The Court of Appeal decided the case of Globe Motors, Inc. v TRW Lucas Varity Electric Steering Limited on 20 April 2016. It was held that the parties to a contract may vary their contracts orally or by conduct, even where they have previously agreed in writing that any future changes to the contract are to be in writing. In view of this decision, parties to a contract should take extra care and consider the potential impact their words or actions could have as they may inadvertently amount to a legally binding contract variation. However, it is important to note that it remains difficult to prove a claim that a contract has been varied orally where a non-oral variation clause is in place. This is essential to avoid undermining the value of written contracts.


Following the TalkTalk data breach in October 2015, the Culture, Media and Sport Committee published its report on Cyber Security: Protection of Personal Data Online on 20 June 2016. The report recommends that cyber security should be delegated to someone within the company who is able to take day-to-day responsibility (with Board oversight) and who can be fully sanctioned if sufficient steps are not taken, either to prevent a breach or in the event of a breach. Due to the high level of accountability, it is vital that such individuals receive the necessary co-operation and support from the Board in order to properly implement cyber security policies.

Owing to the prevalence of cyber-crime, the report acknowledges that no organisation can operate entirely without risk of a security breach. In order to protect your company and reputation, simply taking preventative measures will not be sufficient; companies need to implement clear and realistic crisis management plans to ensure that members of your organisation know how to respond to a breach and that consumers know how to seek redress. In order to incentivise companies to take the cyber security threat seriously, the report suggests that the Information Commissioner’s Office (ICO) implement escalating fines, especially where such threats have previously led to a security breach. In order to safeguard against such fines, companies will need to undertake a frank assessment of their vulnerabilities, paying particular attention to areas where they have already been victim to a breach, and implement security measures accordingly.


On 8 July 2016 EU Member States approved the final text of the EU – US Privacy Shield. This was notified to Member States on 12 July 2016 and came into force immediately. The Privacy Shield replaces the old Safe Harbor framework (which was invalidated in October 2015 by the European Court of Justice) governing data flows between the EU and the US. The Safe Harbor framework allowed US companies to self-certify their adherence to the principles behind EU data security, meaning that data could be easily transmitted between the EU and the US. According to the European Commission, the new Privacy Shield addresses the failure of Safe Harbor to adequately protect EU citizens’ personal data. For example, the new framework requires that the access of US law enforcement and security agencies to EU citizens’ personal data will be subject to “clear limitations, safeguards and oversight mechanisms” and any complaints lodged by EU citizens must be resolved by US companies within 45 days.

Despite introducing such safeguards and avenues for redress, the Privacy Shield does not entirely fill the gaps which were evident in the Safe Harbor framework, as it still allows US companies to self-certify that they are Privacy Shield compliant, which allows them to receive personal data from EU citizens. The Department of Commerce will operate the Privacy Shield in the US and companies will be able to certify with the Department from 1 August 2016. The self-certification system was one of the main flaws of the old Safe Harbor scheme as it allowed US companies to circumvent European rules and regulations regarding how data can be treated by allowing them to declare that they were taking appropriate steps to comply.

This begs the question, how safe are transatlantic data flows? For the time being, it looks like such data transfers can return to normal. However, it is likely that the Privacy Shield will face the same challenges as its predecessor in the coming months. For now businesses can rely on the Privacy Shield as one method of demonstrating compliance with principles of the Data Protection Act 1998. However, in the event of ‘Brexit’ the UK will have to negotiate its own form of Privacy Shield with both the US and the EU to ensure the ‘adequate protection’ of personal data for cross border transfers.

If you would like to discuss any of the matters addressed above, please contact Claire Jacques on 01235 836643 or on



Since 6 April 2016, UK companies and UK LLPs have been required to maintain a Register of People with Significant Control (“PSC Register”).

Such companies and LLPs are now required to deliver the information annually to the central public register at Companies House when making a Confirmation Statement (which replaces the Annual Return) and on incorporation.

