This IT & Outsourcing e-bulletin contains summaries of the following recent developments in law and regulation in the EU and the UK:
- Sourcing 3.0: The rise of the intelligent customer
- Digital Developments: European Commission adopts Digital Single Market Strategy
- Snooping Returns: Queen's speech sets out plans for new Investigatory Powers Bill
- Paying the penalty: ICO publishes new guidance on Monetary Penalty Notices
- Securing cyber space: International Chamber of Commerce launches new cyber security guide for business
- Data Protected: CII group launch data protection best practice guide
1. Sourcing 3.0: The rise of the intelligent customer
New technology solutions and regulatory compliance challenges have disrupted the traditional approach to outsourcing, procurement and services agreements. As a result, the way in which business customers buy IT and other services, and the contract structures for doing so, have changed significantly in recent years.
In an article for PLC magazine, Nick Pantlin, Keith Robinson, David Coulling and Miriam Everett of Herbert Smith Freehills LLP consider how these developments have changed attitudes to risk in sourcing transactions and how businesses are adapting their contract structures and delivery models.
To view the article, please click here.
This article first appeared in the May 2015 issue of PLC Magazine – click here for the PLC magazine home page.
2. Digital Developments: European Commission adopts Digital Single Market Strategy
The European Commission is pursuing a range of actions of significant importance to companies operating in the TMT (technology, media and telecoms), creative and other sectors, including in particular those which use or intend to use online distribution and/or data sharing technologies.
On 6 May 2015, the Commission officially adopted its Digital Single Market ("DSM") Strategy and announced its competition inquiry into the e-commerce sector. At the same time, the Commission has also stated its intention to carry out a public consultation in relation to online platforms.
Digital Single Market Strategy: 16 actions under 3 pillars
The DSM Strategy includes a set of 16 key actions to be delivered by the Digital Single Market project team by the end of 2016. These actions fall under three pillars:
Better access for consumers and businesses to digital goods and services across Europe, including:
- rules to make cross-border e-commerce easier, such as harmonised legislation on contracts and consumer protection;
- a review of the Consumer Protection Cooperation Regulation;
- more efficient and affordable parcel delivery;
- ending what the Commission deems to be "unjustified" geo-blocking;
- a "modern, more European copyright law" allowing for wider online access to works across the EU including further harmonisation measures;
- identifying potential competition concerns in European e-commerce markets;
- reviewing the Satellite and Cable Directive to assess if its scope needs to be enlarged to broadcasters' online transmissions and to explore how to boost cross-border access to broadcasters' services across Europe; and
- reducing the burden on businesses from differing VAT regimes.
Creating the right conditions and a level playing field for digital networks and innovative services to flourish, including:
- an overhaul of EU telecoms rules;
- a review of the audio-visual media framework to make it fit for the 21st century;
- a comprehensive analysis of the role of online platforms (search engines, social media, app stores etc.);
- how best to tackle illegal content on the Internet;
- reinforcing trust and security in digital services, especially the handling of personal data; and
- proposing a partnership with the industry on cyber security in the area of technologies and solutions for online network security.
Maximising the growth potential of the digital economy, including:
- a proposed 'European free flow of data initiative' to promote the free movement of data in the EU;
- defining priorities for standards and interoperability in areas critical to the DSM; and
- supporting an inclusive digital society.
Competition e-commerce inquiry launched
To complement the actions targeted within the DSM Strategy, the Commission has launched an e-commerce sector inquiry in order to identify potential competition concerns affecting European e-commerce markets.
The inquiry will have a particular focus on potential barriers to cross-border trade in those goods and services where e-commerce is most prevalent, such as electronics, clothing, shoes and digital content. The inquiry may also cover free-to-air and public broadcasting, as well as advertising-based broadcasting. If during the course of the inquiry the Commission identifies any potential infringements of competition law it could open investigations under the standard competition rules. The Commission has also indicated that the national competition authorities will play a key role in this sector inquiry. They will have the ability to review and contribute to the information gathered by the Commission and will be consulted on the inquiry's results.
EU public consultation on online platforms
Another notable feature of the Commission's announcement was the commitment to launch before the end of 2015 a comprehensive assessment of the role of platforms, including in the sharing economy, and of online intermediaries, which will cover issues such as (i) transparency e.g. in search results (involving paid-for links and/or advertisements), (ii) platforms' usage of the information they collect, (iii) relations between platforms and suppliers, (iv) constraints on the ability of individuals and businesses to move from one platform to another, and (v) how best to tackle illegal content on the Internet.
The Commission has expressly acknowledged that platforms have proven to be innovators in the digital economy, helping smaller businesses to move online and reach new markets, and that they have a significant role to play in the rise of the sharing economy which offers opportunities for increased efficiency, growth and jobs through informed consumer choice. However, (as is clear from the Commission's competition law investigations into Google), it also considers that platforms raise a number of new regulatory questions which require consideration, such as:
- The fundamental question of what constitutes a "platform" (e.g. what common characteristics bring different services such as Facebook, eBay and Spotify under the common heading of platforms).
- Lack of user understanding about the ways in which platforms collect and process data and present information (e.g. through the use of algorithms).
- Lack of consumer awareness about the way in which data relating to users' online activities are collected and used.
- Lack of consumer understanding as to whether they are contracting with the platform or a third party upstream merchant when using a platform.
- Discrimination by platforms to favour their own services over those of third parties.
- Pricing or marketing restrictions imposed by some platforms on third party merchants.
