Category Archives: Consumer Protection

The impact of the General Data Protection Regulation (GDPR)

The GDPR will come into effect on 25th May 2018 and has been described as the biggest shake-up of data protection law for 20 years. James Wickes, CEO and co-founder of cloud-based visual surveillance company Cloudview, looks at the changes businesses need to make and the consequences of getting it wrong.

Data protection is a fundamental concern to all organisations which hold personal information. Next year new, tighter legislation comes into force which has been described by legal firm Wright Hassall as the biggest shake-up of data protection law for 20 years.

The General Data Protection Regulation (GDPR) becomes law on 25th May 2018. It will be directly applicable in the UK without further implementation, and serious breaches could see organisations facing fines from the Information Commissioner’s Office (ICO) of up to €20 million or 4 per cent of turnover, whichever is higher. These increased fines will apply immediately, so organisations need to ensure that their GDPR compliant policies and processes are in place promptly. Large organisations also need to be aware that the size of the fine is calculated on the turnover of the whole organisation, not the operating division or subsidiary in which the breach occurred.

Personal implications for senior executives

Fines, however, are not the only potential penalty. The new legislation could have a personal impact on any senior executive with legal responsibility for their organisation’s behaviour.

The Culture, Media and Sport Committee’s investigation into cyber security, triggered by the cyber-attack on TalkTalk, was published in June 2016 and makes two recommendations. First, it suggests that a portion of CEO compensation should be linked to effective cyber-security. The report says: “To ensure this issue [cyber-security] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber-security, in a way to be decided by the Board”.

It goes on to say: “We concur with the ICO [Information Commissioner’s Office] that whilst the implementation of the GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.” So executives could face jail as well as fines for breaching the new regulations.

The need for consent

To understand the implications of the GDPR, we commissioned a briefing note from independent solicitors Wright Hassall. They identified two key issues:

  1. Organisations whose core activity is processing special categories of data or the systematic monitoring of individuals on a large scale will have to appoint a Data Protection Officer to monitor compliance with the rules.
  2. Organisations will have to demonstrate that an individual’s consent to the processing of their personal data is ‘freely given, specific, informed and unambiguous’. In most cases implied consent will not be sufficient. In my area, CCTV, it is as yet unclear to what extent organisations will need to seek explicit consent from individuals to record them via a CCTV system, as we are already required to make the presence of cameras very clear.

To prepare for the GDPR, the first step organisations should take is to carry out a Privacy Impact Assessment (PIA) to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. They need to consider whether there is a legitimate reason to collect specific information, whether it is stored securely, with safeguards to prohibit interception and unauthorised access, and whether data is deleted when it no longer serves a purpose. This latter issue has recently been raised as a concern by the surveillance camera commissioner, who points out that the Metropolitan Police are failing to delete number-plate records after two years, but have retained the data since the London Olympics in 2012.

Organisations also need to have a documented information retention policy which is understood by those handling data collection, and ensure that staff know how to respond to requests from individuals for access to their personal data. For more information, the ICO has produced a useful guide.

Personal data is not just text

What many organisations often fail to understand is that personal data covers every type of information, from written text to video and audio. This is increasingly important with the growth of the Internet of Things (IoT). All the data we upload onto our phones, from how many steps we take to changes in our heating systems, could be included if it allows individuals to be identified. IT departments are often responsible for all these devices and all this data.

Yet one area falls outside the remit of ‘traditional’ IT: CCTV, which many organisations use to monitor communal areas, manufacturing sites and warehouses. If video footage enables individuals (clients, employees, or passing members of the public) to be identified, the GDPR is applicable. CCTV surveillance systems should not normally be used to record conversations between members of the public or staff as part of a working environment – this is highly intrusive and unlikely to be justified.

CCTV footage differs from other types of data in that systems are binary in their ability to be secure or accessible. Because IT systems have moved into data centres, or better still, to the cloud, it is relatively straightforward for IT departments to ensure that data protection regulations are met, for example by ensuring that only authorised individuals can access certain information. However, access to current DVR-based CCTV systems has to be physically constrained by using locks or passcodes, as anyone with access to the equipment can access the data. Remote access has to be managed through a VPN (Virtual Private Network), which is expensive to set up, inflexible and not always secure. Processes also need to be enforced rigorously to ensure data protection standards are met. CCTV is typically seen as peripheral to a business – but the legislation still applies, as do the fines.

One solution to this CCTV GDPR compliance problem is to hold CCTV information securely in the cloud, with access limited to authorised personnel. There is no longer a physical DVR; data is sent directly and securely from the cameras to the cloud. Such systems should be configured to record CCTV data only when needed and should automatically delete it when it is no longer required. Cloud-based CCTV systems should also have all the required security and encryption necessary to protect data and verifiable audit logs to prove that data was handled, transmitted, viewed and deleted appropriately. Not all providers offer this level of end to end service, so organisations still have to take responsibility for ensuring that their cloud provider is compliant with the appropriate regulations. They should also bear in mind that many cloud providers have clauses which allow them to share data with third parties – clearly inappropriate for personal data.

Ignorance is no excuse for breaking the law, and this includes data protection legislation. The new legislation comes into force in just over a year’s time, so organisations need to begin preparing now.

More information is available in the briefing note ‘Is your use of CCTV compliant with data protection legislation’ from Wright Hassall, available on the Cloudview website.

GDPR and the effect on data breaches

The Information Commissioner’s office have now confirmed that the UK will have to enact the General Data Protection Regulation (GDPR) by May 2018 given this implementation date will occur before the expiry of the two year period from the giving of the UK’s Article 50 notice to leave the EU.

The introduction of the GDPR is the biggest overhaul of data protection legislation in 18 years, 18 years which have seen a major boom in data and advancements in technology which the previous legislation has failed to keep pace with. Furthermore, the introduction of the GDPR will impact, to some degree, every single business and organisation in the UK.

Under the current legislation only public bodies, via a voluntary arrangement, have a positive obligation to report data breaches to the Information Commissioner. As such when a data breach occurs many private sector organisations simply batten down the hatches and hope no-one traces a data breach back to them, and in most cases they will get away with this.

However, the GDPR introduces a new positive notification requirement where certain types of breaches (i.e. those likely to result in a risk to the rights and freedoms of individuals) have to be reported to the Information Commissioner within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the rights and freedoms of individuals (e.g. the data lost could result in identity theft), then the individuals whose data has been breached, who could be customers or employees, also have to be notified without undue delay.

The thought of having to write, on a firm’s headed paper, to individuals telling them your firm has lost their data constitutes a significant reputational risk, especially in today’s era of social media where that letter could be photographed, published online and shared thousands of times. This, combined with the threat of fines for not reporting breaches of up to €10m or 2% of global turnover, should firmly put data protection compliance and the introduction of the GDPR on the boardroom agenda of every organisation in the UK.

Rather than waiting until May 2018 and then trying to get everyone in an organisation up to speed on the new legislation, every business should be taking steps now so that when May 2018 arrives they are already up to speed. This significantly reduces the risk of having to report data breaches to the Information Commissioner, and possibly to customers, employees and other third parties, from May 2018 onwards.

