UK: Radar - December 2016: Data Protection

Last Updated: 13 January 2017
Article by Taylor Wessing

Data protection

2016 was another busy year for data protection so we are just highlighting some of the main events in 2016. You can see our full data protection and cybersecurity news archive on our Global Data Hub.

General Data Protection Regulation

A lot happened in 2016, so the fact that the General Data Protection Regulation (GDPR) was finally passed after four years of negotiation may not be top of everyone's list of important events this year. It is, however, big news for any organisation processing EU personal data, whether as a data controller or a data processor, and whether inside or outside the EU.

The GDPR is a major overhaul of EU data protection law which gives new rights to individuals and brings an enhanced compliance burden for organisations processing personal data. The GDPR will apply across all Member States (including the UK) from 25 May 2018, and organisations should begin preparing for it if they haven't already started.

Our Global Data Hub features a wealth of information on all aspects of the GDPR and we will continue to focus on moving towards compliance in 2017. We can also expect to see guidance from regulators, some of which may be published before the end of the year.

ePrivacy Directive

Having completed the GDPR, the Commission is now reviewing the e-Privacy Directive. In response to the EC's consultation, the UK's ICO called for an overhaul to bring the Directive in line with the GDPR, introduce a harmonised opt-in approach for electronic marketing communications and bring consistency to enforcement. This approach was echoed by the Article 29 Working Party and the European Data Protection Supervisor. Both called for an extension of the scope of the legislation to include OTT services and went further than the ICO in arguing that consent requirements for the processing of traffic and location data should apply to all companies and not just telecoms operators.

The EC published a summary report on the response to the consultation on the review of the e-Privacy Directive in August.

Key findings included:

  • while the majority of individuals are in favour of OTT services coming within the e-Privacy regime, industry responders were divided on the issue;
  • a similar division can be seen in terms of responses concerning cookies, with individuals largely of the view that providers should not be able to prevent access to services if users refuse cookies, and industry mostly taking the opposite stance;
  • while there was general agreement that marketing rules should be harmonised, individuals mostly preferred opt-in, with industry largely advocating an opt-out approach;
  • while 83% of individuals were in favour of rules to ensure confidentiality of communications, only 31% of industry responders agreed;
  • there was more consistency on the overall review of the e-Privacy Directive. 76% of all participants believed it was not fit for purpose.

Investigatory Powers Act

The controversial Investigatory Powers Act 2016 (IPA) has been given Royal Assent. While more than 1700 amendments were debated, it passed more easily than originally anticipated due, it is thought, to the diversion of the Referendum result. A petition to debate the legislation in the House of Commons has passed and it is thought the IPA will be the subject of legal challenges. It also has a bearing down the line on whether or not the UK gets a decision of adequacy for the purposes of data exports once it leaves the EU.

Background

Investigatory powers to intercept communications, acquire communications data and interfere with equipment have been dealt with under a patchwork of laws. These include the Regulation of Investigatory Powers Act (RIPA) and had included the Data Retention Directive until that legislation was declared invalid by the Court of Justice of the European Union in 2014 in the wake of the mass surveillance scandal. Attempts to introduce further powers under the so-called 'snoopers' charter', even before the demise of the Data Retention Directive, failed after Nick Clegg withdrew his support in April 2013. The government introduced stop-gap legislation in the form of the Data Retention and Investigatory Powers Act 2014 (DRIPA) but needed to bring in more permanent legislation before the powers under DRIPA expired at the end of 2016.

When does it come into force?

The data retention provisions which replace those in DRIPA have been brought into force in time to replace them. Other provisions will not be in place "for some time" according to the government and existing provisions under RIPA will remain in force until expressly repealed. The government has said some of the provisions require extensive testing and there will be consultation with industry to help develop Codes of Practice and other secondary legislation required to bring the rest of the IPA into effect. The government plans to set out a timetable for this process "in due course".

What does the IPA do?

