We have worked with postgraduate students at the University of Southampton to consider the legal and practical implications of hot topics in commercial law.
Discussions ranged from new compliance obligations stemming from legislation such as GDPR, to significant shifts in the court's approach to contractual interpretation and enforcement, plus the uncertainties brought by Brexit.
The postgraduate students bring fresh analysis, new perspectives and excellent legal writing skills to the above issues and we're pleased to present these articles in our Student Insight series.
Data protection in the event of a no deal Brexit
By Ioanna Tolia
With exit day fast approaching, the Department for Digital, Culture, Media and Sport (DCMS) issued a guidance on Data protection if there’s no Brexit deal. In case of a hard Brexit, 29 March 2019 would signify the end of the unrestricted data flow between the EU and the UK. As any constrain placed on cross-border data transfers would effectively hinder trade, UK businesses would end up at a competitive disadvantage. If you rely on data transfers to and from the EU, it would be advisable to adopt a proactive approach in preserving the free, cross-border flow of data post no-deal Brexit. Pending the European Commission reaching an adequacy decision, you would need to review your existing arrangements with EU-based partners and possibly consider which of the available safeguards best suits the needs of your business. One of the businesses' current priorities should be to ensure that appropriate safeguards are in place in due time.
EU-UK data sharing is governed by the EU General Data Protection Regulation (GDPR), supplemented by the UK Data Protection Act 2018 (DPA 2018). The DPA 2018 gives effect to UK derogations and creates an 'applied GDPR' regime that will govern personal data processing in the UK, post-Brexit.
Post no-deal Brexit position
In a no-deal Brexit scenario, there would be no instant alteration of the UK’s own data protection standards. As confirmed by the DCMS, the free transfer of personal data from the UK to the EU shall be permissible on the basis of the high degree of alignment between their data protection regimes. This will be kept under review by the UK Government.
What would be greatly impacted is the legal framework governing data transfers from EU-based organisations to UK-based ones. As the UK would be automatically treated as a third country under the GDPR on exit day, Chapter V thereof (regulating data flows to third countries) shall be applicable to all EU-UK data transfers.
Under an adequacy decision the European Commission recognises that a third country meets the EU's GDPR standards and is, therefore, awarded free access to EU data. Securing an adequacy decision appears to be the most favourable outcome for UK-based data controllers and processors, allowing for personal data to be transferred from the EU to the UK without restrictions. Consequently, once the UK becomes a third country post-Brexit, the Commission will make an assessment as to whether the UK's data protection laws are “essentially equivalent” to those of the EU.
The attainment of an adequacy decision, however, is by no means guaranteed. Additionally, the process of conducting such an assessment typically requires several months, if not years. At this stage, it would not be prudent to assume that an adequacy decision can be relied upon due to the uncertainties of Brexit (whether soft, hard or no Brexit at all). Accordingly, you may wish to consider the adoption of appropriate safeguards to minimise disruptions to your EU-UK data sharing processes, post-exit day.
Standard Contractual Clauses (“SCCs”)
The DCMS suggests that standard contractual clauses would be the most relevant alternative legal basis for the majority of organisations. SCCs, when embedded in a contract, enable the free transfer of personal data as between the parties. There are currently three sets of model clauses adopted by the European Commission governing transfer of personal data:
- from an EU-based controller to a third country processor; and
- as between an EU-based controller and a third country controller.
Evidently, their function presupposes the conclusion of a contract. Nonetheless, they are not applicable in all instances. It should be further noted that the existing model clauses remain valid until such time as the Commission updates them to reflect the GDPR. Their validity is currently under legal challenge before the Court of Justice of the European Union (CJEU), following a reference by the Irish High Court (Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems ). We monitor closely the progression of the case as its outcome may affect reliance on SCCs for the transfer of personal data to third countries.
Binding Corporate Rules (BCRs)
The adoption of binding corporate rules constitutes another suitable alternative option for multinational corporations. BCRs would enable the free, cross-border flow of personal data between the EU and third countries, insofar as it remains within the same corporate group. These strict sets of rules require authorisation by all the relevant data protection authorities involved. Their implementation therefore represents a considerable investment of time and resources. Further, it would be wise to ensure that BCRs are approved by the regulator of an EU27 country, and operated from within the EU, to avoid the risk that approval by the UK regulator (the ICO) would be invalidated by a "hard" Brexit.
In certain scenarios your EU-based partners may alternatively rely upon a number of derogations to transfer personal data to the UK. Under these circumstances data handling would be exempted from the GDPR provisions. Their application, however, needs to be considered on a case-by-case basis.
