Recent regulatory developments
In this section we discuss recent regulatory developments, explore what these changes mean for businesses and the regulatory landscape, and answer some frequently asked questions
The EU AI Act has been formally approved by the Council as of 21 May 2024. It's a regulation that needs no introduction as its progress has been closely tracked, with the protracted negotiations between the EU's legislative institutions thoroughly reported.
In addition to balancing the interests of various stakeholders, EU lawmakers also had to scramble to revise the draft legislation to provide specific rules for "general-purpose AI models", which stormed into public consciousness in November 2022 with the release of ChatGPT.
The Act will shortly be published in the EU’s Official Journal and is likely to enter into force in August of this year. There is a graduated approach to delivery, eg six months after entry into force (ie by around February 2025), Member States must phase out prohibited systems; and within 12 months (summer 2025), obligations for general purpose AI models will come into play. Then, within two years of the AI Act coming into force, all rules will apply, save for certain classification rules for “high-risk” AI systems, which will come into effect 36 months after entry into force. For a more detailed discussion of the AI Act, see here.
What impact has it had?The Act is likely to have global impact. It aims to protect EU citizens and therefore it applies in a targeted way. That means those making their AI systems available in the EU will be caught, no matter where they are based.
Those developing AI models and systems and contemplating engagement with the lucrative economic EU market will already be thinking about the purposes for which their system will be used and the risks relevant to that use. They will also likely be seeking to understand and comply with their obligations under the AI Act.
ConclusionGiven that the AI Act is much closer in terms of its implementation timeline and provides a more tangible framework compared with the UK's regulator-led, principles-based approach, many providers and deployers in the UK will be seeking to comply with the AI Act.
It is also likely that contracts between providers, deployers, distributors, importers and product manufacturers, will be drafted to comply with the AI Act, and may start to be replicated widely on a global basis. In other words, contracts drafted with the AI Act in mind may become the industry standard.
The AI Act will be pored over in the coming weeks and months. While it arguably provides certainty, only time will tell whether it contains the flexibility to accommodate the fast-paced technological developments occurring in the field of AI.
Give your views on the impact and challenges of AI regulation in our anonymous regulatory outlook survey. Complete the survey >>
Compliance with specific AI regulations or regulatory framework(s)
Data privacy and protection
Ethical considerations
Transparency and accountability of AI systems
Other
Ricky CellaSenior Associate+44 7895 301115ricky.cella@rpc.co.uk
Joshy ThomasKnowledge Lawyer+44 7927 578065joshy.thomas@rpc.co.uk
As the digital age advances, so does the sophistication of cyber threats. In response to this escalating challenge, the EU is set to introduce proactive legislation – the Digital Operational Resilience Act (DORA). From 17 January 2025, DORA will transform the EU financial landscape, revolutionising cybersecurity norms across the region.
The creation of DORAIntroduced on 16 January 2023, DORA was born out of the need to shield financial institutions from the increasing prevalence of cyber attacks. Its primary objective is to ensure these institutions have robust recovery capabilities in place to counteract potential cyber threats. This is achieved by mandating the implementation of comprehensive security measures and protocols.
DORA's applicationDORA’s influence is far-reaching. It extends to all financial institutions within the EU, as well as those outside the EU that engage with EU financial institutions. This includes banks, insurance companies, investment firms, and even cryptocurrency exchanges. DORA also establishes a framework for critical ICT third-party service providers. This could encompass large tech companies when they provide services to financial entities.
“Non-compliance with DORA could lead to significant repercussions.”
The importance of DORADORA requires financial institutions to have the following in place:
production systems: effective internal governance and control frameworks to manage ICT risks. This includes having policies and procedures that identify, measure, manage, and report ICT risks
resilience: robust technology to support incident response plans and address potential ICT risks. This means investing in technology and infrastructure to ensure the continuity of critical functions during adverse situations
auditing and management: regular testing of incident plans to ensure their effectiveness. This is crucial not only to demonstrate recovery capabilities to stakeholders but also to instil confidence in customers. DORA also mandates the reporting of major ICT-related incidents and significant cyber threats to competent authorities.
To streamline DORA’s complexities, the EU has introduced five “pillars” to simplify the legislation’s aims and objectives:
ICT risk management
incident response processes
incident reporting to resilience testing
third-party risk management
information sharing about cyber threats and vulnerabilities.
The purpose of DORA is to implement these pillars. Of particular interest to lawyers are the incident response process and third-party risk management. Incident response requirements are complex and mandate notifications to regulators within 24 hours of detection of a reportable incident. Third-party risk management expressly includes requirements as to the content of a financial institution's contracts with ICT service providers.
The consequences of non-complianceNon-compliance with DORA could lead to significant repercussions. Sanctions for non-compliance include fines of up to 2% of an organisation's total annual worldwide turnover or up to 1% of the entity's average daily turnover worldwide until the financial entity achieves compliance, with a long stop of six months.
