UK: Data Protection Update - June 2018

Last Updated: 11 July 2018
Article by Jonathan Kirsop and Alison Llewellyn

Welcome to the June 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.

Data protection

  • Personal liability for PECR regulatory fines proposed in Government consultation
  • European Council adopts decision amending EEA Agreement to incorporate GDPR
  • Department for Digital, Culture, Media and Sport consults on exemptions from paying charges to the ICO
  • ICO publishes draft Regulatory Action Policy
  • The European Court of Justice decision widens concept of 'Data Controller'
  • MEPs pushing for amendments to the EU-US Privacy Shield
  • European Data Protection Board

Cyber security

  • Dixons Carphone admits huge data breach
  • Three further high profile data hacks this month
  • EU cybersecurity certification framework

ICO enforcement

  • The British & Foreign Bible Society c/o the Bible Society fined £100,000
  • BT plc fined £77,000
  • Gloucestershire Police
  • Yahoo! fined £250,000

Data protection

Personal liability for PECR regulatory fines proposed in Government consultation

On 30 May 2018 the Department for Digital, Culture, Media & Sport in the United Kingdom launched a consultation on the functioning of the current regime for holding company directors (or similar positions in corporate bodies or unincorporated associations) and members of partnerships to account for breaches of the Privacy and Electronic Communication Regulations 2003 ("PECR").

The proposals follow the Government's amendments to PECR in April 2015, which lowered the threshold at which the ICO can take action against companies that are in contravention of PECR and gave the ICO the power to issue civil penalties of up to £500,000.

We regularly report in this bulletin on enforcement action taken by the ICO in its crackdown on nuisance calls and texts made by companies in breach of PECR, and the increasingly hefty fines imposed in an effort to disincentivise such contravening marketing tactics. However, such fines are not always recovered in their entirety and the ICO has recently indicated that it has only recovered £9.7 million of the £17.8 million in fines issued for nuisance calls since 2010; a recovery rate of just 54%.

Currently only businesses responsible for unlawful marketing (such as nuisance calls, texts, or other electronic marketing messages) are liable for fines and not the directors themselves. The ICO has repeatedly asked the Government for powers to hold directors of companies to account, as part of its bid to tackle instances of companies being placed into liquidation by directors seeking to avoid substantial penalties, before reopening the responsible company under a different name (sometimes referred to as "phoenixing"). As we reported in September 2017, the ICO has made clear that it is committed to recovering fines it has issued, and will work with insolvency practitioners and liquidators if a company moves to insolvency after being fined.

The Government proposals being consulted on will provide the ICO with the powers it needs to hold officers personally and directly responsible for fines of up to £500,000 under PECR, even in cases where the company is put into liquidation. The ICO would also be able to take action against those no longer in senior positions (for example through resignation), as long as they were a director at the time of the relevant breach.

Any enforcement action taken by the ICO would be based on the seriousness of the contravention and other aggravating or mitigating factors. The consultation period runs until 21 August 2018 and the full consultation document is available here.

European Council adopts decision amending EEA Agreement to incorporate GDPR

On 18 June 2018, the European Council adopted a decision in relation to a series of amendments to the EEA Agreement in order to incorporate the GDPR. The amendments are:

  • The rules of the European Data Protection Board will now give full effect to the participation of the supervisory authorities of the EEA European Free Trade Association ("EFTA") member states and the EFTA Surveillance Authority (except in relation to voting rights and standing for election as chair or deputy chair of the Board).
  • Full participation by EEA EFTA member states in the "one-stop-shop" mechanism. This means where a data controller or processor processes personal data in more than one member state, one national data protection authority must act as lead authority and is competent for monitoring the activities of that data controller or processor throughout the EU.
  • EEA EFTA member states are kept informed of consultations with third countries seeking an adequacy decision.

Department for Digital, Culture, Media and Sport consults on exemptions from paying charges to the ICO

The DCMS has opened a public consultation to obtain views as to whether the current exemptions from paying charges to the ICO are still appropriate and whether there should be any new exemptions. Under the GDPR the Government is required to ensure an adequate level of funding to the ICO, so the impact of any changes to charge exemptions on the ICO's resources will be given due consideration.

The Regulations provide exemptions from paying charges for people and organisations that process personal data only for one or more of the following 'core business purposes':

  • Staff administration (including payroll);
  • Advertising, marketing and public relations (in connection with their own business activity);
  • Accounts and records (except in relation to processing of personal data by or obtained from a credit reference agency).

Other exemptions include processing for the purposes of judicial functions or personal, family or household affairs (including recreational purposes).

Some not for profit organisations; data controllers processing personal data only to maintain a public register (such as the Electoral Roll); and data controllers that do not process personal data by automated means, or with the intention that it be processed by automated means, are also exempt.

The DCMS welcomes views and invites participants to use the online tool (see here). The closing date for receiving responses is 1 August 2018. The consultation document can be found here.

