The case of Barbulescu v Romania, in which the European Court of Human Rights gave judgment on 12 January 2016, was widely claimed in the press to have given the green light to employers to monitor their employees' emails for personal use. It is true that the employer's monitoring of the employee's emails was upheld by the ECHR in that case, but the facts were somewhat unusual and the actual decision was more nuanced.
Mr Barbulescu worked for a company in Bucharest as an engineer in charge of sales. His employer asked him to create a Yahoo Messenger account for responding to clients' enquiries. The company had a policy that "It is strictly forbidden to disturb order and discipline within the company’s premises and especially ... to use computers, photocopiers, telephones, telex and fax machines for personal purposes." When the employer informed Mr Barbulescu that it had monitored his Yahoo Messenger communications over the course of a week and that it considered he had used the account for personal purposes in contravention of this policy, he replied in writing that he had only used it for professional purposes. The employer responded with a 45 page transcript of his Messenger communications for that week, including messages with his brother and his fiancee that contained intimate personal information about his health and sex life. The employer disciplined Mr Barbulescu and dismissed him for unauthorised personal use of the internet.
The ECHR held by a majority that Mr Barbulescu's right to privacy for his correspondence under Article 8 had been engaged, but that the interference had been proportionate within the State's margin of appreciation. Previous cases that had gone the other way were distinguished on the basis that in those cases the employer had tolerated some personal use of the internet. The Romanian courts in this case had considered it important that the employer accessed the Yahoo Messenger account in the belief that it contained only professional communications (as the employee had claimed). It was not unreasonable for an employer to want to verify that employees are working during working hours. The monitoring was limited in scope and therefore proportionate.
Whilst the Barbulescu case is an example of an employer's monitoring of an employee's emails being upheld, it actually held that the right to privacy applies, and the monitoring was only justified on the basis of the strict policy forbidding personal use and the employee's specific denial of any breach of that policy. Most employers in the UK do allow some personal use of work computers and telephones, and in such cases a clear policy that they will be monitored to check there is no abuse needs to be clearly communicated to employees and any such monitoring needs to be proportionate.
The Information Commissioner's Employment Practices Code provides some useful guidance to employers on monitoring communications in Part 3.
Wednesday, 4 May 2016
Wednesday, 7 October 2015
No safe harbour in the US
As has been widely reported, on 6 October 2015 the Court of Justice of the European Union gave judgment in the case of Maximillian Schrems v the Data Protection Commissioner for Ireland, holding that the European Commission Decision creating the "safe harbour" for the transfer of personal data from the EU to the US was invalid.
European data protection law prohibits the transfer of personal data outside the EU except to a country which "ensures an adequate level of protection" for personal data or where certain exceptions apply - for example where the data subject has given "unambiguous consent" to the transfer, or where "binding corporate rules" have been agreed to provide a contractual means of protection. There is a very limited list of countries which have been found by the EU to ensure an adequate level of protection. But, crucially, by Commission Decision 2000/520/EC of 26 July 2000 it included the EU/US "safe harbour" agreement, with which US companies could self-certify their compliance. The US safe harbour was of vital importance to the large number of international businesses which transfer customer data to their US operations, and with the growing importance of the Cloud even companies with no US operations are increasingly storing data on servers which are physically located in the US - and have therefore been relying on their Cloud service providers' confirmation that they are signed up to the safe harbour. (Or at least they should have been relying on it if they had properly addressed their minds to the issue.)
All this was thrown into doubt when Edward Snowden revealed that the US intelligence agencies, and in particular the NSA, carried out widespread and indiscriminate surveillance of data stored by US companies. We now know that US companies have to give access to their data to the NSA, and so are unable to guarantee the necessary adequate level of protection for their personal data to persons in the EU, as the surveillance is carried out on an indiscriminate basis, rather than a proportionate basis where necessary for national security purposes - such as to combat terrorism.
