• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

View All

Information Commissioner's Office releases new code of practice

On 7 October 2016, the Information Commissioner’s Office (ICO) released a new code of practice in respect of privacy notices (the Code), with the aim of improving transparency and ensuring fairness for individuals when organisations are collecting their personal data.

There are 5 key areas of emphasis emerging from the Code and the ICO recommends organisations take these into account when drafting new privacy policies, or amending their current privacy policies:

  1. Content - An ‘off-the-shelf’/‘one-size fits all’ privacy policy is not endorsed. Organisations should develop bespoke policies relevant to the data being collected and their intended audience. The Code encourages organisations to map out how information is processed in order to be able to provide individuals with sufficient detail to be informed of how the organisation will use their data. The ICO acknowledges that drafting privacy notices broadly can allow for development in the way a business uses personal data and encourages businesses to align their privacy policies with their house style and approach.
  1. Consent – The Code includes further guidance on obtaining and recording consent from individuals (when consent is being used as a basis for processing) and some examples of good practices, including some standard wording for seeking consent for direct marketing, which has helpfully been tested on members of the public.
  1. Control - Individuals should be given more control in the management of their personal data, including how it will be used.  The ICO advocates use of a privacy dashboard to enable users to indicate their agreement to particular types of data processing or sharing, and to allow users to change these settings at any given time.
  1. Communication – How and when a business communicates its privacy notice is a core part of the Code. The ICO encourages businesses to be innovative and not use a single document when other methods of communication would be more effective (some examples are provided). Clear and simple language should also be used (which is not always easy when complex technologies and processes are being used).
  1. Consultation - Before rolling out a new privacy policy, organisations should seek the input of its intended audience to test the effectiveness of the policy. This helps the organisation to test: (i) whether individuals understand the policy; (ii) if it is clear and appropriate to the audience; and (iii) whether it contains any errors.

The Code also includes a privacy notice checklist covering key points to help ensure business draft notices effectively.

Compliance with the approach and good practice recommendations in the Code will help organisations to meet the enhanced privacy notice requirements set out in the General Data Protection Regulation (GDPR). Although organisations will still need to include further information in their privacy notices (listed in the GDPR section of the code/Articles 13 and 14 of the GDPR) to fully comply. The Information Commissioner has said it is extremely likely that the GDPR will start to apply before Britain leaves the European Union and, in any event, businesses will need to comply to do business in the EU.

According to an ICO survey conducted earlier this year, only one in four adults trust businesses with their personal data. Businesses clearly have a lot of work to do to build customer trust and transparency is an excellent starting point. For more information on how we can help you craft an innovative, GDPR-compliant privacy notice, please contact a member of our team.

The security risks of modern Voice over Internet Protocol

Cyber crime is becoming an increasingly significant and growing global problem that affects all sectors with an on-line platform or service.  The UK Cyber Security Breaches Survey 2016 commissioned by the Department for Culture, Media and Sport (DCMS) found that 25% of companies experience a cyber-breach at least once a month.  At the annual Black Hat USA cyber security conference, warnings were delivered about the security inadequacies of modern VOIP (Voice over Internet Protocol) or unified communications systems which are sometimes overlooked when corporates or individuals assess their cyber-attack vulnerabilities.   The incorporation of VOIP into a corporate network means that VOIP tends to be another service running over the IP network and is therefore another door through which hackers can gain access to a wider system or underlying infrastructure.

What is VOIP?

VOIP or Voice over Internet Protocol is a service that is used to send voice transmission over a broadband internet connection.  It transmits analogue voice signals as digital packets over the internet instead of using the traditional public switched telephone network.  This convergence of data and voice means that VOIP is another data service over the IP network and there is no physical separation of the networks.   For VOIP providers it, it is an electronic communications service and is regulated in the UK by Ofcom.  Since it was first launched, gateways have been subsequently created as an add-on to VOIP to allow computer to telephone calls and vice versa.  Corporate VOIP services can now also be integrated with other corporate enterprise systems to search for users in internal corporate directories and deliver voicemail to a desktop. 

The advantage of VOIP is that standard call charges are not incurred.  However, the disadvantage is that as VOIP is delivered using a third party application, the same requirements to patch and update the software apply. An additional issue is that the standard firewalls cannot always analyse the data carried by the SIP Protocol (the protocol commonly used for controlling VOIP calls) and consequently cannot determine whether a call is legitimate or fraudulent.

There has been a reported increase in cyber attacks on VOIP infrastructure and particularly on UK servers with most attacks taking place outside of regular working hours.

