Lock up (or you’ll have the ICO on your Doorstep)

Posted on

In a decision given just before Christmas, the ICO has imposed a hefty £275,000 fine on Doorstep Dispensaree Limited for its breaches of the GDPR. The ICO found that Doorstep had failed to ensure the security of special category personal data, following an investigation by the Medicines and Healthcare products Regulatory Agency (“MHRA”) that discovered:

- 47 unlocked crates;
- 2 disposal bags; and
- 1 cardboard box,

all packed full of poorly stored personal data (including NHS numbers, medical information and prescriptions), with nothing to mark the documents as confidential waste – the discovery was actually made in a rear courtyard with residential access, and some of the documents were sopping wet (suggesting that they had been there for some time). In total the MHRA estimated there to be approximately half a million documents containing personal data.

It’s worth noting that this fine wasn’t imposed without warning (or without the opportunity for Doorstep to address/explain its inadequate storing facilities). The Commissioner first wrote to Doorstep on 15 August 2018 with her concerns and a number of GDPR compliance questions, and whilst Doorstep responded via its solicitor 6 days later it failed to answer the Commissioner’s questions and instead tried to deny any knowledge of the matter. Doorstep was also given a second chance when the Commissioner wrote again in September 2018 (repeating the questions about GDPR compliance) but it responded later that month with a further refusal to answer the questions. 

The chain of events that followed resulted in Doorstep being issued with an Information Notice (which Doorstep unsuccessfully appealed), requiring it to provide the information initially requested by the Commissioner. The Commissioner then sent not one, but two chaser emails, with the second chaser threatening Doorstep with the issue of a penalty.

Doorstep eventually responded to the questions on 1 March 2019, providing a number of data protection documents. However, upon inspection most of these documents had not been updated since April 2015, meaning they pre-dated the implementation of the GDPR by 3 years (not ideal in demonstrating GDPR compliance).

The Commissioner originally proposed a penalty of £400,000 for Doorstep’s breach. Doorstep tried to suggest that any penalty should be issued against its licenced waste disposal company, Joogee Pharma Limited. This was rejected by the Commissioner, who was satisfied that Joogee had acted as data processor only, relying on Doorstep’s instructions and leaving it to Doorstep as data controller to determine the purpose and means of the data processing.

In assessing the appropriate penalty, the Commissioner referred to Doorstep’s breach as ‘extremely serious’, and one that demonstrated a ‘cavalier attitude to data protection’. However, being mindful that the penalty must be effective, proportionate and dissuasive the Commissioner decided to lower the proposed penalty, imposing a penalty of £275,000 instead. The penalty is due to be paid by this Friday (17 January 2020).

Whilst this case comes as a word of warning in particular to any companies that are in possession of medical information, whether that be NHS numbers or prescriptions, there is a lesson there for any companies holding confidential data: store your information securely and keep your data protection documentation up to date. 

Our commercial team specialises in data protection and all things GDPR, so please get in touch with us if you have any concerns over GDPR compliance – we are happy to advise and update (or put together) your suite of data protection documents to ensure your compliance with the GDPR. 

Waterworld: The battle of Shnuggle and Munchkin

Posted on

Last week, the Intellectual Property Enterprise Court (IPEC) handed down its judgment in relation to a dispute surrounding design rights in baby baths. The decision focuses on how the court will determine that a design possesses individual character and therefore creates a "different overall impression" on the informed user, so that it does not infringe a prior design. As Her Honour Judge Clarke’s judgment is a total of 78 pages, we have done our best to sponge up the decision’s information and wash off any unnecessary details to give you a squeaky clean summary of all you need to know about Shnuggle v Munchkin (apologies!).

The case concerned design right infringement of baby baths, in which the defendant (Munchkin (US) and their UK subsidiary, Lindam) were accused of design infringement by the claimant (Shnuggle), for the release of their product, the "Sit & Soak".

