Archive for the 'Contract Law' Category

Court holds that failure to comply with data protection laws can be a material breach of contract

A recent case before the Court of Session has held that a company was in material breach of contract as a result of a failure to comply with data protection laws. The case also provided further guidance on when the courts will consider an aspirational pre-contractual sales statement to be a misrepresentation.

The case involved a company called Soccer Savings (Scotland) Ltd (SSSL). In 2010, SSSL entered into a contract with the Scottish Building Society (SBS) to run an affinity savings scheme targeted at football fans. Basically it allowed fans to get a savings account branded with their football club’s brand.

The scheme wasn’t very successful and SBS terminated the contract in June 2011. SSSL challenged the grounds of termination but accepted the termination as a repudiation of contract and sued for damages. The case came to proof before Lord Hodge.

The defence
When SBS terminated the agreement it relied on pre-contractual mis-representation and material breach of contract. At proof before Lord Hodge, SBS departed from some of the allegations on record and restricted their defence to mis-representation and three separate contractual breaches.

Lord Hodge found that statements of aspiration or optimism about what was achievable did not amount to an undertaking or warranty. SBS had the clear impression that the proposed venture was likely to succeed but:

It is clear that the venture failed very badly. But that does not make the statements of aspiration by the promoters of SSSL into misrepresentations of fact. Other things may have been said that strengthened [SBS’ Chief Executive] Mr Kay’s conviction that he had been given representations on which he had relied to recommend the deal to his board, but absent evidence of specific statements of fact, I am satisfied that the defence of misrepresentation fails.

So SBS were left with the three breaches of contract to justify their termination of the contract.

Breach of contract
The first breach relied upon was SSL’s failure to get a signed written agreement with a football club by the stipulated contractual deadline of 1st July 2010 thus delaying promotion of the venture.

In an earlier decision Lord Hodge had already held that this was a breach of contract but he now held that although it was a breach it was not a material breach. It did not go “to the heart of the contract” and did not contribute to the eventual failure of the scheme. Accordingly it could not be used to justify termination.

SBS argued that SSSL had breached regulations 3 and 5 of the Consumer Protection from Unfair Trading Regulations 2008 by issuing letters on football club notepaper. Lord Hodge disagreed. The clubs had agreed to the issuing of the letters and had signed them. There was no breach.

Breach of data protection laws
And so to the final alleged breach – a failure to comply with data protection rules.

The data protection clause obliged SSSL to use reasonable endeavours to comply with the statutory rules and to take appropriate measures against unauthorised or unlawful processing of personal data.

SSSL had used the database of a related company (Soccer Savings Ltd or SSL) to send out letters in its own name and in the name of two clubs to account holders in a similar scheme which another building society, the Dunfermline Building Society (DBS), already ran with the SSL. The deal with the SBS came about after the value of deposits under the SSL/DBS scheme fell significantly after DBS encountered difficulties and was put into special administration in 2009. The DBS was subsequently taken over by the Nationwide Building Society (NBS).

Lord Hodge found that SSSL was a data controller under the Data Protection Act, but was not registered as a data controller with the Information Commissioner when it processed data. It had committed an offence. In addition it did not have the necessary consent from the account holders to use their data to promote the new scheme:

While a failure to register may not of itself have been a material breach of contract, I am satisfied that SSSL’s use of the data obtained by SSL under the soccer saver scheme was. SSL did not have the consent of the data subjects (i) to make their data available to the football clubs with which it contracted or (ii) to use their data to promote SBS. Yet SSL had contracted with the football clubs to give them access to the names and addresses of account holders. And SSSL’s directors procured SSL to use the data for the latter purpose. It used the football clubs’ unauthorised possession of the soccer saver data in an attempt to circumvent the restrictions on SSL’s activities in its contract with DBS.

What takes the breaches to the heart of the contract is that SSSL was offering SBS a business proposal, a major component of which involved achieving the transfer of account holders from DBS to SBS. SSSL proposed to use SSL’s data to market SBS’s products and to obtain the transfer of accounts from DBS by targeted marketing. That is what it sought to do in SSL’s letter to the Rangers account holders [one of the clubs involved]. But that provoked NBS correctly to assert both a breach of contract by SSL and also breach of the data protection legislation. NBS carried out the threat in its letter of 10 November 2010 and complained to the Data Commissioner.

