
Technology Media and Telecommunication. Issue 57, January 2011

Data Protection and Freedom of Information

EU - Update to Data Protected

At the end of last year, we updated Data Protected, the most comprehensive summary of European data protection laws.

The report contains a detailed overview of data protection legislation in each EU Member State together with Russia, Switzerland and the European Economic Area States of Iceland, Liechtenstein and Norway. For each of these jurisdictions, the report contains:

> an analysis of what constitutes personal data;
> details of local processing requirements, including the formalities necessary to obtain consent;
> an up to date review of sanctioning powers in these jurisdictions together with details of how those powers have been exercised in practice;
> an overview of restrictions on transborder dataflows;
> details on local notification requirements; and
> links to national regulators' websites and national legislation.

Access to Data Protected is free and available here.

Contents

Data Protection and Freedom of Information
EU – Update to Data Protected ... 1
EU – Data Protection in 2011 ... 2
Germany – Imprisonment for privacy breach ... 4
Hong Kong – New restrictions on international transfers ... 5
Poland – Amendments to data privacy rules ... 8
Sweden – Registration relaxed for whistle blowing hotlines ... 10
UK – Google undertakings and future privacy regulation ... 12
UK – Information Commissioner puts a price on security ... 15
UK – Human rights and confidentiality obligations ... 20
UK – Information Commissioner steps up audit program ... 22

Media and Telecoms
Sweden – The Pirate Bay convictions upheld ... 25

Outsourcing
UK – Does failure to pay justify walking away? ... 27
UK – Update on endeavours clauses ... 30


EU – Data Protection in 2011

2011 is likely to be another important year for data protection and privacy practitioners. The highlight is likely to be the European Commission's continued work revising the data protection framework and, in particular, its long-awaited redraft of the Data Protection Directive which is expected in the middle of the year.

Let's hope it meets businesses' expectations by addressing the issues raised by the current privacy framework in a sensible and pragmatic manner, i.e. more harmony in the implementing laws of the Member States, technology neutral provisions which can survive the fast changing technological environment and the prioritisation of efficient privacy protection over administrative red tape.

In a nutshell, my wish list includes:

> the adoption of legislation that ensures greater uniformity in the legal regimes of the Member States. In this respect, serious consideration should be given to the use of a Regulation rather than a Directive;
> an ex post regime for the protection of citizens' rights based on actual harm rather than an administrative ex ante system with burdensome notification and approval processes;
> greater emphasis on self-regulation as a means to respond to the fast developing technological environment, recognising that the adoption of new legislation takes time and the principles contained in legal instruments should remain technology neutral to ensure their long-term effectiveness;
> more clarity around the new and increasingly popular concepts of “privacy by design”, “the right to be forgotten” and “data portability”. The introduction of such concepts should be subject to an impact assessment involving businesses and privacy associations to identify realistic approaches in line with the rapid development of technologies;
> a more pragmatic approach to the interpretation and enforcement of data protection legislation, for example with regard to key legal definitions such as “personal data”, “data controller”, “data processor” and “consent” and in relation to determination of applicable laws. A sensible approach to these issues balancing the rights of citizens against business needs is a critical issue for Europe's competitiveness and the development of innovative services such as cloud computing solutions; and
> an overhaul of the rules on transborder data flows, further simplifying and broadening the use of binding corporate rules for multinationals and enabling a similar regime for data processors and non-group companies with a sufficiently close relationship. This should be supplemented by a review of the current system for “white listing” countries – a more flexible 'adequacy' approach should be available tailored to specific circumstances and transfers rather than the review of the legal data protection system of an entire country.

Looking beyond the borders of Europe, I would also like to see and actively contribute to the promotion of a more global approach towards data and privacy protection. It is time to foster a global framework made out of both legislation and effective self-regulation encompassing the traditional developed economies, such as the US and Japan, as well as fast growing economies such as the BRIC countries. I would welcome the roots of a global treaty being put in place during the current calendar year, combining the work of organisations such as the OECD and the APEC, although I am conscious that this will be a demanding and time-consuming effort.

This wish list is certainly not exhaustive but it provides an idea of what I believe should lead the attention of regulators, legislators as well as legal practitioners in 2011.

By Tanguy Van Overstraeten, Brussels

This article first appeared in the January 2011 edition of Data Protection Law & Policy (www.e-comlaw.com/dplp/index.asp).


Germany – Imprisonment for privacy breach

A recent judgment by the German criminal courts demonstrates the increasing importance of data privacy laws and the risk that serious breaches of those laws will be severely punished.

Corporate investigations

The matter originated from an article in the German magazine Capital in early 2005. It reported on the medium-term planning of Deutsche Telekom AG in remarkable detail. Deutsche Telekom was extremely annoyed about the article and the apparent leakage of information from the organisation. Thus, the former CEO of Deutsche Telekom, Kai-Uwe Ricke, asked the then head of Deutsche Telekom's group security, Klaus Trzeschan, to identify the leak.

To conduct his investigation, Trzeschan collected and analysed the telephone connection data of more than 40 journalists, unionists and supervisory board members in 2005 and 2006. The purpose of this exercise was to find out who contacted whom and to narrow down the range of potential suspects. Furthermore, Trzeschan kept copies of connection data of five journalists, in case further leakages occurred in the future.

Quis custodiet ipsos custodes?

When this investigation came to light, a criminal investigation was launched into Trzeschan's conduct. This culminated in the Bonn Regional Court sentencing Trzeschan to three and a half years' imprisonment on 30 November 2010.

The sentence was primarily imposed because Trzeschan's collection and use of the telephone connection data of a number of journalists, unionists and supervisory board members was a breach of telecommunications secrecy legislation. However, the sentence also reflects three additional charges of bad faith and fraud by Trzeschan against Deutsche Telekom.

The presiding judge of the Bonn Regional Court stated that Trzeschan had tried to take the law into his own hands. The Court also considered that this case of spying must be regarded as a particularly serious crime.

During the proceedings, Trzeschan assumed sole responsibility for what had occurred, and he has lodged an appeal against the decision.

By Daniel Pauly and Carolin Reul, Frankfurt


Hong Kong – New restrictions on international transfers

The Privacy Commissioner has recently indicated that one of the strategic goals for the Office of the Privacy Commissioner for Personal Data in the next few years is to bring section 33 of the Personal Data (Privacy) Ordinance (“PDPO”) into force as soon as possible. Section 33, which prohibits the transfer of personal data outside Hong Kong unless one of a number of conditions is met, has been part of the PDPO since it was enacted but has never been brought into operation.

Organisations transferring personal data to jurisdictions outside Hong Kong should review their existing personal data arrangements to ensure that such transfers will be lawful once section 33 comes into force.

What is section 33?

