Regulatory Outlook - Osborne Clarke · 2019. 7. 18. · 5 Regulatory Outlook | Helping you succeed...

Regulatory Outlook

July 2019

2 Regulatory Outlook | Helping you succeed in tomorrow’s world

Contents


How is digital transformation affecting the regulatory landscape?

Catherine WolfendenPartner and Head of Osborne Clarke’s Regulatory Group

T: +44 117 917 3600 E: [email protected]

Ashley MorganSenior Knowledge Lawyer


The Regulatory Outlook is intended to help your business to navigate a regulatory landscape increasingly influenced by the rapid developments in technology. As the Information Commissioner’s Office has starkly illustrated in recent weeks, regulatory risk can have a serious impact on the bottom line. The ICO’s intention to fine Marriott £99m and British Airways £183m confirms that much-talked-about GDPR risks are beginning to crystallise, and that when it comes to enforcement, the ICO is a regulator that means business.

In this edition of the Regulatory Outlook, we take a look at the powers and behaviour of a number of regulators that your business may find itself dealing with in one way or another. Which regulators have powers to compel businesses to hand over documents? Which can, and which do, conduct dawn raids? Which have powers to bring prosecutions against individuals, and do they typically do so?

We also look at how the regulatory landscape is being impacted by digital transformation: in terms of both the new technologies that regulators are focussing on, and how regulators are adapting their own behaviours and toolkits. Some of the themes that emerge are that:

• Digital transformation is affecting all areas of business and regulation. From the difficulties that cryptocurrency causes in tracing proceeds of crime, to the regulation of influencer marketing on social media or 3D printing of foods, digital transformation is pervading all areas – as are the challenges of regulating it.

• The breadth of the challenges varies markedly. For some regulators, it is about applying existing powers to specific new technologies, as in the example of 3D printed foods. In other areas, such as competition, principle-based regulation has proved itself very adaptable over the decades, but new platform-centred models, price-comparison algorithms and the central role of data in powering digital markets are causing regulators to pause to verify whether longstanding approaches remain effective.

• It is not always the most cutting-edge technology that is the most disruptive. Electronic commerce is far from new in itself, but the prevalence of smartphones, the use of new technologies in warehouses and logistics, and the rise of the gig economy have all contributed to a dramatic shift in customer habits and expectations. Advertising, competition, financial services and consumer protection regimes are all having to adapt as a result.

• Keeping pace with technology will always be a challenge for regulators. But regulators are taking a much more proactive approach to innovation. The Advertising Standards Agency has started using avatars to probe ads being directed at children, while the Financial Conduct Authority’s ‘regulatory sandbox’ initiative takes a collaborative approach, and one that may be extended cross-sector. The government’s recent white paper, Regulation for the Fourth Industrial Revolution, sets out a central strategy for evolving the regulatory model to be “sufficiently flexible and outcomes-focussed to enable innovation to thrive.”

www.osborneclarke.com/insights/regulation-fourth-industrial-revolution/

www.osborneclarke.com/insights/regulation-fourth-industrial-revolution/


How is digital transformation affecting the regulatory landscape?

Navigating this complex, evolving regulatory landscape requires businesses to have a strong compliance function, with systems and processes that can be applied to a range of different regulatory risks, in whichever territories you operate in worldwide. In addition to deep expertise across the spectrum of business regulation, Osborne Clarke’s Global Compliance team can help you design and operate the overarching systems that you need in order to understand and manage all of the regulatory risks that you may face.

To discuss how we can help you to understand and manage your regulatory risks, please contact one of the experts listed in relation to the relevant area, or your usual Osborne Clarke contact.


Current issues

Advertising & Marketing

Nick JohnsonPartner


01

Katrina AndersonAssociate


CMA to investigate online advertisingThe CMA has announced that it will launch an investigation into online advertising. This is in response to an official request by the Chancellor, Philip Hammond, which was triggered by the recommendations of the Caincross Review.

The investigation will focus on three topics:

• The extent to which online platforms have market power in user-facing markets, and what impact this has on consumers.

• Whether consumers are able and willing to control how data about them is used and collected by online platforms.

• Whether competition in the digital advertising market may be distorted by any market power held by platforms.

The CMA has previously suggested that remedies might include: increasing competition through data mobility, open standards and open data; giving consumers greater protection in relation to data; limiting platforms’ market power; improving transparency and oversight for advertisers; and institutional reform.

Regulator using online “avatars” to identify adverts unlawfully targeted at childrenThe Advertising Standards Authority (ASA) has started using “avatars”: online profiles that simulate children’s online web browsing activity. These avatars flag when they are served with online ads for age-restricted categories. This was first rolled out to identify unlawfully targeted gambling ads and resulted in enforcement by the ASA against five gambling brands.

Guy Parker, Chief Executive of the ASA, has publicly said that the ASA is looking to expand this work, which suggests that the technology will be used to identify adverts served to children for other age restricted categories such as alcohol and weight control products. This increases the likelihood of enforcement in these areas.

Rules on publication of prizewinners’ names updated to be GDPR-compliantThe Committees of Advertising Practice (CAP) consulted extensively on how to make the existing rules about the publication of winners’ names, under the non-broadcast advertising code, compliant with GDPR. As a result of the consultations, a new law has been introduced governing how prizewinners’ names should be published.

The rules have been amended to require companies who run prize draws or competitions to publish or make available information that indicates that a valid award took place. This should normally be the surname and county of the major prizewinners. However, prizewinners will need to be given the opportunity to opt out of any publication. Even if the prizewinner does opt out, the company will still need to retain this information internally as they will need to provide the information and a copy of the winning entry to the ASA if challenged.

https://www.gov.uk/government/news/cma-launches-digital-markets-strategy


UK government consults on increasing restrictions for advertising “junk” food

The consultation, which concerns foods which are high in fat, salt and sugar (HFSS), proposes various options, such as a 9pm broadcast watershed ban, along some novel restrictions for online advertising. These include introducing a “ladder” into the HFSS rating to incentivise reformulation by allowing greater advertising privileges to products which lower the number of points on the HFSS rating scale.

Imposing broadcast-like restrictions of a watershed ban online is unprecedented and may require platform owners to develop their platforms to ensure they are compliant.

For more on the proposals, see our video.

New CAP guidance on gambling advertising and minors The new CAP guidance requires advertisers to have robust evidence to show they have “been diligent in forecasting the

likely audience” and taken “all reasonable steps to use the data available to include or exclude individuals” on the basis of age or other criteria. Specific guidance is provided on how to do this in relation to social media and influencers.

ICO publishes findings into bidding in the Adtech industryThe findings are highly critical and amongst other things query whether it can be appropriate to rely on “legitimate interest” as a lawful ground for processing individual’s data. Some existing privacy notice practices are also criticised for lack of clarity and transparency.

The report’s findings suggest that the ICO is not happy with the current industry standard approach to data protection compliance and it is clear that the ICO intends some type of “intervention”. Although it seems this will involve further consultation with the industry there may be enforcement if industry practices do not change.

Current issues

In Focus: Regulatory powers and trends

Who are the regulators? The main regulator is the ASA.In some cases, the Competition and Markets Authority (CMA) also investigates specific advertising-related issues, such as reviews, influencer marketing and digital advertising. However, this is not the standard mechanism for enforcement against individual companies as the CMA typically investigates thematically and focuses on one specific area or issue at any one time. Currently the ASA is looking at influencer marketing and there are plans to start an investigation into digital advertising.

Do they have powers to compel businesses to hand over documents?The ASA does not have the power to compel businesses to hand over documents.

Do they conduct dawn raidsNo.

Are they able to bring criminal prosecutions (and do they do so)?The ASA does not have the power to bring a criminal prosecution. However, occasionally, when the breach is particularly flagrant and criminal prosecution may be merited, the ASA will refer an advertiser to trading standards for criminal prosecution. The CMA may also bring criminal prosecutions.

Do they bring prosecutions against individuals?

While the ASA does not bring prosecutions itself, the references discussed above to trading standards could relate to either corporations or individuals.

Is there a self-reporting / leniency regime? Advertisers may ask for informal resolution of a matter. This is discretionary and, where granted, will typically involve the advertiser agreeing to take down or amend the advert immediately. As a consequence, in such cases, there is no public ruling on the matter.

Are there any plans to introduce new powers (or use existing powers differently)?There are no plans to extend the ASA’s powers. However, the government has announced plans to consult on giving the CMA the power to impose civil fines.

Are there any areas of new technology that are a particular focus of regulatory attention?The CMA is currently looking at influencer marketing, on social media and other channels. The CMA has also announced that it will be launching an investigation into online advertising.

https://www.gov.uk/government/consultations/further-advertising-restrictions-for-products-high-in-fat-salt-and-sugar

https://www.youtube.com/watch?v=9QNnpMkqE6Y&feature=youtu.be

https://www.asa.org.uk/uploads/assets/uploaded/734c1499-850d-4d2f-88a441ffd1903b50.pdf

https://www.gov.uk/government/news/cma-launches-digital-markets-strategy



How has digital transformation affected the regulator’s own behaviours? The ASA has recently announced that it is using “avatars” which mimic browsing habits of children to identify inappropriately

targeted adverts. Five gambling operators were prosecuted as a result of the trial and the ASA has announced its intention to expand the use of avatars to look for inappropriately targeted adverts for alcohol, weight control products and HFSS foods.

Dates for the diary

End July

Decision in fashion ID case expected, which is expected to clarify the position on joint controllership in certain advertising and marketing scenarios.

Q4 2019

Government response to HFSS advertising restrictions consultation expected.Margrethe Vestager.

Q1 2020

CMA will decide whether to refer online advertising for a full market investigation.

Q1 2020

ICO adtech sector investigation - second sweep expected.


Anti-bribery, Corruption and Financial Crime

Jeremy SummersPartner


02

Current issues

SFO enforcement: direction of travel The SFO has been under the directorship of Lisa Osofsky for nearly a year. She has a US law enforcement background, having previously worked for the FBI, and is intent on being a “new kind of Director”.

This will inevitably see the adoption of US enforcement tactics. In public remarks, Ms. Osofsky has been clear that the SFO will rely more on international co-operation, covert intelligence and, in particular, “flipping” suspects to provide evidence against others in return for immunity.

Ms. Osofsky will be keen to show this commitment in action and reverse the trend of recent high-profile cases where prosecutions have failed.

Failure to prevent the facilitation of tax evasionThe second corporate failure to prevent offence, of failure to prevent the facilitation of tax evasion, has been in force since September 2017 and, like its predecessor under the Bribery Act, it does not have retrospective effect.

As a result, we are only now starting to see the first enforcement action: HMRC has a dedicated team in its Fraud Investigation Unit tasked with enforcing the new offence and the first investigations were announced in March 2019.

HMRC will want to demonstrate that the legislation has teeth, and we anticipate that prosecutions may be likely to follow in the next 12-18 months. As with the Bribery Act offence, a company will have to demonstrate that it had “reasonable procedures” in place to avoid conviction.

