What Can The Bitcoin Split Teach Us About Consensus-Based Governance?

The past few months have been a particularly turbulent time for the cryptocurrency community. A disagreement between miners on the one hand and managers, administrators and founders on the other led to Bitcoin being split in August, with Bitcoin Cash diverging from legacy Bitcoin as a new form of the currency. A few months on, we’re now seeing one faction of the community pushing for a network upgrade to take place in November, which could lead to yet another split if no consensus is reached.

Investors in Bitcoin will no doubt be watching this closely, as any decisions could affect the value of the currency (Bitcoin initially slumped 6.8% following the split in August). However, it’s my view that you don’t have to be a cryptocurrency enthusiast to find this whole episode completely fascinating. The situation with Bitcoin provides us with an interesting example of the role that a consensus-based system can have in resolving disputes and acting as a governance system in a quasi-legal manner.

The ‘classic’ approach

The typical approach to governance in negotiated contracts involves an escalating series of decision-making committees, each meeting, taking into account certain information, and voting on a final decision. These committees are bound by pre-defined rules on the state of play. Typically, there are stages of appeal, but ultimately a single body (such as a judge or an arbitrator) will make a decision to resolve the dispute, based on the pre-agreed rules.

This is quite straightforward to picture in a contract setting, such as a dispute over the timeliness of an outsourced service, in which the supplier argues that it was not given the necessary materials or instructions, while the customer claims that the supplier should have had or known these details.

The not-so-simple approach

The picture is muddied when we consider a far softer governance framework, such as the global domain name unique identifier system. This is run by ICANN, a non-profit organisation which was essentially established to implement U.S. Department of Commerce policy. ICANN has by-laws and committees, but was dogged for many years with ambiguity about the exact scope of its remit and authority. From 2010 onwards, pressure increased to move ICANN out of its contract with, and oversight by, the Department of Commerce and into the ‘global multistakeholder community’. This process has been complicated and political, but, for this article, the key feature is that it required both a groundswell movement of support and lobbying, along with the consent of particular parties (such as Congress and the Department of Commerce). The end result, a ‘multistakeholder model’, still comes to decisions. It aims to do so through a ‘bottom-up’, decentralised, inclusive process, but it still makes a binary decision – yes or no, A or B.

The completely revolutionary approach

Compare this with Bitcoin. Sweeping governance issues arose during the debate over the technology, which ultimately led to the splitting of the currency. A public and violent debate ensued, containing everything from principled positions, to pragmatic solutions, to nasty name-calling. The decentralised, anonymous nature of this platform, with less chance of recurring transactions with any one counterparty, makes this hearty and vitriolic debate more likely than in a private governance model.

What makes this governance system particularly interesting is that there was no obligation for a unanimous decision to be reached. One side of the fence wanted to overcome technology issues with the currency by updating the underlying system, while the other wanted an entirely new currency – so both were ultimately implemented.

In this distributed ledger system, anyone can put forward a solution, anyone (with a few trivial formalities) can vote on their preferred answer, and multiple ‘solutions’ to the dispute can be accepted and form the go-forward system. Miners and traders each voted by mining or purchasing one option over another. Unlike traditional voting, this is ongoing, open to all, and can be done in a non-attributable way, over and over again. As such, there is never a final and conclusive answer, never a holistic decision made, just a quantitative indicator of how aligned each view is with the rest of the market, and how much consensus there is for each view. It is in fact more akin to a prediction market, or a stock market – but for an idea, not an asset per se.

It will be interesting to see how this model plays out, and what other applications this form of ‘messy’ governance may have – particularly in systems which seek a ground-up consensus, and want to operate in a global manner while anticipating a changing world order.

First published in The Finance Digest, 19 October 2017

Changes to UK cyber security regulation: necessary or overkill?

On 8 August 2017 the UK Government published a consultation on the implementation of the Network and Information Systems (‘NIS’) Directive into UK law. The NIS Directive does not apply to communications providers (‘CPs’), to the extent that CPs do not provide digital services; however with CPs having security obligations under the Communications Act 2003, Ofcom has over the summer launched a consultation on its plans to update its guidance on the security requirements in the Communications Act. Emma Wright and Chris Benn of Kemp Little LLP review both consultations and ask to what extent these changes are necessary.

Cyber security is high on the agenda as arguably one of the most serious threats to the UK. The NIS Directive will apply from 10 May 2018 (sooner than the General Data Protection Regulation (‘GDPR’)). Despite the NIS Directive being a directive (which requires implementation by Member States), the UK Government supports the overall aim of the NIS Directive and confirmed it will continue to apply it in the UK post-Brexit. Considering the multi-jurisdictional nature of securing and policing the internet this is not a surprise.

The UK Government has recently issued its public consultation on ‘Security of Network and Information Systems,’ focusing on implementation. The NIS Directive applies to operators of essential services (‘OESs’) and digital service providers (‘DSPs’); interestingly, it does not apply to CPs, to the extent that CPs do not provide DSP services. CPs have existing security obligations under the Communications Act 2003, and in June 2017 Ofcom launched a consultation on updating its guidance on the security requirements in sections 105A to D of the Communications Act. Both consultations focus on the security of the networks, rather than on the personal data being generated, transmitted and stored on the networks, and on the incident reporting that will apply.

The NIS Directive

The NIS Directive is concerned with the security of ‘network and information systems,’ which means: (i) electronic communications networks; (ii) any device, or grouping of interconnected or related devices, which automatically processes digital data; and (iii) digital data stored, processed, retrieved or transmitted by (i) or (ii), to enable the operation, use, protection and maintenance of (i) and (ii). For the first time, operators of ‘essential services’ will have mandatory breach notification requirements in the event of a cyber attack.

Which organisations are caught by the NIS Directive?

OESs and DSPs are within scope. However, the NIS Directive leaves it to Member States to identify the organisations that will meet the definition of an OES or DSP, hence the UK Government’s consultation.

OESs

An OES is a public or private organisation providing a service, which is essential for the maintenance of critical societal and/or economic activities, where the provision of such service depends on network and information systems, and where an incident would have ‘significant disruptive effects’ on the provision of that service. It affects only those organisations that operate within the electricity, oil, gas, air transport, rail transport, water transport, road transport, banking, financial market infrastructure, healthcare, supply and distribution of drinking water, or digital infrastructure sectors.

The UK Government’s public consultation provides further clarity to organisations likely to be considered an OES. Those that may be caught should consider the criteria set by the UK Government, which include ‘identification thresholds’; such criteria are intended to capture the most important operators in each sector, where incidents would cause ‘significant disruptive effects.’ Compliance with the NIS Directive will require changes in some organisations’ infrastructure, which may not be easily implemented given the narrowing timeline until implementation.

However, those operators that do not meet the ‘identification thresholds’ may still be required to comply with the NIS Directive. The UK Government has reserved power to designate specific operators as an OES where it has valid grounds to do so, for example, where it is in the interest of national security.

DSPs

A DSP is an organisation providing an online marketplace, an online search engine, or a cloud computing service, and again, the UK Government’s consultation seeks to clarify the organisations that will need to comply with the NIS Directive. It proposes an automatic exclusion for DSPs that employ fewer than 50 persons and have an annual turnover and/or balance sheet total that does not exceed €10 million and provides definitions of each of the three services that fall within the definition of a DSP.

Some important exclusions are:

• An online marketplace does not include a service provider redirecting a user to other services to make a final transaction (i.e. not facilitating the final sale) nor does it include sites that only sell directly to consumers.

• For online search engines, those sites offering search facilities powered by another search engine are not in scope, since the underlying search engine must comply with the NIS Directive.

• Cloud computing includes infrastructure as a service, platform as a service and business-to-business software as a service (‘SaaS’); however, SaaS offerings for entertainment-only purposes are not caught.

While CPs will fall outside of the scope of OESs, depending on the services provided by the CP, they may be a DSP under the NIS Directive.