Mr Schrems (who is an Austrian citizen) therefore brought a case requiring the Irish Data Protection Commissioner to prohibit Facebook Ireland (which held his personal data on Facebook) from transferring that data to servers operated by Facebook Inc in the US for processing. The Irish High Court considered it was bound by Commission Decision 2000/520/EC on the safe harbour, but had its doubts as to the validity of the decision in the light of the Snowden revelations, so referred to the CJEU the question whether it was bound to follow the safe harbour Decision.
The CJEU held that it was not, and that national data protection authorities are not prevented by Commission Decisions from carrying out their own assessment. However, the Court went on to take the opportunity to hold (despite not having been expressly asked to do so by the Irish court) that Decision 2000/520/EC is invalid - particularly in the light of subsequent revelations.
So where does this leave the many companies that have been relying on the safe harbour to transfer customer data to their US operations, or just to store it in the Cloud? They cannot just wait and see what happens when the case goes back to the Irish court to decide in the light of the CJEU's guidance, as the CJEU has already held the safe harbour invalid. Nor can they wait for the EU and US to conclude their current negotiations for an amended safe harbour, as that will take some time and they need to continue transferring personal data. Binding corporate rules or standard contractual clauses in the form approved by the EU should be an option, but it is difficult to see how a US company could comply with any contractual data protection obligations it might undertake, given it would be bound to give the NSA access to its data. There is a limited exception where "the transfer is necessary for the performance of a contract between the data subject and the controller", which might arguably be used to perform existing contracts with customers. But for the moment, the only viable option seems to be to obtain the unambiguous consent of customers to transferring their data to the US by an express opt-in, warning them of the risk of surveillance by the NSA (in case anybody isn't already aware of this, or doesn't appreciate that it could happen in this case). Realistically this would involve stopping providing the service to the customer unless they click to confirm their opt-in to a clear warning message.
The alternative is to find a non-US Cloud service provider with servers in the EU or a country which is still considered to offer adequate protection; the list being Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Monday, 5 October 2015
Companies can be discriminated against
In the recent case of EAD Solicitors LLP and others v Abrams, the Employment Appeal Tribunal has held that it is possible for a limited company to bring a claim of direct discrimination on the ground of age under section 13 of the Equality Act 2010.
Like many of the cases on age discrimination, the claim was against a firm of solicitors who sought to compulsorily retire a partner when he reached the retirement age in their Partnership Deed (nowadays an LLP Membership Agreement). The twist here was that the partners were (for tax reasons) supplying their services to the firm (which was a Limited Liability Partnership) through personal service companies. The member of the LLP that brought the claim of age discrimination was therefore the individual partner's personal service company, rather than the partner himself.
So how can you discriminate against a company on grounds of age? The company itself was actually very young, having been incorporated only as the partner approached retirement, but it was allegedly being discriminated against on grounds of old age.
The answer is that the formulation of the test for direct discrimination in section 13 is:
"A person (A) discriminates against another (B) if, because of a protected characteristic, A treats B less favourably than A treats or would treat others."
The discrimination therefore just has to be "because of a protected characteristic" (in this case age). Person B does not himself (or itself) have to have that characteristic. This is what is known as "associative discrimination", where person B is discriminated against because he (or it) is associated with someone having the protected characteristic. This is a well-established principle, which has been applied for example in cases where someone is dismissed from their job because they are caring for a disabled person or where they are disciplined for refusing to obey instructions to discriminate against customers on racist grounds. The point which was decided in this case was that "person B" does not have to be a natural person, but can be a legal person such as a company.
Other forms of discrimination against companies are therefore possible. The judge gave hypothetical examples of "a company being shunned commercially because it is seen to employ a Jewish or ethnic workforce; a company that loses a contract or suffers a detriment because of pursuing an avowedly Roman Catholic ethic; one that suffered treatment because of its financial support for the Conservative Party or, say, for Islamic education; or one that was deliberately not favoured because it offered employment opportunities to those who had specific disabilities that were unattractive to some would-be contractors or because, let us suppose, of the openly gay stance of a chief executive."
