The Trading Bulletin | December 2024

Welcome to our Trading Law Bulletin, where we share the latest developments on data protection, financial services, health and safety, environmental issues, and marketing.

Data protection updates

ICO priorities

2024/2025 priorities are: AI governance, online tracking and protection of children's data.

Data (Use and Access) Bill Introduced to Parliament in October

The Data (Use and Access) Bill, which was introduced to Parliament on 23 October 2024, aims to enhance the secure and effective use of data for the public benefit without imposing additional financial pressures on the UK. One aspect the bill touches on is cookies, with the user's consent for non-intrusive cookies no longer being required when a user visits a webpage. This comes as part of the government's efforts to streamline the current consent mechanisms for cookies, reducing repetitive consent requests for users and providing additional clarity on data controllers' interaction with user data. The bill casts a wide net, implementing changes for special category data, the provision of digital identities and a wide gamut of data-related subjects. Potentially the most significant aspect of the Bill (which is rather under-reported) is the "smart data" or "open data" provisions. The aspiration here is to create a replica of the "open banking" / Payment Systems Directive II environment but for "consumer data" more generally. The detail of the smart data requirements will be in regulations made under the primary legislation, so at present it is difficult to see how wide-ranging these provisions will be, but it has the potential to be a very significant regulatory intervention and is worth following for its potential impact on anyone processing "consumer data".

For more information, see gov.uk and UK Parliament.

ICO launches guidance on using AI for recruitment

The Information Commissioner's Office (ICO) has published considerations for organisations that wish to integrate AI into their recruitment processes. The considerations include ensuring that any organisation, as a data controller, provides transparent information to candidates about how any AI system that interacts with their data will be utilised by the organisation. The ICO also recommends that AI tools engaged in the recruitment process are trained to minimise biases and to process the personal information of applicants fairly.

Information on the ICO's considerations can be found here.

New Tool Released to Evaluate Privacy Enhancing Technologies

The ICO and Responsible Technology Adoption Unit (RTAU) have introduced a practical tool to help organisations evaluate potential benefits and challenges of adopting Privacy Enhancing Technologies (PETs) into their workflow. PETs are designed to enhance organisations' capacity to analyse data without compromising individuals' privacy; tools such as homomorphic encryption and differential privacy are among the analytics tools considered to be PETs. Take-up of PETs has, however, been slow due to difficulties in understanding how they work and related cost implications. The ICO and RTAU's tool, combined with their checklist, aims to help demystify PETs for organisations seeking an efficient way to analyse data.

Further information can be found here.

Cyber Security and Resilience Bill

The new government announced its intention to introduce a Cyber Security and Resilience Bill in the King's Speech, which is likely to introduce long-awaited updates to the Network and Information Security Regulations (NIS). This bill is expected to focus on expanding cybersecurity measures, especially in sectors managing sensitive data or critical services. We can expect: support for a more proactive approach by the regulators, expanded reporting requirements (such as the need to report on ransomware attacks), cost recovery measures, expansion of scope to include managed service providers such as IT outsourcing services, and the power for the government to expand the scope of regulation to other services as it sees necessary.

UK Cybersecurity Regulation: what's next?

Financial Services Updates

Appointed Representatives

Retailers are often Appointed Representatives (ARs) that carry out regulated financial services activity under the responsibility of an authorised firm, known as a principal firm. If retailers are directly authorised, they may be responsible for their own ARs. The Financial Conduct Authority (FCA) is actively investigating how principal firms monitor their ARs. Enhanced AR rules came into effect from December 2022, and recently the FCA published the findings of its review of how well these rules are being adhered to. Principal firms with ARs should ensure they have assessed their existing processes in response to the new rules and have sufficiently documented any revisions. ARs should be aware of the rising expectations on their principal firms and can expect greater scrutiny of their activities from their principals.

