• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

ICO publishes its view on the Council's position on the EU General Data Protection Regulation

For nearly twenty years, EU data protection laws have remained fairly static, even in the face of considerable technological advancements, the rise of social media and the “big data” boom.

So in 2012 the European Commission decided to address this gap between the law and technology by publishing new draft general data protection regulation (“GDPR”) to replace the existing Data Protection Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The original aim of the GDPR was to harmonise data protection procedures and enforcement across all EU member states, as opposed to the current system where each member state has their own data protection regime. Two years after the initial draft, the European Parliament adopted a legislative resolution on the proposal which included a significant number of recommended amendments. To complete the trio, in June this year, the EU's Justice and Home Affairs Council (“Council”) agreed a general approach to the proposed GDPR by the European Commission in January 2012. The text agreed by the Council contains significant differences from the European Parliament’s version and the European Commission’s version, which means that there are now three versions of the GDPR in circulation.  

In advance of the completion of the trilogue process, the UK regulator, the Information Commissioner’s Office (“ICO”), thought it useful to set out its comments on the Council’s amendments to the GDPR. In the main, the key comments and concerns raised by the ICO on 26 August 2015 are:

  • Too much derogation for member states. The ICO argued that while member states need to be able to determine their own national arrangements for certain data processing activities, there is a risk with the Council’s draft of creating multiple data protection regimes arising as member states are given too great an ability to derogate from the GPDR. Separate arrangements should be kept to a minimum.

  • Pseudonymisation. The ICO agrees that there should be a single definition of personal data and therefore agrees with the Council’s rejection of a separate category of data for pseudonymous data. The ICO’s view is that pseudonymisation should just be a privacy-enhancing technique. It further emphasised that the pseudonymised data is a relatively low-risk form of personal data and the Regulation should provide an incentive for doing so.

  • Incompatible further processing. The Council’s draft introduced a new provision which sets out certain criteria to be taken into account to determine whether a new purpose for processing of personal data is compatible with the one for which the data were originally collected. The ICO is critical of this as it views this provision as confusing. Also the ICO responded that processing of personal data must always have a legal basis and any incompatible processing should be only in accordance with a relevant exemption for the data protection principles. In practice, it would be very difficult for an organisation to evaluate whether or not its legitimate interests override those of the individual and whether or not the incompatible processing is permitted.
  • Children’s consent. The ICO did not agree with the Council’s decision to remove the definition of “child”, which had been defined an individuals under the age of 13. Having no definition makes it difficult for data controllers to know when the provisions relating to children’s data applies.
  • Transparency. The ICO welcomes the requirement to provide the fair processing information to individuals in clear and plan language. However the requirements of the GDPR are framed like a classical privacy notice, just with more detailed requirements. The ICO feels that this doesn’t encourage businesses to find innovative ways of explaining their data processing techniques to individuals.   
  • Profiling. The ICO supports reference to “significantly affects” and so it affirms the Council’s position that data subjects can only object to decisions based solely on automated processing where it significantly affects the data subject. This would essentially allow for low-risk profiling, like behavioural advertising. The ICO disagreed with the Council’s requirement to have a “human intervention safeguard” as the ICO viewed this as impractical, especially for the delivery of real time advertising.
  • Records. The ICO has expressed concern that the requirement for businesses to maintain records of their processing activities will be unnecessarily burdensome on small and medium sized business. Instead it would prefer that national authorities produced guidance about what records are to be maintained by different types of businesses.
  • Breach notification. The ICO expressed concern that it would receive a large number of notifications for trivial or inconsequential data breaches and therefore it welcome the reference to “high risk breaches”
  • Data protection officer. The ICO prefers the flexibility proposed by the Council – namely that each member state is free to determine whether to make appointment of a mandatory data protection officer a compulsory requirement. The ICO feels that the list of skills and expertise for the data protection officer listed in the original Commission draft of GDPR was excessive and did not reflect how businesses managed data protection in practice.
  • Lead supervisory authority. The ICO was particularly critical of the provisions detailing data protection supervisory authorities and labelled these as “confusing and overly complex”. The ICO’s view is that local data protection authorities should continue to deal with matters on a local basis (as is the current situation). ICO was concerned that the role of the lead supervisory authority wasn’t clearly defined. ICO did not like the concept that the lead supervisory authority needs the involvement of other supervisory authorities or the European Data Protection Board when addressing international data processing. Additionally the ICO viewed that the receipt of a “relevant and reasoned objection” was too low a threshold to trigger the consistency mechanism and thus require the involvement of other supervisory authorities.
  • Fines. The ICO wasn’t happy with the three tier fine system and believed that it shows a lack of flexibility and could result in unfair outcomes. So a relatively minor breach (like failing to designate a “representative”) could result in the highest fine, while breaches relating to basic individual rights fall within the lowest fine tier. ICO would prefer to have single list of breaches that could attract a fine.

As we have come to expect, the ICO is advocating a more risk-based approach with more flexibility for national data protection authorities to implement and enforce new rules. However this increased flexibility is at odds with the original objective of GDPR to ensure that data protection laws were harmonised across all member states. It also remains to be seen to what extent the Council’s views prevail in the trilogue negotiations over differing views of the Commission and Parliament representatives, although it seems there has been some compromise from all sides so far.    

For further information please contact Nicola Fulford