With big tech ever-more prevalent in all of our lives, the debate continues to rage on the taxation and regulation of digital businesses. Whilst the Chancellor this week gave a clear indication of the government's stance on taxation in the Autumn Budget, on regulation the government is taking a more considered approach. In this edition, we include an update on the Furman review into how competition law should operate in relation to digital businesses. We also report on a Court of Appeal competition case that emphasised that restrictions on selling through digital markets carries a significant regulatory risk.
In our last edition, we focussed on the GDPR. But as the recent Morrisons case illustrates, when it comes to data breaches, regulatory fines are not the only major risk, and businesses can be vicariously liable for the actions of malicious employees that can be very difficult to protect against. The GDPR is a starting point but by no means the end of the story, whether in relation to cyber security, or data privacy (although the next big change on that front, in the form of the ePrivacy Regulation, still appears to be some way off being finalised).
Of course, Brexit remains an acute focus and as the withdrawal negotiations appear to be reaching their end-game, focus has shifted to preparations for a 'no deal' Brexit (meaning the UK leaving the EU on 29 March 2019 without a withdrawal agreement in place). We discuss government guidance on no deal preparations in areas such as data protection and sanctions, as well as some of the Brexit-related statutory instruments that have started being published under the European Union (Withdrawal) Act.
If you would like to discuss any of the issues covered in more detail, please contact me, one of the other experts listed below, or your usual Osborne Clarke contact.
- Advertising and Marketing
- Consumer finance
- Cyber Security
- Data protection
- Health and Safety
- Regulated Procurement
- Sanctions and Export Control
ASA still on the fence on identifying prize winners
The Advertising Standards Authority has still not followed up on its announcement some months ago regarding the CAP Code rule on publishing the name and county of prize draw and competition winners.
Pending finalisation of the ASA's review, companies running prize draws or competitions will need to consider whether it is appropriate for them to publish the names and counties of winners, and the legal basis for doing so under the GDPR if they do. It is to be hoped that the ASA will move quickly on this, as "legitimate interest" arguments may be weakened while the CAP Code requirement is suspended.
CMA probe into influencers
The Competition and Markets Authority has launched an investigation into concerns that social media stars are not properly declaring when they have been paid, or otherwise rewarded, to endorse goods or services.
In the interim, the Committee of Advertising Practice has released an ‘Influencer’s Guide’ in collaboration with the CMA and the ASA, which serves as a good guide for current best practice. Practices should be kept under review as the CMA investigation develops.
Consultations on further 'junk food' ad restrictions
The Department of Health is expected to launch its consultation into restrictions on in-store promotions of so-called "junk food" shortly.
In its childhood obesity plan, the government promised to consult on a raft of changes intended to combat childhood obesity, some of which relate to advertising and marketing. Of particular interest is the consultation on proposed restrictions on retailers offering promotions such as "buy one get one free" on foods which are high in fat, salt or sugar (HFSS).
The government strategy also suggested that the government might consider restricting the placement of such foods to aisles in supermarkets – which would prevent positioning on gondola ends, at check out or at the front of the store.
Businesses who advertise on TV will also be interested in a consultation, expected later in the year, regarding a ban on advertising HFSS foods before 9 PM.
ASA annual report
The ASA annual report for 2017 demonstrates that enforcement against misleading advertising is a real risk to business and is becoming more so. Last year, the ASA reviewed nearly 20,000 ads – a 119% increase on the year before. Complaints were upheld in relation to over 7,000 of the ads reviewed, suggesting that an upheld complaint is a real possibility for businesses.
The ASA is also increasingly referring serious cases to Trading Standards for further enforcement action – which can result in criminal sanctions for breach of consumer protection law.
ASA rulings under new HFSS rules
The ASA has released a series of rulings on the new rules regarding advertising of HFSS products. The new rules prohibiting advertising of HFSS products targeting children came into effect in July 2017. Five high-profile rulings this summer, against McDonald's, KFC, Kellogg's and Walkers, give some useful guidance as to how the ASA will interpret the rules in practice.
Compliance with social responsibility provisions under the CAP code becomes obligatory from 31 October 2018
The Gambling Commission has announced that from 31 October, gambling licensees will have to comply with the social responsibility provisions of the CAP Code. The announcement forms part of the Gambling Commission's response to a consultation on licence terms. The licence terms will now be strengthened in a number of areas including advertising and marketing. Licensees will now have an obligation to ensure all advertising and marketing is socially responsible and are reminded that they are responsible for affiliate marketing as well as their own.
Shaping future competition law enforcement in digital markets | Furman review calls for evidence
On 12 October 2018, the Furman review announced a call for evidence to inform its study of competition in digital markets. This panel of experts is considering whether competition law policy and enforcement tools in the UK need to be reconsidered for the particular characteristics of digital markets.
The call for evidence sets out ten questions, split into two categories: “Understanding the effects of digital markets” and “Policy and implementation solutions”. The questions are closely linked to the eight issues on which the panel’s terms of reference have asked it to make recommendations.
This consultation runs for eight weeks with a deadline for submitting evidence on Friday 7 December.
