Legal round-up for 2021 from VWV

What do universities need to know about the latest developments in data protection, procurement and the Online Safety Bill?

Welcome to a legal round-up of 2021, where we cover some key commercial law developments over the last 12 months and some important areas to watch for 2022. We will try to avoid mention of Covid and lockdowns, but instead will focus on fun stuff like data protection, procurement and the ground-breaking Online Safety Bill!

Data Protection

Over recent years the public have become more aware of their data protection rights and we have seen increased claims for damages. However, two recent cases indicate that, despite the rise in data breach claims, the courts will take a pragmatic approach.

In Lloyd v Google, the Supreme Court comprehensively dismissed Mr Lloyd’s representative action against Google. The decision addressed two questions:

1. If compensation for “loss of control” could be awarded under the old Data Protection Act 1998 without evidence of damage or distress. The answer: No! Interpreting “damage” to include a pure “loss of control” claim was untenable; and

2. If a representative action was a suitable vehicle for data breach claims. The Court was broadly encouraging of representative actions for seeking declaratory relief to questions of liability and in the pursuit of damages where uniform per claimant damages are sought, but not in cases where an individualised assessment of damages is required.

And in Rolfe v VWV (yes – we claim credit for this success!) a claim for distress with no tangible harm or loss was given short shrift. The case is a reminder of how important it is to ensure a breach is remediated quickly – by contacting the incorrect recipient and ensuring the misaddressed email was destroyed, the defendants in this case saved themselves from the costs and nuisance of a full data breach claim.

Which means, going forward, we can hope to see fewer claims following a data breach.

2021 also saw a raft of proposals for post-Brexit data protection measures and reforms, including measures to:

● reduce barriers to innovation in AI/machine learning and scientific research
● change the thresholds for data subject access requests
● boost trade by reducing barriers to data flows
● deliver better public services
● reform the UK ICO.

What does this mean for UK data protection going forward?

Universities will welcome the plans to re-balance UK data protection law towards trade and innovation. However, the reforms are at an early stage and subject to consultation. It is unclear how they will find their way into UK data protection law. There is also the question of the UK’s adequacy status with the EU. Post-Brexit, the EU granted the UK adequacy status on the basis that the UK would remain aligned to EU data standards. If we depart too far from the EU data laws, we risk losing our adequacy status.

We can be sure that UK and EU institutions will be monitoring developments in this area with interest over the coming months and years.

Universities with an online presence will need to scrutinise the online content and services they provide and consider the adoption of a proactive online safety policy


The Green Paper on Transforming Procurement promises simplification of the procurement rules for universities as well as generating social value and ensuring value for money. However, the big announcement in 2021 was that the introduction of a new procurement regime is unlikely to come into effect until 2023.

At the end of 2021, the government published its response to the consultation process. Universities have successfully persuaded the Cabinet Office to introduce a minimum contract value threshold of £2 million in relation to some of the transparency requirements to reduce the administrative burden on universities, particularly regarding the publication of information.

However, the administrative burden on university procurement teams is unlikely to go away.

For example, universities must have regard to the whole raft of procurement guidance coming from the Cabinet Office in the form of procurement policy notices (PPNs). The PPNs need to be read alongside the Public Contracts Regulations 2015. Of the nine PPNs published in 2021, six apply to universities as part of the wider public sector.

Universities should review each PPN to see if they fall within the definition of an In-scope Organisation for that particular PPN. Although often referred to as “guidance”, PPNs will often be mandatory.
We have highlighted some of the key points from the 2021 PPNs.

PPN 05/21 National Procurement Policy Statement

The National Procurement Policy Statement aims to promote the government’s national strategic priorities through procurement.

Universities are required to consider the following national priority outcomes alongside local priorities in their procurement activities:

● creating new businesses, new jobs and new skills
● tackling climate change and reducing waste
● improving supplier diversity, innovation and resilience.

In practice, many universities will already be looking at ways of incorporating these areas through their procurement processes.

PPN 10/21 Procurement Thresholds and VAT

The procurement thresholds are reviewed every two years and new procurement thresholds apply as from 1 January 2022. This year, as well as a review of the thresholds to take into account currency fluctuations, there has been a change to the method of calculation so that the thresholds now include VAT.

Where procurements involve different rates of VAT, calculating the thresholds may not be straightforward.

Universities should also note that the thresholds for social and other services including education and training services which are subject to lighter touch procurement rules, remain the same, meaning a reduction in real terms.

PPN 09/21 Requirements to Publish on Contract Finder

PPN 09/21 confirms the requirements for In-scope Organisations to publish contract opportunities and certain contract award information on Contracts Finder. For universities, this means contracts with a value in excess of £25,000 including VAT. Certain post-contract award information must be published within 90 days of award. This is extended to cover call offs under framework agreements and awards which have not been openly competed.

Online Safety Bill makes its journey through to Parliament

The use of social media networks and video sharing platforms has exploded over the last decade, resulting in the introduction by the UK government of the revolutionary Online Safety Bill (OSB).

Whilst primarily looking to target companies that deliver user-generated content (UGC), such as Twitter/Facebook and also video sharing platforms, the bill also imposes a duty of care on organisations to protect users from harmful content by:

● preventing the production of illegal content and activity online
● ensuring that children and adults who use their services are not exposed to content that is “harmful” (although not illegal).
Ofcom will be the online safety regulator and is required to prepare codes of practice to assist providers in complying with their duties of care.

What organisations are caught?

The OSB will apply to “user-to-user” services and to search engines. User-to-user services are those that do one or both of the following:

● host UGC that can be accessed by users in the UK
● facilitate public or private online interaction between service users, one or more of whom is in the UK.

We have not been provided with any definition of “user”, but the following are identified as not users/falling outside the OSB:

● internet service providers
● low-risk businesses with limited functionality such as services where users can only communicate by posting comments/reviews
● emails and text messages
● one-to-one live aural communications
● paid-for advertisements.

Where next for the OSB and how can universities be prepared?

In December 2021, the joint committee published a report recommending major changes to the draft OSB, including additional responsibilities for Ofcom, requiring service providers to conduct internal risk assessments and create an “online safety policy”, to which users must agree.

If accepted, these recommendations will be incorporated into the OSB before it makes its way to legislation.

The aim of the proposed legislation is to reach a balance between internet safety and the right to freedom of expression and privacy. As it currently stands, many unanswered questions remain not only in context of this tension but also arising from the various gaps in the bill. What is clear is that OSB potentially has wide-ranging application. Universities with an online presence will need to scrutinise the online content and services they provide and consider the adoption of a proactive online safety policy, and put in place a process for ongoing risk assessments.

Jane Byford is the head of Higher Education at leading national law firm VWV. Jane can be contacted on 07909 656 764 or at

Leave a Reply

Free live webinar & QA

Blended learning – Did we forget about the students?

Free Education Webinar with Class

Wednesday, June 15, 11AM London BST

Join our expert panel as we look at what blended learning means in 2022 and how universities can meet the needs of ever more diverse student expectations.

Send an Invite...

Would you like to share this event with your friends and colleagues?