English law upholds the principle of contractual autonomy, granting parties the freedom to negotiate and establish terms tailored to their specific needs and objectives. Contractual certainty is business critical in order to clearly delineate duties and obligations and to provide recourse for an innocent party in the event of a breach.

For contracting parties, it is important to note that contractual autonomy is not absolute and operates within legal frameworks aimed at ensuring fairness and equity in contractual relationships. This article explores the limitations designed to prevent abuse and safeguard parties from unfair or oppressive clauses.

Understanding Penalty Clauses

A contractual term that specifies predetermined consequences for a breach of contract is known as a “liquidated damages” clause. The purpose of this type of clause is not to punish the breaching party but rather to estimate, in a reasonable and realistic manner, the likely losses that would result from the breach. Importantly, the pre-estimate must be made at the time the contract was made (Clydebank Engineering v. Castaneda). This should not be confused with a penalty clause, which imposes excessive financial penalties to deter breaches and can be unenforceable if challenged in court.

The complexity of distinguishing between these two types of clauses often leads to legal challenges, with courts examining the true nature of the clause and the context of its inclusion in the contract. Factors that can be considered include the rationale behind the clause, the bargaining power of the parties, and whether the sum stipulated is excessively high or unconscionable.

Understanding whether or not a clause may amount to a penalty clause could have costly consequences. If a clause is deemed to amount to a penalty clause, it could be struck out as unenforceable.

Evolution of the Test for Penalty Clauses

The legal framework surrounding penalty clauses in UK law has significantly evolved, especially following key judicial decisions that have reshaped their assessment and enforceability.

Historical Perspective:

Historically, the assessment of penalty clauses revolved around the concept of exorbitance in relation to common law damages. In Dunlop Pneumatic Tyre Co Ltd v. New Garage & Motor Co Ltd [1915], the court held that a clause would be considered a penalty if it was not a genuine pre-estimate of costs or sought to impose a detriment on a party out of proportion to the innocent party’s legitimate interest in enforcing the contract.

Shifts in the legal test:

In recent years, the UK courts have moved away from the strict prohibition of penalty clauses. The Supreme Court judgment in Cavendish Square Holding BV v. Talal El Makdessi and ParkingEye Limited v. Beavis [2015] noted that the Dunlop test had taken on the status of a “quasi-statutory code”, which was never the intention.

Lords Neuberger, Sumption and Carnwath took a more nuanced stance, emphasising that the rule on penalty clauses does not permit the courts in every instance to review the fairness of a contractual term when parties can be said to have equal bargaining power. Instead, the focus will be on whether the term in question is a primary or a secondary obligation.

Key principles when assessing penalty clauses:

• Primary vs. secondary obligations: A primary obligation refers to an obligation that arises independently of a breach of contract, while a secondary obligation is triggered by a breach. The Supreme Court emphasised that the penalty rule applies only to secondary obligations. This distinction is crucial in determining the enforceability of penalty clauses, as primary obligations are not subject to the penalty rule.
• Legitimate interest and proportionality: The court highlighted the importance of assessing the legitimate interest in enforcement of the clause in question. The penalty rule will not be engaged if the clause serves a legitimate commercial purpose and is proportionate to the interest being protected. This requires courts to consider the context and commercial rationale behind the clause when determining its enforceability.
• Unconscionability or exorbitance: Even if a clause constitutes a secondary obligation, it may still be enforceable if it is not unconscionable or exorbitant in relation to the legitimate interest which is served by the clause. The courts will assess whether the clause imposes a penalty that is disproportionate to the loss suffered or the legitimate interest being protected. This requires a contextual analysis that considers the specific circumstances of the case.

The following can act as a checklist when considering whether or not a clause is likely to fall foul of the law of penalties:

In the well-established ruling of Parking Eye, an £85 parking fine for a 56 minute overstay was held not to be a penalty clause because the fine was considered not to be out of proportion to the legitimate interest which was served in managing the maximum parking stay for the retail outlets, their customers and the wider public.

Implications for Businesses: Drafting Strategies

The recent refinements in the test for penalty clauses have significant implications for businesses engaged in contractual negotiations and drafting. Understanding these implications is essential for businesses to ensure compliance with legal requirements while safeguarding their interests.

Key considerations include:

• Clarity and Precision: Where possible, contracts should clearly delineate between primary and secondary obligations to avoid ambiguity and potential disputes over enforceability.
• Commercial Justification: Breach clauses should be supported by legitimate commercial justifications that demonstrate their necessity and proportionality to the legitimate interests being protected.
• Avoiding Unconscionability: Businesses should refrain from including breach clauses that are unconscionable or exorbitant in relation to the loss suffered or the legitimate interest being protected.
• Consideration of Context: Drafters must consider the specific circumstances and commercial context of the contract when drafting breach clauses to ensure they align with the parties’ intentions and expectations.

What’s next…

Our next blog post in this series will examine exclusion clauses and unfair terms, another category of contractual terms which could be scrutinised by the courts.

If you would like to discuss this blog, please contact Sarah Bazaraa on 07920 237599 or by email to sarah.bazaraa@pannonecorporate.com

Pannone Corporate has been recommended as top tier in two practice areas and also recommended in a further ten practice areas in The Legal 500 2024 edition released yesterday.

Here are some highlights from what our clients had to say:

Commercial litigation 

“Direct partner contact, in-depth subject expertise and competitive rates due to its size and structure which makes it stand out in the Manchester and national market.”

“Pragmatic yet thoroughly detailed advice together with responsiveness and quick turn-around times – an invaluable resource for a busy in-house team.”

“Collaborative, responsive, thoughtful and with a deep knowledge and understanding of our business.”

Commercial property

“The team is very experienced and offers a personalised service. They are highly knowledgeable and able to represent the core interests of their clients without prompting.”

“A smaller team that offers a big company service and an ethos personalised to the needs of the client.”

“Valued members of their team and ours. They are always available and ready to answer quick questions and give advice.”

Contentious trusts & probate

“Sound, intelligent advice and support.”

“Exceptional advice and persuaded me to agree to mediation. This proved to be excellent advice and helped achieve a fantastic result, avoiding court costs.”

“Client-focused and provide realistic straight-talking advice in a manner clients can easily understand. They are very experienced around the legal issues but also have their eye on costs.”

Corporate & commercial

“Able to manage demanding and challenging stakeholders – always with a smile on their faces.”

“Highlights risks in a commercial manner. Doesn’t labour incidental points, a characteristic that helps keep processes moving and on track.”

“Always has a solution when required to get through a log-jam and able to manage diverse stakeholders to ensure a consensus solution is found.”

Debt recovery

“Pannone are very good at replying and explaining their process. We can call them anytime and they pick up – not the case with other firms.”

“The personal touch and the relationships with people at Pannone. They have held inhouse training at their Manchester office to help myself and my staff understand the legal process.”

Employment

“Supported several very complex cases and always quick to respond, giving excellent and considered advice. They understand our business and some of the difficulties we face and apply this when giving advice.”

“‘We have built a strong relationship with the whole team and no matter what the issue, any of them can be approached and you can trust that if it is not their area of expertise they will liaise with the subject expert within the team before providing advice.”

“Their employment law knowledge is fantastic, and they present this in a simple yet effective way.”

Health & safety

“An outstanding partner to myself and the whole business. Nothing is too much trouble.”

“Undoubtedly the firm to watch in the North West, buckets of experience mixed with in-depth knowledge of the regulatory landscape means the firm is going from strength-to-strength.’

