ICO investigation into Facebook, Cambridge Analytica and political campaigns
Wednesday 11th July 2018

A progress report published yesterday by Information Commissioner Elizabeth Denham provides insight into the ICO’s investigation of the Facebook/Cambridge Analytica scandal and the use of data analytics in political campaigns.

US social media giant Facebook has been issued by the ICO with a notice of intent to issue a fine of £500,000, for failing to take sufficient measures to safeguard users’ data and for its lack of transparency around the “harvesting” of personal data by third parties.

The notice follows the widely reported scandal involving, amongst others, data analytics outfit Cambridge Analytica, whose parent company SCL Elections Ltd also faces criminal sanctions for its failure to comply with a prior enforcement notice.

Facebook is under investigation for breaches of the Data Protection Act 1998 arising out of its failure to enforce its own policies on how user data may be collected and processed by other organisations. This led to an estimated 87 million users’ personal information being collected through a psychometric analysis app developed by Cambridge University academics, such data supposedly having then been used to psychologically profile and influence constituents in elections around the world.

Whilst a £500k fine would represent the maximum that the ICO may impose, and the largest fine issued to date by the ICO for data protection breaches, it is a fraction of the amount that Facebook could have been fined had the breaches occurred under the new GDPR regime, which came into force on 25 May this year.

According to The Guardian, if imposed, this fine would equate to a mere five and a half minutes’ worth of revenue for Facebook (based on figures from Q1 2018) – a sanction branded as “unacceptable” by privacy campaigners. Had the GDPR been in force at the time of the suspected breaches, Facebook could have been hit with a fine in excess of £1 billion based on 4% of its worldwide annual turnover, although we are yet to see the extent to which supervisory authorities will make use of the new maximum penalties under the EU Regulation.

The progress report also highlights warnings that have been issued to the UK’s 11 main political parties concerning their practices, including purchasing marketing lists without conducting due diligence on the legality of how that data was obtained, failing to provide fair processing information to data subjects and engaging third parties to undertake potentially unlawful analysis and profiling of individuals.

With widespread concerns that the data harvested from Facebook has been used in attempts to sway election results – including on both sides of the Brexit referendum in the UK and in President Trump’s election campaign in the US – by spreading misleading information to targeted individuals, this investigation illustrates the far-reaching impact that data protection breaches, by large data-led organisations such as Facebook, can have.


The Lucky Country? Not if you’re a smoker.
Friday 29th June 2018

The World Trade Organisation (WTO) has ruled in favour of Australia’s law, introduced in 2011, that made it mandatory for cigarettes to be sold in brown packets that carry health warnings. Tobacco producing nations Cuba, Honduras, Dominican Republic and Indonesia argued to the WTO that plain packaging infringed on trademarks and intellectual property rights. Regular readers of our blog will be familiar with similar claims brought in the EU regarding similar UK regulations, which you can read about here:

The WTO rejected their arguments that Australia could use alternative measures to achieve an equivalent benefit to public health. Australia was the first country to introduce the drastic packaging measures. Plain-packaging rules insist that 75% of the front of a cigarette pack is covered by a health warning, and 90% of the back. The packaging rules, coupled with significant (and still increasing) taxes and restrictions on where people may smoke in public places, have seen a significant reduction in the number of smokers in the country.

Britain, Ireland, France, Hungary, Norway and New Zealand have already followed Australia in introducing similar legislation. The WTO ruling paves the way for more countries to follow suit. The tobacco growing nations have promised to appeal the ruling, so watch this space. In the meantime, you can read Colin Bell’s comprehensive analysis of The Court of Justice of the European Union rulings on the Tobacco Products Directive here:

For more information on plain packaging issues, contact a member of our IP team.


Is this America? Then Let's Get it On
Friday 29th June 2018

Regular readers of our blog will remember our previous posts on music copyright, most recently here, and here. This issue seems to be in the news much more frequently these days. Perhaps the considerable payout (£4.8 million) awarded to Marvin Gaye’s heirs, after a jury in the US found that Pharrell Williams and Robin Thicke’s hit Blurred Lines was too similar to Gaye’s Got To Give It Up, is to blame. Their lawyer said the case set a “horrible precedent” and indeed it may have fuelled these subsequent claims. Our thoughts on the original decision are here.

