Marcus, Author at Marcus Andreen

Author Archive

DUA: New Rules

16/06/25

Great – I’m a big fan. Although I’ve got a sneaking suspicion this isn’t going to be a chat about our favourite Dua Lipa tunes.

Correct. But now you’re here let me tell you about the other DUA you need to know about.

The Data (Use and Access) Bill (“DUA”) was introduced by the UK government in October 2024 as the pared-down successor of the previous government’s (now defunct) Data Protection and Digital Information Bill (“DPDI”), which itself was introduced in July 2022. Since the bulk of its provisions had already been discussed in relation to the DPDI Bill, the DUA Bill was expected to have an easy journey through Parliament to the statute book.

However, shortly after introducing the DUA Bill the government published its Copyright and AI Consultation Paper as part of its consultation on copyright and AI, and you will almost certainly have read about the opposition by numerous well-known musicians, authors and other artists (including Elton John and Dua Lipa) against one of the policy options in the Consultation Paper, the so-called opt-out mechanism which would entitle AI developers to access and use copyright material for training purposes unless the copyright owner has expressly opted out. And, although the DUA Bill as introduced by the government does not deal with the copyright and AI issue, the House of Lords decided to use it as a proxy to propose a number of legislative changes providing protection for the UK creative sector against AI developers. The government rejected all amendments proposed by the Lords, and after more than a month of ‘ping-ponging’ between the House of Commons and the House of Lords, the Lords eventually gave way and the DUA Bill was passed on 11th June 2025. The bill is expected to receive Royal Assent in the next few days.

So we’ve just got our heads around the UK GDPR and we’ve now got a new data protection law running to 147 clauses and 16 schedules? Really?

It’s not quite as bad as it looks. First, although the DUA Bill is a chunky piece of legislation, less than half of it deals with data protection and privacy. Plus I agree with commentators who have described DUA as an evolution not a revolution of data protection law; as we’ll see there are a couple of interesting changes but for the most part the impact of DUA on SMEs is likely to be minimal.

By way of a summary of the data protection and privacy-related changes:

There is clarification what constitutes ‘scientific research’ and confirmation that individuals can give their consent for their personal data to be used for more than one type of research, including types of research that can as yet not be identified.
The DUA Bill introduces a new concept of ‘recognised legitimate interests’ which dispenses with the need to carry out a legitimate interest assessment where the processing is carried out for one of the following ‘recognised interests’:
- responding to emergencies
- democratic engagement where there is a public interest in the dissemination of political opinions
- detecting, investigating or preventing crime
- safeguarding vulnerable individuals
In relation to legitimate interest assessments (LIAs) the DUA bill provides that certain types of processing purposes “may be processing that is necessary for the purposes of a legitimate interest”, i.e. they’re not automatically necessary but they’re likely to pass an LIA. The processing purposes are:
- direct marketing
- intra-group transfers for internal administration
- ensuring the security of networks and IT systems
The DUA Bill includes a list of purposes which are treated as being compatible with the original purpose for which personal data was collected, i.e. the controller does not a need a new lawful basis under the purpose limitation principle. The list of compatible purposes includes:
- performance of a task carried out in the public interest
- archiving in the public interest
- protecting public security
- responding to an emergency
- detecting, investigating or preventing crime
- complying with a legal obligation
The Secretary of State has the power to make changes to the types of data which constitute special category data. However, the Secretary of State cannot remove any of the types of ‘core’ special category data listed in Art 9(1) of the GDPR.
The DUA Bill confirms that when making a data subject request (DSR) data subjects are only entitled to information resulting from a “reasonable and proportionate” search by the business, and provides clarification on how time periods for replying to a DSR are calculated.
In relation to assessments whether a third country is adequate for data transfer purposes, the Secretary of State will now assess whether the standard of protection provided to individuals in the recipient country is “materially lower” than the standard of protection under UK law, replacing the existing requirement that the standard of protection must be “substantially equivalent”.
The rules relating to automated decision-making are made less strict where decisions are not made on the basis of special category data.
The DUA Bill amends the Privacy and Electronics Communications (EC Directive) Regulations 2003 (PECR) by removing the requirement for providers of most online services to obtain a user’s consent for placing of cookies and other tracking technologies which collect data for improving the functionality and performance of their website

Quite a list but I take your point about evolution rather than revolution. That said, the last two sound interesting. What’s happening with automated decision-making?

The current rules on automated decision-making (ADM) are set out in UK GDPR, Art 22. In short they provide that an automated decision which produces legal effects on an individual (or similarly affects the individual) is only lawful if the decision:

is necessary for entering into or performing a contract, or
is required or authorised by law, or
is based on the individual’s explicit consent.

Furthermore the data controller must implement “suitable measures” to safeguard the individual’s rights and freedoms, including the right for the individual to make representations about the decision, to obtain human intervention in relation to the decision, and to contest the decision.

The DUA Bill introduces additional flexibility by having different requirements depending on:

whether or not the decision results from processing any special category data and
whether or not the decision is a ‘significant decision’, defined in the DUA Bill as a decision which “produces a legal effect for the data subject” or has a “similarly significant effect”.

If a decision results from processing special category data then broadly speaking the existing ADM restrictions will continue to apply, i.e. the ADM is only lawful if the decision is necessary for entering into or performing a contract, or is required or authorised by law, or is based on the individual’s explicit consent.

However if the decision does not result from processing any special category data then the current restrictions will no longer apply. And as a result ADM could, for example, take place on the basis of legitimate interests, i.e. without obtaining any consents.

Separately, if automated processing (whether or not involving special category data) produces a significant decision, the controller must ensure safeguards are in place which ensure that the individual is provided with information about the decision and also enable the individual to:

make representations about the decision
obtain human intervention on the part of the controller in relation to the decision and
contest the decision.