Shnuggle claimed both unregistered design rights alongside two registered European designs for their products, "MK1" and "MK2". Munchkin openly admitted that they had produced the "Sit & Soak" after the Shnuggle designs were already on the market, with the intention of producing a Shnuggle-inspired design, with some added Munchkin features. Munchkin relied upon four prior art designs from other competitors which they claimed showed the commonplace design of baby baths.

In making her decision, the Judge first invalidated Shnuggle’s MK2, saying that it lacked individual character and failed to give a different overall impression to the previous MK1. In addition to this, she held that the “Sit & Soak” did not infringe the MK1 or any unregistered design rights that Shnuggle claimed in their product.

The decision and the approach of the court in this case carries importance, in that it reinstates the "overall different impression" test from Procter & Gamble Co v Reckitt Benckiser (UK) Ltd [2007] EWCA Civ 936. This test was also illustrated in Dyson v Vax [2011] EWCA Civ 1206, in which Dyson lost its claim of design infringement, as a competitor’s similar design was held to produce a different "overall impression".

This Shnuggle v Munchkin judgment reinforces this emphasis on redirecting the focus within registered design infringement, from looking at individual differences between designs, to how a design as a whole creates a different overall impression. As the Judge explained:

“Of course it is easier to perceive similarities and differences to describe them in words. What matters is the overall visual impression arising from a side-by-side comparison of [Shnuggle’s design] and the Sit & Soak …the informed user stands back and looks at the two together comparing them with everything in mind that I have mentioned including the prior art”. 

The courts appear to be adopting the imprecise science of a ‘stand back and look’ approach more and more when determining infringement. Whilst this may provide some added ease and simplicity to such decisions, you can’t help but focus on the subjectivity of such a test. After all, what you may perceive as a similar design, "Joe Bloggs" may perceive as completely different. So where does this leave us? Our view is that the best approach is to look at the designs in question and ask yourself whether you feel they are uncomfortably close. If the answer’s yes, you probably need to speak to a friendly IP lawyer.

The Price is Right (or is it?)

Posted on

When employment relationships break down and it’s time for a difficult chat, it is often the case that an employer will consider entering into a settlement agreement with the employee. Settlement agreements usually terminate an individual’s employment and prohibit them from bringing proceedings against their former employer in respect of their employment. As part of a settlement agreement the former employee may be compensated for the loss of such rights. In order for a settlement agreement to be binding the former employee must seek independent legal advice as to the terms and effect of the settlement agreement, in compliance with s203(3) of the Employment Rights Act 1996. It is common practice for the employer to contribute towards these legal fees. But what is a reasonable contribution?

In a recent Employment Tribunal decision (Solomon v University of Hertfordshire) the Tribunal expressed a view which may well result in additional cost for employers.

In the case, the employer had put forward an offer of £50,000 in settlement of various allegations, including discrimination. The employer had also offered to pay £500 + VAT to the claimant’s independent advisor to allow her to seek advice. The tribunal largely found against the claimant following the hearing (she received just £1,900) and ordered her to pay £20,000 towards the employer's costs (the most it can without a detailed costs assessment). It based this decision on the claimant's approach to various settlement approaches, including the above offer. The claimant appealed and the Employment Appeal Tribunal upheld her appeal. The EAT concluded that, whilst it would have been reasonable for the claimant to accept the offer, it was not unreasonable for her to refuse it.

Perhaps the most interesting part of the EAT's judgment related to the £500 contribution towards fees. The EAT said that the claimant could only be expected to receive advice regarding the terms and effect of the proposed agreement for the contribution offered. It said that any advice as to the merits of the claimant’s claim and any likely award of compensation should a settlement not be agreed would require a different scale of advice, for which £500 plus VAT was ‘wholly unrealistic’.