Brexit | Effect on law enforcementMuch concern has been expressed as to the UK law enforcement and security relationship with the EU in the post-Brexit era. What is known is that EU-wide tools such as Europol and the European Arrest Warrant, that are heavily relied upon by UK law enforcement, will not survive. What is not known is what will replace them.

We anticipate that bilateral treaties will be entered into that will replicate much of the present system, but inevitably these may be less efficient and so may place UK enforcement agencies at a disadvantage.



Who are the regulators? The main agencies regulating business crime are the following:

• Serious Fraud Office (SFO).

• City of London Police Economic Crime Unit (ECU).

• Her Majesty’s Revenue and Customs (HMRC).

• The Financial Conduct Authority (FCA).

• The Competition and Markets Authority (CMA).

Do they have powers to compel businesses to hand over documents?Each agency listed above has the power to compel businesses to hand over documents, and if so must do so through prescribed written notices. The SFO’s power, under section 2 of the Criminal Justice Act 1987, for example, renders it a criminal offence to fail to comply with a documents request. HMRC is able to compel the production of documents in relation to investigations for suspected tax-related criminal offences. In exercising its powers, the CMA must suspect a breach of competition law.

Do they conduct dawn raids?

All five agencies that regulate business crime conduct dawn raids.

• The SFO can conduct raids with or without notice, dependent on whether there is a risk that evidence may be destroyed. Any raid will be undertaken in conjunction with the police.

• FCA raids are also typically undertaken with the police, who will execute the warrant, accompanied by FCA staff.

• The CMA is able to conduct raids with or without a warrant, and is under no obligation to give advance notice if the occupier of the property is suspected of infringement. Where no infringement is suspected, two working days advance notice in writing is required.

Are they able to bring criminal prosecutions (and do they do so)?

Yes. Each of the authorities has the power to, and does regularly, bring prosecutions.

• The ECU is able to bring criminal prosecutions in relation to any type of financial crime.

• The SFO will limit its cases to the most serious and complex matters of fraud or bribery.

• HMRC’s criminal investigations are dealt with by the Fraud Investigation Service, though ultimate decisions on prosecution rest with the Crown Prosecution Service (CPS).

• HMRC principally targets criminal tax evasion and is also the lead UK agency in relation to money laundering.

• The FCA can bring criminal prosecutions to tackle financial crime, including insider dealing, unauthorised business and money laundering.

• The CMA is the lead agency for “criminal cartel” offences.

Do they bring prosecutions against individuals?Yes. Each agency frequently prosecutes individuals. Maximum penalties include imprisonment for up to 14 years in relation to money laundering and ten years in respect of offences of fraud and bribery.

Individuals can also face fines, confiscation orders and disqualification from acting as company directors.

For the purposes of UK law, if an individual commits a crime in the course of working for a company, that company can also be prosecuted if the individual concerned is sufficiently senior to be viewed as representing the “controlling mind” of the company.

Is there a self-reporting / leniency regime?

The SFO has published guidance “Corporate self-reporting” which will be considered when determining whether or not to prosecute a company. The guidance makes it clear that self-reporting must form part of a genuinely proactive approach adopted by the corporate management team. Co-operation will be likely to include bearing the cost of an internal investigation under SFO guidance, waiving privilege and providing evidence with which to prosecute individuals.

In contrast to the US, there is no formal provision whereby a self-report will lead to a non-prosecution agreement. Since 2014, the UK has had a regime of Deferred Prosecution Agreements (DPA). These only apply to companies, not individuals. There have been four DPAs to date.

Other agencies have their own regimes. The CMA can deploy the statutory immunity provisions of the Enterprise Act 2002. This can afford full immunity to the party making the first report.

In its regulatory function, the FCA is able to offer reduced sanctions in return for early admission of liability.

Are there any plans to introduce new powers (or use existing powers differently)?

An on-going debate exists around extending the corporate offence of failure to prevent bribery and failure to prevent the facilitation of tax evasion, to all forms of economic crime.

The corporate offence is, in effect, a strict liability offence, which will arise unless the commercial organisation concerned can show that it had adequate or reasonable procedures in place to prevent the bribery or tax evasion.

The SFO, in particular, is keen for this offence to be extended to cover underlying crimes such as fraud, false accounting and money laundering.


We anticipate that the extended offence will be enacted, although the timescale for this is unclear and will depend on the availability of parliamentary time, which may largely be taken up with Brexit in the coming months.

Although there has been discussion around a possible wider reform of corporate criminal liability, which would remove the need to establish the “controlling mind” test, this, at the present time, appears unlikely.

Are there any areas of new technology that are a particular focus of regulatory attention?

One particular area of focus for the SFO is the use of cryptocurrency in relation to money laundering and organised crime. This is because cryptocurrency can be difficult or impossible to track in the way that traditional currency can be tracked.


How has digital transformation affected the regulators’ own behaviours?

Artificial intelligence (AI) / machine-learning (ML) is now being employed by law enforcement agencies to assist with undertaking large data-heavy investigations. AI/ML enables the software to increase its ability to detect relevant material as the electronic search progresses, thus avoiding the significant time and cost of that exercise being conducted by people.

The most high-profile example of this to date is the SFO’s investigation into Rolls-Royce plc. That investigation led to a DPA, which saw the company pay a total sanction of some £500m, although no individuals were subsequently prosecuted.

In public comments, the SFO has been clear as to the value of AI/ML in this case, and the use of these technologies will undoubtedly be an increasingly common feature of criminal investigation in the future.


Competition

Katherine KirrageAssociate Director


Simon NeillPartner


03

Advanced tech, defence and critical infrastructure sectors targeted by foreign direct investment screening programmes in the USA and Europe Governmental controls on M&A and investments on national security grounds have moved up the political agenda across the world, with many jurisdictions strengthening or introducing regimes for the first time.

In the UK, recent changes mean that any deal with a target in the advanced tech, military/dual-use or quantum computing sectors with a UK turnover above £1million will be within the scope of a national security review. At the EU level, a new process for screening foreign direct investment into the EU will apply from October 2020. National security reviews are a live concern for cross-border deals. Expert and experienced advice at an early stage is essential to minimise transaction risk and to successfully navigate a review process.

Increased consumer protection in the UK? CMA proposes reforms

In February 2019, the Competition and Markets Authority (CMA) published a series of proposed reforms designed to address its concerns with its abilities under the current legal framework to adequately protect consumers. The proposals to the Department of Business, Energy and Industrial Strategy (BEIS) are intended to “put consumers at the heart of the UK competition regime” by deconstructing the current “analogue” system of competition and consumer law.

The reforms represent a potentially significant increase In the CMA’s reach. Businesses should expect an increasing crackdown by the CMA on practices that are considered to be causing consumer detriment.

Furman Review recommends shake-up of UK competition rules for the digital age

In March 2019, an independent panel of experts published its recommendations for the government following its review of competition policy in the UK. The panel was instructed to examine the impact of digital markets on competition and consumers, and to consider whether competition law policy and enforcement tools in the UK require reform.

The panel found that UK competition law and policy did need reform in order to adequately manage the challenges and opportunities posed by digital markets.

CMA launches digital market study

On 3 July 2019, the CMA launched a market study into online platforms and the digital advertising market in the UK. The CMA is assessing the extent of online platforms’ market power in user-facing markets and what impact this has on consumers. The CMA is also looking at whether consumers are able and willing to control how data about them is used and collected by online platforms, and whether competition in the digital advertising market may be distorted by any market power held by platforms.

Current issues

https://www.osborneclarke.com/insights/advanced-tech-defence-critical-infrastructure-sectors-targeted-foreign-direct-investment-screening-programmes-usa-europe/

https://www.osborneclarke.com/insights/increased-consumer-protection-uk-cma-proposed-reforms-existing-competition-consumer-protection-regimes/

https://www.osborneclarke.com/insights/shaping-future-competition-law-enforcement-digital-markets-furman-review-recommends-shake-uk-competition-rules-digital-age/

https://www.osborneclarke.com/insights/shaping-future-competition-law-enforcement-digital-markets-furman-review-recommends-shake-uk-competition-rules-digital-age/

https://www.gov.uk/cma-cases/online-platforms-and-digital-advertising-market-study


Who are the regulators?The principal competition regulator in the UK is the CMA.

In addition, a number of sectoral regulators (such as the Payment Systems Regulator and the Financial Conduct Authority in relation to financial services, Ofgem in relation to energy and Ofcom in relation to broadcasting, amongst others) have powers to enforce competition law in relation to their sector, under the Competition Act.

Do they have powers to compel businesses to hand over documents?

Yes. The regulators are empowered to send detailed requests for information to companies and require them to provide information and documentation within strict time-frames, with potential criminal penalties for the provision of false or misleading information or documentation.


Yes. Dawn raids are an established part of the investigatory toolkit for competition regulators.


The CMA has powers to bring proceedings against individuals in relation to the criminal cartel offence, alongside the SFO.

The sectoral regulators do not have the powers to bring criminal proceedings in relation to competition law. However, those regulators, like the CMA, do have the power to make a disqualification order for directors. In practice, this is the approach more typically taken by the CMA in respect of directors involved in cartels, due to the procedural and evidential difficulties in bringing criminal proceedings.


Yes, the CMA does bring proceedings against directors (see the question above).


The CMA and the sectoral regulators have whistleblowing procedures in place which can offer immunity to companies reporting involvement in anti-competitive behaviour in certain circumstances. In addition, the CMA and the regulators offer reductions for fines in return for cooperation and settlement.


The CMA has proposed a significant shake up to its powers in a submission to the BEIS, aimed at addressing current concerns within the CMA that the scope and use of its powers are not sufficient to tackle consumer harm effectively.

Linked to this, the findings of the CMA-commissioned Furman review into digital markets recommended that reform to UK competition law and policy are required.

In its digital strategy paper, the CMA has committed to implement the findings, and steps are already being taken to do so with the launch of the CMA’s digital market study in July 2019.


The e-commerce sector remains under the close scrutiny of regulators, as it has for several years. As the importance of this sector continues to grow, so too does the focus on ensuring that competition law is able to address new forms of vertical restrictions, such as restricting the ability of distributors to bid on ad-words.


In addition to the CMA’s proposed reforms discussed above, there has been a notable shift back to a focus by the regulator on vertical restraints, reflecting the concerns that, in the digital transformation, such restraints are causing direct consumer harm and are being overlooked.



Dates for the diary

30 July 2019

Deadline for responses to invitation to comment on digital market study.

31 October 2019

End of five year term of EU Competition Commissioner Margrethe Vestager.

2 July 2020

Deadline for publication of CMA’s report on digital market study.


Current issues

Consumer Finance

Nikki WordenPartner


04

Charlotte HarrisAssociate Director


FCA willingness to take action to remedy price discrimination The FCA has significant resources, including teams of economists and regulatory strategists. It publishes a business plan each year, in which it sets out its strategic priorities. One of its current cross-sectoral strategic priorities is price discrimination. The FCA is concerned that the ‘loyalty penalty’ (applying more expensive pricing to existing customers whilst offering special offers to new customers) disproportionately affects the vulnerable, and has concluded that ‘demand-side’ intervention (such as prompts to shop around) is not enough.

