The importance of clarity and consistency when drafting bespoke amendments to contract documents

The recent TCC judgment in John Sisk and Son Limited (Sisk) v Capital & Centric (Rose) Limited (C&C) has demonstrated the importance of clear and consistent contract drafting, particularly in relation to the incorporation of contractors’ “schedules of derogation” or “schedules of clarification”.

Sisk v C&C – Background

Sisk and C&C entered into a JCT Design & Build Contract 2016 (as amended) (the Contract) on 20 May 2022. The works to be carried out included the design and construction of two new residential buildings, repairs and refurbishment of two listed mills and two further existing buildings together with external and other associated works. The dispute centred around which party was contractually responsible for the risks associated with the existing structures on the site and the ability of those structures to support the proposed works.

A dispute was initially referred to adjudication to consider two issues: first the ground condition; and second the existing structure. The Adjudicator found in C&C’s favour, ruling that the responsibility for ground conditions and the existing structure was solely Sisk’s risk.

As a result of the Adjudicator’s decision, Sisk issued Part 8 court proceedings, seeking declaratory relief in connection with the allocation of risk under the Contract.

Risk allocation for the existing structures was set out in clauses 2.42.1 to 2.42.3 of the amended conditions. In summary, Sisk was stated to be responsible for risk in relation to the existing structures and ground conditions. However, clause 2.42.4 read “this clause 2.42 shall be subject to item 2 of the Clarifications”. The definition of Clarifications was “the clarifications headed ‘Contract Clarifications’ contained within Volume 2, Appendix 2.9 of the Employer’s Requirements”. The Judge focused on this definition and whether there were any inconsistencies in the contract documents. The Judge ultimately disagreed with the Adjudicator’s decision that Sisk was solely responsible for the existing structures and ground conditions.

In particular, the Judge noted that the electronic version of the Contract included two clarification documents, the ‘Contract Clarifications’ and the ‘Tender Submission Clarifications’, whereas the paper version of the Contract included only one clarification document, the ‘Contract Clarifications’. The Judge had to determine what documents had been included within the Contract and what fell within the definition of Clarifications.

This question had substantial implications for the parties’ liabilities. This was because item 2 of the Contract Clarifications document provided that “the Employer is to insure the existing buildings/works”, whereas item 2.1.02 of the Tender Submission Clarifications conversely stated that C&C would procure insurance “in line with JCT Option C”.

TCC judgment – pre-contractual negotiations

Both parties submitted evidence of pre-contractual negotiations to support their respective positions. The Judge, however, generally prohibited the parties from relying on pre-contractual negotiations. It was considered that “evidence of pre-contractual negotiations is admissible to establish that a fact was known to both parties”. In this case, “any admissible evidence would need to be directed either to a particular known fact or to the general object of the contract”. The Judge decided that they had no proper basis to have regard to the pre-contractual negotiations as admissible evidence of the issues in dispute.

TCC judgment – Which contract documents?

The Judge also had to address the issue of what documents formed the Contract. C&C argued that the Contract definition of “Clarifications” included both the Contract Clarifications and the Tender Submission Clarifications. The Judge, however, rejected this argument, stating “…Section 2.9 referred to a Clarifications Document, not to a Contract Clarifications Document. The contract definition refers expressly to “the clarifications headed “Contract Clarifications” contained within Volume 2, Appendix 2.9 of the Employer’s Requirements”… this can only be referring to the specific contract clarifications worksheet which is “within” the Clarifications Document, rather than to the whole workbook…”

TCC judgment – Clarification definition

In light of the above, the dispute hinged on the fact that “contract clarification two” stated that “the Employer is to insure the Existing buildings/works. Employer also to obtain warranty from Arup with regard to the suitability of the proposed works. Employer Risk”. The Contract failed to provide definitions of Existing Structure Risk or Employer Risk. While it was difficult to see what risk had been allocated to C&C in the absence of sufficient definitions, the Judge objectively concluded that C&C had accepted the contractual risk associated with the suitability of the existing structures, and that this risk solely fell on C&C, rather than Sisk.

Difference in ‘incorporating’ and ‘referring’ to a document

In this case, the conditions of contract were amended such that clause 2.42.4 was to be subject to the ‘Clarifications’, being contained within the Employer’s Requirements, a contract document. In the comparable matter of Workman Properties Ltd v Adi Building & Refurbishment Ltd [2024], the contract stated that Adi had examined the Employer’s Requirements and had agreed to accept full responsibility for any design. The Court had to consider whether paragraph 1.4 of the Employer’s Requirements meant that Workman had warranted to complete the design to the end of RIBA Stage 4, and whether this was capable of overriding Adi’s obligations. The Court concluded that the Employer’s Requirements were “nowhere near sufficient to require the other unequivocal contract provisions to be read as so heavily qualified”. The Employer’s Requirements therefore did not override the contractual terms here, and Adi remained responsible for ensuring the design was sufficient and adequate for construction.

In Workman, the contents of Employer’s Requirements were not capable of overriding conditions of contract. In Sisk, however, the fact the Employer’s Requirements had been directly referenced in the conditions of contract meant that the opposite was true (i.e. that the Employer’s Requirements outranked the conditions). Readers should note that simply incorporating a contract document within the contract may not have the intended impact, as opposed to expressly referring to the contract document in the conditions. Parties should therefore consider how the contract documents are to be utilised and referred to, and whether an order of precedence clause should be deployed to properly record the parties’ intentions with regard to the contract documents, especially where there may be inconsistencies between documents.

