Insolvency Oracle

Developments in UK insolvency by Michelle Butler


Leave a comment

Brexit brings changes even for exclusively-UK insolvencies

Have you found yourself reading articles about the effects of the end of the Brexit transition period that leave you wondering: ok, but is there anything that directly affects my bog-standard UK insolvency work?

As we have been labouring on fixing our own document packs, I thought I’d publish our to-do list.

Jo’s latest Technical Update summarised the main changes and gave a full list of useful resources.  If you have bought the latest Butterworths, you’ll see that the changes have already been helpfully inserted in italics.  However, you still really need to refer to the Insolvency (Amendment) (EU Exit) Regulations 2019 (at https://www.legislation.gov.uk/uksi/2019/146/contents) to see which Act sections and Rules have been affected.  And then of course there’s non-insolvency legislation like the GDPR to think about.

Jo and I found that the key effects boil down to:

  • Determining the type of proceedings;
  • Ignoring member State liquidators; and
  • Re-defining the GDPR

 

New Types of Proceedings

It seems like only yesterday that we started to add to docs whether the EU Regulation (or EC Reg as it was then in 2010) applied and thus whether the proceedings in question were main, secondary, territorial or non-EU proceedings.

Unfortunately, the Brexit effect is not that this sentence can now be eliminated.  Instead, we need to replace it with a statement as to whether the proceedings are (or will be):

“COMI proceedings, establishment proceedings or proceedings to which the EU Regulation as it has effect in the law of the United Kingdom does not apply”.

What defines the proceedings?

New definitions have been added to Rule 1.2:

“COMI proceedings” means insolvency proceedings in England and Wales to which the EU Regulation applies where the centre of the debtor’s main interests is in the United Kingdom;

“establishment” has the same meaning as in Article 2(10) of the EU Regulation;

“establishment proceedings” means insolvency proceedings in England and Wales to which the EU Regulation applies where the debtor has an establishment in the United Kingdom

Dear IP no. 116 explains that effectively COMI proceedings are the new “main” proceedings: the COMI tests are very similar to the previous ones and so, where a company’s principal place of business and registered office are in the UK, this will be the reason why the proceedings are COMI proceedings.

Dear IP no. 116 also explains that similarly establishment proceedings occur where the COMI is elsewhere but the insolvent has an establishment in the UK, where previously this would have resulted in secondary or territorial proceedings.

“Proceedings to which the EU Regulation as it has effect in the law in the United Kingdom does not apply” will be encountered where, per Dear IP no. 116, “one of the UK’s other grounds for the opening of insolvency proceedings has been relied upon”.

What documents are affected?

The documents affected (excluding those that an IP’s solicitors would draft, such as Admin order applications and winding-up petitions) are:

As regards the last document listed above, in fact there has been no change to R8.24(2)(c), which requires the Nominee’s report on the consideration of the IVA Proposal to “state whether the proceedings are main, territorial or non-EU proceedings and the reasons for so stating”… but we assume that this was mistakenly omitted.

 

Member State Liquidators: blink and you’ll have missed them

In June 2017, the Act and Rules were amended to require office holders to engage with member State liquidators involved with the debtor.  For example, office holders needed to send to the member State liquidator copies of all their notices to the court, Companies House or the OR and liquidators and administrators needed to seek the member State liquidator’s consent to the dissolution of the company prior to filing the final docs at Companies House.

All those obligations have now been removed.

Even if you have never dealt with a member State liquidator before and your checklists never even referred to them, there is one change that you need to make to documents as a consequence: R15.8(3)(j) requires decision procedure notices in CVAs and IVAs to state the effects of R15.31 about the calculation of voting rights.  R15.31(7) and (9) have been changed to remove reference to the rights of a member State liquidator to vote, so likewise you will need to tweak your CVA and IVA R15.8 notices.

 

The GDPR: what is it called now?

The EU’s GDPR (i.e. EU 2016/679) forms part of the UK’s law as a consequence of the European Union (Withdrawal) Act 2018.  The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 define the product of this action as the “UK GDPR”.  These Regulations also make the necessary amendments to the GDPR to reflect the fact that the UK is not a member State.

Does this mean that we now need to start referring to the “UK GDPR”?  Personally, I don’t think so.  “GDPR” was a colloquial term in any event, so I don’t think this has ceased to be relevant… unless you’re communicating with someone in the EU about the GDPR, of course.  Certainly, I don’t think there is any need to go editing internal checklists and I don’t think there’s any pressing need to change documents that refer in passing to the GDPR… although you might like to take this opportunity to replace “GDPR” with something more generic like “data protection legislation” to future-proof it in case the EU GDPR and the UK GDPR diverge materially over time.

So no changes are required for the GDPR switch then?

Almost none.  If you have any documents that accurately define the EU GDPR, then you should update this.  For example, many letters of engagement make specific reference to the General Data Protection Regulation EU 2016/679 in setting out the parties’ obligations as data controllers (such as the style clause for engagement letters that was issued in 2018 by ICAS at https://www.icas.com/regulation/guidance-and-helpsheets/preparing-for-gdpr).  If so, then it would be correct to update this to refer to the effect of the 2019 Regulations.

You should also check what your privacy notice says about transferring data outside the EU.  Some notices are specific about when this would happen (if ever).  Of course, now the data you process are already outside the EU and if you were to transfer any of it to any of your service providers (e.g. ERA providers or debt collectors) in the UK, it would be a transfer outside the EU.  Other than making sure that your privacy notice describes this reality, it’s not a big deal, as you would still be transferring data in accordance with the data protection legislation, wouldn’t you..?

What about GDPR-compliant contracts?

To be honest, I’ve encountered a staggering diversity in the levels of concern about the creation of GDPR-compliant contracts with data processors.  I suppose that’s not surprising when even some RPB reviewers have chosen not to explore GDPR compliance to any great degree.

But if you do ensure that the data processors that are engaged by you, your firm, or the insolvents over which you are appointed are wrapped into a GDPR-compliant contract, then you may want to revisit the wording of your standards, especially around the conditions for transferring data outside the EU.

 

Fortunately, as far as we can see, those are the only practical effects on day-to-day UK insolvency work.  What with all the changes to documents and processes in consequence of the CIGA and HMRC secondary preferential creditor changes, I think we could all do with a break from largely unhelpful tinkering for a while.

 


Leave a comment

GDPR: Ready or Not!

Compared to the Insolvency Rules, getting to grips with the GDPR has felt a lot more painful.  Personally, I have struggled with the GDPR for two reasons: (i) the position of an IP working within a practice and having control over insolvent entities is so clearly a square peg in the GDPR’s round hole; and (ii) for anyone who has been treating personal data with respect already, it seems to be just lots more hassle, simply more documentation of no interest to anyone except the regulators and those who look for causes to complain.

But, if I have not persuaded you already to go off and do something far more interesting instead, here is a summary of an IP’s GDPR to-do list (or, hopefully, a “done” list).  My special thanks go to Jo Harris, who has endured the pain to get the Compliance Alliance’s packs GDPR-ready and whose webinar has informed most of the content of this blog.

(UPDATE 22/05/2018: far more authoritative than my blog is a fantastic FAQs written by the ICAEW and R3 and released just yesterday: https://bit.ly/2x7HPm2.  I think that this article is pretty-much aligned with the FAQs, but the ICAEW does provide more information on their expectations, particularly when taking on an appointment and in notifying creditors of the necessaries.)

 

Privacy Notices

Privacy Notices are probably the most obvious sign that you have prepared for the GDPR world.

Data controllers must provide privacy information to individuals when they collect personal data from them or, if the data is from another source, no later than one month of receipt.  Although the GDPR prescribes a long list of information that must be given, it also states that privacy notices must be concise and easy to understand – if only the GDPR were written so!

To draft a GDPR-compliant privacy notice, you need to have a clear picture of what personal data you hold and what you do with it… in your role as a data controller.

 

Who is a data controller?

The GDPR defines a data controller as:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Where an IP processes data as an office holder, they are clearly in control.  An IP deals with personal data on creditors, employees, directors, shareholders, debtors (i.e. insolvent ones and those who owe the insolvent), probably also debtors’ family members…  And we’re not just talking about individual creditors etc.: you will also process personal data on staff working within corporate entities, e.g. emails containing names, email addresses and telephone numbers, sufficient to identify the individual.

What about the personal data contained in the insolvent’s books and records?  Does the IP become the data controller for those on appointment?  I have not attended a GDPR-for-IPs event without the case of Re Southern Pacific Personal Loans Limited ([2013] EWHC 2485 (Ch)) being mentioned.  Although of course this was a decision about the application of the Data Protection Act 1998, it has given many people comfort that at least a liquidator is not considered to be the data controller in relation to data processed by the company prior to liquidation.

So, for practical purposes (unless/until it is overturned), it is probably safe to draw a distinction between data processed by the IP and the insolvent’s data that just sits in a storage facility in case it is needed one day.  This fairly clean line probably doesn’t exist however for a trustee in bankruptcy, as the agency relationship is absent.  Also, at what stage does an IP begin “processing” data in their own right: what if you only review some company records in your possession?  What if you hold electronic data on your system, but never use it?

