
Update on extension of SMCR to FCA FSMA-authorised firms and insurers

Following on from the consultation papers published in the summer regarding the extension of the Senior Managers and Certification Regime (see our client alert), the FCA has published proposals on how firms and individuals (including insurers) will transition to the extended Senior Managers and Certification Regime (SMCR). In addition, the FCA has published two consultation papers on the duty of responsibility and also on Industry Codes of Conduct.

Key points:

  • It is likely now that implementation of the extension of SMCR will apply firstly to insurance firms, in late 2018
  • For other firms, implementation is likely to be in mid-to-late 2019
  • Other than for Enhanced firms, the FCA is proposing to automatically transfer existing approved persons into Senior Management Functions
  • Enhanced firms will need to make specific applications for individuals to be approved as Senior Managers
  • The Duty of Responsibility will extend to all SMFs in the extended regime
  • The FCA is seeking feedback on its approach to supervising conduct, and its suggestion that it publicly recognise appropriate industry codes of practice

Consultation paper (CP17/40) on the transitional arrangements for solo regulated firms SMCR

View the consultation paper.

Who is affected by these changes?

All FCA solo regulated firms, as well as EEA and third country branches (not insurers; these firms should read CP17/41).

Conversion of individuals from the APR to the SMCR:

The FCA wants to make the transition from the Approved Persons Regime (APR) to the SMCR as simple, clear and proportionate as possible. The FCA proposes to:

  • Automatically convert most of the existing approved persons at Core and Limited Scope firms into the corresponding new Senior Management Functions (SMF). A table in the CP (at page 16) sets out which roles will automatically transfer.
  • The CP also includes proposals for dealing with new and in-flight applications by Core and Limited Scope firms.
  • Although statements of responsibility will not be required on the conversion, firms must have statements available for the FCA on request.
  • Enhanced firms will need to submit a conversion notification (Form K) and accompanying documents (statements of responsibilities and responsibilities map).

Certified Staff

Individuals who are not SMFs but who fall under the Certification Regime instead will need to have been identified by the start of the regime, and will be required to comply with Conduct Rules from this date. However, firms will have 12 months thereafter in which to certify them as ‘fit and proper’.

Conduct Rules

Firms will be given 12 months from the implementation date to train all staff (other than SMFs and CFs) covered by the Conduct Rule regime.

Changes for banking firms

The CP also makes clear that the FCA are proposing to introduce the new Prescribed Responsibility for training staff in Conduct Rules before the implementation of the extended regime, and firms will therefore be required to amend existing statements of responsibility, Responsibility Maps and notify the FCA accordingly.

Appointed Representatives (ARs)

The extension of the SMCR does not affect Approved Persons (APs) working at ARs. Principal firms will remain responsible for their ARs.

The Financial Services (FS) Register

The FCA proposed in CP17/25 and CP17/26 that for firms subject to SMCR, only details of people holding SMFs will remain on the register, with employees in Certification Functions (CFs) therefore no longer appearing on the register. This is being reviewed by the FCA as concerns have been raised regarding the impact of this on individuals currently holding CFs.

When will this be implemented?

The new rules will be implemented once the Treasury sets the dates. The FCA presumes that the rules will apply to insurers in late 2018 and solo-regulated firms in mid-to-late 2019. The actual commencement dates will be announced and set by the Treasury in due course.

Consultation paper CP17/41 on transitioning insurers and individuals to the SMCR

View the consultation paper.

Who is affected by these changes?

Solvency II firms, Non-Directive firms or NDFs, small run-off firms.

Transition arrangements

As firms are of different sizes and nature, the FCA does not find it appropriate to move individuals into the SMCR in the same way for all insurers. The FCA propose to:

  • automatically convert most of the APs at the small NDFs, small run-off firms and ISPVs into the corresponding new Senior Management Functions (SMFs);
  • allow Solvency II firms and larger NDFs to submit a conversion notification (Form K) and accompanying documents.

Certified Staff

Individuals who are not SMFs but who fall under the Certification Regime instead will need to have been identified by the start of the regime, and will be required to comply with Conduct Rules from this date. However, firms will have 12 months thereafter in which to certify them as ‘fit and proper’.

Conduct Rules

Firms will be given 12 months from the implementation date to train all staff (other than SMFs and CFs) covered by the Conduct Rule regime.

Consultation Paper CP17/42 – The Duty of Responsibility for insurers and FCA solo-regulated firms

View the consultation paper.

Who is affected by this paper?

Insurers, FCA solo-regulated firms and the senior management of both.

This consultation paper focuses on the extension of the ‘Duty of Responsibility’ to Senior Managers in all firms covered by the extension of SMCR. The FCA has produced guidance on the duty, and seeks feedback from firms affected by the extension.

Responses to these three consultation papers are due by 21 February 2018.

Consultation Paper CP17/37 - Consultation Paper on Industry Codes of Conduct and Discussion Paper on FCA Principle 5

https://www.fca.org.uk/publication/consultation/cp17-37.pdf

Who is affected by this paper?

All authorised firms, including those already subject to SMCR.

What does the paper say?

The FCA is proposing:

  • a “general approach” to supervising and enforcing SMCR rules for unregulated markets and activities, including those covered by industry-written codes of conduct.
  • to publicly recognise particular industry codes that set out proper

In addition, it is seeking comments on extending the application of FCA Principle for Businesses 5 regarding proper market conduct.

Responses to this paper should be sent by 5 February 2018.

What should you do now?

Firms who wish to comment on the various consultation papers should take the opportunity to do so, as past experience has shown that it is possible to inform and shape the Final Rules through consultation responses.

Separately, firms should still be considering who is caught internally by the regime requirements, and which roles will transfer automatically (or on application) to SMFs. Governance structures and reporting lines will need to be considered in light of the extension of the regime and of the duty of responsibility for SMFs.

To discuss how Kemp Little can help you implement these changes, please see our note or contact a member of our SMCR team:

PSD2 - European Commission adopts Delegated Regulation regarding regulatory technical standards on strong customer authentication and on common and secure open standards of communication

What has happened?

Firms who are within scope of the second Payment Services Directive ((EU) 2015/2366) (“PSD2”) now have – at long last – some clarity around PSD2’s strong customer authentication (“SCA”) requirements, following the European Commission’s adoption on 27 November 2017 of a Delegated Regulation and Annex with regard to the regulatory technical standards (“RTS”) on SCA and common and secure open standards of communication (“CSC”) (C(2017) 7782). 

