After Safe Harbor; before Privacy Shield

Standard contractual clauses as solution for data transfers to the US

Under the EU Data Protection Directive (Directive), which in the UK has been implemented via the Data Protection Act 1998 (DPA), personal data may, in principle, be transferred outside the EEA only if that third country ensures an adequate level of protection for the data. This principle is enshrined in the eighth data protection principle.  One method to ensure adequate protection, which has recently gained increased interest, is the use of standard data transfer clauses (Standard Contractual Clauses or Clauses) established by the European Commission (Commission).

Background: Demise of the Safe Harbor

In addition to the Standard Contractual Clauses, another way to ensure compliance with the eighth principle is if the Commission makes a finding that a non-EU country ensures adequate protection of personal data by reason of its domestic laws or its international commitments.  The Commission did so in 2000 in respect of the US by establishing what became known as the Safe Harbor scheme, through which nearly 6,000 companies were able to become self-certified to receive personal data from the EU to the US. 

In light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services, in particular the National Security Agency, the ability of the law and practice of the US to offer adequate protection against surveillance by public authorities of data transferred to the US, in the case in question via Facebook to servers in the US, was challenged. On 6 October 2015 the Court of Justice of the EU agreed and declared the Safe Harbor regime invalid.[1] As a result, if businesses that previously relied on the Safe Harbor scheme wish to continue to transfer data to the US, in order not to violate data protection legislation, they must make use of another method.

Standard Contractual Clauses as Alternative to Safe Harbor

For the time being the primary alternative to the Safe Harbor scheme is the use of a contract that contains the Standard Contractual Clauses (also referred to as Model Clauses or Model Contracts).  This method, too, is now under threat, however, because the Irish Data Protection Authority has recently indicated that it intends to refer a case that would challenge the legal basis for transferring data under Standard Contractual Clauses to the Court of Justice of the EU. The use of Standard Contractual Clauses was first established by the Commission in 2002 as a mechanism to lawfully transfer personal data out of the EEA and originally applied only to transfers from data controllers to data processors.  An updated version, which became effective in 2010, extended the regime to transfers to sub-processors (there are also controller to controller Standard Contractual Clauses).

The Standard Contractual Clauses are available free of charge and adopting them can be reasonably uncomplicated, but varies depending on the country (for example some data protection authorities require them to be submitted to them, or even to approve them). The use of the Clauses presents both drawbacks and benefits that should be considered prior to deciding on their use.

Clarifications to Guide Interpretation of the Standard Contractual Clauses

The Standard Contractual Clauses are indeed standard form, and as such, in order to function as intended, they may not be altered. Because they cannot be amended some contracting parties resort instead to explaining in their contracts how the Clauses are to be interpreted. Two prominent examples of areas that are often subject to such clarifications are sub-contracting and audit.

As noted above, Standard Contractual Clauses can be used in connection with sub-processors.  The use of a sub-processor is subject to the non-EU data importer obtaining the EU data exporter’s prior written consent.  In practice this consent requirement has at times led to complex negotiations on where the non-EU data importer might be transferring data to an affiliate or using a third party to store the data.  Additionally, the EU data exporter remains liable for ensuring that the personal data is protected in the manner specified in the Clauses, including after it has been passed to a sub-processor.  If the sub-processor is an affiliate this is typically less of a concern; however, if the sub-processor is a third party there may be disagreements about the clarifications used in connection with this.

Under the Standard Contractual Clauses the data importer must allow materials connected to the agreement in respect of which the Clauses are used, to be audited by the data controller itself, or an independent body selected by the data controller. Oftentimes the underlying agreement in connection with which the Clauses were used already contains its own audit requirements, which might specify when, how, how often and upon how much notice audits may take place.  As a result, the audit requirement from the Standard Contractual Clauses may be accompanied by clarifications about how such audit rights are to be exercised, stating for instance that only the audit rights of the underlying agreement will apply (where these are appropriate).

The use of clarifications of this kind, which usually appear in a covering note, contributes to casting doubt on the unchanged nature of clauses that are intended to be the same across all contracts to which they apply.  Such clarifications also complicate a process that can otherwise be relatively streamlined. These clarifications might be understood as the parties’ intended interpretation, but parties should specify that in the event of a conflict the terms of the Standard Contractual Clauses will override the clarifications.

Adoption and Applicability of the Standard Contractual Clauses

In spite of the drawbacks associated with the interpretative clarifications, as well as the impracticalities of signing multiple Clauses agreements, the Standard Contractual Clauses do present other aspects that can entail marked benefits. In the UK the adoption process is relatively simple because use of the Clauses constitutes a pre-approved method of transferring personal data outside the EEA and does not necessitate further approval from the Information Commissioner’s Office. As a result, implementation in the UK can be very fast. Notably, however, not every EU country has accepted the Clauses as a pre-approved method and some do require the Clauses to be approved by the local regulator subsequent to adoption in order to be effective.  The outcome is therefore that the Clauses do not function as efficiently and quickly as intended in every country.

Compared to the Safe Harbor scheme, the applicability of the Standard Contractual Clauses is significantly broader.  In contrast to the Safe Harbor, which applied to transfers of personal data to the US only, the Clauses can be used in connection with transfers to any non-EU country.   

Future of the Standard Contractual Clauses

Many companies that previously relied on the Safe Harbor for transfers of personal data to the US are now adopting the Standard Contractual Clauses. The Clauses offer an alternative, albeit not an ideal one, to the void left by the Safe Harbor, and it appears that the need to adopt them is perceived largely as an administrative hassle. Following the decision invalidating the Safe Harbor some companies noted, however, that they had not been relying exclusively on the Safe Harbor scheme but had been using the Standard Contractual Clauses as well, suggesting both that the impact of the invalidation and the consequent need to institute an alternate method is perhaps not as widespread as it otherwise might be and that the Clauses already have a significant foothold in EU-US data transfers.

In addition to the practical difficulties in implementing the Standard Contractual Clauses, as evidenced by the prevalence of clarifications, their adequacy in protecting personal data is also currently being questioned and there is a danger that like the Safe Harbor they might also be found to be an invalid method of transferring data to the US. Indeed, one regulator in a German federal state (Schleswig-Holstein) expressed the view that the Standard Contractual Clauses are an inadequate data transfer mechanism.  And, as referenced above, in May it was revealed that the Irish Data Protection Authority, the Irish Data Protection Commissioner, is planning to refer a case to the Court of Justice of the EU.  The case would challenge the legal basis for using the Standard Contractual Clauses to transfer data for much the same reason as the challenge brought against the Safe Harbor, namely that the mechanism fails to adequately protect personal data and in particular prevent mass surveillance. The Court of Justice of the EU is the only institution that may declare a Commission decision invalid and unless and until such time as it does so the Standard Contractual Clauses will remain a lawful method for transferring personal data.

In addition to Standard Contractual Clauses, alternative methods that satisfy the eighth principle include Binding Corporate Rules; an exception from the rule also applies if you have consent from the data subject. Binding Corporate Rules, however, are limited to transfers within a specific corporate group and as such do not provide a broad-based alternative to the Standard Contractual Clauses.  Consent from the data subject is not recommended by data protection authorities for long term or repeated transfers.

