• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

The future of data protection law and enforcement in light of Brexit

In the summer, the government expressed its thoughts about the UK’s future data protection law. Nicola Fulford and Gemma Lockyer look at the derogations from the GDPR.

On 23 June 2016, the United Kingdom voted to leave the European Union and whilst that leaves us in a period of uncertainty in many respects, we have received some guidance as to where the UK’s data protection law and strategy is going. On 7 August 2017 the Department for Digital, Culture, Media and Sport published their statement of intent for the planned reforms that will form the new Data Protection Bill (Statement of Intent). The Data Protection Bill will bring  the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) into our domestic law as the government seeks to ensure that the UK maintains high standards of data protection, even after leaving the EU.

The GDPR will apply from 25 May 2018 and much has been written on the new rights of individuals and the new obligations on data controllers and processors that this will bring. The GDPR allows Member States to implement certain derogations at national level and the Statement of Intent sets out the UK government’s intentions in this regard. We have discussed the key derogations set out in the Statement of Intent below and also the views of the ICO on their international strategy looking ahead to 2021.

Key derogations giving consent to process data and protecting children online: In order for controllers to rely on consent when processing personal data, the person giving consent needs to have a certain level of understanding of what they are consenting to. Article 8 of the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorisation and requires that reasonable efforts be expended to verify that a parent or guardian has given the appropriate consent. The GDPR sets the minimum age for consent at 16 but also allows member states to set a lower age, provided this is no lower than 13, at which a child can consent in their own name to data processing. In the United States, the age of consent is set at 13 by the Children’s’ Online Privacy Protection Act and the Federal Trade Commissions’ subsequent COPPA Rule and so with varying standards between EU member states, as well as the difference between EU standards and the United States, there will be challenges for companies offering international services.

The safety of children online is one of the government’s current priorities. The government intends to establish a Digital Charter that has the aim of making online environments safer for children and young people. Despite this, the UK has decided to set the age limit at the lower end and allow a child aged 13 years or older to consent to the processing of their personal data. Carrying out age verification checks at the age of 18 is more straight-forward, with the possibility of credit checks, checking driving records and the electoral register. However, it is not possible to carry out checks of this nature on young children and so websites will need to find a new way to work with users to verify age. Whilst setting an age limit which is consistent with the United States may ease some tensions or international service providers, it will likely to prove difficult for data controllers to demonstrate they have the necessary consents from someone of an approved age.

Processing criminal conviction and offence data: Information relating to criminal convictions and offences is highly sensitive and the GDPR permits only bodies vested with official authority to process personal data of this nature. Currently, under English law, organisations are able to process personal data on criminal convictions and offences in certain specified circumstances, the examples given in the Statement of Intent include when carrying out employment checks and underwriting driving insurance policies. Employers are currently entitled to seek and be provided with varying levels of information on a prospective employee’s criminal record. The Data Protection Bill will preserve this right for organisations not vested with official authority to process personal data of this nature. There is a public policy reason for allowing employers to continue to process data of this nature to ensure that vulnerable members of society are not put at risk and the wrong people are not placed in positions of power that are at risk of abuse.

Automated individual decision-making: The GDPR introduces a new right for an individual not to be the subject of an automated decision, including profiling, which has a legal or other significant effect on the individual. This right does not apply when the automated decision is necessary for entering into or performing a contract with the data subject; authorised by Member State law if the law lays down suitable measures to safeguard the data subject’s right and freedoms and legitimate interests; or is based on the explicit consent of the data subject.

The Data Protection Bill will legislate for an exemption to the right to ensure that processing by automated means is possible where there are legitimate grounds. The examples given in the Statement of Intent are the automatic refusal of an online credit application or e-recruiting practices that do not involve any human intervention; on the basis that these business processes would become impossibly burdensome if businesses are unable to rely on computer processing powers and each decision has to reviewed by a human. However, we know that machine learning tools do not always get it right. If the data set that informs the learning contains unconscious bias then the machine is likely to generate biased answers (e.g. assuming that female CVs are more suitable for nursing roles because Google image results for “nurse” show predominately females). This derogation has the potential to seriously undermine a data subject’s right under the GDPR not to be subjected to a decision based solely on automated processing. Communicating how human intervention has been involved will be important to ensure that there are safeguards in place where a decision might have been reached which is fundamentally wrong but allowing a computer to carry out the  “first pass” could be an effective use of resources.

