The catch-up game | How digital transformation is shaping the regulatory landscape

Business regulation is essential to ensure that public interests get taken into account in profit-driven enterprise . "The challenge of regulation keeping pace with new technology is nothing new", explained Ashley Morgan, Senior Knowledge Lawyer at Osborne Clarke. "Modern competition law was formed in response to the proliferation of railways in 19th century America, and the effect this was having on those dependent on the railways. Digital transformation represents a step-change in the speed of innovation in consumer facing businesses, which is leaving regulators in catch-up mode. It is also exposing 'regulatory gaps' and posing broader ethical and societal questions."

Governments are waking up to the need for a new approach to tackling the challenges of digital transformation. As Catherine Wolfenden, partner and Head of the Regulatory Group at Osborne Clarke commented, "the UK government set out its stall in a recent white paper on 'Regulation for the Fourth Industrial Revolution', which outlines a number of areas of focus for regulators. The question is whether we are seeing this evidenced in the various regulatory regimes that businesses may be subject to."

Technology is also providing a new set of tools. Regulators are turning to complex data analytics and new technology to monitor and enforce compliance in their regimes while, as Wolfenden notes: "New skills sets are being required by in-house lawyers to address the way they are using data and technology in particular in relation to compliance issues."

Historic change

Digital transformation is changing what needs to be regulated and what the government is required to do to protect the economy, the environment and, in particular, consumers. Marc Shrimpling, partner in the competition team at Osborne Clarke, explained: "One of the big challenges that competition regulators face is that, historically, they have been judged on their ability to deliver savings for consumers, so that means we have a price-centric approach to regulation."

Consequently, the Competition and Marketing Authority (CMA) benchmark is "how much money does it save in proportion to what it spends every year?". So an investigation into anti-competitive behaviour that shows a saving – less is spent on the investigation than the savings made from the process – presupposes the consumers are being overcharged.

However, services and opportunities in digital markets are often ostensibly free. "So there is no cost to the consumer whatsoever, and the harm is more difficult to monetise and calculate," he added. But as Simon Neill, also a competition partner at Osborne Clarke, noted "the CMA's focus is increasingly on the consumer protection aspect of its remit, and is seeking new powers to take action where it considers that consumers have been harmed."

The CMA also has existing powers that it may look to deploy, Shrimpling added. "Our regulator has regarded its ability to carry out investigations and impose remedies on a whole market as the jewel in its crown."

Currently there is an investigation into the whole digital advertising market, under which the CMA has the power to impose remedies and changes even if it cannot prove individual breaches of competition law. A number of other authorities, such the European Commission and the German competition authorities, are considering the UK approach, he added.

Digital-age consumer

One of the areas where technology is most visibly changing behaviours is in digital media markets. Tom Harding, a partner in Osborne Clarke's commercial group, explained: "Digital transformation means that consumers are acting in different ways, there is far more activity and commerce online and on digital channels." Regulation is now on the horizon specifically to protect these consumers from harm.

Geo-blocking –which the European Commission defines as geographically-based restrictions that undermine online shopping and cross-border sales in the digital single market – is one area of activity in the EU. The Geo-blocking Regulation – which has applied since 3 December 2018 – was brought in to put an end to unjustified geo-blocking rules.

Harding commented: "This legislation appreciates that more and more consumers are shopping on line and we need to open up online markets. What the EU says is that a consumer in Germany should be able to go onto a French website and access it just as easily. It is also prevents redirecting: a German consumer who goes onto a UK website cannot automatically be taken back to the German site. It is about transparency of pricing and opening up digital channels to everyone."

Another area of focus for the European Commission is redressing a perceived imbalance in the relationship between online platforms or search engines and goods and service businesses that rely on them. The Platform-to-Business Regulation, which is aimed at promoting fairness and transparency for business users of online intermediation services, applies from 12 July 2020. The Regulation is notable in the way that it applies to a business-to-business relationship concepts and protections that are usually reserved for business-to-consumer transactions.

The other major piece of consumer protection regulation on the digital agenda is the Consumer Omnibus Directive, which sets about to modernise and reinforce EU consumer protection laws. The reforms will lead to a rise in GDPR-level fines for breaches of consumer law, which would represent a significant shift in the risk profile of a host of consumer protection regulation.

'Regulatory sandbox'

In this milieu, regulators are increasingly being urged to engage with technology and innovators and understand technologies. The model held up to advance this agenda in the UK is the "regulatory sandbox". Piloted by the Financial Conduct Authority (FCA), the first edition began in 2017.

Nikki Worden, partner at Osborne Clarke, explained: "The FCA invites two cohorts a year from about 25 firms. If you are a firm cooperating in the regulated sector, the FCA invites you to test your product on real customers in a controlled environment. The FCA supervises, collaborates and guides these start-up that don't have regulatory licences needed to launch their products."