The case only decided the claim could proceed as a preliminary point. Whether this company was actually discriminated against, or whether the discrimination could be justified as a proportionate means of achieving a legitimate end (the usual way to retire older partners) remains to be decided. It will also be interesting to see what damages can be claimed. The company has clearly suffered loss of profits, but can it claim for injury to the feelings of its director?
Wednesday, 17 June 2015
Supreme Court Confirms Document Means What It Says
I have to say it makes a refreshing change to read a report of a case where the court upholds an unjust result. Judges quite rightly seek to do justice in the cases that come before them when it is open to them to do so, but sometimes the principles of freedom of contract and commercial certainty mean that when a party has made a bad bargain, he will be held to it.
That was what happened in Arnold v Britton & others [2015] UKSC 36. 91 long leases were granted of chalets in a holiday park on the Gower Peninsula in South Wales, 25 of which contained a service charge provision in the following terms (with minor variations):
"To pay to the Lessor without any deductions in addition to the said rent as a proportionate part of the expenses and outgoings incurred by the Lessor in the repair maintenance renewal and renewal of the facilities of the Estate and the provision of services hereinafter set out the yearly sum of Ninety Pounds and Value Added tax (if any) for the first Year of the term hereby granted increasing thereafter by Ten Pounds per hundred for every subsequent year or part thereof."
21 of such leases were granted between 1977 and 1991. The other 70 leases had been granted between 1974 and 1977 and provided for the service charge to increase by 10% every 3 years rather than every 1 year. 4 of those 70 were then varied between 1988 and 2002 to provide for the yearly rather than 3 yearly increases. Because of the compounding effect of the wording over the 99 year term of the leases, by expiry of all the leases in 2072 those with yearly increases would be paying over £550,000 per year by way of service charge, whilst those with 3 yearly increases would be paying about £1,900 per year.
The Lessees with the leases providing for yearly service charge increases therefore sought to challenge the service charge clause in the courts. The County Court judge decided in their favour, interpreting the clause as meaning they had to pay a "proportionate part" of the costs to the Lessor, capped by the formula in the second part of the clause. On appeal, the High Court judge, the Court of Appeal and the Supreme Court (by a 4 to 1 majority) all decided that the meaning of the clause was clear: that the Lessees had to pay a fixed service charge of £90 compounding by 10% yearly. Only Lord Carnwath in the Supreme Court disagreed, preferring the County Court judge's interpretation.
Lord Neuberger, giving the leading judgment in the Supreme Court, was clear that where the natural meaning of the words used by the parties was clear, there was no room for the court to depart from them by reference to principles such as commercial common sense: "while commercial common sense is a very important factor to take into account when interpreting a contract, a court should be very slow to reject the natural meaning of a provision as correct simply because it appears to be a very imprudent term for one of the parties to have agreed, even ignoring the benefit of wisdom of hindsight. The purpose of interpretation is to identify what the parties have agreed, not what the court thinks that they should have agreed. Experience shows that it is by no means unknown for people to enter into arrangements which are ill-advised, even ignoring the benefit of wisdom of hindsight, and it is not the function of a court when interpreting an agreement to relieve a party from the consequences of his imprudence or poor advice. Accordingly, when interpreting a contract a judge should avoid re-writing it in an attempt to assist an unwise party or to penalise an astute party."
He also pointed out that the purpose of a fixed service charge clause was to provide certainty and avoid arguments over the lessor's actual expenditure and its reasonableness, and that inflation had been running at well over 10% per annum between 1974 and 1981, and over 15% per annum for six of those eight years; although it was less than 10% per annum after 1981. In other words, although it was ill-advised for the then lessees to have entered into leases in such terms, it was understandable in the circumstances of the time.
The Lessor had also (perhaps wisely) indicated that she was prepared to renegotiate the 25 leases to a formula linked to the Consumer Price Inflation index, so a just result may ultimately be achieved.
It is good to be able to advise clients that the clear words of their contracts will be enforced by the courts if necessary. The tricky bit, of course, is knowing when the words are clear. 8 out of 10 learned judges thought they were perfectly clear in this case, but 2 thought they were sufficiently unclear to permit an alternative interpretation. Does that mean they were only 80% clear?