Security requirements

OESs

The two main obligations are to take:

• appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems; and

• appropriate measures to prevent and minimise the impact of incidents affecting the network and information systems with a view to ensuring the continuity of the services they provide.

The UK Government proposes a ‘guidance and principles based approach’ in respect of these measures, which will be set by the National Cyber Security Centre (‘NCSC’) in cooperation with Government departments and UK regulators. The consultation issued by the UK Government asserts that the onus is on UK organisations to demonstrate compliance with the security measures required under the NIS Directive. At present, such organisations have the proposed ‘high level principles’ as a nod to what organisations should do, but further guidance will not be issued until early 2018, with some guidance not likely to come until November 2018, long after 10 May 2018: the date the Directive should be implemented in the UK. However, a grace period has been offered to OESs: compliance will only be required in respect of guidance that exists and is published, and OESs should be given enough time to incorporate new guidance into their risk management and security measures.

DSPs

The UK Government points to the security requirements and list of factors DSPs should take into account when assessing the appropriateness of the level of their security stated in the NIS Directive. DSPs will have to “identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use to provide [their] services,” and again the level of security must be “appropriate to the risk posed,” and ultimately to prevent incidents (similarly to the obligation imposed on OESs).

Incident reporting

OESs

OESs have a mandatory obligation to notify (without undue delay) the relevant regulator or a CSIRT (a computer security incident response team, as discussed further below) of incidents having a ‘significant impact’ on the continuity of the essential services they provide. Under the NIS Directive, an ‘incident’ is any event having an actual adverse effect on the security of network and information systems, and ‘significant impact’ should be assessed taking into account several factors. The consultation provides guidance on what a significant impact to the ‘continuity’ of essential services is, i.e. a loss, reduction or impairment of an essential service. In respect of ‘significant impact,’ which currently under the NIS Directive leaves much to be determined, the UK Government proposes that a consultation (to be commenced following the end of the current consultation) between the NCA, OESs and the NCSC should take place to establish thresholds specific to each sector.

Where an OES relies on the services of a DSP, the OES must notify the relevant regulator if there is a ‘significant impact’ to its essential service because of a disruption to the underlying digital service that it relies on.

The consultation provides further clarity on OESs’ reporting requirements, noting that incidents are not limited to cyber security incidents but also include physical incidents, such as power failures, environmental hazards and hardware failures; thus the reporting requirements have the potential to be particularly onerous on OESs. This is acknowledged by the UK Government. Consequently, OESs will welcome the UK Government’s proposal to align the reporting requirements under the NIS Directive with current practices, acknowledging that some industries already have mandatory or voluntary reporting frameworks in place and NIS is only intended to reinforce these frameworks through legislation. All OESs will be required to notify incidents to the NCSC, rather than to industry specific regulators, which will relieve some of the burden on OESs.

In respect of the timing of such incident reporting, the UK Government is proposing that “without undue delay” should mean “without undue delay and as soon as possible, at a maximum no later than 72 hours after becoming aware of an incident” to align with other reporting requirements established by similar legislation, e.g. the GDPR. Note that any existing timeframes shorter than those proposed in the NIS Directive, such as the timeframes proposed by Ofcom under s.105 of the Communications Act, will remain in place.

DSPs

DSPs also have a mandatory obligation to notify of ‘substantial incidents’ in relation to digital services, however such requirement is only triggered when the DSP has access to the information it requires to assess the impact of the incident. The NIS Directive sets out a list of factors that should be considered when assessing if an incident is a ‘substantial incident.’

The European Commission is working with Member States to establish the framework for DSPs’ reporting requirements to give further clarity to the list of factors. This framework will be published as legally binding guidance under the Implementing Act, which was expected in August 2017. The UK Government acknowledges that the reporting requirements for DSPs currently lack clarity and is proposing a targeted consultation in due course (those interested must opt-in by providing their details).

DSPs will be subject to the same timing requirement as OESs: ‘without undue delay and as soon as possible, at a maximum no later than 72 hours after becoming aware of it.’

Competent authorities and enforcement

The NIS Directive gives flexibility to Member States to designate one or more national competent authorities (‘NCAs’) to oversee compliance by OESs and DSPs with the NIS Directive. Currently the Information Commissioner’s Office (‘ICO’) takes the lead on personal data breach notifications, and industry specific organisations have additional obligations to report to other regulators in the event of security breaches. The UK Government intends for multiple regulators and public authorities to take responsibility in order that sufficient expertise is available to understand the challenges affecting the organisations in the industries that fall within the scope of the NIS Directive. This raises the question of consistency in enforcement. Technical support will be offered from the NCSC, designated as the Single Point of Contact (acting as a liaison with Europe) and the UK’s CSIRT (computer security incident response team, which is a role that includes monitoring and responding to incidents at a national level). The NCSC’s involvement may go some way to ensuring consistency in the guidance published for organisations and approach to responding to incidents.

OESs and DSPs will need to bear in mind their dual responsibilities of personal data breach reporting and security incident reporting. Helpfully, the UK Government is proposing that the timing of reporting incidents under the NIS Directive aligns with other legislative requirements although the regulator may be different. Given the potential severity of the loss of an essential service, the UK Government is proposing to adopt similar fines to those set out in the GDPR.

Ofcom security guidance consultation

CPs are already subject to statutory obligations of security and incident reporting under sections 105A and 105B of the Communications Act 2003, and subject to audit and enforcement provisions under sections 105C and 105D (‘the Guidelines’). The original version of the Guidelines came into force in May 2011 following new obligations introduced under the European Framework on Electronic Communications (originally published in 2002 and later revised in 2009). Ofcom published the current version of the Guidelines in August 2014.

However, Ofcom’s use of these provisions to date appears extremely limited and Ofcom has consulted on revised guidance in these areas. The consultation period closed on 7 September 2017. Ofcom has reflected on the rise in cyber security breaches, which is the rationale for the proposed changes to the Guidelines, focusing on areas of cyber security, risk management and governance, incident reporting and maintaining network availability.

Of course, where an OES outsources its network then many of the obligations will be flowed down to the underlying network provider to the greatest degree possible. CPs that choose to provide cloud computing services will also be required to comply with the NIS Directive in their role as a DSP.

Section 105A - security and availability

Cyber security guidance and schemes

Ofcom has already produced guidance to cover cyber security in respect of section 105A, and intends its proposal to add to and enhance the existing framework. Ofcom will be looking to the NCSC for guidance on cyber specific measures CPs should be taking. It is ‘encouraging’ CPs to be aware of the guidance from the NCSC (including the ‘10 Steps to Cyber Security’ and Cyber Essentials) and ENISA’s Technical Guideline on Security Measures. CPs should also obtain Cyber Essentials Plus, which is likely to prove difficult as the scheme is designed for smaller organisations.

CPs have previously argued certification ND1643 (a standard designed to assist with preventing or minimising the impact of security incidents on network interconnection) “may be of little value in improving security.” However, Ofcom is keen for the standard to continue to lead compliance, but in an alternative form of a best practice document, which Ofcom can use as a baseline for security compliance. Ofcom encourages the NICC (the company responsible for setting the ND1643 certification) to issue a new document, which is fit for purpose, following consultation with members and other stakeholders.

Ofcom’s focus on cyber security means that CPs will be required to consider cyber security threats alongside the risks associated with protecting personal data, with cyber security risk management being “an essential part of compliance with section 105A.”

Risk management and governance

Ofcom is expecting CPs to carry out vulnerability testing of their cyber security measures, and is currently working with DCMS and the NCSC to develop a vulnerability testing framework, similar to that which the Bank of England operates for financial institutions.

Despite the rise in data protection and cyber security as a board issue following the increase in breaches and advancing GDPR, Ofcom does not consider that cyber security receives sufficient attention at a senior level of CPs. This reflects the findings of the DCMS Select Committee issued just over 12 months ago.

To this end, Ofcom has built on those recommendations: CPs should look to document senior management decisions in the event of a security incident (or more broadly a breach of the Ofcom guidelines) and the processes that were followed, since Ofcom will look to these records as evidence of compliance with its Guidelines. CPs should designate owners at all levels in the organisation, including at Board level. Ofcom recognises that security certifications can “form a powerful mechanism” to demonstrate compliance, however CPs should not see this as a tick box exercise, since Ofcom is not making such certifications a requirement for CPs to obtain.

Maintaining network availability

To comply with CPs’ obligation to take measures to maintain network availability appropriate to the needs of their direct customers, Ofcom has suggested:

• avoiding single points of failure in a network will go some way to evidencing ‘appropriate steps,’ however Ofcom notes that there are circumstances when this is impractical;

• investing in additional and temporary flood resilience defences, where appropriate; and

• mitigating power failures - one of the root causes of security incidents.

Ofcom intends to investigate significant availability incidents involving power loss and flooding. In respect of third parties, which many CPs engage to support the delivery of their network, Ofcom considers that CPs remain responsible for the actions of their subcontractors and must have sufficient levels of control over subcontractors, to ensure that such subcontracting does not breach the CPs’ statutory obligations.

Section 105B - incident reporting

Despite considering that the current reporting regime is working well and remains appropriate, Ofcom is proposing changes.

Mobile network operators

Ofcom is seeking to address the difference in the number of incident reports it receives from mobile network operators, which is significantly lower than from fixed network operators, despite the decline in fixed telephony and rise in mobile telephony. Ofcom has previously set different reporting thresholds for the four main mobile network operators; however, the new proposed thresholds are set depending on density of coverage, i.e. urban vs rural areas, rather than by mobile network operator. Ofcom is proposing to tighten the reporting thresholds for mobile network operators to ensure it receives “a significant and sustained increase in reporting” from such operators.

Cyber security incidents

Ofcom expects CPs to notify incidents which have a “significant impact on the operation” of a network or service, which in light of recent cyber attacks, Ofcom considers includes a major breach of data confidentiality or integrity.

The latest proposal is to capture any incidents involving cyber security breaches, which significantly increases the reporting burden on CPs. Ofcom feels it should be aware of all incidents that could be considered to have a “significant impact” to enable further investigation where Ofcom feels it is necessary to do so, encouraging over, rather than under, reporting from CPs.

‘Urgent incidents’

CPs are likely to be nervous about Ofcom’s proposal to introduce new reporting timelines for ‘urgent incidents,’ which would be required to be notified within three hours of the CP becoming aware. This will not give CPs much time to assess the impact of the incident in order to be able to conclude that such an incident is in fact an ‘urgent incident.’

All other incidents are to be reported in line with the requirements under the GDPR, i.e. within 72 hours of the CP becoming aware, or even later for ‘non-major’ incidents.

Ofcom sets out the criteria for ‘urgent incidents,’ which includes:

• incidents affecting services to 10 million end users;

• incidents affecting services to 250,000 end users and expected to last 12 hours or more;

• incidents attracting national mainstream media coverage; and

• incidents affecting critical Government or public sector services.

These new requirements will require great investment from CPs to be able to adhere to these tight reporting requirements.

Sections 105C & D - audit and enforcement

Auditing

Ofcom is intending to replace the current guidance around audit and enforcement. Ofcom is proposing to increase its power to conduct audits more frequently, which will include information gathering and direct engagement with CPs. CPs will still be liable for the costs of such audits.

Conclusion

Considering the huge rise in cyber attacks, the NIS Directive is a welcome piece of legislation for consumers. However, for those organisations caught by it, it creates the additional burden of mandatory reporting requirements and increases the level of security measures. Whilst the focus is currently on compliance with the GDPR, organisations should not miss this opportunity to ensure updated reporting procedures also capture any additional obligations imposed by the NIS Directive.

CPs must take note of the proposed new guidelines from Ofcom, now that it intends to conduct more audits. CPs are faced with a plethora of new requirements and this is before the status of the draft ePrivacy Regulation is confirmed.

First published in Cyber Security Practitioner, September 2017

Playing catch up - gender pay gap reporting

Amy Douthwaite & Marian Bloodworth consider the implications of the gender pay gap reporting rules.

  • Calculating the threshold number of employees and working out who is in scope is not as simple as it might first appear.
  • The internal and external implications of gender pay gap reporting should not be underestimated.

The Equality Act 2010 (Gender Pay Gap Information) Regulations 2017 (the Regulations) came into force on 6 April 2017, requiring larger employers to produce an annual report on their gender pay gap.

The first report must be published by 4 April 2018 on data as at the snapshot date of 5 April 2017 and annually thereafter. There are many legal and practical issues for employers to consider.

The basic obligation

Employers with 250 or more employees as at 5 April must report the following metrics:

  • the difference in mean hourly pay of male and female employees;
  • the difference in median hourly pay of male and female employees;
  • the difference in mean bonus pay for the previous 12 months of male and female employees;
  • the difference in median bonus pay in the previous 12 months of male and female employees;
  • the proportions of male and female employees paid a bonus in the previous 12 months; and
  • the number of male and female employees in each quartile.

The Regulations set out detailed instructions on how to carry out the calculations for each of the metrics. While the basic obligation appears simple enough, there are a number of challenging areas within the Regulations as they are not as clear as they could be.

Who counts for the 250 threshold?

The first question is whether the employer is caught by the 250 employee threshold. While the Regulations themselves do not define ‘employee’, the Explanatory Notes provide that ‘employment’ has the meaning set out in s 83 of the Equality Act 2010. Therefore, employers should include in their threshold calculations any person employed under a contract of employment, a contract of apprenticeship, or a contract personally to do work.

Depending on the organisation’s structure and engagement methods, this could prove more complex than employers anticipate, including in relation to partners, overseas employees, non-executive directors, consultants and casual workers.

In terms of the inclusion of partners, the Regulations include a definition of ‘relevant employee’ to determine who should be reported on, which expressly excludes partners and LLP members, meaning they will not have to be reported on. However, they are not expressly excluded for the purposes of calculating the ‘employee’ numbers for the threshold. Therefore, if a partner falls within the definition of ‘employment’ within the Equality Act 2010 they should be included in the threshold calculation.

In terms of overseas employees, the ACAS guidance (Guidance) suggests that generally when an employer based in Great Britain has an employee based overseas, that employee will be classed as an ‘employee’ for the Regulations if they would be able to bring a claim in the employment tribunal under the Equality Act 2010. This will involve an analysis of the tests in Lawson v Serco [2006] IRLR 289 and Ravat v Halliburton [2012] IRLR 315. Equally, there is no clarity as to how overseas secondees to the UK, or UK employees of businesses with overseas headquarters, should be treated.

Who should be reported on?

Not every person included for the 250 employee threshold purposes will need to be included in the report, for example, partners (as outlined above).

In addition, the Regulations provide that if the employer does not have the data relating to an employee working under a contract personally to do work (such as a consultant) and it is not reasonably practicable to obtain the data, then it does not have to be included.

However, employers should be wary about relying on this exclusion, as in many cases this data will be relatively easy for the employer to obtain, for instance by asking the consultant or budget holder within the business for the data. In addition, while this might provide a plausible reason to not include the data in the first report, this is likely to be less acceptable for future years as the Guidance specifically states that employers should try to ensure that they have access to the relevant data.

Getting the data right

Employers need to ensure that they have access to and can obtain all of the required data. This may not be entirely straightforward for some employers, for instance if they operate multiple payrolls, have different payment mechanisms, or keep payment information in different locations.

They should also consider whether the method of extracting or compiling the data actually creates potentially problematic documents. For instance, if it is easiest to compile the data according to business area, this may highlight a particular issue with the gender pay gap or even equal pay issues within that business area. This then may put the onus on the employer to tackle that issue. It would also be helpful information for an employee bringing a claim within that business area. Therefore, it is not just the final report that may create legal risk, but also documents created as part of the process.

Risk of getting it wrong

Employers should obviously be trying to ensure that the data reported is correct and in compliance with the Regulations. However, given the perceived lack of teeth which the Regulations have in terms of enforcement, some employers may take the view that where there are grey areas or the obligations are unclear, a proportionate approach would be to adopt a logical and consistent methodology and accept the risk that it could be incomplete or not entirely in compliance.