It follows that if the automated processing does not produce a significant decision the controller is not required to put in place the safeguards, even if the decision resulted from the processing of special category data.

Two final points on the new ADM rules:

1. The DUA Bill provides that a decision is based solely on automated processing if there is no “meaningful human involvement”. Whether there is any meaningful human involvement will depend on, among other things, “the extent to which the decision is reached by means of profiling”. If the controller concludes that there is meaningful human involvement in the decision-making then the ADM rules do not apply.

2. The Secretary of State has the right to issue regulations:

to confirm specific decisions which do or do not involve meaningful human involvement
to provide a description of decision which do (or do not) constitute significant decisions
to impose requirements regarding safeguards for individuals who the subject of significant decisions.

The big change here is clearly not having to obtain individuals’ consent when ADM doesn’t involve special category data. Remind me what special category data is?

The types of personal data which constitute special category data are listed in UK GDPR, Art 9(1):

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

A couple of things to note: information regarding someone’s income, assets or their financial circumstances is not special category data; and as already mentioned the Secretary of State is entitled to add new categories to Art 9(1).

And finally what about the changes to cookies? Am I going to be able to get rid of my cookie banner?

The current rules are set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). In short they require a website provider to obtain user consent for all cookies except those which are “strictly necessary”.

The DUA Bill creates additional exceptions for cookies and other tracking technologies that are placed solely for the purposes of:

Determining how the website, or a service provided by the website, is used with a view to making improvements to the website or service. or
Enabling the appearance or functionality of the website to adapt to the user’s preferences. or
Enabling an enhancement of the appearance or functionality of the website when displayed on the user’s device

However website providers must still provide visitors with “clear and comprehensive” information about the purpose of the cookie, as well as a “simple means” of objecting to the cookie. In practice this may mean that cookie banners are here to stay but at least website providers can now pre-tick the consent box for functional/performance cookies.

Tags: #pecr, data protection, gdpr, ICO, privacy, third country, UK gdpr
Posted in Privacy, Updates | No Comments »

What do you mean they didn’t sign an NDA?

05/01/23 – If you’re having a meeting or discussion with a third party which may involve you disclosing confidential information you should of course make sure that you get the third party to sign a non-disclosure agreement (NDA). Although the detailed terms of NDAs vary, they generally have two principal functions: to impose an obligation on the party receiving the information to keep it confidential; and to ensure that the receiving party only uses the information for a specific purpose, typically to consider whether to proceed with the transaction or arrangement that is being discussed.

But what if you disclose confidential information to a third party without having an NDA in place?

Although the circumstances were slightly unusual, this is what happened to fintech vendor Clearcourse when they were negotiating for the purchase of E-Novations in August 2020. The CEO and part-owner of E-Novations, Manoj Jethwa, left the meeting room to collect some papers from his office next door. During Mr Jethwa’s absence, the representatives of Clearcourse had what was later described as an ‘unguarded and candid’ conversation about the negotiations, their (unflattering) views of Mr Jethwa, and the likelihood of Mr Jethwa being fired if the purchase completed. Mr Jethwa heard the representatives’ conversation through the wall between his office and the meeting room. Mr Jethwa also took a screenshot of the live CCTV footage from the meeting room, but claimed that there was no audio recording.

Following completion of the purchase, a dispute arose in relation to the sale and purchase agreement. In response to an ultimatum from Clearcourse to settle the dispute, Mr Jethwa shared the CCTV screenshot, with the following text message: “You should know this doesn’t do you any favours. Whilst I walked out and what you both say should be of interest for social”. In other words, Mr Jethwa threatened to make public via social media the conversation that he had overhead from his office.

Perhaps surprisingly given the nature of the discussions it appears that the parties had not signed an NDA. Clearcourse therefore made a successful application to the High Court in April 2022 for an ‘interim non-disclosure order’ (or ‘INDO’) injunction, restraining Mr Jethwa from disclosing the overheard conversation or any recording of it. Shortly afterwards there was a full High Court hearing to decide whether the INDO should be continued, when the Judge confirmed that he was satisfied that Clearcourse would ‘more likely than not’ succeed with its underlying claims for breach of confidence and misuse of private information, and continued the injunction – for the full judgement see Clearcourse Partnership and others v Jethwa [2022].

Looking at these two types of claim in turn:

Breach of confidence

For a claim for breach of confidence, the claimant must establish that:

the relevant information has the necessary quality of confidence
the person looking to disclose or use the information came to know of it in circumstances importing an obligation of confidence and
there has been unauthorised use, or a threat to use, the information to the detriment of the claimant.

Circling back to the conversation overheard by Mr Jethwa during the course of the negotiations, the Judge was satisfied that a reasonable person ‘would appreciate that a conversation held behind closed doors, between individuals on the opposite side to him in a business negotiation on these subjects, was both private and confidential’. The Judge emphasised that the duty of confidence does not only arise when a person seeks out the confidential information, but also when confidential information ‘comes to the knowledge of a person in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others’.

Misuse of private information

For a claim for misuse of private information the following two limbs must be satisfied:

the claimant must establish that they have a reasonable expectation of privacy regarding the information in question and
the court needs to balance the claimant’s right for privacy against the rights of others, such as the other party’s right to freedom of expression.

In Clearcourse, the Judge (dealing with limb 1) held that Clearcourse’s directors ‘would regard their conversation, behind closed doors, as giving rise to a reasonable expectation of privacy’, and (dealing with limb 2) that there was no justification for the disclosure of it by Mr Jethwa, whether on the grounds of his right to freedom of expression or otherwise.