The future of cybersecurityWith cyber attacks on the rise, it is perhaps unsurprising that the EU has ramped up legislation to protect and establish a harmonised framework across the financial sector. DORA aims to manage information and communication technology risks in a robust way. This will inevitably lead to some significant challenges for financial institutions and ICT service providers who will need to keep up. For those entities, planning should already be well underway because being clear as to compliance could take time.
Richard BreavingtonPartner+44 7748 366441richard.breavington@rpc.co.uk
Lauren KerrAssociate+44 2030 606775lauren.kerr@rpc.co.uk
Audits
External advice
External data sources
Internal stakeholder consultation
Reliance on team/own expertise
Structured risk mapping process
Technologies
HMRC has recently updated its guidance on the tax treatment of Double Cab Pick Ups (DCPUs) following the 2020 Court of Appeal decision in Payne & Others v HMRC [2020] EWCA Civ 889.
Payne concerned the classification of Vauxhall Vivaros and VW Transporter T5 Kombi vans for the purposes of income tax and national insurance contributions, and specifically whether the vehicles were "cars" or "vans" within section 115(1) of the Income Tax (Earnings and Pensions) Act 2003 (ITEPA 2003). The vehicles had been provided to employees for use in their work and for their own private purposes. The cash equivalent of the benefit of having been provided with a vehicle was treated as earnings from employment and taxed accordingly, with a corresponding charge in respect of national insurance. The classification of the vehicles was of importance because the cash equivalent of the benefit of a “van” and a “car” are calculated differently. In general, if a vehicle falls within the definition of a “car” the benefit and, as a result, the tax levied, will be greater than if it were a “van”.
The key question for the court in Payne was whether the vehicles fell within the definition of a "goods vehicle" in section 115(2) ITEPA 2003. The court found that whether a vehicle was a "goods vehicle" had to be determined by looking at its construction as a whole and establishing that the vehicle was first and foremost suitable for the conveyance of goods. On the court's analysis, neither the Vivaros or the Kombi vans were "goods vehicles", and they were therefore "cars" within section 115(1) ITEPA 2003.
Following the decision in Payne, HMRC guidance had confirmed that, from 1 July 2024, DCPUs with a payload of one tonne or more would be treated as cars rather than goods vehicles for both capital allowances and benefit-in-kind purposes. This was a departure from HMRC's previous approach of interpreting the relevant legislative provisions in line with the definition of "car" and "van" used for VAT purposes, which differentiated based on payload, with anything under one tonne classified as a car, and anything one tonne and over as a van.
HMRC also announced that transitional arrangements would apply for employers that had purchased, leased, or ordered a double cab pickup before 1 July 2024, allowing them to rely upon the previous treatment until the earlier of disposal, lease expiry, or 5 April 2028.
However, following feedback from farmers and the motoring industry, HMRC has now withdrawn that guidance, meaning that DCPUs with a payload of one tonne or more will continue to be treated as goods vehicles rather than cars, and businesses and individuals can continue to benefit from its historic tax treatment. The government has also announced that it will be legislating to ensure that DCPUs continue to be treated as goods vehicles for tax purposes and will consult on the draft legislation before introducing it in the next available Finance Bill.
What impact has it hadHMRC's proposed change in the treatment of DCPUs would have had a significant impact on the tax bills of employees using DCPUs as company vehicles; a cost likely to have been absorbed by business to some extent. Understandably, there was therefore a substantial amount of concern about HMRC's decision and, in reversing its position, HMRC itself acknowledged that the proposed changes to its guidance could have an impact on businesses and individuals in a way that was not consistent with the government’s wider aims to support businesses, including vital motoring and farming industries. Business will therefore welcome HMRC's confirmation that that status quo will continue.
For the time being, businesses and individuals can continue to apply HMRC's existing guidance on DCPUs used as company vehicles. However, it will be important for businesses to stay abreast of developments in this area given the government's intention to introduce legislation confirming the tax treatment of DCPUs, including by participating in the legislative consultation process when it is announced.
Robert WatersonPartner+44 7834 765846robert.waterson@rpc.co.uk
Liam McKaySenior Associate+44 7927 584578liam.mckay@rpc.co.uk
“From 1 July 2024, DCPUs with a payload of one tonne or more would be treated as cars rather than goods vehicles for both capital allowances and benefit-in-kind purposes.”
On 18 April 2024, the Serious Fraud Office (SFO) released its Strategic Vision report for the period 2024-2029. This is an important document as it sets out the priorities, values, approach and goals of the new leadership of the SFO for the next five years. As we wrote in the previous edition of Regulatory Radar, Nick Ephgrave QPM was appointed as the new Director of the SFO in September 2023, and therefore this is the document that sets out the strategy for his tenure.
The Strategic Vision report, together with the actions taken by the SFO in the first eight months of Mr Ephgrave's tenure, provide much useful guidance for companies as to how the agency will pursue its mandate in the coming years.
