Monthly Archives: September 2020

New EDPB guidelines: copying and pasting GDPR provisions into your commercial agreements isn’t enough

The European Data Protection Board (EDPB) has published a set of draft guidelines clarifying the key GDPR concepts of controllers and processors by providing specific examples and helpful flowcharts to help apply these concepts in practice. Buried within these guidelines is the paragraph quoted below, which has significant implications for day-to-day commercial contracts.Under Article 28 of the GDPR, where one party (Party B) is appointed by another (Party A) to provide certain services that requires Party B to process personal data on behalf of Party A (which is the data controller), certain clauses are mandatory in the commercial contract between those parties (or in a separate data processing agreement).Where Party A’s processing activities are minimal and are considered low-risk, it is common for the relevant agreement simply to repeat the provisions of Article 28 without further elaboration.However, the EDPB states in the guidelines that simply restating the provisions of Article 28 without any additional detail is not sufficient. In particular, the EDPB states that the contract or separate data processing agreement required by Article 28 also needs to include information regarding the security measures to be adopted by the processor (Party B in the example above), as well as providing for a regular review of these measures.The level of detail required is ‘such as to enable the controller to assess the appropriateness of the measures pursuant to Article 32(1) of the GDPR’. This requires both the controller (Party A) and the processor (Party B) to take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of those individuals whose data is processed.The draft guidelines remain open to public consultation until 19 October 2020. Any interested parties are encouraged to contribute to the consultation by providing comments on the guidelines via the link below.

Posted in Shorter Reads | Comments Off on New EDPB guidelines: copying and pasting GDPR provisions into your commercial agreements isn’t enough

The Tesco shareholder action settles

A consent order filed with the Court on 2 September confirms that the Tesco group shareholder action, which had been due to go to trial in October 2020, has now settled. No details on settlement terms appear to be publicly available at this time.It had been hoped that the Tesco action would bring some welcome clarity to the law on Section 90A FSMA 2000, under which no claim has yet been to trial. Attention may now turn to the group shareholder action that is proceeding against Serco in relation to its false accounting scandal regarding electronic tagging in 2010 to 2013. The parties have exchanged pleadings in the last few months, but it will be a while yet before it reaches trial (assuming that it does not settle before this).In the meantime, investors thinking of making claims under Section 90A FSMA 2000 should be aware that there are a number of current uncertainties in the law on Section 90A FSMA 2000, for example on the extent of the disclosure and witness evidence that they would be required to produce in support of their claim on the key issues of reliance and causation.

Posted in Shorter Reads | Comments Off on The Tesco shareholder action settles

Government response on cladding welcomed by flat owners but speedy implementation is now needed

Government response on cladding welcomed by flat owners but speedy implementation is now needed. All residential blocks over 18 metres are required to have a fire safety assessment on cladding. A lack of suitably qualified professionals to carry out these …

Posted in News | Tagged , , | Comments Off on Government response on cladding welcomed by flat owners but speedy implementation is now needed

Interim injunction against Bitcoin discharged and damages considered an adequate remedy

In a recent High Court decision, Toma v Murray, Robin Vos sitting as Deputy High Court Judge, declined to a continue a without-notice interim injunction which restrained the Defendant from dealing with Bitcoin held in a coin deposit account.  Vos held that damages would be an adequate remedy in this instance.The Claimants sold Bitcoin through an account on the Finnish platform LocalBitcoins.com. However, the payment they received was reversed, leaving the Claimants without the Bitcoin or their payment. The Defendant controlled the LocalBitcoins.com accounts used to make and withdraw the payments, and which continued to hold the Bitcoin. The Defendant did not go as far as to admit that there was a fraud, though he allowed the Court to proceed on the basis that a fraud had taken place, and asserted that the account had been hacked.The Claimants initially obtained a without notice interim injunction. LocalBitcoins also froze the account, though they said that in absence of a court order they would release the Bitcoins to the Defendant.On reviewing the injunction and deciding whether it should be upheld, Vos decided that although the Claimants’  made a proprietary tracing claim, they were ultimately seeking the value of the Bitcoin held in the deposit account and therefore the claim could be satisfied in monetary terms.He held that the injunction should not be upheld and the case is set to continue to determine whether or not there was any fraud on the part of the Defendant, a matter which could not be dealt with at an interim hearing.    This is an interesting decision as it considers Bitcoin in relation to its value in monetary terms over its proprietary value. The Court distinguished it from AA v Persons Unknown [2019], the precedent for Bitcoin interim claims, as the Defendant was identified and had shown he held a significant unencumbered asset and there was no reason to believe he would not be able to meet any award against him. This was balanced against the fact that the Claimants admitted that they would have difficult in satisfying across undertaking of damages. On balance the Court considered that this decision left the Claimants with a remedy and did not place an disproportionate risk of loss on the Defendant.Some consideration was given to the volatility of the price of Bitcoin and the impact this may have on both parties. Though the Court focused on the fact that a price and value was given to the Bitcoin at the time of sale and the claim therefore was considered to be for the price paid. A condition was included in the Order to allow the Defendant to sell the Bitcoin only with the consent of the Claimant as a means of neutralising this risk. It shows once again that the court’s are having to approach digital asset cases innovatively. It will be interesting to see if any concession is given to the change in value of Bitcoin in the time before final judgment.Toma and another v Murray [2020] EWHC 2295 (Ch) (29 July 2020) (Robin Vos, sitting as Deputy High Court Judge).

Posted in Shorter Reads | Comments Off on Interim injunction against Bitcoin discharged and damages considered an adequate remedy