
Commercial Contract Updates - Exclusion and Limitation Clauses
Tuesday 9th January 2018


Commercial contracts often purport to exclude parties’ rights and remedies or to limit the liability of the parties, but it is important to note that such clauses may not always be enforceable. Parties may not, for example, exclude their liability for fraud or for personal injury or death caused by negligence.

Where a party seeks to rely on such a clause, particularly if it is onerous or unusual, it should always ensure that it is brought to the other party’s attention so that there is no question of whether or not the clause forms part of the contract.

In consumer contracts, there are strict requirements in the Consumer Rights Act 2015 that terms must be fair to the consumer. There are similar (albeit less restrictive) requirements in the Unfair Contract Terms Act 1977 (UCTA) for business-to-business contracts.

Under UCTA, where one party deals on the written standard terms of business of the other, the other party cannot exclude or restrict its liability for any breach of the contract unless the relevant clause satisfies the reasonableness test (i.e. “that the term shall have been a fair and reasonable one to be included having regard to the circumstances which were, or ought reasonably to have been, known to or in the contemplation of the parties when the contract was made”).

Where only part of a term is invalid or prohibited, the Courts are sometimes prepared to sever that part and leave the remaining clause intact.

Recent case law

In African Export-Import Bank v Shebah Exploration [2017] EWCA Civ 845, the Courts had to decide whether a loan contract, subject to the conditions of the Loan Market Association Standard Form (a neutral industry model form), was on the “written standard terms” of one party, and therefore subject to the reasonableness test. Following previous case law, it was noted that “written standard terms” must be the terms that a party uses for all, or nearly all, of its contracts of a particular type, and that the essence of such terms must not be varied between transactions. In the High Court, Phillips J stated that it would be difficult to find that any negotiated, commercial contract, based on a neutral industry model and where the parties have legal assistance, is on the written standard terms of one of the parties. The Court of Appeal upheld the High Court’s decision that UCTA would not therefore apply to the loan contract.

In Goodlife v Hall Fire Protection [2017] EWHC 767 (TCC), the exclusion clause in question purported to exclude liability for personal injury and death resulting from negligence (which is prohibited under UCTA). The High Court had to decide whether or not the clause could remain in effect with the offending words removed. The Court was prepared to sever the offending words and, due to the equal bargaining position of the parties, it was found that the remaining clause was reasonable.


Neutral model contracts are used in many types of business, and parties could be forgiven for thinking that these would count as “written standard terms”. However, following the decision in Shebah Exploration, it is clear that UCTA’s reasonableness test will not apply to such contracts unless one party has genuinely adopted the model contract as its own terms, and uses those terms for all of its contracts without scope for negotiation.

Whether or not part of an exclusion clause can be severed by the Courts, to make the remainder of the clause effective, is a question which has been addressed by seemingly conflicting decisions in the past. Following the recent decision in Goodlife, the position appears to be as follows:

  • Where part of a clause is ineffective, e.g. because it excludes liability for personal injury or death caused by negligence (as prohibited by UCTA), then the rest of the clause may still be tested for reasonableness and remain effective (as was the case in Goodlife).
  • However, where a clause is tested for reasonableness under UCTA, it must pass or fail as a whole and cannot be severed to remove the unreasonable parts (this was the effect of the decision in Stewart Gill Ltd v Horatio Myer and Co Ltd [1992] QB 600, which the Court distinguished in Goodlife).

The distinction seems to rely on the idea that an exclusion of liability for personal injury or death caused by negligence will not be subject to the reasonableness test; it is simply ineffective under UCTA. If the clause in Goodlife, after having removed the reference to personal injury and death, still had unreasonable parts (e.g. if it purported to exclude liability for fraud), then the whole clause may have been deemed ineffective.

For more information please contact William Eggleston on 0161 836 8831 or via email -


Specialist Dental Lawyer’s Guide to Dental Equipment Warranties
Monday 8th January 2018

When you buy a dental practice, the contract of sale is likely to contain warranties. These warranties are a series of promises which are made by a seller, giving you, as a buyer, assurances as to the efficacy of the business that you are acquiring.

The warranties can cover a wide range of issues and should be tailored to the specific practice and your personal requirements. If, once you own the practice, it transpires that a warranty has been breached, the contract should set out the method, timescales and amounts of a remedy that will be available to you.

Warranty provisions relating to equipment are often hotly negotiated. Although you may be paying thousands of pounds for dental chairs and autoclaves within a practice, you should not expect the same kind of warranty that you would get when buying electrical appliances on the high street.