Michelmores’ comments – learning points

These cases highlight important learning points that parties should be mindful of when drafting definitions and incorporating documents into contracts:

  • Construction contracts are commonly made up of agreements signed by the parties, which often refer to a set of underlying ‘contract documents’. The contract documents can include specifications, drawings and other particulars that will help define the scope of a party’s obligations. The terms of the contract should clearly identify and incorporate those documents. The parties should also check that any definitions contained in the contract documents align with the express terms of the contract. This can be particularly relevant where a party is using standard form contracts, such as a JCT contract, where pre-existing definitions may not match bespoke specifications and schedules.
  • Should a dispute arise as to the interpretation of a contract, Judges may not readily consider pre-contractual negotiations between the parties, as this can only be done in limited circumstances. All information should therefore be included within the terms or in the relevant contract documents. This will minimise the risk of a dispute arising, or there being a need to refer to pre-contractual negotiations to resolve any dispute.
  • Parties need to ensure that risk and responsibility are clearly allocated. Where carve-outs are being used, no matter how limited, it is essential the accepted risks are clearly and correctly recorded. This is reinforced by the Judge’s comment that “the bespoke provisions illustrate how negotiations and agreements of such issues can lead to a final contract position of some complexity”. Such mistakes can cause unwanted headaches with the ‘losing’ party suffering additional unexpected costs and liabilities.
  • Proper consideration should be given to the procurement and drafting of contracts. Contracts should be drafted with appropriate oversight (including legal input where necessary) which can help minimise the risk of such disputes arising. A modest expense up front in getting the drafting correct can avoid a costly mistake down the line.

Should you have any queries or need assistance with contract drafting or any dispute, please do not hesitate to contact Anna Wood (Partner) or Andrew Pratten (Associate) in Michelmores’ specialist Construction and Engineering team. With thanks to Charlotte Pottow (Trainee Solicitor) for her contributions to this article.

EU Settlement Scheme (EUSS) status automation: what you need to know

Following the UK’s exit from the European Union, the EUSS provided 5.7 million EEA and Swiss citizens, together with their family members, the opportunity to continue living and working in the UK.

Under the EUSS, successful applicants would either receive ‘pre-settled’ or ‘settled’ status, based on the following residence criteria:

  • ‘pre-settled’ status – limited leave to remain in the UK, usually granted where the applicant has been resident in the UK for less than five years.
  • ‘settled’ status – indefinite leave to remain in the UK, usually granted where the applicant has been resident in the UK for at least five years.

Prior to the changes introduced towards the end of January 2025, individuals holding pre-settled status were required to submit a further application for settled status upon reaching the five-year residency mark. Under the recent changes, the transition from pre-settled to settled status will be automated, subject to the individual meeting the eligibility criteria.

Why?

In short, because the Court said so! In the landmark case Independent Monitoring Authority v Secretary of State for the Home Department 2022[1] the High Court sought to determine the true nature of the Withdrawal Agreement, and how this should have been applied by the government following Brexit.

In this case, the High Court found that the EUSS procedure in its previous form represented a significant breach of the Withdrawal Agreement. The Court ruled that, because there was an onus placed on the individual to apply for settled status once eligible, and to not do so would most likely result in them losing their legal status, this plainly circumvented the protection and rights afforded to EEA (and Swiss) nationals under the Withdrawal Agreement.

The Court found on two points:

  • (i) An individual cannot lose their right of residence in the UK just because their pre-settled leave has expired; and
  • (ii) Provided that the conditions in Article 15 of the Withdrawal Agreement (continuity of residence) are met, a person with pre-settled status will automatically acquire settlement.

Implementation – strategy and roll out timescales

The Home Office has set out its planned strategy to ensure the EUSS procedure is fully compliant with the Withdrawal Agreement terms, as follows:

  • In respect of point (i) of the judgment, pre-settled status will not expire. Expiry dates have been removed from individuals’ digital immigration profiles, and cannot be viewed by employers, landlords or any other person confirming a check. Further, employers and landlords are no longer required to conduct ‘follow up’ checks where, previously, the individual’s pre-settled status displayed an expiry date.

However, the same rules continue to apply in respect of curtailment or cancellation where the individual no longer satisfies the continuous residence requirements, i.e. they must not stay outside the UK for more than 180 days in a rolling 12-month period (note, this approach to absences under the Withdrawal Agreement is more lenient than the standard approach, which uses demarcated 12 month periods, starting on the same date each year).

  • In compliance with point (ii), the Home Office has introduced an automated process that will convert eligible pre-settled status holders to settled status, without the need to make a further application.

The Home Office confirmed that the updated procedure will be rolled out in phases. The first phase started in late January 2025, and the next later in the year. Therefore, eligible individuals who hit the five-year residence mark prior to the next tranche being contacted may still submit an application for settled status. There is no need to wait for the Home Office to get in contact.

Actions for eligible pre-settled status holders

In line with the roll out timetable, those reaching the five-year mark will be contacted by the Home Office to confirm that it will be considering their eligibility for settled status.

To conduct the assessment, the Home Office will review records using government held information, such as tax records, to verify continuous residence, and the Police National Database to determine whether there has been any criminal conduct that would bring eligibility into question.

Pre-settled status holders who are approaching five years in the UK should be proactive in ensuring that the personal information listed on their UKVI account, such as address and telephone contact number, is accurate and up to date, so that the Home Office can successfully communicate when they will be considered for switching into settled status, and the decision.

Thereafter, those successful will note an automatic change to their digital status to settled status, meaning they are free from immigration control and, in most cases, eligible to apply for British citizenship after one year.

Potential issues

Currently, the checks completed by the Home Office are restricted to whether the individual’s National Insurance number is/was active with HMRC or DWP for five continuous years.

Plainly, there are some immediate issues with this approach. Children, who only acquire a National Insurance number from age 16, will not be identified. Similarly, individuals who have not worked for the continuous five-year period, such as students, will not show as active with HMRC, unless they have engaged in supplementary employment alongside their studies.

