
Technology, Media & Telecommunications

Issue 54, March 2010

Data Protection and Freedom of Information

EU - Working Party opinion on controllers and processors

The Article 29 Working Party published yesterday an Opinion on two of the key concepts under the Data Protection Directive - “data controller” and “data processor”. The distinction between the two has a number of practical implications, including determining who is liable to comply with data protection law and whether processing clauses are required.

The Opinion’s key conclusion is that a data controller must determine the “purpose” and “essential means” of the processing but can delegate “technical and organisational means” to the data processor. This is helpful and should provide more legal certainty for businesses. However, applying it to some real life situations may still be a challenge.

Why has the Opinion been issued?

The Directive defines a data controller as someone who determines the “purpose and means” of processing and a data processor as someone who processes personal data “on behalf of” a data controller. The distinction has a number of practical implications:

> data processors are not responsible for the processing or generally subject to data protection legislation (though at least 11 European states impose some limited data security obligations directly on data processors);

> data controllers must have a written contract with data processors, flowing down a limited set of data protection obligations through the use of processing clauses. These clauses must oblige the data processor to only act on behalf, and under instructions, of the data controller; and

> disclosures of personal data to a data controller can be more difficult to justify than disclosures to a processor. In certain countries indeed, an additional consent from, or notice to, the data subjects may be required if the disclosure is to a data controller.

Contents

EU - Working Party opinion on controllers and processors ... 1

EU - Commission Issues New Model Processor Clauses ... 5

Belgium – The Belgian Data Protection Regulator opines on RFID ... 8

Germany – Is the Safe Harbor agreement still safe? ... 10

Germany – Constitutional Court Overturns Data Retention Directive ... 11

UK - No contract, no problem? Think again ... 12

UK - An extreme decision on exclusion clauses? ... 15

UK - BSkyB v EDS: Time to Reassess the Risks of Outsourcing? ... 17


Despite the fairly fundamental issues raised by this distinction, there has been considerable doubt about how this classification operates in practice, especially for increasingly sophisticated vendor services and outsourcing relationships. This was demonstrated by the various and sometimes contradictory opinions rendered in relation to the US Treasury’s access to financial messages transported by SWIFT on behalf of their customers in the framework of the Terrorist Finance Tracking Program.

Data processors and “essential means”

The Opinion on the concepts of “controller” and “processor” (WP 169) addresses these issues. The main point in the Opinion is that so long as the data controller continues to determine the “purpose” and “essential means” of the processing, it can still delegate “technical and organisational means” to the data processor. The Opinion defines the “essential means” to be:

“elements which are traditionally and inherently reserved to the determination of the controller, such as ‘which data shall be processed?’, ‘for how long shall they be processed?’, ‘who shall have access to them?’, and so on”

This position is broadly similar to that taken by the UK Information Commissioner, whose Guide to Data Protection states:

“the data controller is the person who decides how and why personal data is processed. However, we take the view that having some discretion about the smaller details of implementing data processing (i.e. the manner of processing) does not make a person a data controller.”

The Opinion also suggests other criteria to consider when making this assessment, such as the visibility of the processor to the data subject (see the call centre example below), the level of supervision by the controller and the margin of manoeuvre open to the processor.

It also states that while contractual provisions stating that a party is to act as data controller or data processor (or both!) will affect the analysis, they are not determinative and it is important to consider the underlying factual circumstances.

Examples of classifications

While this provides a useful framework for any analysis, it can still be difficult to come to any firm conclusions in any particular case. It is therefore helpful to look at some of the examples given in the Opinion:


> Payroll processing companies - These will clearly be data processors. While they have some discretion about the technical equipment they use to provide their services their tasks will be clearly and tightly defined and they will be bound to follow the relevant employer’s instructions.

> Call centres - The Opinion considers that outsourcing providers who provide call centres will normally be data processors as they must present themselves using the data controller’s identity and can only use the controller’s information for limited purposes.

> Tax authorities - In contrast, when an employer discloses information about its employees to the tax authorities, the tax authority clearly receives that data as a data controller as the employer has no ability to control the tax authority’s use of that information.

> Accountants - However, not all the examples given in the Opinion lead to such clear-cut conclusions. For example, accountants may be either a data processor or a data controller depending on how their arrangements with their clients are structured.

Controllers - Joint or independent?

Even if data is passed to a party acting as data controller, that is not the end of the analysis, as the Opinion goes on to consider whether that party ought to be treated as an independent controller or as a joint controller with the disclosing party. This distinction also has practical implications, as joint controllers may be jointly and severally liable for any data protection breaches.

The Opinion again stresses the need for a substantive and functional approach: while the contractual allocation of responsibilities can be useful in assessing this issue, it is not determinative of the result. Instead, the main question is whether the two data controllers share a common purpose or means. For example, a tax authority will clearly be a data controller independent of the disclosing employer. In contrast, the Opinion considers that a pharmaceutical company sponsoring clinical trials and the company running the trials may be joint controllers, as there may be a great deal of commonality in their activities. Research-based pharmaceutical companies might be surprised by this conclusion.

An important point made by the Opinion is that these relationships ought to be structured in a way that clearly sets out each party’s responsibilities and allocates data protection obligations in a sensible manner. Absent this, the Opinion suggests there should be joint and several liability between all parties involved in that processing.