Childish Gambino is the latest music maker to be hit with allegations of copying. Users on Reddit and Twitter began discussing how similar his “ground breaking track” This Is America, particularly known for its video, and which has reached number 1 in the US charts, is to rapper Jase Hartley’s 2016 song American Pharaoh. Having spent an afternoon listening to one song after the other I’m still undecided as to whether or not Childish Gambino’s song is a copy of Hartley’s. Other writers, more musically in tune than me perhaps, have pointed out the similarity in subject matter, lyrical tone, instrumentation, flow, and inflection. From my listening I would agree, it seems to be the overall vibe (if you will) that is similar, but is that enough to support a cause of action?

Luckily for Childish Gambino he is unlikely to have to defend himself in court. Hartley has responded to fans on social media by agreeing that it seems Gambino has been inspired by his track and urging listeners not to let the controversy surrounding the similarities overtake the message both artists are trying to get across about race in America. Hartley has also pointed out that “All artist[s] get inspired by others.” And this is one of the concerns of artists globally: there are a finite number of musical notes and ways to put them together, and when there are similarities it will not always have been a deliberate copy.

Ed Sheeran is unlikely to be as lucky as Gambino though. He has already settled a case in respect of his song Photograph. Now, Structured Asset Sales, who own one third of the copyright in Marvin Gaye’s song Let’s Get It On, have launched legal proceedings worth $100 million against Sheeran in the US, alleging that his song Thinking Out Loud copies "the melody, rhythms, harmonies, drums, bass line, backing chorus, tempo, syncopation and looping" of Gaye’s song. This comes two years after the estate of Ed Townsend (who also claim ownership rights in Let’s Get it On) made similar allegations; their original claim in the US failed for procedural reasons, although a subsequent one was refiled in 2017. With two cases looming, and with the potential reputational risks for a popular songwriter like Sheeran, it would not be surprising for him to settle rather than risk court hearings, but only time will tell.

Get in touch with a member of our IP team, particularly if you’re concerned that your music has been copied too!



Monday 18th June 2018

In March the European Commission published the “Draft Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community”. The paper sets out the position of the negotiations so far and makes clear those areas that have been agreed by the negotiators (subject to technical legal revision) and proposals made by the Union which are still under discussion.

Many of the proposals in respect of Intellectual Property rights have been agreed between the negotiators. The UK has agreed that the following IP rights will continue to be protected in an equivalent way, for the same period in the UK, so long as the said right is registered in the EU before the last day of the transition period:

  1. EU trade mark;
  2. Community design;
  3. Community plant variety right;
  4. International trade mark (as per the Madrid system with the EU designation);
  5. International design right (as per the Hague system with the EU designation); and
  6. Unregistered community design.

The above rights will, where relevant, enjoy the same date of filing and date of priority in the UK as they do in the EU.

If any of the rights listed at points 1 to 3 above are declared invalid or revoked (or declared null and void and cancelled in the case of a Community plant variety) as a result of an administrative or judicial procedure that was ongoing on the last day of the transition period, then the corresponding right in the UK shall also be declared invalid or revoked. The date of such declaration will be the same in the UK as it is in the Union. In addition, any IP rights that have been exhausted in the EU and the UK before the end of the transition period shall remain exhausted both in the EU and UK.

If a person has filed an application for an EU trade mark before the end of the transition period and a date of filing was given, they will have 9 months from the end of the transition period to file an identical application in the UK and still benefit from the filing date and priority date allocated to the EU mark application. The same shall be true for an application for a Community plant variety right but the ad hoc right of priority will be 6 months from the end of the transition period.

Finally, the negotiators have agreed that holders of rights in relation to a database in the UK that arise before the end of the transition period will continue to be afforded the same level of protection as was afforded to them under the relevant EU laws.

Yet to be agreed between the parties are the rules on:

  • Geographical indication, designation of origin or traditional speciality (most famously these rules apply to products such as Champagne and Parmesan Cheese).
  • The registration of existing EU rights in the UK, whether the UK entities will be allowed to charge for this process and what information the EU entities will be required to pass to the UK.
  • How to deal with applications for supplementary protection certificates that were submitted in the UK before the end of the transition period but were still outstanding.

From this position paper it appears that rights holders can expect to enjoy the same level of protection in the UK as they already do and do not have cause for concern at least until the end of the transition period and when such rights are due for renewal at which point the UK may have developed their own rules post-Brexit.