Where the Home Office is unable to verify that an individual has acquired the requisite five years’ continuous residence, their pre-settled status will be extended for five years. However, if the individual believes that they have acquired five years’ continuous residence, and can demonstrate this by way of alternative acceptable documents, they are recommended to apply for settled status outside of the automated process.

Acceptable documents could include: mortgage/lease documents, council tax bills, utility bills, bank statements or phone records (these should be accompanied by corresponding bank statements).

For pre-settled status holders who:

  • Were resident in the UK by 31 December 2020; and
  • Maintained continuous residence for five years

but have since broken the conditions before acquiring settled status, the position is less clear. The Home Office recently released a statement to detail the implementation of the Independent Monitoring Authority, which sets out that pre-settled status can be cancelled or revoked where the individual no longer satisfies the conditions of residence set out in the Withdrawal Agreement. However, the Withdrawal Agreement states that such a measure can be taken only where “the Secretary of State is satisfied that it is proportionate to curtail that leave”. This is clearly an important distinction, but it is not included in the current Home Office guidance.

We are hopeful that, as and when such cases land on the Home Office’s desk, further guidance and clarity on what may be deemed proportionate in such circumstances will be released. Until then, there is significant scope for representations to be made on the unconditional language used by the Home Office, and what should be deemed as ‘proportionate’. We anticipate that this will be applied on a case-by-case basis, at least initially.

If you have any questions, please do get in contact with Nicole Hambleton or Lynsey Blyth to discuss.

[1] R (Independent Monitoring Authority for the Citizens’ Rights Agreements) v Secretary of State for the Home Department [2022] EWHC 3274

The Employment Rights Bill: what’s next after the latest round of amendments?

The Employment Rights Bill (ERB) was published in October 2024 and introduced nearly 30 employee-friendly reforms. Since then, there have been various amendments to the ERB, and the government has responded to a number of its initial consultations.

Below we look at some of the topics subject to amendments and explore how the ERB will change the employment law landscape over the next two to three years.

  • SSP – the original ERB proposed removing the four-day waiting period so that SSP became payable from day one of sickness absence. Amendments to the ERB will give employees earning below the lower earnings limit a right to SSP at 80% of their average weekly earnings. This means all employees – regardless of earning levels – will be entitled to some form of SSP from the first day of sickness.
  • Collective consultation – the original ERB proposed removing the wording ‘at one establishment’ from collective consultation obligations (which would have meant that any proposed redundancies involving 20 or more employees across any number of sites in the UK would have triggered the requirement to collectively consult). The good news for employers is the government has confirmed it will not introduce this change; however, it will seek to introduce an additional business-wide threshold to cover redundancies across multiple establishments (full details TBC). The ERB will also introduce changes in relation to consultation requirements with employee representatives and increase the maximum protective award from 90 to 180 days, for failure to collectively consult. For a more detailed look at the changes to collective consultation, see our recent article here.
  • Zero hours – The amendments to the ERB make provision for the rights relating to zero hours workers (including the right to guaranteed hours and reasonable notice of shift changes/cancellations) to be extended to agency workers. The ERB amendments also introduce the ability for workers (including agency workers) to contract out of the new rights by virtue of a collective agreement.
  • Fair Work Agency (FWA) – In its recent amendments to the ERB, the government proposes extending the FWA’s powers to include (amongst others), allowing the FWA to bring Employment Tribunal proceedings on behalf of workers who do not pursue a claim themselves and providing workers with legal assistance in employment proceedings, with the legal costs potentially recoverable from employers in the event of a costs award. This will mean employers will no longer be able to rely on employee reticence to bring a claim and a more proactive approach to compliance is likely to be needed to avoid enforcement action and fines. For a more detailed look at how the introduction of the FWA may change the regulatory and enforcement landscape for employers, see our recent article here.
  • Various other changes – the amendments also cover other topics, including introducing a requirement for employers to keep records for six years to evidence compliance with paid holiday entitlements under WTR 1998; various amendments to trade union legislation (see our article here for further details); enhancing the regulation of umbrella companies; and potentially introducing miscarriage bereavement leave.

The ERB is now in the House of Lords and further amendments may be made. Notwithstanding future amendments, the ERB (and accompanying regulations) will bring about significant changes for employers. Some of the ERB’s provisions will represent a complete shift in current practices and employers should consider taking preparatory steps to ensure they are ready for when the changes come into effect.

If you’d like to discuss how our Employment team can support your business in preparing for the ERB coming into force, please contact Robert Forsyth.

Changes to data protection law introduced by the Data (Use and Access) Bill

The Data (Use and Access) Bill (DUA Bill) proposes several reforms to the UK’s data protection framework and is expected to receive Royal Assent later this year. The House of Commons’ decision not to include amendments proposed by the House of Lords, which were intended to ensure that operators of web crawlers comply with UK copyright law, has led to a wave of calls for the Government to reconsider its position. At the time of writing, we wait to see whether the Government will revise its position.

In the meantime, in this article, we look more closely at some of the key changes which the DUA Bill will introduce to UK data protection law.

Key changes to data protection law introduced by the DUA Bill

1. Examples provided of “legitimate interests” for processing

The DUA Bill recognises that organisations are unsure about whether their purpose for processing will constitute a “legitimate interest”, which is one of the six lawful bases for processing personal data under UK GDPR. A new Article 6(11) sets out a non-exhaustive list of examples of activities which are more likely to constitute a legitimate interest.

The examples include processing that is necessary for direct marketing, intra-group transmission of personal data where necessary for internal administrative purposes, and processing necessary for the purpose of ensuring the security of network and information systems.