Conclusions

The Opinion provides some useful clarifications, but in many cases it will still be difficult for businesses to come to any firm conclusion on whether a party acts as a data processor, joint controller or independent data controller. While the Opinion states that it “has not found any reason to think that the current distinction between controllers and processors would no longer be relevant and workable in that perspective”, questions about the need for the data controller/data processor concepts, as evidenced by the responses to the Commission’s consultation on the Data Protection Directive, may continue.

The Opinion is available here

By Tanguy Van Overstraeten and Richard Cumbley, Linklaters LLP

A full version of this article considering the application of these principles to outsourcing and information technology agreements will appear in the April/May edition of Computers & Law - see www.scl.org for further details.


EU - Commission Issues New Model Processor Clauses

The European Commission has finally issued its long-awaited revision to the controller-processor model clauses. The main change is to allow sub-processing. This has been implemented in a sensible manner and provides welcome flexibility when structuring outsourcings and other processing arrangements.

Background

Model clauses are one of the most flexible methods for businesses to export personal information from the European Union to countries outside the EU without falling foul of the prohibition on export set out in the EU Data Protection Directive 95/46/EU. Model clauses come in two flavours – one used for export to data controllers located outside the EU, and the other for export to data processors. The latter category is widely used in the outsourcing and IT services industries, but to date only one set of controller-processor model clauses has been approved for use by the European Commission.

Lengthy consultations with industry bodies such as the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU), the Japan Business Council in Europe (JBCE) and the Federation of European Direct and Interactive Marketing (FEDMA) have produced this revised set of controller-processor model clauses. They are a marked improvement on the previous version, although they do not address all the perceived shortcomings of their predecessors, such as the onerous filing requirements imposed by some national regulatory authorities and the problems raised when the clauses are used by multiple parties. However, the arbitration provisions, which were unpopular with some data controllers, have been removed.

Sub-Processors

The most significant alteration is that the new model clauses expressly allow a processor located outside the EU to appoint a sub-processor. This situation is extremely common in practice – for example where Indian IT service providers sub-contract some of their work intra-group or to third parties. Appointment of subcontractors under the new model clauses is conditional upon:

> the non-EU based processor obtaining the controller’s prior consent in writing;

> the non-EU based processor providing to the EU based controller a copy of the contract under which any sub-processing takes place. This contract in turn has to be made available to data subjects. Although commercially sensitive terms may be redacted when the contract is provided to data subjects, the same is not true when copies of the sub-processing arrangements are provided to EU based data controllers; in practice, therefore, service providers will want to ensure that their sub-processing arrangements do not contain any commercially sensitive terms, in order to avoid having to disclose them to their ultimate EU based controller customers;

> the sub-processing being carried out under a written contract which imposes the same obligations on the sub-processor as are imposed on the non-EU based processor;

> the non-EU based processor remaining liable for the sub-processor; and

> data subjects being granted third party rights against the sub-processor which can be exercised should both the EU based controller and non-EU based processor cease to exist or become insolvent.

This largely reflects the arrangements which many data controllers have been implementing for some time. Importantly, the new model clauses do not draw the line at sub-processors and deeper supply chains are permitted (i.e. sub-sub-processing). This follows from the definition of sub-processor - “any processor engaged by the data importer or by any other sub-processor of the data importer”.

The new model clauses also apply only to processors based in third countries not providing adequate protection. This means the clauses are not authorised for use with a processor in the EU who uses sub-processors outside the EU. Although this appears to put EU based IT service providers, or similar, at a disadvantage to their non-EU competitors, the practical answer may be for the controller to enter into the new model clauses directly with the non-EU sub-processors.

Use in practice

The new model clauses will help to simplify the contractual framework for outsourcing arrangements. A data controller customer in such arrangements no longer needs direct contracts with all processors and sub-processors and can rely on the non-EU based “head” processor supplier to put a “chain of contracts” in place with sub-processors. It seems logical to conclude that this approach can also be used for processors and sub-processors within the EU and that such an arrangement would satisfy the requirements of Article 17 of the Directive.

Finally, it is worth remembering that the model clauses are not a “cure all”. Many data protection authorities, such as the UK Information Commissioner, will be more interested in the steps a data controller has taken in practice to confirm that offshore processors will keep the information secure. Depending on the nature of the data, this may include on-site visits and audits. In the event of a serious data loss, model clauses alone will provide very little comfort.

Expiry of Old Model Clauses

The new model clauses come into effect on 15 May 2010. On this date the old model clauses, approved under Decision 2002/16/EC, will cease to be recognised. This is in marked contrast to the controller-controller model clauses, where the two different forms of model clauses approved to date continue to benefit from approved status in parallel. As a result, contracts that have already been concluded between parties will continue to be valid but only so long as the “transfers and data processing operations that are the subject matter of the contract remain unchanged”. It is not entirely clear what this means but, potentially, even an amendment to the Appendices to the clauses (i.e. to the details of the data transferred and the security measures) could trigger the need for new model clauses.

The Future for Data Processors

The new clauses are very welcome. However, they come at a time when the very concept of “data processors” is being questioned. A number of the responses to the Commission’s consultation on the Data Protection Directive pointed out that, given the increasing sophistication of vendor services and outsourcing relationships, it is increasingly difficult to draw a clear distinction between data controllers and data processors, and called for the distinction to be abolished. The Article 29 Working Party has been reviewing these definitions for some time and their interpretation will be on the agenda of its 74th meeting on 15-16 February 2010.

