DATE DOWNLOADED: Thu Aug 4 21:55:54 2022

SOURCE: Content Downloaded from HeinOnline

Citations:

Bluebook 21st ed.

Suzanne Mercer, Data Protection and E-Commerce in the UK, 4 INT'l J. Franchising L.
20 (2006).

ALWD 7th ed.

Suzanne Mercer, Data Protection and E-Commerce in the UK, 4 Int'l J. Franchising L.
20 (2006).

APA 7th ed.

Mercer, S. (2006). Data protection and e-commerce in the uk. International Journal of
Franchising Law, 4(1), 20-25.

Chicago 17th ed.

Suzanne Mercer, "Data Protection and E-Commerce in the UK," International Journal of
Franchising Law 4, no. 1 (2006): 20-25

McGill Guide 9th ed.

Suzanne Mercer, "Data Protection and E-Commerce in the UK" (2006) 4:1 Int'l J
Franchising L 20.

AGLC 4th ed.

Suzanne Mercer, 'Data Protection and E-Commerce in the UK' (2006) 4(1) International
Journal of Franchising Law 20

MLA 9th ed.

Mercer, Suzanne. "Data Protection and E-Commerce in the UK." International Journal of
Franchising Law, vol. 4, no. 1, 2006, pp. 20-25. HeinOnline.

OSCOLA 4th ed.

Suzanne Mercer, 'Data Protection and E-Commerce in the UK' (2006) 4 Int'l J
Franchising L 20