Whilst a lot of the press attention has been on high profile data breaches caused by hackers and cyber-attacks, the one area that often gets overlooked, and is traditionally the weakest link in any data protection system, is the human element.

The vast majority of data breaches occur due to human error. This is someone such as an employee or sub-contractor doing something they shouldn’t be doing or simply making a mistake, such as sending a fax or e-mail to the wrong recipient, losing a memory stick, or failing to encrypt or destroy data properly.

Any business can have a superb written data protection policy, however that policy is not worth the paper it is written on unless employees are trained so they understand the reason there is a policy in the first place, the personal consequences on them from an employment/disciplinary perspective in not complying with that policy, the wider financial and reputational damage consequences to the organisation itself and how practically that policy impacts on them as they go about their day-to-day tasks.

Without rolling out a comprehensive system of staff training (both initially and on an on-going basis), businesses will continue to put themselves at risk, both from a financial and reputational point of view, as employees go about their daily tasks oblivious to how their actions can have serious consequences down the line.

Brexit and UK Consumer Law


The seismic shift in British politics signalled by the referendum decision on 23 June 2016 is likely to have far-reaching legislative consequences in the UK. In the event that the new Conservative government negotiates a ‘clean break’ from the EU (i.e. an arrangement not involving membership of the EEA), the UK will be faced with the prospect of regulatory reform on an unprecedented scale. At present, most areas of domestic law are influenced to some extent by EU legislation and some areas are wholly determined by it. In the areas currently most influenced by EU law, a ‘clean break’ scenario would raise many questions. Should the law be kept as it is? If not, what will take its place?

This article will consider the implications of a ‘clean break’ scenario on UK consumer law. By its very nature, consumer law affects more people more of the time than any other area of civil law. Beyond this, a consideration of UK consumer law is particularly relevant in the context of post-Brexit planning for two reasons. First, it is an area that is currently highly influenced by EU law and therefore serves as a good practical example of the sorts of challenges to be faced by lawmakers. Second, its broad scope, high public visibility, and control over a multitude of day-to-day transactions mean that swift legislative review will be necessary, as well as politically expedient for the government, following any ‘clean break.’

Although a temporary Act of Parliament incorporating all current EU regulation into domestic law could provide short-term stability while the process of reviewing the law is undertaken, decisions will eventually have to be made in many areas. A few of these areas are considered below.

Consumer Rights and Sale of Goods

The traditional approach to Sale of Goods Law in British jurisdictions did not automatically confer particular rights on consumers as a class. However, as a result of the Consumer Rights Directive, the current position is that UK Sale of Goods legislation is starkly divided between consumers and non-consumers.  Consumers are given enhanced rights and afforded greater protection by the courts than commercial parties.

As practitioners in the area will know, dividing parties between consumers and non-consumers is often easier said than done. There will always be situations that fall somewhere between the two camps and categorisation can be difficult. In the worst instances, a degree of uncertainty is introduced into otherwise straightforward transactions. Rationalising this area should, therefore, be a priority.

The heart of the distinction is also ideological: how should freedom of contract be reconciled with social paternalism? The authors do not advocate a particular approach, but in a ‘clean break’ scenario the UK will be afforded the first opportunity in many years to determine the right answer to that question. It is an opportunity that should be seized.

Food Law

The law relating to food (and in particular hygiene, safety, and the provision of information) is almost totally governed by EU law. The EU approach is dramatically different from that traditionally taken in the UK. In broad terms, this has led to a higher level of complexity and prescription than was previously the case.

Has the EU approach been beneficial? Without empirical evidence, it is difficult to analyse the efficacy of the approach. On the other hand, complex and prescriptive regulation is necessarily burdensome for traders. Consequently, it is suggested that a study should be undertaken to determine the efficacy of current food safety and hygiene law compared with that in other lighter regulation jurisdictions. An informed decision can then be taken as to whether the current level of regulation justifies the burden it places on traders.

A particular example of an area of food law that could benefit from urgent review – and one which would have a pronounced effect – relates to durability. At present, EU law dictates the terms of durability markings placed on food, such as use-by dates. It is notorious how much perfectly edible food is routinely thrown away because of this. Furthermore, EU law prevents retailers from giving such food away if the date has passed – regardless of the actual state of the food. Consumers, and in particular those who can ill-afford to do so, dispose of wholesome food on a huge scale even though many foods are safe well beyond their use-by dates. This is something which should be addressed.

Consumer Credit

The EU approach to consumer credit has undoubtedly complicated an area of law that should be consumer friendly.  The Consumer Credit Directive excludes transactions over a certain sum of money and excludes credit secured on residential land (the latter now being dealt with by the Mortgage Credit Directive).  EU law says little about consumer hire agreements and does not recognise hire-purchase. The result is consumer credit legislation where different regimes apply to the general bewilderment of many practitioners – let alone consumers.

To take an example, a consumer credit agreement or consumer hire agreement can fall within: (i) a regulatory regime dating from 1983 (and, if a bill of sale is involved, also from a regime introduced the century before last), (ii) the 2010 set of regulations where the Consumer Credit Directive applies, or (iii) the 2015 legislation intended to comply with the Mortgage Credit Directive.

There is no need for such complexity. Following a ‘clean break’, the current system should be abandoned and replaced with a single new Act.

Unfair Commercial Practices

The Unfair Commercial Practices Directive was incorporated into domestic law by the Consumer Protection from Unfair Trading Regulations 2008.  The legislation has proven difficult to implement. Indeed, following the introduction of the 2008 Regulations, Trading Standards enforcement virtually came to a halt for a number of years due to the inability to tackle unfamiliar concepts and vague language.

Although much improvement has been made since, the Regulations and the Directive remain problematic for practitioners and enforcers. What is a ‘commercial practice’? Can it relate to an isolated incident or must it involve a pattern of behaviour? These questions – and the chain of litigation that resulted from them – were made necessary by the vague language introduced into UK law by the Directive.

Previously, the Trade Descriptions Act 1968 had provided a workable piece of legislation dealing with similar issues. Having been in force for some 40 years, a substantial body of case law had developed around the Act providing certainty to consumers and traders – as well as a rich source of jurisprudence to the courts – which no longer exists. In a ‘clean break’ scenario, legislators would be well served to contrast the language of the 1968 Act with that employed in the 2008 Regulations.

Weights and Measures

One topic that has consistently proven emotive with the public is the choice of unit. Indeed, it has already been reported that some butchers are now offering their customers the opportunity to buy in pounds and ounces. Although perhaps not as pressing a concern as some others considered above, legislating in favour of imperial units of measurement over metric would present the government with an easy opportunity to win support from Brexiteers currently sceptical about the government’s commitment to the implementation of the referendum mandate.

From a regulatory point of view, there would be little difficulty in permitting domestic traders (particularly those selling meat, fruit, and vegetables) to choose between imperial and metric units. Exports to the EU would, of course, continue to be marked in metric units in compliance with EU legislation.


