Legal Practice Notes

ARCHIVED : This Practice Note has been archived and is not maintained. This Practice Note, prepared in collaboration with Guy Pendell, Liz Williams and Kushal Gandhi of CMS, addresses the scenario in which the UK and the EU do not secure an agreement on jurisdiction after the UK’s departure from the EU. Throughout the implementation period beginning on exit day—the day the UK leaves the EU—the provisions of the withdrawal agreement will apply. For guidance on that period and the withdrawal agreement’s effect on jurisdiction, see Practice Note: Brexit implementation period—jurisdiction [ Archived]. This Note considers the implications of the UK leaving the EU on exit day without a deal for jurisdictional issues in UK court proceedings that involve the European Free Trade Association ( EFTA) States that are parties to the Lugano Convention 2007, namely Iceland, Norway and...

ARCHIVED : This Practice Note addresses the position that arises where the UK and the EU fail to reach arrangements for the cross-border enforcement of judgments after the UK’s departure from the EU. During the implementation period that commences on exit day—that is, the day the UK leaves the EU—the provisions of the withdrawal agreement will apply throughout that period for enforcement. For guidance on the implementation period and the effect of the withdrawal agreement on enforcement, see Practice Note: Brexit implementation period—enforcement [ Archived]. This archived note examines, in particular, the implications of a no-deal exit for the enforcement of judgments arising from civil and commercial claims under the following instruments, namely: Brussels Convention, Regulation ( EC) 44/2001 ( Brussels I), Regulation ( EU) 1215/2012 ( Brussels I (recast)), Lugano Convention 2007 and EC- Denmark...

ARCHIVED: This Practice Note is archived and not maintained. It addresses the position at the close of the implementation period after the UK’s departure from the EU. Throughout the implementation period, which begins on exit day (ie the day the UK leaves the EU), the provisions of the withdrawal agreement apply. For guidance on the implementation period and the effect of the withdrawal agreement on service, see Practice Note: Brexit implementation period—applicable law [ Archived]. This note considers the consequences of the UK leaving the EU without a deal for deciding which law governs a dispute, ie the applicable law (also referred to as governing law). The principal UK measure addressing a no deal Brexit and applicable law is The Law Applicable to Contractual Obligations and Non- Contractual Obligations ( Amendment etc) ( EU Exit) Regulations 2019, SI 2019/834, which modifies two EU...

This Practice Note sits within the Data Protection Negotiation Guide (the Guide). This section of the Guide covers negotiating clauses about prior consultation with the Information Commissioner’s Office ( ICO) in controller–processor arrangements governed by the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). For a primer on the Guide, see Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note makes use of several standard abbreviations, which are defined in that introduction. As set out in Practice Note: Data protection negotiation guide—controller: processor—introduction: the parties may, as a commercial matter, apportion between them the costs and expenses of carrying out these obligations there is substantial alignment between the UK GDPR and the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and the Guide concentrates on the position under the UK GDPR For...

Practice Note This Practice Note sits within the Data Protection Negotiation Guide ( Guide). This section covers negotiating clauses on erasure and handback of personal data once processing ends in agreements between controllers and processors that are subject to the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). For an introduction to the Guide, see Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note uses a number of common abbreviations, which are defined separately in that introduction. As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction: the parties may commercially apportion the costs and expenses of fulfilling these obligations between themselves there are notable similarities between the UK GDPR and the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and the Guide concentrates on the position under the UK GDPR. For...

This Practice Note sits within, and complements, the Data Protection Negotiation Guide (the Guide). This section of the Guide covers negotiating clauses concerning data protection impact assessments ( DPIAs) in controller–processor contracts entered into under the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). For an overview of the Guide, please see Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note employs several standard abbreviations, each defined separately in the introduction cited above for ease. As set out in Practice Note: Data protection negotiation guide—controller: processor—introduction: the parties may commercially apportion the costs and expenses of fulfilling these obligations between themselves as they deem appropriate there are notable parallels between the UK GDPR and the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and the Guide concentrates on the position under the UK...

Practice Note This Practice Note sits within the Data Protection Negotiation Guide (the Guide). This section covers negotiating clauses arising from Article 28(1) of the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), which obliges controllers to engage only processors offering ‘sufficient guarantees’ to deploy technical and organisational safeguards, ensuring UK GDPR-compliant processing and protection of data subjects’ rights. For the Guide’s introduction, related materials and instructions on use, see Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note utilises several common abbreviations, which are defined in that introduction As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction: the parties retain commercial flexibility to divide the costs and expenses of meeting these obligations between themselves there are substantial similarities between the UK GDPR and the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and the Guide...