Section 33 of the PDPO applies to personal data which is collected, held, processed or used in Hong Kong or is controlled by a data user whose principal place of business is Hong Kong. It prohibits the transfer of personal data outside Hong Kong unless at least one of the following conditions in section 33(1) is met:

> the destination has been approved by the Office of the Privacy Commissioner for Personal Data for the purposes of section 33;
> the data user has reasonable grounds for believing that there is in force in that place "any law which is substantially similar to, or serves the same purposes as" the PDPO;
> the individual has consented in writing to the transfer;
> the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject, that it is not practicable to obtain the data subject's consent, and that such consent would be given if it were practicable to obtain it;
> the data are exempt from data protection principle 3 by virtue of an exemption under "Part VIII – Exemptions" in the PDPO; or
> the data user has taken "all reasonable precautions and exercised all due diligence to ensure" that the data will not in that place be collected, held, processed or used in any manner that would constitute a contravention of the PDPO if it occurred in Hong Kong.

However, despite having been on the statute books since 1995, section 33 has never come into force. This has meant that transfer of personal data to entities outside of Hong Kong (such as servicing agents or other group entities outside Hong Kong) is permissible provided that organisations have complied with data protection principle 1 (collection of personal data) and data protection principle 3 (use of personal data) and notified data subjects at the time of collecting their personal data that such data may be transferred out of Hong Kong for the purposes specified.

Typically organisations discharge this obligation by including a statement to this effect in the Personal Information Collection Statement issued to individuals before collecting the personal data from them. However, once section 33 comes into force, mere notification will not be sufficient.

Why should you get ready for section 33?

Last year, the Privacy Commissioner published his "Strategic Plan for 2010 – 2014" in which he stated that:

“The [Office of the Privacy Commissioner for Personal Data] has commenced preparatory works for the implementation of section 33 of the PDPO and will make extra effort in working with the Administration with a view to putting it into operation as soon as possible.”

While this does not provide any certainty as to the likely date on which section 33 will come into force, it does suggest that section 33 is on the Privacy Commissioner's agenda for the next three years and may well commence operation within that timeframe.

How should you get ready for section 33?

Perhaps one of the easiest ways to ensure that personal data is lawfully transferred outside Hong Kong is to obtain the written consent of the individual to the transfer pursuant to section 33(1)(c). Accordingly, organisations should look at the procedures they use to collect personal data and try to obtain consent as part of that process.

Of course, obtaining the written consent of individuals is not the only way to comply with section 33. One of the other ways, prescribed by section 33(1)(f), is where organisations can show that they have taken "all reasonable precautions and exercised all due diligence to ensure" that the data, once transferred outside Hong Kong, will not be dealt with in a manner that would constitute a contravention of the PDPO.

The Privacy Commissioner has stated in a Factsheet on section 33 that one method for achieving this is for the parties to the transfer to enter into a binding contract, or other acceptable agreement, applying the data protection principles to the data upon its transfer to the place outside Hong Kong.

A "model contract" for the purpose has been provided by way of guidance. The model contract includes, among other things, representations and warranties by the transferring party that the data is lawfully transferred in accordance with the data protection principles, and also by the receiving party that the data is and will be dealt with in accordance with the data protection principles. It also requires the receiving party to indemnify the transferring party in respect of any breach, fault or negligence arising from the contract and to destroy the data on termination of the contract.

Where organisations are transferring personal data to jurisdictions such as Europe which already have comprehensive data protection laws, putting in place such a contract is unlikely to be difficult since entities in those jurisdictions are already required to comply with similar (if not more onerous) requirements to those imposed by the PDPO. Moreover, it is reasonable to expect that the Privacy Commissioner will include such countries in any future “white list” issued under section 33(1)(a) (in which case there would be no need for the contractual arrangement to be implemented as well).

Other transfers

However, as the Privacy Commissioner notes in his Strategic Plan, there is an increasing trend for organisations to outsource personal data processing to servicing agents in jurisdictions which do not have legislation in place for the protection of personal data privacy. It is therefore important for organisations to review their existing contractual arrangements with such entities and consider whether more robust requirements around the handling of that data need to be introduced.

By Rowan McKenzie and Prue Bindon, Hong Kong


Poland – Amendments to data privacy rules

The long-awaited amendment to the Polish Data Protection Act (the “DPA”) will enter into force at the beginning of March 2011.

The amendments are intended to clarify sections of the DPA and make it more effective. In pursuit of the second aim, there are a number of amendments relating to the status and powers of the Polish data protection authority, the Inspector General for the Protection of Personal Data (the “GIODO”), though it will only receive limited powers to impose fines. Nevertheless, work on the next round of amendments to the DPA has already begun and should contain new fining powers as well as covering other issues such as data protection in the web community.

Clarifications to the DPA

The amendments resolve the previous ambiguity about the withdrawal of consent by including a provision stating that consent can be withdrawn at any time. There are no transitional or “grandfathering” provisions, so it should be assumed that this right of withdrawal also applies to consents given before the amendments came into force. Any such recall of consent should not, however, prevent the processing of personal data where the controller can rely on another legal ground to legitimise that processing.

The obligation to respond to subject access requests has also been amended. The previous provisions in the DPA could be interpreted as only obliging the data controller to provide the information specifically listed in the provision. The new amendments make it clear that a data subject is entitled (to the extent limited by law) to full details of all processing carried out by a data controller.

The amendments have also limited the situations in which personal data can be disclosed to third parties. Prior to the amendment, anyone could obtain personal data about an individual (other than sensitive personal data) provided that they had good reason and disclosure would not infringe any rights and freedoms of their subject. For example, this was used by attorneys to request personal details of their clients' opponents. However, this provision has been deleted and such requests are now subject to the general regime of data processing. Those requesting personal data will have to show there is an appropriate legal justification under the DPA rather than just trying to convince the data controller they need to obtain that personal data.

Finally, the registration provisions of the DPA have also been amended. Once the amendments are passed, a data controller will only be allowed to expand its processing activity to include the processing of sensitive data with the prior approval of GIODO. Mere notification of such amendment to GIODO will no longer be sufficient.

The status and powers of GIODO

The amendments still do not give GIODO the power to issue financial fines directly for breaches of the DPA. However, GIODO will have the power to impose fines where it has issued a decision to a data controller and the data controller has subsequently failed to comply with it.

For the purposes of improving the protection of personal data, GIODO will have the power to issue pronouncements regarding data processing by particular entities. Those pronouncements should have the value of a recommendation, and failure to observe them may have negative consequences in case of a subsequent GIODO inspection.

An additional criminal sanction has been introduced. This will make it an offence to prevent or obstruct an inspection by GIODO's inspectors. It is punishable by a fine, restriction of liberty, or imprisonment for up to two years.

Criticism of the amendments

Many of these amendments have been criticised by legal commentators in Poland who insist that financial sanctions should be introduced, rather than criminal ones, to ensure the proper enforcement of the DPA. There are also calls for greater recognition of administrators of information security. Some commentators have argued that a data controller should not be subject to official inspections by GIODO or formal registration obligations under the DPA where it has employed a professional administrator of information security. However, such changes will have to wait for further amendments to the DPA.