“The class act of the North’

Insolvency & corporate recovery

“A very commercially sound and technically gifted team who provide an excellent service.”

“Excellent technically and commercially, and fun to work with.”

“Strong technically, very commercial, results-orientated and well-respected in the market.”

“A good communicator and always willing to take a commercial view.”

Intellectual property

“Pannone have kept up with us every step of the changes in our organisation, and their diligent handling of our cases has played a significant part in our organisation’s success post-pandemic. They are consistently a pleasure to deal with – no matter the query or the request, the team work tirelessly to meet our expectations.”

IT & telecoms

“Adept at providing commercial and pragmatic advice which comes from being experts in the sector.” 

“Manages to provide the right level of advice for our business without over-engineering it.”

Media & entertainment 

“Highly professional, supportive and excellent advice”

“An ability to see around corners…always my first choice.”

Property litigation

“A very cohesive and proactive team, which is essential to support our sometimes urgent and time-critical requirements.”

Notable individuals

Hall of Fame

Melanie McGuirk – Intellectual Property

Tim Hamilton – Corporate and Commercial

Leading Individuals

Amy Chandler – Intellectual Property

Amy Chandler – IT and Telecoms

Nicola Marchant – Contentious Trusts and Probate

Paul Jonson – Commercial Litigation

David Brown – Property Litigation

Melanie McGuirk – Media and Entertainment

Jack Harrington – Employment

David Walton – Health and Safety

Next Generation Partners

Gemma Staples – Property Litigation

Jonny Scholes – Contentious Trusts and Probate

Rising Stars

Sarah Bazaraa – Intellectual Property and Media & Entertainment

Arshnoor Amershi – Corporate and Commercial

Andrew Walsh – Corporate and Commercial

Earlier this year [July], the EU adopted a decision that will see the free flow of personal data between the EU and the US – a move that will undoubtedly be welcomed by trans-Atlantic businesses. The adequacy decision for the EU-US Data Privacy Framework will allow the free transfer of personal data between EU and US companies participating in the framework on the basis of binding safeguards. 

Under the EU GDPR, the European Commission (EC) has the ability to determine whether jurisdictions outside of the EU offer an adequate level of protection for EU citizens’ personal data. The effect of such an adequacy decision is that personal data can freely flow between the EU and the non-EU jurisdiction without additional safeguards needing to be put in place. Those additional safeguards included, for example, the use of EU approved Standard Contractual Clauses (SCCs) in contracts between the data exporting and importing parties, and the carrying out appropriate data protection impact assessments. In relation to EU-US data flows, this decision is highly valuable, with the White House stating that there are more data flows between the EU and the US than anywhere else in the world. 

This is not the first time the EU and the US have attempted to put a framework in place for the free flow of data. The two previous decisions of the EC, the Safe Harbor, put in place in 2000, and the Privacy Shield put in place in 2016, were declared invalid by the European Court of Justice (ECJ) in 2015 and 2020 respectively, following challenges from privacy activist Max Schrems. These decisions were invalidated in part because of programmes allowing US authorities to access personal data transferred from the EU for national security purposes. This meant US domestic law limited the protection of EU citizens’ personal data in a way that did not provide for an essentially equivalent, and therefore sufficient, level of protection as guaranteed by EU law. 

The EC has stated that “new binding safeguards have been introduced to address the points raised” by the ECJ in 2020, including limiting US authorities’ access to data to the extent that it is “necessary and proportionate to protect national security”. The Data Protection Review Court has also been established, allowing EU citizens an independent redress mechanism which will investigate and resolve complaints relating to access to their data by US authorities. 

Joe Jones, director at the International Association of Privacy Professionals said that there had been “significant reforms” to the US’s surveillance safeguarding, and that the Data Privacy Framework was not just a “reheating” of the two previous attempts. However, he also said “the question is: is it good enough?” Perhaps predictably, Max Schrems is unenthused about the proposed agreement. noyb, the not-for-profit organisation led by Schrems, states that data agreements with the US will not work unless the necessary changes in US surveillance law are made, which is yet to happen. Schrems is quoted as saying that simply calling something ‘new’, ‘robust’ or ‘effective’ will not be enough for the Court of Justice, and noyb have already prepared various challenges to be filed with the ECJ. 

But what does this mean for the UK? The adequacy decision does not apply to UK-US personal data flows. In June 2023, the UK and US announced that a commitment in principle had been reached in relation to a proposed data bridge allowing for the free flow of data between the UK and US organisations that have been certified under the scheme. The data bridge would act as an extension to the EU-US Data Privacy Framework, purportedly providing businesses with an annual saving of £94.2 million. However, if the EU-US Data Privacy Framework is subject to challenge and ultimately declared invalid, this may affect the UK-US data bridge. There are also further concerns that the scope of the data bridge could bring the EU’s UK adequacy decision into question. 

For now, the new adequacy decision will facilitate EU-US data flows. It will be interesting to see how the challenges from privacy campaigners develop and what effect this will have on efforts to facilitate the transfer of data between the UK and US.  

UK businesses trading in the US may wish to consider the following steps in preparing for the introduction of the UK-US data bridge:

• Until the data bridge enters into force, businesses should ensure they continue to implement and use the correct safeguards, for example, by using the form of agreements approved by the UK ICO, namely the International Data Transfer Agreement (IDTA) or International Data Transfer Addendum (UK Addendum). Both of these agreements incorporate approved SCCs.
• Businesses should update and review data sharing agreements in place with US companies, pending the entry into force of the data bridge. 
• It is worth businesses being aware that according to the US Department of Commerce, US companies that are certified under the Privacy Shield should be able to easily self-certify under the new Framework. Businesses can check the Shield participants here: https://www.dataprivacyframework.gov/s/participant-search. Given that both the new agreements seem to be based on the previous Privacy Shield, it’s a good indication whether businesses will be able to easily enter into a data transfer when the data bridge enters into force.
• If businesses have been cautious about trading in the US due to the restrictions on data sharing, it may be worth re-evaluating this point. When the data bridge enters into force, the process to comply with it should be much simpler. European data exporters should find the compliance process less complicated for data transfers to the US, as the burden of documentation and compliance will mostly be shifted to the participating US data importers by virtue of the requirement to self-certify under the EU-US Data Privacy Framework. 

Pannone Corporate has revealed its role on the sale of a Lancashire-based environmental and engineering company to Adler and Allan.

Detectronic, based in Colne, helps customers prevent flooding and reduce pollution. The company designs and manufactures a range of flow and level monitors for wastewater monitoring, including its LIDoTT range of sewer level monitoring devices.

Harrogate-based environmental services company Adler and Allan snapped up the business to further enhance its wastewater telemetry and monitoring capability.

Pannone’s corporate team advised the shareholders of Detectronic on the deal, with a team including corporate partner Tom Hall and senior associate Andrew Walsh, alongside Renee Neophytou and Lizzie O’Leary.

Hall said: “Since we first started working with the team at Detectronic more than a decade ago, the company has built up an unrivalled reputation for its innovative and creative approach to environmental services, with extensive experience in sewer and wastewater management.

“The business has achieved enormous success in recent years and the sale to a company of the ambition of Adler and Allan marks an important chapter in Detectronic’s growth journey. As a long-standing and trusted client, we look forward to seeing how the company flourishes under the expert stewardship of Adler and Allan.”

