Thursday, 26 May 2011

An EU Contract Law? Too Tough To Digest

A hat-tip to Mayer Brown for the heads-up on the latest in the saga of a proposed European Contract Law. We have until 1 July to send feedback on 189 individual articles included in a 'feasibility study'. The Commission will then consider that feedback, together with the results of an earlier consultation.

As I have posted previously in another place, I'm not terribly supportive of a new European Contract Law. It doesn't fix any real problem, and it won't catalyse a single, cross-border market - notwithstanding the rationale advanced by the European Commission. The example used is:
"An Irish consumer buys an MP3 player online from a French retailer. In this case, Irish contract law would apply if the French retailer has designed his website for Irish consumers."
This is a strange scenario, littered with odd assumptions. Besides, there are notable instances of successful cross-border retailing in the EU that rely on the law of a single Member State as the law of the contract. And choice of law is the least of the barriers to setting up such an operation, as the European Commission itself discovered in the context of the reform of laws related to consumer rights and consumer credit. In particular, a May 2007 study by Civic Consulting revealed that:
“the main [non-regulatory] barriers hindering selling of consumer credit products in other EU Member States are different language and culture; consumers’ preference for national lenders; credit risk for lenders – no access to creditworthiness information; problems related to tax, employment practices etc.; difficulties to penetrate local market; different consumer demand in different Member States; lack of consumer confidence in a brand; differing stages of development of consumer credit; and lack of adequate marketing strategies.”
Furthermore, the law should follow, not lead, commerce (though I realise that is a common law, rather than a civil law, view). Otherwise, it acts as a hurdle to innovation and market development, and only those who are 'good at regulation' (incumbent players) will cope.

A pan-European contract law also conflicts with the principle already enshrined in various financial and other regulatory frameworks that, in general, the law of a corporation's home Member State should govern that corporation's cross-border EU activities. In fact, given that the preponderance of any EU-based cross-border retailer's trade is with the citizens of its home state (with the exception of retailers based in Luxembourg), this proposal would seem to envisage retailers either imposing European Contract Law on their local customers, or creating a separate set of terms for cross-border customers. I don't see how either is helpful, other than to generate work for the likes of... well, me.

But I'm not in the business of creating more hurdles for cross-border trade. So, while I will of course personally attempt to digest yet another European dog's breakfast, I propose to focus my drafting energies on an exclusion clause that will mean my clients and their customers won't have to.

Apply within ;-)

Tuesday, 17 May 2011

Would You Like A Cookie?

The law that applies to ‘cookies’ is changing with effect from 26 May 2011. Within a year from that date, not only must the user be given clear and comprehensive information about the purposes of cookies and use of the data they collect; but cookies can also only be placed on the user’s device after the user has given his or her consent. There is an exception where such storage or access is strictly necessary for the provision of a service that has been requested by the user (as well as where the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network). The UK Information Commissioner has issued guidance on how to comply.

How best to obtain consent?

This is likely to vary according to the type of cookie being set and the use to which the information is put. Cookies may be either "session" cookies, which are temporary and deleted as soon as the user closes his or her browser; or "persistent" cookies, which are stored on the user's device hard drive until they expire or are removed. Where a persistent cookie is set, consent only needs to be obtained before it is set the first time.

Of course, users can configure their browser to warn them whenever a new cookie is about to be stored; clear the cookies that have previously been set; and/or block specific cookies in advance. Or they can choose not to visit a website or use a service whose cookies they don't want to receive. However, the Information Commissioner has found that most browser settings are not sophisticated enough for a service provider to assume that the user has consented to its website setting a cookie. So, the Commissioner has advised that consent must be obtained in some other way.

If you are changing your terms for the use of your web site or web-based service, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms. Where a third party sets its own cookies or similar technologies onto “your” users’ devices, you will need to ensure your users’ consent is obtained either by you or the third party.

For sites with subscribers who must log in to gain access, you could prompt the user to agree to amendments to your privacy policy covering the use of cookies at the time of next log-in. More challenging is how to obtain consent to cookies from users who don't log in, or who don't necessarily interact with your site in a way that would enable you to display terms of consent that could be agreed. The Information Commissioner has suggested that web site owners "place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user's device. This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to them."
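The "consent before the cookie is set" rule is easiest to honour if it is enforced in code rather than left to each script author. The following is an added example, not code from the original post or from the Information Commissioner: a small consent gate that sets cookies tagged as strictly necessary immediately, defers everything else until the user has opted in (via whatever tick box, banner or footer prompt you choose), and records the choice in a persistent first-party cookie so that the prompt is not repeated on every visit. The cookie names (`cookie_consent`, `session_id`, `_ga`, `_pref`) and the two-way 'necessary'/'optional' split are illustrative assumptions, as is the treatment of the consent-record cookie itself as strictly necessary; the in-memory jar exists only so the example runs offline, and `documentJar` is the browser adapter.

```javascript
// Added example (not from the original post): a consent gate that defers
// non-essential cookies until the user has opted in.
//
// Assumptions (not stated in the post): each cookie is tagged 'necessary' or
// 'optional' by the site; the consent record is stored as a persistent
// first-party cookie named `cookie_consent`, treated here as strictly
// necessary to honour the user's own choice. Cookie names are illustrative.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name

// Minimal cookie-jar interface so the gate can run against document.cookie
// in a browser or, as here, against an in-memory jar for offline demonstration.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name).value : undefined),
    set: (name, value, opts = {}) => { store.set(name, { value, opts }); },
    names: () => [...store.keys()],
  };
}

// Browser adapter: document.cookie reads back as one "k=v; k2=v2" string.
function documentJar(doc) {
  return {
    get: (name) => {
      for (const part of doc.cookie.split(';')) {
        const [k, ...v] = part.trim().split('=');
        if (k === name) return decodeURIComponent(v.join('='));
      }
      return undefined;
    },
    set: (name, value, opts = {}) => {
      let s = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`;
      if (opts.maxAge !== undefined) s += `; max-age=${opts.maxAge}`;
      if (opts.secure) s += '; Secure';
      doc.cookie = s;
    },
    names: () => doc.cookie.split(';').map((p) => p.trim().split('=')[0]).filter(Boolean),
  };
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.pending = []; // optional cookies requested before consent was given
  }

  hasConsent() { return this.jar.get(CONSENT_COOKIE) === '1'; }

  // category 'necessary': exempt (strictly needed for the service the user asked for).
  // category 'optional' (analytics, advertising, preferences): only once consent exists.
  // Returns true if the cookie was actually written, false if it was deferred.
  setCookie(name, value, { category = 'optional', ...opts } = {}) {
    if (category === 'necessary' || this.hasConsent()) {
      this.jar.set(name, value, opts);
      return true;
    }
    this.pending.push({ name, value, opts });
    return false;
  }

  // Called from the consent control (tick box, banner button, footer link).
  // Records the choice persistently, then writes anything that was deferred.
  // Returns the number of deferred cookies that were flushed.
  grantConsent({ maxAge = 365 * 24 * 3600 } = {}) {
    this.jar.set(CONSENT_COOKIE, '1', { maxAge, secure: true });
    const flushed = this.pending.length;
    for (const c of this.pending) this.jar.set(c.name, c.value, c.opts);
    this.pending = [];
    return flushed;
  }
}

// Demonstration on the in-memory jar with constructed cookie values.
function demo() {
  const jar = memoryJar();
  const gate = new ConsentGate(jar);
  gate.setCookie('session_id', 'abc123', { category: 'necessary' }); // exempt, set at once
  const analyticsBefore = gate.setCookie('_ga', 'GA1.2.555', { category: 'optional', maxAge: 86400 });
  const flushed = gate.grantConsent();        // user ticks the box
  const analyticsAfter = jar.get('_ga');      // deferred cookie now written
  // A later visit: a fresh gate over the same jar sees the recorded consent,
  // so optional cookies are written without prompting again.
  const later = new ConsentGate(jar);
  const laterSet = later.setCookie('_pref', 'dark', { category: 'optional' });
  return { analyticsBefore, flushed, analyticsAfter, laterSet, consent: later.hasConsent() };
}
```

In a browser you would construct the gate as `new ConsentGate(documentJar(document))` and route every `document.cookie` write through `setCookie`; third-party tags that set their own cookies still need to be loaded only after `hasConsent()` is true, since the gate cannot intercept cookies set from another origin.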

Whichever way you decide to meet the challenge, you'll need a psychiatrist on standby for your digital design team ;-)

Image from Jefferson Park.

Tuesday, 10 May 2011

What Is Identity, Anyway?

It was a pleasure to join a CSFI round-table discussion on identity today. It was the latest in a series of discussions to elucidate the problems with the current approach to identifying customers (and providers) in the financial services context. Subsequent discussions will focus on potential improvements and alternative solutions.

It was a broad-ranging discussion, as you'd expect, and tough to do justice to everyone's remarks, but worth a quick summary. Dr Ian Brown of the Oxford Internet Institute set the context in terms of the various meanings of 'identity' and how other disciplines view it. However, he doesn't believe it's helpful to think in terms of 'identity' itself, as opposed to 'reputation', for example. And in many cases it's not actually necessary for someone to be identified at all (e.g. a tube journey). People's attitudes to privacy vary with context: students have been shown to disclose more in their responses to an informal student survey than to official university research questionnaires. Ian also explained how the technological landscape is evolving - and ought to be encouraged to evolve - including the work of David Chaum and others on how to ensure 'unconditional anonymity', or at least that the transactions you undertake cannot be shown to be related. He suggested that approach could be promoted via initiatives like Project Stork (a project to enable interoperability of EU member state ID cards).

Marc Dautlich of Olswang pointed out that "identity" itself is not legally prescribed, but explained the relevant provisions of the Data Protection Act and the offences created by the Identity Documents Act 2010 relating to the possession of false documentation with improper intent. However, he believes the law does not adequately address the fact that the consequences of misuse of identity or personal data vary greatly according to the context. His sense is that it would be more helpful in the future to regulate for appropriate outcomes rather than regulate identity or personal data itself.

My role was to say something about alternative legal approaches to identity.

From the outset, given the pan-European approach to regulating data protection and money laundering, it's important to consider the difference between common law and civil law attitudes to regulation. In common law jurisdictions the law tends to follow commerce, whereas in civil law jurisdictions there's an expectation that the law should stipulate what can and cannot be done. That means UK players can't sit back and leave market forces to reveal any need for new regulations to support a shift to a new identity model. The EC will be under pressure to regulate how the new paradigm should work, and to influence such regulation we would need to participate in the EU 'social dialogue'.

At any rate, 'identity' is not a constant, but flexible in terms of the data used to distinguish the subject from everyone else, the sources of that data, who controls it and the source of any requirement to identify the subject. Identity is contextual, as Ian mentioned. Some personal data we volunteer happily in a social media situation (or on reality TV), but less so in a formal or institutional situation. Often we have no control over the process. Money laundering regulation, for instance, casts an obligation on product providers to identify their customers by reference to official data.

An organisation's attitude to identity data also tends to be governed by whether the organisation is a 'facilitator' (which exists to solve its customers' problems) or an 'institution' (which primarily exists to solve its own problems). Facilitators try much harder than institutions to ensure that their collection and use of personal data, and treatment of identity, is transparent and proportionate to the customer activity being facilitated, and that 'friction' in the customer experience is kept to a minimum.

However, some institutional identity requirements may be disproportionate partly because the government views the institutions concerned as useful 'choke points' for imposing requirements for public policy purposes, like anti-terrorism or serious crime prevention.

I suggested that in future we determine identity requirements from the consumer/customer standpoint, and ensure they are facilitative and proportionate (rather than simply a hurdle to be cleared). That may also mean solving public policy identification requirements in different ways. The semantic web represents an ideal opportunity to minimise identity issues. For instance, I've long been a proponent of the idea that you should have an applet on your computer that holds your personal profile and can interrogate product providers' semantic data feeds to find, say, an insurance product that's right for you without requiring you to disclose your personal data.

I look forward to seeing the output of this round table process in due course.

Image from Brainstorm Services.

Thursday, 5 May 2011

Do Other EU Countries' Data Protection Laws Apply To You?

A hat-tip to Claire Walker and Shona Kerr for their SCL article on the above question: "Location, Location … Guidance on Applicable Law in International Data Processing Scenarios" (cheap annual subscription applies).

The "guidance" referred to is the Opinion of the EU's Article 29 Data Protection Working Party of national data protection regulators. And, naturally, the answer to the above question is that "it depends".

In essence, the factors for businesses to consider are whether you are the data controller or processor, and whether you have an "establishment" in a given EU Member State and/or are sufficiently involved in processing personal data through "equipment" or some means of processing located in that country. There are helpful detailed examples in the Opinion, but ultimately it's a question of fact and degree that will benefit from discussion with the operational or IT staff who know what's actually going on. Guidance is also given on supervision and enforcement.

This sort of analysis is not exclusive to the law on personal data protection - many local laws and regulations may apply to your cross-border activities in another country, even if you don't operate a physical point of sale there (direct and indirect taxes being critical examples). But it's a useful illustration of the type of issues facing anyone operating on a cross-border basis.

Tuesday, 3 May 2011

Week One: Build A Decent Framework

The first week in any new in-house role or project has many defining moments. Are you friendly and approachable, or nervous and shy? Do you listen respectfully before suggesting improvements, or arrogantly impose your own experience and expertise from the outset? Do you have a plan for how you'll approach your new role, or will you simply react to demands on your time?

One advantage to having worked in nearly a dozen businesses over the past twenty years or so is having the opportunity to experience many 'fresh starts'. Here are three steps I've learned to take each time:

1. Research the business and its products: You should've done this at interview stage (along with understanding the overall market context), but you probably didn't get the whole picture from company filings, web sites and other publicly available material. Depending on seniority, you may not get much more. Play the 'newbie' card while you can. Try to meet the lead business people and ask plenty of questions about their successes and key challenges. Ask each product manager to explain how his or her product works. Make a note of anything that surprises you - good or bad. Understand the business problem-solving methodology (if any), project planning framework (if any) and the end-to-end business processes that comprise or support the products - how customers are signed up, complaints are handled, how distribution works, the supply chains, how contractual rights are enforced. Due diligence reports, regulatory filings, major contracts, sales presentations and process maps all make great source material.

2. Figure out the top ten challenges for the business: This can be a hair-raising experience, especially in a young business or one that's poorly run. Try to be discreet, patient and under-react until you've figured out the list and considered how to align yourself with each challenge. A well-managed business will identify and prioritise its most significant challenges annually. In that case, figuring these out will involve a fairly easy discussion with the boss about the business planning cycle, the current plan and where you fit in. In other cases, there may be no clarity at all, and no process for achieving it - great opportunities for anyone with an analytical mind and a positive attitude. Clearly the annual revenue target, major product launches, acquisitions and any substantial new regulation will be likely to feature in the top ten. Addressing the organisation's substantial strengths, weaknesses, opportunities and threats should round out the list.

3. Figure out the top ten legal challenges: What the lawyers need to do should have become pretty clear by now. Of course you have to factor in your own major initiatives, like getting a handle on significant contracts, contested litigation, training and competence, ensuring appropriate records retention and so on. But some of that will be business as usual. The major challenges should involve cross-functional co-operation - including public affairs and PR.

I'm interested in your thoughts.

Image from De Madera Constructions.