What are the key points?

The key points relate to continuing access by payment service providers to payment service users’ payment account information held by banks and an optional corporate exemption from certain SCA requirements. 

Some detail

The journey to this point has not been easy and it is not clear whether the final RTS will answer all outstanding questions around SCA. The RTS were drafted initially by the European Banking Authority (“EBA”) further to its mandate under PSD2 to specify the requirements for SCA (under Article 98) and related exemptions, security measures for payment service users’ credentials and CSC for payment service providers. 

The RTS met with initial disapproval from the European Commission, which drafted a letter in May 2017 setting out its intention to make a number of amendments. The most controversial of these was the Commission’s proposed requirement that Account Servicing Payment Service Providers (“ASPSPs”) (banks typically) provide access to the customer interface for Account Information Service Providers (“AISPs”) and Payment Initiation Service Providers (“PISPs”) if the dedicated interface is not available. In other words, screen-scraping would still need to be provided even if a bank’s dedicated interface for AISPs and PISPs fails; this is in order to ensure continuity to payment service users (end customers) of the services provided by AISPs and PISPs. In June 2017, the EBA responded with an Opinion letter, setting out its objections, including its objection to permitting screen-scraping in this way.

The Commission’s adoption of the RTS includes some substantive amendments reflecting the Commission’s original position. The first is the addition of a further exemption from SCA to cover electronic payment transactions that are performed through dedicated payment processes used by corporates, where the appropriate level of security is achieved through other means than the authentication of a particular individual. This exemption would be subject to the approval of each national competent authority. 

The Commission’s second amendment to the RTS relates to “screen-scraping”. Here, the Commission promotes a compromise position (or perhaps a punt). The Commission maintains that banks should permit a fall-back mechanism if the dedicated interface fails: “it is necessary to provide, subject to strict conditions, a fall-back mechanism that will allow such providers to use the interface that the account servicing payment service provider maintains for the identification of, and communication with, its own payment service users.” (C(2017) 7782 final (Recital 24))

Having said that, the Commission has also decided that national competent authorities may exempt banks from being required to provide such a fall-back mechanism, provided the dedicated interface meets certain criteria. In other words, it’s back to the FCA. This means that ASPSPs, AISPs and PISPs could face different SCA requirements depending upon which Member State they are operating in.

What happens next?

Although PSD2 applies from 13 January 2018, the RTS apply 18 months after the date that the Delegated Regulation enters into force, which will be the date of its publication in the Official Journal of the EU. This means that the RTS should apply from around Q3/Q4 2019, assuming the necessary approval by the European Parliament and the Council is granted.

The Commission’s adoption of the RTS has several implications for payment service providers. Payment service providers now know they have until around Q3/Q4 2019 to ensure that their systems comply with the security measures in Articles 65, 67 and 97 of PSD2 (transposed in the UK under Part 7 of the Payment Services Regulations 2017) concerning SCA, bearing in mind that those provisions in Articles 65, 67 and 97 that do not relate to SCA will apply from the implementation of PSD2 on 13 January 2018.

The Basel Committee on Banking Supervision reports on the implications of fintech for banks

The growth of the fintech industry in recent years has caused regulators globally to consider their approach to supervision of players in this space. The attitude of regulators to fintech is of equal importance to firms operating in the financial industry. Focusing on the banking industry, the Basel Committee on Banking Supervision (‘BCBS’) has set up a task force to provide insight into this development, and more specifically to explore the implications for supervisors and banks’ business models. It has also published a consultation paper on the implications of fintech developments for banks and banking supervisors. The paper summarises the BCBS’s main findings and conclusions, as Jacob Ghanty, a Solicitor specialising in fintech and emerging payment technologies, explains.

The BCBS’ paper looks at a number of scenarios (possible models that the banking industry will adopt as a result of fintech developments) and assesses their potential future impact on the banking industry. A common theme across the various scenarios appears to be that banks will find it increasingly difficult to maintain their current operating models, given technological change and customer expectations. There seem to be indications that the future of banking will increasingly involve a battle for the customer relationship. In the paper, the BCBS looks at the extent to which banks or new fintech companies will own the customer relationship in each scenario. However, the BCBS indicates that the current position of incumbent banks will be challenged in almost every scenario.

The paper has some historical perspective: the BCBS recognises that the emergence of fintech is only the latest wave of innovation to affect the banking industry. It notes that banks have undergone various technology enabled innovation phases before (an example would be the trend towards online banking services in the last decade). However, its view seems to be that factors including the rapid adoption of new technologies along with their effect on lowering barriers to entry in the financial services market may prove to be more disruptive than previous changes in the banking industry. The paper is recommended reading not least as it draws together a number of concepts relevant to fintech in a perhaps more coherent and less hyped way than some other material available on this subject (see for instance the sectors for innovative services graph within the BCBS paper).

In the paper, the BCBS has identified ten key observations and related recommendations on supervisory issues for consideration by banks and bank supervisors, which are considered below.

BCBS’ observations and recommendations

Observation 1: The nature and the scope of banking risks as traditionally understood may significantly change over time with the growing adoption of fintech, in the form of both new technologies and business models. While these changes may result in new risks, they can also open up new opportunities for consumers, banks, the banking system and bank supervisors.

Observation 2: For banks, the key risks associated with the emergence of fintech include strategic risk, operational risk, cyber risk and compliance risk. These risks were identified for both incumbent banks and new fintech entrants into the financial industry.

Recommendation 1: Banks and bank supervisors should consider how they balance ensuring the safety and soundness of the banking system with minimising the risk of inadvertently inhibiting beneficial innovation in the financial sector. Such a balanced approach would promote the safety and soundness of banks, financial stability, consumer protection and compliance with applicable laws and regulations, including anti-money laundering (‘AML’) and countering financing of terrorism (‘CFT’) regulations, without unnecessarily hampering beneficial innovations in financial services, including those aimed at financial inclusion.

