Issue 57 January 2011
Technology Media and Telecommunication.
Data Protection and Freedom of Information
EU - Update to Data Protected
At the end of last year, we updated Data Protected, the most comprehensive
summary of European data protection laws.
The report contains a detailed overview of data protection legislation in each
EU Member State together with Russia, Switzerland and the European
Economic Area States of Iceland, Liechtenstein and Norway. For each of
these jurisdictions, the report contains:
> an analysis of what constitutes personal data;
> details of local processing requirements, including the formalities
necessary to obtain consent;
> an up to date review of sanctioning powers in these jurisdictions
together with details of how those powers have been exercised in
practice;
> an overview of restrictions on transborder dataflows;
> details on local notification requirements; and
> links to national regulators' websites and national legislation.
Access to Data Protected is free and available here.
Contents
Data Protection and Freedom of Information
EU - Update to Data Protected ....................... 1
EU – Data Protection in 2011 .............................. 2
Germany – Imprisonment for privacy breach ......... 4
Hong Kong – New restrictions on international transfers ... 5
Poland – Amendments to data privacy rules .......... 8
Sweden – Registration relaxed for whistle blowing hotlines .......... 10
UK – Google undertakings and future privacy regulation ........ 12
UK – Information Commissioner puts a price on security .......... 15
UK – Human rights and confidentiality obligations .................................... 20
UK – Information Commissioner steps up audit program .............. 22
Media and Telecoms
Sweden – The Pirate Bay convictions upheld ...... 25
Outsourcing
UK – Does failure to pay justify walking away? .. 27
UK – Update on endeavours clauses .... 30
EU – Data Protection in 2011
2011 is likely to be another important year for data protection and privacy
practitioners. The highlight is likely to be the European Commission's
continued work revising the data protection framework and, in particular, its
long-awaited redraft of the Data Protection Directive which is expected in the
middle of the year.
Let's hope it meets businesses' expectations by addressing the issues raised
by the current privacy framework in a sensible and pragmatic manner, i.e.
more harmony in the implementing laws of the Member States, technology
neutral provisions which can survive the fast changing technological
environment and the prioritisation of efficient privacy protection over
administrative red tape.
In a nutshell, my wish list includes:
> the adoption of legislation that ensures greater uniformity in the legal
regimes of the Member States. In this respect, serious consideration
should be given to the use of a Regulation rather than a Directive;
> an ex post regime for the protection of citizens' rights based on actual
harm rather than an administrative ex ante system with burdensome
notification and approval processes;
> greater emphasis on self-regulation as a means to respond to the fast
developing technological environment, recognising that the adoption of
new legislation takes time and the principles contained in legal
instruments should remain technology neutral to ensure their long-term
effectiveness;
> more clarity around the new and increasingly popular concepts of
“privacy by design”, “the right to be forgotten” and “data portability”. The
introduction of such concepts should be subject to an impact
assessment involving businesses and privacy associations to identify
realistic approaches in line with the rapid development of technologies;
> a more pragmatic approach to the interpretation and enforcement of
data protection legislation, for example with regard to key legal
definitions such as “personal data”, “data controller”, “data processor”
and “consent” and in relation to determination of applicable laws. A
sensible approach to these issues balancing the rights of citizens
against business needs is a critical issue for Europe's competitiveness
and the development of innovative services such as cloud computing
solutions; and
> an overhaul of the rules on transborder data flows, further simplifying
and broadening the use of binding corporate rules for multinationals
and enabling a similar regime for data processors and non-group
companies with a sufficiently close relationship. This should be
supplemented by a review of the current system for “white listing”
countries – a more flexible 'adequacy' approach should be available
tailored to specific circumstances and transfers rather than the review
of the legal data protection system of an entire country.
Looking beyond the borders of Europe, I would also like to see and actively
contribute to the promotion of a more global approach towards data and
privacy protection. It is time to foster a global framework made out of both
legislation and effective self-regulation encompassing the traditional
developed economies, such as the US and Japan, as well as fast growing
economies such as the BRIC countries. I would welcome the roots of a global
treaty being put in place during the current calendar year, combining the work
of organisations such as the OECD and the APEC, although I am conscious
that this will be a demanding and time-consuming effort.
This wish list is certainly not exhaustive but it provides an idea of what I
believe should lead the attention of regulators, legislators as well as legal
practitioners in 2011.
By Tanguy Van Overstraeten, Brussels
This article first appeared in the January 2011 edition of Data Protection Law
& Policy (www.e-comlaw.com/dplp/index.asp).
Germany – Imprisonment for privacy breach
A recent judgment by the German criminal courts demonstrates the
increasing importance of data privacy laws and the risk that serious breaches
of those laws will be severely punished.
Corporate investigations
The matter originated from an article in the German magazine Capital in early
2005. It reported on the medium-term planning of Deutsche Telekom AG in
remarkable detail. Deutsche Telekom was extremely annoyed about the
article and the apparent leakage of information from the organisation. Thus,
the former CEO of Deutsche Telekom, Kai-Uwe Ricke, asked the then head
of Deutsche Telekom's group security, Klaus Trzeschan, to identify the leak.
To conduct his investigation, Trzeschan collected and analysed the telephone
connection data of more than 40 journalists, unionists and supervisory board
members in 2005 and 2006. The purpose of this exercise was to find out who
contacted whom and to narrow down the range of potential suspects.
Furthermore, Trzeschan kept copies of connection data of five journalists, in
case further leakages occurred in the future.
Quis custodiet ipsos custodes?
When this investigation came to light, a criminal investigation was launched
into Trzeschan's conduct. This culminated in the Bonn Regional Court
sentencing Trzeschan to three and a half years' imprisonment on 30
November 2010.
The sentence was primarily imposed because Trzeschan's collection and use
of the telephone connection data of a number of journalists, unionists and
supervisory board members was a breach of telecommunications secrecy
legislation. However, the sentence also reflects three additional charges of
bad faith and fraud by Trzeschan against Deutsche Telekom.
The presiding judge of the Bonn Regional Court stated that Trzeschan had
tried to take the law into his own hands. Also, the Court considered that this
case of spying must be considered to be a particularly serious crime.
Trzeschan assumed sole responsibility for what had occurred during
proceedings and has lodged an appeal against the decision.
By Daniel Pauly and Carolin Reul, Frankfurt
Hong Kong – New restrictions on international transfers
The Privacy Commissioner has recently indicated that one of the strategic
goals for the Office of the Privacy Commissioner for Personal Data in the next
few years is to bring section 33 of the Personal Data (Privacy) Ordinance
(“PDPO”) into force as soon as possible. Section 33, which prohibits the
transfer of personal data outside Hong Kong unless one of a number of
conditions is met, has been part of the PDPO since it was enacted but has
never been brought into operation.
Organisations transferring personal data to jurisdictions outside Hong Kong,
should review their existing personal data arrangements to ensure that such
transfers will be lawful once section 33 comes into force.
What is section 33?