The new processor clauses are available here and a redline showing the changes to the existing processor clauses is available here.

By Tanguy Van Overstraeten, Brussels, and Richard Cumbley, London.

Tanguy and his team in Brussels actively contribute to the work of the Digital Economy Committee of the American Chamber of Commerce to the European Union (AmCham EU), which participated in the review of the model clauses.


Belgium – The Belgian Data Protection Regulator opines on RFID

Following in the footsteps of the Article 29 Working Party (see Working Paper 105) and the European Commission (see Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification), the Belgian Privacy Commission recently issued an opinion on RFID (Opinion No. 27/2009 regarding RFID).

RFID and data protection

The Privacy Commission’s Opinion starts by pointing out RFID technology’s ultimate goal, i.e. the ability to distinctively identify any object in the world, and sets out the technology used to achieve this goal (a reader, an RFID tag and a system to handle the data flows). The Privacy Commission cites a number of examples of its use in various sectors, including public transport cards, boarding passes in airports, healthcare tools and security mechanisms such as those protecting bank notes.

This technology clearly has the potential to infringe people’s privacy so the Opinion goes on to consider its compatibility with the Law of 12 December 1992 on privacy protection in relation to the processing of personal data (the “DPA”).

The Privacy Commission starts by recognising that some RFID applications will not be subject to the DPA as they will not involve any processing of personal data. However, in other circumstances personal data is likely to be processed, either because the RFID tag can be linked to an individual or because the tag itself contains personal data. In such circumstances, the DPA applies “as soon as the link between the identification number on the tag and a natural person can be established through the implementation of reasonable means by the data controller or any other person”. Use of that RFID application will be a processing of personal data.

Practical application

The Opinion then reviews the rights and obligations imposed on data controllers by the DPA to illustrate how they can be applied for RFID applications.

First, the Privacy Commission analyses the various legal grounds on which the processing of personal data by RFID can be based, focusing in particular on consent and legitimate interest. The Privacy Commission considers that in the retail sector, for example, consent can be expressed by granting customers an “opt-in” right, e.g. by requiring them to actively choose to leave an RFID tag “on” after leaving the shop, the default option being to switch it off permanently upon purchase of the item. It states that where retailers offer RFID-equipped loyalty cards to their customers, they should offer those customers an anonymous card as an alternative, i.e. an RFID card which cannot be linked to an individual because no personal data about the card holder is stored either on the RFID tag itself or in the RFID system.


Second, the Privacy Commission insists that data subjects are informed of the use of RFID tags, especially because of “invisible” data processing that can occur when they are used. The rules on filing of a notification with the Privacy Commission should also be strictly applied and the filing exceptions in the Royal Decree of 13 February 2001 implementing the DPA should be interpreted restrictively. For example, in the retail sector, the filing exception for customer management does not extend to processing of personal data from customers for profiling, so that such activities would require a notification to be filed.

Third, the Privacy Commission reiterates that, regardless of the processing ground relied upon by the retailer, customers should be able to deactivate an RFID tag upon purchase of the goods where such tag is intended for the management of stocks by the retailer. This ensures compliance with the obligation not to keep personal data for longer than necessary.

Finally, the Privacy Commission stresses the need for adequate security measures. The Privacy Commission recommends in particular that data controllers:

> perform a “privacy assessment” about the impact of the RFID application on data protection. The higher the risk for unlawful processing of personal data, the stricter the assessment should be;

> determine the persons responsible for the follow-up of such evaluations and their tasks in terms of verification of the organisational and technical security measures in place, in particular in light of the technological progress in that field; and

> provide such assessment to the supervising authority at least six weeks prior to the roll-out of such application.

Conclusion

This opinion shows the Privacy Commission is closely monitoring developments in the field of RFID applications. Although it names numerous examples of such applications, it seems to focus in particular on the use of such systems in the retail sector, as most DPA concepts are illustrated with examples from that particular sector.

The Privacy Commission’s requirement for a privacy assessment is a new development that reminds the data controllers of the growing importance of taking privacy into account in the design of new applications, as illustrated by the concept of “security and privacy by design”.

By Guillaume Couneson, Brussels


Germany – Is the Safe Harbor agreement still safe?

The Düsseldorfer Kreis, the association of German data protection authorities, has announced that a review of the US Safe Harbor agreement will take place in April 2010. The data protection commissioner of Schleswig-Holstein, Thilo Weichert, said that the agreement was not being enforced effectively in the US and may not guarantee that US companies comply with European data protection standards.

Widespread breach of Safe Harbor?

The Safe Harbor is an agreement between the European Commission and the United States Department of Commerce entered into in 2000. The agreement enables organisations to publicly declare that they will comply with the Safe Harbor principles and so join the Safe Harbor list. This allows the transfer of personal data to the US in circumstances where the transfer would otherwise not meet the European adequacy test for privacy protection.

A survey called “The US Safe Harbor – Fact or Fiction?”, conducted by the US company Galexia, has recently triggered doubts that US companies actually meet the standards set out in the Safe Harbor agreement. According to the survey, only 348 companies had fulfilled the minimum requirements, and another 206 companies falsely alleged that they were members of the agreement.

Cross-border data flow in danger

The debate on the Safe Harbor Agreement underlines the tendency of the German data protection authorities to apply stricter rules to companies processing personal data. A rejection of the Safe Harbor agreement by the Düsseldorfer Kreis would not automatically require data transfers to the US to be terminated, but it would surely tighten the conditions under which such transfers will be allowed. For example, it may be necessary for Model Clauses to be implemented. If this does come to pass, many will question the continuing value of the Safe Harbor system.

