Www.emlawshare.co.uk Commercial Contracts – Data and Technology Contracts – a brave new world...

www.emlawshare.co.uk Commercial Contracts – Data and Technology Contracts – a brave new world Wednesday 8 October 2014 Gemma Townley – Sharpe Pritchard Stephen Pearson – Freeths David Lane – Freeths


www.emlawshare.co.uk

Commercial Contracts – Data and Technology Contracts – a brave new world

Wednesday 8 October 2014

Gemma Townley – Sharpe Pritchard

Stephen Pearson – Freeths

David Lane – Freeths

Commercial Contracts

EU Data Protection Reform

Gemma Townley – Sharpe Pritchard

The story so far

• Jan 2012: European Commission announced its proposals for reform of EU data protection law.

• The centerpiece of the reform is a draft Regulation to replace the existing data protection regime (Directive 94/46/EC).

• As a Regulation, it will apply to all member states without the need for implementation by national legislation.

Current Progress

• Since the draft Regulation was proposed by the Commission on 25 Jan 2012:

– Oct 2013: European Parliament approved an amended version of the draft Regulations;

– March 2014: European Parliament adopted the amended draft Regulation at first reading (COM (2012) 11 final);

– Organisations should be taking steps now to prepare for the changes; the new law is likely to come into effect during the term of contracts being awarded today.

General Provisions (1)

• Article 4 defines many of the fundamental concepts of the new regime, and includes a number of changes to the existing provisions:

– “Data Subject” = “a natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

– “Personal Data” = any information relating to a Data Subject.

General Provisions (2)

• Data Subject’s Consent = the “freely given, specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement [to processing]”

• Personal Data Breach = “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Data Protection Principles (1)

• To process the data lawfully, fairly and in a transparent manner in relation to the Data Subject (Art 5(a))

• To collect data only for specified, explicit and legitimate purposes, and not to further process it in any manner incompatible with those purposes (Art 5(b))

• To collect and process data only to the extent that is adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed (Art 5(c))

Data Protection Principles (2)

• To ensure that all data held is accurate and kept up to date (Art 5(d))

• Not to keep data in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data are processed (Art 5(e))

• To process the data under his responsibility and liability and to ensure and demonstrate for each processing operation the compliance with the provisions of the Regulation (Art 5(f))

Legal grounds for processing

• Art 6: Processing of personal data shall be lawful if it satisfies one or more of the following:

– Data Subject has given consent for one or more specific purpose;

– Necessary for entering or performing a contract with the Data Subject;

– Necessary for compliance with a legal obligation to which the Data Controller is subject;

– Necessary to protect vital interests of Data Subject;

– Necessary for performance of a task carried out in the public interest;

– Necessary for the purposes of legitimate interests pursued by the Data Controller.

Special Categories of Personal Data

• Art 9: Processing of personal data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited except where (e.g.):

– Data Subject has given consent;

– The Data Controller exercises a legal right or performs a legal obligation under employment law;

– Protect vital interests of Data Subject;

– Relates to data which are manifestly made public by the Data Subject;

– Necessary for the establishment, exercise or defence of legal claims;

– Necessary for the purposes of historical, statistical or scientific research (subject to conditions).

Requirements for Consent

• Consent must be freely given, informed, specific and explicit;

• Data Controller bears the burden of proof;

• If written, clearly distinguishable from any other matter;

• Right to withdraw – should be as easy to withdraw as it is to give.

Rights of Data Subjects

• Existing rights to subject access and objecting to processing;

• Significantly expanded rights e.g. right to transparent information and communication;

• New rights e.g. right to be forgotten and the right to data portability.

Transparent Information

• Art 11: requires Data Controllers to have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of Data Subjects’ rights;

• Data Controller must provide any information and any communication relating to the processing of personal data to the Data Subject in an intelligible form, using clear plain language, adapted to the Data Subject;

• If Data Subject makes request electronically, the data must be made available in electronic form;

• If Data Controller does process the Data Subject’s personal data, he must provide the Data Subject with essentially the same info listed in Art 14.

Information

• Art 14: Where personal data relating to Data Subject is collected, the Controller must provide Data Subject with at least:

– Identity and contact details of Controller and his representative and data protection officer;

– Intended purpose of the processing;

– Period for which the data will be stored;

– Existence of the right to subject access, the right to rectification or erasure and the right to object to processing;

– Right to lodge a complaint with the national data protection authority and contact details for that authority;

– Recipient or categories of recipients to whom the data will be disclosed;

– Intention to transfer personal data to a third country or international organization;

– Any further information necessary to render processing fair.

Rectification

• Art 16: Data Subject can request the Data Controller to:

– Rectify any personal data relating to him which are inaccurate;

– Complete any incomplete data, including by way of supplementing a corrective statement.

Right to be forgotten and erasure

• Art 17: Data Subject can request Data Controller to erase all personal data relating to them and abstain from further dissemination of such data where one of the following grounds applies:

– Data no longer necessary;

– Consent withdrawn;

– Data Subject objects;

– Court has ruled that data must be erased;

– Data unlawfully processed.

• Controller must have the data erased, including by third parties.

• Some exceptions.

Data Portability

• Art 18: Data Subject has the right to obtain from the Data Controller, on request, a copy of all personal data which the Data Controller processes by electronic means and in a structural and commonly used form.

• This new right is targeted in particular at online service providers and is designed to promote further interoperability between online systems.

Right to Object

• Art 19: creates a right to object to processing if data is being processed for vital interests of Data Controller, the public interest or legitimate interest.

• Data Controller has to demonstrate compelling legitimate grounds for the processing which override the Data Subject’s interests or fundamental rights and freedoms, otherwise Data Controller must stop.

• In practice, this will affect Data Controllers who rely on the “legitimate interest” justification.

Profiling

• Art 20: Every natural person shall have the right to object to profiling.

• Only reasons a person may be subjected to profiling are:

– If it is necessary for the entering into or performance of a contract at the Data Subject’s request;

– Expressly authorised by law;

– Based on Data Subject’s consent.

Obligations on Data Controller

• Must implement appropriate measures to demonstrate in a transparent manner that the processing of personal data is performed in compliance with the Regulations.

• Keep records and documentation about processing activities;

• Implement data security requirements;

• Carry out data protection impact assessments;

• Appoint a data protection officer.

Remedies, Liabilities and Sanctions (1)

• Art 31: Data Controller shall notify supervisory authority of data breaches without undue delay;

• Art 32: If adversely affects the protection of personal data or privacy of Data Subject, obligation to report to the Data Subject.

• Art 79: Fines can be awarded against controllers and processors who fail in their data protection duties:

– A written warning (less serious breaches);

Remedies, Liabilities and Sanctions (2)

• Intentionally or negligently failing to operate a proper subject access request mechanism or failing to respond promptly to subject access requests, or charging a fee for responding to such requests: EUR250,000 (or 0.5% of annual worldwide turnover);

• Intentionally or negligently failing to respond to subject access requests in a manner which complies with the Regulations: EUR500,000 (or up to 1% of annual worldwide turnover);

• General breaches of the Regulations: EUR 1,000,000 (or up to 2% of annual worldwide turnover).

Refresh of core contractual principles

David Lane

Associate

Freeths LLP

Contract Formation

• Offer

• Acceptance

• Consideration

• Intention to create legal relations

• No need to be in writing

• Battle of the forms

Express and Implied Terms (1)

• Statutory implied terms:

• Sale of Goods Act 1979 – that the goods supplied:

1. are of satisfactory quality;

2. are fit for purpose;

3. match any description given; and

4. are, if sold by sample, equivalent to the sample.

• Supply of Goods and Services Act 1982: services will be performed with “reasonable care and skill”.

