Monthly Archives: July 2020

CORONAVIRUS UPDATE: Returning to the workplace safely

1) Carry out a Covid-19 risk assessment You should identify work activity and situations that might cause transmission of Covid-19, think about who could be at risk, determine how likely it is that your workers could be exposed to the …

Posted in Shorter Reads


Introduction An arbitrator’s failure to disclose a professional relationship with an expert witness led an ICSID ad hoc committee (the “Annulment Committee”) on 11 June 2020 to issue a unanimous decision to annul a €128 million award against Spain in …

Posted in Longer Reads

Privacy Shield invalidated: what this means for your data flows to the US

Last Thursday, in a landmark decision, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, the EU-US agreement that allows unrestricted transfers of personal data from the EU to over 5,000 certified organisations in the US. The …

Posted in Longer Reads

No Data Protection Impact Assessment (DPIA) undertaken for Test and Trace programme – but what is a DPIA, anyway?

Earlier today, the BBC reported the latest in an increasingly long line of problems to have plagued the country’s COVID-19 ‘Test and Trace’ programme: it has not complied with the General Data Protection Regulation (GDPR).

Following a legal challenge from privacy campaigners, the Department of Health has admitted that the programme, which aims to trace contacts of those infected with COVID-19 in order to prevent further spreading of the virus, was launched without any Data Protection Impact Assessment (DPIA) having been undertaken.

But what exactly is a DPIA and when is one needed?

A DPIA is a process designed to assess whether a proposed activity that involves processing personal data is necessary and proportionate. It should be used to assess and manage any risks to the rights and freedoms of individuals that might result from that processing activity by determining ways of addressing them. DPIAs are key tools in demonstrating a business’s compliance with its accountability obligations under the GDPR.

The GDPR requires that DPIAs be carried out if any processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Guidance on the matter recommends considering the need for a DPIA if a business plans to:

- process any ‘special category’ personal data on a large scale, as is the case with the ‘Test and Trace’ programme (health data constitutes ‘special category’ personal data);
- implement any automatic decision making or profiling that significantly affects the person whose data is processed (for example, to provide or refuse a service to that person);
- systematically monitor individuals (for example, via CCTV);
- deploy innovative technology that uses personal data (for example, facial recognition software implemented at offices to enable access to certain areas); and/or
- process personal data of vulnerable individuals (which might include employees) where there is an imbalance of power in the relationship and, consequently, those individuals have no genuine option to object.

DPIAs should be considered at the start of any new project that fits one or more of the above criteria, so that potential risks to the relevant personal data are addressed in advance of implementation (which is what the Department of Health failed to do in this case).

If your business has already undertaken a DPIA in respect of a processing activity, it will need to review that DPIA periodically (and ideally at least once every 2 to 3 years), particularly if there is any change in the context or nature of the processing.

Undertaking a DPIA will not only help your business demonstrate accountability and compliance with the GDPR, but will also build trust amongst those whose personal data is processed. This is much easier to lose than it is to gain. The risk to the UK government posed by this latest development is that fewer UK citizens, having lost confidence in its handling of their personal data, may participate in the Test and Trace scheme. Without significant participation across the population, the country is unlikely to have an effective contact tracing system.

Posted in Shorter Reads

Is it a Fair CoP?

Confirmation of Payee (CoP) checks were introduced on 30 June 2020. The system is a new way for banks to check the account details of a payee (that is, the recipient, whether a person or a business, of a bank transfer) before the payment is sent. This helps to avoid a payment being sent to the wrong account, whether as a result of a mistake or a fraud.

The CoP mechanism was originally due to be introduced in late March 2020, but it was postponed due to COVID-19. The six principal banking groups in the UK were all required to implement the new protection by this date, though some smaller banks and building societies may also choose to introduce it.

Previously, when processing a payment mandate, only the payee account number and sort code were checked. This left an opening for fraudsters to substitute their own bank account details for those of the intended recipient of the funds, as nobody would check whether the payee’s name matched the name on the account to which the funds were to be transferred. However, from 30 June 2020, when a customer sets up a new payee or changes the payee details on an existing payment mandate, a CoP check will be run to confirm whether the payee’s name is in fact the same as that of the accountholder.

There are three possible responses from a CoP check. First, the payee bank may confirm an exact match between the payee name and the name of the accountholder, in which case the payment will be processed as planned. Alternatively, there may be a partial match. The customer making the payment will then be shown the name of the accountholder in order to verify whether this is in fact the correct payee. Lastly, there may be no match, in which case the customer is asked to check the payee name and account details before proceeding with the payment.

The new system is intended to reduce the risk of authorised push payment (APP) fraud, as well as innocent mistakes made by customers. APP fraud happens when fraudsters deceive individuals (either consumers or employees of a business) into making a payment to the fraudster’s bank account. An example of this would be sending an invoice that looks very similar to one which the individual is expecting, such as an invoice from a supplier, but which includes the fraudster’s own account details. The individual arranges payment of the invoice but has unknowingly paid the fraudster instead of the legitimate recipient.

While it is expected that the CoP checks will reduce instances of fraud, there are limitations to the new system. CoP checks can only be carried out where both the paying and payee banks have implemented the mechanism and, at least for the time being, only where the payments are being made by the Faster Payments System or by CHAPS. CoP checks also cannot be carried out for international payments. Fraudsters are likely, therefore, to adapt their approach, for example, by opening accounts with banks which do not have the CoP mechanism in place.

The existence of the partial match response may also lead to fraudsters opening accounts using names which are very similar to the names given on the fake invoices, in the hope that the bank customer won’t notice the slight discrepancies or that they will assume it’s a mistake on the invoice. Bank customers should check partial match responses very carefully to avoid this risk and, if necessary, contact the payee to confirm the account details. When contacting the payee, make sure to use a different contact method than the one used to send the invoice, for example, by calling a supplier instead of replying to the email attaching the invoice.

Businesses should also take appropriate steps to limit the risk of customers not getting an exact match on a CoP check when paying an invoice, for example, by ensuring that the payee name listed on their invoices is an exact match for the name on the bank account.

Posted in Shorter Reads

Material Adverse Change Clauses in the Time of COVID-19

Material adverse change clauses (“MAC clauses”) are common in finance and acquisition agreements and are designed to address changes in the circumstances of one of the parties (usually the borrower or target business). For acquisitions, a MAC clause allows a …

Posted in Longer Reads


Campaigns, like Soho Estates’ “summer festival” initiative, are pushing the government to temporarily ease regulations so leisure and hospitality operators can utilise public squares and other open spaces near their venues to serve customers, with deliveries and rubbish collections being …

Posted in Longer Reads

English Court of Appeal finds that the Arbitration Act s.44(2)(a) applies to third-parties

In the context of a New York arbitration, the decision in A and B v C, D and E [2020] EWCA Civ 409 concerned an application to the English court for an order under s.44(2)(a) of the Arbitration Act 1996 …

Posted in Longer Reads

Brief update: Business Interruption Insurance – FCA files a Reply in the Test Case

The FCA has filed a very extensive Reply[1] (35 pages) to the insurers’ Defences in its business interruption (BI) insurance test case, alleging broadly that the eight defendant insurers are seeking to deprive BI cover clauses of their plain and …

Posted in Shorter Reads


This is the second of two articles considering the corporate insolvency aspects of the Corporate Insolvency & Governance Act 2020 (the Act).  In the first article, we looked at the temporary measures introduced by the Act in response to the …

Posted in Shorter Reads