Focus areas for the SFOThe SFO has set out the following areas of focus in its Strategic Vision report:
implementing a rigorous review process on active cases, including by using advanced technology
prioritising cases with a higher likelihood of success and taking decisive action including closing unviable investigations, and increasing the use of dawn raids to gather evidence swiftly
enhancing cross-agency cooperation, and cross-border collaboration
exploring new methods, such as incentivising whistleblowers, to gather evidence more efficiently.
These stated focus areas raise the question of what companies can expect from the SFO in its approach to financial crime enforcement under Mr Ephgrave's leadership. Below, we explore how the strategy may play out over the next few years and the key takeaways for companies from this new phase of SFO leadership.
What can companies expect from the SFO's approach to financial crime enforcement?Companies can draw considerable guidance on the stated SFO strategy from the actions of the agency since Mr Ephgrave took over its leadership. Since September 2023, the SFO has been active, securing several convictions and launching five new investigations. Mr Ephgrave also delivered his first public speech as Director of the SFO at the Royal United Services Institute (RUSI), outlining his targets and intended direction for the agency.
Prioritising fraud and the victims of fraudThere are indications that the SFO will pursue fraud cases as a priority. In his speech to RUSI, Mr Ephgrave highlighted modern fraud as a key challenge for the SFO and indicated a need for a stronger focus on investigating and prosecuting fraud cases. He has stated that “the SFO will play a greater role in the national effort to tackle fraud” and is “already looking at ways in which the SFO can support the government’s Fraud Strategy.”
These statements are supported by the cases the SFO has taken on. Since September 2023, the proportion of open SFO cases relating to fraud has increased to 65% from 50%. All five of the new investigations launched by the SFO under Mr Ephgrave's leadership are focused on fraud. These include:
Axiom Ince: the SFO launched a criminal investigation into the collapsed law firm Axiom Ince and £66m of missing client money. The investigation, which involves over eighty SFO investigators and Metropolitan Police officers, is examining how funds were transferred from the firm’s client accounts with Barclays to the State Bank of India
Signature Group: the SFO launched an investigation into Signature Group, a business that attracted over a thousand investors for redeveloping iconic UK landmarks, over an alleged £140m property fraud and suspicions it had defrauded investors
AOG Technics: the SFO launched a new criminal investigation into fraud at AOG Technics Ltd, an aircraft parts supplier servicing major airlines globally. AOG Technics is alleged to have supplied faulty aircraft parts, leading to safety concerns and the grounding of some aircraft in the UK and US.
This focus on fraud is likely to continue given the powerful new enforcement tool provided to UK prosecutors through the introduction of the "failure to prevent fraud" offence contained in the Economic Crime and Corporate Transparency Act 2023 (ECCTA). This offence, which creates criminal liability for companies that fail to prevent their associated persons from committing frauds that benefit the company, is expected to come into force later in 2024. This will take place after statutory guidance on implementing reasonable fraud prevention procedures has been issued. ECCTA has also granted the SFO additional pre-investigation powers for a broader range of economic crime including fraud, which will further enhance the agency's ability to pursue those cases.
An increased domestic focus?Mr Ephgrave has stated on multiple occasions that he is focused on protecting the victims of financial crime, including ordinary people who fall victim to fraud. In particular, he has emphasised the importance of UK-based victims.
These statements are supported by the cases the SFO has commenced, including the investigation into Safe Hands Plans, commenced in October 2023, relating to the sale of pre-paid funeral plans to 46,000 UK customers. Cases of this type mark an apparent change in direction for the SFO, towards a more domestic focus and away from the high-profile international bribery investigations of recent years.
However, Mr Ephgrave has indicated that he sees the SFO as playing a role in major global resolutions and that he wants "to make it as easy as possible to collaborate on casework, by building strong and trusting relationships with our key international partners and taking advantage of new ways to share and exchange information and intelligence." It remains to be seen if the SFO will continue to build on its relationships with overseas enforcement agencies, and take on the types of complex, high-value, international cases that were pursued by previous leadership regimes.
Considerations for companiesThe Strategic Vision report and the actions undertaken since September 2023 indicate that the SFO is likely to be an active prosecutor under Mr Ephgrave's leadership, especially in relation to fraud. It is likely the SFO will work closely with other law enforcement agencies, including the Metropolitan Police and the National Crime Agency, to achieve its strategic aim. The SFO is also piloting a series of advanced technological tools, including to detect patterns of behaviour and analyse financial transactions, to enhance the efficiency of its investigations.
Given this apparent focus on fraud and the SFO's new powers established pursuant to ECCTA, companies, particularly those who have UK customers and investors, are advised to prepare for the coming into force of the failure to prevent fraud offence by reviewing their fraud risks and adapting and enhancing their fraud controls as soon as possible.
Thomas JenkinsSenior Associate+44 7856 279455thomas.jenkins@rpc.co.uk
Alexandra PratoAssociate+44 7709 523800alexandra.prato@rpc.co.uk
The tax world is not immune from the rise of AI. A spotlight was shone on the potential impact of AI on tax disputes, and indeed disputes more generally, in the recent decision of the First-tier Tribunal in Harber v Commissioners for HMRC [2023] UKFTT 1007 (TC), in which a litigant-in-person unwittingly cited case law that had been generated by an AI assistant. The First-tier Tribunal described the fictitious cases as “plausible but incorrect”, in that some of them shared characteristics with real authorities, but none of them were in fact genuine decisions of the First-tier Tribunal (or indeed any other tribunal or court).