For more information about fees that are due to the ICO, please see our article in last month's bulletin here.

ICO publishes draft Regulatory Action Policy

In its draft Regulatory Action Policy, the ICO has promised to continue its existing enforcement style based on education and encouraging compliance rather than being an overly strict enforcer. It aims to be effective, proportionate, dissuasive and consistent in its application of sanctions, using its most significant powers to target organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.

Under the new UK Data Protection Act 2018, which came into force on 25 May 2018 ("DPA 2018"), in appropriate cases an 'urgent' information notice may be given to an organisation which requires a response in no less than 24 hours. If the recipient of an information notice does not provide a full and timely response, the ICO may apply to the court for an order requiring compliance with the information notice. An urgent assessment notice may require access to non-domestic premises with less than 7 days' notice, which in effect may allow the ICO to carry out a no-notice inspection to assess a company's compliance with the DPA 2018.

When deciding on the level of fines, aggravating or mitigating factors will be taken into account, for example, the attitude and conduct of the individual or organisation concerned.

The ICO is welcoming comments on its draft policy which can be found here.

The European Court of Justice decision widens concept of 'Data Controller'

The European Court of Justice ("CJEU") has ruled that the administrators of 'fan pages' on Facebook should be considered joint controllers of the personal data processed about people who access those pages. Both Facebook and the operator of the 'fan page' have a responsibility to inform users about how personal data is processed, obtain consent, if necessary, and conclude contracts with each other to regulate responsibilities.

The longstanding case concerns a dispute over data processing carried out in connection with a fan page on Facebook. The administrator of the fan page is the German organisation Wirtschaftsakademie Schleswig-Holstein, which provides educational services. In 2011, a German data protection authority ordered Wirtschaftsakademie to deactivate its fan page after raising concerns that neither it nor Facebook had informed people visiting the page that cookies were being used to gather information about them. However, Wirtschaftsakademie challenged the data protection authority's order arguing that Facebook, rather than Wirtschaftsakademie itself, was responsible for the data processing as controller. The case arrived at the CJEU when Germany's Federal Administrative Court asked the CJEU to help it interpret EU data protection law before it issues a ruling on the matter.

In an interesting decision, in addition to Facebook being held to be a data controller of the personal data processed about its users and other visitors to fan pages hosted on its platform (because Facebook is "primarily determining the purposes and means of processing" of that data), the CJEU has also found that Wirtschaftsakademie is a data controller because it has an influence over the data processing, and helped to set the "parameters" by which the personal data about visitors to its page was processed (despite the fact that Wirtschaftsakademie does not have access to the data processed other than in anonymised form for statistical purposes).

The CJEU's judgment means that any organisation that has an influence over how personal data is processed could be considered a data controller, not just in the context of fan pages on Facebook. Practically speaking, organisations in this position should reassess whether they should consider themselves a data controller and, as a result, ensure that any joint data controller has issued appropriate fair processing notices and obtained any necessary consents to the processing of data. Additionally, they should be ready to handle subject access requests and requests to delete data even if they do not primarily determine the way the data is processed or even have access to it in identifiable form (albeit in practice this may just mean passing those requests on to the other joint controller).

MEPs pushing for amendments to the EU-US Privacy Shield

The Civil Liberties Committee ("LIBE") at the European Parliament, a committee of MEPs, is pushing for an ultimatum to be served on the US government to strengthen the safeguards provided for in the EU-US Privacy Shield. LIBE passed a motion on 12 June 2018 recommending that the European Commission suspend the application of the Privacy Shield unless the US meets its obligations "in full" by the end of summer. The European Parliament will vote on the motion in July.

The Privacy Shield enables US businesses to transfer personal data from the EU to the US in line with the requirements of EU data protection law. It operates as a self-certification mechanism, allowing businesses to confirm that they comply with a number of privacy principles. The Privacy Shield has been operational since August 2016, when it replaced Safe Harbour.

The European Commission confirmed the adequacy of the Privacy Shield mechanism following its first annual review last year (see October 2017 bulletin). However, it has continued to receive criticism, including by privacy campaigners, the WP29 (which called for the recommended actions to be completed by 25 May 2018 (see January 2018 bulletin)), and now from the LIBE Committee. The LIBE Committee stated that the current form of the Privacy Shield does not provide the adequate level of protection required by EU data protection law and the EU Charter. Concern has been raised about: (1) the extent of safeguards in place under the Privacy Shield to address bulk US surveillance powers; (2) EU citizens' ability to exercise all their rights in respect of the data transferred to the US under the framework; and (3) whether there is sufficient scope under US law for data subjects to obtain judicial redress in respect of any mishandling of their data.

