
Showing posts with label marketing. Show all posts

Monday, 23 June 2025

Changes to UK Data Protection Regime

The UK's Data (Use and Access) Act 2025 (DUA) has been passed, though much of it is yet to take effect. There are some important tweaks to the UK's data protection laws (Data Protection Act 2018/UK GDPR and cookies regulation (PECR)). Firms will need to reconsider their privacy policies relating to research, (direct) marketing, cookies and AI in particular. There are now the same potential fines for cookie violations as for UK GDPR breaches - note that the Information Commissioner seems to care more about cookies and automatically scans for non-compliance. If you need legal advice on any of this, please let me know.

Wednesday, 1 February 2023

UK Marketing Rules For Crypto: Muddy Waters?

Amid the sound and fury of crashing crypto businesses you could be forgiven for having forgotten that the UK government was 'busy' consulting on extending its rules for marketing financial services to cover certain 'cryptoassets'. Those rules are still not published, but we are told today they are on the way. There will then be a six-month transition period before they take effect. But beware a few twists...

Qualifying cryptoassets

This might change, but for now the government has broadened the scope of ‘qualifying cryptoasset’ to mean 'any cryptographically secured digital representation of value or contractual rights which is fungible and transferable'. It will not matter, therefore, whether or not the cryptoasset is based on distributed ledger technology (DLT). That technology-neutral approach is consistent with the proposed regulatory treatment of stablecoins used as a means of payment (or 'digital settlement asset').

The definition will specifically exclude: 

  • investments already 'controlled' under financial promotions rules;
  • electronic money under the Electronic Money Regulations 2011;
  • central bank (digital) money; and
  • cryptoassets that are only transferable to one or more vendors or merchants in payment for goods or services, such as tokens used as travel passes, lunch passes, and supermarket loyalty schemes which happen to be cryptographically secure.  

The government has decided to retain the requirement for a qualifying cryptoasset to be 'fungible', on the basis that non-fungible tokens (NFTs) may represent non-financial services products, the NFT market is evolving rapidly and "the government does not yet have sufficient information on risks and use-cases". But it might act later. 

'Wrapping' a fungible token inside an NFT is risky because that might not remove its fungibility and involves a case-by-case assessment - fungibility is not a feature of the asset itself but the context (in some circumstances they might be treated as interchangeable).  

Whether tokens that might have several uses (‘hybrid tokens’) have at least one use that meets the test of a 'qualifying cryptoasset' (or another controlled investment) will be judged at the time the promotion is issued: 

"unregulated cryptoassets such as utility and exchange tokens into the scope of the financial promotions regime (provided they fall within the definition of ‘qualifying cryptoasset’), and security tokens are already captured as controlled investments."  

Note that if a token will qualify as a security token at any time in its lifecycle then it must be treated as one from the outset. 

Controlled activities 

A relevant 'financial promotion' is one that induces someone to engage in a 'controlled activity' in relation to a qualifying cryptoasset. For this purpose there will be no new specific "controlled activities" that will apply only to qualifying cryptoassets. So the activities that promotions must relate to are: 

  • dealing in securities and contractually based investments 
  • arranging deals in investments 
  • managing investments 
  • advising on investments 
  • agreeing to carry on specified kinds of activity 

The government considers the restrictions would not apply to promotions that simply say that a retailer/seller is willing to accept (or offer) qualifying cryptoassets in exchange for goods and services (e.g. a sign at a retail checkout that says ‘we accept crypto’). Since that is not an investment activity of the "controlled" kind listed above, it is simply out of scope entirely and it is unnecessary to specifically exempt it. 

Exemptions

Whether the usual array of exemptions apply to qualifying cryptoassets and related controlled activities will be consistent with the way that the usual exemptions apply more broadly, so there will be no different approach specifically for cryptoassets.

This post does not constitute legal advice. If you need any assistance, please let me know.

Wednesday, 19 June 2019

Extension of FCA Principles And Marketing Rules To Payment Service Providers

From 1 August, the Financial Conduct Authority will begin to enforce its Principles of Business and certain rules on marketing and communications against the payment service providers that it regulates.

The FCA explained its approach in a policy statement earlier this year, but it was likely put off as a summer project, and Brexit will have been a distraction for many. At any rate, chapters 2, 3 and the rules in Annexes A-C are the key parts to read.

Some Key Points

Because many PSPs also provide unregulated services that are allied to their regulated activity (e.g. gateway services and other "technical services" as well as unregulated foreign exchange and e-commerce services), it's important to note that the FCA's high level Principles will also apply to unregulated activities that are "connected" to regulated e-money or payment services. The FCA is refusing to clarify exactly what that means, since the list is long, and this may lead to 'regulatory creep' to the extent PSPs err on the side of caution. 

Equally, a PSP's compliance with the Principles (and even the marketing rules) can be affected by the activities of other group companies - e.g. faulty centralised fraud or risk management systems or other outsourced support services; or misleading ads for an unregulated service that is deemed to be "connected" with the PSP's regulated service.

The FCA is particularly anxious about the misleading promotion of currency transfer services (and 'connected' foreign exchange services, even if unregulated).

