Businesses and other institutions collect and generate vast amounts of data about the individuals with whom they come into contact, including users, customers and employees. Many organisations hold records relating to millions of individuals. Some of this data is highly confidential; and the theft or unauthorised disclosure of even non-confidential data can cause real damage. Security incidents involving personal data are reported in the media every day.
The GDPR should enhance the protection of personal data across the EU and beyond. That's one of the core functions of the legislation - along with improved harmonisation of data protection law within the EU. However, having spent much of the last 9 months helping clients to prepare for the GDPR, I'm concerned that the new law may have some material negative effects on privacy protection. In this post I highlight some of these unintended consequences.
Bringing data protection into disrepute
Article 28(2) GDPR provides that a processor of personal data "shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes."
This provision is puzzling in (at least) two respects.
The GDPR*, which will come into force on 25 May 2018, represents a major evolution in EU data protection law. Data subjects' rights are strengthened across the board, with a concomitant toughening of obligations for data controllers and data processors.
The Consumer Rights Act 2015 comes into force on 1 October 2015. The Act has far-reaching implications for businesses providing goods, services and digital content to consumers. I've just finished updating the templates on www.website-contracts.co.uk to take account of the new rules. The updated documents are listed below.
Back in October 2012 I wrote this post on the different relationship models that may be used in software-as-a-service (SaaS) channel partner agreements. To my surprise, the post provoked quite some interest. Since 2012, I've drafted and negotiated many more such agreements. Nonetheless, I still find that SaaS reseller agreements can be tricky; and if the initial approach isn't right, you can waste a lot of drafting and negotiation time.
EDIT: the first version of the software is now available (including lots of free documents) here: https://docular.net.
I've been working for the past 2 years on a web-based software system to store contract text and legal drafting knowledge in a modular fashion, and to make the production of legal templates and documents based on that text and knowledge as efficient as possible. The system automates everything that can be automated in the document production process.
Written contracts covering the provision of software support services often incorporate some kind of service level agreement, or SLA for short. If you have been tasked with preparing or negotiating a software support SLA, and are looking for some guidance, this post should help you.
SLAs may cover more than just software support services. For example, where hosting, hosted services and/or software maintenance are being provided, an SLA may also cover aspects of those services. For the purposes of this post, however, I look only at support services.
The term EULA is widely abused: I've just finished a telephone conference where it was applied, by someone who should know better, to a proposed contract covering not only licensed software but also hosted software services, consultancy, support and much else besides. I therefore want to clarify what I mean by EULA and "end user".
The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 are coming into force next week. They include a detailed list of information that a trader must provide to a consumer in situations where the Regulations apply. Should you use the model instructions on cancellation to help you comply with this requirement, or should you draft special legal clauses for your contracts?
The list of information that must be supplied is set out in Schedule 2, and includes the following items: