Regulatory round-up – October 2019


Consumer and Retail Finance – October 2019
Latest from the FCA, including overdraft pricing reforms and Senior Managers and Certification Regime; other sector news.
Financial Conduct Authority (FCA)
As part of its high-cost credit review, the FCA published on 2 October 2019 a policy statement setting out rules to make overdraft fees clearer and more transparent. See the press release.
The FCA updated the guidance first published in December 2018 for registered social landlords as part of its high-cost credit review. New legislation means that registered social landlords can now refer tenants, or potential tenants, to some credit activities without requiring FCA authorisation.
On 21 October 2019, the FCA’s Executive Director of Strategy and Competition delivered a speech on the future of regulation. The FCA will be engaging in a public conversation over the coming months and will publish detailed papers including, notably, a consultation on the duty of care. In related news, the Financial Services Duty of Care Bill, a Bill to require the FCA to make rules for authorised persons to owe a duty of care to consumers in their regulated activities, received its first reading in the House of Lords on 29 October 2019.
On 18 October 2019, the FCA further updated its dedicated webpage for solo-regulated firms on the extension of the Senior Managers and Certification Regime (SMCR). It also recently published a new webpage explaining Form K and the requirements and timetable for submitting it. The form enables firms to tell the FCA which approved individuals they wish to convert from the Approved Persons Regime to corresponding Senior Management Functions under SMCR.
The FCA is consulting until 15 January 2020 on plans to ban commission models that give motor finance brokers/dealers an incentive to raise customers’ interest rates. It is also consulting on minor changes to some of its rules and guidance to ensure that many types of credit broker give consumers more relevant information about commission.
On 14 October 2019, the FCA further updated its webpage on the Directory, the new public register for checking the details of key people working in financial services. All firms other than banks, building societies, credit unions and insurance companies must submit their data between 9 December 2019 and 9 December 2020.
On 28 October 2019, the FCA set out the changes to its mortgage responsible lending rules and guidance, to remove barriers that stop some mortgage customers from finding a cheaper mortgage deal. The changes came into force immediately. See the press release for details.
On 16 October 2019, the FCA published a feedback statement setting out its proposals to improve climate change disclosures by issuers and information to consumers on green financial products and services. See the press release.
On 23 October 2019, the FCA’s Executive Director of Supervision (Investment, Wholesale and Specialists) delivered a speech on turning technology against financial crime. She talked about the pace of change in the financial sector and how “technology, frequently an enabler of crime, can also be a hugely potent tool in the fight against it…if I could leave industry with one message today it would be don’t be afraid to use technology and innovate to keep criminals out”.
Firms can now apply until 31 December 2019 for cohort 6 of the FCA’s regulatory sandbox, which allows businesses to test innovative propositions in the market with real consumers. Among other things, it is particularly interested in receiving applications from firms with propositions that make finance work for everyone, by addressing issues around access, exclusion and vulnerability.
The FCA and the Bank of England recently published a joint report on machine learning in UK financial services.
The FCA published a new webpage on the anti-money laundering and counter-terrorist financing regime in relation to cryptoassets. From 10 January 2020, the FCA will be the anti-money laundering and counter-terrorist financing supervisor of UK cryptoasset businesses under the Money Laundering Regulations 2017. The FCA also published an updated webpage on its work in relation to cryptoassets.
In related news, the World Federation of Exchanges asked the FCA not to ban the sale of crypto derivatives to retail consumers, while supporting the regulator’s desire to better protect vulnerable consumers. See the press release.
And finally, the FCA’s two-month consultation on ‘Regulatory fees and levies: policy proposals for 2020/21’ is now expected to commence in November 2019. Feedback is expected in March 2020.
Other sector news
On 28 October 2019, the House of Commons Treasury Select Committee published its report on IT failures in the financial services sector. Among other things, it says that the current level of financial services IT failures is unacceptable, firms must resolve customer complaints and award compensation quickly, and regulators must act to improve the operational resilience of the sector. See the press release from UK Finance, responding to the report.
We reported previously that the Gambling Commission has been consulting on banning or restricting the use of credit cards for all forms of remote gambling. The Money and Mental Health Policy Institute recently announced that it is launching a new project to engage financial services firms with efforts to tackle gambling-related harm. See the press release.
In related news, according to a new report published by the Money and Mental Health Policy Institute, banks and building societies could play a crucial role in helping customers avoid money problems, by analysing personal financial data to identify and support people who are struggling. See the press release.
The Creditworthiness Assessment Bill, a Bill to require certain matters to be taken into account when assessing a borrower’s creditworthiness, failed to complete its passage through Parliament before the end of the last session and will make no further progress.
