The tripartite DMCC introduces wide-ranging landscape reforms to the UK's competition, consumer and digital markets regimes. The CMA's powers across its various functions have been substantially bolstered by the legislation and the CMA is gaining new statutory powers to regulate digital markets.

Key points:

• Digital Markets –The DMCC grants new responsibilities to the CMA to regulate companies with substantial and entrenched market power in digital markets through a new digital markets regime overseen by its Digital Markets Unit (DMU).The DMU, which previously only existed in shadow form in anticipation of the DMCC being passed, will now receive its formal statutory powers. The DMU will have the authority to impose significant penalties for non-compliance with conduct requirements, including fines of up to 10% of the firm’s global turnover.

   

• Competition – The legislation significantly strengthens the CMA's competition enforcement powers.As an example, it extends the territorial scope of the prohibition under Chapter I of the Competition Act 1998 to apply to agreements implemented outside the UK with an effect within the UK.Other changes include imposing a duty to preserve documents where a person knows or suspects that an investigation is, or is likely to be, carried out by the CMA.There are stronger evidence-gathering powers such as the CMA's ability to interview individuals as part of its competition investigations and extending 'seize and sift' powers to dawn raids at domestic premises (until now such powers were only available for raids at business premises).In addition, there are changes to make penalties for procedural infringements even tougher.Various changes are also being made to the market studies and investigations regime, as well as to the CMA's merger control regime.

   

• Consumer - The Act overhauls the UK's consumer protection legislation including changes to enhance consumer rights.Whereas previously the CMA was required to seek enforcement orders from the court, the CMA will now administer a new direct enforcement regime for infringements of the core consumer protection legislation.

For further details, our articles when the DMCC Bill was introduced into Parliament highlight the key changes in each regime:

• Changes to the digital markets regime
• Changes to the competition law regime
• Changes to the consumer law regime

The CMA has been planning carefully for its new powers. On the day the DMCC became law, the CMA issued a consultation on its draft guidance in relation to the new digital markets regime.   

The full suite of consultation materials is available at the CMA's dedicated website. The consultation is open until 12 July 2024. It is expected the new digital markets competition powers will commence as soon as October 2024. 

• property; 
• advertising;
• data protection; and
• intellectual property.

The paper analyses the legal issues as we know them today, appreciating that there is so much more to come as the future of immersive technology, and its practical implementation, begins to unfold.

Download the white paper through Darabase here.

The consultation is the first step in the process which will culminate in Ofcom publishing a final code of practice for illegal harms duties, likely by the end of 2024 (the code must ultimately be approved by Parliament before coming into force).  

The significance of the codes of practice in the context of duties arising under the legislation is addressed in s.49 of the OSA, which provides that a service provider "is to be treated as complying with a relevant duty if the provider takes or uses the measures described in a code of practice which are recommended for the purpose of compliance with the duty in question".  That said, adopting a different approach to that recommended by Ofcom will not necessarily mean that a provider fails in its duties, provided it can demonstrate compliance through other means.

Background

The OSA seeks to improve user safety online by ensuring illegal content and content that is harmful to children is identified and removed by search engines and providers of user-to-user services. The legislation will require companies to implement appropriate procedures and processes to tackle such content and will grant extensive powers to the new online safety regulator, Ofcom, to oversee and enforce the new rules.

What are these criminal offences?

The OSA does not introduce wholesale criminal liability for directors of in-scope services, but it provides that senior managers may be held criminally liable for a company's failure to comply with the legislation in specific circumstances.   These include offences for failing to comply with information and audit notices, offences committed under the Act by the body corporate but with the consent, connivance or neglect of a company officer, and, in certain circumstances, offences for failing to comply with a children’s online safety duty.

Information and audit offences

One of Ofcom's new powers is the ability to issue an "information notice" to a regulated entity requiring that entity to provide Ofcom with information needed for the purpose of exercising any of its online safety functions. Information notices can be wide in scope and may require the relevant entity to provide Ofcom with information about the use of the service by a particular named individual or information requested by a senior coroner in relation to the investigation into the death of a child. A provision has been added more recently to the Bill which enables Ofcom to also prepare a report in connection with the investigation into the death of a person. 

A service provider will commit an offence for: (a) failing to comply with the notice, (b) knowingly or recklessly providing false information in response to it, (c) intentionally providing encrypted information which Ofcom cannot understand, or (d) intentionally suppressing, destroying or altering information.

Ofcom may require the company receiving the information notice to name in its response a senior manager who may reasonably be expected to be in a position to ensure compliance with the requirements of the notice. An individual will be a “senior manager” if they play a significant role in making decisions about how the entity’s relevant activities are to be managed or organised, or they are involved in the actual managing or organising of the entity’s relevant activities.

Where any of the offences at (a) to (d) above are committed by the company, and a senior manager has failed to take all reasonable steps to prevent the offence from being committed, that senior manager will also commit an offence. It is hoped that further guidance on what "reasonable steps" should be taken by senior managers will be provided by Ofcom in due course. 

The same applies to senior managers who fail to ensure compliance with audit notices issued by Ofcom without a reasonable excuse, knowingly or recklessly provide false information in response to an audit notice, or suppress, destroy, or alter information with the intention of preventing Ofcom from being provided with the information as it was before the alteration.

Finally, corporate officers could face two years’ imprisonment for knowingly or recklessly making false reports to the National Crime Agency about child sexual exploitation and abuse on their services.

Failure to keep children safe online

The OSA also creates criminal sanctions for corporate officers where an offence is committed by the body corporate either with the consent or connivance of the corporate officer or owing to their neglect. The definition of “officer” is very wide, and includes a company director, manager, associate, secretary or other similar officer, or a person purporting to act in any such capacity.

A significant amendment to the legislation introduced criminal liability for individual officers if, through their consent, connivance or neglect, the company fails to comply with a confirmation decision requiring it to take steps to ensure it acts in accordance with a child safety duty in the OSA. The upshot is that individual directors could face up to 2 years' imprisonment for alleged failure to prevent children from encountering harmful content even where they are not directly responsible for moderation decisions or the response to Ofcom's confirmation decision.

The relevant children’s safety duties include the requirement to prevent children of any age encountering primary priority content that is harmful to children, which includes pornographic content and content which encourages, promotes or provides instructions for suicide, deliberate self-injury or an eating disorder. It also includes the requirement to protect children in certain age groups judged to be at risk of harm from other content that is harmful to children.

Senior managers can take some comfort in the fact that they will be given advanced warning if Ofcom deems the service provider to be failing in respect of a child safety duty; first, through an investigation and provisional notice of contravention (to which they can provide submissions in response) and then via a subsequent confirmation decision (which they can appeal). That said, enforcing children’s safety duties is likely to be an aspect of the new legislation in respect of which Ofcom will come under significant pressure to take action. As a result, tech companies and their senior managers are likely to face heavy scrutiny in this area.   

Why is this important?

This legislation will fundamentally change the criminal and regulatory landscape for tech companies in the UK and will introduce personal criminal liability in relation to a key focus of the OSA: child online safety. The consequences of non-compliance for both the corporate entity and for individuals are extremely serious and should be grappled with as soon as possible in order to ensure compliance once the OSA comes into force.

In-scope services should consider who may be deemed an "officer" and "senior manager" of the company under the OSA to understand to whom personal liability could attach.  Companies should also undertake a detailed review of their processes and practices currently in place relating to children's online safety and should implement any necessary adaptations now, to ensure they are well-equipped to engage robustly with the regulator in relation to any investigations or provisional notices once the OSA becomes law.

If you have specific questions on the OSA, please contact Rupert Cowper-Coles or Nadia Tymkiw.

Navigate back to the online safety and regulation hub

After a long and controversial passage through Parliament since the Online Safety Bill was first published in 2021, the Bill completed its final stage in the House of Lords on 19 September 2023.  Royal Assent is expected to be granted by the end of October 2023.

The Online Safety Act (OSA), as it will be, is part of the Government's mission to "make the UK the safest place in the world to be online".  It is a vast piece of legislation and has been described by the Government as the "most powerful child protection laws in a generation".  

What measures does the OSA introduce?

The OSA will impose new duties on 'user-to-user' services and search services to tackle (1) illegal content, which includes content relating to terrorism and child sexual exploitation and abuse, and (2) content that is harmful to children on their platforms.

New offences have also been created, including the offences of epilepsy trolling, cyber-flashing, and sharing intimate images online, including "deepfake" pornography.  

Since its conception, the OSA has undergone significant changes throughout the course of Parliamentary debate.  Particularly onerous provisions which have been added to the Bill include: 

• Stricter requirements for certain categories of services to proactively prevent under-18s from seeing the "highest risk" forms of content, such as content that encourages, promotes, or provides instructions for suicide, self-harm and eating disorders.  
• Explicit requirements for online providers to impose age verification and age estimations measures to ensure those measures are effective in preventing children from accessing pornography.
• New obligations to seek to protect users from 'scam ads' and online fraud.
• Stricter user empowerment provisions to enable adult users to avoid content they do not want to see (e.g., abusive content). 
• Greater powers for coroners to access children's data on behalf of bereaved parents.

Ofcom, as the appointed regulator, has been tasked with developing codes of practice which will indicate what steps will need to be taken to comply with the legislation.  It will also be granted extensive new powers to ensure the OSA is adequately enforced and complied with.

When will the changes take effect?

The Government and Ofcom have stressed that the changes introduced by the OSA will be implemented as quickly as possible once it becomes law.

According to Ofcom's current roadmap to regulation, the regulator will adopt a phased approach to the OSA's implementation.  Phase one will focus on illegal harms, with Ofcom planning to publish its codes of practice relating to illegal content duties very shortly after commencement.

Phase two will focus on child safety duties and pornography.  Ofcom intends to consult on its draft guidance on age assurance in Autumn 2023, with a further consultation on its draft codes of practice relating to the protection of children in around Spring 2024.

The final phase concerns transparency, user empowerment, and other duties on categorised platforms.  Ofcom is currently considering responses to a call for evidence on the thresholds of these categorised services, and will be publishing a further call for evidence in Autumn 2023 on the duties that apply to categorised services.

Who needs to comply?

Services which will be caught by the OSA include not only social media companies and search engines, but also any services that allow users to encounter content published by one another, such as forums, blogs, gaming services, chat services, dating apps and messaging services.  Businesses of all different types and sizes will therefore be required to comply with the legislation.  

Any service that targets the UK will be caught, so international services that may have a relatively modest UK user base will still need to comply. 

In-scope services will be expected to:

• Remove illegal content quickly or prevent it from appearing in the first place.
• Prevent children from accessing harmful and age-inappropriate content.
• Enforce age limits and age-verification measures.
• Ensure the risks and dangers posed to children on the largest social media platforms are more transparent (e.g., through undertaking risk assessments and publishing summaries of these in their terms of service).
• Provide parents and children with clear and accessible ways to report any problems encountered online.
• Deliver upon the promises made to users in their terms of service. 

Failing to comply with the obligations imposed by the OSA will carry serious consequences.  In-scope services that are found to be in breach of their duties could face fines of up to £18 million or 10% of their global annual revenue (whichever is higher).  Senior executives and managers could also face criminal prosecution for certain offences created by the OSA.

Over the coming weeks, RPC will be publishing a number of blogs on some of the most important provisions of the OSA.  Check back for updates, and if you have any questions about the legislation, please contact: OSB@rpclegal.com.

Navigate back to the online safety and regulation hub

The AI White Paper at a glance

The UK set out its proposal on AI regulation in its AI White Paper in March this year.  The UK's approach, aimed at regulating the use of AI rather than the technology itself, focusses on the context in which AI is deployed rather than specific technologies.

The government proposed a lightly regulated, principles-based UK framework with no formal legislation. For this framework the government puts itself in a monitoring role, using test beds and sandbox initiatives, conducting and asking convening industry to conduct horizon scanning, and promoting interoperability with international regulatory frameworks. Acknowledging AI's adaptivity and lack of explainablity, the government has decided not to provide a legal definition of AI at this point.

In addition, the White Paper clarified that the framework is to be supplemented by assurance techniques, voluntary guidance and technical standards in collaboration with bodies such as the UK AI Standards Hub.  There will be no AI regulator appointed, with the government favouring instead a system where existing sectoral regulators such as the Information Commissioner’s Office, the Health and Safety Executive and the Competition and Markets Authority will be required to create context specific rules and guidance based on the AI principles – tailored to the ways AI is used in their sectors.

The government's proposals, as set out in the AI White Paper, are covered in more detail in our previous article.

Since the UK's AI White paper was published in March

Generally, the government has moved from promoting the 'light touch' approach outlined in the AI White Paper to a position that focusses more on promoting "safety features and guardrails". It has declined to comment publicly on whether it will introduce AI legislation in the current parliament (which ends mid 2024), and it appears to maintain its line that early AI regulation doesn't necessarily need legislation.

Alongside the March 2023 Spring budget, the government published Sir Patrick Vallance's Pro-Innovation Regulation of Technologies Review (PIRT) setting out his recommendations, as well as publishing the government's response to support innovation in generative AI. The PIRT acknowledged that government engagement with stakeholders had shown that the relationship between intellectual property law and generative AI is unclear and there was a lack of regulatory clarity as to the direction of UK reforms, particularly for AI firms deploying text and data mining techniques to generate new content. In its response and in support of the PIRT recommendations, the government proposed that the Intellectual Property Office (IPO) will produce a code of practice "by the summer" (nothing has arrived yet) that will provide guidance to support AI firms in accessing copyright protected works as an input to their models, while ensuring there are protections (e.g. labelling) on generated output. We have published a detailed article on this.

In late March, the government launched a consultation (that closed on 21 June 2023) on the issues raised in the AI White Paper including: the statutory duty requiring regulators to have due regard to the cross-sectoral principles; the allocation of legal responsibility for AI throughout the value chain; suggested approaches to the regulation of foundation models; and having an AI regulatory sandbox. The government's response to the 406 responses is expected "after the summer".

In response to the AI White Paper, in May 2023 the CMA launched an initial review into AI foundation models and its report setting out its findings is expected as soon as September 2023. In its review, the CMA is looking at the evolving market for AI foundation models; opportunities and risks for competition and consumer protection; and which principles might best guide the development of these markets. As the UK is seeking a principles based non-statutory AI framework, the CMA's review findings and next steps are likely to be influential in shaping the approach of other UK regulators.

In June, the AI Council was dissolved, and the government’s Foundation Model Taskforce was established with £100m funding to lead on AI safety and develop international guardrails, such as shared safety and security standards and infrastructure.

In July, the Communications and Digital Committee launched an inquiry to examine large language models and what needs to happen over the next 1–3 years to ensure the UK can respond to their opportunities and risks. The inquiry, which closes for evidence in September 2023, is likely to seek input from Ofcom and the Information Commissioner's Office on how they plan to deal with AI. It will also examine how the UK's approach compares with that of other jurisdictions, notably the EU, US and China.

Also in July, the Ada Lovelace Institute issued a policy briefing examining the UK’s current plans for AI regulation and setting out 18 recommendations for the government and the Foundation Model Taskforce to help strengthen the proposed regulatory framework. These included: legislating to introduce rights and protections to further regulate biometric technologies and automated decision-making; establishing an AI ombudsman; introducing greater powers to request information of companies developing, deploying or using AI systems; increasing funding to regulators; and examining and strengthening the law surrounding AI liability in order to redistribute legal and financial liability for AI risk in AI value chains.

Issues facing businesses and consumers

AI has been around in various forms since the 1950s but it is in the last few months that there have been warnings, including from leading scientists and technical experts, about the dangers of AI technology.

Disregarding the more headline grabbing reports of existential threat from (in particular generative) AI, from a legal perspective there are a number of issues that we see as likely to arise when AI is used in day to day activities by businesses and consumers:

• Breaches of confidentiality or data protection laws – may occur if businesses provide confidential information or data either to the AI system supplier at the stage of training the AI model, or at the prompt stage when asking questions of a generative AI model
• Risk of professional negligence – when AI hallucinations are relied upon when providing advice or when used in making key business decisions
• Breach of equality laws – if a company implements decisions made by an AI model without checking for bias
• Contract disputes – arising out of the AI system's failure to perform, or, breaches of software licences for exceeding the amount of permitted data. The lack of explainablity of AI systems is likely to make these types of disputes more complex to run and less predictable in terms of calculating prospects of success
• An increase in product liability claims – products incorporating AI systems and used in high-risk areas may produce defects with catastrophic consequences for consumers
• Unintentional collusion – back to the issue of explainability, a business may not realise that its AI powered pricing algorithm is engaging in collusion and this may give rise to competition law issues
• Intellectual property (IP) issues – there is currently no clear answer on the authorship and ownership of IP contained in the output of generative AI models and on the question of whether it is lawful to use IP protected works to train AI models (see above and our earlier article)

What answers can we expect or at least hope for in the autumn?

Businesses are grappling with multiple impending issues connected to use of AI and are looking for answers – fast.  Formal regulation and guidance have been slow to emerge from the government and regulators, who themselves have had little time to prepare to deal with his complex and fast moving area.

The autumn is promising to be a busy time for possible answers. The IPO's code of practice, the CMA's initial review into AI foundation models, the government's response to the issues raised in the AI White Paper and the report from the House of Lords Communications and Digital Committee inquiry into large language models, are all due in the coming weeks and months.

These are likely to provide a rich backdrop of information, ideas and recommendations for the government to feed into the dialogue at the global AI safety summit which in itself should begin to provide UK businesses and consumers with some answers to the many practical issues they are facing.

Under a telecommunications supply contract, Virgin Mobile Telecoms (Virgin Mobile) contracted with Mobile Network Operator (MNO) EE to access its radio access network. EE was required to supply to Virgin Mobile with various services that would enable Virgin Mobile's customers to be provided with 2G, 3G and 4G mobile services. This arrangement was subject to an exclusivity clause in the contract.

The initial arrangement wasn't applicable to the provision of 5G services but 5G was added subsequently and the contract was amended accordingly. The amendments provided for potential agreement between EE and Virgin Mobile in relation to the provision of 5G services using EE's network or, in the absence of such agreement, for Virgin Mobile to be entitled to provide 5G services to its customers from a different network owned by one of EE's MNO competitors. 

Virgin Mobile put some of its customers on Vodafone's and O2's networks believing it fell within that '5G services' exception to the exclusivity clause. EE considered that by doing so Virgin Mobile had breached the exclusivity clause and issued proceedings, claiming damages of c. £25 million in revenue that it would otherwise have earned in respect of liability for additional charges payable by Virgin Media to EE under the contract had Virgin Mobile's customers been kept on EE's network instead.

The exclusion clause

Other than in certain limited circumstances, the contract expressly excluded liability for "anticipated profits".

Virgin Mobile accordingly applied for strike out and/or reverse summary judgment of EE's claim, contending that regardless of breach (which it denied) the claimed losses fell within the clear and natural meaning of the words "anticipated profits" in the exclusion clause. 

The key question for the court was whether that interpretation was correct. While bearing in mind that the court should hesitate about making a final decision without trial, the court decided that it had all the evidence necessary to determine this key point of contractual construction summarily.  

The decision

The court revisited the well-established general approach to contractual interpretation, as well as the purposive and contextual principles applicable to the interpretation of exclusion clauses (as referred to in our recent Drax v Wipro blog here).  

Given the clear and unambiguous language of the exclusion clause, the court found that EE's damages claim fell within the natural meaning of "anticipated profits" and was therefore excluded. 

There was no difference in meaning between "lost profits" and "anticipated profits". The agreement was a bespoke, lengthy and detailed contract negotiated by two sophisticated parties operating in the field of telecommunications, which had been negotiated on a level playing field. Although that admittedly left EE without a financial remedy if Virgin Mobile breached the exclusivity clause, EE would still be paid the substantial contractually agreed minimum revenue payments in any event, and EE could still seek effective non-financial remedies (such as injunctive relief), so the result could not be said to render the contract an "illusory bargain" or "a mere declaration of intent". 

The court therefore gave summary judgment in Virgin Mobile's favour.

Comment and practical takeaways

This is the latest of several judgments in a matter of months that emphasises the courts' willingness to construe the words of an exclusion clause so as to recognise that commercial parties are free to make their own bargains and allocate risks as they think fit. While the court will start with the assumption that in the absence of clear words parties do not intend to give up their normal rights, it will not generally place (what the court referred to in its own words as) a strained construction on clear words excluding liability. This is particularly so where the parties are sophisticated and have been legally advised.  

The court did, however, comment that it may endeavour to strain to avoid a particular construction if the exclusion clause would otherwise have the effect of defeating the object of the contract or creating commercial absurdity, such that one party can effectively breach the contract with impunity. Even then, if the contractual language fairly has only one meaning, adopting a strained construction should only be a "last resort". This does therefore leave open the possibility for claimants to push the boundaries of interpretation in some circumstances.

The focus and intention behind a contractual exclusion of lost profits is often on loss of (indirect) profits that might be earned through business dealings with third parties 'outside' the contract. Here, however, the charges EE was claiming were for charges it would have received had Virgin Mobile not (as EE alleged) breached the exclusivity clause – i.e. additional charges paid under the contract. When drafting the contract, if the parties do intend to exclude 'outside' of the contract indirect or consequential losses, this could be done explicitly by, for example, referring (as the court suggested could be done) to "losses arising in connection with third parties". 

When liability has been excluded for financial damage such as lost profits, at the dispute stage arguments may centre on what 'loss of profits' actually covers. The court made the point that even if the words "loss of profits" feature in the exclusion clause they may not be apt on the facts to encompass the claim that is being made, or they may be narrowed in scope by their factual context. Those framing the claims in a dispute should, at a pre-action stage, be mindful that despite explicit wording there may be context that means a court will characterise the loss claimed as something other than "loss of profit". As a result, we will no doubt continue to see these types of arguments being run.

Background

In October 2019, following a tender process, Rolls-Royce contracted with software developer Topalsson to develop a new digital visualisation tool allowing prospective customers to see photo-realistic renderings of Rolls-Royce cars with different custom configurations, before purchasing.

Under the services agreement (the Agreement), Topalsson was obliged to meet milestone dates contained in an agreed implementation plan, which gave a detailed breakdown of the project programme (the December Plan). As is typical of many software development projects, it soon became evident that the December Plan dates could not be achieved. A revised plan was agreed, with later delivery dates for "Technical Go-Live" (the March Plan). Technical issues and delays continued and Rolls-Royce lost confidence in Topalsson's ability to deliver the project to the new agreed timeline. Despite agreeing the revised March Plan, Rolls-Royce served a termination notice on Topalsson (the First Termination Notice) relying on Topalsson's repudiatory breach for its failure to meet the December Plan dates. Topalsson rejected the First Termination Notice and affirmed the Agreement, denying that the December Plan dates were contractually binding.

Rolls-Royce then served a further notice (the Second Termination Notice), again purporting to terminate the Agreement both: (i) for repudiatory breach, but this time for missing the March Plan deadlines; and (ii) under clause 13.11 of the Agreement, which permitted immediate termination if Topalsson failed to meet the agreed delivery or milestone dates. Topalsson rejected the Second Termination Notice too, alleging that Rolls-Royce was itself in repudiatory breach of the Agreement and purporting to accept that repudiatory breach in order to bring the Agreement to an end.

Topalsson subsequently brought proceedings against Rolls-Royce, asserting that:

• Topalsson was not in breach, as it had achieved Technical Go-Live for some deliverables and would have completed the others but for Rolls-Royce's termination; or alternatively
• there were no contractually binding delivery dates and time was not of the essence, and Rolls-Royce was partly to blame for the delays.

Rolls-Royce counterclaimed, arguing that the December Plan and subsequently the March Plan dates were contractually binding, and Topalsson was responsible for having missed them.

Key issues and decisions

Did Topalsson just have to deliver and install the software within a 'reasonable time', or did it have to comply with specific milestone dates? And did it meet its obligations?

The court found that the December Plan dates were contractually binding on Topalsson. Topalsson itself had proposed the December Plan timeline to Rolls-Royce, it knew that the timeframes were commercially sensitive and that the software was needed in time for the planned launch, and the parties had agreed those dates.

Further, the court held that, properly construed, the express terms of the Agreement made time of the essence in respect of the dates in the December Plan.

As to the March Plan, Topalsson asserted that the dates had no binding contractual effect and it just had to deliver within a 'reasonable time'. The court disagreed: Topalsson had agreed to the March Plan dates in circumstances where it had already failed to meet the December Plan and where Rolls-Royce had expressly stated that Topalsson meeting the March Plan dates was "a condition of our ongoing contractual relationship". Accordingly, the March Plan was a relaxation and/or extension of time under the binding December Plan. The March Plan dates were therefore binding on Topalsson and time was also of the essence in achieving them.

Had Topalsson met the contractual milestone dates?

By the time Rolls-Royce sent its Second Termination Notice, the Technical Go-Live milestone dates for two deliverables had passed and it was accepted that the third milestone date was not going to be met. There was, however, no express definition of "Technical Go-Live" in the Agreement and Topalsson asserted that it had either achieved Technical Go-Live or would have but for Rolls-Royce terminating the Agreement, on the basis that not all testing had to be completed and that the existence of open defects did not preclude Technical Go-Live being achieved. In other words, delivery of broadly functioning software was sufficient.

Based on the wording of the Agreement and the sequencing of project activities set out in the December Plan, the court again disagreed: Technical Go-Live required the successful completion of systems integration and user acceptance testing. The court also found that Topalsson had accordingly failed to achieve Technical Go-Live by the March Plan deadlines that had already passed, and was so far behind schedule that it would not have met the final deadline even if the Agreement had continued.

Was Topalsson responsible for failing to meet the March Plan milestones, or was it impeded by Rolls-Royce?

Topalsson argued that the delays were not its fault because:

• its subcontractor, to which it had been introduced by Rolls-Royce, had performed poorly;
• Rolls-Royce itself had delayed the start of the project and failed to provide Topalsson with the necessary systems access and software licences;
• Rolls-Royce had introduced changes to the requirements and/or scope creep; and
• Rolls-Royce had imposed a waterfall project management methodology, despite Topalsson having strongly pushed for a purely agile approach.

The court rejected those arguments, finding that Topalsson's own commercial decisions were the most likely cause of the delays including that Topalsson had chosen to engage the subcontractor and was responsible for its performance, and that Topalsson had contractually agreed to a hybrid agile/waterfall methodology. Ultimately, either "Topalsson took on a project that simply was beyond its capabilities, or … it struggled to recruit and retain the necessary staffing levels".

Was Rolls-Royce in repudiatory breach by giving the Termination Notices?

