so. If they do top up, they can only claim back employer national insurance contributions and minimum auto-enrolment payments up to the cap.

Withholding 20% of an employee’s salary will, however, amount to breach of contract and unlawful deduction of wages unless the employee gives their consent. It is expected that the majority of employees will consent since furlough leave is a better alternative than unpaid leave, lay-off or redundancy.

How does an employer make a claim to HMRC for reimbursement?

To claim, the employer will need to submit:

  • The employer’s PAYE reference number.
  • The number of employees being furloughed.
  • The claim period (start and end date).
  • The amount claimed.
  • The employer’s bank account number and sort code (UK bank account).
  • A contact phone number.

Employers can only submit one claim at least every three weeks, which is the minimum length an employee can be furloughed for. Claims can be backdated to 1 March 2020 if applicable.

Reimbursement will be paid via BACS payment to the nominated bank account.

The claim can only be made at the point at which the employer runs payroll or in advance of an imminent payroll because actual payroll amounts need to be submitted.

What can the employer claim back?

Employers can claim up to the lower of 80% of usual monthly wage costs or £2,500 per employee, plus the associated employer national insurance contributions and minimum auto-enrolment employer pension contributions.

Fees, commission and bonuses should not be included in the calculation.

The 80% calculation is based on the employee’s gross salary at 28 February 2020.

Auto-enrolment pension contributions and employer’s NICs can be reclaimed in addition to the cap.

The sum paid to the employee during furlough leave is subject to income tax and national insurance in the usual way.

The reimbursement is made to offset those deductible revenue costs and should be treated as income in the business’s calculation of its taxable profits for income tax and corporation tax purposes, in accordance with normal principles.

If you have any questions or need help with any COVID-19 furlough issues please contact Rhodri Thomas, Helen Monson or Imogen Finnegan or call us on 0203 637 6374.