Hello and welcome to the Pinsent Masons podcast, where we try to keep you up to date with the most important developments in business law around the world every second Tuesday. My name is Matthew Magee, I'm a journalist here at Pinsent Masons, and this week we look at the data protection implications of the machines in our home, listening to us, and analyse a shift in how E money might be regulated in the UK. But first, here's some business law news from around the world:
Employers must address Middle East mental health duties proactively, say experts.
Withdrawal button rules set to impact e commerce in the EU and
UPC patent ruling offers guidance on the court's reach.
International businesses operating in the Middle East have been advised to review their approach to employee mental wellbeing to ensure they comply with increasingly stringent legal obligations in the region. The recommendation was made by Pinsent Masons experts at a recent event on workforce resilience in times of uncertainty in the Middle East. Those experts say that employers across the UAE and the Kingdom of Saudi Arabia are facing a growing convergence between mental health and employment law compliance. In the UAE, the Labour Law imposes an obligation to protect employee health, safety and welfare, expressly prohibiting psychological abuse, harassment and bullying and requiring employers to maintain a safe workplace culture. The experts said that while the issue of employee mental wellbeing was once regarded as a stand alone issue for HR officers to manage, requirements related to mental health have since become firmly embedded in legal frameworks in each jurisdiction, requiring an organisation wide response.
New rules requiring e commerce platforms to make it easier for consumers to withdraw from online transactions have taken effect in the EU. Under the Consumer Rights Directive, consumers already benefit from a 14 day right of withdrawal for distance contracts, allowing them to cancel a purchase without giving reasons. However, the implementation of amendments to that directive will take this one step further. Platforms that conduct contracts via an online interface, such as a website or app, will be required to implement a dedicated withdrawal function. Most EU countries have already transposed the rules into national frameworks, but the changes took effect from the 19th of June. The new withdrawal function complements, rather than replaces, existing withdrawal methods such as standard withdrawal forms.
The Unified Patent Court has recently provided important clarification about how far its powers can reach beyond its own member countries. The guidance was provided by the UPC’s Court of Appeal in a landmark decision in which it overturned an injunction that had banned Kodak from selling a product in the UK market. That injunction, issued by the Mannheim Local division of the UPC last summer, was granted on the basis that Kodak had infringed Fujifilm’s European patent enforcing the UK, a finding it reached despite the fact that the UK does not participate in the UPC system. The guidance confirms that the UPC can, in some cases, extend its decisions to cover activities outside UPC countries. However, it also makes clear that there are limits, and it sets out when judges are likely to use these powers.
Our domestic and working lives are now full of machines that listen to us, that follow our keystrokes and mouse clicks, that know where we are and what we're doing. At some level, we all know and understand this. We've all clicked accept in the app to get a new device working. But perhaps not many of us understand quite how full the picture of our lives is that tech providers have assembled, nor the degree to which this data has a monetary value to them. That's the concern of UK data protection regulator the Information Commissioner's Office, or ICO, which is why it's produced new guidance for companies making or operating Internet of Things products, things like smart TVs, sophisticated toasters or wearable devices. There hasn't been a change in law, but there is what seems like a renewed focus on empowering consumers and encouraging them to take control of their data, says London based data protection expert Malcolm Dowden. But first he told me what we're talking about. What information do these machines actually collect?
Malcolm Dowden: Well, an increasing range of domestic appliances collect data. Essentially anything that's referred to as a smart device is going to be collecting data not only about the householder, but crucially about other members of the household. And that can be really in three categories. It is firstly what's called provided data, and that's information that is consciously given to open an account. For example, your name, your e-mail address, your bank account details. We then have observed data, and that is data that's picked up by sensors that is recorded by the device, and that can cover things like the time of day at which the device is being used, the length of time for which the device is being used, and in some cases, the purpose for which it was being used. And that brings us to the third category, which is called inferred data and that's really where the pattern of use of a device begins to build up a very rich profile of the users in terms of, for example, their state of health, their interests, their shopping patterns, their consumption patterns, and all of that data is subject to analysis and is at least potentially available for monetisation.