I conclude that an important component of SSSL’s performance of its obligations under the contract involved it in the breach of the statutory data protection rules and that that illegality materially impaired that performance. That amounted to a material breach of contract.

The result was that SSSL had indeed been in material breach of contract and so SBS had been entitled to terminate the contract – even if, perhaps, their reasons for doing so were originally quite different.

Ownership of customers
More importantly, however, the case emphasises the importance of ensuring that ownership of customers under affinity arrangements is clearly defined, and the importance of thinking up front about the privacy consents that may be required from customers.

Had the original privacy notices issued to customers clearly stated that SSL and its related companies could use customer details for marketing purposes, then many of these issues could have been avoided. However, I suspect that the course of events that subsequently unfolded was not in anyone’s contemplation when the original deal was conceived.

Martin Sloan

With assistance from Douglas MacGregor, PSL in Brodies’ Dispute Resolution and Litigation department

Survey highlights key issues for senior IT professionals in IT outsourcing contracts

Supply Management, the official journal of the Chartered Institute of Purchasing and Supply, yesterday published details of a report by outsourcing consultancy Alsbridge into customer satisfaction with IT outsourcing arrangements.

According to the report, just over a quarter of the 250 senior IT professionals canvassed were unhappy with at least one of their IT outsourcing contracts, with 76% considering renegotiating or retendering two or more of their IT outsourcing contracts before the end of the term.

The reasons for this are telling, if unsurprising.

Too much left to be agreed post signature
40% of respondents said that they had left too many important details in the contract to be confirmed at the point at which the deal was signed.

There is often a push to sign a contract by a certain date, come what may.

However, that can be dangerous. Once a contract has been signed, the balance of power shifts hugely in favour of the supplier, meaning that the customer will usually be in a very weak position when it comes to reaching agreement on the outstanding issues.

If things are left to be agreed, it is therefore essential that the contract sets out a clear process for agreeing those outstanding points (with appropriate remedies if agreement can’t be reached) and that key commercial issues are resolved prior to signature.

Changing requirements
54% of respondents said that their IT outsourcing contracts failed to keep up to date with changing technology needs, with 46% saying that the contract also failed to keep up with changing business needs.

These are classic problems, particularly in long term outsourcing contracts. IT quickly dates, and the requirements of the customer’s business are always changing. It’s therefore essential that the contract includes a process for ensuring continuous improvement obligations. This might include IT refresh obligations, obligations to keep up to date with industry best practice or to adopt industry standards, and an obligation to regularly propose ways in which the services can be improved or delivered at better value.

Combined with this, it’s also important to ensure that the contract contains a robust governance and change control procedure, which allows the customer to ensure that issues are managed and to introduce changes to reflect the changing needs of its business. This might also include clear processes for ramping up or ramping down service provision or the scope of the services in the event of changing business requirements.

Value for money
Another theme coming out of the survey was value for money. 49% of respondents cited diminishing returns on their IT outsourcing investments, whilst 36% highlighted problems with complacent suppliers. A further 46% of respondents said that they were under pressure to cut costs.

Benchmarking provisions can help a customer to keep track of whether its outsourcing contracts are delivering value for money. However, a benchmarking regime is only effective if it encourages the supplier to keep its service provision competitive. Key to that is ensuring that the customer has adequate remedies in the event that the benchmarking findings show that the supplier is out of step with the market. This might include mandatory price reductions or ensuring that the customer can break the contract and move to another supplier (albeit the latter is not without cost, given the expense involved in carrying out a new procurement exercise and transition to another vendor).

Long term, not short term
If these issues are properly addressed in the contract then the outsourcing arrangement is likely to be more productive and rewarding for both the customer and the supplier.

Whilst there is always a pressure to sign deals as soon as possible (particularly against artificial deadlines such as the end of a calendar year or the supplier’s quarter), this survey just goes to show that spending more time on the contract (and involving legal input at an early stage in the procurement process) can lead to a more satisfactory outsourcing relationship in the long term.

Which, ultimately, is what outsourcing is all about.

Martin Sloan

Court of Appeal overturns previous decision on obligations of good faith

Last year, the English courts ruled that an obligation could be implied into a contract that the parties would not exercise a discretion under that contract in a manner that was arbitrary, capricious or irrational.

The case related to an outsourcing contract between an NHS Trust and catering company Compass, trading as Medirest. The contract contained a service level regime, but unusually the “Service Failure Points” (SFPs) awarded for a breach of the service levels, which in turn could lead to a right to terminate, appeared to be determined at the discretion of the NHS Trust (the customer).

