Commercial Disputes

“Brexit means Brexit”: But does Brexit mean we have to worry about GDPR?
5 May, 2017

The EU’s General Data Protection Regulation (GDPR) is the most significant development in data protection law in the last 20 years. Given that Article 50 has been triggered and the UK is certainly leaving the EU, do we have to prepare for and comply with GDPR?

The answer is yes. Here are three reasons why:

1 – It is likely that GDPR will come before Brexit

Article 50 began a two year countdown to the end of the UK’s EU membership. Depending on negotiations, the latest that the UK will leave the EU is now 23 March 2019. Therefore, when GDPR becomes applicable on 28 May 2018 it is highly likely that the UK will still be a member.

As an EU ‘Regulation’, GDPR will automatically become law in all EU member states.

2 – The UK plans to pass a Great Repeal Bill

The Great Repeal Bill will end the supremacy of EU law in the UK. However, this legislation will also enshrine all current EU law as UK law – otherwise there would be a problematic ‘black hole’ in UK law where EU law once applied. After the Great Repeal Bill is passed, the Government will then begin the process of ‘unpicking’ the old EU laws. However, this means is that GDPR is likely to be enshrined in UK law (at least for a while).

3 – The UK may have to ‘match’ the GDPR in any event

The current EU data protection regime requires anyone outside of the EU to deal with EU data according to EU standards. This is currently done in one of two ways: Either (1) the EU formally acknowledges that a non-EU country’s data protection laws are ‘adequate’, or (2) any company dealing with EU data is contractually obliged to meet these standards when trading with EU entities.

So, if the UK wishes to trade with the EU and data is involved (which it certainly will be), UK traders will have to abide by standards similar to those under GDPR anyway. By way of example, the United States had previously relied on its ‘Safe Harbour’ framework to facilitate the transfer of EU data to U.S. companies. However, the European Court of Justice declared the Safe Harbour invalid in 2015. The U.S. is now negotiating the new ‘Privacy Shield’ with the EU to guarantee data protection standards.

What are some of the main changes and what do I have to do?

Some of the changes under GDPR include:

  • New obligations for data processors;
  • Greater penalties for data protection breaches;
  • More stringent rules on data breach reporting;
  • More stringent conditions on obtaining consent;
  • More stringent rules on the provision of information to data subjects;
  • Businesses will bear their own responsibility for risk assessment and general compliance, and will have to be able to prove compliance through documentary evidence;
  • New technologies and business models must have data protection ‘built in’;
  • Data subjects will have the “right to be forgotten”; and
  • Data subjects will have the right to data portability (i.e. to have data provided to them in a commonly used or machine-readable format, or transferred to other data controllers with ease).

For more information on the GDPR and those steps that you need to take now to be ready for its implementation, see our Guide to the new General Data Protection Regulation:



Mandatory E-filing – impact on administration appointments
25 April, 2017

From today, the use of the electronic working system (known as CE-File) is mandatory in all Rolls Building courts.  It will no longer be possible to issue claims or applications, or to file documents, on

paper and all issuing and filings will instead have to be made through the CE-File website (

This theoretically makes the appointment of administrators using the out of court route much easier, as the appointment can be done remotely without the need to physically attend court.  E-filing is effective from either the date and time of submission of the documents, or if a payment is due with the filing, when payment is made.  As payments can also be electronic, this means that notices (of intention to appoint or actual appointment) can be effective at any time of day or night.

What happens in practice is this:

  1. You file your notice and, once submitted, you receive a filing acknowledgement so you know it has been submitted.
  2. The notice is vetted by court staff during office hours (between 9am and 4.30pm) and an electronic notification should hopefully be received confirming the filing is accepted.
  3. The filing is then deemed effective from the date and time of submission.
  4. If the document is faulty, this is notified to the submitter, the document is deemed not to have been issued, and must then be resubmitted.

Having tested this process I can confirm that you can indeed submit notices that become effective at 11.55pm, although you don’t receive confirmation of this until the next morning when the court staff have vetted the document.  The CE-File process itself is rather clunky and takes a bit of getting used to, but is otherwise relatively easy to use.  You need to create an account and can then search against case numbers where documents have been filed electronically, or create new filings.

There are significant uncertainties that will be created, however, in connection with the timing of the notices of intention to appoint, and notices of appointment.  In one case (during the non-mandatory pilot period) I had to wait several hours following submission of the notice of appointment, during office hours, for the court to accept the document.  During this time the administrators were on site waiting for confirmation of their appointment and it took some chasing of the court staff before the appointment could be confirmed.

