Digital Markets, Competition and Consumer Bill

The Digital Markets, Competition and Consumer Bill is expected to receive Royal Assent in Spring 2024. The Bill proposes several large-scale changes to the competition and consumer law regimes, including granting the Competition and Markets Authority (CMA) direct enforcement powers.

In addition to procedural changes, the Bill prohibits unfair commercial practices. These practices are defined as being those which would cause the average consumer to take a transactional decision they otherwise would not have taken as a result of a misleading action or omission, or an aggressive practice. Early indications from the CMA suggest that most enforcement action will target unfair commercial practices online, including drip pricing, misleading discounting practices, and urgency claims.

How could it impact your business?

Any businesses that trade directly with consumers, particularly those that trade online, will be affected by the changes to the consumer law regime. By granting the CMA direct enforcement powers the enforcement of consumer law becomes (from the perspective of the regulator) cheaper, quicker, and subject to less scrutiny. We predict that this change will lead to a ‘boom’ in consumer law enforcement.

Prior to the Bill becoming law, the CMA is already flexing its powers; it has launched several investigations into alleged infringements of consumer law and has outlined online selling practices as an area of strategic focus for the year ahead.

To assist the CMA with enforcement, the Bill introduces fining powers for breaches of consumer law of up to 10% annual group worldwide turnover, enhanced information gathering powers, and criminal sanctions for company officers who consented to, or were negligent to, the unfair commercial practices. If found guilty of the offence, officers could receive a personal fine, or up to two years imprisonment.

In addition to the CMA independently and randomly auditing websites for evidence of unfair commercial practices, the CMA website hosts a button whereby consumers can file complaints to the CMA independently - the likelihood that unfair commercial practices are identified is therefore high.

What steps should you take?

Businesses selling to consumers online should engage in a review of their online selling practices to ensure that they are compliant with the Bill and to avoid becoming the subject of a CMA investigation. Considering the significant potential sanctions for non-compliance, it is recommended that businesses act quickly to identify any risks presented by their current online trading practices and remedy them prior to the Bill coming into law.

In addition to a review of existing practices, businesses should review training given to sales teams and any policies regarding online trading practices to ensure ongoing compliance.

National Security and Investment Act

The National Security and Investment Act came into force in January 2022. Since it's introduction, the Act has been the culprit of holding up and disrupting many acquisitions.

As a result, the Government launched a Call for Evidence, with the aim of identifying “how the NSI regime can be even more business friendly while maintaining and honing the essential protections we need for our national security.” This consultation closed on 15 January 2024.

In response to the consultation, the Government is expected to consider the scope of the mandatory notification requirements, develop the guidance on how the Act works, and improve the notification and assessment processes.

How could it impact your business?

In order for any 'qualifying acquisition' of an entity in one of the 17 ‘sensitive areas’ to proceed, a mandatory notification must be made to the Government explaining the proposed transaction. The practical ramification of this is that many transaction timetables have been delayed.

The Government has made it clear that they do not intend to make any changes to the triggers for mandatory notification and, as such, it is likely that investors will have to continue to contend with the legislation.

However, it isn’t all bad news, as the Government is due to consider whether any targeted exemptions should be implemented, or if they can refine acquisitions caught by some of the ‘sensitive areas’.

What steps should you take?

The Government has approved the majority of mandatory notifications which have been made to date (reporting that 93% of notifications in the most recent Annual Report “have been cleared without needing a detailed assessment”).

As such, until changes have been made, the best way to protect against delays and disruption caused by this legislation is to consider whether a mandatory notification is required as soon as there is a ‘good faith intention to proceed’ and there is likely to be no further ‘material’ changes to the details of the acquisition (i.e. the new ownership structure or the percentage to be transferred).

If an acquisition is completed without compliance with the NSIA, the consequences can be severe. In these cases, the Government has the power to apply both civil and criminal penalties.

Standard Contractual Clauses

Under the UK GDPR, businesses cannot lawfully transfer personal data outside of the UK unless: (a) the destination country has been deemed adequate by the UK Government; or (b) the restricted transfer is covered by appropriate safeguards.

Details of the countries and territories currently covered by the ‘adequacy regulations’ can be found on the ICO’s website, here. 

Appropriate safeguards (also known as ‘transfer mechanisms’) include the UK’s International Data Transfer Agreement (IDTA) or an Addendum to the new standard contractual clauses issued by the European Commission under the EU GDPR on 4 June 2021 (known as the ‘new EU SCCs’). These new EU SCCs replace the previous set of EU standard contractual clauses issued by the European Commission under the ‘old’ Data Protection Directive (now known as the ‘old EU SCCs’).