Recommendation 2: Banks should ensure that they have effective governance structures and risk management processes in order to identify, manage and monitor risks associated with the use of enabling technologies and the emergence of new business models and entrants into the banking system brought about by fintech developments. These structures and processes should include:

  • robust strategic and business planning processes that allow banks to adapt revenue and profitability plans in view of the potential impact of new technologies and market entrants;
  • sound new product approval and change management processes to appropriately address changes not only in technology, but also in business processes;
  • implementation of the Basel Committee’s Principles for Sound Management of Operational Risk (‘PSMOR’) with due consideration of fintech developments; and
  • monitoring and reviewing of compliance with applicable regulatory requirements, including those related to consumer protection, data protection and AML/CFT when introducing new products, services or channels.

Comment: It seems that the BCBS, perhaps unsurprisingly, perceives the risks and opportunities of fintech very much in the framework of existing regulatory requirements. This may come from a view that fintech is a development that should be treated like any other development, that is, within the structure of existing regulatory requirements and laws. I have sympathy for this approach and it is the normal state of affairs from an English legal perspective, but regulators should be mindful of the need to ensure that laws and regulations remain fit-for-purpose and look to develop these around fintech developments - after all the law should itself develop to deal with issues as they emerge. It is encouraging to see that this point is recognised in Observation 9 (see below).

Observation 3: Banks, service providers and fintech firms are increasingly adopting and leveraging advanced technologies to deliver innovative financial products and services. These enabling technologies, such as artificial intelligence (‘AI’)/machine learning (‘ML’)/ advanced data analytics, distributed ledger technology (‘DLT’), cloud computing and application programming interfaces (‘APIs’), present opportunities, but also pose their own inherent risks.

Recommendation 3: Banks should ensure they have effective IT and other risk management processes that address the risks of the new technologies and implement effective control environments needed to properly support key innovations.

Comment: It is difficult to argue with the BCBS’ findings here. It would be useful to see in due course some guidance with some specifics on addressing the risks of new technologies.

Observation 4: Banks are increasingly partnering with and/or outsourcing operational support for technology based financial services to third party service providers, including fintech firms, causing the delivery of financial services to become more modular and commoditised. While these partnerships can arise for a multitude of reasons, outsourcing typically occurs for reasons of cost reduction, operational flexibility and/or increased security and operational resilience. While operations can be outsourced, the associated risks and liabilities for those operations and delivery of the financial services remain with the banks.

Observation 5: Fintech developments are expected to raise issues that go beyond the scope of prudential supervision, as other public policy objectives may also be at stake, such as safeguarding data privacy, data and IT security, consumer protection, fostering competition and compliance with AML/CFT.

Observation 6: While many fintech firms and their products - in particular, businesses focused on lending and investing activities - are currently focused at the national or regional level, some fintech firms already operate in multiple jurisdictions, especially in the payments and cross border remittance businesses. The potential for these firms to expand their cross border operations is high, especially in the area of wholesale payments.

Recommendation 4: Banks should ensure they have appropriate processes for due diligence, risk management and ongoing monitoring of any operation outsourced to a third party, including fintech firms. Contracts should outline the responsibilities of each party, agreed service levels and audit rights. Banks should maintain controls for outsourced services to the same standard as the operations conducted within the bank itself.

Recommendation 5: Bank supervisors should cooperate with other public authorities responsible for oversight of regulatory functions related to fintech, such as conduct authorities, data protection authorities, competition authorities and financial intelligence units, with the objective of, where appropriate, developing standards and regulatory oversight of the provision of banking services, whether or not the service is provided by a bank or fintech firms.

Comment: It is welcome to see financial regulators recognising the need for cooperation with other types of regulators (notably data protection). With growing recognition of the importance of the use of customers’ data in financial services, it is possible that data protection regulations will become at least as important to banks as traditional financial regulations.

Observation 7: Fintech has the potential to change traditional banking business models, structures and operations. As the delivery of financial services becomes increasingly technology driven, reassessment of current supervision models in response to these changes could help bank supervisors adapt to fintech-related developments and ensure continued effective oversight and supervision of the banking system.

Observation 8: The same technologies that offer efficiencies and opportunities for fintech firms and banks, such as AI/ML/advanced data analytics, DLT, cloud computing and APIs, may also improve supervisory efficiency and effectiveness.

Recommendation 6: Given the current and potential global growth of fintech companies, international cooperation between supervisors is essential. Supervisors should coordinate supervisory activities for cross border fintech operations, where appropriate.

Recommendation 7: Bank supervisors should assess their current staffing and training models to ensure that the knowledge, skills and tools of their staff remain relevant and effective in supervising new technologies and innovative business models. Supervisors should also consider whether additional specialised skills are needed to complement existing expertise.

Recommendation 8: Supervisors should consider investigating and exploring the potential of new technologies to improve their methods and processes. Information on policies and practices should be shared among supervisors.

Comment: It is vital that regulators keep up with the firms that they are supervising and developments in the industry to avoid the risk of being unable to supervise effectively. How regulators do this is clearly a challenge given that many people with the relevant technological expertise naturally prefer to work in the industry itself rather than for the regulator. One method of tackling this issue has been the use of ‘regulatory sandboxes,’ which enable regulators to monitor emerging financial technologies first hand (see Observation 10 below).

Observation 9: Current bank regulatory, supervisory and licensing frameworks generally pre-date the technologies and new business models of fintech firms. This may create the risk of unintended regulatory gaps when new business models move critical banking activities outside regulated environments or, conversely, result in unintended barriers to entry for new business models and entrants.

Observation 10: The common aim of jurisdictions is to strike the right balance between safeguarding financial stability and consumer protection while leaving room for innovation. Some agencies have put in place approaches to improve interaction with innovative financial players and to facilitate innovative technologies and business models in financial services (e.g. innovation hubs, accelerators, regulatory sandboxes and other forms of interaction) with distinct differences.

Recommendation 9: Supervisors should review their current regulatory, supervisory and licensing frameworks in light of new and evolving risks arising from innovative products and business models. Within applicable statutory authorities and jurisdictions, supervisors should consider whether these frameworks are sufficiently proportionate and adaptive to appropriately balance ensuring safety and soundness and consumer protection expectations with mitigating the risk of inadvertently raising barriers to entry for new firms or new business models.

Recommendation 10: Supervisors should learn from each other’s approaches and practices, and consider whether it would be appropriate to implement similar approaches or practices.