The court found that Rolls-Royce's First Termination Notice was erroneous because it relied on Topalsson missing the original December Plan deadlines, when the revised March Plan deadlines had already been agreed. This was, however, ultimately immaterial as Topalsson had affirmed the Agreement in response.

As to the Second Termination Notice, this was based on Topalsson's failure to achieve the milestone dates set out in the March Plan and relied upon:

• a contractual right to terminate for failure to meet milestone dates pursuant to clause 13.11 of the Agreement; and/or
• the common law right to terminate for repudiatory breach on the basis that time was of the essence in respect of achieving the milestone dates and Topalsson had breached this obligation.

There was a key difference between the two termination avenues available to Rolls-Royce: case law is clear that the contractual termination right under clause 13.11 could only be exercised in respect of a significant or substantial breach justifying termination; whereas under clause 5.8, the parties had agreed that time for delivery deadlines was "of the essence", i.e. a condition of the Agreement, any breach of which (irrespective of severity) would in principle amount to a repudiatory breach and justify termination. On the facts, the court found that Rolls-Royce had been entitled to rely on either avenue as Topalsson's delays were significant and "could not be described as a 'near miss'". The Second Termination Notice was accordingly valid.

Practical takeaways

Crucially, parties should ensure that their key requirements and deadlines are clearly recorded in the contract (or that it provides clear mechanisms for agreeing them later) in order to avoid subsequent confusion and disputes arising as to whether deadlines are binding and when they have been achieved. Parties should also define and make use of contractual change control mechanisms - whether relating to scope, delivery dates or other requirements - to give clarity about the contractual status of any variations agreed.

Parties seeking to terminate for repudiatory breach or based on a contractual right should, in the notice of termination, take care to rely on valid legal and factual bases to do so, or else risk being in repudiatory breach themselves. For example, if contractual timelines or scope have been varied by agreement, failure to meet the original requirements may no longer justify termination. In addition, specific requirements for written notice as set out in the contract should be strictly observed.

While a minor breach of a condition (i.e. a term which 'goes to the root of the contract') may be enough for termination, breaches of other contractual terms giving rise to an express right to terminate may still need to be sufficiently significant in the circumstances to warrant termination.

Consider whether time is expressed to be of the essence in the contract. Making time of the essence for performance is (usually) sufficient to constitute a term essential and render any delay (even if only by a few hours) repudiatory. The repudiation can be accepted by the innocent party and they can seek damages for loss of the bargain resulting from the termination of the agreement even where the failure to perform the obligation on time is minor.

As real world and virtual metaverses become mainstream, the properties around us are increasingly being used as the canvas for digital content. 

In this new, immersive world, there is much to recommend a coherent, permission-based approach to the display of digital content on, or in connection with, properties. 

Property Digital Rights – what are they and why should the property industry take notice?

Property Digital Rights (PDRs) are an emerging asset class, designed to allow property owners to protect, manage and monetise how their properties are used in AR-enabled mobile apps or smart glasses or virtual reality (VR) metaverse worlds. Just as you might grant a third party a licence to use the airspace above a property, or to extract the minerals below it, you can register your property’s digital rights and permit use of the property in immersive environments. At the same time you can select any restrictions or content preferences that should apply to your property to ensure the advertisements or other digital content meet your requirements and preserve the reputation and prestige of your property.

Some argue that immersive advertising, particularly AR advertising in physical locations, and the property digital rights that will control it, are the future of outdoor media. As with traditional screen or billboard-type advertising, property digital rights have the potential to provide a lucrative additional source of revenue for property owners and managers, with no CAPEX and limited OPEX investment.
 
Property owners already attribute significant asset value to the outdoor media inventory on many of their properties, based on the incremental revenue generated. For example, Landsec’s Piccadilly Lights screen in London has an asset value of over £200m, making it one of Landsec’s most valuable assets, larger than many office and retail properties they own. Immersive advertising represents a unique opportunity for brands to leverage the unique advantages of both digital and outdoor media. As we all spend more time in immersive environments, on mobile for now and in the future with wearable technology, today’s vast advertising spend will shift to immersive AR and VR media.

Legal considerations in the UK

The use of property digital rights in a mixed-reality space is necessarily derivative of the legal and regulatory framework in the physical world. For example, the owners of the iconic Shard building and the intellectual property in it have the primary right to register the Shard and make the property digital rights available, allowing the use of the property, or any part of it, in immersive experiences.

In the physical world, property owners’ rights to allow outdoor media are fettered in numerous ways. Taking the Shard example, individual tenants within the Shard may have rights to restrict advertising or displays in proximity to their spaces. The planning authority restricts the content, placement and nature of physical advertising, and central government applies over-arching regulation. In fact, new legislation is expected to be enacted this year to address light pollution in the City of London which will add further restrictions. Comparable restrictions apply in countries across the globe - for example, Germany recently took steps to ban public screens being active between 10pm and 6am for similar reasons.

In contrast, immersive advertising, using augmented reality content overlaid onto the real world or virtual content in a metaverse, leaves the real world property untouched. The "place-making" and other location-based sensitivities which typically concern a government or local authority and therefore drive most of the restrictive legislation to fall away. As this is a new frontier, tenants' lease contracts also don’t typically impose restrictions. In any event, even once immersive advertising becomes fully established, we can expect such third parties’ concerns to be limited to the extent the advertising creates safety issues (such as overcrowding or distracting content at busy road junctions), or negative or competitive associations with the property. As a result, many of the significant obstacles to value extraction which exist for outdoor media are removed. In the absence of statutory, copyright or contractual restrictions, property owners are free to register their properties and use their property digital rights to permit immersive advertising.  

There is another important attraction to registering a property's digital rights. The traditional tools available to a property owner in the face of the unauthorised "use" of their property in an immersive environment are unsatisfactory. The law of trespass, for example, assumes there has been a physical use or placing of items/displays on a property without consent. If the "use" of a property is within a headset, arguably there has been no physical interaction with the property at all. Intellectual property law may offer a remedy in the form of breach of copyright or passing off but clearly, as is often the case, the law is struggling to keep up with technology. A platform for the registration of property digital rights is a welcome first step for many advertisers looking for permitted locations for their content. 

We also expect that a new property digital rights registry and its associated marketplace will act as something of a catalyst to establishing a more appropriate regulatory framework in the digital world. Remember that the high degree of accuracy and oversight associated with our physical Land Registry is what underpins the success of the property marketplace and resultant property values.

Darabase – building the permission-based, brand-safe global registry

Darabase was founded in 2019 to create a global property digital rights registry. They allow property companies to register their property digital rights and offer inventory into which immersive advertising can be displayed. They also have a marketplace in which property digital rights can be bought and sold. Property digital rights holders will receive a share of the revenue of immersive advertising, just as a property owner does for traditional billboards and screens. Darabase is headquartered in London, UK and has operations and subsidiaries in the USA, Canada, Australia and the Middle East. 

To fit into existing property valuation processes, Darabase's proprietary algorithm uses an outdoor media valuation model and revenue projections from AR and metaverse commercial activity to estimate the potential value a property could earn from immersive advertising and so the asset value of the PDRs. Revenue can then be generated in two ways:

1. Publishers and advertisers work with Darabase to activate this new digital inventory. The property itself, through its location or iconic status, brings context and prestige to the advertising content, the publishers provide the audience and the moment the inventory is activated (when the audience is close to and/or looking at the property), and advertisers are secure in the knowledge that they have permission to use the property. The revenue earned is shared between the publishers and the property digital rights holders.
2. Property companies can also decide whether to retain their property digital rights or lease some or all of them on the Darabase Marketplace. In doing so, they can realise immediate revenue and property digital rights leaseholders get the opportunity to share in the potential of the immersive inventory. 

Property owners can also opt out of third party advertising - either in order to display their own immersive content or to block all content entirely. Should they choose to display their own content, they can use Darabase’s content management solution to simply serve their own  immersive promotional campaign to those walking by. 

The registry of property digital ownership and property digital rights is the foundation for a global permission-based immersive advertising ecosystem and delivers a valuable new asset for property owners.

Take-aways

A permission-based approach is key to a healthy advertising and marketing industry. Not just because of established legal dangers in proceeding without consent, but also because big brands do not want to take the risks (reputational, financial or otherwise) associated with guerilla marketing methods. In the developing regulatory environment of immersive advertising, registering property digital rights means property owners can clearly indicate their consent and the parameters of such consent; to protect their properties and potentially gain a new revenue stream.

The Actionable Futurist Andrew Grill was interviewed on stage by Helen Armstrong, a Partner in RPC’s IP and technology disputes team.

The discussion examined the risks, issues, and ethics surrounding this powerful technology and the roles played by giants like OpenAI, Google, and Facebook in this rapidly evolving space. 

This episode also covers the current applications and trends of generative AI in the retail and consumer sectors and how it’s already making a mark on our daily lives. 

As we navigate the complex world of AI regulation, Andrew shared his insights on explainability, transparency, trust within AI systems, and the implications of the UK Government’s white paper on AI. 

The episode also touched on the challenges of IP rights, GDPR, ongoing AI model training, and the importance of auditing systems to prevent bias.

Don’t miss this thought-provoking conversation as we uncover the incredible potential of generative AI, its ability to unleash creativity, and the crucial need for ethical use of this game-changing technology. 

Listen to the podcast on The Actionable Futurist®. 

Find out more about RPC @ London Tech Week here.

Since then, leading scientist Geoffrey Hinton, who developed the foundations of modern machine learning, has decided to step away from developing AI and into a role warning about the dangers of its technology in terms of the potential for widespread job losses and use by 'bad actors' and to urge responsible investment in safety and control of AI that is developing at a spectacular rate.

The AI White Paper claims that the UK is third in the world for AI research and development, and that it is home to a third of Europe’s total AI companies—twice as many as any other European country. The UK's approach to regulating AI is undoubtedly of key interest not just to UK AI and non-AI focussed businesses, but also to Europe, the US and the rest of the world.  Given the concerns being raised by those closest to the most advanced generative AI developments, no doubt many will be asking: does the White Paper go far enough?

The unicorn approach in a nutshell

The UK's AI White Paper is pro-innovation and, it's fair to say, light on regulation.  There's no surprise in this as it follows the UK's National AI Strategy and the principles of the Plan for Digital Regulation. There is no intention to introduce legislation—the framework will be principles-based and will progress iteratively with a wait and see approach to the detail to allow "getting regulation right so that innovators can thrive and the risks posed by AI can be addressed". In this respect, the government has given itself monitoring functions to provide real time assessments of how the regulatory framework is performing. This monitoring will include test beds and sandbox initiatives, conducting and asking convening industry to conduct horizon scanning, and promoting interoperability with international regulatory frameworks. In addition, the framework will be supplemented by assurance techniques, voluntary guidance and technical standards, in collaboration with bodies such as the UK AI Standards Hub and the AI Council.

No AI regulator to mind the gaps

There are no plans to appoint an AI regulator, instead the plan is that existing sectoral regulators will incorporate AI into their normal responsibilities. Following an initial period of implementation, the government anticipates introducing a statutory duty on regulators requiring them to have 'due regard' to the principles. This statutory duty won't be introduced if the government's monitoring of the framework shows that implementation is effective without the need to legislate. While the duty to have due regard will require regulators to demonstrate that they had taken account of the principles, the government recognises that not every regulator will need to introduce measures to implement every principle.

In the AI White Paper, the government recognises that AI risks arise across, or in the gaps between, existing regulatory remits. Unless the various sectoral regulators' approaches to regulating AI are aligned, businesses may end up being caught by complex rules and confused by inconsistent enforcement across regulators who have limited capacity and access to AI expertise.  This may disproportionately impact small businesses.

Aside from acknowledging that regulatory coordination will be key through existing formal networks such as the Digital Regulation Cooperation Forum (this has already published its vision for a joined up approach to digital regulation and has established a multi-agency advice service), the government is planning cross-sectoral risk assessment activities. These include: developing and maintaining a cross-economy, society-wide AI risk register to support regulators’ internal risks assessments; working with regulators to clarify responsibilities in relation to new risks or areas of contested responsibility; sharing risk enforcement best practices and supporting join-up between regulators.

Definition of AI 

There is currently no widely accepted worldwide definition of what is meant by AI. The UK government has therefore decided against a rigid legal definition and has decided to define AI by reference to the two characteristics that generate the need for a regulatory response: its adaptivity and autonomy. The reasoning behind this is that the combination of AI's adaptivity and autonomy makes it difficult to explain, predict, or control the outputs of an AI system, or the underlying logic by which they are generated. It can also be challenging to allocate responsibility for the system’s operation and outputs. Within the framework, the government will retain the ability to adapt its approach to defining AI, alongside its ongoing monitoring obligations.

Regulating use via non statutory principles

The UK is proposing a non-statutory framework that existing regulators will be expected to implement. The framework is underpinned by five, now familiar, principles to guide and inform the responsible development and use of AI in all sectors of the UK economy: 

• safety, security and robustness; 
• appropriate transparency and explainability; 
• fairness;
• accountability and governance; and 
• contestability and redress. 

The UK aims to regulate the use of AI, not the technology itself – focussing on the context in which AI is deployed rather than specific technologies. An example given is that an AI-powered chatbot used to triage customer service requests for an online clothing retailer should not be regulated in the same way as a similar application used as part of a medical diagnostic process.

Regulators are expected to issue guidance or update existing guidance on the principles and will be encouraged to publish joint guidance on AI use cases that cross multiple regulatory remits.

UK alignment with international jurisdictions

The government is proposing that this is done centrally by monitoring alignment between UK principles and international approaches to regulation, assurance and/or risk management, and technical standards.  It will also aim to support cross-border coordination and collaboration by identifying opportunities for regulatory interoperability. 

Currently, the UK's apparent 'light touch' approach sits apart from the US and EU's risk-based focus, particularly when it comes to foundation models.  Last year’s release of ChatGPT has prompted recent revisions to the EU AI Act draft legislation, honing in on foundation models.  In a slight departure from regulating use rather than specific systems, the revisions seek to impose specific obligations on providers of general-purpose foundation models for example to mitigate against use for high-risk purposes such as deepfakes. 

In a similar vein, while there is currently no comprehensive federal legislation regulating AI systems in the US, recent commentary suggests that the US (again prompted by ChatGPT) is shifting from a wholly voluntary framework towards the idea of more formal, risk based, state and federal level governance of AI.   

Practical issues

Big tech

It seems like some of the big tech firms don't yet want to launch their chatbots, but don't feel they have a choice if they are to remain competitive in this area. As a result, tech firms, and their executives, may end up with enormous responsibility and liability if things progress in a way that is harmful to humans.

AI supply chains

The complexity and opaqueness of AI supply chains makes allocating risk within the supply chain challenging.  Under the UK's current legal frameworks there is a real chance of getting it wrong in terms of inappropriate allocation of liability as between businesses using (but not developing) AI and businesses developing foundation models for use by third parties.

The government is not yet clear on how responsibility and liability for demonstrating compliance with the AI regulatory principles will be or should ideally be allocated and it is not proposing to make changes to life cycle accountability at this stage. Going forward, it plans an agile approach—with targeted measures deployed if necessary.  In the meantime, it plans to rely on assurance techniques (aiming, in collaboration with industry, to launch a Portfolio of AI assurance Techniques shortly) and technical standards (including through the UK AI Standards Hub) to support supply chain risk management.  

Foundation models

There are a small number of organisations supplying foundation models and a proportionately larger number of businesses integrating or otherwise deploying foundation models elsewhere in the AI ecosystem.  The government is again looking to assurance techniques and technical standards (particularly important for bias mitigation) to regulate foundation models and will be supported by the UK's Foundation Model AI Taskforce to help build capability in this area. 

The government is also expecting regulators to build capability in their sectors. In line with this, the Competition and Markets Authority (CMA) announced, on 4 May 2023, a review of AI foundation models. The review seeks to understand how foundation models are developing and will produce an assessment of the conditions and principles that will best guide the development of foundation models and their use in the future. As well as exploring the opportunities and risks these models could bring for competition and consumer protection, the review aims to produce guidance. 

Intellectual property

The AI White Paper doesn't address how the government plans to balance the rights of content producers and AI developers. It refers to its response to Sir Patrick Vallance's Pro-Innovation Regulation of Technologies Review recommendations, published earlier in the Spring. In its response, the government proposed that the Intellectual Property Office will produce a code of practice by the summer that will provide guidance to support AI firms in accessing copyright protected works as an input to their models. For further detail on the practical points relating to the UK's approach to AI and intellectual property rights see our earlier article.

The regulators

Busy and already under-resourced regulators are, at least at some point, likely to be overwhelmed with the technical aspects of AI.  Fact—it's incredibly difficult to understand. For example, they may lack the expertise to consider properly the application of the principles to the entirety of their sector, or they may ask for evidence as part of their investigations and simply not understand it when it arrives. There is also a risk that some regulators could begin to interpret the scope of their remit broadly to fill the gaps in ways not originally envisaged or expected.

Next steps

The government is currently consulting on the AI White Paper (the consultation closes on 21 June 2023). Further details about the implementation of the regulatory framework will be provided through an AI regulation roadmap, which will be published alongside the government response to the consultation on the AI White Paper. Thereafter it has set out a plan that covers the next year and beyond (playing out during a general election). 

In the next six months it is planning to, among other things, publish the government’s response to the AI White Paper consultation and issue cross-sectoral principles to regulators, together with initial guidance, as well as design and publish an AI Regulation Roadmap with plans for establishing its central functions. 

During the following 6 months it will encourage key regulators to publish guidance on how the cross-sectoral principles apply within their remit and design a monitoring and evaluation framework. The CMA's review of AI foundation models, referred to above, closes in June and the CMA is looking to publish a report which sets out its findings in September 2023. 

In the longer term the government will provide detail on central functions, prompt regulators who have not produced guidance to do so, publish a draft central, cross-economy AI risk register for consultation and develop the regulatory sandbox or testbed. 

The UK government is clearly not wishing to rush in when it comes to regulating AI and there are some benefits to its proposed iterative approach.  AI is, however, here and interacting with humans now.  Consequently businesses, large and small, operating in the UK's AI landscape do require more immediate regulatory parameters to protect them and allow them to deal safely with the enormous opportunities presented by digital superintelligence as well as what Geoffrey Hinton describes as an incoming flood of misinformation, job losses and even an existential threat to humanity.  

The CMA established the Digital Markets Unit (the DMU) in shadow form in 2021 so the Bill marks a crucial next step towards it gaining formal statutory powers to police digital markets.

David Cran, Chris Ross, Melanie Mugrave and Leonia Chesterfield take a look at the main aspects of the new regime and the DMU's extensive enforcement powers.

In the Autumn 2022 edition of RPC's Retail Compass, Tania Williams wrote about what you need to know to procure AI successfully. Further considerations to bear in mind when making decisions about using AI are also addressed in this article. But having worked through these considerations and having successfully procured the right AI solution, how do you go about managing the risks and challenges that might arise during the deployment of the technology? The first step is to identify those risks and challenges, and then to develop strategies for their mitigation and management.

Risks and challenges in AI technology projects

AI technology projects are similar to other technology projects, in that they are technically challenging, require extensive collaboration between the customer and the provider, and often evolve and change as the project develops. Given the costs involved and the potential impact on core business functions, there are significant risks for all parties concerned. There is also often no guarantee that any project will be successful or achieve all its aims. In addition to these general risks associated with technology projects, there are certain special risks and challenges that might arise during an AI technology project.

The AI workflow

Developing software systems that incorporate AI technologies often requires an 'AI workflow' to be integrated into the project plan. This workflow generally includes (amongst other things) data collection, data preparation, model design, model training, and model evaluation. Because the stages of the AI workflow are relatively unique to AI technology projects, it can be difficult to predict in advance how long each stage will take, what resources will be required at each stage, and when it is appropriate to move on to the next stage. Perhaps more importantly, traditional project management techniques, and software development methods (such as Agile methods), may not be suitable for properly planning and managing AI technology projects and their outcomes.

Specialist AI hardware

AI workloads are often performed using specialist or adapted hardware. Graphical processing units (GPUs) are frequently used for AI workloads, as are application-specific integrated circuits (ASICs) and a range of other devices and architectures designed to support, execute and accelerate AI workloads. The specialist nature of certain AI hardware means that its availability is more susceptible to supply chain issues, which can cause delay and potentially require a change in approach.

The AI's system's use of third-party software

Software licensed by third parties may not be suitable for use in conjunction with an AI solution. For example, such licenses may restrict the number of API calls that can be made or the amount of data that can be used. Both of these may increase substantially following the integration of an automated AI system. In addition, there may be issues over whether software usage by an AI system constitutes a new 'user' for the purpose of the licence.

Data accessibility issues

Many AI technology solutions are predicated on the analysis of a substantial amount of data. That data is often owned, or at least controlled by, the customer. Depending on the customer's systems, practices and data management team, its data can be difficult to access and work effectively with. Moreover, some of the most challenging data accessibility and suitability issues may only arise after the project has already started and substantial preparatory work has been undertaken. This can cause delay and disruption and, depending on the severity of the issues, may require a reconsideration of the project approach and objectives.

Testing and evaluation

Testing is a fundamental part of most technology projects. In very simple terms, the goal of testing is to ensure that the technology is working correctly and is properly integrated with the customer's other systems before it is fully deployed.

AI technologies have their own characteristics which mean that traditional software testing approaches may not be suitable. For example, even if the code is error free, and the system is properly integrated, that does not guarantee that the AI solution is delivering the intended results. Further, AI models often require ongoing monitoring, testing and evaluation, even after they have been deployed, to ensure that they are continuing to perform as intended.

Management and mitigation

The following is a starting point for managing and mitigating the risks discussed above:

• When developing and agreeing the project timetable, be conscious of the AI workflow and what impact this might have, particularly if things do not go as planned.

   

• Build flexibility into the project timetable and agree on processes at the outset that allow the project to evolve as necessary.

   

• The project objectives should be kept under review and, if necessary, changes should be made to ensure that the project remains viable. This is particularly relevant in cases where an AI model is intended to continuously learn and evolve, even after deployment.

   

• Review your own data management practices and make necessary improvements to maximise the quality and accessibility of your data. If data management issues arise during the course of a project, consider engaging external assistance to ensure that the problems can be worked through with limited disruption to the AI technology project.

   

• Ensure that a vigorous testing approach is devised and implemented. Consider what further support, such as Machine Learning Operations (ML Ops) support, may be required after deployment, and whether this will be provided by the same or a different supplier.

   

• Informal dispute resolution processes can provide a means for the parties to resolve issues relating to delay and variations to the project's specifications without having to resort to more formal (and time-consuming) processes.

   

• If the AI solution will be dependent on, or work in conjunction with, software licensed by third parties, consider whether the terms of those licenses permit such use. Parties should also consider whether any other third-party consent is required, and whether any use of data is in accordance with regulatory requirements.

Conclusion

An AI technology project carries with it many of the same risks and challenges as any other technology project. As such, many of the same strategies can be employed to manage and mitigate these risks. These include taking care at the contact formation stage to ensure that risks are properly identified and allocated, that there are appropriate disincentives for delay and non-performance, and that there are robust and practical mechanisms for resolving disputes, should they arise.

However, as set out above, there are also special risks associated with AI technology projects that should be borne in mind. These risks arise in relation to a range of matters, including hardware, project management, licensing, data management and the nature of AI technologies. Ultimately, each project is different, and each will carry its own risks. It is therefore important to take proper advice on these matters, both at the outset of any project, and as matters progress.

The bill contains considerable cross-party support. In Parliament on 5 December 2022, Damian Collins MP praised the work done by MPs in progressing the legislation: 

As Members know, there is a tradition in the United States that when the President signs a new Bill into law, people gather around him in the Oval Office, and multiple pens are used and presented to people who had a part in that Bill being drafted. If we required the King to do something similar with this Bill and gave a pen to every Minister, every Member who had served on a scrutiny Committee and every hon. Member who introduced an amendment that was accepted, we would need a lot of pens and it would take a long time. In some ways, however, that shows the House at its best; the Bill’s introduction has been a highly collaborative process.  

Damian Collins is right that the bill has involved an extraordinary number of amendments, but whether this is a good recipe for well-thought through legislation over something as fundamental as what information is available online is a separate question.  Numerous free speech groups and lawyers have suggested that the legislation, while well intentioned, fails to grapple with the nature of the internet and is either unworkable or may have dramatic consequences for free speech.  

In many ways, this Parliament has saved itself from the difficult questions by kicking the can down the road, requiring Ofcom to produce 'codes of practice' which will fundamentally shape what content can be shown on social media and what people can be shown when they look for content on search engines.  This in itself is problematic.  First, it means that Parliament is introducing legislation without themselves having gone through and debated the implications of what they are mandating at a high level.  Second, is the democratic deficit in expecting an unelected regulator more practiced in dealing with linear broadcasting complaints to draw the boundaries in British society around what information and speech is permitted online and how content is moderated.  So, despite good intentions, the legislation in its current form leaves many open questions and has the potential to lead to unintended and damaging outcomes.  

The systems effect

The OSB has been heralded as a "systems" bill, targeted at regulating the algorithmic processes and technologies used by platforms rather than individual pieces of content.  Damian Collins MP expressed his support for this approach in recent debates, saying "if people posted individually and organically…and that sat on a [social media] channel that hardly anyone saw, the amount of harm done would be very small".

But mandating that algorithmic systems and technologies are implemented across the internet has potentially enormous consequences for niche or smaller user-to-user services.  Take one example: Mastodon, an alternative open-source software that has grown in popularity since Elon Musk's takeover of Twitter.  Mastodon allows users to run self-hosted social networking services and has been heralded as by many well-known celebrities as a safer space and an alternative to larger social media sites.  But what would the effect of the OSB be on this platform?

On Mastodon, each user is a member of a specific Mastodon server (or "Instance") which operates as a federated social network.  Each Instance operates its own content moderation policies, run by unpaid volunteers, summed up in Mastodon's terms and conditions with the statement: "Who owns Mastodon? Everybody!".  The OSB's requirements on platforms to tackle illegal and harmful content (rather than relying on "self-moderating" processes) might make such self-governing communities unworkable, expose volunteers to civil penalties, or in some cases even subject them to criminal investigations.  

This isn't just a Mastodon problem.  Almost every online platform that allows user-to-user engagement or search will be caught by the OSB.  From Wikipedia, to Mumsnet, to Minecraft, to Signal, to Tinder, to your local community forum, every online platform or communication channel around the globe which 'targets the UK' will have to comply with an increasingly onerous array of obligations. 

Criminal liability

Following political pressure from backbenchers, the Government has confirmed it supports an amendment to the OSB to impose criminal liability on senior managers of online platforms who have consented or connived to ignore enforceable requirements of the bill resulting in "risking serious harm to children".  The bill already included a provision to make senior managers liable if they failed to comply with requests to provide information ('information notices') sent by Ofcom. 