While this illustrates why it is advisable to seek professional advice and assistance from a specialist tax disputes practitioner when litigating against HMRC, AI is set to have a far wider impact on the world of tax. HMRC now has some 55bn pieces of taxpayer data in its “Connect” computer system, which it uses to identify "targets” for tax investigations.
This system, and the data that it contains, enables HMRC to cross-check information from many different sources, such as corporate records from Companies House, sales transaction data from merchant acquirers, information received about taxpayers from foreign tax authorities via automatic exchange of information systems, and arrival and departure data from the UK Border Agency, to name but a few.
An increase in the volume of customs data related to imports of goods into the UK has provided a further rich seam for HMRC to mine using AI systems. There is a particular interest within HMRC in analysing this data to identify taxpayers whose declared income and/or gains is inconsistent with such data and to conduct compliance checks accordingly.
At present, humans are still involved when HMRC decides whether to open an enquiry in light of the information available to it and, after an enquiry is opened, in conducting that enquiry and ultimately concluding the enquiry. It is likely that in the not too distant future HMRC will extend the role of its AI systems so that they play a more determinative part in the decision to open an enquiry into a taxpayer's affairs.
Adam CraggsPartner+44 7545 101656adam.craggs@rpc.co.uk
Harry SmithSenior Associate+44 7566 763702harry.smith@rpc.co.uk
New regulations were introduced by HMRC in January 2024, originating from the OECD Model Reporting Rules for Digital Platforms, which mirror similar rules already brought into force by EU Member States.
The new regulations are intended to assist the government to achieve its stated policy objectives of helping taxpayers to pay the correct amount of tax and tackle tax evasion.
It is also hoped by the government that HMRC's ability to access and exchange information with other tax authorities ensuring that tax authorities have similar visibility of income for sellers on digital platforms will improve.
What are the new regulations?The new rules require certain UK digital platforms to collect information as part of their due diligence obligations, and then report this information relating to the income of sellers of goods and services on their platform to HMRC.
As part of this new process, HMRC will then cross-reference the information it has received with its records to check the tax position of the sellers. It may also exchange the information with other tax authorities for the jurisdictions where the sellers are tax resident.
Under the OECD rules, digital platforms in participating jurisdictions will be required to provide a copy of the information to the relevant taxpayer to help them comply with their tax obligations.
“The new regulations are intended to assist the government to achieve its stated policy objectives of helping taxpayers to pay the correct amount of tax and tackle tax evasion.”
What organisations are in-scope?This measure will affect digital platforms in the UK that facilitate the provision of services, or the sale of goods, by UK or other taxpayers and will affect UK taxpayers, including individuals and companies, who provide services or sell goods on digital platforms.
Digital platforms include apps and websites which facilitate the provision of goods and services, such as the provision of taxi and private hire services and food delivery services.
For the UK, these rules came into effect on 1 January 2024, with the first reporting due from January 2025.
What impact will these regulations have?This measure will place a new requirement and cost on UK digital platforms that have the responsibility of collecting specific information about sellers, verifying that information, before providing their report to HMRC.
There will be an increased initial cost to businesses as they familiarise themselves with the rules, and the format of the report that will need to be made to HMRC (in electronic format), as well as considering HMRC's guidance on how to comply with the new rules. There will then be ongoing costs of complying with the new regulations.
What are the consequences of non-compliance?Any UK digital platform operators that fail to comply with these obligations may be liable to a penalty. The penalties cover a wide range of failures such as, for example, late reporting, failing to provide information to reportable sellers, failing to provide information to HMRC, failing to comply with record-keeping requirements, or failing to provide accurate or complete reports. Penalties can range from £1k to £5k with potential daily penalties of up to £600 per day following the issue of a notice of assessment. The penalty for failure to apply the required due diligence procedures is £100 per seller.
A platform operator will not be liable to a penalty if they can demonstrate a reasonable excuse for any failure. An insufficiency of funds or relying upon another person, are excluded as being reasonable excuses.
Jasprit SinghAssociate+44 2030 606443jasprit.singh@rpc.co.uk
Navigate the complexities of the tax world with RPC’s Taxing Matters podcast.
Exploring tax from an ESG perspective with the Fair Tax Foundation
The latest on the loan charge scandal with Matt Hall from Armadillo
Changes to non-domiciliary rules with Philip Simpson KC and Ben Symons
In the “wash up” following the announcement of the general election which will take place on 4 July 2024, a number of bills were sped through the final stages of parliamentary processes. This was to ensure that the bills would not fall away once Parliament was dissolved on 30 May 2024. Included in the wash up was the Digital Markets, Competition and Consumers Act (DMCC) which received Royal Assent on 24 May 2024.