The US Safe Harbor – Fact or Fiction? report is available here.

By Dr Ingemar Kartheuser, Munich


Germany – Constitutional Court Overturns Data Retention Directive

Germany’s Federal Constitutional Court (Bundesverfassungsgericht) has overturned the German implementation of the Data Retention Directive, which requires telecommunications providers to store traffic data on telephone calls and emails and to provide the authorities with access to that information to help fight terrorism and crime. The Court also ordered the stored data to be deleted immediately. The judgment has attracted great attention in the press and has prompted the Commission to review the status of the Directive itself.

Tighter controls necessary

Since 2008, German telecom providers had been obliged to keep a record for six months of traffic data for emails and phone calls, and to store details of the IP address allocated to users. Over 34,000 plaintiffs, concerned at breaches of privacy and civil liberty rights, launched Germany’s biggest class action lawsuit to date. The Federal Constitutional Court found in their favour, ruling that the law, at least in its current form, marked a “particularly serious infringement of privacy in telecommunications”. The Court held that:

> the German legislator must implement stricter conditions to be attached to the use and storage of data, such as the use of separate data storage, encryption techniques, secured access e.g. by requiring dual authorisation for access and tamper-proof documentation of access and deletion of data;

> the access to the telecoms data must serve tasks of paramount importance. Telecoms data may only be used for prosecution of crimes if suspicion of a severe criminal act exists, and may only be used for prevention of crimes if there is a concrete danger; and

> some data may not be retrieved by authorities at all (e.g. telephone calls made to anonymous telephone counselling services).

However, authorities may ask for information about the person to whom an internet IP address has been allocated under less strict conditions, and even in the case of an administrative offence.

Next steps

Although the Court suspended the law, the German legislator will still be able to implement new rules on data retention by introducing a new law complying with the requirements set out above. A number of commentators said that the German government should draw up a new law quickly in order to guarantee effective prosecution of crimes but the German government may first await the outcome of the review of the Data Retention Directive by the European Commission. Whatever happens it is likely that telecommunications providers in Germany will have to cope with much stricter, and even more costly, security obligations in the future.

By Dr Ingemar Kartheuser, Munich


Outsourcing

UK - No contract, no problem? Think again

“The moral of the story is to agree first and to start work later”

Lord Clarke

Many commercial lawyers will recognise the sense and futility of these words. The Supreme Court’s decision in RTS v Müller [2010] UKSC is a textbook example of the risks of undertaking a project without a proper agreement in place. In the event of a dispute an uncertain, messy, fact intensive analysis will be needed to determine the legal position of each party.

A potted history

Müller are a well-known producer of dairy products and commissioned RTS to install two new production lines at its factory in Market Drayton. As is often the case, the work started before a full contract had been agreed.

Instead, a letter of intent was entered into on 1 March 2005 to allow time to develop a full set of terms and conditions. Unfortunately, by the time the letter of intent expired on 27 May, they had not been agreed. By July, the price for the work had been agreed (£1,682,000) as were almost all the contractual terms (referred to as MF/1) and most of the Schedules. However, no contract was ever entered into.

The relationship subsequently broke down in November 2005 after a failure in the new yogurt packing production lines - colourfully described by Müller’s counsel as creating a scene reminiscent of a Wallace and Gromit movie. RTS sought payment for its work from Müller; Müller counterclaimed for its losses from the failure of the new production line.

The Supreme Court was presented with three options as to RTS and Müller’s relationship:

> there was a contract between the parties but with very limited provisions. In particular, the MF/1 terms and conditions were not included. This was the finding of the High Court. It was appealed by RTS as it would thereby lose the benefit of the limitations of liability in MF/1;

> there was no contract between the parties. This was the finding of the Court of Appeal. It, in turn, was appealed by Müller as it meant Müller would be exposed to a quantum meruit claim from RTS without an ability to counterclaim for breach of contract or an ability to recover money already paid to RTS (as much of the purchase price had been); or

> there was a contract between the parties on much wider terms, including the MF/1 terms and conditions. This was the finding of the Supreme Court.


Back to first principles

The Supreme Court’s decision contains a helpful summary of the law:

“The general principles are not in doubt. Whether there is a binding contract between the parties and, if so, upon what terms depends upon what they have agreed. It depends not upon their subjective state of mind, but upon a consideration of what was communicated between them by words or conduct, and whether that leads objectively to a conclusion that they intended to create legal relations and had agreed upon all the terms which they regarded or the law requires as essential for the formation of legally binding relations.”

A critical part of this analysis is whether parties only intend to enter into legal relations once a formal contract is signed. This is normally indicated with the words ‘subject to contract’. In this case, the counterparts clause had this effect as it stated the contract “…shall not become effective until each party has executed a counterpart and exchanged it with the other”. To attribute such an understanding based on a counterparts clause seems bizarre. As one of the least important boilerplate provisions it seems unlikely either party would have given it much more than a glance during the negotiations.

It is also necessary to consider the commercial context. Contracts can be accepted through performance, and the fact that a “transaction was performed on both sides will often make it unrealistic to argue that there was no intention to enter into legal relations and difficult to submit that the contract is void for vagueness or uncertainty”. Finally, where a contract does come into being it will frequently be possible to hold that it impliedly covers retrospective performance.