The IPA overhauls RIPA and, in many cases, extends its scope. In particular, it provides for:

  • Warrant powers to conduct interception, equipment interference (i.e. hacking in order to monitor) and obtaining of bulk communications data. The most intrusive warrants and notices which are issued by the Secretary of State must be approved by a senior judge or Judicial Commissioner. A range of public authorities have powers to issue different types of warrants. There is a requirement to take various matters including privacy and human rights into account before issuing, renewing or cancelling warrants. Interception and equipment interference warrants can be targeted, thematic or bulk.
  • A prohibition on unlawful interception of communications. The offence is similar to that under RIPA but extends to cover all communications stored by the telecommunications system before as well as after transmission.
  • A new Investigatory Powers Commissioner who will oversee use of powers under the IPA.
  • A power for the Secretary of State to issue "technical capability notices". These will require telecommunications operators to institute semi-permanent interception capabilities. The notices can deal with interception, equipment interference, or bulk data sets.
  • A power for the Secretary of State to serve "data retention notices". These can require telecommunications operators to generate, obtain and retain "communications data" about users for up to twelve months. The classes of communications data which may need to be retained can be very wide – up to "all data". The data can then be requested by a range of authorities for a range of purposes (largely to do with prevention of crime and terrorism and to protect public health and safety). Crucially, the definition of communications data has been extended so that the information obtainable includes internet connection records i.e. website browsing histories (although not details of individual web pages visited).
  • Relevant authorities with the ability to use "request filters" to make complex searches for types of communications data.
  • Certain exemptions in relation to disclosure of journalistic sources, legal privilege and communications between MPs and their constituents.

Who will be caught by warrants and data retention provisions?

The IPA significantly widens the types of businesses subject to notices, warrants and data retention obligations. In addition, many of the powers under the IPA are extra-territorial and can, to varying degrees, apply to non-UK businesses where they provide telecommunications services to people in the UK or control a telecommunications system in the UK.

The definitions, including those of telecommunications systems, services and operators, are deliberately wide and a large range of businesses will be impacted, including:

  • Large telecommunications providers – can be caught by all warrants, notices and retention provisions.
  • ISPs – codes of practice may apply some exemptions for small ISPs.
  • Cloud service providers, messaging apps and web-based email – caught by provisions applying to telecommunications operators. Draft Codes of Practice specifically state that "internet based services such as web-based email, messaging applications and cloud-based services" are included.
  • Private networks – these are covered in the IPA so businesses, schools, universities and possibly even households are caught by the definition of private network.
  • Free wi-fi providers – cafes and other organisations, as well as the operator providing the free wi-fi, will be within the definition of telecommunications operator.
  • Media organisations – caught by provisions relating to journalist exemptions and private networks.
  • IoT devices – data generated by IoT devices will be within the definition of communications data.

How will enforcement be handled?

Powers in relation to communications providers are largely enforceable through injunctions. Many of the enforcement powers can only be used in the UK; however, interception warrants and targeted communications data acquisition notices can be enforced by injunction against non-UK persons, in which case conflict of law provisions must be taken into account.

Other legislative developments

The second part of the data protection reform package was also completed with the publication of the Directive for the police and criminal justice sector in the Official Journal. This entered into force immediately on 5 May 2016 and Member States must transpose it into national law and implement it from 6 May 2018.

The PNR Directive was published in the Official Journal. It must be implemented by 25 May 2018.

The EC published proposals for a Council Decision to give effect to an EU-US umbrella agreement to cover the transfer of personal data between the EU and the US for the purposes of prevention, detection, investigation and prosecution of criminal offences including terrorism. This is distinct from the EU-US Privacy Shield proposals as it covers law enforcement cooperation. The agreement, which provides for certain protections to be given to the data and for the right to judicial redress for EU citizens in relation to privacy breaches, was signed by the USA and on behalf of the EU in June 2016 and has just been approved by the European Parliament.

CJEU judgments and Opinions

We haven't seen anything from the CJEU as dramatic as last year's Safe Harbor decision and 2014's Google Spain decision but there were some interesting developments.