There are clearly some teething issues, which will hopefully be resolved as the process becomes more efficient.  Hopefully court staff will be briefed to prioritise notices of intention and notices of appointment of administrators, given the time-critical nature of these documents.  In the meantime, however, it would be wise to mark the submission as urgent so that hopefully it can be dealt with more expediently. For further information please contact Joanna Ford on: 01732 224 033 or by email:


What’s in a partnership?
13 April, 2017

The answer, quite often, is a lot. Long established business partnerships can build up large portfolios of assets over the years.  In most cases it is easy to tell whether they are partnership assets or not but what if it is not clear?

One of the great things about partnerships is their potential simplicity. You don’t need a document to form a partnership, you just need to have two or more people working together with shared risks and profits.  In these circumstances the venerable Partnership Act 1890 will step in and provide a framework under which the arrangement can be governed or analysed if there is any dispute between the partners.

Because of this many partnerships never get round to properly documenting the agreement between the partners. When all is going well this is not a problem but can make for expensive litigation if a dispute arises about whether or not something is a partnership asset.

In the absence of an express agreement that an asset is or is not a partnership asset then the court will look at all of the facts of the case in order to determine the true position. This can involve a detailed analysis stretching back over a number of years and require extensive witness evidence.  Such an exercise is expensive and inevitably introduces uncertainty into the outcome.

So, if your partnership does hold any valuable assets, it is always best to clearly record what their status is and how they are shared between the partners. Ideally this should be in a partnership deed or written agreement.  Otherwise, any written document setting out the position that is approved, or at least not disputed, by all the partners, will reduce the chances of a dispute happening and, if it does, significantly reduce the costs of fighting it.

Is your personal data being used to influence your vote?
30 March, 2017

Those of you that are up-to-date with U.S. spy-drama “Homeland” will appreciate that the manipulation of democratic processes by means of hi-jacking personal data is topical enough to warrant inclusion in the show. When ex-CIA agent Carrie Mathison and co uncover these abuses, they will probably be very concerned.

Those of you that are up-to-date with real life may have read reports that a data analytics company (owned by a billionaire friend of President Trump) is thought to have played a major role in securing victories for the Trump and Leave campaigns in the U.S. and Britain respectively. That company has developed technology which creates intimate psychometric profiles from our Facebook and other social media profiles.  This allows our emotional triggers to be exploited through targeted and individualised advertisements.

When the Information Commissioner’s Office heard of these potential abuses, it became very concerned. We should be concerned too – whichever side of history our vote fell on. An ICO spokeswoman has recently announced  “a wide assessment of the data-protection risks arising from the use of data-analytics, including for political purposes… We intend to publicise our findings later this year”.

Although Article 50 has now officially been invoked, the EU’s new General Data Protection Regulation (GDPR) is still going to affect Britain in a significant way. It strengthens the principles that data must be processed with informed consent, and in a transparent and fair way. For a company, the maximum sanction for non-compliance is the greater of 4% of annual worldwide turnover or €20 million.  In light of the revelation that, through the processing of our data, it is possible to affect the course of history itself, the strengthened provisions of the GDPR can only be a good thing.

If you are a company that controls or processes data, you ignore data protection law at your peril. Ask yourselves: is the data for which you are responsible obtained, used, stored, secured, and then deleted appropriately?

For the rest of us, we might more frequently ask ourselves: Who has access to and is using my data, and what are they doing with it?

Charities in the dog house
28 February, 2017

In December 2016 the RSPCA and British Heart Foundation were fined by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act 1998. Millions of donors’ personal data was misused in three ways:


1. Wealth screening: both charities employed wealth management companies to gather information from their donors’ publicly available information to assess their income, property ownership, lifestyles, and friendship circles. These companies advised on how much donors might be persuaded to give in the future, and who might be most likely to leave money in their will. 


2. Obtaining information: When donors opted-out of providing certain information, the charities hired companies to collect this information anyway, through processes of data and tele-matching (for example, by tracing a current phone number from an old one, or using an email address to obtain a postal address). The data was then used to contact people for further donations.


3. Data sharing: The charities were part of a data sharing scheme with other charities, through which personal data was swapped in order to target individuals who had donated to other causes. The ICO found that the charities’ opt out provisions were not clear enough to cover these practices.


The Information Commissioner, Elizabeth Denham, said: “The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money… Our investigations suggest that the activities… are also being carried out by some other charities.”


The RSPCA and the British Heart Foundation were fined £25,000 and £18,000 respectively, though these fines could have been up to ten times higher. The Information Commissioner exercised her discretion in significantly reducing the fines because, amongst other things:  (i) there was a risk of causing further distress to donors (whose monies would inevitably be used to pay the fines), (ii) ongoing investigations in the charity sector may lead to further fines, and (iii) the charities are likely to be ‘punished’ through the likely reputational damage.


The two cases serve as an example of how data protection laws seek to protect the public, as well as the real (and potentially much more costly) consequences for data controllers who break those laws.

1 2 3 12