As the relationship broke down, the NHS Trust allocated apparently disproportionately high SFPs for individual breaches. Amongst the examples quoted by the judge was the award of over 30,000 SFPs and a deduction of £46,000 from the charges for an out of date box of tomato ketchup sachets found in a store room. By way of comparison, the fees were around £180,000 a month, and only 1,400 SFPs were required in a six month period to trigger a right to terminate.

The court held that the Trust had a discretion under the contract and therefore, in accordance with previous case law, a term should be implied not to act in a manner that is arbitrary, capricious or irrational. The court in turn held that the Trust was in breach of that obligation and that Medirest was entitled to terminate for breach.

You can read a full summary of the original judgment in this previous blogpost.

The Court of Appeal’s decision
The Trust appealed on a number of grounds. On appeal, the Court of Appeal overturned the lower court’s decision, holding amongst other things that there was no need for the implied term.

Whilst the SFPs and deductions made were clearly absurd, the Court of Appeal took the view that the Trust had misinterpreted and misapplied the SFP and deduction procedure, but that it had not acted dishonestly.

If the Trust awarded itself excessive SFPs or deductions then that would be a breach of clause 5.8 (which dealt with the application of SFPs and deductions) – no further implied term was required to make that work. Indeed, clause 5.8 stated that SFPs and deductions that were not justified were deemed to have been cancelled.

As the SFPs had expired and the Trust had refunded the excessive deductions, the breach had been cured. Medirest was not, therefore, entitled to terminate the contract for material breach.

The Court of Appeal’s judgment clarifies a number of points:

  • An implied term not to act arbitrarily, capriciously or irrationally will only be applied where the party in question has genuine discretion about how to exercise a right under a contract, and where there is a range of options. In this case, the Court of Appeal held that the discretion was simply whether or not to exercise a contractual right.
  • Jackson LJ’s view was that any attempt to exclude such an implied term where it might otherwise apply would have to be explicitly stated and agreed by the parties (it could not be excluded by a general exclusion of implied terms).

The case also serves as a general reminder to organisations to ensure that their contractual arrangements are clear and unambiguous. In this case, the contract comprised a standard NHS contract and a procedure from a PFI contract for service failures and deductions. The two did not sit well together. Had the contract been properly drafted, then it is possible that the Trust may not have acted in the way it did, and that the relationship between the parties may not have broken down quite so irreparably.

The case should also act as a warning to parties to think before terminating for material breach. In this case, it appears that Medirest was already in breach of contract, and that the Trust had also served notice to terminate. However, wrongfully claiming repudiatory breach and ceasing to perform your obligations is likely to lead to a substantial damages claim from the other party. This is particularly so where the terminating party is the supplier under an outsourcing arrangement, where the sudden cessation of the services could cause substantial damage.

Martin Sloan

The SPL’s big bar bill (broadcasting rights)

Over the past couple of years I have written periodic updates regarding the rights of English (or English-based) pub landlords to use “foreign” decoders to screen football matches in their pubs. Following the European Court of Justice (“ECJ”)’s decision as reported in Football Association Premier League v QC Leisure, in my post from last February I offered this summary of the state of play:

The ECJ decided that national legislation banning the use of overseas (non-UK, but EU supplied) decoders amounted to an unlawful restriction on competition, and it was probable that only certain elements of Sky’s broadcast of match footage was protectable by copyright….Provided a landlord is using an EU decoder of some description, the consequences very much remain to be seen.  Perhaps the best way to summarise the current situation is to borrow some football terminology:

  1. Win – Use a decoder supplied by Sky
  2. Lose – Use a decoder without paying for it, or a decoder obtained from/that accesses the feed of a non-EU rights holder
  3. Draw – Use a decoder supplied by an EU (but non-UK) rights-holder

A new development in the pub landlords v football rights holders battle emerged on Monday, when it was reported that the Scottish Premier League (SPL) is facing a £1.7m damages claim over its legal bid to stop a pub group screening live matches via a Polish broadcaster. The case in question is The Scottish Premier League Limited v Lisini Pub Management Company Limited.

The background of the case

The story starts way back in 2006, when new Rangers boss and “fitness fanatic” Paul Le Guen was at war with Barry Ferguson, and present-day SPL player of the year Charlie Mulgrew was being “made into a man” (and what a hunky one!) at Wolves. 

