UK: Transferring Personal Data from the E.U.: Are Binding Corporate Rules the Answer?

Last Updated: 28 June 2005
Article by Mark Watts

This article was first published in International Data Transfer, a Special Report by BNA International

The restrictions imposed by Article 25 of the Data Protection Directive (95/46/EC) on organisations transferring personal data out of the European Economic Area aren’t new. Indeed, few, if any, data protection issues have attracted as much attention as those presented by Article 25. Its provisions needn’t be set out again here; suffice to say, nearly ten years after its restrictions first appeared, transferring personal data out of the EEA is not a straightforward matter; far from it.

The organisations most affected by Article 25 are probably the multinationals. Today’s trend towards globalisation makes it increasingly common for multinationals to have processes, management-lines, and internal information systems – and so too data transfers – that cross country borders, both inside and outside the EEA. The impact of restrictions on such transfers can be acute, as potentially they represent powerful limitations on the deployment of internal technological solutions, restrictions on the cost savings that can result from consolidating standalone country IT systems and restrictions on pan-global (or "dotted") management lines. Most multinationals understand and appreciate the importance of safeguarding individuals’ personal data overseas, yet desire a simple but robust, effective but low-formality solution, something that enables lawful transfers of personal data but also fits the complexity of their corporate structures.

Methods for Transferring Personal Data Overseas

Until recently, a multinational seeking to transfer personal data around the world, broadly speaking, had three options available to it, namely, acquiring the fully-informed and freely‑given consent of everyone about whom it transferred personal data, implementing a network of contractual arrangements between its various country legal entities, or, in respect of transfers to the United States (only), entering the EU-US Safe Harbor. No one "solution" is perfect. (Please note that whilst there are other exceptions under the Directive that allow personal data to be transferred, these are generally considered to be too narrow in scope to meet the day-to-day needs of a typical multinational).

Individual Consent

With regard to a solution based on individual consent – the most popular solution according to some industry surveys – the drawbacks are significant. "Business-to-business" multinationals, for example, are likely to acquire personal data about thousands of individuals, such as business "contacts" and yet not deal with the individuals directly, so preventing their consent being obtained or requiring it to be collected only "indirectly" via the individual’s colleagues or his employer, which is unlikely to be effective. In relation to personal data a multinational processes about its employees, consent is also problematic. Depending on the nature and scope of the consent sought, some employees – perhaps many – may refuse their consent. The multinational must then either ignore their refusal of consent and transfer their data anyway, a risky strategy, or provide an alternative means of processing that does not involve transferring their data out of the EEA – expensive or perhaps impracticable. And even if all employees everywhere did miraculously consent, much has been made of the validity of consent from existing (as opposed to a prospective) employees. It’s argued that an employee who is asked to consent to the transfer of his personnel record to, for example, the United States is unlikely to say no to his employer, even though experience has shown that some do. Is consent really "freely-given" in these circumstances? Also, to be valid, shouldn’t consent be capable of being withdrawn? A consent-based solution seems to be the one least favoured by Data Protection Regulators too, as unlike other solutions, it does not require data protection measures to be applied in the destination country, nor does it require continuing liability for the multinational in respect of the personal data transferred.

Model Contracts

A contractual solution also has its problems. A multinational may implement a contractual solution using its own terms and conduct a "Tour of Europe" to acquire (hopefully) the authorisation of each of the various EEA Data Protection Authorities. Alternatively, to avoid this exercise, it can adopt the European Commission Model Contracts, which first appeared in 2001. The original EU Controller-to-Controller Model Contracts did not prove popular with industry. The EU Controller-to-Processor Contract fared better but much has been said about their contents – the onerous level of detail required in both, "joint and several" liability between the data exporter and data importer under the Controller-to-Controller Contract, and the vagaries of certain key terms, such as "factually disappeared" under the Controller-to-Processor version. Many of the substantive problems associated with the 2001 version of Controller-to-Controller Contract have been lessened by the approval of the "ICC Clauses", which finally saw light of day in December 2004. In particular, the joint and several liability provisions have been replaced by a "due diligence" obligation on the data exporter, which business should prefer, particularly in an "arms length" transaction.