Phillips said: “PM+M has seen a real surge in transactions over the last few months, with Detectronic being the latest. We are delighted to have advised on this deal; Detectronic is a great Lancashire business and the synergies created as part of the acquisition will allow Adler and Allan to expand its market reach.

“It will add huge leverage and will enable the company to go from strength to strength. We wish them all the best for the future.”

Pannone Corporate has advised on the £1.5 million seed fundraise for transformative technology company Sticky.

The fast-growing start-up has been backed by prominent UK venture investors to help drive growth in the leisure and live events markets worldwide. The fundraise was led by Praetura Ventures, with backing from Cornerstone Partners. Follow-on funding was provided by SFC Capital, as well as new angel investors.

Pannone’s corporate team advised technology entrepreneurs and Sticky co-founders James Garner and Priscilla Israel. The team included corporate partner Tom Hall and Behzad Borang.

Hall said:

“Sticky is a hugely exciting business which is making physical spaces more engaging and revenue generating.

“In a short space of time, the business has grabbed the attention of global players through its simple no-low-code solution – one which enables brands to capture the attention of consumers in physical environments and let them achieve something or pay for something in 10 seconds or less. This fundraise is another significant milestone for the company and the start of an exciting journey for James, Priscilla and the team.”

Sticky has developed unique branded stickers – ‘stickies’ – each embedded with the company’s innovative near field communications-based technology (NFC). The creative stickers can be placed anywhere within stores, venues and other physical spaces. Consumers simply tap them using their phone, without an app, sign up or opening their camera. Sticky remembers you without an account and every sticker is unique, so consumers never have to choose where they are.

The tech company has already generated more than one million ‘taps’.

Priscilla Israel said:

“With one tap of a sticky, an interaction or payment is complete in 10 seconds or less. By applying this technology to their payments stack or replacing it entirely, our customers can turn any physical location into a point of sale, increasing revenue and customer satisfaction. Happy customers spend more money.”

James Garner added:

“Our seed funding will help us become the leader in consumer leisure and other markets, whilst letting the world build software for physical spaces 10x quicker than before. We won’t stop until every interaction in a physical space is 10 seconds or less.”

On 8 March, a new Data Protection and Digital Information Bill (No. 2) (the Bill) received its first reading in the House of Commons. This Bill replaces the Data Protection and Digital Information Bill (the DPDI Bill), which was introduced in July 2022 before being paused in September 2022. In its press release, the Government said:

• the Bill is a “new common-sense-led version of the EU GDPR”
• it will “reduce costs and burdens”
• it will “remove barriers to international trade”, and
• it will “cut the number of online repetitive data collection pop-ups online”.

Although the Bill has been introduced as separate bill, its proposals for data reform are broadly the same as those contained in the DPDI Bill.

Grace Astbury summarises the key provisions of the Bill and the implications for the UK data protection regime below.

The proposed changes seem to be more of an evolution of the UK GDPR rather than a complete departure, alleviating some but not all of the compliance burdens under the UK data protection regime. Businesses will be afforded some greater flexibility in meeting the legal requirements for their data processing activities. Should the Bill be passed in its current form, businesses should carefully consider whether their current practices and procedures meet the requirements under the Bill. However, at this stage businesses should not take any immediate steps to modify their practices. It is likely that in most cases, where a business is GDPR-compliant, they will also be compliant under the new regime proposed by the Bill.

Michelle Donelan, Science, Innovation and Technology Secretary stated that “no longer will our businesses have to tangle themselves around the barrier-based European GDPR”. However, whilst the changes move the UK’s data protection regime away for the EU GDPR, the Bill cannot make changes to obligations under the EU GDPR. Therefore, businesses processing the personal data of individuals based in the EEA will still be required to comply with the EU GDPR. Businesses who process the personal data of both UK and EEA based individuals may have little desire to have separate data practices for their EU and UK operations.

On 17 April 2023, the second reading of the Bill took place, which gave MPs a chance to debate the main principles. The Bill passes this stage but in the course of the debate, concerns were raised in relation to the ICO’s independence, the UK’s adequacy status with the EU and the overall complexity of the Bill. The Opposition welcomed the Bill’s overarching principles but suggested that it did not go far enough. The Bill will now proceed to Committee stage to be scrutinised line by line. The first sitting of the Public Bill Committee is expected to be on 10 May, with the Committee being scheduled to report by 13 June. It remains to be seen what amendments could be on the horizon.

In the coming months, businesses will need to watch out for confirmation of the timing for implementation of the Bill and whether there is general cross-party support for the proposals. Further, the European Commission is yet to release its view on the proposals for reform under the Bill, raising the question – is the UK on a collision course with its adequacy decision with the EU?

For those working in the legal profession, the Legal 500 rankings are an annual fixture in a firm’s calendar. The rankings are based on client feedback about what it’s like to work with lawyers, and which firms excel in particular areas.

As a firm, we rank favourably across the practice areas in which we operate and this is testament to our belief that our talented team is even greater than the sum of its parts.

We also believe in celebrating recognition for an outstanding performance, which is why it’s fantastic to see some of our team named in the Legal 500 Northern Powerhouse Awards shortlist. This shortlist has just been announced to recognise the lawyers, law firms and in-house legal departments setting the pace in the region, providing a platform to celebrate their achievements over the last 18 months.

The shortlists and winners were based on the Legal 500’s independent research for their annual UK Solicitors guide and winners will be selected by a judging panel.

We would like to congratulate our colleagues below on being shortlisted by the Legal 500 and look forward to the awards in March.

• TMT – rising star – Sarah Bazaraa
• Corporate – rising star – Andrew Walsh
• Private client litigation – lawyer of the year – Nicola Marchant
• TMT – firm of the year – Pannone Corporate IP/IT team

Pannone Corporate – the North West law firm – has strengthened its commercial and real estate teams with the appointment of Andrew West and James Harris as partners.

Andrew, who set up his own commercial law firm Rushmoor Law 11 years ago, following more than a decade as partner at law firm Squire Patton Boggs, brings more than 30 years’ experience in advising a range of clients on IP/IT, data and commercial issues. Andrew will work alongside partner Amy Chandler in one of the region’s most prominent commercial teams.

James joins from Knights plc, where he was a commercial property partner for more than three years. He was previously the Managing Partner of Chester-based commercial law firm, Jollife & Co LLP, for 12 years. James brings considerable experience in residential and commercial property development, as well as licensing for restaurants and public houses.

Paul Jonson, senior partner at Pannone, said: “We’re delighted to welcome Andrew and James to the firm – two senior hires who will add significant strength and depth to our commercial and real estate offering. Both markets have huge potential for us and Andrew and James will complement our existing teams in capitalising on the opportunities for growth.”

Their arrival follows the news that Pannone has been appointed onto the legal framework for the Canal & River Trust. The firm will provide construction and property litigation support, as part of a five-year agreement.

Andrew commented: “Having worked alongside Pannone for a number of years in a consultancy role, I have built up a strong relationship with both the team and clients. When the opportunity arose to join such a well-established firm on a more permanent basis it was an easy decision to make and a seamless move. It’s very much business as usual for me.”

Commenting on the sector, he said: “There is a real opportunity in the technology services space, as corporate customers continue their digital transformation across all areas of operation. This is underpinned by the proliferation of cloud services, which enables businesses to test and adopt new technologies at a quicker rate.  This trend has been accelerated as a result of COVID-19, and currently shows no sign of a slowdown,  despite the obvious economic headwinds.”