Key takeaways

Where an NDA has been forgotten or overlooked, all may not be lost – a claim for breach of confidence and/or misuse of private information may be available. And as Clearcourse demonstrates it will be difficult for a recipient of confidential information in the context of a business negotiation or discussion to argue that they are not subject to a duty of confidence, even where the information comes to their knowledge inadvertently or by accident.
But the cost of making a High Court application for an interim non-disclosure order plus a return hearing will quickly run into five figures. It will also require significant management time, and possibly generate unwelcome publicity. Therefore focus on putting in place robust processes to ensure that all relevant commercial discussions with third parties are subject to signed, mutual NDAs.
If you are caught out, perhaps by only discovering that there was no NDA in place after the meeting has finished and the confidential information disclosed, then consider writing to the third party to confirm that the disclosed information is confidential and that, given the circumstances in which it was disclosed, the third party is subject to a duty of confidence in respect of the information.

Tags: #clearcourse, #confidentiality, #dutyofconfidence, NDA
Posted in Commercial, Updates | No Comments »

Direct marketing to business contacts

29/11/22 – The Information Commissioner’s Office (ICO) recently published new guidance on email marketing and phone marketing. The guidance is supplementary to the ICO’s Guide to the Privacy and Electronic Communications Regulations (PECR) and (124-page) draft Direct Marketing Code of Practice.

Direct marketing is a fiddly area, with different rules depending on whether you’re using email/text, phone, post or (perhaps less likely) fax, and also whether you’re marketing to companies, sole traders/partnerships, or individuals. This post takes a look at the rules for direct marketing by UK businesses of their own products and services, either by email or text/voice messaging services (such as WhatsApp or LinkedIn), or by phone. It is not exhaustive, and there are additional rules if for example you are selling pensions or claims management services, marketing to children etc.

What’s the relevant law?

The law applicable to direct marketing is set out in the Privacy and Electronic Communications Regulations 2003 (PECR) and to a lesser extent the UK GDPR and Data Protection Act 2018. The ICO provides extensive, plain English overviews of all areas of marketing law.

Direct marketing by email/messaging services

If you’re looking to market to a contact by email or using a text or voice messaging service then you either need to obtain the contact’s consent or you need to check if you can use the so-called ‘soft opt-in’ exemption.

Consent. For consent to be valid it needs to be freely given, specific, informed and unambiguous. In practice this means no pre-ticked checkboxes, and making sure the consent covers the type of communication you’re using – obtaining consent for marketing by email does not entitle you to send them a WhatsApp. The consent also needs to be separate from other consents, so you can’t include marketing consent in the tickbox wording used for accepting your terms of service.

Soft opt-in exemption. To use the soft opt-in exemption, you need to meet all of the following criteria:

You must have obtained the contact details yourself. You cannot for example use an email address obtained by someone in your marketing department.
The contact details must have been obtained as part of a sale or negotiation, i.e. the contact must either be an actual customer or a prospect who has previously expressed an interest in your products or services.
The marketing content must relate to products or services which are similar to the ones that your contact has previously purchased or been interested in.
The contact must have had an opportunity to opt-out of receiving marketing messages when you obtained their details, and they must continue to have that option, e.g by including a ‘click to unsubscribe’ link in the message.

A few things to bear in mind:

The direct marketing rules apply to individuals, which for these purposes include sole traders and partnerships. There are no restrictions on sending marketing messages to companies, LLPs, or other corporate entities such as local authorities.
Messages sent for customer service purposes (e.g. asking a contact to confirm their details, or providing product support) or for genuine market research purposes do not fall within the direct marketing rules. But the ICO have made it clear that if a customer service or market research message also contains a promotional element, then the whole message amounts to direct marketing. Halford’s discovered this to their cost when they emailed 498,062 customers with information about the Government’s Fix Your Bike voucher scheme, also suggesting that customers could use their vouchers at their local Halfords store – the ICO rejected Halford’s ‘service message’ argument and fined them £30,000.
The PECR direct marketing rules are separate from, and in addition to, the UK GDPR and Data Protection Act 2018. As well as the normal rules regarding the collection, storage and other processing of your contact’s personal data, you have to identify a lawful basis for using the contact’s information for marketing purposes.
When sending a message for direct marketing purposes, you must display identification information, provide clear information about the marketing, and provide a method to opt out.

Direct marketing by phone

In short, you do not consent for making direct marketing phone calls, whether to individuals or to businesses, unless either of the following applies:

The phone number is listed on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS).
Your contact or the business has previously objected to receiving marketing calls.

If the phone number is listed on TSP or CTPS you can still get consent to receive marketing calls. The ICO have suggested that any consent for overriding a TSP/CTPS listing should aim to meet the GDPR-style, opt-in standard that applies to direct marketing by email.

When making a direct marketing phone call, you must display your phone number (or a valid alternative number), say who is calling (and provide contact details if asked), provide clear information about the marketing, and make it easy for the recipient to object or opt out.

Tags: #marketing, #pecr, #softoptin, ICO
Posted in Commercial, Privacy, Updates | No Comments »

Dealing with overdue invoices – some options

09/11/22 – When I’m asked by a client to help with an invoice that they’ve been chasing without success, they assume the next step is for me to fire off a letter before action, ideally threatening fire and brimstone, and then issue legal proceedings. There are times when this is appropriate, but there are also a number of options available to suppliers before, or even instead of, asking a lawyer to help. This article takes a brief look at some of the options.

Confirm when the payment actually became overdue

Your invoice may state ‘PAYABLE WITHIN 14 DAYS’, but unless you have previously agreed 14-day payment terms with the customer then this will not be enforceable – you cannot unilaterally add your payment terms to a contract that has already been formed. Instead check the invoicing and payment terms that were agreed with the customer. This should be straightforward if there’s a written agreement, or if the customer agreed to your Ts&Cs. If not, then it may be that the customer’s PO incorporated their purchasing Ts&Cs, and the customer’s payment terms apply.

Once you’ve confirmed the correct due date, check that you’ve done what the contract requires you to do, e.g. issued the invoice with the correct information included, sent the invoice to the correct contact at your customer, attached any required delivery receipts, timesheets, acceptance certificates etc.