The DMCC brings in wide-ranging landscape reforms to the UK's competition and consumer regimes. In summary, the DMCC:
ushers in a new ex-ante digital markets competition regime: it grants new responsibilities to the CMA to promote competition in digital markets through a new digital markets regime overseen by its Digital Markets Unit (DMU). The CMA's DMU, which previously only existed in shadow form in anticipation of the DMCC being passed, will now receive its formal statutory powers
significantly strengthens the CMA's competition enforcement powers: for example, it extends the territorial scope of the prohibition under Chapter I of the Competition Act 1998 to apply to agreements implemented outside the UK with an effect within the UK. Other changes include stronger evidence-gathering powers such as its ability to interview individuals as part of its competition investigations and extending
“seize and sift” powers to dawn raids at domestic premises (until now such powers were only available for raids at business premises). There are also changes to make penalties for procedural infringements even tougher. Various changes are also being made to the market studies and investigations regime, as well as to the CMA's merger control regime, with adjustments to both the jurisdictional thresholds and merger investigations procedures
overhauls the UK's consumer law regime: Whereas previously the CMA was required to seek enforcement orders from the court, the CMA will now administer a new direct enforcement regime for infringements of the core consumer protection legislation. The DMCC also makes a number of changes to consumer protection legislation to enhance consumer rights.
For further details, our articles from when the DMCC bill was introduced into Parliament, which highlight the key changes in each regime, are available here:
DMCC changes to the digital markets regime >>
DMCC changes to the competition law regime >>
DMCC changes to the consumer law regime >>
The DMCC introduces significant landscape reforms across the UK's competition, consumer and digital markets regimes. The CMA's powers across its various functions have been substantially bolstered and it is gaining brand new statutory powers to regulate digital markets.
The CMA has been well prepared for receiving its new powers. It was quick off the mark and, on the day the DMCC received Royal Assent, it issued draft guidance in relation to the new digital markets regime for consultation.
The new DMCC legislation will come into force in stages. It is expected the digital markets competition powers will commence as soon as October 2024. It is important that businesses are ready for the new changes being brought in under the DMCC.
Leonia ChesterfieldOf Counsel+44 7732 401765leonia.chesterfield@rpc.co.uk
Melanie MusgraveOf Counsel+44 7525 601312melanie.musgrave@rpc.co.uk
The Digital Markets, Competition and Consumers (DMCC) Bill has finally been passed and received Royal Assent and officially become the DMCC Act 2024 (DMCCA), and introduces major reforms to the UK's consumer protection regime (including adding significant enhancements to the CMA's competition and consumer law enforcement powers).
CPRs v 2.0The DMCCA revokes and restates (with a few tweaks) the Consumer Protection from Unfair Trading Regulations 2008. The blacklist of "automatically unfair practices" is expanded to include a comprehensive ban on practices involving fake and undisclosed incentivised reviews (including requirement on business to take steps to prevent fake reviews), and the main body of the Act also includes specific provisions to protect consumers from so called "subscription traps".
Direct consumer law enforcement powersCurrently, for the CMA to enforce consumer protection laws, it must seek a court order. However, once the DMCCA is in force, the CMA will be able to directly enforce consumer protection law. This is enabled by new powers to directly issue decisions, require the removal of online content and even award compensation payments to impacted consumers.
The direct enforcement powers is looking likely to lead to a more proactive enforcement regime. The consumer law offences which these powers apply to are far-ranging, including any "unfair commercial practice", such as misleading pricing, greenwashing and deceptive online choice architecture (aka "dark patterns").
Direct fining powersNot only does the DMCCA allow the CMA to determine itself whether a breach of consumer protection law has occurred, it will soon be able to impose financial penalties for such breaches too. The most serious breaches could face penalties of up to £300k (or 10% of global annual turnover, if higher). This power will also be available to the CMA when a business breaches undertakings or an administrative direction given following its investigation, expediting what can currently entail a lengthy court process.
“The DMCCA marks the most substantial reform of UK consumer protection legislation in over 55 years.”
Why does it matter?The DMCCA marks the most substantial reform of UK consumer protection legislation in over 55 years, and every business based or active in the UK is likely to be impacted to some degree. The CMA's acquisition of direct enforcement and penalty powers will mean that businesses who repeatedly breach consumer protection law will face penalties much sooner than they might under the previous regime (and the financial consequences could be more immediate and more far reaching in terms of the size of possible fines).
What actions should you take?Organisations should stay updated on when exactly the various strands of the DMCCA (which also covers competition and digital markets law updates) will come into force and look out for the CMA's publication of accompanying guidance. It is vital that businesses familiarise themselves with the legislation and how it will apply to their operations, carefully considering their consumer law risk exposure. In particular, companies should consider their strategies regarding sales and marketing in anticipation of the enhanced authority of the CMA to levy substantial penalties for violations of consumer law.