-- Your use of this HeinOnline PDF indicates your acceptance of HeinOnline's Terms and
Conditions of the license agreement available at
https://heinonline.org/HOL/License
-- The search text of this PDF is generated from uncorrected OCR text.
-- To obtain permission to use this article beyond the scope of your license, please use:
Copyright Information
I FEATU RE
Data Protection and E-Commerce in
the UK
by Suzanne Mercer, Partner, Technology Group, Eversheds LLP, London
This article looks at two separate issues that are ikely to affect most franchise businesses - the laws which deal
with data relating to individuals and to internet trading.
Part 1 of this article looks at data protection and
reviews the principal ways in which the Data Protection
Act 1998 ('the Act') impacts on franchising. It considers
the measures that franchisors and franchisees should
put in place to ensure that they are acting within the law
when dealing with an individual's personal information.
Part 2 looks at e-commerce, that modern day phenomena
which has become an embedded part of our culture;
today, even technophobes must learn how to surf. This
part looks at the legal issues which all businesses must
consider when using the internet as a sales tool.
Part 1: Data protection
Why the Data Pot ,ion Acl.?
Data protection law applies to all businesses and is not
franchising specific. As far as franchising is concerned, it
will govern the way franchisors deal with data
concerning their employees, customer contacts,
suppliers and franchisees. In the UK, the primary piece
of data protection legislation is the Data Protection Act.
The Act gives effect to a European Data Protection
Directive. This means that similar data protection laws
can be found throughout the EU Member States,
although there will still be differences between them.
Vhe dros Act apply?I
In simple terms the Act applies whenever personal
data is processed by a commercial organisation.
Personal data is any data from which a living
individual (i.e. the definition excludes companies) can
be identified, whether from the data itself, or from the
data and other information in the possession of the
person handling the data. It may comprise an
www.richmondLawtax.com
individual's name and address, an e mail address, a
photograph, CCTV footage, or other details from which
the individual can be identified. In data protection terms
the individual is called the data subject. Examples of
personal data that may be used in connection with a
franchise are details of customers, suppliers, employees
and even the franchisee where he is a sole trader or
partnership. Where the customer, supplier or franchisee
is a company then the details held about the franchisor's
contacts at that company would be personal data.
Processing includes obtaining, recording or holding
data or carrying out any operation or set of operations
on that data including editing or erasing it, retrieving or
consulting it or disclosing it to someone else. The Act
also applies to certain manual records containing
personal data, where these are held as part of a filing
system from which personal data can be readily
accessed. The person who controls the processing is
called the data controller.
The broad nature of the definitions of personal data
and processing mean that virtually every business in the
U.K. is potentially subject to the Act. Both franchisors
and franchisees are likely to be data controllers.
(
How dots it affect ra(chisixg?
The two most important aspects of the Act are:
1. the restrictions it places on the 'processing' of
personal data. These restrictions are contained in the
eight data protection principles set out below; and
2. the rights granted to 'data subjects'.
T-1 Egh Data Protection Pricpe
The Act requires data controllers to comply with eight
data protection principles, see box.
 UK DATA PROTECTION
1. Personal data shalt be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified
and lawful purposes and shall not be further processed in any
manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in
relation to the purpose for which it is processed.
4. Personal data shall be accurate and, where necessary, kept up to
date.
5. Personal data processed for any purpose or purposes shalt not
be kept for longer than is necessary for that purpose or those
purposes.
6. Personal data shall be processed in accordance with thie rights
of data subjects under the Act,
7. Appropriate technical and organisational measures shalt be
taken against uniauthorised or unlawful processing of personal data
and against accidental loss and destruction of, or damage to,
personal data.
8. Personal data shall not be transferred to a country or territory
outside the European Economic Area unless that country or territory
ensures an adequate level of protection of the rights and freedoms of
data sub~jects in reltion to th procssing of personal. daa
Rights of dat sujet
Data subjects (i.e. those individuals to whom the
personal data relates) are afforded various rights under
the Act. They have the right to:
* have access to personal data records held about
them;
* prevent personal data being processed;
* be informed about and object to automated
decisions being taken about them;
* have inaccurate personal data corrected or erased;
-
and
* compensation for damage caused by contravention
F of the Act.
What are the coiscuc ices, oli no-oafa ic.?
There are a number of potentially serious
consequences if a business fails to comply with its
- legal obligations. These include:
toCommission of a criminal offence.
The Act creates a number of criminal offences, for
Sexample unlawful obtaining or disclosure of personal
AND E-COMMERCE
data, selling and offering to sell personal data and
processing without a notification (see below).
The Information Commissioner is charged with
enforcing and overseeing the Act and can do this by
serving a notice on businesses who fail to comply with
their statutory obligations, requiring them to do so
within a specified time limit. Failure to comply with a
notice within the specified time limit results in a
criminal offence.
* Payment of compensation
An individual who suffers damage as a result of a
breach of the Act is entitled to compensation from the
data controller for that damage including, potentially,
for any distress suffered.
0 Damage to reputation
Privacy breaches are quick to hit the headlines, and
any actions brought by data subjects have the potential
to be extremely detrimental to a business' reputation.
This is particularly the case as the Act goes hand in hand
with the Human Rights Act.
What do bus.,ese eed to do?
File a notification
Subject to limited exceptions, all data controllers are
required to file a notification with the Information
Commission, which is the government office
responsible for overseeing the operation and