2. “Recognised legitimate interests” as a new lawful ground for processing

The DUA Bill also introduces a new lawful ground for processing. Under UK GDPR, data controllers are required to conduct a balancing test to determine if their legitimate interest in processing an individual’s personal data is overridden by the individual’s rights and interests. Following the DUA Bill, if processing is necessary for the purposes of a “recognised legitimate interest”, then data controllers will not need to conduct a balancing test.

Examples given of recognised legitimate interests include where the processing is necessary for the purposes of national security, public security and defence, responding to an emergency, detecting, investigating and preventing crime and safeguarding vulnerable people.

3. Processing for the purposes of scientific research

Scientific research is a special purpose that is granted various exemptions under UK GDPR. The DUA Bill introduces a broader definition of scientific research, to include research that “can reasonably be described as scientific”. It does not matter whether the research is publicly or privately funded or whether it is carried out as a commercial or non-commercial activity.

4. Relaxing the rules regarding automated decision-making

Automated decision-making is the process of making a decision by automated means, without any human involvement. Whilst this can bring benefits such as increased efficiency, the current UK GDPR prohibits automated decision making other than in a few specific cases.

Under the DUA Bill, the current prohibition is relaxed (provided that suitable safeguards are in place) to only apply where special category data is involved.

5. Relaxing the rules regarding international data transfers

The DUA Bill introduces changes that will enable personal data to flow more easily from the UK to other countries that offer the same level of protection. The Secretary of State will use a new “data protection test” to assess the standard of data protection in another country in the context of international transfers. The test looks to ensure that the level of protection in that country is not “materially lower” than in the UK.

The test will consider the wider context of the data transfer between the UK and another country, and how the data transfer may benefit the UK.

6. A new process for submitting complaints

The DUA Bill provides greater clarity for organisations regarding how to respond to complaints.

Organisations must put a complaints process in place, and data subjects must submit their data protection related complaints to the organisation in the first instance. The complaint can only be escalated to the Information Commissioner if it has not been addressed adequately by the organisation.

7. A new process for responding to data subject access requests (DSARs)

The DUA Bill sets out an “applicable time period” and procedure for responding to DSARs in certain circumstances. For example, an extension may be necessary due to the number of requests a data subject has submitted or where the data controller requires further information to proceed with the response.

The DUA Bill also clarifies that controllers only need to carry out “reasonable and proportionate” searches for information and personal data in response to a DSAR. This seeks to reduce the administrative burden and cost of responding to a DSAR.

8. Increased fines for e-privacy breaches

The DUA Bill proposes an increase in potential fines for breaches of the Privacy and Electronic Communications Regulations, including cookie and e-marketing breaches (such as predatory marketing calls which often target those at most risk of harm). Currently, the penalties for such breaches are limited to a maximum of £500,000. The DUA Bill increases these fines to align with the maximum under the Data Protection Act 2018 and UK GDPR, meaning that breaches can incur a penalty of up to £17.5 million or 4% of global turnover.

9. Relaxation of cookie consent requirements

The DUA Bill includes updates to the consent requirements for storage and access of people’s terminal equipment (the ‘cookies’ rule). This seeks to simplify the cookie regime, as it means that organisations need consent for fewer low-risk purpose cookies. This should reduce consent fatigue and allow organisations to more easily collect information for statistical purposes and to improve their websites.

Examples of where cookies can be used without consent are to prevent or detect fraud or technical faults in connection with the provision of the service requested, to collect information for statistical purposes to make improvements to the service or to provide emergency assistance.

Conclusion

The Government’s objective with the DUA Bill has been to balance a pragmatic approach aimed at easing compliance burdens for organisations and the public sector whilst not presenting a risk to the UK’s adequacy status for data flows between the UK and the EU. The UK’s supervisory authority, the Information Commissioner’s Office, has welcomed the proposed changes and confirmed that, in his view, “the proposed changes in the Bill strike a positive balance and should not present a risk to the UK’s adequacy status”.

For further advice on the proposed changes to UK GDPR, or more generally in relation to data protection law compliance, please contact Anne Todd, Moya Smith or other members of our Data Protection & Privacy team. We also offer a range of data protection training which can be tailored to meet your requirements.

This article is for general information only and does not, and is not intended to, amount to legal advice and should not be relied upon as such. If you have any questions relating to your particular circumstances, you should seek independent legal advice.

Navigating the legal risks as a business using Artificial Intelligence

Artificial Intelligence (AI) tools can provide an efficient and low-cost solution to overcoming many of the obstacles faced by early-stage businesses with limited resources. For example, OpenAI’s ChatGPT can help with troubleshooting, processing large data sets and drafting terms and conditions, whilst Microsoft’s Clipchamp can edit and produce slick marketing videos.

However, it is important to understand the limitations of this technology in order to protect your business from being exposed to risks. We explore some of the limitations of these popular AI tools below.

1. Unreliable and unbalanced output

  • AI tools such as ChatGPT are prone to “hallucinations”, meaning the generation of false information. In fact, the OpenAI Terms of Use specifically say that “Given the probabilistic nature of machine learning, use of our Services may in some situations result in Output that does not accurately reflect real people, places, or facts.” This could lead to liability and reputational issues where a business uses such output in a professional context, such as in the case of lawyers who were fined for citing fake case law generated by ChatGPT in their court filings.
  • The tools also have the potential for bias that reflects biases within a society, due to using imbalanced or discriminatory datasets. This can be particularly problematic when the tools are used as part of making business decisions, for example during the recruitment process, where AI is used to review resumes and identify candidate compatibility.
  • To mitigate these risks, output generated by AI tools should never be taken at face value and should instead be independently verified before being used. Further, if such output is going to be incorporated into goods or services provided to customers, then the customer terms and conditions should make clear that an AI tool has been used in the process.

