Our IT & Outsourcing eBulletin contains summaries of the following recent developments in the law and regulation of technology, outsourcing and data protection in the EU and the UK.
1. Moving the Goalposts: Supreme Court decision on penalties
In a recent Supreme Court decision, the rule on penalties in English law has in effect been re-written. The court found that the underlying rationale of the rule had been misunderstood and, as a result, applied in many situations where it is both unnecessary and unjust: Cavendish Square Holding BV v Talal El Makdessi; ParkingEye Limited v Beavis UKSC 67.
The traditional test for deciding whether a contractual clause is a penalty has been to assess whether the clause is:
- a "genuine pre-estimate of loss" and therefore compensatory; or
- aimed at deterring a breach and therefore penal.
The Supreme Court has now ruled that the true test should be whether the clause is out of all proportion to the innocent party's legitimate interest in enforcing the counterparty's obligations under the contract. If so, it will be penal and therefore unenforceable. This new test should therefore be more permissive of negotiated financial (dis)incentive regimes.
The issue of penalties has long been a tricky one in the context of long-term service agreements and outsourcing contracts where the parties wish to include some form of service credit or liquidated damages regime to apply in the event that agreed service levels are not adhered to. Both customers and suppliers have traditionally struggled to document the concept of a "genuine pre-estimate of loss" in relation to such regimes.
The Supreme Court's judgment is therefore likely to be welcomed by customers, although suppliers might be concerned that it opens the door for customers to demand greater compensation for late delivery or missed service levels.
Either way, service credit and liquidated damages regimes are likely to be the subject of increased focus and negotiation for the foreseeable future whilst customers and suppliers alike test the boundaries of the new penalty regime.
The Supreme Court heard two appeals relating to whether certain sums payable on breach of contract were penal and therefore unenforceable. The appeals arose in very different contexts, and with different conclusions by the Court of Appeal.
The underlying dispute in the Makdessi case concerned certain provisions of a share purchase and shareholders’ agreement. These provided that if the seller (Mr Makdessi) was in breach of certain non-compete restrictions, he lost his entitlement to deferred consideration that would otherwise be payable, as well as the benefit of a put option to sell his remaining shares at a price determined by reference to goodwill; instead a call option was triggered, which allowed the purchaser (Cavendish) to buy his remaining shares at a price based on net asset value, with no provision for goodwill. The Court of Appeal held that the provisions were penalties and therefore unenforceable. The Court of Appeal found that the provisions were not a genuine pre-estimate of loss; were extravagant and unreasonable compared to the likely damage resulting from a breach; and had no commercial justification. That meant they were unconscionable, as their purpose was deterrence rather than compensation, and they were therefore penal.
The ParkingEye case related to a charge of £85 imposed upon an individual, Mr Beavis, for overstaying a two-hour permitted period of free parking at a retail park in Chelmsford. The Court of Appeal rejected an argument that the charge was penal. Although it was not a genuine pre-estimate of loss, and was aimed at deterring motorists staying beyond the permitted period, it was not extravagant or unconscionable and was justifiable both commercially and by other factors.
Supreme Court Decision
The Supreme Court allowed the appeal in Makdessi and dismissed the appeal in ParkingEye, in each case finding that the provisions in question were not penal.
The decision helpfully recognised that a party can, in some circumstances, have a legitimate interest in enforcing performance which goes beyond simply being compensated for losses. The Supreme Court's decision therefore introduces a more flexible test than the traditional analysis of whether a clause was aimed at deterrence rather than compensation. Of course, the question of precisely what will amount to a legitimate interest, and whether a clause is out of proportion to that interest, may be open to debate in many cases. But the decision provides a much more helpful starting point, and should result in less interference in contracts freely negotiated between commercial parties of similar bargaining power. Indeed, the judgment goes so far as to state:
"In a negotiated contract between properly advised parties of comparable bargaining power, the strong initial presumption must be that the parties themselves are the best judges of what is legitimate in a provision dealing with the consequences of breach."