The above are only a few examples of areas that will require consideration. There are many others which will fall to be considered in the event of a ‘clean break.’ Such an exercise in legislative reform is unprecedented in UK history and is naturally daunting to many as a result. However, it also presents an unprecedented opportunity to reform the law for the better.

Forced Conversion of Consumer Loans in Croatia – Care About Consumers or Just a New Issue?

In expectation of parliamentary elections, the Croatian financial market and its participants experienced a dynamic end to 2015 with the latest amendments to the Consumer Lending Act and the Credit Institutions Act. The amendments introduced a legal framework for forced conversion of loans denominated in CHF (“CHF Loans”) and loans denominated in HRK and indexed to CHF (“HRK/CHF Loans”).

The amendment was welcomed by the majority of the population, who saw it as an opportunity to decrease their over-indebtedness, whereas it came under scrutiny from the expert public. As expected, the latter saw the amendments as an increased risk factor for banking operations in Croatia rather than as a fair and equitable solution for overcoming consumer indebtedness.

Being aware of the practical importance and great complexity of the issue for banking operations in Croatia, the authors will address it in a limited manner – giving an overview of how the amendment was structured and how it impacts certain constitutional principles. With this in mind, the authors will start by taking a closer look at the measure introduced by the amendments and briefly mentioning certain structural issues. The authors will then briefly present certain procedural solutions that have been considered so far.

  1. Background

Swiss franc denominated or indexed loans (the “Swiss Loans”) were very attractive in Central and Eastern Europe, including Croatia, during the credit boom in the 2000s, as they offered lower rates than those in national or euro currencies. It is estimated that there are 55,000 holders of loans denominated in CHF, worth roughly HRK 25 billion. A majority of those loans were granted in the 2000s and were primarily used for mortgages or buying commercial property. Accordingly, it is estimated that 38% of mortgages in Croatia were denominated or indexed in CHF. When the Swiss National Bank lifted its cap on the value of the Swiss franc, allowing the currency to surge, many borrowers were caught out and forced to fork out more Croatian Kuna to cover payments. After the Swiss National Bank announced on 23 January 2015 that it would no longer hold the Swiss franc at a fixed exchange rate against the Euro (a decision from 2011), the Swiss franc appreciated dramatically, making the Swiss Loans far more expensive to service, especially for consumers in countries such as Croatia who rely on income in Croatian Kuna.

Although some legislative measures were introduced in Croatia from 2013 onwards[1], the latest amendment enjoyed the greatest public attention. In September 2015, Croatia adopted an additional amendment, No. 102/2015, which entered into force on 30 September 2015 (the “Amendment”). Based on the Amendment, the lenders were obligated to convert the CHF Loans to EUR denominated loans and the HRK/CHF Loans to EUR indexed HRK loans according to the exchange rates applicable on the disbursement date or the date of entry into the loan agreement, as the case may be. The idea of the Amendment was to put borrowers of the CHF Loans and HRK/CHF Loans in the same position that they would have been in had their loans, from the start, been denominated in EUR or EUR indexed.

Reflecting this basic purpose, the Amendment obliged banks to convert CHF Loans to EUR denominated loans and the HRK/CHF Loans to EUR indexed HRK loans, and to provide the respective consumer with the new repayment schedule within 45 days of the Amendment entering into force. The consumers had 30 days to notify the lenders whether they opted to accept the loan conversion calculation by way of accepting the annex to the loan agreement; otherwise the loans continued to subsist.

The cost of the exchange rate fluctuations was expected to be absorbed by the banks whereas the financial loss that banks might incur from such conversion shall be tax deductible. The Amendment has a retroactive effect having an impact on the loans entered into prior to the entry in the force of the Amendment.

The Amendment certainly had both legal and financial adverse impacts. As for the former, the measure invasively intruded into contractual relationships, leaving behind certain consistency gaps. For instance, the Amendment applies to all types of Swiss Loans, regardless of their purpose, i.e. to loans granted for acquisition of second homes, property for investment purposes or even luxury goods. On the other hand, no relief is offered to consumers who repaid their loans before this Amendment was introduced or who are subject to enforcement proceedings conducted against them.

As for the financial side, the Croatian National Bank estimated the measure will incur costs of HRK 8.5 billion ($1.26 bln) on Croatian banks, which is equivalent to their combined profits over three years.

The European Central Bank (the “ECB”) anticipated that the conversion of the loans as envisaged by the Amendment may result in a decline in the international reserves of the Republic of Croatia, which may in turn have undesired consequences on the country’s macroeconomic stability. Moreover, a lower level of international reserves as a result of the conversion might impair the functional independence of Croatian National Bank, in particular the central bank’s ability to set its policy instruments with the aim of achieving its objectives. According to the ECB, the Amendment might also have some negative effects if it were to lead to a deterioration of foreign investor sentiment due to a perceived increase in legal uncertainty and country risk.

  2. Remedies

Given the nature of the issue – serious constitutional concerns and widespread effects of the challenged legislation – there was a possibility of the Amendment being challenged before the Croatian Constitutional Court by invoking a breach of certain rights and principles guaranteed under the Constitution of the Republic of Croatia (the “Constitution”), such as, for example, the principle of legal certainty and the prohibition of retroactive effect, and breach of free enterprise and market and property ownership. Moreover, the applicants were entitled to request suspension of the Amendment due to possible irreversible losses that might occur for the bank concerned and the Croatian banking system as a whole in the period before the final decision on the constitutionality of the Amendment is brought.

Given the specific conversion mechanism envisaged by the Amendment and the fact that no individual act of competent bodies will be required to perform conversions, banks could hardly benefit from the remedies that are usually available to the applicants when the act is repealed i.e. possibility to repeal the individual acts that are based on the repealed general act. In other words, the main goal of the constitutionality review procedure in the matter at hand was to suspend the Amendment i.e. to suspend the forced conversion to be performed under the Amendment, and ultimately, to repeal the Amendment.

To this date, several Croatian banks have submitted requests to the Constitutional Court to assess the constitutionality of the Amendment. The Constitutional Court had not suspended the Amendment before it entered into force (30 September 2015). Therefore, some of the banks found ways to mitigate the risks of uncertainty of the subsequent effects of the repealing decision on the conversions carried out in the period between the date on which the Amendment entered into force and the date as of which the Amendment will be repealed, by inserting certain limitation language in the amendments to the loan agreements.

  3. Conclusion

Unequivocally, the Amendment appears to be of significant practical importance for banking business, and introduced several issues that are yet to be resolved by the Constitutional Court. It admittedly has its pitfalls, standing at the edge, or even over the edge, of constitutional boundaries. Apart from the potential unconstitutionality of the Amendment, and potential adverse financial effects it might have for the bank system and the state budget, the Amendment seems to endanger one of the basic principles of every modern and civilized legal system – the principle of legal certainty.

