UK Regulatory Update | September 2018
Welcome to the latest edition of our Regulatory Update.
In this edition, we return to one of the most talked about, and most widely impactful, regulatory changes in recent times, the GDPR. Whilst most businesses were engaged in major projects to get ready in time for the 25 May 2018 deadline, once that passed, the focus for many may have shifted to other priorities. In our 100 days of GDPR series, we discuss what we have seen since the implementation deadline and the issues that should still be high on the agenda for businesses.
With UK-EU negotiations approaching a critical phase, Brexit also remains a top priority. On 25 September, the retailer NEXT devoted 11 pages of its half-year results to discussion of its preparations for a 'no deal Brexit' (meaning that the UK leaves the EU on 29 March without a Withdrawal Agreement, and consequently without a transition period in place). Following on from our Regulatory Outlook Brexit special edition, in this Regulatory Update we highlight some of the 'no deal notices' recently published by the UK government that businesses should be aware of as part of their Brexit preparations.
Amongst the other developments covered in this edition, we provide an update on the European Commission's flagship Digital Single Market project, report on a major decision on the scope of legal privilege, and ask: are the UK competition authorities ready to police the digital revolution?
If you would like to discuss any of the issues covered in more detail, please contact me, one of the other experts listed below, or your usual Osborne Clarke contact.
- Anti-Bribery, Corruption and Financial Crime
- Consumer finance
- Data Protection
- Digital Media and Entertainment
- Regulated Procurement
New SFO Director sets out her priorities
Lisa Osofsky commenced her five-year term as the Director of the SFO in late August. She promises to be a "new kind of Director" and brings with her both law enforcement experience from her time at the FBI and experience with investigations and compliance work in the private sector.
Ms Osofsky took the opportunity of her first speech having taken office to set out her priorities. The next 6-12 months will likely offer important insight as to the future direction of travel of SFO enforcement.
SFO v ENRC: Privilege restated
In a highly significant judgment, the Court of appeal robustly reversed a first instance decision in SFO v ENRC, which had appeared to have greatly restricted the scope of litigation privilege in the context of internal investigations.
In the event that a company is faced with, for example, a whistle-blower report, it will feel more comfortable in being able to investigate the position, with the product of that investigation being likely to be covered by privilege. Careful scoping and documenting of investigations will, though, still be required.
Government looking to tighten national security controls on M&A in the UK
The UK government is currently consulting on reforms which would substantially increase its powers to scrutinise M&A transactions for the purposes of protecting national security.
Under the reforms, the government would have the power to “call in” transactions for review where a “trigger event” gave rise to a reasonable suspicion of a national security risk.
Are the UK competition authorities ready to police the digital revolution?
On 2 August 2018, the UK Treasury department announced a review of the fitness of competition policy for the digital age. The review will be chaired by US economist Professor Jason Furman (formerly the top economic adviser to the Obama administration) and a panel of competition law and digital markets experts. It will start in September and run to early 2019, generating a final report with recommendations for the government.
Ofcom Fines Royal Mail £50m for Abuse of Dominant Position
Ofcom (the communications services regulator) has announced that it is to fine Royal Mail £50m for abuse of its dominant position in the UK wholesale bulk-mail delivery sector following a complaint by one of its wholesale customers.
EA publishes new standard rules for environmental permits
On 6 September 2018, the Environment Agency published nine sets of new standard rules for medium combustion plants and specified small-scale generators. The new rules impose limits on the emissions of gases such as sulphur dioxide and nitrogen oxides and require companies to monitor carbon monoxide emissions. The new directive will apply to all new plants from December 2018 and existing plants from 2024 to 2029 with full implementation achieved by 2030.
Developers of industrial estates under five hectares won't have to prepare EIA reports from 1 October
The Ministry of Housing, Communities and Local Government has officially increased the threshold for developers of industrial estates having to prepare EIA reports from 0.5ha to 5ha, following consultations in 2014. The increase will reduce bureaucracy on small sites where any significant environmental impact, which the EIA aims to capture, is very unlikely. The changes will save time and administration for small-scale developments but will not apply to environmentally sensitive sites such as SSSIs and AONBs.
Two projects fast-tracked for funding under the WEEE compliance scheme
The Joint Trade Association, which runs the WEEE compliance scheme, recently announced two new projects to begin later this year. The first will test plastic from waste electronic equipment to ensure it can be properly recycled. Both small and large domestic appliances will be tested for persistent organic pollutants, specifically bromine content, to assess where these pollutants are found and in what quantities. Plans will then be made for separating these plastics and identifying sites where they may be safely destroyed.