AG Opinion on retention of personal data
An Advocate General's (AG) Opinion in a case brought by Tom Watson and others relating to the government's data retention rules, joined with a similar case from Sweden, was published in July.

The UK reference asked whether the current UK requirement on communications operators to retain communications data for 12 months was compatible with EU law, in particular the Privacy and Electronic Communications Directive and the Charter of Fundamental Rights.

The AG opined that a general obligation to retain data may be compatible with EU law, subject to satisfying certain strict requirements:

  • the general obligation to retain data and accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference;
  • the obligation must respect the right to respect for private life and the right to the protection of personal data under the EU Charter;
  • any interference with the above fundamental rights must be in pursuit of an objective in the general interest. The AG's view is that the only valid justification would be the fight against serious crime;
  • the general obligation to retain data must be strictly necessary to the fight against serious crime (i.e. no other measure or combination of measures could be as effective while causing less interference with fundamental rights). In addition, the conditions laid out in the Digital Ireland case must be observed regarding access to data, retention periods and security of data, in order to limit interference with rights to what is strictly necessary; and
  • the general obligation to retain data must be proportionate.

When the judgment is issued, there will, no doubt, be consideration as to whether the provisions of the Investigatory Powers Act comply with it.

Applicable law in cross-border disputes
The CJEU considered the issue of governing data protection law in July in a case involving a cross-border dispute between an Austrian consumer protection association and Amazon EU, established in Luxembourg. The dispute centred around the conclusion of contracts between Amazon.de and Austrian consumers. The sales contracts were stated to be governed by the law of Luxembourg and the contract allowed for the use of customer data and content. These terms were the source of the claimants' objection. Amazon does not have a registered office in Austria.

The case went to the Supreme Court of Austria which made a reference to the CJEU, asking three questions including whether Article 4(1)(a) of the Data Protection Directive 1995 meant that treatment of personal data by an undertaking engaged in electronic commerce was governed by the law of the Member State to which that undertaking directed its activities.

The CJEU cited Weltimmo, saying the fact that the undertaking which is the data controller does not have a branch or subsidiary in a Member State does not mean it does not have an establishment there for the purposes of Article 4(1)(a). However, the fact that a website is accessible in a particular Member State does not necessarily mean that the data controller has an establishment in that Member State. It is for the Austrian national court to determine whether Amazon carried out the relevant data processing in the context of the activities of an establishment situated in a Member State outside Luxembourg. If it were to determine that the establishment was located in Germany, German law would govern the processing of the personal data in question.

Dynamic IP addresses can be personal data
In November, we reported on the CJEU decision which held that a dynamic IP address which can be combined with data held by a third party is likely to be personal data. The CJEU said that while an IP address alone is not personal data, it should be treated as such if ISPs hold additional data which could be combined with the IP addresses to identify individuals where there is a reasonable likelihood they would do so and where they have the legal means to do so. This would not be the case where it would involve disproportionate effort to combine data or where the combination was illegal.

The ruling comes as no surprise to those familiar with the progression of EU data protection law although those used to a US definition of what constitutes Personally Identifiable Information may find it more surprising.

The Data Protection Directive has a wider definition of personal data than the UK's Data Protection Act which is more accurately reflected in German data protection law, and the GDPR has a wider definition still in terms of whether data should be classed as personal because of its potential to be combined with other data in order to identify individuals. Decisions of regulators and courts have been trending towards the wide interpretation given by this judgment for some time.

The ruling does leave some questions unanswered, not least of which is just what is meant by "disproportionate effort" and "reasonable likelihood" in terms of combining different datasets. Notwithstanding the remaining ambiguities, the stance taken in this case reflects the general direction of travel of EU data protection law. The working assumption should be that any data which can identify an individual when combined with other lawfully obtained data, even where that data is held by a third party, should be treated as personal data unless there is a good reason not to do so.