Tuesday, 5 May 2015
"Parking Charge" not a Penalty
Most motorists are no doubt outraged by the high charges car park operators make if you have overstayed your parking time, even by a minute. Nowadays these charges are enforced by cameras with automatic number plate recognition, so are not easily avoided. But can you challenge them if the car park operator takes you to court?
We now have a case on the subject. In Parkingeye Ltd v Beavis [2015] EWCA Civ 402 the Court of Appeal considered an appeal by Mr. Beavis against a “Parking Charge” of £85 made by Parking Eye when he overstayed the 2 hours permitted period of free parking in the car park at the Riverside Retail Park in Chelmsford by nearly an hour.
About 20 signs were prominently displayed at the car park. According to the judgment “The signs are worded as follows (the words I have underlined being especially large and prominent, and the words I have italicised being in small print but still legible if one wished to read them)
Parking Eye car park management
2 hour max stay
. . .
Failure to comply . . . will result in Parking Charge of £85
. . .
Parking Eye Ltd is solely engaged to provide a traffic space maximisation scheme. We are not responsible for the car park surface, other motor vehicles, damage or loss to or from motor vehicles or user's safety. The parking regulations for this car park apply 24 hours a day, all year round, irrespective of the site opening hours. Parking is at the absolute discretion of the site. By parking within the car park, motorists agree to comply with the car park regulations. Should a motorist fail to comply with the car park regulations, the motorist accepts that they are liable to pay a Parking Charge and that their name and address will be requested from the DVLA.
Parking charge Information: A reduction of the Parking Charge is available for a period, as detailed in the Parking Charge Notice. The reduced amount payable will not exceed £75, and the overall amount will not exceed £150 prior to any court action, after which additional costs will be incurred.
This car park is private property.”
It was not disputed that the signs were reasonably large, prominent and legible, so that any reasonable user of the car park would be aware of their existence and nature and would have a fair opportunity to read them if they wished, nor that this gave rise to a contract between Mr. Beavis and Parking Eye.
Mr. Beavis challenged the £85 parking charge as being:
- unenforceable as a penalty at common law; and
- unfair and therefore unenforceable by virtue of the Unfair Terms in Consumer Contracts Regulations 1999.
At first sight, one would have thought this was obviously a penalty, as it was not a genuine pre-estimate of Parking Eye’s loss (they being simply contracted to manage the free parking facility for the benefit of shoppers) and was clearly intended as a deterrent. However, the Court of Appeal reviewed the case law on the subject, culminating in the recent case of El Makdessi (which is still under appeal to the Supreme Court) and noted that “The modern approach to penalty clauses suggested that a clause might not be a penalty, even though it did not contain a genuine pre-estimate of loss, if its dominant purpose was not to deter breach and the fact that there was a good commercial justification for it might lead to the conclusion that that was not the case. The clause would be a penalty only if the sum stipulated was extravagant and unconscionable.”
Here the provision of a 2 hour free parking facility for the benefit of shoppers and the need to keep the car park from becoming full, the fact that the charge needed to be sufficient to cover the costs of enforcement and was in line with the charges made by local authorities all amounted to commercial justification. The Protection of Freedoms Act 2012 also allowed the recovery of parking charges of this nature that had clearly been brought to the attention of motorists. In these circumstances £85 was not considered extravagant and unconscionable by the Court, and the charge was therefore held not to be a penalty.
The list of potentially unfair terms in the 1999 Regulations includes “terms which have the effect of requiring a consumer who fails to fulfil his obligation to pay a disproportionately high sum in compensation”. The parking charge would have been unfair if Parking Eye had “acted contrary to the requirements of good faith” in imposing it and if “that term caused a significant imbalance in the parties' rights and obligations under the contract to the detriment of the motorist”. Given that the signs were prominently displayed, the Court held there was no lack of good faith, and the same factors as led to the clause not being a penalty were sufficient for there to be no such significant imbalance.
Mr. Beavis therefore had to pay his £85 parking charge, plus presumably rather more in legal fees. It would only have cost him £50 if he had taken advantage of the discount for prompt payment.