With only a draft deal in place and an uncertain future, the “hope for the best, prepare for the worst” mentality appears to be the best course of action as the clock is ticking.
Enforcing a force majeure: careful drafting saves money
By Victoria Zubareva
Contractual performance can be affected by delays or breaches at one or various stages of a supply chain. One way to protect yourself in these situations is to include a force majeure clause in the contract. It suspends or releases obligations of a party whose performance is prevented or hindered by a specified event usually beyond their reasonable control (force majeure). But what happens if non-performance or delay results from several events and not all of them fall under the clause? Given that courts closely analyse the words of a force majeure clause, careful drafting is essential. It should provide for a non-exhaustive list of possible force majeure events and allow for concurrent causes to trigger the force majeure clause.
All or nothing
Seadrill Ghana Operations Ltd v Tullow Ghana Ltd  EWHC 1640 (Comm) shows that English law does not provide a one-size-fits-all answer for situations where force majeure is not the sole cause of a delay or a failure to perform a contract. Oil drilling company (Tullow) was not able to perform its contract because of a drilling moratorium imposed by the government and a refusal by the government to approve Tullow’s plans for drilling another field, not affected by the moratorium. The refusal was due to a technical problem in the equipment which was not Tullow’s fault. Of the two causes only the moratorium was named as a force majeure in the contract. Tullow relied on this to terminate the contract. The court held that it could not do that because there was a clear requirement of causation in the contract and the effective cause of Tullow’s failure to perform it was not a force majeure under the clause. Teare J referred to an earlier case (Intertradex v Lesieur  2 Lloyd’s Rep 509) establishing the proposition that force majeure must be the sole cause of non-performance of an obligation but concluded that ultimately it is the question of construing the contract. So how can a contract be drafted to avoid the Seadrill result?
Non-exhaustive list of events
The judgment does not cite in full the definition of force majeure used in the contract of hire:
28. “27.2 For the purpose of the Contract, Force majeure shall be limited to the following:
(h) Drilling moratorium imposed by the government”
However, even from this extract it can be inferred that the clause contained an exhaustive list of specific events capable of triggering the force majeure clause. Arguably, such narrow wording also contributed to the particular result of that case. A list of specific events can provide some certainty but there is always a risk of omitting something important. Therefore, it is advisable to have a list of specific events either preceded by words “including but not limited to” or followed by a general wrap-up clause, eg “or any other cause of whatsoever nature beyond reasonable control of the defaulting party” (Michael Furmston, ‘Drafting of Force Majeure Clauses – Some General Guidelines’ in Ewan McKendrick (ed), Force Majeure and Frustration of Contract (2nd edn, Lloyd's of London Press Ltd 1995) 59).
Addressing causation specifically
A particular event might not be capable of being brought under the definition of force majeure, however wide the latter might be. To deal with such situations one needs to pay attention to the causation requirement at the drafting stage. The contract in the Seadrill contained a strict one: “if and to the extent that fulfillment has been delayed or temporarily prevented by an occurrence, as hereunder defined as FORCE MAJEURE”. There are a number of ways causation could be specified. For instance, possible wording includes:
- “non-performance / delay in performance is wholly or partially caused by…”
- “performance is prevented / delayed / made more costly or difficult due to, inter alia, …”
The above can be useful if you are the only party envisaging the possibility of relying on a force majeure clause. However, they will no longer be so if in particular circumstances the other party chooses to invoke the clause. Introducing materiality requirement could help, eg “if performance is materially affected by a force majeure event”. This clause would not work, though, if there are events within and outside the clause and each plays a relatively equal part in causing non-performance or delay. Similar wording would, arguably, lead to the same result as in Seadrill. Thus, it is advisable to negotiate a fairly broad clause, inserting a phrase like “whether or not this event is the sole, a substantial or one of the equal causes”. These details are worth paying attention to as it is the wording of a force majeure clause that mainly defines its effect (Coastal (Bermuda) Petroleum Ltd v VTT Vulcan Petroleum SA (No.2)  2 Lloyd’s Rep 383) and, ultimately, who is to pay.
GDPR - The sky’s the limit
By Edwin Chan
The General Data Protection Regulation (GDPR) is European law with global reach. The extraterritorial provisions in GDPR, Article 3(2) make the law, and its sanctions, applicable to a controller/processor not established in the EU, but who processes personal data of data subjects in the EU in the course of offering goods or services.3 The aviation industry appears to be particularly vulnerable. After British Airway’s 380,000 booking transactions being compromised, in October 2018, Cathay Pacific announced a data breach that could affect 9.4 million passengers.