The first issue to consider is the date on which the warranty is given. Warranties that are given by the seller will apply on the date of exchange of contracts. It is wise for the buyer to seek a provision in the contract to say that the warranties are repeated on the date of completion.

You are very unlikely to get a promise that something is going to continue to work for a year or two following the purchase. Equipment warranties are usually limited to an assurance that something is working on the day on which the contract is signed; although even this is not a given, as the seller may say that they are not sufficiently qualified to make such an assurance.

As a buyer, you might seek warranties not only that the equipment is in working order on the date of completion, but also that the equipment that you are being sold is adequate for the continuation of the practice (i.e. that the seller isn’t going to remove a vital item of equipment prior to the sale and leave you unable to practise). A warranty that the equipment available is sufficient and adequate to ensure that the practice complies with current GDC and CQC guidelines is also reasonable. Warranties that equipment has been properly maintained and serviced will also give the buyer some protection (although this should also be investigated during the purchasing due diligence process).

Finally, a sensible buyer should seek a warranty that the equipment within the practice is actually owned by the seller and is free from any finance or lease agreement.

During negotiations, a seller may want to limit the warranties in relation to equipment as much as possible. Sellers frequently make formal disclosures against equipment warranties. If information is disclosed to you prior to completion, then you may be prevented from making a warranty claim relating to that information.

What constitutes a disclosure can also be in dispute. A seller may claim that they have disclosed to you anything that would be reasonably apparent on an inspection of the practice. The question then arises as to what sort of inspection this would cover. A qualified technician, who inspects the equipment, might find a fault in an item that a cursory glance by a less qualified person would fail to bring to light.

Warranties will also be limited in terms of both value and time. You will have a limited period of time in which to bring a claim for breach of warranty following a practice acquisition. It is therefore important that you are aware of the timescales agreed. A seller will also seek to include within the sale agreement both minimum and maximum values on possible claims. It is important that both the seller and the buyer understand the warranties that are being offered in any sale agreement. Equipment warranties should offer the buyer some assurance that what they are buying will be fit for their requirements even if they don’t purport to promise that the equipment won’t break in the weeks, months or years following your acquisition.



Data Protection Bill – Exemptions
Thursday 14th December 2017

The UK’s proposed Data Protection Bill (the “Bill”) creates a number of exemptions to the requirements under the EU General Data Protection Regulation (GDPR), many of which mirror similar provisions in the Data Protection Act 1998 (DPA). For businesses which rely on these provisions to process personal data without breaching the legislation, it is important to understand the scope and the limitations of the exemptions due to the increasing penalties for non-compliance.

Public functions

The existing DPA exemptions for public bodies are largely unchanged in the Bill, with the majority of data subjects’ rights being excluded where the processing of personal data is necessary for the prevention or detection of crime and the assessment and collection of taxes, the public functions of certain regulatory bodies and for various functions in the public interest, including protecting the public against financial malpractice, protecting charities and securing the health and safety of workers.

A contentious new addition in the Bill relates to the processing of personal data for the maintenance of effective immigration controls (and, significantly, has nothing to do with the prevention of crime), which the advocacy group Liberty described in its report of October 2017 as a “brazen violation of the data protection and privacy rights of migrants”.

Exemptions from access and transparency rights

Data subjects’ rights of access can sometimes conflict with the rights of privacy of other individuals. For this reason, an important exemption is recreated in the Bill which provides that data controllers are not required to disclose information in response to an access request where another individual can be identified from that information (unless they give their consent).

Rights of access, and the requirements to provide certain information to data subjects upon the collection of personal data (a.k.a. “transparency”), are also excluded where the data could have the benefit of legal professional privilege, or are processed for the purposes of business management forecasting. If the data consists of confidential references (for employment, education or training), the controller’s records in relation to any negotiations with the data subject, or information recorded by candidates during an exam, the exemption will also apply.

A person will also not be required to comply with an access request if doing so would reveal incriminating evidence of their commission of a criminal offence (however, note that this rule against self-incrimination does not apply to offences under the Bill, or to perjury offences).

Corporate finance providers enjoy a similar exemption; rights of access and transparency will not apply where compliance would likely affect the price of corporate finance instruments, or where compliance would prejudicially affect the functioning of financial markets by affecting the decisions of business people in relation to corporate finance.

Freedom of expression and research

There have been concerns that the increased protection for individuals under the GDPR could have a detrimental impact on the general right of freedom of expression. However, the Bill contains a wide exemption – which covers almost all of the rights of data subjects, the lawful grounds for processing and requirements relating to consent (including children’s consent) – for the processing of data for journalistic, academic, artistic or literary purposes, where the controller reasonably believes that the publication of the material would be in the public interest.