The regulatory sandbox is a quicker way to market to test regulatory as well as commercial viability and get full authorisation. It also helps the regulator to understand new technologies and to formulate thinking on innovation and on the policy and guidance it introduces. The danger for firms, warns Worden, is that once they come out of the sandbox, their risk profile, and the scrutiny from the regulator, can change significantly. This is particularly so if they scale up quickly, as this affects the FCA's calculation of potential harm to consumers. Chris Ratcliffe, senior associate at OC, adds, "the other problem is that it is only available to 50 firms a year, and, considering the size of the financial services sector in the UK and the amount of innovation going on, it is not a solution available for the vast majority of firms."

Despite the limitations, other regulators, in the UK and overseas, are looking at the FCA's sandbox. Ofgem has already initiated its own version of the regulatory sandbox and other regulators are likely to follow, particularly in sectors that are looking to encourage start-ups but where regulation can be a barrier to entry for new market participants.

Health and safety

While much of the debate around digital transformation and regulation focusses on the challenges posed, new "Reg Tech" solutions are being developed to assist businesses with compliance. Matthew Kyle, associate director in Osborne Clarke's health and safety team, pointed out that this is feeding into regulators' expectations of what businesses need to do to comply with legal frameworks that are already there. For example, the Health and Safety at Work Act puts the onus on businesses to manage safety risks in relation to their employees and those affected by their activities. "What is 'reasonably practicable' is part of every enforcement and prosecution, but as technology becomes more adaptable or affordable there are more options for doing things – and the bar of what is reasonably practicable is lower."

In some cases, this could mean technology replacing the activity of individuals in the health and safety arena. The combination of sensors and people out in the field, Kyle says, brings an opportunity for "real-time" reporting and the collection of data. "There might be kit that replaces 'doing' the activity; but opportunities in data management could arise that allow employers to identify to go beyond 'lagging indicators' and use data to provide precursors to an event and control or prevent that risk."

Avatars

The regulators are also looking at how new technologies can bolster their own enforcement toolkits. Harding explained that in one novel use of technology, the Advertising Standards Agency has used "avatars" - in gaming a character that represents an online user - to monitor and identify ads shown to specific groups. By mimicking the online behaviours of a child, the ASA can see whether that "avatar" is shown ads for high in fat, salt or sugar, gambling, or other age-inappropriate products or services. In June, the Advertising Standards Authority published results from its avatar monitoring campaign, which identified breaches of the rules by eight brands.

Regulators also need to work together to tackle challenges that span multiple regimes or jurisdictions. The Consumer Protection Cooperation (CPC) Regulation applies from 17 January 2020. The CPC pushes for consumer regulators across the EU to cooperate more closely across national boundaries. Shrimpling explains: "It acknowledges that the online world is fast-moving and digital means you do not frankly have time to go to court and get an injunction. Regulators will have the power to lock and take down the content, or erect gates on your domain name and take away your website."

The battle ahead

On the horizon, government bodies and large corporations are limbering up for a battle over "Big Data" and how the new digital markets are regulated and shaped. The cliché that "data is the new oil" has been invoked by politicians such as Democrat presidential candidate Elizabeth Warren, who compares the status of large technology businesses to the Opec oil cartel and wants their break up on anti-competitive grounds.

However, Shrimpling suggests the "new oil" analogy is misleading. "If I sell a barrel of oil, the oil can only be used by the person who is using it. Data isn't the same. A business that holds data can give away it's data to a number of other companies, but it still has that data itself and it can still be used. The answer to big data might not lie in a radical smash up, it may lie in the regulatory and standards concept of 'FRAND', or fair reasonable and non-discriminatory access. Maybe consumer law requires more complex thinking."

The complexities are underlined by the fact that sharing data between commercial entities raises its own regulatory issues. Neil gives the example of a connected vehicle manufacturer, which may have access to valuable data, such as when the vehicle needs its next service. There is an argument for forcing the manufacturer to provide that data to others to allow fair competition in the 'aftermarket'. But doing so would raise data protection and information security, and competitors agreeing to share data would also need to ensure those agreements did not raise their own competition concerns.

Ratcliffe added that the FCA is still formulating its policy on big data and machine learning. The FCA is looking at the use of big data and automated processes for accountability and transparency. The FCA wants firms to be transparent around customers and data they are collecting and how they are going to be using that data and if that data has run through an automated process the business needs to be in a position to explain a decision so a customer can judge if they have been fairly treated or not. The FCA wants to ensure accountability in automated processes.

'All data lawyers now'

Wolfenden highlighted that lawyers need to understand the regulatory considerations around new technology that their business is using, but also what technology is available that can aid compliance. A common thread running through the overlapping debates is data. Shrimpling added: "We can't just assume that being a data lawyer means GDPR data protection and compliance. We all need to recognise the fact we all are all data lawyers and data is an important asset of the companies we work for. We need to understand the regulatory parameters because it is going to become an increasingly valuable tool."