Section 33 of the PDPO applies to personal data which is collected, held,
processed or used in Hong Kong or is controlled by a data user whose
principal place of business is Hong Kong. It prohibits the transfer of personal
data outside Hong Kong unless at least one of the following conditions in
section 33(1) is met:
> the destination has been approved by the Office of the Privacy
Commissioner for Personal Data for the purposes of section 33;
> the data user has reasonable grounds for believing that there is in force
in that place "any law which is substantially similar to, or serves the
same purposes as" the PDPO;
> the individual has consented in writing to the transfer;
> the data user has reasonable grounds for believing that the transfer is
for the avoidance or mitigation of adverse action against the data
subject, that it is not practicable to obtain the data subject's consent,
and that if it were practicable, such consent would be given;
> the data are exempt from data protection principle 3 by virtue of an
exemption under "Part VIII – Exemptions" in the PDPO; or
> the data user has taken "all reasonable precautions and exercised all
due diligence to ensure" that the data will not in that place be collected,
held, processed or used in any manner that would constitute a
contravention of the PDPO if it occurred in Hong Kong.
However, despite having been on the statute books since 1995, section 33
has never come into force. This has meant that transfer of personal data to
entities outside of Hong Kong (such as servicing agents or other group
entities outside Hong Kong) is permissible provided that organisations have
complied with data protection principle 1 (collection of personal data) and
data protection principle 3 (use of personal data) and notified data subjects at
the time of collecting their personal data that such data may be transferred
out of Hong Kong for the purposes specified.
Typically organisations discharge this obligation by including a statement to
this effect in the Personal Information Collection Statement issued to
individuals before collecting the personal data from them. However, once
section 33 comes into force, mere notification will not be sufficient.
Why should you get ready for section 33?
Last year, the Privacy Commissioner published his "Strategic Plan for 2010 –
2014" in which he stated that:
“The [Office of the Privacy Commissioner for Personal Data] has commenced
preparatory works for the implementation of section 33 of the PDPO and will
make extra effort in working with the Administration with a view to putting it
into operation as soon as possible.”
While this does not provide any certainty as to the likely date on which
section 33 will come into force, it does suggest that section 33 is on the
Privacy Commissioner's agenda for the next three years and may well
commence operation within that timeframe.
How should you get ready for section 33?
Perhaps one of the easiest ways to ensure that personal data is lawfully
transferred outside Hong Kong is to obtain the written consent of the
individual to the transfer pursuant to section 33(1)(c). Accordingly,
organisations should look at the procedures they use to collect personal data
and try to obtain consent as part of that process.
Of course, obtaining the written consent of individuals is not the only way to
comply with section 33. One of the other ways, prescribed by section 33(1)(f),
is where organisations can show that they have taken "all reasonable
precautions and exercised all due diligence to ensure" that the data, once
transferred outside Hong Kong, will not be dealt with in a manner that would
constitute a contravention of the PDPO.
The Privacy Commissioner has stated in a Factsheet on section 33 that one
method for achieving this is for the parties to the transfer to enter into a
binding contract, or other acceptable agreement, applying the data protection
principles to the data upon its transfer to the place outside Hong Kong.
A "model contract" for the purpose has been provided by way of guidance.
The model contract includes, among other things, representations and
warranties by the transferring party that the data is lawfully transferred in
accordance with the data protection principles, and also by the receiving party
that the data is and will be dealt with in accordance with the data protection
principles. It also requires the receiving party to indemnify the transferring
party in respect of any breach, fault or negligence arising from the contract
and to destroy the data on termination of the contract.
Where organisations are transferring personal data to jurisdictions such as
Europe which already have comprehensive data protection laws, putting in
place such a contract is unlikely to be difficult since entities in those
jurisdictions are already required to comply with similar (if not more onerous)
requirements to those imposed by the PDPO. Moreover, it is reasonable to
expect that the Privacy Commissioner will include such countries in any future
“white list” issued under section 33(1)(a) (in which case there would be no
need for the contractual arrangement to be implemented as well).
Other transfers
However, as the Privacy Commissioner notes in his Strategic Plan, there is
an increasing trend for organisations to outsource personal data processing
to servicing agents in jurisdictions which do not have legislation in place for
the protection of personal data privacy. It is therefore important for
organisations to review their existing contractual arrangements with such
entities and consider whether more robust requirements around the handling
of that data need to be introduced.
By Rowan McKenzie and Prue Bindon, Hong Kong
Poland – Amendments to data privacy rules
The long-awaited amendment to the Polish Data Protection Act (the “DPA”)
will enter into force at the beginning of March 2011.
The amendments are intended to clarify sections of the DPA and make it
more effective. In pursuit of the second aim, there are a number of
amendments relating to the status and powers of the Polish data protection
authority, the Inspector General for the Protection of Personal Data (the
“GIODO”), though it will only receive limited powers to impose fines.
Nevertheless, work on the next round of amendments to the DPA has already
begun and should contain new fining powers as well as covering other issues
such as data protection in the web community.
Clarifications to the DPA
The amendments resolve the previous ambiguity about the withdrawal of
consent by including a provision stating that consent can be withdrawn at any
time. There are no transitional or “grandfathering” provisions, so it should be
assumed that this right of withdrawal also applies to consents given before
the amendments came into force. Any such recall of consent should not,
however, prevent the processing of personal data where the controller can
rely on another legal ground to legitimise that processing.
The obligation to respond to subject access requests has also been
amended. The previous provisions in the DPA could be interpreted as only
obliging the data controller to provide the information specifically listed in the
provision. The new amendments make it clear that a data subject is entitled
(to the extent limited by law) to full details of all processing carried out by a
data controller.
The amendments have also limited the situations in which personal data can
be disclosed to third parties. Prior to the amendment, anyone could obtain
personal data about an individual (other than sensitive personal data)
provided that they had good reason and disclosure would not infringe any
rights and freedoms of their subject. For example, this was used by attorneys
to request personal details of their clients' opponents. However, this provision
has been deleted and such requests are now subject to the general regime of
data processing. Those requesting personal data will have to show there is an
appropriate legal justification under the DPA rather than just trying to convince
the data controller they need to obtain that personal data.
Finally, the registration provisions of the DPA have also been amended. Once
the amendments are passed, a data controller will only be allowed to expand
its processing activity to include the processing of sensitive data with the prior
approval of GIODO. Mere notification of such amendment to GIODO will no
longer be sufficient.
The status and powers of GIODO
The amendments still do not give GIODO the power to issue financial fines
directly for breaches of the DPA. However, GIODO will have the power to
impose fines where it has issued a decision to a data controller and the data
controller has subsequently failed to comply with it.
For the purposes of improving the protection of personal data, GIODO will
have the power to issue pronouncements regarding data processing by
particular entities. Those pronouncements should have the value of a
recommendation, and failure to observe them may have negative
consequences in case of a subsequent GIODO inspection.
An additional criminal sanction has been introduced. This will make it an
offence to prevent or obstruct an inspection by GIODO's inspectors. It is
punishable by a fine, restriction of liberty, or imprisonment for up to two years.
Criticism of the amendments
Many of these amendments have been criticised by legal commentators in
Poland who insist that financial sanctions should be introduced, rather than
criminal ones, to ensure the proper enforcement of the DPA. There are also
calls for greater recognition of administrators of information security. Some
commentators have argued that a data controller should not be subject to
official inspections by GIODO or formal registration obligations under the DPA
where it has employed a professional administrator of information security.