Find out why the customer hasn’t paid

Sending repeated reminders and demands for payment is all well and good. But make sure to ask your customer why they haven’t paid your invoice. You may discover that there’s a problem with your product or service that you didn’t even know about, and that you can now look to fix. Or your customer may have a cashflow problem, in which case it may be in your interests to try to agree extended payment terms. If conversations are verbal, make sure to confirm them in writing.

Charge the customer for using you as a credit facility

Many commercial agreements have a late payment clause entitling the supplier to charge an agreed rate of interest on amounts which are overdue. Although these are mainly used when making a formal debt recovery claim, you can invoice the customer for contractual late payment interest at any time payment is overdue.

If your agreement does not have a late payment clause (or if the contractual late payment clause does not provide a ‘substantial remedy’), then you are automatically entitled to claim statutory interest plus fixed compensation under the Late Payment of Commercial Debts (Interest) Act 1998 (as amended). The rate of statutory interest is calculated as the Bank of England base rate plus 8% (so currently 11%), and can be charged from the date that the amount became overdue until the date of actual payment. The fixed compensation depends on the amount of the debt – it is currently £40 for debts of less than £1,000; £70 for debts of £1,000 or more, but less than £10,000; and £100 for debts of £10,000 or more. For these purposes each overdue invoice will normally constitute a separate debt. Again, you can invoice your customer for statutory interest and fixed compensation as soon as a payment becomes overdue.

A contractual late payment clause may include an obligation for you to give the customer advance notice before you invoice them for interest. There is no such requirement when invoicing for statutory interest and compensation, but it would normally be a good idea to do so.

Serve a statutory demand

If the amount owed is more than £750 and you don’t believe that the debt is disputed, then consider serving a statutory demand on the customer. Following service of the demand, the customer must either pay the debt within 21 days, or ask the court to set aside the statutory demand because the debt is disputed. If the customer fails to do either, you can ask the court to wind up the customer. Although a very effective credit control tool, the relationship with your customer is perhaps unlikely to recover.

Issue legal proceedings yourself

Money Claim Online (MCOL) is a portal operated by HM Courts & Tribunals Service for the recovery of debts of up to £100,000. It is intended to be used by non-lawyers as well as lawyers, and there are plenty of guidance notes to help users put together their claim. Fees range from 5% to just over 10% of the amount of the claim. As with all legal proceedings in the UK, before using MCOL you must first have tried to settle the dispute with your customer, including sending a letter before action with detailed information about your claim and giving the customer an opportunity to respond.

Tags: #baddebt, #creditcontrol, #invoice, #mcol #moneyclaimonline, #overdue, #statutorydemand
Posted in Commercial, Updates | No Comments »

UK data protection law update – October 2022

19/10/22 – After the uncertainties regarding post-Brexit transfers of data from the UK to third countries, the International Data Transfer Agreement (IDTA) finally came into force on 21^st March 2022. Since then things have been a bit calmer. Or at least until a couple of weeks ago when the Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, announced at the Conservative party conference that the government proposes to replace GDPR with a ‘consumer-friendly British data protection system’.

This update looks at the changes to UK data protection law that are currently being considered by Parliament and recent progress being made with post-Schrems II transfers of personal data to the U.S., and finishes with some thoughts on Michelle Donelan’s announcement.

Data Protection and Digital Information Bill

Last year the government announced a plan to create an ‘ambitious, pro-growth and innovation-friendly data protection regime’ for the UK, and following an extensive consultation the Data Protection and Digital Information Bill (‘DPDI Bill’) was introduced to Parliament on 18 July 2022.

The DPDI Bill proposes a number of changes to the UK GDPR and Data Protection Act 2018. Despite the government’s lofty goals, most if not all of the changes can probably best characterised as relatively minor adjustments and, with the exception of changes to the law on cookies, will make little difference to the majority of businesses. Changes proposed by the DPDI Bill include:

Clarification of the definition of ‘personal data’. Whether an individual is or can be identified is to be determined only from the perspective of the controller, the processor and any third party who will likely receive the information, rather than by absolutely anyone in the whole world. Also, when assessing whether data has been sufficiently anonymised (and not just pseudonymised), only additional information that is available ‘by reasonable means’ needs to be considered, rather than all information that could be obtained irrespective of effort.
When a controller is considering legitimate interests as a lawful basis for processing personal data and, as part of that exercise, assessing whether the controller’s interests outweigh those of the data subject, the controller may now rely on a list of ‘automatic’ legitimate interests. Although the list may be extended by the Secretary of State, it is currently limited to ‘public interest, national security, public security and defence, emergencies, safeguarding vulnerable individuals and democratic engagement’. Until it is extended the list will therefore be of limited help to most businesses.
A new test for the transfer risk assessment carried out before transferring personal data from the UK to a third country. Instead of verifying whether the level of protection required by UK law is applied in the third country (the ‘essentially equivalent’ test), controllers can take a risk-based approach based on outcomes, assessing whether the level of protection in the third country is ‘not materially lower’ than that provided in the UK. The new test will also apply to the Secretary of State when making an adequacy determination.
The requirement for certain organisations to designate a Data Protection Officer (DPO) is replaced with an obligation for public bodies and organisations carrying on ‘high-risk processing’ to a appoint a Senior Responsible Individual (SRI), who must be part of the organisation’s senior management. For most organisations this will simply be a rebadging exercise.
The requirement to carry out a Data Protection Impact Assessment (DPIA) to determine whether proposed processing may result in a high risk to data subject and, if so, to consult with the Information Commissioner’s Office (ICO) is replaced with a requirement to carry out an ‘assessment of high-risk processing’, with a consultation with the ICO being voluntary.
Controllers may currently refuse to respond to a data subject request which is ‘manifestly unfounded or excessive’. This test is replaced in the DPDI Bill with ‘vexatious or excessive’. I expect I’m not the only one wondering how much of a difference this will make in practice.
The ICO is renamed is renamed the Information Commission, and is given a broad range of new duties, including to promote innovation and competition.
Website operators are currently required to obtain user consent for all cookies unless they are ‘strictly necessary’ for the functioning of the website. This is extended to cookies used for installing necessary security updates, ensuring user preferences are followed, and collecting information for statistical purposes to make improvements to the services, with a right for the user to opt out.