The FCA’s view is supported by the CMA and the Treasury Select Committee, with the Select Committee even recommending that the FCA makes it mandatory for firms to publish the size of their loyalty penalty. The FCA is currently looking at this issue, including whether to apply ‘supply-side’ remedies (such as price controls for example) in the context of general insurance, cash savings and mortgages.

FCA considers the future of regulation

Another of the FCA’s key priorities outlined in the 2019/20 Business Plan is ‘the future of regulation’. The FCA is conscious that technology and innovation, changing consumer needs and new models and services are transforming financial services and, in considering whether the regulatory landscape is fit to meet these challenges, it has been considering whether there is a need to introduce a new (potentially statutory) ‘duty of care’ for regulated firms.

FCA strategic objectives On 14 May 2019, the FCA released a podcast by Andrew Bailey, FCA Chief Executive, setting out his views on the “big strategic objectives” and issues facing the regulatory landscape. He explained that “operational resilience” is a risk that has come forward “very rapidly” and is “a significant change”.

In particular, data risks (in relation to the use of data and security of customers’ data) have grown rapidly over the last two years. Mr Bailey explained that it is “important that firms are very active on this front”. He emphasised that a feature of operational risk (and particularly in the cyber area) “is that it’s never over… because it continually evolves and mutates”.

Bank fined £1.89m for outsourcing failings Illustrating how much of a priority operational resilience is for the FCA, on 30 May 2019, the FCA and the PRA fined R Raphael & Sons plc £1.89m for failing to manage its outsourcing arrangements. The firm’s Payment Services Division operates prepaid card and charge card programmes in the UK and Europe, which relied on outsourced service providers to perform certain critical functions (including authorisation and processing of card transactions).

The regulators identified a lack of adequate consideration of outsourcing within the Board and departmental risk appetites. Without the 30% reduction due to Raphaels’ agreement to resolve the matter, the combined FCA/PRA fine would have been £2,709,574.

https://www.fca.org.uk/publication/business-plans/business-plan-2019-20.pdf

https://www.fca.org.uk/publication/business-plans/business-plan-2019-20.pdf

https://www.fca.org.uk/publications/feedback-statements/fs19-2-duty-care-and-potential-alternative-approaches

https://www.fca.org.uk/media/podcast/inside-fca-podcast-andrew-bailey-business-plan-and-future-regulation

https://www.fca.org.uk/news/press-releases/fca-and-pra-jointly-fine-raphaels-bank-1-89-million-outsourcing-failings


Current issues

FCA sets out progress and next steps promoting innovation in financial services

The FCA has recently published an evaluation report looking back on five years of ‘Project Innovate’. The FCA launched Project Innovate in 2014 with a view to creating the conditions for financial services innovation in the interests of consumers. The Project has allowed nearly 700 firms to receive some kind of assistance. Forty-seven firms have completed ‘Regulatory


Who are the regulators?The FCA is the conduct regulator for banks and insurance firms, and sole regulator for all other financial services firms.


The FCA is extremely well funded and has considerable powers to fine, bring prosecutions, require firms to appoint experts to undertake business reviews, and require customer remediation programmes.

The threat of enforcement action often means that a ‘supervisory conversation’ with the threat of enforcement is enough to make firms respond as requested.


The FCA has powers to, and does, make unannounced visits to regulated firms.


Yes, and the Senior Managers and Certification Regime is being rolled out so that it will apply to all firms by December 2019.


Yes, but this is currently rare. The FCA is more likely to enforce against an individual by fining them and barring them from working in financial services firms in future.

Is there a self-reporting / leniency regime?Where the FCA does issue fines, it will often discount the level of fine to take into account self-reporting, alongside other mitigating factors.


The FCA is considering whether there is a gap in its regulatory regime which could be filled by the introduction of a duty of care on regulated firms.


There are a number of new types of technology that are being introduced into the financial services sector and which will be a focus for the FCA. These include crypto-assets, AI and ML-based applications and open banking services/APIs.


The FCA has taken a proactive approach to considering its role in relation to enabling innovation in financial services, through initiatives such as the ‘regulatory sandbox’. The FCA is also actively considering the future of regulation and in particular whether there is a gap in its regulatory regime that could be filled by the introduction of a specific duty of care.

Sandbox’ testing, with 80% of those now operating in the market. The FCA is now also working with other regulators globally, with one of the priorities being to look at how technology can help tackle financial crime.

https://www.fca.org.uk/news/speeches/deeds-not-words-next-stage-fca-innovation-journey


Dates for the diary

Summer 2019

Publication of the FCA’s interim market study report on home and motor insurance pricing, with discussion of potential remedies where appropriate.

9 December 2019

The extension of the Senior Managers and Certification Regime commences for all solo-regulated firms.

18 December 2019

New rules requiring banks to assist repeat users of overdrafts in force.

12 November 2019

New rules banning buy now pay later firms from charging backdated interest in force.

10 January 2020

Deadline for Member States bringing into force the laws, regulations and administrative provisions necessary to comply with MLD5.

6 April 2020

New rules simplifying overdraft pricing in force


Data Protection & Cyber Security

Charlie WedinPartner, UK

T: + 44 20 7105 7856 / +44 117 917 4290 E: [email protected]

Tamara QuinnPartner, UK


05

E-Privacy regulations As anticipated, the e-Privacy Regulation did not get over the line before the end of the last term of the European Parliament. However, the new Finnish presidency has stated that the regulation will continue to be a priority for the European Parliament this year, with the European Data Protection Board recently calling upon EU legislators to intensify efforts towards adoption by the end of 2019 (although this seems ambitious given the delays to date). One of the key sticking points is the debate over the role of consent under the new regulation.

In the meantime, on 29 March 2019, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulation 2019 came into effect, and amended the definition of ‘consent’ in the Privacy and Electronic Communication (EC Directive) regulations 2003 to align to consent under the GDPR (meaning that implied consent and browse-wrap consent for cookies is non-compliant).

Although at this stage we aren’t aware of any enforcement action by the Information Commissioner’s Office (ICO), and market practice does not seem to have fully caught up (the ICO itself has admitted that its own cookie banner and cookie consent mechanisms do not currently comply with these updated requirements). Organisations should use this as an opportunity to revaluate their current cookie practices, and in particular in preparation for the e-Privacy Regulations.

Current issues

EU Cybersecurity Act The EU’s Cybersecurity Act came into force on 27 June 2019. The Act introduces a mechanism for EU-wide cybersecurity certification and an enhanced role for ENISA, the EU’s cybersecurity agency. Companies with ICT processes, products or services that may be covered by the proposed certification scheme will need to monitor developments carefully. The provisions which require Member States to designate authorities with respect to cybersecurity certification will become applicable two years following publication.

Processing of children’s data The ICO has released a new consultation document on its code of practice applicable to information society services which may be accessed by children. The draft code sets out key principles for ensuring an “age appropriate design”, including to set “default” privacy settings at the highest protection (such as geolocation information to be set to “off” by default). The code will apply to relevant services that are ‘merely likely’ to be accessed by children, and not just those that are ‘targeted’ at children.

http://www.legislation.gov.uk/uksi/2019/419/contents/made



https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0881&from=EN

https://ico.org.uk/media/about-the-ico/consultations/2614762/age-appropriate-design-code-for-public-consultation.pdf


Current issues

GDPR guidance The European Data Protection Board (EDPB) has published a set of draft guidelines to clarify what is meant by ‘lawful processing’ under Article 6(1)(b) of the GDPR (for processing that is necessary for performance of a contract) in the context of contracts for online services.

The guidelines state that a controller must be able to show that the main object of the contract with the data subject cannot be performed without the processing of the relevant personal data. If there is an alternative way to perform the contract without such processing, and the processing is merely ‘helpful’, then it will not be objectively ‘necessary’. This will require controllers to more closely scrutinise the actual purpose and requirement for the personal data being processed under Article 6(1)(b).

We are still waiting for the final version of the EDPB’s guidelines on the territorial scope of the GDPR. See our Insight on the guidelines for a detailed overview.

Regulatory initiativesIn May 2019, the ICO launched its ‘Be Data Aware’ campaign to help the general public understand how organisations use their data, as well as informing people on how they can control it. This campaign is likely to result in an increase in the number of complaints and requests received by organisations on their data privacy practices.

The ICO is also set to develop a new framework (to be published in spring 2020) on how artificial intelligence (AI) can be audited to check for compliance with data protection laws, having previously raised some concerns that AI and machine learning (ML) can exacerbate known security risks, and result in decisions that are biased or not fully transparent. The ICO is currently asking for input to help shape its proposed framework.

EnforcementOn 8 July 2019, the ICO announced its intention to fine British Airways £183.39 million for infringements of the GDPR. This would be its first monetary fine under the new legislation. However, the ICO has previously issued enforcement notices requiring that entities cease to process personal data.

The ICO’s GDPR ‘One Year On’ update demonstrates the material rise in data breach reporting. The ICO received 14,000 reports from 25 May 2018 to 1 May 2019, up from 3,300 in the year from 1 April 2017. Of the 14,000 reported, the ICO closed over 12,000 cases during the year. Of those closed, around 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or stringent enforcement action. We await the outcomes for the 2,000 cases that have not yet been closed by the ICO, and anticipate that, particularly given the scale of the British Airways fine, some of these may result in more stringent enforcement action.

Data controllers should also ensure that they are up to date with their statutory data protection fee and registration (£40, £60 or £2,900 fee dependent on the size of the controller entity), which can be paid or renewed on the ICO website. This should be completed for all relevant group companies that act in a controller capacity. The ICO has now issued fines (in the region of £4,000) to organisations that have failed to pay/renew the annual fee.

https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en

https://www.osborneclarke.com/insights/european-data-protection-board-publishes-draft-guidance-territorial-scope-gdpr/

https://ico.org.uk/bedataaware

https://ai-auditingframework.blogspot.com/2019/03/an-overview-of-auditing-framework-for_26.html

https://ico.org.uk/about-the-ico/news-and-events/blog-gdpr-one-year-on/



Who are the regulators?

The ICO the principal regulator for data protection in the UK. It is also the supervisory authority in the UK for the purposes of the GDPR and enforcement in relation to data protection.

Sector specific regulators that do not focus on data protection also have enforcement powers in relation to cybersecurity. These include the Financial Conduct Authority in relation to regulated entities and sector-specific regulators in relation to the Security of Network and Information Systems Regulations which apply to: (a) digital service providers (in which case, the competent authority will be the ICO); and (b) operators of essential services. For the latter, the UK’s “competent authorities” are sector specific and as follows (with some variation for Wales, Scotland, and Northern Ireland):

• Electricity: The Gas and Electricity Markets Authority (Ofgem) and the Secretary of State for Business, Energy and Industrial Strategy (BEIS) acting jointly.