James added: “There is also considerable market opportunity in commercial development, which remains buoyant, with licensing continuing to recover following an extremely challenging two years. I’m delighted to be joining such a dynamic and experienced team, and hope to bring both sector and management expertise to the role.”

Culture is everything and it was one of the key drivers in Kenneth Tang choosing to join Pannone in October 2021.

“The firm’s culture is centred around approachability, both for clients and for its staff,” explains Kenneth. “Before joining, I read that the firm was considered a leading alternative to national practices. This really came through during my interview for the role.”

The quality of work and the team structure were also important factors for Kenneth. “Pannone offered me the chance to work within a firm that carried out high quality commercial work,” says Kenneth. “The team’s structure promotes collaborative working, where partners are directly involved in cases – which is really beneficial for junior members of the team.”

Six months into the role, we caught up with Kenneth as part of our series ‘My Life in Law’, and talked about his role as a solicitor in the Dispute Resolution team, specialising in real estate litigation.

Tell us a little bit about your background, before joining Pannone?

“Prior to qualifying, I worked as a Court Advocate, before becoming a paralegal,” Kenneth explains. “I was a trainee at Stephensons Solicitors, where I had seats in the commercial litigation and discrimination departments.”

“In that role, I advised on a number of matters, including general commercial contracts, restrictive covenants, property disputes, and professional negligence. I was heavily involved in a case that went to the Court of Appeal, which became one of the leading authorities on seeking interim relief against public bodies.”

Kenneth graduated from the University of Manchester with a degree in Ancient History. He then went on to study the GDL at the University of Law before going on to do the LPC at BPP University.

Now as a fully-fledged solicitor, Kenneth is getting stuck into the role in the Dispute Resolution team. The most satisfying aspect of Kenneth’s role is tackling ‘new and interesting issues’ every day.

“So far, I’ve been involved in a wide range of disputes, including lease termination and renewal, adverse possession, easements, forfeiture, breach of covenant, as well as residential and commercial possession,” he says. “Other areas of work include breach of contract, breach of warranty, debt recovery and unjust enrichment.”

The role is vast and varied, and when asked what a typical day looked like, Kenneth responded saying “emails, emails and emails.”

Looking forward, what are your career ambitions?

“My immediate goal is to become an integral part of the very talented team at Pannone Corporate. I want my practice to be built on being more frank and open with clients. Clients need lawyers to be their advisers, not their friends.”

Outside work, Kenneth enjoys films and sport. “My favourite film is Christopher Nolan’s The Dark Knight, and my favourite football team is Liverpool FC (my dad named me after Kenny Dalglish!),” says Kenneth.

While Kenneth is building a reputation in Dispute Resolution, there is one particular skill that his work colleagues may not know about him. “I grew up near Blackpool’s promenade and became very good at arcade games,” admits Kenneth. “Time Crisis is a game I am particularly adept at!” As one of the most celebrated arcade shoot-em-up franchises ever made, that’s not a bad game to excel at!

In our last update of 2021, we look at the IP stories and case updates making headlines across the UK and around the world.

In December’s edition of our monthly IP round-up, we delve into a Stormtrooper helmet NFT dispute between artists and a curator, the high-profile Supreme Court decision of Lloyd v Google, and Walmart’s issue with Kanye West’s Yeezy LLC. In a more festive theme, we also look at why John Lewis is being urged to donate the proceeds of its Christmas advert to charity, and the importance of clear wording of online promotions as shoppers hit the sales.

Read our monthly IP round up here.

If you would like to discuss these topics in more detail, have any questions or would like to receive our IP round-up directly to your inbox by email each month, contact Melanie or Amy:

Melanie McGuirk on 07790 882567 or email melanie.mcguirk@pannonecorporate-com.stackstaging.com

Amy Chandler on 07920 237674 or email amy.chandler@pannonecorporate-com.stackstaging.com

Dr Patricia Jones is a data protection lawyer at law firm Pannone Corporate: 

This case was brought by consumer rights activist Richard Lloyd alleging that Google had breached its data protection obligations under the Data Protection Act 1998 (DPA 1998) by using the browser generated information of more than four million Apple iPhone users.

Mr Lloyd had brought the case as a representative action on behalf of all the affected iPhone users arguing that they had the same interest.  The Supreme Court disagreed.  It considered that individual assessments of the entitlement to damages of each user would be required. The Court considered it necessary to establish what, if any, unlawful use Google had made of each user’s personal data and what damage had been suffered by the user as a result. The Court did not consider that damages can be awarded for a breach of the DPA 1998, where the individual doesn’t suffer any material loss or distress as Mr Lloyd had argued.

“Although the Supreme Court’s ruling in favour of Google was made under Data Protection Act 1998 which is no longer in force, it will make it more difficult for people to seek compensation for a data protection breach when they have suffered no material loss or distress. The decision will have implications for the bulk compensation claims that can typically follow a data breach affecting a large number of individuals and impact on the burgeoning data protection claims industry that has grown up. There are a number of data protection representative actions which were on hold pending the Supreme Court decision and it will be interesting to see what happens to them.

“Despite the judgement going in favour of the internet giant, it should act as a strong reminder to businesses – both large and small – about the importance of complying with the data protection legislation when collecting and using customer data. If businesses get it wrong, they could potentially face sanction from the Information Commissioner’s Office as well as compensation claims.

In the first of our quarterly retail law updates, we look at the latest news and legal developments affecting the sector.

It covers the upcoming Children’s Code, which will come into force in September and will impact those online retailers that currently process personal data of under 18s. We also look at the new guidance on buy now, pay later, as well as key fashion cases setting the tone for the industry, including when drawing inspiration becomes infringement.

Read our quarterly update here https://discover.pannonecorporate.com/retail-update

If you would like to discuss these topics in more detail, or have any questions, contact partner, Melanie McGuirk on 07790 882567 or email melanie.mcguirk @pannonecorporate-com.stackstaging.com

The growth in online retail hit a 13-year high in 2020, as bricks and mortar retailers were forced to close their doors for large parts of the year.

The momentum behind eCommerce was already gathering pace, but the global pandemic has only served to accelerate this growth, resulting in an increase in online retail sales of 36% year-on-year in 2020, according to the latest IMRG Capgemini Online Retail Index.

Government-imposed restrictions were debilitating for the high street, but presented online retailers with the upper hand, as consumers continued to move towards digital channels in an attempt to navigate a series of tiered lockdowns.

There’s little doubt that retail in 2020 was fundamentally shaped by the coronavirus. As we continue on the roadmap to recovery, the question now is whether the online momentum can be sustained, and whether online retailers can capitalise on the largest growth seen in the market since 2007.

Data, data, data

While adaptability was crucial in 2020, it’s on the utilisation of customer information that will be key to providing a more personalised and targeted consumer approach moving forward – particularly for retailers trying to harness the last year’s online trading boom now that physical stores are re-opening in the UK.

Even retailers without an online sales platform, such as Primark, often have a strong online presence, utilising social media channels, influencers and online gaming. This can help retailers stay connected with consumers, build a sense of community and loyalty to the brand and maintain a relevance in the virtual world.

The main commercial driver for online expansion, aside from sales, is the collection and utilisation of personal data. But retailers have to be smart to maximise the potential this has and translate it into improvements in the customer journey and, ultimately, sales.