Wikipedia has spoken out about the proposal, arguing that the risk of criminal sanctions could impact on what is widely regarded as a public interest resource.  All content on Wikipedia is produced by volunteers, and, similar to Mastodon, the community decides what is acceptable.  Wikimedia Foundation (which hosts the encyclopaedia) does not involve itself in decisions.  The possibility of criminal liability for senior managers would force it to intervene if a volunteer editor kept up an article that could be deemed either illegal or harmful (and accessible) to children under UK law – requiring the platform to make judgment calls about public interest content – including decisions about which encyclopaedia entries should be accessible to under 18s.  

Another proposed amendment to the OSB is to include in the definition of "priority illegal content" – i.e., content which platforms must proactively implement technological processes to remove – any content which could be seen to promote, aid or abet illegal immigration.  So, in 2024, it is feasible that a tweet supporting the plights of small boats arriving on the UK's shores could be deemed as 'priority illegal content' and platforms that fail to stem that content open to sanction.  Search engines could be penalised if they allow UK users to access websites that discuss seeking asylum by illegal means.  And the decision about what is available and what isn't will often be taken by computer algorithms which struggle to understand context, potentially using technology designed by Ofcom or mandated using a technology notice. 

Other unintended consequences are not hard to imagine.  Would algorithms remove all tweets promoting an environmental protest, on the basis that they are procuring a Public Order offence?  Would the UK population be banned from discussing the unofficial '420 Day', where cannabis producers, consumers and advocates around the world celebrate marijuana use?   Would discussion online about the pros and cons of buying shares be removed for potential violation of financial services legislation?  

Quite apart from the potential impact of these amendments on freedom of expression, industry body TechUK has also said expanding criminal liability will be perceived as a "very open-ended risk by investors".  Against this hostile regulatory environment, it is certainly hard to conceive that there won't be a significant impact on the UK technology sector.  Comparatively moderate regulation introduced by the European Union's Digital Service Act last year could mean talent and investment in the sector shifting to Berlin or Lisbon instead.

Journalistic content

The government say that extensive steps have been taken to ensure that journalistic and news publisher content is given special protection within the OSB, including the introduction of a "temporary must carry" provision whereby platforms will need to notify news publishers and offer a right of appeal before removing or moderating journalistic content. 

Despite these good intentions, there are concerns that other provisions in the OSB could pose serious risks of jeopardising journalistic sources and confidential journalistic material without incorporating the protections from s. 10 Contempt of Court Act 1981 and Article 10 ECHR – which ensure that journalists are entitled as a matter of law to protect the identity of their sources save for in limited circumstances. 

A report by Index on Censorship has considered the powers awarded to Ofcom to impose "s. 104 notices" ("s. 110 technology notices" under the amended bill) on operators of private messaging apps and other online services (including those which currently use end-to-end encryption) requiring them to use technology which monitors the private correspondence of UK citizens in order to seek to identify terrorism and child exploitation content.  These notices, which appear to be viewed by the government as a necessary measure to ensure the effective identification and removal of the most harmful material, could require providers to override protections offered by end-to-end encryption.   According to Index on Censorship (supported by a legal opinion from Matthew Ryder KC) the powers envisaged under the bill in essence provide for state-backed surveillance powers which go far beyond those currently available in UK law – this type of surveillance would, for example, only be available under the Investigatory Powers Act in the interests of national security, and even then surveillance would only be available with a warrant from the Secretary of State, who must be satisfied the request is "necessary and proportionate".  Ofcom could therefore be granted a wider remit on mass surveillance powers than GCHQ.  Signal, the platform favoured by investigative journalists and whistleblowers, has spoken out about the bill, stating it would "create an unprecedented regime of mass surveillance that would all but eliminate the ability of people in the UK to communicate with each other outside of government interference."

The unintended consequences here are obvious, with a severely detrimental impact on journalism.  Individuals could be subject to ongoing surveillance ordered by a regulator and operated on an indiscriminate basis via algorithms, with some of that content then being escalated for human review.  This in turn could expose journalistic sources and endanger individuals investigating politically sensitive issues.  Index on Censorship warns that "unless the government reconsiders or parliament pushes back, these powers are set on a collision course with independent media and journalism as well as marginalised groups". 

Given the extremely wide-ranging nature of the bill, important issues like this – deserving of attention due to their potentially enormous impact on journalism, human rights, and data privacy – risk being swept through with little or insufficient Parliamentary debate.  

Next steps 

Despite the obvious enthusiasm in the Commons to enact the legislation with speed, the hope is that the House of Lords or the Government take a more sober approach.  Debate and scrutiny is needed across all aspects of the OSB, which should include further engagement with stakeholders across the industry and proper scrutiny as to the potential impacts of introducing this legislation.  

If the history of this bill is anything to go by, it’s likely that there will be a few more hurdles to overcome in the coming months.    

RPC will continue to track the Online Safety Bill's progress in 2023.  If you have any questions about the legislation, please contact: OSB@rpclegal.com. 

Navigate back to the online safety and regulation hub

For 40 years, SVB (the 16th largest US bank) acted as ally and the go-to bank for the tech industry (and particularly start-ups). As the go-to bank, SVB offered services to high-risk start-ups until 10 March 2023 when it was closed by Californian regulators. SVB did not have the liquidity to fund the deposit withdrawals which were demanded following news of SVB's share price decline (on 9 March alone, withdrawal requests amounted to $42bn) and therefore became the second biggest bank failure in US history (since Washington Mutual in 2008). HSBC subsequently acquired SVB's UK business for £1.

Shortly after, on 12 March 2023, Signature Bank (Signature) (a leader in cryptocurrency lending) became the third biggest bank failure in US history after customers again withdrew their deposits following a share price decline and concerns that Signature could follow in SVB's footsteps.

The Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve stepped in to ensure that all SVB and Signature depositors would have access to and be able to recover their deposits.

It is not only the US' financial system which is threatened, however. Credit Suisse (one of the largest European lenders) has also received a lifeline of $54bn from the Swiss central bank and has now been acquired by competitor UBS for £2.5bn. The issues leading to its demise are not actually linked with those of SVB or Signature. However, concern for the banking sector remains. 

What is the impact? 

The immediate aftermath of the global banking turmoil is already being felt across the financial markets with: (i) unpredictable share prices, (ii) further banks (such as US First Republic Bank) requiring rescuing by authorities and major financial institutions, and (iii) billions of dollars' worth of investor cash being moved from bank accounts to US money market funds which are backed by US government securities (inflows reached the highest amount since June 2020). 

Although the long-term impacts are yet to be seen, there is always a risk of the FDIC bringing claims against former directors and officers (D&Os) or shareholders of publicly traded banks bringing securities class action claims. The latter is already happening. Whilst customers are being provided with comfort that their deposits will be protected, the same cannot be said for shareholders whose investments remain at risk. Securities actions have therefore already been issued against each of SVB, Signature and Credit Suisse and their Executives. These actions were all issued by The Rosen Law Firm and are no doubt the first of many. 

Whilst banks are typically resilient, mass withdrawals will always threaten their survival and there are still vulnerabilities within the market (such as rising interest rates, inflation, and issues within the crypto industry) which could lead to other institutions suffering with similar issues. Herein lies the risk of further banks suffering the same fate if investor concern remains and trust is not regained. There is a lot of capacity for change, but it will be months before we see exactly what is going to happen.

Amongst other signs of potential trouble ahead, we expect FI/D&O insurers will be closely following the cost of insuring against bond defaults for their financial institution clients.

Considerations for FI/D&O insurers 

 Had the FDIC and Federal Reserve not intervened to protect deposits in SVB and Signature, business operations would have been severely disrupted, with the knock-on effect of some businesses unable to make payroll and others potentially even going into insolvency. This action has therefore provided some reprieve to insurers from the perspective of a number of claims which would otherwise likely have been issued. Nonetheless, D&O insurers need to remain wary of the potential implications of the global banking turmoil and, in particular, the potential long-term effects of the same.

The "banking crisis" will undoubtedly impact financial lines cover. FI/D&O insurers will no doubt be reviewing their policies currently in place to understand the extent of cover provided and aggregate exposure in the event of further escalation of the banking crisis. FI/D&O insurers should also carefully consider their portfolio of clients in order to determine whether it comprises other financial institutions which could suffer the same fate as SVB, Signature and Credit Suisse. In addition, FI/D&O insurers should be alive to the prospect that some of their large banking clients may well be involved in future bank bailouts should other banks require saving. This may have the effect of materially impacting the bank's risk profile.

All this would suggest enhanced due diligence and scrutiny by insurers of the liquidity and financial status of their financial institution clients (including the extent to which they could cope with mass withdrawal demands), tech companies and start-ups.  Whether this will lead to increasing insurance premiums and/or retentions and/or policy wording amendments remains to be seen as the full impact of the current banking crisis plays out. 

 The European Commission adopted the proposal for a Regulation to lay down harmonised rules on artificial intelligence (AI Act) in April 2021. The proposal aims to provide AI developers, deployers and users with clear requirements and obligations regarding specific uses of AI, robotics and related technologies. 

In December 2022, the EU reached agreement on a draft version of the AI Act which will now be debated and discussed by EU governments, the Commission and European Parliament, following agreement by the European Parliament of its common position. However there have been disagreements between key political groups, in particular as to how the law classifies AI systems as 'high risk'—many groups are keen to ensure that only truly high risk cases are included in the list of high risk scenarios (contained in Annex III of the draft text). They are also seeking contractual freedom to allocate responsibility to various operators along the value chain and no overlap or competing obligations with existing legislation. The result of these disagreements is that the full parliamentary vote is now likely to be delayed until April 2023 at the earliest.

The current draft text seeks to distinguish AI from simpler software systems by defining AI as systems developed through machine learning approaches and logic and knowledge-based approaches. It looks to prohibit certain AI practices (such as use of AI for social scoring) and will create obligations and duties for those operating 'high risk' applications. 

The proposed rules will also deal with enforcement after AI systems are placed on the market and provide a governance structure at European and national level. Once an AI system is on the market, designated authorities will provide market surveillance while providers will be subject to a post-market monitoring system and will have to report serious incidents and malfunctioning.

Notably, the EU has also proposed a new AI Liability Directive that will potentially make it easier for those who suffer harm caused by an output or failure of an AI system to claim damages by introducing in certain circumstances (1) a rebuttable presumption that fault on the part of the AI provider or user led to the harm; and (2) a right to disclosure of evidence relating to the AI system. 

The US—a voluntary set of AI standards

 There is currently no comprehensive federal legislation regulating AI systems in the US. If passed, a proposed US Algorithmic Accountability Act would oblige large companies to undertake impact assessment and to demonstrate responsible development and deployment of AI.  Until then, the regulatory framework is wholly voluntary. 

On 26 January 2023, although not a regulator, the US National Institute of Standards and Technology (NIST) released version 1.0 of its AI Risk Management Framework, a voluntary set of standards intended to address risks in the design and use of AI products, services, and systems.

The TTC Joint Roadmap for Trustworthy AI and Risk Management was published in December 2022 'to guide the development of tools, methodologies, and approaches to AI risk management and trustworthy AI by the EU and the United States in order to advance a shared interest in supporting international standardisation efforts and promoting trustworthy AI on the basis of a shared dedication to democratic values and human rights. The roadmap aims to take practical steps to advance trustworthy AI and uphold a shared commitment to the Organisation for Economic Co-operation and Development Recommendation on AI'.

Regulating AI in the UK 

 The UK is currently far from adopting a singular regulatory framework for AI. In a White Paper published on 29 March 2023, the government confirmed that there won't be a single piece of legislation governing the use of AI, nor a single specialist regulator. Instead, each sector regulator will be responsible for ensuring potential harm from AI is properly addressed.  

The White Paper established a "new national blueprint" for regulators to take into account in order to drive "responsible innovation".  This blueprint sets out five principles that will guide the use of AI in the UK (safety/security, transparency, fairness, accountability and contestability.  By applying these broad principles to each sector, the government aims to create an adaptable and context-driven framework of regulation.  A new consultation on the proposals is open until 21 June, which will inform how the framework is developed in the months ahead.

One challenge identified is the lack of a standard international definition of AI with doubt expressed that there will be a unifying definition. The White Paper has therefore highlighted that AI will be defined by reference to the functional capabilities or characteristics or adaptivity and autonomy, rather than adopting any rigid legal definition. 

The reality for UK businesses using AI is that the UK's less centralised approach will mean that they will need to deal with multiple regulators including: Ofcom, the Competition and Markets Authority, the Information Commissioner’s Office, the Financial Conduct Authority and the Medicine and Healthcare Products Regulatory Agency.  The Data Protection and Digital Information Bill also includes measures on AI. The reasoning behind this approach is that the sector specific regulators understand the context of how AI is being deployed within their own sectors and the kinds of harms that can occur. In addition to that, they also have the best understanding of the existing rules and requirements that are in place, and therefore what may need to be built on or where future regulation may be needed. 

However, the White Paper recognises while there is a tremendous amount of guidance, regulation and standards out there (some of which is overlapping), there are also gaps. These overlapping areas and gaps suggest a need for a mapping exercise and an allocated central body to help oversee it, such as the Office for AI, who is able to convene the right regulators together to look at how they plug those gaps in a coherent and co-ordinated way. 

In the meantime, the interactive online platform—the AI standards hub (also launched in October 2022) aims to help UK organisations to navigate the evolving landscape of AI standardisation and related policy developments as well as funnel the UK’s contribution to the development of international standards for AI. 

The White Paper also recognises the need for the UK to work closely with international partners when developing its AI regulatory framework.  The UK may well look to other international initiatives such as Singapore's 'AI Verify' (an AI governance testing framework and toolkit that will allow industry, through a series of technical tests and process checks, to demonstrate their deployment of responsible AI directly to Government) or Canada's Algorithm Impact Assessment (a mandatory AI impact assessment for public bodies deploying AI) when finalising its approach to AI regulation. 

Conclusion

A significant number of tech companies and other businesses will be looking to use AI technologies and many of these companies will be contracting with overseas businesses. Managing regulatory risk will be challenging with a lack of alignment between regimes. It will therefore fall to the individual parties to the project to develop practices that enable them to comply with the relevant national frameworks. 

For a number of years, the UK Government has been laying the groundwork to bring in a digital markets regime to regulate digital firms designated as having ‘strategic market status’ (SMS). To be designated as having SMS, a firm must have 'substantial and entrenched market power' in at least one activity. Companies having SMS are likely to include the largest tech firms such as Amazon, Apple, Google, Microsoft and Meta (the so called 'GAMMA' firms). 

Building on the recommendations set out in the Furman report, these reforms establish a new digital markets regulator, the Digital Markets Unit (DMU) within the CMA, able to designate firms as having SMS and require adherence to codes of conduct. The DMU will also have the power to implement pro-competitive interventions (PCIs). See our earlier post on the new regime for digital markets.

The proposed consequences of non-compliance are significant. Where there are failures to comply with a code of conduct or PCI orders, it is proposed that the DMU will have the power to impose fines up to a maximum 10% of a firm’s global turnover for the most serious offences, with further daily penalties of up to 5% of daily worldwide turnover for continued breaches. Fines of 1% of global turnover may be imposed for information offences supported by further daily penalties of 5% of worldwide turnover for continued non-compliance.

Operating in the shadows

The DMU has been a long time coming and has already been operating in shadow form since 2021, undertaking preparatory work, gathering evidence and engaging with stakeholders across industry and government.  The shadow form DMU will also have had the benefit of the in-house expertise from within the CMA, including through its existing Data Technology and Analytics (DaTA) unit.   

However, the DMU still requires legislation to enable it to be fully operational and gain its formal statutory footing.  After various delays, momentum to finalise the legislative underpinning of the DMU is now underway. In May 2022, the Queen’s Speech announced a Draft Digital Markets, Competition and Consumer Bill to provide new powers to the DMU, promote competition, strengthen consumer rights and create new competition rules for digital markets and the largest tech firms in the UK. Following this, a report was published in late October 2022, by the Business, Energy and Industrial Strategy Committee which urged the Government to publish the draft Digital Markets, Competition and Consumer Bill ‘without delay’.  Our earlier post looks at the wider competition and consumer regime reforms included in that Bill. 

DMU coming into force - autumn 2023?

Chancellor Jeremy Hunt's announcement in the 2022 Autumn Statement referred to the Government’s intention to advance the progress of the Digital Markets, Competition and Consumer Bill to "foster more competitive digital markets; make changes to the competition framework that will include streamlined decision making and updating merger and fine thresholds; and protect consumers in fast-moving markets by tackling ‘subscription traps’ and fake reviews online.”  

The Government is aiming to publish the bill for legislative passage in the current Parliamentary session before introducing the bill in the session starting in May 2023.  It is expected that the DMU may come into being by October 2023. It has been reported there will be a DMU hub in Manchester as part of the CMA's wider presence there. 

A new European Centre for Algorithmic Transparency 

There are further institutional changes at EU level too. The EU's Digital Services Act (DSA), along with the Digital Markets Act (DMA), is part of the package of European legislation to regulate digital markets (see our post here in relation to the status of their implementation). The main aim of the DSA is to implement a new framework of obligations applying to all digital services to keep users safe from illegal goods, content or services, and to protect their fundamental rights online (see our previous post on the DSA). 

The DSA is now in force with implementing regulation firmly on its agenda. In further developments, last week, the Commission announced it is launching a new European Centre for Algorithmic Transparency, intended to provide support to the Commission as it enforces the risk management obligations under the DSA. The centre will be based mainly in Seville and is expected to be fully operational in the first quarter of 2023. The new body will support the enforcement of the new DSA rules and is reportedly in the process of recruiting.

Different UK/EU approaches

As the Digital Markets, Competition and Consumer Bill makes its way through Parliament, there are likely to be further changes to the final legislation.  However, as it stands, the UK approach to regulating digital markets is likely to be markedly different to the EU's regime.  The proposed UK regime is lighter on the detail as to what would be prohibited conduct. It is arguably more flexible in its approach and may allow for a more nuanced enforcement regime than as laid down in the EU regime which is far more prescriptive.  

With significant institutional changes on the horizon at both UK and EU level affecting the regulatory and enforcement landscape for digital markets, 2023 certainly looks to be a significant year in terms of reforms affecting the tech sector. 

Under the provisions of the DMA, published in the EU's Official Journal on 12 October 2022, 'gatekeeper' platforms will be more restricted in the practices they can use in relation to their core platform services directed towards business users and customers.

The stated intention is that this will provide innovators and tech start-ups with new opportunities to compete and innovate in the online platform environment. 

The DMA codifies many elements of prior competition enforcement cases taken by the Commission — whether this will support the digital technology sector in Europe or, in fast-moving and dynamic digital markets, end up adversely affecting innovation incentives remains to be seen.

The Background

To keep pace with rapid changes to digital technologies, services and systems, the European Commission presented a digital services package comprising the Digital Services Act (DSA) and the DMA in December 2020. For further discussion of the DSA see our earlier post here.

In early 2022, the Council and the European Parliament reached provisional agreement on the DMA, which was subsequently endorsed by EU Member States’ representatives. On 18 July 2022, the European Council formally adopted the DMA.

Having been published in the Official Journal of the European Union on 12 October 2022, the DMA will enter into force in the spring of 2023 and the Commission is gearing up for enforcement as soon as the first notifications come in.

The development — a summary of DMA obligations on gatekeepers 

This landmark legislation brings in a new regulatory 'ex-ante' regime for digital markets (rather than relying on existing ex-post enforcement tools). It comes at a time when multiple countries are looking at how best to address the regulation of digital markets.

The DMA applies to core platform services provided or offered by 'gatekeepers' to business and end-users established or located in the EU, irrespective of their place of establishment or residence and irrespective of any national law otherwise applicable to their service. It aims to ban certain practices used by online platforms which act as digital 'gatekeepers' to the single market, by imposing various obligations on them.

The DSA concepts of 'online platforms' and 'very large online platforms' are not used. Instead, to qualify as a 'gatekeeper' under the DMA an online platform must:

a) have a significant impact on the internal market — i.e. it achieves an annual turnover in the EU of or greater than EUR 7.5 billion in each of the last three financial years, or its average market capitalisation or equivalent fair market value amounted to at least EUR 75 billion in the last financial year, and it provides the same core platform service in at least three EU Member States; 

b) provide a 'core platform service' which acts an important gateway for business users to reach customers and other end users — i.e. in the last financial year has at least 45 million monthly active end users and at least 10,000 yearly active business users established or located in the EU; and 

c) currently enjoy an entrenched and durable position or will do in the near future—this criterion is met if the user thresholds in b) above are met in each of the last three financial years.

Core platform services include: online platform-type services, search engines, social networking services, video-sharing platform services, number-independent interpersonal communications (NI-IC) services (instant voice, text, image and file messaging), operating systems such as MS Windows, web browsers, virtual assistants, cloud computing services like Google Cloud or Microsoft Azure and online advertising services. This list may expand or change over time. 

Gatekeepers satisfying these requirements need to notify the Commission within 2 months after the above thresholds are met. The Commission will then designate them as a gatekeeper within 45 days of receiving this information. 

Once designated, a gatekeeper needs to comply with certain obligations in respect of each of its core platform services. Obligations are either immediately and strictly applicable (under Article 5) or are susceptible to further specification (Article 6 and 7 obligations) by the Commission. The Commission will deal with further specification by opening proceedings and declaring measures which must be implemented within 6 months to ensure effective compliance. The gatekeeper can also request a determination of whether measures it intends to implement will ensure compliance with Articles 6 and 7.   

Obligations for gatekeepers are split into activities they can and can't engage in. 

They must not:

Use of data

• cross-use or combine personal data obtained from their core platform service or from third parties who advertise on their service with data obtained from another of their services, without permission 
• use, in competition with business users, data provided by those users as a result of them using the core platform services

Self-preferencing

• prevent business users from offering, at the same or different prices or conditions, the same products or services to end users through direct or third party online sales channels 
• make access to core platform services conditional on each other
• more favourably rank their own products and services in search results 
• require end users to use the gatekeeper's operating systems such as payment systems for in-app purchases or other features, for services that business users provide using the gatekeeper’s core platform services 

Switching, leaving and complaining

• restrict the ability of end users to switch between different apps and services, including Internet access services  
• operate under Ts&Cs that make it difficult for users to leave their platform or service 
• prevent business or end users from raising the non-compliance of the gatekeeper with the appropriate authority 

They are under an obligation to:

Interoperability

• over a period of time provide the necessary technical interfaces to make their NI-IC services such as instant voice, video, text and image messaging and file sharing interoperable with third party NI-IC services, while preserving security such as end-to-end encryption where appropriate 

Data access

• provide end users with real time access to and effective portability of data provided by the end user or generated through the activity of the end user
• grant business users real time access to data generated by them and by end users from their use of the core platform service, and provide third party search engines access to ranking, query, click and view data

Advertising

• be transparent with the advertisers and publishers that they supply with online advertising services about the price and fees paid by advertisers, publisher remuneration and the metrics on which prices, fees and remuneration are calculated. They must also provide them with access to the gatekeeper's performance measuring tools and data to enable them to assess and verify the gatekeeper's performance in relation to the core platform services provided

Apps and app stores

• offer business users fair access to the gatekeeper's app stores, online search engines and social networks
• allow end users to easily un-install pre-loaded software apps and change default settings that direct or steer end users to products or services provided by the gatekeeper
• enable the installation and use of third party software apps or software app stores interoperable with the gatekeeper's operating system and allow them to be set as the default

Enforcement lies with the Commission rather than national authorities. Where it meets the relevant gatekeeper thresholds, if a gatekeeper fails to notify the Commission in accordance with DMA requirements it can be fined 1% of its total (preceding year) worldwide turnover. If a gatekeeper does not comply with its key obligations or measures ordered by the Commission, the Commission can impose fines of up to 10% of its total worldwide turnover in the preceding financial year, or up to 20% in cases of repeated non-compliance. In cases of 'systematic non-compliance' with gatekeeper obligations, the Commission may impose behavioural or structural remedies on the gatekeeper to ensure compliance. 

The DMA stipulates that it protects different legal interests to those protected by competition law.  It is to be applied in a complementary way and without prejudice to Articles 101 and 102 TFEU, corresponding or other national competition rules. This means that national authorities are not permitted to make decisions that run counter to Commission decisions made under the DMA. When it comes to enforcement, the Commission expects close cooperation and coordination with Member States.

The right of business users and end users, including whistleblowers, to raise concerns about unfair practices by gatekeepers such as 'discriminatory access conditions, unjustified closing of business user accounts or unclear grounds for product de-listings' is provided for in the DMA. Gatekeepers may not prevent or restrict business users or end users from raising any issue of non-compliance with any relevant public authority, including national courts. Consequently, any practice that would inhibit or hinder users in raising their concerns, e.g. use of confidentiality clauses in agreements or other written terms, is prohibited.

As the DMA is an EU regulation, gatekeeper obligations can be enforced directly in national courts. This will facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers.

Next steps

As an EU regulation, the DMA is directly applicable across the EU without the need for any further legislation. After being published in the Official Journal of the EU, the DMA will enter into force twenty days after publication; it will start to apply six months later. Gatekeepers will have a maximum of six months after they have been designated to comply with their new obligations.

Any practical tips

Preparation will be key for all affected by the DMA.  Consumers, businesses and platforms looking to capitalise on the changes involving increased choice and interoperability may look to create new business models. 

Gatekeepers that operate in the EU will have much to prepare for which will require careful review of the detail of the DMA's articles and cooperation with the Commission. The obligations may be subject to various interpretations, therefore further implementing acts and guidance will be key in aiding platforms to navigate the DMA and comply with other potentially applicable legislation such as the DSA. Gatekeepers are also expected to ensure that measures they adopt to comply with their obligations comply with the EU GDPR, the EU ePrivacy Directive, legislation on cyber security, consumer protection, product safety, as well as with accessibility requirements and EU and national competition regimes. 

What's on the horizon

How new practices evolve in digital markets following the DMA's implementation will also continue to be watched carefully from a competition enforcement perspective. While there is a significant emphasis on the new ex-ante regime under the DMA, existing competition enforcement remains important. Competition enforcement tools are likely to continue to be deployed in digital markets, albeit possibly with newer theories of harm than those previously seen in the Commission's prior enforcement cases.  

Other jurisdictions may look to mirror certain aspects of the DMA regime which may be seen as a 'blueprint' in some respects.  The US is also considering legislation to address concerns in digital markets and the UK's Digital Markets Unit (currently within the CMA only in 'shadow' form) still awaits its formal statutory powers.  