The SPL took proceedings back in against Lisini Pub Management Co Ltd for unlawful broadcasts of Celtic games in autumn 2006 using a broadcast signal from Poland.  At the start of 2007 Lisini signed an undertaking saying that they would stop using foreign decoders.  They then used a Polish decoder to screen a match in April 2007.  The SPL then obtained interdict to prevent any more use of foreign decoders.  And the case was then sisted to see what the ECJ had to say about the use of decoders supplied by EU rights-holders. 

Of course, as described above, the ECJ decided that the use of foreign decoders was probably OK, and Lisini Pub Management Co Ltd is now counterclaiming against the SPL, seeking damages of £1,761,749. 

The decision

In the Outer House of the Court of Session Lord Woolman refused to dismiss Lisini’s counterclaim, concluding:

 In my view the English Premier league case has an important bearing on the present action. The material facts are virtually identical. The ECJ gave clear answers to the precise questions referred to it. Its decision means that subscribers in member states are entitled to access broadcast signals from other member states. An EC citizen living in (say) Germany should not be prevented from obtaining a signal from Sky, BBC, RAI, Nova or Polsat.

The SPL sought to argue that the ECJ arrived at its conclusions without any detailed investigation of whether banning the use of overseas (non-UK, but EU supplied) decoders would actually have an anti-competitive effect on the market for live football broadcasts.   Lord Woolman found this argument “unconvincing”. 

What’s not reported amongst the “SPL face £1.7m claim” headlines is that I think Lisini will have to work quite hard to actually prove such a huge loss.   It will be interesting to see how they reach that figure – it’s not exactly “small beer”.


Cloud computing and “data ransom” – it’s not a myth

Here on TechBlog we have mentioned on a couple of occasions (here and here) that one of the biggest risks arising out of the use of cloud computing/third party hosted services is the concept of “data ransom”.

That is, in the event that the contract terminates or the supplier becomes insolvent the customer is unable to get its hands on its data without handing over a chunk of cash.

According to a story in Computing Weekly last Friday about the insolvency of acquisitive data centre operator 2e2, that risk is no longer a hypothetical one.

Last week, the administrators of 2e2 contacted its customers (including a number of NHS Trusts) and told them that they required its customer base to provide nearly £1m of funding in order for the business to continue providing services. This is presumably in addition to the charges that the customers are obliged to pay.

The joint administrators’ letter to customers states that this funding is required in order to enable 2e2 to continue trading and allow customers to access their data and migrate to another provider:

As you will understand, we have received a number of requests from customers seeking to gain access to their data immediately and to transition services to alternative providers. Unfortunately, the levels of data held in the Companies’ Data Centres are such that this process could take up to 16 weeks and we will need to ensure that the integrity of third party data and security is maintained.

If its customers do not pay then:

We will be unable to maintain the datacentre infrastructure and we will have no alternative, other than to cease all operations without any managed wind-down of those operations.

For “without any managed wind-down” read “we will switch off the service without notice and without any assistance to help you access your data and transition elsewhere.” For any business that depends on the operation of the data centre for its livelihood, that’s a pretty frightening prospect.

Warning signs
In the case of 2e2, it seems that it had been suffering financial problems for some time.

In 2012, it was in court twice following the late payment of debts. It was also revealed that the annual interest payments on its debt were more than £20m a year (as against a turnover of around £40m).

A fortnight before the administrators were actually appointed, Channel Register also reported that 2e2 had breached its banking covenants in December and had reached its credit limits with suppliers.

These should all have acted as warning signs to customers that things weren’t looking good, and that action was required.

Contracting for cloud services
So what can you do?

  • First of all, don’t use a traditional IT services contract to contract for critical cloud/hosting services. It will likely be deficient. As will the supplier’s standard terms. It’s also essential that your lawyer understands how the cloud works, terminology, and why the risk profile is different to that for other ICT. If not, then your contract is unlikely to deal with those risks.
  • Carry out financial diligence on your supplier (and its parent company). How solvent is it? How much debt is it carrying? Can you get a parent company guarantee? Does the supplier actually own its kit/premises or is it leased? What happens if the supplier defaults on lease payments and the lessor wants its kit back?
  • Keep financial diligence under review by carrying out regular checks on the supplier.
  • Ensure that the contract allows you to terminate in the event that things look bad. Once a supplier has entered insolvency it will be much harder to transition away from the supplier. If the business isn’t viable as a going concern then the administrator is unlikely to be interested in your problems.
  • Ensure that your contract includes exit assistance provisions and that a draft exit plan is actually developed (and maintained) whilst things are going well.
  • Ensure that you have an internal business continuity plan in place to deal with supplier insolvency. How critical is the supplier? What is your strategy? How do you mitigate the risks? Do you have dual suppliers (potentially expensive)?
  • Consider other technical measures. Source code escrow is pretty pointless for cloud (your immediate requirement is the object code and data, not the source code). How about ensuring that you get a regular copy of the data or a copy of the virtual server?

