The UK Government's response to its consultation on the NIS directive

On 29 January 2018 the UK Government published its much-awaited response to the Security of Network and Information Systems Directive (‘NIS’) consultation, which was launched on 8 August 2017 with a response expected before the end of 2017. Emma Wright, Partner at Kemp Little, reviews the key points found within the Government’s response to the consultation, and looks at what Digital Service Providers and Operators of Essential Services should do now to ensure compliance ahead of the 9 May 2018 implementation date.

Member States have until 9 May 2018 to implement NIS; it will introduce obligations to secure the technology, data and networks (‘Systems’) used to provide the UK’s essential services and report incidents that have a significant impact on them whether that be through a cyber event, an event typically seen as a ‘force majeure event’ or another physical event where there is an impact on the security of the Systems.

The key industries affected are: water, electricity, oil, gas, digital infrastructure, health and transport, although the UK Government will have six months from implementation to notify those companies that will need to comply. Those companies notified are treated as Operators of Essential Services (‘OESs’) for the purposes of NIS.

Banks and financial market infrastructure sectors are caught by NIS but it was made clear in the original consultation that this sector will be exempt to the extent that at least equivalent provisions exist and Financial Conduct Authority and Bank of England rules will continue to apply. The analysis of who is an OES in that sector has not been carried out as it was determined that at least equivalent provisions will exist by the time NIS is implemented.

There is a similar regime being introduced for Digital Service Providers (‘DSPs’). A DSP under NIS falls within one of three categories: cloud service providers, online marketplaces and search engines, and such providers will need to determine whether or not they are in scope. DSPs that employ fewer than 50 people and/or with an annual balance sheet or turnover that does not exceed €10 million are excluded from NIS. Those that aren’t automatically excluded have to determine whether they fall within the DSP definition and take appropriate steps rather than wait for notification by a Competent Authority (which for DSPs in the UK is the Information Commissioner’s Office (the ‘ICO’)). The UK did state in its consultation that it would be following the GDPR as closely as possible to reduce the burden on businesses. The Implementing Regulation laying down the rules for DSPs to implement NIS in relation to the security elements, the parameters to determine whether the impact of an incident is substantial and the objective criteria under which an incident will be determined as substantial, was published on 30 January 2018.

Close to 300 responses to the initial Government Consultation were received, with the majority of responses from the energy sector, followed by the rail sector.

There were some key points in the Government response:

  • It remains the UK Government’s intention that the police provisions of the NIS will continue to apply after Brexit.
  • The multi-competent authority approach proposed in the consultation has been confirmed in line with long-standing Government policy that ‘Lead Government Departments’ take responsibility for all risks including cyber.
  • A distinction has been drawn between the role of the National Cyber Security Centre (‘NCSC’) in supporting incident responses and the role of the Competent Authority when dealing with an incident that has been reported for regulatory compliance programmes. This distinction has been made to allow the NCSC to carry out its role in providing expert advice and incident response capability.
  • The NCSC will perform the advisory role of the Computer Security Incident Response Team (the ‘CSIRT’) and it will also be the Technical Authority for cyber security, publishing guidance and assessment tools for use both by OESs and Competent Authorities.
  • “The Government accepts that there is a need for extra clarification on the role of the Competent Authority,” what the interaction is between the Competent Authorities and with other regimes such as the GDPR. The aim is to publish further guidance prior to May 2018.
  • Simplification of the penalty regime to “reduce the risk of fines in excess of £17 million.” The two penalty bands are being merged and the ability of a fine to be a percentage of global turnover is now removed.
  • The reporting timeframes have been set to align with the GDPR regime, although the ICO did comment in its response that reporting pursuant to NIS will not be sufficient for GDPR purposes - it is unclear whether it is expecting two notifications in relation to the same incident from a DSP if both NIS and the GDPR are triggered.
  • For OESs, it is for the OES together with the Competent Authority to identify the Systems used for the ‘provision of the service.’
  • The Government has stated it is for an OES to ensure that its supply chain takes appropriate security measures, as NIS will not apply directly to the supply chain. The one grey area on this point would of course be those DSPs that are used by OESs for the provision of the essential service.
  • It is for the Competent Authorities to produce clearer guidance and publish actual thresholds to determine a reportable incident for an OES. In order to do this, a Competent Authority will need to determine what a significant impact would be in its sector.
  • The high level security principles set out in Annex 3 of the response will not fundamentally change, although more detail will be provided, and OESs are expected to meet these by the date NIS is implemented in the UK. In relation to resilience in particular, current industry standards will not be changing. This does provide a high level framework for those caught by NIS to start implementing now.
  • The Government states that OESs will be given time to implement the necessary security measures on their systems, recognising that the process of improving security in some of these sectors will take a number of years. The Government does state, however, that Competent Authorities will have the power to issue penalties where significant compliance issues have been discovered and it is evident that OESs are not making active efforts to remedy them.


There is no doubt that in the age of cyber wars, security, both physical and online, needs to be given greater prominence - particularly for key pieces of national infrastructure. The Government’s position is that although NIS introduces more costs for OESs and DSPs it is of national importance that our key infrastructure is protected. Such arguments, in our present day, are difficult to counter. What is achieved by NIS in the short term however remains to be seen. What is clear is that although there is detail still to be provided, working towards compliance needs to happen as soon as possible so potential OESs and DSPs should:

  1. Assess whether their organisation falls within the ‘Table of essential services and identification thresholds’ set out in Annex 1 of the Government response to the Public Consultation, or is a DSP that is not excluded.
  2. Review the high level security principles (Annex 3 in the Government response to the Public Consultation) to ensure they are reflected in their organisation’s information security policies, processes and procedures and, if not, make this a priority to implement.
  3. If they are an OES, assess their Systems, determine who is responsible for them (particularly as many OESs rely on shared infrastructure systems) and what the supply chain is for the provision of such Systems, in preparation for further dialogue and consultation with their Competent Authority.
  4. Review their breach notification systems to ensure they capture incidents where there is a duty to notify their Competent Authority under NIS.

The Cyber Assessment Framework (‘CAF’) was provided by the NCSC on the same day as the Government response to the Public Consultation, and this was in accordance with the original timeframe. It is now for the individual Competent Authorities to set out how OESs should interpret the CAF for their own risk management procedures once the legislation is implemented. In November 2018 further sector specific guidance reflecting the unique circumstances of the particular sector is expected from the Competent Authority. This is anticipated to be designed after further discussion with the OESs and with support from the NCSC.

There is still a lot of detail to be determined for OESs, so being proactive in any assessment of Systems potentially caught by NIS will ensure that discussions with a Competent Authority can be framed appropriately and costs to the business adequately captured. Many OESs rely on a complex web of interconnected systems and a supply chain that may in fact have been inherited, so trying to review terms and establish responsibility will be a difficult task even without a tight timeframe.


Originally published in the Cyber Security Practitioner 

Standalone Software caught by Medical Device Regulation

The medical sector is undergoing significant change triggered by advancements in technology and enhanced use of patient data. Increasingly, software in a ‘supporting role’ is introduced into the traditional medical landscape to assist physicians with making critical decisions. This has given rise to key questions around whether standalone software that is not being applied specifically for medical use, but is used to support medical decisions, should be regulated as a ‘medical device’.

These questions have been addressed in the changes introduced by the European Commission to consolidate the European regulatory framework on medical devices, as well as a recent key decision by the Court of Justice of the European Union (the “CJEU”), which significantly broadens the scope of ‘medical device’ to capture standalone software and apps that are manufactured with a ‘medical’ purpose. 

Status of software as medical device confirmed under new laws  

On 5 May 2017, the European Union introduced two new regulations: one for medical devices, Regulation (EU) 2017/745 (the “MD Regulation”) and the other for in-vitro diagnostic medical devices, Regulation (EU) 2017/746 (the “IVD Regulation”). These new laws, which were aimed at ensuring a “high level of safety and health whilst supporting innovation”[1] were a long-awaited overhaul of what was perceived to be an ill-fitted model for regulating a fast-changing med-tech environment. Each of these regulations will, by 2020 and 2022 respectively, replace the existing European framework for marketing medical and in-vitro devices in Europe, expanding the scope of what will be regulated, and introducing new requirements.

The now-replaced framework[2] already captured software that was intended by the manufacturer to be used for one or more of the medical purposes as a medical device. Under the regulations, medical purposes include:

  • Diagnosis, prevention, monitoring, treatment or alleviation of disease

  • Diagnosis, monitoring, treatment, alleviation of or compensation for an injury or a disability

  • Investigation, replacement or modification of the anatomy or of a psychological process

  • Control of conception

The new MD Regulation and IVD Regulation have confirmed the position regarding software as a medical device while expanding the definition and the scope of purposes to capture new types of device; the new regulations now include additional purposes including “prognosis” and “prediction” of diseases.

Further, Article 2(2) of the MD Regulation expands the application of the new rules to “accessory for a medical device”, which is defined as not itself a medical device, but one that is intended to be used together with one or several medical device(s) to enable that medical device to be used in accordance with its intended purpose, or to specifically and directly assist the medical functionality of the medical device to fulfil its intended purpose. This means that the different software and apps designed to enable medical devices to be used for their intended purpose would now be categorised as a medical device. The MD Regulation does, however, clarify that software will not be classified as a medical device if it is intended for general purposes such as life-style and well-being apps. 

The MD Regulation has also introduced a more detailed classification system for software, which determines the safety rules and conformity assessments that would apply. While software will generally attract the lower risk classification (Class I), the new regulations mandate a stricter classification for more complex and critical software, such as software that is used to make diagnostic or therapeutic decisions that are likely to have a serious impact on the patient’s health.

CJEU adopts a purposive approach to determining software as medical device

The position regarding standalone software, while clear under the new regulations, has not been as clear cut in the Courts. The CJEU has on various occasions opined on the scope of the definition of ‘medical device’ under the Medical Devices Directive (Directive 93/42/EEC), but not until very recently has the CJEU ruled that standalone software is a medical device despite the fact that the software does not itself act on or in the human body in any way.[3]

The CJEU decision followed a reference and a preliminary ruling by the French Conseil d’État on whether certain prescription support software that provides healthcare professionals with information on patients relating to contraindications, drug interactions and dosage limits can be classified as a ‘medical device’. The CJEU adopted the opinion of the Advocate General in this case, stating that the intended purpose of the software (i.e., whether its purpose falls within a medical purpose as prescribed by the regulations) and the function that the software performs on the data (i.e., analytics, learning and decision-making) are key tests in determining whether the relevant software is a medical device or not. 

In this case, the particular support software was found to have met the relevant tests, as the software facilitated calculation of dosage and the proper design of the treatment by the healthcare professionals by providing relevant information and analysis. As such, the purpose of the software was a ‘medical purpose’, as it allowed physicians to prescribe medicines more safely and to minimise the risk of an incorrect prescription. The CJEU stated that:

“software, of which at least one of the functions makes it possible to use patient-specific data for the purposes, inter alia, of detecting contraindications, drug interactions and excessive doses, is, in respect of that function, a medical device, within the meaning of Article 1(2) of Directive 93/42, even if such software does not act directly in or on the human body.” [4]  

The CJEU’s judgement is supported by existing guidance in Europe, including the European Commission’s Guidance document Medical Devices - Scope, field of application, definition - Qualification and Classification of standalone software - MEDDEV 2.1/6, which provides that “software, which is intended to create or modify medical information might be qualified as a medical device”. 

The UK’s Medicines and Healthcare products Regulatory Agency (the “MHRA”) has also taken a similar approach, stating that independent software is likely to be a medical device where:

  • it is linked to a specific medicine or device (e.g., as an accessory);

  • it is intended to influence the actual treatment (e.g., dose, size of implant, time of treatment, etc.); and

  • it results in a diagnosis or prognosis. 

The MHRA provides that “some decision support software may not be considered to be a medical device if it exists only to provide reference information to enable a healthcare professional to make a clinical decision, as they ultimately rely on their own knowledge. However, if the software/app performs a calculation or interprets or interpolates data and the healthcare professional does not review the raw data, then this software may be considered a medical device.”[5] The MHRA goes on to state that physicians increasingly rely on the outputs of apps and software without studying the source data, indicating that such technology should be captured by the regulations.

Implications for industry

The CJEU decision will have a direct impact on what is a fast-evolving med-tech scene that is innovating in novel ways to use machine learning, autonomous decision making and artificial intelligence to enhance efficiency and accuracy in disease intervention and medical diagnosis and management. Innovators and manufacturers will need to take note and carefully assess whether a piece of software or an app will be classified as a medical device, and will therefore need to satisfy the regulatory requirements. Similarly, while the MD Regulation and IVD Regulation will not come into full force until 2020 and 2022 respectively, software and app innovators will need to review the new regime to ensure compliance – further guidance on these regulations is expected by mid-2018.

[1] MD Regulation, Recital 1

[2] Directive 2007/47/EC (amending Directive 90/385/EEC and Directive 93/42/EEC)

[3] Case C-329/16 Syndicat national de l'industrie des technologies médicales (SNITEM) and Philips France v Premier ministre and Ministre des Affaires sociales et de la Santé

[4] Ibid, at paragraph 34

[5] Medicines & Healthcare products Regulatory Agency, Guidance: Medical device stand-alone software including apps (IVDMDs), at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/648465/Software_flow_chart_Ed_1-04.pdf

Initial Coin Offerings - give me back my money?

Kemp Little has advised in respect of several Initial Coin Offerings (“ICOs”) in particular in relation to the existing UK financial regulatory framework and how it may indirectly apply, the tax treatment of ICO contributions, and the legal terms that govern ICOs.

We have recently examined a sample of ICO terms available on the internet. The table showed that currently there are very few trends in terms of what is considered ‘market standard’.


One complex area that is being treated differently by issuers is whether contributors are entitled to a refund of their contributions. This is an interesting issue because it demonstrates the tension between the practical nature of blockchain technology which provides for an immutable record of transactions that is incapable (hard-forks aside) of being reversed, on the one hand; and the right for a consumer to cancel a distance contract in accordance with Regulation 29 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013[i] on the other.

Immutability means that deleting a transaction is not possible. Further, the non-fungible nature of cryptocurrencies means that the contribution funds are often instantly commingled. This means the exact same cryptocurrency from the contribution cannot be returned to the contributor – only an equivalent amount of cryptocurrency can (which may or may not have the same fiat value at the time of the return).

It is clear from our research that:

  1. some ICO issuers are likely to have been in breach of EU law by failing to offer their contributors a right to cancel and/or a refund; and

  2. some ICO issuers have gone above the requirements of EU law by offering a broader right to refund than required.

In the context of the immutable and non-fungible features mentioned above, this second observation raises interesting questions as to whether such issuers could actually honour the refund right they guaranteed and whether tokens distributed as part of an ICO are even capable in practice of being refunded.

A possible route through this may be found in Regulation 36 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013[ii]. Depending on the technical set up and timing of alt-coin distributions under the ICO, it may be possible (both legally and practically) to offer a refund to contributors provided the related distribution has not yet been made. If the issuer has already made the distribution, then it is possible that the services have been ‘fully performed’ and therefore, provided the terms have been drafted appropriately, the contributor’s right to a refund may fall away.

This is far from a clear-cut area and is undergoing rapid developments: the exact rights that the contributor receives under the ICO terms and conditions will turn on the drafting and technical set up of the ICO.  Issuers should be wary however that structuring their ICO in certain ways (particularly in relation to the timing of when the contract is entered into and when the distribution is made) could inadvertently lead to the tokens being considered a financial contract (e.g. a future) that may be subject to additional financial regulations.


What businesses have learnt from 2017's most hard-hitting breaches

2017 has seen some high-profile data breaches hitting the headlines, from Equifax to Pizza Hut. Regardless of how commonplace reports of major data breaches now are, there are still lessons to be learned from how the organisations affected have handled these breaches. Emma Wright, Partner at Kemp Little LLP, suggests here five important lessons that are to be learnt from the data breaches of 2017.

As many predicted at the start of the year, a news item announcing a data breach is now a regular occurrence and is only set to become more common with the breach reporting obligations in the General Data Protection Regulation (‘GDPR’) taking effect in May 2018. In fact with the Network and Information Security (‘NIS’) Directive taking effect on 9 May 2018 it will not only be personal data breaches but also attacks on the networks carrying the data that will be notifiable for certain key industry sectors. Will the cyber security breach headline become ever more common, and is there a possibility that these breaches will become ‘normal’ and so commonplace that the general public will become desensitised to these types of attack?

With this in mind I have tried to summarise the top five lessons to be learnt from the data breaches of 2017 (the analysis is based on publicly available information), and to ask whether we are heading into an era when cyber security, or the lack of it, may no longer damage a brand.

Do not try and hide the breach

Whether a data breach becomes a regular occurrence or not, the way Uber handled its data breach demonstrates that if handled incorrectly, a data breach can send a signal to both the public and regulators that there is a wider lack of ethics and compliance at the core of the company. These kinds of indicators will damage a brand. This type of behaviour is also likely to lead to increased regulatory scrutiny in relation to the breach but also sends a signal to other regulators that there is a more fundamental problem. The size of the Uber data breach is significant but the headlines would have been different if it had not tried to hide the breach and pay the criminals - and we suspect the treatment it receives from regulators will be less sympathetic than if Uber had not tried to hide it.

The accountability and transparency requirements that companies will be expected to demonstrate in a post-GDPR era appear hard to reconcile with hiding the loss of millions of customers’ personal data and paying criminals.

A data breach response plan that demonstrates: i) the breach is being treated seriously, ii) every attempt is being taken to quantify the risk, and iii) genuine and effective steps are being taken to protect the individuals, is essential and should be followed.

There are unfortunately plenty of examples of companies that have appeared totally unprepared for a cyber attack. This should arguably improve once mandatory data breach notification takes effect with the GDPR, although the example of TalkTalk, which at the time of its data breach was already subject to such a notification requirement, might indicate the contrary. There is one notable difference, however: with the advent of the GDPR, the fines that will apply for merely failing to notify the ICO of a data breach or attack on the network have stepped up significantly from the ‘parking level’ type of fines previously imposed on the telco sector under the Privacy and Electronic Communications Regulations.

Notify all relevant regulators, and keep the time lag before notifying affected customers to a minimum

When the Equifax data breach was reported, the ICO resorted to publicly stating that Equifax should be informing affected customers before Equifax itself got around to doing so. Equifax’s handling of the breach has been much criticised with the UK Financial Conduct Authority only finding out about the breach through the media. Although the Pizza Hut breach last year was spotted fairly quickly, this did not mean that customers were informed equally promptly or before their account information had reportedly been used fraudulently for a prolonged period of time. Any breach response plan must include the relevant regulatory reporting requirements as, setting aside the fines for failing to notify, this kind of behaviour can (understandably) be taken as an indication that there was not an adequate breach response plan in place.

The GDPR will require breach notifications to the ICO within 72 hours for most data breaches, with a notification to customers ‘where there is a high risk to the rights and freedoms of data subjects’ without undue delay. There will no doubt need to be careful consideration of whether notification to customers is triggered; however, recent breach examples indicate that trust and confidence in the company experiencing the breach quickly evaporates if customers believe they should be informed that there has been a breach and that information is not forthcoming.

When conducting an internal review of a breach or attack, considering the messaging to customers is equally as important as reporting to the ICO, and explaining what has happened in simple terms, with the steps that customers should take to protect themselves, should be a priority.

A cyber breach response plan should include collaboration, knowledge sharing and implementing recommended standards or schemes

The WannaCry attack sent a very clear warning that the nature of globalisation means that a cyber security attack will also be global in its reach and impact, with WannaCry attacking 200,000 computers in 150 countries and leaving a path of devastation. However, just like highly organised physical criminal activity, it also demonstrated that collaboration and sharing information of heightened threats will help mitigate the effects of such an attack. At a local level simply understanding your network architecture and segregating back-up servers from the network should reduce the impact of an attack. Those data maps produced for GDPR compliance should be maintained and kept with the data breach response plan.

The WannaCry virus spread to almost 100 countries on its first day, but through the reporting of the risk and security forces working collaboratively, the spread was halted, as many in the US were able to patch their systems before being hit. The UK National Cyber Security Centre encourages the reporting of cyber risks to it, and encourages companies to join C-iSPS, the cyber security information sharing partnership set up to encourage collaboration between Government and industry. Although aimed more at SMEs, the Cyber Essentials UK Government accreditation, which acts as an annual ‘cyber security MOT’, theoretically allows a company to focus on the more complicated cyber risks: through its accreditation it aims to ensure that companies have basic cyber security and hygiene in place so they can focus on eliminating and responding to the larger and more complex cyber security risks.

The IoT changes the risk profile

The prediction that the Internet of Things (‘IoT’) significantly increases the cyber risk profile is correct. The Mirai botnet cyber attack in 2017 was the largest attack of its kind in history - although to be fair the possibility of such attacks has only been there for years rather than decades. The attack was targeted on the servers of a company that controls much of the internet’s domain name system infrastructure (and under the NIS Directive it is likely that a report of this kind would have to be notified to government authorities). The difference with this botnet was that instead of using computers, it was largely made up of Internet of Things devices i.e. any device that has a connection to the internet. The effect of the attack was that it took down many high profile websites including The Guardian, Netflix, CNN and many others.

Setting aside that this attack is yet another indication that IoT devices are being flooded onto the market with insufficient cyber or privacy safeguards, it also highlights that the number of machines that can be used as a weapon, and that ultimately may become casualties in a ‘cyber war’, has increased exponentially. This will be of particular concern for the ‘essential operators’ under the NIS Directive, many of which rely on machine-to-machine (‘M2M’) assets, since such assets are unlikely to have sufficient computing capacity to deploy adequate cyber security protection.

If you limit access to data internally then it will be easier to identify and notify where the breach has occurred

Not all employees need access to all of the company’s data. Restricted access should be introduced and applied systematically and reviewed regularly. This is good information security practice and allows some of the potential causes of a breach to be removed, so that a breach response team can focus on a more limited set of scenarios. With the recent Morrisons case, where the supermarket Morrisons was found by the High Court to be vicariously liable for the actions of a rogue employee who disclosed personal data, there is an even greater imperative to provide access to company systems on a ‘strictly needs’ basis.
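To show the point in the paragraph above in concrete terms, here is an added illustration (not code from the article or from any of the companies it mentions): a small Python model in which access to payroll data categories is granted by role, and a breach response team uses that access map to narrow the set of accounts that could have exported a given leaked record. The roles, principals and data categories are constructed sample values; running the same check under an ‘everyone can see everything’ model shows why unrestricted access leaves nothing to eliminate.

```python
"""Narrowing a breach investigation with a least-privilege access map.

Added illustration; the roles, principals and data categories below are
constructed sample values, not taken from the article or any company in it.
"""
from typing import Dict, FrozenSet, Iterable, Mapping, Set, Tuple

# Data categories held in a (constructed) payroll system.
ALL_FIELDS: FrozenSet[str] = frozenset(
    {"name", "address", "ni_number", "bank_account", "salary"}
)

# Role -> data categories that role genuinely needs (least privilege).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "payroll_admin": ALL_FIELDS,
    "hr_generalist": frozenset({"name", "address"}),
    "line_manager": frozenset({"name", "salary"}),
    "it_support": frozenset(),  # operates systems, no business-data access
}

# Principal -> roles assigned (constructed sample workforce).
PRINCIPAL_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"payroll_admin"}),
    "bob": frozenset({"hr_generalist"}),
    "carol": frozenset({"line_manager"}),
    "dave": frozenset({"hr_generalist", "line_manager"}),
    "erin": frozenset({"it_support"}),
}


def entitlements(
    principal: str,
    principal_roles: Mapping[str, FrozenSet[str]],
    role_entitlements: Mapping[str, FrozenSet[str]],
) -> FrozenSet[str]:
    """Union of the data categories granted by every role of the principal."""
    fields: Set[str] = set()
    for role in principal_roles.get(principal, frozenset()):
        fields |= role_entitlements.get(role, frozenset())
    return frozenset(fields)


def candidate_principals(
    leaked_fields: Iterable[str],
    principal_roles: Mapping[str, FrozenSet[str]],
    role_entitlements: Mapping[str, FrozenSet[str]],
) -> Set[str]:
    """Principals whose entitlements cover every category in the leak.

    Anyone whose access does not cover the whole leaked record could not have
    exported it through their own account, so they drop out of the first
    round of scenarios the response team has to consider.
    """
    needed = frozenset(leaked_fields)
    return {
        p
        for p in principal_roles
        if needed <= entitlements(p, principal_roles, role_entitlements)
    }


def flat_access_model(
    principals: Iterable[str], all_fields: Iterable[str]
) -> Tuple[Dict[str, FrozenSet[str]], Dict[str, FrozenSet[str]]]:
    """The anti-pattern: one role, held by everyone, that grants everything."""
    roles = {p: frozenset({"everything"}) for p in principals}
    return roles, {"everything": frozenset(all_fields)}


def investigation_scope(
    leaked_fields: Iterable[str],
    principal_roles: Mapping[str, FrozenSet[str]],
    role_entitlements: Mapping[str, FrozenSet[str]],
) -> float:
    """Fraction of the workforce that remains in scope for the leak."""
    cands = candidate_principals(leaked_fields, principal_roles, role_entitlements)
    return len(cands) / len(principal_roles)


if __name__ == "__main__":
    leak = ALL_FIELDS  # a full payroll record was posted publicly
    print("least privilege:", sorted(candidate_principals(leak, PRINCIPAL_ROLES, ROLE_ENTITLEMENTS)))
    flat_roles, flat_ents = flat_access_model(PRINCIPAL_ROLES, ALL_FIELDS)
    print("flat access:   ", sorted(candidate_principals(leak, flat_roles, flat_ents)))
```

Run as a script it prints the candidate set under both models. The value of the check depends on the access map being current at the time of the breach, which is why it belongs with the data maps the article recommends keeping alongside the response plan.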

The Morrisons lawsuit was brought by 5,500 current and former Morrisons workers who were seeking compensation over the 2014 data security breach in which payroll information of almost 100,000 staff had been posted on the internet and sent to newspapers by a disgruntled employee. The data included names, addresses, NI numbers, bank account details and salaries. It was argued by the claimants’ lawyers that the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.

In the case of Bupa, it was a similar set of circumstances, where more than 500,000 Bupa customers’ data were released after an employee ‘copied and removed’ their information from the health insurer’s systems. The loss of access to personal data constitutes a data breach under the GDPR regardless of whether it is publicly released.

Bupa was able to advise customers relatively promptly and efficiently exactly as to what data had been taken, which customers were affected and what the cause of the breach was, with a video being placed on its website for customers to watch and advice as to what steps to take also being given. Information like this will no doubt assure customers that a company is proactively managing the impact of a data breach.


A point to note is that the focus to date on cyber attacks has been on personal data breaches and essentially minimising the risk of consumer harm and protecting those that have had their data lost. As demonstrated by WannaCry, attacks do not always focus on acquiring personal data; cyber attacks can also make people feel extremely vulnerable through the loss of essential services or facilities such as hospitals. The emphasis will change with the implementation of the NIS Directive where the providers of essential facilities in various key industries will be required to adopt high standards in relation to cyber security and there are reporting requirements where there is an attack on the systems or networks of providers in these sectors. Unfortunately in the case of essential operators, many of which have old assets and infrastructure, implementing high standards of cyber security and measures to allow reporting obligations to be complied with in the event of an attack is likely to be extremely difficult.

2017 has been a year in which there seem to have been constant reports of yet another high profile data breach. This is likely to increase post May 2018. It may be that 2018 will be the turning point for data breaches, and that there will be a clear difference between those companies that respond to a data breach in a measured and organised manner and those that at best display signs of struggling to cope or at worst appear to be withholding information and not giving the matter sufficient attention. The latter will be clearly remembered by the public, and for the wrong reasons.

A well-thought through data breach response plan that considers the network architecture, data flows and access rules alongside the customer base and the regulatory reporting requirements, and is able (even through a process of elimination) to identify the cause of the breach accurately and quickly, will reassure the affected company’s board, customer base and regulatory authorities that the breach is under control, and this should be a top priority for 2018.

This article was first published on Cecile Park Media

Scope of the Electronic Communications Exclusion

A recent change in financial services regulation called the Payment Services Directive 2 (PSD2) seems to have taken telcos by surprise, and given that compliance should have been achieved by 13 January 2018, the applicability of PSD2 to a telco’s business (whether fixed or mobile) should be urgently considered. Telco activity that was previously comfortably outside the scope of regulation may now be regulated by the FCA: an electronic communications service and/or network provider will now be considered to be providing a ‘payment service’ where it provides ‘a voice based service’ that includes a revenue share arrangement with a third party, unless the telco falls within an exclusion.

Telcos must now either become authorised or comply with stringent requirements to qualify for an exclusion. These requirements include the following:

  • Spend cap limits on carrier billing amounts;
  • Notification to the FCA of reliance on the exclusion; and
  • Annual submission of auditors’ reports confirming compliance with the relevant regulation, in particular figures on the spend cap limits.

Kemp Little LLP has been working with telcos since the European legislation was in draft form. We have been helping telcos and others in the payments eco-system navigate the following questions:

Which services fall within the meaning of ‘voice based services’?

Telcos provide a wide variety of services under the heading ‘voice based services’, but will need to have a clear understanding of the services that fall within this rubric to ensure they fall outside the regulated sphere entirely or sit within the exclusion. ‘Voice based services’ are wider than the ‘premium rate services’ regulated by the Phonepaid Services Authority and include directory enquiries and other non-premium-rate revenue share services that subscribers call using their voice service.

Which services fall within the definition of payment services?

Where telcos allow their customers to use carrier billing to pay for purchases or make calls with a revenue share element (eg third party directory enquiries), telcos may be providing payment services. Telcos will therefore need to understand which of the services they offer might fall within the scope of PSD2.

How do spend caps affect general telco obligations?

To stay within the exclusion and avoid the need to be regulated, telcos will have to comply with the spend caps, restricting the amount customers can charge to their bill, on both a per-transaction and monthly basis.

How to comply with spend caps?

Compliance with spend caps will require telcos to have in place the appropriate systems and controls, which may be challenging for telcos with older systems. However, compliance – and, critically, being able to provide evidence of compliance on an annual basis – is essential, as telcos cannot benefit from the exclusion otherwise.

What control mechanisms should be put in place to continue to fall within the FCA exclusion?

Telcos will need to ensure that carrier billing or calls/SMSs with a third party revenue share element is strictly limited to the amount of the spend caps; their control mechanisms should be sufficiently robust to track customer spending as well as manage customer notification in the event spend caps are triggered.

What can happen (and is most likely) in the event the spend caps are breached?

Where telcos breach the spend caps, this means they are providing a regulated payment service without appropriate authorisation. They will need to regularise their regulatory position to avoid the imposition of sanctions by the FCA.

When is an audit report needed and what should it cover to continue to rely on the

Telcos falling within the exclusion will need to make an official notification of their status to the FCA, and provide annual audit reports giving specific information about the services they provide with a ‘payment service’ element, essentially to demonstrate to the FCA that they do in fact comply with the requirements of the exclusion. Telcos must therefore have in place systems to allow auditors the necessary access, as well as records of their compliance with the requirements for the auditors to review.
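As an added illustration of the control mechanism described above for spend caps (tracking customer spending against per-transaction and monthly limits, and notifying the customer when a cap is triggered) and of the records an auditor would need to see, the following Python ledger is example code, not the firm’s or any telco’s system. It authorises carrier-billing charges against both caps, never records a declined charge, logs a customer notification for each decline, and produces the monthly figures an audit report would draw on. The cap amounts, subscriber identifiers and charges are constructed placeholders, not the figures set by PSD2.

```python
"""Carrier-billing spend-cap control with customer notification and audit figures.

Added illustration, not the firm's or any telco's system. Cap amounts,
subscriber ids and charges are constructed placeholders, not PSD2 figures.
"""
from dataclasses import dataclass, field
from datetime import datetime
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed cap figures for illustration; substitute the limits that apply
# under the regulation and the telco's own exclusion notification.
PER_TRANSACTION_CAP = Decimal("40.00")
MONTHLY_CAP = Decimal("250.00")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str             # "ok", "per_transaction_cap" or "monthly_cap"
    monthly_total: Decimal  # subscriber's running total after this decision


@dataclass
class SpendCapLedger:
    per_transaction_cap: Decimal = PER_TRANSACTION_CAP
    monthly_cap: Decimal = MONTHLY_CAP
    # subscriber -> (timestamp, amount) for charges that were actually accepted
    charges: Dict[str, List[Tuple[datetime, Decimal]]] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)  # messages to customers
    declined: int = 0

    def monthly_total(self, subscriber: str, when: datetime) -> Decimal:
        """Accepted charges for the subscriber in the calendar month of `when`."""
        return sum(
            (amt for ts, amt in self.charges.get(subscriber, [])
             if (ts.year, ts.month) == (when.year, when.month)),
            Decimal("0.00"),
        )

    def authorise(self, subscriber: str, amount: Decimal, when: datetime) -> Decision:
        """Accept the charge only if both caps still hold afterwards."""
        if amount <= 0:
            raise ValueError("charge must be positive")
        current = self.monthly_total(subscriber, when)
        if amount > self.per_transaction_cap:
            return self._decline(subscriber, amount, "per_transaction_cap", current)
        if current + amount > self.monthly_cap:
            return self._decline(subscriber, amount, "monthly_cap", current)
        self.charges.setdefault(subscriber, []).append((when, amount))
        return Decision(True, "ok", current + amount)

    def _decline(self, subscriber: str, amount: Decimal, reason: str,
                 current: Decimal) -> Decision:
        # The charge is never recorded; the customer is told why it failed.
        self.declined += 1
        self.notifications.append(
            f"{subscriber}: charge of {amount} declined ({reason}); "
            f"this month's carrier-billing total stays at {current}"
        )
        return Decision(False, reason, current)

    def audit_figures(self, year: int, month: int) -> Dict[str, object]:
        """Figures an auditor would ask for when checking the caps for a month."""
        totals: Dict[str, Decimal] = {}
        largest = Decimal("0.00")
        for sub, items in self.charges.items():
            for ts, amt in items:
                if (ts.year, ts.month) == (year, month):
                    totals[sub] = totals.get(sub, Decimal("0.00")) + amt
                    largest = max(largest, amt)
        return {
            "subscribers_billed": len(totals),
            "max_monthly_total": max(totals.values(), default=Decimal("0.00")),
            "max_single_charge": largest,
            "declined_charges": self.declined,
            "within_caps": largest <= self.per_transaction_cap
            and all(t <= self.monthly_cap for t in totals.values()),
        }


def run_demo() -> Dict[str, object]:
    """Drive the ledger through the edge cases with constructed charges."""
    ledger = SpendCapLedger()
    feb = datetime(2018, 2, 10, 12, 0)
    out: Dict[str, object] = {}
    out["first"] = ledger.authorise("sub-1", Decimal("30.00"), feb).allowed
    out["oversize"] = ledger.authorise("sub-1", Decimal("45.00"), feb).reason
    for _ in range(6):  # six charges of 35.00 take the month to 240.00
        ledger.authorise("sub-1", Decimal("35.00"), feb)
    out["over_month"] = ledger.authorise("sub-1", Decimal("15.00"), feb).reason
    out["boundary"] = ledger.authorise("sub-1", Decimal("10.00"), feb).allowed
    out["penny_over"] = ledger.authorise("sub-1", Decimal("0.01"), feb).allowed
    out["next_month"] = ledger.authorise(
        "sub-1", Decimal("30.00"), datetime(2018, 3, 1, 9, 0)).allowed
    out["feb_total"] = str(ledger.monthly_total("sub-1", feb))
    out["audit"] = ledger.audit_figures(2018, 2)
    out["notifications"] = len(ledger.notifications)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The monthly check is applied to the running total plus the new charge before anything is recorded, so a charge that would take the month exactly to the cap is accepted and the next penny is not; the month boundary resets the total because the ledger keys on calendar month. Keeping declined charges out of the ledger but counting them separately is what lets the audit figures show both that the caps held and how often they were hit.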

If you need further assistance or guidance in considering these issues, or wider guidance on PSD2 or other opportunities brought about by this change in legislation, please do not hesitate to contact us.


Block party - an end to online consumer discrimination?

Executive summary

  • Following publication of proposals in 2016, the European Parliament, Council and Commission have reached political agreement to end so called geo-blocking practices for online consumers of products and services within the EU
  • In high level terms, geo-blocking includes any measures to restrict or redirect online consumer access on the basis of nationality, residence and/or temporary location
  • The new rules seek to enhance consumer access and encourage pan-EU cross shopping through removal of barriers to access, and closer harmonisation of terms of use, across the Union
  • The European Commission intends to publish a draft Regulation in early 2018, with the finalised text to become directly applicable across the Union, nine months later
  • Developments in this area will be of key interest to all online retailers of goods and services, operating within the Single Market

In brief

If the EU is a true Single Market, findings of a late 2016 European Council (EC) study suggest the Union has some way to go in removing cross-border trade barriers, at least within the online space.

Geo-blocking, or the practice of consumer discrimination in respect of access and/or price based on a customer’s nationality, residence and/or temporary location, remains, by the EU’s own figures, a feature of some 63% of ecommerce sites1. Concerns abound across Member States that these types of access restrictions severely curtail necessary competition, and stifle critical innovation in an EU Single Market eager to address an increasingly digital customer base.

In November 2017, the EC confirmed an agreement to ban unjustified geo-blocking, paving the way for draft regulation in this space. Despite 2018’s likely lively European legislative agenda, the EC has made clear its intention to have draft regulation in place towards the start of the year, with finalised text becoming applicable nine months later.

Developments in this space are of key (and pressing) interest to all online retailers of goods and services, operating within the Single Market, and come at a time of dramatically increased transparency requirements for online retailer assessment and profiling of customers (against characteristics including those above) ahead of May’s General Data Protection Regulation (GDPR) introduction.


Introduction of geo-blocking regulation closely follows recent Union efforts to smooth some of the rougher edges of the cross-EU consumer experience (similar moves including those to end cellular roaming charges and legislation to provide cross-border portability of online subscriptions and access to TV programmes). Efforts to alleviate online commercial friction represent a key pillar of the Union’s broader Digital Single Market (DSM) strategy. 

Whilst existing EU law (in the shape of Directive 2006/123/EC) provides general, non-specific prohibition of consumer discrimination, the EC appears to have taken the view that online leadership in this area requires more bespoke (and correspondingly direct) legislation. 

Cross shopping/ cross-border

Whilst a formal draft remains forthcoming (an early 2016 Proposal for Regulation can be accessed here), the EC has signalled the draft Regulation will define three specific situations “where no justification and no objective criteria for a different treatment between customers from different EU Member States are conceivable from the outset”, being:

  • The sale of goods (without physical delivery), e.g. an Austrian consumer wishing to purchase running shoes, finding the most attractive deal (for collection) on a German website.
  • The sale of electronically supplied services, e.g. a French consumer wishing to acquire hosting services for a website from an Italian company.
  • The sale of services provided in a specific physical location, e.g. a Spanish family wishing to purchase theatre tickets for a performance in France, without being redirected to a Spanish website.

Importantly, the draft Regulation will not require a retailer to sell a product or service, and will not directly mandate price harmonisation. The draft Regulation will however target and prohibit retailer restrictions which cannot be justified by other, objective requirements (e.g. taxation or local laws). 

In addition, the draft Regulation will attempt to ease the extent to which EU consumers may make cross-border use of credit cards, by preventing retailers from applying different payment conditions based on a customer's residence, in effect prohibiting a retailer (under certain circumstances) from accepting credit card payments only from specific Member States. Simplifying (and reducing the cost of) cross-border credit card payments follows recent EU moves to cap interchange fees for card-based payments (Regulation 2015/751), and is again indicative of a clear direction of travel under the DSM strategy. This comes in addition to rules introduced under PSD2 (Directive 2015/2366), which, from January this year, banned credit and debit card surcharges for consumer transactions.

Whilst developments in relation to credit card payments are (and will likely continue to be) significant here, it should be noted that the draft Regulation will not represent a blanket requirement for retailers to accept any credit card transaction under any circumstances. Retailers will continue to be free to decide which means of payment are acceptable, in relation to local vs. other Member State customers.

Impact for retailers – physical goods

Whilst geo-blocking undoubtedly represents a significant compliance consideration, retailers of physical goods should be reassured that neither 2016’s proposal (nor, likely, 2018’s draft Regulation) makes any attempt to:

  • directly require pricing harmonisation; or
  • require a retailer to ship products cross-border (if this is not a service routinely offered).

The forthcoming draft however will:

  • prohibit retailers from denying access or rerouting a customer to a specific regional iteration of an ecommerce site, based purely on factors of nationality, place of residence or geographic location (blocking/ rerouting on other grounds, such as relevant local laws and restrictions will remain valid); and will
  • oblige retailers to permit customers from any EU Member State to purchase products from iterations of the retailer’s sites based in any other EU Member State (unless, as above, other relevant local laws or restrictions apply).

In practical terms, this raises an interesting dilemma: cross-border shipping of physical product is not in and of itself required under the Regulation, yet a consumer cannot be prohibited from making a cross-border purchase. Therefore, whilst an Austrian customer may be able to purchase running shoes from a German website, how, in practice, would these goods be obtained?

The EC takes a pragmatic approach here, indicating “the customer will be entitled to order the product and collect it at the trader's premises [if this is a service offered by the retailer] or organise delivery himself to his home [through his or her own shipping arrangements]”. In practice therefore, whilst a committed cross-border cross-shopper could purchase products (sporting or otherwise) from a Member State of choice, practicality (and likely cost) may prove significant barriers.

Interestingly, logistics & distribution providers and the EC appear to have identified a potential market opportunity for pan-EU consumer shipping solutions, with the EC recently bringing forward a Proposal to simplify cross-border parcel delivery services. As things stand in Q1 2018, however, pan-national Member State shopping for goods at retailers without existing cross-EU shipping provisions seems likely to be a more attractive proposition on paper than in practice.

Impact for retailers – digital goods and services

While regulation in this space raises considerations for retailers of physical product, providers of online services are likely to feel a more acute impact (largely if not solely, as a result of the nature of digital goods and services). In simple terms, providing a pan-EU market for digital goods and services, free from access and (most) price restrictions/variations, opens the door to potentially friction free pan-EU (digital) cross shopping.

In respect of digital goods and services, the draft Regulation will likely:

  • mandate unified access arrangements, so that any variation in access must rest on factors other than nationality, residence and/or temporary location alone; and
  • require retailers to provide harmonised terms of use (including pre-tax pricing) to all EU customers.

For the first time, an EU customer, enjoying the same rights of access and pricing arrangements as any local customer will be permitted to cross shop digital music, e-books, video games and software, across the Single Market. Whilst these developments are clearly significant to any retailer of digital product, it is important to recognise the impact of the draft Regulation will be softened somewhat by significant carve outs, namely:

  • provision of financial, transportation, electronic communications, healthcare, audio-visual and broadcasting services are entirely excluded;
  • the draft Regulation will not alleviate or supersede a retailer’s obligation to obtain appropriate IP and other rights to distribute digital content across the Single Market, as required (e.g. a retailer will still require appropriate licensing to sell a specific e-book or album in a specific Member State); and
  • the draft Regulation will not represent a requirement for retailers to comply with local laws and regulations in every Member State, simply as a result of lifting access restrictions to digital goods or service, unless the retailer “pursues…or directs” (read, directly targets) customers in those Member States (a no doubt significant multi-jurisdictional compliance relief).

Despite these restrictions, the draft Regulation represents a significant compliance consideration for all retailers of online goods and services. In time, dramatically improved consumer access, across the EU, may lead to near complete price parity across digital platforms and emergence of pan-EU price comparison providers.

Looking forwards, action points

As with all things DSM, moves to prohibit geo-blocking speak both to core EU values of open access and to more contemporary EC concerns of modernisation within the Single Market.

In addition, the draft Regulation may prove an interesting complement to legislation in the privacy space, including the GDPR, which seeks to provide EU consumers with better transparency of, and control over, the circumstances in which profiling (using characteristics including location and/or nationality) significantly impacts upon an individual.

For retailers, the draft Regulation requires that some key questions be meaningfully addressed:

  • do we engage in geo-blocking practices (either through re-direction or access restriction)?
  • if so, how is this technically achieved (IP location, credit card details etc.)?
  • can our practices be justified by national law or regulation (e.g. price variation in accordance with local VAT/ sales tax requirements)?
  • should changes be required to process, policy and/ or supplier arrangements, how might these be implemented, technically and organisationally?
  • to what extent should we consider the wider privacy, monitoring and profiling implications of our online activities?




Themes and warnings from the GB Gambling Commission's Raising Standards Conference 2017

Following the publication of its Strategy 2018-2021, the British Gambling Commission hosted its Raising Standards Conference 2017 on 21 November, which further explored some of the themes emerging from the Strategy and the Commission’s priorities for the next few years, which include industry collaboration, the Commission’s work with the UK’s Competition and Markets Authority (‘CMA’) on consumer T&Cs in relation to promotions, and industry compliance with the General Data Protection Regulation. Susan Biddle, Legal Consultant at Kemp Little LLP, reflects on the themes raised at the Conference.

“Go further and faster” was the overwhelming message from the British Gambling Commission’s second annual Raising Standards Conference on 21 November 2017. Well-timed to follow up on the Commission’s publication of its Strategy for the next three years1 (‘Strategy’), this was an opportunity to explore further some of the themes of that Strategy and the Commission’s priorities.

The Strategy, and the Commission’s priorities, remain consistent with the approach of the last 18 months: the focus remains on consumers and their protection. The Commission acknowledged that some progress had been made - but not enough, and not fast enough. The Commission thinks there is still a disconnect between the industry’s good intentions, and its delivery - something which is reflected in the continued decline in public trust.

Richard Lloyd, former Executive Director of Which?, provided some worrying comparisons with other sectors, but finished on a more encouraging note: like other speakers, he thinks that the industry is at a tipping point, but he does not think it is too late to turn it around, provided that the industry acts promptly.

In relation to problem gambling, the Commission will be looking not only at the person who is gambling, but also at how/where they are doing this and the nature of the product being played. The Commission re-iterated the message in the Strategy document, that the industry must focus on exploiting data and technologies to manage risks and protect consumers, as much as it does for profit. Sarah Harrison, Chief Executive of the Gambling Commission, gave the examples of improving existing tools such as reality checks, and exploring new ones such as mandatory deposit limits and stronger age verification. She emphasised the need for robust internal handling of customer complaints, and stressed that it is not sufficient simply to outsource this to ADR (alternative dispute resolution) providers. She warned that the Commission is likely to step up its reporting requirements, and more generally that over the life of the Strategy the Commission will use “tougher and broader” sanctions.

Some of the messages in the Strategy came through with particular clarity. These included the need for the industry to do more to collaborate, and to share knowledge and good practice - and then to implement this learning, including ideas coming from other operators. The industry increasingly recognises the need for this (subject to appropriate protections for commercially sensitive information, and competition law requirements), and participants made the point that the more industry players that participate, the better, as this will reduce the risk of their market and margins being eroded by non-participants. Richard Lloyd warned that big players should be wary of leaving smaller businesses behind and should be willing to invest in industry-wide initiatives for the good of all. There was a welcome suggestion that the Commission will look at issuing more guidance on “what good looks like.”

In particular, the whole industry is expected to learn from the CMA’s current review of consumer T&Cs in relation to promotions - and though its focus has been on online gambling promotions, the CMA considers that its concerns are probably of wider application. The CMA confirmed that it does not intend to outlaw such incentives, but the terms must be fair. The importance that the Commission places on this is demonstrated by its publication of the CMA presentation on its website. It was made very clear that the Commission and the CMA expect all operators to review their T&Cs, and to make any necessary changes so as to meet the CMA’s requirements - and to comply with these requirements immediately as they are published.

The Commission emphasised that it will be monitoring compliance in subsequent months and the industry should expect appropriate enforcement action. The CMA and the Commission are continuing to work together in examining the wider question of withdrawal of player funds. Good practice needs to be embedded in the industry and its products. Social responsibility, otherwise known as ‘safe & fair gambling,’ needs to be part of everyone’s role, from the top down throughout the entire workforce. Kate Lampard, Chair of GambleAware, put in a plea for diverse main boards, so as to get a more complete view of the business and better reflect the diversity of the customer base; she recommended that the person responsible for responsible/‘safe & fair’ gambling should sit on the main board. Protections against problem gambling need to be designed into products, and not just be later add-ons to meet regulatory requirements.

Many in the industry are not yet contributing 0.1% of gross gambling yield to research, education and treatment of problem gambling. There was a clear message that this requirement is only likely to increase - and if the industry cannot deliver an appropriate level of funding via a voluntary scheme, a mandatory obligation will be imposed. Bill Moyes, Chair of the Gambling Commission, warned that the Government already has the necessary power to impose this and that the Commission believes a national levy would be fair, and it will continue to discuss with Government whether the time has come to use this power.

The Commission does not believe that the EU General Data Protection Regulation (‘GDPR’) will prevent responsible use of aggregated data to protect consumers. Gareth Cameron from the Information Commissioner’s Office (‘ICO’) promised that more guidance on the GDPR will be forthcoming, though progress has been made more difficult because the UK Data Protection Bill is still being debated in Parliament. The industry will however need to look to the Gambling Commission for industry specific guidance. Gareth emphasised the importance of accountability - the industry needs to be able to demonstrate how it complies, and to document its decisions in relation to treatment of personal data and compliance.

Consent is not the only basis for processing, and the industry should consider all the options available which include compliance with legal obligations and pursuit of legitimate purposes. It is not yet clear whether compliance with LCCPs or self-exclusion schemes, or use in machine learning or the development of algorithms to flag problem gambling indicators, will constitute the necessary ‘legitimate purposes.’

However Gareth assured the audience that this is the sort of issue which the ICO and Gambling Commission are currently debating, and the ICO will provide further (general) guidance on what constitutes a ‘legitimate purpose.’ Data subjects have strengthened rights, and cyber security is a key concern for the ICO; the industry needs to be sure that it has processes in place to deal with requests and any breaches, including reporting within limited timeframes. The ICO will be encouraging reports of security breaches to be made by phone, so it can provide guidance and ensure that the ICO obtains all the necessary information.

While press and public concern has focused in particular on fixed odds betting terminals (‘FOBTs’), the Commission highlighted that it has also been looking at the online industry, and particularly at online casinos. There was a clear message to this sector that the Commission does not think their due diligence or consumer protection systems are adequate, and operators were expressly warned that the Commission will intervene if they do not remedy this.

So overall, a clear message from the Commission to the industry to “up its game” and to “show not (just) tell,” with consumer protection and problem gambling remaining priority areas, and immediate action points in some areas such as consumer terms, sharing learning, online casinos, use of technology and data, and the levy.

1. http://www.gamblingcommission.gov.uk/PDF/Strategy-2018-2021.pdf


This article was first published in the Online Gambling Lawyer on the 13th December

The Autumn 2017 Budget - driverless cars

TMT analysis: Andrew Joint, commercial technology partner at Kemp Little, explains the key announcements of the Autumn Budget relating to driverless cars.

Original news

Autumn Budget 2017: Tech and Innovation, LNB News 22/11/2017 72

The Chancellor of the Exchequer, Philip Hammond, has announced plans at Autumn Budget 2017 for a new advisory body—the Centre for Data Ethics—to enable and ensure safe and ethical innovation in artificial intelligence (AI) and data-driven technologies. The government also outlined its ambition to see fully self-driving cars, without a human operator, on UK roads by 2021.

What has been announced?

In his Autumn Budget the Chancellor stated that ‘the government wants to see fully self-driving cars, without a human operator, on UK roads by 2021’ and that he wanted to create ‘the most advanced regulatory framework for driverless cars in the world’.

Where specifically will the funds be invested?

Noting the stated figures that the driverless car industry has the potential to be worth £28bn to the UK and employ nearly 30,000 people, the investment in an ethical centre to deal with some of the wider issues raised by technologies such as driverless vehicles is a sensible and vital move by the government. However, considering the value/impact of driverless vehicles (according to the government’s own figures) this ‘R&D’ investment still seems low.

We can expect to see more charging points by our roads and electric car use following the announcement of a new £400m charging infrastructure fund, the investment of an extra £100m in Plug-In-Car Grant, and £40m in charging R&D.

What developments have happened so far?

In February 2015 the Department for Transport (DfT) published ‘A detailed review of regulations for automated vehicle technologies’, together with a ‘Summary report and action plan’, under the heading ‘The Pathway to Driverless Cars’.

These documents set out the UK government’s plan to update laws and regulations to permit the sale of automated vehicles to the public, and include plans to develop a code of practice for testing automated vehicles, while reviewing legislation to clarify liabilities in the event of a collision, and consider whether higher standards of safety are required (including dealing with cyber threats).

Additionally, a draft ‘Vehicle Technology and Aviation Bill’ was announced during the Queen’s Speech in February 2017, which included proposed automated vehicle specific legislation, relating to record-keeping, insurance and accidents relating to uninstalled software updates. The Bill passed a second reading in October 2017.

Is it realistic to expect driverless cars to be on the roads in Britain by 2021?

We can certainly expect driverless cars on public roads within the next decade. Whether we can realistically expect to see them by 2021 will depend on the passage of the legislation mentioned earlier.

The government certainly has the desire for this to be the case, but perhaps some of the broader ethical questions regarding the ‘personhood’ status of driving software will be thornier issues to resolve not only in the UK, but also elsewhere in the world.

The law places a strong emphasis on ‘the person’, which drives concepts such as ownership and both civil and criminal liability. That concept initially attached to the human—people owning things, people committing crimes or entering into agreements. But we have seen our laws adapt and, in our modern world, we have stretched the concept of legal personality. We have created intangible entities, for example limited companies, PLCs, LLPs etc, which are all capable of ownership and liability in their own right. This means they can enter into contracts, incur debt and be held accountable for their actions, and they are distinct from the identities of their shareholders, directors, parent or subsidiary companies.

In 2017, for environmental protection reasons, we have seen the Whanganui River in New Zealand granted legal status and an attempt to do the same for the Ganges in India.

In October 2017 a robot called ‘Sophia’ was granted citizenship status by Saudi Arabia—triggering a wave of interesting discussions and repercussions, such as whether Saudi robots have more rights than women.

The law could be amended to give some form of legal status (and so responsibility/accountability) to driving technologies—as we already have a precedent for amending this legal concept.

Interviewed by Alex Heshmaty.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.

This article was first published on Lexis®PSL TMT on 30 November 2017.

Egaming industry predictions for 2018 - including GDPR and lottery regulation

Susan Biddle reveals her top three industry predictions for 2018

  1. The need for socially responsible provision of gambling will be a key theme, underpinning a number of issues such as: the launch of GAMSTOP and how effective this is; continued debate about the dividing line between gambling and social gaming, and the extent to which social gaming should be regulated. There will be particular concern about children being exposed to gambling-style products; whether there should be a statutory levy to replace the current voluntary funding for research, education and treatment of problem gambling; and a drive towards more co-operation between operators on sharing experiences on what works (or does not work) in relation to identifying and helping problem gamblers and those at risk of becoming problem gamblers. The 5 Live investigation reported in mid-December is perhaps a taste of things to come. Operators will make – or will be under increasing pressure to make – more use of technology (including machine learning and other forms of artificial intelligence) to help them to identify actual/potential problem gamblers and the self-excluded, and to help these people to manage (and where appropriate stop) their gambling.
  2. A continued focus on consumer protection, with all operators needing to review their T&Cs to take account of the outputs from the current Competition & Markets Authority (CMA) investigation, and vigorous action by the CMA and Gambling Commission against any who do not make the necessary changes. We’ll also see continued active enforcement by the Commission and/or the ASA of the various codes on advertising.
  3. An increased regulatory focus on lotteries, in an attempt to shore up the revenue for good causes including: the introduction and enforcement of the bar on betting on non-UK EuroMillions; the need to make clear what proportion of lottery proceeds go to which good causes; requiring those offering bets on international lotteries to make very clear that this is betting, & not a lottery raising funds for good causes; the competition for the new National Lottery licence and follow-up of the National Audit Office’s report on Camelot’s profits and contribution to good causes; and close scrutiny (by the Gambling Commission and/or the ASA) of the various attempts to sell houses via free prize draws and skill competitions.
This article was first published on EGR December 2017

Is the rapid approach of driverless vehicles accelerating the need for legal change?

Legal regulatory changes on the horizon for driverless cars.

Governments in the UK do not typically have reputations as visionary thought-leaders, facing some of the most challenging political questions of a generation. British politicians are even less likely to be focused on challenging Musk and Hawking for the ‘World’s Leading Futurist’ crown.

So what did we learn when the Chancellor delivered his Autumn Budget, announcing that he wanted to create “the most advanced regulatory framework for driverless cars in the world” and “the government wants to see fully self-driving cars, without a human operator, on UK roads by 2021”?

Prediction is very difficult, especially about the future

We can safely presume that within the next decade, we will see driverless vehicles on public roads, unleashed from their test environments. Uber recently announced plans to buy 24,000 autonomous cars from Volvo, while Google-affiliated ‘Waymo’ announced that their fully driverless cars have been driving around Arizona, without a safety driver at the controls, for months. This is industry validation that we’re approaching the event horizon for publicly available driverless vehicles.

The focus is rapidly shifting from validating the capability of the driverless vehicle tech to scrutinising the suitability of existing legislation to deal with this technology. The US and UK have seen plenty of theoretical ‘thought pieces’ on holistic issues raised by driverless vehicles (and artificial intelligence more generally). However, it is only recently that legislators have begun to fully recognise that the topics have evolved from abstract sci-fi debates to practical real-world issues.

Regulatory approach to date

So, where are we with the UK regulator’s approach to automated vehicles? Here we mean both fully autonomous vehicles, capable of being operated with little or no input by a driver, as well as automated technologies which support the operation of a vehicle by a driver.

In February 2015, the DfT published ‘A detailed review of regulations for automated vehicle technologies’, together with a ‘Summary report and action plan’, under the heading “The Pathway to Driverless Cars”. These documents set out the UK government’s plan to update laws and regulations to permit the sale of automated vehicles to the public, and included plans to develop a code of practice for testing automated vehicles, while reviewing legislation to clarify liabilities in the event of a collision, and consider whether higher standards of safety are required (including dealing with cyber threats).

Additionally, a draft ‘Vehicle Technology and Aviation Bill’ was announced during the Queen’s Speech in February 2017, which included proposed automated vehicle specific legislation, relating to record keeping, insurance and accidents relating to uninstalled software updates. The Bill passed a second reading in October 2017.

Is driving software likely to become a ‘person’?

The automated vehicle is often cited as a practical example in a legal debate surrounding artificial intelligence more broadly. Discussion on AI also focusses on issues around ethics and the concept of legal personality. The question was asked by the EU Commission in January 2017, following a recommendation by its Legal Affairs Committee, on whether robots, and indeed other AI technology, should be granted ‘personhood’ status.

The law places a strong emphasis on ‘the person’, which drives concepts such as ownership and both civil and criminal liability. That concept initially attached to the human – people owning things, people committing crimes or entering into agreements. But we have seen our laws adapt, and in our modern world, we have stretched the concept of legal personality. We have created intangible entities – limited companies, PLCs, LLPs etc., which are all capable of ownership and liability in their own right.

This means they can enter into contracts, incur debt and be held accountable for their actions, and they are distinct from the identities of their shareholders, directors, parent or subsidiary companies. In 2017, for environmental protection reasons, we have seen the Whanganui River in New Zealand granted legal status and an attempt to do the same for the Ganges in India. In October 2017 a robot called “Sophia” was granted citizenship status by Saudi Arabia – triggering a wave of interesting discussions and repercussions, such as whether Saudi robots have more rights than women.

The law could be amended to give some form of legal status (and so responsibility/accountability) to driving technologies – as we already have a precedent for amending this legal concept. However, a key question is what are we trying to achieve in doing this?

This question forms the other current focus of regulators regarding automated vehicles and artificial intelligence – the underlying ethical principles, which govern the operation of the tools.

Both the UK and EU approaches have been to flag that reaching conclusions on the various ethical debates on AI and robots is fundamentally important. Indeed, in his November budget, the UK Chancellor provided the further investment required to progress ethical think-tanks and their recommendations.

Questions such as “should the driverless vehicle choose the elderly pedestrian or the young family to crash into?” are now being debated in the public domain. Reaching conclusions on these questions, which should involve factoring in both public opinion and ongoing Government-supported research, will allow us to shape the next phase of legislation. Clearly, with this revolutionary technology so close to being publicly available, we cannot wait too long for the legislation to catch up.

This article was first published on Computer Business Review December 2017