The Goods Mortgages Bill, which the government decided not to bring forward in 2018, is back on the agenda. The Bill, to make provision for a new form of non-possessory security that may be created over goods owned by individuals and to repeal the Victorian-era Bills of Sales Acts, had its first reading in the House of Lords on 21 October 2019.
On the same day, HM Treasury published an updated advisory notice on money laundering and terrorist financing controls in overseas jurisdictions, following the recent publication of two statements by the Financial Action Task Force identifying jurisdictions with strategic deficiencies in their anti-money laundering and counter-terrorist financing regimes.

Data Protection – October 2019
Developments in group data breach claims; update on EU-US Privacy Shield; latest from the ICO; cybersecurity update; and more.
Court of Appeal gives go-ahead to representative action against Google…
The Court of Appeal has reversed an earlier High Court decision and given the go-ahead to a representative action brought against Google by Richard Lloyd (the former executive director of consumer organisation Which?) on his own behalf and on behalf of an estimated class of 4.4 million people [1]. A representative action is one of the currently available methods for bringing collective proceedings in England and Wales.
The decision is significant because it clears the way for an “opt-out” group data breach claim. There is no need, when the litigation begins, to be able to compile a complete list of who is in the class or group represented; the members of the class do not have to have authorised the claim; and compensation can in principle be awarded without having to prove financial loss or distress. Even where the amount of compensation awarded to each individual is low, the potential financial exposure across a large class could be considerable. While the case concerns the old data protection regime, the same interpretation is likely to apply in relation to the General Data Protection Regulation (GDPR) and the new Data Protection Act 2018.
By way of background, the claim alleges that Google acted in breach of the duty imposed by section 4(4) of the Data Protection Act 1998 (the Act) by placing cookies to secretly track the internet activity of Apple iPhone users, collating and using the information obtained, and selling the accumulated data. The claim is for compensation under section 13(1) of the Act, which provides that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage.
No financial loss or distress is alleged. Mr Lloyd is claiming a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.
Mr Lloyd applied to the High Court for permission to serve the proceedings on Google in the United States. The application was dismissed on the basis that none of the represented class had suffered “damage” and the members of the class did not have the “same interest” within the relevant procedural rule so as to justify allowing the claim to proceed as a representative action. In any event, the judge exercised his discretion against allowing the claim to proceed, describing it as “officious litigation”.
The Court of Appeal disagreed and reversed the decision, finding that a claimant can recover damages for loss of control of their data under section 13 of the Act, without proving financial loss or distress, and the members of the class that Mr Lloyd seeks to represent do have the same interest and are identifiable. Here are some of the key points from the judgment:
- The key to the claims was the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data. The underlying reality was that Google was able to sell browser generated information collected from numerous individuals to advertisers who wished to target them with their advertising – that confirmed that such data, and consent to its use, has an economic value. A person’s control over data or over their browser generated information has a value, so the loss of that control must also have a value.
- It would be inappropriate for the court to apply differing approaches to the meaning of damage in respect of an action for misuse of private information and an action for breach of the Act. Both actions protect the individual’s fundamental right to privacy and are two parts of the same European privacy protection regime. The Court was referring here to the phone hacking misuse of private information case Gulati v MGN Limited [2] in which loss of control over telephone data was held to be damage for which compensation could be awarded.
- The High Court judge applied too stringent a test of “same interest”. The claimants that Mr Lloyd seeks to represent will all have had their browser generated information – something of value – taken by Google without their consent in the same circumstances during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data extracted). The represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their browser generated information.
- Not seeking to rely on any facts affecting any individual represented claimant had the effect of reducing the damages that can be claimed to what could be described as “the lowest common denominator”, but this did not mean that the represented claimants did not have the same interest. It was impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. Represented claimants could, in theory, seek to be joined as parties if they wished to claim additional losses.
- The data in possession of Google would be able to identify who was, and who was not, in the class.
- In relation to the exercise of the judge’s discretion against allowing the claim to continue, it was irrelevant that the members of the class had not authorised the claim. It was well established that the members of a represented class do not have to have authorised the claim.
- In practice, this representative action was the only way in which the claims could be pursued.
- The Court of Appeal did not accept the High Court judge’s characterisation of the claim as “officious litigation”: “To the contrary, this case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit…The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention [the European Convention on Human Rights] and the Charter [the Charter of Fundamental Rights of the European Union]”.