enforcement of the Act. The notification must indicate
what data is to be processed and for what purpose. In
the UK, unless an exemption from notification applies,
it is a criminal offence to process data without having a
valid notification in place.
Comply with the eight data protection principles
1st principle: Personal data shall be processed fairly
and lawfully
Data controllers must ensure that whenever personal
data is collected, the person to whom it relates is aware
of the identity of the person processing it and the
purpose of the processing.
The Act sets out preconditions that must be met
before data can be processed lawfully. Whenever data is
processed one of the conditions set out in Schedule 2 of
the Act must be satisfied. Relevant conditions include
that the processing is necessary for the performance of a
contract to which the individual is a party, or that they
have consented to the processing. In practice, the data
subject's consent will usually need to be obtained before
his data can be processed.
Furthermore, where sensitive personal data is
processed, one of the conditions set out in Schedule 3
of the Act must also be satisfied. Sensitive personal data
www.richmondlawtax.com
UK DATA PROTECTION
means information about an individual's racial or ethnic
origin, political opinions, religious or similar beliefs,
membership of a trade union, physical or mental health
or condition, sex life and commission or alleged
commission of any offence and any related court
proceedings, including the disposal of or sentence in
those proceedings. For example, a file note that a
customer should be served kosher food at marketing
functions would constitute sensitive personal data as
this would indicate that he is of the Jewish faith. In this
example, the business would need to obtain the
customer's explicit consent to the processing of such
data for those purposes.
It is important to remember that 'processing' includes
the transfer of data from one person to another.
Considerations to note include:
- Franchise agreements often require the franchisee to
pass customer details to the franchisor, particularly at
the end of the franchise. If this transfer is not strictly
necessary for the performance of the franchisee's
contract with the customer, then the customer's
consent to the transfer will normally be required.
- The Act will still apply in relation to transfers of
personal data where a franchise is sold from one
franchisee to another. Personal data can usually be
transferred in the context of such a sale but the issues
involved are beyond the scope of this article.
2nd principle: Only use personal data for the specified
and lawful purposes
Franchisors and franchisees should not assume that
because data is lawfully held in respect of one purpose
that they are entitled to use the same data for another
purpose. For example, a car rental franchisee may hold a
customer's details in order to have a record of a
customer's booking for a hire car the following month.
This processing will be legitimate since the processing is
necessary to fulfil the car rental contract with the
customer. However, can the franchisee contact the
customer with details of a special offer that will apply
the next time he makes a booking? The answer to this
question is 'no' unless the franchisee has the customer's
consent to contact him for marketing purposes.
3rd principle: Personal data held shall be adequate,
relevant and not excessive
The days of all encompassing lifestyle questionnaires
are probably gone and you cannot simply hold personal
data because it might come in handy some time in the
future. Businesses should ask themselves question: 'Do I
really need this personal data?'
Franchises should not adopt a 'one template fits all'
approach. For example, the template for a household
contents insurance application is likely to require
different personal information to one for car
www.richmondLawtax.com
AND E-COMMERCE
insurance. Does the franchise need to know its
customers' age, income and profession in order to
perform its contract with them? If not, it should either
not ask for this data or, where such data is desired for
profiling or another purpose, the customer must be told
that this information is optional and what the business
will do with the information should the customer
choose to disclose it.
4 th principle: Personal data shall be accurate and,
where necessary, kept up to date
The Act requires data controllers to exercise good
database management. After all, a database is only as
good as the data in it. Where the personal data held is
not kept as a purely historic record then businesses need
to review their records on a regular basis and prompt
customers, suppliers and employees (as appropriate) to
check and update their details to ensure that they are
kept accurate.
If the franchise is of the type that does not interact
with its customer on an on-going basis, then the
franchise's processes will need to be reviewed to make
sure that steps are in place to update live personal data.
For example, bank statements often contain a change of
address form on each page so it is easy to fill in the
information.
5 th principle:Personal data shall not be kept for longer
than is necessary
Technological advances have made storage of vast
quantities of data both convenient and easy. Lack of
storage space is no longer an issue when data which
would previously have filled a room can now be
retained on a couple of small disks. The temptation
simply to retain and archive data that is no longer
needed is great. However, this temptation must be
resisted and franchisors and franchisees should devise
and maintain a document retention policy. The general
rule is that, for data protection purposes, records should
not be retained beyond the life of the contract to which
they relate. However, this principle will need to be
balanced against the business' other legal obligations,
for example, to maintain records for tax purposes and
for evidentiary purposes should a claim be received in
the future, etc. These issues will all need to be
considered and a reasoned plan for the retention and
future destruction of documents put in place.
6th principle: Personal data shall be processed in
accordance with the rights of data subjects
Data controllers need to be alive to the potential of
data subjects to exercise their rights referred to above.
Access requests, in particular, can be expensive and
time consuming. As a general rule, data controllers must
provide the information requested by individuals within
40 days of receipt of their request. This can involve
trawling through numerous electronic and manual
 UK DATA PROTECTION
databases to find the relevant information. The data
controller must then assess the information to see if it
can legitimately be provided to the data subject or if
there are reasons why it could refuse to grant access to a