This Practice Note forms part of the Data Protection Negotiation Guide (the Guide). This segment of the Guide considers negotiating terms on notifying data subjects of breaches within controller–processor contracts governed by the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). For an overview of the Guide, consult Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note uses certain standard abbreviations. Their meanings are set out separately in the introduction referenced above. For ease of reference within that introductory material. As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction: the parties may commercially decide how to apportion the costs and expenses of carrying out these duties between them there are notable parallels between the UK GDPR and the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR) and the Guide centres on the...

Practice Note This Practice Note sits within the Data Protection Negotiation Guide (the Guide). This section considers how to negotiate clauses on notifying the ICO of breaches in agreements between controllers and processors governed by the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). For a primer on the Guide, see Practice Note: Data protection negotiation guide—controller: processor—introduction. A number of standard abbreviations are used here; their meanings are given in that introduction. As set out in Practice Note: Data protection negotiation guide—controller: processor—introduction: the parties may commercially apportion between them the costs and expenses of fulfilling these obligations the UK GDPR closely aligns with the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and the Guide concentrates on the position under the UK GDPR. For information on the background to the UK GDPR and its...

This Practice Note sets out pragmatic guidance on moving goods among the UK, Northern Ireland and the Republic of Ireland (and between these territories and other EU Member States). It also explains what to do where consignments could be deemed at risk of entering the EU, and outlines how companies can seek authorisation to move goods into Northern Ireland. Introduction During negotiations over the United Kingdom’s withdrawal from the European Union ( Brexit), both sides recognised the need to safeguard the 1998 Northern Ireland peace settlement (the Good Friday Agreement). The challenge was devising a workable answer to the reality that the Republic of Ireland would stay within the EU single market, while Northern Ireland would leave the EU alongside the UK. The initial approach proposed that the UK, including Northern Ireland, would continue within the EU customs union until a...

FORTHCOMING CHANGE: On 19 June 2025, the Data ( Use and Access) Bill obtained Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025) and coming partly into force on that date. Parts 5 and 6 serve to amend aspects of UK data protection and e Privacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications ( EC Directive) Regulations 2003, SI 2003/2426. Some DUAA 2025 provisions, covering matters such as dealing with data subject access requests and the conferring of power to make further regulations, came into immediate effect on 19 June 2025. Other provisions, addressing notices from the Information Commissioner and certain aspects of law enforcement processing, will take effect on 19 August 2025 (being two months from the date of...

The tort of misuse of private information is the chief route for enforcing privacy rights, and is relied upon to protect privacy rights, at least against defendants who are not public authorities, and is often the principal claim advanced. Yet, in any particular dispute, a claimant would be prudent and well advised to assess whether deploying alternative causes of action could reinforce their privacy case. As Lord Hoffmann remarked in Wainwright v Home Office (para [18]), there are various common law and statutory remedies for which protecting privacy is among the underlying values they secure. This Practice Note reviews six causes of action that may bear upon a ‘privacy claim’. For more information on misuse of private information claims, see Practice Notes: Starting a claim for misuse of private information—a practical guide Responding to a claim for misuse of private...

Developers, manufacturers and distributors in digital health—spanning m Health apps and any associated Software as Medical Device ( Sa MD), artificial intelligence ( AI) system or Artificial intelligence as a Medical Device ( AIa MD)—must meet stringent data protection regulations in tandem with regulatory compliance across the entire lifecycle, from development through to commercialisation This Practice Note concentrates on data protection and privacy issues for m Health (mobile health) and also considers the tighter safeguards governing the collection of an individual user’s health data. It does not cover broader life sciences regulatory matters, such as those relating to medical devices What is m Health? For related guidance, see: Practice Note: Digital health—regulation of m Health apps and medical software. Practice Note: Mobile app development and data protection. Practice Note: Digital health—data protection and privacy case studies, including wearables and AI...

Meditech scenario on database right and database copyright This training scenario sits alongside Precedent: Rights in databases—training materials, as companion guidance. It is intended to support newcomers in applying what they have learnt, and in developing a fuller, more confident understanding of the topic. Background facts: Meditech delivered a health screening service to Custech through an internet-based analysis and reporting platform. A medical device captured a patient’s reading, and those readings were stored as patient data for later reference. The patient data were then entered into the platform using a web-based processing system, and subsequently reviewed by a qualified professional who chose from a range of menu options. These menus corresponded to variables held within a database system within the platform. The database comprised a series of classifications of relevant physical characteristics, such as resting heart rate, as recorded by the device. For each...