The second project will test existing protocols in anticipation of regulatory changes, due in January 2019, which will see more electrical and electronic equipment fall within the WEEE Regulation's scope.
Both projects will run into 2019 and will likely impact on electronic waste protocols.
UK government publishes five technical notices on environmental legislation in the face of a no-deal Brexit
On 18 September, the UK government published five technical notices offering guidance on the following, in the face of a "cliff-edge" Brexit:
- upholding environmental standards;
- industrial emissions standards ("best available techniques");
- using and trading in fluorinated gases and ozone depleting substances;
- vehicle type approval; and
- reporting CO2 emissions for new cars and vans.
In light of Brexit uncertainty, the notices outline how the government will uphold standards and how regulated organisations will be affected. The government highlights that all current EU law will continue to have effect in UK law and where necessary the government will make secondary legislation to support it.
Should there be a new ‘duty of care’ for financial services firms?
In July 2018, the FCA published its ‘Approach to Consumers’ and a discussion paper seeking views on the merits and practicalities of introducing a new duty of care on financial services firms when dealing with consumers.
Some stakeholders are concerned that the existing regulatory framework does not provide adequate protection for consumers. Others feel that a duty of care is already provided for under the existing FCA rules and common and statute law, and would be very burdensome to develop given the variety of potential customer relationships.
The FCA’s paper discusses the various forms the new duty might take and requests responses by 2 November 2018.
New rules on assessing creditworthiness in consumer credit
On 30 July 2018, the FCA published final rules and guidance on assessing creditworthiness in consumer credit.
The rules and guidance, which come into effect on 1 November 2018, clarify the FCA’s existing rules and guidance, and the application of the general requirements on firms in the FCA’s Senior Management Arrangements, Systems and Controls sourcebook.
Lenders are required to assess affordability on the basis of sufficient information, but the FCA does not prescribe in detail what this should comprise or whether and how information should be verified.
Firms should review their policies and procedures in the light of the new rules and guidance, and make changes where necessary.
Customers able to compare information about current account services more easily under new FCA rules
From 15 August 2018, providers of current accounts have been required to publish standing data related to account opening and service availability and major incident metrics. This means that customers will be able to easily find standard information on providers’ websites about:
- how and when services and helplines are available, including contact details for help;
- how often the firm has had to report major operational and security incidents; and
- the published level of complaints made against the firm.
This information must be published on the provider’s website in a consistent format and the large banks must also make this information available via an online Application Programming Interface.
Lead supervisory authority: the one stop shop
For companies active across multiple countries in the EU, the so-called “one stop shop” principle in the GDPR is potentially helpful in providing focus and clarity on which data protection regulator would be involved in any breach notification, investigatory or enforcement activity.
Consideration of the lead supervisory authority can also guide a company to decide which regulator it should build a relationship with and whose guidance it would be most valuable to be familiar with.
Appointing a Data Protection Officer: has your business got its risk assessment right?
The GDPR laid out the job description for a new role, that of Data Protection Officer, and made the appointment mandatory in some cases.
Some businesses initially decided to appoint a DPO, but have had trouble filling the role, or the appointment has not worked out well. This is leading some to reassess their approach: do they really need to appoint a DPO? What are the risks involved in that decision, and how do they mitigate them?
Profiling and automated decision-making under GDPR
Profiling and automated decision-making are two areas of the GDPR that have caused confusion for businesses, often with perceived negativity and assumptions that the law significantly restricts most forms of computer-led analysis of data subjects and their activities. Not necessarily so.
As with the general flavour of the GDPR, the law has undoubtedly tightened and places a greater burden and requirements on businesses wishing to carry out profiling or ADM activities. However, there’s still plenty of opportunity for those willing to understand the detail of the law, and more generally align their business models to the core themes of the GDPR.
Data Protection Impact Assessments under the GDPR
A Data Protection Impact Assessment is a way of systematically analysing data processing activities to assess whether the processing is necessary and proportionate, and identify and minimise any potential risks to the rights and freedoms of data subjects.
The GDPR gives DPIAs much more prominence, and makes it mandatory to carry them out in certain circumstances.
100 days of GDPR video series:
- Session 1: What’s actually changed?