So we now know that a “parking charge” of about £85 is likely to be recoverable, at least if the notices drawing it to motorists’ attention are sufficiently prominent and clearly worded. Presumably there must come a point at which such a charge is so clearly in excess of the industry norm (as charged by local authorities and others, and which no doubt will increase over time) as to be “extravagant and unconscionable” but we do not yet know what that point would be and it would take a brave (or really outraged) motorist to test it again before the courts.
Update: on 4 November 2015 the Supreme Court gave judgment in the joined appeals in Cavendish v El Makdessi and ParkingEye v Beavis, deciding that the clauses in both cases were not penalties, and therefore allowing the appeal in the former and dismissing Mr. Beavis' appeal against the Court of Appeal decision discussed above.
Wednesday, 29 April 2015
Has Data Protection just got more teeth?
The recent Court of Appeal case of Google Inc v Vidal-Hall & Others made some important decisions on data protection issues. But how much difference will they actually make in practice?
The case arose out of Google's "Safari workaround". Apple's Safari web browser was supposed to block cookies by default, unless the user opted to accept them. However Google exploited a loophole to enable its DoubleClick Cookie to circumvent this and track Safari users' browsing behaviour in order to deliver targeted advertisements. Google did not make its Opt Out Cookie available to Safari users with Browsers, and publicly stated that because Safari was set by default to block third party cookies, the default privacy settings would have the same effect as the Opt Out Cookie if the user didn't change them. Following the discovery of Google's Safari workaround, three aggrieved Apple users who obviously valued their privacy brought this case in the English courts and sought permission to serve proceedings on Google in California.
Google objected to the jurisdiction of the English courts, and this case therefore concerned preliminary issues as to whether the claimants would be allowed to pursue their case against Google. The case has not been finally decided.
The data protection points that were decided by the Court of Appeal were:
1. The claimants could claim damages for the distress they had suffered without having to show any pecuniary loss.
2. There was a serious issue to be tried as to whether the browser-generated information ("BGI") was personal data, even though it did not identify the users by name.
Point 1 is important as it potentially gives some real teeth to the Data Protection Act. The Act can be enforced by the UK Information Commissioner taking action against the offending data controller or by the affected data subjects claiming damages direct under section 13 of the Data Protection Act 1998. Whilst the Information Commissioner can impose serious penalties, his is a public office with limited resources which realistically will concentrate on the most serious offenders. The data subjects could number many thousands, and if they could all bring claims for a data breach (perhaps by a class action or if the claims farmers get involved) this could be a serious potential liability for a data controller in terms of damages and legal costs.
The problem with such claims is that the data users often do not suffer any financial loss. The real damage they suffer is distress due to the invasion of their privacy. But section 13(2) of the Data Protection Act provides that in order to claim damages for distress the claimant must also have suffered "damage by reason of the contravention" or the data processing must have been for one of the "special purposes" (being journalism, artistic or literary purposes). The Google claimants were not seeking any damages for financial loss and the special purposes did not apply.
The Court of Appeal decided to invoke Article 47 of the Charter of Fundamental Rights of the European Union (the right to an effective remedy and a fair trial) in order to "disapply" Section 13(2) because it denied the claimants an effective remedy for the breach of their rights under Articles 7 (the right to respect of private and family life, home and communications) and 8 (the right to the protection of personal data). The claimants were therefore free to pursue claims for damages for distress alone.
Whilst this is a significant development (and shows the primacy of EU over domestic law, at least where fundamental rights are concerned), it doesn't make that much difference in practice, as the courts had previously applied their own "workaround" to s13(2) by first awarding nominal damages of £1 and using that to ground a claim for distress under s13(2) - as the cases cited in the judgment demonstrate. The real difference in my opinion is the publicity this high profile case may give to the possibility of distress claims being made. Companies that previously took a relaxed attitude to their use of cookies may now wake up to the potential liabilities they may incur, and aggrieved users may be more willing to "have a go" at them. However damages for distress are still likely to be modest (a few hundred pounds is more likely than thousands), so the costs of pursuing claims will still be a significant deterrent to most claimants.