2. Intellectual Property infringement and ownership issues

  • AI models are trained using content produced by third parties, and there is a risk of infringing intellectual property rights in doing so. As we reported last year, there is a conflict between the UK Government’s push for rapid AI development and a lack of guidance for tech firms regarding their responsibility to obtain consent from rightsholders. Without adequate guidelines in place, there will be increased litigation in this area. A recent landmark decision in the case of Kneschke v LAION at the District Court of Hamburg addressed the intersection of copyright and AI training when a photographer brought a claim against an AI research organisation for using his photographs in its training datasets without his consent. The court dismissed the claim.
  • Users of Microsoft’s Clipchamp, which uses stock media such as audio, video and graphics in order to create user videos, have faced copyright infringement claims. Whilst Clipchamp provides guidance for customers regarding how to respond to such claims and assures customers that they have the right to freely share the videos, there is a grey area in relation to stock media that Clipchamp has not licensed from its third party media partner. In addition, the Microsoft terms and conditions do not provide customers with recourse against Microsoft in the event of a copyright infringement claim and say that customers are “solely responsible for responding to any third-party claims regarding your use of the AI services in compliance with applicable laws (including, but not limited to, copyright infringement or other claims relating to content output during your use of the AI services).”
  • A business uploading data into an AI tool may also breach the licence terms pursuant to which that data was obtained, resulting in a damages claim or an injunction to stop using such content.
  • By using AI to develop a product, a business may also lose the ability to later protect their work. This was demonstrated in a recent case, where technologist Dr Stephen Thaler sought to have his AI, called Dabus, recognised as the inventor of a food container and a flashing light beacon. The UK Supreme Court held that a human inventor is required and that a person who is the owner of the AI machine that invented something, but not the actual inventor, is not entitled to a patent. An AI system cannot be an inventor under the Patents Act 1977.

3. Breaches of Data Protection legislation

  • AI tools process personal data as a result of scraping data such as names and images from websites. In doing so, the operator of the AI system must demonstrate compliance with the requirements of data protection legislation, such as having a lawful basis for carrying out such processing. In 2023, the Italian Data Protection Authority issued an interim emergency decision ordering OpenAI to immediately stop the use of ChatGPT for processing the personal data of Italian data subjects, on the basis that it violated several GDPR obligations.
  • Similarly, businesses deciding to process personal data using AI systems as part of their operations will need to ensure compliance with their own data protection obligations.

4. Breaches of Confidentiality

  • AI tools use content provided by users to train their models, meaning information that is input can later be included in output for another user. The OpenAI Terms of Use specify that a user’s content will be used to develop and improve the product, unless users specifically opt out and say that they do not want their content to be used to train the model.
  • This raises particular concerns if confidential information is input, as this could result in commercially sensitive information being unintentionally shared. For example, Samsung decided to ban employees from using ChatGPT after an employee leaked sensitive internal source code by inputting this into the system.

5. Punitive contractual terms

  • The terms and conditions offered by the providers of AI tools often significantly limit their own liability and place the onus and risk on users of the platform. For example, the OpenAI Terms of Use limit their liability to the greater of the amount paid for the service or $100, and require the customer to indemnify OpenAI for losses arising from third party infringement claims relating to the use of content generated using ChatGPT.
  • Where such terms are offered by a large enterprise such as OpenAI or Microsoft, they are likely to be non-negotiable, and so a business seeking to use such services will need to take a risk-based decision as to whether or not to accept this.

Businesses using AI technology should do so with caution. Having a corporate policy in place setting out rules and procedures for the safe use of AI can help to ensure that employees are informed and do not expose the business to the risks that we have outlined above.

If you would like further insight into this topic or advice on AI agreements, licensing arrangements or claims relating to intellectual property rights, our Technology & Innovation and Intellectual Property teams are well-placed to advise you.

Data protection: 10 key points for early-stage and scale-up businesses

Data protection laws apply to all types of businesses regardless of size, and early-stage businesses are not exempt. If you process the personal data of UK citizens, even if you are a non-UK business, you are likely to be subject to UK data protection laws. You may also have obligations under contracts with your customers or other companies to comply with these laws.

Setting up and scaling a business takes an enormous amount of effort. It is easy to be distracted by other priorities, but the risks relating to non-compliance are high, including substantial fines and risks of claims, potential criminal liability of directors and senior managers, damage to your reputation with customers, vendors, and potential investors and business continuity issues. Adopting the correct measures and establishing a framework for compliance is much easier to do in the early days when you are building your business processes and designing your products and services. It will help you to reduce these risks and to build trust and a positive reputation with your customers, vendors and potential investors.

In this article, we have summarised some of the key considerations under UK and EU data protection law.

1. What are the applicable data protection laws?

The Data Protection Act 2018 transposed the EU General Data Protection Regulation (EU GDPR) to become UK GDPR. Further codes and regulations apply, for example in relation to processing of children’s personal data, processing of biometric personal data, and use of AI. Regulations also apply to use of cookies and direct marketing.

Whilst in this article we will focus primarily on UK GDPR, we will come back to the other topics in further articles.

2. What is personal data?

Personal data is defined broadly and comprises data relating to any living individual who can be identified from that data either directly or indirectly.

It includes information such as: names, addresses, social security or other national identification numbers, telephone numbers, health information (of, for example, customers and employees), location data and online identifiers.

3. Who needs to comply?

All organisations which process personal data in the UK must comply with UK GDPR. UK GDPR also applies to organisations based outside of the UK which offer goods or services to individuals in the UK.

There are two types of organisations:

  • controllers: who decide what information should be collected and the purpose or outcome of processing that information; and
  • processors: who follow the instructions of somebody else in relation to data processing.

UK GDPR applies to both controllers and processors, but different requirements apply to each, with controllers having the highest level of responsibility. In practice most businesses will be controllers in relation to some of their data processing activities and processors in relation to other activities.