These fuzzy lines aside, how does understanding when we are a data controller help us draft our privacy notices?

 

The legal basis for processing

For the most part, privacy notices are pretty standard text.  But you do need to hang your flag on a mast when it comes to describing your legal basis/bases for processing the data.

Here are the options:

  • the data subject’s consent – not something that we associate with being in office
  • necessary to perform a contract – again, not something for an office holder, but it may be relevant for work we do (i.e. personal data we process) outside a formal appointment
  • necessary for compliance with a legal obligation – yep, this one is clearly relevant to office holders
  • necessary to protect individuals’ vital interests – nope
  • necessary to perform a task in the public interest – I have heard some say this is relevant for office holders, but it seems to have fallen out of favour more recently
  • necessary for legitimate interests – creditors and others have a legitimate interest in keeping informed and engaging in an insolvency process, so this is relevant

So there are at least two legal bases that are relevant to IPs’ work.

 

The purposes of the processing

Your privacy notice also needs to describe the purposes for which you will be processing data.  It is worth remembering that an insolvency practice will process data for a wide range of purposes: not only formal appointments, but also to deliver other services to clients, and you will also hold data for marketing purposes, for running your business…

Therefore, you might want to consider: should you have one privacy notice covering every purpose or do you want several privacy notices?  A third way, which I’ve seen work well for a particularly large accountancy/insolvency practice, is a single privacy notice with links leading to the descriptions of their processing activities relating to different groups of data subjects.

Taking a look at other firms’ privacy notices might also bring to mind other, less obvious, purposes for processing data, such as carrying out AML due diligence, detecting or preventing crime or fraud.

 

What do you do with the privacy notice?

As mentioned at the start, the GDPR puts data controllers under a requirement to provide the privacy information to all data subjects.  This can seem onerous for an IP: do we really need to send a copy of the privacy notice to all individuals whose data we hold and how can we comply with those timescales, especially on existing cases?

There are a couple of ways you can make life much easier for yourself:

  • Put your privacy notice on your website, preferably on a page with a very simple www address, because…
  • Then you can add the link/address to your email footers and letterhead, so that the next time you email or write to an individual, you have brought the privacy notice to their attention.

 

What about existing cases?

Does the GDPR mean that we must have notified every person whose data we hold of our privacy notice by 25 June?  I would like to think that the regulators – the RPBs and the ICO – might be prepared to give us some slack on this requirement.  Would a more manageable approach be to ensure that such notifications are made, say, at the time of the next progress report?

If this is acceptable, then how about the interaction with R1.50?  Where we have already issued to creditors (and members) a notice stating that every other document will be uploaded to our website without further written notice, would this suffice such that we only need to ensure that the website contains the privacy notice or a link to it?  Or, because R1.50 only provides website-only delivery for documents “required to be delivered in the insolvency proceedings”, does this mean that the privacy notice required to be delivered under the GDPR cannot be delivered by website?

Of course, the requirement stretches further than creditors and members.  For some people, you might like to make an extra-special effort to contact them asap to prove compliance with the GDPR, perhaps those who are most likely to complain – bankrupts and other individual debtors, perhaps.

 

What about closed cases?

Under the GDPR, “storage” is a form of processing.  Therefore, IPs will be continuing to “process” personal data long after a case has closed.  Do we need to contact individuals on closed cases?  Isn’t this taking things too far?!

The new Data Protection Act (currently still a Bill) may help us (thanks, JN, for highlighting this).  S93(4)(b) states that we need not notify data subjects where it “would be impossible or involve disproportionate effort”.  This must apply to closed cases, surely!

 

Privacy notices: is there more?

Oh yes, indeed!

Another meaty requirement of the GDPR is that data processors’ work must be governed by a contract with the data controller.  What data processors does an IP instruct?  And if someone is instructing an IP, does this need to be governed by a contract?

 

Who is a data processor?

The GDPR’s definition of a data processor is someone who “processes personal data on behalf of the controller”.  But a data processor’s activities may mean that they become a controller in their own right.  As I set out above, according to the GDPR’s definition, a data controller determines the purposes and means of processing data.  So logically, if someone has no control over either the purposes and/or the means of processing the data, they must be a processor, right?  For example, you instruct a debt collector to use debtors’ personal data solely to pursue debts – this sounds like a data processor, doesn’t it?

So who might an IP instruct that is not a data processor?  Surely every instruction defines at least the purposes of processing data, doesn’t it?

The ICO has provided guidance on the distinction between processors and controllers (https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf), which, although it was seemingly published in 2014, we understand is still considered relevant by the ICO for the post-GDPR world.