Following the invalidation of the Safe Harbor mechanism the EU and the US have been working towards establishing a new methodology for data transfers and in February 2016 agreement on a new framework entitled the EU-US Privacy Shield was announced.  However, although this was initially welcomed, in April 2016 the Article 29 Working Party, which consists of EU data regulators, issued an opinion on the Privacy Shield which expressed concerns about the proposal and made requests for clarification.  In May 2016 the Article 31 Committee, which is made up of representatives of all member states and has veto power over the agreement, expressed the view that parts of the proposal were not acceptable and that more time is needed.  In May 2016 the independent supervisor of the EU institutions and advisor to the EU legislator, the European Data Protection Supervisor, issued a press release indicating that the Privacy Shield is not robust enough to withstand future legal scrutiny, that significant improvements are needed to respect the essence of key data protection principles, and that a longer term solution should be sought.  The discussions are still ongoing and it will be some time before the scheme is finalised and approved. Accordingly, albeit far from an ideal solution, it appears as though at present the Standard Contractual Clauses present the most workable solution for transatlantic data transfers but it remains to be seen what their long-term fate will be.  


[1] Maximillian Schrems v Data Protection Commissioner, Judgment in Case C-362/14, 6 October 2015.

Healthy competition: your legal how-to guide for the sporting Summer

This piece looks at some key issues when running a competition or raffle to attract customers or raise funds for charity.

With a summer packed with sporting events, many businesses may be tempted to run promotions based on predicting results in those competitions. Summer party fun often includes a raffle, which can also be used to raise funds for charity. When you’re running a promotion or a raffle, and whether it’s open to customers or staff, there are a few points which it is important to bear in mind, to avoid falling foul of the prohibition on unlawful lotteries. The good news is that in April this year some of the rules were relaxed slightly, which should make it easier to run fund-raising raffles.

Lotteries are illegal unless licensed or exempt

It is a criminal offence to run or promote a lottery in Great Britain unless you have a lottery operating licence or an exemption applies.  A lottery for these purposes is any arrangement where a prize is allocated by chance among people who have paid to participate.  A raffle is clearly therefore a lottery, and a competition will also be a lottery if winning depends on chance.  Under the Gambling Act 2005, a competition is determined by chance unless it is reasonable to expect that the level of skill, judgment or knowledge required is such that either a significant proportion of participants will get the answer wrong or (which is harder to prove) a significant proportion of potential participants are deterred from entering (the “skill test”).  Lottery operating licences are only available to local authorities and charities (or those operating lotteries on their behalf), so a commercial organisation cannot get a licence to operate a lottery for itself.

Promotional competitions

When running a promotional competition, it is therefore important to ensure that participation is free or sufficient skill etc is required so it does not constitute an illegal lottery.

Competitions that genuinely depend on skill, judgment or knowledge will satisfy this skill test.  For example, a crossword or Sudoku puzzle where multiple correct answers are required and only completed puzzles are submitted would satisfy this test.  If the winner is determined by a series of processes, it is the first stage which must satisfy the skill test - so it is fine for the winner to be selected at random from those who have successfully completed the skill stage.

However, competitions which ask only one simple question, or where the answer is widely known or obvious from the material accompanying the competition, will not satisfy the skill test.  In deciding the level of skill required, the person running the competition must take account of the skill and knowledge of the target audience.  There is no statutory definition of what proportion of entrants must get the answer wrong (or be deterred from entering), and it is not always clear where the dividing line between skill and chance lies.  The more questions/clues that have to be solved, the more likely it is that the skill requirement is satisfied – and it is not likely to be satisfied if the answer(s) are easily available on the internet.  In practical terms, if there is room for doubt, those running competitions may wish to carry out research amongst their target audience to assess what proportion get the answers right or to review statistics from earlier similar competitions to assess the required level of difficulty, and should retain such evidence in case of later challenge.

If a competition does not satisfy the skill test, it can still avoid being a lottery if it is free to participate.  A competition will be free to enter even if an entrant must purchase a product or service, so long as the price paid for that product or service is not increased to take account of the right to participate in the competition.  Payment does not include the cost of first or second class post or standard telephone charges – but does include premium rate telephone charges or the cost of confirmed or guaranteed postal services.  “Payment to participate” includes payment to collect the prize and payment to discover the winner, as well as payment to enter: so you should not require winners to claim their prizes via letters sent by confirmed post or make winners’ details available via a premium rate phone line (it is irrelevant whether any payment goes to the person running the competition or to someone else such as the telecoms company providing the premium rate line used for the competition).

Where payment to enter is required (eg use of a premium rate phone number), you can still avoid the lottery regime by offering an alternative free entry route.  This alternative route must be as convenient as the paid-for route, it must be well publicised, and the allocation of prizes must not discriminate between the two routes.  The Gambling Commission thinks entry by post is more likely to satisfy these requirements than online entry particularly where there is a short period for entry.

Collection of data will not generally amount to “payment”, so you can usually reward those completing a survey by entering them into a draw.  However this may not be the case if large quantities of data are required, and particularly if that data will be sold on to a third party.

A final twist is that a competition which involves guessing the outcome of a (past or future) race or other event, or whether something is true or not, will be betting if payment is required to participate.  “Guessing” for these purposes includes predicting using skill or judgment.

“Customer lotteries” are exempt from the requirement to hold a lottery operating licence, but a raffle will only fall within this exemption if it satisfies a series of requirements, including that tickets are sold, and the raffle promoted, only on the business premises, no profits are made, the maximum prize is £50, and there must not be more than one draw in any 7 day period.

Fund-raising raffles

When running a raffle to raise funds, the “no payment” and “skill” escape routes from the lottery regime will clearly not apply. It will therefore be important to bring the raffle within one of the exemptions from the requirement for a lottery operating licence. 

Fortunately there is an exemption for “incidental lotteries” which enables people to run a typical charity fund-raising raffle if certain conditions are satisfied. Since April 2016, fund-raising raffles can be associated with commercial, as well as non-commercial, events, so the organisers can now benefit from entrance fees, sponsorship or other charges associated with the event. However:

  • All the monies raised from the raffle must go to charity, other than monies used to fund prizes (up to a total of £500) or other costs (up to £100).
  • The raffle tickets may only be sold on the premises where the related event takes place, and only during that event. However from April 2016, the winner no longer has to be announced before the end of the event.

Work place raffles

There is another exemption permitting workplace raffles, such as the traditional office sweepstakes. Previously all funds raised had to be used to defray expenses or distributed as prizes, so these raffles could not be used to raise money for charity.  However from April 2016, it’s sufficient for the funds raised by the raffle to be applied for any purpose other than private gain, so they can now be donated to charity.

A workplace raffle can only be advertised within the workplace, and the organisers and all the participants must work at the same premises (which includes multiple buildings on a single site, but not multiple sites).  Each participant must get a lottery ticket, and these tickets can only be sold by the organisers.  However these tickets no longer need to name the organisers and those eligible to participate, or to show the ticket price, and so organisers can now use the traditional books of “cloakroom tickets” rather than incurring the expense of personalised tickets.

Terms and conditions, and data protection

Any promotional competition or prize draw should be subject to some simple terms and conditions which comply with the requirements of the Advertising Standards Authority’s “CAP Code”.  These in fact form a useful checklist for a sensible set of terms for any competition.