Finally, think about auditing your existing contracts for cloud services. What do they say? Are you comfortable that you can quickly (and safely) transition away from the supplier? If not, now is the time to review them and ensure that you have appropriate provisions in place. Remember – the time to repair a roof is when the sun is shining.

Martin Sloan

Does your social media competition follow the rules?

A “witty” epigram (which I dreamt up all by myself) is: “competition laws are boring, laws about competitions aren’t”.  I really like reading about how competitions are regulated, with the added bonus that you also gain some interesting insights into companies’ marketing strategies and profit margins.

In recent years I have noticed that the relative ease of launching promotions on social media sites such as Facebook and Twitter has resulted in the internet being awash with competitions which fail to meet the applicable rules and regulations.

Although social media competitions are usually just a fun way of reaching out to potential customers, the consequences of failing to follow the rules – or even just failing to apply the rigour traditionally administered to “offline” competitions – can be distinctly less jolly.  For example, in November Boots ran a competition on Facebook and subsequently accidentally informed all 9,000 entrants that they had won a trip to Barcelona.  It’s thought the company was forced to issue £90,000 worth of apologies.

The CAP Code
It’s important to remember that all prize promotions – whether online or otherwise – must adhere to the Advertising Standards Agency (ASA)’s CAP code (the Government-approved Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing).

In the last couple of years the ASA has published plenty of rulings regarding non-compliant online competitions (see for example the recent “118 118” ruling) whilst also maintaining a public list of non-compliant online advertisers.

Although the ASA punishments are normally limited to a bit of bad publicity, and a warning of “don’t do it again”, in theory its sanctions can extend to revocation of trading privileges (for example bulk mailing discounts) and referral to the Office of Fair Trading.

There’s not space here to list all the applicable CAP Code competition rules, but here are some really important ones:

  • don’t run what the Gambling Commission would deem an “illegal lottery” (punishable by fines and/or imprisonment); 
  • avoid running an illegal lottery by including a “skill” element (which can be part of a competition run, for example, where the competitor has to purchase a “promotional pack” of goods, providing the “promotional pack” doesn’t cost more than a “normal” pack);
  • alternatively, avoid running an illegal lottery by offering free entry (or where one route to entry is not free, at least one alternative and equally publicised “free” route to entry which costs no more than what it would normally cost to use that method of communication);
  • if you are including a skill element, remember that the law applying to participants from Northern Ireland is slightly different (so participants from Northern Ireland should still be offered a free entry route even if participants from the rest of Great Britain have to purchase, for example, a “promotional pack”);
  • always include a closing date (and don’t change it);
  • always state what the prize actually is;
  • clearly state any restrictions (for example age; geographical location);
  • include details of the promoter;
  • tell people how winners will be informed;
  • always make it easy to find the applicable terms and conditions; and
  • ensure that any prize draw is conducted in accordance with the laws of chance, either by using a computer process that produces verifiably random results (consider using, or by an independent person, or under the supervision of an independent person.

If in doubt, bear in mind Rule 8.2 of Section 8 (Sales Promotions) of the CAP Code:

Promoters must conduct their promotions equitably, promptly and efficiently and be seen to deal fairly and honourably with participants and potential participants. Promoters must avoid causing unnecessary disappointment.

Social media sites have their own rules too
Once compliance with the CAP code has been addressed, social media sites’ own rules must be complied with.  The big risk here is that if either Facebook or Twitter don’t like your competitions, then they can disable or permanently delete your accounts.  (Anecdotal evidence suggests that deleted Facebook accounts are rarely restored.)

Twitter’s guidelines are fairly straightforward, Facebook’s less so. 

In fact, the Institute of Promotional Marketing is currently working with both Facebook and Twitter to develop guidelines for brands who wish to run social media competitions.