After the transition period, rights will cease to have effect in the UK; accordingly, rights owners who wish to retain UK rights will need to ensure their UK rights are protected separately. We already recommend clients file national applications (in EU Member States of key concern) as well as EU TMs; this will obviously become more important in the UK post Brexit. While at this stage there is no need to do anything differently, clients may wish to give more consideration to separate UK rights and registrations in advance of Brexit and the end of the transition period.

For more information, please visit our IP & IT page or contact a member of our IP Team.


No chance of a break for Kit Kat
Monday 18th June 2018

As followers of our previous blog may remember, the EU General Court found that Nestle had failed to show that their 3D mark, Kit Kat’s four fingers, had acquired distinctive character through use in the EU. The Court found that Nestle had shown use in Denmark, Germany, Spain, France, Italy, the Netherlands, Austria, Finland, Sweden and the UK.

Nestle raised an appeal, which was supported by MARQUES, The Association of European Trade Mark Owners. Their argument was that it would be impossible for anyone to provide adequate evidence if the registration of an EU mark could be refused because of lack of evidence of distinctiveness in a single Member State.

The Attorney General considered various legislation and case law in this respect and ultimately found that the General Court’s view could be summarised to say that “the acquisition of distinctive character is not linked simply to a majority of Member States and populations, but also to the concept of ‘geographical representativeness’”. When proving distinctive character in respect of an EU trade mark application, the geographical nature of this requirement is not set out by Member State borders but the application must show how the distinctive character has been established across the territory of the EU.

An example given by the Attorney General is that companies may group together certain national markets due to historical links, or common languages, customs and practices. Accordingly, in those situations, an applicant could rely on evidence of distinctiveness in the UK market as sufficient for that in the Irish market or evidence provided in the Spanish market may also be sufficient for the Portuguese market, provided the applicant could show the relevant groupings and evidence of market comparability.

This may give Nestle some hope but the Attorney General still reached the opinion that the Court dismiss the appeal brought by Nestle. He explained that, “Nestle had not established, in respect of the product concerned, the comparability of the Belgian, Irish, Greek, Luxembourg and Portuguese markets with some of the other national markets for which it had provided sufficient evidence.”

To summarise, because Nestle had not established the relevant regions or parts of the EU where the distinctive character could be shown, they are not now able to claim (for example) that the Irish market (where insufficient evidence was provided) is part of the same market as Great Britain (where distinctiveness had been established) and so on.

Whilst the appeal appears at first glance to be nuanced legal arguments, if the Court follows the Attorney General’s opinion it will serve as useful guidance for other companies hoping to register a trade mark of “distinctive character” in the EU. Evidence does not need to be shown for each Member State but applicants should be careful to ensure that they establish the geographic regions across the EU that show “distinctive character” has been established across all regions.

If you would like to discuss your trade mark application in the EU, or any other jurisdiction, please contact our trade mark team at


Copyright and Planning Permission – brave (or stupid) to develop without assignment of rights
Monday 18th June 2018

The case of Signature Realty Ltd v Fortis Developments Ltd and another [2016] EWHC 3583 (Ch), 17 February 2017 provides useful insight for developers and architects regarding the use of plans approved as part of planning permission.

The case concerned a property developer, Signature Realty Ltd (“Signature”), who secured planning permission for the construction of student flats in Sheffield city centre. Planning was approved on the basis of the drawing of their architect C&W. Signature subsequently encountered problems with funding and was unable to purchase the site.

Fortis Developments Ltd later bought the site and Beaumont Morgan Developments Ltd were engaged by them as the design and build contractor (jointly referred to as “the Defendants”). The planning permission granted to Signature was conditional upon the development being carried out in accordance with C&W’s drawings, which had been published on Sheffield’s Planning Portal. This contained a copyright notice that limited the use of the drawings to consultation purposes, for comparing current applications with previous schemes and for checking whether developments had been completed in accordance with approved plans.

It is commonplace within the development sector for site owners or developers to instruct architects to draw up planning designs on the proviso that the site will later be sold to a third party who will carry out the development in accordance with these designs without infringing copyright. So long as the architect has been paid for their work there will be an implied licence to use their plans for all purposes connected with the site to which the plans relate. This implied licence may be transferred and is not conditional upon the architects being included in any subsequent work.

