11 minute read
The Importance Of Notice Clauses In Share Purchase Agreements
Massive change is coming, and tech is going to play a crucial role in determining whether law firms thrive or fail. At Shoosmiths we are very firmly standing behind SuperTech in supporting its goal of allowing greater integration of technology in law and the wider professional services community.”
David Stewart, Group Chief Operating Officer at Wesleyan and co-lead for the finance cluster within SuperTech, said: “ProfTech, like FinTech, is an emerging sector with enormous potential to scale. Having undertaken a number of studies into FinTech, which in just a few short years is now worth £411.7 million per annum to the West Midlands economy, we’ve identified three ways in which we can facilitate growth - access to businesses, access to technology and access to talented people.
“SuperTech combines all three, by connecting technology firms with the major professional services businesses we have across the region.”
David continued: “For established organisations like ourselves, involvement in SuperTech gives us access to the region’s emerging tech talent and latest developments. While tech firms, whether focused on finance, property, law or insurance, can find new ways to solve business issues and gain direct access to a sector that is worth almost £28bn – 26.5% of the total regional economy.”
In a further move to support the growth of professional services technology in the region, a partnership between the Investment Association and Wesleyan has established Europe’s largest asset management FinTech hub, The Engine Room, in Birmingham.
FOUR LAWTECH INNOVATIONS AND APPLICATIONS WITH LINKS TO THE WEST MIDLANDS:
SOLOMONIC - WARWICK
Solomonic offers a statistical analysis platform to equip litigation lawyers, their clients, funders and counsel with vital information to inform and enhance decision-making and advice throughout a legal case. Developed in partnership with Warwick Business School at the University of Warwick and qualified solicitors and barristers, the platform uses machine learning to analyse judgements order and other court documents to provide valuable data points for analysis. This information can then be used by legal firms to predict case outcomes, or by clients to research experts with the most experience in a field.
CLARILIS - WARWICK
Specialising in complex document automation, Clarilis offers the legal sector a simple, straightforward and efficient way to prepare contracts and other documents through its online platform solution. Launched in Birmingham in 2015 by brothers James and Kevin Quinn, the company has grown from strength to strength, with a client roster including 30 of the UK’s top 100 law firms. 2020 saw Clarilis open a new office in Singapore, marking the start of ambitious plans for further global reach targeting the South-East Asian, Australian and Canadian markets.
ENGINE B – WEST MIDLANDS REGION
Engine B is a co-created professional services enterprise that aims to create industry standards for data access and open up the marketplace for a more diverse range of clients to enter the sector. The University of Birmingham is among the consortium’s first academic partners helping to develop the standardised methodology. Currently working with accounting firms, the organisation is seeking to create an artificial intelligence-led platform that will help the industry analyse client data for audits to produce a more accurate process, help identify fraud and financial misstatements.
GOWLING WLG - BIRMINGHAM
Global leading law firm Gowling WLG is taking major steps to introduce technology within its legal services for the real estate sector. Working in partnership with AI technology partners Avail, the firm has enhanced its client services through a number of technology solutions. Its Title Register Review App allows instant reporting on Official Copies to allow lawyers rapidly to identify issues within a property portfolio and advise a client, while the firm’s Property Searches App extracts key information from multiple documents about a property to quickly create a summary report and increase the efficiency of its legal services for clients.
FIVE KEY PROFTECH STATS:
The region is home to more than 53,000 Business, Professional and Financial Services (BPFS) companies employing 358,200 people, making it the most significant business hub outside of London. (ONS)
Generating £27.8 billion GVA annually, BPFS represents the region’s largest sector, responsible for almost a third of its total GVA, with a value that is forecast to double to £50bn over the next 10 years. (Productivity and skills commission, CityRedi, 2018).
The West Midlands is home to the largest regional tech and digital cluster outside of London with 72,700 people employed across 12,550 tech and digital companies. (ONS)
The region’s newly established FinTech sector boasts 122 companies, 46% of whom are classified as scaleups.
The West Midlands’ 12 universities contain 50 tech-related centres of excellence and deliver over 66,000 graduates every year. (HESA).
OPINION
THE END OF PRIVACY SHIELD & NEW REQUIREMENTS FOR STANDARD CONTRACTUAL CLAUSES: WHAT ‘SCHREMS II’ MEANS FOR YOUR INTERNATIONAL DATA TRANSFERS
In July 2020, the European Court of Justice dealt a major blow to organisations that transfer personal data to the US and other jurisdictions, primarily with the striking down of the EU-US Privacy Shield. The judgment also raised wider concerns for organisations relying on Standard Contractual Clauses (SCCs).
In this article, Penny Bygraves of Veale Wasbrough Vizards LLP considers what this actually means for organisations within the Pharmaceuticals and Life Sciences sector who export personal data to the US and beyond and what the implications are for data transfers into the UK, if the transition period with the EU ends without a decision that the UK's data protection laws are adequate.
Implications for the Pharmaceuticals and Life Sciences Sector in the UK
Improving data transfers (eg by improving efficiency with which clinical trial results are shared or increasing the size of biobank populations) has been identified as key to ensuring the continuation of rapid developments we are seeing in the fields of predictive diagnostics, medicines and therapeutics. For example, the new NHS England Genomic Medicine Service (offering future opportunities for cell and gene therapies) will benefit from access to the latest cutting edge technologies, which empower scientists (through better integration of data) to discover more efficient medicines faster. We have seen this already in the clearer targeting strategies and reduction in clinical trial lengths demonstrated in the context of the coronavirus (COVID-19) vaccine. These demands are to be considered amongst a developing regulatory landscape.