It remains to be seen, however, whether this decision will open the floodgates when it comes to other group data breach claims in the future. Importantly, the Court referred to a threshold of seriousness which it said would undoubtedly exclude a claim for damages for an accidental one-off data breach that was quickly remedied. It was common ground that if the Court decided that the infringement was trivial it would be entitled to refuse to make an award for loss of control damages. But the Court said that that was far from the case here – on the pleaded case, every member of the represented class had had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy. This was clearly a key consideration for the Court when it exercised its discretion as to whether to proceed.
Additionally, claimants looking to use this representative action procedure will still need to meet the “same interest” requirement, which will present an issue where individual claimants’ circumstances vary (for example, when damages are sought for financial loss or distress) or there are different defences to the claims.
We understand that Google intends to appeal to the Supreme Court and will continue to monitor and report on developments.
…as High Court gives go-ahead to group litigation against British Airways
In a separate but related development, the High Court has granted a group litigation order which effectively gives the go-ahead to around half a million British Airways customers to bring compensation claims over a data breach that occurred in September 2018. In July 2019, the Information Commissioner’s Office (ICO) issued a notice of its intention to fine British Airways £183.39 million for infringements of the GDPR. The fine, and this group litigation, concern a cyber incident in which the personal data of approximately half a million customers was compromised by poor security arrangements.
A group litigation order differs from the representative action route used in Lloyd v Google because it is “opt-in”. Individual claimants have to decide whether to become a party to the litigation and, if they do, they must make their own claim. The group litigation order is a way for the court to manage individual claims which give rise to common or related issues of fact or law.
These latest developments serve as a stark warning to organisations of the importance of ensuring that the necessary arrangements are in place to comply with data protection and privacy legislation.
US continues to ensure adequate level of protection for personal data transferred under the Privacy Shield
On 23 October 2019, the European Commission confirmed in its report on the third annual review of the functioning of the EU-US Privacy Shield that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US. The Commission concluded that a number of concrete steps need to be taken to better ensure the effective functioning of the Privacy Shield in practice. This includes the development of common guidance on the definition and treatment of human resources data. The Commission will also closely monitor further developments concerning specific elements of the framework, including in relation to the issue of surveillance. The report notes the pending litigation relating to the Privacy Shield which is before the Court of Justice of the European Union (CJEU), and that the Commission may have to reassess the situation once the CJEU rules on those cases. See the press release.
Latest from the ICO
- On 31 October 2019, the Information Commissioner issued an Opinion on the use of live facial recognition technology by law enforcement in public places. The key recommendation arising from the ICO’s investigation is to call for government to introduce a statutory and binding code of practice on the deployment of this technology.
- The ICO is consulting until 9 December 2019 on an accountability toolkit, to help organisations to assess whether they have appropriate and effective internal data protection governance arrangements in place and to help them demonstrate their compliance to the ICO, the public, or a business customer. See the blog post for details.
- As part of its ongoing call for input on developing a framework for auditing artificial intelligence (AI), the ICO published a blog post on enabling access, erasure, and rectification rights in AI systems, and a separate blog post on some of the key considerations for organisations undertaking data protection impact assessments (DPIAs) for AI systems. A later blog post was published setting out final considerations and next steps, reflecting on the following key governance and accountability themes that cut across all the AI risk areas explored so far: AI governance and risk management capabilities; setting a meaningful risk appetite; and DPIAs as a roadmap to a compliant and ethical approach to AI.
- A business suspected of making nuisance pensions calls was raided as part of an ICO investigation. Stricter rules introduced earlier this year made cold calls about pensions illegal in certain circumstances.
- The First Tier Tribunal (Information Rights) dismissed an appeal by a data controller against a £400 penalty notice from the Information Commissioner for non-payment of the required £40 data protection fee [3]. The controller appealed on the basis that non-payment was an innocent mistake – it had cancelled a previous direct debit by mistake before payment was made. While she accepted that the failure to pay was due to an oversight, the Information Commissioner said that the controller should have had the relevant administrative systems in place. The Tribunal concluded that a reasonable data controller would have systems in place to comply and the controller in this case had pointed to no particular difficulty or misfortune which explained its departure from the expected standards of a reasonable data controller. The Tribunal noted that nine months had passed between the controller receiving a first reminder that the fee was due and the penalty notice being issued, during which time it failed to realise that the direct debit had not been paid.
More news from Europe
- A recent CJEU decision has confirmed that: pre-ticked boxes do not constitute valid consent to the placement of cookies on website users’ devices; the service provider must provide the website user with information regarding the duration of the operation of cookies and whether or not third parties may have access to those cookies; and it does not matter for the application of the ePrivacy Directive whether the data accessed through the cookies is personal or non-personal [4]. We reported in the June/July 2019 edition of the Regulatory round-up that the ICO recently published its long-awaited updated guidance on the use of cookies and similar technologies. This decision serves as a timely reminder to organisations that have not yet done so to review and update cookie policies and consent mechanisms to ensure compliance.