Unscrambling the situation

With these principles in mind, the Supreme Court considered the three alternative scenarios. The suggestion there was no contract was roundly dismissed by their Lordships. Having agreed the most essential term of all, the price, it was “unconvincing” to think RTS “was agreeing to proceed with detailed work and to complete the whole contract on a non-contractual basis subject to no terms at all”.

The suggestion that the parties were proceeding on the basis of a limited set of provisions, excluding MF/1, was also dismissed. Almost all the terms of MF/1 had been agreed and substantial works had been completed. In light of that it was “inconceivable that the parties would have agreed only some of the terms” and not MF/1.

The Supreme Court therefore concluded that the parties had made a contract on much wider terms, including the MF/1 terms and conditions. This required:

> the essential terms of the contract, including MF/1, to be agreed. After a detailed review of the negotiations between the parties their Lordships decided that all terms of “real importance” had been agreed in July 2005. There were minor differences over the detail of some sections of the contract but their agreement was not a pre-condition to the conclusion of the contract. This contrasts with other cases, such as British Steel v Cleveland Bridge [1984] 1 All ER 504, in which there were fundamental disagreements about the terms applying to that relationship; and

> an unequivocal agreement by the parties that the ‘subject to contract’ provisions in the counterparts clause had been waived by the parties. This can be inferred from both communications between the parties and their conduct. Here “the reasonable, honest businessman”, whether an RTS or Müller man, would have concluded the parties had agreed the work was to be carried out for the agreed price and on the agreed terms. Hence the ‘subject to contract’ requirement had been waived.

So in the end the limitation clause in MF/1 was applicable and Müller’s attempt to pick and choose sections of the terms under negotiation was unsuccessful. However, it is hard to see this decision as a resounding success for RTS. It has taken almost five years and a visit to the Supreme Court to establish the nature of its contractual relationship, and only now can it start to address its substantive dispute with Müller.

Wider implications

The Supreme Court’s analysis is helpful and pushes back strongly on the Court of Appeal’s ‘no contract’ analysis. While their Lordships caution against a “simplistic and dogmatic” approach to this issue, their decision that a contract is likely where work is being carried out for an agreed price, and that a waiver of a ‘subject to contract’ proviso can be inferred from communications and conduct, should narrow the circumstances in which no contract is found. The judgment also warns against overreliance on ‘subject to contract’ wording.

However, their Lordships still had to undertake a messy, fact-intensive analysis. This is perhaps best illustrated by the fact that the High Court, Court of Appeal and Supreme Court all came to different conclusions about RTS and Müller’s contractual relationship. There is little to suggest subsequent cases will be any easier to decide.

RTS Flexible Systems Ltd v Molkerei Alois Muller Gmbh & Company KG (UK Production) [2010] UKSC 14 is available here

By Peter Church, London


UK - An extreme decision on exclusion clauses?

Exclusion clauses are often the most hotly-negotiated terms in any commercial contract. However, when disputes arise they frequently disappoint and provide less protection than anticipated. The recent decision in Markerstudy v Endsleigh [2009] EWHC 281 is an example of the pitfalls that await the unwary.

This particular case arose out of a claim by Markerstudy that Endsleigh breached a series of claims-handling agreements and had caused losses of some £14 million. The effect of the exclusion clauses in these agreements was central to the claim and, as such, was decided as a preliminary issue.

How not to draft an exclusion clause…

The first exclusion clause on which a ruling was sought stated:

“Neither party shall be liable to the other for any indirect or consequential loss (including but not limited to loss of goodwill, loss of business, loss of anticipated profits or savings and all other pure economic loss) arising out of or in connection with this Agreement”

It was common ground that this clause excluded “indirect and consequential loss” and that, by itself, this was of limited effect as it did not prevent recovery of “losses which flow naturally from a breach without other intervening cause and independently of special circumstances”. The contentious issue was the other heads of loss in the parentheses. Were they:

> freestanding, so that both direct and indirect loss of goodwill, business, profit and economic loss are excluded. This would be a potent exclusion and would severely hamper Markerstudy’s ability to recover; or

> qualified by the words “indirect or consequential” - i.e. loss of goodwill, business, profit and economic loss is not to be excluded if it flows naturally from the breaches.

The judge had little hesitation in deciding that the latter interpretation was correct and that the exclusion clause was limited in its effect. This is hardly surprising and follows previous authorities such as Ferryways NV v Associated British Ports [2008] EWHC 225 (see TMT News, April 2008: Indirect & consequential loss including…not very much).

How not to draft an exclusion clause (Part 2)…

The second exclusion clause under consideration stated:

“Endsleigh will not be liable to Markerstudy for any indirect or consequential loss or loss of profit or loss of business arising out of data input errors by Endsleigh”


Again, the dispute was whether the exclusion of loss of profit or business was freestanding or qualified by the preceding reference to indirect and consequential loss. Steel J. decided that whilst Endsleigh were on “somewhat firmer ground … the introductory phrase ‘any direct[sic] or indirect loss’ governs and defines the scope of the specified forms of loss. In short, only indirect loss of profit or business is excluded”.

While exclusion clauses are to be read contra proferentem, this is a radical interpretation and robs the exclusion clause of much of its force. Would the parties really have intended the reference to loss of profit and business to have no authoritative meaning and “become dangerously misleading and potentially valueless” (see BHP v British Steel [1999] 2 Lloyds Rep 583)?