Rights of access, rectification, restriction of processing and objection to processing are also excluded where personal data is processed for scientific or historical research, statistical purposes, or for archiving purposes in the public interest.

Health, social work, education and child abuse

In most proceedings in the Family courts, if the court processes personal data relating to health, social work or education (e.g. where it is contained in evidence or other reports in the proceedings) and, under the relevant court rules, the court may withhold the information from the data subject, then the rights of the data subject (such as access rights) will not apply.

In relation to health, social work or education data, there are also exemptions from the right of access where disclosure would be likely to cause serious harm to the physical or mental health of the data subject (or another individual).

Where an access request is made by a person either with parental responsibility for a child (under 18) data subject or who has been appointed by a court to manage the data subject’s affairs: in relation to data concerning child abuse, the right of access will not apply to the extent that compliance would not be in the best interests of the data subject; and in relation to data concerning health, education or social work, the right of access will not apply where the data was obtained from or provided by the subject with an expectation of privacy (or where the subject expressly indicates that the information should not be disclosed).

Any businesses concerned about the changes under the GDPR, or unsure whether or not exemptions might apply, should seek advice before the GDPR (and the Bill) come into force next May; our experienced Commercial team can assist in deciphering the legislation and preparing your business for the new rules.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.


GDPR - Data Subject Rights
Thursday 14th December 2017

The EU General Data Protection Regulation (GDPR) provides important changes to the rights of data subjects. As well as introducing new rights, some provisions in the Data Protection Act 1998 (DPA) have been revised to strengthen protection for individuals and bring further clarity for controllers.

Bolstering existing rights

The DPA obligation for controllers to provide certain information to data subjects has been rechristened as “transparent communication” in the GDPR. As well as information about their identity and the purposes for which personal data are processed, controllers will have to provide subjects with information about:

  • the legal basis for processing data;
  • any intended recipients of the data or transfers to non-member states;
  • data retention periods;
  • information about subjects’ rights and how to withdraw consent or lodge complaints; and
  • the existence of any automated decision making or profiling systems.

This information must be provided at the time the data is obtained, in a concise, intelligible and easily accessible form, using clear and plain language (particularly in respect of child subjects).

Data subject access rights subsist in the GDPR and subjects may request access to their personal data as well as the information as listed above at any time. The timescale for complying with such requests is reduced from 40 days to one month, and businesses will no longer be able to charge a £10 fee for this service. However, if subject access requests are manifestly unfounded or excessive (and it is for the controller to prove that they are), controllers may either charge a reasonable fee to cover their costs or refuse to act on the request. Controllers may also request information from the subject if they have reasonable doubts as to their identity (and, therefore, the validity of the request), and may refuse an access request where the requested data contains personal data relating to other individuals (which could not reasonably be separated).

The right to rectification of personal data (correcting errors and omissions) is largely unchanged in the GDPR, but data subjects currently have to apply for a court order to request rectification; under the GDPR controllers will usually have to respond to such requests within a month, but this can be extended by two further months for complex or multiple requests.

The right for data subjects to object to the processing of personal data is also broadened; subjects may currently object only where the processing of personal data is likely to cause them substantial unwarranted damage or distress or where it is used for direct marketing. Under the GDPR an objection may be made in relation to any processing which is justified on the grounds of either public interest or the legitimate interests of the controller (the latter being particularly significant as many controllers may turn to this as an alternative to consent, which is becoming harder to demonstrate). Controllers will have to cease processing the data following such a request unless they can demonstrate compelling legitimate grounds which override the subject’s rights; from a practical standpoint, this topic is yet to be explored in detail, but such grounds may include where the controller and the subject have an existing relationship (e.g. for the provision of services) and the processing is necessary in order to provide the level of service that the subject expects and continues to desire.

New rights in the GDPR

Under the GDPR’s new right to erasure (a.k.a. the “right to be forgotten”), subjects may require controllers to erase personal data concerning them where the data are no longer necessary for the purposes for which they were collected or have been unlawfully processed, where the subject withdraws the consent upon which the processing is justified, or where the subject objects to the processing of that data. This has garnered criticism as, where personal data has been made public (e.g. by posting online), controllers are also required to take reasonable steps to inform all controllers processing the data of the erasure request, which is likely to be difficult to comply with in practice (although it is worth noting that in taking such “reasonable steps”, controllers are entitled to take into account limitations in technology and the costs of implementation).