Comment: It is reassuring to see that the BCBS is encouraging banking supervisors internationally to address potential knowledge gaps in the fintech area. One wonders with the explosion in fintech developments that is occurring whether governments may in future look at forms of industry self regulation in appropriate circumstances to help manage the burden of actually regulating this dynamic and fast changing industry. In the UK that is how financial regulation developed originally, but the pendulum had swung against self regulation by the time of the Financial Services and Markets Act 2000. Arguably, however, with the sheer pace and volume of new entrants and developments in fintech, some form of self regulation may become necessary, perhaps via some of the fintech hubs or incubators that have grown up to support the fintech industry. 

 

This article was first published in Payments & Fintech Lawyer November 2017 

 

Take care when submitting an application for EIS or SEIS relief

The Seed Enterprise Investment Scheme (SEIS) encourages individuals to invest in start-up companies by offering certain tax reliefs. An investor may be able to reduce their income tax liability by 50% of the funds used to subscribe for shares, up to an annual investment limit of £100,000 and on disposal of such shares be exempt from capital gains tax (after a minimum holding period). 

The Enterprise Investment Scheme (EIS) is similar but aimed at small, high-risk companies and investors can expect up to 30% of the cost of the shares to be offset against their income tax bill (up to an annual limit of £1 million). 

A company cannot apply for SEIS certification if an EIS investment has already been made.

In Innovate Commissioning Services Ltd v HMRC [2017] UKFTT 0741 (TC), Innovate sought SEIS certification. However, it inadvertently submitted the wrong form to HMRC, using Form EIS1 rather than Form SEIS1. On receiving the Form EIS1, HMRC wrote to Innovate checking whether it had intended to submit Form SEIS1 and noting that, if Form EIS1 was authorised, Innovate could not then correct the position. Innovate did not respond, as it had moved address and did not receive the letter. HMRC therefore gave authority for Innovate to issue compliance certificates under the EIS regime. Once Innovate realised the error, it submitted a Form SEIS1 and asked to withdraw the Form EIS1. HMRC refused, stating that once it had certified Innovate under EIS, it did not have the power to accept a substitute Form SEIS1. The effect of this was the denial of superior tax reliefs under SEIS.

Innovate brought proceedings against HMRC but the First Tier Tribunal agreed with HMRC and held that a company could not substitute a SEIS compliance statement for an incorrectly submitted EIS compliance statement after HMRC’s authorisation of the compliance statement (this followed previous decisions in X-Wind Power Limited v HMRC and GDR Food Technology Limited v HMRC). HMRC’s authorisation of the compliance statement was ‘the point of no return’. It is important to note that the Tribunal Judge remarked that the legislation provided that the provision of the compliance statement by the Company itself would be sufficient to prevent further filings being made. 

This case highlights the need to be careful in filing the correct compliance statement for EIS or SEIS relief and the consequences of failing to do so. Once HMRC authorise the compliance statement, it will be too late to reverse any mistakes. 

Implying terms into a professionally drafted contract

In the recent case of Takeda Pharmaceutical Company Limited v Fougera Sweden Holding 2 AB [2017] EWHC 1995 (Ch), the High Court had to consider whether a term for parties to co-operate following completion was to be implied into a share purchase agreement.

Facts:

The case arose out of the sale of a Danish company (the “Target”) by Fougera Sweden Holding 2 AB (“Fougera”) to Takeda Pharmaceutical Company Limited (“Takeda”) on 30 September 2011. Fougera was a subsidiary of an investment fund which was structured through a Luxembourg limited partnership. Fougera had loaned certain monies to the Target prior to the sale. At the time of the sale, the Target was involved in an ongoing issue with the Danish tax authorities as to whether the Target was liable to any Danish withholding tax on the interest accrued on this loan, which was outstanding at the time of the sale. The share purchase agreement (the “SPA”) therefore contained an indemnity provision pursuant to which Fougera would indemnify the Target for any withholding tax paid by the Target to the Danish authorities in relation to the outstanding issue. The indemnity was capped and expired on 30 September 2017.

The Danish tax authorities issued an assessment in 2015 levying significant sums as withholding tax on the Target. The Target wished to challenge this assessment, but it required certain sensitive information about the ultimate investors of Fougera, which Fougera refused to provide. Takeda argued that Fougera was under an obligation to provide this information either (1) pursuant to the further assurance clause of the SPA; or (2) pursuant to implied terms to this effect.

Court’s findings:

The court noted that the SPA was professionally drafted on behalf of sophisticated and well-resourced parties engaged in a very substantial transaction. It clarified that there was no dispute as to the principles to be applied in interpreting the SPA.  They were considered by the House of Lords and the Supreme Court in a series of cases culminating in the recent decisions of the Supreme Court in Wood v Capita Insurance Services Ltd [2017] UKSC 24, [2017] 2 WLR 1095. The court’s task was to ascertain the objective meaning of the language which the parties have chosen to express their agreement when read in the context of the factual background known or reasonably available to the parties at the time of the agreement, excluding prior negotiations. 

Takeda accepted that the obligations on Fougera to provide the required information were not spelled out in any of the express terms contained in the SPA, but argued that the obligations were “reasonably necessary to give full effect to” the SPA. The court rejected this claim. It held that implying a duty to cooperate was not necessary to make the SPA workable.

Takeda also argued that the further assurance clause imposed an obligation on Fougera to provide the required information. The court rejected Takeda’s arguments, stating that on a proper interpretation of the SPA, there was nothing that required Fougera to provide the requested information and as such there was nothing for the further assurance clause to bite on.

Conclusion:

This case clearly demonstrates the difficulty in persuading a court to imply terms into an SPA that is professionally drafted on behalf of sophisticated and well-resourced parties. The prudent approach therefore seems to be for each party to consider carefully the circumstances in which they might want to rely on clauses such as a further assurance clause, and to include clear express terms setting out each party’s obligations in such circumstances.

Potential implications of the government review for UK M&A deals

The Department for Business, Energy & Industrial Strategy (BEIS) of the UK government has published a Green Paper seeking consultation responses on proposals for reforming the provisions of the Enterprise Act 2002 (EA 2002) which deal with scrutiny of investments for the purposes of national security. 