However, such changes will have to wait for further amendments to the DPA.
By Ewa Kurowska-Tober and Gabriela Trębicka, Warsaw
Sweden – Registration relaxed for whistle blowing hotlines
The Data Inspection Board (Sw. Datainspektionen) has issued a new
regulation which, from 1 November 2010, allows companies to implement
some whistle blowing hotlines without the need to obtain an exemption from
the Data Inspection Board.
Background
In Sweden, processing of personal data concerning legal offences involving
crime, judgments in criminal cases, coercive penal procedural measures or
administrative deprivation of liberty is, as a general rule, prohibited unless the
data controller is a public authority. The Data Inspection Board and the
Swedish Government may, however, grant exemptions from this prohibition in
an individual case or through general regulations.
Since 2008 a large number of companies have applied for, and have been
granted, specific exemptions for their whistle blowing hotlines. To simplify the
administrative process and, at the same time, ensure that the requirements to
protect personal integrity are maintained, the Data Inspection Board has now
issued a new regulation which, under certain circumstances, enables a
whistle blowing hotline to be set up without a specific application and decision
from the Data Inspection Board.
Scope of permitted hotlines
The new regulation relieves companies that wish to process personal data in
a whistle-blowing hotline of the obligation to apply for an exemption from the
Data Inspection Board. It does not, however, change any of the requirements
on how companies handle and process personal data held in such systems.
The regulation contains the same requirements for such hotlines that the
Data Inspection Board previously set out in the individual decisions of
exemption.
According to the regulation and the Data Inspection Board's guidance to the
regulation:
> the personal data processed in such a system can only relate to persons
in key or management positions within the company or group of
companies;
> there must be an adequate and objective justification to set up such a
hotline, rather than using the company's normal information and
reporting channels;
> the hotline must be limited to reports that there have been serious
abuses relating to accounting, internal audits, audits, bribery, offences
within the banking and insurance sector or other serious abuses
regarding the vital interests of the organisation or the life and health of
individuals. Other serious abuses could, for example, be serious
environmental crimes, serious deficiencies with regard to security at
the workplace and very serious forms of discrimination and
harassment; and
> the system must complement the company's normal administrative
routines and it must be voluntary to use.
In addition to these specific requirements, the provisions in the Personal Data
Act (Sw. personuppgiftslag (1998:204)) must be complied with when
processing personal data in a whistle-blowing system.
If a company wishes to process personal data relating to crime in a way that
does not fulfil the general requirements set up by the Personal Data Act and
the Data Inspection Board, a specific exemption must be applied for from the
Data Inspection Board.
By Emma Linnér, Stockholm
UK – Google undertakings and future privacy regulation
In November 2010, Google signed wide-ranging undertakings agreeing to
significantly improve its privacy compliance with a particular emphasis on
policies, training and privacy by design. It will need to report to the
Information Commissioner on its progress and submit to a consensual audit
covering both its UK and US offices.
These undertakings arise out of Google's Street View cars' collection of Wi-Fi
payload data. No doubt Google will now be hoping to draw a line under this
matter in the UK. However, the incident demonstrates an increasing focus on
structural, rather than behavioural, compliance which is likely to feature in
both future enforcement action and amendments to the Data Protection
Directive itself.
Google Street View
Google Street View is an augmentation to Google's online mapping service
that provides a street-level view of some parts of its map. It was created by
sending cars to photograph cities around the world with 360-degree cameras
strapped to the roof. Despite the fact that the cars are simply photographing
public scenes on public roads, the service has been highly controversial.
Google has had to make a number of amendments to this service following
incidents in which people were caught sunbathing, leaving adult
establishments or burgling premises.
Of much greater concern was the news in May that the Google Street View
cars were also collecting data from open Wi-Fi networks in over 30 countries
for a period of three years. Google had only intended to collect the network
addresses of the Wi-Fi routers to provide a location-mapping service.
However, following an audit request by the German data protection
authorities, Google discovered that it had been collecting the actual data sent
over unencrypted Wi-Fi networks – i.e. the contents of those transmissions.
Investigation by the Information Commissioner
The Information Commissioner sent two senior members of staff to Google's
UK premises to investigate. On the basis of their investigation and
discussions with Google, they concluded that the Wi-Fi data was fragmentary
and would not identify any individual.
Accordingly, the Information Commissioner decided not to take any formal
action. There may well have been a dose of pragmatism in this decision but it
also reflects the limits on his powers. If the data does not identify any
individual, it is not personal data and Google's actions are not subject to the
Data Protection Act 1998. Equally, while it is likely this interception of
communications was a criminal offence under the Regulation of Investigatory
Powers Act 2000, the Information Commissioner has no powers to enforce
this legislation. It instead falls to the police and it is notable that the
Metropolitan Police have decided not to pursue a criminal prosecution.
The Information Commissioner's position has, however, been subject to
criticism from a number of privacy bodies. These criticisms were heightened
when a Google blog on 22 October 2010 revealed that “in some instances,
entire agreements and URLs were captured, as well as passwords”. This led
to a Commons Debate on 28 October 2010 in which a number of MPs were
strongly critical of the Information Commissioner.
Undertakings with teeth
This rapidly led to the Information Commissioner re-opening his investigation
and, within a matter of days, publicly stating that he was seeking
undertakings from Google and would serve an Enforcement Notice if Google
did not agree to them. This is unusual, as normally the Information
Commissioner only publicises undertakings after they have actually been
agreed to. The undertakings required Google to:
> continue and update employee orientation programmes on Google's
privacy principles;
> train Google employees on its code of conduct including sections on
privacy;
> enhance the core training for engineers and other important groups
with a particular focus on the responsible collection, use and handling
of data;
> institute a security awareness programme for Google employees;
> require engineering project leaders to maintain a privacy design
document for each initiative they are working on which involves the
processing of significant user data. Such a document should record how
such user data is handled and be reviewed regularly by managers;
> delete UK payload data when Google has no other outstanding legal
obligation to retain such data; and
> within nine months facilitate a consensual audit by the Information
Commissioner.
These undertakings are very extensive and, arguably, go far beyond the sorts
of obligations that could be imposed under an Enforcement Notice by
applying to Google's operations generally rather than just those activities
responsible for the original breach. This approach could also breathe new life
into the use of undertakings which have traditionally relied on naming and
shaming an organisation but have now largely lost their sting due to the
frequency with which they are issued. It will be interesting to see if future
undertakings are similarly onerous.
In any event Google agreed to these undertakings on Friday 19 November
2010. It will now be audited by the Information Commissioner.
Audit by the Information Commissioner
The audit right is the most striking part of the undertakings and underscores
their breadth. It will take place in two phases. Firstly, Google must, itself,
prepare a written privacy report covering:
> Internal Privacy Structure – Google must provide the Information
Commissioner with details regarding the development of its new
Privacy Team led by Dr Alma Whitten, other privacy-focused teams,
and their initiatives within Google. It must also analyse cross-functional
privacy efforts across engineering, product management, compliance
and internal audit functions.