Oliver BraySenior Partner+44 7981 232447oliver.bray@rpc.co.uk
Hettie HomewoodSenior Associate+44 7759 524371hettie.homewood@rpc.co.uk
Lewis ManningAssociate+44 7821 636371lewis.manning@rpc.co.uk
Shahil GoodkaTrainee Solicitor+44 7523 678982shahil.goodka@rpc.co.uk
The free RPC Snapshots app is available to download from Apple Store and Google Play.
In the first half of 2024, the UK's advertising regulator, the Advertising Standards Authority (ASA), has published guidance, key rulings, research findings and its 2023 Annual Report. Key themes are emerging which will affect organisations operating across a variety of sectors. Examples of these themes include environmental claims in relation to ads for electric vehicles and food and a reminder to advertisers around when the term "free" can be used in ads.
Zero-emission driving claims Earlier this year, the ASA investigated a paid-for Google ad by Ford for its "ultimate all-electric SUV". The ad featured the following claim: "Zero-emissions driving. Fast charging. Driver Assistance Tech". The issue at hand was whether the zero-emissions driving claim could mislead the public as to the environmental impact of the car. The ASA found that the zero-emissions claim was unlikely to mislead consumers because the claim was immediately followed by "Fast charging. Driver Assistance Tech". This meant that consumers were unlikely to understand that zero-emissions related to the life cycle of the car. Instead, the ASA stated that consumers would be able to understand the claim to relate to lack of emissions within the context of driving the car.
However, the fact that the ASA took the trouble to investigate this ad (which was found using the ASA's "Active Ad Monitoring" system, discussed below) and provide a ruling on it signals a clear warning to advertisers that context is key and that exact wording of these sorts of claims needs to be formulated very carefully, or they risk falling on the wrong side of the line and being misleading.
ASA backtracks on ruling against Calvin KleinIn January, the ASA ruled that a Calvin Klein poster featuring singer FKA Twigs was overtly sexual and was offensive and irresponsible on the basis that it objectified women. Meanwhile two other ads investigated at the same time, featuring Kendall Jenner, were found not to breach the CAP Code.
The ruling received a large amount of backlash, including from FKA Twigs, with critics arguing that the singer was being shown as empowered, rather than a sexual object, and citing double standards because the Kendall Jenner ads were not upheld. In March, the ASA then republished their decision, partially reversing their original finding (they found that the ad did not sexually objectify FKA Twigs, but maintained that the ad has not been responsibly targeted). In a blog that was released alongside the updated ruling, the ASA said that they were "not deaf to the commentary that surrounds [their] decision making", but that the criticism was not the reason for the reversal, which was instead due to the ASA being "inconsistent in its treatment of the three posters" that made up the campaign, such that its finding that FKA Twigs had been objectified was "flawed". The ASA did, however, stick to its initial finding that the FKA Twigs poster was "overtly sexual and was, therefore, not suitable for display in an untargeted medium" such as a poster.
Going forward, the ASA says that it will "review the thresholds for intervening against ads on grounds of offence and prioritise the most serious cases", and that it "may not warrant [their] intervention" where an issue is highly subjective and/or socially divisive.
Perhaps unsurprisingly, using the term "free" in advertising is likely to capture the attention of consumers. But advertisers need to ensure that the term is used appropriately and correctly within their ads. The ASA regularly publishes guidance on this and in April posted a reminder to advertisers linking to their current core guidance on this topic.
Under the UK Advertising Codes, advertisers must not use the term "free" if "the consumer has to pay anything other than the unavoidable cost of responding and collecting or paying for delivery of the item." Consumers are also protected against advertisers inflating prices such as delivery, packaging, or handling fees in order to "cover the costs" of giving an item away for "free".
That's not to say, though, that advertisers shouldn't use the term "free" in appropriate circumstances. If, for example, a consumer is able to receive a product or service free of charge when they purchase another item, this would be an acceptable use of the term (provided that the conditions to receive the free item are clearly set out and neither the price of the paid-for item has been inflated nor the quality or size of the free item reduced). Advertisers should therefore be mindful of their use of "free" and ensure that they do not fall foul of the rules.
The ASA has recently published the findings of its research into environmental claims in meat, dairy and plant-based food and drink ads.
Key findings include consumers' powerful association between the word and colour "green" with environment and animal welfare. The ASA noted that consumers find the use of green to signal "a brand's environmentally conscious ethos, without explicitly making any claims." In response to its research, the ASA put forward plans for 2024 which include monitoring the use of "green" and of natural/nature imagery to ensure that consumers are not misled through ads.
The ASA also announced that it will continue to engage with the Competition and Markets Authority and key stakeholders in the industry to better understand key trends in this space. This will include claims such as those around regenerative farming, as well as to provide further guidance to advertisers on environmental claims in food and beverage ads.
Advertisers should keep a watch out for future guidance released by the ASA, as well as a steady flow of rulings on green claims in order to stay on top of the ASA's approach this extremely hot topic.
“Advertisers should be mindful of how the ASA is using AI for ad-monitoring purposes and, as always, ensure compliance with the relevant UK advertising codes.”