The Green Paper acknowledges the key role that foreign direct investment plays in the UK economy, bringing multiple benefits including foreign capital, new jobs, ideas, talent and leadership. However, the Green Paper questions whether the current provisions of the EA 2002 are adequate for assessing the potential national security implications of proposed transactions, illustrated by the Hinkley Point C decision last year. The UK needs to be alert to the risk that having ownership or control of critical businesses or infrastructure could provide opportunities to undertake espionage, sabotage or exert inappropriate leverage, and also have a regime in place to assess and mitigate such a risk. The Green Paper mentions that part of the objective is parity with other developed and open countries in their equivalent regimes. 

BEIS proposes a set of short-term and long-term reforms, with the stated objective of seeking measures which only involve necessary and proportionate steps to protect national security. 

Short-term steps – change to thresholds for specific sectors

In the short-term, the government proposes to amend the turnover threshold and share of supply tests in the EA 2002. This will allow the government to review and, if necessary, intervene in mergers which exceed the amended threshold. The amended threshold would apply in two areas: (i) the dual use and military use sector; and (ii) advanced technology. For these areas, the government proposes to lower the turnover threshold from £70 million to £1 million and remove the current requirement for the merger to increase the share of supply to, or over, 25%. 

In relation to the dual use/military use sector, the government intends to use some of the Strategic Export Control Lists as the basis for which businesses will be subject to the amended thresholds. The lists include goods which have been agreed pose a risk to national security or human rights, or because of internal obligations or foreign policy commitments, and for which UK businesses must currently secure a licence before exporting.

In relation to advanced technology, the Green Paper provides some guidance on what this term is intended to cover. The Green Paper specifically mentions the following key areas to which it is proposed the amended thresholds will apply:

  • Multi-purpose computing hardware – the proposed definition is “Enterprises that: (i) own or create intellectual property rights in the functional capability of multi-purpose computing hardware; or (ii) design, maintain or support the secure provisioning or management of roots of trust of multi-purpose computing hardware”; and
  • Quantum-based technology – the proposed definition is “Enterprises that research, develop, design or manufacture goods for use in, or supply services based on, quantum computing or quantum communications technologies. This would include the creation of relevant intellectual property or components”.

BEIS has made clear that it welcomes respondents’ views on these proposed definitions. The Green Paper requested consultation responses on the short-term steps by 14 November 2017.

Long-term reforms

In the longer term, the government intends to make more substantive changes to how it scrutinises the national security implications of foreign investment. The proposed reforms will focus on ensuring adequate scrutiny of whether foreign investment in critical businesses raises any national security concerns and providing the ability to act where this is the case. The potential reforms include:

  • an expanded version of the call-in power, based on the existing power in the EA 2002, which will allow government to scrutinise a broader range of transactions for national security concerns within a voluntary notification regime; and/or
  • mandatory notification for foreign investment into: (i) the provision of essential functions in key parts of the economy; or (ii) new projects that could reasonably be expected in the future to provide essential functions and/or foreign investment in specific businesses or assets. 

The government proposes that mandatory notification may apply, as a minimum, to civil nuclear, defence, telecommunications and the transport sector. The government is also minded to include the types of business identified in relation to the short-term steps, i.e. the manufacture of military and dual-use items and advanced technology.

Responses to the long-term reforms are sought by 9 January 2018, with further consultation on proposed reforms to be included in a white paper.

When is a request to view a company's register of members 'for a proper purpose'?

Pursuant to section 116 of the Companies Act 2006 (the “Act”), any person may inspect a company’s register of members on payment of any relevant fee, provided they first submit a request containing prescribed information to the company, including the purpose for which the information is to be used.

Upon receipt of a request, the company must, within five working days, either comply with the request or refer the request to court if the company believes the request is not made for a proper purpose.

Section 119 of the Act provides that, in relation to a request made under section 116, it is a criminal offence if someone knowingly or recklessly makes a statement that is materially misleading, false or deceptive, or discloses information obtained or fails to prevent the disclosure of that information knowing or having reason to suspect that the recipient may use the information for an improper purpose.

The Act does not provide guidance on what is meant by ‘proper purpose’.

In Fox-Davies v Burberry PLC [2017] EWCA Civ 1129, the court gave consideration to the meaning of this phrase.  Here, an individual, who ran a tracing agency that located lost members of public quoted companies, submitted a request to inspect a company’s register, citing his reason as being “to assist and allow shareholders who may otherwise be unaware of their entitlements to reassert ownership or recover the benefit of their property.”  The individual was not a member of the company.

In response, the company referred the request to court in order to obtain relief from disclosing the register to the applicant, arguing that his purpose was not proper, as it was not clear who would have access to the shareholders’ personal information or how it would be kept confidential.  It is worth noting that the company had already engaged a tracing agent itself in order to assist with locating lost members.

At first instance, the High Court held that the company did not have to comply with the request because it was both invalid, as it did not identify the names and addresses of the persons to whom the information would be disclosed (as required by section 116(4)(d)) and made for an improper purpose, as the stated purpose was not the real purpose of the request (the real purpose being to extract a commission or fee from lost members).  The individual appealed the decision.

The Court of Appeal dismissed the appeal and upheld the Registrar’s decision that the request was invalid and for an improper purpose (though their reasoning as to why the purpose was improper differed).  In doing so, the Court gave the following guidance in relation to the meaning of ‘proper purpose’:

  • the proper purpose test is objective and the onus is on the company to show that the purpose is improper;
  • there is no requirement that a request be in the interests of shareholders – this is not specified in the Act and there is no reason why it should be implied;
  • the court can look beyond the purpose stated in the request and consider surrounding circumstances that may be relevant; and
  • the test is the same whether a request is submitted by a member or a non-member.

If a company receives a section 116 request, it should carefully ensure it meets all the requirements of section 116(4) and closely examine the reasoning given by the applicant.  If there is doubt as to whether the stated purpose is proper, the company should seek advice as to the merits of referring the request to court.

A guide to GDPR profiling and automated decision-making

Organisations need to prepare for the new provisions on profiling, such as informing individuals in their privacy notices. EU DPAs are now seeking comments on their profiling guidelines. By Nicola Fulford and Krysia Oastler of Kemp Little LLP.

The Article 29 Working Party issued on 3 October 2017 its draft “Guidelines on Automated individual decision-making and Profiling”1 under the GDPR (referred to as “the guidelines” in this article).

The guidelines provide some clarity around what is a puzzling aspect of the GDPR for many. Profiling involving personal data is already part of the day-to-day processing undertaken by many organisations. Existing profiling activities involving personal data are subject to data protection law. The GDPR is an evolution (not a revolution) of the law, so why is there such attention on the impact of the GDPR on profiling?