> Privacy Training & Awareness – Google must provide an overview of its
revamped privacy training and awareness efforts including summaries
of the substance of training and awareness initiatives provided to
Google employees, engineers and product managers, as well as
employees in the legal, sales, and human resources departments.
> Privacy Reviews – Google must assess its privacy reviews for its
products including a discussion of the implementation of Privacy
Design Documents, and analyse related processes including code
audits undertaken against these documents. The Privacy Report must
also provide the Information Commissioner with an overview of reviews
such as Google's annual Safe Harbor certification.
This will effectively transfer much of the burden of the audit to Google. The
review will also need to be conducted carefully and methodically as once it is
complete the Information Commissioner will be entitled to validate the privacy
report's accuracy and findings via an in-person review. This review will not be
limited to the UK and the Information Commissioner has specifically reserved
the right to conduct part of this exercise at Google's US headquarters.
The future of enforcement, the future of privacy
The Information Commissioner's enforcement action shows a clear direction of
travel from behavioural to structural compliance. It will be very interesting to
see if future undertakings contain similarly extensive obligations and how the
Information Commissioner uses undertakings in the future now he also has
the power to issue monetary penalty notices.
This also reflects the wider debate about the future of data privacy. The
European Commission's recent communication on the Data Protection
Directive contains similar structural compliance themes such as the
appointment of data privacy officers, accountability and privacy by design,
many of which have gained significant support and are likely to feature in
future amendments to the Directive.
The Google undertakings are available here.
By Marly Didizian, Richard Cumbley and Julian Cunningham-Day, London
UK – Information Commissioner puts a price on security
In November 2010, the UK Information Commissioner issued his first
administrative fines under the Data Protection Act 1998. Hertfordshire County
Council received a monetary penalty notice of £100,000 for faxing highly
sensitive information to the wrong recipients on two occasions and
employment services company A4e received a monetary penalty notice of
£60,000 following the theft of an unencrypted laptop containing personal
information about 24,000 people.
While the Act imposes a range of obligations, it is no surprise that the first
monetary penalty notices are for security breaches. Neither of these breaches
is particularly unusual, and given that similar breaches still take place on a
regular basis, further fines are likely.
Background
In April this year, the Information Commissioner was given the power to issue
administrative fines, “monetary penalty notices”, of up to £500,000 if:
> there is a serious contravention of the data protection principles;
> the contravention is of a kind likely to cause substantial damage or
distress; and
> the contravention was deliberate or reckless (recklessness in the sense
that the data controller knew or ought to have known there was a risk
of contravention likely to cause substantial damage or distress but
failed to take reasonable steps to prevent it).
While fines have previously been available for breach of the Act via the
courts, this is a significant extension to the Information Commissioner's
powers. First, there is no initial “yellow card” for data controllers. Under the
old regime, fines were only available for breach of the data protection
principles if the Information Commissioner first issued an Enforcement Notice
and the data controller subsequently breached it. Second, based on these
first monetary penalty notices, the level of fines are higher. The Information
Commissioner has criticised the “pathetic fines” for previous breaches of the
Act imposed via the courts.
A4e – Theft of an unencrypted laptop
The first monetary penalty notice was issued against A4e, a company
contracted by the Legal Services Commission to operate Community Legal
Advice Centres in Hull and Leicester. It employs approximately 3,250 staff of
which around 1,000 work remotely.
One of these home workers was burgled in mid-June and the laptop used by
that worker was stolen. It contained information about 24,000 clients of A4e
including their name, postcode and date of birth as well as sensitive personal
data such as information about ethnicity or disability status. While A4e had
started to roll out encryption earlier this year, this particular laptop was still
unencrypted. Moreover, while A4e's policies required employees to access
data on a central secure network via a secure link, the Information
Commissioner found that A4e were aware that employees were not using this
technology and were instead storing data locally on their laptops.
The Information Commissioner decided that a monetary penalty notice was
available for this breach as:
> the failure to encrypt the laptop was a serious breach of the seventh
data protection principle which requires appropriate technical and
organisational steps to protect personal data;
> it could lead to substantial distress to individuals due to the risk of their
information being disclosed to third parties. In particular, 15 individuals
complained directly to the Information Commissioner and 3,200 rang a
help line set up by A4e. Distress was likely even though there is no
evidence that the data has actually been misused; and
> A4e knew or ought to have known there was a risk of a breach, given
that its employees were holding substantial amounts of information
locally on their laptops, but failed to protect that data through
encryption.
In setting the level of the monetary penalty notice at £60,000, the Information
Commissioner was mindful of the facts above but also a number of mitigating
factors such as the prompt action by A4e in response to the breach, the fact
A4e voluntarily reported the breach to the Information Commissioner, was
fully co-operative during the investigation and has subsequently applied
encryption to the whole of its laptop estate.
Hertfordshire County Council – Mis-directed faxes
The second monetary penalty notice arose when Hertfordshire County
Council faxed highly confidential information relating to a child sex abuse
case to the wrong recipient on 11 June 2010. The person sending the fax did
not use a pre-programmed auto dial button to send the fax and instead mis-
typed the fax number manually. They also failed to attach a fax cover sheet
with appropriate protective markings, indicating that the information was
confidential and what to do if the fax was sent to the wrong number.
The council obtained a High Court injunction against the recipient requiring
them to destroy the data and informed the Information Commissioner. The
council made a number of improvements to its processes including making
encrypted email the default for sending confidential information and only
allowing sensitive information to be faxed with the consent of a senior
member of the legal team.
When the council met with the Information Commissioner on 24 June 2010
they were reluctant to implement further measures such as a “ring ahead”
system. However, on that same day a council employee sent another highly
sensitive fax to a barristers' chambers rather than Watford County Court,
again as a result of manually typing the fax number rather than using the auto
dial functionality.
The Information Commissioner decided that a monetary penalty notice should
be issued for these breaches as:
> the failure to adopt the “ring ahead” procedure advocated by the
Information Commissioner was a serious breach of the seventh data
protection principle. There is always a risk that manually typed fax
numbers might be entered incorrectly and the council did not have the
right processes in place to manage this risk;
> it could lead to substantial distress to individuals, particularly given the
nature of the information. This is the case even though only 57
individuals were affected and it seems very unlikely that the information
would be misused in this case; and
> the council was aware of the risks and ought to have taken more steps
to protect this information given its highly sensitive nature.
In setting the level of the monetary penalty notice at £100,000, the
Information Commissioner focused on the fact there were two repeated
breaches and that the information was highly sensitive. Interestingly, another
aggravating factor was the: “Potential for media coverage relating to these
security breaches to cause data subjects further distress” – i.e. the press
coverage caused by the Information Commissioner's decision to take
enforcement action was itself an aggravating factor. In mitigation, the council
voluntarily reported the breach to the Information Commissioner, was fully
co-operative during the investigation and has now implemented a "ring ahead"
procedure.