Nevertheless, it’s still possible to read Facebook’s Promotions Guidelines and Twitter’s Guidelines and identify some broad dos and don’ts.

On Facebook:

  • Don’t post a competition as a Status Update and ask “friends” to act upon it.  Facebook doesn’t like corporate/marketing content where social content should be, and prohibits the use of any “indigenous functionality” (Liking, Sharing, Commenting, checking-in, uploading photos to a Wall or responding to a poll/questionnaire) as a means of entering a competition.  Facebook instead recommends hosting competitions on externally hosted applications embedded into a Page App tab on your Facebook page.  (Upon reflection, the prohibition on using “Like” to enter is quite sensible – how could you tell the difference between someone just liking the page because they like your brand, or someone liking it to enter the draw?)
  • Facebook does allow you to stipulate that only people who “Like” your page can enter the competition. You are also allowed to limit people entering your competition to those who have checked into your location or who are using your Facebook app.
  • Ensure that the applicable terms and conditions acknowledge that Facebook is not associated with your competition in any way and that any personal information collected from the entrants is being sent to your company.  (In my experience a lot of terms and conditions relating to Facebook competitions fail to include this vital disclaimer.)
  • After a competition winner has been chosen, contact them off Facebook. (Make sure to collect contact details during the registration process so you don’t have a problem with this.)  You can’t use Facebook messages, chat, or posts to contact the winner.

On Twitter:

  • Discourage competitors from posting the same Tweet repeatedly.  (Competitions saying “whoever retweets this the most wins” are definitely a bad idea).  Twitter dislikes multiple Tweets because they damage the quality of searches.  The best solution is to state that multiple entries in a single day will not be accepted.
  • Encourage users to include an @reply to you in their Tweet so you can see all the entries.  Many of the complaints that reach the ASA regarding Twitter competitions involve suspicions that entries haven’t been received.  Relying on a public search may not show all relevant Tweets.

And remember that the CAP code and Gambling Commission rules outlined above will still also apply, so think about how you ensure that your competition does not accidentally become an illegal lottery.

If you have any questions about running a social media promotion, please get in touch.


Drafting enforceable dispute resolution clauses

Debate often surrounds the negotiation and enforceability of alternative dispute resolution (ADR) clauses that provide for mediation or conciliation prior to arbitration or the commencement of court proceedings.

The High Court’s recent decision in Wah v Grant Thornton International Limited emphasised the importance of precision in drafting to ensure alternative dispute resolution clauses can be enforced before proceeding to court should difficulties arise.

The court’s decision
Generally speaking, neither English nor Scots law recognises an agreement to agree (such as an obligation to negotiate amicably) as being enforceable. On its own, such an obligation is too imprecise to impose a contractually binding obligation. This means that ADR or dispute escalation clauses have to be carefully drafted in order to be enforceable.

In Wah, Judge Hildyard explained that the Courts have to balance giving effect to what the parties agree and ensuring that what the parties have agreed is capable of being given legal effect. In order to be enforceable the clause must sufficiently detail the process to be invoked and the parties’ obligations.

The ADR clause in Wah detailed an ADR procedure for resolution of any disagreements, which comprised an escalation procedure and arbitration.

Although lengthy, the High Court held that the pre-arbitration escalation clause was not a valid pre-condition to starting arbitration proceedings because the process was not sufficiently defined and was vague in terms of the parties’ respective obligations. In particular, it did not detail the nature of any attempts to resolve any disagreements, or what the escalation representatives were required to do.

Where an ADR clause is silent or does not specifically prohibit a party commencing proceedings (whether in court or arbitration) prior to the conclusion of certain clearly specified events (such as the completion of a multi-tiered escalation process), then either party can commence those proceedings at any point. In Wah, the ADR clause was not considered a condition precedent and therefore the arbitral tribunal had jurisdiction to hear the claim notwithstanding that the escalation process had not been completed.

Drafting tips
This case highlights the importance of negotiating clear ADR clauses when drafting contracts.

  • Any ADR clause should clearly detail the process to be followed before court or arbitration proceedings can be instigated.
  • The parties should consider how the clause will apply in practice and consider if the process detailed in the agreement is workable.
  • If the ADR clause includes expert determination, then the parties should ensure the powers given to these appointed experts are sufficient to resolve any potential issues. A failure to provide the expert with the relevant powers could result in the clause being held as unenforceable and the case progressing to the courts.