By Ewa Kurowska-Tober and Gabriela Trębicka, Warsaw


Sweden – Registration relaxed for whistle blowing hotlines

The Data Inspection Board (Sw. Datainspektionen) has issued a new regulation which, from 1 November 2010, allows companies to implement some whistle blowing hotlines without the need to obtain an exemption from the Data Inspection Board.

Background

In Sweden, processing of personal data concerning legal offences involving crime, judgments in criminal cases, coercive penal procedural measures or administrative deprivation of liberty is, as a general rule, prohibited unless the data controller is a public authority. The Data Inspection Board and the Swedish Government may, however, grant exemptions from this prohibition in an individual case or through general regulations.

Since 2008 a large number of companies have applied for, and have been granted, specific exemptions for their whistle blowing hotlines. To simplify the administrative process and, at the same time, ensure that the requirements to protect personal integrity are maintained, the Data Inspection Board has now issued a new regulation which, under certain circumstances, enables a whistle blowing hotline to be set up without a specific application and decision from the Data Inspection Board.

Scope of permitted hotlines

The new regulation relieves companies that wish to process personal data in a whistle-blowing hotline of the obligation to apply for an exemption from the Data Inspection Board. It does not, however, change any of the requirements on how companies handle and process personal data held in such systems. The regulation contains the same requirements for such hotlines that the Data Inspection Board previously set out in the individual decisions of exemption.

According to the regulation and the Data Inspection Board's guidance to the regulation:

> the personal data processed in such a system can only relate to persons in key or management positions within the company or group of companies;
> there must be an adequate and objective justification to set up such a hotline, rather than using the company's normal information and reporting channels;
> the hotline must be limited to reports that there have been serious abuses relating to accounting, internal audits, audits, bribery, offences within the banking and insurance sector or other serious abuses regarding the vital interests of the organisation or the life and health of individuals. Other serious abuses could, for example, be serious environmental crimes, serious deficiencies with regard to security at the workplace and very serious forms of discrimination and harassment; and
> the system must complement the company's normal administrative routines and it must be voluntary to use.

In addition to these specific requirements, the provisions in the Personal Data Act (Sw. personuppgiftslag (1998:204)) must be complied with when processing personal data in a whistle-blowing system.

If a company wishes to process personal data relating to crime in a way that does not fulfil the general requirements set up by the Personal Data Act and the Data Inspection Board, a specific exemption must be applied for from the Data Inspection Board.

By Emma Linnér, Stockholm


UK – Google undertakings and future privacy regulation

In November 2010, Google signed wide-ranging undertakings agreeing to

significantly improve its privacy compliance with a particular emphasis on

policies, training and privacy by design. It will need to report to the

Information Commissioner on its progress and submit to a consensual audit

covering both its UK and US offices.

These undertakings arise out of Google‟s Street View cars‟ collection of Wi-Fi

payload data. No doubt Google will now be hoping to draw a line under this

matter in the UK. However, the incident demonstrates an increasing focus on

structural, rather than behavioural, compliance which is likely to feature in

both future enforcement action and amendments to the Data Protection

Directive itself.

Google Street View

Google Street View is an augmentation to Google‟s online mapping service

that provides a street-level view of some parts of its map. It was created by

sending cars to photograph cities around the world with 360-degree cameras

strapped to the roof. Despite the fact that the cars are simply photographing

public scenes on public roads, the service has been highly controversial.

Google has had to make a number of amendments to this service following

incidents in which people were caught sunbathing, leaving adult

establishments or burgling premises.

Of much greater concern was the news in May that the Google Street View

cars were also collecting data from open Wi-Fi networks in over 30 countries

for a period of three years. Google had only intended to collect the network

addresses of the Wi-Fi routers to provide a location-mapping service.

However, following an audit request by the German data protection

authorities, Google discovered that it had been collecting the actual data sent

over unencrypted Wi-Fi networks – i.e. the contents of those transmissions.

Investigation by the Information Commissioner

The Information Commissioner sent two senior members of staff to Google‟s

UK premises to investigate. On the basis of their investigation and

discussions with Google, they concluded that the Wi-Fi data was fragmentary

and would not identify any individual.

Accordingly, the Information Commissioner decided not to take any formal

action. There may well have been a dose of pragmatism in this decision but it

also reflects the limits on his powers. If the data does not identify any

individual, it is not personal data and Google‟s actions are not subject to the

Data Protection Act 1998. Equally, while it is likely this interception of

communications was a criminal offence under the Regulation of Investigatory

Powers Act 2000, the Information Commissioner has no powers to enforce

this legislation. It instead falls to the police and it is notable that the

Metropolitan Police have decided not to pursue a criminal prosecution.

Page 13: Technology Media and Telecommunication. January 2011...Issue 57 January 2011 January 2011 Technology Media and Telecommunication. Data Protection and Freedom of Information EU - Update

Issue 57 January 2011 13

The Information Commissioner‟s position has, however, been subject to

criticism from a number of privacy bodies. These criticisms were heightened

when a Google blog on 22 October 2010 revealed that “in some instances,

entire agreements and URLs were captured, as well as passwords”. This lead

to a Commons Debate on 28 October 2010 in which a number of MPs were

strongly critical of the Information Commissioner.

Undertakings with teeth

This rapidly led to the Information Commissioner re-opening his investigation

and, within a matter of days, publicly stating that he was seeking

undertakings from Google and would serve an Enforcement Notice if Google

did not agree to them. This is unusual, as normally the Information

Commissioner only publicises undertakings after they have actually been

agreed to. The undertakings required Google to:

> continue and update employee orientation programmes on Google‟s

privacy principles;

> train Google employees on its code of conduct including sections on

privacy;

> enhance the core training for engineers and other important groups

with a particular focus on the responsible collection, use and handling

of data;

> institute a security awareness programme for Google employees;

> require engineering project leaders to maintain a privacy design

document for each initiative they are working on which involves the

processing of significant user data. Such document should record how

such user data is handled and be reviewed regularly by managers;

> delete UK payload data when Google has no other outstanding legal

obligation to retain such data; and

> within nine months facilitate a consensual audit by the Information

Commissioner.

These undertakings are very extensive and, arguably, go far beyond the sorts of obligations that could be imposed under an Enforcement Notice, because they apply to Google’s operations generally rather than just to those activities responsible for the original breach. This approach could also breathe new life into the use of undertakings, which have traditionally relied on naming and shaming an organisation but have now largely lost their sting due to the frequency with which they are issued. It will be interesting to see if future undertakings are similarly onerous.

In any event, Google agreed to these undertakings on Friday 19 November 2010. It will now be audited by the Information Commissioner.


Audit by the Information Commissioner

The audit right is the most striking part of the undertakings and underscores their breadth. It will take place in two phases. First, Google must itself prepare a written privacy report covering:

> Internal Privacy Structure – Google must provide the Information Commissioner with details regarding the development of its new Privacy Team led by Dr Alma Whitten, other privacy-focused teams, and their initiatives within Google. It must also analyse cross-functional privacy efforts across the engineering, product management, compliance and internal audit functions.
> Privacy Training & Awareness – Google must provide an overview of its revamped privacy training and awareness efforts, including summaries of the substance of training and awareness initiatives provided to Google employees, engineers and product managers, as well as employees in the legal, sales and human resources departments.
> Privacy Reviews – Google must assess its privacy reviews for its products, including a discussion of the implementation of Privacy Design Documents, and analyse related processes, including code audits undertaken against these documents. The Privacy Report must also provide the Information Commissioner with an overview of reviews such as Google’s annual Safe Harbor certification.