The content of the report & sign-off

Once employers are comfortable with their data, the next question will be how the data should be presented. It is anticipated that most employers will have a gender pay gap. Employers therefore should carefully consider putting some context around the data. There are a number of messages that the employer may want to consider, for instance:

  • Does a feature of the calculations skew the data in some way? For instance is annual bonus paid in the ‘relevant period’ and therefore double counted to a certain extent by being included in ‘hourly pay’ and bonus metrics? This will involve a careful analysis of the calculations and the data in order to determine whether this is the case and why.
  • Are there senior (and otherwise well paid) individuals who were not ‘relevant full pay employees’ at the snapshot date (because they were on leave) and so were not reported on?
  • Is the pay gap common to the sector as a whole? How do the employer’s metrics compare to others in the sector?
  • Has the employer taken any steps already to reduce the gender pay gap? Has it introduced any initiatives to promote women within the organisation to get to the higher paying roles, has it introduced any recruitment initiatives which may help address the gender pay gap?
  • What steps is the employer going to take to reduce the gender pay gap further?
  • Is the employer involved in any sector initiatives to help encourage women into the sector or develop those already working in the sector?

While it is anticipated that employers will have a gender pay gap in the first year and for a number of years to come, there will be an expectation that the gap will narrow each year, particularly where the employer has identified steps it is taking or will take to improve the gap within the narrative of the report. Therefore, employers should carefully consider what they are prepared to commit to in the report given the risk of further negative attention if steps are promised and then not followed through.


The report has to be signed off by a senior person within the organisation (a director for companies). The person or team responsible for ensuring compliance with the Regulations should therefore consider early on who this is likely to be and their preferred approach to the obligations. Some will want to adopt a minimal ‘compliance only’ approach, whereas others will want to use the obligations as an opportunity to push forward the diversity agenda at the organisation.

Publishing the report - when & where

Once the report has been drafted the employer should consider tactics for publishing the report. When to publish the report is a key question as this could significantly affect how much external attention the report receives. Employers may decide to delay publishing until close to the deadline in the hope that their report will be one of many published at that point. Alternatively, employers may consider other strategic publishing times, for instance at a time when there are other high profile news issues.

The report has to be submitted to a designated government website and also published in a manner accessible to all its employees and the public on the employer’s website. Therefore, there is some leeway in where to publish it and it does not necessarily have to be displayed on the employer’s landing page on their website.

Most employers will have given careful thought to how the report will be perceived externally and the external communications accompanying it. However, how the report is perceived by the employer’s own staff will be important as the report could raise a lot of questions, and may spark pay grievances or even claims for sex discrimination or equal pay. Therefore, the scope, content and timing of internal communications should not be overlooked. Clarifying the distinction between equal pay and gender pay issues will be particularly important, including making clear that data showing a gender pay gap does not necessarily show an ‘equal pay’ issue.

How might the data be used?

In addition to the data potentially sparking grievances and claims regarding pay, inevitably any employee or former employee bringing a sex discrimination claim will seek to use the gender pay gap data as evidence of ingrained discrimination within an organisation. The only way to mitigate this risk will be to publish carefully worded narrative with the data, and to refer to a clear commitment to address it going forward.

Any other data that is generated while preparing the report could become disclosable in employment tribunal claims if it is relevant to the particular claim. Therefore, employers should be careful when producing and commenting on the data internally. Involving legal advisers in order to protect the data and analysis with privilege should therefore be considered.

Think ahead

While the obligation for employers to produce the gender pay gap report seems, on the face of it, straightforward and clear, the internal and external implications should not be underestimated. Employers should therefore be thinking ahead and planning their approach to their obligations under the Regulations, as they may be able to mitigate some of the associated risks and be better prepared to deal with any risks that materialise.

This article first appeared in New Law Journal, www.newlawjournal.co.uk.

The future of data protection law and enforcement in light of Brexit

In the summer, the government expressed its thoughts about the UK’s future data protection law. Nicola Fulford and Gemma Lockyer look at the derogations from the GDPR.

On 23 June 2016, the United Kingdom voted to leave the European Union and whilst that leaves us in a period of uncertainty in many respects, we have received some guidance as to where the UK’s data protection law and strategy is going. On 7 August 2017 the Department for Digital, Culture, Media and Sport published their statement of intent for the planned reforms that will form the new Data Protection Bill (Statement of Intent). The Data Protection Bill will bring the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) into our domestic law as the government seeks to ensure that the UK maintains high standards of data protection, even after leaving the EU.

The GDPR will apply from 25 May 2018 and much has been written on the new rights of individuals and the new obligations on data controllers and processors that this will bring. The GDPR allows Member States to implement certain derogations at national level and the Statement of Intent sets out the UK government’s intentions in this regard. We have discussed the key derogations set out in the Statement of Intent below and also the views of the ICO on their international strategy looking ahead to 2021.

Key derogations

Giving consent to process data and protecting children online: In order for controllers to rely on consent when processing personal data, the person giving consent needs to have a certain level of understanding of what they are consenting to. Article 8 of the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorisation and requires that reasonable efforts be expended to verify that a parent or guardian has given the appropriate consent. The GDPR sets the minimum age for consent at 16 but also allows member states to set a lower age, provided this is no lower than 13, at which a child can consent in their own name to data processing. In the United States, the age of consent is set at 13 by the Children’s Online Privacy Protection Act and the Federal Trade Commission’s subsequent COPPA Rule, and so, with varying standards between EU member states, as well as the difference between EU standards and the United States, there will be challenges for companies offering international services.

The safety of children online is one of the government’s current priorities. The government intends to establish a Digital Charter with the aim of making online environments safer for children and young people. Despite this, the UK has decided to set the age limit at the lower end and allow a child aged 13 years or older to consent to the processing of their personal data. Carrying out age verification checks at the age of 18 is more straightforward, with the possibility of credit checks, checking driving records and the electoral register. However, it is not possible to carry out checks of this nature on young children, and so websites will need to find a new way to work with users to verify age. Whilst setting an age limit which is consistent with the United States may ease some tensions for international service providers, it is likely to prove difficult for data controllers to demonstrate that they have the necessary consents from someone of an approved age.

Processing criminal conviction and offence data: Information relating to criminal convictions and offences is highly sensitive and the GDPR permits only bodies vested with official authority to process personal data of this nature. Currently, under English law, organisations are able to process personal data on criminal convictions and offences in certain specified circumstances, the examples given in the Statement of Intent include when carrying out employment checks and underwriting driving insurance policies. Employers are currently entitled to seek and be provided with varying levels of information on a prospective employee’s criminal record. The Data Protection Bill will preserve this right for organisations not vested with official authority to process personal data of this nature. There is a public policy reason for allowing employers to continue to process data of this nature to ensure that vulnerable members of society are not put at risk and the wrong people are not placed in positions of power that are at risk of abuse.

Automated individual decision-making: The GDPR introduces a new right for an individual not to be the subject of an automated decision, including profiling, which has a legal or other significant effect on the individual. This right does not apply when the automated decision is necessary for entering into or performing a contract with the data subject; authorised by Member State law if the law lays down suitable measures to safeguard the data subject’s right and freedoms and legitimate interests; or is based on the explicit consent of the data subject.

The Data Protection Bill will legislate for an exemption to this right to ensure that processing by automated means is possible where there are legitimate grounds. The examples given in the Statement of Intent are the automatic refusal of an online credit application or e-recruiting practices that do not involve any human intervention, on the basis that these business processes would become impossibly burdensome if businesses were unable to rely on computer processing power and each decision had to be reviewed by a human. However, we know that machine learning tools do not always get it right. If the data set that informs the learning contains unconscious bias, then the machine is likely to generate biased answers (e.g. assuming that female CVs are more suitable for nursing roles because Google image results for “nurse” show predominately females). This derogation has the potential to seriously undermine a data subject’s right under the GDPR not to be subjected to a decision based solely on automated processing. Communicating how human intervention has been involved will be important to ensure that there are safeguards in place where a decision might have been reached which is fundamentally wrong, but allowing a computer to carry out the “first pass” could be an effective use of resources.