Freedom of expression in the media: Section 32 of the Data Protection Act 1998 provides an exemption for organisations to comply with the data protection principles (except the seventh data protection principle – the requirement to keep personal data secure) where the personal data are processed for special purposes. This includes if the processing is undertaken with a view to publication, that publication is in the public interest and compliance with the principles is incompatible with the special purpose. Through this exemption, the legislation has sought to reconcile data protection law and freedom of expression. It is intended that the exemption in section 32 will be broadly replicated in the Data Protection Bill although the enforcement powers of the ICO to  enforce the exemption is expected to be strengthened.

Research: The GDPR requires organisations to comply with certain rights belonging to data subjects, including the right for data to be rectified without delay, the right to restrict further processing, right of access and the right to erasure. The GDPR also allows the UK to legislate to allow scientific or historical research organisations, organisations that gather statistics or organisations performing archiving functions in the public interest to be exempted from these obligations. The intention is to allow for research organisations and archiving services not to have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Provided that appropriate organisational safeguard are in place to keep the data secure, research organisations will also not have to comply with an individual’s rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work. The examples given in the Statement of Intent to justify the exemption include the necessity to archive inaccurate data so that it is possible to audit a decisionmaking process that led to an unfavourable outcome or where statistical data may be compromised if an individuals’ personal data is later removed from the statistical pool.

The ICO’s international strategy

The Rt Hon Matt Hancock MP stated in the ministerial foreword to the Statement of Intent that under the Data Protection Bill “enforcement will be enhanced, and the Information Commissioner given the right powers to ensure consumers are appropriately safeguarded”. In the Information Commissioner’s Office’s International Strategy for 2017 – 2021, four challenges are highlighted which the ICO will face in the changing digital global environment.

1. To operate as an effective and influential data protection authority at european level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period: The ICO intends to maintain its relationship with its EU partners, including the European Data Protection Board and the Article 29 Working Party because, as well as overseeing enforcement of the GDPR, the European Data Protection Board will also issue guidance, making it influential in setting the direction for data protection and privacy standards. The ICO will advise the UK government on the data protection implications of leaving the EU and will seek to maintain a strong working relationship with individual EU Data Protection Authorities to ensure that UK organisations are able to continue to transfer data internationally to facilitate business growth.

2. Maximising the ICo’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies: The ICO intends to continue to engage with leading international privacy networks and explore relationships with networks that the ICO has not engaged with previously. The ICO intends to share information and knowledge with other independent bodies responsible for enforcing and promoting freedom of information laws. This will allow the UK to take international best practices and choose the best tools, which are most applicable to UK interests and apply them to ensure that the UK is taking the best from the widest pool of experiences.

3. Ensuring that UK data protection law and practice is a benchmark for high global standards: The ICO wants to ensure that the UK retains a high standard of data protection law to provide effective safeguards for the public. The ICO intends to collaborate with the international community to support work to turn the GDPR’s accountability principles into a robust but flexible global solution. Continuing to take part in the international conversation around data protection will allow the ICO to maintain its status internationally as a leading player in the data protection landscape.

4. Addressing the uncertainty of the legal protections for international data flows to and from the EU, and beyond, including adequacy: International data transfers are an important part of the digital economy. The ICO will seek to ensure that there are effective safeguards for these data transfers in the uncertainty that flows from Brexit. The ICO has stated that it intends to explore a “global data protection gateway” which will allow the UK to interoperate with different legal systems that protect international flows of personal data and will support work to develop new mechanisms to enable international transfers, such as codes of conduct and certification under the GDPR.

Impact of Brexit and conclusions

There are questions around the process under which UK organisations will be able to transfer data internationally (both to the EU and elsewhere) and so including a requirement for organisations to revisit and put in place any necessary mechanisms to facilitate the transfer of data in contracts which will continue following Brexit should be considered best practice. UK companies who operate in Europe will also have to consider their lead supervisory authority following Brexit.

The ICO’s strategy suggests that it will continue to take a tough stance on data protection in the coming years. It is clear that the ICO wants to ensure that the UK has a strong reputation for protecting the rights and freedoms of data subjects, potentially with a view to obtaining a European Commission finding of adequacy, which will cover international data transfers post Brexit. However, we may find there are some tensions with the UK government as the proposed derogations appear to unpick some of the protections offered by

GDPR (e.g. the lower age of consent by children to processing and the increased opportunities to use automated decision-making). It will also be interesting to see how the proposed Data Protection Bill and European Union (Withdrawal) Bill will interact, especially given the time taken to get this far with the Statement of Intent and the looming 2018 and 2019 deadlines.

This article was first published in PL&B UK Report, September 2017, www.privacylaws.com.

 

Contact our experts for further advice

Gemma Lockyer, Nicola Fulford