The decision is also helpful in confirming that a clause may fall outside the rule against penalties altogether if it takes effect in circumstances other than a breach of contract, for example a payment which is conditional on performance, rather than an entitlement to liquidated damages in the event of breach. It may therefore be possible to avoid the application of the rule altogether with careful drafting, although the judgment does make it clear that the classification of a contractual term will depend on substance rather than mere form.
For further details and analysis of the Supreme Court judgment, please click here to view an article written by David Nitek and Maura McIntosh of Herbert Smith Freehills. The article first appeared in the December 2015 issue of PLC Magazine.
2. Reach for the Cloud: FCA publishes consultation on IT outsourcing
On 12 November 2015, the UK Financial Conduct Authority ("FCA") published draft guidance with the aim of clarifying the requirements on firms when outsourcing to the 'cloud' and other third-party IT services.
The FCA sees the cloud as encompassing a range of IT services provided in various formats over the internet including private, public or hybrid cloud, as well as Infrastructure as a Service, Platform as a Service, and Software as a Service.
The guidance explicitly states that the FCA considers cloud services to be a form of outsourcing. However, the FCA acknowledges that there are particular risks associated with outsourcing to the cloud which differ from traditional outsourcing arrangements, and these risks primarily affect the degree of control exercised by the firm:
- Cloud customers may have less scope to tailor the service provided.
- Cloud customers may also have to accept that cloud service providers will move their data around.
- Outsource service providers may contract out part of their operation to other cloud providers. This may occur without the firm initially realising.
In relation to legal and regulatory considerations, the guidance states that a firm should:
- have a clear and documented business case or rationale in support of the decision to use one or more service providers for the delivery of critical or important operational functions or material outsourcing;
- ensure the service is suitable for the firm and consider any relevant legal or regulatory obligations, including where a firm is looking to change their existing outsourcing requirements;
- as part of the due diligence exercise, ensure that in entering into an outsource agreement it does not erode, impair or worsen the firm's operational risk;
- consider the relative risks of using one type of service over another e.g. public versus private ‘cloud’;
- maintain an accurate record of contracts between the firm and its service provider(s);
- know which jurisdiction the service provider’s business premises are located in and how that affects the firm’s outsource arrangements;
- know whether its contract with the service provider is governed by the law and subject to the jurisdiction of the United Kingdom. If it is not, it should still ensure effective access to data and business premises for the firm, auditor and regulator;
- consider any additional legal or regulatory obligations and requirements that may arise such as through the Data Protection Act 1998; and
- identify all the service providers in the supply chain and ensure that the requirements on the firm can be complied with throughout the supply chain. Similarly, where multiple providers form part of an overall arrangement (as distinct from a chain) the requirements should be complied with across the arrangement.
The guidance also provides further advice for firms in relation to the areas of risk management, international standards, oversight of service providers, data security, effective access to data, access to business premises, relationship between service providers, change management, continuity and business planning, resolution/insolvency and exit.
The guidance will be relevant to all firms regulated by the FCA, with the overall aim being that a firm appropriately identifies and manages the operational risks associated with its use of third parties, including undertaking due diligence before making a decision on outsourcing.
The consultation is open until 12 February 2016.
To view a copy of the guidance, please click here.
The disruptive effect of new technologies such as the cloud on traditional outsourcing models was also considered further in our article "Sourcing 3.0: The rise of the intelligent customer". Please click here to view a copy of the article which first appeared in the May 2015 edition of PLC Magazine.
3. Trying to stay afloat: European Commission publishes communication on US Safe Harbor
In the aftermath of the Court of Justice of the European Union's ("CJEU") ruling in October which found that the European Commission's US Safe Harbor decision was invalid (for further details, please see our eBulletins on the case, available here and here), the Commission itself has published a communication analysing alternative bases for transfers of personal data to the US, and the consequences of the CJEU ruling on adequacy decisions.