Some jurisdictions may instead favour a much lighter touch regulatory regime—there have been recent suggestions that the UK's digital regulation may move towards being more 'pro-innovation'.  Given that it is not constrained by the DMA's framework (which envisages the Commission as sole enforcer and not the national competition authorities), post-Brexit the UK may choose to forge a different path in its approach to promoting the tech sector and addressing any issues in digital markets. 

With varying policy approaches in the offing, whether the suggested 'fluid' sharing of information between enforcement authorities would in reality lead to a trend of further global and cooperative enforcement (as suggested by Olivier Guersent in a speech given on 10 October 2022) is questionable.

All in all, and notwithstanding the greater coordination between regulators that has been seen recently, tech companies may face very different regulatory regimes in different countries for what are often global business models.

1. Victims of cyber crimes statistically prefer to report incidents online, rather than reporting via a more 'traditional' method such as attending a police station. As it is important to act fast with internet crimes, it is advisable that victims send all relevant information in their knowledge to the Police so that they can act quickly to attempt the interception of suspicious transactions and bank accounts.
   
   
2. The reporting system now allows victims to provide the Police with more information including: specific details regarding the amount of money and bank account details involved; links to suspicious websites; up to 30 file attachments such as screenshots of conversations on instant messaging platforms; and information on the suspected criminals such as aliases, contact details, social media accounts and bank accounts.
   
   
3. As the Police have found that the majority of internet scams can be related in 'clusters', the system intends to allow the Police to connect crimes which are linked in some way (such as having the same source or 'money mules') and to refer those crimes to the same unit for investigation. This is hopefully facilitated by the enhanced system which captures more and more detailed information on e-crime, which will be assigned to an investigating team as soon as possible. 

The e-Hub will work alongside the existing Anti-Deception Coordination Centre, to identify trends and persistent bad actors. The upgraded e-reporting system and e-Hub are part of the Hong Kong Police Force's renewed commitment to stamp out technology crimes.
 
We regularly advise clients on cyber crimes and frauds, as well as asset recovery. For further information on this topic, please contact Jonathan Crompton at RPC by telephone (+852 2216 7000) or email (jonathan.crompton@rpclegal.com).

The EU's DSA is, along with the Digital Markets Act (DMA), part of a package of European legislation proposed in late 2020 to regulate digital markets. The main aim of the DSA is to implement a new framework of obligations applying to all digital services (e.g. those offered by internet service providers, cloud services, messaging, marketplaces, social networks, content-sharing platforms, app stores and online marketplaces) to keep users safe from illegal goods, content or services, and to protect their fundamental rights online. The DMA targets certain behaviours of platforms acting as 'digital gatekeepers' to the single market.

While the DSA is European legislation it applies to all providers of intermediary services irrespective of their place of establishment or location, in so far as they offer services to (or target their activity towards) a significant number of recipients in the EU. The DSA therefore has relevance to UK based providers that offer services in the EU.

In a previous post we discussed how the European Parliament’s proposed amendments to the DSA in January 2022 might affect consumers. These amendments have now been incorporated into the text of the DSA adopted by the European Parliament. Below we highlight some of the other key changes to the DSA since the European Commission's original proposal:

• Voluntary own-initiative investigations—under the DSA, to be eligible for the conduit, caching and hosting exemptions from liability, providers of intermediary services must carry out voluntary own-initiative investigations or other activities aimed at detecting, identifying and removing, or disabling access to, illegal content or take action to comply with their national laws, including the DSA. The final text of the DSA adds a condition that these own-initiative investigations and other activities must be carried out 'in good faith and in a diligent manner'. According to the recitals to the DSA, acting in 'good faith and in a diligent manner' includes providing necessary safeguards against unjustified removal of legal content – e.g. by taking reasonable measures to ensure that where automated tools are used to conduct such activities, the technology is sufficiently reliable to limit the rate of errors to the 'maximum extent possible'. 

• Hosting—under the DSA, to benefit from the hosting exemption, an online platform must make it clear to consumers that they are dealing with a third party, rather than the platform itself. An addition to the text of the DSA means that a platform could now lose the benefit of the hosting exemption if it: (1) fails to clearly display the trader's identity as required under the DSA; (2) withholds the trader's identity or contact details until after contract conclusion; or (3) markets the product in its own name (rather than the name of the third party trader supplying it).
  
  
• User friendly and electronic single point of contact—the final text of the DSA includes a new requirement for providers of intermediary services to designate a single point of contact enabling the recipient of the service to communicate directly and rapidly with them, by electronic means and in a user-friendly manner. Recipients of the service should be able to choose the means of communication, which must not solely rely on automated tools.
  
  
• Terms and conditions—the DSA sets out specific requirements relating to the content and accessibility of terms and conditions (T&Cs). The final text of the DSA includes additional requirements for providers to: (1) tell service recipients about their internal complaint handling systems and any significant changes to their T&Cs; and (2) where services are used by minors, to explain their T&Cs in a way that minors can understand. Providers designated as 'very large online platforms' or 'very large search engines' must also provide T&Cs in a machine-readable format and in the official languages of all Member States in which they offer their services.
  
  
• Advertising on online platforms—the final text of the DSA broadens the transparency obligations for online platforms that present advertising on their online interfaces. Such platforms are now required to use prominent markings to identify adverts and provide users with information on how any parameters used to select them as an audience for the advert can be changed. Advertising based on profiling using special categories of sensitive personal data is also now expressly prohibited.
  
  
• Right to information—a new provision in the DSA now requires online platforms to notify consumers if they become aware that the platform has been used to sell an illegal product or service to consumers.

Next steps

Once formally adopted by the Council (expected in September 2022), the DSA will be published in the EU Official Journal and will enter into force twenty days after publication. The DSA will become directly applicable across the EU fifteen months thereafter, or from 1 January 2024 (whichever is later). Platforms designated as 'very large online platforms' or 'very large online search engines', may be impacted sooner – for these platforms, the DSA will apply four months after they have been designated as such by the European Commission.

Practical tips

With the DSA due to take effect in early 2024, businesses that haven't already started preparing for this should do so now. This is particularly important as complying with the DSA may require significant changes to current business practices that will require time to plan and roll out.   Depending on the specific scope of changes required, businesses may need to take on additional resource to implement any required changes and seek legal advice to ensure compliance with the requirements of the DSA – e.g. requirements relating to their T&Cs, information gathering and reporting, display/provision of information under transparency obligations, and notice and action/take down processes. 

Businesses that do not comply with the requirements of the DSA risk enforcement action by new Digital Services Coordinators which will have enforcement powers in each Member State including the power to impose penalties, such as fines. Very large online platforms and very large online search engines that infringe the DSA may also be fined by the European Commission up to 6 % of their total worldwide annual turnover. 

LeakBot, an internet of things (IoT) insurtech, has announced plans to go public on the Main Market of the London Stock Exchange via a 'SPAC' (special purpose acquisition company) deal. Following a reverse takeover by SPAC, Spinnaker Acquisitions Plc, the new company will be renamed Ondo Insurtech Plc. 

LeakBot uses its patented Thermi-Q technology to detect water leaks in buildings and alert building owners. It offers an end-to-end solution via its consumer detection device and app, insurer dashboard and 'Find & Fix' field-service, with the overall aim of reducing water waste and insurance costs. 

The company has existing partnerships with nine insurers (including Hiscox and Direct Line) across the US, UK and Scandinavia. If the deal completes, it says it will use the new funding "to finance the roll out and adoption of LeakBot in our target markets where there are some 97 million addressable homes".

The deal will be one of the first SPACs in London since changes to the Listing Rules for SPACs introduced in July 2021, following recommendations from Lord Hill's UK Listing Review report published in March. The changes to the Listing Rules were designed to promote London as an attractive venue for SPAC deals and listings (following a boom in SPAC deals in the US) whilst maintaining strong investor protections.

It is expected the deal will complete later this year following the publication of a prospectus and satisfaction of other conditions.

Ryanair launches partnership with Cover Genius

Europe's largest airline, Ryanair, has entered into a strategic partnership with embedded insurance technology company Cover Genius.

Cover Genius' distribution platform, XCover, will be integrated into Ryanair's booking process, enabling customers to purchase travel protection products and packages conveniently. Ryanair says the products will be tailored to suit each customer's itinerary.

The partnership follows a recent survey by Momentive.ai, which found 42% of travellers would prefer to purchase embedded travel protection directly from travel providers and agents.

Cover Genius offers companies claim settlement technology and analytics, alongside its distribution platforms. It has partnered with a number of household names (including Booking.Com and eBay) and recently raised a US$70million Series C funding round.

Bright Health raises US$750million from Cigna Ventures

US-based health insurtech, Bright Health, has announced it has raised $750million in new funding from Cigna Ventures, the venture arm of insurer Cigna. 

The Bright Health Group sells health insurance coverage and Medicare Advantage plans, and runs clinics in the US, using technology to improve the customer and patient experience. 

Bright Health says it will use the funding for continued growth, following its IPO in June 2021.

AgentSync hits unicorn status

In more funding news, Agentsync has raised a US$75million Series B round and achieved unicorn status (with a reported valuation of $1.2 billion). The round was led by Valor Equity Partners.

AgentSync was founded in just 2018 and has grown significantly (having raised US$4million in seed funding in August 2020). The company offers 'Compliance-as-a-Service' solutions. Its technology directly integrates regulatory database information with core business systems in order to automate critical business processes associated with compliance requirements in the US. 

Insurtech funding levels remained high in 2021. Other funding deals announced in the final quarter of 2021 include: US$255 million by Indian insurtech Acko, US$100million Series A by US-based Slide, a $25 million Series A funding by wildfire risk insurtech Kettle, US$25million by Indonesian insurtech Fuse, and a £12.25m raise by UK SaaS insurtech Genasys.

Lloyd's underwriters launch new 'Product Launchpad'

Lloyds of London underwriters have (re)launched the Lloyds Product Launchpad (formerly the Product Innovation Facility) – a collaborative initiative which is designed to speed up (re)insurance product development.

The programme makes available over £100million of capacity and aims to provide a “safe space” for underwriters to experiment with new ideas and non-traditional risks (such as intangible assets and emerging technologies).

Under previous iterations of the programme, the Launchpad launched two innovative products - a parametric profit protection policy for the hotel industry and Coincover, a dynamic protection product for losses arising from theft of cryptocurrencies held in online wallets.
 

Lemonade To Acquire Auto Insurer Metromile

Earlier this month, digital insurer Lemonade entered into a definitive agreement with pay-per-mile auto insurance start-up, Metromile, pursuant to which Lemonade will acquire Metromile in an all-stock transaction that implies a fully diluted equity value of approximately $500 million, or just over $200 million net of cash. Under the terms of the transaction, Metromile shareholders will receive Lemonade common shares at a ratio of 19:1.

Metromile has 49 state licenses, over $100 million of in-force premium and more than $250 million of cash on its balance sheet. It also has significant expertise using big data and artificial intelligence for car insurance. This is particularly relevant given Lemonade's recent launch of its 'Lemonade Car' product see story above. 

Concirrus acquires Spark Insights

Insurtech Concirrus has completed its acquisition of Spark Insights, a provider of decision analytics to the insurance market, for an undisclosed sum.

The announcements states that the acquisition brings together two companies with a shared vision of using AI, machine learning and data analytics for better risk selection, more efficient claims processes, and insurance product innovation

Concirrus supports the commercial insurance market by accelerating their transition to new digital operating models. In particular, Concirrus's big data and machine learning platform, Quest, accesses and interprets wide-ranging datasets, combining them with historical claims information to reveal the behaviours that correlate to claims.  

Spark Insights seeks to deliver predictive analytics to the insurance industry using innovative AI, machine learning and computer vision combined with satellite-based remote sensing and global earth observations.

Andrew Yeoman, CEO of Concirrus stated “The synergies with Spark Insights made this a compelling opportunity – both parties gain product distribution capacity and adding property and catastrophe response is a natural extension to our current markets.”

 Aquiline takes stake in insurtech Ripe

Ripe Thinking Limited (Ripe), a UK-based digital underwriting and insurance distribution platform, announced that it has entered into a definitive agreement for Aquiline Capital Partners LLC (Aquiline) to acquire a majority stake in the company.

Aquiline is a private investment firm with $6.9 billion in assets under management, specialising in investments at the intersection of technology and finance.

Ripe was founded in 1997 and is a leading insurtech business with more than 280,000 policyholders, protecting their specialised needs across golf, boats, caravans, and cycles, as well as providing insurance to small business owners such as personal trainers, musicians, and photographers.

Following this investment, Aquiline will work closely with the company’s management team to continue and accelerate the build of a market-leading digital insurance distribution platform.

Insurtech investments soars to record-breaking $10bn

Capital invested in insurance technology start-ups surpassed the US$10 billion mark for the first time in any one year on record according to the Willis Towers Watson's Quarterly InsurTech Briefing. 

The record-breaking $10.5bn was raised during the first three quarters of the year. Still with three months left to go, 2021 is now only $12 million short of the entirety of what was invested into InsurTechs globally in 2018 and 2019 combined. 

The total deal count was 421 which is also an annual record according to the same briefing. The latest quarter saw 113 deals yield more than $3.1 billion in investment, a 23% increase over Q3, 2020. It was the second-largest funding quarter on record.

These record-breaking statistics reflect the continued interest of venture capitalists in this space and a continued focus by businesses on the future of insurance. 

Tesla launches innovative vehicle insurance in Texas 

Tesla, the $700 billion electric vehicle company led by Elon Musk, has expanded its car insurance offering to Texas. The company already offers insurance to Tesla drivers in California, which it claims is up to 30% cheaper than non-Tesla insurance.

However, the Texan insurance is not focused on traditional policy metrics; such as credit, age, claims history or driving records. Rather, insurance premiums are calculated based on the driver's real-time driving behaviour. Drivers have "safety scores" informed by factors such as the number of collision warnings, braking too hard and turning corners aggressively. Scores can go up and down, meaning that monthly insurance premiums can also go up and down. 

Safety scores and the real-time insurance model are beta offerings. However, Tesla says it aims to expand the product to California and “most of the US” next year, provided it can obtain regulatory permissions. The company recently 'tweeted' that 'the regulatory process…is extremely slow & complex, varying considerably by state'. 

Tesla does not underwrite the insurance itself. Redpoint County Mutual Insurance Co. underwrites the Tesla insurance in Texas, which is distributed through Tesla Insurance Services of Texas Inc. (Tesla), an MGA formerly known as Samson General Agency.  

 Devoted Health exceeds $12 billion valuation

Devoted Health has raised an enormous $1.15 billion Series D round. The deal reportedly values the company at over $12.6 billion. 

Devoted Health is a tech-enabled health start-up with a mission, "to dramatically improve the health and wellbeing of older Americans". It offers 'Medicare Advantage' insurance plans and complementary services to its members (like its in-house virtual and at-home care provider), all powered by its proprietary software platform. It currently operates in Florida, Texas, Ohio and Arizona.

The company says it will use the proceeds of the funding to significantly accelerate its nationwide expansion. Such expansion could be fuelled by the lowering of the Medicare eligibility age, which is currently under debate between US legislators.

Investors in the round included well-known names such as SoftBank Vision Fund 2, Andreessen Horowitz and the Singaporean sovereign wealth fund, GIC. Commentators expect Devoted Health will eventually go public, following the IPOs of health insurtechs Clover Health, Oscar Health and Bright Health earlier this year.

Digital life insurer Ladder raises $100 million 

Ladder, a US-based digital life insurance company, has raised $100 million in its Series D funding round. Thomvest Ventures and OMERS Growth Equity co-led the round, which values the company at an impressive $900 million.  

The company uses all-digital architecture and real-time underwriting and claims to be the first 'fully digital' life insurer in the US. It provides flexible term life insurance coverage of between $100,000 to $8 million for people aged 20–60 in the US. Interestingly, Ladder targets a younger demographic needing life insurance but who, it argues, have been put off by the time-consuming process. Ladder says its process can take just five minutes.

Established in just 2017, the company raised $40 million in Series B funding in 2018 from the venture arms of major insurance companies like Allianz Life and Northwestern Mutual. It plans to issue $30 billion in 'LadderLife' coverage by year-end.

bolttech extends its record Series A 

bolttech, one of the fastest growing insurtech unicorns in the world, has announced an extension of its $180 million Series A funding round to a total of $210 million. This constitutes the largest ever Series A investment round for an insurtech. 

The additional $30 million will enable bolttech to enhance its technological and digital capabilities, as well as further pursue its international growth strategy through strengthening its presence in South East Asia and Europe alongside its existing markets.

Over several months, Ion Science Limited and its owner, Duncan Johns, transferred around £250,000 to invest in two initial coin offerings: Uvexo and Oileum. Mr Johns had been persuaded to invest in ICOs by several "advisors" claiming to be from a specialist investment firm called Neo Capital.  Mr Johns allowed the "advisors" to make cash transfers to purchase bitcoin (by granting them remote control of his computer), which was then transferred onwards on his behalf.

The con exposed

A few months later, Neo Capital told Mr Johns that his Oileum investment had made a substantial profit (approximately $15 million) from his ICO investments which would be released once he had made certain commission payments totalling approximately £250,000 (again converted to bitcoin and transferred by the fraudsters). Despite making those payments, Mr Johns did not receive his alleged profits. It emerged that all his points of contact at Neo Capital had used aliases and could not be traced, and a substantial part of his bitcoin had been dissipated through two cryptocurrency exchanges (Binance and Kraken).

Injunctions against persons unknown

The claimants applied to the court for a proprietary injunction and worldwide freezing order over the assets of the individuals connected to the fictitious Neo Capital. 

The court was satisfied that it was possible, and it had jurisdiction, to grant proprietary and world-wide freezing injunctions against persons unknown on the basis that the description of the fraudsters involved was sufficiently clear to be able to establish who would and would not be included in the group. 

New guidance on lex situs of cryptocurrency

In order to obtain permission to serve out of the jurisdiction, the claimants had to show there were serious issues to be tried on the merits of their claims. The court was satisfied that this was the case and, in doing so, provided a ground-breaking decision on the lex situs of crypto-assets, on which there was no authority.

The court indicated that the lex situs of a crypto-asset is the place where its owner is domiciled. The judge cited in support the analysis by Professor Andrew Dickinson at paragraph 5.108 of his book, Cryptocurrencies in Public and Private Law.

Disclosure orders against the cryptocurrency exchanges

To try to find the recipients of the stolen bitcoin, the claimants also asked the court for permission to serve disclosure orders pursuant to the Bankers Trust jurisdiction and/or CPR 25.1(g) out of jurisdiction on the two cryptocurrency exchanges to seek information that might identify who held the claimants' stolen bitcoin.

The claimants argued that AB Bank Ltd v Abu Dhabi Commercial Bank PJSC [2016] EWHC 2082, which held that there was no gateway permitting service out of the jurisdiction against a third party for the purposes of a Norwich Pharmacal order, had been wrongly decided. Rather than determine that, the judge considered that that case was distinguishable as the instant application involved a Bankers Trust order (not a Norwich Pharmacal) and cited authority that such orders could be served out of the jurisdiction in exceptional circumstances, which the judge considered were met.

The judge's approach in Ion Science is to be contrasted with AA v Persons Unknown & Ors, Re Bitcoin [2019] EWHC 3556 (Comm) where both Bankers Trust and Norwich Pharmacal orders were sought. In that case the judge drew the claimant's advocate's attention to AB Bank Ltd, which led the advocate to adjourn those aspects of the claimant's application. After the decision in Re Bitcoin it had been doubted whether Bankers Trust orders could be obtained in similar scenarios, making the court's decision in Ion Science particularly significant.

A blueprint for future claims?

The factual matrix behind Ion Science may be a sign of things to come in the world of cyber-fraud litigation. Given the ever-increasing investment in crypto-assets (including Tesla recently revealing it has $1.5bn in bitcoin on its balance sheet) spurring its meteoric rise in value and the generally frothy state of the crypto market, it's likely that crypto-cons, be they ICO frauds or otherwise, will become increasingly lucrative and therefore more prevalent.

GHRF received support from the U.S International Development Finance Corporate (DFC), which approved up to $26.7 million for the facility. The DFC loan will be utilised to capitalize the new public-private Syndicate 1796 and enable the GHRF to offer cost-effective insurance policies for shipments of vaccines and medical products to developing countries.

The GHRF is an alliance of insurance and technology partners that will work together to provide comprehensive insurance and risk mitigation services for the storage and transit of medical supplies, including temperature sensitive vaccines and medicines, PPE and ancillary cold chain equipment. 

Syndicate 1796 will begin underwriting in January 2021 and is the first public-private partnership to address a global emergency in Lloyd's history.

2. Insurtech Zego buys telematics firm Drivit to 'revolutionize' insurance pricing

Zego, the London-based insurance provider and the first UK insurtech to be awarded an insurance licence, has acquired telematics company, Drivit. 

The acquisition will enable Zego to collect real-time driver behaviour data in-house, which Zego intends to use to provide its customers with time and money saving insurance products. 

Zego states the deal will enable it to revolutionise the way commercial motor insurance policies are priced. Through the incorporation of Drivit's technology, Zego intends to price policies based not only on traditional factors such as a person's demographic profile and driving history but also on driver behaviour and a person's working habits. 

The Drivit team will now be fully incorporated into Zego, and its market-leading technology is already embedded into the Zego Sense app – the app-based telematics solution recently launched by Zego.

3. CPP Group UK and Partners& offer cyber risk assessment tool

CPP Group UK and Partners& are now offering access to a risk management tool to help brokers and their customers identify and mitigate cyber vulnerabilities.

The risk management tool KYND immediately identifies an organisation's cyber vulnerabilities and provides cyber risk management for businesses of all sizes. It utilises a website domain to perform a real-time scan providing expert insight into a business’ cyber exposure.

If part of the business is identified as being vulnerable, the KYND traffic light system dashboard can help advise the business on the actions needed to prevent potential cyber risks from developing into a real attack. The reports simplify any complex technical language and are used by both brokers and clients as a risk management tool.

4. Cover Whale Expands Trucking Offering to Include Fleets

Cover Whale, an insurtech with a specialty niche in the trucking and transportation segment, has expanded its trucking insurance products to include a fleet insurance program.

Fleet managers and select insurance brokers can now access the Cover Whale online fleet platform, which provides a solution for fast insurance quotes. 

The offering includes fleet physical damage and motor truck cargo and was available from January 1, 2021 through a select group of insurance brokers.

“We’ve reduced the turn-around time for quotes and endorsements by days, which is an enormous benefit for brokers and insureds. We’re proud that our launch in the small account space has been extremely successful leading to strong demand for us to enter the fleet segment.” – Jason Wexler, Chief Underwriting Officer.

5. Germany’s Getsafe Raises $30M from Swiss Re and Others

Digital MGA Getsafe disclosed $30 million in new financing led by new investor Swiss Re. The Heidelberg, Germany-based InsurTech said the money will help build its market dominance among millennials in its home country and beyond.

In particular, a push into additional European markets is also on the agenda, setting up more direct competition with Lemonade, a U.S.-based digital insurer pursuing its own European expansion.

Getsafe bundles all information related to personal insurance coverage via a single app that can be used to report claims and update personal and payment info.

'Clash': the situation where one underlying event causes multiple claims which can threaten the solvency of insurers. 

COVID-19 creates clash risk for casualty insurers both within and across lines of insurance.  

Praedicat applies previous mass litigation precedents to anticipate how COVID-19 liability could develop. The clash scenarios include loss estimates allocated to companies that may be named in litigation and to the insurance line that would cover the loss, enabling insurers to estimate exposure in their own portfolios. 

2. Insurtech Blink launches non-damage business interruption parametric solution 

Irish insurtech Blink has launched a hurricane non-damage parametric insurance solution designed to minimise overall claims totals as a direct result of early intervention by providing liquidity to small and medium-sized businesses in the immediate aftermath of a natural disaster. 

It uses automated financial validation and immediate pay-out solutions to enable businesses to bounce back after a natural disaster occurs.

Amongst other processes, Blink operates by continually monitoring national weather systems, tracking hurricane formation, confirming whether the insured party was in a hurricane path and validating business impact by tracking business activity. 

The product was developed in the Lloyd's Lab Innovation Accelerator Programme. 

3. Digital Lloyd’s syndicate Ki goes live with list of broker trading partners

Ki, the first fully digital and algorithmically driven 'follow-only' Lloyd's syndicate announced the onboarding of its first trading partners to its proprietary digital platform, providing access to its algorithmic underwriting in readiness for writing business from 1 January 2021. 

Ki is working with a leading group of Lloyd’s brokers including Aon, Aon Re, BGCI (including Ed and Besso), Bishopsgate, BMS, Gallagher, Guy Carpenter, Howden, Lockton, Lockton Re, Marsh, Miller, Price Forbes, AmWins / THB, Tysers, Willis, Willis Re.

Ki has agreed to provide valuable capacity to each trading partner in 2021, giving their clients immediate security about placing business in Lloyd’s in 2021.

Ki's algorithm enables it to evaluate Lloyd's policies and automatically quote for business via a digital platform which brokers can access directly. Ki aims to increase responsiveness and drive efficiencies by reducing the time and effort taken for brokers to place their follow capacity.

4. Usage-based insurer Metromile to become public company

Metromile Inc., the U.S. pay-per-mile auto insurer, has reached a deal to go public by merging with Insu Acquisition Corp. II (Insu II), a U.S. special purpose acquisition company.  

The merger means Metromile will become a publicly listed company without the risk of an IPO. It is anticipated that the transaction will provide Metromile with up to approximately $294 million of cash to pursue growth opportunities. 

5. Lemonade to start selling term life insurance

Lemonade plans to start selling term life insurance. Whilst the insurtech carrier confirmed it is not going to underwrite the life insurance product, its distribution broadens Lemonade's product offering from just property/casualty insurance for the first time.

The term life insurance product will be written on an undisclosed carrier’s paper as a “form of market research.” 

"We strive to prioritize product launches based on customer needs rather than regulatory frameworks, which is why over the past few months we have created the Lemonade Life Insurance Agency and why we are planning to bring the Lemonade experience to the term life insurance market in the coming months." - Shai Wininger, co-founder and COO of Lemonade

Ofcom and the Department for Digital, Culture, Media & Sport (DCMS) have been consulting on how best to implement the changes in the UK. Over the summer, the DCMS published its responses to the public consultation on implementing the EECC in the UK, setting out its proposed changes to UK legislation to implement the EECC.. 

Am I covered by the EECC?