Another contentious addition in the GDPR is the right to restriction of processing. If a data subject contests the accuracy of personal data held by a controller, they may compel the controller to cease processing that data (e.g. by removing content from a website) until the controller is able to verify its accuracy. The potential impact of this provision on freedom of speech is concerning; websites will undoubtedly be encouraged to comply with all take down requests (regardless of their validity) rather than incurring the time and expense of a verification process.

The right to restriction of processing also applies as an alternative to erasure where the processing is unlawful, where the controller no longer needs the data but the subject requires them in connection with a legal claim, and where the data subject objects to the processing (pending verification of any overriding legitimate grounds of the controller).

The GDPR also creates a right of “data portability” which allows subjects to require personal data to be provided to them in a structured and commonly-used format, or to be transferred between controllers. While designed to improve interoperability between processing systems and to prevent people from becoming “locked in” to a particular service provider, the impact on businesses that will have to comply with such requests is uncertain.

Additional protection for individuals

It is important to remember that a lot of the GDPR has been designed, generally, to increase data protection for individuals.

For example, consent remains an important lawful ground for processing personal data but will be harder to demonstrate under the GDPR, as it must be freely given, specific, informed, unambiguous and given by a “clear affirmative action” (goodbye, pre-ticked check boxes). There are also new rules allowing data subjects to object to decisions that have been made by the automated processing of personal data (including “profiling”, where subjects are evaluated by reference to certain aspects of personal data).

Some organisations may benefit from exemptions (implemented in the UK’s new Data Protection Bill but authorised under the GDPR) in respect of some of their processing activities. Exemptions exist for various public functions (such as the prevention of crime, immigration controls and regulatory bodies), public interest purposes (such as avoiding self-incrimination, maintaining legal professional privilege and freedom of speech), and also for data relating to healthcare, social work, education and child abuse.

In order to stay on top of the new rules, we recommend that businesses have in place robust data security and privacy policies, tailored to their particular circumstances and practices.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.


Buying a Dental Practice Checklist
Tuesday 28th November 2017

If you are considering buying a dental practice, but don’t know where to start, the below checklist might help:

  1. Register as an interested buyer with dental brokers. There are many specialist dental brokers in the UK. If you are unsure of the brokers operating in your area, our dental team can point you in the right direction.
  2. Educate yourself. The process of buying a dental practice can seem complicated and overwhelming. There are free guides available on the Brabners website and, in most instances, we will be happy to answer your initial questions without charge.
  3. Get your team in place. Specialist dental accountants and lawyers can be invaluable in guiding you along the process. Buying a dental practice is likely to be one of the most expensive acquisitions in your life: getting someone who knows the quirks of the sector to help you makes sense.
  4. Secure your finance. Knowing that a bank will back your acquisition will ensure that, when you make an offer on a practice, your bid stands out from a crowd. It will also speed up the process once you find the practice of your dreams.
  5. Understand what you are looking for. Weigh up what you are looking for in a practice and write it down. Are you looking for an NHS practice or private? Does location trump profitability? Do you want a practice that runs itself or do you intend to be hands on in developing the business?
  6. On finding a practice you are interested in, do your homework. A dental lawyer can help you to ask the right questions. A dental accountant can help you to understand the accounts.
  7. Set a target date. Once you have found the practice you wish to buy, finalising the purchase needs to be your priority. It is unfortunate that many dental acquisitions are often unnecessarily protracted. Setting a realistic target date (following discussions with your professional advisors) is likely to focus the minds of everyone involved.

The dental team at Brabners can talk you through the process, ensuring that the dream of buying your own practice doesn’t turn into a nightmare.

To download our free dental practice acquisition guide CLICK HERE.


UK website privacy notices are far from compliant with GDPR
Monday 20th November 2017

An international study has found that businesses in the UK need to improve their online privacy notices if they are to comply with the General Data Protection Regulation (GDPR) by the time it comes into force on 25 May 2018. With new fines of up to 4% of worldwide turnover or €20million, whichever is higher, organisations should be keen to improve in response to this timely warning.

The study was led by the UK data protection regulator, the Information Commissioner’s Office (ICO), and included participation by 24 additional data protection regulators from around the world. In all, 455 websites and apps across a wide variety of sectors were assessed. The regulators were considering how easy it was from a user’s perspective to establish precisely what information was being collected, how it was being used, processed and shared, and what the purpose of the collection and processing was.

The study highlighted several issues that were present across all of the jurisdictions in which websites were assessed:

  • Privacy communications across all sectors tend to be too vague, lacking specific detail and relying on generic clauses;
  • Most organisations are failing to inform their web users what happens to their information once it has been collected; and
  • There is a general failure to specify with whom personal data is shared.