Progress of the DPDI Bill has however stalled. Its second reading in Parliament was postponed on 5^th September 2022 following the announcement of Liz Truss’s leadership victory. And, in light of Michelle Donelan’s recent announcement, the bill could of course be abandoned altogether.

Transfers of personal data to the U.S.

Perhaps the thorniest issue for controllers and processors since the CJEU’s Schrems II decision is whether – and if so how – they can lawfully transfer personal data to the U.S. By way of a reminder, the CJEU in Schrems II invalidated the U.S.-EU Privacy Shield as a transfer mechanism, and then made it clear that EU data exporters cannot rely on Standard Contractual Clauses (SCCs) for transfers to the U.S. without addressing the lack of safeguards for data subjects as a result of U.S. signal surveillance activities. The UK in effect inherited the Schrems II problem under the EU-UK Withdrawal Agreement.

The EU and the U.S. have however now made good progress. On 7^th October 2022 President Biden signed an Executive Order (EO) which adopts a number of measures to limit the activities of U.S. signals surveillance activities, provides individuals with the right to have such activities reviewed and creates a mechanism for individuals to obtain redress. The EO also implements the EU-U.S. Data Privacy Framework announced earlier this year, in effect a relaunch of the Privacy Shield as a transfer mechanism for EU-U.S. data transfers. In response the European Commission stated that the actions set out in the EO will “address the concerns raised by the Court of Justice of the European Union in the Schrems II decision”, and the Commission is now expected to make the EU-U.S. Data Privacy Framework the basis of an adequacy determination for the U.S.. Pending the adequacy determination, the new safeguards confirmed in the EO are already helpful to EU organisations carrying out a transfer impact assessment to assess whether they can use SCCs to transfer EU personal data to the U.S..

On the same day as the EO was signed, Michelle Donelan and the US Secretary of Commerce, issued a joint statement announcing ‘significant progress on UK-US data adequacy discussions’. In particular, the UK will continue to work to conclude its adequacy determination for the U.S., and the U.S. will work to designate the UK as a qualifying state under the EO, which would give UK data subjects equivalent protections to those that are now afforded to EU data subjects. No indication was given how long this work will take, but it will almost certainly be months rather than weeks. In the meantime, UK organisations proposing to export personal data to the U.S. will want to consider the progress being made on the UK-U.S. data adequacy discussions when carrying out their Transfer Risk Assessments.

Replacing the GDPR

Michelle Donelan’s announcement that the government will be replacing the GDPR, adding for good measure that ‘it is time we seize this post-Brexit opportunity fully and unleash the full growth potential of British business’, went down well with the audience at the Conservative party conference. It’s perhaps unlikely however that many people in the audience were familiar with the detail of the GDPR, and the challenges of creating a data protection regime which achieves the right balance between freedom to use individuals’ personal information and the privacy rights of those individuals.

The reality is that the GDPR is now considered internationally to be the gold standard for data protection and privacy, with the GDPR model being adopted by a number of countries implementing or updating their own data protection laws (at least 17 countries according to one commentator). Having a data protection regime which is ‘essentially equivalent’ to the EU GDPR is also a condition for securing (or in the case of the UK maintaining) an EU adequacy status, which in turn allows the free flow of personal data to and from the EU. Any new ‘British data protection system’ which diverges significantly from the EU GDPR would jeopardise the renewal of the UK’s EU adequacy status in 2025. So whilst Michelle Donelan’s announcement may have gone down well with the pro-Brexit diehards, and we may see further adjustments along the lines of those proposed in the DPDI Bill, I expect the GDPR will be with us for a while yet.

Tags: #data privacy framework, #dpdi, #executive order, gdpr, idta, SCCs
Posted in Privacy, Updates | No Comments »

UK IDTA comes into force

21/03/22 – As expected, the International Data Transfer Agreement (IDTA), as well as the Addendum to EU SCCs, came into force today as appropriate safeguards for transfers of personal data from the UK to third countries under Article 46 of the UK GDPR. As part of the transitional arrangements the old EU SCCs (with appropriate modifications to make them ‘work’ for UK exporters) can continue to be used as an appropriate safeguard until 21 September 2022 and, if the processing remains unchanged, are capable of remaining valid until 21 March 2024. If you’re not sure what I’m talking about, have a look at my 01/02/22 update.

We are still waiting for the ICO to publish a final version of their new Transfer Risk Assessment (TRA) precedent and tool. In the meantime prospective exporters’ best bet is like to be to use the draft version from the ICO’s consultation last year. More information about TRAs here. I will you keep you updated.

Tags: ICO, idta, SCCs, TRA
Posted in Privacy, Updates | No Comments »

What’s happening with UK international data transfers?

01/02/22 – If you or your organisation transfers, or may transfer, personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection (which currently includes the U.S.), then read on. If not, then feel free to skip.

Back in August last year we looked at a brand new international data transfer agreement (‘IDTA’) template, together with a new international data transfer addendum to be used with EU SCCs (‘Addendum’), that the ICO published as part of its consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK’.

The ICO’s consultation closed on 7th October 2021, and on 28th January 2022 the Department for Culture, Media and Sport (DCMS) laid the final versions of the IDTA, the Addendum, plus the transitional provisions before Parliament. Unless the relevant statutory instrument is ‘objected to’ (which, given its subject matter, is very unlikely), the IDTA, the Addendum and the transitional provisions will come into force on 21 March 2022.