Whilst there is no obligation on an employer to pay for an employee's legal advice in relation to a settlement agreement, for the agreement to be binding the employee must obtain independent legal advice before signing it. This case is likely to be used by legal advisers acting for employees as a basis for seeking a higher contribution to their fees. The more complex the agreement, the more reasonable it will be to seek a higher contribution. Further, if an employer is seeking to settle a claim and wants to use any refusal as the basis for a claim for its costs, the contribution offered towards costs must be realistic and the EAT made it clear that £500 plus VAT in this case was wholly unrealistic.

Escape Plan

Posted on

When/if (please delete depending on your current view) we leave the EU there are, as everyone knows, going to be some consequences. We're going to address some of these over the coming months (or for as long as Brexit remains a possibility, whichever is shorter) and thought we'd start with everyone's favourite subject - Data Protection. If you receive personal data relating to EU subjects from your EU based customers, please read on.

In anticipation of Brexit, the government introduced the Data Protection Act 2018 ("the Act") in order to implement the European Regulation known as the GDPR (General Data Protection Regulation 2016/679 (EU)). The purpose of this was to ensure that the UK would continue to be subject to the same regulations as EU based businesses after Brexit.

Unfortunately the Act won't be enough if we leave the EU without a deal. At the moment any UK businesses that are receiving personal data from an EU entity do not face any complications, as the UK is an EU member state which is compliant with EU data protection standards set out in the GDPR, so personal data can flow to and from the EU without additional safeguards being put in place.  

However, if the UK leaves the EU and EEA, we will become a “third country” (under the GDPR and various EU treaties).  A third country is a country other than the EU member states and the three additional EEA countries (Norway, Iceland, and Liechtenstein). 

If the UK becomes a “third country”, then unless the EU Commission issues an "adequacy decision" (which is a declaration that a particular country has in place legal protection for the processing of personal data which is as good as the GDPR) then UK businesses will have to implement extra measures in order to process such data legally.  The main solution currently is to use the Standard Contractual Clauses (‘SCCs’) or ‘Model Clauses’ which were written by the EU Commission in 2010. 

SCCs would need to be put in place between any UK entity processing personal data and the entity in the EU sending such data to it.  A copy of these SCCs can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

It is not possible to vary the terms of the SCCs although you can add terms relating to commercial activities. However, be aware that some of the SCC clauses are commercially impractical and may impact negatively on your business activities. Approach with caution (better still, do not approach at all, but speak to us instead).

On top of this, if you are processing personal data and we leave the EU without a deal, you will have to appoint an EU based representative if:

  • your business processes personal data (whether as a controller or a processor) 
  • relating to personal data (‘pd’) of data subjects who are in the EU
  • in order to offer goods or services (whether payment is required or not) or to monitor the behaviour of such individuals

unless

  • such processing is
    • only occasional; and
    • does not include large scale processing of special categories of data or personal data relating to criminal convictions or offences; and
    • is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing

OR

  • you are a public authority or body 

(The special categories of data include various types of very personal data, including data about race or ethnic origin, personal political opinions, religious or philosophical beliefs, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.)

In choosing your representative you should bear in mind that:

  • it must be established in one of the member states where the data subjects whose personal data you process are located; and
  • it must be authorised to deal on your behalf with all personal data matters including dealing with any supervisory authorities and data subjects.

The EU Commission is currently showing no signs of issuing an adequacy decision in relation to the UK, so, assuming that you think Brexit is going to happen at some point, it is important that you and your business are making arrangements to ensure the security of any EU personal data that you are processing. If you have not yet implemented any changes in anticipation of Brexit’s potential effect on UK data regulation, or if you have any other questions surrounding personal data processing within your business, our specialist team will be happy to help.

Money (That's (Not) What I Want)

Posted on

Part 36 of the Civil Procedure Rules is designed to give claimants and defendants various incentives for putting forward offers to settle litigation (including better costs recovery and higher rates of interest on damages). The majority of these offers involve offers to pay money, but the Part 36 procedure isn't limited to such offers and judges are more than happy to form views on non-monetary offers, as a recent case clearly demonstrates.