The VOIP Security Alliance has identified the following five types of threats to a VOIP service:

  • Social threats: misrepresentation of identity, authority, rights or content – it is possible to doctor voices or change incoming phone numbers.
  • Interception: eavesdropping on calls (which without lawful authority is illegal in the UK)
  • Service abuse: hacking into a system to make calls to premium rate numbers or international numbers (one of the most common attacks).
  • Intentional interruption of service: a denial of service attack particularly targeted to the VOIP system.
  • Other physical interruptions: such as loss of power to the servers hence bringing the service down.

From a practical perspective, companies often assume that the VOIP service should be handled by a telephony specialist when in fact, the security of the system is a networking matter.  Obviously, securing a PBX (Private Branch Exchange) completely from the outside world would render the service totally redundant but it is a case of focusing on minimising vulnerabilities.  This can be from a practical perspective through mailbox passwords, implementing security features provided with the service such as barring access to premium rate numbers and using a VPN to carry the traffic between a remote endpoint and the PBX.

Information and Cyber Security Legal Position

The current general legal position in the UK requires those organisations that control personal data to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data (Data Protection Principle 7, Data Protection Act 1998).

In practice this requires corporates to:

  1. Adopt security measures (both physical and technological) commensurate with the type of data being held and the harm that may result from a security breach;
  2. Be ready to respond to any breach of security swiftly and effectively; and
  3. Be clear as to who is responsible for information security within the organisation and back this up with policies, procedures and well trained staff in relation to the security measures, reporting and responsibility.

In essence, the VOIP service and infrastructure should form part of the IT and Communications estate that has equally as stringent security measures applied to it (yet adapted to address the protocols used to provide the service).

The UK Privacy and Electronic Communication Regulations also need to be complied with for VOIP service providers.  Essentially the technical and organisational measures to be adopted mirror those in the Data Protection Act with the following additional requirements that they must:

  1. Ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
  2. Ensure the implementation of a security policy with respect to the processing of personal data; and
  3. Notify the Information Commissioner (ICO) in the event of a personal data breach within 24 hours of becoming aware of the basic facts, with full details as soon as possible (with a more detailed follow up notification 72 hours later if applicable) and notify the subscriber without undue delay if the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user;
  4. A log of any breaches must be kept and should be submitted to the ICO on a monthly basis.

Any notification to a user of the system is not required if the service does not have a direct relationship with the end user (but it must notify the organisation that does). Alternatively, if the service provider has demonstrated to the ICO’s satisfaction that it has implemented measures that render the data unintelligible to any person not authorised to access it and that those measures were applied to the data concerned in that breach.  The ICO also has an audit right to assess compliance with the notification requirements and a failure by a service provider to comply with the notification requirements may attract a fine of £1000.  Where there remains significant risk to the security of the service, the service provider shall inform the subscribers concerned of the nature of the risk, any appropriate measures the subscriber may take to safeguard against that risk and the likely cost of such measures.

Regardless of Brexit, the general consensus seems to be that the EU General Data Protection Regulation (GDPR) will come into force in May 2018 and that the UK will adopt legislation that closely mirrors both that and the recently adopted Network and Information Security Directive once the UK leaves the European Union. Obviously, any EU laws already in effect in the UK will need to be revoked or repealed before they cease to be law.  With this in mind, the data breach notifications that currently apply to public electronic communications service or network providers i.e. the VOIP service providers will now also fall on those using the services in the event of a data breach, with the potential for significant fines if this timescale is not met (assuming fines are at a similar level to those set in the GDPR).  The NIS Directive’s application is broader than incidents affecting personal data - although it will only apply to ‘essential service providers’ determined as such by the Government and digital service providers such as search engines, cloud computing providers and online market places.  There are notification requirements where there is an incident to the network and information systems of that service would have significant disruptive effect on the provision. This could include the failure of a VOIP or unified communications service whether or not there has been a breach of personal data.

For those faced with procuring a VOIP service, it appears to be an increasingly common position from VOIP providers that they are a more conduit for the data and do not store personal data.  Once the GDPR applies, the distinction between a processor and controller will be less stark as processors will also incur liability.  In addition, companies should ideally place and enforce their own information security requirements on the service provider and if this is not possible, ensure that the service providers own information security requirements are sufficient.  It is always worth carrying out due diligence and asking if there have been data breaches or security issues arising from the service. The question of who incurs the cost in the event there has been fraudulent use of the system is always relevant – particularly when it becomes an issue of whether the fraud has occurred due to the security vulnerabilities of a particular VOIP service.  Such an issue is generally always contentious and where it Is a risk that the VOIP service provider is not willing to assume this should also be built into any business case of assessing the cost savings of moving to the service.  In the event that a main switchboard and/or phone lines (internal and external) may cause significant disruption, the limits of liability should be negotiated with the size and nature of the business and service credits in mind.