Paragraph 45 is interesting: “Where specialist service providers are processing data in accordance with their own professional obligations they will always be acting as the data controller”.  This is written in the context of an accountant, who will have obligations on detecting malpractice.  The guidance similarly singles out solicitors who “determine the manner in which the personal data obtained from the [client] will be processed” (paragraph 44).

 

And IPs?

Of course, I wouldn’t expect the ICO to mention IPs in their guidance (they don’t).  But I think the ICO’s guidance leads to the logical conclusion that usually IPs/insolvency practices will become data controllers in their own right when processing data on behalf of a client, e.g. when they’re instructed to help put a company into CVL.

 

Controller-processor contracts

But for anyone whom we instruct who is a data processor, we need to ensure that a GDPR-compliant contract is in place with them.  And even though you may personally be acting as agent of a company that continues to trade post-appointment, you will want to ensure that the company trades in a compliant fashion with appropriate contracts in place with their suppliers/service-providers… although remember that it’s only where the supplier/service-provider is processing personal data.

The GDPR sets out what must be included in such a contract and model clauses are widely available (although of course you may like to engage a solicitor to help).

 

Data sharing agreements

Although not mandatory, you may want to consider entering into data sharing agreements with parties who you instruct who are data controllers in their own right – the ICO guidance recommends this where you are sharing large-scale or particularly risky data.

As an IP receiving instructions, you are unlikely to want to volunteer a data sharing agreement.  However, you should amend your engagement letters, not only to refer to your privacy notice, but also to confirm your position as a data controller and remind the client of the need to comply with the GDPR and DPA.  ICAS has suggested some appropriate wording at: https://www.icas.com/regulation/preparing-for-gdpr

 

Fuzzy lines

I confess to remaining confused about the boundary between controllers and processors.  After all, wouldn’t following the GDPR definitions and ICO guidance lead us to a different conclusion from that arising from Re Southern Pacific Personal Loans Limited?  Doesn’t an IP store company records in accordance with their own obligations and doesn’t the IP decide the purposes and means of processing that data?  If so, why are they considered only a data processor?

In addition, different instructions may lead to different levels of control by the third party.  For example, on one case we may ask an agent simply to help us return items to their owners, but on another case the agent may be managing a marketing and sale process, dealing with RoT claims, wiping hardware clean…

Where these fuzzy lines exist, would it be an idea to engage with third parties via a catch-all controller-processor/data-sharing agreement?

 

Managing instructions

If you haven’t already set up a system, perhaps you might start a central register to help you record who has signed up an agreement.  Then, whenever you come to instruct a third party who will be processing personal data provided by you, you can check whether they have already signed up and, if not, you can set the ball rolling.

 

Ok, is that everything?

Nope.  There’s a whole host of additional items on the to-do list, including:

  • If you haven’t already got them, generate policies and procedures to cover areas such as data security, retention, dealing with breaches and subject access requests;
  • Before processing data on a new engagement/appointment, assess the risks associated with the proposed processing, and keep it under review during the engagement (yep, another checklist!); and
  • For each engagement/appointment, document the data held and the reasons why it is held – the ICO has produced 30-column wide spreadsheet for each data controller (and another one for a processor), so admittedly it is stupidly cumbersome for each case, but once completed for one case, there will be little variation needed for the next. But of course, it is worth giving every case a bit of thought, just in case there are some unusual considerations arising from, e.g., a novel business or an entity holding data in different countries.

Certain other aspects of our insolvency work require careful attention:

  • On (or preferably before) appointment, we will need to gather information on what data the insolvent holds and where/how it is stored and accessed;
  • If we are contemplating trading-on, we will need to review carefully the business’ data processing practices and documentation and identify whether any changes need to be made to bring them into line with the GDPR;
  • We should perhaps take more care in deciding what data we need to collect post-appointment and what happens to any data that we choose not to collect (also having regard, of course, to the recent Dear IP on collecting books and records);
  • Although generally databases and customer lists can continue to be sold in an insolvency process, we can expect to be asked more questions by potential purchasers about the insolvent’s data processing (will sale prices decrease and will sales to unconnected parties be less common as a consequence?) and some additional clauses will be required in agreements; and
  • We will want to have a good understanding – and ensure that staff have also – of our obligations on identifying a data breach.

 

Will it all become second nature?

It is a shame that the regulatory current seems to flow to ever more requirements for documentation and disclosure.  The regulatory burden never seems to lighten up, but personally I struggle to see how business or the economy is any better for it.

There remain a number of unanswered questions, some of which I’ve mentioned above, about how the GDPR works practically for IPs.  I’m sure that over time most of these will be resolved, hopefully with pragmatic solutions acceptable to the regulators.  One day, perhaps GDPR-compliance will become second nature.