Since the implementation of the GDPR, consumers are increasingly savvy about the monetisation of their personal data and find certain marketing techniques intrusive. The ‘holy grail’ for retailers is to collect personal data in a discrete and authentic manner, whilst still complying with transparency and fairness obligations of the GDPR.

Challenges to online retailers

The challenge for retailers is that many consumers are tired of the over-use of marketing emails, although there is a proven record that these do lead to increased sales. Fairly recent changes to the interpretation of cookies rules in the UK (PECR) have made it harder to set cookies that are beneficial to retailers, rather than merely essential for the operation of the website. Many retailers are not yet completely compliant with these rules, demonstrating the tension between lawful practices and maintaining a competitive advantage.

Under PECR, retailers should obtain opt-in consent before setting cookies which track user behaviour on other websites. What’s more, they should have some form of marketing consent prior to sending any “abandon cart” emails that prompt consumers to complete the checkout process. Collecting this type of data is extremely valuable to retailers and helps inform future product lines, advertising campaigns and business strategy. Clearly, it’s not possible to obtain this kind of detailed personal data in real life – shop assistants are not about to starting following customers down the high street or harassing them to come to the checkout!

However, many retailers are able to combine online behaviour with real life activity to truly monopolise on consumer insights. For example, they can offer free Wi-Fi in-store and link reward cards to online accounts.

As we all adjust to living in the real world again, it will be interesting to see whether the online growth can be maintained and to what extent retailers are able to convert an enhanced online presence into sales in physical stores. Interestingly, the IMRG Capgemini Online Retail Index shows that it was actually multichannel retailers that performed better than online-only counterparts for the first time since 2017, with growth of 57% vs 9.1%.

Over the next 12 months we expect the UK data regulator, the ICO, to have a close eye on the innovative ways in which retailers are collecting data and perhaps start to take action against those who are not fully complying with the requirements of PECR.

If you would like to understand more about the latest regulations on data, email Danielle Amor on danielle.amor@pannonecorporate-com.stackstaging.com or call 07920 237676.

Yesterday’s ASA (Advertising Standards Authority) report on influencers highlights that over a three-week period, 65% of the Instagram stories monitored (over 15,000 stories) were not clearly labelled and identified as advertising content (as required by the CAP Code).

This ASA report has put influencers promoting products on social media back under the spotlight as so many have failed to meet the compliance standards required. The headlines focus on the fact influencers may be named and shamed if they don’t comply, but what does this mean for the brands and retailers that build campaigns around these partnerships?

The background

The code requires that any paid for advertising is clearly labelled with #ad or similar and social media companies have introduced tools to allow brands to advertise more transparently on their platforms, such as through the “Paid partnership” tag on Instagram. For a while, it did seem that celebrities and influencers were using the ad hashtag, after a few high-profile mistakes, but this has clearly fallen off the radar in recent times, at the same time as massive growth in this form of advertising.

The main issue is the huge disconnect between the ASA focus on protecting consumers from subliminal advertising and the influencer’s priority of maintaining an “authentic” image that is not tainted by sponsorship. The appeal of these social media pages is that they give followers an insight into the “real” life of the influencer or celebrity, which is aspirational and which many followers will want to emulate. If the followers realise that the content is only being promoted due to the financial relationship with the advertised brand, the content will naturally lose some of its appeal. In turn, this can lead to the influencer losing followers and this diminishes their appeal for other brands. It’s a bit of a vicious circle.

What does it mean for brands and retailers?

In the early days, big brands worked very closely with any talent representing their brand to ensure that the content they pushed out set the right tone and was compliant. Brands have moved away from this with influencers, most likely due to the push by influencers to maintain control of their channels and their image. In turn, brands have likely left responsibility for compliance with the influencer, which is not always the best move. Brands should consider doing their own due diligence on an influencer’s track record for compliance as part of their partnership campaign planning.

Brands have a lot to lose by picking the wrong influencer and falling foul of the CAP Code. Consumers often put a lot of trust in the accounts they follow and if they feel they have been misled or manipulated, they will quickly switch off from the influencer and the brand. It can be very difficult to come back from online setbacks as numerous brands have shown; but well targeted campaign can be hugely successful. Over the coming months, expect to see more collaboration and guidance from brands with influencers to make sure they hit the right mark. But if the media spotlight moves on to something else, you can expect to see these practices slipping back in.

Never has it been easier to buy and sell online. But in a changing world, what considerations do online retailers need to make when selling overseas? Danielle Amor explains to First Voice magazine.

 Danielle Amor, Director in the Commercial Services team, says that moving online has never been easier or been more vital. But, while the internet and social media have opened up a sea of opportunities for independent retailers, the ability to engage with larger audiences outside of the UK is not risk free.

“Trading online has never before offered as much opportunity; but, with cross-border sales comes a host of legal and compliance considerations that every business, large or small, must be aware of. The secret is to start off small – focus on your key markets and set up your online shop to meet those overseas obligations, before branching out further afield.”

Read the full article on the First Voice website.

New ICO guidance on dealing with subject access requests

New guidance has been released by the Information Commissioner’s Office (ICO), concerning an individual’s right to ask an organisation whether or not they are using or storing their personal information and to request copies of their personal information – commonly known as subject access requests (SARs).

The detailed guidance focuses on how data protection officers and those responsible for data protection within an organisation should respond to SARs under the GDPR. The guidance contains valuable, practical advice and working examples. It covers how to recognise a SAR from an individual; how to locate and retrieve their personal data; and how to supply the information to that individual.

The changes follow a public consultation and provide clarity on key points which were raised, including:

• How to stop the time limit for responding to a SAR whilst waiting for clarification regarding the SAR
• What is a manifestly excessive SAR
• The fee that may be charged for a manifestly unfounded or a manifestly excessive SAR

Time limit for a SAR

Ordinarily a SAR has to be responded to ‘without undue delay’ and, at the latest, within one month of receipt of the SAR or, where applicable, receipt of the individual’s ID documentation (where the organisation has requested verification of the individual’s identity) or the fee payable by the individual (where a fee has been charged to the individual for a manifestly unfounded or a manifestly excessive SAR).

The time limit is calculated from receipt of the SAR (or ID documentation or fee) until the corresponding calendar date in the next month. If there is no corresponding date in the next month, the deadline for the response is the last day of the next month. For example, if the date of receipt is 30 January, the deadline would be 28 February (or 29 February in a leap year). If the corresponding date in the next month falls on a weekend or a public holiday, the deadline for the response is the next working day.

Time limit for a complex SAR

The time limit can be extended by a further two months, if the SAR is complex or an organisation has received a number of requests from the individual (this includes SARs and other data subject right requests, such as the right to erasure).

The new guidance gives the following examples of factors that may add to the complexity of a request:

• Technical difficulties in retrieving the information
• Applying an exemption that involves large volumes of sensitive information
• Clarifying potential issues of disclosure of information about a child to a legal guardian
• Any specialist work involved in obtaining or communicating the information
• Clarifying potential confidentiality issues of disclosure of sensitive medical information
• Needing to obtain specialist (not routine) legal advice
• Searching large volumes of unstructured manual records (only applicable to public authorities).

It’s important to be aware that although searching large volumes of information may add to the complexity of the SAR, this does not of itself make the request complex.