But the main difficulty arises not from the contents of the agreements but the sheer numbers and complexity involved in implementing a comprehensive contractual solution in a multinational. Take, for example, a multinational with 200 companies worldwide, each in a different country, each sharing personal data with its counterparts, perhaps via a shared IT infrastructure. Contractual arrangements need be put in place between each and every pair of companies. The administration involved soon becomes unwieldy – 19,900 contracts here. And whilst legal tricks can be used to minimise the number of actual bits of paper signed to create this "web" of contracts, the admin headache for a multinational implementing the web should not be underestimated. At some point in the future, the multinational is bound to acquire another company, requiring the whole web to be updated; more bits of paper, more headaches.

Safe Harbor

What of the EU-US Safe Harbor? Viewed in terms of formality alone, the EU-US Safe Harbor is perhaps the most attractive of the solutions available, although it is only available in respect of transfers of personal data to the United States. It also excludes certain important categories of personal data, such as that processed within the financial services sector. Moreover, many multinationals, particularly those with a US-based parent, have been put off joining for fear of increased scrutiny of their parent company by the US Federal Trade Commission. Also, being a politically "negotiated" document, many of the Safe Harbor Principles (and accompanying FAQs) include language that arose out of political comprise rather than a quest for legal certainty and clarity. Different interpretations are possible. Whilst the number of multinationals signed up to Safe Harbor continues to increase, progress is slow and steady. There’s no gold rush, largely for the reasons outlined.

All of these options fall short of providing a real and workable solution for a multinational struggling to do the right thing.

Binding Corporate Rules

So it was with the aim of overcoming many of these difficulties that the Article 29 Data Protection Working Party (the body set up under the Data Protection Directive, comprising representatives from each of the Member State Data Protection Authorities) adopted a paper on June 3, 2003, discussing another means of "adducing adequate safeguards" under Article 26(2), a means that has become known as "Binding Corporate Rules". Binding Corporate Rules refers to the sorts of internal codes of conduct, policies, directives and the like that multinationals use to govern themselves internally on matters such as handling confidential information, business ethics and other similarly important corporate affairs. Such policies, directives, codes and similar unilateral undertakings can be thought of as internal "law" within the multinational (occasionally, one even hears the word "lore" used). Can such documents deliver "adequate safeguards" under Article 26(2)? Yes, according to the Working Party Paper, subject to meeting certain stringent requirements.

Much of the content required of Binding Corporate Rules is as would be expected. The Working Party Paper reaffirms that the "usual" data protection principles need to be included, much as under EEA data protection legislation, the EU-US Safe Harbor and both sets of EU Controller-to-Controller Model Contracts. More detail and explanation is required to ensure compliance under Binding Corporate Rules though, particularly by parts of the multinational that operate in countries without a data protection law or culture. The principles should be tailor-made so that they practically and realistically fit with the processing activities that the multinational actually carries out.

Perhaps most importantly, the Binding Corporate Rules must be binding both "inside and out", referring to the requirement that the multinational must be bound both in practice (compliance) and in law (legal enforceability). They must deliver a real and ensured legal effect throughout the multinational.

Here, "binding in practice" or compliance means that all companies of the multinational, as well as their employees, feel compelled to comply with the Binding Corporate Rules; that is, they must respect this internal "law". The Working Party Paper does not stipulate how multinationals should guarantee compliance but states that the binding nature of the rules must be clear and good enough to be able to guarantee compliance with the rules outside the EEA. A multinational must be able to demonstrate, for example, that the rules are known, understood and effectively complied with wherever they apply by employees who have received appropriate training. Disciplinary measures should be in place for non-compliance. Executive-management must be involved to oversee and ensure compliance.

As with other every other transborder dataflow solution (except consent, strictly speaking), auditing compliance has an important role to play. Binding Corporate Rules must provide for self-audit (i.e. internal audit) and/or external supervision by accredited auditors on a regular basis, with the results being directly reported at board level. The Data Protection Authorities may become involved in this aspect too, as part of a broader commitment by the multinational to co-operate with them.

The Working Party Paper also recognises that even with fully-enforceable legal rights, as described below, litigation can be disproportionately expensive and burdensome for an individual, particularly if it has to be conducted overseas. Multinationals are encouraged to incorporate other means of compliant handling, and the use of alternative dispute resolution mechanisms is promoted.