In its Communication, the Commission makes the following key points:
- Safe Harbor 2.0 – The Commission states that it remains committed to the goal of a renewed and sound framework for transatlantic transfers of personal data. It has stepped up its talks with the US Government in order to ensure that any new arrangement fully complies with the standard set by the CJEU: sufficient limitations, safeguards and judicial control mechanisms to ensure the continued protection of the personal data of EU citizens, including as regards possible access by public authorities for law enforcement and national security purposes. The objective of the Commission is to conclude these discussions within three months.
- Alternative bases for transfers of personal data – Companies may use a number of different, alternative tools for transferring data to countries without adequate protection (e.g. standard contractual clauses ("SCCs"), binding corporate rules ("BCRs"), or other derogations such as consent). However, the responsibility is on the data controller to ensure that such transfers take place with sufficient safeguards in accordance with the Data Protection Directive. In particular, SCCs and (typically) BCRs provide that if the data importer has reasons to believe that the legislation applicable in the recipient country may prevent it from fulfilling its obligations, it shall promptly inform the data exporter in the EU. In such a situation, it is up to the data exporter to consider taking appropriate measures necessary to ensure the protection of the personal data. Taking into account all the circumstances of the transfer, data exporters may therefore have to put in place additional safeguards to complement those afforded under mechanisms such as SCCs and BCRs.
- Consequences of Schrems on adequacy decisions – The scope of the CJEU judgment was limited to the Safe Harbor decision. However, each of the other adequacy decisions issued by the Commission contains a limitation on the powers of the data protection authorities identical to Article 3 of the Safe Harbor decision which the CJEU considered invalid. The Commission will therefore be preparing a decision replacing that provision in all existing adequacy decisions. It will also engage in a regular assessment of existing and future adequacy decisions together with the competent authorities of the third country in question. It is also worth noting that the draft General Data Protection Regulation further clarifies and details the conditions under which future adequacy decisions can be adopted.
To view a copy of the European Commission's communication, please click here.
4. More Data Protection: CJEU decision on extra-territoriality in Weltimmo case
In another important data protection case, the Court of Justice of the European Union (the "CJEU") has recently ruled that data controllers are bound by the law of a Member State even if they are registered in a different Member State, provided that the data controller exercises a real and effective activity in the context of processing personal data in the territory.
Article 4(1) of the Data Protection Directive (the "Directive") establishes that companies should comply with the data protection laws of an individual Member State where processing is carried out in the context of the activities of an "establishment" of the data controller in the territory of the Member State.
Weltimmo, a Slovakian-registered business, operated a property dealing website relating to Hungarian properties. For that purpose, it processed the personal data of the advertisers. The advertisements were free of charge for one month, but thereafter a fee was payable. Many advertisers sent a request by e-mail for the deletion of both their advertisements and their personal data as from the end of that period. However, Weltimmo did not delete those data and charged the interested parties for the price of its services. As the amounts charged were not paid, Weltimmo forwarded the personal data of the advertisers concerned to debt collection agencies.
The matter which ended up being referred to the CJEU revolved around the issue of whether or not Hungarian data protection law could be applied to Slovakian-registered Weltimmo, which did not have a registered office or branch in Hungary.
Weltimmo argued that the Hungarian authority ought to have asked the Slovak data protection authority to act in its place. Rejecting this argument, the CJEU held that the meaning of "establishment" under Article 4(1) of the Directive was not limited to the location of a company's registered office. The Court noted that Recital 19 in the preamble to the Directive states that establishment in the territory of a Member State implies the effective and real exercise of activity through stable arrangements. The concept of establishment could therefore extend to any real and effective activity, even one which was minimal.
In a separate question, the CJEU also considered whether the Hungarian authority would be able to impose a penalty prescribed under Slovakian law if it had been held that Weltimmo was not "established" in Hungary. The Court held that this would not be possible. The Hungarian authority may consider breaches of Slovakian data protection law but the proper action would be to refer the matter to the relevant Slovakian authority.
To view a copy of the CJEU judgment, please click here.