Commercial Contracts

But we varied our contract, didn’t we?

Something about making contracts, particularly business to business contracts, which is often forgotten by the parties is that, while the UK tradition is you have freedom of contract, your freedom is curtailed the moment the contract terms are agreed. If I can prove you agreed to sell a particular thing to me (say a piece of plant) for an agreed price at an agreed time, you no longer have freedom to sell it to anyone else- because I can sue you for breach of contract.

A common feature in written business contracts is a clause forbidding variation of the contract unless the variation is recorded in a particular way e.g. by a further written exchange signed by the parties. So what happens if the parties seem to vary what was agreed, but only by acting in a different way to what is recorded in their written contract? For example, informally, a licensor of serviced offices does not strictly insist on a set instalment of the licence fee being paid by the licensee at a fixed time (monthly, quarterly or whatever)? Arrears build up and the licensor seeks to enforce the strict terms of the licence. This is what happened in a case decided this month by the UK Supreme Court, where the licensee claimed the licence contract had been varied informally.

In essence, the licensee’s argument was the parties to the contract can always agree between themselves to do things differently (after all they are the same parties). The fact no written variation of the sort contemplated by the contract was signed did not matter. This argument was firmly rejected and the earlier decision of the Court of Appeal overturned (showing even very senior judges can get it wrong sometimes).

In short, the judicial reasoning is (a) such clauses prevent attempts to undermine written agreements by informal means, which may be open to abuse; (b) oral agreements can give rise to misunderstandings as to the nature of the variation, something which such clauses avoid; and (c) formality in recording variations makes it easier for businesses to regulate their own management team’s authority to agree variations with the other party. The Supreme Court considered these to be legitimate commercial reasons for agreeing, and expecting the courts to enforce, what are, after all, the parties’ own freely chosen rules on variation; it is not the role of the law of contract to obstruct the legitimate intentions of businesspeople.

So be careful. If your contract has a procedure for regulating variations and you believe the other party has agreed some important change to your contract, do not wait for the dispute you think will never happen, get the variation documented and signed as required by your contract.

Even if there is no control on variation, remember the courts always start by looking at the written terms agreed by the parties. If those are clear, the courts will be reluctant to accept the parties have orally, or by their acts/omissions, varied the written contract. If you are facing such a set of circumstances, but it is now too late to get a written agreement documenting the variation, at the very least look for all the evidence you can produce to convince the court (1) the parties agreed to vary their contract and (2) as to what the detailed variation was.

Finally, if you fail to prove the parties varied the deal, you might at least have an argument that the other party is personally barred by their actions or omissions from enforcing the original contract against you (but that is very difficult to do and a subject for another day)

Stephen Cotton, Partner


If you would like to discuss any contract queries you have please contact Stephen Cotton or Emma Arcari





So – it’s that time of year again when we remember to remind you all about Avrio. Each year, in Spring and Autumn, Avrio members gather together for a conference. The May 2018 conference is in Brighton, with 51 representatives there from 25 countries.

I’ve been involved with Avrio since Autumn 1990 (annoyingly, just missing the Spring 1990 meeting in Berlin – not long after the wall fell). Despite what of my colleagues have inferred, this hasn’t just been nearly thirty years’ of travelling and meeting (and eating and drinking) at their expense…..

We, and I, have learnt a lot in these years. One of the big lessons I learnt early on (when everyone from northern Europe responded to a questionnaire on time, and no-one from southern Europe did) is that neither is right or wrong: it is the way that things are done by those people. Similarly, when a German colleague wanted a two day response time from everyone with a progress report on a litigation matter, a colleague from Portugal said he would get a proforma response prepared – because nothing would happen for years. Again, that’s just the way it is: neither right nor wrong. But it does seem something that the UK has ignored in relation to the tortuous Brexit negotiations.

