Wednesday, 20 October 2010

Privacy - do companies need specific power to share / use personal data?

This blog was prompted by a comment by clerkendweller on my report of the ICO's personal data sharing code consultation, about a sentence on p. 7 of the consultation paper -

The consultation mentions that private sector organisations should be able to "identify a power which permits the organisation to [disclose or share information]". The CoP suggests this might be in a company's memorandum and articles of association. [WH's note: the consultation paper said on this, "A private sector organisation’s powers are likely to be set out in, or to derive from, its constitutional documents, such as a company’s memorandum of association, rather than statute."]

Have you come across this in an actual MAA, and if so, do you know what sort of wording directors should be looking for? Maybe a corporate information policy would be a better suggestion?

This blog is my reply, because the answer to clerkendweller's question isn't as straightforward as one might like. It's affected by political, commercial and indeed historical issues more than legal ones, probably. It also depends partly on whether you're the company itself, or a third party dealing with the company.

I'm talking only about English law and "normal" English companies; and I'll ignore the issue of company directors exceeding their authority, which is another matter (something may be within the powers of a company, but not within the powers of its directors to authorise).

I also don't discuss what rights individuals might have if a company holding their personal data discloses it to someone else without having power to do so! Which is some ways the more interesting question, but wasn't what was asked, and would take even more blogs.

The short answer

It can now be generally taken that an English company of the bog standard variety has the capacity to share data, even without express specific powers in its constitutional documents to do so (and assuming the lack of certain special circumstances which corporate lawyers ought to know to look for, eg where the company is a charity).

However, most lawyers will probably say someone dealing with the company should still scrutinise its constitutional documents, and pay lawyers for doing that of course. Full reasons below.

The company itself, to make sure its own house is in order, would probably want to check it doesn't have restrictions in its own mem / arts preventing it from sharing data (unless of course that's the intention).

The long answer

To explain the answer properly, we need to consider corporate powers generally.

First, some background. Companies aren't "natural persons", of course; they're a legal construct, owing their existence and legal status to legislation by lawmakers made from the 19th century onwards.

Companies, as artificial creatures, only have capacity to do what the law says they can do - which was, largely, what was specified in the documents constituting them, filed on registering the company or when updated and publicly available for a fee. In the UK people call those constitutional documents the memorandum and articles of association, or "mem and arts".

However, people dealing with companies have sometimes found that a company has tried to get out of the deal, saying "Oh I'm just a company, I didn't actually have the power to do this deal with you, so tough luck".

Now why should those dealing with a company take the risk of the company not having enough powers? That risk should fall on the company itself, rather than third parties suffering the consequences if the company acted outside of its powers (ultra vires).

That's what lawmakers felt, too. Which is why they tried, several times over the years, to change the law to make it crystal clear (or so they thought) that innocent third parties shouldn't be prejudiced by internal restrictions on companies' powers.

The latest attempt to sort this area out was the Companies Act 2006, whose provisions on corporate capacity came in over a year ago.

Every English company should now effectively have the capacity to do anything - unless the company's articles specifically restrict what it can do (the extraneous stuff contained in the mems of pre 1 October 2009 companies is now considered to be part of the arts).

Even if there are restrictions of that kind, section 39 of the CA 2006 says (emphasis added) -

"39  A company's capacity

(1)     The validity of an act done by a company shall not be called into question on the ground of lack of capacity by reason of anything in the company's constitution.

(2)     This section has effect subject to section 42 (companies that are charities)."

This new law, from 1 October 2009, applies to existing English companies just as much as it does to companies incorporated after that date.

So an English company's ability to do things may be considered generally unrestricted, as far as third parties dealing with the company are concerned (with some limited exceptions, eg in the case of charities, or where the person dealing with the company is actually its director or connected to its director).

But now let's consider the big deals where people feel they need to bring out the lawyers.

It's been standard practice for years, when you're going to enter into a major transaction with a company, for your lawyers to check the company's constitutional documents to make sure that the company has the power to do the deal with you.

One main area where this happens is when a company wants to borrow money. The bank's lawyers will check the company's constitution, supposedly to make sure it has the power to do everything it has to do for the deal (borrow money, give security etc). The borrower pays for all this, of course. It pays its own lawyer's fees, it pays the bank's lawyer's fees. That's just life if you're a borrower trying to get finance.