The FCA does not care that there is overlap with other advertising and communications requirements - as there is for banks (the 'new' rules on marketing and communications are created by applying the FCA's existing Banking Conduct of Business (BCOB) rules to PSPs). But the FCA does confirm that these rules cannot cut across EU-derived regulations (whither Brexit?).

Next Steps

The extension of the Principles and the marketing rules to PSPs means they will likely need to update various internal policies and procedures, e.g. those dealing with:
  • Governance (reporting lines and responsibilities to control operational risks);
  • Marketing and communications (the policy and procedures for sign off on your ads and communications to ensure they are clear, fair and not misleading) particularly for payment services involving currency transfer services - and any "connected" unregulated activities; and
  • Treating Customers Fairly (with appropriate cross references to other policies). 
That summer project starts now!

Tuesday, 13 March 2012

Privacy Must Be A Core Business Competence

The European Commission's proposed General Data Protection Regulation is just that: general regulation. No longer can businesses afford to treat data protection compliance as a 'bolt-on' to their marketing department, or even the compliance department. CEOs need to understand how the demands of personal data privacy are going to re-shape their business.

Just ask yourself whether you think the following rights go to the heart of any business that deals with individuals: the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing. Not to mention requirements for enhanced internal controls, numerous enforcement and compliance burdens, and the obligation to appoint a data protection officer.

The trouble is, none of these concepts is straightforward, nor are the rules easily digested.

But digest them you must. Even if they don't make it onto the statute books, the genie is out of the bottle. Many of these 'rights' reflect the current concerns of at least some consumers (albeit most of them probably also happen to work for the European Commission and various consumer groups). Existing services will be judged against them as 'best practice'. Some businesses and new entrants without legacy systems will factor them into new services. And if they do make it onto the UK's statute books, you can bet they'll be gold-plated.

The Society for Computers and Law has done a great job of stimulating debate on the EC's proposals, and helping identify the implications for businesses generally. But there's a long way to go before the practical implications for businesses and business models are understood and fed back to the authorities in time for a new directive to be finalised in 2014. In fact, bitter experience suggests this won't happen at all.


At a recent seminar, Mark Watts, Chair of SCL's Privacy and Data Protection Group, polled about 100 delegates on the questions asked in the 4-week Ministry of Justice consultation on the EC's plans. The results can be downloaded via the Society for Computers and Law web site. One response made a telling point:

'Writing wide-ranging, broadly applicable laws that affect almost everything a business does but which can only be interpreted and implemented with the assistance of specialist data protection lawyers is surely not the best way to go. Laws that potentially affect so much of what ordinary business does on a day to day basis should be capable of being understood by "ordinary businessmen". The Regulation is a long way from this and will keep data protection lawyers in business for years.'

Further, as Dr Kieron O'Hara explains in relation to the technological challenges presented by the 'right to be forgotten' in his excellent article in this month's Computers & Law magazine, the EC's ambitious plan for personal privacy requires "a socio-legal construct, not a technical fix."




Tuesday, 3 May 2011

Week One: Build A Decent Framework

The first week in any new in-house role or project has many defining moments. Are you friendly and approachable, or nervous and shy? Do you listen respectfully before suggesting improvements, or arrogantly impose your own experience and expertise from the outset? Do you have a plan for how you'll approach your new role, or will you simply react to demands on your time?

One advantage to having worked in nearly a dozen businesses over the past twenty years or so is having the opportunity to experience many 'fresh starts'. Here are three steps I've learned to take each time:

1. Research the business and its products: You should've done this at interview stage (along with understanding the overall market context), but you probably didn't get the whole picture from company filings, web sites and other publicly available material. Depending on seniority, you may not get much more. Play the 'newbie' card while you can. Try to meet the lead business people and ask plenty of questions about their successes and key challenges. Ask each product manager to explain how his or her product works. Make a note of anything that surprises you - good or bad. Understand the business problem-solving methodology (if any), project planning framework (if any) and the end-to-end business processes that comprise or support the products - how customers are signed up, complaints are handled, how distribution works, the supply chains, how contractual rights are enforced. Due diligence reports, regulatory filings, major contracts, sales presentations and process maps all make great source material.

2. Figure out the top ten challenges for the business: This can be a hair-raising experience, especially in a young business or one that's poorly run. Try to be discreet, patient and under-react until you've figured out the list and considered how to align yourself with each challenge. A well-managed business will identify and prioritise its most significant challenges annually. In that case, figuring these out will involve a fairly easy discussion with the boss about the business planning cycle, the current plan and where you fit in. In other cases, there may be no clarity at all, and no process for achieving it - great opportunities for anyone with an analytical mind and a positive attitude. Clearly the annual revenue target, major product launches, acquisitions and any substantial new regulation will be likely to feature in the top ten. Addressing the organisation's substantial strengths, weaknesses, opportunities and threats should round out the list.

3. Figure out the top ten legal challenges: What the lawyers need to do should have become pretty clear by now. Of course you have to factor in your own major initiatives, like getting a handle on significant contracts, contested litigation, training and competence, ensuring appropriate records retention and so on. But some of that will be business as usual. The major challenges should involve cross-functional co-operation - including public affairs and PR.

I'm interested in your thoughts.


Image from De Madera Constructions.