What have we gained from membership of Avrio? Some overseas customers that we wouldn’t have but for Avrio. The ability to get help for our customers from trusted colleagues elsewhere. And the ability for those involved in Avrio to get all sorts of training: not to get hung up on whether something should be subject to Scots law (because lawyers really like these jurisdictional points); when I was in the chair, how do deal with lots of lawyers used to getting their own way (think of herding cats…); and really thinking about and discussing cross-border issues.

Avrio and its members and connections are there for CCW’s customers to use. Broadly speaking, if we don’t have a member in the country that concerns you or that member doesn’t do the sort of law you need, we’ll find the right person for you.

John Clarke, Partner


For further information on AVRIO please contact John Clarke

Does your contract refer to Europe?

There are endlessly longs list of things that might be required in order to prepare for Brexit for businesses. Because the type of arrangements to be put in place post-Brexit are not yet clear, many of the items of those lists are still uncertain.


However, one thing that can be done now, which will put firms in a more robust place post-Brexit, is to check their new and existing contracts that have implications in more than one EU member state. Quite often such contracts will define the EU or Europe as a territory – perhaps for a licence of rights or a restriction of some kind.


Look closely at how “EU” is defined. Is it “the EU as it is composed from time to time”? Is it “the EU as at the date of the agreement”? Is it just “the European Union”? The definition used may result in either the UK being excluded from it shortly, or remaining in it when it is not any longer a member state. Even worse, vague definitions might be unclear and result in dispute.


Whichever way it is drafted, there is a real risk of unintended consequences come 30 March 2019 (or possibly at the end of a transitional period).


In many cases, the parties are likely to come together and agree how things are to be dealt with going forward, and that will be much easier to do in advance of the withdrawal date. However, in less friendly relationships, there is a risk that a party tries to take advantage of such drafting. Either way, it makes sense to check your contracts and approach other parties sooner rather than later.


It goes without saying that the other step to be taken is to look at any new contracts being entered into – especially if you use standard template contracts. Think carefully about how you define a European territory – perhaps list the specific states, if appropriate. Consider inserting clauses to deal with Brexit-induced changes, which might trigger a right to terminate or renegotiate should certain repercussions of those changes adversely affect the efficacy of the contract.


Many businesses are currently feeling a bit helpless in relation to preparing from Brexit, but these are real, practical steps that can (and should) be taken right now.


To discuss this matter or to find out more information please contact Alison Marshall


Copyright claim again Taylor Swift has been dismissed

The Court of California has granted Taylor Swift’s motion to dismiss the copyright claim originally brought by Sean Hall and Nathan Butler against her, which claimed that Swift had copied the lyrics “Playas gonna play… and haters they gonna hate” in her 2014 hit “Shake it off” from their song “Playas gon’ play”, which was released back in 2003 by the US girl band 3LW

First, let’s do a quick refresh on what copyright is. You are entitled to automatic protection under copyright law when you create:

  • original literary, dramatic, musical and artistic work, including illustration and photography
  • original non-literary written work, such as software, web content and databases
  • sound and music recordings
  • film and television recordings
  • broadcasts
  • the layout of published editions of written, dramatic and musical works

In the Taylor Swift case, the whole argument was reliant upon whether the combination of the lyrics was in fact original and creative. The phrases in question were popularly used from the 2000s onwards, therefore neither phrase was found to be original or creative. While it is true that a combination of unprotected words may qualify for protection, it is not true that any combination of words will qualify for protection.

The court held that “the allegedly infringed lyrics are short phrases that lack the modicum of originality and creativity required for copyright protection. Accordingly, if there was copying, it was only of unprotected elements of Playas Gon’ Play.”

Sean Hall and Nathan Butler were given leave to amend by 26 February but have failed to file an amendment before the deadline.

If you require advice on an intellectual property issue, please get in touch with Alison Marshall and Sophie Graham from our corporate team.


Data Protection Update: Morrisons Supermarket Responsible for Data Breach Caused by an Employee

The High Court in England and Wales has issued its long-awaited judgement on the Morrison’s data breach, an action that was brought by 5,518 employees. The judgement provides employers with plenty of food for thought as the court found Morrisons vicariously liable for the act of its rogue employee, despite the Court finding that Morrisons had not failed in its duties.