The costs savings brought about by migrating to VOIP systems are clear but the convergence of the networks and the increased cyber vulnerabilities this brings about as companies add a service which by its very nature must be connected to the outside world should not be overlooked as cybersecurity increasingly becomes a Board level issue where reporting on security breaches will in May 2018 be a matter for all companies not just the telcos and with potentially significant fines attached.

This article was previously published in the September 2016 issue of  Cyber Security Practitioner.

ICO Issues Record Fine against TalkTalk following Hacking of Customer Data

On 5 October 2016 the Information Commissioner’s Office (ICO) ordered the telecoms group TalkTalk to pay a fine of £400,000. The fine was issued as a result of a data breach that took place between the 15 and 21 of October 2015 when hackers accessed the company’s customer data.  The attack compromised the personal information of 156,959 TalkTalk customers, including their names, addresses, dates of birth, phone numbers and email address.

The hackers were able to access the data via three vulnerable webpages that were part of an old infrastructure that was inherited by TalkTalk as part of an acquisition in 2009. TalkTalk did not know that the database software was outdated and that it was no longer supported by the provider because it failed to scan it properly. The relevant software was affected by a bug which enabled the hackers to bypass access restrictions, however, an easy fix would have been available.

The ICO’s investigation concluded that these failures by TalkTalk, which led to the data breach, constituted a breach by TalkTalk of the Seventh Principle of the Data Protection Act (DPA) because it did not have in place appropriate security measures to protect the personal data for which it was responsible.

The £400,000 fine is the largest fine ever issued by the ICO, which at present has the ability to issue fines as high as £500,000.  

Kemp Little’s Head of Data Protection & Privacy, Nicola Fulford, was in attendance when the fine was announced by the Information Commissioner, Elizabeth Denham.  Denham indicated that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”  She emphasised that although hacking is not defensible, it "is not an excuse for companies to abdicate their security obligations”. “TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action” she added.[1]

The fine is a clear signal by the ICO that the onus is on businesses to take greater steps to protect their customers’ personal data. According to Denham, the record fine represents a “warning to others that cyber security is not an IT issue, it is a boardroom issue” and represents a “duty to their customers.”

It should be noted that the ICO’s investigation into TalkTalk’s data breach was specifically regarding whether or not it breached the DPA only. A separate criminal investigation is also currently being conducted.

For an analysis of the report by the UK’s Culture, Media and Sport Committee on the TalkTalk data breach, which preceded the issuance of the ICO fine, please refer to an article by Kemp Little’s experts Nicola Fulford, Partner and Head of Data Protection and Privacy and Emma Wright, Commercial Technology Partner, entitled “Report into TalkTalk breach highlights security concerns” originally published in E-Commerce Law and Policy in July 2016, and available here.

 

[1] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/.

Greater clarity on the implications of Brexit for employers, following Theresa May's Conservative Party Conference speech

Theresa May’s speech at the Conservative Party Conference at the weekend arguably gave us a much clearer picture of what Brexit will look like:

  • She will invoke article 50 no later than the end of March 2017, meaning we will leave the EU in around Spring/Summer 2019;
  • The European Communities Act 1972 (“ECA”) will be repealed with effect from the date of Brexit. The ECA gives direct effect to all EU law in Britain, so in theory all existing European laws not already separately enacted into English law would no longer apply (with significant implications for the world of employment law in particular). Mrs May has promised to convert the “acquis” (i.e. the body of existing EU law) into British law before Brexit, giving parliament the freedom to amend or repeal any such legislation at a later date. However, Mrs May could face a real challenge in enacting so much legislation in such a short period with a Commons majority of only 12; and
  • Mrs May has given her clearest indication yet that we will no longer be part of the Single Market following Brexit, saying that “We will decide for ourselves how we control immigration.  And we will be free to pass our own laws” and “Let me be clear. We are not leaving the European Union only to give up control of immigration again. And we are not leaving only to return to the jurisdiction of the European Court of Justice.” The implication being that if we cannot achieve this in the Single Market, we will leave it.