The EECC will continue to cover traditional Electronic Communications Networks and Services (ECNs and ECSs respectively), such as mobile and fixed networks, MVNOs and ISPs.  However, the EECC now also extends the scope of ECS to include 'interpersonal communications services'. The addition of this category of services means that 'over-the-top' (OTT) providers, like Skype and WhatsApp, will now also fall into the communications regulatory environment for the first time (unless the 'interpersonal communications services' are minor and purely ancillary to a non-communications service, such as a communication channel in online games).

The EECC does not regulate e-commerce, information society services and the exercising of editorial control over online content or broadcasts.

To see if you are covered by the new code, download the PDF below. 

When will the new changes apply in the UK?

•  The UK has to adopt the code into national law by 21 December 2020.
•  The UK was involved in the negotiations for the EECC and the EECC is still viewed by the DCMS as best practice, Brexit notwithstanding. The DCMS has confirmed that it will press ahead with the implementation and that only a small number of EECC requirements will be deprioritised and  not be implemented into UK law by 21 December 2020.
• In light of COVID-19, Ofcom issued a statement on 7 May 2020 that communications providers will have at least 12 months to implement any changes that are finally implemented (regardless of the 21 December implementation date), so that resources can be allocated to respond to the crisis.

What major changes can be expected?

•  OTT providers (like Skype and WhatsApp) will now also have to comply with certain provisions of Ofcom’s General Conditions of Entitlement 
• Additional consumer protection measures will apply to OTT providers, including provisions that will need to be included in contracts, transparency and information requirements, and equivalency access for disabled users
•  Fixed line and mobile providers will also face a number of increased requirements around regulation of bundle offers, enabling easier switching between services and prohibitions on locking of devices.
  

 "OTT" provider obligations to be de-prioritised

•  The obligations of number-independent 'interpersonal communications services' (NI-ICS) providers (such as WhatsApp or Zoom) are likely to be de-prioritised as part of the implementation and will be implemented at a later date. 
• As there are no notification or registration requirements in the UK, any OTT communications services providers that will be classified as an NI-ICS will not need to do anything specific when the Code does kicks in.  When the Code kicks in, NI-ICS are still however likely to need to have appropriate security measures in place, and if directed by Ofcom, NI-ICS will also have to ensure that their services can interoperate with other NI-ICS. 
  

The General Court of the European Court of Justice (ECJ) has annulled the European Commission's (EC) competition authority decision to block Three–O2's £10.25billion merger, in 2016. The ECJ found that the EC's decision was based on 'several errors' and failed to prove the merger, which would have created the UK’s largest mobile operator with 40% of market share, would damage competition or significantly increase prices for consumers.

Despite the ECJ's recent annulment, it was no surprise that the intended merger received intense scrutiny from regulators because, if approved, it would have reduced the UK's Mobile Network Operators (MNO) from four to three, which is something that Ofcom, the CMA and EU competition authorities warned could affect competition – i.e. a reduction in consumer choice, a significant increase in prices, a reduced incentive to invest in the UK telecommunications infrastructure and have adverse impacts for Mobile Virtual Network Operators (MVNOs). At the time, Three and O2 argued that they would not individually be able to effectively compete with EE/BT (following their 2015 merger) and Vodafone (following its investment in fixed line infrastructure).

Is the merger back on?

In short, this is unlikely. 

Despite the recent ECJ decision, it is hard to see a re-start to merger talks between Three and O2, particularly with O2 announcing last month that it was to enter into a joint-venture agreement with Virgin Media’s (Liberty Global’s) UK fixed line broadband and TV business in a deal worth a staggering £31billion.  

ECJ's decision – too little, too late?

Although the decision has not reignited the intended merger between Three and O2, CK Hutchison's appeal against the EC's decision was never intended to 'unblock the merger' but instead sought to challenge competition concerns within European markets and the EC's approach. 

CK Hutchison commenting on the ECJ's decision, said, '[The EC has] prevented, vital industry consolidation in Europe which would have resulted in significant new investment, innovation and benefits for European consumers and industry' and that the EC blocked its takeover of O2 due to the 'misconceived default view' that European markets need four mobile networks to ensure competition.

It is too early to say whether the decision will impact, and if so just how far, the EC's outlook and approach to telco mergers in Europe in the future (especially, as Margrethe Vestager, the EU’s competition commissioner who took the original decision to block the merger, remains in office serving her second term). 

One thing that is for certain is that the decision undoubtedly has cast a light on the EC's and the competition commissioners' approach to merger interventions and could open the door to telecom consolidation in a number of European markets, particularly in Spain, Demark and Italy where there are still four MNOs.

Momentum is gathering in the InsurTech space in Hong Kong.  Carriers are looking to back InsurTech start-ups to diversify their offering and private equity firms are showing considerable interest in this sector, recognising the high growth potential. We have seen Hillhouse Capital purchase Aviva's stake in Blue (a Tencent backed life-insurer) and undertake various rounds of financing to support other digital ventures, including Lima Insurance Cloud, a Chinese InsurTech start-up. Global funding commitments to InsurTech reached US$6.37 billion in 2019.  As more InsurTech start-ups are reaching operational maturity, we can expect to see new waves of investment through acquisition, joint venture or partnership in the short term.

As they grow in size and number, virtual insurers are set to change the shape of the insurance industry.  Online insurance has huge market penetration potential – the vast majority of consumers are armed with a smartphone and seek simpler, smoother and immediate purchase-to-claim experiences.  InsurTech also brings more competitive pricing powered by AI and big data. The focus on niche and on-demand policies will round out the insurance ecosystem by complementing the offerings of more traditional carriers.  There are plenty of exciting developments to come.

The report highlights rising public concerns that loot boxes are addictive, costly, unregulated gambling-substitutes, which are widely accessible to children. There are already signs of potential action - the Government stated in a Background Briefing to the Queen’s Speech of 19 December 2019 that it will conduct a review of the Gambling Act, with a particular focus on loot boxes.

What are loot boxes?

The report defines loot boxes as "items in video games that may be bought for real-world money, but which provide players with a randomised reward of uncertain value".

The rewards are virtual items which can be used in-game, such as outfits, characters, or weapons. Some of these have an impact on gameplay, such as unlocking a top-tier footballer in FIFA, whereas others are purely cosmetic. In some games rolling the dice on a loot box can result in a windfall - very rare items can command eye-watering (and often baffling) price tags. In 2013, an anonymous Dota 2 player paid $38,000 for a flaming pink "war dog" to carry items around the in-game battlefield. The function is normally performed (just as capably) by a digital donkey. In 2018 a "Dragon Lore" weapon skin in Counter Strike: Global Offensive (effectively a digital sticker for one of the in-game guns) sold for more than $61,000.

Both of these games featured developer-run marketplaces where players could trade their items. In many other games, however, items cannot be freely traded with other players (either because of technical barriers or restrictions in user terms).

What's the potential harm?

The key concern being raised in relation to loot boxes is whether they effectively constitute a form of unregulated gambling.

In 2017 a petition asking the UK Government to review the subject attracted just under 17,000 signatures.  A report by the Children's Commissioner concluded that "monetisation of gaming brings children closer to gambling".  Commentators (including the Church of England) have described loot boxes as a "gateway for gambling", with deliberately addictive designs that mimic the feeling of online gambling, including through the use of bright colours and surprise mechanics. 

The money involved can be significant and unexpected (one teenager in Ontario, Canada spent almost $8,000 on FIFA Ultimate Team packs in one month – on his father's credit card).

Gambling is regulated in Great Britain by the Gambling Act 2005, which defines gaming as a "game of chance played for a prize".  Generally, a prize means "money or money's worth".  The Gambling Commission stated in a November 2017 statement that in-game items obtained via loot boxes are unlikely to constitute a prize for money or money's worth as these are generally confined to the game and cannot be cashed out.  The result is that loot boxes are currently unlikely to be held to be a licensable gambling activity, therefore falling outside the Gambling Commission's remit.

The DCMS Committee report criticised the law's focus on real-world monetary value.  It considered that approach to be a failure to keep up with modern digital economies, creating a loop hole for loot boxes.  This focus, DCMS argues, ignores the subjective value created for players in the in-game environment, and the reality that in fact these in-game items can be, and often are, cashed out in real-world trades.  It is worth noting that gambling regulators in Belgium and the Netherlands have found that some loot boxes violated their gambling laws.

The DCMS Committee report concluded that loot boxes bought with real-world money that do not reveal their contents in advance to be games of chance played for money's worth.  It recommended that the Government brings forward regulations to that effect.

Key take-aways

Loot boxes are big business.  In 2016 FIFA developer Electronic Arts reported $650 million in revenue from its the game's Ultimate Team mode, and industry analysts have predicted that the industry may be worth $50 billion by 2022. It is therefore critical for any companies in this space to consider their approach and "get loot boxes right".

Prudent developers will no doubt be looking at ways to take the heat out of the situation and possibly reduce the chances of new regulation, for example by limiting or removing any addictive element of chance (which can see players chasing rare items indefinitely) and/or the potential for exorbitant expenditure.  However, if the UK government does reclassify loot boxes as gambling, game developers using loot boxes will need to obtain an operating licence and comply with an extensive (and costly) set of regulatory obligations. 

Executive summary

RPC's Tech Group welcomes the opportunity to engage with Government in relation to the proposals to regulate online harms as set out in the Online Harms White Paper^₂, and endorses the Government's stated aim of ensuring that the UK develops and maintains a "vibrant technology sector" and its commitment to a "free, open and secure internet" and to the protection of "freedom of expression online".

We agree that the law does and should extend to the internet and that internet users and platforms are obliged to comply with the law and to act responsibly and with due regard for one another, as would be expected in any public space. Indeed, the largest online service providers already take a multitude of steps to protect users and third parties from harm on their services, from imposing standards on users to proactively identifying certain types of content and removing other content upon notification. However, that does not justify treating the internet as a space which requires more stringent regulation than any other, or for speech or conduct which would not be unlawful in a public place to be treated as if it were unlawful when it takes place online, or for the operator of the space to be held liable for the enforcement and censorship of that lawful speech or conduct which is nevertheless deemed undesirable in that space by the government at any particular time.

We are concerned that at a time when the Government is seeking to promote the importance of free speech and the free exchange of ideas around the world, including those which question authority, its efforts to mitigate online harms will inadvertently provide a veil of respectability to undemocratic regimes which would seek to stifle and censor lawful content.

While we address the specific questions posed by the consultation at the conclusion of this response, we first address a number of issues raised by the proposals in the White Paper which we believe ought to be given further consideration before any policy response is finalised and implemented. In summary;

• We would support the commissioning of further analysis and research as to the prevalence and scale of the risk posed by online harms, in order that any policy response may be targeted and proportionate;


• We would similarly support the introduction of mechanisms for monitoring the impact of any policy initiative to tackle online harms to enable further analysis and research including as to whether any detrimental impact outweighs their benefit;


• The Government should refrain from imposing expectations or obligations on online service providers in the absence of clear evidence demonstrating that this is necessary and proportionate;


• While we note the Government's concern that the current approach to regulation of the online space is fragmented, there are numerous proposals currently in the process of being implemented or consulted upon which are relevant to tackling the issue of online harms and in the absence of central co-ordination there is a real risk of developing conflicting policies, over-burdening industry and losing the opportunity to understand the impact of any changes;


• The proposed breadth of application of the proposals should be narrowed to focus on providers which are dedicated to the sharing of user-generated content, to the exclusion of media websites, retail websites (including online marketplaces), and search engines amongst others;


• We would invite the Government to consider whether smaller, not for profit or low risk online service providers should fall within the scope of the proposals;


• We are extremely concerned by the inclusion of not only unlawful content within the scope of the proposals but also content which is lawful but considered undesirable, particularly in circumstances where judgements as to what is appropriate will be devolved to a regulator or to private entities in relation to what is essentially a moral or ethical issue on which there may not be any consensus within society. We consider that such an approach would be detrimental to the UK's stated commitment to promoting free speech around the world and contrary to the Article 10 right to freedom of expression and information. If Government wishes to regulate online speech, it should seek to legislate to do so, making the relevant speech unlawful, rather than seeking to impose an obligation on private actors to identify, adjudicate upon and remove lawful material. We note that the Law Commission intends to consult on amendments to communications law offences in 2020;


• Any extension of obligations to remove content to encapsulate lawful speech must be subjected to the utmost scrutiny, and in practice online service providers must be provided with a margin of discretion in relation to the removal of such content;


• We do not consider that online service providers should be responsible for determining the veracity of content or that material posted from prisons should fall within the scope of the proposals;


• We would invite the Government to consider and consult upon whether the criminalisation of harmful conduct by individuals could provide a proportionate alternate response to the issue of online harm;


• While we reject the proposal for the imposition of a 'duty of care', which has a specific legal meaning and implications, we would welcome an expectation that online service providers act responsibly toward their users and others;


• If a duty of care were to be imposed, it is imperative that this would not compromise the application of the safe harbour provisions in the E-Commerce Directive, which would exclude a pre-moderation approach to harmful content; this is also unlikely to be technologically possible through the use of AI in relation to the broad range of harms identified in any event;


• We would not support the inclusion of an obligation applicable to online service providers globally to support UK law enforcement investigations as part of any duty of care, which has the potential to place online service providers in conflict with local law obligations;


• We welcome the Government's proposals for transparency in relation to the prevalence of harmful content but would encourage the publication of a wider range of information, such as the identity of those seeking the removal of content;


• In relation to transparency in relation to algorithms, we would encourage accountability rather than transparency to be overseen by the Centre for Data Ethics and Innovation;


• We would encourage a system of regulation which aims to centralise resource, improve digital literacy, disseminate best practice and avoid duplication of regulation;


• We would invite the Government to consider and consult upon whether a system of self-regulation, which already works effectively in relation to the advertising and press industries, could provide a proportionate response at no cost to the taxpayer;


• Any regulator which is required to oversee and adjudicate in relation to lawful but undesirable speech must be well-versed in regulating freedom of expression issues;


• We do not support the imposition of civil liability for breaches of the proposed statutory duty; and


• We do not believe that the proposed enforcement tool of imposing fines on individual directors will be effective and anticipate that it will be a significant disincentive to investment in the UK, risking the UK's industrial strategy of leading the global technological revolution.

We welcome the Government's proposals for transparency in relation to the prevalence of harmful content but would encourage the publication of a wider range of information, such as the identity of those seeking the removal of content;

* With special thanks to Marlon Cohen, Oliver Murphy, Victoria Noto, Anna Greco, Rachael Ellis, and Charlie Gould at RPC for their assistance in conducting research and preparing this response.

² Online Harms White Paper, CP 57, April 2019: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/793360/Online_Harms_White_Paper.pdf

Topics of response:

The Code provides for a number of new requirements that will need to be dealt with in contracts that communications providers enter into with consumers (including information requirements, comparisons of offers, bundled offers, contract duration and termination of contracts). The type of contract information that will need to be provided to a consumer will depend on the type of "electronic communication service" being provided. The Code applies not only to mobile and fixed line broadband and voice providers, but will also apply to a range of "over the top" service providers (ranging from Netflix to Snapchat) as well as machine to machine service providers.

Contract summaries to be provided

As part of the changes, the Code includes a new requirement for communication providers to provide a contract summary together with the contract to be entered into with the consumer. BEREC, the European communications regulation body (of which Ofcom is a member), issued a consultation on 10 October discussing what types of information should be included in the contract summary that consumers receive. The report highlights that different regulators in Europe require varying levels of information to be provided to consumers of communications services. For example, some European countries have preformatted templates that have to be provided to consumers, whereas other countries insist that contract information has to be upfront and not relegated to the last page of the contract. BEREC is consulting on the information that needs to be provided, and the outcome will feed into the Code requirements.

 What does this mean for communication providers in the UK?

It isn't clear at this stage whether a withdrawal agreement will be entered into between the UK and the EU before Brexit takes place on 29 March 2019. The current Communications Act is modelled on the existing electronic communications regulatory framework in Europe, and Ofcom is a leading member of BEREC. The Code is also likely to come into force before 29 March 2019 – even though the obligations under the Code are phased in after that date.

If the UK decides to diverge from the rest of Europe in terms of communications regulation after 29 March 2019, the information requirements set out in the Code will apply nonetheless in other European countries. This could mean that a communications provider has different information requirements that apply to contracts in the UK as opposed to the rest of Europe. A more likely scenario is the UK following what the rest of Europe does in terms of best practice and these information requirements, unless there are material reasons not to do so.

What happens now?

BEREC is inviting interested stakeholders to provide feedback on their proposals. The BEREC proposals are set out here. The consultation ends on 7 November 2018.

Smartphones and other connected devices, such as smartwatches are at the heart of CAV innovation. Unsurprisingly, these devices are key means of operating vehicle assistance systems and accessing related features and functions.  For example, many vehicle manufacturers have applications that allow users to switch on their vehicle engines remotely (e.g. for pre-heating or cooling the cabin). These apps can also confirm vehicle location and provide access to other real-time information such as fuel quantity, consumption, range and odometer readings.  This type of control and accessibility through connected channels may soon become commonplace across most car marques and will provide many welcome benefits for vehicle users.

The latest consultation focusses specifically on remote control parking and motorway driver assistance systems (which can take full control of vehicle position and speed on high-speed roads). It proposes the following amendments:

• Inclusion of an exemption in the Regulations to permit the use of hand-held and mobile communications devices as a means of performing remote control parking manoeuvres (subject to a 6-metre operation limit when users are outside of a vehicle); and

•  Additions to The Highway Code to confirm that drivers:

(i) may activate remote control parking "using a legally compliant parking application or device in an appropriate way which does not endanger others."; and

(ii) remain wholly responsible for their vehicles and if using any advanced driver assistance systems, must exercise full control over those systems at all times and use them only in accordance with manufacturer or developer instructions.

The consultation emphasises that the intent behind the proposed reforms is to provide clarity on the appropriate use of such technology. The proposals should in no way be regarded as watering down existing offences for use of mobile devices when behind the wheel. 

Of course, as CAV technology and capability continues to evolve at rapid pace, opportunities for blurring the lines between legal and illegal mobile device use in an automotive context will almost certainly increase and the law may lag behind. A common-sense approach by vehicle users should sit alongside further innovation and ongoing legal reform so that the right balance can be achieved.   

A copy of the full consultation may be accessed here.  Responses are invited by midnight on Tuesday 30 January. If you would like to contribute, please click here. 

The CMA carried out its market study into DCTs or "digital intermediary services used by consumers to compare and potentially to switch or purchase products or services from a range of businesses".  It focused on various sectors, including: home insurance; private motor insurance; broadband; energy; credit cards; and flights. 

As the CMA has confirmed in its Final Report :

"We have found a mostly positive picture of people's use of and attitudes to DCTs, and the ways DCTs treat people; but also concerns, especially on DCTs' transparency, accessibility and clarity about their use of personal information."

Consequently, the CMA has put forward a series of recommendations.  The CMA's main competition concern arising from the market study is the use of wide price parity or MFN clauses which it is now investigating.  In addition, certain other contractual arrangements remain "an area of interest to the CMA".  These are all discussed in more detail below.

Recommendations

The CMA's approach can be summarised by its Chief Executive's statement that:

"… we have also found that improvements are needed to help people get even better deals.  We have set out ground rules for how sites should behave, as well as being clear on how regulators can ensure people have a better experience online."

Consequently, the CMA has published a range of recommendations for DCTs, their users, the regulators and others.

In relation to DCTs, the CMA has set out CARE, its four high-level principles for DCTs to ensure they treat people fairly, namely:

Clear:  DCTs should explain their services and how they make money.  Thus, consumers need to be given clear information about how much of the market the particular DCT covers, how the DCT's commercial relationships affect the results, how the results are rated and the total costs involved, for example.

Accurate: DCTs should provide information which is "complete, correct, relevant, up-to-date and not misleading".

Responsible: DCTs should comply with all legal obligations in relation to data protection and privacy. They should also explain to consumers about the use of their data and what controls they can exercise over their own data.  DCTs should also deal with complaints professionally and fairly. 

Easy to use: DCTs should make information easy to find and understand.  DCTs also need to comply with their equality law obligations.

In respect of consumers, the CMA has set out various tips to encourage them to get the most out of using DCTs, such as choosing a DCT carefully, using more than one DCT and understanding how the search results have been generated.

With regard to the regulators, the CMA has put forward a number of generic and also sector-specific recommendations in order to make it easier for consumers to use several DCTs (through freeing up more data) and for them to make more accurate comparisons (through improving the effectiveness of quality metrics), for example.  The FCA has been specifically asked to consider whether it is possible, and, if so, how, to make it easier for consumers to obtain quotes from multiple DCTs, given the volume of information required in order to obtain a quote. The CMA has also found potential issues concerning the way insurance excesses are presented and has asked the FCA to consider these further.

Most Favoured Nation Investigation and Other Contractual Provisions of Interest

As mentioned above, the CMA has now launched an initial investigation into suspected breaches of Chapter I and Article 101(1) TFEU concerning the use of wide parity or MFN clauses by a comparison website in connection with home insurance.  It anticipates a decision as to whether or not to proceed further with the investigation by next March.

The CMA liaised with the FCA to determine which of them was best placed to conduct the competition investigation.  Given that the CMA has experience of reviewing MFN clauses (e.g. motor insurance, auction platforms and hotel online booking), the wide range of sectors which may make use of such clauses and the broader policy implications, it was decided that the CMA should investigate.  The CMA has reiterated that it will "liaise closely" with the FCA.

A wide MFN arrangement prohibits a supplier selling its product or service at a lower price via its own website or via another DCT.  The CMA has emphasised that it has not changed its position, as set out in its private motor insurance investigation, namely that it is concerned that "wide MFNs soften competition between DCTs and between DCTs and competing channels through reducing DCTs' incentives to compete on commissions, to innovate and to enter".  In relation to private motor insurance, the CMA had prohibited the use of wide MFNs by large DCTs.

Although its market study has not highlighted any current adverse effects, the CMA has said that it will keep the following contractual arrangements "under review":

• narrow MFNs, which require a supplier to set a price on a DCT which is no higher than the price offered via the supplier's own website. The concern is that these could go beyond what is necessary to achieve free-riding and credibility efficiencies.

• Agreements between DCTs and suppliers regarding bidding behaviour on paid search platforms.  These could potentially impact on consumers' actual purchasing behaviour.

• non-solicitation clauses, whereby DCTs are not allowed to contact customers, who have purchased a supplier's product from that DCT, in relation to that particular product for a certain period of time (often covering at least the first renewal period). 

Next Steps

The CMA is planning to continue its dialogue to ensure that its recommendations are "understood". It will be liaising closely with the FCA in relation to the MFN investigation. The FCA has itself said that it is actively considering what action to take in response to the CMA's recommendations. 

In the meantime, the CMA has advised businesses, whether operating DCTs or supplying products/services via DCTs to review their commercial agreements in light of its comments regarding MFNs, non-solicitation and advertising restriction contractual provisions.

However, on 17 May 2017, the EBA released guidance that has nuanced the audit rights that a bank must obtain from cloud service providers to be compliant. Specifically, the guidance distinguishes between the access and audit rights banks have to provide for themselves (or their auditors) and the access and audit rights banks have to obtain for regulators.

Rights of the bank and its auditors

Rather than conduct their own audit, the EBA has stated that banks may participate in "pooled audits performed jointly with other clients of the same cloud service provider" to "decrease the organisation burden both to clients and to the cloud service provider".

As an alternative to the above, banks may rely on "third party certifications and third party or internal audit reports made available by the cloud service provider" provided that they are "in line with recognised standards" and the bank are satisfied with the capabilities of the "certifying or auditing party". If a bank does rely on this, it must also have a contractual right to request the "expansion of scope of the certifications or audit reports to some systems and/or controls which are relevant".

Rights of regulators

On the other hand, banks must continue to guarantee that national regulators (such as the FCA) have "full access rights" to the head office and operations of any outsourced cloud service providers, including "the full range of devices, systems, networks and data used for providing the services to the outsourcing institution".

Takeaway

The guidance provides cloud service providers with alternative solutions to providing banks with physical access to their premises and systems for audit purposes. If this guidance is accepted and becomes the new "normal" it will undoubtedly change the way audit provisions are negotiated. However, diving into the audit pool is not an option for regulators, who will have to be granted physical access rights.

The big news
It was announced this week that wealth management firm Old Mutual (OM) has terminated its contract with International Financial Data Services (IFDS) for an IT platform upgrade. IFDS had been brought on board to build OM's 'Bluedoor' back-end investment administration platform. The termination came as somewhat of a surprise to the market, given OM's admission that it had already spent £330 million on the project. OM also terminated its contract for the associated business process outsourcing and front-end solution it was working on with DST Systems (DST). In place of IFDS and DST, OM has instructed New Zealand based IT service provider FNZ to install an alternative system by late 2018/early 2019.

The drivers for Old Mutual
Earlier this year, it was reported that OM and IFDS had entered into negotiations with the aim of addressing timescale and cost risks. From OM's statement on the termination it is clear that these discussions proved fruitless and it appears that there were three key concerns that drove the decision to terminate:

Cost
The wealth management firm stated that the costs of implementation "would have been materially greater" than the figure that they were original advised of by IFDS of "up to £450 million" had they stuck with IFDS.

 FNZ have quoted "120 - £160 million" as a preliminary estimate for the installation of the new system. Should this prove to be accurate, then OM will be roughly in line with the original budget.

Delay
In addition to costs, Paul Feeney (Chief Executive of OM) made clear that OM wanted to get their platform up and running "within a certain time" and that if they stuck with their "previous supplier that this was likely to run over."

Functionality
Linked to the above but beyond the inconvenience of increased costs and delay is the issue of functionality. OM stated that "The new platform is expected to provide additional functionality that was not included in the previous arrangements. Management estimate this would have cost in excess of a further £50 million and taken a further two years, post migration, to deliver." These additional functions are claimed to be "giving customers the option to tap into investment trusts, exchange traded funds (ETFs) and junior Isas, which was not immediately possible with IFDS."

Overall, Paul Feeney set out that OM "have made a definitive decision… and one that will provide greater functionality within an earlier time and at a better cost than would have been the case had we stayed on the route we were on.”

Whilst IT projects go wrong, it is unusual for them to fail this publically. It will be interesting to watch the fall out as we find out what actually went wrong and whether the parties have an appetite for litigation.

The Californian arbitrator ruled that the cap did apply to the prepayments of royalties and, in effect, that BlackBerry had overpaid Qualcomm. Without doubt, the result was a "big win" for BlackBerry that has been sweetened by a 15 percent jump in its share price (to its highest since January 2016).

Qualcomm's take on the result was that "the arbitration decision was limited to prepayment provisions unique to BlackBerry’s licence agreement with Qualcomm and has no impact on agreements with any other licensee.”

