Archive for the 'Web law' Category

New rules on payment surcharges in consumer contracts

At the end of last year, the Government implemented Article 19 of the Consumer Rights Directive through the new Consumer Rights (Payment Surcharges) Regulations 2012. These regulations aim to address ‘above-cost’ payment surcharges made by traders.

Payment surcharges (where a trader imposes a fee on customers depending on the type of payment method they choose to use) have become a popular way for traders to reduce the headline cost of goods or services when trading in a competitive market. Payment surcharges are particularly notorious in the budget airline industry (where substantial charges are often imposed for using a credit card), but in recent years have become increasingly common in both on and offline consumer contracts.

The new laws are aimed at ensuring that surcharges are not used by traders as a mechanism for generating additional revenue.

So what do these regulations actually change?
The new regulations prohibit traders from imposing payment surcharges on customers where the charge exceeds the cost to the trader of using the payment method – in other words, ‘above cost payments’. They are payment method agnostic – that means they apply not just to surcharges imposed when using a credit or debit card, but also other methods such as cheques, cash and direct debits.

In addition to payment charges, the regulations are also applicable to discounts offered for paying using particular methods (for example, direct debit).

The regulations apply to all consumer contracts (both on and offline) in sales or services, digital content and most utilities, and also extend to package holidays, which is beyond the scope of the Directive. The rationale for including package holidays is that a failure to extend the prohibition would produce inconsistencies between package holidays and individual, separately purchased, components of a holiday (for example air travel).

The regulations detail some excluded contracts including certain financial service and social services contracts.

Charges that do not vary depending on the payment method (and therefore apply to all payment methods) are not affected by the regulations.

How do you calculate what charges are reasonable?
Neither the regulations nor the Directive define what the “cost to the trader” is for the purposes of determining what charge is appropriate. In its guidance (see link below) the Department for Business Innovation and Skills states that only direct costs are relevant, but that these will vary depending on the size of the trader.

In relation to card payments, the guidance lists the following types of costs as being relevant:

  • The Merchant Service Charge, which traders pay to their acquiring bank
  • IT and equipment costs used for particular means of payment such as card terminals, for example point of sale devices
  • Risk management – active fraud detection and prevention measures which vary depending on their business and whether transactions take place face to face or remotely
  • Processing fees such as charges for reversing or refunding a payment
  • Any operational costs that can be separately identified as internal administrative costs arising from activities dedicated exclusively to card payments. For example, where traders opt to buy in services from intermediaries who provide equipment, fraud detection and processing services (especially online payments) for card payments, they should be able to recover the costs they incur through a payment surcharge.

When does this change come into effect?
The regulations come into force on 6 April 2013 and apply to all contracts entered into on or after this date, although new businesses (which begin trading between 6 April 2013 and 12 June 2014) and micro-businesses (less than 10 employees) are given until 12 June 2014 before the regulations apply.

Do the regulations have any other powers?
In the event of non-compliance, trading standards officers are provided with powers to investigate.

Trading standards can also seek undertakings from traders or apply for injunctions in the event of non-compliance. The regulations can also be enforced under the Enterprise Act 2002 (Part 8 Domestic Infringements) Order 2013. Specified enforcers can apply to the courts for enforcement orders if they become aware that a trader has engaged, or is likely to engage, in conduct which constitutes an infringement.

What do traders need to do now?
Any trader that currently imposes payment surcharges should review their charges to ensure that they are compliant with the new regulations.

Further information…
The Department for Business, Innovation and Skills has published helpful guidance, including Q&As on the new Regulations, which can be accessed on the BIS website (PDF).

Martin Sloan

European Parliament approves new consumer dispute resolution procedures

The European Parliament recently confirmed its adoption of the European Commission’s Alternative Dispute Resolution (ADR) and Online Dispute Resolution (ODR) proposals.

The ODR is intended to establish an EU-wide online platform to quickly and efficiently handle consumer disputes arising from online transactions, avoiding the need to go to court.

Tonio Borg, Commissioner for Health and Consumer Policy explained that

ADR and ODR are a win-win for consumers, who will be able to resolve their disputes out-of-court in a simple, fast and low-cost manner, and also for traders who will be able to keep good relations with customers and avoid litigation costs.

Astoundingly, the Commission claims that well-functioning and transparent ADR could save consumers €22.5bn a year.

Online Dispute Resolution – the basics
ADR aims to provide an alternative route to resolving disputes by using non-judicial entities – for example, a conciliator, mediator, arbitrator, or ombudsman.

The ADR entity proposes a solution or brings the parties together to find a solution. Entities operating fully online are called online dispute resolution entities and will be utilised in the new ODR platform.

With more online and cross border European trade the ODR platform will allow the resolution of disputes when traders and consumers are in geographically different locations. The nature of the platform will (hopefully) speed up procedure to the benefit of both consumers and traders.

It is intended that the new procedure will be available to resolve all consumer contract disputes other than contracts for health and education, regardless of what was purchased and whether it was purchased domestically or across borders. The ADR process will apply to contracts concluded both online and offline.

When will the regulations come into force?
Member States will have 24 months, after the entry into force of the Directive, to transpose the regulations into national legislation i.e. midway through 2015. The ODR platform will become operational six months after the end of the transposition period.

What should traders do now?
A trader who commits to, or is obliged to use, ADR will need to inform consumers about ADR on their website and in their general terms and conditions. Although the changes are not intended to come into force for some time, traders should start to think about their process changes now.

Traders will be obliged to inform consumers about ADR when a dispute cannot be settled between the trader and consumer. Traders should also provide a link to the ODR platform on their websites.

How will it work in practice?
The platform will link all national alternative dispute resolution entities. A set of common rules will be published detailing the functions of the ODR platform, including the role of national ODR advisors.

Consumers will be able to submit a complaint online using the ODR platform. The platform will notify the trader a complaint has been made. The consumer and trader will then agree upon the appropriate ADR entity to determine the dispute. The new rules provide that ADR entities should settle disputes within 90 days.

We will post more information on the new procedures when they become available.

Martin Sloan

Leveson, Royal Charters and the future of press regulation in Scotland

On Monday the three main political parties in Westminster agreed on a plan to implement the Leveson Report’s press regulation recommendations in England and Wales.

The plan
The agreed approach involves a Royal Charter which will establish a new regulator for the press, and amendments to the Enterprise and Regulatory Reform Bill (to help entrench the Royal Charter so that it can only be dissolved by a two-thirds majority vote of both the House of Commons and the House of Lords) and the Crime and Courts Bill (so that all “relevant publishers” who do not sign up to the new regulator will pay extra or exemplary (punitive) damages for libel and breaches of privacy).

The Royal Charter is surprisingly difficult to find, but here is a link.  It remains to be seen whether the new plan will gain widespread acceptance.

Labour leader Ed Miliband has claimed that:

What we have agreed is essentially the royal charter that Nick Clegg and I published on Friday. It will be underpinned by statute. Why is that important? Because it stops ministers or the press meddling with it, watering it down in the future.

Tough talking, but what exactly does Ed Miliband mean when he says “essentially the royal charter”?  What might end up being different?

Well, according to the Royal Charter as drafted at present, a “relevant publisher” means:

a person (other than a broadcaster) who publishes in the United Kingdom:

i) a newspaper or magazine containing news-related material, or
ii) a website containing news-related material (whether or not related to a newspaper or magazine)

It’s an alarmingly wide definition, which could capture not just foreign news websites but also bloggers and perhaps Tweeters. It doesn’t entirely correspond with Culture Secretary Maria Miller’s assertion that:

a publisher would have to meet the three tests of whether the publication is publishing news-related material in the course of a business, whether their material is written by a range of authors – this would exclude a one-man band or a single blogger – and whether that material is subject to editorial control.

By way of example, here on Brodies Techblog we have a team of bloggers, we publish news-related material in our blogs (in that we comment on topical legal issues), and our posts are subject to editorial control before they are published. Did Cameron, Miliband and Clegg have blogs like this in their sights when agreeing the draft charter? Should a blog like this be treated differently from the blog of an individual, but high profile and influential, blogger? It’s not clear.

What is clear is that there is still work to be done on the drafting of the charter.

Should the press be regulated like broadcasters?
An interesting – but often overlooked – aspect of the press regulation debate is that broadcasters are regulated by communications regulator Ofcom.

The traditional freedom of the press (particularly in comparison to broadcasting) has complex roots and justifications, including the practical issue of scarcity of broadcast spectrum, which has led to far stricter regulation of television and radio broadcasters.

As a consequence of Ofcom’s regulatory control over broadcasters, broadcasters’ websites are specifically excluded from the Royal Charter definition of “publishers” set out above.  These websites will continue to be regulated by Ofcom.

The Scottish dimension
Press regulation is a devolved competency of the Scottish Parliament.  Alex Salmond has said the concept of a UK-wide regulator backed by Royal Charter may be “an idea worthy of consideration”.

It appears that the First Minister is keen to distance himself from the report produced by the Expert Group on the Leveson Report in Scotland, better known as the “McCluskey Report” (in reference to the Group’s chair, Lord McCluskey), which was published three days before the Westminster announcement.

The recommendations were widely derided last week as being draconian and having gone too far.

Allan Rennie, editor-in-chief of Media Scotland, said:

it’s not just about the press, it’s about anyone in Scotland who dares to express an opinion.

Analysis of a Report and recommendations which appear stillborn are perhaps academic, but it’s not entirely easy to reconcile some of the more vigorous attacks on the McCluskey Report with the actual content of the Report’s proposed Draft Press Standards (Scotland) Bill.

For example, one of the most widely repeated claims over the weekend was that the proposed draft Bill would apply to any publication which can be viewed from Scotland (in other words, anything on the internet, regardless of where the author of the content in question is located). While it’s correct that in the case of allegedly defamatory publications posted on the internet it is generally accepted that “publication” takes place where the article is downloaded, the proposed draft Bill didn’t explicitly refer to this understanding of “publication”.

It referred instead to a publication which “takes place in Scotland”. Further, paragraph 20 of the McCluskey Report specifically stated that the proposed draft Bill was written in “plain English”. (On the other hand, it does seem curious that the proposed draft Bill dispensed with the “publishes in the United Kingdom” wording in several of the draft bills that have been in circulation recently, including Hacked Off’s “Proposed Media Freedom and Regulatory Standards Bill”.)

Differences under the Scottish legal system
Less ambiguous was the McCluskey Report’s conclusion that

we have reached the view that there is no practical alternative to making [the new regulation system] compulsory for all news-related publishers.

As discussed above, the new plan agreed by the three main parties in Westminster does not provide for compulsory opt-in, but instead envisages exemplary damages for publishers who fail to sign up to the new regulator.

However, because damages under Scots civil law are purely compensatory, the concept of exemplary or punitive damages is unknown in Scotland. This is explained in further detail in the Scottish Government’s “Carrots and Sticks” Leveson Briefing Note.

There are also other aspects of Scots Law which would require consideration should the Royal Charter plan be followed, including arbitration and court expenses (in Scotland “costs”).

However, none of these problems would be insurmountable, and the McCluskey Report itself noted at Paragraph 10:

Scottish legislation could provide for a separate Scottish Recognition Body. We do not consider that there is anything in such a proposal that would prevent the formation of a single UK-wide Regulatory Body if that was considered appropriate.

Alex Salmond has said that he shall continue cross-party talks on press regulation, and report to the Scottish Parliament after Easter. The Scottish Government has separately sought clarification from the UK Government on the impact of the proposed Royal Charter in Scotland.

For the time being, however, the future regulation of the press and the web in Scotland (or available in Scotland), and its scope, remains unclear, leaving publishers in the UK uncertain as to whether they will be subject to two different regimes or a single, harmonised, regime.

We will continue to follow this debate as it evolves.


ICO revisits approach to cookie law consent – what does this mean for other organisations?

Last month, the Information Commissioner’s Office (ICO) announced that it was going to change the way that it sought to obtain consent from users to the use of cookies on its website, as required under laws that came into force in May 2011 (known as the cookies law). Those changes were implemented on Friday.

What’s changed?
Firstly, the ICO’s website now sets certain non-essential cookies automatically upon arrival. This is a big change from the old approach and marks a shift from prior, explicit, consent to implied consent.

After moving to prior, explicit, consent, recorded traffic to the ICO’s website dropped by 90% as a consequence of users failing to accept cookies (including a Google Analytics cookie used to analyse traffic). Reinstating implied consent will mean that those figures will go shooting back up, giving the ICO a much better idea about how people use its website. According to the ICO’s news release, this was one of the main drivers behind the change to its cookie consent policy.

Secondly, the ICO has updated its banner notification. The old one looked like this:

[Screenshot of ICO website in 2012]

The new one looks like this. The banner has now moved to the bottom of the screen (but not the bottom of the page) and is a bit more subtle (no contrasting text colour or box shading to make it stand out):

[Screenshot of the ICO website, 4 February 2013]

The banner message has been amended to make it clear that the website has “placed” cookies (as opposed to “will place”), and provides a pointer to allow users to change settings. Notably, the banner will remain until the user clicks “don’t show this message again” or moves to another page.

Surprisingly, the banner message still says that cookies are used to “make this website better”. Given the ICO’s otherwise very strict adherence to the cookie law rules, I’ve always thought that this was a very ambiguous basis upon which to obtain user consent – better for whom? The user? The ICO?

Thirdly, the ICO has shifted information on the use of cookies to a new standalone cookies page.

Finally, on that page (but not on the banner itself) is an option for users to delete non-essential cookies and not set them again:

[Screenshot of cookies opt out button on ICO website]

This allows users who do not wish cookies to reject them, notwithstanding that they were automatically placed upon arrival at the website. Unsurprisingly, this cookie control tool relies upon a cookie to remember the user’s setting.

What does this mean for other organisations?
Whilst the ICO argues that its revised approach is consistent with its own guidance, other organisations will take some comfort from the ICO’s new approach to cookie consent:

  • The ICO is of the view that knowledge about cookies amongst internet users is much greater than it was 8 months ago.
  • Explicit consent is therefore no longer considered necessary by the ICO for low risk, but non-essential, cookies.
  • Setting cookies on arrival, based upon implied consent, can be appropriate depending on the potential intrusiveness of the cookie. Pre-setting an analytics cookie is one thing; doing the same with a behavioural advertising cookie is quite another.
  • Banners or other methods used to notify users about the use of cookies may not need to be as prominent (design intrusive) as perhaps previously thought.
  • Using a cookie to identify a user that has opted out of other cookies is considered by the ICO to be an appropriate approach, provided users are notified about this.
  • Pointing users to third party websites for further information on third party cookies (such as those used for embedded YouTube clips on the ICO’s website) remains the ICO’s method of dealing with third party cookies.
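The consent model described above (non-essential cookies set on arrival, a banner saying cookies have been “placed”, and an opt-out that deletes them and records the choice in a cookie of its own) can be implemented as follows. This is an added illustration, not code from the ICO’s website or from Brodies; the cookie names and the opt-out cookie name are assumptions, and the functions work on a `document.cookie`-style string and return `Set-Cookie` header strings so the logic can be exercised outside a browser.

```javascript
// Added example: implied-consent cookie control modelled on the approach
// described above. Not the ICO's code; all cookie names are assumed.

const OPT_OUT_COOKIE = 'cookies_opt_out'; // assumed name of the cookie that records the opt-out

// Assumed cookie catalogue. Only non-essential cookies are subject to opt-out;
// the session cookie (and the opt-out cookie itself) are always allowed.
const COOKIES = {
  session:   { name: 'sessionid', essential: true,  value: 'constructed-session-id', maxAge: 86400 },
  analytics: { name: '_ga',       essential: false, value: 'GA1.2.1111.2222',       maxAge: 63072000 },
  prefs:     { name: 'textsize',  essential: false, value: 'large',                 maxAge: 31536000 },
};

// Parse a "a=1; b=2" cookie string into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar.set(name, decodeURIComponent(part.slice(idx + 1).trim()));
  }
  return jar;
}

// The opt-out is itself remembered in a cookie, as on the ICO site.
function hasOptedOut(cookieString) {
  return parseCookies(cookieString).get(OPT_OUT_COOKIE) === '1';
}

function setCookieHeader(name, value, maxAge) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax`;
}

// Cookies to set when a visitor arrives: essential cookies are always set;
// non-essential ones are set on implied consent unless the visitor has opted out.
function cookiesToSetOnArrival(cookieString) {
  const jar = parseCookies(cookieString);
  const optedOut = hasOptedOut(cookieString);
  const headers = [];
  for (const c of Object.values(COOKIES)) {
    if (jar.has(c.name)) continue;              // already present, nothing to do
    if (c.essential || !optedOut) headers.push(setCookieHeader(c.name, c.value, c.maxAge));
  }
  return headers;
}

// "Delete non-essential cookies and do not set them again": expire every
// non-essential cookie (Max-Age=0) and record the choice in the opt-out cookie.
function optOut() {
  const headers = Object.values(COOKIES)
    .filter(c => !c.essential)
    .map(c => setCookieHeader(c.name, '', 0));
  headers.push(setCookieHeader(OPT_OUT_COOKIE, '1', 31536000));
  return headers;
}

// Banner wording reflects that cookies have already been "placed" on arrival.
function bannerMessage(cookieString) {
  return hasOptedOut(cookieString)
    ? 'You have opted out; only essential cookies are in use.'
    : 'We have placed cookies on your computer. You can change your settings on our cookies page.';
}
```

In a browser the returned header strings would be assigned to `document.cookie` one at a time (or emitted as `Set-Cookie` headers server-side); the opt-out cookie must itself be treated as essential or the choice would be lost.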

If you would like to discuss how your website or mobile app deals with cookie law, or would like to understand the implications of the ICO’s revised approach for how you currently handle cookies, please visit our cookies page or get in touch.

Martin Sloan

Will the proposed EU directive on web accessibility lead to confusion and hinder innovation?

Following on from my blogpost last month on the European Commission’s draft directive on the accessibility of public sector websites, I have an article in the forthcoming edition of C&L Magazine, the journal for the Society of Computers and the Law.

Under the proposed directive, new EU-wide rules will be introduced setting out specific requirements in relation to the accessibility of certain websites operated by public sector organisations. In the article, I analyse the impact of the proposed directive on public authorities.

If implemented as it currently stands, the directive raises a number of concerns:

  • Firstly, organisations are presumed to comply with the new law if they achieve Level AA conformance with the W3C’s Web Content Accessibility Guidelines 2.0 (WCAG). The problem with WCAG is that whilst they provide a good starting point for accessible design, they are only one part of the wider accessibility jigsaw. Indeed, legislating in a manner that requires compliance with a fixed set of technical guidelines is concerning, because WCAG (and therefore the law) will inevitably fail to keep up with evolving technologies for delivering online services (for example, mobile or rich media).
  • This approach could have been mitigated by allowing organisations to deviate from WCAG compliance, if they can justify why this is an appropriate thing to do (as the UK Equality Act provides), but the draft directive does not provide such flexibility.
  • Finally, and perhaps more concerningly, the directive does not explain how it is intended to interact with pre-existing national laws that apply to the accessibility of services provided over the web, where a breach is based on actual discrimination taking place. This creates the very real risk that a public authority could comply with the requirements of the directive whilst simultaneously being in breach of its obligations under the Equality Act (or vice versa).

Whilst the directive may help achieve the Commission’s primary stated aim of removing barriers in the market for the provision of web development services in the EU (by ensuring that public sector organisations are obliged to set standardised technical criteria for accessibility), the directive is a fairly blunt instrument. I remain unconvinced that the directive will have such a positive impact upon the accessibility of websites to users with disabilities.

A far better approach would be to look at adopting the guidance contained in the British Standards Institute’s British standard on commissioning accessible websites.

You can read the article in full on the SCL website.

Martin Sloan

Does your social media competition follow the rules?

A “witty” epigram (which I dreamt up all by myself) is: “competition laws are boring, laws about competitions aren’t”.  I really like reading about how competitions are regulated, with the added bonus that you also gain some interesting insights into companies’ marketing strategies and profit margins.

In recent years I have noticed that the relative ease of launching promotions on social media sites such as Facebook and Twitter has resulted in the internet being awash with competitions which fail to meet the applicable rules and regulations.

Although social media competitions are usually just a fun way of reaching out to potential customers, the consequences of failing to follow the rules – or even just failing to apply the rigour traditionally administered to “offline” competitions – can be distinctly less jolly.  For example, in November Boots ran a competition on Facebook and subsequently accidentally informed all 9,000 entrants that they had won a trip to Barcelona.  It’s thought the company was forced to issue £90,000 worth of apologies.

The CAP Code
It’s important to remember that all prize promotions – whether online or otherwise – must adhere to the Advertising Standards Agency (ASA)’s CAP code (the Government-approved Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing).

In the last couple of years the ASA has published plenty of rulings regarding non-compliant online competitions (see for example the recent “118 118” ruling) whilst also maintaining a public list of non-compliant online advertisers.

Although the ASA punishments are normally limited to a bit of bad publicity, and a warning of “don’t do it again”, in theory its sanctions can extend to revocation of trading privileges (for example bulk mailing discounts) and referral to the Office of Fair Trading.

There’s not space here to list all the applicable CAP Code competition rules, but here are some really important ones:

  • don’t run what the Gambling Commission would deem an “illegal lottery” (punishable by fines and/or imprisonment); 
  • avoid running an illegal lottery by including a “skill” element (which can be part of a competition run, for example, where the competitor has to purchase a “promotional pack” of goods, providing the “promotional pack” doesn’t cost more than a “normal” pack);
  • alternatively, avoid running an illegal lottery by offering free entry (or, where one route to entry is not free, at least one alternative and equally publicised “free” route to entry which costs no more than what it would normally cost to use that method of communication);
  • if you are including a skill element, remember that the law applying to participants from Northern Ireland is slightly different (so participants from Northern Ireland should still be offered a free entry route even if participants from the rest of Great Britain have to purchase, for example, a “promotional pack”).
  • always include a closing date (and don’t change it);
  • always state what the prize actually is;
  • clearly state any restrictions (for example age; geographical location);
  • include details of the promoter;
  • tell people how winners will be informed;
  • always make it easy to find the applicable terms and conditions; and
  • ensure that any prize draw is conducted in accordance with the laws of chance, either by using a computer process that produces verifiably random results (consider using, or by an independent person, or under the supervision of an independent person.

If in doubt, bear in mind Rule 8.2 of Section 8 (Sales Promotions) of the CAP Code:

Promoters must conduct their promotions equitably, promptly and efficiently and be seen to deal fairly and honourably with participants and potential participants. Promoters must avoid causing unnecessary disappointment.

Social media sites have their own rules too
Once compliance with the CAP code has been addressed, social media sites’ own rules must be complied with.  The big risk here is that if either Facebook or Twitter don’t like your competitions, then they can disable or permanently delete your accounts.  (Anecdotal evidence suggests that deleted Facebook accounts are rarely restored.)

Twitter’s guidelines are fairly straightforward, Facebook’s less so. 

In fact, the Institute of Promotional Marketing is currently working with both Facebook and Twitter to develop guidelines for brands who wish to run social media competitions.

Nevertheless, it’s still possible to read Facebook’s Promotions Guidelines and Twitter’s Guidelines and identify some broad dos and don’ts.

On Facebook:

  • Don’t post a competition as a Status Update and ask “friends” to act upon it.  Facebook doesn’t like corporate/marketing content where social content should be, and prohibits the use of any “indigenous functionality” (Liking, Sharing, Commenting, checking-in, uploading photos to a Wall or responding to a poll/questionnaire) as a means of entering a competition.  Facebook instead recommends hosting competitions on externally hosted applications embedded into a Page App tab on your Facebook page.  (Upon reflection, the prohibition on using “Like” to enter is quite sensible – how could you tell the difference between someone just liking the page because they like your brand, or someone liking it to enter the draw?)
  • Facebook does allow you to stipulate that only people who “Like” your page can enter the competition. You are also allowed to limit people entering your competition to those who have checked into your location or who are using your Facebook app.
  • Ensure that the applicable terms and conditions acknowledge that Facebook is not associated with your competition in any way and that any personal information collected from the entrants is being sent to your company.  (In my experience a lot of terms and conditions relating to Facebook competitions fail to include this vital disclaimer.)
  • After a competition winner has been chosen, contact them off Facebook. (Make sure to collect contact details during the registration process so you don’t have a problem with this.)  You can’t use Facebook messages, chat, or posts to contact the winner.

On Twitter:

  • Discourage competitors from posting the same Tweet repeatedly.  (Competitions saying “whoever retweets this the most wins” are definitely a bad idea).  Twitter dislikes multiple Tweets because they damage the quality of searches.  The best solution is to state that multiple entries in a single day will not be accepted.
  • Encourage users to include an @reply to you in their Tweet so you can see all the entries.  Many of the complaints that reach the ASA regarding Twitter competitions involve suspicions that entries haven’t been received.  Relying on a public search may not show all relevant Tweets.

And remember that the CAP code and Gambling Commission rules outlined above will still also apply, so think about how you ensure that your competition does not accidentally become an illegal lottery.

If you have any questions about running a social media promotion, please get in touch.


European Commission proposes new laws on accessibility of public sector websites

As I reported on Twitter earlier this week, the European Commission has proposed a new directive governing the accessibility of websites operated by organisations in the public sector.

If passed, the directive would set out requirements in relation to how many public sector bodies ensure that their websites are accessible to users with disabilities. The European Commission estimates that there are over 700,000 public sector websites in the EU.

Determining what is “accessible”
One of the big issues with legislating on website accessibility is the need to have an objective set of criteria for determining what an accessible website looks like. Accessibility, by its nature, is a subjective issue, as accessibility problems will vary depending on an individual’s disabilities and the device/browser software that the user is using. This makes it difficult to have a law that sets out clearly what organisations have to do.

The UK Equality Act deals with this by setting out objective criteria for determining discrimination (which apply regardless of the type of discrimination alleged to be taking place), but translating this into the specific steps an organisation should be taking in relation to its website has always been difficult, as the law simply refers to policies or practices that have the effect of discriminating against the individual concerned.

The proposed directive addresses this issue by presuming that the website meets the accessibility requirements where it complies with a number of external standards.

These are:

  • initially, the recently approved international standard on website accessibility (ISO/IEC 40500), which in turn references Level AA conformance under version 2.0 of the W3C’s long-established and recognised Web Content Accessibility Guidelines (WCAG);
  • any European standard on website accessibility, which may include any standard under the ongoing Commission’s Mandate M/376 project (which is also likely to be based on WCAG Level AA conformance); and
  • ultimately the harmonised standards for accessibility drawn up and approved by the EU institutions, which in turn will be based on the European standard based on M/376.

Disappointingly, the presumption of “accessibility” appears to be based only on compliance with tick box criteria (rather than say, user testing, as recommended by the British Standard BS8878). However, as I note above, it is difficult to legislate for subjective assessment.

The proposed directive is intended to sit alongside the proposed European Disability Act, which will address the accessibility of goods and services, including ICT.

As a directive, the new laws will need to be locally implemented in each member state. The Commission’s current timetable envisages the date for these laws coming into force as being 30 June 2014.

Whilst the transitional arrangements are not yet clear, public sector bodies looking to update their websites over the coming year should bear in mind the likely new laws and accessibility requirements when developing their technical requirements specifications.

For many, this should not require a huge change in approach, as WCAG level AA conformance has been a UK Government recommended standard for several years now. However, if the directive is passed then that obligation will now be part of a clear legal framework.

Martin Sloan

Hurricane Sandy highlights the importance of effective IT business continuity planning

We’ve blogged on several occasions about the importance of business continuity and disaster recovery plans – most notably about the impact on global supply chains following the giant ash cloud caused by the eruption of Eyjafjallajoekull in 2010.

I was surprised at the impact that Hurricane Sandy had on the Internet earlier this week, with several major websites (including the Huffington Post, Gizmodo and Gawker) being knocked offline for several hours as a result of flooding and damage on the east coast of the United States. According to reports, a data centre lost power as a result of a battery failure caused by flooding.

Using third party data centres and IaaS vendors can provide a way of mitigating some of the risks of business interruption. Cloud providers are often better placed to manage these risks as they often operate multiple data centres which should, in theory, mitigate the impact of a single event. But in this case, for whatever reason, that hasn’t happened.

For the websites affected by Hurricane Sandy, that downtime will have led to a substantial loss of advertising revenue across the globe. Assuming that the hosting company has otherwise complied with its contractual obligations, it’s unlikely that the website operators would be able to recover any costs from the hosting company as the hosting company will likely claim relief under the force majeure provisions in its contract.

Geographic separation
When assessing your business continuity arrangements (and those of your suppliers), it’s therefore important that one of the things you review is the proximity of any back-up facility to the primary site. Events such as tropical storms, earthquakes, power failures and civil unrest can affect a large area, meaning that multiple data centres on either side of a single conurbation could easily be affected.

As one person I follow on Twitter said, what will happen to the Internet when the Big One finally hits California?

And it’s not just the data centre location that you need to think about.

I once heard a tale about an organisation who used two telecoms companies to provide physically separate telecoms links between its primary office and its data centre elsewhere in the city. All was well until roadworks took place on a bridge over a river. Whilst each company used physically separate cables between the premises (including separate points of exit and entry), it turned out that the bridge in question was a single point of failure – both companies had chosen to route their cables across the river using the same bridge – and a single jack hammer blow took out both links.

OFT finds that websites are continuing to fall short on consumer protection laws

The Office of Fair Trading (OFT) has recently published the results of its annual survey of over 150 websites to check whether or not they complied with consumer protection law.

The survey, which included the 100 top online retailers and most popular clothing sites, had some interesting results.

Key areas of non-compliance
Amongst the areas of concern, the OFT noted the following:

  • 33% of sites that provided information on returns placed unreasonable restrictions on consumers. For example, by only accepting returns in their original packaging.
  • The law – under the Consumer Protection (Distance Selling) Regulations (which apply to most contracts “concluded at a distance”, for example over the Web or by phone/mail order) consumers have the right to inspect the goods that they have purchased and have a seven working day ‘cooling off period’ in which they can return the goods, though there are some exceptions to this, such as where the goods are perishable or customised. If goods need to be returned in their original packaging, un-opened, then it is difficult for consumers to inspect the goods to check if they are fit for purpose. It’s also important that the return period runs from the correct date, and isn’t subject to other unreasonable conditions.

  • 62% of sites had no email contact address.
  • The law – the E-Commerce Regulations set out certain information that websites should contain, such as the registered or principal office of the organisation, its VAT number, if UK VAT registered, and a contact email address.

  • 24% of websites notified consumers of unexpected additional charges at checkout.
  • The law – The reach of the Advertising Standards Agency (ASA)’s remit now extends to advertising and promotions on an organisation’s own website. One of the main consequences of this is that pricing information should comply with the ASA’s CAP code – in particular, pricing should be transparent and not misleading. Websites should display total prices payable – if you can’t opt out of a charge then it’s not additional. Similarly, if most of the customers of a website pay VAT then prices displayed should be VAT-inclusive. For more information on ASA’s advertising rules see this earlier TechBlog post.

Website health check
The survey did show that the general awareness by website operators of their basic legal obligations in relation to trading online is improving. 

However, while the survey is a useful indicator of compliance with certain aspects of the law, it focussed only on the “fair trading” aspects of consumer protection law. It doesn’t look into some other key areas of legal compliance – for example what organisations do with the personal information of their customers.

Fair trading rules are just one aspect of a wider matrix of rules applying to trading online. The problem is that there are a lot of different aspects to website compliance and these will vary depending on whether or not the site is a trading website or whether it deals with consumers rather than businesses. Knowing exactly what is required can be complicated.

Brodies can help by carrying out a health check of your website, to audit its compliance with the key legal requirements and recommend changes that you should make to comply with the applicable laws. If you are interested in this, please get in touch.

Leigh Kirktpatrick

CNIL v Google – one directive and 27 data protection laws

Today’s announcement from the French data protection regulator, CNIL, highlights one of the problems with the current European data protection regime for businesses that operate across the EU.

One data protection directive; 27 data protection laws
Whilst European data protection laws are derived from a single EU-wide directive, implementation of those laws is done at a national level, with each country having its own data protection regulator. This means that some countries have a more onerous implementation than others, and/or have a regulator that takes a more pragmatic approach than others. Or to put it another way, some countries are more business friendly than others.

These variations cover issues ranging from rules on international data transfers (the UK implementation of the directive is noticeably more business friendly as it permits data controllers a degree of discretion in determining whether or not a proposed outsourcing arrangement provides sufficient guarantees in relation to the protection of personal data) to data subject consent (the UK ICO embraces the concept of “implied consent” (in particular, in relation to information collected online), whereas other member states reject that concept).

This means that businesses trading across Europe are being given mixed messages as to what is expected. Witness the recent issues with businesses grappling with different national implementations of the cookie law to see the sorts of problems that this can cause.

In relation to Google’s new privacy policy, the Article 29 Working Party (a grouping of representatives from each of the national data protection regulators) agreed to collaborate on a single response to Google, rather than provide Google with 27 different responses.

From a data controller’s perspective, that is to be welcomed.

However, it’s interesting that it is the French data protection regulator that led this investigation. French data protection laws (and the French regulator) are considered to be more onerous than those in many other member states, and CNIL has historically led the complaints against Google’s new privacy policy.

Whilst CNIL’s decision is apparently endorsed by all the national EU data protection regulators (with the exception of Greece, Romania and Lithuania), the approach is very much consistent with what might be expected by CNIL under French data protection law. Had the investigation been led by another data protection regulator then the report may have been different.

Does this matter? Well yes – if the effect of the report is that a national data protection regulator’s requirement is more onerous than the requirements under the national data protection laws in a particular member state (or that regulator’s previous guidance and practice), then the data controller may feel a bit aggrieved.

Will this change under the new data protection regulation?
Ultimately, these problems arise because of the different approaches in each member state. Under the proposed data protection regulation this is likely to change. In particular:

  • The new laws will be set out in a regulation, not a directive. That’s important as a regulation has direct effect under EU law and does not need to be implemented nationally by each member state. This means that there will not be any variations between member states in relation to the statutory laws.
  • A requirement for explicit consent to the processing will apply (it cannot be implied). This should help ensure that organisations take a common approach to consent across the EU.
  • Data controllers operating in multiple countries will be able to elect a “home” regulator, rather than be subject to up to 27 different regulators. Issues raised by data subjects in other member states will be referred for resolution by the data subject’s data protection regulator to the home regulator of the data controller.

This last point is directly aimed at ensuring that the processing activities of a data controller are subject to a consistent approach across the EU.

Of course, the fact that there will still be 27 data protection regulators means that there could still be 27 implementations of the regulation, as each regulator will interpret the regulation in its own way. How will disagreements in interpretation of the regulation between the national regulators be resolved? Will we see a sink to the bottom where businesses choose as their home regulator the most business-friendly regulator (and if so, how will that regulator be funded)?

That remains to be seen. But I bet Google doesn’t choose CNIL as its home regulator.