Resale price maintenance under the spotlight: consumer electronics manufacturers fined over €111 million
In September 2018, the European Commission published summaries of its decisions to impose over €111 million in fines on four consumer manufacturers for breaching competition law by engaging in fixed or minimum resale price maintenance.
The Commission found that the manufacturers had restricted the ability of their online retailers to set their own retail prices for widely used consumer electronics products, resulting, the Commission said, in higher prices for “millions of European consumers”.
CAT dismisses Ping’s appeal against online sales ban fine
In what the CMA is calling a "landmark case", the Competition Appeal Tribunal has dismissed Ping's appeal against the CMA's decision last year to fine Ping for restricting competition by operating an online sales ban.
The CAT’s decision serves as a warning that attempts to restrict the ability of resellers to sell online can expose companies to significant risk, even where the ban is in pursuit of a legitimate, and even potentially pro-competitive, commercial aim.
Ofcom fines Royal Mail £50m for abuse of dominant position
Ofcom (the communications services regulator) has announced that it is to fine Royal Mail £50m for abuse of its dominant position in the UK wholesale bulk-mail delivery sector following a complaint by one of its wholesale customers.
FCA publishes policy statement on SME access to the FOS
The FCA has published near-final rules on extending access to the Financial Ombudsman Service to more small and medium-sized enterprises, as well as to larger charities and trusts and a new category of personal guarantors.
The rules expand the scope of those persons who are considered to be "eligible complainants" under the DISP rules.
The FCA intends to finalise the rules by the end of 2018, with a view to these coming into force on 1 April 2019. Firms will need to consider the new rules once they are published and ensure that they are ready to comply with these by the effective date.
Updated draft of Consumer Credit Brexit Regulations published
On 28 September 2018, the government laid down an updated version of The Consumer Credit (Amendment) (EU Exit) Regulations 2018. These set out the changes which are being proposed to existing consumer credit legislation when the UK leaves the EU next year.
The changes are minor and technical, with the main differences relating to the pre-contract information regime.
FCA thematic review on impact of credit broking remuneration models at point of sale
On 27 September 2018, the FCA published a report following its thematic review of the impact of credit broking remuneration models at the point of sale. This focussed on the extent to which commission arrangements, such as fees paid to brokers by lenders, can lead to customer detriment.
Whilst the report does identify some examples of poor customer outcomes, the FCA did not find evidence to suggest that commission payments to credit brokers (excluding motor finance brokers) were, on the whole, resulting in consumer detriment. A minority of customers did, however, indicate that they felt pressured during the sales process, were unhappy with their decision to buy goods on credit or were uncomfortable that the credit product they purchased was right for them.
The FCA will continue to monitor credit broking activity as part of its ongoing supervisory responsibilities. It will publish the findings of its motor finance review later in 2018.
Employee’s misuse of data leaves employer liable in group compensation claim
The Court of Appeal has dismissed an appeal against a High Court decision finding an employer vicariously liable for the actions of its employee in processing personal data.
The decision emphasises the critical need for businesses to ensure that adequate safeguards are in place around the data processing activities undertaken by their employees – and appropriate procedures are in place to limit the potential damage when an individual goes ‘rogue’.
Think outside the GDPR: liability for cyber security issues can strike in many ways
When it comes to cyber security, focussing solely on the GDPR can be dangerous. Liability for cyber security issues can arise in numerous ways. Securing personal data is not enough. Even in the absence of a personal data breach, companies may face disciplinary action or fines from other regulators (and under different regulatory regimes).
Regardless of the applicable regime, the priority for all businesses is to ensure that they have in place robust procedures for dealing with cyber incidents (with adequate staff training to ensure that those procedures are implemented fully, even during high-pressure situations).
Further delays to the ePrivacy Regulation
The European Council has announced that it intends to produce no more than a status update on the progress of the ePrivacy Regulation by the end of the year. The Regulation was originally intended to come into force on 25 May 2018 (the same time as the GDPR), but 2020 is now looking more likely. Many organisations, particularly those in the AdTech sector, can breathe a sigh of relief for now, given the current draft would have huge implications on the use of ad cookies. However, considerable uncertainty still lies ahead.
Government publishes guidance on data protection and no-deal Brexit
In the event of a no-deal Brexit, there would not be any immediate change to the UK's data protection regime, as the DPA 2018 would be in place and the GDPR would be incorporated into UK law. However, the UK would be a 'third country' (i.e. non-EEA), meaning that transfers personal data between the EU and the UK will not be possible without putting adequate safeguards in place to protect the data.
In absence of an adequacy decision (which is not likely to be forthcoming anytime soon post-Brexit), the UK government suggests most UK organisations will need to put in place standard contractual clauses with EU partners to ensure data can continue to flow freely.
Private web browser firm complains to the ICO about AdTech providers
Brave, a private web browser firm, has complained to the ICO and the IDPC about AdTech firms (including Google) in respect of online behavioural advertising.