• Oil: BEIS.

• Gas: BEIS and, in certain cases, the BEIS and Ofgem acting jointly.

• Transport: (a) for air transport, the Secretary of State for Transport and the Civil Aviation Authority acting jointly; and (b) for Rail, Water, and Road transport, the Secretary of State for Transport.

• Health: The Secretary of State for Health.

• Drinking water supply and distribution: The Secretary of State for Environment, Food and Rural Affairs.

• Digital infrastructure: Office of Communications.

The answers below focus on the ICO’s powers regarding data protection under the GDPR only.


Yes. The ICO can issue an information notice, to compel a data controller or processor to provide information and documents.


The ICO has extensive powers of inspection which it can exercise (in certain circumstances) without prior written notice (i.e. a dawn raid). This power has not been exercised to date, but the ICO has signalled that it will look to use this power in future.


The ICO is a prosecuting authority which can bring criminal prosecutions under a variety of legislation including both the DPA 2018 and, for example, the Computer Misuse Act 1990 (which, unlike the DPA 2018, allows for custodial sentences to be imposed).

In November 2018, the ICO exercised these powers with its first prosecution under the Computer Misuse Act, resulting in a six month prison sentence for the individual.


As noted above, in November 2018, the ICO successfully brought a criminal prosecution under the Computer Misuse Act 1990 against an individual for unauthorised access to computer material.


In the event of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of an individual, it is a legal requirement to notify the ICO. If the ICO is not notified (in breach of that legal obligation), this will be considered an aggravating factor for the purposes of any enforcement action.


All of the ICO’s post-GDPR powers are fairly new and it remains to be seen how they will be used (and whether they will be expanded upon review). The ICO has demonstrated its willingness to issue Enforcement Notices requiring that the processing of certain data ceases; notably, against HMRC for its failure to obtain adequate consent to collect callers’ personal data


The ICO’s stated regulatory priorities, so far as new technology is concerned, are:

• Cyber security.

• AI, big data and ML.

• Web and cross-device tracking.

• The use of surveillance and facial recognition technology.

For example, this year the ICO released:

• Its interim report on Project ExplAIn. This project aims to create practical guidance to assist organisations with explaining AI decisions to the individuals affected.

• A summary report from the adtech Fact Finding Forum, which was designed to help the ICO better understand the key data protection issues around adtech (particularly around Real Time Bidding).



The reports mentioned above show how the ICO is working with other bodies to develop its understating of digital transformation.


Dates for the diary

Q4 2019 – Q1 2020

ePrivacy Regulation expected to be passed by European Parliament.

For example, during Project ExplAIn the ICO worked with the Alan Turing Institute, the national institute for data science and AI.


Current issues

Employment & Contingent Workforce

Kevin BarrowPartner


Julian HemmingPartner


06

Preparing for IR35 reforms HMRC have published draft legislation fort the 2020 off-payroll IR35 tax reforms. The proposed regime is largely modelled on those introduced already into the public sector, but takes account of the different needs of private sector employers and also the lessons learned since the new rules in the public sector came into force. The reforms are expected to come into force from 6 April 2020.

These reforms will affect both users and suppliers of personal service contractors in private and public sector situations. Under the proposals, responsibility for determining tax status of workers who supply services via a personal service company or other intermediary will transfer to the end-user. Liability for unpaid tax will also change.

It is essential that end-users understand the proposed reforms and the potential implications for them so that risks can be identified and so far as possible minimised or eradicated, and the financial implications understood.

For more on these reforms, see our Insight.

Non-disclosure agreements We are still awaiting the outcome of the government consultation into confidentiality clauses (also known as non-disclosure clauses) in respect of workplace harassment and discrimination. The consultation closed at the end of April 2019 and feedback is due to be published over the summer.

Pending the outcome of the government’s consultation and in light of guidance issued by regulators (including the Solicitors Regulation Authority, with which in-house and private practice legal advisers must comply) and concerns raised by the Women and Equalities Select Committee, employers should ensure they are taking steps to address the key issues including:

• How discrimination and harassment complaints are dealt with.

• How non-disclosure clauses are used and ensuring these comply with any regulatory guidance in ensuring employees are not prevented from raising matters with the police, regulator or other appropriate body, and are clear and understandable.

• Ensuring employees are aware of procedures for raising grievances or concerns around discrimination and harassment in the workplace and the support available.

Employers must also remain alert to any trends or patterns in any allegations put to them and which may point towards there being a ‘problem’ – either culturally or with regard to a specific individual – within the organisation.

Holiday payCalculating statutory holiday pay still remains a grey area, with employers dependant on case-law to determine what elements of pay should be included. The Court of Appeal has now ruled on voluntary overtime, confirming that it should be included in holiday pay calculations where it is sufficiently regular and settled to be considered normal remuneration.

https://www.osborneclarke.com/insights/uk-government-proposals-new-ir35-legislation-published-11-july-2019/


Current issues

However, we may see a further appeal on this to the Supreme Court. Employers must also remain alert to the risk of contractors, arguing that they are in fact workers entitled to holiday pay extending back to the start of their engagement.

From April 2020, legislation will be introduced (arising from the government’s response to the Taylor Review – discussed below) extending the reference period for calculating statutory holiday pay from 12 to 52 weeks.

Employment status and the ‘gig economy’Following the Taylor Review, in April 2020, new rules are due to come into force:

• Repealing the so-called ‘Swedish derogation’ – which currently enables agency workers to be employed on a contract at a lower rate than permanent counterparts.

• Extending the existing ‘section 1’ statement right to a day-one written statement of rights for employees and workers, which will also set out details on other rights such as eligibility for sick leave and pay and other types of paid leave, such as maternity and paternity leave.

• Extending the holiday pay reference period from 12 to 52 weeks, ensuring those in seasonal or atypical roles get the paid time off they are entitled to.

• Lowering the threshold required for a request to set up information and consultation arrangements, from 10% to 2%.

The government has also committed to legislate to improve the clarity of the employment status tests to reflect the reality of modern working relationships.

We are also waiting for the Supreme Court and the Court of Appeal to hear appeals in two gig worker cases – one involving drivers and the other involving cycle couriers. In the meantime, the EU has introduced a new directive on transparent and predictable working conditions, which seeks to strengthen rights of those in the gig economy. The UK has three years to implement the directive (subject to the outcome of Brexit and any deal reached).

Increasing diversity and pay transparencyThe government has been consulting on a reporting requirement for ethnicity pay gaps, gathering views on what information should be reported and by whom. The consultation closed in January and a response is expected soon. Last year, the government introduced a voluntary disability, mental health and wellbeing reporting framework. Employers should be alert to the fact that the government may at some point look to make this reporting framework mandatory, in the same way that gender gap reporting was initially voluntary, before becoming mandatory.

The third round of gender pay reporting is due in April 2020 and employers should ensure that they are already looking at what steps they should be taking to close the gap and any commitments they have made to taking specific actions to address identified issues.

The revised Corporate Governance Code and the new reporting requirements for quoted companies are also now in force, applying to financial years beginning on or after 1 January 2019. All quoted companies with over 250 UK based employees are required to report and explain the ratio of their Chief Executive’s total pay over a financial year to that of their employees across specific quartiles. The first statutory disclosures will be provided from January 2020, although early disclosures by some companies are expected.

No deal Brexit | EU citizens’ rights in the UKWhilst we wait to see whether an agreement can be reached on the UK’s exit from the EU, the UK government has made it clear that businesses should not see any significant changes to employment rights in the event of a no-deal Brexit. This follows technical amendments having been made by the government to allow existing employment laws to continue to work post Brexit.

The UK government has published a paper setting out how the EU Settlement Scheme would apply to EU nationals in the UK in the event of a no deal Brexit. The EU Settlement Scheme will continue in a no deal scenario, meaning that any EU citizen living in the UK by 30 October 2019 will be eligible to apply to this scheme and secure their status in UK law. However, as there would be no agreed implementation period, this guarantee would only apply to EU citizens who are resident in the UK by 30 October 2019. If, however, a deal is ratified along the lines of the current draft, EU nationals would be given the right to apply for settled status if they were living in the UK by 31 December 2020.

The UK government has called on the EU to protect the rights of UK nationals living in the EU in the event of a ‘no deal’ scenario, and has promised to support UK nationals living in the EU as far as possible. We await further guidance from the government on how they propose to do this.

WhistleblowingThe Supreme Court is set to determine whether or not a dismissal can be automatically unfair on grounds of whistleblowing in circumstances were the individual who took the decision to dismiss was unaware of the ‘protected’ disclosures and relied on evidence which had been tainted by another manager. The UK must also implement within the next two years the EU directive on whistleblowing (subject to the outcome of Brexit and any deal reached), which will bring changes for employers in respect of their obligations and the rights of employees.




All employers will also be subject to the powers of a number of other regulators that relate to employees, including the Information Commissioners Office, the Health and Safety Executive, HMRC (which enforces National Minimum Wage legislation as well as tax and social security), the Equality and Human Rights Commission, the Pensions Regulator and the Gangmasters’ Licensing Authority (GLA). Employers will also be impacted by the Solicitors Regulation Authority in respect of the obligations on solicitors (whether in-house or external) when drafting and negotiating non-disclosure provisions in settlement agreements and other related documentation.

Workforce solutions companies including recruitment and staffing companies and online staffing platforms are also, depending on the exact commercial models they operate, subject to the Employment Agencies Standards Inspectorate (EASI). There has been talk of EASI and GLA merging.

Workforce solutions companies are also, depending on the exact commercial models they operate, subject to Payment Services Regulations where they act as payment agents.

Employers operating in a regulated sector will also need to be aware of and comply with any applicable rules/guidelines of that regulator.


The EASI and the GLA each have powers to compel businesses to hand over documents.


The EASI and the GLA each have powers to visit and ask for access to premises, but are generally required to give notice.


The EASI and GLA are each able to bring criminal prosecutions, and do so occasionally.


EASI / GLA can bring prosecutions against either individuals or companies.


There is no statutory leniency scheme.


The government’s response to the Taylor Report is likely to involve increasing the powers and resources of the EASI and/or the GLA, and as discussed above, there has been some talk of the EASI and the GLA being merged.


Online platforms using algorithms to connect candidates / service providers with hirers / customers, and in some cases act as payment intermediaries, are a focus of attention by relevant authorities and are understood to be the subject of a number of investigations.


The regulators are currently grappling with the challenge of applying “old” law to online marketplaces that connect candidates / service providers with hirers / customers – without undermining the efficiencies and economic benefits of such new technologies and models.


Dates for the diary

4 April 2020

Deadline for employers of 250+ employees to publish their third annual snapshot of their gender pay gap data, taken on 5 April 2019.

6 April 2020

IR35 reforms in the private sector expected to come into force.

6 April 2020

Parental bereavement right entitling parents who have lost a child under 18 to 2 weeks paid leave expected to come into force. We are currently awaiting implementing regulations. European Parliament.