On the back of the report, several regulators in different jurisdictions have decided to take action to improve compliance with data protection legislation. Some regulators are working to provide guidelines to advise businesses on how to improve their privacy practices, and in more serious cases regulators have contacted individual organisations to set out remedial actions that need to be taken to improve control of personal data.

In the UK, 30 websites were assessed by the ICO as part of the study. They included websites from the retail, banking, travel and price comparison sectors. The assessments concluded that the privacy notices of these websites were inadequate. Key problems highlighted by the ICO in the UK included:

  • 26 of the 30 failed to specify how and where information would be stored. Additionally, the data that was provided was often unclear and vague;
  • 26 organisations failed to explain whether personal data would be shared with third parties and who those third parties would be;
  • 24 websites did not provide users with any clear means to remove their personal data from the website; and
  • 7 businesses did not make it clear how users could exercise their rights to access the personal data the businesses held about them (i.e. through a Subject Access Request).

The ICO manager involved, Adam Stevens, said of the poor results, “the GDPR is coming in May 2018 and from what we’ve found so far, organisations which want to do business or operate in the EEA have a lot of work to do if they don’t want to be breaking the law.”

This month, the ICO have set up a dedicated advice line for small and micro businesses and charities. The main aim is to help those organisations without significant resources to prepare for GDPR; however, the service will also be able to advise on current data protection rules, electronic marketing and freedom of information requests. To get in touch, visit the ICO website.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.



European Parliament Moves to Begin E-Privacy Regulation Negotiations
Wednesday 15th November 2017

The European Parliament last week voted to begin informal trialogue negotiations with the Council of the European Union and the European Commission on the draft wording of the new E-Privacy Regulation (EPR).

What is the E-Privacy Regulation?

The Regulation on Respect for Private Life and the Protection of Personal Data in Electronic Communications (EPR) is a new law emanating from the EU. The EPR is concerned with the collection and use of electronic communications data, including both content and metadata, as well as with tracking technologies, such as cookies or digital fingerprinting.

The EPR will repeal and replace the current law in this area, the Directive on Privacy and Electronic Communications 2002 (DPEC). Similar to the General Data Protection Regulation (GDPR), the EPR will have direct effect in EU member states and so should lead to greater harmonisation and eventual cost savings for businesses that operate within the single market.

How does the E-Privacy Regulation relate to GDPR?

The GDPR is, as the name suggests, a regulation with general application. It takes a blanket approach to data protection and does not distinguish between sources or methods of collection of personal data. The EPR is designed to complement the GDPR, sitting alongside it and applying in tandem. The EPR will only apply to information collected via certain channels: electronic communications and tracking technologies. For this information, whether it amounts to personal data or not, the EPR will lay down specific rules that apply in addition to any GDPR obligations. The EPR will not create any exceptions to the GDPR regime.

This means that businesses using electronic communications data will have to look to both regulations to ensure compliance. In the first instance, the EPR will define the rights and obligations involved in the collection and use of all electronic communications data, and then, if that data contains personal data, the GDPR will also kick in.

Who will be affected?

The EPR takes a much broader approach to electronic communications data than the DPEC. The new definition aims to catch all electronic communications in any form, including text, voice-over-internet-phone services such as Skype, and internet messaging platforms such as WhatsApp or Facebook Messenger.

In addition, the EPR will specifically apply to those businesses that provide communications services only as an ancillary function intrinsically linked to another service. This means that businesses that include communications platforms within their products, sites or services will also be caught: for example, a player-to-player messenger built into an online game, a messaging service between guests and hosts on an accommodation website, or even connectivity between appliances in an Internet of Things context.

Like the GDPR, the EPR will take a global, extra-territorial view of compliance. The provisions of the EPR will apply to any business that is providing electronic communication services to individuals within the EU, or using tracking technologies placed on the devices of individuals within the EU. It does not matter where the business is established.

What are the key provisions of the E-Privacy Regulation?

The EPR splits ‘electronic communications data’ into two categories, content and metadata. The content is the message, the information or signal input by one end-user and transmitted to another. The metadata is all the surrounding information, the date of the message, the time, the identity of the sender and recipient, the IP addresses of each, etc.

Different rules apply to the collection and use of each category of electronic communications data. The rules’ key aim is to enshrine the principle that communications data should be private; however, they also seek to achieve a balance in which legitimate uses of such data are allowed, and wider uses are allowed with consent.

The use of metadata for billing purposes for example, is a legitimate use and will not require consent. On the other hand, accessing the content of messages to improve targeted adverts within a service would be seen as a wider use that would require the consent of the users.