Crackdown on nuisance marketing

2016 has seen a big step up in terms of enforcement by the ICO with barely a week going by without the announcement of a major fine being imposed on a company for sending nuisance marketing texts or making calls. A further deterrent was announced by the government in October. The government plans to amend PECR so that, from Spring 2017, company Directors can be held personally liable for the use of nuisance marketing calls by their companies. Fines of up to £500,000 per Director will be available by way of sanction in addition to fines of up to £500,000 for the company. The use of personal fines is intended to avoid the situation where a company facing a fine declares bankruptcy in order to avoid paying it and then essentially sets up again under a different name.

ICO Guidance

Wi-fi Analytics
In February, the ICO published guidance for organisations which provide wi-fi services through which they process analytics data. The ICO's key points are that organisations must give clear and comprehensive information to individuals to make them aware of the processing and that they should avoid excessive data collection and take steps to reduce the risk of identifying individuals.

Organisations should avoid covert collection of data by informing individuals, for example at the entry to relevant premises and around the building, as well as in website terms and conditions and on sign up to the wi-fi network, about what they are doing. They should also ensure users have time to review the information before the processing takes place.

The ICO also recommended carrying out privacy impact assessments in order to help reduce risk.

Encryption
The ICO published updated guidance in March intended to help organisations decide when and how to use encryption. The ICO reminds organisations that while there is no legal requirement to encrypt data, there is a requirement to use appropriate measures to keep data secure. Where a lack of encryption has led to data loss, the ICO warns regulatory action and monetary penalties may follow, not to mention reputational damage.

The ICO warns that vulnerabilities often occur due to failure to keep systems and protections up to date. Other issues arise from basic errors like storing data on unencrypted devices like USBs which then get lost or are stolen. Failure to dispose of equipment properly or simply sending unencrypted data by mistake are also recurring problems.

The ICO urges organisations to consider their specific needs prior to selecting a solution. Independent assessments of encryption software can also be useful, particularly to assess how robust they are. Organisations should also have proper internal security policies and practices in place.

Direct marketing
At the end of May, the ICO published updated guidance on use of direct marketing. The government has confirmed that the guidance will be issued as a Code of Practice which would give it statutory recognition and allow it to be considered by the courts.

In terms of what's new, the ICO said the guidance:

  • includes a greater focus on scenarios involving not-for-profit organisations – a reminder that they have to follow the same rules as other organisations in the wake of the high profile scandals involving the marketing practices of some not-for-profits;
  • gives more direction around "indirect" or third party consent – the ICO says that indirect consent is insufficient for texts, emails or automated calls due to the stricter rules on electronic marketing under PECR which require that the sender of the message obtains consent. However, indirect consent may be acceptable under certain circumstances where it is sufficiently clear and specific. In essence, the customer must have anticipated their details would be passed to the organisation in question, for example, where the third party organisation was specifically named or where the class of third parties to whom personal data might be transferred was sufficiently well defined. A customer is unlikely to consent to unlimited marketing calls or texts from anyone, says the ICO, so the question is what the customer would reasonably expect given the context. If the third party marketing content is different from the type of content in relation to which the consent was originally obtained, it is unlikely to be valid under PECR.

    The ICO also says that the fact that consent does not last indefinitely is even more important in relation to third party consent and reminds organisations that consent to pass personal data to third parties is a one-step process so that A may get consent to pass data to B but that will not allow B to pass data to C.

    Organisations should make rigorous checks as to how and when consent was obtained, by whom and what the customer was told. They should not rely on assurances that consent was properly obtained but should conduct their own due diligence. Where consent was generic, it will be very difficult to show it was specific enough for calls, texts or emails. And, at the very least, any promotion sent e.g. by mail must be consistent with the context in which consent was given and aimed at a similar market;
  • provides information about what constitutes "freely given" consent – it is not acceptable to 'over-incentivise' someone for giving consent to receiving direct marketing materials, nor to make it a condition of receiving products or services.

The ICO says it has not issued sector specific guidance, nor is it possible to give definitive answers to all questions as each case will be specific on its facts.