The Facts

In 2014 Morrisons became aware that a file relating to 99,998 employees’ personal data had been shared on online by a senior online IT auditor who had been harbouring a grudge due to a previous disciplinary. The file (which had also been sent to several national and local newspapers) contained employee names and addresses, dates of birth, bank account details. Morrison’s was alerted to the web page by one of the local newspapers and had the link taken down within a few hours.

The employee was subsequently arrested and convicted to 8 years imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

A claim was then brought against Morrison by its employees which alleged:

  • claim compensation both for breach of statutory duty (under Section 4(4) of the DPA) and at common law (the tort of misuse of private information, and equitable claim for breach of confidence).
  • The claims are put on the basis that Morrisons has both primary liability for their own acts or omissions, and secondary (vicarious) liability for the actions of one of their employees harming his fellow workers.
  • In respect of the DPA, primary liability is said to be absolute or strict, rather than a qualified liability only arising if Morrisons failed to observe appropriate standards: but in the circumstances that the DPA does not impose liability, it is asserted that in any event Morrisons failed to observe those standards and is liable on that alternative basis

 The main queries dealt with by the Court were:

  • whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web,
  • whether under the DPA 1998, an action for breach of confidence, or in an action for misuse of private information.


It was held that:

  • The DPA does not impose primary liability upon Morrisons.
  • Morrisons are not at fault by breaking any DPA principles, apart from one:
    • Morrison fell short of their duty of principle 7 of the DPA in respect of not having an organised system for data deletion for guarding against unlawful disclosures/ data loss – but this neither caused nor contributed to the data breach.
  • Morrisons were vicariously liable, as they were responsible for the actions of their employee during the course of his employment.

Implications for Employers

This English decision could leave the door wide open for claims brought by employees that have been victims of data breaches. However, there was a tone of reluctance from Mr Justice Langstaff to find Morrisons liable, and he gave Morrisons leave to appeal, so watch this space.

In any event, employers will have to think about how they balance employee surveillance with the right to privacy. We will be updating you on the General Data Protection Regulation which comes into force on 25 May 2018.

In the meantime, if you need any assistance regarding Data Protection you can get in touch with Sophie Graham and Emma Arcari.

General Data Protection Regulation

Are you ready for the GDPR? Without thinking about it too deeply right now, start with your gut reaction and answers to the following questions…

  • Have you started preparing for the GDPR?
  • Do you know how long you have left to get ready or finish getting ready?
  • Do you know when a Data Protection Impact Assessment needs to be carried out?
  • Do you understand the day to day impact this will have on your business, especially for marketing activities?
  • Do you know what the consequences are for your business if you are not ready in time?

If the answer is no to any of the above, we would suggest you get in touch with our data protection team at CCW.  Even under current Data Protection regulation, in this case, the Privacy and Electronic Communications Regulations, businesses are already being fined for trying to ‘tidy up’ their customer data in advance of GDPR, and getting it wrong – see this link:

In short, most if not all businesses will be affected by this new law, and in some cases an entirely different approach will need to be taken for day to day operations and how personal data is dealt with. In particular, the question of how and on what basis the information you already have on your databases (whether for marketing or other purposes) will require review. As for new data, there are steps you can take during the next 12 months to ensure future use of that new data is compliant.

The bad news is Brexit (in case you were hoping) is likely to make no difference. The really bad news is that there is another privacy law waiting in the wings which will cause additional impact on top of GDPR (and, under present proposals, at about the same time). The good news is there is still time to start getting your procedures compliant (just under a year) but such compliance involves a lot of planning.

CCW can help you prepare for GDPR, including the preparation advisable before you contact the Information Commissioner’s Office (as suggested by the ICO in the link above) in case you are already in breach under the current regime.   In short, don’t bury your head in the sand around GDPR. Contact Emma Arcari or Stephen Cotton at CCW for advice.

Data protection and the GDPR – what does this mean for my business?

The General Data Protection Regulation (GDPR) comes into force in May 2018, so what generally should businesses be aware of?