The ASA has published its Annual Report for 2023 which highlights key work undertaken by the ASA in the previous year. Of particular importance is the launch of the ASA's AI-based Active Ad Monitoring system. The Ad Monitoring system uses artificial intelligence (AI) to monitor ads, identifying those that potentially breach the UK Advertising Codes. The system captures ads from a variety of sources including social media, through searches of public sources and through the ASA's datasets. Human reviewers then assess these ads and may look to informally resolve any issues with the advertiser, or make a ruling against the ad.
The Annual Report notes that in 2023 the Ad Monitoring system processed three million ads, which the ASA aims to increase to ten million in 2024, and was used in 23 of the regulator's published rulings last year. This highlights that consumer/competitor complaints are no longer necessary of the ASA to investigate an ad; the regulator is proactively searching for non-compliant ads itself.
Advertisers should be mindful of how the ASA is using AI for ad-monitoring purposes and, as always, ensure compliance with the relevant UK advertising codes.
Sophie YantianTrainee Solicitor+44 7514 733458sophie.yantian@rpc.co.uk
The Competition and Markets Authority (CMA) has published the results of its investigation into green claims made by ASOS, Boohoo and George at Asda. All three retailers have signed undertakings, made voluntarily and without any admission of liability, committing to change the way they promote their green credentials. This includes the removal or amendment of existing misleading green claims and complying with strict rules for specific types of green claims (such as claims about green product ranges or fabric composition) and putting in place internal processes to prevent misleading green claims (such as supplier due diligence, spot checks, and internal training). Over the next two years, each retailer must also regularly report to the CMA on the steps it has taken to comply with the undertakings.
Presentation of material information: the undertakings reiterate principles in the Green Claims Code (GCC) that where information is material to the green claim (eg where it qualifies the claim), it should be set out "clearly and prominently" with the claim. The undertakings build on the GCC by explaining what "clear and prominent" means in practice, information must:
be clearly visible
be in close proximity to the claim
not require the consumer to take further action (eg by clicking on a hyperlink)
not be displayed separately to the claim (eg on the other side of a product label).
Green product ranges: where a business markets products as being part of a green product range, there must be an objective set of criteria for determining which products are included in the range. Businesses must not market products as being part of the range if they do not meet those criteria. Businesses must also include a clear and prominent summary of the relevant criteria for the range on their website, product labels, and in any marketing materials or social media posts promoting the range (as relevant). Finally, the name of any green product range cannot itself be misleading (this is likely to apply to product ranges labelled broadly as “sustainable”, “eco”, etc).
Statements about fabrics: businesses must not claim that a product is "recycled" or "organic" if it contains more than a negligible proportion of non-recycled or non-organic fibres. Where a business does make recycled or organic claims, it must clearly set out the percentage of recycled or organic fibres contained in the product. Whilst this provision of the undertakings relates specifically to claims about fabric composition, the general principles could also be applied to other kinds of claims and product types (eg regarding the percentage of recycled plastic in a "recycled" plastic bottle).
Third party accreditation: the undertakings provide further detail about the information that businesses must give consumers when making green claims based on third-party affiliation or accreditation schemes. This includes details about the environmental benefits of the affiliation or scheme, any material connection the business has to the third party or scheme, and a link to the third party’s and/or scheme’s website. This is likely to include sector or product-specific accreditation schemes such as those run by Textiles Exchange or the Forest Stewardship Council.
Supplier due diligence: where a business makes green claims about a product’s composition or manufacturing process, the CMA expects businesses to have a supplier due diligence process in place to ensure these claims are accurate. This should involve:
getting relevant certificates from suppliers (eg final scope and transaction certificates) or a written declaration from the supplier that the product information is correct
conducting annual spot checks on a sample of certificates
getting contractual assurances from suppliers that they will comply with the business’s green claims policies and contractual terms.
Businesses should remove any green claims where the due diligence process is not complied with, or an error is identified which cannot be promptly rectified.
Other internal processes around green claims: the CMA expects businesses to have appropriate mechanisms in place to prevent misleading green claims. This could include:
automated software solutions and weekly spot checks of product listings
introducing prompts for employees during the product listing and advertising processes
developing internal green claims policies and implementing annual training on green claims compliance for relevant employees
ensuring that all new green claims are vetted by legal teams before they are published.
Substantiation and record-keeping: the undertakings give an indication of the kinds of records that businesses should have on file to back up their green claims and to evidence their internal green claims processes, including certificates and substantiation received from suppliers.
With the outcome of the investigation being published alongside a warning from the CMA that future green claims enforcement could result in significant fines once the newly made Digital Markets Competition and Consumers Act enters into force (for more on the DMCC Act, see here), the message coming from the CMA is clear: the potential liability for misleading green claims in the UK is set to increase and all businesses should review their green claims now to ensure they are compliant.
Sophie TusonSenior Associate, Environment and climate change practice lead+44 7712 511815sophie.tuson@rpc.co.uk
The Information Commissioner's Office (ICO) was unsuccessful in its appeal to the Upper Tribunal (UT) for an Enforcement Notice it had issued to credit rating agency Experian. The UT provided detailed guidance on the UK GDPR's transparency principle requirements that will be an important authority for future issues surrounding the use of privacy notices.