Matthew Magee: Malcolm says that ultimately people have, like themselves, be observed in their most private spaces and don't seem that bothered by it.
Malcolm: This is entirely current. It is in no way theoretical. We've had, over a number of years, instances of home assistants like Alexa being used to trigger purchases of items. We've had profiles that have been derived from smart devices being used to fuel direct marketing campaigns. We've had profiles of users and their households being packaged up for social analysis, social engineering purposes. The big difference, in a sense, is that householders have allowed what are essentially sophisticated surveillance devices into their homes, being either unaware or, for reasons of convenience, unconcerned about the hinterland of data use that lies behind them.
Matthew: But that doesn't mean they shouldn't be protected. So there are already laws governing how that data is collected and used.
Malcolm: From a UK perspective, the collection, the use, the deployment of data is governed by two main bodies of law. The first is UK GDPR, that is data protection law. The second is the Privacy and Electronic Communications Regulations 2003. We refer to that as PECR and that's colloquially known as the cookie law. That is the bit of law that defines and governs the right and the ability of organisations to place information on a user's terminal device or to access information from that terminal device. That is how organisations are able to track to gather information about a user's behaviour, to analyse that data and to deploy it for various commercial purposes.
Matthew: And what kinds of restrictions, broadly speaking, do those two laws place on companies when dealing with this information?
Malcolm: Perhaps the most stringent restriction that's placed by the law is in relation to cookies. And unless an organisation can fit within a very narrow exception called soft opt in, consent is required for the placing, the firing and the deployment of cookies or any other online tracking technology. And that consent is required to be of GDPR standard. That means it should be freely given, fully informed and specific. That, in turn, means that the organisation that's looking to track behaviour must give genuine choice and must give full, understandable information.
Matthew: But now the Information Commissioner's Office wants to tighten controls over the data. In fact, it wants companies to design products and services differently right from the start, says Malcolm.
Malcolm: And so what's changed now is the degree of focus that the ICO, the UK data protection regulator, is bringing to bear on this issue. They've explicitly recognised in updated guidance and an associated blog that manufacturers of any smart device must build privacy in from the very beginning of the design process. It is an ICO requirement that manufacturers implement privacy by design. So the first question that manufacturers and their suppliers have to address is what are their respective roles within data protection law? And those roles classically can be controller, which is the organisation that determines the purpose and means for and by which personal data is collected and processed. The controller is obliged to provide clear and fully understandable information to the user about what data is being processed, what purposes it is being collected for, with whom it will be shared, how long it'll be stored, and what lawful basis is relied upon by that controller for processing that data.
Matthew: So there's a change in mood at the UK regulator at the same moment when collection of data by the machines that surround us is ever growing. But what can the UK regulator do about it? Does it have the power to compel some of the world's biggest hardware and software companies to change? Not on its own, says Malcolm. But that doesn't mean not at all.
Malcolm: The issue for any single country's regulator is, of course, that these products are manufactured and sold on a global scale. Smart TVs are not manufactured in the UK just for the UK, so there is an increasing body of, if you like, regulatory consensus among the European Union supervisory authorities. The UK, although since Brexit a separate entity and body of law, adheres quite closely to EU approaches to smart data and smart devices. So from that perspective there is at least a European wide enforcement approach.
It's always important to remember that enforcement under data protection law can include enforcement notices that require controllers like manufacturers to take specific steps or to refrain from taking specific steps, and those measures can extend to what are called stop orders. In other words, ultimately, data protection enforcement could amount to market deprivation for manufacturers with a clear ongoing pattern of non compliance.
Many of us have a number of money apps on our phones and you might think a euro is a euro, a pound is a pound, but the chances are at least some of those cash numbers whizzing around your apps is E money, a more lightly regulated cash backed way of, for example, sending money to friends or getting travel money. The most famous example is probably Revolut. UK financial services regulator, the Prudential Regulation Authority, or PRA, is a bit worried though about the fact that consumers don't always know what is E money or stablecoin, another digital payment type, and what is traditional cash in the old fashioned banking system. So it's made some recommendations. But to start with, London based financial regulation expert David Heffron told me what E money and stablecoin actually are.