Resolving agreements to agree
It’s also important to remember that a dispute resolution procedure cannot always resolve a dispute if the underlying clause in the contract does not give sufficient guidance on what is required.

Agreements to agree are often inevitable in complex, long term commercial or outsourcing contracts. Sometimes during contract negotiations it is suggested that if during the term of the contract the parties are unable to reach agreement on an agreement to agree then the clause should state that the matter should be “resolved in accordance with the dispute resolution procedure”. Whilst this sounds great in principle, it may not work in practice. An escalation procedure may help focus and resolve areas of commercial disagreement. If, however, the process ultimately concludes with reference to an expert, arbiter or court, then it may not provide a satisfactory resolution unless the contract provides the expert, arbiter or court with a clear basis on which to make its decision.

For example, if the contract contains an agreement to agree (such as an obligation to negotiate and agree in good faith) in relation to the charges that a supplier may impose in the event that a contract is extended, then if the expectation of the customer is that the charges will not be any higher than those currently imposed, then the original clause should clearly state this and provide the expert, arbiter or court with a clear set of rules or principles upon which it is expected to make its decision.

If the contract doesn’t provide sufficient guidance on how the issue in dispute is to be resolved, then the outcome may not be the one that you are expecting – the expert, arbiter or court may consider that it is unable to resolve the dispute, leaving you in a deadlock, or (perhaps even worse) issue a decision that is not what you were expecting.

Martin Sloan

OFT finds that websites are continuing to fall short on consumer protection laws

The Office of Fair Trading (OFT) has recently published the results of its annual survey of over 150 websites to check whether or not they complied with consumer protection law.

The survey, which included the 100 top online retailers and most popular clothing sites, had some interesting results.

Key areas of non-compliance
Amongst the areas of concern, the OFT noted the following:

  • 33% of sites that provided information on returns placed unreasonable restrictions on consumers. For example, by only accepting returns in their original packaging.
  • The law – under the Consumer Protection (Distance Selling) Regulations (which apply to most contracts “concluded at distance” – for example, over the Web or by phone/mail order), consumers have the right to inspect the goods that they have purchased and have a seven working day ‘cooling off period’ in which they can return the goods, though there are some exceptions to this, such as where the goods are perishable or customised. If goods need to be returned in their original packaging, un-opened, then it is difficult for consumers to inspect the goods to check if they are fit for purpose. It’s also important that the return period runs from the correct date, and isn’t subject to other unreasonable conditions.

  • 62% of sites had no email contact address.
  • The law – the E-Commerce Regulations set out certain information that websites should contain, such as the registered or principal office of the organisation, its VAT number, if UK VAT registered, and a contact email address.

  • 24% of websites notified consumers of unexpected additional charges at checkout.
  • The law – The reach of the Advertising Standards Agency (ASA)’s remit now extends to advertising and promotions on an organisation’s own website. One of the main consequences of this is that pricing information should comply with the ASA’s CAP code – in particular, pricing should be transparent and not misleading. Websites should display total prices payable – if you can’t opt out of a charge then it’s not additional. Similarly, if most of the customers of a website pay VAT then prices displayed should be VAT-inclusive. For more information on ASA’s advertising rules see this earlier TechBlog post.

Website health check
The survey did show that the general awareness by website operators of their basic legal obligations in relation to trading online is improving. 

However, while the survey is a useful indicator of compliance with certain aspects of the law, it focussed only on the “fair trading” aspects of consumer protection law. It doesn’t look into some other key areas of legal compliance – for example what organisations do with the personal information of their customers.

Fair trading rules are just one aspect of a wider matrix of rules applying to trading online. The problem is that there are a lot of different aspects to website compliance and these will vary depending on whether or not the site is a trading website or whether it deals with consumers rather than businesses. Knowing exactly what is required can be complicated.

Brodies can help by carrying out a health check of your website, to audit its compliance with the key legal requirements and recommend changes that you should make to comply with the applicable laws. If you are interested in this, please get in touch.

Leigh Kirkpatrick

Consumer law – where can I sue?

In a recent case the European Court of Justice (ECJ) has ruled that consumers can sue in the member state in which they are domiciled, where the party that they are suing is domiciled in another member state, and the contract was not “concluded at a distance.”

This latter phrase was given a surprisingly wide interpretation by the court, and has consequences for any business that promotes its services online, even if it concludes contracts offline.

The facts
In this case, the individual raising the action, Ms Muhlleitner (who resided in Austria), had bought a car from a company based in Germany. She had come across the German company on the internet, but did not buy the car online; instead she travelled to Germany to conclude the contract and collect the car.

When Muhlleitner arrived back in Austria, she discovered that there was a problem with the car, but the company that she bought it from refused to repair it. She then raised an action in the Austrian courts to seek to annul the contract of sale. The Austrian courts then had to consider whether or not they actually had the jurisdiction to hear a dispute against a German trader, in relation to a contract that hadn’t been ‘concluded at a distance’ (by internet or by phone).

The law
The ECJ considered the issue, and decided that, under the Brussels Regulation, the contract did not have to be concluded at a distance for the consumer to be given the additional protection of being able to sue in their home state.  

Instead they found that, in order for a consumer to raise an action in their own member state (rather than the state of the business they are suing):

  • the business must pursue commercial or professional activities in the member state in which the consumer was domiciled, or in any way direct such activities to that member state; and
  • the contract in question must relate to those activities.

What this means
This decision will be welcomed by consumers, making it much easier (and cheaper) to raise legal proceedings against a supplier in another member state. As can easily be imagined, the concept of ‘directing’ or ‘pursuing’ commercial interests in a particular EU state is not that limiting when you consider that online marketing and the use of websites will bring into scope many businesses. The decision is consistent with the EU’s aims of protecting consumers and encouraging cross-border trade.

However, the decision may not be welcomed by businesses, who now need to be aware that rules governing jurisdiction of disputes now have a wider application than previously thought, bringing offline transactions into scope. Businesses that promote their services outside their member state should therefore be aware that exclusive jurisdiction clauses in their standard terms and conditions may not be effective.

Leigh Kirkpatrick

New ICO guidance on the use of cloud services

The Information Commissioner’s Office (ICO) has published new guidance on the use of cloud computing services. The guidance is intended to provide an overview of how data protection law applies to businesses that utilise cloud based solutions to handle and process data.

The guidance is essential reading for any organisation that currently utilises (or is considering utilising) cloud based solutions, and emphasises that organisations remain responsible for the security of data that they store or process in the cloud.

The guidance
The guidance covers a variety of cloud based services, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It also considers the differences between private, public and hybrid deployment models, and “layered” services where, for example, a SaaS vendor is in turn utilising a third party IaaS vendor – such as using a third party SaaS service that is hosted on servers by Amazon Web Services.

Issues covered by the guidance include:

  • Identifying the data controller (or data controllers)
  • The data controller’s responsibilities – including risk assessment, due diligence and monitoring
  • Selecting a cloud provider
  • Access control and protecting your data
  • Encryption
  • Understanding how the cloud provider will process data – for example, will it use any of the data processed by it for the purposes of targeted advertising?
  • Use of cloud services located outside the UK/EEA – including the importance of understanding where the cloud provider will store and process data
  • Staff training

The guidance also provides a checklist to help organisations assess the risks of using a cloud service, covering confidentiality, integrity of the data, availability and legal/contractual issues.

Assessing the cloud provider’s security measures
As with previous ICO guidance on outsourcing, the guidance emphasises the importance of pre-contractual diligence, appropriate written contractual terms between the data controller and the cloud provider (which prevent the cloud provider from changing the terms of service without your approval), and regular monitoring and oversight of the cloud provider’s compliance with the agreed information security measures. As the ICO notes, the fact that auditing and oversight may be harder with a cloud provider does not lessen the data controller’s obligations under the Data Protection Act.

The ICO does recognise the role that independent security audits (such as an ISAE3402 or SSAE16 report) can play in verifying the adequacy of the cloud provider’s security measures. For more on the use of such audits see this previous TechBlog post.

Organisations should, however, be aware that the ICO draws a distinction between security audits conducted in accordance with recognised independent standards, and industry recognised standards and kitemark schemes, as a kitemark is unlikely to address all aspects of data protection compliance.

Increased regulatory focus
As the fine issued last month to Scottish Borders Council illustrates, the adequacy of outsourcing arrangements is an area coming under increased scrutiny from the ICO, with hefty fines being levied where data controllers have failed to exercise appropriate oversight of their data processors.

For organisations that are increasingly looking to use cloud based services, this guidance will provide a timely reminder of the important steps that should be taken to ensure that such services do not adversely impact upon the security of personal data.

You can download the guidance from the ICO website.