Whilst the exact structure of the royalty payments is unclear, it will be interesting to see whether this result will encourage companies with licensing arrangements with Qualcomm to challenge royalty payments and fees being charged. On a broader view, the result could embolden the appetite for litigation of licensees that feel existing payment caps are being incorrectly applied.

Additionally, the dispute is a timely reminder as to the importance of carefully drafting any caps on payments to be made when entering into a licence or similar commercial arrangement. Parties should carefully consider the intention of such caps, and the scenarios when such caps should or should not apply. Licensors must ensure that caps are drafted precisely, without ambiguity, to avoid the scenario Qualcomm found itself in.  

The RPC team is particularly experienced in contentious and non-contentious matters involving licensing.  For more information please contact Andrew Crystal or Joseph Byrne. 

The CMA's Acting Chief Executive has commented on the CMA's findings:

"Our work so far suggests that digital tools like price comparison websites generally work well for consumers, who really value the service they provide. However, our report suggests that improvements may be necessary to help more people get even better deals."

Areas of Possible Concern

Thus, DCTs have not been given a completely clean bill of health. The CMA is proposing a "second phase" of its market study before it publishes its final report.

In general terms, the CMA intends to develop its analysis further and refine its understanding. It will consider the impact of possible future developments in relation to DCT models and the effect of DCTs on consumers who do not use them (particularly more vulnerable groups).

In addition, during its market study, the CMA has identified four areas of possible concern, on which it will focus during the second phase. These are:

1. in order to maximise consumer confidence and trust, improving the transparency of digital comparison sites in relation to: 

• market coverage, business models and ranking methods
• the use of personal data (and offering control over how personal data is shared
• their redress policies

2. improving DCTs' access to necessary inputs and, thereby improving the benefits which they can offer:

• the CMA's particular concern relates to the availability of inputs from suppliers (e.g. pricing information for insurance and flights, eligibility in relation to credit cards and broadband speed information)
• the CMA has learnt from certain regulators that there are developments in some sectors which may resolve barriers to effective comparisons (e.g. the FCA is working with insurers and DCTs to improve the availability of information on general insurance add-on pricing)

3. making competition more effective and in particular:

• considering the competitive landscape and negotiations between DCTs and suppliers (the CMA is looking to understand why, with the exception of flights, in the different case study sectors reviewed, there was one DCT, but not always the same one, which accounted for a significantly larger proportion of sales)
• the use of most favoured nation, i.e. MFN, or parity agreements
• unbundling and also the hollowing out of features with an undue focus on price
• non-brand bidding and negative matching agreements
• non-solicitation agreements whereby DCTs agree not to contact users again for a period of time (often over a year) to offer a comparison for the same service for which the DCT had previously facilitated a sale

4. the way in which DCTs are regulated

• as the nature, and extent, of regulation varies across different sectors, the CMA will consider the possibility of cross-sector principles for all DCTs and, if this approach is appropriate, the CMA will also consider how to ensure compliance. 

Consumer Survey

As part of the CMA's market study, a survey of over 4,000 consumers was undertaken to gather information on consumers' use and perception of DCTs.  The results of the survey showed that overall levels of user trust and satisfaction were high and that DCT users think that "these tools work well, making it easier to make informed choices and save money". Some of the main findings were:

• 97% of internet users were aware of DCTs
• 85% of internet users had used a DCT at some point
• 90% of recent DCT users were "very or fairly" satisfied with the DCTs they used
• 64% of recent DCT users used more than one DCT to shop around
• 11% of DCT users thought that the DCT had shown "the whole of the market" 

Next Steps

The CMA's consultation on its published update paper, including its proposed areas of focus during its second phase of the market study, is now open until 24 April 2017. It has published a response form setting out twenty-five questions as part of this consultation process. The CMA's final report is due to be published by 28 September 2017.

The CMA has confirmed that future steps may involve a combination of competition and enforcement cases, recommendations to regulators and/or working with businesses in the sector.

Blockchain first came on the scene through Bitcoin. In basic terms it is a decentralised, distributed electronic ledger which allows for the creation and maintenance of authentic, tamper-resistant records.  This is done by essentially cutting out the middlemen (for example, central registries such as banks and governments) to bring record creation and verification into the realms of peer-to-peer control. Blockchain is so special because once a record has been created and verified, it cannot be altered. It is a great way of tracking prior activity/transactions and verifying their provenance and validity. In many contexts, blockchain is proving to be faster, cheaper, more transparent and safer than traditional ledgers. Digital currency is not the only context for its use; there are many other ways in which the technology can potentially be deployed.

Smart contracts

As well as recording the basics of a transaction such as its date, time and participants, blockchain technology can be used to create contracts with embedded code. These smart contracts can be self-executing. Their embedded code also allows for specific contractual actions or instructions to be triggered automatically, for example, making payment upon delivery of goods or services.  This mechanism could simplify and speed up business and improve contractual standardisation, leading to gains such as improved efficiencies. This further layer of customisation for transactions in the blockchain would bring much more certainty for contracting parties and less risk.

No doubt, smart contracts will be useful for certain types of transaction but there are some potential drawbacks.  For one, the unalterable nature of blockchain technology means that once code is entrenched in the blockchain, contracts completed in this way can only be cancelled or modified under terms set out in that particular code, as it exists in the blockchain. Whilst contractual certainty is important for many reasons, the commercial realities of business are not fixed. This means that the lack of malleability in a smart contract could cause problems should a dispute arise between the contracting parties, for example, if one party believes it has reason to withhold payment. 

The EPRS report refers to a radical interpretation of smart contracts where embedded code could be perceived as substituting the law itself.  This would be on the basis that the code in the blockchain would entirely govern the contract. In such instances, smart contracts could be regarded as "self-contained, self-performed and self-enforced." Such interpretation is not without its risks, however. For instance, mistakes in the code could be exploited without consequence (as they would be part of the contract).  Also, smart contracts could include provisions that are illegal in the chosen jurisdiction.

The report suggests that a more realistic interpretation of smart contracts is to place them within the wider legal system by imposing additional requirements and controls on top of the embedded code, in accordance with the relevant law.  This could include the application of traditional judicial processes, such as arbitration, to deal with any disputes.

It is important to note that smart contracts by their very nature could undermine some of the key benefits inherent in blockchain technology. Incorporating embedded code within smart contracts sets them apart from the routine transaction recording that has lent itself so well to blockchain technology. Therefore, smart contracts will likely require greater effort to process and verify which could lead to more cost. This risks cancelling out some of the efficiency gains of traditional blockchain use. Also, the extra complexity required for smart contracts could increase the risk of security vulnerabilities arising.  According to the EPRS, when combined with the "'code as law' ideology" this could cause serious practical challenges for smart contracts. 

A copy of the EPRS report is here.

Comment

This is an area that has sparked the interest of many organisations. Contract management and automation often go hand in hand when looking at improving efficiencies. Smart contracts could sit very nicely in this sphere to earn a place in the mainstream business world, particularly for more routine, repetitive types of transaction.

Through to November 2015, Diageo paid SAP between £50million and £61million in licence and maintenance fees.  Pursuant to the Software Licence and Maintenance Agreement between Diageo and SAP (the Agreement), the fees were priced by reference to the number of "Named Users" of the software.  Named Users were defined in the Agreement as individuals who are "authorised to access the Software directly or indirectly", depending on their user category as set out in a schedule to the Agreement.  The Agreement also granted Diageo a licence to use SAP Exchange Infrastructure (SAP PI), which distributed messages between ERP and other SAP systems.  Diageo paid an additional fee to use SAP PI based on the monthly volume of messages processed.

From around 2011, Diageo developed and introduced two new software systems, "Connect" and "Gen2", using a platform provided by Salesforce.  Connect enabled Diageo's customers and distributors to place orders for products directly using an online portal, rather than through Diageo employees in a call centre.  Gen2 was used to manage the operations of Diageo's sales and services representatives.

Diageo accepted that Gen2 and Connect interacted with the ERP software via the SAP PI system, but disputed whether that interaction constituted use and/or direct or indirect access to the ERP software so as to give rise to the payment of additional fees.  SAP claimed that Gen2 and Connect used and/or accessed the ERP software directly or indirectly, without SAP being appropriately compensated under the Named User pricing arrangement.  As a result, SAP claimed additional licence and maintenance fees of £54,503,578.  The court sided with SAP on liability but did not make a ruling on the amount of compensation due to SAP.

Comment

The judgment may embolden SAP and other software providers to pursue further litigation.  With that in mind, customers should carefully consider their software usage, or future plans for usage, to ensure that they are not, or will not, be in breach of existing software licence agreements.  This is likely to be a particular issue where the customer's software usage has changed over the course of an agreement or is about to change (e.g. to make use of new technologies).  For example, with the Internet of Things now with us and the increasingly prevalent customisation and integration of software, providers should really focus on their licensing arrangements at the outset of new technology projects to ensure they do not inadvertently create a scenario analogous to this case.

This Article (which was first published on Lexis®PSL Commercial on 23 November 2016 and can be found here) considers the background to the CMA's warning and the possible risks of using automated re-pricing software.

What is the background to the price fixing warning by the CMA?

On 7 November 2016, the CMA launched its latest campaign to remind online sellers of the need to comply with UK competition law.  The CMA used the recent focus on Black Friday as an opportunity to reinforce the message that online sellers, irrespective of their size, should neither agree their prices nor discuss their pricing intentions with their competitors.  Price-fixing between competitors is one of the most serious forms of competition law infringement and substantial penalties can be imposed for such cartel activities.

The warning follows a recent infringement decision by the CMA, where it found that two online sellers had agreed not to undercut each other on prices for licensed sport and entertainment posters and frames, which they both sold on an online marketplace. After difficulties in monitoring each other's compliance with their arrangement, the two sellers had then utilised automated re-pricing software to ensure compliance.

Back in June, the CMA had issued a warning to online retailers and suppliers in relation to their vertical pricing arrangements, namely Resale Price Maintenance or RPM, whereby a supplier and retailer agree that the retailer will not sell or advertise the supplier's products online below a certain price.  The CMA had emphasised that retailers should determine independently the price at which they wish to sell products. This warning again followed recent infringement decisions issued by the CMA.

There is an increased focus by the CMA on digital and online markets and ensuring that these markets are working effectively is one of the CMA's priorities.  The CMA acknowledges that the internet is "an increasingly important channel for businesses to advertise and sell their products, as it opens up markets, provides customers with more choice and enhances price competition".  As well as different forms of price-fixing, the CMA is also currently investigating the issue of online sales bans imposed by suppliers (on 9 June 2016, the CMA issued a statement of objections to Ping Europe Limited in relation to its ban on retailers selling its golf clubs online).

Online sales activities are also the subject of increased attention by the European Commission.  In 2015, it launched a sector enquiry into e-commerce and it is due to publish its final report in early 2017.  Its provisional findings have highlighted a variety of arrangements and practices which potentially infringe competition law, including pricing restrictions.

Is online retail particularly prone to price-fixing and, if so, why?

Price-fixing is by no means a new phenomenon. However, the CMA, and other competition authorities such as the European Commission, have acknowledged that one of the main features of e-commerce is price transparency. This, of course, can be extremely beneficial for consumers, who are able to shop around for the best value products more effectively. Price transparency can drive price competition as competitors can react unilaterally and quickly to pricing changes in the market place. However, this transparency also makes it easier for competitors to collude over prices and monitor compliance with illegal price-fixing arrangements. Similarly, retailers are well aware that manufacturers and suppliers can, and do, monitor readily the retail prices for their products and, thus, retailers may be more reluctant to deviate from pricing or maximum discount "recommendations" of their suppliers for fear of retribution.

How widespread is the use of automated re-pricing/price management software, what are its risks and has the CMA produced any guidance in this area?

In its recent preliminary e-commerce inquiry report, the European Commission confirmed that approximately half of the retailers, who had responded to its questionnaire, had stated that they track the online prices of competitors. Of these retailers, 67% were using automatic software programmes to do so. 78% of these software users would then adjust their own prices to those of their competitors. The European Commission found that most retailers adjusted their prices manually, but a "significant number" used both manual and automatic price adjustments, whilst about 8% only used automatic adjustments.

There was also an acknowledgement that some manufacturers were engaging in tracking the online retail prices of their products sold by distributors (approximately 30% did so systematically and others on a more specific basis) and 38% of these manufacturers used price-tracking software.

Price-tracking software is certainly becoming more prevalent and sophisticated. Its use does raise the question of whether it provides perfect competition so that retailers can, and do, respond unilaterally and competitively to pricing developments in the marketplace or instead whether it has an adverse effect on competition by either facilitating or strengthening collusion between retailers  or enabling manufacturers to monitor and enforce retailers' compliance with their particular pricing policies.

This is a question which the European Commission is likely to have to consider further in the not so distant future. For its part, the CMA has warned against using automatic re-pricing software to give effect to illegal price-fixing agreements. It is not the use of price-tracking software which is problematic, but the purpose behind its use. The CMA has also highlighted that software providers could themselves be at risk of infringing competition law in circumstances where they assist their clients in using the software to facilitate their price-fixing agreements.

What are the main regulations governing price-fixing for online retailers? What are the penalties and can consumers take action individually?

The Rules:

The Chapter I prohibition under the UK's Competition Act 1998 covers, inter alia, agreements between undertakings and concerted practices which may affect trade within the UK and which have as their object or effect the prevention, restriction or distortion of competition within the UK. Most forms of price-fixing, whether between retailers or between a retailer and its supplier, i.e. irrespective of whether it is a horizontal or vertical arrangement, will fall within this Chapter I prohibition.

In addition, in circumstances where retailers agree between themselves, i.e. as competitors, to fix prices, including arrangements not to undercut each other, this may also constitute a cartel offence under s188 of the UK's Enterprise Act 2002. This provides, inter alia, that an individual is guilty of the cartel offence where he/she agrees with at least one other person to make or implement an arrangement to fix the price for the supply in the UK (other than to each other) of a product or service.

As e-commerce provides greater scope for cross-border trade, in some instances, price-fixing between online competitors may also infringe Article 101 of the Treaty on the Functioning of the EU. The UK's Chapter I is based on Article 101 with the only difference being the geographic scope as Article 101 requires the effect on trade to be between Member States.

The Penalties:

At both UK and EU level, a competition law breach can result in a company being fined up to 10% of its worldwide turnover for its involvement. However, participation in a cartel in the UK also risks serious consequences for the individuals concerned. If found guilty of the cartel offence, an individual could face an unlimited fine and/or imprisonment of up to five years. Directors can also be disqualified from office for up to fifteen years, whether or not the Chapter I breach also constitutes a cartel.

Consumer Action:

It may be very difficult for individual consumers to gather evidence of price-fixing between competitors. Retailers are unlikely to advertise the fact that they are agreeing between themselves to charge the same prices (as opposed to price matching and compensating consumers if they can find the product cheaper elsewhere) or not to undercut each other. If consumers do have evidence, this can be presented to the CMA, but the question of whether the CMA will take action will depend on the actual evidence and also its administrative priorities at that time.

However, if a retailer is the addressee of an infringement decision by the CMA (or the European Commission), there may be the possibility of follow-on damages action against it, in the form of a class action.  The first class action to be launched in the UK is on behalf of consumers, who allege that they have overpaid for their mobility scooters as a result of online retailers being prevented from selling the supplier's scooters online below the Recommended Retail Price.

Have there been any recent noteworthy cases in this area?

Online Price-fixing between Competitors and the Use of Pricing Software:

As mentioned above, the CMA concluded that two online sellers of posters (including popular images the likes of Justin Bieber and One Direction) and frames had participated in an illegal price-fixing cartel (Decision 50223 of 12 August 2016).  These sellers had agreed not to undercut each other in respect of the products, which they both sold on Amazon's UK website, except in circumstances where a third-party had offered the product at a better price.  As well as being competitors, one of the retailers was a major customer of the other and complained that it was being undercut.

The parties used automated re-pricing software to monitor and adjust their prices, whilst ensuring that they did not undercut each other. They continued to monitor and discuss the situation, particularly when issues with the re-pricing software arose.

In this case, the software providers were not found to be in breach of competition law. However, the CMA has warned that, if software providers do help their clients to use software in order to facilitate an illegal price-fixing agreement, they too are at risk of breaching competition law and of facing serious penalties.

Each of the online retailers had annual turnover of under £16 million.  One of the sellers received immunity from fines for reporting the cartel and then co-operating throughout the investigation under the CMA's leniency policy.  The other party was fined £163,371.

Online RPM:

In May 2016, the CMA imposed fines of almost £2.3 million and over £780,000 on a supplier of commercial fridges (Decision of 24 May 2016 - CE/9856-14) and a bathroom fitting manufacturer (Decision of 10 May 2016 - CE/9857-14) respectively as a result of RPM price-fixing. The fridge supplier had imposed a 'minimum advertised price' which restricted the price at which retailers could advertise the particular product online.  Retailers were threatened with higher purchase prices for the fridges or a refusal to supply them, if they did not comply.  Similarly, in the bathroom fittings case, the manufacturer threatened retailers if their online price were not set at the "recommended" online price or above.  The CMA has said that it "is keeping an active watch on potential RPM agreements in the online space and is prepared to act against firms breaking the law".

What should online businesses be aware of as sales activity intensifies at this time of year?

It is important to remember that competition law applies throughout the year. However, as online sales activity intensifies at this time of year, in the interest of achieving desired sales, online retailers may be facing additional pressure to discuss or agree pricing with their competitors.

Online retailers should bear in mind that:

• they are obliged to comply with competition law, irrespective of the size of their business;
• it is a useful time to remind their employees of the need for competition law compliance;
• they, and their staff, must not discuss their pricing policies or intentions with competitors;
• no-one within the business should agree with a competitor to particular pricing or discounting levels or to not undercut each other;
• they should be vigilant for any potential infringements; and
• they should seek immediate advice if there are any concerns that they may have breached competition law.

As set out above, the CMA does operate a leniency policy, whereby it may be possible for a company to obtain up to 100% immunity from fines and, if relevant, for individuals to also be granted immunity from prosecution. The availability, and level, of leniency will depend on what information the CMA already has and where in the queue the leniency application is. Timing can be everything as it is only the first leniency recipient which can obtain 100% immunity.

Introduction

On 29 September 2016, the UK's Competition and Markets Authority (the "CMA") announced the launch of a market study into digital comparison tools ("DCTs"), including price comparison websites as well as smartphone apps and other digital intermediary services which UK consumers can use to compare products and services. This had been highlighted as an area of focus in the CMA's 2016/7 Annual Plan. A market study enables the CMA to examine why a particular market may not be working well.

The market study

As a result of its investigations into private motor insurance, energy and banking, the CMA has acknowledged that DCTs "can play a powerful role in increasing competition and helping consumers to find better deals and switch". Part of the CMA's objective is to understand why DCTs have been more successful in some sectors rather than others and to establish whether anything further can be done "to ensure consumers and businesses can benefit from them more widely". In addition, the CMA is looking into concerns raised about the extent to which consumers can trust the information provided and about potential restrictions on competition.

The CMA is proposing to address four main areas:

• consumers' expectations, use and experience of DCTs;
• the impact of DCTs on competition between suppliers listed on them;
• the extent to which DCTs compete effectively with each other; and
• the extent to which existing regulation is effective.

In its study, the CMA is proposing to draw on its experiences of DCTs in those sectors which have been the subject of its recent market investigations, in particular private motor insurance, energy and personal current accounts. To a lesser extent, the CMA will also focus on home credit, payday lending, extended warranties, hotel online booking and legal services. The CMA is also proposing to focus on four new sectors, namely: home insurance, broadband, credit cards and flights. Although the CMA is directing its attention to these sectors, it is expecting to draw conclusions which will apply across a wider range of sectors. The CMA will also work with the UK Regulators Network and draw on their September 2016 Report into price comparison websites.

Consequences of a market study

There are a number of possible outcomes (sometimes in combination) following a market study as the CMA may:

• give the market a clean bill of health;
• identify action to improve the quality and accessibility of information to consumers;
• encourage businesses in the market to self-regulate;
• make recommendations to government to change regulation and/or public policy;
• take competition or consumer law enforcement action;
• decide to launch an in-depth market investigation; or
• decide to accept undertakings in lieu of such a market investigation.

Next steps

The CMA has set a deadline of 24 October 2016 for comments from interested parties on the scope of this study. It then has until 28 March 2017 to confirm whether or not it proposes to launch an in-depth market investigation. Its final market study report, setting out its findings and any proposed action, will be published by 28 September 2017.

Insurance firms have always been concerned with predicting and assessing risk using the wide array of information available to them. Over the last few years an increase in computing power has opened up the possibility of analysing increasingly large datasets, collected from diverse sources including social media. This has brought with it a range of additional challenges.

Unsurprisingly, this innovation in the use of data has attracted the attention of the FCA, which issued a "call for inputs" from Insurers in November 2015 (which we reviewed here).  The purpose of this was to inform the FCA's understanding of the uses of big data in insurance. In particular it aimed to identify the benefits and risks associated with big data, how they might evolve in the future and how they might impact on consumers.

After receiving numerous responses from insurers and meeting with a variety of key stakeholders, last week the FCA published a feedback statement outlining its findings and considering the next steps. The FCA's review focused on the use of big data in the retail general insurance sphere, however many of the findings will be equally applicable to other areas of insurance and retail financial services where the use of big data is becoming increasingly prevalent.

The FCA's findings

The FCA found that big data produces a wide range of benefits for both consumers and insurers. In particular, the FCA highlighted the fact that big data has allowed firms to develop new and innovative insurance products.  It can also be used by firms to transform how consumers deal with insurance firms, streamlining both the sales and claims processes.

Despite this, the FCA's feedback statement still identified a number of concerns that it had with the use of big data. These concerns focused on two main areas:

1. Risk Segmentation - Big data can potentially increase risk segmentation as it can be used to model a consumer's risk profile more accurately. This raises the possibility that some consumers, deemed higher risk, may be unable to obtain insurance or may be unable to afford any such insurance. However, in the parts of the general insurance sector that the FCA reviewed, they found that these concerns are not yet materialising. Going forwards, the FCA has promised to remain alert to the potential exclusion of higher risk customers as a result of increased big data analysis and have said they will engage the government if this becomes necessary.
2. Pricing Practices – Insurers may use big data to enable them to price risks in ways which do not reflect a consumer's risk profile or the cost of providing such insurance. This is because big data may enable firms to identify certain customers or types of customer who have the willingness or ability to pay more for their insurance, leading to poorer consumer outcomes. At this stage, the FCA plans to further investigate pricing practices of firms in the general insurance sector but has promised to intervene only "if we identify one or more market issues where we think a regulatory intervention would improve the outcome".

There was also a concern raised by the call for inputs that the use of big data may hinder competition, by acting as a barrier to entry. However, the FCA found no evidence of this.  

What next?

Following this analysis the FCA has decided not to launch a full market study into the use of big data. Instead it will be taking forward the measures detailed above as well as looking to stay up to date with developments in the market through its usual supervisory and intelligence activities. It has also offered to jointly host a roundtable discussion with the ICO with the aim of discussing the increased use of different data sources and the data protection risks associated with this.

Commenting on the study and this decision, Christopher Woolard, director of strategy and competition at the FCA said, "There is potential for Big Data to transform practices across general insurance markets, and some consumers are already seeing benefits but there are also some risks to consumer outcomes. While we have decided not to launch a full market study, we are undertaking further work in this area and with the Information Commissioner’s Office to ensure our rules and policies keep pace with developments in the market, but also do not prevent positive innovations."

However, these plans have been dealt a blow following publication of net neutrality guidance from an EU telecoms agency in recent weeks. The Body of European Regulators for Electronic Communications (Berec) published guidelines which state that telecoms companies "should not block, slow down, alter, restrict, interfere with, degrade or discriminate advertising when providing an IAS (internet access service)". Net neutrality is the principle that all data should be treated equally, and according to Berec this means that ISPs should enable access to all content (ads or otherwise), regardless of its source.

This does not prevent consumers from installing ad-blocking apps, but the Berec guidelines do make it clear that network-level blocking should be prohibited. It will be up to Ofcom to apply the guidelines within the UK.

Back in January, Three announced its intention to become the first European mobile operator to block advertisements across its network. Three has been trialling the technology in the UK and Italy, and has since announced plans to roll out the scheme internationally.  Whether or not Three presses ahead with these plans following the Berec guidelines will be interesting to see; they had previously said that they were confident their plans would not breach EU net neutrality regulations, as consumers would be required to opt-in to the ad-blocking service.  It is also yet to be seen how (if at all) other major telecoms companies will respond to the guidelines.

While the Berec guidance has been met with criticism from telecoms companies, publishers and media companies will see this as a hugely positive step. Many such companies rely almost exclusively on advertising revenue, and argue that ad-blocking technology undermines their entire business models, resulting in consumers having to pay for content that they currently get for free. In March, visitors to the New York Times website who were running ad-blocking software were met with the message "The best things in life aren't free", and were asked to either pay for a subscription or disable their ad-blocker.

Ad-blocking technology is seen by many companies as a blunt tool which offers an "all or nothing" scenario. Certain companies, most notably Facebook, are taking a stand against ad-blocking by introducing technology of its own which makes it more difficult for users to avoid ads. Facebook is also encouraging users to provide feedback on ads so that they can provide a more tailored (and in theory less irritating) selection of ads for each individual user. In doing so, Facebook are hoping to find some middle ground where consumers are not bombarded with unwanted ads, while maintaining the ability to provide free content and generate revenue from advertising.

"A person must not cause or permit any article or animal (whether or not attached to a parachute) to be dropped from a small unmanned aircraft so as to endanger persons or property".

What is a Drone?

SUA, also loosely referred to as UAV (Unmanned Air Vehicles), UAS (Unmanned Aircraft Systems) or RPAS (remotely piloted aircraft systems) are more colloquially known as "drones". They are used in various civil industries to carry out important tasks from surveillance to transport and a 2015 House of Lords committee publication supported the claim that an estimated 150,000 jobs could be created in Europe in the drone sector by 2050. In the construction industry in particular, drones are fast becoming an invaluable tool, able to generate aerial images which can be used to monitor progress and provide immediate data on any faults that might lead to delays. Recently the Civil Aviation Authority (CAA) announced that it would allow Amazon to bypass certain aspects of the regulatory regime in place for drones, in order to facilitate the development of its "Prime Air" programme. So what are the current regulations?

Applicable Regulations

As unmanned aircraft with an operating mass of 150kg or less, drones are not subject to European Aviation Safety Agency regulations regarding airworthy certifications or pilot licencing etc. Nevertheless, they remain subject to national regulations, chiefly in the form of the ANO 2009. Under Article 255 of the ANO 2009 SUA are defined as:

"any unmanned aircraft, other than a balloon or a kite, having a mass of not more than 20kg without its fuel but including any articles or equipment installed in or attached to the aircraft at the commencement of its flight."