- Session 2: Data Protection Officers
- Session 3: AI and a look into the future
- Session 4: HR risk
- Session 5: Security and data incidents
No deal Brexit: broadcasting and video on demand
The government has published a technical notice on the provisions for broadcasting and video-on-demand if there is no Brexit deal in March 2019. This includes advice for providers on what to consider and what action to take in relation to EU Member States that are signatories to the Council of Europe Convention on Transfrontier Television, and in relation to those that are not.
The clock is ticking to finalise the Digital Single Market proposals before next year’s May European Parliament election. The general perception is that by February, it will be too late to make any progress on these files as re-election campaigns will take up EU officials’ attention, and the remaining files are likely to get scrapped or put on hold. Therefore, the next few months are likely to bring an all-out lobbying war as interest groups try to block or boost proposals.
At the moment, the focus appears to be on the copyright vote (see below), the deadlocked e-privacy discussion and P2B law (also below). However, the next six months are the make-or-break period to wrap up the files.
Copyright: European Parliament adopts controversial copyright reform.
On 12 September 2018, the European Parliament voted through amendments to the proposed new copyright directive, which is widely seen as a victory for creative industries but a bad day for tech, particularly around the issue of the so-called "link tax" and upload filters.
Platforms and terrorist content
The European Commission has published a new proposal on terrorist content. The proposal includes up to four percent fines if companies repeatedly fail to comply with the outlines of the regulation (which include taking down content within one hour of a removal order).
P2B regulation: update
A draft report on the P2B proposal was published by Danish Socialists & Democrats MEP Christel Schaldemose. In general, the report suggests that the original proposal doesn’t go far enough.
The main themes of the report are that rules should be more ambitious than simply tackling transparency and that the current proposal needs “more teeth”.
The file should be finalised by the end of the year, with a vote likely for 6 December in the Internal Market and Consumer Protection Committee, if negotiations with the other MEPs go as planned.
AVMSD: (no) update
There has been no recent progress on the new AudioVisual Media Services Directive – we are waiting for the final text to be finalised, which will start the clock on the implementation timetable.
Geoblocking regulation: in force from December 2018
As a reminder, the Geo-blocking Regulation, which will stop most companies from preventing access to national versions of their websites within the EU, comes into force on 3 December 2018.
Satcab Regulation: in limbo
Trilogue negotiations took place on 8th September. The Council was hoping to appease the European Parliament with a new offer on direct injection, where broadcasters “inject” their programming into providers’ streams instead of sending their own individual signal, in an effort to find a middle ground on other sensitive topics. However, progress was blocked by a number of countries which want a more detailed impact assessment.
This one remains in legislative limbo.
FCA consults on approach to RTS and EBA Guidelines under PSD2
In a consultation paper published on 17 September 2018, the FCA proposes new rules and changes to the guidance on PSD2 in its ‘Payment Services and E-money Approach Document’, and the Perimeter Guidance Manual to ensure that:
- ASPSPs can be exempted from the requirement to build a contingency mechanism ahead of 14 September 2019 (after which it will become a requirement unless an exemption has been obtained);
- information that PSPs are required to provide under the finalised SCA-RTS is in a consistent format; and
- the FCA’s Approach Document guidance on PSD2 is up-to-date with the SCA-RTS and aligned with the finalised EBA exemption guidelines.
The consultation paper also addresses changes to fraud and complaints reporting under PSD2 in light of the EBA’s guidelines on fraud reporting, and the FCA’s continued work concerning authorised push payment fraud.
Responses are requested by 12 October 2018.
New proposals to improve conduct and communications in payment services and e-money firms
On 1 August 2018, the FCA published a consultation paper on proposals to extend its existing rules and guidance on conduct and communication to the payment services and e-money sectors. The guidance also aims to ensure that firms do not mislead consumers when they are advertising payment services that involve a currency conversion.
If these proposals are implemented, it will mean that PSPs and e-money issuers will need to:
- ensure they run their business with regard to the FCA's Principles for Business;
- ensure that they treat their customers fairly and have regard to their needs;
- in particular when advertising services, ensure that they are clear, fair and not misleading; and
- be frank and open with the FCA and other regulators.
For many PSPs, it will simply reflect current good practice and ensure that they are subject to the fundamental obligations the FCA expects of regulated firms.
Responses are requested by 1 November 2018.
UK Finance publishes ‘How to’ Guidance on the Wire Transfer Regulation
On 14 August 2018, UK Finance published a voluntary ‘How to’ guide to give firms a better understanding of how they might interpret the requirements of the Wire Transfer Regulation and the European Supervisory Authority's Guidance on the Regulation, which have applied from 16 July 2018. The guide covers the kinds of policies and procedures firms could have in place to help to meet those requirements.