The CAP Code requires that consumers are given the following information before or at the time of entering the competition:

  • how to participate, including any free entry route;
  • the start date and, in some cases (eg most competitions targeted at children), the closing date;
  • any proof of purchase requirements – or if the promotion encourages but does not require a purchase, a clear statement that no purchase is necessary and an explanation of the alternative entry route;
  • the minimum number and nature of the prizes, and whether a cash alternative may be substituted;
  • any geographical, personal or technical restrictions on eligibility eg age, location, or the need to have internet access or permission to enter from an adult or employer;
  • any limit on the number of entries or promotional packs;
  • the promoter’s full name and correspondence address (unless entry is only through a dedicated website containing this information in an easily-found form);
  • how and when the winner(s) will be notified, and when they will receive their prizes if this is more than 6 weeks after the closing date;
  • how and when the results will be announced – the names and counties of the winner(s) must be published or made available on request, but the promoter may not publish “excessive” personal information;
  • the criteria by which entries will be judged; if the choice is open to a subjective interpretation, there must be an independent judge (or a panel including one independent member) whose name must be available on request;
  • if relevant, who owns the intellectual property rights in any entry and how entries will be returned; and
  • any intention to use the winner(s) in publicity.

Entrants must be able to retain this information, or have easy access to it for the duration of the promotion.

The promoter must make clear to participants how their personal data will be collected and used.  This can often be most conveniently done by asking participants to agree with the terms of a privacy policy made available to them in the same way as the competition terms.

If a competition is run via social media, it must comply with any additional requirements imposed by the relevant social media provider.  For example, Facebook requires an acknowledgment that the promotion is not endorsed or administered by Facebook, each entrant must release Facebook from liability, and friend connections must not be used to generate more entries.

Additional requirements apply if the promotion is run for the benefit of a charity or cause.  In particular, there must be a formal agreement with that charity or cause, the competition terms must name the charity or cause and make clear how it will benefit, if funds raised exceed the target the excess must be given to the charity or cause on the same basis as the target amount, details of the total funds raised must be available on request, and children should not be encouraged to buy a product promoting charitable purposes.

Practical points

The person running a prize draw must ensure that the prizes are awarded in accordance with the laws of chance; unless the winner is selected by a computer process with verifiable random results, the draw must be done or supervised by an independent person.

People may have religious or moral objections to lotteries, so there should always be an option not to be entered into a draw.

The type of prize may increase the commercial risks of the promotion.  If the prizes are within the promoter’s control (products or services, vouchers or cash), these will be lower risk than prizes such as tickets to events – plays may be withdrawn or the cast changed etc – or holidays where multiple third parties are involved.  Particular caution is needed if a prize involves personal risk for the participant eg a balloon flight. 

This piece sets out the position where promotions or draws are open to consumers in Great Britain ie England, Wales and Scotland (or if certain equipment used for the promotion or draw is located in Great Britain).  If the promotion or draw is available in other countries, then the law in those countries also needs to be considered.  In particular, the law in this area in Northern Ireland is different from the rest of the United Kingdom – for example a competition is not “free” in Northern Ireland if an entrant is required to purchase any product or service; this is one reason why many competitions are not open to those in Northern Ireland or offer them a free entry route.

Further help

To discuss any of the matters raised in this piece, please contact Susan Biddle.

Useful guidance on the skill test, what constitutes payment to participate, and alternative free entry routes is provided in the Gambling Commission’s note “Prize competitions and free draws: The requirements of the Gambling Act 2005” (December 2009), available from the Gambling Commission’s website at <www.gamblingcommission.gov.uk>.

The ASA’s CAP Code is available from their website at <https://www.cap.org.uk/Advertising-Codes.aspx>.

Facebook’s terms for promotions are available at <https://www.facebook.com/page_guidelines.php>.


AI: Investment, M&A and Liability

The Rise of AI Corporate Activity

“Artificial intelligence is one of the most exciting and transformative opportunities of our time.” - Nathan Benaich, Playfair Capital

Nicola Blackwood MP, Chair of the UK Government Science and Technology Committee, recently announced an inquiry into the opportunities of robotics and artificial intelligence for the UK.  “It is important that the UK is ready with the research, innovation and skills to be able to fully take advantage of the opportunities and manage any risks,” she said, as “the global market for the AI sector is expected to grow to $2-6 trillion by 2025.”

Certainly, artificial intelligence has become something of a hot sector of late.  The largest software businesses in the world continue to invest big in AI, whether by way of development such as IBM’s $1bn commitment to Watson or Google’s run of acquisitions including DeepMind Technologies (bought for $625m in 2014 and whose AlphaGo system recently defeated the world champion Go player), Dark Blue Labs and Vision Factory.  Apple has been busy buying up Emotient (emotion-detection technology) and Vocal IQ (speech-processing).  In addition, Amazon recently acquired Orbeus, the Silicon Valley startup which specialises in image recognition, and Salesforce has made two major acquisitions already in 2016: MetaMind (AI-based personalisation and customer support solutions) and Prediction IQ (open-source machine learning server).  The graphic below is a good visual representation of the major acquisitions in the sector since 2013.    

As well as large acquisitions, there is a proliferation of startups looking to leverage machine learning tools.  Artificial intelligence platforms are starting to become mainstream in the software industry with developments in systems which can analyse both structured and unstructured data.  The impact of AI on existing technology and employment is forecast to be profound.  A recent Deloitte report estimated that as many as 36% of jobs in the UK were at risk of being automated.

Yet, despite the talk of AI being the next paradigm shift for the internet, it should be remembered that the AI sector is currently still an immature market.  According to Bloomberg data, venture capital funding within the software industry as a whole increased 37% in 2015 to a record $24.5 billion.  Altogether, AI investments accounted for a little over $2.75 billion (11% of software investment, and less than 5% of total VC funding in 2015).  That’s more than double the figure for 2013, but AI is still trailing behind sectors such as adtech, mobile and business intelligence software.  The vast majority of deals done in 2015 were also of comparatively small amounts and overwhelmingly into US businesses.  80% of the VC investments were sub-$5 million in size and 90% of the cash flowed into the US. 

As a comparator, the table below shows key UK investments from 2014-2016.

[Table: key UK investments, 2014-2016. Source: Beauhurst]

However, despite AI being in its infancy, it is already throwing up interesting challenges for lawyers when advising potential investors or acquirers on the risk profile of artificial intelligence and machine learning platforms.

AI and Acquisition Risk

The general split of risk on any M&A transaction is that (subject to agreed limitations of liability) losses suffered by the buyer caused by matters arising pre-closing fall to the seller, and those caused by matters arising post-closing are for the buyer.  By giving warranties to the buyer and providing statements and supporting documents in disclosure, the seller delivers a snap-shot of the business to the buyer.  If the disclosure process has been undertaken properly, the buyer should have a good picture of the value of the target to enable it to agree the price based on its knowledge of the business as at closing.  If any statement made by the seller about the company later proves not to be true, and the value of the business acquired is reduced because of it, the buyer has a remedy to claim for breach of warranty and look to recover the loss. 

The amount of loss which can be recovered under a breach of warranty claim follows the usual breach of contract principles, including principles of legal causation and remoteness of damage.  The principle of legal causation is somewhat ephemeral, but essentially holds that it would be unfair to hold a defendant responsible for certain consequences of a breach in circumstances where there is a break in the “chain of causation” between the breach and the harm suffered.  To determine whether the chain of causation has been broken by an intervening event, the courts will take into account the foreseeability or inevitability of that event.       

Remoteness is a separate principle, but one which also looks to assess whether the consequences caused by the breach should be the responsibility of the defendant (essentially, whether the loss was foreseeable).  The test for foreseeability operates in an M&A context such that, subject to any pre-agreed limitations or restrictions in the sale agreement, the buyer can look to recover all losses which are:

  • “in the contemplation of the parties” (ie foreseeable);
  • foreseeable not merely as being possible, but as being “not unlikely”; and
  • foreseeable at the date of the sale agreement, not the date of the breach.

The precise circumstances which unfold following the breach do not have to be foreseeable, but the nature of the loss has to be. 

To determine whether something was “in the contemplation of the parties”, the courts will firstly consider what occurs “in the ordinary course of things” (common sense), which the parties will be deemed to have contemplated, whether they actually did or not.  Secondly, the court will also take into account any actual knowledge of the parties themselves of special circumstances outside the ordinary course.  Recent case law has recast this in terms of an assessment by the courts of the “presumed intentions” and “common expectation” of the parties as to the assumption of responsibility by the defendant under the contract.

In terms of a warranty claim on a share sale, questions of foreseeability are relatively straightforward (although actually quantifying the loss may be more difficult).  The buyer can protect itself from much of the acquisition risk just by ensuring the warranty schedule is drafted appropriately.  Let’s say that the seller warrants to the buyer that the target company owns all intellectual property used in the business, but fails to disclose that key software is actually licensed from a third party.  If this is subsequently discovered, it would be difficult for the seller to argue that this loss is not foreseeable and that it shouldn’t be responsible for the diminution in value caused by the company not owning the relevant IP.

Even the risk of how a target company’s IT system will operate post-closing can be mitigated by a combination of the right warranties and some technical due diligence on the target’s back-up systems, use of anti-malware or anti-virus protection or how it utilises open source software.  However, the acquisition of an artificial intelligence business may require a different approach.

The creativity of AI

The key feature of an AI system which distinguishes it from previous technology is its ability to act autonomously.  It may do so within the confines of a definable structure, but many businesses developing AI see this “creativity” as one of the main benefits of artificial intelligence and machine learning. 

In his paper Regulating Artificial Intelligence Systems: Risks, Challenges, Competencies and Strategies, US attorney Matthew Scherer gives the example of C-Path, a machine learning algorithm for cancer pathology.  Researchers suspected that studying the stroma – the supportive tissue surrounding cancer cells – in conjunction with the cancer cells themselves, would help cancer prognosis.  C-Path found that the stroma indicator in and of itself gave rise to a more accurate prognosis; ignoring the actual cancer cells was a counter-intuitive conclusion which went against current scientific consensus, but led to a breakthrough.

C-Path’s ability to “think outside the box” is not down to a creative process, but rather the computing speed and brawn to weigh up thousands more data points than a human could successfully analyse without the restriction of perceived general wisdom.  Discussing a computer chess program, Nate Silver in The Signal and the Noise: Why So Many Predictions Fail – But Some Don’t, writes:

“We should probably not describe the computer as ‘creative’ for finding the moves; instead, it did so more through the brute force of its calculation speed.  But it also had another advantage: it did not let its hang-ups about the right way to play chess get in the way of identifying the right move in those particular circumstances.  For a human player, this would have required the creativity and confidence to see beyond the conventional thinking.”

The NUDT Tianhe-2 supercomputer can process 33.86 quadrillion (that’s 33,860 trillion or 33,860,000,000,000,000) floating-point operations per second.  Whilst most home computers don’t operate in this range, their computational power allows them to search through many more possibilities than a human in any given time frame (and this power will only increase over time).  This allows AI systems to find solutions humans may not have even considered, let alone attempted to put in place.  For some developers, this is the entire point of artificial intelligence.  In his book On Intelligence, Jeff Hawkins, the inventor of the PalmPilot and Treo smartphone, writes:

“Personally, I am less interested in the obvious applications of intelligent machines.  To me, the true benefit and excitement of a new technology is in finding uses for it that were inconceivable before.  In what ways will intelligent machines surprise us, and what fantastical capabilities will emerge over time?”

AI designers are designing their platforms precisely so that the algorithms produce unexpected solutions; but if things go wrong and damage is caused, is that foreseeable?  The behaviour of a learning AI system depends not only on its initial programming, but its post-design experiences and the data it interacts with once it has been sent out into the world.  Let’s say a buyer acquires an AI platform which has been designed to be semi-autonomous and allowed to alter its objectives based on subsequent experiences.  If the AI then does something unexpected which causes the buyer loss, should the unforeseeable behaviour break the “chain of causation”?  Should the seller be liable even if the system’s designers had no way of knowing that such an event would happen?  Should the buyer take responsibility as it knew it was buying an AI system which had the potential to be “creative”?  What if the algorithm which gave rise to the unexpected behaviour was open source?

It is market practice in the UK on a company acquisition for the buyer to be prevented from bringing a breach of warranty claim (other than in respect of tax) after a period of around 18-24 months following completion of the deal.  The rationale for this is that an 18-24 month period should give the buyer sufficient time to conduct a financial and technical audit; it also gives a reasonable amount of time for any third party claims against the target company for actions pre-closing to come out of the woodwork.  Self-learning AI systems are different; no amount of human technical analysis will detect all outcomes that an AI system could deliver (otherwise it wouldn’t be a particularly valuable AI system).  In that context, allowing the buyer 18-24 months in which to bring a warranty claim seems totally arbitrary.

To date, as we’ve seen, there have been few UK to UK exits for AI businesses as the sector is still young.  Yet, as investment continues to flood into AI companies, it won’t be long before we lawyers may be having to wrestle with some vexing questions around how we structure liability for AI behaviour.

For more information, please contact Andy Moseby.

Data Protection in the new world of Artificial Intelligence


Artificial Intelligence may pose new challenges that do not fit in under the EU Data Protection Regulation. Nicola Fulford and Gemma Lockyer explore the issues.

A quick online search of “what is AI?” does not provide you with an easy answer; this is because artificial intelligence can have different meanings to different people. For our purposes, it is a computer system which is able to perform tasks which would normally require human intelligence.

To date, as lawyers, we have needed to deal with computers and machines which are capable of numerous and speedy computations and calculations – but these actions have all been governed by the direction of the programmer. Artificial intelligence, on the other hand, is the machine intelligently thinking, learning and making decisions and actions based on this thought and knowledge. From a legal perspective this phenomenon challenges many key legal concepts and means that we need to address how we apply core principles of personality and liability onto something the law is not yet ready to deal with.

Could an AI be a data subject?

A data subject is defined as any individual who is the subject of personal data. Typically we think of data subjects as employees, contractors, customers or individuals on a marketing database etc. A limited liability company is not a data subject for the purposes of the Data Protection Act 1998 (the DP Act) and neither is a computer system. An AI is capable of performing tasks which would normally require human intelligence and so could it be argued that an AI should be given some of the same protections given to humans?

The current DP Act’s definitions mean that there is not going to be any personal data recorded in relation to an AI data subject because personal data relates to “a living individual” who can be identified from the data. Even if we can acknowledge that an AI has human intelligence and should be classed as an “individual”, and therefore a data subject, would we be able to go as far as to describe it as living? And, perhaps more importantly, should we? Given that the new definition under the EU General Data Protection Regulation (GDPR) changes this to a “natural person”, that does not seem to be the direction of travel.

Processing data using Artificial intelligence

A much more real concern for businesses is the use of AI in the processing of personal data. Processing is very broadly defined and includes “obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data”. The first data protection principle, which requires fair and lawful processing, is often met through the use of consent. The individual will consent to the processing of their personal data and this will enable the processing to be fair. How can we obtain informed consent when the processing of the data is no longer a predictable response to a set of pre-defined instructions given to a computer programme by a programmer but is now the result of an autonomous machine which is learning and thinking for itself? The programmer no longer knows what the next processing operation might be because that is a decision taken by the AI. Consent is not mandatory in the UK for the processing of personal data, although it is often the easiest way to justify the processing. Without consent the data controller will (generally) need to show that the processing is necessary for a contract or is for legitimate reasons, provided these reasons are not outweighed by the privacy implications for the individuals concerned. However, given that we don’t know exactly what processing the AI might undertake in relation to the data it is given, how can we know that the processing is necessary? Similarly, without understanding the processing and what the privacy implications may be, how can that balance be understood and documented?