The complaint takes issue with 'real time bidding', where personal data is broadcast to the programmatic ecosystem and can be viewed by third parties. Brave argues that this is a data breach and that AdTech vendors are failing to protect data against unauthorised access, in breach of the GDPR. Brave is hoping this will trigger an EU-wide investigation into the AdTech industry's practices.
If this complaint succeeds, it could have far-reaching and dramatic consequences on the AdTech industry.
Launch of new Shale Environmental Regulator Group
Following the establishment of the shale support fund and new regulatory measures introduced earlier in the year, the Department for Business, Energy and Industrial Strategy this month announced the launch of Shale Environmental Regulator Group, a new fracking regulator.
SERG will act as an overarching environmental regulator which, it is hoped, will help to resolve regulatory issues regarding fracking sites. BEIS anticipates that SERG will also allow for knowledge-sharing on best practice for authorities considering fracking applications.
Air pollution and air quality update
Defra has published a supplement to its 2017 air quality plan which looks at tackling nitrogen dioxide pollution and requires those local authorities across England with levels in excess of government limits to undertake measures to become compliant by 2021.
Fire safety case indicates that health and safety sentencing guidelines should be applied to fire cases
In Butt v Regina, the Court of Appeal confirmed that courts should apply the ‘structure’ of the sentencing guidelines for health and safety offences (in force since February 2016) for the sentencing of cases involving breaches of the Regulatory Reform (Fire Safety) Order 2005.
Fire safety offences had been excluded from the health and safety sentencing guidelines because of the risk that inclusion would distort sentencing levels upwards due to the inherent danger of fire. However, this ruling provides some clarity for those businesses who have fire safety responsibilities as to how the courts will determine the seriousness of any offending and what the likely level of any fine will be.
Tougher sentences for gross negligence manslaughter offenders from November 2018
New sentencing guidelines for manslaughter offences, including gross negligence manslaughter, come into force on 1 November 2018. The guidelines will apply to all cases sentenced after this date, irrespective of when the offence took place. The guidelines allow for a maximum custodial sentence of 18 years.
Directors, managers and individuals with responsibility for the health and safety of employees should be aware of this tougher sentencing regime, which is likely to see more of the individuals charged with the offence in relation to health and safety matters going to prison.
Prosecutions for this offence are still relatively rare, but the Grenfell Tower tragedy, the Croydon tram derailment and the prosecution of Hillsborough match commander David Duckenfield have put this offence in the spotlight.
HSE targeting construction firms in new health inspections
Construction firms are being targeted by the HSE on their health standards, with a specific focus on respiratory risks and occupational lung disease.
HSE inspectors will be looking at the measures businesses have in place to protect workers’ lungs from the likes of asbestos, silica and wood dust.
HSE has said that it will use enforcement measures to ensure that people are protected.
Abnormally low tenders
The recently published decision in SRCL Limited v NHS Commissioning Board (known as NHS England) provides some useful guidance on how contracting authorities should deal with abnormally low tenders.
The court confirmed that a contracting authority is only obliged to reject tenders that it considers contain abnormally low tenders where the abnormally low price is as a result of breaches of EU social, labour or environmental law, or international labour law.
In all other circumstances, contracting authorities retain discretion as to whether they exclude a tenderer for submitting an abnormally low price (so long as the authority's decision does not breach the fundamental EU principles of equality, transparency, non-discrimination and equal treatment).
Government guidance on contracting with the public sector
The UK government and House of Commons have published two helpful guides to procurement in the UK.
The government has issued a guide on NHS procurement, aimed at overseas investors. The guide provides information on not only how to partake in procurement exercises run by the NHS in England, Scotland, Wales and Northern Ireland, but also on how the NHS aims to adopt innovation through procurement.
The House of Commons Library, meanwhile, has published a guide to public procurement and public contracts in the UK more generally. Of particular help is specific advice for businesses selling, or hoping to sell, to the public sector (section 9).
UK Department for International Development criticised for poor procurement and contract management
Public Finance International, a public finance watchdog, has criticised the UK's Department for International Development for "significant weaknesses" in its contract management.
The review found that contracts were frequently amended or extended beyond the initial length, potentially in breach of UK and EU procurement law.
On a more positive note for DFID, the report did highlight that it had "good performance in most areas of tendering".
OFSI publishes its first annual review
The Office of Financial Sanctions Implementation has published its annual review of operations during 2017-2018. 122 suspected breaches of financial sanctions were reported to OFSI. Whilst OFSI has yet to impose a financial penalty for breaching sanctions, the message continues to be that OFSI will take breaches seriously.
It is important that businesses are aware of their reporting obligations for sanctions breaches (even inadvertent ones).
UK sanctions policy in the event of a no deal Brexit
The UK government has published a document which explains how the UK would implement sanctions if the UK leaves the EU without a deal.
If the UK and the EU cannot agree on a withdrawal agreement, the UK will look to carry over all EU sanctions at the time of the departure. Sanctions regimes will be implemented through new legislation in the form of regulations made under the Sanctions and Anti-Money Laundering Act 2018, which will provide the legal basis for the UK to impose, update and lift sanctions after leaving the EU.