Contracts that were entered into before 21 September 2022 in reliance on the old EU SCCs will only remain valid until 21 March 2024. If a restricted transfer will continue beyond this date, the relevant exporting and importing parties must implement a new contract on the basis of the IDTA or the Addendum (or look to an alternative safeguard under the UK GDPR).

(Note the new EU SCCs are not valid for restricted transfers under the UK GDPR on their own. They must be used in conjunction with the Addendum.)

How could it impact your business?

To date, any commercial contracts that were entered into prior to 21 September 2022, under which data is transferred to a non-adequate or ‘third’ country outside the UK, have been able to continue relying on the old EU SSCs to safeguard data. However, from 21 March 2024, the old EU SCCs cease to be valid, meaning data provisions need to be migrated to either the IDTA or new SCCs plus Addendum. Companies should therefore carry out a timely review of all relevant agreements, to check whether old SCCs have been relied upon and, if so, determine which mechanism will be most appropriate to replace them.

Contracts with third party suppliers are likely to be of particular concern and should be prioritised. Often suppliers use standard terms incorporating a Data Processing Agreement (DPA), which enables them to process data on behalf of the transferring controller. The DPA will set out any relevant transfer mechanism where the supplier is based overseas to their controller clients. If a supplier has not updated its standard terms, these may refer to the old SCCs, which will be invalid from 21 March. Such terms are often available on the supplier’s website for ease of review.

In addition, data protection policies should be reviewed by businesses to ensure that they do not refer to the old SCCs or otherwise suggest that the business continues to rely upon this soon outdated mechanism.

What steps should you take?

For existing contracts, (ignoring exemptions/other existing mechanisms) companies have two options:

• implement the International Data Transfer Agreement; or

• implement the UK Addendum alongside the new SCCs.

These mechanisms require additional action, including carrying out a Transfer Risk Assessment (TRA). A TRA tool and guidance is available on the ICO’s website.

Note that there are differences between the content of the IDTA and the Addendum + new EU SCCs. In contrast to the IDTA, the new SCCs incorporate the mandatory written terms between controllers and processors, such that a separate DPA may not be required between the transferring parties. A general review of all data clauses is advised if moving to the Addendum and new SCCs, as there may be inconsistencies.

Contract and data policy reviews should take place immediately to be effective from the deadline of 21 March 2024. Training may be required on how to use the new mechanisms and conduct transfer risk assessments.

If the old SCCs remain in contracts, international personal data transfers will not be adequately safeguarded and will therefore be unlawful. Businesses risk exposure to the usual consequences of non-compliance, including reputational damage, ICO investigation, monitoring and fines, together with individual private action concerning the mishandling of data.

Hague Convention on Recognition and Enforcement of Foreign Judgments

The UK’s withdrawal from the EU had a significant and detrimental impact on UK companies’ ability to have their judgments recognised and enforced in the EU (and vice versa). The Ministry of Justice therefore opened a consultation as to whether the UK should become a signatory to the Hague Convention on the Recognition and Enforcement of Judgments 2019. The response was overwhelmingly in favour. As a result, the Government has indicated that it will become a signatory to the Convention.

How could it impact your business?

Currently, whilst English judgments rendered before 31 December 2020 can still take advantage of the European regime, those issued after this date need to go through significant steps dictated by the relevant local law to have them recognised and enforced. This not only impacts the ability to enforce a judgment, but also to simply have it recognised by national courts (for example, to demonstrate that a national court should not re-litigate a matter that has previously been decided by the English court).

Becoming a party to the Hague Convention can only mean good news for UK businesses operating in the EU, who will then be able to benefit from a single, simplified process throughout the region. As the arrangements are reciprocal, EU companies will be able to benefit from a similarly streamlined process to have their judgments recognised and enforced in the UK.

It will not however happen overnight. Although the Government has indicated that it will sign up to the Convention as soon as possible, legislation will then need to be enacted to ratify the Convention within the UK and it is anticipated that it will come into force 12 months after ratification.

What steps should you take?

UK or EU companies with potential claims in the corresponding region may wish to delay bringing claims until after ratification so that they can benefit from this more efficient procedure. Before doing so however, care must be taken to ensure that delaying does not fall foul of any relevant limitation periods.

Green Agreements Guidance

The Competition Markets Authority (CMA) recently published the Green Agreements Guidance. Designed to provide companies with greater clarity when entering into green collaboration agreements, the guidance provides a framework for how your business can legitimately engage in cooperation with competitors to combat climate change.

The guidance reflects the CMA’s wider strategic objective to promote sustainability whilst protecting competition and is a supplement to existing guidance on horizontal and vertical agreements previously issued by the CMA.

The guidance covers all environmental sustainability agreements, defined as agreements between competitors, or potential competitors, that aim to prevent, reduce, or mitigate the harmful effects of economic activities on the environment or assist with the transition towards sustainability. This marks an important area of divergence from similar guidance issued by the European Commission in June 2023, which allows for inclusion of wider societal objectives, such as working conditions and respect for human rights within agreements.