Whilst SUA are exempt from most of the provisions of the ANO 2009 under Article 253, Article 138 of ANO 2009 sets out the overriding obligation that "A person must not recklessly or negligently cause or permit an aircraft to endanger any person or property". The key sections for SUA under the ANO 2009 are Articles 166 and 167. Under Article 166 a person in charge of a SUA may only fly the aircraft if reasonably satisfied the flight can be made safely and they are able to maintain direct, unaided visual contact. 

Under Article 166(5):

"The person in charge of a small unmanned aircraft must not fly the aircraft for the purposes of aerial work except in accordance with a permission granted by the CAA." 

"Aerial Work", defined in Article 259, is designed to cover any purpose, other than commercial air transport or public transport, for which an aircraft is flown if valuable consideration is given or promised for the flight.

Practicalities

If a company wishes to hire the services of a SUA pilot there are various practical steps that should be taken. If, for example, a construction company hires the services of a pilot to survey a construction site they should ensure that the pilot holds a valid Permission for Aerial Work (PfAW) from the CAA, a qualification which must be renewed on an annual basis, for which the pilot must have attended an approved course and passed a number of tests to demonstrate their competence.

Helpfully, the CAA provides a list of all individuals and organisations that hold a CAA Permission for Aerial Work, noting that whilst the companies contained within the list are approved from a safety perspective, the CAA will not take responsibility for the quality of their work.

Operators of SUA for commercial purposes are also advised to make sure that they have comprehensive insurance cover, including from any third party claims, as mandated under EU Regulation 785/2004. For drones over 20kg the minimum level of cover is set at €660,000, however, as a recent House of Lords Committee pointed out, this level of cover would be insufficient to cover the cost of compensation in the event of a serious accident to a member of the public and even operators of SUA under 20kg should bear this aspect in mind. 

Consequently, if a company hires out a drone operator it would be wise to ensure that the pilot warrants, inter alia that:

• they hold a valid PfAW;
• they have a comprehensive insurance package (the terms of which should be reviewed to ensure they are consistent with the task at hand); and
• that they operate in compliance with all applicable law.

To protect itself in the event of breach of any of these warranties or a third party claim a company should ensure it obtains an indemnity from the drone operator.

Conducting Operations "In House"

If a company wishes to undertake aerial operations "in house" with their own SUA they may still be required to obtain permission from the CAA. 

Under Article 167 a "small unmanned surveillance aircraft" refers to an SUA which is equipped to undertake any form of surveillance or data acquisition, thus covering drones that could be used to survey a construction site. Resultantly, among other restrictions, under article 167(2), a person must not fly a small unmanned surveillance aircraft: (a) over or within 150 metres of any congested area; (b) within 50 meters of any vessel vehicle or structure not under control of the person in charge of the aircraft; or (c) within 50 meters of any person without first obtaining a PfAW issued by the CAA. The person may also need to submit an Operational Safety Case (OSC), including a risk assessment of the operation. Further details regarding the requirements for obtaining an OSC may be found in chapter 3, section 2 of the CAA's guidance document, CAP 722.

In addition to the requirements mentioned above, it is important to be aware that there are various sites in the UK in which it is strictly forbidden to operate drones. All such information can be obtained via the National Air Traffic Agency's (NATS) Aeronautical Information Service (AIS).

If you have any queries regarding the use of drones for commercial purposes, Andy Crystal (andrew.crystal@rpclegal.com) from RPC's Technology and Outsourcing team and Ben Wilkins from RPC's Construction and Project Team (ben.wilkins@rpclegal.com) would be happy to help.

The CMA has increased its focus on vertical arrangements. At a European level, the European Commission is conducting an inquiry into the e-commerce sector to identify possible competition concerns, particularly in respect of cross-border online trade. Against this climate, online businesses can expect increasing scrutiny over their commercial dealings which fall foul of competition law.

What is resale price maintenance?

Resale price maintenance (RPM) is a type of price fixing arrangement which occurs, for example, when a retailer and supplier agree that the retailer will only sell or advertise the supplier's products to customers at a particular price or above a certain minimum price. RPM can also occur indirectly in situations such as where the retailer is prohibited from discounting below a certain level or where the retailer is incentivised to make sales at a certain price. Retailers may sometimes face threats from suppliers of higher prices being imposed or supplies being withheld, if certain prices are not achieved (as occurred in the cases mentioned above).  An RPM arrangement may be agreed in writing or verbally.

RPM prevents retailers from independently determining their prices and potentially offering lower prices to their customers. This could prevent consumers from obtaining the full benefit of the online marketplace and reduces the effectiveness of being able to "shop around" to obtain the best price more easily than in traditional bricks and mortar shopping channels.

RPM is relevant to other vertical relationships as well as the supplier and retailer scenario. The same principles apply to an arrangement between a supplier and its distributors. Its distributors must be free to set the prices at which they resell the relevant products.

RPM is recognised as generally being anti-competitive and, thus, an illegal practice under both UK and EU competition law (under the UK Competition Act's Chapter I prohibition and under Article 101 of the Treaty on the Functioning of the European Union respectively).

What are the implications for Recommended Retail Prices?

The prohibition on RPM does not mean that suppliers cannot suggest Recommended Retail Prices (RRPs). Any RRP must only be just that, a recommendation, and the retailer must remain free to determine independently the price at which it resells the products to its customers.

Can a supplier legitimately control pricing?

The restrictions on RPM will not apply to an arrangement where a supplier appoints an agent rather than a distributor to sell goods on its behalf. However, care always needs to be taken when appointing an agent to ensure that, from a competition law perspective, it is a genuine agency arrangement so that the supplier may determine the prices at which the agent sells the products. 

What are the penalties for infringement?

The CMA can impose fines on both retailers and suppliers, if it finds that the parties have violated competition law by agreeing to fix the retail prices. The parties risk a fine of up to 10% of their business's worldwide turnover.

RPM fines have also been imposed in other Member States and by the European Commission. Earlier this year Hewlett Packard was fined in Austria for agreeing to set product prices with retailers both in stores and online. Swatch and four of its distributors were also fined 500,000 euros in Poland in December 2015 for agreeing minimum retail prices for a range of watches sold in stores and online.

Key things to remember when considering online pricing arrangements:

The CMA has published useful guidance notes, case studies and even videos to help businesses to understand RPM (and competition law compliance more generally).

The key points to note about RPM are as follows: 

• suppliers must not dictate the specific price or a minimum price at which products are sold by the retailers, whether online, in store or otherwise;

   

• suppliers should not insist on a minimum advertised price for online sales;

   

• while it is legal for a supplier to recommend a retail price, a retailer must have the discretion to decide its own retail price for its customers and a supplier must not take any steps to enforce an RRP;

   

• actions, such as offering financial incentives or making threats (of withholding supply or offering less favourable terms, for example) in order to force the retailer to maintain certain resale prices are likely to equate to RPM; and
  

   

• if the retailer and supplier agree to sell products at a fixed or minimum price, both parties may be found to be breaking competition law and each could be liable for a significant fine.

• Customers should always seek to include express delivery up provisions and give careful consideration to how any audit check is designed to operate;
• whilst it is open to parties to agree that certain breaches are not repudiatory, the mere presence of cure period provisions will not exclude the common law right to terminate for repudiatory breach; and 
• contracting parties need to be aware of the fact that variation by email, even in the presence of a standard variation clause, can be effective. 

In the guidance, the term 'cloud' is defined widely, encompassing a range of different IT services provided in various forms over the internet (and, importantly, concludes that where a third party provides services to a regulated firm over the cloud that is still 'outsourcing').  The FCA comments that if firms have proper regard to the risks highlighted then there is no reason why cloud services cannot be implemented in compliance with the FCA's rules. 

It identifies a number of risks that affect the degree of control exercised by a firm. Namely:

• that cloud customers may have less scope to tailor the service provided;

• that cloud customers may also have to accept that cloud service providers will move their data around; however in some cases cloud customers may be able to specify which overall geographic region their data is stored; and

• that firms should consider the risks associated with outsourced service providers who may contract out part of their operation to other cloud providers. This may occur without firms realising.

The guidance goes on to provide information on a number of areas that a firm should consider during the lifecycle of any outsourcing of IT services that is essential to the core functioning of the business. This includes:

• Legal and regulatory considerations – in particular firms should ensure that the outsourced service is appropriate to meet the firm's regulatory requirements. In addition it urges that firms should identify whether their contract is governed by English law and subject to UK jurisdiction and in any event should ensure effective access to data for the firm, its regulator(s) and auditors.

• Risk management – to this end firms should identify and manage any risks introduced by their outsourcing arrangements.  This will include carrying out a risk assessment to identify relevant risks and identifying steps to mitigate them. Firms should make provision in the contract for effective remediation of any breaches.

• Oversight of service provider – even during the outsourcing process firms retain full accountability for discharging all of their responsibilities under the regulatory system. Therefore, firms should ensure that they are clear about the service being provided and where responsibility and accountability between the firm and its service provider begins and ends.

• Data security – firms should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm.

• Data Protection Act – outsourcing arrangements should be compliant with the DPA.

• Effective access to data – there are specific regulatory requirements that govern access to the data held by outsourced providers for regulated firms, their auditors and regulators.

• Access to business premises – specific regulations require physical access to business premises of third party service providers for firms, their regulators and auditors.  ‘Business premises’ in this context can include head offices, operations and data centres.  Therefore it is important to identify which business premises are relevant for effective oversight. The FCA recommends that the right to access these premises should not be restricted except in specific circumstances such as for legitimate security reasons.

• Relationship between service providers – firms should review sub-contracting arrangements to ensure that these enable them to continue to comply with their regulatory duties. 

• Change management – firms should be mindful of the risks that can be introduced when changes are made to processes and procedures. To this end firms should have in place an effective change management process that considers what provision has been made for future changes to technology services, as well as how to test any changes that take place.

• Business continuity – a firm should have in place appropriate arrangements to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption.

• Exit plan – firms need to have in place plans to exit outsourcing arrangements that do not cause excessive disruption to the provision of services and enable compliance with their regulatory regimes. 

The draft guidance provides some useful practical guidance as well as clarifying some of the legal issues that are of concern to firms.  However, the relatively 'high level' of the proposed guidance means that firms will still have to work out for themselves how to assess and manage the risks involved in buying services that utilise the cloud. 

The FCA has invited feedback on the proposed guidance by 12 February 2016. After this date the FCA intends to publish the final guidance on its website.

The call for inputs shows the areas of particular interest to the FCA and the issues that it is likely to focus on in any future market study that it undertakes on the topic^[1]. Insurance firms should be mindful of these when developing their big data strategies. 

Defining "big data" 

The FCA characterises "big data" as meaning: 

• the use of new or expanded datasets and data, including from unconventional sources;adopting new technologies required to generate, collect and store these new forms of data; 
• using advanced data processing technologies and sophisticated analytical techniques; and
• applying this data knowledge in business decisions and activities 

Focus of its investigation – motor and home insurance 

The FCA wants to form a "balanced view" of the impact of big data. It recognises that big data presents many opportunities to insurance companies and insureds and is keen to explore these. However, it also wants to understand the risks associated with big data in the insurance sector, especially on consumers.  

It is therefore focussing its investigation on retail general insurance (GI) products, particularly in the context of private motor insurance and home and contents insurance. These are areas where, in addition to well-known big data "sources" (e.g. social media, social listening and data aggregators), insurers can potentially collect a huge amount of data on consumers' behaviour and lifestyle from technologies such as telematics and connected home devices. This gives rise to interesting questions in the context of pricing and risk profiling. 

Within this general area of focus, the FCA intends to consider the following three topics: 

Does the use of big data affect consumer outcomes?

• Big data has the potential to accelerate the trend towards "risk micro-segmentation" (i.e. the grouping of consumers into much smaller risk pools than before) due to insurers' improved ability to identify individual consumer characteristics. The FCA notes that this could result in changes to the premiums that consumers face. It might also change which retail GI products are available to which consumers, as insurers might be able to select more accurately which risks they choose to take on board. This could ultimately lead to some consumers being unable to find coverage.
• The FCA wants to understand the extent to which insurance firms are able to collect information about persons' characteristics or behaviour and use this to charge different prices to different consumers for reasons other than risk or cost.
• Big data may affect consumer behaviour. The FCA wants to understand the extent to which applications of big data designed to incentivise less risky behaviour (e.g. telematics devices in cars) may turn into requirements or conditions of accessing insurance in the future. It also wishes to consider how the use of big data may impact trust in retail GI firms and how this affects consumers' behaviour and the amount that firms are willing to invest in big data.

Does the use of big data foster or constrain competition?

• The FCA wants to explore whether big data improves or hinders consumers' ability to access and make choices about retail GI products and providers. How easily can consumers replicate or port data when they change providers and is this likely to result in barriers to switching?
• The FCA thinks that barriers to entry and expansion could be created by the used of big data. If an insurer is unable to make the required investment in big data, they could become uncompetitive and lose market share. Big data use could also increase or create a market power that could result in competition being restricted.  

Does the FCA's regulatory framework affect developments in big data in retail GI?

• Can the FCA's current regulatory framework (including the Principles for Business, FCA Handbook and Guidance, non-handbook guidance and other regulatory communications and statements) constrain or foster the potential for substantial innovation that big data presents?
• The FCA is also interested in understanding how data protection legislation will impact how big data is being used in insurance^[2]. The FCA's focus on retail insurance suggests that it sees data protection as one of the biggest issues at play in this area. 

Next steps 

The next step is for the insurance industry to respond with views, examples and evidence of how big data is impacting (and is likely to impact) consumers and competition within the sector. The FCA has asked for this by 8 January 2016 and the full details of what the FCA is asking for can be found here. 

The FCA expects to publish a feedback statement mid-2016, in which it will set out its findings. This might include proposals for a market study or even a decision that no further work is needed.  In any event, it will give a better steer as to whether the FCA believes there is a need for increased regulation in this area. 

In the meantime, insurance firms should think carefully about how their big data strategies might impact their consumer customers, in particular the products made available to them, the price they pay and the impact on their privacy.

[1] In its 2015/2016 Business Plan, the FCA announced its intention to review how insurance firms use big data.

[2] The FCA refers to the Data Protection Act, the Privacy and Electronic Communications Regulations and the upcoming General Data Protection Regulation.

This note explores the key features of section 54 of the Act and what it will mean for UK companies.

The new reporting obligation - who needs to comply and what must they do?

Section 54 of the Act imposes reporting requirements on all businesses: 

• which carry out any or part of a business in the UK;

• which supply goods or services; and

• which have an annual turnover exceeding £36 million. 

These businesses must prepare a slavery and human trafficking statement each financial year, describing the steps they have taken during the year to ensure that their businesses and supply chains are slavery and human trafficking free. 

The requirement to publish an anti-slavery statement only applies for financial years ending on or after 31 March 2016, so there is a five month period before the very first reports are legally expected. 

What does the statement need to say? 

The Act states that the annual statement must include: 

• a brief description of the organisation’s business model and supply chain relationships;

• a description of the organisation's policies relating to slavery and trafficking;

• a description of the training on slavery and human trafficking available to its staff;

• a description of the procedures it has in place to check for slavery and human trafficking in its supply chain;

• a description of the parts of its business and supply chain where there is a risk of slavery and human trafficking and a description of how the organisation manages those risks; and
  
  
• a summary of its effectiveness in ensuring that there is no human trafficking or slavery taking place in its business or supply chain, measured against appropriate performance indicators.

• alternatively, businesses can comply with the Act by publishing a statement confirming that no steps are taken to ensure that slavery and human trafficking are not taking place within the business and supply chain. In reality, businesses are unlikely to use this option, as it could attract negative stakeholder and media attention, which could damage reputation and profit. 

How should the statement be published? 

The statement must be published on an organisation's website and a link to it must appear in a prominent place on the homepage. Each subsidiary within a group that exceeds the threshold referred to above must publish a statement on their website. 

Who must approve the statement? 

In the case of a company, the statement must be approved by the board of directors and signed by a director. In the case of a LLP, the statement must be approved by the LLP members and signed by a designated member. 

Enforcement – what are the consequences of not complying? 

In England and Wales, the government can enforce the requirement to prepare a statement by way of an injunction requiring the organisation to comply. The government seems unlikely to take such action without warning. However, where enforcement action is taken, it is likely that the government will "make an example" of a high-profile organisation in order to try and achieve wider compliance with the Act.

In addition to the risk of legal action, companies that do not comply with the requirements are likely to face reputational risk, as pressure groups "name and shame" companies that are non-compliant.

What should businesses do now? 

Businesses should: 

• assess whether they fall within the scope of businesses that must comply with section 54 of the Act;

• identify who is responsible for developing the statement;

• consider what policies are in place within their organisation with regard to slavery and human trafficking and the extent to which those will stand up to public scrutiny;
• consider their procurement practices, including the information they collect from their contractors, the checks and audits that they carry out and the policies and procedures that they require their contractors to comply with;
  
  
• map their supply chain and identify jurisdictions or types of suppliers who present the most risk;
  
  
• consider the appropriate policies and procedures against the identified risks and start outlining what might go into a statement;

• consider how the statement might look to a visitor to their website and/or customers; and

• include appropriate contractual terms in their agreements with contractors, including appropriate warranties regarding slavery and human trafficking, appropriate audit rights and appropriate restrictions on sub-contracting and assignment. Such provisions should also be flowed down to subcontractors. 

For more information on the reporting requirements under the Modern Slavery Act 2015, please contact Lara White or Patrick Brodie.

When WiFi is enabled on your smart phone (meaning purely you have the option to connect to a WiFi connection; you don't actually have to be connected to a WiFi signal) your phone sends out your unique MAC address to the nearby routers that are available. This MAC address is picked up by these routers, along with your location. Your movements can therefore be tracked.

This location data is invaluable to businesses. For example, it can show retail stores what percentage of passers by enter their store. Going one step further, it's possible for this retail store, by comparing data from different days, to assess the effectiveness of its various shop window displays or signs. Geolocation data can also, for example, help local councils assess footfall across a particular area, meaning they can allocate council workers or police appropriately, or help stadium owners with exit routes and health and safety.

But how many people actually know that this occurs? Privacy campaigners argue that not many of us do. They also argue that, even if the geolocation data that is collected is anonymised, users can still be indirectly identifiable. For example, a period of sustained, repeated inactivity in a residential area during the night would most probably signify that person's home. Similarly, inactivity during weekdays would point towards that person's place of work.

Supporters of the collection of geolocation data cite the pseudonymity of the data as a strong reason for its use. Although how do we know that companies aren't flouting the law and going that one step further by combining geolocation data with other information they hold, meaning they can identify us without our knowledge?

The current proposals under the EU's General Data Protection Regulation suggest that this practice will continue to be permitted once the Regulation is adopted. The Regulation – which is still in draft – will harmonise data protection law across the EU. There have been significant delays during the legislative process and it is now looking as though we may not see ratification of the Regulation until 2016, with enforcement beginning in 2018.

When gathered legally and used correctly, geolocation data can greatly benefit businesses and consumers alike – especially if targeted advertising is consented to by the consumer. Personally, if my favourite coffee shop is doing a half price deal, I'd want to be alerted to this on my phone as I walk past and take full advantage!

It is hoped that achieving a Digital Single Market will open up opportunities and lead to significant growth in Europe's economy and unlocking of e-commerce potential. The Commission has produced a fact sheet outlining the benefits which it considers will flow from a Digital Single Market. A copy of this factsheet may be accessed here.

ICT standards are the pillar of the Commission's vision and it recognises them as being critical to the operation of a Digital Single Market. Such standards are required to make different systems work together and to promote the use of open platforms and interoperability of devices, applications, systems and services. According to the Commission, ICT standards are needed to boost innovation and reinforce competitiveness across the EU. There is no escaping digitisation and therefore, the Commission's view is that interoperability is essential to ensure that Europe fully adapts to the digital transformation.

Input is invited from Standards Development Organisations, companies, SMEs, national regulators, researchers, stakeholders' associations, public authorities and any other interested parties.

The consultation is set to focus on the following key technological areas: 

• 5G communications
• Cloud computing
• Cybersecurity
• Data driven services and applications
• Digitisation of European Industry
• eHealth
• Intelligent Transport Systems
• Internet of Things
• Smart Cities and efficient energy use 

A link to the consultation may be found here. It will close on 16 December 2015. 

The Commission intends to consider the input collected from this Consultation alongside other input it is obtaining from ICT standardisation experts. This information will be used to build an ICT Priority Standards Plan by the first half of 2016 which will set priorities to ensure that the most relevant standards are developed in a timely manner.

Extension of essential supplies

Currently the Insolvency Act 1986 protects the supply of gas, water, electricity and communication services to an insolvent customer. It has the effect of voiding the often seen clause that a supply agreement will terminate automatically in the event the customer enters administration or a Company Voluntary Arrangement (the clause is valid, however, where liquidation takes place, as liquidation is a terminal process).

The Insolvency (Protection of Essential Supplies) Order 2015, by virtue of the Enterprise and Regulatory Reform Act 2013, extends this protection to supplies provided "for the purpose of enabling or facilitating anything to be done by electronic means". The Order specifically protects the customer's:

• point of sale terminals;
• computer, hardware and software;
• information, advice and technical assistance in connection with the use of information technology;
• data storage and processing; and
• website hosting. 

Exceptions

Whilst there is an obligation on the supplier to continue the "essential supplies" there are exceptions to ensure that the suppliers are afforded some protection. The supplier is entitled to:

• request a personal guarantee from the insolvency practitioner as a pre-requisite to continue supply following the customer’s insolvency;
• terminate the contract if the insolvency office-holder consents to such termination;
• apply to the court for permission to terminate the contract based on the grounds that its continuation would cause hardship to the supplier; and
• cease providing the post-insolvency services in the event that bills are unpaid for more than 28 days following the due date.

The good news is that these exceptions mean that an insolvency practitioner is unlikely to require a supplier to provide the essential services unless they have a genuine belief that there is a realistic chance of saving the customer. Furthermore, costs incurred following the initiation of an administration should rank as the costs of the administration and therefore should be paid in priority to all other claims, other than those of fixed charge holders. 

Key points to consider

Suppliers should consider what their standard terms currently state about termination for insolvency and how these changes might impact them. It may be worthwhile to ask your finance teams whether they can quantify any previous losses of this kind to see if they are material. Adding an explicit right to terminate a contract in the event that the post-insolvency fees are overdue by 28 days or more is advisable. For suppliers who, as standard, invoice quarterly in arrears, special consideration should be given to these changes on the basis that even with the 28-day termination right for invoices unpaid, this effectively means a 4 month risk on non-payment.

The changes to the Act will come into effect for new contracts entered into on or after 1 October 2015.

Fundamentally, the Working Party wants to ensure that the reformed framework does not lower the current level of data protection and leaves as little doubt as possible about the rights of data subjects. Added to this is its objective that the text should be as simple, efficient and clear as possible, and that this should all be done without limiting innovation. It's a major juggling act.

As the process edges towards a conclusion, the Working Party's extensive list of recommendations suggests that it wants to ensure that its voice is heard right up until the last moment.

The Working Party's key areas of concern are as follows: 

Consent

The Working Party is firmly in favour of requiring "explicit" consent to the processing of personal data and opposes any attempt to soften the wording to "unambiguous" consent which it believes would create confusion. Its view is that only "explicit" consent would truly enable data subjects to exercise their rights. Moreover, consent should be informed and concern a specific purpose. 

Defining "personal data"

To maintain a high level of protection, the Working Party believes that 'personal data' should be defined in "a broad manner" and should reflect that a person can be identifiable when they can be "singled out" in some way and, as a result, treated differently. It believes that this concept is not reflected in recital amendments proposed by the European Parliament and reiterates that information such as IP addresses and other online identifiers should generally be considered "personal data", in line with recent CJEU rulings¹. 

Pseudonymisation

The Working Party also argues that techniques used to disguise the identity of individuals (or 'pseudonymisation') should be used strictly as a security measure and should not mean the creation of a new category of data. It is concerned that an independent category of "pseudonymous data" may cause confusion and be a way for data controllers to justify derogations from the appropriate level of protection for personal data and the rights of data subjects. 

Principles of compatible use and purpose limitation

The Working Party agrees that data controllers should continue to have a degree of flexibility to process personal data for purposes that are not incompatible with the specific purposes for which it was originally collected.

It does not agree with proposals to allow data controllers to process data for an incompatible purpose when the controller has "legitimate interests" that override the interests of the data subject. Such a balancing test finds favour with 'big data' lobbyists but, in the opinion of the Working Party, it would fundamentally undermine the purpose limitation principle and offer weaker protection than under the current regime.

However, the Working Party strongly supports the view that further processing of data for archiving, scientific, statistical and historical research purposes should remain possible and should be considered as compatible with the original purpose of collection. 

Data Portability

The right to data portability should be maintained as a separate and independent new right from the right to access. One of the aims of a data portability right is to empower the individual to control his/her personal data. Data subjects should therefore be able to request the transfer of their personal data to themselves or to a third person (including a separate data controller) from the moment it has been provided. The Working Party believes that this should apply to all types of processing whatever the legal basis being used for that processing. 

Right to Object

The Working Party is also concerned by the Council's proposal to limit the right to object to cases where the data processing is founded upon the legitimate interest of the controller or upon the public interest or in the exercise of official authority vested in the controller. It believes that this will lead to an unacceptable decrease in the current level of protection.

Restrictions and qualification of rights

Rights granted to the data subject, such as the right to have sufficient information to ensure fair and transparent processing, should not be qualified in any way as being dependent on the "specific circumstances and context in which the personal data are processed", as currently proposed. The Working Party believes that this creates uncertainty and room for interpretation that could actually leave the data subject less well protected than under the current regime.

New grounds have been added by the Council to allow derogations from data subjects' rights for such reasons as "important objectives of general public interests of the or of a Member State" and "the enforcement of civil claims". The Working Party's view is that such "very general and vague derogations" go further than the legal grounds currently permitted under the Directive and are contrary to legal certainty. 

Profiling

The proposals to safeguard profiling are also, in the Working Party's view, similarly unclear. It believes that data subjects may be unaware of customer or user "profiling" and suggests that new obligations on data controllers to ensure that they become more transparent, by clearly defining the purposes for which profiles may be created and used. This might include specific obligations on controllers to inform the data subject of the creation of the profile and the data subjects' rights to object to the creation and the use of profiles. 