A person with significant control (“PSC”) is an individual who meets one or more of the following conditions in relation to a particular company:

  • Directly or indirectly holding more than 25% of the shares or 25% of the voting rights;
  • Directly or indirectly holding the right to appoint or remove the majority of directors;
  • Otherwise having the right to exercise, or actually exercising, a significant influence or control;
  • Having the right to exercise, or actually exercising, significant influence or control over the activities of a trust or firm which is not a legal entity, but would itself satisfy any of the first four conditions if it were an individual.

If a company is owned by a legal entity rather than an individual, it may sometimes be necessary for that legal entity to be entered in the PSC Register. Broadly, this will be the case if such legal entity meets one or more of the above conditions, it keeps its own PSC Register and is the first such legal entity in the company’s ownership chain.

If you are a PSC in respect of a company, that company will require information from you to enter on the PSC register. You may do this by volunteering the information or by responding to notices from the company (failure to respond to such notices without a valid reason may be a criminal offence).

If you would like assistance in preparing your PSC Register, please contact Amy Oakley on 01235 836635 or on



Women on maternity leave are entitled to retain their usual contractual terms, apart from those relating to remuneration, which are replaced with statutory maternity pay or the employer’s maternity pay scheme. According to guidance from HMRC, childcare vouchers provided through a salary sacrifice scheme should be treated as a non-cash benefit and therefore should continue to be provided during maternity leave. However, in the recent case of Peninsula Business Services v Donaldson, the Employment Appeal Tribunal ignored HMRC guidance and ruled that childcare vouchers should be counted as remuneration and that, therefore, they should not continue to be provided during periods of maternity leave. Employers should treat this decision with care as it appears to have been based on a misunderstanding by the EAT of how salary sacrifice schemes work in practice and without the benefit of all of the relevant law in this area.


The Employment Appeal Tribunal, in the case of Cordant Security v Singh, held that the employer’s failure to investigate a false allegation of racial abuse did not amount to an act of discrimination. The case involved an employee who was sent home from work by his manager as it was alleged that he smelt of alcohol. The employee subsequently claimed that his manager had used racially abusive language towards him. The employee was told that his grievances would not be investigated unless he raised a formal grievance, which he did not do, and so the employer did not look into the matter. The employee then made a claim of race discrimination at the Employment Tribunal on the grounds that the employer’s failure to investigate his grievance had amounted to an act of race discrimination. The Tribunal upheld his claim. However, the EAT overturned that decision. It held that, as the allegation was false, the employee could not have suffered any sense of injustice as a result of the employer’s decision not to investigate his grievance and, therefore, could not have suffered a detriment, which is a prerequisite for a valid discrimination claim.

Employers faced with a similar situation must approach it with care. Had the EAT not accepted that the employee’s allegation was false, the outcome of this case would likely have been very different.

This case highlights the importance of having a clear grievance policy in place which, among other things, makes clear that a complaint that is considered by management to be deliberately false, malicious or frivolous will not be entertained and is likely to give rise to disciplinary action being taken. This will help you manage such grievances in an effective manner and will give you grounds for taking disciplinary action in cases where it is appropriate to do so.

If you would like to discuss any of the matters addressed above, please contact Ben Hegedus on 01235 836609 or on



In practice, online infringement of intellectual property rights is very difficult to combat. Trying to solve the problem by identifying the operators of an infringing website is not a straightforward task. As an alternative solution, EU legislation provides that EU Member States shall “ensure that rights-holders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right”. This allows IPR holders to seek injunctions against internet service providers (ISPs) whose services are used by infringers. For the time being, this right still applies in the UK.

In the case of Cartier International AG v British Sky Broadcasting Limited the Court of Appeal held that the lack of a contractual relationship between the ISP and the infringer did not matter. The CoA nevertheless recognised that ISPs are usually innocent intermediaries in cases of infringement by implementing a set of threshold conditions which must be met before a court can exercise its discretion to grant a blocking injunction against an ISP.