In (2010) 7 JIBFL 395 (that's the Journal of International Banking and Financial Law, 1 August 2010 - subscriber-only access) Richard Bethell-Jones wrote an article "Checking constitutional documents: business as usual or money for old rope?".

There he pointed out that all these laws really ought to make people comfortable about not having to check companies' constitutional documents and the like, except in certain limited situations.

He says in trenchant terms that all this checking and re-checking is mostly a big waste of time, resources, money and paper. In fact, he think's it's "money for old rope" -

"My view is that the other reasons given for continuing these checks are unconvincing. If they convince you, please get in touch, because I can let you have the Eiffel Tower at a very advantageous price…

…I think that if the lenders paid for these checks out of their own pockets they would quickly tell their lawyers to devise
an effective sifting system, and stop checking when it isn't needed. But they do not pay; the borrower pays. Until the
borrowers tell their lenders they are not going to pay for the lenders' lawyer to make these checks (or supply it with copies
of their constitutional documents for that purpose) when it is clearly unnecessary, this ludicrous 19th century practice will
continue. It will, indeed, be business as usual."

While his article was written in the context of bank loans, the same principle applies to other powers of companies, like the power to share data.

I'm with Richard here. You shouldn't have to put specific powers allowing data sharing into English companies' constitutional documents, nor should people dealing in good faith with English companies need to check for those specific powers, in the vast majority of cases. Lawyers should of course be aware of the few cases (eg charities) where they do need to make those checks, and do them then. But not otherwise.

People dealing in good faith with English companies should be able to trust that those companies generally have power to disclose or share information (and indeed to collect and use personal data), without having to inspect their constitutional documents.

But would most lawyers (who do get paid for checking constitutional documents) agree with that view?

By training, if not temperament, most lawyers tend to be cautious conservative types.

For a company that wants to share personal data, its lawyers may well want to put into its constitutional documents specific wording spelling out powers to share personal data etc, "just in case". (Of course, for the company they really ought to make sure any restrictions on data sharing etc in the mem / arts are got rid of, although in most cases it seems unlikely that there would be any. "No restrictions on sharing" is obviously not the same thing as having specific powers to share data, but is now equally if not more important to check that.)

Similarly, lawyers working for someone obtaining data from a company will probably want to look at the company's constitutional documents to ensure that it has powers to share data, or at least no restrictions on those powers - whether they actually need to do that to protect their client, or not.

It would take a brave law firm to go against years and years of "Check the Mem and Arts!" Especially when doing that provides a steady if not always significant source of income for lawyers.

Richard also made the point that when law firms issue legal opinions to clients, it's standard practice to check constitutional documents - and it's easier to keep doing that rather than say in the legal opinion that it really doesn't matter to the third party what the company's constitutional documents contain as long as the third party is acting in good faith (and if they're not dealing in good faith, they may be in trouble, and checking the mem and arts won't do them any good then).

Richard hoped "the legal community would wake up and smell the coffee". We shall see!

(By the way, the environmentally-conscious may also applaud Richard's having a go at the practice of making those seeking finance print out and hand over "boxes and boxes" of hard copy constitutional documents -

"at completion bearing an illegible mark made in ink to certify its authenticity. This is the digital age, for heaven's sake."

- and his view that borrowers could justifiably tell lenders to go whistle for signed hard copies (my paraphrase!), they don't need them and "it is simply impertinent of the lender to ask for them.")

Declaration of interest - I know Richard well and am a huge fan of his. For many years, working mainly for banks rather than borrowers, he was a member of the elite, invitation-only City of London Law Society's Financial Law Committee, and I've been privileged to work with him as well as some other members of the Committee. He has one of the best legal minds you'll ever find, and he's robust to boot - not in the bad sense of "Oh don't worry about trivial things like the law, just do whatever you like" (which I've encountered in more than one or two lawyers), but in the good sense of being commercially pragmatic while still looking after the client's interests. He writes in a way non-lawyers can understand, too. Which is all too rare amongst lawyers.

Note - this isn't legal advice of course, just general information. And, I emphasise again, the position may well be different for other types of entities or non-English companies.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.