rosenblatt view

Archive for May, 2018

GDPR – what about business cards?

18/05/2018
Clock is ticking towards rollout of EU’s landscape-shifting data protection and privacy law. Time and tide wait for no man. And nor does GDPR. Business leaders take note: the countdown is almost

Clock is ticking towards rollout of EU’s landscape-shifting data protection and privacy law.

Time and tide wait for no man. And nor does GDPR.

Business leaders take note: the countdown is almost over. On 25 May 2018 the much vaunted and much daunted General Data Protection Regulation (GDPR) will be rolled out across the European Union. It will shift the data protection and privacy landscape for any business that controls or processes personal data. In practice that means each and every business must get its data house in order.

We take a look at the main features of the EU’s brainchild and where an age-old business tool fits into it all: the business card.

So, what about business cards?

If at a networking event someone hands you their business card, it’s dangerous to assume they’ve given you their unqualified consent to process their personal data carte blanche. Equally, it’s probably not necessary to recite your privacy notice while they consume a mini pastry or sushi in a spoon. It is however reasonable for them to expect you to contact them – so you’ve probably got their consent, at least to make initial contact.

It may not be so simple to establish legitimate interest when it comes to making contact beyond that initial approach. The Information Commissioner’s Office has recommended a three-stage test to establishing legitimate interest before processing a subject’s data:

  1. What is the purpose of the data processing?
  2. Is the data processing necessary to achieve that purpose?
  3. Do the data subject’s individual interests override those of the legitimate interest?

We need to consider the likely intentions or expectations of the data subject when they hand over their business card. They probably expect to hear from you and may expect a follow-up email on the topics you discussed, but whether they want or expect to be added to your marketing database and receive promotional emails is another question entirely. It is prudent to seek specific consent for that purpose.

Ultimately, it is up to you as the data controller to consider whether the processing of personal data meets the criteria under GDPR.

Best practice when it comes to adhering to all aspects of GDPR is to give full and proper consideration to how you process personal data, and why. Your systems and policy for handling personal data cannot be too detailed or too thorough. It may be that an automated consent form is generated when any contact is added to your database. Alternatively your first email to that person could be tailored to ask them specifically to confirm their consent – but always give them the option to unsubscribe!

For more information on GDPR generally, keep reading.

What is GDPR?

GDPR replaces the outdated Data Protection Directive (introduced in the digitally-simpler days of 1995). In contrast to EU directives, national governments don’t need to enable GDPR, so it will be applicable in the United Kingdom (and across the EU) from day one.

GDPR is designed to tackle the challenges posed to data privacy that have evolved over the last two decades with the rise of increasingly complex and opaque data technology. It aims to give a greater degree of control to individuals over how their data is stored and processed. GDPR gives individuals (or “data subjects”) enhanced rights, such as the right to be informed about how their data is held, the right to restrict the processing of their data, or the right to be erased (or “forgotten”).

Above all however, GDPR introduces a new regime under which organisations are accountable for how they handle personal data. A key aspect of GDPR is the duty it places on businesses (and their data processors) to manage and monitor their own data management protocol in a fair and transparent manner.

It is no longer adequate to simply deal with data issues as they arise. In this new world order organisations must be able to demonstrate they have given proper consideration to how they will comply with the rules of GDPR. From 25 May 2018, every business should have a GDPR protocol in place – and if they don’t, the consequences could be very expensive.

Why does GDPR matter?

The GDPR regime has teeth.

The penalties for non-compliance with GDPR will be severe.  A breach of the rules may result in a fine of up to €10 million or, if greater, 2% of a company’s global turnover. That penalty could be imposed for failing to promptly notify the supervising authority (in the UK, the Information Commissioner’s Office) of a data breach, or neglecting to keep adequate data processing records.

In the case of a serious breach, such as processing individuals’ data without their consent, offenders could face a fine of €20 million or, if greater, 4% of their global turnover.

Does GDPR affect my business?

GDPR is almost certain to affect your business because personal data (whether it is that of a customer, an employee or a supplier) is so intrinsic in the way organisations conduct their business in the digital era, whether it is stored electronically or not.

GDPR applies to both “controllers” and “processors” of personal data. If your business is responsible for handling personal data on behalf of another organisation, it is likely to be a processor under GDPR. If your business is not a processor, the chances are it is a controller – meaning it determines the purpose, conditions and means of processing personal data. In some cases a business could be a controller and a processor.