data subject's records.
7 th principle: Appropriate technical and
organisational measures shall be taken against
unauthorised or unlawful processing of personal data
and againstaccidental loss and destruction of, or damage
to, personal data
Data controllers are required to take appropriate
security measures to protect the personal data that they
hold. Appropriate security must then be implemented
from both an organisational and technical standpoint.
- Organisational security requires franchisors and
franchisees to train their staff in how to deal properly
with personal data. To comply with this principle,
businesses should generally devise and implement a
data protection policy dealing with the use of personal
data within the organisation.
- Technical security means that the information must
be technically secure, i.e. password protected,
screensavers used, HR files under lock and key,
encryption and firewalls.
The seventh principle also includes special
requirements for the appointment of data processors.
Data processors are any third party who process
personal data on your behalf, for example mailing
companies, the company to whom the business may
have outsourced its payroll, etc. In certain circumstances
the franchisor may act as the franchisee's data
processor, e.g. this may be the case where invoicing is
handled centrally, or vice versa. It is important that the
appointment of the data processor is in writing and that
the data processor gives sufficient guarantees in respect
of the technical and organisational security governing
the processing to be carried out. Information should not
f be sent to data processors unless an appropriate letter of
engagement has been signed.
- 8th principle:Personaldata shall not be transferredto
a country or territory outside the European Economic
Area unless that country or territory ensures an adequate
level of protection of the rights and freedoms of data
subjects in relation to the processing of personal data
If the franchisor is located outside of the European
Economic Area, even franchisee to franchisor transfers
of personal data may entail the franchisee breaching the
eighth principle of the Act, unless specific measures are
- taken.
The European Commission has held that only a
handful of non-EEA countries offer 'adequate'
protection. In addition, a 'safe harbour' agreement
between the U.S. government and the European
AND E-COMMERCE
Commission provides a code to which U.S. companies
may sign up. Complying with the code, and self
certifying compliance with the U.S. Department of
Commerce, will be deemed to give an adequate level of
data protection in relation to data transfers to the U.S.
company concerned. The European Commission has
also published some approved contractual clauses which
can be incorporated in agreements between EU and
non EU companies which will ensure that the level of
protection is considered adequate.
Other exceptions may be available if the business
wishes to transfer data overseas, including where the
data subject has expressly consented to the transfer or
where the transfer is necessary in order to perform the
contract with the data subject. This is not an exhaustive
list.
Comply with the disclosure requirements
Where data has been obtained from an individual, the
data controller must ensure that the following
information is either given or is readily available to
that individual:
- the identity of the data controller and any
representative nominated for him;
- the purpose for which the data is being processed;
and
- any further information necessary to ensure the
processing is 'fair' in all the circumstances.
Where data has been obtained from a third party, the
above information should also be provided or readily
available to the data subject either at the time the data
controller first processes the data or at the time of
disclosure to a third party if this occurs within a
reasonable period.
The above means that businesses cannot just obtain
information and hold it indefinitely without any further
action. However, the data controller is exempt from
such requirements if providing the information would
involve a disproportionate effort this would include
matters such as cost and length of time necessary to
provide the information and ease of provision of the
information, or the data controller is required to hold
the data, or disclose it, to comply with a legal obligation,
other than one imposed by contract.
O(e Europe?
Any company doing business in Europe must take
data protection law seriously if they are to avoid falling
foul of data protection laws. Although the Act is based
on a European Directive, EU Member States have been
given some freedom as to how they enact the Directive
into their own law and as a result the details of the data
protection laws vary between different countries. A
www.richmondlawtax.com
UK DATA PROTECTION
number of European countries, notably Germany, have
relatively strict data protection laws and companies
doing business there need to be aware of and comply
with these laws.
(hek ist for ipiarC
A number of practical steps can be taken to ensure
compliance, including:
* filing and maintaining an up to date data pro
cessing notification with the Information Coin
missioner. This can be completed online at
www.informationcommissioner.gov.uk;
* having a data protection policy, security policy and
document retention policy;
* training all employees in data protection and
providing them with a copy of or access to the policies;
* appointing a data protection officer who will ensure
that the policies are correct, updated and all employees
comply with them;
* ensuring that appropriate consent is obtained for the
processing of data. Standard forms and contracts of
employment should be adapted to ensure that consent
to processing of information is obtained at the time
such information is provided;
* not transferring data outside the EEA unless the
business has first considered whether there are
appropriate safeguards;
* not disclosing personal data to any third party unless
this is cleared by the business' policies or data
protection officer; and
* only using data to direct market to its customers/
potential customers where appropriate consents have
been obtained.
This article provides a brief overview of the
requirements of the Data Protection Act. It is a
complex piece of legislation and in the interests of
brevity many of its intricacies are not mentioned here.
Further information can be obtained from the
Information Commissioner's website at
www.informationcommissioner.gov.uk.
Part 2: Ecommerce
The internet is a global sales medium; no one selling
through that medium knows in advance where in the
world the customer will be. Furthermore, the customer
can be vulnerable to unscrupulous web-traders: you
place an order and give your credit card details. All that