Impact of the GDPR

The current EU data protection regime is due to be replaced by the GDPR. There are several key changes in the GDPR which will affect those working within the sphere of AI.

The first is the requirement to implement Privacy by Design and by default. Businesses will be required to take data protection requirements into account from the inception of any new technology that involves the processing of personal data. An AI works because of its ability to process large volumes of data and quickly. IBM’s Watson – a computer capable of answering questions framed in natural language thanks to the vast database of information it has access to – is an example of this. If the AI is given access to personal data as part of that database, then the AI will be processing personal data and data protection requirements will need to be taken into account as part of its design. This may not always be possible when the machine itself is evolving as it thinks and learns for itself.

Thanks to the increased computing power of AI it may be possible that data which might previously not have been considered personal data, because from the data alone you could not identify a living individual, might become personal data because the AI has access to other information which, when processed together with that data, could be used to identify a living individual. This potentially increases the scope of personal data which might be available relating to a data subject.

The GDPR also restricts profiling, which is the automated processing of personal data and the use of personal data to evaluate certain personal aspects relating to a natural person, for example analysing or predicting aspects concerning a natural person’s economic situation or personal preferences. Pursuant to Article 14(1) of the GDPR, data subjects have a right not necessarily to avoid profiling itself, but rather to avoid being “subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Recital 58 provides as examples the “automatic refusal of an on-line credit application or e-recruiting practices without any human intervention”. Consent to this profiling will need to be obtained and this will need to be considered well in advance of implementing these kinds of AI.

Are we ready?

Artificial Intelligence is a reality and with “big data” becoming “bigger data” all the time, is the legal data protection landscape ready for AI machines? The emphasis, we believe, is going to be on ensuring the data controllers are able to build in parameters around privacy into the AI, and also in trying to obtain the necessary consents before transferring data to an AI. Consent can be tricky today, but with the GDPR, consent will become even harder to obtain.

As with other new technologies, the law inevitably plays catch-up and AI will surely throw up new situations that do not “fit” what was in contemplation for the GDPR. For example, whether the AI is capable of being a data controller itself, making its own decisions in relation to the processing of the data, or how we might impose any liability on the AI for anything it did in breach of the DP Act or the GDPR. Given the power of the technology, this is a field likely to see an emphasis on ethics as well as law.

This article was previously published in Privacy Laws & Business.

Shareholder Spring 2.0: AGM activism increases over executive wages

This year’s season of shareholder gatherings has seen the largest amount of shareholder activism in the last four years; again, company owners’ ire is centred on executive pay.

Examples of the current shareholder spring include:

  • the defeat of the remuneration report at Smith & Nephew by 53% of shareholders thus vetoing a proposed vesting of the chief executive’s LTIP despite the company not reaching its targets;
  • the unprecedented decision by BP shareholders to rebel against a 20% pay rise for its chief executive, with 59% voting against the increase, following a year in which the company booked a $5.2 billion loss;
  • over 40% of Anglo American shareholders voting against the company’s 2015 pay report; and
  • the shareholder revolt at Foxtons over the proposal to award its chief executive a 19% increase in his basic salary, to £550,000 per year, and an uplift of his maximum bonus to 150% of pay during a period in which the company has seen sharp declines in its share price.

Investors state that the current structure of executive pay results in poor alignment of interests between executives, shareholders and the company and there should be more focus on simplifying pay packages, greater use of salaries and ensuring that equity incentives include minimum holding periods.

There is speculation that prolonged grievance amongst shareholders could result in the government and regulators intervening to cap executive remuneration in the private sector. In 2013, the government introduced legislation requiring companies to hold legally binding votes every three years, with executive pay packages needing the approval of more than 50% of shareholders. The first round of these binding votes will occur in 2017.

In addition to voting against resolutions, as was the case in the activism examples given above, the Companies Act 2006 (Act) allows shareholders to express their grievances at how a company is being run through a number of other means. Some of these rights are:

  • section 319A of the Act allows shareholders holding voting shares in a company whose shares are admitted to trading on a regulated market to require the board to answer a question relating to the business of the meeting;
  • section 303 of the Act enables shareholders representing 5% of the paid-up voting shares in a company to require that the company calls a general meeting;
  • shareholders can also use section 303 to put forward resolutions at a general meeting the shareholders have convened (members of public companies can also request that a resolution is considered at an AGM (sections 338-340));
  • section 314 of the Act enables certain shareholders to require the company to circulate a statement of up to 1,000 words to shareholders relating to a matter referred to in a proposed resolution or other business to be dealt with at a meeting;
  • in certain circumstances, removing, or blocking the appointment, of a director; and
  • bringing an unfair prejudice claim under section 994 of the Act for relief where the company’s affairs have been or are being conducted in a manner that is unfairly prejudicial to the shareholders’ interests generally or the shareholder, or certain shareholders, specifically.

With the prevalence of shareholder rebellion at AGMs this year, will we soon see some of these more pointed tactics being used by aggrieved shareholders in some of the UK’s largest companies?

For further information, please contact John Alder.

The article above, current at the dates of publication, is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.

The maturing equity crowdfunding market

The recent announcement from PayPal that they are amending their Payment Protection policy (to withdraw protection for payments made to crowdfunding campaigns) signals the shift from crowdfunding as a fashionable method of raising money for tech ideas, hobbies and side-projects to a serious option for businesses looking to fundraise. This does however highlight that there are risks and uncertainties involved in contributing to crowdfunding campaigns.

Focusing on businesses (rather than charities and causes) there are two main approaches to crowdfunding. The first is seen as more of a purchase mechanism whereby consumers are invited to pledge money to a company in order to receive goods or services at a reduced rate, prior to them being available to the general public. Sites such as Kickstarter and Indiegogo dominate this area and consumers receive no equity in the companies that they ‘invest’ in. The second – and more business-focused – approach is through sites such as Crowdcube or Seedrs whereby companies give away equity in their businesses in return for investment.

The risks involved with the first method of raising money are relatively minimal for companies aside from the reputational issues that arise from taking money and not delivering the product. According to a December 2015 study from Professor Ethan Mollick at the Wharton School of the University of Pennsylvania, approximately 9% of projects on Kickstarter fail to deliver their goods with the ‘investor’ losing out on their contribution. The terms & conditions of the marketplace sites govern what should happen in the event of a project not being delivered with the majority of these sites stating that they mandate the project creators must deliver their projects in full or provide reasonable efforts to do so. However, Kickstarter also goes on to state “the fact that Kickstarter allows creators to take risks and attempt to create something ambitious is a feature, not a bug” thereby providing its creators with a legitimate way out should their project fail.

In the US the Federal Trade Commission has started to protect users on Kickstarter from companies who go rogue with their money, whereas in the UK the Financial Conduct Authority (FCA) has focused its efforts on equity crowdfunding as this is seen as more of an investment opportunity.

The equity crowdfunding industry grew 410% between 2012 and 2014 (source: Nesta) with Crowdcube having helped raise over £161m for 400 companies since launching in 2011.