As well as being binding internally, Binding Corporate Rules must be binding "outside", that is, legally enforceable between the multinational and the outside world – the outside world being the EEA’s Data Protection Authorities and data subjects (the individuals about whom personal data is processed). A Data Protection Authority should be able to achieve legal enforceability of its rights and powers under the Binding Corporate Rules fairly simply, for example, via the process of granting an authorisation under Article 26(2) (and its national law equivalent). It will require an unambiguous undertaking that the multinational as a whole and each of the companies within it will abide by the "advice" of the Data Protection Authority. Some multinationals have expressed concern about the meaning of "advice" in this context. For example, the same language is used in connection the EU-US Safe Harbor, where it may include a requirement to compensate individuals affected. The Working Party Paper also states that their "advice" may be made public.

For the data subject, legal enforceability will require them to become "third party beneficiaries" via some means, either through the legal effect of the Binding Corporate Rules themselves (where possible) or the Binding Corporate Rules in combination with other contractual arrangements within the multinational. Data subjects need to be able to enforce compliance both by lodging a complaint before the competent Data Protection Authority and/or by commencing legal proceedings before a competent court.

The remedies available to data subject under Binding Corporate Rules should be broadly the same as under the EU Controller-Controller Model Contracts. Giving individuals such broad legal rights is regarded as undesirable by some multinationals. They argue that provided sufficiently high levels of internal compliance are achieved, together with a commitment to co-operate with the Data Protection Authorities, there should be no need for legal enforcement measures quite so far reaching. But legal enforceability is clearly an area to which the Working Party attaches great importance, and there’s nothing new there (see, for example, the similar remarks it made about "appropriate redress" in its 1997 paper, "First Orientations on Transfers of Personal Data to Third Countries"). Giving data subjects the right to seek judicial remedies is justified in two ways in the Working Party Paper. Firstly, because even the firm commitment required from multinationals to co-operate with the Data Protection Authorities cannot guarantee 100 percent compliance and the individuals concerned may not always agree with the views of the Data Protection Authority. Secondly, because the views of the Data Protection Authorities may vary from country to country and none of them are able to award damages as a remedy; only courts can do that. Given these remarks, it’s hard to see how Binding Corporate Rules that don’t provide individuals with judicial remedies could now be approved by an EEA Data Protection Authority. And here’s the rub. The laws of some EEA countries do not enable third party beneficiary rights or binding obligations to be created by unilateral undertakings alone. In other words, the legal theories required for Binding Corporate Rules acceptable to the Working Party may not apply EEA-wide or perhaps even exist at all in some EEA countries. A patchwork of legal theories tailored to various country laws seems more likely, possibilities including theories based on unfair trade practices, the law of trusts, the law of misrepresentation and misleading advertisement, employment and consumer protection laws. From a legal point of view, finding a sufficiently good means of "legally-bindingness" unilaterally in all EEA countries is probably the biggest obstacle to the widespread adoption of the Binding Corporate Rules. Many multinationals are using hybrid BCR/contractual approaches, which, of course, isn’t going to free them of the admin headaches described above.

The Working Party Paper also deals with some of the "structural" issues unique to multinationals. It recognises them as mutating groups of entities whose members and practices change from time to time and acknowledges that updates to both the Binding Corporate Rules and the list of entities they apply to will need to be made over time. Updates are allowed under a Binding Corporate Rules solution (without the multinational having to reapply for a new authorisation) under the following conditions:

  • no transfer of personal data is made to a new group member until it is effectively bound by the rules and can deliver compliance;
  • a fully updated list of members is maintained by the multinational along with a record of any updates to the rules, which should be made available to individuals or Data Protection Authorities upon their request;
  • changes to the list of members and/or the rules are reported annually to the relevant Data Protection Authority, together with a brief explanation of the reason for the change.

For larger multinationals, even maintaining such a length list may be problematic, although it should be easier than constantly updating an entire contractual solution.