  • Larger penalties for breach
    • A new tiered approach means penalties for the most severe breaches will increase from the current level of £500,000 to up to 4% of annual worldwide turnover or €20 million (depending on the nature of the breach).
  • Brexit does not provide an immediate escape route
    • The GDPR takes effect before Brexit and its effects have a wider territorial reach than the current law.
    • Organisations do not need to be in Europe for the GDPR to apply. For example if a website can be accessed by persons in the EU – the GDPR can apply if EU individuals are targeted or monitored, e.g. cookies are used to track persons or IP addresses are collected.
  • Data processors now face liability for non-compliance
    • It is not only data controllers who need to comply with the GDPR. Obligations will be placed on data processors to comply with the GDPR (this includes requirements for consent from data controllers to appoint new sub-processors, the need for activities to be covered by a binding contract, to keep records…and so on).
  • New and increased rights for data subjects
    • New rights include a right to be forgotten, a right to restrict profiling and a right to portability. The current rights available to data subjects are mainly retained and increased. For example the timescales organisations have to deal with subject access requests will decrease to a month.
    • The definitions of personal data and sensitive personal data have been widened. Online identifiers such as IP addresses or cookies are mentioned within the GDPR.
    • Information or fair processing notices must be provided in a concise, intelligible, transparent and easily accessible way. Additional information may be required to be provided by the data controller if this is necessary for the processing to be fair and transparent.
    • Using consent as the lawful basis to process personal data is made more difficult under the GDPR. If consent is used as the basis for processing this should be checked to ensure it meets GDPR requirements. Data subjects can withdraw consent at any point.
  • Be able to demonstrate compliance with the GDPR
    • To comply with the GDPR, organisations will need to implement technical and organisational measures to ensure data is processed appropriately and that the data is protected by an appropriate level of security. Organisations will be required to demonstrate that measures have been taken to reduce the risk of breaching the GDPR.
    • The “pseudonymisation” of personal data is encouraged by the GDPR, this means that the data is processed in such a way that it can no longer be used to point to a data subject without the use of additional information. This additional information is to be kept separately and securely (to prevent the pseudonymised data being attributed back to the data subject).
    • Privacy impact assessments will be required for data processing or technology which presents a high risk to individuals (a high risk is gauged in relation to the risk of infringing an individual’s rights and freedoms, such as large scale processing of sensitive data or profiling activities).
    • Data Protection Officers may be required depending on the format of the organisation and its core activities. For example the majority of public authorities will be required to appoint a DPO, together with those organisations which carry out regular and systematic monitoring of data subjects or large scale processing of sensitive data or criminal records.
    • Organisations will be required to keep records of their processing activities (e.g. types of data processed and for what purpose).
  • Mandatory reporting of personal data breaches
    • Data controllers will be required to report breaches to the relevant supervisory authority and/or the data subject unless certain exemptions are satisfied.
    • Data processors will be required to notify data controllers of all and any breaches “without undue delay on becoming aware of it”. More guidance is expected on this point, given the lack of exemptions in this area.

The above notes provide only an outline about certain of the consequences faced by businesses under the forthcoming GDPR. Unfortunately this is not something businesses can ignore until May 2017, and it makes sense to start to address how to implement changes required  if they have not begun already. For example:

  • reviewing staff polices
  • reviewing how and what data is collected at present, checking whether or not consent from the data subject is obtained
  • reviewing the use of sub-contractors and suppliers and any relevant contracts already in place
  • planning on how to deal with data breaches, checking what technical and organisational measures are in place
  • conducting risk assessments.

More guidance is expected from the Information Commissioner (ICO) in the coming weeks and months which should be helpful. In the meantime – see here for some preparatory advice from the ICO

Online terms and conditions – a common myth

Myth: online and alternative dispute resolution – everyone has to take part….

Reality: only some traders require to participate in ADR ….


The Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015 created new requirements for businesses in relation to alternative dispute resolution (ADR). Some commentators and businesses are spreading a misconception, that every single business (whether an online trader or not) is required to use an ADR organisation to resolve disputes, when the truth is that only in certain cases does ADR have to be used. In some cases, organisations are required to use ADR by law, rules of a trade association or term of a contract, but for the other businesses – normal judicial and settlement options are available and ADR can be negotiated, if it is desired at all, between the parties in dispute without reference to the regulations.

We have seen examples of businesses who have “accidentally” signed up to ADR due to these misconceptions, in some cases leading to expensive, time consuming and avoidable procedures, all while not realising that there are other options in this ADR area.  We have also seen examples of businesses and sub-contractors being treated unfairly, being misled or through ignorance unnecessarily asked or forced to comply with ADR by partners, suppliers, banks, financial houses (who are similarly labouring under misunderstandings).

We have helped lots of businesses with their contractual notification requirements in this area recently. If you have any queries in relation to your business and its liability in relation to ADR, please get in touch with Stephen Cotton or Emma Arcari at CCW.

Top Tips for Wise Contracting

Here are some of the basic areas that every contract lawyer will look at when considering any contract:

  1. Get the parties right

 This is a very common mistake. 

  • Consider who is entering into the contract and, with legal persons like companies and LLPs, make sure you have the right names, registered numbers, contact details etc.
  • Generally, although reforms are due, only the parties to a contract can enforce the contract.
  1. Make sure the parties have the capacity to contract

 Again, getting this wrong can be fatal.

  • Think about whether or not the other party you are dealing with has the legal capacity and the authority to deal on the level you need.
  • Certain companies only allow directors, or specified signatories to sign off on contracts above a certain level.
  • When selling products which will form part of a consumer’s home (e.g. a bespoke kitchen), make sure the property owners are parties and sign up. Remember, in law, a husband is not his wife’s agent (or vice versa).
  1. Make sure what has been agreed is in the contract

 Not doing so is perhaps the biggest cause of disputes. 

  • Put simply, the contract needs to deal with the agreement between both parties.
  • Remember too, not all agreements are regarded in law as binding contracts.
  • This sounds obvious but, when negotiating, get all the awkward issues on the table then agree and record the detail. Later, parties can discover they had not, after all, reached a binding agreement at all.
  • Price is rarely everything – you must also think about who is bearing the risk if things go wrong.
  • Do not assume silence means the other party has agreed with you.
  • Get the contract to cover what you need but bear in mind it is only as good as the asset or covenant strength of the legal or natural person you are contracting with. If that covenant is not enough, think about getting some form of security. 
  1. Is there anything which is not in the contract, that affects this contract? 

Double check the contract can do what you want it to do. 

  • Do not assume any draft or set of terms from the other party are the end of the story. They may have deliberately omitted certain terms because the law favours their position if they stay silent.
  • Consider if the agreement is Business to Consumer (B2C), Business to Business (B2B) or both. If B2C, there are many statutory rules which regulate the contract, regardless of its terms. Even with B2B there are statutory limiters on exclusion and limitation provisions.
  • Are there any standard form terms and conditions, industry or trade association rules, guidelines, or legislation which affect the contract? You may need to refer to these then expressly dis-apply them, or some part of them.
  • Who/what else is needed to make the contract work? Sometimes, this can be easy-the other party binds their sub-contractors or suppliers with your terms. Often, however, the acts or omissions of third parties, over whom neither side have legal control, need to be addressed and the risk allocated.
  1. Read the draft carefully 

Then read it again. 

  • Make sure you read the whole draft, not just the parts which have been fought over (perhaps for many months or even years).
  • Some typing or printing errors can be catastrophic, for example the difference between a “not” and a “now” can make all the difference because that single letter typo changes a prohibition into a permission.