Practical tips

The case demonstrates the need for care when drafting exclusion clauses. It is vital that heads of loss, such as loss of business or profit, are seen as distinct and freestanding from any general exclusion of indirect or consequential loss. There are a number of ways to do this:

> place such additional heads of loss before the words “indirect and consequential”. This will stop any argument that the words indirect and consequential are intended to govern any heads of loss listed subsequently;

> avoid including a list of excluded heads of loss followed by the words “…and any other indirect and consequential loss”. This could act to qualify such heads of loss; and

> never use the formulation “indirect and consequential loss including…”.

Markerstudy Insurance Company Ltd & Ors v Endsleigh Insurance Services Ltd [2010] EWHC 281 is available here.

By William Robinson, London


UK - BSkyB v EDS: Time to Reassess the Risks of Outsourcing?

Mr Justice Ramsey handed down his long awaited decision on Sky’s claim against EDS on 26 January 2010. It is likely to be remembered for its conclusions on intentional misrepresentation and the degree awarded to Mark Howard QC’s dog. However, it raises a number of other issues and demonstrates the steps a well-funded and determined claimant can take to circumvent a contractually agreed liability framework.

A system “operational within 12 months”

The dispute can be traced back to Sky’s announcement to the City in February 2000 that it was to invest £50 million to integrate its customer contact management systems and provide a state of the art system capable of cross selling and self service. Sky stated the system “will be operational within 12 months”.

Having already committed itself to such an ambitious target, Sky issued an invitation to tender in March 2000. Two tenderers emerged: PwC and EDS. Following further meetings, a letter of intent was signed between British Sky Broadcasting Ltd (“BSkyB”) and Electronic Data Systems Limited (“EDSL”) in August 2000. This was followed in November 2000 by a Prime Contract between Sky Subscribers Services Limited (“SSSL”) (being BSkyB’s subsidiary) and EDSL (the “Prime Contract”). EDS subcontracted some of the work to third parties, including Arthur Andersen.

The dangers of unrealistic expectations

By the time the Prime Contract was signed, Sky’s intention to introduce a new state of the art system within 12 months was already unachievable. To implement the new system as rapidly as possible, and therefore make up some of the lost time, the project was to use a rapid application development methodology. This is unlike traditional waterfall development - which follows a strict sequence of events from definition of requirements, to design, to build and, finally, to test. Instead, rapid application development allows these stages to proceed in parallel and parts of the project to be delivered in different phases. While this allows a faster delivery, it also entails greater risk.

Furthermore, EDS only had an understanding of Sky’s high level business requirements. There was no functional specification or technical architecture design. These were to be developed post-contract.

Unfortunately, the project soon ran into difficulties and an amendment was signed in July 2001. However, the problems of the compressed and highly parallelised timetable remained. Arthur Andersen, to whom EDS had subcontracted the requirements work, and Sky were unable to produce suitably detailed requirements. This meant EDS could not adequately develop the architectural design, which held up the detailed design work and ultimately compromised the development of deliverable code. Again, things came to a head. SSSL and EDSL signed a memorandum of understanding in March 2002, following which Sky took over EDS’s role on the project.

Proceedings were launched in August 2004 and, by the commencement of the hearing, Sky was claiming damages of £709 million for a range of matters, including the costs of finishing the system implementation, lost profits due to its inability to reduce its customer churn and loss of anticipated savings due to its inability to reduce call rates to its customer care centre.

Concurrent causes of action

SSSL had a prima facie action against EDSL for breach of contract. However, the Prime Contract contained a limitation clause capping EDSL’s liability at £30 million. Recovery of the outstanding amounts would require an alternative cause of action. The additional claims were:

> by SSSL against EDSL for intentional misrepresentation (deceit) and negligent misrepresentation, both at common law and under the Misrepresentation Act 1967. The claim for negligent misrepresentation was subject to the cap of £30 million but the claim for intentional misrepresentation was not. Accordingly, this was a core part of Sky’s case. A claim in misrepresentation would also entitle damages to be claimed on a tortious “but for” basis allowing greater recovery than damages on a contractual basis;

> by BSkyB against EDSL for intentional misrepresentation and negligent misstatement. This would allow recovery of unlimited damages as BSkyB was not party to the Prime Contract and therefore not bound by the liability cap; and

> by SSSL and BSkyB against EDSL’s parent, Electronic Data Systems Corporation (“EDSC”), for intentional misrepresentation and negligent misstatement. This would also allow recovery of unlimited damages as EDSC was also not party to the Prime Contract and therefore did not benefit from the liability cap.

Tortious claims by, or against, non-parties

The latter two claims relate to an issue that arises quite commonly in practice. When two large groups contract, does the supplier have non-contractual liability to other members of the customer’s group? Do the supplier’s group companies have non-contractual liability to the customer and its group companies?

In this case, Ramsey J. found that no such duties arose as it would be inconsistent with the contractual framework for liability agreed by the parties. He paraphrased the test approved by Lord Goff in Henderson v Merrett [1995] 2 AC 145: “An alternative liability in tort will not be admitted if its effect would be to permit the plaintiff to circumvent or escape a contractual exclusion or limitation of liability for the act or omission that would constitute the tort”. The only exception was any liability EDSL might have to BSkyB for intentional misrepresentation, as this fell outside the contractual exclusions of liability.