GDPR’s ability to catch a non-EU company
Cathay Pacific is a Hong Kong airline. Notwithstanding the GDPR being an EU regulation, it has the potential to catch businesses with no establishment in the EU. The phrase “data subjects in the EU” suggests that this regulation protects any individuals in the EU, whether or not they are EU citizens. Therefore, protection extends to non-EU residents and tourists travelling to the EU. Cathay Pacific would likely fall within the scope of GDPR as personal data of its European and non-European passengers travelling to Europe would be input into the airline’s booking system.
Even if there is found to be no establishment in the EU, proceedings can still be enforced against the airline. Under Article 27, a non-EU establishment that falls within the territorial scope of the GDPR is required to designate a representative. The designated representative will be subject to enforcement proceedings in the event of non-compliance by the controller or processor (GDPR Recital 80).
Cathay Pacific’s obligations under the GDPR
- Personal data must be processed in a manner that is sufficiently protected against unauthorised or unlawful processing (GDPR Art 5(f))
- In the event of a personal data breach, the supervisory authority must be notified within 72 hours. If that is not possible, without undue delay (GDPR Art 33)
- When the personal data breach is likely to result in a high risk to the rights of the data subject, the data breach should be communicated to that person without undue delay (GDPR Art 34).
Cathay Pacific has potentially breached the above obligations. The personal data affected by the breach seems likely to include details on travel documents, telephone numbers, email and physical addresses etc. One could argue the cyber security of the airline did not offer sufficient protection which resulted in a successful hack of such a grand scale.
Also, Cathay Pacific may be found to have failed in its obligation to report the breach without undue delay. The airline revealed that the breach was first detected in March, seven months before the incident has been disclosed.
The worst-case scenario would be a fine of up to €20 million or 4% of the company’s global annual turnover, whichever is higher. In view of Cathay Pacific’s $12.4 billion USD revenue in 2017, the maximum fine comes close to $500 million USD. This is almost 4000 times greater than the maximum fine payable under local data protection legislation in Hong Kong. 
Compensation to the subjects of the data breach
Under Article 82, a person who suffered material or non-material damage as a result of an infringement of the GDPR is entitled to receive compensation. The reference to non-material damage suggests that compensation will extend to non-pecuniary loss eg psychological distress and reputation harm (Vidal-Hall v Google  EWCA Civ 311). Currently, class action lawsuit is being contemplated, with more than 200 passengers reportedly expressing their intention make a claim against the airline.
Even if legal actions can be defended, the scandalous nature of this incident can deal a massive blow to the confidence of customers and shareholders. Following the announcement, the airline’s shares sank to its lowest point in almost nine years – tumbling close to 6% which is equivalent to a loss of just below $200 million USD in market value.
This incident illustrates one of the many ways it is possible to fall foul of the GDPR and every company should carry out due-diligence to investigate and mitigate its own set of risks. The International Association of Privacy Professionals has surveyed 550 of its members (80% of the respondents located in US or Europe), 56% of the respondents indicated that they were still non-compliant with GDPR. This story serves as a reminder that the clock is ticking.
 Personal Data (Privacy) Ordinance(Cap. 486), s.64; Sia Partners, ‘Cathay pacific could be facing a USD 500 million fine under the European GDPR’ <http://en.finance.sia-partners.com/20181026/cathay-pacific-could-be-facing-usd-500-million-fine-under-european-gdpr> accessed 4 December 2018
Shifting sands?: You should inform the other party before it is too late
By Aysegul Senoz
If you provide information in response to a pre-contract enquiry, then you must update your response to reflect any changes in fact or circumstance before the contract is formed. A pre-contract statement is a "representation", setting out facts or assurances that are intended to induce the other party to enter into a binding contract. The maker of the statement (the "representor") takes on a continuing responsibility for its accuracy during the interval between the representation and conclusion of a contract.
If the representor conceals facts or makes unrealistic statements in order to induce the representee to sign a contract with him, then that statement might be actionable either as deceit or fraudulent misrepresentation, or as innocent or negligent misrepresentation. Deceit or fraudulent misrepresentation might be found where the representor:
- makes a false representation (written, orally or by a conduct)
- knows that the representation is false or is reckless as to whether it is true or false
- intends that the innocent party will rely on it
- the innocent party suffers loss as a result of it.
There are three forms of misrepresentation and remedies available may differ:
- Fraudulent misrepresentation is the most serious of them and the representee can claim damages in the tort of deceit which are rescission (setting aside the contract) and damages.
