All Things Legal … July 2023 Gordon Kerr

everyone who got involved and came up with so many great questions.

Are you worried – or excited - about ChatGPT? It has the potential to become the next big thing in legal advice (and relocation support?), but I’ve come across an American court case that shows just how badly things can go wrong if you place too much faith in this technology!

If there is a particular legal topic that you would like me to cover in a future edition of The EuRApean, please let me know.

Today I’m raising my glass in celebration of the 5th anniversary of the GDPR. It may not be universally loved, but it’s a good excuse to enjoy a glass of Glenfarclas!

One company which is definitely not celebrating the GDPR is Meta, the parent company of Facebook. It has received a 1.2 billion euros fine for GDPR violations arising from its transfers of personal data from Ireland to the US. I explain below why this judgement should be of interest to RMCs, but it is unlikely to cause any immediate headaches for our industry.

Apart from a GDPR update, I’m also picking up on some of the issues that came up in my two legal clinics at the recent conference in Dublin. These clinics are a great opportunity for me to learn about the legal issues which are causing most concern for EuRA members. Thanks to

Meta, the owner of Facebook, has been fined a record €1.2 billion for breaching EU data privacy rules, and given a six-month deadline to stop transferring data to the United States. EU courts ruled that Meta had violated GDPR rules when it moved the personal data of European Facebook users to the US, where it is hosted, without protecting them sufficiently from American data surveillance practices. The fine is the biggest issued for a breach of GDPR rules.

The previous highest fine was €746 million issued to Amazon in 2021.

The ruling raises yet again the question of how companies in the EU can transfer data to the US in compliance with European law. Like most organisations, including many relocation companies, Facebook has relied on EU Standard

Contractual Clauses (SCCs) as the legal basis for transferring personal data to the US. This latest EU ruling raises doubts about how safe it is to rely on SCCs.

One lawyer has described the situation as a “doom loop”, because the standard seemingly cannot be met by anyone. A proposed new EU-US Privacy Framework, which should resolve the problem of transatlantic data transfers, is currently bogged down in EU bureaucracy.

The consolation for RMCs and others currently relying on SCCs is that the decision and fine are specific to Facebook’s particular data gathering. Despite all the protective measures which Meta put in place, including SCCs, the court ultimately found that those measures could not compensate for the “inadequate” legal protections when personal data is processed in the United States. In particular, the court highlighted legal powers contained in an American law known as FISA (Foreign Intelligence Surveillance Act) which can compel Meta to share personal data with US security agencies.

In essence, the view of the court was that internet platforms which fall under FISA legislation are unlikely to be able to comply with the strict GDPR requirements on international data transfers. Meta plans to appeal but, whatever the final outcome, the case stresses the need for the proposed new EU-US Privacy Framework to become a reality as soon as possible. In the meantime, relocation companies should continue to rely on SCCs for their EU to US data transfers – even with these latest question marks over their effectiveness.

When the ChatGPT bot was launched last year, lawyers and other professional advisers were warned that it could soon take over large parts of the legal profession and start drafting documents.

Now a lawyer who used it to carry out research has had to apologise to a judge after compiling a brief full of case law that the bot had supplied. Unfortunately – for the lawyer and his client – the cases did not exist. They were a figment of the bot’s “imagination”!

Steven Schwartz, a New York lawyer, had been hired by Roberto Mata, who alleged he had suffered “crippling” injuries on board an airliner in 2019 when a metal trolley struck his knee. Schwartz consulted ChatGPT to help with his legal research. Big mistake! The bot supplied several cases that looked relevant, including Varghese v China Southern Airlines Co Ltd, from 2019. Lawyers for the airline complained that they could not find the cited cases. Schwartz submitted eight further documents detailing lawsuits against airlines. However, according to Judge P Kevin Castel, “Six of the submitted documents appear to be bogus decisions with bogus quotes and bogus citations.”

At this point our shellshocked lawyer was required to submit a transcript of his conversation with the chatbot. It’s clear that he harboured some doubts about his robotic assistant:

“Is Varghese a real case,” he asked the bot. “Yes,” it replied.

“What is your source,” he asked. The bot said that “upon double-checking, I found that the case Varghese v South China Airlines . . . does indeed exist.”

“Are the other cases you provided fake,” the lawyer continued.