From the consumer perspective, looking at the bigger picture, it may be noted that the loss which banks might incur due to the conversion shall be tax deductible. That being said, it might be expected that the measure will leave the state budget without the inflow it would normally have received had there been no amendment in place. Therefore, a measure that may appear to be a benefit for some consumers may in the long run adversely affect a larger number of other consumers (those who were not indebted in CHF), which brings the care for consumers into question.

It yet remains to be seen whether the Amendment has been introduced having in mind only the short-sighted goals, or not.

[1] Even before the Swiss National Bank unpegged the Swiss franc, Croatia started to deal with the consumer loans. Consequently, in November 2013 it introduced an amendment (No. 143/2013) to the Consumer Lending Act fixing the maximum interest rate for CHF denominated loans. Furthermore, upon the announcement of the Swiss National Bank in January 2015, Croatia introduced another amendment (No. 9/2015) to the Consumer Lending Act which fixed the CHF/HRK exchange rate in loans with a currency clause for a period of 12 months, despite the fact that the Croatian courts[1] assessed the currency clauses in loan contracts as valid. The rate was fixed considerably below the market exchange rate, with the lenders bearing the difference between the market exchange rate and the fixed rate.

Will the Panama Papers finally teach law firms about cybersecurity?

It was recently revealed that the data leak from Panamanian law firm Mossack Fonseca was caused by an outsider who was able to capitalise on vulnerabilities in old-fashioned technology. This is not unique or a surprise, but actually a common occurrence. Law firms around the world are constantly under attack from hackers, undoubtedly because they not only deal with a huge amount of monetary transfers each day, but also due to the wealth of confidential information contained within their servers.

All law firms, and indeed all businesses, can be hacked in a number of different ways, from stealing an office mobile phone to piecing together a shredded document. However, there are two main ways in which a firm is most likely to be breached: through software vulnerabilities or social engineering of its staff.

Susceptible software

Every day, security researchers and hackers find numerous ways to bypass security defences in a piece of software. The vendor of that software will then fix the weakness with an update, and the cycle continues. The issue lies in the window between the vulnerability being identified and ultimately being fixed by the IT team. This could be a matter of minutes, but could be days, weeks, or even years in some cases, depending on the team’s software update schedule and the level of additional security systems in place.

This is an important task, as every single device connected to a network is at risk if the weakness is not corrected in time, ranging from a server or printer, right the way through to a door entry system. It is important to consider how patient a hacker can be as it can take days, months, or even a year for a hole to appear in a network, so it is a waiting game on their part, but one they will willingly play.

Socially engineering staff

Utilising a firm’s employees is undoubtedly the most simple and effective method for breaching a firm’s network. Hackers can exploit staff within a firm to divulge information, either allowing them to directly access systems or build up a picture of the environment, which is pieced together to allow them to breach defences.

This can be as simple as calling an individual within a firm and stating that you are new within the IT department and need to run some tests on their machine. The oblivious employee will then go onto a fake website and run a piece of software as requested, which will then give the hacker on the phone access to the firm’s network. Once a hacker has got into a network, it is simple for them to escalate system privileges and gain access to whatever they wish.

To get on the right track here, firms must train their employees well and keep them informed of any security threats that are current and could be on the horizon. By demonstrating to employees in a seminar-based format just how easy it can be to succumb to a hack, firms can help to dramatically increase their defences. Offering real world examples alongside regular updates of the latest guises of cyber attacks will help to reinforce this training.

Starting with cybersecurity

The issue facing firms for many years is that hackers can easily learn and develop these skills online – by joining a user group, watching videos or downloading more or less ready to go software applications.

Due to the number of financial transactions that occur within law firms on a daily basis, they are a prime target for hackers and if not protected by a concrete cybersecurity strategy, can be an easy source of money. Firms concerned about their own computer failures following the hack at Mossack Fonseca might not know how to implement a cybersecurity defence, or how to initiate improvements to their existing offering.

The truth is that technology is actually the last piece of the puzzle when it comes to cybersecurity – the real work comes in undertaking risk assessments and understanding what the risks to a firm are. A firm will be truly vulnerable to hackers if these two basic exercises have not been completed.

The issue is that over time, the security landscape changes, and so do the risks. The risks have developed and moved on, but many firms are still relying on the basics to protect their firm. In order to implement an effective data leak protection policy, firms should implement controls such as portable encryption, endpoint protection, email content control, data leak prevention and intelligent firewalls as a minimum.

The ISO 27001 standard is a worldwide standard for managing IT security within a business, and is a fantastic starting point for a law firm looking to implement a cybersecurity strategy. In the main, it boils down to a firm identifying its risk, assigning controls to these risks and then continuously reviewing and improving this process. This approach will give the senior leadership team and staff throughout the firm the confidence that the business has been truly analysed and appropriate controls assigned to potential chinks in its armour.

It is likely that the security systems that are needed to protect the majority of firms from the majority of hacks are already in place. If a firm is already running an Information Security Management (ISM) system by continually monitoring, documenting, reviewing and improving its security processes, then it is certainly on the way to being truly protected. At this point, a firm should look to have its security tested by an expert, to ensure there are no weak points in its structure.

Regardless of how or when a cybersecurity strategy has been implemented, it is imperative that the senior management within a law firm takes responsibility for its security. An IT department, whether outsourced or within a firm itself, should not have the responsibility placed solely on its head if a firm does have a data leak. It is a firm’s responsibility, particularly the board’s, to understand the risks, and prepare for the constant attempts by hackers to find a way into its network. Only then can a firm and its staff feel confident that they are cyber secure.

Take Two Pills and Call Your Lawyer in The Morning: Consumers Allege They Were Misled by The Makers of COLD-FX

The makers of COLD-FX might be feeling a little under the weather after appearing in the BC Superior Court to further respond to allegations that untrue representations and omissions induced consumers to purchase the drug product that was ineffective at providing “immediate relief” and therefore “worthless” if taken in accordance with the representations. The case is the latest class action involving misleading advertising allegations to make Canadian headlines.

The claim against Valeant Pharmaceuticals, and its subsidiary, Afexa Life Sciences, was started in 2012 by a Vancouver Island resident Don Harrison over advertising saying that COLD-FX provided “immediate relief of cold and flu” if taken over a three-day period at the first sign of cold or flu symptoms.  A study showed that the product provides no such short term relief.  Rather, patients experienced a therapeutic effect only after taking the product daily for at least two months, and six months in the case of seniors.  Harrison alleges that the companies continued to “knowingly or recklessly” promote COLD-FX as a short term remedy despite evidence to the contrary. A similar action has been commenced in Saskatchewan.

COLD-FX is a top-selling natural health product in Canada, with sales topping nearly $120-million as recently as 2011, according to a November 15, 2015 Globe and Mail article, “Why COLD-FX is too good to be true”. As part of one COLD-FX natural health product license, Health Canada has approved a number of claims for COLD-FX, including that the product:

Helps reduce the frequency, severity and duration of cold and flu symptoms by boosting the immune system. …Provides further reduction of cold and flu symptoms when taken with a flu shot… Clinically proven to reduce the frequency, severity and duration of cold and flu symptoms in individuals over 65 by boosting the immune system. … helps reduce overall symptoms of sore throat, runny nose, sneezing, nasal congestion, malaise, fever, headache, hoarseness, ear-aches and cough.