- Negligent misrepresentation occurs when the representor made a statement that he had no reasonable grounds for believing in its truth. The representee may be entitled to rescind and to claim damages. The representee can claim under Misrepresentation Act 1967 s.2(1) or under common law. The representee needs to establish a duty of care and damages will be based in tort of negligence if she claims under common law.
- Innocent misrepresentation is the statement that have been made by the representor with honestly believing it to be true. The remedy available for the innocent party is under courts’ discretion, either rescission with an indemnity or damages in lieu of rescission (Misrepresentation Act 1967 s.2(2)).
It is enough for the representee to solely prove that the representation has affected her decision. Namely, if there was no misrepresentation, the representee would not have concluded any contract with the representor (BP Exploration Operating Co. Ltd v Chevron Shipping Co  1 Lloyds Rep 77).
Can silence amount to a representation?
What if the representor keeps silent? As a general rule mere silence cannot be interpreted as lying or hiding the truth (Bell v Lever Brothers Ltd  UKHL 2). If the representee cannot find the answer that she is looking for then, she should act accordingly. Having said that, silence can amount to an actionable misrepresentation, for instance when the representor only presents the half truth or omits significant information (Spice Girls v Aprilia  EWCA Civ 15).
Due to his continuing responsibility, even if the representor was completely honest when he first made the statement, that is not enough to discharge his duty. If something changes, he must inform the representee. This duty arises if:
- After he made the statement he might find out the falsity of facts.
- The statement could be true by the time he made it, yet becomes false before the parties conclude the contract.
In either way, it is the representor’s duty to make the appropriate disclosure. Otherwise he cannot claim that he did not have an intention to induce. The representor would be liable due to recklessness as well. So it is essential to be aware of changing facts and to make the necessary disclosure in time.
The nature of a continuing representation
Once the representation is made it does not end but, depending on its content, may continue indefinitely (Lord Cranworth in Smith v Kay  7 HL Cas 750, 769). Since the statements are incentives for the representee to conclude the contract, the representor is bound with them. Therefore, the representation made to induce the other party to enter into a contract is treated as a continuing representation (Lord Wright MR in With v O'Flanagan  Ch 575, 584). Depending on the form of the misrepresentation, it may lead to rescission and/or damages.
For a representation to be an actionable misrepresentation, it must induce the representee to enter into the contract. If the representee becomes aware of the true state of affairs, yet still enters into the contract, the representation cannot be said to have induced the contract.
A statement of intention can contain fact
The representor may be held liable even if he argues what he has stated was just his intention (Intern Export LLC v (1) Jonathan Townley (2) Yaroslavna Lasytsya  EWCA Civ 2068). A statement of intention may be treated as a misrepresentation if the representor (Chitty on Contracts, (33rd edn, Sweet&Maxwell 2018), Chapter 7 - Formation of Contract, para 7-13):
- is not really planning to do what he said
- is aware that he is not capable of doing so.
Thus, the ‘intention’ may be regarded as an existing and actionable fact.
No surprise that the representor will face consequences of his misrepresentations. Misrepresentation Act 1967 s.2 provides remedies for the victim of the negligent and innocent misrepresentation. For fraudulent misrepresentation the remedies will be found in the tort of deceit.
Even though the main objective of the representor should be inducing the representee, the representor who innocently disclosed facts from the outset of the negotiation may face consequences of misrepresentation if he fails to disclose situations that have changed.
Contract formation and letters of indemnity
By José Salom Linares
Glencore Agriculture BV v Navig8 Chemicals Pool Inc (Songa Winds)  EWCA 1901 (Civ)
When the courts construe a commercial agreement, there is a strong presumption that the written document contains all the terms of the bargain between the parties. This presumption relies on the need for contractual and commercial certainty and is strengthened when it comes to Letters of Indemnity (LOI), where third-party rights may arise. As stated in The Jag Ravi (Great Eastern Shipping Co Ltd v Far East Chartering Ltd (The Jag Ravi)  EWHC 1372 (Comm)), “LOIs, particularly those in standard form, are important commercial instruments which need to be interpreted robustly and in a straightforward way”.
LOIs are frequently used instruments in trade. For example, in The Jambur LMLN 289 (QB), the judge observed that “It is not uncommon for oil cargoes sold on CIF terms (C&F in this case) to reach their destination before the seller can tender the bill of lading, the ship may then give delivery to the buyer in exchange for an indemnity and the buyer may pay the seller against a letter of indemnity”.