Freedom of expression in the media: Section 32 of the Data Protection Act 1998 provides an exemption for organisations from compliance with the data protection principles (except the seventh data protection principle – the requirement to keep personal data secure) where the personal data are processed for special purposes. This includes where the processing is undertaken with a view to publication, that publication is in the public interest and compliance with the principles is incompatible with the special purpose. Through this exemption, the legislation has sought to reconcile data protection law and freedom of expression. It is intended that the exemption in section 32 will be broadly replicated in the Data Protection Bill, although the ICO’s powers to enforce the exemption are expected to be strengthened.

Research: The GDPR requires organisations to comply with certain rights belonging to data subjects, including the right for data to be rectified without delay, the right to restrict further processing, the right of access and the right to erasure. The GDPR also allows the UK to legislate to exempt scientific or historical research organisations, organisations that gather statistics or organisations performing archiving functions in the public interest from these obligations. The intention is to allow research organisations and archiving services not to have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Provided that appropriate organisational safeguards are in place to keep the data secure, research organisations will also not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work. The examples given in the Statement of Intent to justify the exemption include the necessity to archive inaccurate data so that it is possible to audit a decision-making process that led to an unfavourable outcome, or where statistical data may be compromised if an individual’s personal data is later removed from the statistical pool.

The ICO’s international strategy

The Rt Hon Matt Hancock MP stated in the ministerial foreword to the Statement of Intent that under the Data Protection Bill “enforcement will be enhanced, and the Information Commissioner given the right powers to ensure consumers are appropriately safeguarded”. In the Information Commissioner’s Office’s International Strategy for 2017 – 2021, four challenges are highlighted which the ICO will face in the changing digital global environment.

1. To operate as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period: The ICO intends to maintain its relationship with its EU partners, including the European Data Protection Board and the Article 29 Working Party because, as well as overseeing enforcement of the GDPR, the European Data Protection Board will also issue guidance, making it influential in setting the direction for data protection and privacy standards. The ICO will advise the UK government on the data protection implications of leaving the EU and will seek to maintain a strong working relationship with individual EU Data Protection Authorities to ensure that UK organisations are able to continue to transfer data internationally to facilitate business growth.

2. Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies: The ICO intends to continue to engage with leading international privacy networks and explore relationships with networks that the ICO has not engaged with previously. The ICO intends to share information and knowledge with other independent bodies responsible for enforcing and promoting freedom of information laws. This will allow the UK to take international best practices, choose the tools most applicable to UK interests and apply them, ensuring that the UK is taking the best from the widest pool of experiences.

3. Ensuring that UK data protection law and practice is a benchmark for high global standards: The ICO wants to ensure that the UK retains a high standard of data protection law to provide effective safeguards for the public. The ICO intends to collaborate with the international community to support work to turn the GDPR’s accountability principles into a robust but flexible global solution. Continuing to take part in the international conversation around data protection will allow the ICO to maintain its status internationally as a leading player in the data protection landscape.

4. Addressing the uncertainty of the legal protections for international data flows to and from the EU, and beyond, including adequacy: International data transfers are an important part of the digital economy. The ICO will seek to ensure that there are effective safeguards for these data transfers in the uncertainty that flows from Brexit. The ICO has stated that it intends to explore a “global data protection gateway” which will allow the UK to interoperate with different legal systems that protect international flows of personal data and will support work to develop new mechanisms to enable international transfers, such as codes of conduct and certification under the GDPR.

Impact of Brexit and conclusions

There are questions around the process under which UK organisations will be able to transfer data internationally (both to the EU and elsewhere) and so including a requirement for organisations to revisit and put in place any necessary mechanisms to facilitate the transfer of data in contracts which will continue following Brexit should be considered best practice. UK companies who operate in Europe will also have to consider their lead supervisory authority following Brexit.

The ICO’s strategy suggests that it will continue to take a tough stance on data protection in the coming years. It is clear that the ICO wants to ensure that the UK has a strong reputation for protecting the rights and freedoms of data subjects, potentially with a view to obtaining a European Commission finding of adequacy, which will cover international data transfers post Brexit. However, we may find there are some tensions with the UK government as the proposed derogations appear to unpick some of the protections offered by the GDPR (e.g. the lower age of consent by children to processing and the increased opportunities to use automated decision-making). It will also be interesting to see how the proposed Data Protection Bill and European Union (Withdrawal) Bill will interact, especially given the time taken to get this far with the Statement of Intent and the looming 2018 and 2019 deadlines.

This article was first published in PL&B UK Report, September 2017, www.privacylaws.com.

Maintaining standards

The advertising of gambling continues to be in the spotlight. Recently there have been a number of rulings from both the UK Advertising Standards Authority and the Gambling Commission as the thorny issue of advertising gambling continues to cause concern for regulators.

Earlier this year, BGO Entertainment was hit with a hefty penalty from the Gambling Commission, the body that regulates commercial gambling in Great Britain in partnership with licensing authorities.

BGO was fined £300,000 for misleading advertisements about promotions that failed to comply with Licence Conditions and Codes of Practice social responsibility requirements. Among other things, the LCCP require that adverts and offers, including “free bet” offers, do not mislead customers and clearly state significant limitations and qualifications.

This responsibility doesn’t stop there - the LCCP requirements extend to all areas of marketing, including social media, and make operators responsible for third parties contracted to provide any aspect of the operator’s regulated business, which includes marketing affiliates and advertising networks.

None of this is new. The free-bets provision was introduced in 2015 and specific social media requirements were introduced into the IGRG Code for Socially Responsible Gambling in February 2016 (although the code of the Committees of Advertising Practice - the “CAP code” - already applied to social media). But what has perhaps changed is the Gambling Commission’s approach to enforcement.

At its Raising Standards conference last November, the commission gave a clear indication that marketing was a focus area, that there was particular concern about the behaviour of some affiliates, and that the commission was ready to take action. The commission repeated this message at ICE Totally Gaming at ExCeL in London in February and, on July 5, following consultation, published its revised enforcement strategy.

This makes clear that there is no longer a bias in favour of settlement, making licence reviews more likely, and introduces higher penalties for non-compliance, particularly where there are repeated failings.

The BGO action was the first example of this approach, with the fine relating to nine advertisements on its own website and 14 on affiliates’ websites. BGO’s breaches of the social responsibility code - and its repeated failure to take timely and effective action to address these issues when raised by the commission - cast doubt on BGO’s suitability to carry on its licensed activities.

Hot on the heels of the BGO fine, a second illustration of the commission’s new approach is Lottoland’s £150,000 fine in June for its own, and its affiliates’, actions. The LCCP requires operators to comply with the CAP and (for broadcast advertising) BCAP codes of practice administered by the ASA.

In February, the ASA upheld a complaint against a Lottoland radio ad on the grounds that it failed to make clear to players that they were betting on the outcome of lotteries, rather than participating in a lottery, and the Gambling Commission found the same issue occurred in Lottoland’s third-party marketing, website and social media promotions. In Great Britain, lotteries differ from other gambling products as part of the proceeds must go to good causes, so the distinction is particularly important.

Marketing materials must not be likely to be of particular appeal to under-18s, especially by reflecting or being associated with youth culture. In particular, operators must not include a child or a young person (under 18) in marketing communications, and anyone who is - or seems to be - under 25 years old must not be featured gambling or play a significant role in the marketing material (with a limited exception for 18 to 24 year olds who are the subject of the bet - such as young sports players).

Use of comic-book characters and superheroes can be problematic unless the audience for such advertisements is strictly controlled. In August 2016, the ASA found an email advertisement for Ladbrokes casino featuring Iron Man to be socially irresponsible, but recently reversed this ruling on appeal on the basis that the recipients of the email had all been validated as being over 18.