Privacy notices
In October, we reported on the ICO's revised Code of Practice on Privacy Notices, transparency and control (CoP) together with a checklist for privacy notices to help organisations to comply with the Data Protection Act and also the incoming requirements under the GDPR. The ICO recommends adopting a blended approach, using a number of different techniques in order to present information in the most fair and transparent way, taking into account the audience, the available methods of communication and the complexity of the data processing.

Article 29 Working Party

Applicable law
In January, the Article 29 Working Party (WP) published an updated Opinion on applicable law in light of the CJEU decision in Google Spain. It considers:

  • Activities carried out in the context of an establishment
    Under Article 4(1)(a) of the Data Protection Directive, the Directive applies where processing of personal data is carried out in the context of the activities of an establishment. "Establishment" is broadly interpreted (as confirmed by the CJEU in Weltimmo) and the processing doesn't have to be carried out by the relevant establishment but in the context of its activities.

    The WP highlights the concept of an "inextricable link" as one of the new elements to be considered following the Google Spain judgment. This means that even where an establishment is not directly processing data, processing by a non-EU data controller may still be brought within the scope of the Directive where there is an inextricable link between the processing and the activities of the EU-based establishment.
    In addition, the EU establishment must orientate its activity towards the inhabitants of that Member State.

    The WP goes on to discuss what constitutes an inextricable link. It notes that revenue-raising in the EU by a local establishment is likely to be inextricably linked to processing of personal data outside the EU. This is the case even if the revenue raised locally is not used to fund local or other EU activity. The WP warns against using remote links to try and apply EU law and also suggests that the concept of an inextricable link does not apply solely to the search engine model. It provides other examples where this sort of reasoning might be applied including offering free services within the EU (financed by use of data collected); offering membership or subscription services in the EU; or seeking donations in the EU.
  • Applicable law for multi-jurisdictional businesses
    The WP looked at which law applies where an organisation has several Member State establishments but where only one is a data controller in relation to the processing and where the others do not necessarily play a part in the processing. It notes that the Google Spain case did not address this directly and suggests a case by case approach. Regardless of where the data processing takes place, where a company has establishments in several EU Member States and the activities of each and the data processing are inextricably linked, then the law of each Member State will apply to the establishment within that State. Clearly this will change under the GDPR.
  • Where there is no EU establishment
    Member State law will apply under Article 4(1)(c) of the Directive even if there is no establishment in that Member State but where the data controller uses equipment situated in the Member State territory (other than for mere transit). While Google Spain did not discuss this issue, it does not exclude organisations without an EU establishment from being subject to EU data protection law.

EDPS

EDPS guidelines on web-based services and mobile apps

In November, the European Data Protection Supervisor (EDPS) published guidelines on the protection of personal data processed by EU institutions through web-based services and mobile apps. The guidelines came in the wake of the CJEU ruling that dynamic IP addresses can be personal data (discussed above). While the guidelines are aimed at EU institutions, they have a wider relevance in their focus on demonstrating compliance and integrating data protection principles with online and app-based activities. Particular focus is on the use of cookies, online tracking, security and personal data transfers.

Opinion on use of surveillance technologies
The EDPS issued an Opinion on dissemination and use of intrusive surveillance technologies. The EDPS notes that certain uses are legitimate but the technologies can be exploited for illegal purposes. The EDPS recommends:

  • assessing EU standards for protection of human rights in the sector;
  • appropriate regulation of surveillance and interception tools;
  • consistent and effective EU policy on the export of intrusive surveillance tools;
  • addressing dissemination of interception and surveillance technologies within cybersecurity policies and appropriate legislation;
  • investing in internet security initiatives with new technologies containing privacy by design and default;
  • a consistent EU approach to protecting whistleblowers on human rights violations in this area.

