The GDPR will come into effect on 25th May 2018 and has been described as the biggest shake-up of data protection law for 20 years. James Wickes, CEO and co-founder of cloud-based visual surveillance company Cloudview, looks at the changes businesses need to make and the consequences of getting it wrong.

Data protection is a fundamental concern to all organisations which hold personal information. Next year new, tighter legislation comes into force which has been described by legal firm Wright Hassall as the biggest shake-up of data protection law for 20 years.

The General Data Protection Regulation (GDPR) becomes law on 25^th May 2018. It will be directly applicable in the UK without further implementation, and serious breaches could see organisations facing fines from the Information Commissioner’s Office (ICO) of up to €20 million or 4 per cent of turnover, whichever is higher. These increased fines will apply immediately, so organisations need to ensure that their GDPR compliant policies and processes are in place promptly. Large organisations also need to be aware that the size of the fine is calculated on the turnover of the whole organisation, not the operating division or subsidiary in which the breach occurred.

Personal implications for senior executives

Fines, however, are not the only potential penalty. The new legislation could have a personal impact on any senior executive with legal responsibility for their organisation’s behaviour.

The Culture, Media and Sport Committee’s investigation into cyber security, triggered by the cyber-attack on TalkTalk, was published in June 2016 and makes two recommendations. First, it suggests that a portion of CEO compensation should be linked to effective cyber-security. The report says: “To ensure this issue [cyber-security] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber-security, in a way to be decided by the Board”.

It goes on to say: “We concur with the ICO [Information Commissioner’s Office] that whilst the implementation of the GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.” So executives could face jail as well as fines for breaching the new regulations.

The need for consent

To understand the implications of the GDPR, we commissioned a briefing note from independent solicitors Wright Hassall. They identified two key issues:

1. Organisations whose core activity is processing special categories of data or the systematic monitoring of individuals on a large scale will have to appoint a Data Protection Officer to monitor compliance with the rules.
2. Organisations will have to demonstrate that an individual’s consent to the processing of their personal data is ‘freely given, specific, informed and unambiguous’. In most cases implied consent will not be sufficient. In my area, CCTV, it is as yet unclear to what extent organisations will need to seek to obtain explicit consent from individuals to record them via a CCTV system as we are already are required to make the presence of cameras very clear.

To prepare for the GDPR, the first step organisations should take is to carry out a Privacy Impact Assessment (PIA) to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. They need to consider whether there is a legitimate reason to collect specific information, whether it is stored securely, with safeguards to prohibit interception and unauthorised access, and whether data is deleted when it no longer serves a purpose. This latter issue has recently been raised as a concern by the surveillance camera commissioner, who points out that the Metropolitan Police are failing to delete number-plate records after two years, but have retained the data since the London Olympics in 2012.

Organisations also need to have a documented information retention policy which is understood by those handling data collection, and ensure that staff know how to respond to requests from individuals for access to their personal data. For more information, the ICO has produced a useful guide.

Personal data is not just text

What many organisations often fail to understand is that personal data covers every type of information, from written text to video and audio. This is increasingly important with the growth of the Internet of Things (IoT). All the data we upload onto our phones, from how many steps we take to changes in our heating systems, could be included if it allows individuals to be identified. IT departments are often responsible for all these devices and all this data.

Yet one area falls outside the remit of ‘traditional’ IT: CCTV, which many organisations use to monitor communal areas, manufacturing sites and warehouses. If video footage enables individuals (clients, employees, or passing members of the public) to be identified, the GDPR is applicable. CCTV surveillance systems should not normally be used to record conversations between members of the public or staff as part of a working environment – this is highly intrusive and unlikely to be justified.

CCTV footage differs from other types of data in that systems are binary in their ability to be secure or accessible. Because IT systems have moved into data centres, or better still, to the cloud, it is relatively straightforward for IT departments to ensure that data protection regulations are met, for example by ensuring that only authorised individuals can access certain information. However, access to current DVR-based CCTV systems has to be physically constrained by using locks or passcodes, as anyone with access to the equipment can access the data. Remote access has to be managed through a VPN (Virtual Private Network) which is expensive to set up, not always secure and inflexible.  Processes also need to be enforced rigorously to ensure data protection standards are met. CCTV is typically seen as peripheral to a business – but the legislation still applies, as do the fines.

One solution to this CCTV GDPR compliance problem is to hold CCTV information securely in the cloud, with access limited to authorised personnel. There is no longer a physical DVR; data is sent directly and securely from the cameras to the cloud. Such systems should be configured to record CCTV data only when needed and should automatically delete it when it is no longer required. Cloud-based CCTV systems should also have all the required security and encryption necessary to protect data and verifiable audit logs to prove that data was handled, transmitted, viewed and deleted appropriately. Not all providers offer this level of end to end service, so organisations still have to take responsibility for ensuring that their cloud provider is compliant with the appropriate regulations. They should also bear in mind that many cloud providers have clauses which allow them to share data with third parties – clearly inappropriate for personal data.