How to avoid a fine
Data security has been an enforcement priority for the Information
Commissioner over the last few years so it is no surprise that the first
monetary penalty notices are for security breaches nor are these particular
security breaches that unusual. To avoid being a recipient of a similar fine in
the future, organisations should all look closely at their data security
measures with a particular focus on the following areas:
> encryption of mobile devices including laptops, USB sticks and back up
tapes. The monetary penalty notice issued to A4e is a good example of
the need to apply such measures, as is the FSA's £2.3 million fine of
Zurich for loss of unencrypted back up tapes in August 2010. The
Information Commissioner has been consistent in his guidance on this
point for a number of years and organisations that have failed to heed
this guidance unquestionably expose themselves to fines if data loss
results;
> secure disposal of information. Insecure disposal of electronic and
manual records is another area in which the Information Commissioner
has taken a consistently hard line. One recent example is Healthcare
Locums Plc which had to give the Information Commissioner
undertakings in October 2010 after a hard drive containing doctors'
security clearance and visa information had been sold on an auction
website;
> avoiding mis-directed electronic communications. The monetary
penalty notice issued to Hertfordshire County Council is one example
as are the undertakings given by the Lord Chief Justice of Northern
Ireland in October 2010 following the inappropriate disclosure of
personal data in an email from his office earlier this year. While
occasional mis-typed faxes or email addresses are unavoidable, the
Information Commissioner expects appropriate process and
procedures to be in place to minimise the risk of such an event
occurring and to mitigate any subsequent damage;
> proper access controls to information. For example, in November 2010
the Independent Parliamentary Standards Authority gave undertakings
after an internal database was left insecure for a period of some 21
hours following IT maintenance. The insecurity resulted in the potential
compromise of personal data relating to 332 Members of Parliament;
and
> putting proper contractual arrangements in place with data processors
including appropriate data protection and data security obligations.
The examples above demonstrate that security breaches are still occurring on
a regular basis. Many of the undertakings set out above related to breaches
that occurred prior to April 2010 so monetary penalty notices were not
available. However, similar breaches may well lead to further monetary
penalty notices in the future.
Voluntary notification
There is no legal obligation to notify the Information Commissioner of any
security breach (though a limited duty will apply to telecoms operators from
May 2011) and these monetary penalty notices highlight the risks of voluntary
notification. In particular, it is clear that the Information Commissioner may
still take action even if there is no evidence that the lost data is being
misused, the breach is the result of employees failing to follow company
policies and guidelines (especially if the company is aware those policies are
not being followed) or a limited number of people were involved.
However, in this particular case, there may have been little choice. Not only
did the unintended recipient of the council's fax decide to report the matter
to the Information Commissioner, but A4e's decision to inform the affected
individuals meant it inevitably had to inform the Information Commissioner, as
evidenced by the fact that 15 of those individuals subsequently made direct
complaints to the Information Commissioner.
A benchmark for future fines
The level of these initial monetary penalty notices is also interesting and, as
set out in the notices, is “likely to set a precedent by which future notices will
be judged”. The Information Commissioner previously indicated that fines are
likely to be towards the upper end of the spectrum given that matters would
need to be quite serious in order to justify a monetary penalty notice in the
first place.
However, both fines are more moderate and towards the lower end of the
spectrum. This may be influenced by the mitigating factors present in both
cases such as voluntary reporting of the breach to the Information
Commissioner and the provision of full co-operation in the subsequent
investigation. In addition, both breaches seem to have caused little actual
harm to individuals. If they had, the level of fines would have been much
higher. In addition, both the council and A4e will benefit from a 20 per cent
discount if they make early payment.
Conclusions
The fines start to put a price on data security. When the additional costs of
investigating and rectifying a breach are added in, together with the
associated reputational damage, it provides a powerful argument to take
information security seriously.
By Julian Cunningham-Day and Georgina Kon, London
This article first appeared in the December 2010 edition of World Data
Protection Report (www.bna.com/products/corplaw/wdpn.htm).
UK – Human rights and confidentiality obligations
The Court of Appeal's decision in Veolia v Nottinghamshire County Council
[2010] EWCA Civ 1214 highlights the effect of the European Convention on
Human Rights on confidentiality obligations. The court decided that a
statutory obligation to disclose information should be “read down” so as to
restrict access to confidential information. This approach has now been
adopted in other cases, such as Staffordshire County Council v Information
Commissioner EA/2010/0015, in which the Information Tribunal also “read
down” obligations to disclose information under the Environmental
Information Regulations 2004.
Confidentiality as a human right
Veolia had a contract with Nottinghamshire County Council under which it
provided waste management services. A local resident made a request to
inspect and make copies of that contract. He did so exercising powers under
section 15(1) of the Audit Commission Act 1998 which provides that:
“At each audit under this Act…any persons interested may ... inspect
the accounts to be audited and all books, deeds, contracts, bills,
vouchers and receipts relating to them”
This provision was followed by an express carve-out limiting any disclosure of
personal data. The High Court decided that this entitled the local resident to a
copy of the waste management contract regardless of the fact that it
contained confidential information.
However, this decision was overturned by the Court of Appeal at the end of
2010. The disclosure of the confidential contract would infringe Veolia's rights
under Article 1 of the first protocol (protection of right to property) and,
potentially, Article 8 (right to respect for private and family life) of the
European Convention on Human Rights. Accordingly, section 15(1) should be
“read down” to limit access to such information. This does not provide an
absolute bar to the release of confidential information but rather, under the
general principles of the European Convention of Human Rights, requires a
“fact-sensitive and nuanced approach … in which the private and public
interests involved have to be balanced in the interests of proportionality” to
determine if such information should be released.
The decision makes the Audit Commission Act 1998 a much less attractive
means to obtain information from public authorities. The Act might provide
access to information in cases where other freedom of information legislation
does not (as the test under the Act is a balance between private and public
interests, rather than competing public interests), but it is relatively unlikely
this would make a real difference in practice, and any such advantage is largely
outweighed by the restrictions in the Act on who can access information and
when, and by the lack of a proper dispute resolution process if access to
information is denied.
Environmental information regulations
The Court of Appeal's decision has already started to influence other
decisions. For example, in Staffordshire the Information Tribunal had to
consider a request for information on sales and permitted reserves of silica
sands at Moneystone Quarry in Staffordshire. The Information Tribunal
decided this request should be dealt with under the Environmental
Information Regulations 2004 and concluded it was exempt as the
information was supplied on a voluntary basis and was subject to a duty of
confidence which protected a legitimate economic interest (reg. 12(5)(e)&(f)).
However, in doing so, it made a number of statements of wider relevance:
> the disclosure of confidential information by a public body engages
ECHR rights and any statutory information access rights must be read
down to give effect to those rights;
> in this case the Regulations contain a statutory presumption in favour
of disclosing information (reg. 12(2)). Following Veolia, this
presumption should not be applied to confidential information; and
> where confidential information is held by a public authority, there is a
“strong public interest” in maintaining that confidence.
This represents a significant shift in the interpretation of the Environmental
Information Regulations 2004 and may make it more difficult to obtain
confidential environmental information in the future.