Stopping the clock

An organisation can ask for clarification on a SAR if clarification is genuinely required and if it processes a large amount of information about the individual. It is unlikely to be reasonable or necessary to ask for clarification if the organisation can obtain the information quickly and easily. Where it does ask for clarification, the time limit for responding to the request is stopped and resumes when clarification is received. This needs to be explained to the individual when the request for clarification is made. To calculate the time limit for the response, you need to work out when the response would normally be due (see above) and extend this by the number of days that the clock was stopped.

However, an organisation should still provide confirmation that it holds personal data about the individual, if that’s the case, and the supplementary information which it is obliged to give in response to the SAR within the one-month deadline. This is usually done by providing a link to or a copy of the organisation’s privacy notice.

Unfounded or excessive SARs

If a SAR is ‘manifestly unfounded’ or ‘manifestly excessive’, the organisation may refuse to comply, or charge a reasonable fee for the administrative costs of complying with it.

The guidance states that a SAR may be ‘manifestly unfounded’ if:

• The individual clearly has no desire to exercise their right of access, for example they offer to withdraw the SAR in return for some sort of benefit (monetary or otherwise) from the organisation
• The SAR “is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption”

However, where an individual genuinely wants to exercise their rights, it’s unlikely that the request is manifestly unfounded.

A SAR will be ‘manifestly excessive’ if it is clearly or obviously unreasonable. This is based on whether the request is proportionate when balanced with the burden or costs involved in dealing with it. Relevant factors include the nature of the requested information; the context of the request and the organisation’s relationship with the individual; the organisation’s resources; whether a refusal to comply will cause substantive damage to the individual; and whether the SAR largely repeats previous SARs and a reasonable interval hasn’t elapsed. When thinking about whether a reasonable interval has elapsed between SARs, the nature of the data and how often it is altered should be taken into account.

In each case, the word ‘manifestly’ means the unfoundedness or excessiveness must be obvious or clear, and the organisation must be able to strongly justify a finding of ‘manifestly unfounded’ or ‘manifestly excessive’. This is a high threshold.

The guidance gives some welcome clarification on how to determine a reasonable fee when dealing with a manifestly unfounded or excessive SAR. The organisation may take into account the administrative costs of assessing whether or not it is processing the individual’s personal data; of locating, retrieving and extracting the information; and of providing a copy of the information to the individual. However, no double charging is permitted. Specifically, a reasonable fee may include photocopying, printing and postage costs; the cost of transferring the information to the individual; the costs of envelopes or USB devices; and staff time, based on the estimated time it will take staff to comply with the request charged at a reasonable hourly rate. It’s good practice to establish an unbiased set of criteria for charging fees which explains an organisation’s standard charges and how it calculates the fee.

If you require more information, or need help with complying with a SAR, please get in touch with our data protection team.

In order to process personal data concerning EU residents in connection with the sale of goods or services or the monitoring of EU residents (either as a controller or a processor), you may need to  appoint a representative within the EU. This requirement (under Article 27 of the GDPR) is sometimes referred to as the “hidden obligation” as many organisations are unaware of it. From the end of this year, when the UK will no longer be subject to the Brexit transitional arrangements and will formally cease to be part of the EU, UK businesses will need to appoint such a representative if they do not have a formal presence within the EU but offer goods or services to individuals in the EU or monitor their behaviour.

Appointing a representative will not be a straight-forward process. The selection process will take some consideration, since the representative will have authority to represent the relevant controller or processor (the non-EU entity) in respect of all of their obligations under the GDPR within the EU, including before supervisory authorities (regulators). It will be crucial to appoint someone with a good grasp of data protection laws and an understanding of the nature of the processing activities being undertaken by the non-EU entity. The representative should be appointed in writing and their details will need to be made available to EU data subjects and regulators (such as on the non-EU entity’s website and in its privacy policy).

In addition, the representative must be able to facilitate communications with EU data subjects and maintain a record of processing activities on behalf of the non-EU entity. The representative will need to be located in the member state where the relevant EU data subjects are located, or where most of them are, and should be able to converse in the local language (or ideally multiple languages of the EU). Some non-EU entities operating across the EU may need to consider appointing multiple representatives. The European Data Protection Board has advised that a representative should not be the same person as the non-EU entity’s data protection officer or their processor due to the potential for a conflict of interest.

Failing to appoint a representative could result in a fine of up to (the higher of) €10 million or 2% of annual worldwide turnover.

Although it is ultimately the responsibility of the non-EU entity to comply with the GDPR with respect to EU data subjects, regulators are able to initiate enforcement action through a representative, including addressing fines and penalties to the representative.

Public authorities are exempt from the requirement to appoint an EU representative, as are any non-EU entities that only process occasional personal data that does not include a large amount of special category or criminal data and which is unlikely to result in a risk to the rights and freedoms of individuals.

Of course, given the intended incorporation of the GDPR into UK data protection law at the end of the transition period, EU entities without a presence in the UK may correspondingly need to appoint a UK representative from 1 January 2021.

Please get in touch with our data protection team if you require more information or need help with appointing an EU representative.

On 16 July 2020, the CJEU gave its long awaited decision on international data transfers in C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II).

The court ruled that the EU-US Privacy Shield (Privacy Shield) is invalid and can no longer be relied on to transfer personal data from the EU to the US. The court also held that standard contractual clauses (SCCs) cannot be relied on alone for a lawful international transfer. So what now for international data transfers?

International transfers under the GDPR

The GDPR restricts the transfer of personal data outside the EU to help ensure that the data protection rights of individuals are not undermined. Transfers of personal data can only be made in limited circumstances including:

• To a country which the European Commission has decided ensures an adequate level of data protection, but these are limited in number.
• Transfers governed by SCCs (also known as model clauses) between the data exporter and data importer. The SCCs have been approved by the European Commission with separate SCCs for        controller to controller transfers and for controller to processor transfers.
• Transfers between group companies governed by Binding Corporate Rules (BCRs). These are bespoke agreements which have to be approved by the ICO (or relevant supervisory authority) and are less common.
• Until recently, transfers to a US data importer that is a member of the Privacy Shield. This is a framework that was set up by the US Department of Commerce and the European Commission as a mechanism to comply with data protection requirements when transferring data from the EU to the US. It is commonly used by organisations to make data transfers to the US.

The end of the Privacy Shield

In Schrems II the CJEU found the Privacy Shield to be invalid with immediate effect. The court was concerned about access to personal data by US security bodies under US law and did not consider that individuals whose data had been transferred had effective remedies. All data transfers to the US which rely on the Privacy Shield are now illegal.

The US Department of Commerce is continuing to administer the Privacy Shield despite Schrems II and has made it clear that the decision does not relieve a participating US company of its Privacy Shield obligations.

What about SCCs and BCRs?

The CJEU has clarified that SCCs are still valid to make data transfers. However, they are not in themselves enough to make a transfer lawful and so cannot be relied on alone.

Individuals whose personal data are transferred outside the EU pursuant to SCCs are to be afforded a level of protection essentially equivalent to that guaranteed in the EU by the GDPR. The CJEU set out that supplementary measures may need to be adopted by a data controller, in addition to the SCCs, depending on the “prevailing position in a particular third country” in order to ensure compliance with the level of data protection required under the GDPR.

For data transfers to the US, supplementary measures are required, given the position under US law which led to the Privacy Shield being invalid. The European Data Protection Board (EDPB) has confirmed that data can only be transferred to the US if these supplementary measures, along with the SCCs, ensure appropriate safeguards and US law does not affect the adequate level of protection that they guarantee. The nature of these supplementary measures is currently unclear (see below).