Originally an alternative funding method best suited for startups, it’s now becoming recognised as a mainstream finance option. Hundreds of businesses of different sizes and stages of growth have successfully raised money, from a variety of investors. The speed at which equity crowdfunding has grown may initially have been driven by startups unable to access finance through traditional routes but is now being used more widely. Research from Growthdeck found that the average valuation of a UK crowdfunded business was £3.2m and that they typically gave away 12.4% of their equity to investors.

FCA regulation on equity crowdfunding states that investment should be open to anyone “who can demonstrate that he or she has the experience and knowledge required to understand the investments being offered.” This is called the ‘appropriateness test’ and is a self-certification for investors. The simplicity of crowdfunding websites – combined with the easy access – has led to research from the Financial Times in February 2015 showing that 62% of funders on equity crowdfunding sites have “no experience of early-stage investment”. However, these investors have also been seen to be savvy and the amounts they contribute are lower than through other funding methods, with more diverse portfolios.

Businesses such as the UK startup Mondo Bank raised £1m in 96 seconds, whilst JustPark – who had already taken investment from BMW and Index Ventures – went on to raise a further £3.7m through Crowdcube; and the founder of easyJet, Stelios Haji-Ioannou, raised £1.3m for easyProperty.

The democratisation of investment through equity crowdfunding should be welcomed by investors and businesses as it creates a new pool of potential investors for companies, offers consumers a new method of increasing their wealth, provides a quicker timeframe for investment and should help to wake up well-established investors to a new way of thinking.

A growing trend that is expected to become more prominent in the future is the institutionalisation of crowdfunding, notably in terms of the investors. A recent study by the Cambridge Centre for Alternative Finance and NESTA found that 45% of platforms in the United Kingdom reported institutional involvement, compared to 28% in 2014 and just 11% in 2013.  Institutional involvement is particularly strong in consumer loans crowdfunding, while in equity-based crowdfunding a growing number of venture capital, angel investors and even government-backed investment funds are co-investing alongside or in parallel with ‘crowd investors’.

As Darren Westlake (co-founder of Crowdcube) points out, crowdfunding investors are savvy. They know building a diversified portfolio of investments will spread the risk and increase their chances of backing a winner, and crowdfunding offers the best of both worlds. They can enjoy the thrill of helping to get new ideas off the ground, and also the reassurance of backing a venture with a proven proposition that has already gained traction through generating sales, contract wins, or partnership agreements.

As the EC’s Commission Staff Working Document into Crowdfunding in the EU points out, the risks associated with crowdfunding include: investors losing part or all of their capital or not getting the returns they expect; dilution in the case of equity crowdfunding (if the company engages in further rounds of capital raising); inability to exit investments (e.g. for lack of a secondary market); insufficient information or inability to price correctly the securities invested in, or misinformation (both in the pre-investment phase and over the lifetime of the investment); conflict and misalignment of interests between issuers, platforms and investors; insolvency of the platform operators, in particular as regards the continuous servicing of existing claims (e.g. dividend and interest payments) and protection of clients' assets; security of client data; platforms may be used for illicit activities; fraud (both for the investors and for the project) and related reputational risk for platforms.

As with any new financial area, as crowdfunding grows it requires regulation and management. With banks and large financial institutions continuing to be complicated and risk averse, it presents a real opportunity for businesses to look to crowdfunding to help them grow, both from seasoned investors and from a wider pool of less experienced smaller-value investors. However, at the moment relatively few of the crowdfunded companies have shown a return on investment for their contributors – a few large exits will help cement crowdfunding as a long-term viable option to connect companies and a wider pool of investors.

For further information, please contact Deborah Angel.

Interpretation of a contractual limitation period in a share purchase agreement

In The Hut Group Ltd v Nobahar-Cookson and another [2016] EWCA Civ 128, the defendants (the Sellers) sold a sports nutrition business to the claimant (Buyer) pursuant to a share purchase agreement (SPA). The SPA provided that the Sellers would not be liable for any warranty claim unless the Buyer served notice of the claim on the Sellers “as soon as reasonably practicable and in any event within 20 Business Days after becoming aware of the matter.” The Buyer subsequently brought a warranty claim on the basis that the target company’s management accounts did not give a true and fair view of the target’s financial position. The Sellers argued that the Buyer’s claim was time-barred, as the Buyer had failed to serve notice within the specified time period. The Sellers submitted that “becoming aware of the matter” should be interpreted as becoming aware of the facts giving rise to the claim, as opposed to becoming aware that those facts may give rise to a claim. If the Sellers’ interpretation was accepted, then the Buyer’s claim would be time-barred, as the Buyer had not notified the Sellers of the claim within 20 Business Days of becoming aware of the relevant facts.

The High Court held that the Buyer’s claim was not time barred, preferring the Buyer’s interpretation that “becoming aware of the matter” meant becoming aware that it had a claim for breach of warranty. On the facts, the Buyer had not been aware of the claim until it had received advice from its forensic accountants, with the consequence that the Buyer had served notice of the claim on time. However, the High Court judge did not apply the contra proferentem rule (a rule in contract law which states that any clause considered to be ambiguous should be interpreted against the interests of the party that requested that the clause be included) in reaching its decision on the basis that both parties had provided warranties in the SPA. The Sellers appealed.

The Court of Appeal had to decide whether “becoming aware of the matter” should be interpreted as becoming aware:

  1. of the facts giving rise to the claim;
  2. that there might be a claim under the warranties; or
  3. of the claim itself (in other words, that there was a proper basis for the claim).

If the Court adopted interpretation 1 or 2, then it was common ground that the Sellers’ appeal should be allowed.

The Court unanimously dismissed the Sellers’ appeal. The Court noted that it was common ground that contractual limitation periods for the notification of bringing claims were a form of exclusion clause. The Court also disagreed with the High Court that the clause should not be construed contra proferentem just because both sides had given warranties. Rather, in the leading judgment, Lord Justice Briggs said that he had based his decision on the principle that any ambiguity in an exclusion clause should be resolved by adopting the narrowest possible interpretation, if linguistic, contextual and purposive analysis did not disclose an answer to the question with sufficient clarity. As interpretation 3 was the narrowest of the three, it was to be preferred. The Court viewed interpretation 2, that the obligation to notify arose when a claim was merely suspected, as commercially absurd. Interpretation 1 (that the obligation to notify arose when the Buyer became aware of the facts giving rise to the claim), which was contended for by the Sellers, would make such a large inroad into the Buyer’s ability to make a claim, for no sensible purpose, that the parties would have had to use clearer words to achieve that result. The Court also noted that the purpose of the contractual notice period was to prevent the Buyer from keeping claims up its sleeve, and that such purpose was better served by an interpretation which focused on awareness of the claim itself, rather than awareness of the underlying facts.

In this decision, the Court of Appeal chose an inherently sensible interpretation of an ambiguously drafted provision. The case is a reminder that any clause which seeks to limit the period in which a buyer may bring a warranty claim will be viewed as an exclusion clause. On this basis, to avoid uncertainty, any such clauses should be given additional attention by the parties and drafted as clearly as possible. If the commercial agreement is that the buyer’s ability to bring a claim should be significantly restricted in any way, then the parties should ensure that they use very clear words to that effect. 

For further information, please contact Adam Kuan.