Freedom of information
Similar changes may occur in the interpretation of the Freedom of Information
Act 2000. For example, information is exempt from disclosure if it was
provided by a third party and its disclosure would be an actionable breach of
confidence (section 41). This has been interpreted restrictively in the past and
does not exempt:
> contracts concluded with a public authority on the basis that the
information has not been obtained from a third party and is, instead, a
jointly created work; and
> information where the public authority has a “public interest defence”
justifying disclosure of that information. This public interest defence is
not the same as the liberal public interest test in the Act itself but early
cases have stated “this difference will rarely affect the outcome of a
case, as it is unlikely that the relevant factors will be so finely balanced”
(Derry City Council v Information Commissioner EA/2006/0014).
Both conclusions could be vulnerable in light of Veolia. Similarly, many
exemptions under the Act are subject to an additional public interest test. It
may be easier now to show this favours withholding confidential information,
though the Information Tribunal's (unpublished) decision in Nottinghamshire
CC v Information Commissioner (EA/2010/0142) is said to suggest that Veolia
adds little to the existing public interest balancing exercise.
Veolia v Nottinghamshire County Council [2010] EWCA Civ 1214 is here
Staffordshire County Council v Information Commissioner & Sibleco
EA/2010/0015 is available here
By Peter Church, London
UK – Information Commissioner steps up audit program
In December 2010, the Information Commissioner expanded the scope of his
consensual assessment program approaching 60 organisations, 55 from the
private sector, asking if they were interested in participating in such an
assessment. This article considers the background to the assessment
program and the factors to consider if you receive such a request.
Assessment process
The Information Commissioner may, with the consent of a data controller,
carry out an assessment of its data processing to determine if the data
controller is following good practice. The result of that assessment will be
shared with the data controller and, with the data controller's consent, an
executive summary will be published on the Information Commissioner's
website. More information about the Information Commissioner's approach is
set out in the Assessment Notices Code of Practice (see Appendix A).
If the data controller is a government department, the Information
Commissioner can also insist on a compulsory audit through the service of an
Assessment Notice.
Use of these powers
The table at the bottom of this article provides a breakdown of the data
controllers approached by the Information Commissioner since he started this
consensual assessment program in May 2010. The information reveals a
number of interesting facts:
> there was a significant increase in the number of organisations
approached in December 2010, more than twice as many as in all the
previous months put together;
> the program has now been extended to include private sector entities,
as evidenced by the significant number of financial firms, retailers etc
approached in December; and
> the take up was very high until December. The drop off in acceptances
in December is partly because these organisations were only
approached recently and are no doubt still considering this
opportunity/sorting through their Christmas post. However, the large
number of private sector entities approached in December is also likely
to be a factor.
It is also useful to look at the assessments completed to date. In particular,
the following organisations have now been through the assessment process:
The Law Society, HMRC, the MoD, DEFRA, Trafford House Trust, Hidden
Hearing, PHSO, Shropshire Council, UKBA, North Devonshire NHS Trust,
NHS 24 and Cornwall Council. All but three of these organisations agreed to
the publication of an executive summary of the outcome of that assessment.
Would you agree to an assessment?
The instinctive reaction of many organisations will be to avoid an assessment
– particularly those in the private sector where the Information Commissioner
cannot fall back on a compulsory audit power. However, agreeing to an audit
may provide a number of benefits including:
> the opportunity to build a relationship with the Information
Commissioner;
> an executive summary of the consensual audit will only be disclosed
with consent – though withholding the summary may well raise
questions; and
> a monetary penalty notice cannot be served as a result of matters
discovered in that audit. Other enforcement actions may in theory be
taken by the Information Commissioner, but this would appear to go
against the spirit of the audit, which the Information Commissioner sees
as a "constructive process".
There are also longer term issues to consider. The European Commission
has challenged the Information Commissioner's inability to carry out a
compulsory audit on all data controllers. This may well result in the
compulsory audit powers being extended to the private sector entities in due
course, which would make it impossible to avoid an audit.
Refusing an assessment may also influence future enforcement decisions by
the Information Commissioner. If a breach occurs the Information
Commissioner may well have this factor in mind when deciding whether to
resolve the matter informally, seek undertakings, or issue an Enforcement
Notice or a monetary penalty notice. If the Information Commissioner does
seek undertakings he might also use that as an opportunity to lever in an
audit right to ensure he is able to conduct an assessment. For example, the
recent Google undertakings contained extensive audit rights for the
Information Commissioner (see TMT News, January 2011: Google
undertakings point to the future of privacy regulation).
Notwithstanding these considerations, it seems likely many private sector
entities targeted in December will be unwilling to voluntarily agree to an
assessment and the additional regulatory scrutiny this entails.
Details of previous assessments conducted by the Information Commissioner
are available here.
By Matthew Hunter, London
Consensual assessments by month (2010): organisations contacted and accepted, with sectoral breakdown

Month | Contacted | Sectoral breakdown (contacted) | Accepted | Sectoral breakdown (accepted)
June | 1 | Local government (1) | 1 | Local government (1)
July | 3 | Local government (1), NHS (1), Devolved government department (1) | 3 | Local government (1), NHS (1), Devolved government department (1)
Aug | 3 | Local government (1), NHS (2) | 3 | Local government (1), NHS (2)
Sept | 1 | Government department (1) | 1 | Government department (1)
Oct | 5 | Charity (1), Local government (2), Probation service (1), NHS (1) | 5 | Charity (1), Local government (2), Probation service (1), NHS (1)
Nov | 13 | Government department (9), NHS (4) | 12 | Government department (8), NHS (4)
Dec | 60 | Finance companies (25), Retail companies (9), Communications companies (10), Debt collection companies (7), Police forces (3), Marketing companies (3), Utility company (1), Local government (1), Independent regulator (1) | 6 | Finance companies (4), Police forces (2)
Media and Telecoms
Sweden – The Pirate Bay convictions upheld
In November 2010, the Court of Appeal upheld the earlier conviction of three
members of the torrent tracking website, The Pirate Bay. It reduced the term
of imprisonment imposed on those defendants for breaches of criminal law,
whilst increasing the civil damages payable to the relevant rights holders. All
three defendants have appealed to the Supreme Court. A fourth defendant,
who helped to operate the site, was not present at the time due to medical
reasons and will be tried at a future date.
Initial judgment
In April 2009, in a joint criminal and civil case, the three operators of the site
and their one investor were found guilty of being complicit in criminal
breaches of copyright law by the District Court of Stockholm. The four
defendants were each sentenced to one year in prison and were together
held liable to pay damages of approximately SEK 32 million. The criminal
charges were supported by a consortium of intellectual property rights
holders, including the International Federation of the Phonographic Industry,
Warner Bros. Entertainment, Metro-Goldwyn-Mayer Pictures, Columbia
Pictures Industries and Twentieth Century Fox Film.
The three defendants appealed to the Court of Appeal, which had to consider
both the criminal and civil elements of the judgment.
Criminal breaches of copyright law
The torrent files in The Pirate Bay's database allow other internet users to
locate and download information, including copyright material. Making
materials protected by copyright available in such a way, even indirectly, is
still classified as making that work available to the public according to the
Copyright Law (Sw: lag (1960:729) om upphovsrätt till litterära och
konstnärliga verk) and can be a criminal offence. According to the Court of
Appeal, it is clear that no consent had been given to the transfer by the
copyright owners and it is therefore not permitted.