The plaintiff in the BC action is seeking class certification so that anyone who bought COLD-FX for the short-term relief of cold and flu symptoms will be able to apply for a refund. The companies have denied the allegations and are contesting the application for class-action certification.

The BC Supreme Court has previously refused to certify a proposed consumer class action concerning misleading advertising.  In Clark v Energy Brands Inc., 2014 BCSC 1891, the plaintiff alleged that Energy Brands Inc. and Coca-Cola Ltd., systemically misrepresented bottled beverages beginning with the trademark VITAMINWATER, and the description that the beverages are “nutrient enhanced water beverage”, and misled consumers to believe the products were healthy beverages with a minimal amount of sugar.  The Court refused to certify a class stating that the plaintiff had not met the requirements of the BC Class Proceedings Act, namely, whether “the claims of the class members raise common issues, whether or not those common issues predominate over issues affecting only individual members”. The Court stated:

However, in my view whether the labelling and marketing of the product has actually misled a consumer is an inherently individualistic and fact-based question.

There is of course, no evidence that all consumers were misled, at all times, in respect of each and every consumer transaction in question. No such evidence would be possible. Yet the relief sought by the plaintiff in the context of the plaintiff’s arguments for potential remedies would practically amount to such a conclusion. Otherwise there would be no utility in the declaration sought.

The COLD-FX class action also follows other recent class actions launched against Boiron Inc. on behalf of consumers who purchased Oscillococcinum or Oscillo, a homeopathic product marketed to treat the flu.  The petitioner for the Quebec class action claimed  that consumers were misled into purchasing a product that was no more effective than a placebo sugar pill, with ingredients that are not medically effective, and diluted to the degree of being not present in the final product.  The class was not certified by the Superior Court of Quebec.  The decision has been appealed and a motion to dismiss the appeal was denied.

The Superior Court denied certification on the basis that the facts alleged by the petitioner did not justify the conclusions sought, and also that the petitioner is not in a position to adequately represent members of the class.  On the first point, the Superior Court found that the petitioner did not demonstrate a prima facie case of false representations.  The Court found that Boiron represents that the product relieves flu symptoms, and not that it prevents, cures or fights the flu, or even that it does so with an active ingredient.  Further, the evidence did not demonstrate the product is nothing more than a placebo.  In fact, the expert opinion filed by the petitioner acknowledged an ability of the product to relieve flu-like symptoms “slightly better” than a placebo. Further, evidence filed with the Natural Health Products Directorate of Health Canada in the process of obtaining a license for the product included a randomized placebo-controlled study. However, the petitioner seemed to suggest that the efficacy of the product should be assessed not solely on statistical evidence, “which seems to satisfy Health Canada”, but a higher standard.  The Court commented:

While the merits of homeopathy and the nature of the evidence required by Health Canada to issue a licence for a homeopathy product may be challenging subjects, the Court has to be concerned with the Petitioner’s allegations and whether she has an “arguable case” to present.

The COLD-FX and Oscillo cases raise the question of how to reconcile allegations of false and misleading representations against the fact that the products were licensed by the Natural Health Products Directorate.   Will a product license serve as a shield to absolve the license holder from liability for false and misleading representations in relation to licensed claims? Will the following comments by the Supreme Court of Canada in another class action case be applied to licensed products?

[C]ompliance with statutory obligations is not always determinative of the issue of civil fault … [C]are must be taken . . .  not to conflate the notion of civil fault and the violation of a statutory norm, whether in a commercial setting or elsewhere … [J]ust because a failure to discharge a statutory obligation leads to a demonstration of fault in all but the most exceptional cases, it does not follow that a civil fault is absolved where there is no such failure.

The claimed misrepresentations in the COLD-FX case relate largely to how quickly COLD-FX takes effect (“immediate relief …”, “at the first sign of symptoms for optimal results”, “stops colds & flu in their tracks”).  The plaintiff claims “at no time has COLD-FX been permitted by Health Canada to make (such) representations.”  Interestingly, several COLD-FX licensed products are branded “COLD-FX First Signs”, with approved recommended use including “Take at first signs of cold to help reduce the frequency of colds and flus.”  These products contain additional ingredients to ginseng (panax quinquefolius).

In the VITAMINWATER case, the defendants also raised arguments concerning the effects of federal legislation and the federal regulatory scheme.  For example, the defendants argued that the regulation of the product as a natural health product specifically precluded listing the quantity of non-medicinal ingredients, such as sugar, on the label of the product.  In response, the plaintiff argued that authorization of the sale of the product as a natural health product did not provide relief from the responsibility to not mislead the public, and cited a letter from Health Canada, that stated “…you are responsible for ensuring that advertising claims on the label do not contravene s. 9 of the FDA.”  That section prohibits the labelling, sale or advertising of drugs in a manner that is “false, misleading or deceptive or is likely to create an erroneous impression regarding its character, value, quantity, composition, merit or safety.”  The plaintiff further argued that the deceptive practices of the defendants start with the name of the product itself, VITAMINWATER, which was not mandated by Health Canada. Although the Court ultimately did not certify the class, it stated the issues arising from the federal licensing regime “could potentially go to the merits of the claim … (but) do not preclude certification.”

The Boiron decision in Quebec also casts doubt on certifying a class where the representative fails to show that he or she has taken steps that illustrate his or her interest to play the role of representative.   In finding the petitioner failed to demonstrate that she was in a position to represent the members of the proposed class adequately, the Court noted:

What seems, prima facie, to be the real trigger of the recourse is the lawyer-induced opportunity to obtain a settlement in Canada, because one was achieved in the U.S. against Boiron U.S.A., based, prima facie, on different circumstances, including the representations by Boiron U.S.A. on the presence of an “active ingredient”.  The sequence of events … suggests to the Court that the Petitioner made no reasonable research on Oscillo Products and that she made no reasonable attempt to find other potential group members.

The COLD-FX and the Oscillo Boiron cases are also interesting to Canadians given that our punishing winters mean these products are likely found on the shelves of many medicine cabinets. Beyond that, the cases are noteworthy given the attempt at class certification to address advertising claims that consumers believe are misleading. For a few years now, we have heard from our US counterparts that the risk of misleading advertising is not just regulator or competitor action, but action by consumers acting as a class. Although class actions have not been prevalent in Canada, this may mark the beginning of a trend, and a significant change to the risk to companies when they make product claims. A quick search of the Canadian Bar Association’s class action database identifies several class actions related to misleading advertising with products ranging from Skechers shoes to Red Bull energy drinks.

State AGs Urge FTC To Strengthen Telemarketing Sales Rule

This week, 38 state Attorneys General (AGs) submitted comments to update the Telemarketing Sales Rule (TSR). In a letter to the Federal Trade Commission (FTC), the AGs called for a number of new requirements as part of the FTC’s rule review. The letter is led by Florida Attorney General Pam Bondi and Pennsylvania Attorney General Kathleen Kane. (Note a letter of 36 state AGs constitutes an official position of the National Attorneys General Association).