Additionally, under a new condition introduced in October 2016, gambling operators must ensure that they do not advertise on websites “providing unauthorised access to copyright content”. Again, operators are responsible for their affiliates: they must take all reasonable steps to ensure that their marketing and media agencies do not place their advertisements on such websites, and must reserve the right to terminate the appointment if an agency does so.

All operators in the gambling industry looking to avoid the attention of the regulator are expected to take heed of all advertising and marketing rules set out by the authorities and to learn from the experiences of others such as BGO and Lottoland.

The gambling industry is extremely competitive and, with operators looking for any possible advantage, there’s perhaps a natural temptation for operators and their marketing agencies to push the boundaries. But operators also have a social responsibility, and the commission is clearly keen that operators put the consumer first and take the initiative in relation to social responsibility rather than merely complying with the strict regulatory requirements.

With competition intense, one thing that definitely won’t help operators is falling foul of the rules around advertising, so this is an area that requires close attention.

This article first appeared in iNTERGAMINGi Magazine.

Weighing vs voting - distributed ledgers as governance devices

“In the short run, the market is a voting machine but in the long run, it is a weighing machine.” – Benjamin Graham

The ‘forking’ of Ethereum in the summer of 2016 and Bitcoin in the summer of 2017, has given us two interesting examples of the role that a consensus based system can have in resolving disputes and acting as a governance system in a quasi-legal manner.

The ‘classic’ approach to governance in negotiated contracts involves an increasing series of escalations and decision-making committees, compelled to meet, take into account certain information, and come to a decision. Those committees are bound by rules agreed in advance about the state of play. Typically, there are stages of appeal, but ultimately, a single body will make a decision to resolve the dispute. The parties will have agreed if this is a private entity, such as an arbitrator, or a public servant such as a judge – but the end result is a single (or very low number of) minds voting on the right decision based on the pre-agreed rules. Typical hallmarks of this system are a private disagreement, confidential disclosures and arguments, cost-pressure to resolve the dispute speedily and amicably, and a sometimes public outcome, but one which contains only a small fraction of the relevant information.

This is quite straightforward to picture in a contract setting: for example, a dispute over the timeliness of an outsourced service, the supplier arguing that it was not given the necessary materials or instructions, the customer saying the supplier should have had or known these things. The first few committees cannot agree but narrow the issues; the matter is then escalated to the account managers, who may resolve the issue, or take the matter to arbitration or the court system for a third party to vote on.

The picture is muddied when we consider a far softer governance framework. The global domain name unique identifier system is run by ICANN, a non-profit organisation which was established effectively to implement U.S. Department of Commerce policy. ICANN has by-laws and committees, but was dogged for many years with ambiguity about the exact scope of its remit and authority. From 2010 onwards, pressure increased to move ICANN out of its contract with, and oversight from, the Department of Commerce and into the ‘global multistakeholder community’. This process has been complicated and political, but, for this article, the key feature is that it required both a groundswell movement of support and lobbying, along with the consent of particular parties (such as Congress and the Department of Commerce). The end result, a ‘multistakeholder model’, still comes to decisions. It aims to do so through a ‘bottom-up’, decentralised, inclusive process, but it still makes a binary decision – yes or no, A or B, etc.

Compare this with ethereum and bitcoin. Sweeping governance issues arose during the DAO controversy leading to the ethereum fork, and during the block size debate which led to the bitcoin fork. In each case, a public and violent debate ensued, containing everything from principled positions, to pragmatic solutions, to nasty name-calling. The decentralised, anonymous nature of these platforms, with less chance of recurring transactions with any one counterparty, makes this hearty and vitriolic debate more likely than in a private governance model.

The next part however is more interesting: in effect a decision does not have to be made. The ‘classic’ governance described above requires a private agreement, or a decision to be voted on by pre-agreed categories of people using a pre-agreed system. With a distributed ledger system, anyone can put forward a solution, anyone (with a few trivial formalities) can vote on their preferred answer, and multiple ‘solutions’ to the dispute can be accepted and form the go-forward system. Take the bitcoin fork into classic bitcoin and bitcoin cash. A dispute about block size could not be resolved with a unanimous consensus. Two prevailing views formed about the optimal block size, and the proponents of each formed a packaged ‘brand’ for their proposal. The fork eventually came, and each group moved to their preferred system. Miners and traders each vote with their electricity or their money, by mining or purchasing one fork over another. This voting however is on-going, open to all, and can be done in a non-attributable way, over and over again. This makes the ‘voting’ quite different to the ‘voting’ in the previous examples. There is never a final and conclusive answer, never a holistic decision made, just a quantitative indicator of how aligned each view is with the rest of the market, and how much consensus there is for each view. It is in fact more akin to a prediction market, or a stock market – but for an idea, not an asset per se.

It will be interesting to see how this model plays out, and what other applications this form of ‘messy’ governance may have – particularly in systems which seek a ground-up consensus, and want to operate in a global manner while anticipating a changing world order.  

They can't win your raffle unless they buy a ticket... or can they?

The story of Dunstan Low, who successfully raffled his £845,000 Lancashire mansion by selling 500,000 raffle tickets,[i] is another example of the re-appearance of the earlier trend for homeowners who have lost faith in the traditional method of selling their homes to raffle them instead. On the face of it, this looks a great idea. If you charge £2 a ticket and your property is valued at £500,000, then you need only sell 250,000 tickets to recover the full value, plus some extra tickets to cover your costs. In theory, you shouldn’t be short of entrants to your raffle either, as the odds aren’t bad and the prize a chunky one.

In practice, it’s not quite that easy. Several house sale raffles and competitions have failed to achieve sufficient ticket sales and had to refund entry fees or pay a smaller cash prize instead. Potential entrants may ask why the house hasn’t sold by the traditional route, and be wary of acquiring a property without the usual investigation of problems and associated costs.

Anyone thinking of raffling their house should also be aware that the Gambling Act 2005[ii] makes it a criminal offence to run a lottery without a licence – and licences are only available to charities (and local authorities) as raffles can only be run to raise funds for good causes. There are some limited exemptions for things like raffles to raise money for charities and workplace sweepstakes, but these won’t apply to house sale raffles (even if you give part of the profits to charity). Whilst the law in this area is complex and advice should always be taken, there are two ways to differentiate your scheme from an illegal lottery: first, by requiring entrants to use skill, judgment or knowledge so that the winner isn’t chosen by chance, or second, by giving entrants the option of participating for free.

Questions will only satisfy this “skill test” if they require sufficient skill, judgment or knowledge to prevent a significant proportion of entrants answering correctly (or entering at all). Of course, those who get the answer wrong must not be entered into the draw. If there’s any doubt whether the questions are sufficiently challenging, you would be wise to offer an alternative free entry route too – even though this seems counter-intuitive when you’re trying to raise money.

The free entry route can be ordinary (first or second class) post (but not special delivery), or telephone at ordinary rates (but not using a premium number), or any other method which doesn’t involve any additional expense reflecting the chance to enter the raffle and is as convenient to the entrant as the paid route. The free route can’t be “hidden away”, and of course free entries must have the same chance of winning. The Gambling Commission offers useful guidance, on both the skill test and free entry routes, on its website[iii] as well as a recent update on house sales[iv].

For more information regarding raffles and skill competitions please see our article “Healthy competition: your legal how-to guide for the sporting Summer” and do take legal advice if you are considering running a raffle, whether to fund-raise for charity or to sell your house. If you fail to negotiate the legal pitfalls correctly, you may have to close the scheme and refund all the ticket sales – and could be fined (or even imprisoned) for committing a criminal offence.

Commercial Agents: Diamonds are not forever

So said Popplewell J in the opening line of his judgment in the recent case of W Nagel (a firm) and Pluczenik Diamond Company NV[1].  The judgment is an important one for companies involved in the sale and purchase of commodities, in that it appears to be the first case to consider the scope of the exemption under the Commercial Agents (Council Directive) Regulations 1993 (Regulations) for commercial agents who operate on commodity exchanges.  However, some aspects of the judgment are of broader application to agency relationships, and will be of interest to all businesses that appoint or operate as agents in the UK.   