- Trade association DigitalEurope is urging Member States to ask the European Commission to reconsider its proposal for an ePrivacy Regulation (which is intended to replace the current ePrivacy Directive). Among other things, it says that too many important questions remain unaddressed, amendments continue to create more confusion than clarity, and Europe’s digital transformation will be severely hampered without a major overhaul of the text.
- The European Data Protection Board adopted a final version of its guidelines on the lawful basis for processing for online services based on contracts under Article 6(1)(b) of GDPR, i.e. where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Cybersecurity update
- On 16 October 2019, the government published guidance on what UK digital service providers operating in the EU should do after Brexit in order to comply with regulations covering the security of network and information systems. Separate guidance was later published for non-UK digital service providers operating in the UK.
- Just after the previous edition of the Regulatory round-up went to press, the National Cyber Security Centre published a revised version of the Cyber Assessment Framework to make it suitable for a wider range of potential users, beyond its application to UK providers of essential services. See this blog post with a link through to the guidance.
_________________
[1] Lloyd v Google LLC [2019] EWCA Civ 1599
[2] [2015] EWHC 1482 (Ch) and [2015] EWCA Civ 1291
[3] Roy & Partners v The Information Commissioner (Dismissed) [2019] UKFTT 2019_0096 (GRC)
[4] Bundesverband der Verbraucherzentralen und Verbraucherverbände Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17

Health and Safety – October 2019
Multiple £1 million-plus fines issued in just one month; other sentencing news; Health and Safety Executive annual injury and ill-health statistics.
Multiple £1 million-plus fines issued in just one month
Logistics company DHL was fined £2.6 million after car and truck tyres fell through an internal office roof at a warehouse in Coventry, fatally injuring one staff member, seriously injuring another and leaving two others walking wounded. An investigation by Coventry City Council found that the company fundamentally and systematically failed to manage health and safety at the site and the accident was the product of a multi-layered systemic failure of the company’s management.
A steel company was fined £1.8 million, and ordered to pay costs of over £145,000, after two employees were killed and another seriously injured when an accumulator vessel they were working on exploded. The inspector from the Health and Safety Executive (HSE) said that the company had failed to assess the risks of the maintenance work and identify suitable control measures to prevent an explosion. The HSE investigation found that the procedure used had developed through the company employees’ local custom and practice, and was not fully understood or consistently carried out by employees, exposing them to the risk of explosion.
A waste recycling company was fined £1.275 million after an employee lost part of his arm while removing waste from a blocked conveyor. The HSE inspector said: “This incident could so easily have been avoided had the company ensured that the system designed to keep people away from dangerous machinery was properly maintained. Companies should be aware that HSE will not hesitate to take appropriate enforcement action against those that fall below the required standards”.
Other sentencing news
A local council and bus company were fined a total of £650,000 after a bus passenger was run over and fatally injured by a lorry when walking across a pedestrian crossing at a bus station undergoing construction work. The HSE inspector said: “There were inadequate control measures in place to segregate vehicles and pedestrians at the site and lack of proper planning in terms of pedestrian access and egress to the bus station. Hazards associated with vehicles and pedestrians in the same location, particularly the case in a facility such as a bus station in the centre of a busy town, are well known and easily controlled using reasonably practicable precautions”.
Ferry operator Stena Line Limited was fined £400,000 after a worker was seriously injured by a moving vehicle at the company’s port terminal in Birkenhead. The HSE investigation found that there was no consideration of physical segregation of pedestrian operatives from moving vehicles when vessels were being unloaded. The company had failed to adequately assess the risks to pedestrians from moving vehicles and, consequently, to put in place effective control measures leading to a safe system of work.
HSE releases annual injury and ill-health statistics
On 30 October 2019, the HSE released its latest annual injury and ill-health statistics report. Among other things, there were 1.4 million new or long-standing work-related ill-health cases in 2018/19. Of these, 44% concerned stress, depression or anxiety. During that period, 28.2 million working days were lost due to work-related ill-health and non-fatal workplace injuries. Of the working days lost to ill-health, 54% concerned stress, depression or anxiety. According to the report, the rate of self-reported work-related stress, depression or anxiety has shown signs of increasing in recent years. In 2017/18, the cost of workplace injury and new cases of work-related ill-health was £15 billion, of which £3 billion was borne by employers. Construction remains one of the high-risk sectors for sustaining work-related injury. Education, public administration and defence, and human health and social work are the industries with ill-health rates statistically significantly higher than the rate for all industries.
Contains public sector information published by the Health and Safety Executive and licensed under the Open Government Licence.