State AGs have authority to pursue unfair and deceptive acts and practices under state laws, and additional enforcement power under certain federal laws and regulations. Specifically, AGs have authority to remedy violations of the Telemarketing Sales Rule. The TSR applies limitations on telemarketing activities, including the Do Not Call registry, requires certain disclosures from telemarketers, and provides guidelines for allowable sales calls and payment transactions.

The state AGs offer comments in four categories: 1) prohibitions on the use of preacquired account information; 2) negative option marketing restrictions on consumer-to-vendor calls; 3) telemarketer / seller requirements to maintain call records; and 4) regulation of money transfers.

First, the comment letter notes that for online sellers the use of preacquired account information for marketing is already prohibited under the Restore Online Shoppers’ Confidence Act, in response to online retailers sharing customer billing information with third party sellers. The AGs call on the FTC to adopt a similar prohibition to telemarketing, indeed a total ban on the use of preacquired account information. The letter notes that the three major credit cards currently restrict merchants from sharing consumer account information with third parties.

Second, AGs have long targeted negative option marketing which they deem to be the sale of products or services based on a consumer’s acceptance through his or her silence or ambivalence, failure to cancel the agreement, or lack of rejection of products or services. The AGs argue the TSR should require the following: disclosures made separately from other terms in the product offer; a distinct consumer acceptance of that offer; and a confirmation sent to the consumer. The AGs also seek this regulation to be applied to inbound consumer-to-vendor calls when a consumer is responding to an advertisement or direct mail marketing.

Third, the AGs request a mandatory recordkeeping rule on telemarketers and sellers, including the creation of call records, to aid in their enforcement efforts.

Fourth, the AGs seek a ban on certain payment methods, such as cash-to-cash money transfers, often used in telemarketing fraud — the comment letter even references the ubiquitous “Nigerian scam.” The AGs support TSR amendments to require money transfer companies to perform due diligence into whether a transfer results from a prohibited solicitation.

The state Attorneys General comment letter can be found here.

New Distance Selling Contracts Regulation In Turkey – Chapter I (Scope And Pre-Information)

Regulations required for the implementation of the Turkish Consumer Protection Act, published on November 7, 2013 and effective May 1, 2014 (“New Consumer Protection Act”), are being published one after the other. There is no doubt that the Distance Selling Contract Regulation, which will apply to contracts entered into by parties through the use of distance communication tools without physically meeting, was one of the most anticipated regulations in this respect. The Distance Selling Contract Regulation was published in yesterday’s Turkish Official Gazette Nr. 29188 and will enter into force within three months from that date. It will supersede the currently effective Regulation on Distance Selling Contracts, which entered into force on March 6, 2011 and was published in the Turkish Official Gazette Nr. 27866. The superseded regulation had itself superseded the oldest regulation on the same topic, which was effective from June 13, 2003 and published in the Turkish Official Gazette Nr. 25137.

Effective Date: February 27, 2015!

Article 48 of the New Consumer Protection Act governs distance selling contracts, and its 6th sub-paragraph addresses contracts that fall outside the scope of distance contracts. The rights and obligations of the consumer, the seller and the provider, the right of withdrawal, the information requirement, delivery and other terms and conditions are to be determined under a separate regulation. The Distance Selling Contract Regulation, which becomes effective on February 27, 2015, serves this purpose (“Regulation”).

Description of Distance Selling Contract: Contracts per SMS also Distance Selling Contracts!

The New Consumer Protection Act described the distance selling contract as “…. contracts entered by using distance communication tools until the contract among the parties has been established including the moment of its establishment within a system established for distant promotion of goods or services without requiring the seller’s or provider’s along with the consumer’s simultaneous physical presence…” The Regulation adopted the same description and determined which tools constitute distance communication tools by listing them. Accordingly, any contract established via “any kind of tool or platform enabling entering into a contract without the requirement for coming together physically such as letter, catalogue, telephone, fax, radio, television, electronic mail message, SMS, Internet” shall be deemed as a distance selling contract. Unlike the superseded regulation, this Regulation includes contracts established via SMS within the scope of distance selling contracts.

The following shall not be subject to Regulation

Although the above definition gives an idea of the scope of the Regulation, Article 2 of the Regulation explicitly lists the contracts to which the Regulation shall not apply.

According to the mentioned Article 2, the following services have been left out of the Regulation’s scope:

(i) financial services,

(ii) sales made through automatic machines,

(iii) through public phones by using such phones with telecommunication operators,

(iv) services for betting, drawing, lottery and similar chance games,

(v) constitution, transfer or obtaining of real estates or rights related thereto,

(vi) renting of houses,

(vii) package tours,

(viii) time share property or holiday, long term holiday service and the re-sale or exchange thereof;

(ix) delivery of daily consumable materials such as food and drinks to the residence or office of the consumer by regular delivery,

(x) passenger transportation services, except for a few obligations that remain subject to the Regulation,

(xi) installation, maintenance and repair of goods,

(xii) nursing services, social services to support families and persons such as children, elderly or ill persons’ care.

Pre-Information Obligation: Not only before establishment of contract but before acceptance of proposal required

As in the previously superseded regulation, this Regulation requires that the consumer be informed of certain information by the seller or the provider before the distance selling contract is established. However, unlike the superseded regulation, this Regulation widely extends the scope of the information requirement and, on top of that, requires that the information be provided not only before the contract is established but before any proposal to this end is accepted by the consumer.

The mandatory information to be provided to the consumer before the distance selling contract is established or the equivalent proposal is accepted is as follows:

(i) essential qualifications of the good or service subject to contract;

(ii) name or title of the seller or provider, MERSIS number, if any;

(iii) open address, phone number and similar communication information that will enable the consumer to maintain quick communication with the seller or provider along with the identity and address of the person acting in the name or on behalf of the seller or provider;

(iv) if there is communication information of the seller or the provider to enable the consumer to transmit its complaints other than the information mentioned in the preceding paragraph, if any, such information should be provided;

(v) total price of the good or service including all the taxes, calculation method of the price if the type of price does not allow a prior calculation, all the transportation, delivery and similar additional charges, if any, along with the information that additional charges could be applicable if such charges cannot be calculated in advance;

(vi) additional charge applicable to the consumers if the usage fee of the distant communication tool cannot be calculated over the ordinary fee tariff at the time when the contract is established;

(vii) information on how the payment, delivery, performance will be made along with undertakings in relation thereto and settlement procedure of the seller or provider with regard to complaints, if any;

(viii) if there is a right for withdrawal, terms for using such right, period, procedure thereof and information on the transporter which will be assigned by the seller for the return of the related goods or service;

(ix) open address, fax number or electronic mail information serving the withdrawal notification;

(x) if no withdrawal right is applicable, information on the inability of the consumer to benefit from the withdrawal right or on which conditions such withdrawal right will be lost;

(xi) upon the request of the seller or provider, deposits to be paid or provided by the consumer or other undertakings and the conditions related thereto, if any;

(xii) technical protection measures that could affect the functionality of the digital content, if any;

(xiii) information on which hardware or software the digital content could work together about which the seller or the provider has information or they are reasonably expected to have such information;

(xiv) information on how consumers can make their application for settlement of dispute to Consumer Court or Consumer Arbitration Council.