6 April 2020

Statutory regulations, implementing measures coming out of the government’s Good Work Plan, come into force, including:

• abolishing the so-called ‘Swedish derogation’ on agency contracts;

• lengthening the reference period for determining a week’s pay for holiday pay purposes from 12 weeks to 52 weeks, and

• entitling all employees and workers to a statement of written particulars from day one and providing for additional information to be included in the particulars.

6 April 2020

Employers liable to pay employer’s national insurance contributions on ‘termination payments’ above £30,000.


Current issues

Environment

Matthew GermainPartner


07

Caroline BushSenior Associate, UK


Government revises climate targetOn 12 June 2019, following the advice of the Committee on Climate Change, the UK government created secondary legislation which revises the greenhouse gas reduction target set by the Climate Change Act 2008. Previously, the target was to reduce greenhouse gas emissions by 80% of 1990 levels by 2050. The new target is for ‘net zero’ emissions by 2050. In simple terms, this means that emissions will need to be either equal to or less than the total emissions which are absorbed by the environment in 2050.

The UK is the first major economy to make such an ambitious pledge. While a ‘net zero’ economy will require significant action across all UK industries, the Committee predicts that the transport and energy sectors will require the most reform.

Clean Air Strategy 2019On 14 January 2019, the Environment Secretary, Michael Gove, launched the new Clean Air Strategy in a bid to tackle the threat of air pollution to public health. The new strategy includes more stringent measures to reduce emissions across transport, farming, industry and the home.

Objectives that will affect businesses include: a commitment to a new target for the reduction of harmful nitrogen deposits; future legislation which bans the sale of the most polluting fuels; and the phasing-out of coal-fired power stations.

Closure of the CRC Energy Efficiency SchemeThe CRC Energy Efficiency Scheme closed at the end of the previous compliance year, on 31 March 2019. While there is no direct replacement for the scheme, the government has introduced the new Streamlined Energy and Carbon Reporting (SECR) regime and has also increased Climate Change Levy (CCL) rates.

SECR will require many businesses to report on:

• UK energy use (as a minimum, gas, electricity and transport, including UK offshore area).

• Associated greenhouse gas emissions.

• Energy use and greenhouse gas emissions figures from the previous year (from 1 April 2020).

• Energy efficiency measures, in a narrative form.

• Details of the methodology used.

The new regime is aimed at encouraging companies to implement energy efficiency measures to cut costs and achieve environmental benefits.

https://www.gov.uk/government/news/pm-theresa-may-we-will-end-uk-contribution-to-climate-change-by-2050

https://www.gov.uk/government/publications/clean-air-strategy-2019

https://www.gov.uk/government/consultations/streamlined-energy-and-carbon-reporting

https://www.gov.uk/government/consultations/streamlined-energy-and-carbon-reporting

https://www.gov.uk/government/publications/rates-and-allowances-climate-change-levy/climate-change-levy-rates

https://www.gov.uk/government/publications/rates-and-allowances-climate-change-levy/climate-change-levy-rates


Government to mandate ‘biodiversity net gain’On 13 March 2019, the government confirmed that new developments must deliver an overall increase in biodiversity. Under the new rules, if a developer causes biodiversity loss or fails to mitigate or compensate all impacts on a site, a penalty will be imposed. The penalty will require developers to create a compensatory habitat, which will support local biodiversity. If a developer fails to mitigate or compensate a loss, then a penalty tariff will be imposed.

The penalty tariff will be calculated against any shortfall in biodiversity, measured against the net gain obligation (10%). Brownfield sites will be exempt from the requirement of a 10% net gain.

This scheme will have a significant impact on both developers and investors. The developer of the site must ensure that all new developments avoid environmental harm and increase biodiversity by at least 10% in order to avoid having to pay a penalty tariff.

Current issues

Net Zero Carbon Buildings Framework issuedOn 30 April 2019, the UK Green building Council issued the ‘Net Zero Carbon Buildings: Framework’ to the construction industry. The Framework is aimed at enabling both old and new buildings in the UK to achieve net zero carbon status by 2050.

The Framework proposes two approaches for the attainment of net zero carbon buildings, one for in-use operational energy and a second for emissions released during the construction process. According to the report, buildings’ operational energy use should be reduced and, where possible, powered exclusively through renewably sourced energy. Emissions from productions and construction should be measured, reduced and offset in order to attain ‘net zero’ carbon emissions. While this Framework is initially intended as guidance, more stringent standards are expected to be developed over the next decade.

This new Framework has obvious relevance to all developers and real estate investors.


The principal regulator is the Environment Agency (EA).


The EA has the power to compel businesses to hand over documents in accordance with the requirements of the ‘Regulators’ Code’. The most commonly used power is found under section 108 of the Environment Act where the EA can require a business to produce records (including digital records) and provide copies if necessary.


The EA, in conjunction with the Police, has been known to conduct dawn raids. Dawn raids generally only come as a result of ‘serious’ breaches such as criminally organised illegal dumping of waste. The powers to carry out dawn raids originates from section 108(4) of the Environment Act 1995, which requires the EA to enter the premises at a reasonable time and allows the EA to take measurements, photographs, recordings and to retain articles for the purpose of an examination or investigation.


The EA can bring criminal proceedings. However, it only does so after considering all other options. As an alternative to criminal prosecution, the EA can also impose a civil sanction, such as an Enforcement Undertaking. These avoid some of the high investigative and legal costs for the EA in a time when it is focusing its budgets and resources on using criminal prosecution for the most serious offences.



The EA can prosecute any individual with the consent of a court or an insolvency practitioner. Financial penalties are generally not applied unless the penalty is mandatory, although the EA will always seek to recover the costs of investigations and enforcement proceedings.


The EA is more likely to issue either a fixed penalty notice or a formal caution if the offender admits/ reports the offence. However if the offence is ‘serious’, prosecution will normally be the outcome.


There are currently no new proposals for an extension of the EA’s powers. However, the new Environment Act, which is predicted to come into force following Brexit, will create a new ‘green watchdog’ called the Office for Environmental Protection (OEP). The OEP will work alongside the EA and will have the power to take businesses, public bodies and the government to court over any breaches of environmental law.

https://deframedia.blog.gov.uk/2019/03/13/government-to-mandate-biodiversity-net-gain/

https://www.ukgbc.org/ukgbc-work/net-zero-carbon-buildings-a-framework-definition/


Current issues.

Export Control

Kristian AssiratiAssociate, UK


08

Jon RoundSenior Associate


UK government acted unlawfully in relation to the sale of arms to Saudi Arabia On 20 June 2019, the Court of Appeal, overturning an earlier High Court decision, ruled that part of the UK government’s decision-making process for determining if export licences for the sale or transfer of arms or military equipment to Saudi Arabia was wrong in law.

The Court of Appeal decision does not mean the permanent suspension of current (extant) export licences granted to Saudi Arabia, nor necessarily an end to future sales. Instead, the government must reconsider the matter and make necessary assessments of past episodes of concern in its estimation of future risks.

Importantly for affected businesses, on 25 June 2019 the Export Control Joint Unit (ECJU) confirmed that extant licences were not immediately affected by the ruling, but that it was re-considering decisions made about those licences. It has, however, stopped new registrations for six military Open General Export Licences (OGELs) until further notice.

For more, see our Insight.

Exporting controlled goods after a no deal Brexit The ECJU has published an OGEL to allow, subject to certain conditions, the export of dual-use items from the UK to the EU in the event of a no deal Brexit. Licences are not currently required to export the majority of dual use items within the EU.

Affected businesses should consider registering for the OGEL through SPIRE, the ECJU’s online export licensing system. This OGEL removes the need for affected businesses to apply for individual licences and will come into force immediately following a no deal Brexit.

Businesses should also be aware that in the event of a no deal Brexit, export licences issued by remaining EU Member States would no longer be valid for exporting dual-use items from the UK. Businesses relying on licences issued by other Members States should be prepared to register for new authorisations in remaining EU Member States to justify those exports following a no deal Brexit

Modernisation of the EU dual-use export control regime On 28 September 2016, the European Commission published a proposal to amend the legislation underpinning the current European dual-use export control regime, the EU Dual Use Regulation. The proposed changes aim to harmonise, simplify, and introduce a new “human security” dimension to the existing European dual-use export control regime.

On 5 June 2019, the proposals moved a step further when the European Council issued its mandate for negotiations with the European Parliament. While the Council supports several of the changes originally proposed by the Commission, it has made material changes to key sections, including to the new ‘human security’ element discussed in further detail below. On the basis of this mandate, the Council will now start negotiations with the European Parliament.

https://www.judiciary.uk/wp-content/uploads/2019/06/CAAT-v-Secretary-of-State-and-Others-Open-12-June-2019.pdf

https://www.gov.uk/government/publications/notice-to-exporters-201909-court-of-appeal-judgment-about-military-exports-to-saudi-arabia/notice-to-exporters-201909-court-of-appeal-judgment-about-military-exports-to-saudi-arabia

https://www.osborneclarke.com/insights/uk-government-acted-unlawfully-making-export-licensing-decisions-sale-arms-saudi-arabia/

https://www.consilium.europa.eu/media/39555/mandate-for-negociations.pdf



Who are the regulators?The ECJU – part of the Department for International Trade – is responsible for administering and regulating the export of UK strategic goods.

Enforcement is carried out by HM Revenue & Customs (HMRC), Border Force and the Crown Prosecution Service (CPS).

In coming to export control decisions the ECJU obtains advice on foreign policy, defence and development matters from a range of additional UK government departments including:

• The National Cyber Security Centre.

• The Department for Business, Energy and Industrial Strategy.

• The Department for International Development.

Do they have powers to compel businesses to hand over documents?Yes. Any business licensed by the ECJU to export dual-use items is required to keep certain record of its exports and transfers. Those businesses must also enable the ECJU to inspect and copy those records. The purpose of that inspection is to ensure that the licences are being used correctly.

Do they conduct dawn raids?Unannounced visits are rare, but the ECJU does have powers to undertake ‘ad hoc’ inspections at any ‘reasonable hour’ without prior notice.

In most cases inspections are agreed six to eight weeks beforehand. The right to undertake ‘ad hoc’, unannounced visits is typically reserved for exceptional cases where the regulator happens to be inspecting others in the same location.

Are they able to bring criminal prosecutions (and do they do so)?Directors, officers and employees of businesses involved in exporting dual-use items from the UK can be held criminally responsible under the UK dual-use export control regime. For example, under the Customs and Excise Management Act 1979, exporting dual-use goods with “intent to evade” a restriction or prohibition is chargeable with a fine or criminal sentence of up to ten years.

However, in recent years we have seen the increasing use by HMRC of ‘compound penalties’: a fine by which HMRC can offer businesses (or individuals) the chance to settle cases that would otherwise justify being referred to the CPS (generally in a bid to avoid an expensive and protracted criminal investigation).