New Guidelines on fraud reporting under PSD2
On 18 July 2018, the EBA published final Guidelines on fraud reporting under Article 96(6) of PSD2. These are applicable to all PSPs, with the exception of registered AISPs.
The Guidelines require PSPs to collect and report data on payment transactions and fraudulent payment transactions using a consistent methodology, definitions and data breakdowns. In particular, the Guidelines reflect responses received to the EBA’s consultation paper around the frequency of reporting, the geographical area to be applied to data breakdowns and the categories of fraudulent transactions to be reported.
The Guidelines apply from 1 January 2019, with the exception of the reporting of data related to the exemptions to the requirement to use SCA under the RTS, which apply from 14 September 2019.
Card Acquirers under the spotlight: PSR turns the microscope on Scheme Fees and Interchange Fees
On 24 July 2018, the PSR published draft terms of reference in respect of a market review into the supply of card-acquiring services.
This follows concerns that the supply of card-acquiring services in the UK may not be working well for merchants and consumers.
The final terms of reference are expected to be published before the end of 2018, which will include a timetable for the implementation of the market review.
New implementation guidelines for mobile contactless payments
On 2 July 2019, the European Payments Council published updated implementation Guidelines for mobile contactless payments (MCPs).
The Guidelines aim to create awareness amongst the payments industry of the various aspects to be considered in the development of MCP solutions. The intention is to help stakeholders understand where the risks are in order to create or maintain an adequate level of trust in MCPs. The Guidelines may also serve as a reference basis for stakeholders (both consumers and merchants) making certain implementation choices.
Whilst the Guidelines previously only covered contactless mobile payments based on NFC technology, their scope has been extended to include new technical solutions, as well as incorporating the concept of ‘Strong Customer Authentication’ and introducing new concepts such as ‘tokenisation’ and ‘payment card manager’.
Public procurement after Brexit
On 5 September 2018, the House of Commons Library published a briefing paper, Brexit: public procurement, which provides an outline of the following:
- the position in the draft withdrawal agreement relating to ongoing procurement procedures and framework agreements;
- the arrangements and key differences in the World Trade Organisation Government Procurement Agreement; and
- how the UK will look to achieve future agreements on public procurement with the EU and other countries.
The paper explains that the UK will have some freedom to amend UK public procurement law once it is no longer in the EU, but that it may be restricted from making major changes by the GPA and any future trade agreement with the EU and other countries.
Bidders must provide "proof of equivalence" to brands, marks or standards as part of tender submissions
It is already established in UK public procurement law that whenever a contracting authority / utility sets a technical specification that refers to a certain brand, mark, origin, production method or standard, it must allow bidders to offer goods or services that are "equivalent".
A recent CJEU decision (VAR Srl and another v Iveco Orecchia SpA (Case C-14/17)) introduces the additional requirement that contracting authorities / utilities must require bidders to provide proof of equivalence within tender submissions. Contracting authorities must then use that proof to verify equivalence to the requirements in the technical specification.
New UK-specific replacement for OJEU/TED will be made available in the event of a no deal Brexit
The UK government has confirmed that, if the UK and the EU fail to conclude a Brexit Withdrawal Agreement that provides for a transition period, it will introduce a new UK-specific e-notification service that will replace OJEU/ Tenders Electronic Daily (TED) for the advertisement of UK public contracts. The new service would be available from 30 March 2019.
There are currently no planned changes to any of the publication requirements, so contracting authorities would need to publish on the new service any notices that would have been published in OJEU before Brexit.
DHL Supply Chain v Secretary of State for Health and Social Care: automatic suspension lifted
The Court has lifted the automatic suspension in DHL Supply Chain's claim against the Department of Health and Social Care, meaning that DHSC will be able to enter into the logistics contract for the NHS Future Operating Model with Unipart.
The Court's decision is unusual because it held that damages would not be an adequate remedy for either party.
- For DHL, this was because the prestigious and high value contract would have amounted to a unique selling point. DHL would also lose staff to Unipart under TUPE, which would impact on its ability to bid for new contracts in the short term.
- For DHSC, this was because any delay to the implementation of the contract would have a detrimental impact on patients in hospitals and at home.
The decision was therefore based on a balance of convenience test, which the Court found favoured lifting the suspension.