Although provision of the above information is mandatory, it is possible for the parties to mutually agree otherwise. In other words, consumer and seller or providers are freely entitled to mutually agree upon such information with an amendment. However, it is the duty of the seller or provider to refute any argument of consumers that such information has not been provided, i.e. no pre-information has been made.

Pre-Information has been extended and diversified

  1. Possibility of identifying the seller or provider: As can be understood from the above, the information required to be provided to the consumer before the distance contract is established or an equivalent proposal is accepted has been widely extended, and it has been made easier for the consumer to contact the seller or provider promoting goods or services via distance communication tools. Thus, the consumer will be able to determine without any doubt the identity of the seller or provider from whom the consumer purchased goods or services.
  2. Withdrawal right has been extended: The superseded regulation remained insufficient as regards the use of the withdrawal right and was not able to meet the needs of consumers in this respect. This Regulation points out under which circumstances the withdrawal right can be used and under which it cannot. Additionally, the Regulation prolonged the term for using the withdrawal right and specified the obligations of the seller and provider along with the consumer in relation to such withdrawal right.
  3. Sale conditions have been specified: It is understood that the Regulation aims to raise the awareness of the consumer in identifying absolutely all the amounts the consumer is obliged to pay while purchasing the related goods or services. Hence, the same provision imposing this obligation also specifies that the consumer is not obliged to cover additional charges if the consumer has not been informed about them. Additionally, in contracts with an indefinite term or subscription agreements for a definite term, it has become mandatory that the total price of the goods or services, including all applicable taxes, includes all the expenses for each invoicing period.
  4. Technical information to be provided to the consumer: Part of the information that must be given to the consumer before the distance selling contract is established or an equivalent proposal is accepted is technical. The mandatory pre-information list includes information about technical protection measures that could have an effect on the functionality of the digital content, defined as “any kind of data provided in digital format such as computer program, application, game, music, video and text”, and information on which hardware or software the digital content can work with, where the seller or the provider has such information or is reasonably expected to have it. Such technical information is intended to guide consumers who purchase digital content via distance communication tools as to the conditions under which the goods or services they purchased can function.

How to enter into contracts with minors and the disabled?

There is no doubt that a considerable share of those who purchase digital content via distance communication tools will be minors. Hence, the superseded regulation had envisaged a protection provision in this respect and had required it to be stated, in conformity with the distance communication tool used and within good faith principles, that the mandatory pre-information was provided for commercial purposes in a way that protects those who are incapable, minor or disabled. This Regulation, however, omitted such a provision and will evidently seek the solution of this matter within the general provisions of the law. Hence, any seller or provider who has in any way entered into a distance selling contract with minors or the disabled could possibly have problems in making the delivery of the goods or services they have sold to the latter. For this reason, we advise including a protective provision in this respect within the pre-information form.

Method for Pre-Information:

Unlike the superseded regulation, this Regulation determines the pre-information method and prescribes that the consumer has to be given the required pre-information in writing or on a permanent data storage unit, in accordance with the distance communication tool used, in at least 12-point font, in understandable language, and in open, plain and readable form.

If the distance selling contract has been established via Internet, it is mandatory the following pre-information is separately indicated just before the consumer becomes obliged to pay:

(i) essential qualifications of the good or service subject to contract;

(ii) total price of the good or service including all the taxes, calculation method of the price if the type of the price does not allow a prior calculation, all the transportation, delivery and similar additional charges, if any, along with the information that additional charges could be applicable if such charges cannot be calculated in advance;

(iii) if there is a right for withdrawal, terms for using such right, period, procedure thereof and information on the transporter which will be assigned by the seller for the return of the related good or service;

(iv) if no withdrawal right is applicable, information on the inability of the consumer to benefit from the withdrawal right or on which conditions such withdrawal right will be lost.

If the distance selling contract is established via Internet, the following pre-information has to be indicated openly and in an understandable form before the consumer submits its order:

(i) whether there is any restriction for delivery; and

(ii) which payment tools shall be accepted.


Consequently, when a distance selling contract is entered into via the Internet, part of the pre-information stated above has to be separately indicated in an open and understandable form before the consumer performs its payment obligation, and some of the other pre-information has to be indicated in the same way before the consumer submits its order. Thus, it will be confirmed that the consumer has been informed about such minimum information and has accepted it.

If the distance selling contract is established via voice communication tool, some of the pre-information shall be provided just before the order has been submitted by the consumer whereas complete pre-information shall be provided in writing on delivery of the good or performance of the service at the latest:

The same pre-information that must be provided to consumers in a separate and open way before they are obliged to make a payment when entering into distance selling contracts via the Internet shall also be provided when entering into any distance selling contract via a voice communication tool, just before the consumer places its order, and within the same communication environment. Furthermore, the complete set of pre-information given by law has to be sent to the consumer in writing by the delivery of the goods or performance of the service at the latest.

Pre-information to be provided in an understandable and open form if the distance selling contract has been entered within an environment where information about the order is provided within a restricted area or time:

The same pre-information required to be provided to consumers in a separate and open way before they are obliged to make a payment while they enter into distance selling contracts via Internet shall be provided while entering with them into any distance selling contract within an environment where information about the order is provided within a restricted area or time just before the consumer places its order, which has to be made within the same communication environment. Additionally, the consumer has to be informed at the mentioned stage about the name or title of the seller or provider and its MERSIS number, if any. Pre-information required to be provided at the delivery of the good or performance of the service constitutes complete set of pre-information given by law as it is required for distance selling contracts established via voice communication tool.

Pre-information to be provided in an open and understandable way if the distance selling contract has been established via voice communication tool or within an environment where information about the order is provided within a restricted area or time, and its performance is required immediately:

In this case, the consumer has to be informed only about the following:

(i) essential qualifications of the goods or service subject to contract;

(ii) name or title of the seller or provider and its MERSİS number, if any;

(iii) total price of the goods or service including all taxes, calculation method of the price if the type of the price does not allow a prior calculation, all the transportation, delivery and similar additional charges, if any, along with the information that additional charges could be applicable if such charges cannot be calculated in advance;

(iv) if no withdrawal right is applicable, information on the inability of the consumer to benefit from the withdrawal right or on which conditions such withdrawal right will be lost.

Pre-Information requires confirmation

Any seller or provider has to confirm that the consumer received the pre-information, whether through the Internet, a voice communication tool or within an environment where the order is placed within a restricted area or time, in accordance with the communication tool used. Otherwise, it shall be deemed that no contract has been established.

Other obligations on Pre-Information

Just before the consumer approves the order, any seller or provider has to inform the consumer in an open and understandable form that the order shall be deemed a payment obligation. Otherwise, the order shall not be binding upon the consumer.