UK data exporters who enter into agreements with their data importers based on the old EU SCCs (i.e. Standard Contractual Clauses issued under European Commission Decisions 2001/497/EC and 2010/87/EU) on or before 21st September 2022 may, if the subject matter of the processing remains unchanged, continue to rely on those agreements until 21st March 2024. Note that this only applies where the agreements based on the old EU SCCs were modified to ‘fit’ post-Brexit UK data protection laws, and will not apply to EU SCCs entered into prior to Brexit.

Although the ICO have not yet published the responses from the consultation, the changes to the IDTA are limited with the main ones being:

Increased obligations for the data importer in case a data breach when the personal data is being processed by the data importer (see clauses 15.2 and 15.3).
The right for a party to the IDTA to refer a dispute to arbitration under the Rules of the London Court of International Arbitration, rather than a new (and apparently now abandoned) IDTA Arbitration Scheme (see clause 35.1)
The right for the ICO to update the IDTA template from time to time (including to reflect changes in UK data protection law), with updates automatically being incorporated into all then-current IDTAs (clause 5.4) This is clearly sensible, given the extensive changes to UK data protection law currently being considered by DCMS.

Tags: data transfers, gdpr, ICO, idta, international data transfers, SCCs, Schrems II
Posted in Privacy, Updates | No Comments »

Smart legal contracts – the Law Commission’s advice to the Government

10/12/21 – On 25th November 2021, the UK Law Commission published its advice to the Government on smart legal contracts. The advice expands on the UK Jurisdiction Taskforce’s legal statement on cryptoasset and smart contracts – see my post here.

The Law Commission concludes that current legal principles can be applied to smart contracts in much the same way as traditional contracts, with relatively minor developments required in certain contexts. It does, however, identify two specific problem areas that will require further work: the execution of deeds, and determining the geographical location where smart contracts are formed or breaches are committed (and therefore which jurisdiction’s laws apply), particularly where the smart contract concerns a digital asset.

This article considers some of the key observations and findings set out in the Law Commission’s advice.

1. What is a ‘smart legal contract’?

Considering the generally accepted definition of a smart contract as a computer program which run automatically, in whole or in part, without the need for human intervention, the Law Commission suggests that where a smart contract is used to define and perform legally binding contractual obligations it is helpful to refer to it as a ‘smart legal contract’. The Law Commission then defines a smart legal contract as ‘a legally binding contract in which some or all of the contractual obligations are defined in and/or performed automatically by a computer program’, and divides smart legal contracts into three different types, depending on the role played by the computer program code, i.e. the degree of automation of the performance of the contract:

Natural language contract with automated performance
Hybrid contract
Solely code contract

The Law Commission suggests that: ‘Automation should be considered on a spectrum. Smart legal contracts which involve elements of standard automation, such as payment by way of direct debit, have been in use for many years and are therefore unlikely to give rise to novel legal issues. However, a smart legal contract drafted primarily or solely in code […] is likely to give rise to novel legal questions; the automation in question takes the contract out of the realm of legal familiarity‘.

Although it had originally suggested (in its call for evidence) that a smart legal contract must, by definition, be deployed on a distributed ledger technology (DLT) system, the Law Commission has decided that DLT should not be an essential feature, and that a better approach is for smart legal contracts to be technology neutral.

2. What are the legal issues with smart legal contracts?

As stated, natural language contracts with automated performance via code have been in existence for a long time, and do not raise any new issues. However, where the terms of the contract are written in code, whether partly or wholly, new challenges arise in relation to contract formation, interpretation and remedies.

The Law Commission believes that contract terms expressed in computer code can, and should, be ‘susceptible to contractual interpretation‘. It suggests that the appropriate test should not be the traditional ‘what a reasonable person would understand the (coded) terms to mean, having all the background knowledge’ test, but instead a ‘what a person with knowledge and understanding of code would understand the coded terms to mean’ test – what the Law Commission calls the ‘reasonable coder‘ test. The court should ask what a person with knowledge and understanding of computer code what they understand the coded terms to mean, similar to the way that a court would ask for expert evidence in the case of a contract written in a foreign language.

The Law Commission also suggests that there is an increased risk of disputes during the lifecycle of a smart legal contract, given the likelihood of code performing ways that that the parties did not intend or expect, as well as other risk factors such as inaccurate input data, system upgrades, the code being hacked, and normal bugs and errors. The Law Commission notes that the usual legal remedy of rectification (where the court ‘corrects’ the terms of a contract) may in practice prove difficult to obtain where a computer program runs on an immutable DLT system.

3. How should businesses using smart legal contracts address these issues?

In Appendix 3 of its advice, the Law Commission helpfully provides a (non-exhaustive) list of issues that parties proposing to enter into a smart legal contract may want to consider and provide for in their contract. These include:

Confirming the role of the code in the contract and, in particular, whether the code is intended to define contractual obligations or just perform the obligations. Where contractual terms are expressed in both natural language and in code, confirming which term takes precedence in the event of a conflict.
Using natural language aids to help with the interpretation, e.g. a business process document or term sheet, and/or a natural language explanation of the code, or natural language comments within the source code itself. Making it clear that the business process document or other explanation forms parts of the parties’ agreement so that the document or explanation can be used by the court when interpreting the contract.
To satisfy the Consumer Rights Act 2015 requirement that traders’ written terms are ‘transparent’ (i.e. ‘expressed in plain and intelligible language, and be legible‘) in B2C contracts, providing consumers with a clear and informative explanation of the code in natural language.
Allocating risk amongst the contracting parties in relation to the smart legal contract-specific risk factors mentioned in the previous section.
Incorporating a ‘kill-switch’ in the smart legal contract to enable suspension or termination of the performance of the code.