Ignorance is no excuse for breaking the law, and this includes data protection legislation. The new legislation comes into force in just over a year’s time, so organisations need to begin preparing now.

More information is available in the briefing note ‘Is your use of CCTV compliant with data protection legislation’ from Wright Hassall, available on the Cloudview website http://www.cloudview.co/dls/white/Cloudview-CCTV-Article-vanilla-23-05-16.pdf

Introduction

The seismic shift in British politics signalled by the referendum decision on 23 June 2016 is likely to have far-reaching legislative consequences in the UK. In the event that the new Conservative government negotiates a ‘clean break’ from the EU (i.e. an arrangement not involving membership of the EEA), the UK will be faced with the prospect of regulatory reform on an unprecedented scale. At present, most areas of domestic law are influenced to some extent by EU legislation and some areas are wholly determined by it. In the areas currently most influenced by EU law, a ‘clean break’ scenario would raise many questions. Should the law be kept as it is? If not, what will take its place?

This article will consider the implications of a ‘clean break’ scenario on UK consumer law. By its very nature, consumer law affects more people more of the time than any other area of civil law. Beyond this, a consideration of UK consumer law is particularly relevant in the context of post-Brexit planning for two reasons. First, it is an area that is currently highly influenced by EU law and therefore serves as a good practical example of the sorts of challenges to be faced by lawmakers. Second, its broad scope, high public visibility, and control over a multitude of day-to-day transactions mean that swift legislative review will be necessary, as well as politically expedient for the government, following any ‘clean break.’

Although a temporary Act of Parliament incorporating all current EU regulation into domestic law could provide short-term stability while the process of reviewing the law is undertaken, decisions will eventually have to be made in many areas. A few of these areas are considered below.

Consumer Rights and Sale of Goods

The traditional approach to Sale of Goods Law in British jurisdictions did not automatically confer particular rights on consumers as a class. However, as a result of the Consumer Rights Directive, the current position is that UK Sale of Goods legislation is starkly divided between consumers and non-consumers.  Consumers are given enhanced rights and afforded greater protection by the courts than commercial parties.

As practitioners in the area will know, dividing parties between consumers and non-consumers is often easier said than done. There will always be situations that fall somewhere between the two camps and categorisation can be difficult. In the worst instances, a degree of uncertainty is introduced into otherwise straightforward transactions. Rationalising this area should, therefore, be a priority.

The heart of the distinction is also ideological: how should freedom of contract be reconciled with social paternalism? The authors do not advocate a particular approach, but in a ‘clean break’ scenario the UK will be afforded the first opportunity in many years to determine the right answer to that question. It is an opportunity that should be seized.

Food Law

The law relating to food (and in particular hygiene, safety, and the provision of information) is almost totally governed by EU law.  The EU approach is marked by a dramatically different approach than was traditionally taken in the UK. In broad terms, this has led to a higher level of complexity and prescription than was previously the case.

Has the EU approach been beneficial? Without empirical evidence, it is difficult to analyse the efficacy of the approach. On the other hand, complex and prescriptive regulation is necessarily burdensome for traders. Consequently, it is suggested that a study should be undertaken to determine the efficacy of current food safety and hygiene law compared with that in other lighter regulation jurisdictions. An informed decision can then be taken as to whether the current level of regulation justifies the burden it places on traders.

A particular example of an area of food law that could benefit from urgent review – and one which would have a pronounced effect – relates to durability. At present, EU law dictates the terms of durability markings placed on food, such as use-by dates. It is notorious how much perfectly edible food is routinely thrown away because of this. Furthermore, EU law prevents retailers from giving such food away if the date has passed – regardless of the actual state of the food. Consumers, and in particular those who can ill-afford to do so, dispose of wholesome food on a huge scale even though many foods are safe well beyond their use-by dates. This is something which should be addressed.

Consumer Credit

The EU approach to consumer credit has undoubtedly complicated an area of law that should be consumer friendly.  The Consumer Credit Directive excludes transactions over a certain sum of money and excludes credit secured on residential land (the latter now being dealt with by the Mortgage Credit Directive).  EU law says little about consumer hire agreements and does not recognise hire-purchase. The result is consumer credit legislation where different regimes apply to the general bewilderment of many practitioners – let alone consumers.

