Demise of the EU-US Privacy Shield

23 July 2020 – If you want to transfer personal data to a country outside the EEA (which has not been formally approved by the European Commission), then you need to use one of the GDPR-prescribed “transfer mechanisms”. For transfers of personal data to the US, one of the main transfer mechanisms was the EU–US Privacy Shield, a framework which enabled Privacy Shield-registered US companies to receive personal data from EU entities. I say ‘was’, because in its judgment on 16th July 2020 the EU-US Privacy Shield was declared invalid by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens. Specifically, the ECJ was concerned about the lack of oversight of US law enforcement agencies accessing EU citizens’ personal data.

The other main transfer mechanism is for an EEA controller proposing to export personal data and the importer in the non-EEA country to enter into the Standard Contractual Clauses (SCCs), which legitimise transfers of personal data by contract. In its judgment the ECJ made some observations on the SCCs, confirming that prior to exporting personal data the controller must be satisfied that the SCCs can and will be complied with, i.e. it’s not just a question of ensuring that the SCCs are included in the parties’ agreement, but the controller needs to assess the assess the quality of the safeguards in the importer’s country to ensure that individuals’ rights and freedoms will be protected. That said, the SCCs remain a valid transfer mechanism, and are likely to be the first port of call to legitimise EEA-to-US transfers of personal data that no longer benefit from the Privacy Shield.


Marcus Andreen

The P2B Regulation – regulating the e-commerce gatekeepers

13 July 2020 – The EU Platform to Business Regulation (the ‘P2B Regulation’) came into effect on 12 July 2020.  The P2B Regulation applies to all online platforms and search engines which provide services to business users in the EU, where those business users offer goods or services to consumers in the EU.  The location of the platform is irrelevant if goods or services are being offered to business customers and consumers in the EU.  Examples of business that will be subject to the P2B Regulation include online marketplaces (e.g. Amazon), accommodation booking platforms (e.g. Airbnb), and app stores – the ‘gatekeepers’ for consumer e-commerce.

The P2B Regulation requires online platforms and search engines to have terms and conditions for its business users that are clearly and plainly drafted, and include the following:

  1. Minimum 15-day notice for any amendments to the Ts&Cs, with the right for the business user to terminate if it doesn’t agree with an amendment.
  2. Objective reasons for which the platform provider can suspend, terminate or restrict access to its services. Platform providers must give at least 30 days’ notice to a business user, unless as a result of the business user’s persistent breach
  3. Information about the criteria or parameters used by the platform provider when ranking business users, including (if applicable) the effect of payments by business users on rankings.
  4. Details of any different treatment or other advantages the platform provider gives to its own goods or services over those of business users.
  5. Details of any restrictions on the business user offering its goods or services on other platforms on more favourable terms, and the reasons for such restrictions.
  6. Whether any business user data is shared with third parties, and if so for what purposes, and whether the business user can opt out of such data sharing.

If a platform provider fails to comply with these requirements the relevant provisions will not be enforceable against a business user.

In addition, online platforms must set up an internal complaint-handling/mediation system to help business users, with limited exemptions for smaller platforms.  Also, business associations will be able to take platforms to court to stop any non-compliance with the rules.

The P2B Regulation will continue to apply after the Brexit transition period by virtue of The Online Intermediation Services for Business Users (Enforcement) Regulations 2020, although (as with all EU law that is retained by the UK) it can then be amended or revoked.


Marcus Andreen

Legal know-how for business: “subject to contract”

The phrase “subject to contract” is – or should be – used when you are negotiating what you expect may in the future become a binding contract, but not yet.

For example, when negotiating a letter of intent or heads of terms, it is a useful way of making it clear that, although the key terms of the transaction are being put in writing, neither party intends to be legally bound unless and until those terms are then confirmed in a more formal, detailed agreement.  And anyone who has bought or sold a house in the UK will be familiar with offers being “subject to contract” (or “STC”), making it clear that, although an offer to purchase a property may have been accepted by the seller, there is no commitment to proceed with the transaction until the parties exchange contracts.

So far, so straightforward.  But it should be borne in mind that using the “subject to contract” phrase is not conclusive, but creates a presumption that the parties do not intend to create legal relations (ie enter into a binding contract), and that the behaviour of the parties may result in the protection offered by the “subject to contract” to be lost.   So, for example, in the case of RTS Flexible Systems Ltd v Molkerei Alois Müller1, Müller had sent a letter of intent to RTS, together with a draft contract which included a clause limiting RTS’s liability in the case of certain disputes.  The draft contract also included a clause stating that the contract would not be binding unless it was signed and executed by the parties, ie that it was subject to contract.  The contract was never signed, but RTS proceeded with its supply obligations with the consent of Müller.  A dispute arose which included a claim by Müller against RTS for failing to supply equipment of the correct specification.  Müller argued that the draft contract (with the clause limiting RTS’s liability) did not apply since the draft included the clause confirming that it was not binding unless signed and executed.  The Supreme Court disagreed, and decided that the parties had proceeded with the project as if the draft contract did apply, and they had therefore, by their conduct, waived the clause in the contract that stated it would not take effect unless signed.

So to summarise:

  • If you want to avoid the risk of finding that a binding contract has been formed during negotiations, make it clear at the outset that the discussions are subject to a formal, detailed agreement being signed, label your emails and any draft documentation with “subject to contract”, and confirm the “subject to contract” nature of the discussions prior to the start of any meetings or phone calls.
  • And if you decide to start work before the formal contract is signed, then you need to make it crystal clear that the contract negotiations remain “subject to contract”, so as to avoid a court inferring that the subject to contract understanding had been waived by agreement as a result of the parties’ conduct and communications.


Note 1: RTS Flexible Systems Ltd v Molkerei Alois Muller Gmbh & Company KG (UK Production) [2010] UKSC

Request a quote

  • Your email address will be used to send you your quote, and will not be shared with any other person, or used for any other reason whatsoever, ever.
  • Under the SRA Code of Conduct I am obliged to treat all information provided by you in strict confidence, whether or not you decide to go ahead and instruct me.