How could it impact your business?

The guidance is likely to impact the content of corporate sustainability and ESG policies, green collaboration agreements and projects, and how businesses make decisions in relation to net zero commitments. It presents greater clarity on how businesses may collaborate with others, setting out clear examples of what may, or may not, be considered permitted by the CMA.

However, the guidance remains vague in some areas and penalties for non-compliance are high, for example, the CMA can issue fines of up to 10% of annual group worldwide turnover on all entities involved.

What steps should you take?

As the guidance is already in place, it is recommended that businesses review their existing ESG/Green collaboration agreements and policies to ensure they are compliant, particularly those which may have been signed off by European-based compliance teams. If any areas of uncertainty are identified, businesses should seek advice on whether the agreement is exempt or requires further Competition Law analysis.

If required, the CMA’s open-door policy offers businesses the opportunity for constructive dialogue with the regulator relating to green agreements. Given that ESG is a high-growth area, particularly considering the introduction of the Corporate Sustainability Due Diligence Directive in the EU, businesses may wish to roll out training and guidance to in-house legal and procurement teams, to ensure agreements are compliant with the guidance.

Landlord Withholding Consent to Alterations

The recent High Court case of Messenex Property Investments Ltd v Lanark Square Ltd [2024] held it was reasonable for a landlord to refuse consent to alterations, where structural engineer’s drawings and an unqualified undertaking for costs were requested and a tenant failed to provide them.

In this case, the tenant applied for consent from the landlord in accordance with their lease to add three floors to a building and convert the ground floor from business to residential use after planning permission was obtained in April 2020.

Due to the major works proposed, the landlord requested preliminary and final architectural and structural engineer’s drawings showing the extent of the works as a condition of consent. Discussions continued until March 2023 when the Tenant issued proceedings alleging the landlord had unreasonably withheld consent.

The High Court decided the Landlord could reasonably withhold consent on the following grounds:

• The tenant’s failure to provide structural engineering drawings; and

• The tenant’s failure to provide an unqualified undertaking for the Landlord's reasonable costs.

How could it impact your business?

The decision reinforces that a landlord’s reasonable costs must be covered when requesting consent to alter. Any budget for carrying out alterations should include an allowance for those costs.

Tenants should be alert that a landlord can impose reasonable conditions on consent being provided for works which do not need to be provided for in your lease. Where a landlord imposes additional conditions on consent, consider taking advice as to whether any condition is reasonable and needs to be complied with.

Landlord consent may be required for a planning application to be made. If planning is being/has been obtained, be mindful of engaging with a landlord early enough that consent can either be obtained, or an application to court for deemed consent can be made ahead of planning permission lapsing.

What steps should you take?

If you are a tenant intending to carry out works, engage with the landlord early on any conditions for consent so any delays with procuring specialist advice can be factored into the works’ programme. This may require professional drawings and specifications and engineers’ reports. You may need to request collateral warranties in favour of a landlord where structural or major works are intended and subsequent insurance valuations could be required before a landlord will insure those works.

If you believe that a condition imposed by the landlord is unreasonable you should seek advice as soon as practically possible.

Introduction to AI Assurance

On 12 February, the Department for Science, Innovation & Technology released a report outlining an introduction to Artificial Intelligence (AI) Assurance. This follows the white paper released by the Government in March 2023.

The report highlights the importance of AI Assurance and offers practical guidance for organisations, as well as Regulators, bringing together various considerations to help them develop and deploy responsible AI Systems.

A copy of the AI Assurance report can be found here.

How could it impact your business?

AI brings unprecedented opportunities for businesses and society. However, the benefits also come with risks for any organisation that implements the technology.

In addition to demonstrating compliance with any existing and future relevant legislation, AI Assurance is a crucial component of an organisations’ wider risk management when developing, procuring, and deploying AI systems. As such, AI Assurance should be a main priority of any business who is looking to implement AI.

What steps should you take?

Whilst the document notes that ‘AI assurance is not a silver bullet for responsible and ethical AI’, the report provides 5 key steps to further develop AI assurance understanding and capability:

1. Consider existing regulations (for example, the GDPR and Equality Act);

2. Upskill within your organisation (any organisation is likely to be held back without specific knowledge about the technology). There are options, such as the Alan Turing Institute, which provide training workbooks on AI governance;

3. Review internal governance and risk management (internal governance processes should be assessed and amended to ensure that are ready for the new technology as these will form the foundation of any policies moving forward);

4. Look out for new regulatory guidance (The ICO has previously developed guidance on AI and data protection with further guidance expected soon); and

5. Consider involvement in AI standardisation.