The ICO alleged that Experian failed to comply with UK GDPR transparency requirements when processing the personal data of individuals because it did not notify them that it was processing their data for direct marketing purposes as well as credit scoring. The First-Tier Tribunal (FTT) ruled in February 2023 that it was possible for controllers such as Experian to make transparency information publicly available through a series of hyperlinks, amongst other findings.
The ICO appealed this decision in the UT, arguing that that the FTT made an error in applying the transparency principle to Experian's processing. The ICO argued that the FTT focused too much on the consequences of the processing to data subjects, whereas the transparency principle instead intends to enable data subjects to make their own judgement as to whether their data's processing is objectionable.
Although each of the five grounds for appeal raised by the ICO were dismissed, the UT did find the FTT's decision lacking in clear, structured reasoning. To address this, the UT provided guidance on the interpretation and application of the transparency principle. It also clarified the role that recitals and European Data Protection Board guidelines can play in GDPR interpretation.
Most significantly, the judgement stressed that what the transparency obligation requires is context-specific and guided by considerations of proportionality, listing a number of factors that controllers should consider for evaluation. These were:
the type of personal data (more sensitive data such as health details are likely to demand more transparency than a retail shopping preference)
the kind and purpose of processing (more intrusive or sensitive forms of processing require more protection in transparency, such as compiling full profiles of data subjects from numerous sources)
the consequences of processing to the data subject, in terms of the nature and extent of harm/benefit received
the degree of connection between the data being processed and a particular UK GDPR right
the costs of any additional steps that the controller may have to take (the costs of providing additional privacy notices to affected users was a consideration).
What impact has it had?The judgement adds clarity to an area of the GDPR that has had relatively little judicial attention, the transparency principle. The ICO must consider the actual consequences of harm that an alleged failure of transparency has caused to data subjects before demanding the mass issuance of privacy notices. Whilst the judgment endorsed the use of hyperlinks to make publicly available the relevant transparency information, it was made clear that what will constitute appropriate measures will vary on a case-by-case basis.
ConclusionAgainst the background of two other agencies receiving scrutiny from the ICO, Equifax and TransUnion, both of which voluntarily complied with the ICO's directions, this decision represents a significant test of the ICO's regulatory approach in the credit reference agency sector. Experian has been successful in refusing to issue privacy information on an individual basis to data subjects despite the ICO's findings. The ICO currently is weighing up further appeal of the UT's decision. Nonetheless, the greater technical clarity on the interpretation of the transparency principle and its demands will be useful for any business collecting or processing personal data which has not been collected directly from data subjects.
Jon BartleyPartner+44 7912 242142jon.bartley@rpc.co.uk
Kiran DhootAssociate+44 7749 045210preetkiran.dhoot@rpc.co.uk
The Information Commissioner's Office (ICO) has launched a consultation series which aims to gather feedback from stakeholders about how data protection law should be applied to the development and use of generative AI technology in the UK, with the aim of establishing more clarity in this area.
The ICO's consultation series kicked off on 15 January 2024 with the publication of the ICO's first "chapter" on "the lawful basis for web scraping to train generative AI models". This was followed by chapters on the application of the purpose limitation and accuracy principles. The final chapter covers engineering individuals' rights into AI models.
This first chapter covers the ICO's initial thoughts on the collection and use of training data as part of the generative AI lifecycle.
The second chapter focuses on how the UK GDPR principle of purpose limitation should apply to generative AI, such as how the different stages in the AI lifecycle may process different personal data for distinct purposes. It is important for organisations to understand what the purpose of processing is at each stage so that they can assess each such purpose separately and understand their data protection law obligations.
The third chapter focusses on accuracy of training data and model outputs. It notes that developers should be aware of the effect on the accuracy of training data on their models and its impact on the use of the model.
Finally, the fourth chapter in the consultation concerns how developers will be able to ensure that individuals' rights will be respected. The ICO would like stakeholders to demonstrate they have a clear and effective process for enabling people to exercise their rights over personal data contained in the training, fine-tuning, and output data, but also the AI model itself.
What impact has it had?Alongside the progression of the EU's long awaited AI Act, the ICO has been considering how best to regulate the use of AI and how to do so alongside the UK GDPR framework. The consultation documents issued so far provide a useful insight into the current thinking behind the future regulation of AI in the UK. This is alongside the ICO's recently published strategic approach to regulating AI, which in addition to referencing these consultation chapters, highlights other limbs of its strategy including running a regulatory sandbox and Innovation Advice service which aims to respond to innovators' queries within five to ten days.
ConclusionBusinesses who may find themselves affected by the closer regulation of AI should stay abreast of further developments and statements from the ICO as they adapt their approach and support to account for emerging AI-based technologies and use-cases. It will also be important to look out for statements on AI regulation following the general election, particularly if there is a new government.
Laura VerrecchiaTrainee Solicitor+44 7514 733452laura.verrecchia@rpc.co.uk