Data breach notification

The Working Party agrees that there should be different thresholds for notification of personal data breaches to the data protection authority (DPA) and to the individual. It takes issue, however, with the Council's proposal that a data controller who has taken subsequent measures to ensure that any high risks for the data subject are no longer likely to materialise is exempted from notifying the data subject and the DPA. It considers that this derogation is tantamount to giving "most controllers a justification not to inform the relevant stakeholders".

In addition, the Working Party states that it is not the level of risk but "whether the personal data breach is likely to adversely affect the personal data or privacy" of the data subject that is paramount. 

Data transfers

The Working Party continues to argue against diluting the 'adequacy' principle of international data transfers by allowing transfers on the basis of "legitimate interest pursued by the data controller" based on assessment of suitable safeguards² . It considers this an over-broad derogation. The Parliament has proposed deleting this provision but, if it is to be maintained, the Working Party says that it should at least be on an exceptional basis and only for non-massive, non-repetitive and non-structural transfers. 

Binding Corporate Rules

The Working Party expresses concern over the deletion of the proposals for Binding Corporate Rules for data processors and considers it essential to re-insert them. However, it supports the Council's proposals that set clear legal conditions to allow processors to sub-contract part of their activities, in particular in the context of the development of cloud computing. 

Comment

After several years of what the Working Party describes as intense negotiations, sticking points remain.

The concept of consent has become a key aspect of the debate, with the UK resisting the notion of 'explicit' consent only for the Council's compromise proposal of 'unambiguous' consent to attract criticism for lacking clarity. Clarity may be gained in general guidance, which the Working Party will produce following adoption of the Regulation, although a significant period of bedding in will be inevitable. During this time, organisations with a commercial interest are likely to test key concepts like consent and strain the boundaries of the derogations, particularly in new areas like data breach notification.

Not surprisingly the Working Party recognises that the effectiveness of the Regulation will depend on the ability of DPAs to enforce it. It therefore reminds the EU institutions that DPAs should be equipped with appropriate powers of enforcement and sufficient resources. Sanctions should be strongly reinforced to constitute a "real deterrent" whether the data controller is a public or a private entity.

Effective investigation will depend on increased cooperation between DPAs, particularly via a designated 'lead' authority. The Working Party supports the concept of this "one-stop-shop" but, like much in the rest of the proposals, there is uncertainty over how this will work in practice and this has been left expressly for development by the European Data Protection Board rather than being covered in the Regulation.

But for all its efforts, the Working Party is just one of the voices trying to attract the attention of the Parliament, Commission and Council as they shepherd the reform package through its final stages. Lobbyists from big business, privacy activists and the EU institutions themselves all have their own agendas.

All have very different messages to push and, as they will be keen to point out, "nothing is agreed until everything is agreed".

1 Case C-275/06 Promusicae v Telefónica de España SAU [2008] ECR I-00271 and
Case C-293/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others (ECJ, 8 April 2014)

 ² Article 44(h)

Transparency by design

There have been growing calls for greater transparency around how suppliers deliver outsourced services, in particular given the desire for public scrutiny around how tax payers' money is spent.

The ICO recommends that Authorities should adopt a "transparency by design" approach when drawing up an outsourcing contract. In particular, it recommends that Authorities: (a) proactively publish as much information as possible in open formats; (b) are upfront around what in-scope information is held by them and their suppliers; and (c) put in place measures to enable them to respond effectively to FOIA requests. In relation to the latter, the ICO recommends that Authorities seek to agree with their suppliers a general approach to responding to FOIA requests and giving access to information before entering into their outsourcing agreements. The recommended steps are detailed below.

Actions to take during the contracting process

The ICO recommends that Authorities do the following:

• Agreeing what information is held: The outsourcing contract should define, by way of a broad list, what information regarding the outsourced service is considered to be subject to FOIA [1]. This might include performance data that the Authority has the right to see, information that the Authority passes to the supplier and information that passes from the supplier to the Authority on termination. Such a list would not be definitive and, in the event of a dispute, the ICO would make its own decision as to which information can be withheld and which information must be disclosed. However, the ICO notes that addressing these issues at the outset should: "save time in the long run, remove ambiguities and promote consistency".
• Consider information held by subcontractors: Information held by a subcontractor may be subject to FOIA. Therefore: (a) the list of FOIA information set out in the contract should include information held by subcontractors; and (b) the contract should include a requirement for the supplier to obtain this information from the subcontractors as required. 
• Format of information provided: The ICO recommends that the supplier and the Authority use open data formats to improve the usability of the data and ensure greater transparency.
• Setting out responsibilities in handling FOIA requests: The outsourcing contract should detail the procedures to be followed when a FOIA request is received. This would typically include: (a) obliging the supplier to transfer FOIA requests to the Authority; (b) giving the Authority the sole right to decide what will be disclosed or withheld; and (c) obliging the supplier to assist the Authority in answering requests. The use of standard clauses, such as clause 22 of the Model Services Contract[2], is helpful in setting out the procedures to be followed and the responsibilities of both parties.
• Considering exemptions: Once the list of information likely to fall within the scope of FOIA has been agreed and documented, the Authority and the supplier should identify potentially sensitive areas and types of information that may be subject to FOIA exemptions [3]. The ICO thinks that this list of potentially exempt information (which may change over the term of the contract) may sit better in a working document rather than the contract itself.

Today's consumers are increasingly reliant on digital products for entertainment and productivity, from smartphone apps to streamed songs and movies.
The Sale of Goods Act (SGA) 1979 and the Supply of Goods and Services Act (SGSA) 1982 have traditionally been the foundations of consumers' rights when buying goods or services.  However, since the SGA and SGSA were conceived before the digital era, the existing law is not clear on consumer remedies for defective digital products.

The CRA addresses this issue by establishing "digital content" as a new category of product, covering any data which are produced and supplied in digital form. It seeks to apply familiar consumer rights to digital content as predictably as possible, bringing the consumer rights regime into the 21st century.

Remedies for defective digital content

The SGA implies terms for quality, purpose and description into contracts for the sale of goods. Where a product is defective, the consumer may reject the goods within a reasonable time and obtain a refund or, where it is too late to reject the goods, the consumer may require the trader to replace or repair the goods.  The trader must do this within a reasonable time and without causing significant inconvenience to the consumer.

However, whether the SGA applies to digital content is unclear. The SGA's definition of "goods" suggests that they must be tangible items – meaning that digital content delivered electronically (as opposed to on a CD or DVD) is arguably not goods. Compounding the confusion, the right under the SGA to reject goods and receive a refund poses particular problems for digital works, given the risk (and ease) of copying.

So far, case law has not resolved these points. With the courts' approach far from certain, a consumer seeking a remedy for defective digital content is likely at present to rely on the trader's goodwill rather than strict legal rights.

The CRA, however, introduces specific rights and remedies for the new category of digital content (as long as the consumer has paid a price for that content). It expressly extends the current implied terms to contracts for digital content and, in particular, it also sets out the following remedies where digital content is faulty: 

• consumers can choose to have either a repair or replacement of the digital content, providing that the chosen remedy is not impossible or disproportionately difficult (eg. where a game stored on a consumer's smartphone is corrupt, a repair may be disproportionately difficult compared to a replacement download); and 
• where repair and replacement are both impossible (or the trader fails to carry them out), the consumer can request an appropriate price reduction, reflecting the difference in value between the price paid for the content and what the consumer actually receives (eg. the full cost if the product doesn't work at all). 

The main difference between the SGA and CRA remedies is that consumers cannot reject digital content and receive a refund. 

Services provided along with digital content

In contracts for a "mixed supply" of services and digital content (eg. a music streaming service), the CRA's digital content provisions apply to the digital content, whilst its services provisions apply to the service.

The CRA retains the implied terms in the SGSA (ie. services must be carried out with reasonable care and skill, in a reasonable time and for a reasonable charge). However, it introduces two new remedies for consumers where a trader breaches these terms, namely that: 

•  where a service is not performed with reasonable care and skill, the consumer may request that the service is performed again; and 
• if this is not possible, or where the service is not performed within a reasonable time, the consumer may request an appropriate price reduction. 

Commentary

With the CRA due to take effect from 1 October 2015, traders will need to ensure that their terms of sale comply with the new regime. Whilst the rights which will apply to digital content are familiar ones, the remedies introduced by the CRA do not simply reflect those applicable to physical goods and will require careful consideration.

In particular, traders should be aware of a consumer's right to a price reduction where digital content cannot be repaired or replaced (or the trader fails to do so). Although there is no specific right to reject digital content, where the digital content does not work and the trader does not fix it, the trader may be liable to return the whole sum paid. The scale of the price reduction in the case of less fundamental flaws with digital content may well become a key battleground under the new legislation.

According to an Information Security Breaches Survey carried out by the UK Department for Business Innovation & Skills, in 2014 81% of large UK businesses and 60% of small companies suffered a cyber-security breach.  The Government has now announced new joint initiatives with the insurance sector to help firms manage this risk.  The Government and insurance brokers Marsh have published a report entitled 'UK cyber security: the role of insurance in managing and mitigating risk'.  This report found that whilst bigger firms have acted to secure themselves against cyber threats, these threats grow ever more prevalent as attackers become more sophisticated.

Whilst historically such matters have been confined to the IT/tech industry, companies are being encouraged to place cyber threats at the forefront of commercial risk with the potential to affect all their operations.  Companies can then carry out stress tests to identify their vulnerabilities, be it their IT infrastructure or the threat of 'phishing' through online distribution channels where personal credentials might be obtained to allow access to IT systems.

The potential damage of IP theft is already recognised by many companies but the increasing interconnectedness of day to day life through the 'Internet of Things' is of growing concern.  Reputational damage, however, remains of upmost importance to companies who face huge costs and a drop in consumer confidence if large scale hacks occur.  Such attacks can be 'rapid, highly damaging, and public potentially leading to a vicious cycle of declining investor and customer confidence and therefore cash availability’ according to the report.  As such, companies need to respond appropriately.

The report highlights the lack of awareness of the availability of insurance in this sector and points out that less than 10% of companies have cyber security insurance.  

One initiative that the Government has already backed is Cyber Essentials, an industry supported scheme that helps organisations protect themselves against common cyber attacks.  It provides guidance on the basic controls that all organisations should have in place such as boundary firewalls, internet gateways and access control.  Companies can then use Cyber Essentials Certification as evidence of the security protection they have in place. 

Further recommendations for businesses are highlighted in the report.  A key initiative is that Marsh will launch a new cyber insurance product for SMEs which will cover the cost of Cyber Essentials certification.  Whilst this kitemark system is a good step towards ensuring a basic level of security, businesses should not neglect the fact that cyber threats are an ever-evolving risk that require constant attention and frequent security updates.  

Secondly, the insurance industry should help establish cyber insurance as an essential part of a business's tool-kit.  Better guidance and discussion will be a key part of informing businesses and enabling accurate assessment of this specific type of risk.  The Government hopes that by establishing a standard, insurance companies can better write risk and premium prices will come down.  However, both clients and brokers should carefully consider the types of policies applicable and the exclusions within them. 

As for insurance coverage, London has a reputation for leading on large-scale complex risks that are challenging to underwrite locally. 

Recommendations for the London insurance industry include writing clear statements in policies and reassuring businesses that cyber risk is covered.  By tackling cyber risk head on, the UK wants to become the hub of the cyber insurance market.  There is no doubt that cyber risk is going to continue growing in importance; the challenge will be staying ahead of the game in the context of rapidly advancing technology.

The Court of Appeal has handed down a judgment that makes several notable points on data protection issues: It confirmed that 

• misuse of private information is a tort
• claimants may recover damages under the DPA for non-pecuniary losses
• it is strongly arguable that "browser generated information" collected via cookies may be 'personal data' 

The recovery of compensation for non-pecuniary losses will have the most obvious impact for data protection practitioners, and is the focus of this note. The effect of this case is that individual data subjects may now seek compensation for breaches of the DPA purely by asserting that they have suffered "distress", despite not suffering financial loss. 

Although the courts' approach to awards in "distress-only" cases remains to be seen, the mere possibility of such cases may prove an unwelcome distraction to data controllers. 

We expect that this judgment will result in a significant increase in the volume of civil actions brought by individuals under the DPA, and the legal resources expended by businesses in fighting them. Claims could be brought on an individual basis, or as a group (as in Vidal-Hall). We also expect that 'distress' claims might be added to wider claims such as defamation and employment disputes. 

As a result, it is more important than ever to guard against breaches of the DPA, even those that may previously have been seen as 'low-level' risk. 

Facts

The factual background to the appeal is convoluted but essentially the claim in Vidal-Hall stems from the revelation that Google used cookies to collect "browser generated information" ("BGI") from users of Apple's Safari web browser. By collecting BGI, Google was able to track Safari users' internet usage in order to target advertising at those users more effectively. For example, Google might direct adverts for a hotel or airline to a user who had been researching a holiday. Critically, Safari users had not consented to Google's collection of information generated by their browsers. Alongside claims for misuse of private information and breach of confidence, the claimants sought compensation under section 13 of the DPA, on the basis that Google's activities had breached the Act. The claimants did not, however, disclose any financial loss. 

Legal Background

Article 23 of the Data Protection Directive (Directive 95/46/EC) required member states to implement provisions allowing a person who has "suffered damage" as a result of a data protection offence (as created by domestic legislation) to obtain compensation from a responsible data controller. The UK implemented this requirement through section 13 of the DPA. 

In defining the causes of action available to an individual following a breach of the DPA by a data controller, section 13 draws a distinction between damage and distress. An individual suffering "damage" may recover compensation for that damage from the data controller under section 13(1). In contrast, under section 13(2), an individual suffering "distress" may only recover compensation for that distress where he or she also suffers damage (unless the contravention related to the processing of personal data for journalistic, artistic or literary purposes). In almost all cases, a victim must therefore show pecuniary loss to recover compensation under section 13. 

Johnson v MDU [2007] EWCA Civ 262 was previously the leading case on the interpretation of section 13. In Johnson, the High Court rejected the argument that the inability to recover for standalone non-pecuniary losses under the DPA was inconsistent with the requirements of the Directive. The claimant had argued that the term "damage" as used in the Directive was not restricted to pecuniary loss, since it referred to any sort of damage recognised by member states' domestic laws. The Court disagreed and found that there was no compelling reason for the term "damage" to be extended beyond pecuniary loss – meaning that, according to Johnson, section 13(2) DPA was compatible with the Directive. 

The Vidal-Hall Judgment

The present judgment relates to the claimants' application to serve proceedings on Google outside the jurisdiction. Since the claimants had disclosed no pecuniary loss for Google's alleged breaches of the DPA, this meant that the Court of Appeal was required to revisit the recoverability of non-pecuniary losses under the DPA. 

On this key point, the Court found for the claimants. Since the primary aim of the European data protection regime was to safeguard privacy rather than economic rights, the Court found that it would be odd if a data subject could not recover compensation for an invasion of his or her privacy purely because there was no pecuniary loss. In accordance with this aim, the term "damage" as used in the Directive should therefore be construed to include non-pecuniary losses – meaning that section 13(2) DPA was inconsistent with Article 23 of the Directive. 

Given that Parliament had evidently intended to distinguish damage from distress, it was not immediately clear how section 13(2) could be disapplied. But where there is a will, there is a way. The Court's solution was to find that section 13(2) conflicted with the right to privacy enshrined in the EU Charter of Fundamental Rights. Under EU law, the English court was required to ensure an effective remedy for breaches of the Charter. In this case, the remedy was to disapply the offending provision of domestic law – and so section 13(2) bit the dust. 

In reaching its decision, the Court was clearly influenced by public policy concerns. The Court found that whilst damages awarded for breaches of the DPA have typically been modest, "the issues of principle are large". 

The Court also ruled that it was clearly arguable that the BGI did constitute personal data on the basis that it 'individuates', or singles out the individual, and distinguishes him from others. This was regardless of the fact that i) the BGI did not name the individual and ii) Google asserted that it had no intention of linking the BGI with other data that Google held and which could lead to the individual being identified. The Court did not have to determine the issue finally – only establish that there was a clearly arguable case. If the case does go to a full trial for resolution, then data practitioners can look forward to some valuable guidance on this issue and questions on "identification" more generally.

Contractual discretion

Where a party exercises its discretion under a contract (even if that discretion is expressed as "at its sole/absolute discretion", etc), it must be exercised without arbitrariness, capriciousness, perversity or irrationality. (This should be contrasted with the exercise of "reasonable discretion", which applies additional limits on the discretion in that the reasonableness of the decision reached is then considered by reference to external, objective standards).

The Supreme Court has confirmed that the reference to "irrationality" in the context of contractual discretion is analogous to the judicial review standard of "Wednesbury unreasonableness", ie that contractual decisions will be subject to the same review as administrative decisions.

Importantly, the Wednesbury test has 2 limbs:

•  firstly, that the decision maker has considered those matters it ought to have taken into account (and excluded those matters it ought not to have considered); and
• secondly, even if proper matters considered, was the decision reached so unreasonable that no reasonable decision maker could ever have come to that conclusion. 

Previous cases on the exercise of contractual discretion have typically focussed on the second limb, by considering whether a decision was "arbitrary, capricious, perverse or irrational", but the Supreme Court has clarified that the first limb also applies in the context of commercial agreements. 

Impact

Whilst it remains a high threshold to challenge an exercise of discretion, it's important to bear in mind that it's not just a question of irrationality, you must also consider what issues should be included and excluded when making a decision.  This decision may encourage or make it easier to mount such challenges, as counterparties will raise the question of what material was (or was not) before the decision maker at the time of the decision.

As well as the general point on contractual discretion (on which the Supreme Court was agreed), it is worth noting that comments in the majority judgments suggest that: more scrutiny of a decision may be appropriate in the context of employment contracts; and that the more unlikely the outcome of a decision, the more cogent must be the evidence to support such a decision (although two of the Lords dissented on both these points).

¹ Braganza v BP Shipping Limited and another [2015] UKSC 17

1. How consumers select and use review sites and blogs and extent to which they rely on them.  Does this make consumers vulnerable to being misled when they make buying decisions?
2. How suppliers and intermediaries promote their brands and manage their reputations online and whether they are carrying out practices that have the potential to mislead.
3. What action online review sites, blogs and other sites hosting this material take to ensure that consumers are not misled by their content and whether the way these sites display information on different goods and services may have the potential to distort consumers' decision making
4. Whether 1 - 3 are, on their own or together, leading to significant detriment to consumers and/or businesses.

There will be a focus on three main sectors: home repairs/maintenance, holidays and hotels and beauty products but the CMA has stressed that information connected to other sectors will be welcome.  Response forms are available for bloggers, brand promoters/reputation managers, consumers, review sites and suppliers. The CMA has said that the results should help it to determine if any further action is needed.  For example, consumer enforcement action, advocating legislative change or providing industry guidance.

We think that this call for information is a positive step because online reviews and endorsements are becoming much more of a dangerous area for businesses.  It is important to think about ways to show provenance and credibility of online reviews because for many businesses, this is a pivotal part of the marketing strategy.  This is especially so given the role of social media in review processes which allows reviews to be shared around online communities often with ease and often by just one click of a mouse. 

The CMA's call for information and response forms can be found here.  It will close at 5pm on Wednesday 25 March 2015.  The findings are expected to be published this Summer.

Facts

Staysure's website was targeted by hackers who were exploiting a known vulnerability in the Application Server that Staysure used. The vulnerability was first identified in 2010 and a software fix was published. A further software update was published in 2013 to fix a subsequent vulnerability. However, Staysure did not have formal processes in place to review and install software updates and in both cases failed to implement the required updates. This allowed hackers to access its system in October 2013.

At the time of the attack, Staysure's system contained approximately three million customer records, including personal information such as customer name, date of birth, postal address, payment card details (including card number, expiry date and CVV numbers) and medical screening data. Although the security of all of this information was at risk, the ICO believe that only payment card data was targeted.

The hackers potentially had access to over 110,000 live card details relating to a total of over 93,000 customers however only 5,000 customers card details were used in fraudulent transactions by the hackers. The hackers exploited the vulnerability in Staysure's IT systems by injecting malicious malware into the website. This enabled the hackers to access Staysure's entire system allowing them to decrypt customer payment card details and access CVV numbers. The ICO found that Staysure had failed to put in place adequate policies and systems for checking, reviewing and applying software security updates and drew particular attention to the wrongful storing of CVV numbers on its database in breach of the Payment Card Industry Data Security Standard.

The Head of Enforcement at the ICO commented: “The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security”. 

The press release by the ICO is here. The full ICO notice can be found here.

This new audit right does not extend to private bodies providing healthcare within public bodies. For the full list of the organisations that are caught, please see here.
The Information Commissioner has welcomed the change, which comes after years of lobbying by the ICO as a result of the high level of serious non-compliance in the sector.
Christopher Graham, the Information Commissioner, said:

“The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.

“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.

“We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”

As the ICO has been pressing for these powers so some time, we expect that it will exercise its new powers soon. NHS organisations should prepare themselves for greater scrutiny from now on.

1. General – commencement dates, definitions, and the extent and application of the draft Regulations;

2. Rules implementing the Public Contracts Directive – scope and general principles, rules on public contracts, including choice of procedures, particular procurement regimes, and records and reports;

3. Remedies – including applications to the court;

4. Below-threshold procurements – the draft Regulations contain a number of specific requirements for the procurement of lower value contracts;

5. Miscellaneous Obligations; and

6. Revocations, consequential amendments, savings and transitional provisions.

It is worth noting that healthcare commissioning will fall outside the scope of the new Regulations until 18 April 2016 (when the UK's new 'light touch regime' comes into force). The existing Part B services regime will continue to apply to health and social services until that date.

Principal changes

As discussed in a previous Tech Hub update, the main changes that the new procurement rules will bring about include the following:

• constraints on using the negotiated procedure will be relaxed;
• there will be a much simpler process for assessing bidders’ credentials;
• it will be possible to exclude bidders on the grounds of poor performance under previous contracts;
• the statutory minimum time limits by which suppliers must respond to advertised procurements and submit tender documents will be reduced;
• purchasers can take into account the relevant skills and experience of individuals at the award stage, where relevant;
• various improved safeguards from corruption have been inserted, including specific safeguards against conflicts of interest and
  illicit behaviour by candidates and bidders, such as attempts improperly to influence the purchasers’ decision-making process or collusion; and
• a cornerstone of the modernisation process will be the promotion of electronic procurement systems, the use of which is to become mandatory in less than five years.

The new rules are also designed to save companies a lot of initial paperwork, making the process of bidding for public contracts quicker, less costly, and less bureaucratic, and include:

• a greater emphasis on award criteria such as quality, environmental considerations, social aspects, innovative characteristics, and staff experience, while still taking into account full life-cycle costings;
• a standard “European Single Procurement Document” form in all EU languages;
• an obligation on public authorities to share information on eligible bidders from national databases – designed to make it easier for companies to bid;
• a system based on self-declarations where only the winning bidder has to provide original documents; and
• an 'Innovation Partnerships' procedure enabling public authorities to call for tenders to solve a specific problem without indicating what they believe the solution to be (i.e. allowing for negotiation).

Despite these changes, the rules on public procurement remedies will remain largely the same. For example, the 10 day minimum standstill period between notifying the award decision and contract execution, and the 30 day window to commence litigation, remain unchanged.

Comment

The Cabinet Office seeks responses, by 17 October 2014, to a number of specific questions set out in the Consultation Document. It also invites comments on the draft Regulations by the same deadline.

We anticipate that the new Regulations will come into force in Spring 2015, in line with the Government's aim for early implementation of the new EU Procurement Directives in the UK.

So, for instance, the report highlights the fact that (on average) consumers using mobile banking interact with their bank three times more than those simply banking on-line and some twenty times more than those dealing through their bank branches. That inevitably impacts the way that mobile banking platforms are designed (and their cost).

Interestingly, whilst the report picks up the obvious security concerns that come with mobile banking and payments the FCA apparently "found no evidence to suggest that consumers are currently losing money [specifically] as a result of… payments made via mobile."

The key findings of the FCA's review focus on the following:

Consumers understanding of their rights and responsibilities – The rapid growth in mobile banking increases the probability that consumers don't understand the security risks involved and don't understand how their existing legal rights (eg in the case of fraud) apply to mobile transactions. The FCA comments that regulated institutions are ideally placed to help improve customer understanding, particularly in terms of how they can maintain the security of their mobile devices. The report encourages institutions to do just that.

Senior Management – Senior management within regulated institutions need to ensure that they have adequate knowledge and understanding of the products and services being offered through mobile channels, and how consumers interact with them. The report comments on the fact that the speed of technological change obviously makes that more difficult to achieve.

Security and Technology Resilience – The report states that regulated institutions need to ensure that their mobile offerings have adequate security measures, to prevent fraud and to protect personal data, and need to continually keep those measures under review. Reflecting the significant increase in interaction that comes with mobile banking, the report also advises that firms need to ensure that their systems are sufficiently scalable and robust to deal with that level of interaction, especially as the take up of mobile banking continues to grow.

Third Party Oversight – Mobile banking and payments typically involve numerous different parties (not just a bank and its customer), including network operators, mobile handset manufacturers, technology providers etc. The report states that regulated institutions rolling out mobile offerings need to ensure that they understand and maintain appropriate oversight of who the various parties are and properly manage their various responsibilities and inter-relationships.

Last but not least the report comments that mobile banking and payments not only affect existing regulated institutions but also open up opportunities for new payment providers to enter the market. The FCA recognises, in the report, that navigating through the current regulatory regime can be quite a challenge for new entrants, which could in turn create (regulatory) barriers to innovation. In response to that the FCA has, as part of its "Project Innovate" published proposals to build an "Incubator" and "Incubator Hub" to help innovators through the authorisation regime.

The EU is heavily pushing investment, innovation and regulation in relation to Cloud Computing, having previously stated that its strategy has the end goal of 2.5 million new jobs as well as an annual EU GDP boost of €160 billion by 2020. The strategy has three key actions: 1) cutting through what the EU describes as the "jungle" of technical standards, 2) developing safe and fair contract terms and conditions, and 3) establishing a European Cloud Partnership.

A post-consultation Workshop, where responses to the consultation will be discussed, will be held in Brussels in early November this year. DG Connect states that one of the goals of the Workshop is to bring together new and existing stakeholders, with the consultation announcement specifically mentioning stakeholders from "innovative technological SMEs" and the public sector.

DG Connect is aiming to publish the first Work Programme 2016-17 Call for Proposals by the end of 2015, with the Work Programme expected to focus on "infrastructures, services, technologies and innovation ripe for commercial deployment". DG Connect states that it is likely that new Cloud Computing projects, which will run for approximately two to three years each, will begin to launch before the end of 2016.