There are three reasons. Firstly, the GDPR includes a definition of profiling, which is new, very broadly defined and being a new definition, requires guidance on which activities are caught. Secondly, there are references to profiling throughout the text of the GDPR suggesting that profiling is, in and of itself, a risky activity and organisations need to determine what this means for their profiling activities. Thirdly, there are several specific rules in relation to solely automated decision-making which reference profiling, and the text of the GDPR does not provide clarity on the scope of these rules.

In this article, we explore what is meant by profiling, automated decision-making and solely automated decision-making under the GDPR and consider how to navigate the rules applying to these activities.

What is profiling?

Profiling consists of three aspects:

  1. Automated processing (processing using computers);
  2. of personal data2
  3. with the aim of evaluating personal aspects relating to a person or group of people (including analysis or prediction)3.

The guidelines make it clear that the definition is very broad and that the processing does not need to involve inference to be caught – “simply assessing or classifying individuals based on characteristics such as their age, sex, and height could be considered profiling, regardless of any predictive purpose”4.

The guidelines describe profiling as having three distinct stages, each of which falls within the GDPR definition of profiling: (1) data collection; (2) automated analysis to identify correlations; and (3) applying the correlation to an individual to identify characteristics of present or future behaviour5.

Examples of profiling include:

  • Collection and analysis of data to gain insights into behaviours and characteristics (the guidelines include an example of a data broker collecting data from different public and private sources, compiling the data to develop profiles on the individuals, placing the individuals into segments and selling the output information to companies who wish to improve the targeting of their goods and services6);
  • Keeping a record of traffic violations to monitor driving habits of individuals over time to identify repeat offenders (which may have an impact on the sanction)7; and
  • Considering an individual’s credit score before granting a mortgage8.

What is meant by solely automated decision-making?

A decision based solely on automated processing is a decision with no human involvement in the decision process9. The guidelines warn that involving a human in the process to circumvent the rules on solely automated decision-making would not work, as the human involvement must be meaningful and not just a token gesture. The individual needs to have the authority to change the decision considering all the information available10.

Decisions that have a legal effect are those that impact on an individual’s legal rights (including in contract). Examples given in the guidelines include:

  • entitlement or denial of a social benefit granted by law, such as child or housing benefit;
  • increased surveillance by competent authorities; or
  • being automatically disconnected from a mobile phone service because an individual forgot to pay his/her bill before going on holiday.

A decision that has a similarly significant effect “must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned. At its most extreme, the decision may lead to the exclusion or discrimination of individuals.”11 The examples given in the GDPR are automatic refusal of an online credit application or e-recruiting practices without any human intervention. The guidelines explain that although online advertising will not generally meet the threshold of having a similarly significant effect, online advertising may meet the threshold depending on the intrusiveness of the profiling, the expectations and wishes of the individuals, the way the advert is delivered and the vulnerabilities of the individuals concerned. An example given is an advert for risky financial products targeted at vulnerable individuals.

What should organisations be doing now?

Take stock of profiling activities and any automated decision-making: It will be impossible to comply with GDPR requirements without first identifying the profiling activities and automated decisions taken by the organisation. Organisations are likely to find it helpful to think about the three stages of profiling12 to help identify profiling activities.

Where automated decisions are identified, assess whether they are solely automated and, if so, if they may produce a legal or similarly significant effect on individuals. Organisations should document their analysis as part of GDPR accountability requirements.

Comply with the data protection principles: Identify an appropriate legal basis for each of your profiling activities and automated decisions. Ensure your activities comply with the data protection principles13.

Tell people about your profiling activities and automated decisions: Organisations need to provide information about profiling and automated decision-making in their privacy notices14. The rights to object and, where consent is the legal basis for processing, the right to withdraw consent must be explicitly brought to the attention of individuals and presented clearly and separately from other information. [See section below for specific requirements for Article 22 solely automated decisions that have a legal or similarly significant effect (“Article 22 decisions”).]

Have processes to deal with individuals’ rights in relation to profiling and automated decision-making: Organisations need to have processes in place to deal with requests from individuals exercising their rights. Consider the right of access to data and the information of which individuals will be entitled to a copy.

Individuals have an absolute right to object to direct marketing including profiling related to direct marketing. Organisations will need to have a clear view on their profiling that is related to direct marketing in order to be able to fulfil the absolute right to object to direct marketing. Individuals also have a right to object to processing of personal data necessary for the purposes of the legitimate interests pursued by the controller. Such objections to processing will likely need to be considered on a case-by-case basis by the controller.

Special considerations for Article 22 decisions: There is debate about whether Article 22 is a prohibition (meaning organisations cannot take Article 22 decisions unless one of the exemptions applies) or just a right for individuals not to be subject to Article 22 decisions (meaning individuals only have the right to object to such decisions).

The guidelines clearly state that the controller can only carry out the processing if one of the three exceptions covered in Article 22(2) applies15. Read as a prohibition, organisations are only permitted to take Article 22 decisions where:

  1. The decision is necessary for entering into, or performance of, a contract between the individual and the controller;
  2. the decision is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. the decision is based on the individual’s explicit consent; and
  4. the controller has implemented suitable measures to safeguard the individual’s rights and freedoms and legitimate interests (which includes at least a means for the individual to obtain human intervention, express his or her point of view and/or contest the decision).

Note that Article 22 decisions must not be based on special categories of personal data unless the controller has the explicit consent of the individual or the automated decision-making is necessary for reasons of substantial public interest and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Regardless of the distinction, when taking Article 22 decisions, organisations must implement documented processes to ensure that:

  • the decisions are lawful;
  • information about the profiling and the Article 22 decisions is easily accessible for individuals and brought to their attention (which includes the rationale behind or the criteria relied on in reaching the decision and the consequences for the individual with tangible examples);
  • details of Article 22 decisions are provided in response to data subject access requests, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual;
  • suitable measures to safeguard individuals’ rights, freedoms and legitimate interests (including as a minimum, a way for the individuals to obtain human intervention, express their point of view, obtain an explanation of the decision reached and/or contest the decision) are implemented.

