13 Nov 2019

Commercial and tech update - November 2019


Welcome to this month’s edition of our commercial and tech update. While we have resisted including too many Brexit related articles in our updates, this month’s edition offers some practical steps that providers of digital services can take in the event of a no-deal, together with a cautionary tale about an automatic email signature being enough to get the parties in a bind.


Guide to preparing for no deal Brexit for providers of digital, technology and computer services

In October, the Department for Digital, Culture, Media & Sport published a 10-point checklist to help digital technology and computer services providers understand what is required if the UK leaves the EU with no deal. Of particular relevance to businesses providing digital services in the EU is the requirement to appoint a representative in the EU to assist with meeting online security standards. This is not required whilst the UK remains a member of the EU. The Network & Information Systems (NIS) Directive (implemented into UK law by the NIS Regulations) provides legal measures to boost the overall level of network and information system security in the EU and applies to operators of essential services and Relevant Digital Service Providers (RDSPs). A company is a RDSP if it:

  • provides at least one of the following digital services: online marketplaces; online search engines; or cloud computing services;
  • has its main establishment is in the UK or it has nominated a representative in the UK; and
  • has 50 or more staff; or a turnover of more than €10 million per year, or a balance sheet total of more than €10 million per year.

UK-based organisations who offer such services to the EU (e.g. by having users in the EU or using a language or currency used in EU countries) must comply with the law in the applicable EU member state and appoint a representative in one of the EU member states where services are offered. The appointing of a representative in the EU is a formal written process set by the country in which the operations are occurring and must state that the designated representative may act on behalf of the business to fulfil its legal obligations in the applicable EU member state.

The Information Commissioner’s Office (ICO) is in charge of regulating RDSPs in the UK and it is necessary to inform the ICO that a representative in another country has been appointed. Failure to appoint a representative will most likely result in a fine.

Another impact of a no deal Brexit on RSDPs is that organisations, businesses or undertakings established in the UK but not in the EU/EEA will no longer be able to renew or register .eu domain names. With effect from 19 October 2019 in order to renew or register a (.eu) domain, it is necessary to be established in the EU and prove eligibility. A grace period to demonstrate eligibility will apply until 1 January 2020 before the .eu domain name will be withdrawn and become inoperable. From 1 November 2020, all such ineligible domain names will be revoked and become available for general registration.

Click here for more detail on all recommended steps.


A binding email

A recent case has provided lawyers with a reminder to take care that negotiation emails do not inadvertently create a binding contract. In Neocleous v Rees [2019] EWHC 2462 (Ch), the County Court found that a solicitor had entered into a signed, binding contract on behalf of his client, on the basis that his automatic email signature had been included below the terms he set out in the main body of the email. The court held that the automatically generated email footer listing the name and contact details of the sender constituted a signature and that therefore a valid contract had been formed.

In this case, the contract in question was for the sale of land, the required formalities for which are set out in Section 2 of the Law of Property (Miscellaneous Provisions) Act 1989 (LPMPA). The parties were in dispute over a right of way, and their solicitors had entered into settlement discussions. The claimants offered to buy some of the defendant's land in order to resolve the issue and settlement terms were negotiated over several emails between the parties' solicitors. Eventually the claimants’ solicitor emailed saying that he could “confirm that terms of settlement between our respective clients have been reached on the following basis”, with the terms then listed including the land to be transferred and the price. At the bottom of the email was the solicitor’s name, position and contact details. These were automatically added as a footer, not manually added by the solicitor.

The planned tribunal hearing to resolve the dispute was then vacated on the assumption that a settlement agreement had been reached, but the defendant seller later disputed that a binding contract had actually come about, because she said the LPMPA signature requirements had not been met. As a reminder, the LPMPA requires that a contract for the sale of land must be made in writing and signed by or on behalf of each party. The court concluded that while the email footer was automatically added to each email the defendant's solicitor sent, the solicitor’s firm’s creation of that rule had been deliberate, and that there was no way for a third party to know whether the signature had been added automatically or manually. Therefore, objectively speaking, the presence of the solicitor’s name would indicate an intention on the part of the sender to authenticate or sign the email.

Most contracts have even fewer execution formalities than those for the transfer of land, so the risk of inadvertently concluding a contract may be even higher in other situations. The case is a salutary reminder to ensure that mark as “subject to contract” any correspondence that may be considered to be accepting an offer or otherwise concluding an agreement.

Trailblazing judgment backs use of automated facial recognition

Hot on the heels of our coverage in September’s update of the controversial use of facial recognition in Kings Cross, the Divisional Court has dismissed a challenge to South Wales Police’s (SWP) use of Automated Facial Recognition (AFR) in what is considered to be the first case to assess the technology in any court around the world. The facts of the case were discussed in detail in our May issue (link here). In summary and by way of reminder, SWP carried out a pilot scheme – “AFR Locate” – in which cameras are used to scan faces in large crowds in public places such as shopping centres or sports matches. Biometric data from these images is subsequently run against a “watchlist” of individuals known to the police, following which an officer will make a decision as to whether a match exists. If no match is found, the images are deleted.

Judicial review proceedings were brought by Edward Bridges, with the support of the civil rights group Liberty, on the basis that this use of AFR was unlawfully intrusive, with SWP alleged to have breached: (1) Article 8(1) ECHR; (2) data protection legislation (the DPA 1998 and DPA 2018); and (3) the Equality Act 2010 (which will not be addressed here).

The Court held that SWP’s use of AFR was justified as it was proportionate and struck a fair balance. Central to this finding were the following factors: (i) AFR was deployed in an open and transparent way; (ii) it was used for a limited amount of time and covered a limited area; and (iii) it was used for a specific and limited purpose of identifying individuals whose presence in the area was of justifiable interest to the police.

This was a fine balancing exercise, responsive to “the central issue” of “whether the current legal regime in the United Kingdom is adequate to ensure the appropriate and non-arbitrary use of AFR in a free and civilized society”. Whilst the Court found that AFR can indeed be employed in an appropriate and non-arbitrary way, the judgment does not by any means give law enforcement agencies or others carte blanche to use the technology as they wish. What the judgment does show, however, and the court explicitly acknowledged as much, is that “the algorithms of the law must keep pace with new and emerging technologies”.

EHRC issues guidance on NDA use in discrimination cases

The Equality and Human Rights Commission has released new guidance for employers on the use of confidentiality agreements (often referred to as NDAs) that could stop a worker speaking about any act of discrimination, harassment or victimisation. Confidentiality agreements are often used, lawfully, by employers seeking to protect confidential information, for example know-how, trade secrets or other sensitive commercial information. A confidentiality agreement in a worker’s contract that seeks to stop a worker pursuing a claim based on an act of discrimination that happens in the future would not be enforceable.

The guidance gives a clear explanation on the law in relation to confidentiality agreements and sets out what constitutes good practice when drafting a confidentiality agreement. Points to note include:

  • a worker should not be asked to sign a confidentiality agreement as part of their employment contract which would prevent them from making a discrimination claim against an employer in the future;
  • a confidentiality agreement should not be used to prevent a worker from discussing a discriminatory incident that took place in their workplace, save for in limited circumstances (e.g. the victim has requested confidentiality around their discriminatory experience);
  • a worker cannot be restricted from whistleblowing, reporting criminal activity or disclosing other information as required by law by the terms of a confidentiality agreement;
  • workers should be given time to read and fully understand the terms of a confidentiality agreement; and
  • a confidentiality agreement should spell out the details of exactly what information is confidential.