This will effectively transfer much of the burden of the audit to Google. The review will also need to be conducted carefully and methodically, as once it is complete the Information Commissioner will be entitled to validate the privacy report’s accuracy and findings via an in-person review. This review will not be limited to the UK, and the Information Commissioner has specifically reserved the right to conduct part of this exercise at Google’s US headquarters.

The future of enforcement, the future of privacy

The Information Commissioner’s enforcement action shows a clear direction of travel from behavioural to structural compliance. It will be very interesting to see whether future undertakings contain similarly extensive obligations and how the Information Commissioner uses undertakings in the future now that he also has the power to issue monetary penalty notices.

This also reflects the wider debate about the future of data privacy. The European Commission’s recent communication on the Data Protection Directive contains similar structural compliance themes, such as the appointment of data privacy officers, accountability and privacy by design, many of which have gained significant support and are likely to feature in future amendments to the Directive.

The Google undertakings are available here

By Marly Didizian, Richard Cumbley and Julian Cunningham-Day, London


UK – Information Commissioner puts a price on security

In November 2010, the UK Information Commissioner issued his first administrative fines under the Data Protection Act 1998. Hertfordshire County Council received a monetary penalty notice of £100,000 for faxing highly sensitive information to the wrong recipients on two occasions, and employment services company A4e received a monetary penalty notice of £60,000 following the theft of an unencrypted laptop containing personal information about 24,000 people.

While the Act imposes a range of obligations, it is no surprise that the first monetary penalty notices are for security breaches. Neither of these breaches is particularly unusual and, given that similar breaches still take place on a regular basis, further fines are likely.

Background

In April 2010, the Information Commissioner was given the power to issue administrative fines, “monetary penalty notices”, of up to £500,000 if:
> there is a serious contravention of the data protection principles;
> the contravention is of a kind likely to cause substantial damage or distress; and
> the contravention was deliberate or reckless (reckless in the sense that the data controller knew or ought to have known that there was a risk of a contravention likely to cause substantial damage or distress but failed to take reasonable steps to prevent it).

While fines have previously been available for breach of the Act via the courts, this is a significant extension of the Information Commissioner’s powers. First, there is no initial “yellow card” for data controllers. Under the old regime, fines were only available for breach of the data protection principles if the Information Commissioner first issued an Enforcement Notice and the data controller subsequently breached it. Second, based on these first monetary penalty notices, the level of fines is higher. The Information Commissioner has criticised the “pathetic fines” for previous breaches of the Act imposed via the courts.

A4e – Theft of an unencrypted laptop

The first monetary penalty notice was issued against A4e, a company contracted by the Legal Services Commission to operate Community Legal Advice Centres in Hull and Leicester. It employs approximately 3,250 staff, of whom around 1,000 work remotely.

One of these home workers was burgled in mid-June 2010 and the laptop used by that worker was stolen. It contained information about 24,000 clients of A4e, including their name, postcode and date of birth, as well as sensitive personal data such as information about ethnicity or disability status. While A4e had started to roll out encryption earlier in 2010, this particular laptop was still unencrypted. Moreover, while A4e’s policies required employees to access data on a central secure network via a secure link, the Information Commissioner found that A4e was aware that employees were not using this technology and were instead storing data locally on their laptops.

The Information Commissioner decided that a monetary penalty notice was available for this breach because:

> the failure to encrypt the laptop was a serious breach of the seventh data protection principle, which requires appropriate technical and organisational measures to protect personal data;
> it could lead to substantial distress to individuals due to the risk of their information being disclosed to third parties. In particular, 15 individuals complained directly to the Information Commissioner and 3,200 rang a helpline set up by A4e. Distress was likely even though there is no evidence that the data has actually been misused; and
> A4e knew or ought to have known that there was a risk of a breach, given that its employees were holding substantial amounts of information locally on their laptops, but failed to protect that data through encryption.

In setting the level of the monetary penalty notice at £60,000, the Information Commissioner was mindful of the facts above but also of a number of mitigating factors, such as the prompt action by A4e in response to the breach and the fact that A4e voluntarily reported the breach to the Information Commissioner, was fully co-operative during the investigation and has subsequently applied encryption to the whole of its laptop estate.

Hertfordshire County Council – Mis-directed faxes

The second monetary penalty notice arose when Hertfordshire County Council faxed highly confidential information relating to a child sex abuse case to the wrong recipient on 11 June 2010. The person sending the fax did not use a pre-programmed auto-dial button to send the fax and instead mis-typed the fax number manually. They also failed to attach a fax cover sheet with appropriate protective markings indicating that the information was confidential and what to do if the fax was sent to the wrong number.

The council obtained a High Court injunction against the recipient requiring them to destroy the data and informed the Information Commissioner. The council made a number of improvements to its processes, including making encrypted email the default for sending confidential information and only allowing sensitive information to be faxed with the consent of a senior member of the legal team.

When the council met with the Information Commissioner on 24 June 2010 they were reluctant to implement further measures such as a “ring ahead” system. However, on that same day a council employee sent another highly sensitive fax to a barristers’ chambers rather than Watford County Court, again as a result of manually typing the fax number rather than using the auto-dial functionality.

The Information Commissioner decided that a monetary penalty notice should be issued for these breaches because:

> the failure to adopt the “ring ahead” procedure advocated by the Information Commissioner was a serious breach of the seventh data protection principle. There is always a risk that manually typed fax numbers might be entered incorrectly, and the council did not have the right processes in place to manage this risk;
> it could lead to substantial distress to individuals, particularly given the nature of the information. This is the case even though only 57 individuals were affected and it seems very unlikely that the information would be misused in this case; and
> the council was aware of the risks and ought to have taken more steps to protect this information given its highly sensitive nature.

In setting the level of the monetary penalty notice at £100,000, the Information Commissioner focused on the fact that there were two repeated breaches and that the information was highly sensitive. Interestingly, another aggravating factor was the “potential for media coverage relating to these security breaches to cause data subjects further distress” – i.e. the press coverage caused by the Information Commissioner’s decision to take enforcement action was itself an aggravating factor. In mitigation, the council voluntarily reported the breach to the Information Commissioner, was fully co-operative during the investigation and has now implemented a “ring ahead” procedure.