David Heffron: E money is electronically stored monetary value that represents a claim on the issuer. So it's essentially a prepaid value. The customer gives money to the issuer, it receives E money in return, and then uses it for payments or other transactions. The important distinction is it's not a deposit. And why is that important? It's important because E money doesn't benefit from what we would know as FSCS protection. So that's Financial Services Compensation Scheme protection. And it's not just to regulated stablecoins, which are also emerging as another form of digital money. Stablecoin operates slightly differently, backed by certain types of assets, but it's the asset backing which is the critical bit and different to the E money.
From a customer's perspective, they both look like cash, so they look quite similar. So what we've got here from the PRA is a letter which is highlighting why they think the distinction between E money, regulated stablecoins and deposits on the other hand are important from a prudential regulatory perspective.
Matthew: The use and movement of old fashioned cash, whether folding money handed over a bank counter or numbers flickering in your banking app, is highly regulated and it's also protected by the Financial Services Compensation Scheme. If your bank was bust, you get your money back up to £120,000. E money is more lightly regulated, so it's easier to set up as an issuer and you have lower ongoing compliance costs. But because it's more lightly regulated, it doesn't get the same protection. E money is not covered by the compensation scheme. The trouble is, says the PRA, if consumers don't know the difference, then a problem in a less regulated area such as E money can bleed into the highly regulated area such as mainstream banking. And we saw in 2008 the disastrous consequences of a sudden loss of confidence in retail banking. They've called the risk E money contagion.
David: Contagion means loss of confidence spreading across different forms of money. So PRA scenario is bank offers deposits. What the PRA is highlighting, I think, is that contagion is behavioural. It can happen very quickly. And then once it starts, it's very difficult to reverse. You know, if there's lots of confidence in the bank because stable coins issued by it were losing value, that might mean that the bank's reputation in the market is tainted and people might go and start withdrawing all their money and once they start withdrawing all their money, then that causes, you know, contagion and wider issues in the banking system as a whole.
Matthew: So what is the PRA’s solution to stopping the contagion? Clearer separation of E money and traditional money, says David.
David: I think the PRA’s position is clear and quite deliberate that where banks want to engage with stable coins and E money, they must do so in a way that doesn't undermine confidence in deposits. I think that translates into three key expectations. Separation of entities issued by a non deposit taking insolvency remote entity, clear differentiation. So branding, naming, user experience must make it obvious that it's not a bank deposit and that it doesn't carry the same protections. And as always with the regulator outcome focused supervision, the PRA is not prescribing exact structures, but it will look at the overall customer experience to judge whether there's confusion risk. So importantly, I think disclosures and warnings are low, not sufficient. So it's how firms go about, you know, developing their business models where they want to use different forms of money in a way that addresses the regulator's concerns.
Matthew: David says it's clear what financial services companies need to do.
David: First, they need to be deliberate about their model. Banks may need to choose how they deal with digital money as we go forward, but where they don't use stable coins, they need to be issued from outside the bank. The second is to get the structure right early, say a separate legal entity, insolvency remote, clear governance and risk containment. And the third is really just design for clarity. Avoid deposit like branding and think carefully about how those products appear within apps and wallets. Also assess risk frameworks. So, you know, there'll be new risks that come as a result of stable coins in particular, you know, liquidity dynamics, reliance on underlying assets. So there's a shift happening, payments innovation is happening, what does all that mean for the overall bank operating model.
Thanks again for joining us, for listening, hopefully for sharing with people you think it might be relevant to, and maybe even reviewing and rating wherever you get your podcasts. Remember, you don't have to wait to hear from me every second Tuesday. You can check up on what's happening in your bit of the business law world at any time from our team of specialist reporters all over the world at pinsentmasons.com. And you can sign up to get a personalised version of the news every week at pinsentmasons.com/newsletter. But for now, thanks for listening and goodbye.
The Pinsent Masons podcast was produced and presented by Matthew Magee for international law firm Pinsent Masons.
We recommend upgrading to the latest Chrome, Firefox, Safari, or Edge.
Please check your internet connection and refresh the page. You might also try disabling any ad blockers.
You can visit our support center if you're having problems.