Tortious claims against EDSL

To claim damages beyond the £30 million cap, Sky would therefore need to show there was an intentional misrepresentation by EDSL to Sky. To do so, it had to demonstrate:

> EDSL made a false representation;

> EDSL knew it to be untrue or was reckless as to whether it was true;

> EDSL intended Sky to rely on that representation; and

> Sky did in fact rely on that representation.

In support of these claims, Sky put forward five alleged representations regarding the resourcing, timing and cost of the implementation, the proven nature of the technology and the methodologies employed. Four of the claims were dismissed, though it is worth considering aspects of one of them (referred to in the judgment as the Greater Resourcing Representation) to show the extent to which a pre-contractual statement can be re-interpreted in order to found a claim. The fifth claim, relating to the timing for completion of the project, succeeded.

The resourcing representation

The Greater Resourcing Representation was said to arise primarily from a letter to Sky stating “We have the resources and ability to deliver the systems and services you require” and a further email stating “EDS is ready to start this project as of Monday 17 July. We have the resources reserved for this project”. This was alleged to be a representation by EDS that it had identified all of the personnel required for the project, they were available and were reserved for the project.

The judge dismissed this contention as unreasonable and not consistent with the commercial context. Sky knew that there were still significant uncertainties as to the scope of the project and these would continue until the requirements were fully defined after signature of the contract. There is a “cone of uncertainty” with the effort and cost of the project only becoming more certain as the project passes through its development cycle (see "Software Estimation: Demystifying the Black Art" by Steve McConnell). For a large and complex IT project it is not possible to identify and reserve all resources at an early stage.

Accordingly, any reasonable person at Sky would not have understood EDS to have made the Greater Resourcing Representation and this particular claim failed.


The timing representation

EDS was also said to have made representations, prior to the letter of intent, as to the time for delivery of the project. Its response to the ITT contained, amongst other things, a timetable with a go-live date for a prototype in nine months’ time and a statement that they would provide the new system “on time and on budget”. The judge accepted this was a representation that not only did EDS believe this work would be achievable in nine months but EDS:

> had carried out a proper estimation of the time it would take to complete the work; and

> had reasonable grounds to believe it could be completed in this timeframe.

The conclusions here are more interesting. There was only a set of high level requirements for the project and no functional specification. The project was also to use a rapid application development methodology, meaning an iterative approach to development in which each phase depends on the last, so the scope of the project would change as it went on. The judge himself concludes later on that there is “no doubt that the cone of uncertainty reflects the fact that software estimates made at an early stage have inherent uncertainties” and quotes from Software Estimation: Demystifying the Black Art that during “"Initial Concept" there is a range of uncertainty of 4 to 0.25 times the estimate”. In light of this there would be real difficulties in making a proper estimation of time. Sky would have been well aware of this and, in fact, the signature of the letter of intent was followed by a joint planning exercise between Sky and EDS to further scope out the work and timetable for the project before signature of the Prime Contract. All this points to the representations being nothing more than a statement that the project might be possible in that timeframe. However, this was not found to be the case. What might be seen as a “mere puff” had become a hard commitment.

Having found such a representation, the judge also decided it was false and made without belief in its truth. While EDS had prepared some plans and had experience from other recent projects, this was insufficient to show a proper estimation of time had been made. Moreover, EDS knew this to be the case when the representation was made to Sky.

This conclusion largely stems from the fact that Joe Galloway, an employee of EDSL at the time of the bid, was found to have given perjured evidence about his academic qualifications and, thus, his “credibility was completely destroyed”. While this did not, in itself, prove he had made dishonest representations, it placed a considerable evidential burden on EDS to disprove these allegations. In practice, it was unable to do so.

This left Sky with the need only to prove inducement and reliance. Given Sky’s desire to complete the project as rapidly as possible, this was found to be the case.


EDS’ position was not helped by the narrow drafting of the entire agreement clause in the Prime Contract. While this prevented pre-contractual statements from being incorporated into that contract it did not contain a “non-reliance clause”. A non-reliance clause would have avoided the claim for negligent misrepresentation and may have been of some assistance with the claim for intentional misrepresentation. In Watford v Sanderson [2001] EWCA Civ 317, Chadwick LJ recognised that a party could use a non-reliance clause to set up an evidential estoppel for misrepresentation claims so long as certain criteria were met including a belief that the other party was not, in fact, relying on the representations. Alternatively, as is suggested in Cremdean v Nash (1977) 241 EG, the clause is effective in avoiding liability for representations, subject only to the reasonableness test in the Unfair Contract Terms Act 1977. In either case, the addition of a non-reliance clause would have been helpful.

There were also further representations on timing after the letter of intent but before the Prime Contract was entered into. During this period there had been further work to flesh out the project via the joint planning process between EDS and Sky which led to the proposed timetable being extended and subsequently shortened. This led to strong doubts within Sky, and strong disagreements within EDS, as to whether the shortened timetable was achievable, as evidenced in documents such as EDS’ Red Team Report. However, the judge found that when Joe Galloway represented that the shortened timetable was achievable, he did not believe that was the case and Sky had relied on those statements. This too was an intentional misrepresentation.

Sky’s position “but for” the misrepresentation on timing

So what would Sky have done but for the misrepresentation on timing? How would Sky have reacted if EDS had stated it was unable to give a firm commitment on the delivery date? This was a question of whether, on the balance of probabilities, Sky would have appointed the alternative tenderer, PwC. The following factors were important in this assessment:

> PwC would have deployed a Siebel system, as opposed to the Chordiant solution proposed by EDS. Sky had a strong preference for Chordiant;

> Sky was motivated by functionality, cost and time. Given the commitments made in February 2000, time was particularly important; and

> PwC’s tender suggested a go-live date similar to that of EDS.