In the Signature case the distinction was that the new owner, the Defendants, did not buy the site from the party which owned the copyright (Signature). They purchased the site from the owner who did not have any licence to the copyright or the ability to transfer this. The implied licence was with Signature who did not own the land.

In the decision the judge commented that there was no statutory or intellectual property right in planning permission. It was held that copyright did subsist in C&W’s drawings and that the bar for subsistence of copyright was not high. The Defendants had engaged their own architect but the judge found that there had been instances of infringement.

In order to avoid copyright infringement in relation to planning permission we suggest:

  • Remember that planning permission is not a licence to copy or use the approved plans. Planning permission and the public availability of the underlying designs is not a licence to use them.
  • Avoid copying or reproducing plans or drawings.
  • Be mindful that changing or using only a small part of the designs will not be sufficient to evade a claim for infringement. Substantial copying is sufficient and this is judged qualitatively as opposed to quantitatively.
  • Prior to acquiring a site carry out proper due diligence to establish who owns the copyright in the designs.
  • Secure a written licence or assignment from the copyright holder before using approved plans.

For any queries regarding Signature Realty Ltd v Fortis Developments Ltd and another [2016] EWHC 3583 (Ch), 17 February 2017, or copyright law in general, please visit our IP & IT page or contact a member of our IP Team.


Update - Unsuccessful Appeal and Settlement – Status Quo in Music Copyright Claims
Monday 18th June 2018

Updates to two previous blogs and cases on music copyright.

Still Got to Give it Up

In March, a federal appeals court in the US upheld the original jury decision in the Blurred Lines case, where it was found that Pharrell Williams and Robin Thicke had infringed Marvin Gaye’s copyright in the song Got to Give it Up.

The music industry has some concerns about the decision. Some consider it too wide-ranging, affording protection to a “musical style” and not just the music, which could inhibit future musicians and composers, leaving them at risk of similar claims.

But the case has been hailed by Gaye’s family as positive for writers as, rather than stifling creativity, it will hopefully lead to more originality and avoid copycat works.

As previously stated, all cases should be taken on their own merits and some of the similarities between the relevant works in this case were striking. However, given the size of potential damages, it may make others quicker to settle claims to avoid an adverse decision and a damages award (see below).


“We keep this love in a photograph” and this copyright claim out of court as claim against Ed Sheeran is dismissed #photograph

Back in August 2016 we blogged about Ed Sheeran’s copyright battle with the writers of X Factor winner Matt Cardle’s ‘Amazing’. It was alleged that Sheeran’s track ‘Photograph’ was a ‘note-for-note’ copy of ‘Amazing’.

Subsequently an Order was made to the effect that the claim be dismissed ‘with prejudice’ following agreement between the parties on 6 March 2017. The details of the settlement paid to the writers of ‘Amazing’, Thomas Leonard and Martin Harrington, have not been disclosed. In their complaint they alleged that Sheeran ‘copied, and exploited, without authorisation or credit, the work of other active, professional songwriters, on a breath-taking scale.’ Leonard and Harrington sought in excess of $20 million and were represented by Richard Busch, who successfully sued Robin Thicke and Pharrell Williams for $5.96 million on behalf of the family of Marvin Gaye. This was a similar claim regarding Thicke and Williams’ track ‘Blurred Lines’.

In the US a jury decides on the claim and, crucially, the award made to the plaintiff if they are successful. It may be that Sheeran and his advisors have taken a pragmatic approach to see an end to the dispute and any further negative press (which could be more costly than the potential damages award given Sheeran’s success and reputation as a songwriter). Thus far, Sheeran and his representatives have not made a comment.


For any queries regarding copyright law or intellectual property rights in general, please visit our IP & IT page or contact a member of our IP Team.


Red Bull GmbH - v - EUIPO - A Turning Point for Colour Combination Marks?
Tuesday 12th December 2017

In a decision which may cause concern to businesses which adopt distinctive colour schemes as part of their branding, the European General Court (Second Chamber) (hereafter “the Court”) has recently handed down its judgment in the case of Red Bull GmbH v European Union Intellectual Property Office (‘EUIPO’).

This case concerned an appeal by Red Bull against the EUIPO’s decision to cancel two of its existing European trade mark registrations (which were registered in 2005 and 2011 respectively). Each of the Red Bull marks in question was a “colour combination” mark which aimed to protect the well-known blue and silver colour scheme which Red Bull uses uniformly across its global branding.