Guidelines on personal data and mobile devices

The EDPS produced guidelines for EU institutions and bodies on personal data and electronic communications and mobile devices. The EDPS says these can be applied to any organisation and will remain relevant once the GDPR comes in due to the emphasis on accountability and demonstrating compliance. The EDPS recommends a case by case risk/benefit analysis prior to organisations allowing data processing on mobile devices. This should include an assessment of the type of data being processed and security implications. Organisations should also have policies governing the use of BYOD.

Case on employee monitoring

The judgment from the European Court of Human Rights in Barbulescu v Romania created a stir in January but was less controversial than might first have appeared. While the UK, as a signatory to the European Convention on Human Rights, is bound by the judgments of the European Court of Human Rights, this judgment did not extend the scope of permissible employee monitoring in the UK.

The employee, Barbulescu, was asked by his employer to set up a Yahoo! Messenger account to deal with client queries. Company policy was that it could not be used for personal communications. The account was monitored for nearly two weeks and Mr Barbulescu was informed that the monitoring showed he had used the internet for personal purposes. On denying this, he was shown a transcript of the communications and was subsequently dismissed for breach of company policy. Barbulescu relied on Romanian law to challenge the dismissal. The dismissal was upheld and he then appealed, arguing his emails were protected by Article 8 of the European Convention on Human Rights. The appeal was dismissed and the Romanian court held that the monitoring had been reasonable and the only way to establish whether there had been a disciplinary breach. Barbulescu next appealed to the European Court of Human Rights, arguing that the decision to terminate his contract had been based on infringement of his Article 8 rights. The Court dismissed the appeal.

It is worth emphasising that the heart of the judgment is that the Romanian domestic authorities acted appropriately in striking a fair balance between the rights of the individual to respect for the employee's private life and the interests of his employer. In this case, the employer's policy stated that its systems could only be used for professional purposes. It consequently expected it would only be accessing client-related communications. In addition, it was reasonable for the employer, in the context of Romanian labour law, to verify that its employees were completing their professional tasks during working hours (Romanian labour law specifically allows monitoring for this purpose provided the confidentiality of the employee personal data is preserved).

UK law allows employers to conduct minimal and proportionate monitoring of communications sent using an employer's electronic communications system during business hours for specified business purposes such as checking that employees are complying with internet usage policies (and subject to various safeguards). In certain circumstances this may also include access to the content of those communications where necessary.

This judgment underlines the importance of having appropriate and lawful employee monitoring policies in place and making sure both that they are communicated to employees and that they are adhered to by the employer.

Surveillance Camera Compliance tools

The Surveillance Camera Commissioner published a self assessment tool and a certification scheme in the first part of 2016, to help companies comply with and demonstrate compliance with the Surveillance Camera Code of Practice. The self assessment tool is in the form of a questionnaire designed to be completed by relevant authorities and the certification scheme allows the relevant authorities and any organisation operating a surveillance camera in a public space to apply for an audit against the code by a third party and get a certification mark if the audit is completed successfully.

The Commissioner suggests that all local authorities complete the self assessment tool for their main town centre system. Once any recommended actions have been completed, local authorities should apply for step 1 certification which lasts for a year and then apply for full certification towards the end of the first year.

Guidance is provided after the main town centre system has been certified as to how to proceed with other camera systems. While it focuses on public authorities, the guidance is also relevant to organisations which wish to comply with the code on a voluntary basis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


    Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

    Use of www.mondaq.com

    You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

    Disclaimer

    Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

    The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

    Registration

    Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

    • To allow you to personalize the Mondaq websites you are visiting.
    • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
    • To produce demographic feedback for our information providers who provide information free for your use.

    Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

    Information Collection and Use

    We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

    We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

    Mondaq News Alerts

    In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

    Cookies

    A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

    Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

    Log Files

    We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

    Links

    This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

    Surveys & Contests

    From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

    Mail-A-Friend

    If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

    Emails

    From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

    *** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .

    Security

    This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

    Correcting/Updating Personal Information

    If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

    Notification of Changes

    If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

    How to contact Mondaq

    You can contact us with comments or queries at enquiries@mondaq.com.

    If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.

    By clicking Register you state you have read and agree to our Terms and Conditions