4. Check if you need to register the business with the ICO

Most small businesses must register as controllers with the Information Commissioner’s Office (the ICO) and pay a data protection fee (which for most small businesses is £40 a year). There is no minimum financial threshold or minimum number of employees which determines this.

Failure to comply can incur a fine of £4,000. The ICO undertakes routine checks against Companies House records to identify whether there are any companies which may need to register but have not yet done so. Non-registration can also lead to the ICO deciding to undertake a wider investigation or audit of the data processing practices.

To determine if your business needs to register and to register your business, you can use the ICO’s data protection fee self-assessment tool here.

5. Comply with the six key data protection principles

UK GDPR requires that you abide by six key principles. These principles require that personal data is:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purpose(s) for which it is processed;
  • accurate and up to date;
  • not kept in an identifiable form for longer than is necessary for the purpose(s) for which it is processed; and
  • kept secure using appropriate technical and organisational measures.

You need to keep these principles in mind in respect of all of your data processing activities.

In addition, personal data must be processed in line with individuals’ rights and not transferred to countries outside the UK without adequate protection. This will include using a data hosting facility located outside of the UK. At the current time the UK and EU have arrangements in place to recognise each other, which allows for data to be transferred freely between the UK and EU. There is also currently an arrangement between the UK and US; please see our article here.

6. Establish who will be responsible for data protection compliance within your business

As you grow your team, you will need to consider how data protection responsibilities will be managed within your business and by whom. For example, who will keep customer and staff records up-to-date and respond to data subject access requests (which we explore further in Data Protection by design and default – establish compliant business processes below)? Smaller businesses are likely to require external guidance from advisors with expertise in this area, such as to help with preparing key data protection documentation (see Prepare key documentation below).

Certain organisations are required to designate a data protection officer (DPO). A small organisation is unlikely to need a DPO, however you should identify who within the business will take responsibility for ensuring compliance and responding to any subject access requests and dealing with data breaches. As your business grows you should keep up to date with the ICO’s guidance regarding DPOs to determine if this requirement later applies to you.

You should also consider who will be responsible for information security within your business, to ensure that you have processes and infrastructure in place to protect personal data (such as by using encryption and training employees to avoid fraudulent emails).

We recommend researching the UK Government Cyber Essentials scheme and engaging with a cybersecurity expert to keep your business, your staff and your customer data safe from cyber attacks.

7. Identify the personal data that you will be collecting, and why you need this

The scope of data protection obligations that apply to your business will depend upon the categories of personal data that you collect and process. It is therefore important to identify all such categories. As mentioned above, personal data is very broadly defined pursuant to UK data protection law, and includes categories such as names, addresses, emails, telephone numbers, and bank or credit card details. It can also include more sensitive information, such as criminal records.

Once you have identified the categories of personal data that you are processing, you will need to be able to explain why you are processing it, and the lawful basis that you have for processing it. The ICO’s lawful basis interactive toolkit can be used to help determine the lawful basis.

8. Prepare key documentation

UK data protection law requires businesses to have certain key documentation in place, such as:

  • Data Processing Agreements: Whenever an organisation provides personal data to a third party (for example, as part of outsourcing your operations or services), there must be a data processing agreement in place that documents certain key terms. You can ensure that a compliant version of this agreement is used and avoid negotiations down the line by having a template form of this ready to be shared with third parties that you work with. You should carefully consider which third parties personal data is shared with, and regularly audit this.
  • Website Privacy Policy: This is displayed on your website, to provide users with key information regarding how you will collect, use and store their personal data when they interact with your website. The ICO’s website contains a privacy notice generator that can be used as a starting point. If you use cookies, you will also need a Cookie Policy to provide users with information and choice regarding your use of cookies.
  • Data Protection Policy: This is an internal document which sets out the principles and legal conditions under UK data protection law that your business will need to satisfy when handling personal data.
  • Employee Privacy Notice: This is an internal document that provides your employees with information regarding their rights in relation to personal data that your organisation processes and stores.

This documentation will need to be reviewed on an ongoing basis to ensure that it captures changes in data protection law and remains compliant.

9. Data Protection by design and default – establish compliant business processes

UK GDPR requires “data protection by design”, which means that you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated the principles of data protection into your processing activities and that individuals’ rights are safeguarded. The ICO explains that in essence, you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle. It is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the UK GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.

Certain business processes will need to be designed to ensure data protection compliance. For example, consider the following:

  • If a customer contacts an employee asking a query related to data protection (such as requesting that their data is erased), how will this be escalated to the appropriate person to respond? If your business receives a subject access request (a SAR), which is where an individual can ask you for a copy of any information that you have about them, you will be obliged to respond in a certain way and within certain timelines. Please see the ICO step-by-step guide on SARs for further information.
  • Before a customer interacts with your website, have you drawn your use of any cookies to their attention and provided the customer with the option to select the cookies that will apply to them?
  • Before you send marketing emails to a customer, have you obtained their consent for you to do so? The ICO website contains a direct marketing advice generator which provides guidance on using marketing in a compliant way.

10. Be prepared to respond to data breaches

If the personal data that your business holds is lost, disclosed, destroyed or altered without proper permission, this could amount to a personal data breach that may need to be reported to the ICO within 72 hours.

In addition, where a breach is likely to result in a high risk to the affected individuals, you must also inform those individuals without undue delay.

It is therefore important to have a procedure in place that employees are aware of and that will be followed should a data breach occur. This includes maintaining an internal record of all personal data breaches or suspected personal data breaches.

At Michelmores, we frequently advise early-stage businesses on data protection compliance matters through MiVentures, an award-winning programme which is dedicated to giving extra support to innovative and scalable businesses.

