Who: Soccer Savings (Scotland) Ltd and Scottish Building Society
Where: Outer House of the Scottish Court of Session
When: June 2013
Law stated as at: 3 July 2013
The Outer House of the Scottish Court of Session decided that where a party to a contract (the “Contract”) had agreed to use “reasonable endeavours” to comply with the Data Protection Act 1998 (“DPA”) and the Contract allowed termination on grounds of “breach of a material term”, it was such a breach when a party procured the sending of a mailing to prospective customers in breach of the DPA, but it was not a material breach by that same party when it was not notified with the Information Commissioner’s Office (“ICO”)as a data controller at the time of the mailing.
The party in breach was Soccer Savings (Scotland) Ltd (“SSSL”). SSSL operated “football affinity savings schemes.”
These are savings accounts for football fans marketed under their football club’s brand.
In this case, Scottish Building Society (“SBS”) provided the savings account and SSSL took responsibility for promoting the accounts to the fans by arrangement with various Scottish football clubs.
A key part of SSSL’s marketing plans involved a similar scheme operated by a separate, but closely connected company.
This was Soccer Savings Ltd (“SSL”), whose directors were also on the board of SSSL. SSL had operated an affinity scheme with Scottish football clubs such as Rangers by arrangement with the Dunfermline Building Society, later taken over by the Nationwide Building Society. We will call the savings accounts in question “NBS Accounts”. That scheme had subsequently been cancelled by NBS following disputes with SSL.
SSL makes its list available for marketing SSSL’s alternative affinity scheme
The plan was for SSL to make its list of NBS Account holders available to two relevant football clubs, so that the clubs could send the fans a mailing inviting them to join SSSL’s new scheme and transfer into it funds currently in the NBS Accounts.
However, this and other promotional tactics produced disappointing results and SBS terminated the Contract on various grounds including breaches by SSSL of processing and notification obligations imposed on it by the DPA.
SSSL initially said it would continue to perform the Contract but then exercised what it said was its right to terminate the Contract because of SBS’s alleged repudiatory breach. SSSL subsequently sued SBS for damages for breach of the Contract.
SBS defended on the basis that SSSL was in material breach of the Contract, thus entitling SBS to terminate.
Three key questions for the court were:
1. Did the use of SSL’s account holder list to promote SSSL’s scheme breach the DPA?
• The Court held that it did breach the DPA. When SSL captured the contact details of fans wanting to open NBS accounts, it did not obtain consent to either make this data available to the football clubs or to use it for the purposes of promoting an alternative savings account.
2. If this use of NBS Account holder details did breach the DPA, given that the Contract expressly obliged both parties to comply with the DPA and allowed a party to terminate without liability if the other was “in breach of a material term,” was the use of the SSL account holder list a “breach of a material term”?
• The Court held that it was, taking the view that the breaches in question went to the heart of the [Contract] and entitled SBS to terminate it. It was central to SSSL’s plan to achieve the transfer of a significant proportion of the funds in NBS Accounts. “An important component of the SSSL’s performance of its obligations under the of the [Contract] ” said Lord Hodge, “involved it in the breach of statutory data protection rules and that illegality materially impaired that performance.”
3. Was SSSL’s failure to ensure that it was notified with ICO as a data controller at the time of the mailings in question also a “breach of a material term” of the Contract?
• The Court held that it was not. Although the judgment gives little indication of the reasoning behind this, one presumes it was felt that unlike the other data protection breaches, this did not go to the heart of the Contract or materially impair its performance.
Why this matters:
A timely “privacy impact assessment” of the kind increasingly encouraged by ICO and now expressly provided for in proposed EU data protection reforms might have made all the difference in this case.
The judgment also shows how failure by marketers to comply with data protection law may not necessarily lead to direct enforcement action by ICO, but can just as comprehensively undo a marketer if nothing more than standard data protection boilerplate is contained in a relevant agreement.
In fact the wording that applied here might be described as below the normal benchmark, as it read as follows:
“The parties shall use their respective reasonable endeavours to comply with the Data Protection Act 1998 and any regulations made thereunder or pursuant thereto and any statutory amendments or re-enactments thereof.”
Therefore only “reasonable endeavours” were required, but they still saved SBS’s bacon here as all its alternative defences, including misrepresentation, failed.