Leaving the Single Market will have significant implications for business, not least in hiring nationals from EU Member States, as freedom of movement will no longer apply. It remains to be seen how the government will approach a system for enabling businesses to hire EU nationals post-Brexit, given that Mrs May has already eschewed the idea of a Points Based System. Finally, Mrs May has stated that “existing workers’ legal rights will continue to be guaranteed in law – and they will be guaranteed as long as I am Prime Minister”. But this does leave open the possibility of changes to employment law currently derived from EU law, following Mrs May’s eventual departure

Electronic signatures encouraged by Law Society practice note

In recent years, the UK business community has increasingly embraced electronic signature as a means of executing contracts on corporate and commercial deals. This seems a no-brainer, given the extent to which deal-making now happens remotely – often across time zones, the need of high-volume contracting businesses to streamline their execution logistics and the sheer number of electronic signature software tools now on the market (DocuSign and Adobe Sign, to name two of many).

And yet there is some lingering uncertainty around the validity of electronic signatures as a means of executing various forms of contracts, particularly when it comes to deeds or documents that are subject to statutory formalities, for which case law authority is rather thin on the ground.

A new practice note issued by the Law Society and CLLS in July of this year looks set to address this issue and help individuals and businesses executing corporate and commercial transactions better understand when and how they can use electronic signatures.

What is electronic signature

Electronic signature is an umbrella term that captures various different methods of indicating agreement to terms presented in electronic form. These range from clicking on an icon to place on order in an e-commerce transaction to using advanced cryptography-based digital signatures in a document or message. To be legally effective as a signature, any such method must demonstrate the signatory’s intention to be bound by the terms he or she is signing up to.

The Law Society/CLLS practice note focuses on the methods of electronic signature that are most commonly used in the context of a corporate or commercial transaction, namely, a person:

  • either pasting his or her signature as an image or inserting an electronic representation of his or her signature (e.g. where using an electronic signature tool) into the appropriate signature block of an electronic version of a contract;
  • typing his or her name into a contract or an email containing the terms of a contract;
  • accessing a contract through an online electronic signature platform and clicking to have his or her name inserted into the appropriate signature block of the electronic version of the contract; or
  • using finger or a stylus to sign his or her name in the appropriate signature block of an electronic version of a contract on a touchscreen.

What is the law on validity of electronic signature

As a matter of law, the validity of using an electronic signature for execution is clear for certain types of contracts and less so for others.

At one end of the spectrum, it is a well-established principle of English law that a simple contract does not need to be in any particular form or executed in a particular way, so using an electronic signature to execute a simple contract should be valid.

However, things are a little murkier for “formal” contracts – contracts that are required by legislation to be “in writing”, “signed” or “under hand” (such as a guarantee or an assignment of copyright) or for deeds, which are likewise subject to strict formalities.

While there is case law authority for the validity of certain forms of electronic signature for executing particular “formal” contracts – for example, the case of J Pereira Fernandes SA v Mehta [2006] EWHC 813 (Ch) confirms that typing a name into an email can be a valid signature for the purposes of a guarantee – and certain general principles be inferred from this body of case law, these authorities still need to be applied on a case-by-case basis to the specific form of electronic signature a party may want to use for a particular kind of contract. This is obviously not ideal for parties looking to execute transaction documentation on short notice using electronic signatures.

The new eIDAS Regulation (Regulation (EU) No 910/2014), which came into effect in July 2016 with a view to harmonising the rules on electronic signature across EU member states (including, for the time being at least, the UK), goes some way to addressing this uncertainty by providing that an electronic signature should not be denied legal effect solely on the grounds that it is electronic form. However, it is still unclear to what degree the Regulation will assist for the electronic signature of “formal” contracts and deeds.

While it is not definitive legal advice, in light of the uncertainty in this area, the Law Society/CLLS practice note (which has been prepared by a joint working party of The Law Society Company Law Committee and CLLS Company Law and Financial Law Committees (the JWP) and approved by Mark Hapgood QC as Leading Counsel) is a welcome guide to the practical steps that businesses and individuals should follow to achieve valid electronic signatures of contracts in accordance with the principles set out in the relevant legislation and case law.

The Law Society/CLLS Note

The Law Society/CLLS note takes the key types of contracts that typically feature on a corporate and commercial transaction and considers the validity of electronic signature (and the related practical considerations) for each in turn.