Potential differences across EU member states

Member States have discretion to introduce legislation to restrict individuals’ rights and controllers’ obligations regarding Article 22 decisions. In the UK, Section 13 of the Data Protection Bill sets out safeguards in relation to the Member State derogation provisions on automated decision-making and introduces the concept of a “qualifying significant decision”, which is an automated decision that produces legal effects or significantly affects the data subject, is required or authorised by law and is not exempt due to it being necessary for performance of a contract or as a result of explicit consent being obtained.

Where a qualifying significant decision exists, the automated decision-making will be exempt from the Article 22 prohibition, subject to the controller, as soon as reasonably practicable, notifying the data subject in writing that the automated decision has been made. The individual has 21 days to ask the controller to reconsider the decision or take a new decision that is not based solely on automated processing. If such a request is submitted, then the controller has a further 21 days to comply with the request and inform the data subject of the steps it has taken to comply along with the outcome.

It is unclear how an automated decision “authorised by law” will be interpreted in each country. It is also unclear whether including details of the automated decision in a privacy notice would satisfy the obligation to notify the individual or, more likely, this should be interpreted as an additional requirement.

There is potential for the additional exemptions to create confusion for organisations that are seeking to implement a workable mechanism which can be consistently applied, as the requirements are different from the requirements for the other exemptions (performance of a contract or if explicit consent is obtained). This is an area for organisations to keep under review.

Looking to the future – DPIAs?

Data protection impact assessments (DPIAs) are mandatory in certain circumstances under the GDPR16. A DPIA is required in the case of Article 22 decisions. Organisations need a process to identify whether they are required to perform a DPIA on future profiling and automated decision-making. Even where a DPIA is not legally required, a DPIA should be considered as a good practice tool and a way of demonstrating that profiling/automated decision-making complies with the GDPR.

Something to say?

The Article 29 Working Party has requested comments on the profiling guidelines (and separately the data breach notification guidelines) be submitted by 28 November 2017, so time remains in which to submit your views17. The aim is for the guidelines to be finalised by the end of the year.

This article was first published in Privacy Laws & Business UK Report, November 2017, www.privacylaws.com.

 

References: 

1 Available on the Article 29 Working Party website: ec.europa.eu/newsroom/just/document.cfm?doc_id=47963

2 Defined in Article 4(1) of the GDPR as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

3 Profiling is defined in Article 4(4) of the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

4 Page 7 of the guidelines

5 See reference above

6 See reference above

7 Page 8 of the guidelines

8 See reference above

9 The guidelines illustrate the difference between decision-making based on profiling and solely automated decisions using examples. An example of decision-making based on profiling is where a human decides whether to agree the loan based on a profile produced by purely automated means. An example of a solely automated decision (including profiling) is where an algorithm decides whether the loan is agreed and the decision is automatically delivered to the individual, without any meaningful human input.

10 Page 10 of the guidelines

11 Page 11 of the guidelines

12 Data collection, automated analysis to identify correlations and applying the correlation to an individual to identify characteristics of present or future behaviour

13 Set out in Article 5 of the GDPR

14 See Articles 13 and 14 of the GDPR

15 Page 15 of the guidelines

16 See Article 35 of the GDPR

17 Details on how to provide comments are available on the Article 29 Working Party website ec.europa.eu/newsroom/just/

Facebook advertisers beware: This ruling could change how you use Facebook for marketing

Information law analysis: The EU’s Advocate General Bot recently issued an Opinion regarding the relevant jurisdiction vis-a-vis data processing activities involving Facebook. Dan Whitehead, associate at Kemp Little, explains the background to the case and potential implications of the Opinion.

Original news

Opinion of AG Bot regarding data processing activities involving Facebook (Wirtschaftsakademie v ULD Schleswig-Holstein)

Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Case C-210/16; ECLI:EU:C:2017:796

What are the facts and issues in the case?

Wirtschaftsakademie Schleswig-Holstein GmbH is a German company which specialises in providing educational and training services. It set up a ‘fan page’ on Facebook, through entering into a contract with Facebook’s German subsidiary, which was used to market its services. Through subscribing to a fan page account, Facebook made available to the company a supplementary service called ‘Facebook Insights’. Insights uses behaviour tracking cookies that are installed onto a user’s device by Facebook and provide anonymised data on the user’s habits and preferences to the owner of the fan page account.

In November 2011, the data protection authority in the German region of Schleswig-Holstein (the ULD) ordered Wirtschaftsakademie to deactivate its fan page on the basis that neither Facebook nor it had informed visitors that their personal data was being collected and used for the Insights service.

Wirtschaftsakademie challenged the decision in the German Administrative Court, which set aside the decision on the basis that the company was not a controller in respect of the personal data collected through the Facebook fan page. The ULD’s case was subsequently dismissed by the Higher Administrative Court of Germany before being brought before the country’s Federal Administrative Court (FAC).

The FAC referred a number of questions to the Court of Justice of the European Union for preliminary ruling. In summary the main issues were:

  • Can the ULD take action against a company for infringing Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive) even if they are not a data controller?
  • Is the ULD, as a German regulator, entitled to exercise its powers against Facebook despite the company’s designated data controllers being based in Ireland and the United States?
  • If the answer to the second question is in the affirmative, then is the ULD first required to consult with the supervisory authority in the EU Member State in which the data controller is located?

What was the Advocate General’s Opinion?

The Advocate General disagreed with the premise of the question relating to the first main issue. It was his opinion that Wirtschaftsakademie was in fact a joint data controller alongside Facebook in respect of Insights data processing, and therefore the company’s actions were governed by the Data Protection Directive.

In explaining his reasoning, the Advocate General stated that Wirtschaftsakademie took the decision to create the fan page of its own volition, therefore triggering the allegedly infringing data processing activities. Moreover, the company could have decided to bring the data processing to an end at any point by closing the page down. Instead Wirtschaftsakademie, through keeping the page live, benefited from the ability to use the Insights tool to enhance its marketing through understanding more about its target audience. In other words, you cannot ask a third party to process data on your behalf and then absolve yourself of all responsibility.

The Opinion takes a broad view of what it means to be a ‘data controller’ and explains that it is not necessary for a controller to have complete control over how data is processed. Instead, due to the ever increasing complexity of relationships between parties who are processing data, it is necessary to acknowledge that there may be a number of controllers involved in a single processing operation. Yet just because the parties are deemed to be joint controllers does not necessarily mean each of them bears equal responsibility for any infringements of the Data Protection Directive. We agree with the reasoning behind the conclusion that has been reached here.