Do they bring prosecutions against individuals?There have been high profile prosecutions against individuals in recent years. For example, in 2014 the Managing Director of Delta Pacific Manufacturing Limited was jailed for two and a half years, and fined £68,000, for exporting specialised alloy valves to Iran in breach of UK dual-use export control laws. The alloy valves were routed through Hong Kong and Azerbaijan in order to conceal their final destination and avoid UK export controls.

Is there a self-reporting / leniency regime?HMRC accepts and processes voluntary disclosures of errors made by exporters.

Those disclosures are first assessed by HMRC. Depending on a range of factors, including the seriousness of the breach, appropriate action may include educational visits or the issuing of written warnings, through to compound penalties and investigations leading to criminal prosecution.

Are there any plans to introduce new powers (or use existing powers differently)?As outlined above, a re-cast of the EU dual-use Regulation is currently moving through the internal EU legislative process. Proposals under the re-cast regulation include a new ‘enforcement coordination mechanism’ to support information exchange and enforcement between EU Member States.

Are there any areas of new technology that are a particular focus of regulatory attention?There have been increasing calls for the EU dual-use export control regime to be upgraded to control the export of cyber-surveillance technology which could be misused for committing serious human rights violations, including surveillance software, more tightly.

This issue rose to particular prominence as a result of the use of EU-origin cyber-surveillance technologies during the Arab Spring protests in 2010. Against this background, in 2017 the European Commission proposed introducing a new “human security” dimension as part of the modernisation of EU export control law, as discussed above (for information about the cyber surveillance technology covered by the proposals, see our previous Insight.) The proposals have proved controversial for both EU stakeholders and the technology industry though, and the provisions no longer feature as prominently in the latest Council Mandate cited above.

https://www.osborneclarke.com/insights/upcoming-changes-to-bring-cyber-surveillance-technology-within-eu-export-control-regime/


How has digital transformation affected the regulators’ own behaviours?HMRC is currently pursuing a number of initiatives with the intention of digitising its functions and interfaces, as detailed in its “HMRC digital” blog. For example, it is automating an increasing number and range of tasks using machine learning. This is principally being deployed in relation to taxpayers, but as its digital capability increases, it is likely to use some of the tools that have been developed in relation to its export control function.


UK Border Force is bringing in artificial intelligence-based systems to monitor people coming into the country and flag those considered to be higher risk. As with HMRC, while the initial focus of this initiative is not export control, UK Border Force has said that this system will also be used to identify higher risk shipments coming into the country.

Dates for the diary

31 October 2019

Date by which businesses should consider registering for the EU OGEL (UK to EU exports) or registering for new authorisations in relevant Member States (to cover EU to UK exports) in the event that the UK leaves the EU without a deal in place.

2020

UK government’s appeal of Court of Appeal decision on the licensing of military weapons to Saudi Arabia to be heard by the Supreme Court.

https://hmrcdigital.blog.gov.uk


Current issue

Food Law

Katie VickeryPartner


09

Anna LundySenior Associate


New allergen labelling law The government has announced that it is planning to introduce new allergen labelling legislation in summer 2019, with businesses being expected to implement the changes by 2021. Food businesses will be required to provide a list of all ingredients for pre-packed foods for direct sale.

Food Contact Guidelines for the Compliance of Paper and Board Materials and ArticlesThe Confederation of European Paper industries has issued Food Contact Guidelines for the Compliance of Paper and Board Materials and Articles. The purpose of the guidelines is to provide advice on the requirements of Regulation (EC) 1935/2004 which applies to all materials and articles intended to come into contact with food.

The guidelines are aimed at food manufacturers, suppliers and business operators, as well as national authorities. They have been developed in conjunction with industry to assist paper and board manufacturers in demonstrating compliance with Regulation 1935/2004 in the absence of any specific legislation for paper and board packaging materials.

Food fraud in the organic sector Europol/INTERPOL has published the results of its “OPSON VIII” operation on fraudulent actions in the organic sector.

The action focused on complex international supply chains and aimed at identifying their vulnerable points. It also investigated suspicions of fraud and targeted false certification,

concentrating on food and feed in significant quantities which were mostly imported and destined for redistribution under an EU organic label.

The operation resulted in more than €100 million worth of potentially dangerous food and drinks being seized and 672 individuals arrested, with investigations ongoing in many countries.

Baby food and drink: Public Health England finds mislabelling and inconsistency with health advicePublic Health England has announced it has found several inconsistencies between the national infant feeding advice and how certain baby food and drink products are presented.

The majority of the issues relate to labelling and product information, with some foods marketed as healthy snacks being among those with the highest sugar content. The inconsistencies were found after Public Health England undertook an extensive evidence review, assessing 1,120 baby food and drink products.

New legislation on transparency and sustainability of the EU risk assessment model in the food chainThe purpose of this new legislation is to increase the transparency of the EU risk assessment model in the food chain and strengthen reliability, objectivity and independence of studies undertaken by the European Food Safety Authority (EFSA).

https://www.food.gov.uk/news-alerts/news/fsa-welcomes-new-allergen-labelling-law

http://www.cepi.org/fcg

https://ec.europa.eu/food/safety/food-fraud/coord-act_en#2019

https://www.gov.uk/government/publications/commercial-infant-and-baby-food-and-drink-evidence-review

http://europa.eu/rapid/press-release_MEMO-19-1031_en.htm


Current issue

The new Regulation is expected to be published in the Official Journal on 6 September 2019. Following its entry into force 20 days after publication, it will become applicable 18 months later (by the end of March 2021).

EFSA publishes its latest review of pesticide residues in foodEFSA’s latest review found that just under 96% of food samples it assessed were free from pesticide residues or contained traces that fell within legally permitted levels.

As part of its assessment, EFSA analysed around 88,000 samples collected from the 28 EU Member States, as well as Iceland and Norway. EFSA has concluded that acute and chronic dietary exposure to pesticide residue is unlikely to pose concerns for consumer health.

The future of online sales of foodThe International Conference on eCommerce of Food took place on 24 June 2019. The future of online sales of food was discussed. A running theme throughout the conference was the need for more regulation to:

• protect consumers purchasing food online;

• ensure the safety and quality of food purchased online;

• protect consumers from fraudulent and deceptive commercial practices when engaging in online transactions; and

• harmonise control procedures between EU and non-EU partners.

We expect to see changes to online food regulation in the coming months and years to address the various challenges posed and the aims of regulators.

Spirits industry agrees memorandum of understanding with the EU regarding alcohol labellingSpiritsEUROPE has agreed a memorandum of understanding which commits its signatories to including calorie labelling on pack and ingredient information online for two-thirds of spirits on the EU market by 2022.

The memorandum of understanding is a voluntary initiative agreed between the industry and the EU. Most of the major spirits manufacturers have agreed to sign up to the memorandum, and it is therefore expected that most industry players will shift to providing this information on a voluntary basis in an effort to avoid new regulation in this area.

Similar arrangements are anticipated for other alcoholic drinks categories and some beer manufacturers have already publicly committed to on-pack calorie labelling in anticipation of this.

Who are the regulators?The principal regulators are the Environmental Health and the Trading Standards departments of Local Authorities:

• Environmental Health departments regulate food safety and hygiene matters.

• Trading Standards departments regulate misleading labelling and pricing.

In addition, the Food Standards Agency and DEFRA have a role in relation to wider market issues.

Do they have powers to compel businesses to hand over documents?Regulators have very wide powers to compel businesses to hand over documents. However, whilst they can compel the business to provide documents, the regulator is often limited to taking copies (not originals), provided reasonable photocopying or printing facilities are available, unless the original version of the document is evidence in itself. They can also request copies of electronic documents which can be accessed from any premises they visit.


Do they conduct dawn raids?An authorised enforcement officer is entitled to entry to a premises although this should be at a reasonable hour.

Are they able to bring criminal prosecutions (and do they do so)?Regulators do have powers to bring criminal prosecutions. Prior to a prosecution being commenced, there will usually be engagement with the business. If the issue is relatively minor and the business agrees to make an appropriate change, then the matter may not proceed to prosecution. If corrective action is taken, such as a recall or withdrawal of a product from the market, that is often considered sufficient penalty.

However, for matters of food safety and hygiene, prosecutions are more likely, especially in circumstances where a consumer has been exposed to risk of harm and/or has suffered as a result of the breach.

http://www.efsa.europa.eu/en/press/news/190626

https://ec.europa.eu/commission/commissioners/2014-2019/andriukaitis/announcements/international-conference-ecommerce-food_en

https://spirits.eu/upload/files/publications/CP.MI-098-2019-MoU-Final%20Version%20on%20website%20without%20signature-%204%20June%202019.pdf



Do they bring prosecutions against individuals?Provisions exist for personal prosecution, including of directors and senior managers of companies. Personal prosecutions are more common in relation to sole traders or small businesses.

Is there a self-reporting / leniency regime?There is a requirement to notify regulators where a product poses a safety risk but there is no formal self-reporting/leniency regime.

Are there any plans to introduce new powers (or use existing powers differently)?The Food Standards Agency has embarked on a programme of reforms through to 2020 under the banner of “Regulating our Future”.

Are there any areas of new technology that are a particular focus of regulatory attention?There is an international focus on how countries can ensure the safety and quality of foods purchased online. This is likely to be subjected to much more discussion and scrutiny over the next months and years.

There is also likely to be much more focus on emerging food technologies such as 3D printing of foods as those technologies becomes more commonplace.

How has digital transformation affected the regulators’ own behaviours?The FSA’s “Regulating our Future” initiative demonstrates how the regulator is looking to modernise the way that it regulates. Part of this is about being able to respond to technological change, with specific measures such as establishing a data-driven ‘risk engine’ to generate a risk score for businesses.

Dates for the diary

Q3 2019

New allergen labelling laws expected to be introduced.

September 2019

New legislation on transparency and sustainability of the EU risk assessment model in the food chain expected to be in force, requiring implementation by the end of March 2021.

Q3 2019

EFSA safety assessment expected on Cannabidiol as part of novel food application.


Current issues

Health & Safety

Mary LawrencePartner


Matthew KyleAssociate Director, UK


10

HSE publishes fatal injury statisticsThe HSE has published its annual figures, which show that there were 147 deaths at work in 2018/19 (as reported under the RIDDOR regime). This is broadly in line with the number for the past five years.

The majority of fatalities are caused due to falls from height (40) and the movement of vehicles (30), so both will remain an area of focus for the HSE. The majority of deaths were in the agriculture, forestry and fishing (32), construction (30) and manufacturing (26) sectors.

A total of 92 members of the public were killed in 2018/19 as a result of a work-connected accident. Of these deaths, about a third (32) occurred on railways and a further 23 occurred in the health and social work sector.

Fire Safety Review: what’s the current status?The report from Phase 1 of the public inquiry into the fire at the Grenfell (which focussed on what happened on the night of the fire) is expected by October this year. The second phase considering the wider circumstances that led to the tragedy is now underway.