The other main strand of the EPR is that individuals should not be tracked by technologies such as cookies without their consent. The European Commission proposal aims to improve the current state of regulation in this area, which is inconsistent in both its application and enforcement, leading to widespread non-compliance and consent fatigue.

The EPR marks a major departure from previous attempts to enforce a requirement for consent, by moving the obligation to seek consent from the website to the browsers or operating systems that enable access to the internet.

There are still technical issues to overcome in order to achieve this, as what the regulation essentially requires is a universally understood signal that can be sent by a browser to a website to tell it that the individual has not consented to tracking technologies. The idea of a Do Not Track signal has been under discussion in the World Wide Web Consortium for over 5 years, with little progress seen so far.

When will the E-Privacy Regulation enter force?

The current aim is for the EPR and the GDPR to come into force together on 25 May 2018. This would create a unified and complete system of data protection regulation across the EU.

However, the EPR is still in draft form and must be negotiated and agreed between the 28 member states of the EU and adopted by both the Council of the European Union and the European Parliament. The negotiations in respect of the GDPR took around 4 and a half years to complete, and the draft text of the EPR was only released in January of this year.

Given the short timescales that would be required for negotiations, and the key technical hurdles involved in cookie consent, it appears unlikely that the 25 May 2018 deadline will be met. What is clear is that the EPR remains a high priority for European legislators, despite these challenges.

What to do now

The consequences of non-compliance match those of the GDPR, with a maximum fine of up to 4% of annual worldwide turnover or €20 million. Getting ready for the EPR should therefore be high on the agenda of any business, based anywhere in the world, that provides communications in the EU or uses tracking technologies in the EU.

Currently, we only have a draft text of the EPR and there are substantial amendments still likely to be made. This does not mean that preparation cannot begin now. At the moment there are three key points to take away from the draft proposals:

  1. Privacy of electronic communications is paramount: Organisations should review how and why they are collecting and using communications data.
  2. Consent will be required for tracking technologies, and the consequences of non-compliance will be much greater: Proper cookie consent should be sought in all instances; consider implementing banners.
  3. The scope of application is not limited to just those businesses in the EU: The EPR and GDPR are likely to affect most businesses in some way; resources should be sought to enable the changes required for compliance to be made.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.


The Data Protection Bill – Criminal Offences
Wednesday 15th November 2017

There are just over 6 months left before the EU General Data Protection Regulation (GDPR) comes into force, and most businesses are now aware of the hefty administrative fines for breaching the new EU rules. However, the UK’s new Data Protection Bill (“the Bill”) also creates criminal offences for the UK, some of which exist neither in the current Data Protection Act 1998 (DPA) framework nor the GDPR.

Unlawful obtaining of personal data

Under the DPA, it is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal data without the consent of the data controller. It is also an offence to sell, or offer to sell, illegally obtained personal data. This offence is extended under the Bill to include the retention of personal data. Therefore, an innocent recipient of personal data (where, for example, the data was disclosed to them by mistake) will commit an offence by failing to delete or destroy that data.

Defences to this offence involve proving that the actions were necessary to detect or prevent crime, required or authorised by law or an order of the Courts, or justified as being in the public interest. It is also a defence to prove that the alleged offender reasonably believed that they either had a legal right to obtain, disclose, procure or retain the data, or that the controller would have given its consent if it had known about the circumstances.

Re-identification of de-identified personal data

Personal data is “de-identified” if it has been processed in such a way that it can no longer be attributed to a specific data subject (such as through encryption, anonymisation or pseudonymisation). The Bill makes it an offence to “re-identify” such data (so that data subjects can again be identified from it) without the consent of the relevant controller, or to process personal data which has been unlawfully re-identified by someone else.

This new offence also has defences relating to the prevention or detection of crime, authorisation by law or by the Courts, and justification in the public interest. If an alleged offender can prove that they reasonably believed they were either the subject or the controller of the data, had the subject or controller’s consent, or would have had such consent if the subject or controller knew of the circumstances, they will also have a defence.

It has been suggested that this offence could be disastrous for some security researchers (sometimes known as “ethical hackers”), who routinely attempt to decrypt encrypted data for the purposes of testing and improving security systems. However, where a researcher is commissioned to test the security of a system in this way, they will likely benefit from the consent of the relevant controller. Even where such actions have not been commissioned or requested, it is conceivable that ethical hackers could rely on the defence of public interest. Alternatively, it may be that the controller would have consented had they known of the circumstances – businesses may even be grateful for researchers pointing out security vulnerabilities in their systems (provided those vulnerabilities are not exploited during the process). These defences are not clear cut, however, and it remains to be seen how such actions will be treated when the Bill comes into effect.