Organisations operating within the Pharmaceuticals and Life Sciences sector will need to review any specific arrangements where they rely on the Privacy Shield, or the SCCs, to permit transfers of personal data outside the UK. This includes within group structures, as well as third party IT outsourcing and cloud storage arrangements. They should consider whether an adequacy assessment needs to be carried out and/or whether supplemental measures need to be implemented.
In particular, organisations need to look out for arrangements with large corporations who provide cloud services, or otherwise store or transfer data (such as Google or Microsoft), to see if they have updated their data protection terms. Often, these will require organisations to take some form of action to ensure that they are valid and apply to their agreement, so be aware that you may have to click a link, or request a specific agreement/ set of terms in order to comply.
The Legal Background to the Schrems II Decision
Under data protection law in the UK, organisations cannot transfer personal data outside of the UK or the EEA, without ensuring that the personal data is safeguarded in the same way that it would be if it remained in the EEA or UK. There are some exceptions to this (such as where the individual has provided explicit consent to the transfer, after being made aware of the risks), but most large scale transfers rely on one of the following methods of securing equivalent protections.
The first of these is where the EU has issued an "adequacy decision". This means that the EU has assessed the laws of the relevant country and declared that they provide sufficient protections to allow a transfer.
Other options include SCCs, or Binding Corporate Rules (BCRs), both of which seek to place contractual safeguards on data being transferred which offer
equivalent protections.
The US does not have an adequacy decision as such, but it did have the Privacy Shield. This was a voluntary code that US organisations could sign up to, which purported to ensure information protection met EU standards.
The Decision
The Court found that the law in the US around surveillance and general privacy of citizens meant that, effectively, US organisations could not guarantee equivalent protections to personal data, even when complying with the Shield.
This means that organisations in the EEA (and the UK) can no longer rely on the Shield to transfer personal data to the US. Organisations can still rely on SCCs and BCRs in principle. However, organisations are required to carry out an assessment to ensure that safeguards are in place and put in place supplemental measures where appropriate.
What Are the Options?
All international transfers that rely on SCCs or BCRs will need an assessment of the protections offered by the law of the recipient country, with a conclusion that the level of protection offered by the SCCs or BCRs is equivalent to that provided by the GDPR, or details of additional safeguards that have been put in place. and guidance on European data protection law - has recently published guidance on what this assessment might look like and what sorts of safeguards could be put in place following the assessment (if the third country is deemed inadequate). It stresses that any assessment, or additional necessary safeguards identified, should be considered on a case-by-case basis as there is no 'one-size-fits-all' solution.
How to Carry Out an Assessment
Whilst not being definitive, the guidance does set out some key requirements which should be met and also identifies some key steps in the process. For example:
The exporter (ideally with the help of the local importer) must identify any laws or practices in the third country that undermine the effectiveness of the specific safeguard relied upon (ie SCCs).
The EDPB has provided a non-exhaustive list of information sources which could be relied on when carrying out the assessment, including resolutions and reports from intergovernmental organisations and UN bodies. The assessment should focus on the particular transfer in question and the specific transfer tool relied on, ie it need not become an assessment of the entire data protection landscape in the third country.
The assessment must be thoroughly documented to ensure that you can demonstrate the basis for the decision that was taken, when required.
What If the Assessment Deems the Third Country 'Inadequate'?
If the assessment determines that local laws undermine appropriate safeguards, then unless 'supplementary measures' can be put in place, the transfer must not go ahead, or if already being carried out, then the transfer must be suspended or terminated.
Supplementary Measures
These are measures which may be adopted to raise the protection level to the EU standard and otherwise permit the transfer (despite the third country being deemed inadequate).
The EDPB has provided a non-exhaustive list of what these measures may include, such as encrypting the data and ensuring 'encryption keys' are managed and retained solely outside of that third country by the exporter and/or adopting additional contractual safeguards, requiring the recipient to resist requests from law enforcement agencies.
However, such options may not be practical in many cases. For example, encryption may work if the data is simply being stored in the US but not if it needs to be accessed or viewed there. cautiously to avoid amounting to definitive solutions and the EDPB reiterates that each data sharing scenario must be considered on a detailed case-bycase basis to determine what (if any) supplementary measures are appropriate in the circumstances.
Not a 'One-Off' Requirement
The guidance states that the protection afforded to data in the third country should be continuously monitored on an ongoing basis to ensure there have been no developments that may reduce the protection. What this specifically requires is not specified - for example, does this require repeat assessments, or how frequently should this be re-examined?
This is Likely to be Hugely Costly and Impractical for Organisations, So What Else Can Be Done?
The UK's data protection regulator, the Information Commissioner's Office (ICO), has confirmed that it will continue to regulate using a risk-based and proportionate approach and is still considering the effect of the decision.
Organisations should consider taking stock of their international transfers and reviewing any that might be high risk. Where personal data is clearly at risk, action should be taken to mitigate this where possible, such as encrypting the data and otherwise looking at where supplementary measures may be needed and what these could be.
What Will Be the Impact of Brexit?
In the event of a 'no-deal-Brexit', and there being no 'adequacy decision' forthcoming from the European Commission in respect of the UK, then there will be imminent action required - which organisations should start thinking about now. If SCCs are relied on, you should prepare to be involved in an adequacy assessment, for example, if requested by your EEA partner. Now is the time to consider how these requirements will be met, such as the practicalities of carrying out and documenting the adequacy assessment, whether to put in place SCCs for transfers into the UK, as well as identifying and adopting any necessary supplementary measures required.
We have focused on recent developments around international data transfer requirements. However, regardless of whether the UK gets an adequacy decision, there will likely be additional steps that you will need to take for data protection compliance following the end of the Brexit transition period. For example, some organisations may need to appoint a representative in the EU and make changes to their data protection documentation.