For advice on the particular issues relating to compliance with data protection covered in this article, please contact Anne Todd, Moya Smith or other members of our Data Protection & Privacy team. Anne and Moya have both worked as in-house lawyers at large enterprise customers as well as on behalf of scale-up and SME suppliers. We have an experienced team of experts who can advise you on data breaches, subject access requests and claims brought in respect of data breaches.

This article is for general information only and does not, and is not intended to, amount to legal advice and should not be relied upon as such. If you have any questions relating to your particular circumstances, you should seek independent legal advice.

How collective consultation may change under the Employment Rights Bill

Background

Since being published in October 2024, the Employment Rights Bill (the Bill) has been subject to continuous debate as it makes its way through Parliament.

On 4 March 2025, the Government published its responses to consultations (which commenced at the end of 2024) with business groups and unions on key aspects of the Bill, before publishing an Amendment Paper on 5 March 2025 outlining the proposed amendments to the Bill.

Included in the amendments to the Bill were various changes relating to collective redundancy as follows:

One establishment

The original Bill proposed removing the wording ‘at one establishment’ from collective consultation obligations. If passed, this would have meant that any proposed redundancy of 20 employees or more, regardless of whether these 20 are at the same establishment or different establishments, would have triggered the requirement for a collective consultation process. This would have been particularly onerous for multi-site employers.

Following the consultation, the Government explained it will no longer remove the wording; therefore collective consultation will only be required if 20 or more redundancies are proposed at one establishment.

However, the Government does intend to introduce an additional business-wide threshold to cover redundancies across multiple establishments, but it has not yet disclosed the full details of this. There is a suggestion the threshold would be based on either a percentage of the workforce or a set number of redundancies (over 20). The Government intends to set out the full details of the collective consultation process for multiple establishment redundancies in future regulations.

In response to concerns raised around delays and complexities should employers be required to consult with employee representatives across different establishments, the Bill now includes a provision that states that, in carrying out collective consultation, the employer does not need to consult all employee representatives together or try to reach the same agreement with all of the representatives. This is particularly relevant for employers considering future redundancies across multiple sites.

Protective awards

To encourage employer compliance, the Government also confirmed an amendment to increase the cap on protective awards in collective redundancy situations, where the award for failure to collectively consult will increase from 90 days to 180 days’ pay.

This increase in the protective award, combined with the existing Tribunal power to award (up to) a 25% uplift to a protective award, could have a significant impact on employers facing claims related to alleged failures to follow the Code of Practice on Dismissal and Re-engagement in a collective redundancy situation. This could be incredibly costly for employers, and compliance in collective redundancy situations will be all the more important if the changes come into force.

The Government also consulted on introducing interim relief for employees claiming collective consultation breaches in redundancy or ‘fire and rehire’ situations. This would have meant that where a Tribunal considered a claimant was likely to succeed in their claim, it would have the power to award the claimant immediate financial remedy (usually in the form of full salary pay until the case’s conclusion). Ultimately, the Government decided against incorporating interim relief into the Bill, due to the practical complexities of implementing it, and the likely effect of putting increased pressure on an already stretched Tribunal system.

Finally, the Government has confirmed that further guidance on consultation processes for collective redundancies will be produced in due course to assist employers.

To discuss how your organisation may be impacted by the proposals, or to discuss any of the other aspects of the Employment Rights Bill, please contact Robert Forsyth.

Tech & Innovation at Michelmores: driving sustainable growth and change

At Michelmores, our Technology & Innovation team is dedicated to supporting the growth of cutting-edge businesses and the development of transformative technologies. Through our expertise in legal support, we assist startups and established companies alike in navigating the complex challenges of the digital age. Below, we highlight some of the exciting and impactful work we’ve done with pioneering firms at the forefront of innovation.

Oriole Networks: Revolutionising AI with Photonics

Oriole Networks is a London-based tech firm on a mission to accelerate AI and machine learning in a sustainable, low-carbon world. Founded by University College London (UCL) scientists and entrepreneurs, Oriole’s groundbreaking technology leverages the power of light to connect thousands of AI GPUs directly, dramatically improving performance. This innovation can train large language models up to 100 times faster, using a fraction of the energy of traditional methods.

We were thrilled to advise Oriole Networks on its £10m seed round and £17.5m Series A funding round in 2024. This funding will help the company scale its energy-efficient AI solutions, addressing critical issues such as unsustainable power consumption in data centres. Oriole’s technology is set to revolutionise time-sensitive tasks like algorithmic trading, offering a transformative edge for industries worldwide.

Wilder Sensing: AI for Biodiversity Monitoring

Wilder Sensing, founded in 2021, is bringing AI into the field of conservation. The company developed a unique software solution that monitors biodiversity through audio analysis, helping to track and preserve ecosystems. In December 2024, we advised Wilder Sensing on securing a £300,000 equity investment from the South West Investment Fund. This investment will enhance the company’s platform, allowing it to expand its reach and improve biodiversity monitoring worldwide.

Wilder Sensing’s customers, including Somerset Wildlife Trust and ecological consultancies, are already using the platform to support biodiversity efforts. The company’s innovative technology is critical in combating the biodiversity crisis, and we are proud to be supporting their mission to create a more sustainable planet.

Sealeo: Revolutionising Vaccine Delivery

Sealeo, winners of the 2024 Imperial Enterprise Labs WE Innovate final, is tackling one of the global healthcare industry’s most significant challenges—vaccine wastage. Co-founded by Diana Epel and Emanuele Griccioli, Sealeo has developed a biodegradable material that maintains the safe temperature of medicines for 2.6 times longer than existing solutions. This breakthrough technology aims to drastically reduce vaccine wastage, particularly in last-mile deliveries, where 50% of vaccines are typically lost.