The Court of Appeal also decided that such offences were subject to the
jurisdiction of the Swedish courts as a substantial component of the principal
criminal acts – i.e. storing the torrent files in The Pirate Bay's database – took
place on The Pirate Bay's servers in Sweden. Thus the principal criminal acts
were considered to have been performed in Sweden, meaning Swedish law is
applicable and the Swedish courts competent.
Complicity with the criminal offences
While provision of the torrents is an offence, those torrents were not actually
uploaded by the defendants and instead uploaded by unknown third parties
who used the site. Accordingly, the defendants were not directly liable for
these activities.
However, the Court of Appeal upheld the District Court's findings that The
Pirate Bay's website – by its search functions, the possibilities it offered to
upload and store torrent files and tracker function, which brings together
individual file sharers – comprises a service which facilitated the principal
criminal acts, even though these acts might have been committed in other
ways. Accordingly, the three defendants who ran the website were providing
a service promoting the principal criminal act and were complicit in those
crimes. The complicit act of the investor consists of providing computers,
broadband services and computer storage.
Reduction in sentences
Contrary to the District Court, the Court of Appeal decided that the actions of
the defendants could not be assessed collectively by reference to all of the
activities of The Pirate Bay. Instead, the Court of Appeal made a more
individualised assessment of the acts performed, holding each defendant
criminally liable only for the acts he himself performed. Since some of the
alleged acts have not been proven and others are not considered criminal,
the sentences for three of the defendants were reduced by the Court of
Appeal from one year of imprisonment to ten and eight months, respectively,
for the two operators and four months for the investor. The sentences for the
two operators also reflected the fact that The Pirate Bay operates as a
commercial and organised business.
Increase in civil damages
Despite the reduced sentences for the defendants, the total liability for
damages awarded to the rightsholders was, however, increased from
approximately SEK 32 million to around SEK 46 million. Contrary to the
District Court, the Court of Appeal did not think it reasonable to reduce the
damages for copies of the copyright works made outside Sweden.
The Court of Appeal further stated that the defendants have jointly caused the
losses and shall therefore be joint and severally liable for the losses to the
rightsholders.
By Emma Linnér and Christoffer Lööw, Stockholm
Outsourcing
UK – Does failure to pay justify walking away?
In December 2010, the Technology and Construction Court considered the
fallout from a failed software development project which culminated in the
supplier, Atos Origin, suspending work. After a long and detailed review of the
background to the project, Edwards-Stuart J decided that the customer, De
Beers, was in breach of contract, including by failing to make a milestone
payment, but these breaches did not justify Atos suspending work. Moreover,
by suspending work, Atos had repudiated the development contract. This
article considers the reasons for the judge's conclusions and the lessons to
be learnt from the case.
A supply chain management system
De Beers needed an improved IT software system for use in relation to its
diamond aggregation processes (the sorting and mixing of diamonds
according to value), the operation of which was to be moved from the UK to
Botswana. De Beers' business requirements were complex and bespoke to its
business as a major diamond trading company.
After a tender process, De Beers decided to engage Atos Origin and
commissioned it to undertake an initiation and analysis project to investigate
De Beers' requirements in order to establish the scope and cost of the
project. This analysis phase was completed by November 2007 and Atos was
awarded a £2.9 million contract to develop the new system for De Beers.
Completion of the project was initially scheduled for June 2008.
Although the contract had been preceded by an initiation and analysis period,
Atos had not fully grasped the complexity of De Beers' requirements and so
the contract shortly fell behind schedule. By the end of March 2008 Atos
informed De Beers that the completed software system would not be
delivered before October 2008. The parties agreed a revised programme but
De Beers refused to make a significant milestone payment to Atos as a result
of its dissatisfaction with the schedule and quality of Atos' work.
Unfruitful discussions between the parties took place and Atos warned De
Beers that unless it renegotiated the terms of the contract, changed the
payment terms and waived all claims against Atos relating to the project, Atos
would suspend work. De Beers refused and Atos suspended work on the
project in June 2008. The work was never resumed and the contract came to
an end.
Repudiation of the contract
Both parties alleged that this was a result of repudiation by the other. Atos
argued that De Beers had failed to pay the milestone payment and failed to
provide adequate co-operation. In contrast, De Beers argued that Atos had no
right to suspend work.
The judge decided that a repudiatory breach “must go to the root of the
contract”, with the party in breach showing “an intention to abandon and
altogether refuse performance of the contract” (The Nanfri [1979] AC 757).
With this test in mind he carried out the unenviable task of sorting through the
background to determine who was right.
Alleged repudiation by De Beers
The most obvious basis for a repudiation by De Beers was the failure to pay
the milestone payment. The judge considered that this was not a repudiatory
breach as De Beers never evinced an intention not to be bound by the
contract. In contrast, it was a material breach and Atos could have terminated
the contract using the contractual termination provisions by providing a 30
day notice and remedy period. However, Atos never served such a notice.
Atos also argued that De Beers' failure to co-operate was a repudiation of the
development contract. For example, Atos alleged that De Beers:
> failed to manage its side of the project;
> failed to adequately describe its business requirements and provide
internal resources to assist Atos;
> delayed providing technical documentation regarding its legacy
systems; and
> provided business processes information during the initiation and
analysis phase that was incomplete or lacked sufficient detail. (The
judge specifically rejected this allegation as it related to events that
took place before the contract was entered into.)
The judge accepted that some of these claims had been made out and
represented breaches of the contract (for which Atos was entitled to damages,
see below). However, these breaches fell well short of a repudiation as they were
all relatively minor, Atos never made any complaint in writing about them and
there was an implicit waiver of any right to terminate due to the extensions of
time agreed in March. Perhaps more fundamentally, they were not
repudiatory as the problems suffered by Atos were not caused by De Beers'
lack of co-operation but were instead a result of Atos' failure to anticipate the
complexity of De Beers' requirements.
The final argument was that De Beers had repudiated the contract by not
following the change control procedure. In particular, De Beers had rejected
many of Atos' change requests on the basis that they were within the original
scope of work. The judge rejected the suggestion that this could be a
repudiatory breach.
Alleged repudiation by Atos
In contrast, the judge concluded that Atos’ suspension of work amounted to
repudiation. Atos had not simply threatened to suspend work until the
milestone payment was made, something it was entitled to do under the
contract. Instead, Atos had threatened to suspend work unless De Beers
agreed:
> to amend the commercial terms of the contract so that Atos would
complete the project on a time and materials basis at Atos’ internal
rates (which would add an estimated £4.6 million to the cost of the
project); and
> to waive any claims it had against Atos.
The judge commented that “there is a very significant difference between
being willing to complete a project, and being willing to fulfil a contract”.
Damages
Accordingly, De Beers was entitled to damages for breach of contract. The
judge decided that the damages should be £1.4 million, which was equal to:
> the cost to De Beers of building a replacement system together with
some other additional expenses (which came to approximately £4.4
million), less
> the costs it would have had to pay under the now terminated
development contract and damages due to Atos for breach of contract,
in particular the failure to co-operate (which together came to
approximately £3.0 million).