For data transfers to other countries, the EDPB has set out that the data exporter and the data importer should assess whether the level of protection required under the GDPR is respected in that country in order to determine if the SCCs can be complied with in practice. If not, an assessment is to be made on whether supplementary measures can be put in place to ensure an essentially equivalent level of protection to the GDPR and whether the law of the recipient country will prevent their effectiveness. No data should be transferred pursuant to the SCCs if it is not afforded a level of protection essentially equivalent to that guaranteed within the EU.

The EDPB has clarified that the position for BCRs is the same as for SCCs and that supplementary measures may be required in the particular circumstances of the transfer.

What does this mean for your international data transfers?

The CJEU decision leaves international data transfers in a state of uncertainty. It has brought about an abrupt end to the Privacy Shield and at the same time brought uncertainty to the use of the alternatives, SCCs and BCRs.

The CJEU decision points to the possible need for “supplementary measures”, but gives little guidance as to what these may be. However, it seems likely that they will be technical or organisational measures, such as encryption, rather than contractual. One of the main issues of concern identified by the CJEU is access to the data by security or other authorities which would not be addressed by additional provisions in the SCCs, as the authorities are not a party to the contract between the data exporter and data importer. The EDPB has promised more guidance on supplementary measures. Organisations that make US transfers should keep a look out for this.

In the meantime, the ICO has recommended that “you should take stock of the international transfers you make and react promptly as guidance and advice becomes available”. Organisations should therefore undertake an audit of their international transfers outside of the EEA to ascertain which countries data is being transferred to and the basis for the transfer, whether an adequacy decision, Privacy Shield, SCCs or BCRs. This includes for any international transfers made by processors on their behalf. For data transfers to countries other than the US, where SCCs or BCRs are used, organisations should assess the level of protection conferred in that country taking into account local law. For data transfers to the US which currently use the Privacy Shield, organisations need to urgently consider alternatives, including potentially restricting data processing to the UK or EEA.

The implications of Schrems II are difficult for businesses, particularly in the currently climate. The ICO has said that it “understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.” Nevertheless, organisations should not ignore the implications of Schrems II, in particular for US transfers which use the Privacy Shield.

Patricia Jones, Consultant, patricia.jones@pannonecorporate-com.stackstaging.com

For further information please contact our specialist data protection team.
Amy Chandler, Partner, Amy.Chandler@pannonecorporate-com.stackstaging.com
Patricia Jones, Consultant, patricia.jones@pannonecorporate-com.stackstaging.com
Danielle Amor, Senior solicitor, Danielle.Amor@pannonecorporate-com.stackstaging.com

The chaos that has ensued from the regrading of A-Levels in the UK highlights far-reaching impacts of automated decision-making and why its use is restricted under the GDPR.

The law

Decisions which are based solely on automated processing which “produces legal effects concerning [the data subject] or similarly significantly affects [the data subject]” are prohibited under Article 22 of the GDPR.

There are some limited exceptions – (i) if the decision-making is necessary for the performance of a contract; (ii) if the decision-making is authorised by law and there are suitable safeguards for the rights and interests of the individual; or (iii) the individual has provided their explicit consent.

We can safely assume that A-Level students did not consent to the standardisation process! The other two exceptions do not apply here either.

The algorithm

Following a fairly thorough process, teachers provided a “centre assessed grade” (CAG) for each student in each subject and ranked each student in order from first to last. However, there was concern that the CAGs would be more generous than a usual exam mark. To moderate the grades, Ofqual developed an algorithm which took the CAGs and compared them to the performance of the relevant college and students in previous years to produce standardised grades across each cohort. These standardised grades were then allocated depending on the ranking awarded by teachers.

So, was the regrading solely the result of automated decision-making? Ofqual, in its privacy impact assessment, says not. Rather the algorithm “support[ed] the human intervention involved in the form of [CAGs] and rank orders … determined by teachers and signed off by other individuals within the centre”, with particular emphasis placed on the rank order.

The result

Almost 40% of CAGs in England were downgraded. Students attending smaller colleges and studying for more niche subjects, were more likely to receive their CAG as it was accepted that results are more likely to vary year on year and it was harder for the algorithm to work using less data. Many independent schools fell within this category. Students attending larger colleges and studying more traditional or popular subjects, typically in the state-sector, were less likely to receive their CAG. Further, if a percentage of students at a particular college previously received a U grade, for example, the bottom ranked students at that college were likely to receive a U grade, irrespective of their CAG.

The reaction

Rather than instilling public confidence, the use of the algorithm led to critics accusing Ofqual, exam boards and the government of systemic bias against students from more deprived backgrounds. The UK government and each of the devolved administrations has now announced they will be reverting to the CAGs where these are higher than the standardised grades.

What next

Whilst the immediate fury is likely to subside with the decision to revert to CAGs, threatened legal action under the GDPR and Equality Act could still proceed if university places have been lost due to initial regrading. Watch this space.

Danielle Amor, Senior associate, Danielle.Amor@pannonecorporate-com.stackstaging.com

For further information please contact our specialist data protection team.
Amy Chandler, Partner, Amy.Chandler@pannonecorporate-com.stackstaging.com
Danielle Amor, Senior solicitor, Danielle.Amor@pannonecorporate-com.stackstaging.com
Patricia Jones, Consultant, patricia.jones@pannonecorporate-com.stackstaging.com

The NHS Test and Trace system for COVID-19 was launched on 28 May 2020, some critics say with undue haste. The accompanying contact tracing app has had a first phase launch in the Isle of Wight. The purpose of these systems is to help control the spread of the virus. As part of this, large amounts of personal data will be collected. So how has data protection been addressed in these systems?

NHS Test and Trace system for COVID-19

The Privacy Notice for the system gives some insight into the type of data that is collected and why. It sets out that people who test positive will be contacted and asked to confirm or provide their full name, date of birth, sex, NHS number, home postcode and house number, telephone number and email address as well as details of their COVID-19 symptoms including when they started and their nature. They will also be asked to give the contact details of anyone they have been in close contact with who will then be contacted by text, email or by a contact tracer to provide their full name, date of birth and contact details as well as details of any COVID-19 symptoms. Some contact tracers will be employed by private companies which act as data processors in which case those people can only see the information of the contacts they are to call.
Public Health England (PHE) will keep the personal data for people with COVID-19 symptoms for 20 years and 5 years for contacts of those people who do not have symptoms. PHE justify this retention period on the basis that COVID-19 is a new disease and it may be necessary to know this information to help control any future outbreaks or provide any new treatments. However, privacy campaigners have expressed concern about the length of the retention period and the potential for personal data to be used by other government departments for other purposes.
It has been reported that PHE did not complete a Data Protection Impact Assessment (DPIA) before launch of the NHS Test and Trace system and that The Open Rights Group have made a complaint to the Information Commissioner’s Office (ICO) about this. Under the GDPR a DPIA must be carried out for processing which is likely to result in high risk to an individuals’ rights and freedoms, prior to the processing. In particular a DPIA must be carried out in the case of processing on a large scale of special category data, which includes health data, so one should have been carried out for the system. In certain cases the ICO needs to be consulted about a DPIA if the processing would result in a high risk and the controller cannot take measures to reduce that risk. In that case, the ICO will provide advice to the controller including in appropriate cases advice not to carry out the processing because the ICO consider it would breach the GDPR.
The DPIA serves the important purpose of considering the likely processing and helps to identify and mitigate the data protection risks. The reported lack of a DPIA before launch gives the impression that the data protection implications of the system have not been fully thought through and could be a factor which undermines public trust in it.

