Welcome to this month's edition of our commercial review, which sees a new piece of security legislation seeking to give the GDPR a run for its money, as well as a useful judgment on how to vary a contract.
Enjoy.
I see your GDPR and raise you…
With all the focus being on the GDPR, you would be forgiven if you had missed another security-related regulation coming into force. The Network and Information Systems Regulations 2018 ("NIS") came into force on 10 May 2018 and brought with it an extra layer of security related obligations.
NIS is not limited to personal data and applies to the security of data and its infrastructure. NIS applies to two groups of organisations: operators of essential services ("OES") and digital service providers ("DSPs"). There are a number of designated authorities in relation to OES, such as Ofcom for digital infrastructure and the Secretary of State for Health (England) for healthcare in England. The Information Commissioner's Office is the designated authority for DSPs.
OES are organisations that operate services deemed critical to the economy and wider society. They include critical infrastructure (energy and transport) and other important services, such as healthcare and digital infrastructure. DSPs are organisations that provide specific types of digital services such as online search engines, online marketplaces (however online retailers that sell directly to individuals on their own behalf are not covered) and cloud computing services.
Parties subject to NIS are required to take appropriate and proportionate technical and organisational measures to manage the risks to its systems. These measures must ensure a level of security appropriate to the risk posed, as well as maintaining the continuity of its service. Many of the security requirements under NIS align with the security provisions of the GDPR and it is likely that many organisations covered by NIS will also be data controllers.
Where an incident takes place which has a substantial impact on its service, the affected party must notify the relevant competent authority within 72 hours of becoming aware of it. Where this incident also involves personal data, the affected party must also follow the GPDR’s notification requirements. As a result, there may be dual notification requirements, which is especially important for DSPs (whose competent authority is the ICO) where it may require them to notify the ICO twice, once under NIS and once under the GDPR.
Although the increase in regulatory fines under the GDPR has attracted the most attention, the possible fines under NIS are by no means insignificant, with the competent authorities having the power to issue monetary penalties of up to £17 million in the most serious cases.
Government's commitment to AI
Following on from last month's article on the House of Lord's report on the development and use of artificial intelligence ("AI"), the UK Government announced a new AI sector deal ("Sector Deal"), as well as the establishment of a Centre for Data Ethics and Innovation to advise on the ethical use of data, including for AI, signalling the Government’s commitment to make the UK a global leader in this fast developing area of technology. The announcement of the Sector Deal came shortly after the European Commission launched its own €20 billion strategy to put AI “at the service of Europeans and boost European’s competitiveness in the field”.
Amongst other things, the Sector Deal sets out the Government’s intention to:
- make the UK a global centre for AI and data-driven innovation by investing in R&D, skills and regulatory innovation;
- support sectors to boost their productivity through AI and data analytics technology;
- boost the UK’s digital infrastructure, including plans to improve the UK’s connectivity with 5G mobile networks and encourage the roll-out of full fibre networks;
- lead the world in the safe and ethical use of data through a new Centre for Data Ethics and Innovation, and strengthen the UK’s cybersecurity capability; and
- help equip people with the skills needed for the jobs of the future through investment in science, technology, engineering and maths skills, as well as upskilling up to 8,000 computer science teachers to ensure that every school has a suitably qualified GCSE teacher and investing to fund Master degrees and PhDs to support research into AI.
Also pledged was £300 million of public funding, which will be matched by around £300 million of new private sector investment and adds to the existing £400 million budget which the Government previously announced for AI research. The newly publicised public funding will be invested in teacher training, providing incentives to encourage AI businesses to set up in regions in order to create a network of high growth tech entrepreneurs across the UK, and research and development to explore how AI can be used in established industries such as law and insurance.
The new Office for Artificial Intelligence will be established in order to implement the Sector Deal, with its one of its first roles to be agreeing implementation deals for each part of the Sector Deal, as well as metrics by which to measure its success.
Tricks of the trade secrets
New trade secrets regulations are expected imminently, as the 9 June deadline for the transposition of the EU Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure draws near. The Directive entered into force on 5 July 2016 and the Government stressed that it recognises its continuing obligations to implement Directives while the UK remains a member of the EU.
The Intellectual Property Office confirmed that it intends to publish trade secrets regulations this month in its response to a consultation that it held earlier this year, which also included a draft version of the regulations. Aspects of the regulations that have changed following the consultation responses include bringing the provisions on protecting the confidentiality of trade secrets in court proceedings closer to those parts of the Directive, and amendments to the time limits for making a legal claim relating to trade secrets.