ARCHIVED This archived Tracker helps determine whether a state is a signatory to the Lugano Convention 2007 and if it has taken effect in that state. The EU has refused the UK’s request to accede to the convention in its own capacity. It is not updated and is provided purely for background. For fuller guidance on the extent to which the Lugano Convention 2007 will, after IP completion day (ie 31 December 2020, at 11 pm) and notwithstanding the EU’s rejection of the UK’s accession, still be applied by the courts of England and Wales, as well as by the courts of the remaining contracting states in matters involving a UK element, see the following Practice Notes: Brexit post implementation period—considerations for dispute resolution practitioners [ Archived]— Jurisdiction Lugano Convention 2007—application to the UK post IP completion day...

Brexit: On 31 January 2020, the UK left its status as an EU Member State and moved into an implementation period, during which EU law continued to apply fully. Throughout this period, the GDPR remained in force in the UK and the UK was generally regarded as an EU (and EEA) country for the purposes of EEA and UK data protection law. Accordingly, any mentions of EEA or EU states in this Practice Note should be understood to include the UK until the end of that implementation period. For additional detail on that phase, its length, and the privacy regime expected to apply afterwards, see Practice Note: Brexit—implications for data protection [ Archived]. ARCHIVED: This Practice Note is archived material and sets out the position before the General Data Protection Regulation became applicable. It is provided for background purposes only and is not being...

ARCHIVED : This Practice Note has been archived and is not maintained. This Practice Note examines how the UK’s departure from the EU influences the application of Regulation ( EU) 1215/2012, Brussels I (recast), when determining jurisdictional disputes. It addresses: the applicable provisions in the Withdrawal Agreement between the UK and the EU; relevant domestic legislation, including, where relevant, transitional provisions, together with the position of the EU Commission; the implications of the UK becoming a third state as a consequence of leaving the EU. It should also be noted that other jurisdictional regimes are affected by the UK leaving the EU. For guidance, see Practice Note: Brexit post implementation period—considerations for dispute resolution practitioners— Jurisdiction. For specific guidance on the position during the implementation period, see Practice Note: Brexit implementation period—jurisdiction [ Archived]......

This Practice Note explores jurisdiction agreements (choice of court agreements): what they achieve, why they are adopted, and comparable arrangements pursuing the same objective. It outlines the main categories of jurisdiction agreement together with remedies available if one is breached. For assistance distinguishing the different types, see: Determining court jurisdiction—overview. It is likewise essential to grasp the operation of any formal jurisdictional regime. For insight into which regimes may apply, see Practice Note: Jurisdiction rules. A principal regime is the Hague Convention on Choice of Court Agreements. That convention applies between the UK and other contracting states in proceedings where the parties have entered into an exclusive jurisdiction agreement... What is a jurisdiction agreement? A jurisdiction agreement is the parties’ undertaking specifying which court(s) will have authority to determine disputes that could arise between them. For clarity on the concept of...

Contract Where an agreement is entered into by two or more parties, it may include a promise or obligation undertaken by two or more of them. Any such promise may be: joint several joint and several Whether an undertaking in contract is joint, several, or joint and several is a matter of construction, depending on the parties’ intention as revealed by the terms of the contract. For example, in Rhinegold Publishing v Apex Business Development, statutory demands were issued against Rhinegold Ltd and a related company, Tannhauser Ltd, for approximately £22,000 and £31,000 respectively. A settlement agreement followed under which the parties agreed to pay the sums due, but Tannhauser did not fully comply. Although the agreement was silent on liability, the High Court decided that, on a proper reading, the parties were jointly and severally liable. As a result, Rhinegold had to meet the...

The Investigatory Powers Act 2016 ( IPA 2016) The IPA 2016 establishes the statutory framework regulating covert surveillance by public authorities, superseding what had previously been largely—though not entirely—set out in the Regulation of Investigatory Powers Act 2000 ( RIPA 2000). In May 2021, the Grand Chamber of the European Court of Human Rights delivered its judgment in Big Brother Watch v UK, addressing the historic reliance on RIPA 2000 to authorise bulk interception operations. The Grand Chamber accepted that bulk interception and international data sharing can be necessary in a democratic society, while urging a range of safeguards—such as independent authorisation and protections for confidential material—which are now, for the most part, reflected in the IPA. See News Analysis: Another blow for UK’s intelligence gathering regime ( Big Brother Watch and others v the United Kingdom). Where those safeguards required...