NHS Covid-19 App

On 7 May 2020 the ICO confirmed that it is reviewing the DPIA for NHSX’s pilot of its contact tracing app on the Isle of Wight. The ICO state that even though there is no legal requirement for NHSX to do so, NHSX has asked the ICO for an informal review of its DPIAs for the Isle of Wight trial and for a national roll out of the app. The ICO has agreed to do this as part of its support to NHSX.
Alongside this the ICO has prepared a document for the Human Rights Joint Committee which was sent in advance of an appearance before the Committee of the Information Commissioner and the ICO’s Executive Director of Technology and Innovation. This document sets out the ICO’s expectations on how contact tracing solutions may be developed in line with the principles of data protection by design and default and includes best practice recommendations. This makes clear that a DPIA must be completed prior to the commencement of the processing and updated at all relevant stages of the app’s development.

Conclusion

The ICO’s involvement with the NHSX contact tracing app is encouraging. However, it does seem that the NHS Test and Trace system has some further work to do to re-assure the public that the data protection risks have been considered and addressed.
If you require any further information or assistance please contact our specialist data protection team:

Amy Chandler, Partner, amy.chandler@pannonecorporate-com.stackstaging.com
Patricia Jones, Consultant, patricia.jones@pannonecorporate-com.stackstaging.com
Danielle Amor, Senior Associate, danielle.amor@pannonecorporate-com.stackstaging.com

To date the potential fines for non-compliance with the GDPR have attracted headlines. However, it is important for organisations to appreciate that there is also potential liability to pay compensation to individuals for a data protection breach. There is a developing claimant industry for compensation claims following a data protection breach. We round up below some recent cases and developments on data compensation claims.

Class action claim against EasyJet

On 19 May 2020 EasyJet reported that they had suffered a personal data breach relating to names, email addresses and travel details of 9 million customers and the credit card details of 2,208 people. Only 3 days later, on 22 May, a law firm publicised that they had issued a claim form on behalf of affected customers, that it would be now seeking a group litigation order and asking for affected people to join the claim. The litigation against EasyJet has been widely publicised by the national press, stoking up interest by individuals in making a claim.
EasyJet first became aware of unusual system activity in January 2020 but carried out investigations before informing affected individuals of the breach. They have reassured affected customers that there is no evidence that their personal data has been misused. However, those acting for claimants have described this as a monumental data breach which has had a serious impact on customers. It seems that the battle lines are being drawn for a claim for significant compensation, all at a very difficult time for the airline industry. In the meantime, EasyJet has reported the breach to the Information Commissioner’s Office (ICO) which is investigating.

Other recent breaches

The EasyJet personal data breach follows on from others in the airline industry. In March 2020, the ICO fined Cathay Pacific £500,000 for having failed to secure its systems from October 2014 to May 2018, leading to the exposure of the personal data of 111,578 customers’ from the UK and about 9.4 million more worldwide. The security breach took place before the GDPR, so this was the maximum fine that the ICO could impose.
The ICO has also indicated an intention to fine British Airways £183 million for a personal data breach in 2018 including payment card and travel booking details which involved about 500,000 customers. In addition, British Airways is currently facing court action from affected individuals for compensation. One law firm informs potential claimants that they will be able to claim significant compensation from British Airways ranging from thousands to tens of thousands of pounds.

Atkinson v Equifax Ltd

One issue is whether an Individual who has suffered no financial loss or distress from a data breach can still recover compensation.
These were the circumstances in the Atkinson case. The claim arose from a significant cyber-attack on Equifax US in 2017. Mr Atkinson brought a representative civil action seeking, according to his solicitors, compensation of £100 million on behalf of 15 million affected customers. He claimed damages for “loss of control” of his data. This followed the Court of Appeal judgement in Lloyd v Google which found that damages can be awarded for loss of control of data, even if there is no pecuniary loss or distress. Equifax Limited had already been fined £500k by the ICO, the maximum amount as this was a pre-GDPR breach, so the civil action represented further significant liability.
It has recently been reported by the barrister team acting on behalf of Equifax that, following service of the defence, Mr Atkinson is withdrawing his representative action and his solicitors have accepted that Equifax is entitled to recover its costs. Although this is not a reported case, it is indicative that there are limits on “loss of control” damages. The defence is said to have challenged the correctness of Lloyd v Google and its application to a cyber-attack case and must have been persuasive to lead to the withdrawal of the claim. Lloyd v Google has also been appealed to the Supreme Court so further developments on “loss of control” damages are expected.
However, the decision is unlikely to have an immediate impact on the mushrooming data protection claim industry, where the net for compensation following a data breach is usually cast wide to include damages for distress as well as for any financial loss and personal injury.

WM Morrison Supermarkets Plc v various Claimants

This is a recent Supreme Court decision which considered the circumstances in which an employer will be vicariously liable for a data protection breach committed by an employee. Importantly, the Supreme Court found that the employer, Morrisons, in the circumstances of this case was not vicariously liable.
The employee (S) was a senior auditor who as part of his job was given access to the payroll data of the whole workforce. Unbeknown to Morrisons S harboured a grudge which led to him copying and uploading the data of nearly 100,000 employees to a publicly accessible file sharing site as well as sending data to various newspapers. S took extensive steps to cover his tracks but was eventually caught and imprisoned. Morrisons spent more than £2.26 million in dealing with the aftermath of the disclosure.
A group action for damages was commenced by 9,263 employees/former employees who alleged they had suffered distress because of the disclosure. If successful Morrisons faced potential claims from all the affected individuals, so its potential liability was significant. In both the High Court and the Court of Appeal, Morrisons was found not to be directly liable for the disclosure. However, it was found to be liable on a vicarious basis as the employee was considered to be acting in the course of his employment when he made the disclosure. Fortunately for Morrisons, the Supreme Court overturned this decision.
The Supreme Court considered that the key question to establish vicarious liability is whether the disclosure of the data was so closely connected with acts that the employee was authorised to do that, for the purposes of the liability of the employer to third parties, the employee’s wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment. In this case the Court considered that the employee was not engaged in furthering the business of his employer when he committed the wrongdoing but rather was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment so as to establish vicarious liability.
This is a case under the Data Protection Act 1998 but it is expected that the same constraining principles will apply under the GDPR to establish vicarious liability in respect of processing by rogue employees. However, it is important to remember that where an employee is processing data on behalf of their employer, the employer is directly liable for any non-compliance with the data protection legislation. Employees should be trained on data protection and compliance monitored. An employer who fails to put in place appropriate security measures to guard against unlawful disclosure and/or data loss which causes or contributes to a disclosure will also be liable under the GDPR.

Conclusion

For breaches that affect a large number of individuals, compensation can be a significant potential liability. Whilst the Morrisons and Equifax cases demonstrate that there are some limitations on data protection compensation claims, there is still a mushrooming industry pursuing these claims on a “no win no fee” basis. We await with interest the future outcome of these compensation claims to give further guidance in this developing area.
If you require any further information or assistance please contact our specialist data protection team:

Amy Chandler, Partner, amy.chandler@pannonecorporate-com.stackstaging.com
Patricia Jones, Consultant, patricia.jones@pannonecorporate-com.stackstaging.com
Danielle Amor, Senior Associate, danielle.amor@pannonecorporate-com.stackstaging.com