The Working Party Paper recognises that even if EEA-based data subjects are provided with legally enforceable rights against, say, a multinational’s Venezuelan operating, in practice, exercising such rights is likely to be prohibitively complicated and/or expensive. It recommends that the EU headquarters (if an EU-owned multinational) or an EU member of the multinational with delegated data protection responsibilities should accept responsibility for the acts of all other companies of the multinational outside the EEA. This would include, where appropriate, making a commitment to pay compensation for any damages resulting from the relevant violation anywhere outside the EEA. Intriguing, and not present in either the Model Contracts or the EU-US Safe Harbor, is the requirement that the burden of proof falls on the EU headquarters or delegate in such circumstances to establish that the individual’s loss was not a result of the multinational’s company overseas. In its initial request for an authorisation of the Binding Corporate Rules under Article 26(2), the multinational must include evidence that the EU headquarters (or its EU delegate, as the case may be) has sufficient assets within the EEA to cover payment of compensation for breaches of the Binding Corporate Rules, or that it has taken measures to ensure that it would be able to meet such claims, such as, for example, taking out appropriate insurance.

Recent Developments

The most recent development regarding BCRs is the Article 29 Working Party’s adoption on 14th April 2005 of two papers dealing with the procedural aspects of obtaining approvals for a BCRs approach from all of the Data Protection Authorities across the EEA.

The first paper, entitled "Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules", describes the features of the BCRs approach that should be included in any application to a Data Protection Authority. It also lists the factors to be considered by a multinational when deciding which country’s Data Protection Authority to apply to. For multinationals whose ultimate parent or operational headquarters is located in a member state of the European Union then the "lead authority" should be the authority in that member state. Multinationals having their ultimate parent or operational headquarters outside the EU should apply various factors in determining who is the lead authority. Priority is given to the Data Protection Authority of the member state where the multinational’s European Headquarters is located.

In setting out the detail of the application the checklist requires certain specifics of the arrangements described above to be included. In particular, details of the "internal bindingness" of the BCRs need to be set out. Unfortunately, some of the thrust of the June 2003 Working Party Paper – that, internally, what matters is practical compliance rather than giving wholly-owned subsidiaries a legally-enforceable right to sue each other – appears to have been lost, or at least diluted. The checklist refers to unilateral declarations not being regarded as binding in some member states, which suggests that subsidiaries actually need to be legally bound, notwithstanding that wholly owned subsidiaries are hardly going to sue each other. (By contrast, creating third party beneficiary rights that are legally enforceable externally is a clear requirement of the original Working Party Paper). The problem is that while creating enforceable third party rights in favour of the outside world – Data Protection Authorities and data subjects – is relatively straightforward, even using unilateral declarations, imposing legally-binding (as opposed to practically-binding) obligations on group companies unilaterally is far more difficult. It is this that has led some multinationals to bolster their BCRs with a contractual framework. Back to those admin headaches…

The second, shorter Working Party Paper describes the cooperation procedure to be followed by Data Protection Authorities upon receiving a request for BCRs approval. The first part of the procedure, which may take up to a month, focuses on establishing that the Data Protection Authority to which the request for an authorisation was made is the most appropriate to handle it. Once that’s established, the applicant holds discussions with that lead authority, which result in a "consolidated draft", which is then circulated to all Data Protection Authorities in countries from which transfers may take place. Their comments are subsequently fed into a "final draft", which is resubmitted by the multinational, leading to confirmation from each of the Data Protection Authorities that they are satisfied as the adequacy of the safeguards proposed. Simple. Well, hopefully.

The possibility of relying on Binding Corporate Rules and avoiding many of the drawbacks of other approaches, has been met with excitement by data protection practitioners and warmly welcomed in principle by many multinationals. Several are already a long way down the road towards developing and implementing a BCRs solution. Concerns remain, however, that the approach may still be to formalistic and that many of provisions required are too onerous or simply "too difficult", particularly in terms of using unilateral declarations to create enforceable legal rights and obligations internally. The early signs are promising however. Many multinationals are adopting the approach. Some have already had local "approvals" and are in discussions with Data Protection Authorities across the EEA using the procedure described above. It is to be hoped that, finally, after so many years, a realistic and "multinational friendly" approach to Article 25 of the Data Protection Directive will be available before too much longer.