“No, the other cases I provided are real and can be found in reputable legal databases,” it said. They were not. Steven Schwartz has now been summoned to appear in court to defend himself against violations including “citation of non-existent cases”.

The moral of the story: do not believe everything you are told by a chatbot!

A recent comment in The Times newspaper summed up the view of many European businesses:

“Four letters have over the past five years become the dream excuse for countless bureaucrats to say “no” to what used to be perfectly legitimate requests for information. Those letters are GDPR and they stand for the prosaic label “General Data Protection Regulation” — an EU rule implemented in 2018 by Brussels. The legislation has a laudable aim — protecting individuals’ personal data from abuse by governments and private corporations. But few people at the coalface of daily life — including many lawyers — seem to understand the provisions. Therefore, those petty functionaries wheel it out as a way of avoiding work and having another cup of tea”

A cynical view perhaps, but there is no doubt that the absence of detailed guidance in certain areas of the legislation leads many organisations, across all business sectors, to feel overwhelmed and criticise the GDPR for being unnecessarily bureaucratic. Despite that confusion, the legislation is making an impact. Last month, the EU’s Court of Justice ruled in a case involving the Austrian post office. Officials in Vienna had used an algorithm to define “target group addresses” that were based on selected sociodemographic features — and then sold that data to organisations engaged in political advertising.

The case involved a claim for compensation for breach of the data protection rules and the landmark decision is likely to significantly increase data privacy litigation across the EU. This is because the Luxembourg court ruled that the right to compensation is not limited to damage that reaches a certain threshold of seriousness. Effectively, the ruling lowers the requirements for compensation claims in a cyber incident scenario where thousands of individuals may be affected.

In the UK, the Information Commissioner’s Office (ICO) has issued 13 fines totalling about £65 million. The ICO has a policy of preferring to issue reprimands or public disclosure of companies having breached the rules. Over the past 18 months, it has named 32 organisations, 26 of which were public bodies.

A potential problem looming is that in postBrexit Britain, reform to the legislation is being proposed. The Government wants to amend the UK GDPR, which is currently similar to the EU GDPR, with the aim of cutting “red tape” for smaller businesses. But any changes could actually come at a high cost to UK businesses if the EU withdrew Britain’s “adequacy” status. This would mean that the current free flow of data between the EU and Britain would be threatened.

The other potential area of conflict between the UK and EU is Britain’s desire to give adequacy status to countries such as the US, Australia and Dubai. These countries do not have EU approval, so if the UK goes alone with approvals this could also threaten its own adequacy status with the EU. It’s complicated and a far cry from the “take back control” argument which was heard so loudly at the time of the Brexit vote.

To end on a positive note, there is no doubt that those international businesses, including relocation firms, which have worked hard to implement the GDPR, are receiving an unexpected benefit. This arises from the fact that there is now a torrent of new data privacy laws across the world, mainly based on GDPR principles. This global trend means that the GDPR has gold-standard status and that’s likely to be a real bonus for European businesses. Something to celebrate at an otherwise muted birthday party!

This year I ran two legal clinics at the conference – one on relocation contracts and the other on data protection law. These are always a great learning experience for me, as I try to get to grips with the variety of legal issues causing most concern for EuRA members. Here are some of the topics that came up most frequently:

•Slow payment of invoices – this is a continuing problem for many relocation firms, particularly where a firm has paid out costs in advance. Wellwritten financial clauses in a contract can ensure that there is clarity on how and when payments will be made, avoiding the need for difficult conversations with a client at a later date.

• Indemnity clauses – these can trigger large liabilities which are out of proportion to the value of a contract. It all comes down to the wording of the indemnity. This should be checked carefully and, ideally, be subject to a cap on the maximum compensation payable to the client.

• Limitation of Liability and Insurance – it’s important to ensure that your financial liabilities are capped in the contract and that your insurance cover is no less than your maximum liability.

• Long contracts – we discussed the importance of building in fee increases for later years of the contract.

• Data transfers – the continuing question of how best to be compliant when sharing data with partners outside Europe.

• Document security – the practical challenges around using encryption and passwordprotection.

We had some great discussions and I’m very grateful to everyone who contributed so enthusiastically!

If you need advice on these or any other legal issues affecting your business, please feel free to contact me.

For further information on either of these new legal services, please contact me at gordonkerr@gklegal.co.uk or call +44 (0)7850 080170