4. The problem areas

The Law Commission considers that further work may be needed to support the use of smart legal contract technology in following areas:

To be validly executed, the signing of a deed must be witnessed and attested. The Law Commission is unable to see how these requirements could be satisfied for deeds which are wholly or partly defined by code, although it acknowledges the possibility of technology being developed to enable a witness to record in a smart legal contract that they have observed the execution of the deed.
It may be difficult to determine the jurisdiction and applicable law for some smart legal contracts, particularly where the smart legal contract is defined solely in code or performed via the interaction of two or more computer programs. In addition, digital location, i.e. ascribing real-world locations to digital actions and digital objects, also presents difficulties for smart legal legal contracts, particularly when deployed on DLT system. The Law Commission strongly recommends that parties to smart legal contracts stipulate both their choice of law and jurisdiction.

The Law Commission has agreed to undertake a separate project considering the rules around conflict of laws in the context of emerging technology, including smart legal contracts, which is expected to begin in the middle of 2022.

5. Looking to the future

The Law Commission points out that smart legal contracts are already used to some extent in a number of sectors (including insurance, finance, DeFi, and peer to peer), but have the potential to revolutionise the way businesses engage across all sectors. It anticipates that the market will develop established practices and model clauses that parties can use for their smart legal contracts, and hopes that work in this area will be led by LawtechUK and the UK Jurisdiction Taskforce.

Posted in Technology, Updates | No Comments »

CJEU decides that downloaded software is a sale of goods, not services

23/10/21 – Back in 2013 The Software Incubator was appointed by Computer Associates as a sales agent to promote and market Computer Associates’ application service automation software, which was deployed by CA’s customers to manage applications across data centres. The software was downloaded by customers directly from Computer Associates’ servers, subject to a perpetual licence which restricted use to a specified territory and a maximum number of authorised users.

The relationship was short lived, and The Software Incubator’s appointment was terminated later in 2013. The Software Incubator claimed compensation from Computer Associates under the Commercial Agents (Council Directive) Regulations 1993 (“UK Regulations”), which provides that a ‘commercial agent shall be entitled to compensation for the damage he suffers as a result of the termination of his relations with his principal’ (Section 17(6)). The UK Regulations define “commercial agent” as a ‘self-employed intermediary who has continuing authority to negotiate the sale or purchase of goods on behalf of another person’, but then does not provide a definition of “goods”. As you have probably already guessed, The Software Incubator and Computer Associates had different views on whether the software promoted by The Software Incubator constituted goods for the purposes of the UK Regulations, and the dispute ended up in court.

In 2018 the Court of Appeal decided, in part, in favour of Computer Associates. The Software Incubator appealed to the Supreme Court, which then referred the issue to the Court of Justice of the European Union (CJEU). In short the question for the CJEU was: Does the the supply of computer software to a customer by electronic means, together with the grant of a perpetual licence, constitute a “sale” of “goods” within the meaning of article 1(2) of the Commercial Agents Directive (Council Directive 86/653/EEC), being the original EU Directive that was implemented by the UK Regulations?

CJEU decision

The CJEU decided that:

the term “goods” could cover computer software, since software has a commercial value and was capable of forming the subject of a commercial transaction, and it was irrelevant whether the software was supplied on a CD ROM or tangible medium, or by electronic download; and
the making available of a copy of the computer software and the conclusion of a user licence agreement for that copy which entitles use of the software for an unlimited period, in return for payment of a fee, results in the transfer of the right of ownership of that copy, and therefore constitutes a “sale”.

Accordingly, the supply by Computer Associates of its software to a customer by electronic download, together with the grant of a perpetual licence constituted a “sale of goods” for the purposes of the UK Regulations, entitling The Software Incubator to compensation for termination of its sales agent appointment.

Because the question was referred to the CJEU before Brexit, the CJEU’s decision is binding on the Supreme Court.

Comment

The CJEU decision is clearly good news for sales agents which promote the supply of perpetual software licences, and probably fixed term software licences where the term is at least equal to the software’s expected economic lifespan. Less good news for software vendors, who may want to review existing arrangements with their agents and tread carefully if looking to terminate the relationships. More generally it remains to be seen to what extent the UK courts will have regard to the decision when considering the issue of whether software should be considered to be goods or services (or neither) in other contexts, particularly sale of goods legislation.

Tags: cjeu, commercial agents, computer associates, sale of goods, software, software incubator
Posted in Technology, Updates | No Comments »

What’s happening with SCCs? – Part 3 (UK SCCs)

Part 1 and Part 2 of the What’s been happening with SCCs? updates have tracked the EU’s and the UK’s progress in developing standard contractual clauses (SCCs) to deal with the transfer of personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection, as well as the publication of the new EU SCCs. This update focuses on the UK SCCs.

On 11th August 2021 the ICO launched a consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK‘. As part of the consultation the ICO published its proposal for UK standard contractual clauses in the form of a brand new international data transfer agreement (IDTA), as well as its new Transfer Risk Assessment (TRA) and tool. The ICO is also requesting comments on an update of its existing guidance on international transfers. The consultation closes on 7th October 2021.

All very interesting I’m sure. But is any of this relevant to me?

Short version is that if you’re transferring UK citizens’ personal data to a ‘third country’ (i.e. a country which is not considered by the UK to have ‘adequate’ data protection laws (full list here), then yes. You will need to use one of the transfer mechanisms (or ‘appropriate safeguards‘) set out in Article 46 of the GDPR (now incorporated into UK law as the UK GDPR, as amended). And although the UK GDPR provides for a variety of transfer mechanisms, for most businesses the only practical option in these circumstances will be for both the (UK) data exporter and (third country) data importer to enter into an IDTA, having first completed a Transfer Risk Assessment (TRA).

Bear in mind that for these purposes:

‘Transferring’ data includes making data stored in the UK available to be accessed by a data importer in a third country, even on a ‘view-only’ basis.
Whether the data importer ever does access or otherwise process the data that you transfer is irrelevant.
Following the invalidation of the EU-U.S. Privacy Shield by the ECJ in its ‘Schrems II’ judgment, the U.S. is now a third country.

Ah, ok. So what do I need to know?

The new IDTA and TRA requirements will not not become law until the end of 2021 or, more likely, spring 2022. Between now and then the situation is a bit of a mess. UK law provides that the old EU SCCs must continue to be used as the Article 46 transfer mechanism, even after 27 September 2021 when they cease to be lawful for new EU cross-border data transfers. Although some commentators have suggested that, in a post-Schrems II world, a better approach is for UK data exporters to use the new EU SCCs until the new IDTA is adopted, my view is that for the time being most UK data exporters should stay compliant with UK law and either make Brexit-required changes to their existing SCCs or, for new transfers, put in place a data transfer agreement based on the old EU SCCs.

The timelines for UK data exporters being legally required to use the new IDTA for international data transfers will be 3 months for new transfers and 21 months for existing transfers, each period running 40 days from the date on which the IDTA is laid before Parliament as a regulation.

Some high-level comments on the IDTA:

In contrast to the modular new EU SCCs (which will need quite a bit of copying and pasting), the IDTA is a single agreement, made up of four parts:
- Part 1 (Parties and signature) sets out a series of tables which capture the variables, including the status of the parties (i.e. controller, processor etc), details of the proposed data transfers, details of the data to be transferred, purposes of the transfers, and the security requirements. If the IDTA forms part of an MSA or other commercial agreement between the exporter and importer, the MSA can be recorded as a ‘Linked Agreement’.
- Part 2 (Extra Protection Clauses) is optional, but enables the parties to include any additional security, organisational and/or contractual protections that are considered necessary following the TRA.
- Part 3 (Commercial Clauses) is also optional, enabling the parties to include any commercial terms that they have agreed.
- Part 4 (Mandatory Clauses) constitutes the bulk of the IDTA, and sets out the parties’ rights and obligations in relation the data transfers.
The ICO have done their best to use plain English and avoid legal terminology, and generally to keep the IDTA as user-friendly as possible. But the IDTA template (excluding guidance notes and Q&A) runs to 43 pages, and putting one in place will require a fair bit of work.
For organisations putting in place new EU SCCs for EEA-to-third country data transfers, the ICO has helpfully produced a short addendum which, once completed and signed, will enable the EU SCCs to be used also for transfers from the UK.
In contrast to the new EU SCCs, which need to be reviewed ‘at appropriate intervals’ the IDTA (and associated TRA) should be reviewed annually, which is perhaps overly onerous for low-risk transfers.
A more detailed analysis of the Mandatory Clauses of the IDTA to follow once the ICO consultation is completed.

And some comments on the TRA:

The TRA precedent is intended to be use for medium and low risk transfers. High risk transfers, such as transfers to countries with poor human rights records, are likely to require more sophisticated transfer risk assessments. The TRA is not mandatory – data exporters are free to use what form of risk assessment they consider appropriate.
As with the IDTA, the ICO have done their best to make the TRA accessible and user friendly. It contains numerous, ‘real life’ practical examples showing when transfers may be permitted. It also explains what constitutes high, medium and low risk in the context of international transfers, and (helpfully) confirms that where the risk of harm that the transfer causes to data subjects is minimal then the transfer is permitted by default.
But the TRA is 49 pages long, and will constitute a significant undertaking for all but the most well-resourced data exporters. And although the ICO recognises the challenge that data exporters face in obtaining information about the legal framework of the data importer’s country, suggesting that information may be available via ‘reports issued by the Foreign Commonwealth and Development Office and charitable organisations‘, the ICO does not address the obvious question why this information cannot be provided by the ICO (and/or appropriate government department), instead suggesting that data exporter may need to obtain ‘expert advice‘.
On a positive note, and unlike the new EU SCCs, the objective of the TRA is not necessarily to ensure that the legal framework of the data importer’s country is ‘essentially equivalent’, but whether it provides ‘very similar protections’ to those in the UK. The TRA also makes the point that countries which have surveillance regimes may in fact be more legitimate than countries whose lack of surveillance laws may suggest a lack of safeguards.
The findings from the TRA must be documented to ensure there a record of the assessment. If a data exporter uses its best efforts to complete the TRA, the ICO will take this into account in any regulatory action resulting from a later GDPR breach.

Hmm… 49-page risk assessments and 43-page data transfer agreements. Doesn’t exactly sound ‘agile’?

You’re referring to the comments of the UK culture secretary, Oliver Dowden, who suggested in his article in the FT last February that that the UK can now be more ‘agile’ when it comes to ‘[striking] our own international data partnerships with some of the world’s fastest growing economies’.

If we accept the importance of ensuring a meaningful level of protection for UK citizens’ data when shared with third parties outside the UK then we either have to provide a mechanism which gives organisations the ability to put in place a framework to ensure a meaningful level of protection, or we go down the data localisation route and make it unlawful for personal data to be transferred from the UK to any ‘third country’.

Despite the reservations mentioned above, the ICO have in my view done a good job striking a balance between the need for ‘agility’, and the need to provide meaningful protection of personal data in a world which, for the most part, falls far behind the ‘gold standard’ of EU and now UK data protection. But the elephant in the room remains why the ICO (or appropriate government department) cannot provide UK data exporters carrying out a TRA with guidelines regarding each third country’s legal framework, third-party surveillance rights and safeguards, and their similarity to those in the UK. It will be interesting to see if this is addressed by the consultation.

Tags: data transfers, gdpr, ICO, idta, international data transfer agreement, modular SCCs, SCCs, Schrems II, Standard Contractual Clauses, transfer impact assessment, UK gdpr
Posted in Privacy, Updates | No Comments »