Preventing disclosure of personal data

The GDPR retains (and extends) the rights of data subjects to access their personal data. Where a data subject makes such a request (e.g. a subject access request or data portability request) and is entitled to receive the information requested, it will be an offence for the data controller (or its employees, officers or persons under its control) to alter, deface, block, erase, destroy or conceal that information with the intention of preventing its disclosure to the data subject.

It will be a defence to prove that the infringing actions would have occurred in the absence of the data subject’s request, or that the person altering (etc.) the information reasonably believed the requestor was not entitled to receive the information requested.

Prohibition on requiring relevant records

Under the Bill, it will be an offence for a person (P1) to require another person to provide P1 with health records or criminal records in connection with P1’s recruitment (or the continued employment) of an employee, or in connection with a contract for the provision of services to P1.

Where a person (P2) provides goods, services or facilities to the public (or a section of the public), it will also be an offence for P2 to require access to health or criminal records as a condition of providing those goods, services or facilities to any third party.

The wording of these offences is largely lifted from the DPA, but the existing rules relate only to criminal records (although some health records may benefit from protection in other legislation such as the Access to Medical Reports Act 1988).

Further offences and penalties

Under the DPA, it is currently a criminal offence for a controller to process personal data without first being registered with the Information Commissioner’s Office (ICO). Carried over from the Data Protection Act 1984, this offence may have been practicable 20 or 30 years ago but, with developments in technology and the increasing use of personal data, it has become a costly burden for many businesses. This offence is abolished in the GDPR and the Bill, and controllers will instead have an obligation to keep their own records and make them available to the ICO upon request.

It will be an offence under the Bill to intentionally obstruct the ICO’s inspection of personal data (where inspection is necessary for the ICO to comply with its obligations) or to fail without reasonable excuse to give such assistance as the ICO reasonably requires for such inspections. It will also be an offence to fail to comply with an information notice issued by the ICO, to knowingly or recklessly make a false statement in response to such a notice, or to interfere with the execution of a warrant obtained by the ICO in connection with a suspected data protection breach or offence.

Currently, there are no custodial sentences for the criminal offences under the Bill, which are all punishable (in England and Wales) by uncapped fines.



The Data Protection Bill vs The Data Protection Act
Wednesday 15th November 2017

The EU General Data Protection Regulation (GDPR) creates a new framework for data protection across the EU, and commentary on the changes under the GDPR is extensive (you may, for example, find it useful to read our article from last year summarising the key differences between the current rules and the GDPR).

The UK’s new Data Protection Bill (“the Bill”), which is currently working its way through Parliament, supplements the GDPR in UK law, creates a few new criminal offences, and (where it is allowed to) provides exemptions to the new EU regime. The Data Protection Act 1998 (DPA) similarly provided exemptions when it implemented the EU’s 1995 Data Protection Directive into domestic law in 1998, and many businesses have relied on such exemptions since that time.

Whilst talk of increased sanctions and harder-to-obtain consent has dominated the headlines, one of the important questions for many businesses will be: can we still rely on those exemptions? The good news is that, for the most part, the answer to that question is “yes”.

In relation to consent, more emphasis will need to be put on identifying the relevant legal bases a business may have for using personal data, rather than merely relying on consent. Privacy Impact Assessments will need to be undertaken and privacy notices sent to data subjects. Where consent is required, it must be obtained unambiguously and (in relation to special categories of data) explicitly. It must also be freely given, specific and informed. Businesses will need to take a more granular approach to the different uses they make of personal data and ensure that they have the appropriate legal basis for each different use.

The Bill recreates a number of important exemptions from the DPA for public bodies, including in relation to data processing for national security purposes, the prevention and detection of crime and the assessment and imposition of taxes. A new exemption is also introduced for the maintenance of effective immigration controls.

The existing exemptions for regulatory and supervisory bodies, which apply to data processing for purposes in the public interest (such as, for example, protecting the public from financial malpractice, protecting charities and securing the health, safety and welfare of workers) also have equivalent provisions in the Bill (and are extended to reflect new provisions under the GDPR).

The ‘freedom of expression’ exemption for journalism, literature and art is extended in the Bill to include academic purposes, and the protection for research, historical and statistical purposes is also carried through into the Bill with largely identical conditions to those in the DPA. Further new exemptions are introduced in respect of data processed for archiving purposes which are in the public interest, and to restrict data subjects’ rights of access to data where other enactments prohibit disclosure of such information (in relation to, for example, child adoption and human fertilisation).