This is only a snapshot of what needs to be looked at in relation to commercial contracts, and every contract will need to be considered alongside your business and its own circumstances.  Our team has years of experience in negotiating, drafting, revising and enforcing various forms of contract. Everyone likes lists so here is a non-exhaustive one of the areas we cover: standard form contracts; bespoke terms and conditions; master service agreements; framework agreements; outsourcing agreements; short term and long term supply agreements; research and development agreements,  collaboration agreements; consultancy agreements, distribution agreement, reseller agreements, agency agreements; procurement / commercial tendering matters; B2B; B2C; heads of terms, non-disclosure agreements, confidentiality agreements; privacy policies, mobile app development agreements, user terms, online terms and conditions,  website terms and conditions, software development, software as a service, systems integration agreements, hardware maintenance and other areas in IT and technology.

If you have a contract you would like to be reviewed or another query in relation to this area, please get in touch with Emma Arcari or Stephen Cotton at 0845 22 33 001.

The Cost del Crammond

Two weeks ago, I met a criminal. Last week I met another. Nothing surprising in that you might think. I am a solicitor after all. But the last time I did any criminal defence work was at least 25 years ago. And this was in leafy Cramond for Heaven’s sake. Neither of these crooks has yet been charged and convicted and I hope no wise prosecutor would ever regard it as in the public interest to prosecute either of them. Certainly, I won’t be grassing them up by naming them here. Sadly, however, both of them are, nonetheless, ‘bang to rights’.

Working from home as I write, I’ve just encountered a higher end crook who might be regarded as representing an organised crime gang. Ironically, he’s tampering with our burglar alarm system. We’ve just had a cup of tea. Charming bloke but then Crimewatch says all the best conmen are. A line from that 1972 Slade smash drifts into my head

Mamma, mama, weer all crazee now….

Because my particular parcel of rogues consists of an electrician, a house painter (both great tradesmen whose one man bands deliver exemplary results on time and on budget) and a major UK alarm company (again professional in everything they have done). All of the jobs run into several hundred pounds. Had they done the work before Friday 13th June (even Freddie Kruger couldn’t make this up), they, unlike Slade, would not be risking a criminal record.

Their crimes? The first two gave me nothing in writing at all, nor did I need them to, and did the work at a time that suited them. There was no urgency. The third set out the contract terms clearly in writing (perfectly acceptable to me) but did not tell me about my new off-premises cancellation rights. Even if they had, and this is all getting a bit too metaphysical for me, they did not follow the precise and mandatory requirements in relation to confirming my cancellation rights as set out in the Consumer Contracts (Information Cancellation and Additional Charges) Regulations 2013. Clearly, our benighted legislators do not feel any UK business can be trusted with such weighty drafting (as in ‘If you want to, you can contact us and cancel before [work out the date, say,  17th November 2014’).

All three have therefore committed an offence under Regulation 19. What makes this even worse is that, even if I did not have the new cancellation rights (and in many cases I won’t e.g. with bespoke goods made to my order) or had them but have now  lost them (also quite common e.g. once the paint goes on my house, it becomes, get this, ‘inseparably mixed’), they’re all still crooks for not telling me that on paper or, to quote Nanny, ‘in some other durable form’.

Now don’t get me wrong. I’m a consumer too and was involved professionally in work a few years ago for a trade federation seeking to target cowboy builders. I know there are bad people out there who prey on the vulnerable. I also realise businesses are, as a matter of policy, usually regarded as the better risk-bearers. Whisper this too but, for all its faults, I’m a fan of the EU, whose fingerprints are sadly all over this nonsense. Has no-one heard of balance or commonsense? Of course, there are bad apples out there but is criminalising the, I guess, 90%+ of good ones really the way to go? As my lovely Canadian Aunty Ruby always says,

Steve, the only thing about commonsense is it sure ain’t common….

The rumour mill says the UK suddenly woke up to the need to legislate by 13th June, and panicked.

The simple point, though, is anyone who sells goods or services to consumers really needs to take some advice on their contract terms (even if, in the hundred years they and their family business have been trading, they and their customers have never felt the need to have anything in writing) as one by-product of this rather poor joke is thousands of oral contracts that are made every day will now require to be put in writing. Fine for the larger concerns but surely a little OTT for Bloggs & Co on Acacia Avenue.