Background

The case involved a claim by Willie Nagel (WN), a diamond broker, against his client, Pluczenik Diamond Company (one of the world’s leading diamantaires), for termination of an agency relationship involving the purchase by Pluczenik of rough diamonds from De Beers.

WN was appointed by Pluczenik as its broker in the 1960s, and continued to act as Pluczenik’s agent in relation to the purchase of rough diamonds at De Beers ‘sights’ (one of the main channels by which De Beers sold rough diamonds into the wholesale market) in the UK up until 2013.  In 2013 De Beers moved its global sight from London to Botswana, prompting Pluczenik to terminate its relationship with WN.

WN claimed that he was a ‘commercial agent’ under the Regulations, and therefore entitled, under Regulation 17, to compensation on termination of the agency relationship.  Pluczenik disputed the claim on the grounds that the Regulations did not apply. 

Did the Regulations apply?

Regulation 2(1) defines a commercial agent as “a self-employed intermediary who has continuing authority to negotiate the sale or purchase of goods on behalf of another person (the "principal"), or to negotiate and conclude the sale or purchase of goods on behalf of and in the name of that principal …."

Pluczenik claimed that the Regulations did not apply on two grounds: first, it argued that WN did not have authority to negotiate on its behalf and did not, therefore, satisfy the requirements of Regulation 2(1), and second, it relied on an exemption in Regulation 2(2)(b) which provides that the Regulations do not apply to “commercial agents when they operate on commodity exchanges or in the commodity market”.

Authority to negotiate

On the first of these two grounds, the Court found that, because the purpose of the Regulations is to give agents a share of the goodwill they generate in a principal’s business, the key question in determining whether a person is a commercial agent under the Regulations is whether the scope of his retainer includes the development of goodwill in the principal’s business.  This is a more relevant consideration than whether an agent actually participates in discussions on price or commercial terms.

In the Court’s view, WN had developed strong relationships with senior executives at De Beers, and had used these relationships to promote Pluczenik’s interests, fostering a relationship of trust and confidence between Pluczenik and De Beers, which contributed to the success of Pluczenik’s business.  WN therefore had authority to negotiate within the meaning of Regulation 2(1).

Interestingly, and somewhat surprisingly, the Court also considered that administrative functions such as invoicing, payment, packaging and transport helped maintain Pluczenik’s goodwill with De Beers, and that this was also relevant to the decision that WN was a commercial agent within the meaning of Regulation 2(1).  This potentially has implications for businesses that appoint third parties to provide logistics and shipping services.

Commodities exemption

In determining whether there is a sale on a commodity exchange or commodity market (so that Regulation 2(2)(b) applies), the Court’s view was that the focus should be on the manner and place of sale as well as the nature of the goods sold. 

In the Court’s view, the concept of a commodity sale generally (though not always) focusses on generic goods in bulk, which are indistinguishable in origin or features from other goods of the same type, and that “where generic goods are bought by description, that is a pointer towards their being bought as commodities, but the opportunity to inspect [the goods before purchase] is not fatal to their being so”.

The Court held that sales of diamonds in boxes at the De Beers sights were sales on the commodity market on the grounds that: (i) it was a wholesale market in a single class of unprocessed minerals, (ii) the boxes were sold by category and description and at a fixed price, and contained a standardised selection of stones by category, (iii) the boxes were largely traded unopened and sight unseen, and (iv) the proportion of the world’s rough diamonds sold at De Beers sights, while varying over time, was always very substantial.

On that basis, WN was not protected by the Regulations.

The Court specifically rejected the argument by Pluczenik that, in order to be a commodity, the goods in question had to be the subject of futures and options trading.

Secondary Activities

The Court also considered, briefly, the application of Regulation 2(3), which excludes from the Regulations agents whose activities are ‘secondary’.  This part of the judgment, although brief, is noteworthy in that it is one of the few cases in which an English Court has considered this exclusion.

The Court concluded that, if an activity which the agent is engaged to perform falls within the Regulations, but is secondary to another activity which the agent is engaged to perform which falls outside the Regulations, then the agent should not be regarded as a commercial agent. 

This is a useful, albeit brief, judicial clarification of what is an unclear and convoluted part of the Regulations.

How much notice of termination must be given?

Although the Court did not need to consider the issue (as it concluded that Pluczenik had no grounds to terminate the agency relationship), it nevertheless gave its views on the key factors to be taken into account in determining what constitutes ‘reasonable notice of termination’ of an agency agreement where the Regulations do not apply[2] and no notice period is specified in the agency agreement. 

These factors include: (i) custom and practice in the relevant market, (ii) the length (and formality) of the relationship, (iii) the agent’s ability to make adjustments for loss of the agency, (iv) the notice period required had the Regulations applied, and (v) the nature of the agent’s obligations. 

Weighing up each of these factors in the present case, the Court concluded that a minimum of 3 months’ notice (or two ‘sights’ if longer) was reasonable in the circumstances.

Compensation

Finally, the Court considered how an agent’s compensation for wrongful termination of an agency relationship should be calculated where the Regulations do not apply.  The Court concluded that damages are to be calculated in the same manner as a claim for compensation under Regulation 17[3] (even if the Regulations do not apply) with the important exception that any costs saved by the agent as a result of the termination of the agency should be taken into account when assessing a claim for damages under common law.

Conclusion

As noted above, although this case is of particular relevance to businesses operating on commodity exchanges and in the commodities market, it is of broader application to other businesses which use or operate as agencies.

Businesses operating on commodity exchanges and in the commodities market should review their existing agreements with brokers and agents to assess whether the Regulations are likely to apply. Where they are likely to apply, businesses should consider taking steps to minimise their financial exposure on termination of these arrangements, including consideration as to whether it is better to agree with their agents that, where the Regulations apply, any payments on termination will be calculated on an ‘indemnity’ basis (where payments are capped at 1 year), rather than on a ‘compensation’ basis (where no cap applies). Companies should bear in mind that, where an agreement is silent on which of the two alternatives applies, the uncapped compensation alternative applies by default.

In light of the Court’s view that purely administrative functions such as invoicing, packaging and transport can contribute to the goodwill between a principal and his customers, businesses who outsource any of these functions to third parties should likewise review their agreements with those third parties to assess the likelihood of the Regulations applying (particularly where the third party also contributes to goodwill in other ways) and the need to take steps (as outlined in the preceding paragraph) to minimise their financial exposure on termination.

Where an agent’s activities include activities that fall within the Regulations, and those activities are secondary in nature to other activities which are not caught by the Regulations, agents and principals should consider whether it is in their interests to include both sets of activity in the same agreement.  (The judgment in this case would appear to suggest that it is in a principal’s interest to cover both activities in the same agreement.)

The decision is also a reminder of the importance of ensuring that the key terms of an agency relationship, particularly one that is not governed by the Regulations, are agreed between the parties and properly documented.  These include termination notice periods, the grounds upon which the agreement can be terminated, and the basis of calculation of commission payments, including the extent to which an agent is entitled to commission on sales or purchases that are concluded after termination of the relationship where the agent has played a role, pre-termination, in those sales or purchases.

For further information on this article or agency or distribution agreements generally, please contact Paul O’Hare.


[2] Where the Regulations apply, an agent is entitled to one month’s notice per year of the agency agreement, up to a maximum of three months.

[3] According to the House of Lords decision in Lonsdale v Howard & Hallam Ltd [2007] 1 WLR 2055, compensation under Regulation 17 should be calculated by reference to what a hypothetical purchaser would pay for the agent’s business (assuming the agency had continued and not been terminated).

Nesta announces Open Up Challenge participants as CMA deadlines edge closer

Nesta, the innovation foundation, has announced the twenty organisations selected to participate in the Open Up Challenge.  The total prize pot is worth £5m and shall be shared amongst those participants offering the best solutions to SMEs seeking access to financial services and products, by harnessing the power of open banking APIs.