In the wake of this inquiry and specifically following the government’s acceptance in full of the recommendations of Dame Judith Hackett’s independent review on fire safety and building regulations, we anticipate that parliament will debate new legislation next year; although possibly implementation may not be until 2021. It is expected that new duty holders will be created and that there will be much tighter obligations on coordination and the provision of building information.

Working at height hazardsDespite being an obvious risk, falls from height continue to be a major cause of injury and fatalities in the workplace. The All-party Parliamentary Group on working at height published its report earlier this year. Whilst the primary legislation was considered to be fit for purpose, its recommendations bring a renewed focus on this issue.

The report recommended:

• Enhanced reporting under RIDDOR to provide full details of the fall.

• An independent body to allow for confidential reporting of near misses and accidents that are not RIDDOR-reportable.

• An extension of the Working Well Together campaign beyond the construction sector.

• An equivalent system to Scotland’s Fatal Accident Inquiry process.

Perhaps the most likely of these to gain traction is the enhanced reporting, since the effect of a slimmed down regime under RIDDOR has meant that the capture of detailed data has been lost.

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/707785/Building_a_Safer_Future_-_web.pdf

https://workingatheight.info/wp-content/uploads/2019/02/Staying-Alive-APPG-REPORT.pdf


Current issues

It is unclear what a new investigating body would achieve over and above the HSE or why it should be exclusive to falls from height. Interestingly, one of the areas for further consultation outlined was the creation of a digital technology strategy including tax relief for small firms.

It is clear that working at height is perceived as not being adequately managed. Reports such as this, when aligned with responsibilities to design out work at height and the advent of accessible technology such as drones, rightly demonstrate an expectation that organisations can be doing more to control this risk.



Who are the regulators?The primary regulator is the Health and Safety Executive, although the police, local authorities and sectoral regulators such as the Office of Rail and Road may be involved in relation to safety incidents.

Where an incident has resulted in a death, the Police will have primacy of the investigation until relevant safety-related offences (corporate and/or gross negligence manslaughter) have been ruled out, following which they will continue to gather evidence for the Coroner.

Safety related offences are criminal and are investigated depending on the industry sector in which they occurred. Broadly, local authorities are the main enforcing authority for retail, wholesale distribution, warehousing, hotel and catering premises, offices, and the consumer/leisure industries. The ORR regulates the rail industry’s health and safety performance and is also the monitor of Highways England, with the HSE broadly having responsibility for the remaining industry sectors (such as manufacturing and agriculture).

Do they have powers to compel businesses to hand over documents?.The Police can seize documents/articles as evidence of an offence, but this often requires a warrant. Local authorities, the HSE and the ORR (which have the same powers under the Health and Safety at Work Act 1974) have powers (when lawfully on premises) which include inspection and copying of documents, taking measurements, photographs and samples and the power to seize and destroy in certain circumstances. These authorities also have the power to compel witnesses to answer questions, with failure to do so being an offence.

Do they conduct dawn raids?Most investigations follow an incident (although there may not necessarily have been any injury), so attendance by enforcing authorities will often be expected. However, the HSE and other authorities do have the power to enter premises at any reasonable time to inspect health and safety compliance.

Are they able to bring criminal prosecutions (and do they do so)?Yes. Prosecutions following Police investigations are brought by the Crown Prosecution Service, but the agencies enforcing health and safety prosecute in their own right.

Do they bring prosecutions against individuals?Yes. In addition to the offence of gross negligence manslaughter, there are safety offences specific to individual employees and a further offence for those with management responsibilities, such as directors and senior officers.

Is there a self-reporting / leniency regime?No. There is no self-reporting regime, and no general obligation to report a breach. However, certain health and safety incidents have to be reported and where this is the case, it is an offence not to do so.

There is no leniency regime as such, but cooperation with enforcement agencies post-incident is a sentencing consideration.

Are there any plans to introduce new powers (or use existing powers differently)?There are no specific plans. However, in recent years, the Police have become much more engaged in the investigation of work related safety incidents. The HSE has also increased the number of investigations and resulting prosecutions of individuals.

Are there any areas of new technology that are a particular focus of regulatory attention?Drones are increasingly used (and expected to be used) to eliminate or reduce work at height, particularly where visual inspections are required. The European Commission has adopted EU rules to apply to all operators of drones, with guidance due to be published later this year.

How has digital transformation affected the regulators’ own behaviours?As well as the application of technology to minimise exposure to risk, the way in which health and safety issues can be monitored, for instance through real time metrics and then better management of that data to inform control measures, will undergo a step change in the coming years.

One knock-on effect of the safety improvements that digital transformation can bring is that there is likely to be a subtle shift upwards to the benchmark of what may be reasonably practicable for employers to do to control the risks of their business.


Current issues

Product Regulation

Anna Lundy Senior Associate, UK


Katie Vickery Partner


11

Connected devices | Security by design Following the release of a voluntary Code of Practice in October 2018, the government opened a further consultation (which closed in June 2019) to make some or all of the Code mandatory. The results of the consultation are awaited but it is expected that the following will become mandatory:

• Passwords must be unique and not resettable to a default factory password.

• Manufacturers will need to be explicit about the minimum length of time a product will receive security updates.

• Manufacturers will need to have a public point of contact for issues to be reported to as part of a Vulnerability Disclosure Policy.

We are also expecting a mandatory labelling scheme to inform consumers whether security features have been implemented and how long security updates will be provided. This will operate on a voluntary basis initially.

Increased market surveillance across the EU for non-food productsOn 20 June, an EU Regulation (2019/2010) was adopted that aims to strengthen market surveillance powers, improve coordination across member states and increase enforcement across the majority of non-food products.

In particular, there is a specific requirement for a manufacturer based outside of the EU to identify a person (natural or legal) who is responsible for providing compliance information and cooperating with the market surveillance authorities.

EU Fitness Check Report on chemicals legislationThe European Commission has released its Fitness Check report on chemicals legislation (excluding REACH) as part of its REFIT programme. The Report examined over 40 pieces of legislation covering the entire life cycle of chemicals including their application and use in products.

The overall conclusion is that the legislation is fit for purpose but there are areas of weakness, particularly in implementation and enforcement, and the communication of hazard and safety information.

Brexit | Product standards and safety markingThe House of Commons Library has released a briefing paper in preparation of Brexit. It is already known that the “CE Mark” will be replaced with a “UKCA” mark, but in addition, the EU will no longer recognise UK notified bodies. Therefore products sold in the EU under notified body approval will need to ensure that the notified body is based in the EU27.

https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security

https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R1020&from=EN

http://ec.europa.eu/transparency/regdoc/rep/1/2019/EN/COM-2019-264-F1-EN-MAIN-PART-1.PDF

https://researchbriefings.parliament.uk/ResearchBriefing/Summary/CBP-8583#fullreport



In the UK, the government intends to rename notified bodies as “approved bodies” and businesses will only be able to apply the UKCA mark and sell their products in the UK if (where applicable) the product has been assessed and approved by a UK approved body.

Timber RegulationsWe have seen an increased focus in enforcement of the Timber Regulations (EU 995/2010), which prevents illegally harvested timber and timber products from being placed on the market.

The Regulations also impose requirements to have a defined due diligence and risk assessment process in place. This applies to a number of wooden products including furniture, frames, casks, barrels and packing crates.

“Made in Germany”YouGov recently conducted an interesting poll to understand consumer perception of “Made in” statements for different countries. Consumers have the most positive reaction to products made in Germany, with Italy and UK coming second and third respectively. China has the most negative perception.

Who are the regulators?The primary regulators are Trading Standards and the Office for Product Safety and Standards (OPSS). However, there are a number of sector-specific regulators for particular types of products, for example the MHRA will regulate medical devices.

Generally, most product-related issues are dealt with by Trading Standards at local authority level and National Trading Standards for wider market issues.

Do they have powers to compel businesses to hand over documents?Regulators can compel the business to provide documents, although the regulator is often limited to taking copies (not originals), providing reasonable photocopying or printing facilities are available, unless the original version of the document is evidence in itself. Regulators can also request copies of electronic documents which can be accessed from any premises they visit.

Do they conduct dawn raids?An authorised enforcement officer is entitled to entry to a premises although this should be at a reasonable hour.

Are they able to bring criminal prosecutions (and do they do so)?Yes. Prior to a prosecution being commenced, there will usually be engagement with the business. If the issue is relatively minor and the business agrees to make a change then the matter may not proceed to prosecution. If there is a product recall or withdrawal, that is often considered sufficient penalty. Prosecutions in this space tend to be for wilful disregard of the law or for extremely serious safety issues.


Do they bring prosecutions against individuals?Provisions exist for personal prosecution, including of directors and senior managers of companies. Personal prosecutions are more common where there are sole traders or small businesses.

Is there a self-reporting / leniency regime?There is a requirement to notify regulators where a product poses a safety risk but there is no formal self-reporting/leniency regime. However, a positive and cooperative approach with a regulator is generally beneficial.

Are there any plans to introduce new powers (or use existing powers differently)?The OPSS will shortly be able to enforce under the General Product Safety Directive in addition to existing legislation (see below).

Are there any areas of new technology that are a particular focus of regulatory attention?There is an increased focus on IoT connected devices and new requirements being put in place to ensure security by design (as discussed above under Key Issues).

National Trading Standards has a separate e-crime unit that focusses on online scams, misleading websites, subscription traps and online shopping frauds.

How has digital transformation affected the regulators’ own behaviours?Regulators have increased their surveillance of the online world and new technology products that are coming on to the market. This has led to consolidation of experience within particular regulators and the setting up of focussed teams.

https://d25d2506sfb94s.cloudfront.net/cumulus_uploads/document/ajftirezq9/YouGov%20Cambridge%20Globalism%20Project%20-%20Made%20In%20X.pdf


Dates for the diary

23 July 2019

Consumer Rights Act 2015 (Enforcement) (Amendment) Order 2019 takes effect. This extends the enforcement powers of the OPSS to the General Product Safety Regulations 2005.

31 October 2019

In the event of a no deal Brexit on this day, the new UKCA mark (which replaces the CE mark) will become law. Products sold in the UK with a CE mark will be permitted to be sold for a “time-limited period” (although how long this will be has not been specified). It would be prudent to start planning for the introduction of this mark in new labelling designs.

There is one exception where the UKCA mark will apply from Brexit Day. This is where a product is certified by a UK notified body and is being sold in the UK.

1 January 2020

From 1 January 2020, a Unique Formula Identifier is required under the CLP Regulation on the label of products with mixtures classified as hazardous.

26 May 2020

Medical Devices Regulation fully applies.

1 January 2021 and 16 July 2021

EU Regulation 2019/1020 on increased market surveillance across the EU for non-food products comes into effect from 16 July 2021, with the exception of certain provisions that come into effect from 1 January 2021.


Current issues

Regulated Procurement

Catherine WolfendenPartner


Kate DaviesAssociate, UK


12

Damages claim can continue even after procurement abandoned It is usual for contracting authorities and utilities to abandon a procurement as a means of closing down a challenge from an unsuccessful bidder. Usually, the parties are able to discontinue the claim by consent shortly after the abandonment.