The key takeaway from the note for businesses and individuals is that, in the opinion of the JWP and Leading Counsel, simple contracts, “formal” contracts and deeds may all be executed using electronic signature and can exist solely in electronic form. However, due to the additional statutory formalities that apply to deeds, there are a number of practical considerations the parties will need to take in account when using electronic signature to execute a deed, namely:

  • a company signing electronically will need to ensure the execution complies with the Companies Act 2006 requirements for valid execution of a deed – i.e. executed by two authorised signatories of the company or by a director in the presence of a witness; an individual signing electronically will need to do so in the presence of a witness;
  • an electronic signature (by or a company or an individual) will be validly witnessed where another person genuinely observes the signing and signs the relevant attestation block (either electronically or by “wet ink” on a hard copy of the electronically signed deed);
  • the JWP and Leading Counsel suggest it is best practice for the witness to be physically present to witness the signature rather than attending via a videoconference link; and
  • given the statutory requirement for deeds to be “delivered”, the parties to the deed will need to make sure their signing arrangements include steps to confirm when delivery takes place.

Finally, for companies proposing to use electronic signature, the note also points out that it is important to ensure there is no restriction on this in the company’s articles of association or resolutions and, where an overseas company is proposing to use electronic signature to execute and English law-governed contract, the parties may wish to seek local advice as to whether that company can validly use electronic signature.

In the accompanying press release to the Law Society/CLLS note, Elizabeth Wall (chairperson Law Society Company Law Committee) comments that a key thrust behind the note is to get the legal industry

comfortable with electronic signatures and [to] embrace the practical benefits of e-signing.” As lawyers advising technology and technology-enabled clients that are keen to take advantage of technological developments in deal execution, we welcome the note and hope it has the intended consequences. 

Wrongful dismissal and bad leaver provision

In the recent case of Richards & Anor v IP Solutions Group Ltd [2016] the court considered whether two founder directors were wrongfully dismissed and also the operation of a bad leaver provision as set out in the company’s articles of association. The case deals with an investor director (appointed as a representative of a private equity house) and the independent non-executive director (“NED”) summarily dismissing two founder directors in a board meeting on grounds of serious breaches by the directors of their duties as employees and directors.  The founder directors each held 30% of the shareholding in IP Solutions Group Ltd (the “Company”).  As per the bad leaver provision in the Company’s articles of association, on being summarily dismissed the sale price of the leaver’s shares was £1 in aggregate for all the sale shares.  Following their dismissal, the founder directors were notified that their 30% shareholding was to be transferred to the Company for an aggregate of £1 under the bad leaver provision.

The issues that Mrs Justice May DBE considered were:

  1. If the two founder directors were wrongfully dismissed; and
  2. if the Company was summarily entitled to dismiss the founder directors, was the bad leaver provision a penalty and therefore no effect?

The primary disagreement between the founder directors and the investor arose in relation to the calculation of the bonus. The bonus to the founder directors was calculated on a pre-agreed accounting model which was a complex model.  Following Q1, the finance director and the investor’s representative initially thought that the Q1 target was reached. The founder directors were paid a fixed bonus (albeit without the formal approval by the board through a board meeting). However, after further detailed calculation by the investor, it was concluded that the test had failed for Q1, but was likely to pass for the upcoming quarter. The founder directors accepted this, but instead of repaying the Q1 bonus, they offered for the bonus to be off-set in the future quarter. The investor was also not happy about the progress of the business. The investor and the independent NED planned ahead of a board meeting and summarily dismissed both the founder directors.

The main issue turned on whether (i) the directors breached their statutory duties; and (ii) if the Company was entitled to summarily dismiss them. The investor’s counsel argued that as per their employment contracts, their statutory duties were in effect a strict liability on the directors. 

It was concluded that the founder directors were wrongfully dismissed. It was accepted by the founder directors that retaining the Q1 bonus breached their statutory duty, but it was not a material breach. The other breaches quoted by the investor’s counsel were also held to be insignificant.

Though it was not necessary to decide on issue #2 above, the judge set out briefly the tentative conclusions she would have reached on this issue. She considered the recent decision of the Supreme Court in the case of Cavendish Square Holding BV v. Makdessi [2015] and the reasoning of each of the justices in that case.  She concluded that the arrangement for "Leavers" as provided for under the articles of association was more akin to a primary obligation agreed between parties for distinct commercial reasons to do with a shareholder leaving the Company. On this basis the price of £1 payable for the aggregate shareholding of a person who is a "bad leaver" is simply the agreed price on transfer. Even if the transfer and pricing provisions in the articles were to be construed as secondary obligations consequent upon breach of the employment contract, there was nothing unconscionable in an arrangement arrived at between parties dealing at arms-length with the benefit of extensive expert advice. The judge concluded that “had it been necessary, therefore, I would have found that the Transfer provisions relating to a "Bad Leaver" were enforceable”.

An end to roaming charges within the EU?