How to avoid a fine

Data security has been an enforcement priority for the Information Commissioner over the last few years, so it is no surprise that the first monetary penalty notices are for security breaches; nor are these particular security breaches unusual. To avoid receiving a similar fine in the future, organisations should look closely at their data security measures, with a particular focus on the following areas:

> encryption of mobile devices, including laptops, USB sticks and back-up tapes. The monetary penalty notice issued to A4e is a good example of the need to apply such measures, as is the FSA’s £2.3 million fine of Zurich for the loss of unencrypted back-up tapes in August 2010. The Information Commissioner has been consistent in his guidance on this point for a number of years, and organisations that have failed to heed this guidance unquestionably expose themselves to fines if data loss results;
> secure disposal of information. Insecure disposal of electronic and manual records is another area in which the Information Commissioner has taken a consistently hard line. One recent example is Healthcare Locums Plc, which had to give the Information Commissioner undertakings in October 2010 after a hard drive containing doctors’ security clearance and visa information had been sold on an auction website;
> avoiding mis-directed electronic communications. The monetary penalty notice issued to Hertfordshire County Council is one example, as are the undertakings given by the Lord Chief Justice of Northern Ireland in October 2010 following the inappropriate disclosure of personal data in an email from his office earlier in 2010. While occasional mis-typed fax numbers or email addresses are unavoidable, the Information Commissioner expects appropriate processes and procedures to be in place to minimise the risk of such an event occurring and to mitigate any subsequent damage;
> proper access controls to information. For example, in November 2010 the Independent Parliamentary Standards Authority gave undertakings after an internal database was left insecure for a period of some 21 hours following IT maintenance. The insecurity resulted in the potential compromise of personal data relating to 332 Members of Parliament; and
> putting proper contractual arrangements in place with data processors, including appropriate data protection and data security obligations.

The examples above demonstrate that security breaches are still occurring on a regular basis. Many of the undertakings set out above related to breaches that occurred prior to April 2010, so monetary penalty notices were not available. However, similar breaches may well lead to further monetary penalty notices in the future.

Voluntary notification

There is no legal obligation to notify the Information Commissioner of a security breach (though a limited duty will apply to telecoms operators from May 2011), and these monetary penalty notices highlight the risks of voluntary notification. In particular, it is clear that the Information Commissioner may still take action even if there is no evidence that the lost data is being misused, the breach is the result of employees failing to follow company policies and guidelines (especially if the company is aware those policies are not being followed), or only a limited number of people were involved.

However, in these particular cases there may have been little choice. Not only did the unintended recipient of the council’s fax decide to report the matter to the Information Commissioner, but A4e’s decision to inform the affected individuals meant it inevitably had to inform the Information Commissioner, as evidenced by the fact that 15 of those individuals subsequently made direct complaints to the Information Commissioner.

A benchmark for future fines

The level of these initial monetary penalty notices is also interesting and, as set out in the notices, is “likely to set a precedent by which future notices will be judged”. The Information Commissioner previously indicated that fines are likely to be towards the upper end of the spectrum, given that matters would need to be quite serious in order to justify a monetary penalty notice in the first place.

However, both fines are more moderate and towards the lower end of the spectrum. This may be influenced by the mitigating factors present in both cases, such as voluntary reporting of the breach to the Information Commissioner and the provision of full co-operation in the subsequent investigation. In addition, both breaches seem to have caused little actual harm to individuals. If they had, the level of fines would have been much higher. Finally, both the council and A4e will benefit from a 20 per cent discount if they make early payment.

Conclusions

The fines start to put a price on data security. When the additional costs of investigating and rectifying a breach are added in, together with the associated reputational damage, it provides a powerful argument to take information security seriously.

By Julian Cunningham-Day and Georgina Kon, London

This article first appeared in the December 2010 edition of World Data Protection Report (www.bna.com/products/corplaw/wdpn.htm).


UK – Human rights and confidentiality obligations

The Court of Appeal’s decision in Veolia v Nottinghamshire County Council [2010] EWCA Civ 1214 highlights the effect of the European Convention on Human Rights on confidentiality obligations. The court decided that a statutory obligation to disclose information should be “read down” so as to restrict access to confidential information. This approach has now been adopted in other cases, such as Staffordshire County Council v Information Commissioner EA/2010/0015, in which the Information Tribunal also “read down” obligations to disclose information under the Environmental Information Regulations 2004.

Confidentiality as a human right

Veolia had a contract with Nottinghamshire County Council under which it provided waste management services. A local resident made a request to inspect and make copies of that contract. He did so exercising powers under section 15(1) of the Audit Commission Act 1998, which provides that:

“At each audit under this Act…any persons interested may ... inspect the accounts to be audited and all books, deeds, contracts, bills, vouchers and receipts relating to them”

This provision was followed by an express carve-out limiting any disclosure of personal data. The High Court decided that this entitled the local resident to a copy of the waste management contract regardless of the fact that it contained confidential information.

However, this decision was overturned by the Court of Appeal at the end of 2010. The disclosure of the confidential contract would infringe Veolia’s rights under Article 1 of the First Protocol (protection of property) and, potentially, Article 8 (right to respect for private and family life) of the European Convention on Human Rights. Accordingly, section 15(1) should be “read down” to limit access to such information. This does not provide an absolute bar to the release of confidential information but rather, under the general principles of the European Convention on Human Rights, requires a “fact-sensitive and nuanced approach … in which the private and public interests involved have to be balanced in the interests of proportionality” to determine whether such information should be released.

The decision makes the Audit Commission Act 1998 a much less attractive means of obtaining information from public authorities. The Act might provide access to information in cases where other freedom of information legislation does not (as the test under the Act is a balance between private and public interests, rather than between competing public interests), but it is relatively unlikely that this would make a real difference, and any advantage is largely outweighed by the restrictions in the Act on who can access information and when, and by the lack of a proper dispute resolution process if access to information is denied.

Environmental information regulations

The Court of Appeal’s decision has already started to influence other decisions. For example, in Staffordshire the Information Tribunal had to consider a request for information on sales and permitted reserves of silica sands at Moneystone Quarry in Staffordshire. The Information Tribunal decided that this request should be dealt with under the Environmental Information Regulations 2004 and concluded that it was exempt, as the information was supplied on a voluntary basis and was subject to a duty of confidence which protected a legitimate economic interest (reg. 12(5)(e) and (f)).

However, in doing so, it made a number of statements of wider relevance:

> the disclosure of confidential information by a public body engages ECHR rights, and any statutory information access rights must be read down to give effect to those rights;
> in this case the Regulations contain a statutory presumption in favour of disclosing information (reg. 12(2)). Following Veolia, this presumption should not be applied to confidential information; and
> where confidential information is held by a public authority, there is a “strong public interest” in maintaining that confidence.

This represents a significant shift in the interpretation of the Environmental Information Regulations 2004 and may make it more difficult to obtain confidential environmental information in the future.

Freedom of information

Similar changes may occur in the interpretation of the Freedom of Information Act 2000. For example, information is exempt from disclosure if it was provided by a third party and its disclosure would be an actionable breach of confidence (section 41). This has been interpreted restrictively in the past and does not exempt:

> contracts concluded with a public authority, on the basis that the information has not been obtained from a third party and is, instead, a jointly created work; and
> information where the public authority has a “public interest defence” justifying disclosure of that information. This public interest defence is not the same as the liberal public interest test in the Act itself, but early cases have stated that “this difference will rarely affect the outcome of a case, as it is unlikely that the relevant factors will be so finely balanced” (Derry City Council v Information Commissioner EA/2006/0014).