In respect of the processing of sensitive (or “special category”) personal data, which is generally forbidden under the GDPR unless certain conditions are fulfilled, the Bill provides some specificity to the GDPR’s broadly worded conditions. One such condition involves processing for reasons of “substantial public interest” (a phrase which is not used in the current legislative framework). The Bill expands on this by providing a number of circumstances where the condition is fulfilled, notably including the processing of such data for the purpose of identifying and eliminating doping in sports.

There are new criminal offences in the Bill which are not present in the DPA. The offence of knowingly or recklessly obtaining or disclosing personal data without the controller’s consent exists in the current framework, but the Bill also makes it an offence to retain, sell, or offer to sell such data once it has been obtained without consent. Other new offences include decrypting encrypted personal data (or processing such data once it has been decrypted) without the controller’s consent, and altering or destroying personal data to prevent a data subject’s right of access.



GDPR vs The Data Protection Bill
Wednesday 15th November 2017

The UK’s new Data Protection Bill (“the Bill”), which was first introduced to Parliament last month, is intended to implement the EU General Data Protection Regulation (GDPR) and address areas (such as exemptions) where member states are afforded some discretion in applying the GDPR principles to domestic law (as well as creating some new criminal offences). The Bill also introduces similar provisions to those in the GDPR in respect of data processing by law enforcement authorities and intelligence services; areas which are outside the scope of the EU regime.

Controllers and Public Authorities

The substance of the Bill begins with a clarification of the term “controller”. The controller bears the brunt of the sanctions for non-compliance, and the GDPR’s definition (persons “who determine the purposes and means of the processing of personal data”) largely mimics that of the Data Protection Act 1998 (DPA). However, the Bill provides special rules in respect of data processed by the Crown or by Parliament, and retains a provision from the DPA which says that, where data is required to be processed by an enactment, the controller is the person upon which that requirement is imposed.

A definition for the term “public authority” (which is used, but not defined, in the GDPR) is also provided in the Bill, by reference to the Freedom of Information Act 2000. Whilst this was not an unexpected move, the definition notably includes limited companies whose shareholders are all public bodies (such as local authorities). One of the main repercussions of this is that such companies will not be able to rely on the “legitimate interests” ground for processing personal data.

Extended provisions

One topic of interest to the public is the minimum age at which children may provide their consent to the processing of their personal data. The default position under the GDPR is 16 years but member states are permitted to reduce this to not less than 13 years; the Bill implements the lowest age of 13.

The Bill also expands on the issue of processing sensitive personal data (such as data relating to racial origins, religious beliefs, sexual orientation etc.) which, under the GDPR, is prohibited unless certain conditions are met. The Bill provides substantial guidance on those conditions and, in some cases, may make them harder to fulfil. Controllers processing sensitive personal data will have to have appropriate policy documents in place, explaining their procedures for securing compliance with the data protection principles and their data retention and erasure policies.

An appeal route is also provided in the Bill for individuals that have been subject to a decision which substantially affects them based purely on automatic processing.

Criminal Offences

There are several new criminal offences created by the Bill which are not present in the GDPR or the existing DPA framework.

The DPA offence of knowingly (or recklessly) obtaining or disclosing personal data without the controller’s consent subsists, but the Bill also makes it an offence to retain such data once it has been obtained without consent, or to sell (or offer to sell) such data. It will also be an offence under the Bill to decrypt encrypted personal data, or to process such data once it has been decrypted, without the controller’s consent. Finally, in an attempt to safeguard data subjects’ access rights, it will be an offence under the Bill to alter or destroy personal data that a data subject has requested (and is entitled to receive) access to.


The Bill contains a wide array of exemptions from the provisions of the GDPR, some of which will be familiar to those acquainted with the existing DPA framework.

A large portion of the GDPR (including data subjects’ rights of access to data, rectification, erasure, data portability and objecting to processing) is exempted for various purposes that are in the public interest, such as the prevention of crime, the maintenance of effective immigration control, the protection of charities and the securing of the health and safety of workers (amongst many others).

The ‘freedom of expression’ exemption, which was present in the DPA, also subsists in the Bill where personal data is processed for the purpose of journalism or for academic, artistic or literary purposes.

The right of a data subject to access personal data held about him/her is explicitly limited in the Bill so that a controller is not obliged to disclose data to a subject if other individuals are identifiable from that data. The obligations on controllers to provide information about their processing of personal data to subjects are also exempted in various situations, including where compliance would cause a controller to incriminate itself for a criminal offence.