We provided legal advice on intellectual property protection as part of Sealeo’s participation in Michelmores’ MiVentures programme. Their environmentally friendly, cost-effective solutions promise to revolutionise the pharmaceutical supply chain while also reducing CO2 emissions associated with current packaging materials.

LIFELENZ: Transforming Workforce Management

LIFELENZ, an AI-enabled workforce management platform, is changing how businesses manage employee shifts and compliance. The Australian-founded company, trusted by leading global brands, provides businesses with tools to meet evolving market demands. We played a key role in supporting LIFELENZ’s entry into the UK market and its negotiations with leading Quick Service Restaurant brands, and in providing strategic advice on data protection, employment law, and company secretarial matters.

LIFELENZ is now poised to expand its innovative platform further into the UK and beyond, and we are proud to have contributed to its successful UK launch and ongoing growth.

South West Grid for Learning

We have supported South West Grid for Learning (SWGfL) in its efforts to enhance online safety, particularly in tackling the growing issue of non-consensual intimate image (NCII) abuse. The Firm advised SWGfL on its industry partnerships with major social media platforms such as TikTok and Bumble, which enable SWGfL to share image hashes with industry partners. This sharing increases the effectiveness of SWGfL’s reporting tool and, crucially, improves the support provided to victims of NCII abuse. SWGfL is dedicated to creating a safer online environment for everyone. They provide essential resources and education around digital safety, empowering schools, parents, and the wider community to better navigate the challenges posed by online harm.

As the proliferation of NCII has become an increasingly topical issue, the work done by SWGfL is more relevant than ever. This issue has gained heightened attention due to Meta and X (formerly Twitter) removing content moderators from their platforms, which has left users increasingly exposed to harmful content online. The legal expertise provided by Michelmores has helped guide SWGfL to better collaborate with tech companies, aligning both the legal and ethical considerations necessary to safeguard vulnerable users from the detrimental effects of online harm.

By providing this support, Michelmores has played an important role in the ongoing fight against online harm, particularly when it comes to the proliferation of NCII.

Conclusion

At Michelmores, our Technology & Innovation team is proud to be part of the journey of these trailblazing companies, providing the legal support that empowers them to scale and innovate. Whether through cutting-edge AI solutions, environmental sustainability, or digital safety, we are dedicated to helping our clients navigate the ever-evolving tech landscape while driving positive change across industries.

For more information or to get in touch, please visit our website.

Biodiversity in the bank: Conservation covenants vs. Section 106 agreements

As Biodiversity Net Gain (BNG) became mandatory in England in February 2024, landowners are increasingly recognising the opportunity to diversify by creating habitat banks, providing BNG units to meet the growing demand from developers. Habitat banks are areas of land where biodiversity is created, enhanced and legally secured for a minimum of 30 years, generating biodiversity units that developers can purchase from the landowner to offset the environmental impact of their development project and meet the 10% minimum mandatory BNG requirement (if this cannot be achieved onsite).

Legal mechanisms for securing habitat banks

There are two primary legal mechanisms under the Environment Act 2021 to secure habitat banks for the long-term: Section 106 agreements and conservation covenants.

Section 106 agreements

Section 106 agreements are planning obligations that bind the land with positive environmental commitments which run for at least 30 years from completion of the habitat enhancements. Section 106 agreements are familiar to local planning authorities (LPAs) and developers. Our experience is that increasingly, more LPAs are becoming willing to engage and enter into Section 106 agreements in relation to habitat banks. Key aspects include:

  • The main obligation is for the landowner to perform actions for habitat creation, management, and enhancement.
  • LPAs can monitor progress through regular reports on achieving the Habitat Management and Monitoring Plan (HMMP) objectives.

Conservation covenants

Conservation covenants are an alternative to Section 106 agreements, involving a legal agreement with a responsible body registered with DEFRA. At the time of writing, there are currently 24 registered responsible bodies and these are listed on the GOV.UK website. The obligations in a conservation covenant are similar to those in a Section 106 Agreement and a landowner may find:

  • A responsible body might be willing to be more flexible on the terms or take a view on a higher risk or complex project when an LPA will not.
  • A direct agreement with an environmental organisation could offer more support in terms of delivery and ongoing compliance.
  • A conservation covenant could be used when Section 106 agreements are not feasible or when LPAs lack resources to process them quickly.

Choosing between Section 106 and conservation covenants

The choice between these mechanisms often depends on several factors:

  • Capacity: If LPAs are awaiting additional resourcing or guidance, conservation covenants may be a faster alternative, if a responsible body can be found that is willing to enter into a conservation covenant.
  • Cost: Whether the habitat bank is secured by conservation covenant or a Section 106 agreement, there will be a fee payable to the LPA or responsible body for monitoring the HMMP. As more LPAs are entering into Section 106 agreements and more responsible bodies are being registered with DEFRA, the market is becoming increasingly competitive. The financial implications of the ongoing monitoring costs and the timing of payment of those costs will play a crucial role in determining the most suitable mechanism for a landowner and should be explored at the outset, where possible.
  • Flexibility: Conservation covenants may provide greater flexibility in some cases, especially for larger or more complex habitat banks.
  • Timing: Some LPAs are introducing a “call for BNG sites” process and applications will only be considered through this mechanism; early communication with the LPA is key.

Conclusion

Both Section 106 agreements and conservation covenants play vital roles in securing habitat banks for BNG. As the BNG market continues to evolve, it is likely that both mechanisms will coexist and the choice between these mechanisms should be based on specific project needs, commerciality, and the timing of securing biodiversity units.

If you are considering entering into a Section 106 agreement to set up a Habitat Bank and would like advice, please contact Harriet Grimes, Helen Hutton or Fergus Charlton.