Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, is currently giving advice on the Act.  He is pleased with what is contained within the revised guidance. He says, “There had been a lot of concern amongst law-abiding business that the Act would be so onerous that they would be caught out and risked prosecution. However, what is clear is that they are not the target, and the Government is trying to ensure fair play. Reasonable and proportionate corporate hospitality, such as tickets to sporting events and dinners, can continue as a recognition that this is just about building normal business relations, unless it is a cover for bribery.

“Also, although businesses will be liable for anything done on their behalf unless they have good policies in place, the Government has helpfully clarified that the  type and extent of policies and risk assessments will depend upon the size and risks faced (such as which markets they are in). It is also clear, though, that businesses cannot turn a blind eye if there are genuine risks. This is a common sense approach to the implementation of what could have been a despised piece of legislation that could have hampered genuine business. “

Paul adds a word of caution. “The new guidance does, however, still make clear that facilitation payments are outlawed. Facilitation payments – sweeteners to encourage public officials to loosen red tape and allow their products to enter a market – are seen as a fact of life for businesses that export into some markets, whether or not the business wants to pay them. Concerns remain that this may still leave UK businesses at a competitive disadvantage when trying to win business overseas if businesses from other countries continue to pay facilitation payments.”

The Commission has just updated the rules and data export contract terms that apply when a European data controller transfers data to a data processor that is not based in the EEA. A ‘data controller’ is someone who decides and controls what happens to personal data, and a ‘data processor’ is someone who processes personal data on behalf of a data controller but does not take decisions in relation to the personal data and is not ultimately responsible for that data. The new rules allow for the data processor to sub-contract the processing of the data to sub-processors under certain conditions, including by obtaining the prior written consent of the data controller that is exporting the data out of the EEA. The development is aimed at keeping pace with the way business is done, and in particular different levels of outsourcing in a chain.

Separate contract terms continue to exist in relation to transfers of data from data controllers within the EEA to data controllers outside of the EEA. They are unaffected by the updated contract terms in data controller to data processor situations.