Unfair prejudice: Waiver of the statutory right to claim unfair prejudice

Minority shareholders are afforded certain protections by statute, in particular, the right to bring an unfair prejudice petition under section 994 of the Companies Act 2006.  This right was designed to deal with disputes between the members of private companies (usually minority shareholders) who may be the subject of oppression but are prevented by the articles or a shareholders’ agreement from taking effective steps to resolve their difficulties or to realise the value of their investment in the company by a sale of their shares.

Section 994 provides that: "A member of a company may apply to the Court by petition for an order...... on the ground (a) that the company's affairs are being or have been conducted in a manner that is unfairly prejudicial to the interests of members generally or of some part of its members (including at least himself), or (b) that an actual or proposed act or omission of the company (including an act or omission on its behalf) is or would be so prejudicial."

Common examples of what may constitute unfairly prejudicial conduct are:

  • excessive remuneration of majority shareholders in their position as directors;
  • the majority shareholder awarding excessive financial benefits to him or herself;
  • failure to properly pay dividends;
  • misapplication of company funds or property;
  • diversion of business to another company in which the majority shareholder holds an interest;
  • abuses of power and breaches of a company’s articles of association.

In addition to the protection provided by statute, it is typical for shareholders to enter into a shareholders’ agreement seeking further protection.  However, a shareholders’ agreement may provide for any disputes arising under the agreement to be arbitrated, thus preventing the shareholder from applying to the court to bring a claim for unfair prejudice.  In this article, we consider whether a shareholder can agree to waive such a statutory right. 

Previously, there were two conflicting first instance High Court judgments on this issue. In Re Vocam Europe Ltd [1998] BCC 396, the petitioners were minority shareholders who had been removed as directors of a joint venture company. There was a shareholders' agreement under which all disputes between the parties whether or not arising under the agreement were to be resolved by arbitration. The High Court judge ordered a stay of the unfair prejudice petition. 

In the case of Exeter City Association Football Club Ltd v. Football Conference Ltd [2004] 1 WLR 2910, the rules of the Nationwide Conference League under which a member club was required to pay football creditors in full as part of any corporate voluntary arrangement (CVA) had caused Exeter City unfair prejudice because it exposed the club to an application by HM Revenue & Customs for the revocation of the CVA.  The Football Conference then applied for a stay of the petition under s.9(4) of the Arbitration Act 1996 because the dispute was referable to arbitration under the rules of the Football Association.  The High Court in this case refused a stay on the basis that the statutory rights conferred on shareholders to apply for relief were inalienable and could not be diminished or removed by contract (such as an arbitration agreement) or otherwise.

The above two conflicting cases were considered by the High Court in the case of Fulham Football Club (1987) Ltd v Sir David Richards and The Football Association Premier League Ltd [2010] EWHC 3111 (Ch).  The Fulham decision arose from Peter Crouch’s transfer from Portsmouth FC to Tottenham Hotspur FC.  Fulham FC contested that transfer alleging that Sir David Richards, the chairman of the Football Association Premier League Limited (FAPL), had acted unfairly in the transfer negotiations.  By doing so, Fulham alleged that both he and the FAPL had unfairly promoted the interests of one member club over another in breach of its articles of association and its rules (FAPL Rules).  Both the FAPL Rules and the FA Rules provided for members to arbitrate disputes.  On application to the High Court, the High Court followed the earlier case of Re Vocam Europe Ltd [1998] and a stay of the unfair prejudice petition was granted at first instance. 

On appeal, the question for the Court of Appeal was whether it had been open to the parties to agree that matters giving rise to an unfair prejudice petition would be referred to arbitration, and thereby to fetter the shareholder's right to bring a section 994 petition.  The Court of Appeal unanimously dismissed the appeal (Fulham Football Club (1987) Ltd v Richards [2011] EWCA Civ 855) and stayed the unfair prejudice petition to allow referral of the matters to arbitration.  Patten LJ, delivering the leading judgment, held that section 994 ("a member of a company may apply to the court") should not be construed as granting an unfettered right of access to the court.  Further, he held that "there is no statutory restriction or rule of public policy which prevents the parties from agreeing to submit such disputes to arbitration". 

This result is in accordance with the judicial tendency to uphold arbitration clauses, unless there is clear language to exclude certain matters from the arbitrator’s jurisdiction.  On further application to appeal by the FCC, the Supreme Court refused permission to appeal the Court of Appeal’s ruling.

Based on the above, it therefore seems likely that the court will uphold an agreement by the shareholders to waive their right to bring an unfair prejudice claim.  In practice, the Court of Appeal’s decision should be taken into account while drafting dispute resolution clauses in shareholders’ agreements and other constitutional documents, in particular when deciding whether or not to include an arbitration clause.

For further information, please contact Vidya Rao.

Contracting for cybersecurity risks for customers

Cybersecurity is a business imperative, and the reason is simple: the impact of a security breach can be severe. Any approach to cybersecurity must address each group which has access to the systems and data of a business, such as its customers, providers, affiliates and employees. This article is focussed on the cybersecurity risks for a business when contracting with its service providers.

Factors which affect risk include the type of business the customer operates, the level of access the provider has to systems and data, the data involved (and the sensitivity of the data), the potential impact of security breaches (and data being lost or stolen), and compliance with the applicable regulatory regime. The risk profile may also differ through the phases of service provision, from transition to steady state and finally, exit. The following is a summary of the key cybersecurity issues to address in the contract for services, which can be tailored by the customer to the circumstances of each deal.

  1. What arose during the customer’s due diligence in relation to the services to be provided and the provider itself which should be covered in the contract?  For example, if the provider was chosen because of their compliance with certain security standards, ensure they have a contractual obligation to continue to comply with those standards.
  2. Who has a right to access systems and data?
     • Can access be limited (physically and logically) to provider personnel who have a strict need to access systems and data?  Have those personnel been background checked and trained in data security?
     • What is the minimum amount of data that the provider needs to access?
     • How long is access required?
     • Can access be monitored and logged to provide an audit trail?
     • What other access controls can be put in place?
  3. How will systems and data be accessed, both physically and logically?  If remote access is to be provided or data is to be transmitted, what additional safeguards can be used?
  4. Be specific about how data can be used and equally explicit about any restrictions on use.  What data can be shared or disclosed to third parties and in what circumstances?  Ensure the confidentiality provisions in the contract are adequate and aligned to the provisions relating to data.
  5. What data can or must be stored by the provider?  What data cannot be stored?
  6. Where will data be stored by the provider?  Does this cause any logical or physical security concerns, or regulatory compliance concerns?
  7. How will data be stored? What security standards and controls will be in place?
  8. What protections must the provider comply with in relation to system security (e.g. anti-hacking software, anti-virus software, application of regular software updates, network security maintenance including firewalls) and storing, processing and transmitting data (e.g. encryption, especially on removable media or portable technology)?  Are the provider’s relevant standards, policies and procedures sufficient, given the harm that could result from a security breach?
  9. Can the customer’s data be segregated from other data?  In addition, can a particular data subject’s data be segregated, processed in a certain manner, ported or deleted?
  10. Can the provider introduce hardware or software into the customer’s IT environment, and how will the integration be managed to reduce risks?  The provider should be obliged to provide hardware and software free of defects, viruses and vulnerabilities, and to promptly remedy any such issues if they arise.
  11. Include an obligation for the provider to comply with applicable laws, industry standards and guidelines, and changes to the same (with any consequential impact on service delivery methods or other contractual provisions to be agreed by the parties).
  12. The customer should have its own comprehensive and current standards, policies and procedures to cover security and data protection, including policies relating to access, storage, usage and transmittal of data, document retention, employment and HR (including vetting and background checking), IT usage, privacy, and incident management.  These standards, policies and procedures must cater for the services being provided and the service delivery model offered by the provider.
     • The provider should be required to comply with the customer standards, policies and procedures as they change from time to time (again, with any further contractual impact of the change to be agreed).
     • Provider personnel should be fully trained in relation to the customer policies and the contract, including any notification and escalation provisions in the event of a breach or cyberattack.
  13. Consider the contractual consequences of a security breach.
     • Ensure there is a requirement on the provider to notify the customer of a security breach within timescales which allow the customer to comply with its regulatory or contractual notification requirements.
     • Consider also the controls the customer requires over any notification of a security breach to regulatory authorities or other third parties.
     • Include express provisions relating to the cooperation and support to be provided by the provider in the event of a security breach in order to contain a breach and its impact, to recover or restore any data (e.g. roles and responsibilities of a security breach team that the provider will make available to support the customer), and to enable the customer to comply with its obligations under regulations.
     • Require the provider to prepare an incident response plan which the parties can implement if a security breach occurs.
     • Include rights to remove provider personnel for violations of the contract.  Consider also whether rebates or credits for a failure by the provider to comply with the contract terms may encourage compliance.
  14. Consider whether liability is capped or excluded in relation to a data security breach.  Are regulatory fines stated to be a direct loss and recoverable without limit?
  15. Ensure the customer has adequate rights to terminate the contract (including express rights to terminate for breach of the data security and confidentiality provisions, or more specific obligations where necessary) and claim damages.
  16. How will data be returned or deleted?  Equally, is data retention a requirement in any circumstance, and if so, for what period?  How will equipment and materials be destroyed?  How will shared technology be disconnected?
  17. Allocate responsibility for cyber and privacy insurance with coverage and limits that are appropriate for the services provided, and the potential impact of breaches.
  18. Add provisions which require regular review of the provider’s compliance with the contract, including through reporting and governance meetings.  Ensure the contract and related policies and procedures are maintained to address new cyber threats, the available protections and changes to laws and industry standards.
  19. Include rights to audit the provider’s compliance with the contract.  Audits and risk assessments should be carried out regularly and the robustness of policies and measures (both logical and physical) should be tested periodically.