The calculation of the second bullet raised interesting issues about the scope
of the development contract. De Beers’ requirements turned out to be more
complex than was originally anticipated, but was that additional complexity
within the scope of the contract or a change for which additional charges
would be payable? Edwards-Stuart J decided that a distinction could be
drawn between:
> a “change in breadth” – This is a change that introduces new
functionality. This will be outside the scope of the original contract and
would attract additional charges; and
> a “change in depth” – These do not introduce new functionality but
rather add scale and complexity to the project. This might happen
when a set of business requirements is reduced to a technical
specification. Changes in depth are much more contentious as the
customer may have understood this complexity at the start of the
project and assumed the supplier did as well. In contrast, the supplier
may have legitimately understood the requirements to refer to
something much simpler. The experts in this case suggested that a
distinction could be drawn by asking whether there is a solution that
meets the high level requirements at a significantly lower cost than the
solution necessary to meet the detailed specification. If so, the
additional complexity is outside the scope of the project and should be
dealt with through change control.
With this test in mind, the judge considered whether the refinement of De
Beers’ initial requirements into a more detailed specification resulted in “scope
creep”, which would need to go through change control and for which
additional charges would be due. In general, he decided that such work was
within the scope of the contract. In relation to one such refinement, he stated:
“If … Atos contracts to provide a system that will support those detailed
requirements, whatever they turn out to involve, then – absent any
contractual safeguards – it seems to me that it takes the risk that they will turn
out to be more, rather than less, complex than it had anticipated at the
outset”.
Lessons learnt
The case highlights a number of important lessons. Firstly, the root of this
dispute was Atos’ failure to anticipate the complexity of De Beers’
requirements. Suppliers should ensure that they have properly understood
their customer’s requirements before committing to a fixed price or delivery
timetable. Similarly, customers should not assume they can just transfer this
risk to their suppliers. In this case, De Beers suspected from the beginning
that Atos had underestimated its requirements and might have saved itself a
long and expensive court battle had it cured this problem right at the start.
Secondly, customers should be aware that a failure to co-operate and assist
their supplier may be a breach of contract. This will depend on the terms of
that contract. In this case, De Beers’ failure to co-operate may not have been
grounds to terminate but did entitle Atos to damages, which were offset
against its liability to De Beers.
Finally, suppliers should think very carefully about threats to suspend work or
not perform their obligations under an agreement, unless there is a clear
contractual basis to do so. This judgment makes it clear that even fairly
material breaches by the customer (such as De Beers’ failure to make a
milestone payment) may not be sufficient to justify this type of action.
De Beers UK Ltd v Atos Origin IT Services UK Ltd [2010] EWHC 3276 is
available here.
By Emma Harrington, London
UK – Update on endeavours clauses
There are a number of reasons why contracting parties refuse to give an
absolute commitment and, instead, will only “try” to achieve an objective. The
objective might be in the hands of a third party, relate to uncertain future events
or it may simply be papering over the cracks where no commercial agreement
has been reached.
The obligation to “try” is normally expressed as an endeavours clause, with
the choice of clause reflecting how hard that party has to “try”. A great deal of
effort can be spent arguing for one variant or another, but what these
clauses will require in practice is uncertain and depends greatly on the context
in which they are used. The last year has, however, provided some additional
guidance.
Obligation to inform
An important, but often overlooked, aspect of endeavours clauses is
illustrated by the Scottish case EDI v NCP [2010] CSOH 141. EDI paid NCP
£5 million for an interest in a car park in Castle Terrace, Edinburgh and
undertook to use “all reasonable endeavours” to redevelop that car park.
However, it became clear that the redevelopment would lead to a shortage of
car parking space in Edinburgh city centre and it was unlikely it would ever be
approved. Accordingly, EDI exercised a buy back clause requiring NCP to take
back its interest in the car park and repay the £5 million.
NCP refused to do so, arguing that EDI had not exercised all reasonable
endeavours to redevelop the car park. One aspect of this argument was that
EDI had not informed NCP of the problems caused by the shortage of car
parking space. If it had, NCP may have been able to help in finding alternative
parking provision to replace the Castle Terrace car park.
The judge agreed that an all reasonable endeavours obligation may well
require the obligor to inform the other party of the difficulties he is having and,
in some cases, see if that other party has a solution to the problem. However,
in this case, NCP were unable to suggest any realistic alternative parking
opportunities so even if they had been approached, nothing would have come
of it.
The case highlights that an obligor may well have to inform, and involve, the
other party where there are difficulties in fulfilling an endeavours clause. A
wise obligee might include express provisions to clarify this duty and put the
matter beyond doubt.
What does all reasonable endeavours mean?
So what does “all reasonable endeavours” mean? This is one of the more
controversial and least considered forms of endeavours clause. The orthodox
view is that it is a half way house between “reasonable endeavours” and “best
endeavours” (UBH v Standard Life, The Times, 13 November 1986). More
detail on what each of these phrases means can be found here (subscription
required), but one of the distinguishing features is that reasonable
endeavours clauses are usually regarded as not requiring the obligor to
sacrifice his own commercial interests. In contrast, an obligor who commits to
best endeavours may well have to subordinate his interests to those of the
obligee.
In Rhodia v Huntsman [2007] EWHC 292 the judge stated that an obligation to
use reasonable endeavours probably only requires a party to take one course
of action whereas best endeavours probably requires a party to take all
courses of action available. This created another view of the “all reasonable
endeavours” obligation – an obligation to use all reasonable endeavours
could be equated with best endeavours in this respect because both require
all courses of action to be pursued. This has been used to argue that all
reasonable endeavours is the same as best endeavours in all respects,
whereas it seems likely this statement just relates to the number of courses of
action a party must take and not the extent to which that party must otherwise
prejudice its commercial interests.
This more limited interpretation is supported by the recent decision in CPC
Group v Qatari Diar [2010] EWHC 1535 which related to the redevelopment
of the Chelsea Barracks site. Qatari Diar were obliged to use “all reasonable
but commercially prudent endeavours” to ensure the development went
Author: Peter Church
© Linklaters LLP. All Rights reserved 2011
ahead. However, the development was controversial and, following intervention
by the Prince of Wales amongst others, it became clear the planning
application might not be granted. Qatari Diar decided to withdraw the
application and pursue a new development strategy.
Vos J had to decide if this was a breach by Qatari Diar. He concluded that an
all reasonable endeavours obligation does not always require the obligor to sacrifice its
commercial interests and, in this case, the additional “commercially prudent”
qualification put the matter beyond doubt. Accordingly, Qatari Diar was entitled
to rely on those interests and withdraw the planning application. In contrast,
had it simply been a political decision to appease the Prince of Wales, that may
well have been in breach of its obligations.
While the decision provides some further clarification of this term, its meaning
is still elusive and may be more metaphysical than practical (see comments in
EDI v NCP). Time spent arguing over its meaning may be better spent on
setting out what the obligor will have to do in practice.
Further analysis by the authors on the interpretation of endeavours clauses is
available here (subscription required).
By Richard Cumbley and Peter Church, London