However whether your business is a controller or a processor or both, it must comply with GDPR and have a lawful basis for processing personal data. If you are a controller, you must have a GDPR-compliant contract in place with all of your processors. If you are a processor, you also ought to consider protecting yourself by having a contract in place, as processors may now be accountable directly to data subjects.

What is “personal data”?

Personal data is any information from which a natural person can be directly or indirectly identified.

In the case of a business card, the personal data is pretty apparent – the data subject’s name, email, phone number and address, and any other information on the card which can be used to identify the person. The data subject can be directly identified by his or her name, but details such as a job title also allow indirect identification.

In other cases information which constitutes personal data may be less obvious, and could be anything from medical records to an IP address. As a rule, if a person can be identified through information, it is personal data as far as GDPR is concerned. It is clear that regulators will view the definition of personal data with a wide scope, so it would be prudent to have policies and procedures established to handle all forms of information.

How can we lawfully process personal data under GDPR?

GDPR sets out six bases upon which personal data can be lawfully processed:

 

  • Consent from the data subject to use their personal data for a specific purpose
  • A contract between the controller or processor and the data subject which makes the processing of their personal data necessary 
  • A legal obligation on the controller or processor which requires the personal data to be processed
  • It is in the vital interest of a data subject for their personal data to be processed
  • The processing of the personal data is necessary to perform a public task
  • It is in your legitimate interest (or that of a third party) to process the personal data (but this will not override the interests of the data subject).

In everyday business, most people would expect to rely on consent or legitimate interests, but even then it’s best to tread carefully. Speak to a data protection and privacy expert to create a bespoke plan to ensure your business is GDPR compliant.

Rosenblatt’s Commercial team advises on GDPR compliance and data protection policies in addition to its media/technology/IP expertise. For more information, please contact Chris Pulham.

The content of this bulletin should not be construed as legal advice. If you do require legal advice, please contact a solicitor at Rosenblatt.

 

Wrotham Park no more – moving forward with negotiating damages

03/05/2018 | Noel Deans & Sean Field-Walton
Morris-Garner and another (Appellants) v One Step (Support) Ltd (Respondent) UKSC 20 In Morris-Garner the Supreme Court had the opportunity to consider damages awards for breach of contract based o

Morris-Garner and another (Appellants) v One Step (Support) Ltd (Respondent) [2018] UKSC 20

In Morris-Garner the Supreme Court had the opportunity to consider damages awards for breach of contract based on the price that would have been hypothetically negotiated for releasing the restrictive term. It follows that from handing down of the judgment on 18 April 2018, Morris-Garner is now the leading case on the matter and should be a point of reference for practitioners and employers alike.

Background and Wrotham Park

The remedy for breach of contract is often given little more explanation than the often repeated phrase: “the measure of damages for breach of contract is to put the innocent party in the position that they would have been in had the contract been performed”. Damages are usually awarded in circumstances where a party can be considered to have suffered some financial loss through breach or non-performance of a contractual term. As such, they are usually considered compensatory. Nonetheless, in some cases, including those where enforcement is sought for breaches of restrictive covenants contained in employment contracts, injunctive proceedings in the High Court are another source of recourse.

There are, however, other scenarios where there is no clear economic loss suffered and an injunctive remedy is considered inappropriate. Wrotham Park Estate Co Ltd v Parkside Homes Ltd [1974] was one such case. In Wrotham Park, a plot of land was sold subject to restrictive covenants on the development of a portion of that land. Ultimately, that land was transferred to a property developer who was not aware of the said restrictions. The developer proceeded to develop the land in breach of that restriction.

Despite being aware of plans to develop the land and a grant of planning permission, the party holding the right to enforce that restrictive covenant only made their objection known when they applied for an interim injunction against the developers. This was after the development had begun. Albeit the injunction was sought at an early stage of the development, Brightman J decided that although the claimant would ordinarily be entitled to an injunction it should be rejected as a matter of discretion. The state of law at the time suggested that no or nominal damages should be awarded as the claimant had suffered no financial damage from the breach of contract. Nevertheless, the claimant was awarded a sum equal to that which the Court considered they would have received on a negotiated release of the restrictive covenant; 5% of the developer’s anticipated profit. The award of damages on the basis of a hypothetical negotiation has until this point tended to be referred to as “Wrotham Park” damages. In Morris-Garner, the Supreme Court said that they prefer to call these “negotiating damages” and therefore we adopt this terminology for the purposes of this article.