may arrive is a bill or faulty goods which come from a
jurisdiction where it may be uneconomic to do anything
about it. No franchisor would want any of its
www.richmondLawtax.com
AND E-COMMERCE
franchisees to engage in abusive conduct of this
nature. This global element raises a number of legal
issues and legal advice should be obtained to ensure that
they are being handled properly.
An unintentional treat?
How is the contract formed? Under English law it can
be broken down into three areas: offers and invitations
to treat, acceptance and incorporation of terms.
So starting with offers and invitations to treat,
English law distinguishes between these two concepts:
* an offer is something that if accepted will form a
contract;
* an invitation to treat is a representation to another
that you are willing to consider offers that he might
make to you.
Web pages can be either offers or invitations to treat
depending on their precise wording. But why is this
legal jargon important? Consider your position if you do
not have enough stock to fulfil orders that have been
placed. Or, a scenario which has caught out many web-
retailers, an error has been made on your website
resulting in goods being advertised at the wrong price.
If the website comprises an offer then the customer's
order will form an enforceable contract and the
customer can claim damages if his order is not met. If
the website is only an invitation to treat then it will be
the customer who makes the offer when sending in his
order, the seller will then have the opportunity either to
accept or reject that offer.
A wise web trader will contain a statement in its
terms and conditions making it clear that all orders are
subject to confirmation. That e mail confirmation will
constitute acceptance of the customer's offer to buy the
goods ordered.
Another practical point to consider is how the
customer's order is acknowledged. Some websites are
set up to generate an automatic response which
acknowledges receipt of the customer's order. Does
this response constitute acceptance? Again this will
depend on the wording a wise e tailer will make it
clear whether or not the acknowledgement is an
acceptance of the customer's order.
Getting your point across
Do your terms and conditions form part of the
contract? Surely it's obvious, if you have terms and
conditions, then they must form part of the contract
with the customer? Not necessarily. The basic position
is that the terms must be in the contemplation of both
UK DATA PROTECTION
of the parties at the time the contract was formed. That
is, first, your terms and conditions must be made
available to the customer prior to the formation of the
contract. Terms and conditions sent to the customer
after the order has been placed will usually have been
received too late and will not form part of the contract.
Secondly, the customer's attention must specifically be
drawn to the terms and conditions and any unusual
provisions contained within those standard terms
highlighted to the customer. This is usually done by
linking the terms and conditions to the order form and
asking the customer to confirm that the terms have been
read and accepted.
Of all the laws the world
What law will govern the contract? When contracting
with another business it is usual to specify which law
will govern the contract and which courts will have
jurisdiction in the event of a dispute. The courts will
usually uphold the law chosen by the parties when they
are both businesses, although certain local laws may
apply in any event (see below). However, the law is
more protective towards consumers. Websites which
have been tailored to attract consumers from a certain
jurisdiction will almost certainly be subject to local law
and jurisdiction, regardless of any contrary choice of law
contained in the contract.
Hav you be o v(erred?
What overriding laws will apply to the contract? Even
where the parties' choice of law is upheld, overriding
local laws may apply, for example, competition laws and
labelling requirements. Further there are certain types
of products which have specific restrictions placed on
their sale, in particular things like financial services,
alcohol, pharmaceuticals and so forth. Other products
are illegal in certain jurisdictions but legal elsewhere. A
web trader must also ensure that its website complies
with the regulations in relation to the marketing of that
particular product.
Svild vild w16b it is 1 JaY3s?
What other laws should be considered? Do any other
requirements apply to on-line contracts? Two pieces of
European legislation have an impact on on line sales, in
particular, in the UK these are the Electronic Commerce
(EC Directive) Regulations 2002 and the Consumer
Protection (Distance Selling) Regulations 2000.
AND E-COMMERCE
Broadly speaking, the E commerce Regulations
require commercial websites to display certain
information including the name, address and contact
details of the service provider. These requirements go
little further than the requirements of the Companies
Act and Business Names Act with which an e trader
must comply in any event.
The E commerce Regulations also require e traders to
inform customers of how the contract will be formed.
This information must be given before an order is
placed so that the customer knows what to expect and
the customer must also be given the opportunity to
identify and correct input errors to limit the risk of
unwanted orders being placed. Orders have to be
acknowledged without undue delay and by electronic
means. The e-tailer must also make the terms and
conditions available to the recipient in a way which
allows the customer to store and reproduce them.
The Distance Selling Regulations also include
formalities which must be complied with when
contracting over the internet - although it is worth
bearing in mind that the Regulations apply not just to
internet transactions, but to all sales to consumers
which are not concluded face to face, including mail
order and tele sales. The general scope of the legislation
is:
1. to require businesses to give certain types of
information to consumers before the contract is
concluded or at the very latest when a business
delivers the goods or provides the services. This
includes information such as the price of the goods
and the name and address of the supplier; and
2. to allow the consumer a cooling off period in which
to decide whether it wishes to cancel the contract.
Contracts which are not formed in accordance with
the Regulations are void and breach of them can
amount to a criminal offence.
Footlote
It is clear that the internet is a marvellous sales tool.
However, it also has the potential to create problems for
the unwary. Webtrading requires careful up front
consideration and legal advice.
Suzanne Mercer isaPartner inthe Technology Group inthe London
office of Evertheds LLP.
www.richmondlawtax.com