Express and Implied Terms (2)

Judicially implied terms:

1. Attorney General of Belize and others v Belize Telecom Ltd [2009] UKPC 10

2. Mediterranean Salvage and Towage Ltd v Seamar Trading and Commerce Inc [2009] EWCA Civ 531.

• “Necessity” or “Business Efficacy” tests

Variation

• Requires the same steps as a contract

• Contractual clause to prevent oral variations

• Record changes in writing

Warranties and Indemnities (1)

Warranty:

• Statement of fact

• Breach gives rise to claim for damages

• Show breach and quantify loss

• Damages on normal contractual basis

Warranties and Indemnities (2)

Indemnity:

• A promise to reimburse

• On a £ for £ basis

• For a particular type of liability

• Easier to claim (no need to prove loss)

• Generally more certain level of damages

Breach and Termination

• Procedure for termination

• Post termination rights and obligations

• Claims for damages

Limitation of Liability

• Damages:

(a) Causation;

(b) Remoteness; and

(c) Mitigation

• How can we limit liability?

• What cannot be excluded?

• Is it reasonable and who decides?

Contractual Interpretation (1)

• “The Customer and the Supplier will co-operate with each other in good faith and will take all reasonable action as is necessary for the efficient transmission of information and instructions and to enable the Customer or, as the case may be, any member of the Customer’s Group, to derive the full benefit of the Contract.”

Contractual Interpretation (2)

The Customer and the Supplier:

(a) will co-operate with each other in good faith; and

(b) will take all reasonable action as is necessary:

(i) for the efficient transmission of information and instructions; and

(ii) to enable the Customer or, as the case may be, any member of the Customer’s Group, to derive the full benefit of the Contract.

Contractual Interpretation (3)

The Customer and the Supplier will co-operate with each other in good faith and will take all reasonable action as is necessary:

(a) for the efficient transmission of information and instructions; and

(b) to enable the Customer or, as the case may be, any member of the Customer’s Group,

to derive the full benefit of the Contract.

Performance Regimes, Liquidated Damages and Penalties

Stephen Pearson

Commercial Partner

Freeths LLP

Why Performance Regimes?

£187bn expenditure per annum!

“Government is clearly failing to manage performance across the board, and to achieve the best for citizens out of the contracts into which they have entered”

(HMG Public Accounts Committee)

How Can Regimes Work?

• SMART (Specific, Measurable, Assignable, Realistic and Time-Related)

• Convert to KPIs

• Consider financial effect of non-compliance ≤ 20% of fee?

• Over-compliance?

Example KPIs

• Customer satisfaction above [ ]%

• “Dynamic” standards, eg upper quartile of benchmark standards

• Industry-specific standards

Example KPIs (Continued)

• Rooms meeting availability criteria:

– Services

– Temperature

– Appliances operating

– Ventilation

– Light levels

Example KPIs (Continued)

• Rectification of defects within:

– 4 hours – Very High

– 24 hours – High

– 48 hours – Medium

– 7 days – Low

or points accrue, leading to financial deduction / warning notice, termination

• Records up to date – logs of cleaning / inspections

• Staffing to required level

• Service availability at [ ]% plus

Results of Failure

• Financial deduction

• Step-in

• Termination

• Bond / Guarantee activated

Beware the Excusing Cause! (Aka the dog ate my homework)

• Bedding-in period

• Force Majeure

• Actions of Authority

• Special Events

• Inclement Weather?

– Emergency?

– Shortage of materials?

– Programmed maintenance?

Liquidated Damages

• Unpopular

• An amount “reasonable in light of the anticipated or actual harm caused by the breach”

• Common in build contracts

• Unreasonably large LDs are unenforceable on grounds of public policy as a penalty

• What will you lose? Income? Third party costs?

• Cost of providing a replacement – “freshers dilemma”

Penalty Clauses

• Dunlop Pneumatic v New Garage (1915)

“the essence of a penalty is the money stipulated in terrorem … the essence of liquidated damage is a genuine pre-estimate of damage”

• Cavendish v Makdessi (2005)

– Is there a commercial justification

– Is it “extravagant or aggressive”

– Was it to deter the breach

– Negotiated on a level playing field

– Care needed not to describe provision as a “penalty”

Questions?