In MR v Commissioner of Police for the Metropolis [2019], the claimant was arrested on suspicion of harassment, but he was later released without charge.  He brought a claim against the Police for false imprisonment and assault.

The claimant was well known in financial circles (he was granted anonymity in the proceedings for this reason) and he therefore often worked abroad. In certain countries he would have been required to declare the fact of his arrest even though it did not proceed to a prosecution. He was concerned about the potential consequences of this (indeed the trial judge found that the whole purpose of the litigation from the claimant's point of view was to establish that the arrest had been unlawful).

There were a number of offers made by both parties. These offers included payment of compensation and a letter of apology from the Police. The latter was not good enough for the claimant, who eventually offered to settle on the basis that he would be paid his reasonable costs but would not be paid any other compensation. He did, however, require an admission of liability for unlawful arrest. The defendant did not accept this and the matter proceeded to a trial.

Following a trial, the claimant was awarded £2,750 in damages but the court made no order as to costs. The best offer that the respondent had made was for £4,000 together with a letter of apology (and, as the offer was made under Part 36, the claimant would also have received his reasonable costs).  The best offer the claimant made was to accept nil damages but to require an admission of liability from the defendant. Both offers were expressed to be made under CPR Part 36. The trial judge decided that it would be harsh to apply the Part 36 rules to either offer, so decided that each side should bear their own costs. The case went to appeal on costs alone.

The appeal judge decided that the claimant’s offer to accept nil damages but to require an admission of liability was a valid Part 36 offer and that the claimant had secured a more advantageous outcome following the trial. As a result the claimant should recover his reasonable costs of the claim on an indemnity basis from the expiry of the Part 36 offer. The appeal judge did however leave the costs order as it was for the period before the expiry of the offer (so each party was left to bear its own costs).

What does this case mean for those involved in litigation? First, it shows that judges will exercise their discretion on costs and the days of assuming that the winning party will get its costs are long gone. Secondly, it demonstrates that judges are quite capable of forming views on non-monetary offers. One reason that most Part 36 offers involve money rather than anything else is that lawyers often think that it can be difficult, if not impossible, to compare non-monetary offers. This is clearly not the case. That said, this case involved two relatively simple offers - an apology versus an admission. The more complex the offers, the more difficult it is likely to be for a judge to find that one beats the other.

All things GDPR

Posted on

We have all been inundated with e-mails asking us to “opt-in” or “stay in touch”, so there is no doubt that you will be aware of the General Data Protection Regulation (GDPR), which came into force on the 25th May 2018.

The GDPR applies to all European Union (EU) citizens and replaces the Data Protection Act 1998. The GDPR seeks to protect the privacy of individuals and give them more control over how their personal data is used. Whether you are a “data controller” or “data processor” you will be affected by the GDPR. Businesses based outside of the EEA but providing goods/services to EU citizens will also be subject to the GDPR.

The GDPR imposes greater transparency and accountability obligations on businesses in relation to the personal data they process. It is important that decisions made in relation to the processing of personal data are documented to show compliance with the GDPR. Greater transparency means informing individuals of the personal data you collect and your lawful basis for doing so.

Individuals have a number of additional rights available to them under the GDPR, such as the right to erasure (the right to be forgotten), the right to data portability and rights in relation to automated decision making and profiling. An individual also has the right to complain to a supervisory authority. This is the Information Commissioner's Office (ICO) in the UK.

The change which has captured the attention of all businesses is the level of fine which may be imposed. A company can incur a fine of up to EUR 20 million or 4% of the global annual turnover (whichever is higher) if it is found to be in breach of the GDPR.

Although the deadline has passed, the requirement to comply with the GDPR is ongoing and businesses are continuing to implement measures to ensure that they are compliant. If you have not yet implemented the GDPR requirements, do not panic. It is important to begin the process to become compliant and our team is here to help!

If you have any questions or queries, please contact Sara Ludlam or Heather Simpson.