The prima facie assumption is that the written contract includes all the terms the parties wanted to be binding between them. Whether an extraneous term has been incorporated in the written contract must be determined from the parties' objective intention based on the totality of the evidence. This presumption is particularly strong in relation to LOIs in a standard form because:
- Letters of indemnity are documents which can confer rights to third-parties. Most of the time, these parties will be unaware of a provision outside of the written contract (Laemthong International Lines Co Ltd v Artis (The Laemthong Glory) (No 2) (CA)  EWCA Civ 519)
- Collecting cargo otherwise than on production of a bill of lading but an LOI constitutes a departure from the presentation rule, which requires a ship-owner to deliver only against an original bill of lading where one is issued. Thus, a strict approach is required to prevent abuses and fraud (Fortune Hong Kong Trading Ltd v Cosco-Feoso (Singapore) Pty Ltd, The Freja Skandic (Commercial Court) (Mr Justice Langley) 6 February 2002,  EWHC 79 (Comm). Where buyer was held guilty of deceit for misrepresentation made in an LOI).
Standard forms contracts are used in trade in order to increased certainty of legal interpretation and to reduce litigation risk. Consequently, due care is necessary when drafting commercial agreements in order to make enforceable all their terms, especially when dealing with letters of indemnity.
In a sub-voyage charter of a vessel carrying sunflower seed oil from Ukraine to India, the cargo was delivered not (as would be usual) against production of the originals bills of lading but against three LOIs. The receiver was not the lawful holder of the bills of lading; so whereas a misdelivery claim was brought against the carrier in arbitration, the carrier and the charterer sought to rely on the LOIs before the Commercial Court. It was held that delivery was made in accordance with the terms in the LOIs and therefore, the indemnity provisions were effectively triggered.
What is a letter of indemnity?
A letter of indemnity is a contract of indemnity; in other words, “a contract by one party to keep the other harmless against loss” (Yeoman Credit v Latter  1 WLR 828). In the context of the shipping industry, the beneficiary of a letter of indemnity is usually the carrier, and the party giving the indemnity is normally the shipper, the charterer or the receiver of the cargo in exchange for delivery of the cargo otherwise than against production of a bill of lading. Consequently, (as in this case) access to the cargo was no longer based on production of the document of title but on the allocation of risks based on the issuance of an LOI and the payment, or not, of the contract price.
In the first instance, the defendant sub-charterer suggested that the claim under its LOI was time-barred by clause 38 of the voyage charter-party. This clause indicated a three-months validity period of any LOI from the date of issue. However, the Commercial Court held that this clause was not incorporated into the LOI as no reference to it had been explicitly made, and that in any case, the clause did not have that particular effect; the defendant appealed on this matter.
Before the Court of Appeal, the appellant contended that, despite the presumption that a contract is intended to contain all terms of the bargain, it is open to either of the parties to allege that there was an additional and antecedent express stipulation not intended by the parties to be excluded but intended to continue in force with the express written agreement.
According to the defendant submission, the charter-party and the LOI constituted a contractual structure, and therefore, clause 38 must be regarded as being incorporated into the LOI as a continuing collateral term. Consequently, LOI’s indemnity provisions were time-barred.
Although, at the Court of Appeal, Simon LJ held that clause 38 established a three-months period for claiming indemnity, the argument about the incorporation was rejected and the appeal was dismissed on the following grounds:
- Clause 5 of the LOI was a self-contained provision, confining the sub-charterers’ liability, and no reference to any additional term was made, which might time limit it
- The voyage charter and the LOI were stand-alone agreements, conferring separate rights and obligations, each one providing different dispute resolution mechanisms. Whereas clause 38 was bound by the charter-party arbitration clause, the LOI standard form provided a jurisdiction clause, which subjected any controversy to litigation in the High Court. Thus, it was not possible to reconcile clause 38 with the LOI provisions
- Notwithstanding that clause 38 gave the appellant a contractual right to incorporate its terms into the LOI, they choose not to when entering into the LOI’s standard form provisions without any reservation
- LOIs are documents which could be relied on by third-parties, in this case outside the charter-party, making clause 38 of the voyage charter-party impossible to be foreseen.
Incorporation of clause 38 of the charter-party into the LOI was inconsistent with the LOI provisions. No words were identified in the standard form that calls for the defendant’s interpretation. Consequently, the presumption was not defeated. The starting point when construing a commercial agreement subject to English Law is that the written contract is to be regarded as containing all terms of the bargain between the parties. Because of the particular implications of an LOI, such presumption is harder to break.