Applicants seeking to register colour combination marks are required to provide the EUIPO with:

(i) an appropriate representation of the mark that shows the systematic arrangement of the colour combination in a uniform and predetermined manner; and

(ii) a reference to a generally recognised colour code (e.g. Pantone) relating thereto.

As a matter of best practice, an applicant should therefore provide the examiner with a precise written description of the use of the colour(s) that they are seeking to protect to accompany the visual representation.

The two Red Bull registrations concerned are depicted below, along with their respective ‘descriptions’:

Dismissing Red Bull’s submissions that the EUIPO had interpreted existing case law in this area ‘unduly strictly’, and that its decision was both “disproportionate and discriminatory”, the Court considered that Red Bull’s marks, even when taken together with their respective descriptions, were no more than the “mere juxtaposition of two or more colours, designated in the abstract”.  As the extent of the protection given by the two registrations could not be “grasped clearly or precisely”, the Court concluded that both ought to be cancelled for lack of precision. 

Among commentators, the Court’s decision has been regarded as the effective ‘death knell’ for the registration of ‘colour combination’ marks.  Indeed, the extensive list of requirements set out in the judgment, which the Court suggests should be met before such marks may be considered valid for registration, could well be seen as being prohibitive in the eyes of prospective applicants. 

However, on closer inspection there do appear to be a number of underlying factors in play here which may better explain the Court’s decision in this case:

1. The devil is in the detail?

Firstly, the Court was clear in its judgment that, where a description is included in an application for a mark, it will necessarily become an ‘integral’ part of the registration (along with the graphic element).  Looking back at the above descriptions submitted in support of the Red Bull marks, that the Court took issue with the lack of precision in the scope of these registrations is understandable.

To illustrate how the Court’s concerns as to the ‘precision’ of a description might be allayed, it is helpful to consider an example of another colour combination mark which is protected on an EU-wide basis, which is owned by John Deere plc:

This mark protects the distinctive colour scheme adopted across its product range by the global manufacturer of agricultural and construction machinery.  The detailed description submitted in support of this mark certainly helps the reader to visualise how the colour scheme to which it attaches will be systematically used in respect of John Deere’s products (in a way which the Red Bull descriptions do not).  With this in mind, one might well argue that the Court’s decision in the present case was less to do with the registrability of colour combination marks per se, and more to do with the inadequate descriptions which accompanied Red Bull’s registrations.

2. …and the Legislation?

Secondly, the fact remains that, pursuant to existing EU legislation and accompanying EUIPO guidance, colour combination marks are eligible to be registered as trade marks per se irrespective of any specific shape or configuration attached to them.  The fact that combinations of colours “in the abstract” are stated to be registrable would therefore appear to contradict the Court’s position in this decision that the colours of a combination mark must be presented in some ‘systematic arrangement’ which associates the colours in some ‘predetermined and uniform way’.

The wording of the EU legislation therefore creates scope for an applicant to argue that it is the colours of the combination mark themselves that are the distinctive (and registrable) element, and the arrangements of the colours thereon should not have bearing on the examiner’s decision. Therefore, if an applicant can show that the colours themselves are distinctive in the minds of consumers (as Red Bull had managed to do in their initial applications) then surely there should be no need to also prove that customers can identify with any specific embodiment of them.  Indeed, it could even be argued that if an applicant went too far in describing their colour combination mark, it could inadvertently be rendered a figurative mark.  It is not apparent that Red Bull developed such arguments sufficiently in this case, which could again help to explain why it was ultimately unsuccessful in its appeal.


The decision in this case is perhaps not as significant as it may seem at first glance, and we would submit that, instead of marking a turning point in the law relating to the registration of colour combination marks, it should be seen as one which is specific to its facts. Undoubtedly, the Court was presented with two marks which were accompanied by vague descriptions, though the EUIPO’s objections could well have been effectively rebutted by reference to the legislation underpinning the EU trade mark regime. While this is little comfort to Red Bull, who must now consider whether there is merit in appealing this decision to the Court of Justice of the European Union, those considering the filing of applications to register colour combination marks in future should not be too disheartened.