If the consumer is contacted by the seller or the provider by phone to establish a distance selling contract, the seller or provider has to disclose at the beginning of each conversation its identity, the identity of any other person in whose name or on whose behalf it is acting, and the commercial purpose of the conversation.

The information above covers the scope and pre-information provisions of the Regulation. The withdrawal right and other issues stipulated in the Regulation shall be the subject of another article, which will come out soon.

Six Things To Know About The New VAWA Final Regulations

On Oct. 20, 2014, the Department of Education issued new regulations implementing changes to the Clery Act by the Violence Against Women Reauthorization Act of 2013 (VAWA). The regulations are massive, set out in 227 pages of the Federal Register, and they take effect on July 1, 2015. All colleges and universities receiving federal funds are affected. The following are a few of the highlights from the regulations:

  1. New programs and increased transparency. The new regulations require that institutions develop and describe programs aimed at eliminating dating violence, domestic violence, sexual assault and stalking. Institutions must offer the programs to students and employees and must describe these programs in the annual security report required by the Clery Act. Schools must also disclose all aspects of their investigatory and disciplinary procedures including reporting methods, sanctions, protective measures and interaction of campus and local law enforcement.
  2. Advisors in disciplinary hearings. Both the accuser and the victim may choose to be accompanied by an advisor in any disciplinary proceeding or related meeting. Institutions may not limit the choice or presence of an advisor but may restrict advisor participation in proceedings if the restrictions apply equally to both parties. The advisor may be a friend, school administrator, family member, attorney or other advocate.
  3. Defining and reporting stalking. Institutions must now report incidents of stalking in their annual security reports. The regulations define “stalking” as “two or more acts” in which the stalker “follows, monitors, observes, surveils, threatens, or communicates to or about a person” that would cause a “reasonable person” to fear for their safety or suffer substantial emotional distress. Notably absent from the definition is the requirement that the stalker have the specific intent to stalk the victim.
  4. Dating violence and domestic violence defined and added to reportable incidents. Reports of sexual assault and violence must now be further broken down in the annual security report if they also qualify as dating or domestic violence. Whether an incident is “dating violence” largely depends on the nature of the relationship between the victim and the accused. To determine if an incident of “domestic violence” has occurred, schools will look to family violence laws in their jurisdictions.
  5. Reporting “unfounded” complaints. Institutions may withhold and later remove an “unfounded” report from their crime statistics in the rare event that a sworn or commissioned law enforcement officer makes a formal determination that the crime is false or baseless. An incident may be labeled “unfounded” only after a full investigation, but not, for example, when the victim refuses to cooperate with prosecution. Institutions must report yearly the number of sexual assaults that law enforcement has determined to be “unfounded.”
  6. Gender identity and national origin added to hate crimes biases. The regulations add actual or perceived gender identity and national origin to the list of categories a hate crime may be based on. That list now includes: race, gender, gender identity, religion, sexual orientation, national origin and disability.

Too good to be true? Godfrey Hirst v Cavalier Bremworth

Misleading and deceptive conduct – Fair Trading Act (FTA)

“Get unlimited broadband for $75 a month!” “Join Sky and get Sky Sport free!” Consumers are constantly bombarded with advertisements and offers from traders. Sometimes the offers seem too good to be true, until you read the fine print.

The FTA prohibits misleading or deceptive conduct and false representation. The relevant provisions are section 9, which prohibits misleading and deceptive conduct generally, and section 13, which prohibits false or misleading representations.

A breach of these sections of the FTA is a criminal offence and if found to be in breach the offender can face fines up to a maximum of $600,000 for a company and up to $200,000 for an individual.


Godfrey Hirst v Cavalier Bremworth

The Court of Appeal decision in Godfrey Hirst NZ Limited v Cavalier Bremworth Limited [2014] NZCA 418 is a significant case concerning misleading conduct and a reminder to traders that it is not good enough to hide information in fine print, or where consumers need to hunt for it. The case involved a claim by Godfrey Hirst NZ Limited (GH) against Cavalier Bremworth Limited (CB) with regard to the headline warranty statements made by CB on its website relating to its “Habitat Collection” range of synthetic carpets, which was manufactured by INVISTA (Australia) Pty Limited, the manufacturer of the synthetic fibres used in the carpets. The warranties posted on the website include “lifetime stain and soil resistance”, “25 years fade resistance”, “15 years abrasive wear” and “Lifetime Anti-static protection”. These warranties were then qualified by a hyperlink to a “Limited Warranties” booklet containing the full terms and conditions (and limitations) of the warranties.

GH claimed consumers would have to delve too far into the fine print to know the limitations of the warranties (for instance, the terms and conditions contain qualifications that carpets installed by landlords in rental residential dwellings are excluded from the lifetime stain resistance warranty, and that stains by non-food and non-beverage substances, including ink and bleaches, are excluded).

CB’s defence pointed to the asterisks used to draw consumers’ attention to the detailed terms and conditions.  However, the Court of Appeal did not consider that the hyperlink to the warranties booklet averted the misleading dominant message.  The Court of Appeal concluded that although consumers might notice some of the warranties are limited, such limitations did not detract from the “dominant message” or “overall impression” conveyed to a significant number of consumers.

In arriving at their decision, the Court of Appeal considered the following questions:

  1. Who is the consumer?
  2. What standard of care is expected of the consumer?
  3. Did the High Court impose on the consumer too high a standard?

The consumers in such a case would comprise all of the “average”, “ordinary” or “reasonable” consumers in the class targeted by the allegedly misleading representations, except the “outliers”. Outliers are consumers who are unusually stupid or unusually ill-equipped or who have extreme or fanciful reactions.

In general, consumers are expected to exercise a degree of care which is reasonable having regard to the circumstances.  In real life this means that where consumers have real day to day experience of the type of goods and services, they should be expected to have some common sense, but they will not be expected to understand technical details. In this case, although the link to the full terms and conditions was readily accessible, the terms were “too detailed and complex to permit a consumer looking at the website easily to determine what was covered by the warranties”.

The Court of Appeal concluded that the advertisements were misleading and that the qualifying information, accessible by hyperlink on another web page, was not sufficient to correct the consumer perception as to the warranties advertised.


What does it mean for consumers and business?

The Court of Appeal decision clarifies a number of important points in relation to misleading advertising, including that *:

  • All consumers are entitled to the protection of the FTA, not just the knowledgeable, well-off or sophisticated.
  • Claims are made to all members of the target audience, except for the “outliers”, which include those who are “ill-equipped” or “whose reactions are extreme or fanciful”.
  • When assessing whether a claim breaches the FTA, it is the dominant message of the headline that is important.
  • Where there is a glaring disparity between the dominant message of the headline and the information qualifying it, the maker of the statement must draw the disparity to the consumer’s attention in the clearest possible way.
  • The FTA will be breached where a claim has lured a consumer into “the marketing web” by misleading means.  It does not matter that the consumer may come to appreciate the true position before the transaction is completed.

* from Commerce Commission media release 9 September 2014