Participants are given exclusive access to the Open Up Data Sandbox containing anonymised transaction data relating to SMEs’ bank accounts. This allows the participants to develop their platforms in anticipation of the government and CMA-backed scheme to standardise open banking APIs through which intermediaries will be able to access live SME transaction data in order to provide tailored services, such as credit scoring, financial intelligence and recommended lending products.

The Challenge is divided into two stages, the first of which culminates in the selection of up to 10 of the 20 participating teams, who will share in a £1m prize pot, to be chosen in December 2017.  The second stage continues through 2018, with prizes awarded in April and in September, with a further £2.5m available.

How does this timeline fit in with the open banking rules published by the CMA this year, requiring major banks in Great Britain and Northern Ireland to collect and make available a series of open and closed datasets?

CMA’s retail banking market investigation

In February 2017, the CMA instructed major retail banks in Great Britain and Northern Ireland to make available reference information relating to certain standardised business and consumer products, and customer transaction data.

This followed a market investigation carried out between 2014 and 2016, at the end of which the CMA published its report in November 2016. The terms of reference for the investigation included the consumer market for personal current accounts (including overdrafts) and the SME market for business current accounts, overdrafts, deposit accounts and lending products. The market investigation considered whether any feature, or combination of features, of the relevant markets prevents, restricts or distorts competition and, if so, what action should be taken.

The CMA’s report identified three types of lending products that suffer adverse effects on competition (AECs), as follows: (i) business current accounts; (ii) SME lending; and (iii) personal current accounts.

The Open Up Challenge represents part of the CMA’s response to the first and second of these AECs, that response being to facilitate the Challenge in order to stimulate directly innovations which would counter the lack of competition in business current accounts and SME lending. Such innovations are likely to include services which use the open banking APIs (see points 1 and 3 below) to allow for easier comparison between banking services through data aggregation and analysis – an activity which will be regulated and facilitated under the new PSD2 payment service category of “account information service provider” or “AISP”.

CMA open banking deadlines

The scope of the CMA rules is broader than SME lending, as they also cover consumer banking, but many of the rules are relevant to the Challenge since they are designed to help innovators such as the Challenge participants to reduce or eliminate AECs in relation to key banking services. The main rules (affecting both business and consumer banking services) are set out below, and require banks to:

1. release specified reference and product information, without charge or restriction (and which will be accessible via open banking APIs), no later than 31 March 2017, including:

   (a) reference information, including:

      (i) branch locations and opening times;

      (ii) ATM locations;

   (b) product information relating to personal current accounts, business current accounts and SME lending products, including:

      (i) product prices (including credit interest);

      (ii) fees and charges, including interest rates;

      (iii) features and benefits;

      (iv) the monthly maximum charge;

      (v) terms and conditions;

      (vi) customer eligibility criteria.

2. specify the maximum monthly charge that could accrue on a personal current account from 2 August 2017.

3. publish rates for SME lending products (the APR for unsecured loans up to £25,000 and the EAR for unsecured standard tariff business overdrafts up to £25,000) by 2 August 2017.

4. make transaction data from business current accounts and personal current accounts continuously available from the date PSD2 comes into force, being 13 January 2018.

5. collect feedback from their customers as to whether customers would recommend their banking products to others, no later than 15 January 2018.  Banks must release this data, as “service quality indicators”, from 15 August 2018.

6. automatically, and free of charge, provide transaction data relating to business current accounts and personal current accounts which are closed by the customer (covering the last 5 years of transactions) from 2 February 2018.

7. standardise business current account opening in terms of the information required from applicants (such as identification requirements) from 2 February 2018.

8. enrol personal current account holders into an alerts programme under which consumers are notified that they have exceeded or will exceed a pre-agreed credit limit, from 2 March 2018.

9. offer a tool on the bank’s website enabling SMEs to obtain indicative price quotations and their eligibility for unsecured business loans and/or unsecured standard tariff business overdrafts, each up to £25,000, from 2 February 2018. The same tool should be accessible to a minimum number of third party intermediary service providers by 2 May 2018.

Please note that these obligations apply to certain types of banks and credit products with a number of applicable exceptions.

Businesses seeking to exploit these rules should move quickly to ensure they are best placed to make the most of the opportunities they present. Banks, on the other hand, should already be working behind the scenes to ensure compliance with the deadlines set out above – some of which have already passed, while others will require significant preparation.

Equally, those seeking to take advantage of the open banking APIs to provide “account information services” from 13 January 2018 need to be registered to do so with the FCA – the application process for registration opens on 13 October 2017.

More information

For more information on the launch of the Open Up Challenge and Kemp Little’s role as its legal advisor, please click here.

For more information from Nesta on the Open Up Challenge, please click here and here.

Gambling Advertising: The Gambling Commission's revised enforcement strategy

The spotlight continues to fall on gambling advertising. All operators must comply with licence conditions and codes of practice which require them to make clear any conditions which apply to promotions and to comply with the Advertising Standards Authority’s CAP and BCAP codes of practice. Recent rulings by both the Gambling Commission and the Advertising Standards Agency (ASA) have made clear that compliance is an issue for both gambling operators and their affiliates and marketing agencies.

In May, BGO Entertainment was fined £300,000 for adverts which were found to be potentially misleading as they failed to make clear the conditions surrounding promotions. The fine related not only to adverts on BGO’s own website, but also to adverts which had appeared on its affiliates’ websites. BGO’s failure to take effective action to address these breaches of its licence raised doubts about its suitability to carry out its licensed gambling activities.

In February, the ASA upheld a complaint about a Lottoland radio advert which failed to make clear to players that they were betting on the outcome of lotteries, rather than participating in a lottery. In June the Gambling Commission also fined Lottoland £150,000 for failing to make this distinction clear in its third party marketing, website and social media promotions. The distinction is important because part of the proceeds of a lottery must go to good causes.

These advertising rules aren’t new – but the Gambling Commission’s approach to enforcement perhaps is. At its “Raising Standards” conference in November 2016, the Commission stressed that advertising was a focus area, that operators were responsible for their affiliates’ actions, and that the Commission was ready to take action, and it repeated this message at the ICE gambling expo in February.

On 5 July the Gambling Commission published its revised enforcement strategy which confirms the approach we are already seeing in practice. Three key points are:

  • The Commission will use all its enforcement powers – there is no longer a bias towards settlement, so licence reviews are more likely.
  • Consumers must be treated fairly, and advertising is a key part of this.
  • Penalties are likely to be higher, particularly for repeated failures.

The ASA published a short guide to key CAP Code requirements for gambling adverts on 21 July, and guidance on the Gambling Commission requirements is also available on the Commission’s website. It’s not only the Gambling Commission and the ASA who are interested – the Information Commissioner’s Office is concerned to ensure that marketing by operators and their advertisers complies with privacy rules. A key area for concern is whether recipients of marketing material have given the necessary consent - and requirements for consent are going to get tighter when the EU General Data Protection Regulation comes into effect in May 2018.

It is also critical that advertising meets social responsibility obligations. Gambling adverts must not be sent to under 18s (under 16s for lottery adverts), or to anyone who has self-excluded. Targeting an advert may be critical to its compliance. In May, a Ladbrokes advert using an image of Iron Man and referring to the film Iron Man 3 was found not to be irresponsible because, although the Iron Man character was likely to appeal to under-18s, the offer was sent only to people who had been validated as being over 18.

The recent decisions and enforcement strategy make clear that affiliate breaches of advertising or privacy rules may result in an operator being fined and, potentially, even losing its gambling operating licence. Gambling operators, and their affiliates, are expected to learn from the experiences of others. Operators will want to prevent their affiliates putting them in breach, and a right to compensation for loss incurred if they do. Affiliates will similarly want to know that the operator’s marketing material will not cause the affiliate a problem. Both parties will need a mechanism for ensuring that marketing lists are checked against self-exclusion lists and other targeting criteria. 