In summary, the customer needs to assess and address the risks of each services arrangement independently so that the resulting contract provides adequate protection for the customer.  And as mentioned in the introduction, there are many constituent pieces of the cybersecurity jigsaw.  As one jigsaw piece changes, the customer must review all other moving parts to ensure the customer maintains a comprehensive and cohesive approach to cybersecurity.  

For more information, please contact Tania Williams.


New 2016 voluntary code of practice: Business broadband speeds

On 26 January 2016, Ofcom (the UK communications regulator) introduced a new Voluntary Business Broadband Speeds Code of Practice[1] (the “Code”). The new Code was produced in collaboration with industry in response to reports of confusion, particularly among small and medium sized businesses, about the speed that can be achieved by their broadband services and, more specifically, the speed businesses believed they were purchasing versus the actual broadband speed.

A voluntary code

The Code is aimed at Internet Service Providers (ISPs) and participation is voluntary. For those ISPs that choose to sign up, the Code is a commitment to provide business customers with transparent and accurate information on the speeds of their standard business broadband services irrespective of the size of the business. A similar voluntary code already exists for residential broadband speeds which imposes comparable requirements on ISP signatories with respect to consumers.

The Code is voluntary and so its signatories are not held to hard and fast obligations – instead they agree to endorse the objectives of the Code and abide by its principles. Ofcom intends to monitor signatories’ ongoing compliance with the Code using measures such as mystery shopping and audits of ISPs’ internal processes, but does not provide any guarantees of compliance. As it has done with the residential code[2], it is possible Ofcom will post results of its compliance reviews on its website, naming specific ISPs.

The Code sets out in detail the specific services to which it applies, and those services that are excluded. Broadly speaking, the Code applies to ISPs providing “xDSL” broadband technologies where speeds can vary depending on the technical characteristics of the line and/or fixed broadband delivered via a fixed wireless technology. As such, the Code does not apply where broadband speeds are guaranteed or will not vary.

The Code is focused on business customers – but not all of them. Only new customers and existing customers who buy new services can take advantage of the Code – it does not apply to existing customers who merely retain their current service.

So what’s it all about?

The Code sets out five principles which signatories agree to provide to their relevant business customers:

  1. Transparent and accurate information on broadband at point of sale
  2. Detailed information after the sale and on the website
  3. Manage speed-related problems
  4. Right to exit the contract without penalty where speed problems cannot be resolved
  5. Deliver the objectives of the Code through appropriate processes

Each of these principles is outlined briefly below, and expanded on in the Code.

Principles 1 and 2: Information

Principle 1 requires ISPs, as early as practicable in the sales process and prior to the customer agreeing to purchase the service or upgrade their existing package, to provide customers with transparent and accurate information about estimated download and upload access line speeds (and throughput speeds, where available). This information must be provided in the most relevant way to the customer, which may depend on the mode of sale. ISPs must also provide a facility on their website to enable customers to find out what their estimated speeds will be if they choose a particular service.

Principle 2 requires ISPs to provide all relevant speed-related information and details about the customer’s right to exit the contract in writing within 7 calendar days of a customer purchasing a service.

Principle 3: Management

Following the parties entering into a contract for broadband services, ISPs must manage situations where customers are experiencing speed-related problems, and be able to identify the cause of the problem and whether the problem is within the ISP’s control. If it is, the ISP must take all reasonable steps to ensure it is corrected, or otherwise assist the customer by explaining possible causes and how to address them.

Principle 4: Right to exit

A key provision of the Code is the right for customers to exit their contract without penalty where the download speeds fall significantly below the range given at point of sale, and the issue cannot be resolved. “Significantly below” has been defined by the Code to mean where the speed is below the access line speed achieved by the bottom 10th percentile of similar customers of the ISP. The Code sets out the process to be followed when the right of exit may apply. Importantly, the right of exit only applies after the ISP has taken all reasonable steps to resolve the issue. While ISPs can offer other remedies, such as discounts or new lines, the customer is under no obligation to accept them in lieu of exiting the contract.

Principle 5: Appropriate processes

Principle 5 requires ISPs to have in place appropriate processes to ensure they are working within the ‘spirit’ of the Code and make every effort to comply with it. Ofcom may remove as signatories any ISPs who fail to apply the principles of the Code.

Where to from here?

Current signatories to the Code, as listed on the Ofcom website, are: BT Business; Daisy Communications; KCOM (Hull business); Talk Talk Business; Virgin Media; XLN; and Zen.[3] These ISPs must implement the Code by 30 September 2016 and must inform Ofcom when they have done so. For ISPs looking to sign up to the Code from this point forward, they must first implement the Code in order to be confirmed as signatories.

The voluntary nature of the Code and signatories’ commitment to endorse its ‘spirit’ rather than adhere to the letter, mean ISPs have a fair amount of freedom to decide whether and how they wish to implement it. Given the lack of real enforcement measures available to Ofcom, a key factor in encouraging ISPs to follow the Code is the potential for reputational damage arising out of a refusal to sign up or failure to comply.

It remains to be seen how ISPs react to the Code once operational. However, the fact seven of the top broadband providers have already signed up is a positive sign, and we might also expect that at least those ISPs who provide both residential and business services will be more willing to implement the Code without great difficulty or resistance, given they should already be accustomed to similar requirements in the residential code.

For more information, please contact Emily Featherstone or Lina Monten-Lister.