Weighing these factors up, the judge found that Sky would have selected PwC in place of EDS because of the firm go-live date. Again, this conclusion is interesting. PwC’s tender gave no firm commitment to either timescales or prices beyond an initial eight-week scoping period, nor does it seem likely that it could have given a firm commitment given the lack of a detailed specification for the work. Sky’s own analysis of PwC’s tender was that the timings were “extremely aggressive” and the judge found that, had they been selected, PwC would not have achieved go live until February 2003, over a year after the go-live suggested in its tender. Sky would surely have sought firm deadlines from PwC, which PwC would have struggled to provide at that stage, and not simply accepted an indicative view on timing in its tender.

Damages “but for” the misrepresentation

The conclusion that Sky would have selected PwC left the court with a formidable challenge regarding quantum. In relation to the timing representations it was necessary to determine:

> when PwC would have implemented its alternative Siebel system. This required detailed work by a number of experts on a range of matters such as function point analysis and the technical fit between Siebel and Sky’s requirements. As discussed above, the conclusion was PwC would have gone live in February 2003;

> the loss Sky suffered as a result of not having enhanced functionality between February 2003, the date the PwC Siebel system would have been available, and September 2005, the date that functionality was available to Sky under the system actually developed (or March 2006 for existing customers). The losses primarily derived from Sky’s inability to reduce customer churn and its inability to reduce the number of calls to its customer care centre; and

> the additional costs incurred by Sky in developing its system, relative to the system that would have been provided by PwC.

The exact level of damages has not yet been determined, but Sky claims it will be in the region of £200 million and there are reports that an interim costs order of £200 million has already been made.

Implications for the outsourcing industry

While hailed as a “landmark judgment”, the case does little to develop the law in an area which is already well established. For example, intentional misrepresentation is based on common law principles established over 200 years ago and examined frequently by higher courts in the meantime. Even its use in an outsourcing dispute is not novel, as evidenced by South West Water v ICL [1999] B.L.R. 420 in which ICL was found to have made misrepresentations about the availability of a subcontractor.

However, the judgment does provide a salutary lesson about the application of these laws to outsourcings, such as the risk of pre-contractual statements being interpreted out of context. One example is Sky’s unsuccessful allegation that EDS’ statement “we have the resources” meant it had identified and reserved all of the resourcing needed for the entire project, prior even to contract signature or agreement on scope (see above).


More importantly, the judgment shows these statements may be taken at face value, and more than mere puffing, even where the underlying commercial situation makes it unlikely that either party has any real belief in their truth. The salesman may feel there is a common understanding the statement is not to be relied upon but proving that is the case may be more difficult.

In light of these conclusions there are a number of points suppliers may wish to consider (to the extent they have not done so already):

> entire agreement clauses should be reviewed to ensure they also contain statements of non-reliance and a waiver of non-contractual remedies. The effectiveness of non-reliance clauses against claims for intentional misrepresentation remains unclear (see above) but they may still be helpful. A wider use of non-reliance statements on pitches and other sales documents may also be wise;

> risk reviews and post-contract performance assessments should, to the extent possible, be conducted so as to avoid damaging concessions. For particularly high risk contracts it may be possible to conduct the review in a manner that attracts privilege. In the current case, a number of reports, including EDS’ “Red Team Report”, contained material that was unhelpful to EDS;

> greater care should be taken over pitch documentation, both in terms of the wording and the extent to which customers ought to be able to rely on it (non-reliance clauses will be of assistance here). While this may involve some legal review, this is more a question of educating the sales team about the risks attached to unfounded comments. To suggest that all documentation produced as part of the sales process is subject to legal review is unrealistic in many cases and, as this case shows, statements made in informal correspondence, such as emails and telephone calls, can be equally damaging.

Finally, both customers and suppliers should consider the dangers of chasing unrealistic timetables and the benefits of greater openness on both sides when planning projects of this scale. If the decision leads to franker upfront discussion about the time and effort really necessary to complete a project then at least some good will have come from this dispute.

By Richard Cumbley and Peter Church, London


Author: Peter Church

This publication is intended merely to highlight issues and not to be comprehensive, nor to provide legal advice. Should you have any questions on issues reported here or on other areas of law, please contact one of your regular contacts, or contact the editors.

© Linklaters LLP. All Rights reserved 2010

Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. The term partner in relation to Linklaters LLP is used to refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP together with a list of those non-members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ or on www.linklaters.com and such persons are either solicitors, registered foreign lawyers or European lawyers.

We currently hold your contact details, which we use to send you newsletters such as this and for other marketing and business communications. We use your contact details for our own internal purposes only. This information is available to our offices worldwide and to those of our associated firms. If any of your details are incorrect or have recently changed, or if you no longer wish to receive this newsletter or other marketing communications, please let us know by emailing us at [email protected].

Contacts

For further information please contact:

Tanguy Van Overstraeten Partner

(+32) 2501 9405

[email protected]

Peter Church Managing PSL

(+44) 207456 5495

[email protected]

One Silk Street

London EC2Y 8HQ

Telephone (+44) 20 7456 2000 Facsimile (+44) 20 7456 2222

Linklaters.com