Morrisons Vicariously Liable for Employee’s Deliberate Payroll Data Protection Breach
Tuesday 5th December 2017

Companies around the UK may be shocked to find out that they could be held responsible for data leaks by their employees, even where a court has ruled that the company itself has done nothing wrong.

In a landmark decision last week, the first data-breach class action in the UK, Morrisons, the fourth largest supermarket group in Britain, has been held liable for the actions of a former employee who stole the payroll information of thousands of employees and uploaded it to the internet.


In 2014, Andrew Skelton, an IT auditor at Morrisons’ headquarters, was tasked with providing a copy of the company’s payroll data to their auditors, KPMG. Whilst the file was stored on his computer, Mr. Skelton made an illicit copy which he transferred to his personal USB stick. Mr. Skelton later uploaded this data to a file-sharing site and sent CD copies of it to two local newspapers in Yorkshire. It is believed that Mr. Skelton was motivated by his anger at Morrisons in respect of recent disciplinary proceedings that had been taken against him on an unrelated matter.

5,518 former and current workers of Morrisons brought the claim against the company alleging that Morrisons was either directly liable for not complying with the data protection principles in the Data Protection Act 1998 (DPA), or that Morrisons was responsible for Mr. Skelton’s breach of the act as his employer.

Direct liability

The claimants’ first argument was that Morrisons itself was in breach of principles 1-7 of the DPA. Mr. Justice Langstaff dealt with principles 1-6 first and disposed of them quickly on the grounds that any breach of those principles was committed by Mr. Skelton acting as the data controller of his own copy of the payroll data; Morrisons therefore could not be directly liable.

The seventh data protection principle requires data controllers to have in place “appropriate technical and organisational measures” to prevent unauthorised use of personal data. The claimants’ argument was that it was inappropriate for Morrisons to have trusted Skelton due to his recent disciplinary proceedings, and that they should have had some organisational measure in place to prevent him being tasked with handling such vast amounts of highly sensitive data.

The judge rejected this argument. Whilst Langstaff J accepted that there clearly were minimum standards that had to be in place, he ruled that a balance must be struck between the risk presented to personal data and the availability and cost of minimising that risk. Mr. Skelton’s previous infraction was only a minor issue and gave no reason to exclude Skelton from particular types of work. Skelton was a trusted employee and had given no real reason to doubt his trustworthiness.

Though he did find a small ‘non-material’ breach relating to a failure to delete the data from a laptop after Mr. Skelton had already taken a copy of it, this was not taken into account as there was no connection between the failure to delete and the loss caused to the claimants. The judge’s ruling was therefore that Morrisons had committed no material breaches of the data protection principles and, in particular, had not failed to have organisational measures in place to protect personal data from unauthorised or unlawful disclosure.

Vicarious liability

This was the first case since the DPA came into force to consider the issue of vicarious liability. The doctrine of vicarious liability allows for someone to be held responsible for the act or omission of another; it can commonly arise in the employment context when employers are held to be responsible for the acts of their employees.

The judge followed the 2-limb test for vicarious liability as it had been stated in another case involving Morrisons, the Supreme Court decision Mohamud v William Morrison Supermarkets plc. The test is:

1. Taken broadly, what was the nature of the position, task or job of the employee? and

2. Given the nature of the position, task or job was there sufficient connection between that and the wrongful conduct?

In applying the test, the judge found that Mr. Skelton’s ‘task’ had been to receive and store a copy of the data and then transmit it to a third party (KPMG). Therefore, said Justice Langstaff, his act was clearly an improper mode of performing this task and so was sufficiently connected to the task to make Morrisons liable.

The question, as the judge saw it, was “not whether Morrisons did wrong, but whether, when Skelton did, his acts were closely connected with his employment.”


The judgment is clearly a very worrying one for employers. Every employer will hold some personal data in relation to their employees and most will hold significant amounts of sensitive data. As Mr. Justice Langstaff himself recognised in his judgment, there can be no 100% effective system to prevent data breaches occurring, and a particular threat is posed by employees who are trusted with access to personal or sensitive data and yet choose to abuse that trust and commit breaches of the DPA.

This judgment leaves employers exposed to such rogue employees. Even in situations where the employer has taken all possible precautions and put the best protective measures in place, it appears that following this decision, the unauthorised acts of an employee that appeared trustworthy may still lead to significant liability for the employer.