Point 2 is important as it goes to the very issue of what is "personal data". Many websites and apps track users' behaviour in order to deliver their service or provide more personalised results, and they are not always explicit about obtaining their users' informed consent as to what is going on behind the scenes. Section 1 of the Data Protection Act defines personal data as relating to an individual who can either (a) be identified from the data itself or (b) is "identifiable" from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The Court of Appeal emphasised that a person does not have to be identified by name - there may be other "identifiers" that single out the individual and distinguish them from others. Nor did it make any difference that Google did not actually identify the users by putting the data together with other information in its possession (e.g. gmail accounts). But the Court did not make a final decision on these points. All it decided was that these issues were "not clear-cut or straightforward" in relation to the BGI in the case, and that the matter should therefore proceed to a trial. We must therefore wait for the final decision (assuming it is not settled beforehand or appealed afterwards) for more guidance on this issue. However the judgment does give a clear indication that, however the law may apply in this particular case, "identified" and "identifiable" do not just mean by name. The providers of websites and apps should bear this in mind - especially given that claims for breach may now have more teeth.
Tuesday, 7 April 2015
Consumer Rights re Digital Content
It has long been a tricky legal question whether software counts as "goods" or "services". The distinction matters for a number of purposes, including that different terms are implied by law in contracts for the supply of goods and contracts for the supply of services.
The new Consumer Rights Act 2015 (the "Act") sidesteps the question by creating an entirely new category of "digital content" and stating exactly what terms are implied into a contract for the supply of digital content. However, the Act only applies to a contract between a "trader" and a "consumer" and the key terms are only implied if the consumer pays for the digital content. So for business to business ("B2B") contracts or contracts for genuinely free content, the old law still applies. But where the Act does apply, businesses will need to review their terms and conditions.
The relevant provisions of the Act are expected to come into force on 1 October 2015 and there is some excellent guidance produced by the Trading Standards Institute here, which I will not repeat in detail.
In summary "digital content" is widely defined as "data which are produced and supplied in digital form", which the guidance explains includes:
- computer games
- virtual items purchased within computer games
- television programmes
- films
- books
- computer software
- mobile phone apps
- systems software for operating goods - for example, domestic appliances, toys, motor vehicles, etc.
The terms implied by the Act are that the digital content must be:
- of satisfactory quality
- fit for a particular purpose
- as described
These terms are subject to some limitations, which are explained in the guidance. The consumer's remedies for breach of these terms are initially the right to repair or replacement, and then the right to a price reduction if this is not practical.
The trader cannot contract out of these implied terms. This all sounds like a big change, but the reality is that the scope to contract out of liability to consumers is already severely limited by the Unfair Terms Act 1977 and the Unfair Terms in Consumer Contracts Regulations 1999, and the sort of digital content covered would probably have been considered "goods" under the existing law and therefore subject to equivalent implied terms and remedies in any event. The Act therefore really just clarifies the legal position - which is important as it helps prevent unscrupulous traders taking advantage of the legal "grey area" to deny consumers their rights and deter them from seeking a remedy.
Standard terms and conditions for business to consumer ("B2C") contracts will need to be reviewed for consistency with the new law, especially if it was assumed that the terms implied in a contract for the sale of goods did not apply. If one of the exceptions or limitations described in the guidance is applicable, it would be helpful to spell this out. For example the guidance explains that "Most computer systems' software, games and apps have minor defects that are corrected over time with fixes or upgrades. Therefore a 'reasonable person' might expect the defects to be present and judge any items containing them to be of satisfactory quality." This is something that suppliers may well wish to highlight in their Ts & Cs.
There is more scope for excluding liability in a B2B contract, but standard terms must still satisfy the test of "reasonableness" under the Unfair Terms Act 1977. Will a statement that no term shall be implied as to satisfactory quality, fitness for purpose or correspondence with description be considered "reasonable" by a Court given that such terms are now clearly implied in consumer contracts, or will a more nuanced approach to the drafting be more likely to be upheld?