Regulation (EU) 2015/2120 combines the hotly contested network neutrality rules, together with the removal of roaming charges on public mobile networks within the EU (“Regulation”). Since it was adopted on 25 November 2015, and in conjunction with the Digital Single Market agenda, the European Commission (“Commission”) with support from the European Parliament[1] – has been focussing its attention on abolishing roaming charges throughout EU member states.  The Commission was tasked with devising a “fair use policy” to prevent potential abuse of the Regulations.[2]  On 5 September 2016, the Commission published it’s “fair use policy”, which will obligate EU telecommunications providers to offer 90 days per year of free roaming access for their consumers, of which a maximum of 30 days could be used consecutively.[3]  If these caps are exceeded, mobile operators will have the freedom to apply roaming charges to their customers.  It is no surprise that such caps were proposed considering the disparity in charges across member states (for example, on average a user in Latvia spends €3.70 a month to use their mobile phone, while in Ireland the average is €23.80)[4] in a bid to avoid consumers abusing the benefits of the Regulations.  Without caps, users could take out a mobile contract in a member state with lower monthly mobile charges, but use their device at no additional cost in their home member state. Realising the proposed draft implementation paper of the Commission’s “fair use policy” may not have struck the right balance between consumer and operator interests, the Commission withdrew the paper and has reverted back to the drawing board with an intention to publish a new policy that would end all roaming charges by 15 June 2017.

A brief history of roaming charges in the European Union

What problem is the Commission trying to solve?  Before the EU legislators got involved, consumers in the EU faced higher charges when (just as in any other foreign country)  using their mobile phone outside of their home country; such charges are known as the ‘retail roaming surcharges’.  Operators are required to pay ‘wholesale roaming charges’ to use the network of the operator located within the member state their customer is travelling to.  Retail roaming surcharges have enabled operators to generate additional revenue when their customers travel abroad, by passing on the wholesale roaming charges to the customer at a mark-up (the retail surcharge).  The Regulation will see retail roaming surcharges abolished for the benefit of consumers and to make advances to a digital single market throughout the EU.  This raises a concern from operator’s that they’ll be open to abuse.

The Commission announces the “complete abolition of roaming charges”,[5] or does it?

On 7 September 2016 the Commission announced it had achieved what it had set out to do;[6] the initial draft “fair use policy” published two days earlier saw the end of roaming charges within the EU… or did it?  Not quite, the “fair use policy” introduced a maximum 90-day annual cap on free roaming, of which 30 days could be used consecutively.  The Regulation set out factors the Commission must take into consideration when drafting the “fair use policy”.[7]

Shortly after the Commission’s announcement, the draft was withdrawn from the EC’s website following views from members of the European Parliament that the draft rules should not include a 90-day cap.[8]  The draft proposal was replaced with the following statement: “An initial draft was published on 5.9.2016. The Commission services have, on the instruction of President Juncker, withdrawn the draft and are working on a new version.”[9]… leaving many unanswered questions, and particularly whether roaming charges would be completely abolished.

Has the Commission back-tracked on their proposal?

While the Commission appeared to have turned 180 degrees following their recent announcement, in a State of the Union address on 14 September, EC President Junker confirmed that “the Commission, the Parliament and the Council [were committed] to abolish[ing] mobile roaming charges”, stating it was “a promise [they] will deliver”.  In the same statement, Junker explained that “the draft was not technically wrong, but it missed the point of what was promised.”[10]

It was always the Commission’s intention to introduce a “fair use policy” to avoid abuse by consumers.  To use the example above, if roaming charges were completely abolished; a user in Ireland who pays €23.80 a month for their mobile phone contract may opt to move their service provider to a mobile operator in Latvia at a reduced cost of €3.70 per month, and take advantage that their operator in Latvia could no longer charge the retail roaming surcharges when the user used their mobile in Ireland.  The Commission has stressed that these proposals are intended to benefit travellers, therefore it’s paramount that the proposals aren’t open to abuse by non-travellers within the EU.

The balance the EU is trying to strike is to allow mobile users across the EU to take advantage of the low prices for data use and calls when they travel abroad on holiday, while ensuring that mobile operators “have the tools to guard against abuse of the rules.”[11]  For mobile operators, their concern will be the predicted loss of c.$3.1bn in roaming revenues for EU operators’ until 2019.[12]  Since the Regulation is largely pro-consumer, there is concern within the telecommunications industry that a complete abolition of roaming charges may impact smaller telecommunications operators whose main business may be generating revenue through roaming charges.[13]  To address this, operators that may be severely affected by the removal of retail roaming surcharges are entitled to seek authorisation to apply a roaming surcharge to ensure “the sustainability of its domestic charging model”.[14]  However, such authorisation must be obtained through the mobile operator’s national regulatory authority who will assess whether or not the mobile operator meets the test (based on “relevant objective factors specific to the roaming provider”) set out in the Regulation.[15]  The test as drafted lacks clarity on how smaller operators will be expected to demonstrate the sustainability of their domestic charging model will be undermined by the Regulation.  However, there is an indication of the factors that the EC will take into account when laying down the detailed rules for national regulatory authorities to take into consideration when granting authorisation:

  • overall actual and projected costs of providing regulated retail roaming services (by reference to wholesale roaming charges for unbalanced traffic and a reasonable share of the joint and common costs necessary to provide regulated retail roaming services);
  • overall actual and projected revenues from providing regulated retail roaming services;
  • the operator’s customers’ domestic and regulated retail roaming services consumption; and
  • level of competition, prices and revenues in the domestic market, “any observable risk that roaming at domestic retail prices would appreciably affect the evolution of such prices”.[16]

Dealing with an estimated $3.1bn loss in revenue for EU operators

As June 2017 looms on the horizon, mobile operators (if they haven’t already) will soon start considering how to mitigate the anticipated $3.1bn loss in revenue to the industry, when operators can no longer charge consumers to roam within the EU. 

By removing roaming surcharges at the retail level, we might expect operators to focus their attention on roaming charges at the wholesale level.  However, and surprisingly, this is very unlikely.  This is because the current regulations state that mobile operators who allow foreign mobile users to roam on their network may only levy wholesale roaming charges up to a specified cap from the foreign users’ domestic mobile operator.[17]  These regulations help to protect smaller mobile operators, and particularly mobile virtual network operators, who rely on wholesale access to provide roaming services to consumers.  It prevents discrimination and an abuse by larger mobile operators who already benefit from economies of scale.  As a result, the attention may turn back to retail prices.  It’s been acknowledged that the abolition of roaming charges may just move the problem elsewhere, for example, consumers may see a rise in their domestic mobile contracts.[18]  It’s unlikely that mobile operators will absorb the entire loss.  

The end to roaming charges by 15 June 2017

Without a revised policy, it’s unclear where the policy makers will end up.  We’re certainly expecting a revised “fair use policy” that delivers what has been promised by the Commission, European Parliament and European Council, but will we see a complete abolition of roaming charges throughout the EU?  It’s unlikely due to the potential for abuse.

In the UK, mobile operators will have to comply with the Regulations from 15 June 2017, however once the UK leaves the EU a move to re-impose roaming charges on customers is likely to prove extremely unpopular.


[1]European Commission Press Release, 27 October 2015

[2] Regulation (EU) 2015/2120, whereas (22) and Article 6d

[4]European Commission Fact Sheet, 22 September 2016

[5]European Commission Statement, 7 September 2016

[6] European Commission Statement, 7 September 2016

[7] Regulation (EU) 2015/2120, Article 6d(2)

[11] European Commission Press Release, 21 September 2016

[14] Regulation (EU) 2015/2120, whereas (23)

[15] Regulation (EU) 2015/2120, Article 6c

[16] Regulation (EU) 2015/2120, Article 6d(3)

[17] Regulation (EU) 531/2012, Articles 7, 9 and 12

Data mapping: an update of new GDPR requirements

Nicola Fulford, Partner, and Krysia Oastler, Data Protection Associate, Kemp Little LLP, examine the new requirements for data mapping under the GDPR—and why they are effectively a win-win for organisations and their customers. To read the full article which was originally published in PDP Journals please click here.

Dashing deliveries from Amazon

Last week Amazon launched the Amazon Dash Button for Amazon Prime customers based in the UK.The Dash Button allows customers to order supplies of products such as toilet roll, cat food or even play-doh at the touch of a Wi-Fi connected button. We consider some of the legal implications of this new product.

Each Dash Button is paired with a product of your choice which you press when running low. The service is configurable, so you can be notified on the Amazon app with each order, or so that new products won’t be ordered until your prior order has been delivered, regardless of how many times the Dash Button is pressed. This means there is no need to worry about young fingers pushing the button multiple times, but also that the Dash Button is not without user interface or control.  

The Dash Button is only a stepping stone for Amazon as it delves deeper into the Internet of Things – the connectivity of everyday objects with the infrastructure of the Internet. Coming next is the Amazon Dash Replenishment Service, which enables connected devices to order products from Amazon when your supplies are running low. Your printer could soon make sure that you never run out of toner and your American-style fridge could automatically reorder water filters as they near their end of life.