To take an example, a consumer credit agreement or consumer hire agreement can fall within: (i) a regulatory regime dating from 1983 (and, if a bill of sale is involved, also from a regime introduced the century before last), (ii) the 2010 set of regulations where the Consumer Credit Directive applies, or (iii) the 2015 legislation intended to comply with the Mortgage Credit Directive.

There is no need for such complexity. Following a ‘clean break’, the current system should be abandoned and replaced with a single new Act.

Unfair Commercial Practices

The Unfair Commercial Practices Directive was incorporated into domestic law by the Consumer Protection from Unfair Trading Regulations 2008.  The legislation has proven difficult to implement. Indeed, following the introduction of the 2008 Regulations, Trading Standards enforcement virtually came to a halt for a number of years due to the inability to tackle unfamiliar concepts and vague language.

Although much improvement has been made since the Regulations and the Directive remain problematic for practitioners and enforcers. What is a ‘commercial practice’? Can it relate to an isolated incident or must it involve a pattern of behaviour? These questions – and the chain of litigation that resulted from them – were made necessary by the vague language introduced into UK law by the Directive.

Previously, the Trade Descriptions Act 1968 had provided a workable piece of legislation dealing with similar issues. Having been in force for some 40 years, a substantial body of case law had developed around the Act providing certainty to consumers and traders – as well as a rich source of jurisprudence to the courts – which no longer exists. In a ‘clean break’ scenario, legislators would be well served to contrast the language of the 1968 Act with that employed in the 2008 Regulations.

Weights and Measures

One topic that has consistently proven emotive with the public is the choice of unit. Indeed, it has already been reported that some butchers are now offering their customers the opportunity to buy in pounds and ounces. Although perhaps not as pressing a concern as some others considered above, legislating in favour of imperial units of measurement over metric would present the government with an easy opportunity to win support from Brexiteers currently sceptical about the government’s commitment to the implementation of the referendum mandate.

From a regulatory point of view, there would be little difficulty in permitting domestic traders (particularly those selling meat, fruit, and vegetables) to choose between imperial and metric units. Exports to the EU would, of course, continue to be marked in metric units in compliance with EU legislation.

Conclusion

The above are only a few examples of areas that will require consideration. There are many others which will fall to be considered in the event of a ‘clean break.’ Such an exercise in legislative reform is unprecedented in UK history and is naturally daunting to many as a result. However, it also presents an unprecedented opportunity to reform the law for the better.

This week, 38 state Attorneys General (AGs) submitted comments to update the Telemarketing Sales Rule (TSR). In a letter to the Federal Trade Commission (FTC), the AGs called for a number of new requirements as part of the FTC’s rule review. The letter is led by Florida Attorney General Pam Bondi and Pennsylvania Attorney General Kathleen Kane. (Note a letter of 36 state AGs constitutes an official position of the National Attorneys General Association).

State AGs have authority to pursue unfair and deceptive acts and practices under state laws, and additional enforcement power under certain federal laws and regulations. Specifically, AGs have authority to remedy violations of the Telemarketing Sales Rule. The TSR applies limitations on telemarketing activities, including the Do Not Call registry, requires certain disclosures from telemarketers, and provides guidelines for allowable sales calls and payment transactions.

The state AGs offer comments in four categories: 1) prohibitions on the use of preacquired account information; 2) negative option marketing restrictions on consumer-to-vendor calls; 3) telemarketer / seller requirements to maintain call records; and 4) regulation of money transfers.

First, the comment letter notes that for online sellers the use of preacquired account information for marketing is already prohibited under the Restore Online Shoppers’ Confidence Act, in response to online retailers sharing customer billing information with third party sellers. The AGs call on the FTC to adopt a similar prohibition to telemarketing, indeed a total ban on the use of preacquired account information. The letter notes that the three major credit cards currently restrict merchants from sharing consumer account information with third parties.

Second, AGs have long targeted negative option marketing which they deem to be the sale of products or services based on a consumer’s acceptance through his or her silence or ambivalence, failure to cancel the agreement, or lack of rejection of products or services. The AGs argue the TSR should require the following: disclosures made separately from other terms in the product offer; a distinct consumer acceptance of that offer; and a confirmation sent to the consumer. The AGs also seek this regulation to be applied to inbound consumer-to-vendor calls when a consumer is responding to an advertisement or direct mail marketing.

Third, the AGs request a mandatory recordkeeping rule on telemarketers and sellers, including the creation of call records, to aid in their enforcement efforts.

Fourth, the AGs seek a ban on certain payment methods, such as cash-to-cash money transfers, often used in telemarketing fraud — the comment letter even references the ubiquitous “Nigerian scam.” The AGs support TSR amendments to require money transfer companies to perform due diligence into whether a transfer results from a prohibited solicitation.

The state Attorneys General comment letter can be found here.