FCA focuses on vulnerable customers

Vulnerable customers continue to be a focus area for the FCA. A recent speech by the FCA's director of competition, Graeme Reynolds, to the wealth management industry (but of wider relevance) emphasised that 'vulnerability' is not simply a buzzword and advised firms to prioritise:

  • Identification of vulnerable customers. For example, processes to recognise those who may need more help, or where a service may not be meeting customer needs.
  • Support and understanding of vulnerable customers including clear, easily understood communications and promotions so people can make informed decisions, tailoring them where necessary.
  • Well-trained, empathetic client service that appreciates vulnerabilities aren’t fixed, that circumstances change and that firms might need to adapt, too, as a result.
  • Monitoring and evaluation of service outcomes including data evaluation and collection.

Secret commission - case law update

The Court of Appeal's recent decision in the secret commission motor finance case Johnson v FirstRand Bank Ltd [2024] EWCA Civ 1282 caused a shock in the credit broking market by analysing the obligations of lenders and brokers in disclosing the existence of commission agreements to the consumer. This case is of relevance to credit broking retailers in the motor industry and beyond who may receive commissions for making introductions to lenders. The case found that a broker breaches its fiduciary duty to the borrower by accepting the lender’s payment of commission unless there was sufficient disclosure to procure the consumer's fully informed consent. Credit brokers must tread carefully and ensure that they respect the fiduciary relationship between broker and customer, as well as review disclosure of commission throughout their customer journey to ensure that the standard of fully informed consent is achieved.

Health & Safety/Environmental Updates

HSE continued focus on mental health

During stress awareness week, which took place from 4 November-8 November, HSE reiterated to employers that they have a legal duty to prevent work-related stress and support good mental health at work.

See further resources here.

Martyn's law

Martyn's Law (the Terrorism (Protection of Premises) Bill) has had its first and second reading in Parliament. It has received cross-party support; however, there remained concerns over the calculation of capacity and the appropriate capacity figure for the standard tier.

See the second reading transcript here.

FSA Consultation on Allergens

The FSA has recently run a consultation on best practice guidance for allergen information for non-prepacked foods. The draft guidance will increase the burden on food retailers, requiring written allergen information to be made readily available and requiring that staff can support this with a conversation.

See the draft best practice guidance here.

Further guidance for higher-risk buildings

Retailers caught by the Building Safety Act 2022 updates in relation to higher-risk buildings (those at least 18 metres in height or with at least 7 storeys, and containing at least 2 residential units) have certain obligations in relation to maintaining a golden thread of information about such buildings.

The Construction Leadership Council has published new guidance for duty holders and accountable persons to help them better understand what this entails.

See the guidance here.

EU to prohibit sale of products made using forced labour

The EU have demonstrated their commitment to removing forced labour from the supply chain by adopting a new regulation which prohibits the placing and making available on the EU market, or the export from the EU market, of any product made using forced labour. The regulation will enter into force on the day following its publication in the Official Journal of the European Union and will apply three years after the date of entry into force.

See the release here.

Marketing Updates

The State of UK Competition Report 2024

The CMA has published its third report on the state of UK competition. This aims to provide an analysis of competitor and market power across the UK economy and examines how competition in the UK has changed over recent years.

Key findings of the report include:

  • Cost mark-ups, one measure of market power analysed by the report, have risen by roughly 10% in the UK over the last 25 years; and
  • Business dynamics, measured by the rate at which businesses enter the relevant market and displace others, have declined in 2024 (with the exception of the transportation, storage & wholesale, and retail sectors).

See the full report here.

CMA issues finalised advice for trade recommendation sites on how to stay on the right side of the law

The CMA has produced compliance advice for trader recommendation platforms, clarifying their legal obligations with the aim of promoting compliance with consumer law. The advice sets out six principles and examples of 'dos' and 'don'ts'.

A useful summary of the advice can be found here.

The ASA launches larger piece of work on mid-contract price increases

In six recent rulings, telecommunications companies have been challenged for the method by which they notify their customers of mid-contract price increases and their failure to clearly identify that their broadband contracts would be subject to such increases. This is especially important with the implementation of the Digital Markets, Competition and Consumers Act this year, which provides further rules around the presentation of pre-contract information, with potentially severe consequences if businesses fail to comply with them.

Details can be found here under related rulings.