With the General Data Protection Regulation (“GDPR”) coming into force on 25 May 2018, Amazon and other companies looking to develop new products for the Internet of Things will need to be aware of the developments in EU data protection law which will affect how they design and bring their devices to market.

Under the GDPR data controllers will be obliged to adopt technical and organisational measures to protect data and must demonstrate that they are adhering to the concepts of privacy by design and privacy by default. This will include conducting data protection impact assessments in certain circumstances. If the impact assessment indicated that the processing would result in a high risk to individuals, then businesses will be required to consult with the national data protection authority before any processing takes place.

Devices such as the Dash Button will enable companies to collect data relating to shopping and consumption habits which is very valuable for retailers looking to market their products, but will reveal significant information about peoples’ lives. Under the GDPR, those who collect and use personal data will need a legal basis for doing so, likely to be consent in this case. However, consent will become harder to obtain. Data controllers will need to demonstrate that they have obtained consent through a clear affirmative act which was feely given, specific, informed and unambiguous. Pushing a button alone to order laundry detergent is not going to be sufficient. This means that making sure that privacy notices are clear and available and that consent is captured at the time the Dash Button is purchased will be key, combined with some means of user interface for communication with the customer. Successful businesses will likely have to be innovative, utilising icons and alerts on devices together with some sort of dashboard for the account, to keep both customers and regulators on board.

With the maximum fines under the GDPR reaching EUR 20 million or 4% of annual worldwide turnover, a striking contrast with the current maximum fine of £500,000 under the Data Protection Act 1998, compliance with GDPR is going to be a serious issue which is going to grab board level attention. The Dash Button is just a pre-cursor for the automated world to come, but organisations need to keep in mind customers’ privacy as well as convenience.

To read more on existing drone regulations, please refer to our article Drone law: heading into turbulence? 

Brexit: essential policy highlights for business

On 26 August 2016 the House of Commons Library published their Brexit briefing paper; a lengthy document titled ‘Brexit: impact across policy areas’. The paper considers the vast possible impact that Britain’s vote to leave the EU may have. We take a look at the government’s conclusions in key areas, alongside the predictions made by Kemp Little in the immediate aftermath of the vote.

Investment

It’s well-known fact that EU membership in itself attracts foreign investment to the UK because, “it allows multinationals based outside the EU to access EU markets without facing tariff and non-tariff barriers.”[1] On the face of it therefore, the vote to leave will have a negative impact, however, as the paper explains there is a silver lining that accompanies post Brexit UK. It will have the potential freedom to establish its own more favourable regulatory regime that attracts overseas investment, an opportunity that has escaped the UK since the Lisbon treaty came into force in 2009.

Data Protection

The theme of regulatory reform in this area after our vote to leave, was picked up on by Kemp Little in our ‘Brexit: what lies ahead’ webinar. While the paper reiterates our view that data protection law in general is unlikely to change, there is now freedom to modify and create a more merciful version of the incoming General Data Protection Regulation (GDPR). This could cause complications for a UK company that has customers or business in the EU, but on the other hand, could entice cloud providers and other data storage companies to move their businesses to the UK.

Intellectual Property

Kemp Little identified IP rights after Brexit to be a particular area of concern, with a genuine worry that the impact of leaving the EU on trademarks, could lead to the UK IPO quickly becoming swamped with applications to ensure that EU marks remain protected in the UK. The paper attempts to instil a sense of calm and quotes the IPO statement from 2 August 2016 which emphasises that, “nothing will change until the negotiations to exit are concluded.[2] Despite this, companies are best advised to act quickly and ensure that their IP is adequately protected in the requisite jurisdictions.

Tax

The paper highlights that a breakaway from the EU will now afford the UK government more freedom to modify tax laws and in particular VAT reliefs. We highlighted in our article, ‘The Effect of Brexit on UK Digital M&A’, that VAT is too important to the UK government for any drastic changes to occur, the briefing paper substantiates this argument by clarifying that VAT, “account[s] for around 17% of all government receipts”[3] and therefore changes to tax and VAT reliefs in particular are unlikely.

Conclusion

The overriding theme of the briefing paper, as expected, is that we have to be patient. No immediate or drastic policy changes have been announced and the true extent of any future impact of Brexit is heavily dependent on how negotiations, which are set to be prolonged, pan out. It is, however, worth considering that much of the ongoing speculation as to which ‘model’ the UK will adopt to forge its future relationship with the EU, fails to take account of the possibility that as Theresa May stated on 20 July 2016, “[it may] not necessarily be based on any of the models that already exist.”[4]

  • Page 10 of 25