European Data Protection Board

Members of the ICO were in Brussels on 25 May 2018 as the WP29 was replaced by the EDPB. The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU's data protection authorities. The EDPB is composed of representatives of the national data protection authorities and the European Data Protection Supervisor. The EDPB is established by the GDPR, and is based in Brussels. It is believed that the EDPB will be a stronger, independent body with powers to rule by binding decisions, ensuring a unified approach to upholding data protection rights across the EU.

Click here to visit the EDPB website.

Cyber security

Dixons Carphone admits huge data breach

Dixons Carphone has admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records. It is investigating the apparent attempt to access its payment processing systems at Currys PC World shops and Dixons Travel branches, which began in July last year. There was an attempt to compromise 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked. Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach.

Dixons Carphone chief executive Alex Baldock admitted the group had "fallen short" of its responsibility to protect customer data. The ICO has been informed of the breach and has commented that it is investigating it. The ICO previously fined Carphone Warehouse £400,000 in 2015 for a separate breach.

Three further high profile data hacks this month

Fortnum & Mason - The 311-year-old store warned about 23,000 customers that their details (including email and home addresses and social media handles) had been accessed. Most of those affected had entered their details online when voting in the TV personality of the year category at the store's food and drink awards.

Adidas - The company says it became aware of the breach on 26 June 2018, when it learned that an unauthorised party was claiming to have acquired the details of Adidas US customers. A preliminary investigation found the leaked data included contact information, usernames and encrypted passwords. Adidas said it does not believe any credit card or health and fitness information was compromised but sent alerts to millions of its US customers to inform them that their data may have been breached.

Ticketmaster - Ticketmaster has warned UK customers they could be at risk of fraud or identity theft after it revealed a major data breach had affected tens of thousands of individuals. Anyone who bought concert, theatre and sporting event tickets between February and 23 June 2018 may have been affected by the incident, which involved malicious software used to steal individuals' names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details. The company said less than 5% of its global customer base had been caught up in the breach, and indicated the number directly affected was fewer than 40,000.

EU cybersecurity certification framework

Proposals for a new information and communication technology cybersecurity certification framework have been announced, with the European Council agreeing its general approach on the proposal, known as the Cybersecurity Act, on 8 June 2018. The new laws that have been proposed envisage a three-tier system of voluntary cybersecurity certification, which will be implemented across all EU member states. Manufacturers of IT products and services, including manufacturers of connected cars and medical devices, will be able to obtain an EU-wide certification that their products conform to cybersecurity standards. As the certificates issued will be valid in all EU countries, the framework will make it easier for users to carry out cross-border business. It will also enable companies to have more confidence in the security of the technologies that they are using. The scheme will allow IT products and services to be evaluated in accordance with cybersecurity standards to provide for a 'basic', 'substantial', or 'high' assurance rating. Unless otherwise specified in national laws, certification will be voluntary and companies will be able to self-assess for the basic level rating.

The European Union Agency for Network and Information Security ("ENISA") will also become established as a permanent EU agency for cybersecurity under the proposal. ENISA will support member states on cyber issues, organise regular EU-level cybersecurity exercises, and support and promote EU policy on cybersecurity certification. The proposal agreed by the European Council forms the basis of their position for negotiations with the European Parliament. Both the European Council and the European Parliament will need to agree on the final text before it can enter into force.

ICO enforcement

The British & Foreign Bible Society c/o the Bible Society fined £100,000

The British and Foreign Bible Society, based in Swindon, has been fined £100,000 by the ICO, after its computer network was compromised as the result of a cyber-attack in 2016. Between November and December 2016, the intruders exploited a weakness in the Society's network to access the personal data of 417,000 of the Society's supporters. For a subset of these supporters some payment card and bank account details were placed at risk.

BT plc fined £77,000

British Telecommunications plc ("BT") has been fined £77,000 by the ICO after it sent nearly five million nuisance emails to customers. The investigation found that BT did not have customers' consent for such direct marketing. The 4.9 million emails, sent between December 2015 and November 2016, promoted three charities.

Gloucestershire Police

Gloucestershire Police has been fined £80,000 for revealing identities of abuse victims in a bulk email. The force was at the time investigating allegations of abuse relating to multiple victims. On 19 December 2016, an officer sent an update on the case to 56 recipients by email (including victims, witnesses, lawyers and journalists) but entered their email addresses in the 'To' field and did not activate the 'BCC' function, which would have prevented their details from being shared with others.

The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the DPA 2018 which has replaced it, because of the date of the breach.

Yahoo! fined £250,000

Yahoo! UK Services Limited, based in London, has been fined £250,000 by the ICO after its computer network was compromised as the result of a Russian state-sponsored cyber-attack that affected more than 515,000 UK email accounts co-branded with Sky in November 2014. The stolen data included names, email addresses, telephone numbers, passwords and encrypted security questions and answers. The ICO said Yahoo had failed to take appropriate measures to prevent the theft of data and failed to ensure that data was processed by Yahoo's US arm with appropriate data protection standards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