The facts of Morris-Garner

Morris-Garner involved a joint venture between two defendants and the claimant. The joint venture provided rented accommodation and support services to enable vulnerable individuals referred by local authorities to live as independently as possible. In 2006, the first defendant transferred her 50% shareholding to the claimant in return for £3.15 million. The first defendant was subjected to confidentiality, non-solicitation and non-competition covenants running for three years. Within the restricted period and in breach of those restrictive covenants the first and second defendant founded and operated a business in competition with that of the claimant. In the words of Lord Reed who delivered the leading judgement on behalf of the Supreme Court in this case:

“[the claimant] sought an account of profits, or alternatively what were described as restitutionary damages, in such sum as it might reasonably have demanded as a quid pro quo for releasing the defendants from those covenants, or, in a further alternative, what were described as compensatory damages for the loss it had suffered by reason of the defendants’ breach of those covenants.”

                                                                                             Emphasis added.

The first instance judge applied Wrotham Park by saying that the claimant could elect to either receive negotiating damages calculated as the fee the defendants would have had to pay to be released from their obligation, or alternatively compensatory damages in the form of lost profits or possibly goodwill. At the Court of Appeal, this decision was upheld. That Court considered the test for whether negotiating damages could be awarded was whether an award of damages on that basis was a just response in the particular case which was a matter for the judge to decide on a broad brush basis.  The Supreme Court ruled that both the first instance judge and the Court of Appeal had taken an approach that could not be considered to be correct. The salient areas of the judgment in Morris-Garner are set out below.

A theoretical objection?

At paragraph 91 Lord Reed dealt with what some had argued was a bar to the award of damages on a negotiated damages basis, namely that “[t]he use of an imaginary negotiation can give the impression that negotiation damages are fundamentally incompatible with the compensatory purpose of an award of contractual damages”. He did so by stressing that the relevant contractual right should be conceptualised as an asset and an economic value being given to the fact that a party had been deprived of it.

Understanding contractual rights as assets

He also accepted at paragraph 95(9) that the normal inference “[w]here the claimant’s interest in the performance of a contract is purely economic, and he cannot establish that any economic loss has resulted from its breach” would be that they have suffered no loss and in that event, they could not be awarded more than nominal damages. However, he goes on to explain at paragraph 95(10) that “negotiating damages can be awarded for breach of contract where the loss suffered by the claimant is appropriately measured by reference to the economic value of the right which has been breached, considered as an asset”. The hypothetical negotiating is only a means of reaching a value.

No right to elect how damages are assessed

In rejecting the approach taken by both the judge at the first instance and by the Court of Appeal, Lord Reed at paragraph 96 clarified that no claimant is entitled to elect how their damages are assessed. Part of this confusion may have been caused by a misunderstanding of the previous cases which could be seen as treating Wrotham Park assessments as some entirely separate means of assessing damages. Shutting down this view, Lord Reed emphasised that using an imaginary negotiation is “merely a tool” for assessing the value of a financial loss.

Concluding thoughts

Morris-Garner has been remitted to the lower courts for the Court to consider the financial loss and/or loss of goodwill which the claimant has actually sustained.

Claimants should be encouraged in that the Supreme Court has clearly enunciated that an inability to show clear financial loss is not necessarily the be all and end when seeking a damages award for breach for contract.

By providing authoritative clarification on an area of law with confused reasoning, Morris-Garner has narrowed the scope for seeking negotiating damages. The Supreme Court is clear that the ordinary inference if no clear loss can be proven is that no or nominal damages should be awarded.

Nonetheless, claimants should fully explore recovering damages on a negotiated damages basis where they cannot easily identify a financial loss but can put an objective economic value to a benefit protected by the contractual term that has been infringed.

Negotiating damages are not understood as a departure from ordinary compensatory damages. They are ordinary damages awarded following the use of a hypothetical negotiation used to assist a judge in calculating the economic value of an asset or a right that is taken or infringed through breach of a contractual term.

Our employment department has experience and expertise in all of the above areas.

 If you would like any further information, please contact Noel Deans at noeld@rosenblatt-law.co.uk or on 0207 955 1413.

This article should not be taken as definitive legal advice on any of the subject matter covered. If you do require legal advice, please contact Rosenblatt as above.

  • contact

Latest news