GDPR and its impact on e-commerce business

The General Data Protection Regulation (“GDPR”) will come into force throughout the European Union on 25 May 2018. The GDPR will replace existing data protection laws and will be directly applicable in the same form across all EU member states with the intention of reducing the burden on international organisations.

The GDPR introduces significant changes and requirements that will have vast implications for the way organisations handle, use and store data. This has a direct impact on e-commerce businesses which, by their very nature, receive and process a huge amount of personal data. This article will highlight the main issues that e-commerce companies should consider when implementing policies and procedures in compliance with the GDPR.

Territorial scope

The GDPR will apply to any business that processes personal data in relation to the offer of goods and services to individuals within the EU and/or the monitoring of the behaviour of an individual in the European Union. As a result, companies that offer products and services to individuals in the European Union via their website or other online platforms will have to comply with EU data protection rules, regardless of whether they are established in the EU.

When assessing whether a company is offering goods and services to EU individuals, the mere accessibility of the company’s website will not be sufficient to trigger the application of the GDPR; it must be apparent that the company targets EU individuals – for instance, by mentioning/using EU currency, referencing EU customers or by presenting ordering information in an EU language (where this is not the language used in the country where the company is based).

Legal basis for processing

E-commerce businesses will need to identify legal grounds for their processing activities. One of the main changes introduced by GDPR relates to consent of the data subject. There needs to be clear affirmative action by the data subject to show consent – silence, pre-ticked boxes, inactivity, failure to opt-out or other such mechanisms will not be enough to qualify as valid consent. The Information Commissioner’s Office (ICO) adds that consent requests should be:

• Unbundled: separate from other terms and conditions;

• Opt-in: pre-ticked and pre-selected options are invalid;

• Granular: if data is to be used for multiple purposes, then consent must be granted for each of them separately;

• Named: consent request must state all organisations and third parties relying on that consent; and

• Documented: records must be kept to show when, how and what the data subject consented to.

E-commerce businesses should note that if the processing of data is necessary for the performance of a contract with the data subject – this would include data required to process an online payment or deliver the purchased product – there is no need to obtain consent.

E-commerce businesses should conduct a necessity test to determine whether the information being collected is necessary for the purpose of the contract; this is especially relevant when customer data is used for marketing or advertising purposes.

Retention periods

Personal data should not be retained longer than necessary or beyond the point at which the purpose of processing has been achieved. In some cases, however, companies would want to keep all or some of the data. If that is the case, then companies should find other grounds for keeping the data – for example, the need to retain data to deal with legal requirements under national law.

Privacy notices

The GDPR requires companies to inform data subjects about how their personal data is being processed. This includes specific information such as the purpose and legal basis for processing, whether personal data is shared with third parties and whether the company conducts profiling activities. As such, a link to the terms and conditions and the privacy notice should be displayed when the customer purchases goods online. Privacy notices should be periodically reviewed and updated to comply with the GDPR.

Data subjects’ rights

Individuals will have the ‘right to be forgotten’, the ‘right to data portability’ and the right not to be subjected to automated data profiling. Online stores and e-commerce businesses should also allow their customers to access and modify any information that is held on them. In order to comply with the GDPR in this respect, companies should provide information on whom customers may contact regarding any data privacy concerns.

Contracts with third parties and international transfers

Companies in the e-commerce business usually outsource components of their activities, such as payments, marketing or IT. Whenever a data controller (the e-commerce company) uses a processor, the data controller needs to have a written contract in place that includes specific terms such as the data processed, the duration of processing and obligations such as data breach reporting and transparency. When service providers are located outside the European Economic Area (EEA), legal mechanisms for carrying out personal data transfers should also be identified. Service providers will be held accountable for their own level of appropriate security and must document their processing and obtain prior consent to use sub-processors.

Contractual interpretation: does “to the extent” equate to “if”?

In the recent case of Zayo International v Ainger [2017] EWHC 2542, the court considered obiter whether the words “to the extent” can be taken to mean “if” in light of a management warranty claim. The clause in question is reproduced below:

“5 No Management Vendor shall have any liability in respect of any Management Warranty Claim:

5.1 to the extent that provision or reserve in respect of the liability or other matter giving rise to the claim in question was made in the Accounts, which could be reasonably demonstrated from the audit papers and other books and records of the Group.”

The Claimant’s case was that a natural reading of the clause would be taken to mean that, should the provision made be £100,000 and the actual claim come to £1,000,000, the Claimant would be able to claim £900,000 (i.e. that a claim should only be restricted by the amount actually provided for in the accounts).

However, the court disagreed with the Claimant and held that if a provision was made (no matter how small when compared to the actual liability), then no Management Vendor would have liability in respect of that claim, irrespective of whether the provision was less than the actual liability once fully determined. This seems a rather surprising interpretation of such a clause and it seems difficult to believe that this was the intent or understanding of either party when drafting this provision.

Practical impact

We have seen some quick reactions to this case in the drafting of contracts; possible solutions to reduce uncertainty may be to consider “if and to the extent” wording or to state explicitly that “to the extent” denotes “degree” and does not mean “if”. Although this was a High Court decision and the point was made obiter, it nonetheless serves as a useful reminder to the drafting party of the possibility that “to the extent” in a contract may be taken to mean “if” by the courts.