Both conclusions could be vulnerable in light of Veolia. Similarly, many exemptions under the Act are subject to an additional public interest test. It may now be easier to show that this favours withholding confidential information, though the Information Tribunal’s (unpublished) decision in Nottinghamshire CC v Information Commissioner (EA/2010/0142) is said to suggest that Veolia adds little to the existing public interest balancing exercise.

Veolia v Nottinghamshire County Council [2010] EWCA Civ 1214 is here

Staffordshire County Council v Information Commissioner & Sibelco EA/2010/0015 is available here

By Peter Church, London


UK – Information Commissioner steps up audit program

In December 2010, the Information Commissioner expanded the scope of his consensual assessment program by approaching 60 organisations, 55 of them from the private sector, and asking whether they were interested in participating in such an assessment. This article considers the background to the assessment program and the factors to consider if you receive such a request.

Assessment process

The Information Commissioner may, with the consent of a data controller, carry out an assessment of its data processing to determine whether the data controller is following good practice. The result of that assessment will be shared with the data controller and, with the data controller’s consent, an executive summary will be published on the Information Commissioner’s website. More information about the Information Commissioner’s approach is set out in the Assessment Notices Code of Practice (see Appendix A).

If the data controller is a government department, the Information Commissioner can also insist on a compulsory audit through the service of an Assessment Notice.

Use of these powers

The table at the bottom of this article provides a breakdown of the data controllers approached by the Information Commissioner since he started this consensual assessment program in May 2010. The information reveals a number of interesting facts:

> there was a significant increase in the number of organisations approached in December 2010, more than twice as many as in all the previous months put together;
> the program has now been extended to include private sector entities, as evidenced by the significant number of financial firms, retailers etc. approached in December; and
> the take-up was very high until December. The drop-off in acceptances in December is partly because these organisations were only approached recently and are no doubt still considering this opportunity (or sorting through their Christmas post). However, the large number of private sector entities approached in December is also likely to be a factor.

It is also useful to look at the assessments completed to date. In particular, the following organisations have now been through the assessment process: The Law Society, HMRC, the MoD, DEFRA, Trafford House Trust, Hidden Hearing, PHSO, Shropshire Council, UKBA, North Devonshire NHS Trust, NHS 24 and Cornwall Council. All but three of these organisations agreed to the publication of an executive summary of the outcome of that assessment.


Would you agree to an assessment?

The instinctive reaction of many organisations will be to avoid an assessment – particularly those in the private sector, where the Information Commissioner cannot fall back on a compulsory audit power. However, agreeing to an audit may provide a number of benefits, including:

> the opportunity to build a relationship with the Information Commissioner;
> an executive summary of the consensual audit will only be disclosed with consent – though withholding the summary may well raise questions; and
> a monetary penalty notice cannot be served as a result of matters discovered in that audit. Other enforcement action may in theory be taken by the Information Commissioner, but this would appear to go against the spirit of the audit, which the Information Commissioner sees as a “constructive process”.

There are also longer-term issues to consider. The European Commission has challenged the Information Commissioner’s inability to carry out a compulsory audit on all data controllers. This may well result in the compulsory audit powers being extended to private sector entities in due course, which would make it impossible to avoid an audit.

Refusing an assessment may also influence future enforcement decisions by the Information Commissioner. If a breach occurs, the Information Commissioner may well have this factor in mind when deciding whether to resolve the matter informally, seek undertakings, or issue an Enforcement Notice or a monetary penalty notice. If the Information Commissioner does seek undertakings, he might also use that as an opportunity to lever in an audit right to ensure he is able to conduct an assessment. For example, the recent Google undertakings contained extensive audit rights for the Information Commissioner (see TMT News, January 2011: Google undertakings point to the future of privacy regulation).

Notwithstanding these considerations, it seems likely that many private sector entities targeted in December will be unwilling to voluntarily agree to an assessment and the additional regulatory scrutiny this entails.

Details of previous assessments conducted by the Information Commissioner are available here.

By Matthew Hunter, London


Month (2010) | Contacted | Sectoral breakdown (contacted) | Accepted | Sectoral breakdown (accepted)
June | 1 | Local government (1) | 1 | Local government (1)
July | 3 | Local government (1), NHS (1), Devolved government department (1) | 3 | Local government (1), NHS (1), Devolved government department (1)
Aug | 3 | Local government (1), NHS (2) | 3 | Local government (1), NHS (2)
Sept | 1 | Government department (1) | 1 | Government department (1)
Oct | 5 | Charity (1), Local government (2), Probation service (1), NHS (1) | 5 | Charity (1), Local government (2), Probation service (1), NHS (1)
Nov | 13 | Government department (9), NHS (4) | 12 | Government department (8), NHS (4)
Dec | 60 | Finance companies (25), Retail companies (9), Communications companies (10), Debt collection companies (7), Police forces (3), Marketing companies (3), Utility company (1), Local government (1), Independent regulator (1) | 6 | Finance companies (4), Police forces (2)


Media and Telecoms

Sweden – The Pirate Bay convictions upheld

In November 2010, the Court of Appeal upheld the earlier conviction of three people behind the torrent tracking website The Pirate Bay. It reduced the terms of imprisonment imposed on those defendants for breaches of criminal law, whilst increasing the civil damages payable to the relevant rights holders. All three defendants have appealed to the Supreme Court. A fourth defendant, who helped to operate the site, was not present at the appeal for medical reasons and will be tried at a future date.

Initial judgment

In April 2009, in a joint criminal and civil case, the three operators of the site and their one investor were found guilty by the District Court of Stockholm of being complicit in criminal breaches of copyright law. The four defendants were each sentenced to one year in prison and were together held liable to pay damages of approximately SEK 32 million. The criminal charges were supported by a consortium of intellectual property rights holders, including the International Federation of the Phonographic Industry, Warner Bros. Entertainment, Metro-Goldwyn-Mayer Pictures, Columbia Pictures Industries and Twentieth Century Fox Film.

The three defendants appealed to the Court of Appeal, which had to consider both the criminal and civil elements of the judgment.

Criminal breaches of copyright law

The torrent files in The Pirate Bay’s database allow other internet users to locate and download content, including copyright material. Making materials protected by copyright available in such a way, even indirectly, is still classified as making that work available to the public under the Copyright Act (Sw: lag (1960:729) om upphovsrätt till litterära och konstnärliga verk) and can be a criminal offence. According to the Court of Appeal, it is clear that no consent had been given to the transfer by the copyright owners and it was therefore not permitted.

The Court of Appeal also decided that such offences were subject to the jurisdiction of the Swedish courts, as a substantial component of the principal criminal acts – i.e. storing the torrent files in The Pirate Bay’s database – took place on The Pirate Bay’s servers in Sweden. Thus the principal criminal acts were considered to have been performed in Sweden, meaning that Swedish law is applicable and the Swedish courts are competent.