But BCRs are not for everyone

While the BCRs approach is achieving some popularity – fashionability! – amongst multinationals, it’s not an approach that lends itself to transfers of personal data amongst groups of entities whose affairs aren’t so closely aligned and hierarchical as those of the multinational. The Working Party Paper states that BCRs "are very unlikely to be a suitable tool for loose conglomerates of legal entities". The diversity between the members of such loose conglomerates and the broad scope of their processing activities would make it very difficult (if not impossible) to meet the requirements for BCRs that the Working Party Paper sets out. Examples of such loose conglomerates would include all manner of commercial and non-commercial arrangements: complex joint ventures; international trade associations; charitable organisations; any grouping of entities that share personal data.

Nor is a BCRs approach appropriate in connection with transfers of personal data in "arms length transactions", such as companies entering into joint marketing arrangements or a party outsourcing its IT operations or another business process that involves data processing. That the providers of outsourcing services are often based in low-cost countries, such as India or China, not regarded as "adequate", has been particularly newsworthy recently. Even in the United States, which remember only has a few sector-specific data protection laws itself, data protection concerns have even been cited by politicians as reasons why data processing should not be "offshored" to India or China.

So when a BCRs approach isn’t a viable option for protecting personal data overseas what is?

Perhaps the first thing to consider is in what capacity is the recipient acting? In data protection terms, is the recipient a "Controller", a party that will exercise "control" over the data provided by determining the purposes and means for which it processed, or a "Processor", a party that will only process the data it receives on behalf of, and in accordance with the instructions of, the party providing the data (the "original" Controller). Of course, this issue arises whether or not the recipient is based in a country to which transfers of personal data are restricted by Article 25 and even when the recipient is in the same country as the Controller (or even the same building), but it can influence the parties’ choice of transborder dataflow solution when the proposed transfers are restricted by Article 25.

Take, for example, a joint marketing "partnership" where two parties, one based in the EEA, the other based in the US, collect consumers’ e-mail addresses and other personal data on their websites both to run their own marketing campaigns and to share the data with its "partner" so it can run its own marketing campaigns. As consumer consent is likely to be required anyway to allow use of the data for marketing and its sharing with a third party, wouldn’t also obtaining consent to the transfer of personal data to the US be the preferred solution, provided it is sufficiently unambiguous, fully-informed and freely-given? Although a joint marketing arrangement is likely to involve a contract between the two parties anyway, so consent wouldn’t avoid any contracting formalities, it at least would remove the need to incorporate the EU Model Clauses for Controller-to-Controller transfers, either the original "2001 Clauses" or the recent ICC Model Clauses and the liability-sharing and due-diligence requirements (respectively) that using them would introduce. If consent isn’t possible, say, because an existing marketing list is being shared, then the ICC Model Clauses would probably be the way to go.

By way of contrast, consider the typical "offshoring" situation. In all but a minority of business process outsourcing situations, the service provider (the importer of the personal data) merely acts as a Processor. In order to provide the service provider with the personal data lawfully the Controller must ensure that it has a contract in writing with its Processor that satisfies the requirements of Article 17 of the Directive (as implemented by the various EEA Member States). And if an "Article 17" data protection contract needs to be implemented anyway, wouldn’t it make sense to use a contractual solution to enable the offshore transfers, such as the Model Clauses for Controller-to-Processor transfers?

Another twist that can influence how transborder dataflows are handled is where the exporter and importer are in the pharmaceutical sector, perhaps exchanging clinical trials data collected about patients. While ordinarily, one would consider consent, or a contractual solution, where the importer is located in the US, it may be worth reconsidering the EU-US Safe Harbor, FAQ 14 of which provides assistance with certain pharma-specific data protection issues, such as ensuring that a patient is not able to jeopardise a clinical trial by using their right of subject access to find out whether they are receiving the active drug or the placebo.

It seems inevitable that for large complex multinationals, Binding Corporate Rules will become the preferred approach to handling internal transborder dataflows long term. Where BCRs aren’t appropriate, Consent, Safe Harbor and Contractual Solutions will need to be considered. When choosing which to use, it’s all too easy to let the tail wag the dog. Data exporters should put aside the question of transborder dataflows and consider what they need to do to comply with EU law in any event. In most situations, if consent or a contract is necessary then extending them to cover transfers too – adding more detail about the proposed transfers, or incorporating additional clauses – is likely to be the way to go.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions