
Intellectual property on the line in new era of app wars

Where’s the line between “inspiration” and copying? If you don’t copy code, but you introduce functionality that’s never been seen before except in an app that you happen to know really well, are you really copying? If you’re the originator of a new concept, how do you keep the hounds away? These questions are arising more and more as established apps look to maintain their dominance, and the new players look to muscle in.

In a world where the US president is telling us that fake news pervades, there appears to be a driven human need for real stories. We are, through social media apps, each individually now able to be the news, to be the story. Our followers know us – they know when we are putting it on, when we’re showing our world how it actually is.

SnapChat started with a streak – messages, photos and 10-second videos keep the messages going back and forth. They’re not interesting enough to keep, but make the recipient or sender laugh or groan. Stupid faces, half your head, your feet walking along in wet shoes, someone with a weird haircut.

Then SnapChat introduced Stories. You post photos or videos that can keep being viewed, rather than disappearing, but only stay up for 24 hours. You add content as you go through your day. You can add messages or distort the pictures with editing tools. You can reveal your story to everyone, or just a few.

In August 2016, Instagram introduced a new feature called “Instagram Stories”. It seemed remarkably similar to Snapchat. But was it copied? There were differences. It’s pretty unlikely that any code was copied. There was clear inspiration – but where does the line lie?

This has been pushed further, with Facebook’s “My Day”, and WhatsApp releasing its new “Status” feature, introduced in February 2017.

If you’re an innovator and want to introduce a new feature, what protection can you get, and what is protectable?

Copyright

Firstly, you have to prove that something has been copied. Can you prove that WhatsApp copied Snapchat? Perhaps they copied Instagram or Facebook, either of whom may have been inspired by Snapchat. Will Instagram do anything – can they?

If WhatsApp, for example, started with say Instagram’s version, not Snapchat’s one, Instagram are limited in what they can protect or enforce – where is the originality? Any argument they run will require them to reveal where the idea originated – not something they will want to tell the world. Then, there’s the test: has a substantial part of an original work been copied?

Given that the main part of Stories and Status is the user’s own copyright content (photo or video), and the relevant app is merely providing a means to do that, the value is in the functionality.

So, copyright is tricky. Tricky for the originator, because there’s not much copyright in a functional feature other than the code (the idea holds the value, not the code), but tricky for the first copier too. If the first copier is far enough away that they might avoid their work being a derivative of the first work, the second tier copier is in a much stronger position. The me-toos are following quickly, and who can stop them?

Designs

From a search of the EU register of designs, it seems that neither Snapchat, nor Instagram think designs are the way to go, unless they’re filing in the names of obscure subsidiaries. Unregistered designs last for three years from first being made public, so why bother filing? If copyright doesn’t give you real protection, you need to find something, and designs are a powerful tool when used well.

Apple and Facebook file copious numbers of designs for user interfaces, and it gives them a much stronger starting position, not least to prove that a design concept was their idea, and to have something more solid to use as a litigation weapon.

Patents

Patents are expensive and slow, but if it’s about functionality, combining things that have never been married up before, there is a decent argument that there is a technical effect. If you get threatened even with an application, it’s going to be off-putting.

But the argument that it’s just another way of presenting information is going to make getting a patent to grant pretty hard. Still, before you release your new feature, you can file a patent application. You lose nothing in terms of confidentiality, because the feature is public before your application is published – and if your application gets a battering, no one even needs to know you filed it. You can opt to withdraw it before publication 18 months later.

The conclusion? Aiming to create a battery of rights gives you some collateral to fend off the competition. That has to be worth quite a lot.

This article was first published in Lawyer 2B.

"I do" [tick] - how to get consent under the GDPR

On 2 March, the ICO released a consultation on the meaning of consent under the GDPR and, as part of this, published its draft guidance on consent (“Guidance”).  Organisations have an opportunity to respond to the consultation before 31 March 2017 and the ICO is aiming to publish the final guidance in May 2017.  Note that the Article 29 Working Party is also scheduled to publish guidance on consent later in 2017.  This article provides a summary of the main themes coming out of the draft guidance.

Consent under the GDPR

The Guidance says that “the GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms”.  Some elements of the definition of consent under the GDPR are the same as the definition under the current Directive – it must still be freely given, specific and an informed indication signifying agreement.  Under the GDPR the indication signifying agreement must also be “unambiguous” and involve a “clear affirmative action”.  Individuals have enhanced rights under the GDPR where an organisation is processing their personal data based on their consent (for example, a right to erasure/to be forgotten and a right to data portability).

Explicit consent

Organisations will need to obtain explicit consent for automated decision making (including profiling), and when relying on consent as the lawful basis for processing sensitive personal data or for transferring personal data outside of the EEA.  The Guidance clarifies what is meant by “explicit consent”, as this concept appears in the GDPR but isn’t defined. 

Explicit consent requires a very clear and specific oral or written statement of consent.  For example, having the wording “I consent to receiving emails about your products and special offers” with an unticked opt in box.  Explicit consent cannot be obtained using any other positive action such as a clear affirmative action not involving a clear statement.  For example, having the wording “By entering your email address you agree to us sending you emails about our products and services” and a box for individuals to enter their email address, as this is implied consent rather than explicit consent.  To obtain explicit consent, organisations will also need to provide individuals with sufficient information about what they are consenting to, such as, the nature of the sensitive personal data, the automated decision and its likely effect or the data to be transferred outside of the EEA and associated risks. 

Implied consent

The Guidance says that the idea of an “affirmative act” still allows organisations to use implied consent in some circumstances and that the “key issue is that there must be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.  This is positive for businesses, which may still be able to use statements such as “By clicking submit, you consent to us contacting you by email with monthly offers”.  The Guidance, however, flags that implied consent “won’t always be appropriate” and “would not extend beyond what was obvious and necessary

Bundling consents

Organisations should avoid making consent a precondition of a service.  The Guidance says “consent requests must be separate from other terms and conditions.  Consent must not be a precondition of signing up to a service unless necessary for that service”.  Consents may be bundled where the processing is genuinely necessary to provide the services; however, the ICO flags that a different lawful basis for processing may be more appropriate if this is the case.

What getting consent right looks like

  • Positive opt in – The individual is given a genuine choice and control over how their personal data is used and takes a deliberate action to opt in.  For example, signing a statement, giving oral confirmation or making a binary choice (where both choices have equal prominence).
  • Unbundled, specific and granular - Consent for processing personal data is separate from other terms and conditions and obtained separately for each distinct processing operation (where consent is the basis for processing).  If the processing is a condition of a service but not actually required for the service, the Guidance says that this consent will be presumed invalid as it is not freely given.
  • Prominent, clear and concise – Consent mechanisms must be easy to use and the language used must be clear, concise and easy to understand.
  • Third parties – Organisations will have to name the third parties who will rely on consent being given.  This is going to be a challenge for many organisations and the Guidance is clear that naming the types of organisation won’t be good enough to satisfy this requirement.
  • Withdrawing consent – You tell people how to withdraw consent and make it easy for people to do so.
  • Clear records – You keep evidence of who provided consent, when the consent was provided, how the consent was provided and what the individual was told.
  • Review – You keep consent under review and refresh it if anything changes.  The ICO emphasises that consent is an ongoing and actively managed choice and not a one-off compliance tick box.

What is clearly banned

  • Pre-ticked boxes - Pre-ticked opt-in boxes and other forms of consent by default.  The Guidance makes it crystal clear that a failure to opt out is not consent and it also says that “You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.”
  • Confusing language - Double negatives or inconsistent language that is likely to confuse individuals.
  • Disruptive mechanisms - Consent mechanisms that are unnecessarily disruptive to individuals. 
  • Imbalance in the relationship - Employers and public authorities will find it hard to rely on consent and the Guidance says it should be avoided.  This is because where there is a dependence on an organisation for services or a fear of adverse consequences, individuals may feel that they do not have a genuine choice and so consent is not freely given.
  • Vague or blanket consent – Consents worded so vaguely that they do not provide clear and specific information about what the individual is consenting to.
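The two checklists above (what a compliant mechanism looks like and what is banned) can be turned into a pre-release check that an engineering team runs against each consent control before it ships. The following is an added example and is not part of the Kemp Little article or the ICO Guidance: the field names, the list of generic third-party labels, the first-person wording test for explicit consent and the double-negative heuristic are all assumptions made for this illustration, not ICO definitions.

```python
"""Check a consent mechanism against the draft ICO Guidance checklist.
Added example; field names and heuristics are the example's own assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Labels that name a *type* of organisation rather than an organisation (assumed list).
GENERIC_THIRD_PARTY_LABELS = {"partners", "selected partners", "third parties", "affiliates"}
# Tokens counted when looking for double negatives in the wording (heuristic).
NEGATIONS = (" not ", "n't ", " never ", " no ")


@dataclass
class ConsentRequest:
    purpose: str                          # e.g. "marketing_email" (constructed label)
    wording: str                          # text shown beside the opt-in control
    action: str                           # "tick_box", "signature", "oral", "submit_click", "none"
    default_opted_in: bool = False        # pre-ticked box or opt-out default
    separate_from_terms: bool = True      # not buried in the general T&Cs
    precondition_of_service: bool = False
    necessary_for_service: bool = False
    third_parties: List[str] = field(default_factory=list)
    withdrawal_method: Optional[str] = None
    explicit_required: bool = False       # sensitive data, automated decisions, non-EEA transfers


def is_explicit_statement(wording: str) -> bool:
    """Heuristic: a first-person statement ('I consent to ...') counts as explicit;
    'By clicking submit you agree ...' is the implied form the Guidance distinguishes."""
    w = wording.strip().lower()
    return w.startswith(("i consent", "i agree")) and not w.startswith("by ")


def check_consent_request(req: ConsentRequest) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    issues: List[str] = []
    if req.default_opted_in:
        issues.append("consent by default: pre-ticked boxes and opt-out defaults are banned")
    if req.action == "none":
        issues.append("no affirmative action: silence or inactivity is not consent")
    if not req.separate_from_terms:
        issues.append("consent request is bundled with other terms and conditions")
    if req.precondition_of_service and not req.necessary_for_service:
        issues.append("consent is a precondition of a service it is not necessary for: presumed not freely given")
    for name in req.third_parties:
        if name.strip().lower() in GENERIC_THIRD_PARTY_LABELS:
            issues.append(f"third party {name!r} is a type of organisation, not a named one")
    if not req.withdrawal_method:
        issues.append("no withdrawal route is stated")
    explicit_ok = req.action in ("tick_box", "signature", "oral") and is_explicit_statement(req.wording)
    if req.explicit_required and not explicit_ok:
        issues.append("explicit consent needs a clear statement of consent, not implied agreement")
    padded = f" {req.wording.lower()} "
    if sum(padded.count(n) for n in NEGATIONS) >= 2:
        issues.append("wording contains more than one negation; check for a double negative")
    return issues


def record_consent(req: ConsentRequest, subject_id: str, when_iso: Optional[str] = None) -> Dict[str, str]:
    """Capture the evidence the Guidance asks for: who, when, how, and what they were told.
    Refuses to record consent collected through a mechanism that fails the checks."""
    problems = check_consent_request(req)
    if problems:
        raise ValueError("non-compliant consent mechanism: " + "; ".join(problems))
    when_iso = when_iso or datetime.now(timezone.utc).isoformat()
    return {
        "who": subject_id,
        "when": when_iso,
        "how": req.action,
        "purpose": req.purpose,
        "told": req.wording,
        "third_parties": ", ".join(req.third_parties),
        "withdraw_via": req.withdrawal_method or "",
    }


if __name__ == "__main__":
    # Constructed sample: the Guidance's own 'I consent to receiving emails ...' wording.
    sample = ConsentRequest(
        purpose="marketing_email",
        wording="I consent to receiving emails about your products and special offers",
        action="tick_box",
        third_parties=["Kemp Little LLP"],
        withdrawal_method="unsubscribe link in every email",
    )
    print(check_consent_request(sample))
    print(record_consent(sample, "subject-0001"))
```

The record returned by `record_consent` is the minimum the "Clear records" bullet asks for; storing it alongside the version of the wording shown is what lets you answer, later, exactly what an individual was told when they opted in.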

Tips

  • If consent is difficult, it is an indication that you should be considering another lawful basis.  The ICO says that if you would still process personal data without consent, asking individuals for consent is “misleading and inherently unfair”.  Consent will still be needed for direct marketing (unless soft opt-in is available but note that the European laws on direct marketing are currently under review) and for using personal data for a new incompatible purpose.
  • You should review where you rely on consent and consider whether another lawful basis might be more appropriate.  For example, is the processing necessary to fulfil a contract with the individual or to comply with a legal obligation? Or do you have a genuine and legitimate reason, which includes a commercial benefit, that is not outweighed by harm to the individual’s rights and interests (note that you will still need to be fair, transparent (i.e. tell people) and accountable). 
  • Where consent is still needed, review the consent mechanisms that are currently used and identify gaps between current practices and the higher standards that are mandated under the GDPR. 
  • Develop an approach to refreshing consents that don’t meet the GDPR standards in advance of 25 May 2018.
  • Implement a process for regularly reviewing consents, quickly responding to withdrawals of consent and for updating/refreshing consents if things change.

Note that the GDPR contains specific provisions on children’s consent and consent for scientific research, which this article does not go into. The Guidance is out for consultation until 31 March if you would like to comment; contact us if you would like our assistance.

Amazon and the $150 million typo: cloud risks for early stage companies, and how to mitigate them

Although the impact was not quite as big as some headlines had suggested (“Amazon Just Broke the Internet”), the outage of Amazon’s Simple Storage Service (S3) in the US-East-1 region on Tuesday 28 February caused significant disruption. The Wall Street Journal quoted Cyence Inc., a start-up specialising in cyber-risks, as estimating that the Amazon outage cost companies in the S&P 500 index $150 million. Apica Inc., a website-monitoring company, said 54 of the internet's top 100 retailers saw website performance slow by 20% or more. Connected lightbulbs, thermostats and other IoT hardware were also impacted, with many unable to control their devices as a result of the outage. Nest warned customers that its internet-connected security cameras and smartphone apps were not functioning properly as a result of the Amazon issue. Amazon was unable to update its own Amazon Web Services (AWS) status dashboard for the first two hours of the outage because the dashboard itself depended on the unavailable systems.

Amazon’s explanation was that “an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended." Removing a significant portion of the server capacity required full restarts and this problem was compounded by the fact that parts of the system had not been completely restarted for several years, a process which took longer than expected.

As a result of the outage, Amazon said it is making several changes to the way its systems are managed and promised to make changes to improve the recovery time of key subsystems.

In signing up to cloud hosting contracts, a lot of companies assume everything will be fine and their websites, applications and data will always be available when needed, particularly if they are choosing one of the leading providers of hosted services such as AWS. In August 2016 Gartner identified AWS and Microsoft as the only two companies in its “Leader” category for cloud infrastructure as a service (IaaS) worldwide (ranking AWS ahead of Microsoft) and said that “The market for cloud IaaS has consolidated significantly around two leading service providers”. This consolidation increases the impact of outages such as the one impacting Amazon’s S3 service.

Given the potential impact of an outage on critical services, customers may need to reconsider how they mitigate the risk of downtime, and we discuss the possible options below.

Increasing the target for availability

Taking Amazon’s S3 service as an example, when used in a single region it is said to be designed for 99.99% availability, with a service level agreement for availability of 99.9%. However, relying on a service in a single region creates a potential single point of failure. The Amazon outage on 28 February involved just one region, US-East-1 in northern Virginia, USA, but its impact was so significant because this is the most heavily used region in the AWS global infrastructure.

The impact would not have been so significant if AWS customers had chosen a multi-region architecture as sites and applications using S3 in a different region would not have been affected. AWS currently operates 42 availability zones (AZs) within 16 geographic regions around the world. AZs consist of one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities, miles apart from each other on separate flood plains. By contrast, another of AWS’s services, EC2, provides an SLA of 99.95% but this greater availability threshold is based on deployment to at least two AZs (although S3 can only be selected by region, not by AZ).

The disadvantage of this approach is that multi-region implementations will increase cost and complexity. Customers are understandably reluctant to achieve an extra ‘9’ of availability by selecting another region and potentially doubling their hosting costs. However, the additional costs and complexity will need to be measured against the risks of operational disruption, financial loss and reputational damage arising from significant unavailability of critical data and/or applications in a worst case scenario.
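The arithmetic behind the “extra ‘9’” is worth making concrete, because it also shows where the gain evaporates. The following is an added example, not from the article or from AWS: only the 99.9% S3 SLA and the 10% service credit figures are taken from the article, and the common-mode failure probability is a constructed assumption. Two independent regions turn 99.9% into roughly 99.9999% on paper, but any dependency shared by both regions (the article’s own instance is the AWS status dashboard depending on S3) puts a floor under the downtime that no amount of regional redundancy removes.

```python
"""Availability arithmetic for single-region versus multi-region hosting.
Added example; all figures other than the 99.9% SLA and 10% credit are constructed."""
import math
from typing import Dict, Sequence

MINUTES_PER_YEAR = 365 * 24 * 60


def series(components: Sequence[float]) -> float:
    """A site that needs every component at once (DNS, app tier, S3 in one region)
    is up only when all of them are up: availabilities multiply."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel(copies: Sequence[float]) -> float:
    """Independent redundant copies (the same data served from two regions, with
    working failover) are down only when every copy is down."""
    all_down = 1.0
    for a in copies:
        all_down *= 1.0 - a
    return 1.0 - all_down


def parallel_with_common_mode(a: float, n: int, p_common: float) -> float:
    """Redundancy with a shared failure mode (one control plane, one DNS zone, one
    deploy pipeline). Assumption: with probability p_common every copy fails
    together; otherwise the n copies fail independently."""
    return (1.0 - p_common) * parallel([a] * n)


def downtime_minutes_per_year(availability: float) -> float:
    return (1.0 - availability) * MINUTES_PER_YEAR


def nines(availability: float) -> float:
    """Count of nines: 0.999 -> 3.0, 0.9999 -> 4.0."""
    return -math.log10(1.0 - availability)


def s3_style_credit(monthly_fee: float, measured: float, sla: float = 0.999, credit_pct: float = 10.0) -> float:
    """The remedy the article describes: a 10% credit on the monthly fee when
    measured availability falls below the 99.9% SLA, and nothing otherwise."""
    return monthly_fee * credit_pct / 100.0 if measured < sla else 0.0


def compare(single_region: float = 0.999, p_common: float = 0.0005) -> Dict[str, float]:
    """Worked comparison: one region, two independent regions, and two regions that
    share a constructed 0.05% chance per year of failing together."""
    two_ideal = parallel([single_region, single_region])
    two_real = parallel_with_common_mode(single_region, 2, p_common)
    return {
        "single_region_minutes": round(downtime_minutes_per_year(single_region), 1),
        "two_regions_ideal_minutes": round(downtime_minutes_per_year(two_ideal), 2),
        "two_regions_common_mode_minutes": round(downtime_minutes_per_year(two_real), 1),
    }


if __name__ == "__main__":
    for label, minutes in compare().items():
        print(f"{label:>32}: {minutes} minutes of downtime per year")
    # A 99.9% SLA still permits 525.6 minutes a year, which a 10% credit barely acknowledges.
    print("credit on a $1,000 month at 99.8% measured:", s3_style_credit(1000.0, 0.998))
```

The `series` function is the one to run over your real dependency chain first: a 99.9% storage region behind a 99.9% app tier and a 99.9% DNS provider is already below 99.8% before any region is duplicated, and the credit formula shows why contractual remedies are a weak substitute for architecture.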

Negotiating a stronger contractual position

Contracts with major hosting providers usually restrict the customer’s remedy to service credits if the provider fails to meet its availability target. For Amazon’s S3 service for example, if availability falls below the service level of 99.9% in a month customers would typically be awarded a service credit of 10% of the monthly fee. This may well be wholly insufficient recompense to customers who need to ensure that they can access their data or keep their sites and applications up and running at critical times, particularly if the service credits do not cover customers’ liability to their own customers as a result of unavailability.

The major hosting providers have shown some willingness to offer more contractual protection for their customers by offering increased limits on their liability for damages caused by service level failures but this has come with a significant cost in terms of fees or only been available to customers spending very significant sums with the hosting provider. Such additional legal protection has typically not been afforded to customers spending less, and this is understandable: from the hosting providers’ perspective, they are offering a low-cost and largely commoditised solution and it is simply not realistic to expect them to carry significant legal risks at the price point at which the lower end services are offered. In other words, you don’t get what you don’t pay for, and so at the cheaper end of the market where commoditised services are being provided, customers are very unlikely to be able to negotiate better legal protections.

However, where high levels of availability are essential to their business model customers should insist on having visibility over who is hosting their data and applications and ensure that during contract negotiations suppliers are required to identify all key subcontractors (and their subcontractors) so that the customer can identify potential vulnerabilities in the supply chain and consider steps to mitigate the risk of downtime before becoming committed to the contract.

Taking more control over hosting arrangements

Moving away from a massive scale, multi-tenant model towards a single-tenant, private cloud or even on premise deployment provides an opportunity for more control but at a cost both financially and in terms of operational flexibility. The cost benefits of deploying to the cloud are a significant source of advantage for start-ups and smaller organisations which do not have a major investment in existing on premise hardware, combined with the agility and flexibility of cloud computing and instant access to global infrastructure. In contrast, large enterprises deploying to the cloud face a considerable incremental cost in addition to maintaining legacy on premise resources until these can be retired, a process which may take several years.

Even for start-ups though, the need to take control over how critical services are delivered may outweigh the costs. Digital challenger bank Monzo, which offers a contactless prepaid Mastercard and plans to offer a free current account this year, said that a severe outage resulting in its cards and app not working for most of Sunday 5 March was caused by a third party processor used by Monzo to connect to payment networks. When it first started it made sense for Monzo to use a third party processor because the process for connecting directly to the payment networks was long, costly and complex and at the time there seemed to be no benefit to its customers. However, Monzo has just finished a 12-month project to connect directly to Mastercard so that it can process transactions entirely using its own technology. Announcing this change in a blog post published on 6 March, Monzo's head of engineering Oliver Beattie said that "We see ourselves as a technology company as much as a bank, and going forward our strategy is to bring all critical systems in-house and continue to develop our own platform atop modern technology which we control.”

Local back-ups as a safety net

Despite the attractiveness of short-term savings in moving data and applications to a single-region, cloud-based solution, this approach could end up being very costly if businesses are dependent on a single point of failure without having an alternative solution which they can access quickly. From a practical perspective, whatever model they adopt for hosted services, customers need to ensure that they make regular back-up copies of their data stored by a hosting provider, downloading copies of the data to their own systems or to an alternative hosting provider so that if absolutely necessary they can quickly implement an alternative solution.

The same applies to software: keeping full back-up copies of key applications on-site means that, should a hosting provider have an extended outage, there is at least an option to redeploy elsewhere rather than risk an indefinite interruption in service.
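A local copy is only a safety net if you know it is recent and intact before the day you need it, which is why a restore drill should verify both. The following is an added example, not from the article: it writes a manifest of SHA-256 digests when a copy is taken and later checks that copy for staleness, missing files and silent corruption. The manifest layout, the sample files and the 24-hour freshness limit are constructed assumptions for this illustration.

```python
"""Freshness and integrity check for a local copy of cloud-hosted data.
Added example; the manifest layout and freshness limit are the example's own assumptions."""
import hashlib
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List

# Constructed sample backup: file name -> contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "db.sql": b"-- constructed database dump\nINSERT INTO accounts VALUES (1, 'alice');\n",
    "config.json": b'{"region": "us-east-1"}\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: Dict[str, bytes], taken_at_iso: str) -> dict:
    """Record what the copy contained when it was taken: each file's digest plus a
    timestamp. Keep the manifest with the copy so a later drill can verify it."""
    return {"taken_at": taken_at_iso, "files": {name: sha256_hex(data) for name, data in files.items()}}


def read_tree(root: Path) -> Dict[str, bytes]:
    """Load a directory of backup files into memory as name -> bytes (small copies only)."""
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def verify_backup(manifest: dict, files: Dict[str, bytes], now_iso: str, max_age_hours: float) -> List[str]:
    """Return the problems found; an empty list means the copy is both fresh and intact."""
    problems: List[str] = []
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    now = datetime.fromisoformat(now_iso)
    age = now - taken_at
    if age > timedelta(hours=max_age_hours):
        problems.append(f"stale: copy is {age} old, limit {max_age_hours}h")
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != digest:
            problems.append(f"corrupt: {name} digest mismatch")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name} not in manifest")
    return problems


if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_FILES, "2017-03-01T00:00:00+00:00")
    print("fresh copy:", verify_backup(manifest, SAMPLE_FILES, "2017-03-01T12:00:00+00:00", 24))
    damaged = dict(SAMPLE_FILES, **{"db.sql": b"-- truncated"})
    print("damaged copy:", verify_backup(manifest, damaged, "2017-03-01T12:00:00+00:00", 24))
```

Run `verify_backup` against `read_tree(Path("/path/to/local/copy"))` on a schedule, and treat any non-empty result as an incident: a backup that fails this check offers no more protection than the outage it was meant to cover.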

Worth paying the extra hosting fees?

While cloud storage and processing does offer significant price and operational advantages for start-ups, it may well be worth even early stage start-ups thinking about the relative costs of paying for hosting in an extra region and/or with an alternative provider, weighed against the impact on operational stability, reputation and customer retention that a prolonged full outage might have on a growing business. Even the most heavily negotiated hosting contracts are highly unlikely to afford adequate recompense for the effects of a full outage after it has happened. As such, while it is still strongly advisable to review the contracts (not least to ensure compliance with, for instance, data protection legislation), the strongest way to deal with the risks emanating from an outage is probably still to use an architecture for the hosting of data and software that will minimise the risk of there being a full outage in the first place.

Banking Standards Board publish SMCR good practice statement

The introduction of the Senior Managers and Certification Regime (“SMCR”) a year ago has seen an increased focus on accountability and standards of fitness and propriety. For those firms within the new regime, this has meant reviewing how they assess individuals as fit and proper, both when hiring senior managers and certification staff and when running their first annual certification process.

To assist firms looking for specific guidance as to how best to do this we set out links below to documents published by the Banking Standards Board (“BSB”).

Although these publications are aimed at banks and building societies, they will also be of use to other regulated firms, particularly in view of the proposed extension of the regime next year to all FSMA regulated firms.

Please see below for quick links to the BSB statements:

If you have any questions or would like to discuss how best to integrate this guidance into your internal processes, please contact a member of the Kemp Little team.

InsurTech: deadline approaches for Pensions Dashboard prototype

As the March 2017 deadline approaches for the implementation of a Pensions Dashboard prototype, we consider the purpose of the Dashboard and its features, the key legal issues that will arise, and the timeline to full implementation.

Background

The concept of a Pensions Dashboard was introduced in the 2016 Budget, as part of the Government’s strategy to encourage the public to engage with retirement planning and follows earlier initiatives, such as auto-enrolment into workplace pension schemes and the 2015 reforms enabling pensioners more flexibility in drawing down from their pensions pots.

The Dashboard will allow individuals to view all of their pension products through an online portal, as the Government, together with industry, recognised that the public is increasingly engaging with financial services through the internet and other digital platforms.[1]  It is hoped that the dashboard will facilitate better accessibility and management of personal financial information and financial products.

The project follows the results of research from the Department of Work and Pensions (DWP) which found that, on average, individuals will work for eleven employers during their working life, which means that upon retirement individuals often have several pensions, some of which cannot be easily located.  The intention is that the dashboard will provide a link to “lost” pension pots with previous employers and could help release the £400 million worth of pension savings that the DWP estimates remain unclaimed.

The Treasury (as the Government department responsible for supporting the project) is aiming for the Dashboard to be made available to the public by 2019 and, in advance of this, has targeted March 2017 as the launch date for a prototype capable of proving that the concept is workable.[2] 

The Association of British Insurers (ABI) is tasked with leading the development of the Dashboard, along with industry stakeholders, including insurance companies[3], regulators and trade bodies (the “Project Group”).

Development

The Project Group has been asked to work with insurance companies to: (i) agree the design of the infrastructure for data sharing; (ii) build and demonstrate a basic working prototype using anonymised customer data; and (iii) propose potential solutions for the development of an industry-wide dashboard.[4]

In December last year, six fintech firms were selected to join the Project Group to develop the technology behind the Dashboard[5].  The development has been split into the following categories:

  • Dashboard user interface (how people will interact with the Dashboard);
  • Pensions finder services (how the system retrieves information on people’s different pension pots);
  • Identity providers (verification of people’s identity);
  • Integration service providers (providing the networks and support some pension firms will need to share data with the Dashboard); and
  • Matching / data quality analysis (overcoming the challenges of locating everyone’s pension(s) such that they appear in the Dashboard).[6]

The Project Group has been asked to consider how the platform will be made available to the public, including the following options:

  1. Single destination model: A single dashboard user interface, accessible through one source (for example a consumer guidance brand or a not-for-profit website).
  2. White-labelled model: As above, a single dashboard user interface, but white-labelled and accessible through the websites of several financial services providers (such as banks, pension providers, financial advisers and fintech start-ups).
  3. Federated model: This approach would consist of many different types of dashboard user interfaces, so that each provider could independently develop the look and feel and the user journey to suit its own customers.

Customer research carried out by the Project Group has indicated that the single destination model is favoured by consumers (because of the trust placed in one reputable provider, and the simplicity this provides), and the Project Group has recommended that this model is taken forwards through the initial stages of development, but it remains to be seen whether this model prevails over the others and is ultimately taken forward as a live product.

Key legal issues

Legislation

While the project has been supported from the outset by major insurers, there is a concern that without legislation some insurers, including smaller insurance companies and those providing defined benefit schemes (which, ostensibly, have less to gain by participating), will not provide the necessary data such that individuals can access all their pension scheme information in one place.

If the project fails to win wide enough support across the industry, the Government may consider legislating such that participation is made mandatory[7] – and this is a move which seems to be welcomed by those insurers already supporting the project.[8]  This approach is similar to that taken in respect of open banking, in which the Government and the Competition and Markets Authority (CMA) had encouraged retail banks to work towards standardising both customer data sets and accessibility but which ultimately saw the CMA introduce a final order requiring the co-operation of retail banks, in February 2017.[9]

Regulatory oversight

The potential role of regulators in oversight of the Dashboard will, to some extent, be determined by the Dashboard model which is adopted.  It is possible that insurers adopting the white-labelled or federated models will find that the activities they perform in relation to the Dashboard (such as inputting data and (potentially) promoting insurance products as part of the Dashboard offering) will be covered under existing oversight by the Pensions Regulator (TPR) and the Financial Conduct Authority (FCA).

It remains to be seen whether an independent third-party operator (such as a not-for-profit or a consumer guidance brand) operating a single destination model would need to be regulated and to what extent it is subject to regulatory oversight. If such activities were subject to burdensome regulation, the costs associated with compliance may deter not-for-profits from supporting the single destination model.

Data sharing

The regulatory bodies have duties and enforcement powers around use of data, communication with customers and acting in the best interests of customers, and are likely to have decisions to make on the data which flows into the Dashboard.

If legislation is required to ensure pension providers submit data to the Dashboard, regulators, such as the FCA and the TPR, may need to monitor providers to ensure that they are complying.

The integrity of the personal data in the Dashboard will be subject to data protection legislation (including the more onerous requirements of the General Data Protection Regulation from May 2018).  The insurers submitting data and the provider of the Dashboard (in the event that it is a third-party which is not a financial services provider) will need to work together to ensure that individuals’ data is accurate, kept up to date, and retained for as long as is necessary to meet the needs of those individuals.  It is unclear how the insurers, the Dashboard provider, and other stakeholders, will contract with each other and how the risks associated with data breaches will be apportioned between them.  This is likely to emerge as a key risk issue as participants scope and quantify their liability in relation to supporting the Dashboard.

Financial regulation

The issue of whether the provision of the Dashboard would be a regulated activity is, at this stage, of less concern to authorised firms, as the Dashboard may fall within the scope of their existing regulated activities.

However, there remains the possibility that the provision of the Dashboard is found by the FCA to constitute a new type of regulated activity, which would mean that regulated firms would need to obtain additional authorisation for the new regulated activity.

Additionally, if the provision of a Dashboard is found to fall within existing regulated activities or to constitute a new regulated activity, third party providers under the single destination model would find themselves within the scope of FCA oversight and would need to undergo the costly and time-consuming process of becoming authorised.  As referred to further above, this regulatory burden could prevent not-for-profit organisations from participating.

In any event, any organisation considering supporting the Dashboard (through any of the three models set out in the section further above) should consult with regulators early so that it can ensure it has the necessary authorisations in place in advance of the launch of the Dashboard.

Next steps

In its Pensions Dashboard white paper, published last year, the ABI stated its intention to oversee the production of an end-to-end prototype before the end of Q1 2017. At the time of writing, the prototype has not been announced and, until such a prototype emerges, concerns will remain as to whether the project can be delivered on time, as a customer-facing product, in 2019.

As the development of the Dashboard continues behind the scenes, stakeholders should ensure they are prepared for its introduction and, in particular, consider the ways in which they are likely to contribute customer financial data to the Dashboard and the likely regulatory and data protection risks associated with participation.


[3] The sixteen insurance companies participating in the project in November 2016 are Abbey Life, Aon, Aviva, Fidelity International, HSBC, Legal & General, Lloyds Banking Group (Scottish Widows), LV=, NEST, Now: Pensions, People’s Pension, Phoenix, Prudential, Royal London, Standard Life, Willis Towers Watson and Zurich.

[5] The six fintech firms are Aquila Heywood, Experian, ITM, Origo, Runpath and Safran.

Scope of retainers

It is well established that, prima facie, the extent of any professional duty depends upon the terms and limits of the retainer. There have been several cases in recent times where the courts have had to consider whether a professional owed his client a duty to advise on matters that were beyond the scope of the work as set out in the retainer letter. One such recent case is Denning v Greenhalgh Financial Services Ltd [2017] EWHC 143 (QB), where the court considered the scope of the duty of care owed, under the terms of a retainer, by a pensions adviser.

Facts:

The claim concerns an allegation of professional negligence on the part of Greenhalgh Financial Services Limited (“GFS”) upon the basis that GFS was in breach of a professional duty (in tort and/or contract) owed to the claimant by not performing a detailed review of pension transfer advice given to the claimant some eight years earlier by unrelated advisers.

In 2000, the claimant instructed Alexander Forbes Financial Services Ltd (“AF”) to provide pensions advice. AF advised the claimant to transfer his occupational pension to another provider. In 2008, the claimant, dissatisfied with the service provided by AF, instructed GFS to provide advice on the management of his investments. In 2009 and 2010, the claimant complained to the Ombudsman regarding AF’s advice, but the Ombudsman found that the limitation period had passed in relation to the advice provided in 2000. In 2013, the claimant issued a claim against GFS alleging that GFS had been negligent in failing to advise him on a potential claim against AF and the applicable limitation periods. The claimant alleged that, but for GFS’s negligence, he would have issued a claim against AF in 2008 and would have received substantial damages.

The claimant relied on the earlier case of Credit Lyonnais SA v Russell Jones & Walker [2002] EWHC 1310, where it was held that a professional may owe a duty to give advice outside the scope of a retainer if, in the course of performing the retainer, the professional comes upon information which would lead any competent professional to perceive and advise upon a legal risk. It was emphasised that, although a solicitor was under no general obligation to expend time and effort upon issues outside the scope of the retainer, if, in the course of doing that for which the solicitor was retained, he became aware of a risk or potential risk, it was his duty to inform the client. If, in the course of performing his instructions within his area of competence, a lawyer noticed or ought to have noticed a problem or risk for the client which it was reasonable to assume the client did not know about, the lawyer was required to warn the client.

The court distinguished this case from Credit Lyonnais on the basis that GFS was instructed to advise upon the claimant’s present and future financial requirements: the retainer was prospective. The information on the earlier transfer was provided for history and context only, and no fee was to be paid to GFS to review the previous advice. There was no commercial or factual connection between the earlier transfer and the advice that GFS was asked to give. Further, the advice which it was argued GFS should have provided was in any event different in nature to that which was the subject matter of the retainer. On these facts, Green J held that GFS owed no duty to advise on the possibility of a claim against AF and that the claim had no real prospect of success.

Conclusion:

It is a relief to professionals that an extended duty to advise will only arise in “obvious cases”, and that there must be a “close and strong nexus” between the retainer and the matter on which it is said that the professional should have advised but failed to do so. This implies that if a client receiving professional advice wishes for any specific advice that is not covered by a retainer, it should be discussed with the professional and the retainer amended accordingly. It is also a reminder of the importance of setting out the scope of work clearly in the retainer and, if relevant, specifying that there will be no review of past advice and that the professional will not consider whether the client should complain about past advice.

Corporate criminal liability for economic crime: regime consultation begins

The UK Government begins its consultation for potential changes to law on corporate criminal liability for economic crime

The UK government has issued a call for evidence to academics, business, civil society, lawyers and other interested parties across the UK to consider whether there is a case for changes to the regime for corporate criminal liability for economic crime in the United Kingdom. The call for evidence, which remains open until 24 March 2017, notes in its introduction that “corporate economic crime is serious offending that causes harm to individuals, businesses and the economy at large. It needs to be addressed effectively”.

The crux of the issue is the so-called “identification principle” in English law, which provides that (other than in relation to strict liability offences) a company can only be criminally liable where the offence can be attributed to a person who was the “directing mind and will of the company”. This has made it notoriously difficult to bring criminal proceedings successfully against UK companies, particularly large multi-national businesses. The Bribery Act 2010 introduced a potential new way of attributing liability to companies: section 7 of the act provides that a company will be guilty of an offence if it fails to prevent bribery. The company may have a defence if it can show that it implemented procedures designed to prevent bribery. A similar “failure to prevent” model will be included in the forthcoming Criminal Finances Act as a way to prevent tax evasion.

The consultation paper explores in depth the corporate “failure to prevent” model, and presents a number of options for potential reform of the law:

  • Amendment of the identification doctrine – This option would involve abolishing the current common law and creating a new version of the identification principle in legislation, for example by broadening the scope of those regarded as a directing mind of a company.
  • Strict (vicarious) liability offence – This would make the company guilty, through the actions of its employees, representatives or agents, of the substantive offence, without the need to prove any fault element such as knowledge or complicity at the corporate centre. A similar “let the master answer” principle exists in the United States.
  • Strict (direct) liability offence – Rather than focus on the substantive offence (as the option above does), this offence would allow a company to be convicted (without the need to prove fault) of a separate offence akin to a breach of a statutory duty to ensure that economic crime is not committed in its name or on its behalf. The company would have a defence if it could show that it had proper procedures in place for the prevention of the relevant underlying offence.
  • Failure to prevent as an element of the offence – Here, failure by those managing a company to prevent the relevant crime would be an element of the corporate offence. The prosecution would need to prove both the predicate offence and that it occurred as a result of a management failure (either negligent conduct or a lack of proper systems to prevent the predicate offence occurring). This is similar to the previous option, but would place the burden on the prosecution to show that the company had not taken adequate steps to prevent the wrongdoing.
  • Investigate the possibility of regulatory reform on a sector-by-sector basis – The paper notes that there has been significant reform in the regulation of the financial services industry, and comments that there may be lessons which can be learned and applied more broadly.

The government will review the information received pursuant to the call for evidence and, if it determines that a new form of corporate liability for economic crime is required, there will be a full consultation on a detailed proposal and draft legislation.

Brexit: the birth (and death) of the "reverse cross-border merger"?

In the wake of the Brexit vote, companies (and their lawyers) have been dusting off a once overlooked piece of EU law to aid their Brexit restructuring plans.

Directive 2005/56/EC relating to cross-border mergers of limited liability companies sets out the procedure by which a company incorporated in an EEA jurisdiction can be absorbed by another company in a different EEA jurisdiction.

In a recent High Court case involving a UK company and its Italian subsidiary, the court made an unprecedented ruling that a reverse cross-border merger under the directive was lawful. As a result of the ruling, the assets and liabilities of the UK parent company were merged into its Italian subsidiary and the shareholders of the UK parent became the shareholders of the Italian subsidiary. In essence, the subsidiary takes the place of the parent and the parent company ceases to exist – this is what makes it a “reverse” merger.

Of course, the ruling has piqued the interest of boards in companies headquartered in the UK but with group companies in the EEA as a way to base such companies within the EEA prior to Britain leaving the EU.

The ruling does increase the number of restructuring options open to companies looking to up sticks and move to mainland Europe; however, it is unlikely that a reverse cross-border merger of this type will end up being the preferred option for such companies. This is because the process in the UK involves a number of complexities – such as public advertisement in the London Gazette, at least one court hearing, a possible independent expert’s report and the risk of creditors vetoing the transaction – which can push out the timeline and make it commercially unattractive.

It is also ironic that the state of affairs bringing this form of restructuring to life – Brexit – will also be the death of it, as the EU directive (and no doubt the UK’s implementing legislation) will no longer be law once Britain leaves the EU.

AI in the dock: the Trial of Superdebthunterbot

It’s not often that the art world intersects with technology law.  But that’s exactly what happened when artist Helen Knowles staged a performance of The Trial of Superdebthunterbot at the Zabludowicz Collection in north London on 26 February.

“A debt collecting company, Debt BB buys the student loan book from the government for more than it is worth, on the condition it can use unconventional means to collect debt. Debt BB codes an algorithm to ensure fewer loan defaulters by targeting individuals through the use of big data, placing job adverts on web pages they frequent. Superdebthunterbot has a “capacity to self-educate, to learn and to modify its coding sequences independent of human oversight” (Susan Schuppli, Deadly Algorithms). Five individuals have died as a result of the algorithm’s actions, by partaking in unregulated medical trials. In the eyes of the International Ether Court, can the said algorithm be found guilty?”

The algorithm has realised that unregulated and dodgy jobs generate cash quicker, and steered the vulnerable defaulters towards such jobs. Debt BB is insolvent and the original programmer has died. The case has been brought to the International Ether Court under the Algorithm Liability Act, with Superdebthunterbot standing accused of gross negligence manslaughter.

Participants watched a film of the trial, and then the jury sat down to deliberate (ably aided by audience contributions). The jury was comprised of artists, technologists, legal academics, a futurologist and a Kemp Little Commercial Technology lawyer (Michael Butterworth).

Initially, the jury found it difficult to accept the premise that an algorithm could be liable for a crime. In the end, Superdebthunterbot was granted a second chance at life, as there were 5 votes for guilty and 7 votes for not guilty. However, the discussion brought out a number of interesting themes:

  • The emotional and intellectual difficulties with applying a human-based code of ethics (the law) to machines. The concept of negligence appeared to translate fairly well to independent thinking machines, as the concept of “reasonable foreseeability” is an objective standard, and doesn’t require analysis of any mental state. However, there was a divide between the emotional reaction judging the behaviour as morally wrong and the intellectual desire to impute such behaviour to a rational agent.
  • The purpose of punishment, which is a live and controversial debate within human society. The jury was only asked to establish the algorithm’s liability, as sentencing would be left to the judge, but what would be the point of punishing a machine? How would any potential ‘Algorithm Liability Act’ approach the competing strands of punishment: rehabilitation and prevention; retribution; restorative justice (i.e. helping victims overcome the crime); or even redemption?
  • The difficulty differentiating between an algorithm, as a piece of code, and its physical implementation in a machine or network. It would have been much easier to find the Superdebthunterbot algorithm liable if it was embodied in a humanoid robot, but it’s much more difficult to do that when the algorithm operates across a network of disparate machines operated by third parties.
  • Regulation was a recurring theme. What would this involve? How do we move beyond and improve upon Asimov’s laws? How do we ensure compliance, once the human owners or creators are dead or insolvent? How can regulators keep up with an increasingly complex area of technology? How can the public have meaningful oversight and understanding of the algorithms and the regulators?
  • If Artificial Intelligence can be legally responsible for its actions, is a sufficient level of reflexivity or self-understanding required? Jurors drew parallels between legal responsibility for children, where at a certain age individuals are deemed by the law to be responsible for their actions. How would any such maturity level for an algorithm be defined?
  • This scenario was not far removed from reality today. It was acknowledged by the jury that this was already happening, although in a less visible way. The value of this piece of art was to make visible and crystallise issues that are already out there. Is the Artificial Intelligence the problem, or is the real issue the conversion of humans into data and then the paternalistic manipulation of the humans in a technical and organisational process?

Despite their differences, there was one thing that every single juror agreed upon: any liability for the Artificial Intelligence must not in any way let the human owners, operators and creators off the hook: a reminder that we are all responsible for the future. Has the weight of freedom ever been so great?

High Court releases first edition of "company law for dummies" handbook

The recent case of Dickinson v NAL Realisations (Staffordshire) Ltd is a “101” guide to how not to run a small business, providing insight into the pitfalls that can await any director or shareholder that may wish to cut corners rather than ratifying decisions through the appropriate approval processes.

The case concerned a range of company law topics, but I will discuss here the three more commonplace scenarios dealt with by the proceedings: (i) the sale of freehold property; (ii) the purchase by a company of its own shares; and (iii) the sale of a subsidiary, each of which also engaged ancillary points of company law, such as directors’ authority and duties.

Facts

Dickinson was the majority shareholder in NAL Realisations (Staffordshire) Ltd (previously called Norton Aluminium Ltd) (“NAL”) holding 50.6% of the issued shares. The other shareholders were a pension scheme, of which the trustees were Dickinson, his wife and a professional trustee, and a family settlement. Dickinson and his wife were the only directors of NAL until 2008 when they were joined by Mr Williamson.

In 2005, NAL transferred its factory premises to Dickinson for £224,000. The company also took a four-year leaseback at a rent of £40,000 per annum. NAL’s decision to approve the transaction was evidenced by a board minute of a meeting at which Dickinson and his wife were seemingly present.

In 2010, NAL sold its wholly-owned subsidiary, Norse Castings Ltd (“NCL”), to Dickinson for £1. No evidence of a board meeting was recorded and it was clear that the other NAL directors were not consulted about the sale: Mr Williamson was not told about the sale until after the fact and Mrs Dickinson was not sure when she first learned about it.

Later that year, NAL entered into an agreement with each of its shareholders to buy back a total of 2.5 million shares at nominal value. All the documents relating to the buy-back were signed by Dickinson and NAL did not make any payment for the purchase of the shares; rather the funds were left in the company as a debt to the shareholders secured by a debenture in Dickinson’s name.

Findings

Transfer of factory premises

The judge found that the 2005 transfer of the factory premises was void for the following reasons:

  • the board meeting, which was evidenced by the board minute, to approve the transfer had never happened;
  • even if it had happened, the decision would not have been properly approved as:
    • Dickinson would not have been entitled to vote on the transaction or be counted in the quorum by virtue of being interested in the transaction; and
    • Mrs Dickinson could not have approved the transaction on her own as the quorum for a directors’ meeting was two directors; and
  • it could not have been ratified under the Duomatic principle (i.e. unanimous approval of the shareholders) as Dickinson was not entitled to act unilaterally on behalf of the pension scheme (the professional trustee was not aware of the transaction).

As a result of the transfer being void, the judge ruled that Dickinson held the factory premises on trust for NAL and was liable to restore it to NAL and to pay NAL compensation equalling the amount of rent paid or credited by NAL to him.

Transfer of NCL shares

In relation to the 2010 transfer of NCL to Dickinson, the judge concluded that the decision to sell the subsidiary was taken by Dickinson alone and, similarly to the property transfer, without the requisite authority. The judge determined that Dickinson’s delegated authority to act alone on certain company decisions stopped short of “selling assets to himself”. Accordingly, the transfer was either void or voidable, and in any event avoided as a result of the litigation, because:

  • the shares in NCL were a “substantial non-cash asset” for the purpose of section 191 of the Companies Act 2006, the disposal of which required shareholder approval;
  • the sale was a transaction at an undervalue under section 423 of the Insolvency Act 1986; and
  • it was not in the interest of NAL to transfer NCL to Dickinson for £1; in doing so Dickinson preferred his own interests over those of NAL in breach of his fiduciary duties, and Dickinson knew he was acting in breach of those duties.

Buy-back of NAL shares

The buy-back was held to be void because the consideration was not “paid for on purchase” as required by section 691 of the Companies Act 2006; rather, the consideration was left as a debt owing from NAL to the shareholders. The judge also found that the buy-back was a transaction at an undervalue within section 423 of the Insolvency Act 1986.

[For more information on share buy-backs, please see my colleague Adam Kuan’s “Guide to share buybacks for private companies”.]

Duties of Mrs Dickinson and Mr Williamson

According to the judge, Mrs Dickinson and Mr Williamson had breached their directors’ duties to, amongst other things, inform themselves of the company’s affairs and join in with the other directors to supervise such affairs and to form an independent judgment as to whether acceding to a shareholder’s request is in the best interests of the company.

Conclusions

This judgment goes to show that directors and shareholders of companies have certain inescapable personal responsibilities that must be recognised and adhered to if decisions made by such directors or shareholders on behalf of the relevant company are to be lawful.

In Dickinson’s case, the judge lamented that Dickinson had “not…sought to act in the best interests of, or even with any proper regard to the interests of, the company as distinct from himself”. The lesson here for any dominant director is to ensure that they bring the other directors of the company along with them during the decision making process and guarantee that decisions are conducted in line with the company’s constitutional documents and company law. This may mean having to argue one’s case as to the merits of a decision more regularly, but it will result in decision-making processes that stand up to scrutiny.

Concurrently, passive directors, although perhaps not the instigators of company decisions, still need to satisfy themselves that they are sufficiently supervising their fellow directors, informing themselves of the company’s affairs and coming to an independent view as to whether proposals are in the best interests of the company and its members as a whole.