It is also possible that the Information Commissioner’s Office (ICO) could investigate the matter not only in relation to the non-material breach relating to failure to delete data, but also generally. If they do, the ICO has the power to levy additional fines on Morrisons and to require the company to enter into binding undertakings to comply fully with data protection legislation going forward. The judge’s ruling that Morrisons did not materially breach any of the data protection principles in the DPA may, however, lessen any sanction imposed by the ICO. Even so, this point will always turn on the actual facts of the case, and it seems a little surprising (and counter-intuitive) that an employee was able to leak this data while Morrisons was at the same time considered to have had the appropriate organisational measures in place to protect personal data and not to be materially in breach of data protection principles.

Under the General Data Protection Regulation (GDPR) coming into force in May 2018, such fines could be up to €20 million or 4% of annual global turnover (whichever is higher). The GDPR also incorporates a new principle of accountability, requiring data controllers (such as Morrisons in this case) to demonstrate compliance with the GDPR by showing the supervisory body (the ICO in the UK) how the data controller complies on an ongoing basis with GDPR, including through evidence of effective internal compliance measures. Where there has been a breach, such as in the present case, it could prove very difficult for data controllers to prove that their internal compliance measures are effective.

The judgment dealt only with the issue of liability and it remains to be seen what damages will eventually be awarded to the claimants. Additionally, the judge, as well as being firm in ruling that Morrisons had no direct liability in this case, has also granted leave to Morrisons to appeal the ruling on vicarious liability.

In the meantime, employers should seek to ensure that their organisational and technical systems make it as difficult as possible for any rogue employee to steal personal data. It now appears that the only sure defence is preventing the breach in the first place.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.


ICO Announces Changes to Binding Corporate Rules Applications
Friday 1st December 2017

From this week, organisations making applications to the Information Commissioner’s Office (ICO) for Binding Corporate Rules (BCRs) must ensure that they are compliant with the new General Data Protection Regulation (GDPR), coming into force on 25 May 2018.

What are Binding Corporate Rules?

Under the GDPR, personal data can only be transferred out of the EU if there will be a sufficient level of protection in place at the intended destination to protect the rights and privacy of the people involved. If data is transferred in breach of this, organisations could face fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.

For some countries, the European Commission will issue an ‘adequacy decision’ meaning that the data protection laws in that country are already strong enough to protect any personal data transferred. Where there has been no such decision, however, it is down to each organisation to ensure that they put effective safeguards in place to protect the personal data.

One option is to use BCRs. BCRs are rules that apply to all members of a group of companies (or all participants in a joint venture); they determine how personal data is to be processed and protected within that group. Organisations draft their own BCRs, and once they have been approved by the ICO there is no need to require additional safeguards for intra-group transfers of personal data, even if those transfers are to countries outside of the EU. BCRs, once in place, will continue to apply even if the flow of data within the group is altered or there are changes to the group’s corporate structure.

Applications submitted from now on

From this week, the ICO requires that new applications for BCRs must comply with the requirements of the GDPR regarding adequate safeguarding of the data transferred. These applications, though they can be submitted in anticipation of the GDPR entering into force, will not be approved until after 25 May 2018.

Additional guidance on BCR applications is currently being produced by a data protection working party in the EU. It is expected that this guidance will be published by the end of the year. The ICO will be making the guidance available on their website once released.

Applications currently with the ICO and awaiting approval

Many organisations have already submitted applications for BCRs under the current legislation and are waiting to hear back from the ICO. In a press release this week, the ICO confirmed that they will continue to process these applications and that, where necessary to ensure compliance with the GDPR, they will be contacting organisations directly to request amendments and updates to the applications.

Binding Corporate Rules already approved and in place

Organisations that have BCRs in place that have previously been approved will also need to update their rules. It is a requirement that BCRs are updated to comply with new regulations as they come into force. As such, organisations currently relying on BCRs for cross-border data transfers must ensure that their rules are GDPR-compliant by 25 May 2018.

The ICO should be informed of any changes made, though this can wait for the next annual update communication. The ICO will be writing to all organisations that have approved BCRs nearer the time, to remind them of their obligation to update their rules and advise on the procedure for doing so.

Further information

If you would like to know more about GDPR readiness, cross-border transfers of data or binding corporate rules, please contact a member of our commercial team, or your usual Brabners contact.