Complicity with the criminal offences

While providing the torrents is an offence, the torrents were not uploaded by the defendants themselves but by unknown third parties who used the site. Accordingly, the defendants were not directly liable for these activities.

However, the Court of Appeal upheld the District Court's finding that The Pirate Bay's website – through its search functions, the facility it offered to upload and store torrent files, and its tracker function, which brings individual file sharers together – comprised a service that facilitated the principal criminal acts, even though those acts might have been committed in other ways. Accordingly, the three defendants who ran the website were providing a service that promoted the principal criminal acts and were complicit in those crimes. The investor's complicity consisted of providing computers, broadband services and computer storage.

Reduction in sentences

Contrary to the District Court, the Court of Appeal decided that the actions of the defendants could not be assessed collectively by reference to all of the activities of The Pirate Bay. Instead, the Court of Appeal made a more individualised assessment of the acts performed, holding each defendant criminally liable only for the acts he himself performed. Since some of the alleged acts had not been proven and others were not considered criminal, the Court of Appeal reduced the sentences of the three defendants from one year of imprisonment to ten and eight months respectively for the two operators and four months for the investor. The sentences for the two operators also reflected the fact that The Pirate Bay operates as a commercial and organised business.

Increase in civil damages

Despite the reduced sentences, the total damages awarded to the rightsholders were increased from approximately SEK 32 million to around SEK 46 million. Contrary to the District Court, the Court of Appeal did not think it reasonable to reduce the damages for copies of the copyright works made outside Sweden. The Court of Appeal further held that the defendants had jointly caused the losses and were therefore jointly and severally liable for them to the rightsholders.

By Emma Linnér and Christoffer Lööw, Stockholm

Outsourcing

UK – Does failure to pay justify walking away?

In December 2010, the Technology and Construction Court considered the fallout from a failed software development project which culminated in the supplier, Atos Origin, suspending work. After a long and detailed review of the background to the project, Edwards-Stuart J decided that the customer, De Beers, was in breach of contract, including by failing to make a milestone payment, but that these breaches did not justify Atos suspending work. Moreover, by suspending work, Atos had repudiated the development contract. This article considers the reasons for the judge's conclusions and the lessons to be learnt from the case.

A supply chain management system

De Beers needed an improved software system for use in its diamond aggregation processes (the sorting and mixing of diamonds according to value), the operation of which was to be moved from the UK to Botswana. De Beers' requirements were complex and specific to its business as a major diamond trading company.

After a tender process, De Beers decided to engage Atos Origin and

commissioned it to undertake an initiation and analysis project to investigate

De Beers' requirements in order to establish the scope and cost of the

project. This analysis phase was completed by November 2007 and Atos was

awarded a £2.9 million contract to develop the new system for De Beers.

Completion of the project was initially scheduled for June 2008.

Although the contract had been preceded by an initiation and analysis phase, Atos had not fully grasped the complexity of De Beers' requirements and the project soon fell behind schedule. By the end of March 2008 Atos had informed De Beers that the completed software system would not be delivered before October 2008. The parties agreed a revised programme, but De Beers refused to make a significant milestone payment to Atos because of its dissatisfaction with the schedule and the quality of Atos' work.

Unfruitful discussions between the parties took place and Atos warned De

Beers that unless it renegotiated the terms of the contract, changed the

payment terms and waived all claims against Atos relating to the project, Atos

would suspend work. De Beers refused and Atos suspended work on the

project in June 2008. The work was never resumed and the contract came to

an end.

Repudiation of the contract

Both parties alleged that this was a result of repudiation by the other. Atos

argued that De Beers had failed to pay the milestone payment and failed to

provide adequate co-operation. In contrast, De Beers argued that Atos had no

right to suspend work.

The judge decided that a repudiatory breach “must go to the root of the

contract”, with the party in breach showing “an intention to abandon and

altogether refuse performance of the contract” (The Nanfri [1979] AC 757).

With this test in mind he carried out the unenviable task of sorting through the

background to determine who was right.

Alleged repudiation by De Beers

The most obvious basis for a repudiation by De Beers was the failure to pay the milestone payment. The judge considered that this was not a repudiatory breach, as De Beers never evinced an intention not to be bound by the contract. It was, however, a material breach, and Atos could have terminated the contract under the contractual termination provisions by serving a notice and allowing a 30 day remedy period. Atos never served such a notice.

Atos also argued that De Beers' failure to co-operate was a repudiation of the development contract. For example, Atos alleged that De Beers:

> failed to manage its side of the project;

> failed to adequately describe its business requirements and provide

internal resources to assist Atos;

> delayed providing technical documentation regarding its legacy

systems; and

> provided business processes information during the initiation and

analysis phase that was incomplete or lacked sufficient detail. (The

judge specifically rejected this allegation as it related to events that

took place before the contract was entered into.)

The judge accepted that some of these claims had been made out and amounted to breaches of the contract (for which Atos was entitled to damages, see below). However, these breaches fell well short of a repudiation: they were all relatively minor, Atos never made any complaint in writing about them, and there was an implicit waiver of any right to terminate in the extensions of time agreed in March. Perhaps more fundamentally, they were not repudiatory because the problems suffered by Atos were not caused by De Beers' lack of co-operation but were instead a result of Atos' failure to anticipate the complexity of De Beers' requirements.

The final argument was that De Beers had repudiated the contract by not

following the change control procedure. In particular, De Beers had rejected

many of Atos' change requests on the basis that they were within the original

scope of work. The judge rejected the suggestion that this could be a

repudiatory breach.

Alleged repudiation by Atos

In contrast, the judge concluded that Atos‟ suspension of work amounted to

repudiation. Atos had not simply threatened to suspend work until the

milestone payment was made, something it was entitled to do under the

contract. Instead, Atos had threatened to suspend work unless De Beers

agreed:

> to amend the commercial terms of the contract so that Atos would

complete the project on a time and materials basis at Atos' internal

rates (which would add an estimated £4.6 million to the cost of the

project); and

> to waive any claims it had against Atos.

The judge commented that “there is a very significant difference between

being willing to complete a project, and being willing to fulfil a contract”.

Damages

Accordingly, De Beers was entitled to damages for breach of contract. The

judge decided that the damages should be £1.4 million, which was equal to:

> the cost to De Beers of building a replacement system together with

some other additional expenses (which came to approximately £4.4

million), less

> the costs it would have had to pay under the now terminated

development contract and damages due to Atos for breach of contract,

in particular the failure to co-operate (which together came to

approximately £3.0 million).