The Government has confirmed that it intends to apply the same definition of a trade secret as is used in the Directive. A trade secret is information that is secret, has commercial value because it is secret, and reasonable steps have been taken by the person lawfully in control of the information to keep it secret. Information is considered secret if it is not "generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question".
The Directive is intended to enable consistent protection of trade secrets across Europe. It aims to protect businesses against the unlawful acquisition, use and disclosure of their trade secrets. Trade secrets will still be permitted to be acquired under certain circumstances though, by (for example) reverse engineering.
This is good news for international businesses operating across Europe, as it is likely to mean a more consistent approach to trade secret protection, notwithstanding Brexit.
Lucid tones of a variation
The case of Rock Advertising Limited v MWB Business Exchange Centres Limited [2018] UKSC 24 saw the Supreme Court find that an oral variation of an agreement was invalid because it was not recorded in writing and signed on behalf of both parties in accordance with the variation clause in the original agreement.
MWB operated serviced offices in central London and in 2011 Rock Advertising entered into an agreement with MWB to occupy office space at the Marble Arch Tower in London. The agreement contained a standard variation clause, found in most commercial contracts, which said that a variation of the agreement was not effective unless it was recorded in writing and signed on behalf of both parties.
By February 2012 Rock Advertising had accumulated arrears of fees amounting to more than £12,000. Rock Advertising's sole director proposed a revised schedule of payment with the credit control company engaged by MWB. A conversation between the credit control company and the sole director then took place and director alleged that the credit control company agreed to vary the agreement in accordance with the revised payment schedule. The credit control company alternatively argued that they were planning to treat the revised schedule as a proposal in the ongoing negotiations and they had not yet agreed to amend the existing agreement. In March 2012 MWB locked Rock Advertising out of its premises and sued for rent arrears and Rock Advertising counterclaimed for wrongful exclusion from the premises. The claim centred on whether the variation was effective in law.
The High Court found that an oral agreement to vary the agreement had been made however the variation was ineffective because it had not been made in accordance with the variation clause. The Court of Appeal overturned the High Court decision and found that the oral agreement to revise the schedule of payments also amounted to an agreement to dispense with the variation clause and so the agreement was effectively amended. It followed that MWB was bound by the revised payment schedule and not entitled to claims the arrears.
When overturning the Court of Appeal decision, Lord Sumption stated that the view that parties cannot validly bind themselves as to the manner in which future changes in their legal relations are to be achieved is a fallacy and the law "should and does give effect to a contractual provision requiring specified formalities to be observed for a variation". He continued that party autonomy operates up to a point when the contract is made, but thereafter only to the extent that the contract allows.
Consideration
Importantly, alongside the issue of whether the variation agreement was effective, was the issue of whether there was adequate consideration for the oral variation agreement to be valid. This question ultimately did not have to be decided by the Supreme Court due to the decision in relation to the form of the variation agreement; however interesting obiter comments were made by Lord Sumption.
The High Court found that the variation was supported by consideration because it brought practical advantages to MWB, in that the prospect of being paid eventually was enhanced by the revised schedule. However, Lord Sumption commented that the only consideration which MWB can be said to have been given for accepting a less advantageous schedule of payments was: (i) the prospect that the payments were more likely to be made if they were loaded onto the back end of the contract term; and (ii) the fact that MWB would be less likely to have the premises left vacant while it sought a new licensee – but these were both expectations of a practical benefit and neither was a contractual entitlement.
The House of Lords held in Foakes v Beer (1884) 9 App Cas 605 that a practical expectation of a benefit was not adequate consideration, although in Williams v Roffey Bros [1991] 1 QB 1,the Court of Appeal held that an expectation of commercial advantage was good consideration. Lord Sumption explained that any decision on this point is likely to involve a re-examination of Foakes v Beer which is probably "ripe for re-examination" – but if it is to be overruled or modified it should done on an enlarged panel of the court and not in this case.
Whilst the legal effect of variation clauses has been in doubt for some time, the Supreme Court has ruled in favour of contractual certainty, and no doubt this judgment will have been well received by commercial lawyers and may also reduce dispute costs in the future. In the meantime we will be waiting with bated breath for the right dispute to be put before the Supreme Court to see whether the age-old case of Foakes v Beer will be overruled.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
