Ok, let’s start with the basics. What is ‘special category data’?
Article 9 of the GDPR (as incorporated into UK law, and amended) (“UK GDPR”) defines special category data as:
- Personal data revealing:
  - racial or ethnic origin
  - political opinions
  - religious or philosophical beliefs
  - trade union membership.
- Data concerning:
  - health
  - a person’s sex life
  - a person’s sexual orientation.
- Genetic data.
- Biometric data (where used for identification purposes).
In short, special category data is personal data that needs more protection because it is sensitive.
And what does ‘more protection’ mean?
It means that, in addition to ensuring that the processing is generally lawful, fair and transparent, and that it complies with all the other principles and requirements of the UK GDPR, you must comply with the following requirements:
- Prior to processing any special category data, you must not only identify and document a lawful basis under Article 6 (as required for all processing of personal data), but you must also satisfy at least one of the conditions for processing special category data listed in Article 9.
- Of the 10 conditions for processing special category data in Article 9, five require you to meet additional conditions and safeguards set out in Schedule 1 of the Data Protection Act 2018 (“Schedule 1 conditions”). For some Schedule 1 conditions you also need to put in place an ‘appropriate policy document’. The ICO has provided an appropriate policy document template.
- In practice, you may need to use the explicit consent condition for the special category data processing (Article 9(2)(a)). If so, then bear in mind that the individual’s consent must be:
  - freely given
  - specific, i.e. it must specify the nature of the special category data, and be separate from any other consents
  - affirmative, i.e. opt-in
  - unambiguous
  - capable of being withdrawn at any time.
- Article 35 requires you to do a Data Protection Impact Assessment (DPIA) for any type of processing that “is likely to result in a high risk to the rights and freedoms of natural persons”. This is more likely to be the case when processing special category data.
- Article 30 requires controllers to maintain a record of processing activities. The exemption from this obligation for organisations employing fewer than 250 persons (Article 30(5)) does not apply where the processing includes special categories of data.
- Update your privacy notice with specific information about your processing of special category data.
Tags: Article 9 conditions, dpa 2018, gdpr, lawful basis, lexoo, sensitive data, special category data, UK gdpr
Posted in Privacy, Updates | No Comments »
23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’. (more…)
Tags: data protection, essentially equivalent, FISA, gdpr, privacy shield, SCCs, tia, transfer impact assessment
Posted in Privacy, Updates | No Comments »
13/07/20 – The EU Platform to Business Regulation (the ‘P2B Regulation’) came into effect on 12 July 2020. The P2B Regulation applies to all online platforms and search engines which provide services to business users in the EU, where those business users offer goods or services to consumers in the EU. (more…)
Posted in Updates | No Comments »
Issues to consider when drafting, reviewing or negotiating service levels include:
Service levels
- Are uptime service levels measured monthly, or over a different period? (A 99.9% uptime service level measured monthly allows for a single outage of approx. 43 minutes; measured quarterly, that increases to more than two hours.)
- Are out-of-hours outages dealt with in the same way as outages during business hours?
- What types of downtime are excluded from the availability calculation, e.g. planned maintenance or Force Majeure events?
- For response/resolution service levels, are different severities of fault subject to different service levels? Does a workaround constitute a resolution for the purpose of the service level?
- Do the service levels apply from Day 1, or does the supplier have a grace period to allow the service to be ‘bedded in’?
- Are there any ‘chronic’ service levels which, if breached, entitle the customer to terminate the agreement?
Service credits
- If service credits are payable for breach of service levels, are the service credits subject to a cap? If a default results in breaches of multiple service levels, can the customer claim multiple service credits?
- Does a service credit constitute the customer’s sole remedy, or is the customer able to claim against the supplier if its actual losses exceed the value of the service credit?
- How and when does the customer claim service credits?
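The effect of the measurement period on a 99.9% uptime commitment, shown as an added example in Go (this is not code from the original post): it computes the downtime budget for a measurement window, leaves planned maintenance out of the calculation, clips outages that straddle a window boundary, and shows that the same 100-minute outage breaches a calendar-month measurement but not a quarterly one. The SLA wording (planned maintenance excluded), the 2024 calendar windows and the outage records are constructed assumptions for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Outage is one window of unavailability. Planned marks scheduled
// maintenance, which the assumed SLA wording excludes from the calculation.
type Outage struct {
	Start, End time.Time
	Planned    bool
}

// Window is a measurement period, half-open: [Start, End).
type Window struct {
	Start, End time.Time
}

// Length returns the duration of the measurement period.
func (w Window) Length() time.Duration { return w.End.Sub(w.Start) }

// AllowedDowntime returns the downtime budget for a period of the given
// length at the given availability target (0.999 for 99.9%).
func AllowedDowntime(period time.Duration, availability float64) time.Duration {
	return time.Duration(float64(period) * (1 - availability))
}

// CountedDowntime sums the unplanned outage time that falls inside w,
// clipping outages that start before or end after the window.
func CountedDowntime(w Window, outages []Outage) time.Duration {
	var total time.Duration
	for _, o := range outages {
		if o.Planned {
			continue // excluded from the availability calculation
		}
		start, end := o.Start, o.End
		if start.Before(w.Start) {
			start = w.Start
		}
		if end.After(w.End) {
			end = w.End
		}
		if end.After(start) {
			total += end.Sub(start)
		}
	}
	return total
}

// Breached reports whether counted downtime in w exceeds the budget.
func Breached(w Window, availability float64, outages []Outage) bool {
	return CountedDowntime(w, outages) > AllowedDowntime(w.Length(), availability)
}

func date(y int, m time.Month, d, h, min int) time.Time {
	return time.Date(y, m, d, h, min, 0, 0, time.UTC)
}

// January2024 and Q1of2024 are constructed measurement windows: one
// calendar month (31 days) and one calendar quarter (91 days).
var January2024 = Window{date(2024, time.January, 1, 0, 0), date(2024, time.February, 1, 0, 0)}
var Q1of2024 = Window{date(2024, time.January, 1, 0, 0), date(2024, time.April, 1, 0, 0)}

// SampleOutages is constructed sample data: one 100-minute unplanned outage
// and one 120-minute planned maintenance window, both in January 2024.
var SampleOutages = []Outage{
	{date(2024, time.January, 5, 2, 0), date(2024, time.January, 5, 3, 40), false},
	{date(2024, time.January, 20, 1, 0), date(2024, time.January, 20, 3, 0), true},
}

func main() {
	const target = 0.999
	for _, w := range []struct {
		name string
		win  Window
	}{{"monthly", January2024}, {"quarterly", Q1of2024}} {
		fmt.Printf("%-9s budget %v, counted %v, breached: %v\n", w.name,
			AllowedDowntime(w.win.Length(), target).Round(time.Second),
			CountedDowntime(w.win, SampleOutages), Breached(w.win, target, SampleOutages))
	}
}
```

The budgets come out at roughly 45 minutes for the month and roughly 131 minutes for the quarter, so a single 100-minute incident is a service-level breach under one measurement period and not under the other, which is the point the first bullet above makes about a 30-day month (43.2 minutes).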
Tags: availability, chronic service level, service credit, service level, SLA, uptime
Posted in Commercial, Technology | No Comments »
Issues to consider when negotiating a SaaS (Software as a Service) agreement include:
- How is the customer on-boarded/integrated? What remote or physical access to the customer’s IT systems does the supplier need?
- Are there any other customer dependencies? What happens if the supplier fails to meet the installation or go-live date?
- Is there a minimum term during which the customer is unable to terminate? After the end of the minimum term, does the term renew for a further fixed period, or can it then be terminated at any time? Can the customer terminate during the minimum term/renewal term, but subject to an early termination payment?
- Will the supplier be accessing, storing or otherwise processing any of the customer’s personal data? If so, have the parties agreed data processing terms?
- What IT and other security measures will the supplier maintain in relation to the customer’s data?
- What service levels apply to the services, particularly regarding availability and fault fixing times? Is the customer entitled to service credits and/or to terminate the agreement if service levels are not met?
Tags: saas, service levels, software as a service
Posted in Uncategorised | No Comments »
12/03/20 – The UK government has issued a Statement in response to the Law Commission’s report on Electronic execution of documents. My article on the Law Commission’s report can be accessed here.
Key takeaways from the government’s Statement:
- The government agrees with the report’s conclusion that businesses and individuals can feel confident in using e-signatures without the need for primary legislation.
- The government accepts the report’s recommendation that an Industry Working Group should be established to consider, in particular, the security and technology of electronic signatures.
- The Industry Working Group will also be asked to consider the question of video witnessing of electronic signatures.
- In accordance with the report’s recommendation, the government will ask the Law Commission to undertake a broader review of the law of deeds. The timing for the review will however be subject to government and Law Commission priorities given the existing volume of law reform work.
Tags: deeds, electronic signature, execution of documents, law commission, video witnessing
Posted in Commercial, Updates | No Comments »
10/02/20 – In AA v Persons Unknown [2019], the Commercial Court confirmed that cryptoassets such as Bitcoin can constitute property under English law, and are therefore capable of being subject to a proprietary injunction (i.e. a court order which prevents the defendant from dealing with the relevant property).
The judgment refers extensively, and gives considerable weight, to the UK Jurisdiction Taskforce’s recent Legal Statement on the Status of Cryptoassets and Smart Contracts – see my article on the UKJT Statement here.
Background
In October 2019, one or more hackers encrypted the IT systems of a Canadian insurance company with malware. In order to regain control of its IT systems, the insurance company paid the hacker(s) a ransom of 109.25 Bitcoins (approx. $950,000).
The insurance company’s cybercrime insurer traced the ransom payment to a Bitcoin wallet linked to and controlled by Bitfinex, a crypto exchange operated by two British Virgin Island entities. The insurer applied for a proprietary injunction to recover the 96 Bitcoins that remained in the wallet.
Judgment
Because proprietary injunctions can only be granted over property, the Commercial Court first had to consider whether Bitcoin constitutes a form of property. Although Bitcoin does not fit into either of the two conventional categories of property – ‘choses in possession’ or ‘choses in action’ – the Court reviewed the analysis of the proprietary status of cryptoassets in the UKJT Statement, and in particular the UKJT’s conclusion that, despite their “novel or distinctive features”, cryptoassets may be objects of property rights, and “[i]f it is necessary to classify it at all, then a cryptoasset is best treated as being another, third kind of property” (UKJT Statement, para. 86(a)). The Court agreed with this approach, adding that “it is fallacious to proceed on the basis that the English law of property recognises no forms of property other than choses in possession and choses in action”.
Having confirmed that Bitcoin constitutes property, the Court granted the proprietary injunction.
Tags: Bitcoin, blockchain, cryptoassets, cryptocurrencies, distributed ledger technology, DLT
Posted in Technology, Updates | No Comments »
04/12/19 – Prompted by a perceived need to provide legal certainty and market confidence in distributed ledger technology (DLT) and smart contracts, the UK Jurisdiction Taskforce (part of the LawTech Delivery Panel) published a Legal Statement on the Status of Cryptoassets and Smart Contracts on 18 November 2019. The Statement follows on from a consultation launched on 9 May 2019.
Cryptoassets
In relation to cryptoassets, the UKJT’s main conclusions are:
- Cryptoassets should be treated in principle as property under English law because:
- cryptoassets have all the key characteristics of property – “… definable, identifiable by third parties, capable in its nature of assumption by third parties, and […] some degree of permanence or stability” (para. 39), and
- none of the distinctive features of cryptoassets – such as intangibility, cryptographic authentication, use of a distributed transaction ledger, decentralisation and rule by consensus – disqualify cryptoassets from being property.
- Cryptoassets’ status as property has important consequences in a number of areas, including succession on death, insolvency, fraud, theft and breach of trust.
- As with other intangible assets, title to cryptoassets can be vested or transferred by assignment or agreement of its owner. The Statement suggests that an ‘on-chain’ assignment (i.e. a transfer of the cryptoasset itself) is best analysed by way of the creation of a new cryptoasset owned by the transferee, with the ‘old’ cryptoasset ceasing to have any value or function because it is treated by the consensus as having been spent or cancelled (and as a result any further dealings in it would be rejected).
- It is also possible to transfer a cryptoasset ‘off-chain’, where the cryptoasset represents or is linked to a conventional asset, such as money, land or a contractual debt. An off-chain transaction would however allow the transferor to retain a copy of the private key, and therefore expose the transferee to the risk of ‘double-spending’ by the transferor.
- A distributed ledger (such as a blockchain) operates as a “reliable record in practice of which person, or which address-identifier, has control of a cryptoasset, because only dealings in a cryptoasset that are both consistent with the transaction history recorded in the ledger and signed with the relevant private key will be accepted as valid” (para. 131). But unless and until it is given binding legal effect by statute, the distributed ledger does not constitute a definitive record of legal rights in the way that the records held by the Land Registry or the Intellectual Property Office do.
- Although cryptoassets are not documents of title, documentary intangibles or negotiable instruments, some types of security can be granted over them, including mortgages and equitable charges. Because a cryptoasset cannot be physically possessed, you cannot create a lien over it, or sue someone for conversion of it (wrongfully dealing with it). For the same reason, a cryptoasset cannot be the object of a bailment.
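The mechanics described in the three bullets on on-chain transfer, double-spending and ledger validation, as an added example in Go (this is not code from the Statement or from any real chain): a toy ledger accepts a dealing only if it is consistent with the recorded history (the asset exists and is unspent) and is signed with the private key of the current controller. A valid transfer marks the old entry as spent and creates a new asset owned by the transferee, so a second attempt to spend the same entry is rejected, as is a transfer signed with the wrong key. The asset identifiers, the key pairs and the `message` layout the signature covers are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Asset is one ledger entry: an identifier and the public key that controls it.
// Spent records that the consensus treats the entry as spent or cancelled.
type Asset struct {
	ID    string
	Owner ed25519.PublicKey
	Spent bool
}

// Transfer is an on-chain dealing: the asset being spent, the transferee's
// public key, and a signature made with the current controller's private key.
type Transfer struct {
	AssetID  string
	NewOwner ed25519.PublicKey
	Sig      []byte
}

// Ledger is a toy model of the shared transaction history (constructed here
// for illustration, not any real chain's data structure).
type Ledger struct{ assets map[string]*Asset }

func NewLedger() *Ledger { return &Ledger{assets: map[string]*Asset{}} }

// Issue creates a fresh asset controlled by owner (stands in for issuance).
func (l *Ledger) Issue(id string, owner ed25519.PublicKey) {
	l.assets[id] = &Asset{ID: id, Owner: owner}
}

// message is the byte string a transfer's signature covers (assumed layout).
func message(assetID string, newOwner ed25519.PublicKey) []byte {
	return append([]byte(assetID+"->"), newOwner...)
}

// Sign builds a transfer of assetID to newOwner, signed with priv.
func Sign(priv ed25519.PrivateKey, assetID string, newOwner ed25519.PublicKey) Transfer {
	return Transfer{AssetID: assetID, NewOwner: newOwner, Sig: ed25519.Sign(priv, message(assetID, newOwner))}
}

var (
	ErrUnknown = errors.New("asset not in ledger")
	ErrSpent   = errors.New("asset already spent: double-spend rejected")
	ErrBadSig  = errors.New("signature not made with the controlling private key")
)

// Apply validates a transfer against the history and the signature. On success
// the old asset is marked spent and a new asset owned by NewOwner is created;
// the new asset's ID is returned.
func (l *Ledger) Apply(t Transfer) (string, error) {
	old, ok := l.assets[t.AssetID]
	if !ok {
		return "", ErrUnknown
	}
	if old.Spent {
		return "", ErrSpent
	}
	if !ed25519.Verify(old.Owner, message(t.AssetID, t.NewOwner), t.Sig) {
		return "", ErrBadSig
	}
	old.Spent = true
	sum := sha256.Sum256(message(t.AssetID, t.NewOwner))
	newID := hex.EncodeToString(sum[:8])
	l.assets[newID] = &Asset{ID: newID, Owner: t.NewOwner}
	return newID, nil
}

// Controls reports whether pub controls an unspent asset with the given ID.
func (l *Ledger) Controls(id string, pub ed25519.PublicKey) bool {
	a, ok := l.assets[id]
	return ok && !a.Spent && a.Owner.Equal(pub)
}

// Scenario runs the transfer, a double-spend attempt and a wrongly signed
// transfer, returning the ledger, the new asset ID and the three results.
func Scenario() (l *Ledger, newID string, first, double, forged error) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	carolPub, carolPriv, _ := ed25519.GenerateKey(rand.Reader)
	l = NewLedger()
	l.Issue("coin0", alicePub)
	newID, first = l.Apply(Sign(alicePriv, "coin0", bobPub))   // consistent and signed: accepted
	_, double = l.Apply(Sign(alicePriv, "coin0", carolPub))    // coin0 already spent: rejected
	_, forged = l.Apply(Sign(carolPriv, newID, carolPub))      // Bob's asset, Carol's key: rejected
	return l, newID, first, double, forged
}

func main() {
	_, newID, first, double, forged := Scenario()
	fmt.Println("transfer to Bob:", first, "new asset", newID)
	fmt.Println("second spend of coin0:", double)
	fmt.Println("transfer signed with wrong key:", forged)
}
```

Note that the ledger never records who the legal owner is; it records which key currently controls an entry, which is the distinction the Statement draws between a reliable practical record and a definitive record of legal rights.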
Smart contracts
In relation to smart contracts, the UKJT’s main conclusions are:
- Whether the contractual obligations under the smart contract are defined by computer code, or the code is implementing an agreement whose meaning is to be found elsewhere, English law is able to identify, interpret and enforce smart contracts using ordinary and well-established legal principles.
- English law is also able to deal with smart contracts formed between anonymous or pseudonymous parties, and can also deal with bilateral smart contracts as well as those structured around Decentralised Autonomous Organisations (DAOs).
- A statutory “signature” requirement can, in principle, be met by using a private key which authenticates a document, and a statutory “in writing” requirement can be met in the case of a smart contract whose code element is recorded in source code.
Final comments
In addition to the conclusions mentioned above, the Statement provides a comprehensive, useful description of the key technical and operational characteristics of both cryptoassets and smart contracts.
Tags: blockchain, contract, cryptoasset, distributed ledger technology, DLT, smart contract, token
Posted in Technology, Updates | No Comments »