The calculation of the second bullet raised interesting issues about the scope

of the development contract. De Beers' requirements turned out to be more

complex than was originally anticipated, but was that additional complexity

within the scope of the contract or a change for which additional charges

would be payable? Edwards-Stuart J decided that a distinction could be

drawn between:

> a “change in breadth” – This is a change that introduces new

functionality. This will be outside the scope of the original contract and

would attract additional charges; and

> a “change in depth” – These do not introduce new functionality but rather add scale and complexity to the project. This might happen when a set of business requirements is reduced to a technical specification. Changes in depth are much more contentious, as the customer may have understood this complexity at the start of the project and assumed the supplier did as well, whereas the supplier may have legitimately understood the requirements to refer to something much simpler. The experts in this case suggested that a distinction could be drawn by asking whether there is a solution that meets the high level requirements at a significantly lower cost than the solution necessary to meet the detailed specification. If so, the additional complexity is outside the scope of the project and should be dealt with through change control.

With this test in mind, the judge considered whether the refinement of De Beers' initial requirements into a more detailed specification resulted in “scope creep”, which would need to go through change control and for which additional charges would be due. In general, he decided that such work was within the scope of the contract. In relation to one such refinement, he stated:

“If … Atos contracts to provide a system that will support those detailed

requirements, whatever they turn out to involve, then – absent any

contractual safeguards – it seems to me that it takes the risk that they will turn

out to be more, rather than less, complex than it had anticipated at the

outset”.

Lessons learnt

The case highlights a number of important lessons. Firstly, the root of this dispute was Atos' failure to anticipate the complexity of De Beers' requirements. Suppliers should ensure that they have properly understood their customer's requirements before committing to a fixed price or delivery timetable. Similarly, customers should not assume they can simply transfer this risk to their suppliers. In this case, De Beers suspected from the beginning that Atos had underestimated its requirements and might have saved itself a long and expensive court battle had it addressed this problem at the outset.

Secondly, customers should be aware that a failure to co-operate with and assist their supplier may be a breach of contract. This will depend on the terms of the contract. In this case, De Beers' failure to co-operate may not have been grounds to terminate but did entitle Atos to damages, which were offset against its liability to De Beers.

Finally, suppliers should think very carefully about threats to suspend work or

not perform their obligations under an agreement, unless there is a clear

contractual basis to do so. This judgment makes it clear that even fairly

material breaches by the customer (such as De Beers‟ failure to make a

milestone payment) may not be sufficient to justify this type of action.

De Beers UK Ltd v Atos Origin IT Services UK Ltd [2010] EWHC 3276 is available here

By Emma Harrington, London

UK – Update on endeavours clauses

There are a number of reasons why contracting parties refuse to give an absolute commitment and, instead, will only “try” to achieve an objective. The objective might be in the hands of a third party, relate to uncertain future events, or the clause may simply be papering over the cracks where no commercial agreement has been reached.

The obligation to “try” is normally expressed as an endeavours clause, with the choice of clause reflecting how hard that party has to “try”. A great deal of effort can be spent arguing for one variant over another, but what these clauses will require in practice is uncertain and depends greatly on the context in which they are used. The last year has, however, provided some additional guidance.

Obligation to inform

An important, but often overlooked, aspect of endeavours clauses is illustrated by the Scottish case EDI v NCP [2010] CSOH 141. EDI paid NCP £5 million for an interest in a car park in Castle Terrace, Edinburgh and undertook to use “all reasonable endeavours” to redevelop that car park.

However, it became clear that the redevelopment would lead to a shortage of car parking space in Edinburgh city centre and that it was unlikely ever to be approved. Accordingly, EDI exercised a buy back clause requiring NCP to take back its interest in the car park and repay the £5 million.

NCP refused to do so, arguing that EDI had not exercised all reasonable

endeavours to redevelop the car park. One aspect of this argument was that

EDI had not informed NCP of the problems caused by the shortage of car

parking space. If it had, NCP may have been able to help in finding alternative

parking provision to replace the Castle Terrace car park.

The judge agreed that an all reasonable endeavours obligation may well

require the obligor to inform the other party of the difficulties he is having and,

in some cases, see if that other party has a solution to the problem. However,

in this case, NCP were unable to suggest any realistic alternative parking

opportunities so even if they had been approached, nothing would have come

of it.

The case highlights that an obligor may well have to inform, and involve, the

other party where there are difficulties in fulfilling an endeavours clause. A

wise obligee might include express provisions to clarify this duty and put the

matter beyond doubt.

What does all reasonable endeavours mean?

So what does “all reasonable endeavours” mean? This is one of the more controversial and least considered forms of endeavours clause. The orthodox view is that it is a halfway house between “reasonable endeavours” and “best endeavours” (UBH v Standard Life, The Times, 13 November 1986). More detail on what each of these phrases means can be found here (subscription required), but one of the distinguishing features is that reasonable endeavours clauses are usually regarded as not requiring the obligor to sacrifice his own commercial interests. In contrast, an obligor who commits to best endeavours may well have to subordinate his interests to those of the obligee.

In Rhodia v Huntsman [2007] EWHC 292 the judge stated that an obligation to use reasonable endeavours probably only requires a party to take one course of action, whereas best endeavours probably requires a party to take all courses of action available. This created another view of the “all reasonable endeavours” obligation – that it could be equated with best endeavours in this respect because both require all courses of action to be pursued. This has been used to argue that all reasonable endeavours is the same as best endeavours in all respects, whereas it seems likely that the statement relates only to the number of courses of action a party must take and not to the extent to which that party must otherwise prejudice its commercial interests.

This more limited interpretation is supported by the recent decision in CPC

Group v Qatari Diar [2010] EWHC 1535 which related to the redevelopment

of the Chelsea Barracks site. Qatari Diar were obliged to use “all reasonable

but commercially prudent endeavours” to ensure the development went

ahead. However, the development was controversial and, following intervention by the Prince of Wales amongst others, it became clear that the planning application might not be granted. Qatari Diar decided to withdraw the application and pursue a new development strategy.

Vos J had to decide whether this was a breach by Qatari Diar. He concluded that an all reasonable endeavours obligation does not always require the obligor to sacrifice its commercial interests and that, in this case, the additional “commercially prudent” qualification put the matter beyond doubt. Accordingly Qatari Diar was entitled to rely on those interests and withdraw the planning application. In contrast, had the withdrawal simply been a political decision to appease the Prince of Wales, that may well have been a breach of its obligations.

While the decision provides some further clarification of this term, its meaning is still elusive and may be more metaphysical than practical (see the comments in EDI v NCP). Time spent arguing over its meaning may be better spent setting out what the obligor will have to do in practice.

Further analysis by the authors on the interpretation of endeavours clauses is available here (subscription required).

By Richard Cumbley and Peter Church, London

Author: Peter Church

This publication is intended merely to highlight issues and not to be comprehensive, nor to provide legal advice. Should you have any questions on issues reported here or on other areas of law, please contact one of your regular contacts, or contact the editors.

© Linklaters LLP. All Rights reserved 2011

Contacts

For further information please contact:

Tanguy Van Overstraeten, Partner, (+32) 2501 9405, [email protected]

Peter Church, Managing PSL, (+44) 20 7456 4395, [email protected]

One Silk Street, London EC2Y 8HQ

Telephone (+44) 20 7456 2000

Facsimile (+44) 20 7456 2222

Linklaters.com