In respect of the second main issue, the Advocate General stated that, in determining whether the ULD was able to exercise its powers against Facebook entities outside of Germany, it was necessary to show that the German regulator was entitled to apply its own national law and that this required two conditions to be met. First, the controller must have an establishment in Germany, and second the processing must be undertaken ‘in the context of the activities’ of that establishment.

It was the Advocate General’s opinion that under Article 4(1)(a) of the Data Protection Directive, an ‘establishment’ should, in accordance with the case of Google Spain SL & Google Inc v Agencia Española de Protección de Datos (AEPD) & Mario Costeja González Case C-131/12, be interpreted broadly to include any company that undertakes any ‘real and effective activity, even a minimal one’ and Facebook Germany was therefore an establishment of Facebook Ireland.

For German member state law to apply, it merely required that the processing be conducted in the ‘context of the activities’ of the establishment. In this case, because Facebook Germany was responsible for the promotion and sale of advertising space in its country, and this activity was reliant on the processing of personal data, its business activities were ‘indissolubly’ linked to those of Facebook Ireland. Therefore, the two-stage test was met, meaning that Facebook is required to comply with German law in respect of its activities on German territory and is subject to the ULD’s powers of enforcement.

Finally, the Advocate General concluded that, as the entity with decisive influence over the processing could be pursued for any alleged infringements of the Data Protection Directive, so it would follow that action could be taken directly against Facebook Ireland. In the Advocate General’s view, the fact that the ULD may exercise its powers of intervention against Facebook Inc and Facebook Ireland would in no way prevent it from also taking measures against the Wirtschaftsakademie.

On the third main issue, the Advocate General argued that, on the facts of this case, including the fact that the applicable law is that of the Member State of the supervisory authority that wishes to exercise its powers of intervention, Article 28(6) of the Data Protection Directive should be interpreted such that the ULD is entitled to exercise its powers of intervention against Facebook Ireland with complete independence and without being required first to call on the Irish supervisory authority.

What are the implications for Wirtschaftsakademie, and other companies who use Facebook for advertising?

At present, this is only the Opinion of the Advocate General and is not in itself legally binding. However, if the Court of Justice agrees with the Opinion, then the German courts may rule that the lower courts were wrong in setting aside the ULD’s original order. This could result in Wirtschaftsakademie being forced to take down its fan page.

Equally, the potential implications of this Opinion on other EU companies who advertise through Facebook are considerable. The ULD and other supervisory authorities across the EU may use any equivalent Court of Justice ruling as authority for taking action against such companies on the basis that they are data controllers who are infringing data protection laws. The risk of this happening, along with the potential for higher fines under the General Data Protection Regulation (EU) 2016/679 (GDPR), may force advertisers to be more cautious in their use of Facebook and other social media platforms, and put pressure on these companies to provide greater assurances about the legality of their data processing techniques.

To what extent will controllers based in one Member State now be expected to comply with the laws of other Member States?

Even if the Court of Justice follows this Opinion, there are two primary reasons why it is unlikely to have a substantial effect on controllers at this time. Firstly, the right for the ULD to exercise its powers across Member State borders follows from the 2015 Weltimmo s.r.o v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-230/14 judgment. This case involved a question of whether the Hungarian supervisory authority was entitled to impose a fine on a service provider that was domiciled in Austria. The court used the same two-stage test outlined above to establish whether the law of Hungary applied to the Austrian company’s data processing, and found that it did, thereby confirming the right of a supervisory authority to fine a company across Member State borders.

Secondly, when the GDPR takes effect on 25 May 2018, it introduces a new ‘one-stop-shop’ mechanism which will override the rulings made in this case and Weltimmo. Under one-stop-shop, where there is cross-border processing involved, the controller will be subject to the jurisdiction of a single lead supervisory authority whose identity will be determined by the country in which the ‘main establishment’ of the controller is based. Applying these new rules to this case would most likely mean that the Irish supervisory authority would be the lead supervisory authority, and the ULD’s role would be limited to cooperating with them as outlined under Article 60 of the GDPR.

This article was first published on Lexis®PSL 8 November 2017.

Offshoring and TUPE - what happens to the staff?

In a rare case regarding the applicability of TUPE to offshoring, the Employment Appeal Tribunal has provided some welcome confirmation.

The case

In the case of Xerox Business Services Philippines v ZEB, the Claimant was employed by Xerox in the accountancy department in Wakefield.  The work of the accountancy department was offshored to Xerox in Manila (a separate legal entity). It was accepted that TUPE applied to this transfer. 

The Claimant wanted to transfer to Xerox Philippines on his current terms and conditions, save that his place of work would be Manila (allowing him to move to the Philippines on his UK terms and conditions, including his current salary). This was refused (this would of course reduce the cost saving in moving the services to the Philippines), and he was ultimately dismissed by Xerox Philippines by reason of redundancy. He brought a claim for unfair dismissal.

At first instance the Employment Tribunal found that there had been a variation to the employee’s place of work in his contract and so he was entitled to work in the Philippines on his UK terms and conditions and that redundancy was not the real reason for dismissal. The real reason he was dismissed was because he wanted to remain on his current terms and conditions, pursuant to the TUPE transfer. 

On appeal the EAT found that there had been no variation of the employee’s place of work. When the employee transferred under TUPE to Xerox Philippines it was on his current terms, including his place of work in Leeds or Wakefield - not Manila.

The EAT also found that there was a genuine redundancy situation. Xerox Philippines did not require accountancy staff in Leeds or Wakefield and consequently the requirement for employees to carry out work of a particular kind in the place where the employee was employed had ceased.

The case was remitted back to the ET to consider the reason for the dismissal, and therefore the fairness of the dismissal. 

What does this mean?

There are very few cases on TUPE transfers in the offshoring context and this case provides welcome clarification of what has long been expected, namely that TUPE can apply to an offshoring but that, when it does, employees transfer on their same terms and conditions including their place of work. It is then for the transferee to make them redundant as they are not needed in their current location. Whilst it does not mean that employers do not have to consider relocating employees and consulting with them in the offshoring scenario, it does suggest that it is unlikely that employers would be required to allow employees to relocate abroad whilst retaining UK terms that are much more beneficial than the local terms.