This is a different review to the competition inquiry on e-commerce which is conducted under the Commission's formal competition law powers. The online platform public consultation, which will be broader/more 'holistic' than a competition law review, will be led by DG Connect (rather than DG Competition) and its aim is to consider possible proposals for legislation rather than findings in relation to compliance with competition law. However, the Commission's Competition Commissioner, Margrethe Vestager has been quoted as stating that the Commission is "very aware" that it is dealing with fast-moving markets and that it would only legislate where the legislation would be "future proof".
3. Snooping Returns: Queen's speech sets out plans for new Investigatory Powers Bill
On 27 May 2015, the Queen's speech set out the Government's plans for a new Investigatory Powers Bill to "address gaps" in intelligence gathering and access to communications data which is putting "lives at risk".
Details of how the legislation will work will be published in due course but the purpose of the legislation has been described as:
- addressing on-going capability gaps that are severely degrading the ability of law enforcement and intelligence agencies ability to combat terrorism and other serious crime;
- maintaining the ability of intelligence agencies and law enforcement to target the online communications of terrorists, paedophiles and other serious criminals;
- modernising the law in these areas and ensuring it is fit for purpose; and
- providing for appropriate oversight and safeguard arrangements.
It is thought likely that the legislation will require internet service providers and mobile operators to log much more data about what their customers are doing, including data on who people call, text, tweet and instant message, what games they play, and when they post on social networks.
However, it is also likely to be wider in scope than many had expected. In addition to legislating for the tracking of individual web and social media use, it looks likely that the Bill will also amend existing powers of the security services in relation to the bulk interception of the content of communications.
For further details, please click here.
4. Paying the penalty: ICO publishes new guidance on Monetary Penalty Notices
The Information Commissioner's Office has published new guidance on the issue of Monetary Penalty Notices.
The right for the ICO to impose Monetary Penalty Notices is derived from sections 55A to 55E of the Data Protection Act 1998 (the "Act"). These sections were subsequently inserted into the Privacy and Electronic Communications Regulations 2003 (the "2003 Regulations") to enable Monetary Penalty Notices to be imposed in relation to breaches of the 2003 Regulations.
A Monetary Penalty Notice is a notice requiring a data controller or person to pay a monetary penalty of an amount determined by the Commissioner and specified in the notice. The amount of the monetary penalty determined by the Commissioner must not exceed £500,000. The Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the Act or if any person has seriously contravened the 2003 Regulations and if, in both cases, the contravention was of a kind likely to cause substantial damage or substantial distress.
The Commissioner now issued new guidance about how he proposes to exercise his power to serve Monetary Penalty Notices. The new version of its guidance provides more detail on terminology including what "distress" and "substantial" mean as well as removes the section on the cancellation of Notice of Intent.
Note that with effect from 6 April 2015, the Privacy and Electronic Communications Regulations 2015 amended section 55A(1) of the Act when it applies to the Privacy Regulations 2003. This amendment removed the need to prove "substantial damage or substantial distress" before imposing a fine in respect of a serious breach of regulations 19 to 24 of the Privacy Regulations 2003, which relate to unsolicited direct marketing calls, texts and emails, automated calls, fax messages, identification of sender and the information regulations. The new guidance on Monetary Penalty Notices does not include this recent amendment and may therefore need updating in the future.
A copy of the guidance is available here.
5. Securing cyber space: International Chamber of Commerce launches new cyber security guide for business
The International Chamber of Commerce has launched a cyber security guide for businesses. The guide is free to download and is the first of its kind to be issued by an international business organization. It is complemented by an online appendix of resources which provides more specific advice, including on standards of practice and technical standards, and other resources and contacts which will be added to over time.
The guide, informed by global cyber security guidelines and national strategies, is intended to help companies of all sizes to manage their approach to cyber security and mitigate threats posed by cybercrime.
It responds to the need for material which can be used to frame discussions between business management and IT professionals, and the fact that in today's economy modern information and communications technologies unearth new risks which businesses need to recognise and deal with effectively.
The guide advocates using a risk management process to improve a business's cyber security. Key features include a security self-assessment questionnaire, a set of five principles for reducing cyber-related risk and a checklist of six essential steps every company should be taking to maintain a high calibre of information security.
It is recommended that the guide be shared with business partners in the supply chain of goods and services and with the public sector to enhance resilience as broadly as possible.
A copy of the guidance is available here.
6. Data Protected: CII group launch data protection best practice guide
The Chartered Insurance Institute has published industry Best Practice Guidance (the "Guidance") in relation to Section 29(3) of the Data Protection Act 1998 which allows disclosure of personal data in relation to the investigation of a crime or taxation. The Guidance has been provided to address issues including high volume and poor quality Section 29(3) data requests.
Section 29(3) allows an organisation to disclose personal data to a third party where it is for the prevention/detection of crime, the apprehension/prosecution of offenders, or the assessment/ collection of tax/duty, and non-disclosure would prejudice one of these reasons.
Users of the Guidance are encouraged to use a S.P.A.R.C Methodology when making/ responding to a request, which means considering:
- Subject matter of the request and whether this has been clearly set out;
- Proportionality of the information requested in relation to the requester's investigations;
- Articulation of concerns by the requester – this should be clear and relevant;
- Relevance of the data request to the crime or taxation being investigated;
- Clearly stating the specific crime or taxation matter being investigated.
The Guidance makes suggestions in respect of certain roles within organisations, including Claims Director, Fraud Manager, SPOC, Intelligence and Case Handlers, with training for each role being recommended.
Repeated non-compliance with the Guidance should be discussed at the Insurance Fraud Bureau ("IFB") Quarterly Forums, but the IFB will not be acting as an arbitrator in the case of any disputes.
A copy of the guidance is available here.