In Amey Highways Ltd v West Sussex County Council, the Court held that the Council’s decision to abandon the procurement after receiving a challenge did not extinguish the claimant’s cause of action, and that the claimant was entitled to continue to pursue its claim for damages against the Council if it chose to do so.

The difference between the winning bidder and Amey’s scores was 0.03%. The Court held that, although the Council was entitled to decide to abandon the procurement and had done so lawfully, Amey had established that it had incurred loss and damage as a result of the Council’s actions before it abandoned the procurement. This means that the abandonment had no impact on Amey’s claim, despite no contract ever being awarded under the procurement due to the abandonment.

This case could signal an important new development in the handling of procurement challenges, particularly in relation to decisions to abandon procurements as a way of shutting down legal challenges.

Incumbent advantage is not necessarily an unfair advantageIn Proof IT SIA v EIGE, the CJEU held that, whilst an incumbent bidder undoubtedly benefits from an advantage by having performed the previous contract, that advantage is not necessarily unfair.

The claimant alleged that, in evaluating bids against the award criteria, the contracting authority had allowed the incumbent to benefit from the knowledge it acquired in previously performing a similar contract for the contracting authority.

The Court found that the contracting authority had not breached the principle of equal treatment and was not under an obligation to take steps to remove the incumbent’s advantage. The Court noted that it is inevitable that an incumbent bidder will enjoy an inherent advantage in a procurement procedure, but the principle of equal treatment does not generally prevent a contracting authority, nor an incumbent bidder, from using the market advantages enjoyed by one firm above another.

The case provides helpful clarity on the extent to which public procurement law requires the advantages enjoyed by an incumbent bidder to be levelled against other bidders.

www.casemine.com/judgement/uk/5cecd8f22c94e04633569346

https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A62017TN0010


Guide for voluntary, community and social enterprise sector on bidding for public contractsThe Office for Civil Society (part of the Department for Digital, Culture, Media and Sport) has produced a user-friendly guide to bidding for public contracts for organisations in the voluntary, community, and social enterprise sector.

The guide provides a basic overview of how to find and bid for public contracts, specifically targeted at VCSE bidders, including:

• Where to find contract advertisements.

• Different types of early engagement events and how to search for them.

• How to showcase social value in a bid.

Recent case law on mergers during tendersThere have been two recent EU decisions in long-running cases dealing with mergers between bidders during or soon after a procurement.

Current issue

In Telecoms Italia SpA v Ministero dello Sviluppo, two bidders pre-qualified separately for a procurement and, having merged during the live procurement, sought permission from the contracting authority to continue bidding as a newly formed single entity.

The Advocate General gave an opinion that, whilst it is usually the case that a bidder must pre-qualify in order to submit a tender, it is permissible to “adjust” the identity of bidders in certain circumstances. As both bidders had pre-qualified, it should be permissible for them to submit a tender as a newly-merged entity, provided that the bidders did not coordinate to benefit from unfair advantages compared to other bidders. There was no suggestion that this was the case.

In Sopra Steria Group SA v European Parliament, the General Court held that a contracting authority was entitled to reject two bidders who, having each won a lot as part of their respective consortia, failed to declare their merger (which completed after the procurement had concluded).

The tender had required bidders to declare potential conflicts, such as those arising from mergers. The Court held that the bidders should have declared the merger, and that the authority was entitled to reject both bidders on the basis that the resulting group structure would give rise to conflicts of interest.

Who are the regulators?There is no regulator of public procurement regulations in the UK.

Compliance with public procurement law is enforced through the High Court by suppliers bringing legal action against contracting authorities / utilities who breach the rules. The Court has the power to set aside contracts, award damages for loss of profits and wasted bid costs, and fine public bodies.

Complaints may also be made directly to the European Commission.

In the health sector, NHS Improvement (formerly known as Monitor) has the power to investigate and issue directions in relation to contracts for NHS health care services awarded by NHS commissioners under the NHS (Procurement, Patient Choice and Competition) Regulations. NHS Improvement has the power to declare contracts ineffective, but has never exercised this power to date. It does not have the power to order NHS commissioners to pay monetary damages.

The Cabinet Office’s Public Procurement Review Service (formerly known as the Mystery Shopper service) is able to investigate concerns and make recommendations to contracting authorities regarding best practice, but does not have enforcement powers.


Do they have powers to compel businesses to hand over documents?The Technology and Construction Court (TCC) hears the majority of public procurement challenges, and has issued guidance recommending that contracting authorities hand over key documents relating to the alleged breach of the regulations as early as possible in any dispute.

Even if a contracting authority refuses, at a certain stage in the legal proceedings, both parties will be required to disclose key documents to each other.

In addition, any documents held by a public body can be requested under the Freedom of Information Act 2000 (although certain information will be exempt from disclosure for reasons relating to commercial interests or ongoing legal proceedings).

NHS Improvement has the power to require an NHS commissioner to provide it with information for its investigation.

Do they conduct dawn raids?No. As there is no regulator, there are no dawn raids in relation to regulated procurement.

https://www.gov.uk/government/publications/vcses-a-bidders-guide-to-working-with-government

https://eur-lex.europa.eu/legal-content/HU/TXT/?uri=CELEX%3A62017CN0697

https://publications.europa.eu/en/publication-detail/-/publication/0d57a024-3f2e-11e5-9f5a-01aa75ed71a1



Are they able to bring criminal prosecutions (and do they do so)?No.

Do they bring prosecutions against individuals?No.

Is there a self-reporting / leniency regime?Public procurement law provides that contracting authorities may not award public contracts to suppliers that have committed certain offences or demonstrated misconduct in previous contracts. Suppliers that meet any of the exclusion grounds (listed within the UK legislation) can avoid exclusion by providing evidence of “self-cleaning”. The evidence must demonstrate that the supplier has taken “appropriate measures” (as set out in the legislation) to demonstrate reliability despite the existence of an exclusion ground.

Appropriate measures include: having paid compensation in relation to damage arising out of misconduct; having collaborated with investigating authorities; and having implementing concrete technical, organisational and personnel measures to prevent further misconduct.

If a supplier can demonstrate “sufficient” self-cleaning (as determined by the authority), the supplier cannot be excluded.

Are there any plans to introduce new powers (or use existing powers differently)?For several years, public procurement lawyers have discussed the arguments for and against:

• introducing an independent UK procurement regulator, with powers of enforcement against contracting authorities; and/or

• introducing a public procurement tribunal that would deal with legal challenges quicker and more cost effectively than the High Court (similar to, for example, Iceland’s Public Procurement Complaints Commission, which deals with and resolves complaints in around three months).

There are currently no plans in the pipeline to introduce either of these new regimes. It may be that Brexit presents an opportunity for the UK government to overhaul the procurement regime in the UK, although there is some scepticism as to whether this would be deemed a priority for the government in the wake of Brexit.

Are there any areas of new technology that are a particular focus of regulatory attention?Procurement tools that use artificial intelligence (AI) are being developed across the EU to increase the efficiency of procurement procedures. At present, such tools are predominantly being developed for and used by the private

sector for unregulated procurements. The use of such tools in the public sector is likely to follow once they are more established. Market analysts suggest that artificial intelligence could introduce the following improvements in procurement:

• Better supply management, enabling authorities to anticipate supply chain requirements (and the need for a competitive procurement) further in advance and with greater accuracy.

• More sophisticated spend forecasting and predictions based on a broader analysis of market intelligence, allowing for more accurate contract value estimations.

• Better price benchmarking against comparative contracts, enabling contracting authorities to have a better understanding of what price they should be paying.

• More sophisticated evaluation when comparing different contract models. At present, evaluators find it very difficult to compare variant bids, to the extent that most tenders require bidders to bid against the same set of criteria and pricing structure. An AI-based evaluation tool may be capable of identifying the most economically advantageous tender from a variety of different contract models, increasing the potential for innovative bids.

• More innovative and complex procurement procedures (i.e. procedures that would be too resource-intensive for a contracting authority to run without the aid of artificial intelligence).

• More comprehensive risk assessment of potential suppliers at selection stage, based on deep market intelligence, leading to more reliable suppliers. An artificial intelligence tool with access to information from across the public sector could provide early warnings of a potential Carillion-style collapse, or could, for example, allow for the exclusion of a supplier linked to poor production processes in a developing country.

How has digital transformation affected the regulators’ own behaviours?Whilst public procurement in the UK and EU has not yet evolved significant new digital practices that affect the way in which countries procure contracts, the digital transformation could lead to new behaviours.

For example, in South Korea, public entities procure contracts through a nationwide web-based procurement system (KONEPS). Data from the KONEPS is fed into a national Bid Rigging Indicator Analysis System (BRIAS) to identify potential collusion. BRIAS collects information from KONEPS on a daily basis and analyses the bidding price, the number of participants and the competition method, and produces a potential bid-rigging score. If the score is above a certain threshold, this suggests a need to collect more information and potentially open an investigation into suspected collusion. Whilst we have not seen any UK or EU examples of such wide-reaching practices in public procurement, the digital transformation opens up such opportunities.


Dates for the diary

1 September 2019

From 1 September 2019, all central government bodies, their executive agencies and non-departmental public bodies must include new selection questions on the approach to payment for any procurements above £5m per annum.

The new questions should be included at section 6.2 of the standard selection questionnaire. The government has issued guidance on how the new questions should be assessed.

18 April 2020

On 18 April 2019, the Public Contracts Regulations 2015 was amended to include new requirements relating to electronic invoicing, as set out in the Public Procurement (Electronic Invoices etc.) Regulations 2019. The Utilities Contracts Regulations 2016 and the Concessions Contracts Regulations 2016 will be amended to include comparable provisions on 18 April 2020.

The new provisions require contracting authorities and (from 18 April 2020) utilities to accept and process any undisputed supplier invoices that comply with the technical e-invoicing standards developed under the overarching EU Directive. Contractual terms to this effect will be implied into all regulated contracts after the relevant implementation date for each regulation.

The Cabinet Office’s Procurement Policy Note includes guidance and model contractual terms.

2 September 2019

The Cabinet Office is due to publish the results of its consultation on how government should take account of social value in the award of social contracts. The consultation sought comments on a proposed new evaluation model for social value, including proposed questions, possible responses and proposed evaluation metrics.

The intention is for the new model to apply to procurements run by central government departments, executive agencies and non-departmental public bodies.

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/760127/PPN_0418.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/802963/_Procurement_Policy_Note_03_19-_The_Public_Procurement__Electronic_Invoices_etc.__Regulations_2019.pdf

https://www.gov.uk/government/consultations/social-value-in-government-procurement

© Osborne Clarke LLP July 2019Publication number H_1907041248FWE

Date post:	20-Sep-2020
Category:	Documents
Upload:	others
View:	3 times
Download:	1 times

Regulatory Outlook - Osborne Clarke · 2019. 7. 18. · 5 Regulatory Outlook | Helping you succeed...

Documents