
Retail Digest

AUTUMN 2016


Welcome to the Retail Digest. Here we provide an insight into this year’s developments that have impacted businesses in the retail sector. We explore the challenges facing businesses day-to-day and offer advice on how to respond in these times of uncertainty. Topics we have examined in this edition include:

• Brexit: its impact on supply chains, customs duty and what it means for EU nationals

• the new EU data protection law and its effect on UK and EU businesses

• the Privacy Shield

• zero-hours contracts and what lies ahead

• cybercrime: the TalkTalk case

• the impact of the ODR Platform and Consumer ADR Regulation on online retailers

2016 has been a strong year for Travers Smith’s retail team, advising clients on legal developments in the sector as well as continuing to advise on corporate transactions including mergers and acquisitions, IPOs and refinancings. If you need assistance or have suggestions in relation to any issues raised in this publication, please do not hesitate to contact any member of our retail sector team as described on page 28.

Travers Smith is “praised for its strong understanding of the retail industry, offering experts in commercial contracts, franchising, corporate transactions, IP and brand protection.” (Chambers Guide to the UK Legal Profession)

“The team has ‘incisive business acumen’, gives ‘strong and practical advice’ and ‘invests in us to understand our business’.” (Legal 500)


Adrian West, Sector Head, Partner, Corporate Finance Group

E: [email protected] T: +44 (0)20 7295 3419


Contents

06 Customs duty: the potential impact of Brexit for UK retail
10 Brexit: what now for EU nationals in the retail sector?
12 New EU data protection law – what next?
14 Privacy Shield: up and running – for now…
16 Zero-hours contracts: do they have a future?
18 Hacks, cyber-attacks and simple human error: protecting personal data
20 Resolving consumer disputes: new obligations for ODR & ADR?


Customs duty: the potential impact of Brexit for UK retail

Half of the UK’s goods exports are made to countries within the EU. Following the Brexit vote in June, businesses with complicated cross-EU product supply chains will need to start considering the impact that changes to import/export duties will have on their businesses, as well as the potential impact of additional customs clearance procedures.

In this note, we outline the current UK position on customs duty, how this could change post-Brexit, and the practical implications for UK businesses to begin considering at this stage.

What is the current position?

The UK is currently part of the EU’s Customs Union. Customs duty is imposed on goods entering the EU and is collected by the Member State of import. The tariff which is applied depends on the type of product, its value and its country of origin. The majority of revenue that the UK collects from customs duty is remitted to the EU.

The movement of goods between EU Member States is duty-free. There is no requirement to prepare declarations of import or export for goods originating in the EU, although certain administrative requirements designed to collect trade statistics must be met (an EC sales list must be filed monthly and, if sales exceed a certain threshold, an Intrastat return must also be filed).

Products from non-EU countries require a certificate of origin. However, once imported into the EU, these goods can circulate freely within the EU.

How could this change post-Brexit?

Following Brexit, the UK will need to implement its own legislation on customs duty, unless a deal is struck during negotiations which makes this unnecessary or a decision is made not to impose customs duty altogether. The nature of the legislation and the tariff rates will depend on the type of trade agreements that the UK negotiates with the EU and countries outside the EU. There has been much commentary about the different models that the UK could adopt post-Brexit, and at the current point in negotiations it is not yet clear which approach is most likely to be taken.

However, whilst these options are different in non-tax respects (such as in the level of contribution to the EU’s budget and level of single market access for trade in services), from a customs duty perspective the difference between them ultimately depends on whether the option chosen is a free trade agreement or a customs union.

The default option: WTO rules?

The post-Brexit default option for the UK would be to rely on trading under the World Trade Organisation (WTO) rules. However, although the UK is currently a WTO member, the terms on which it trades under the WTO framework are negotiated by the EU, on an EU-wide basis; it is thought that these would need to be re-negotiated on the basis of the UK being outside the EU, although the precise legal position is unclear.

Such a re-negotiation would require the agreement of all 163 other WTO members. As such, it is expected that this process would take several years.

During the interim period following Brexit whilst the UK seeks to resolve these issues, WTO members would still be able to trade with UK businesses and consumers but they could elect to apply considerably higher tariffs than would be applicable to transactions with other WTO members.

Impact of WTO rules

Assuming the UK is able to resolve any issues with the terms on which it will trade under the WTO framework, it will be able to benefit from WTO rules. These provide that each WTO member must apply the same external tariffs (the ‘most favoured nation’ (MFN) tariffs) to imports from all other WTO members. The main exception is where WTO members agree preferential tariff rates under a customs union or free trade agreement, in which case lower tariffs may be applied. The impact of this would be as follows:

• Exports: as the UK would no longer be a member of the EU, the EU’s common external tariffs would apply to UK exports to the EU, making it less attractive for EU companies and consumers to source goods from the UK. The average external MFN tariff is 5.3 percent, but there are much higher tariffs for certain products, such as food, drink, textiles and vehicles.

• Imports: the UK would be free to set its own import tariffs on goods imported from other countries and keep the revenue this generates. However, if the UK wishes to keep trade with the EU tariff-free, it would need to unilaterally lower the tariffs for all other WTO members (which would be unattractive, as it would undermine its bargaining power in the negotiation of free trade agreements). Alternatively, the UK could impose tariffs on imports from the EU, which would make goods more expensive for UK businesses and consumers who currently source them from the EU.


Leaving the EU customs union is also likely to lead to a significant increase in customs clearance procedures particularly on goods passing through ports and airports. This will lead to an additional cost for businesses, resulting in either increases in price or reduced margins. It may also pose logistical challenges in particular during the transitional period unless very significant resources are committed by both the UK and the EU to put in place rapid customs clearance procedures. The potential for serious delay is illustrated by the effect of increased security checks which were imposed in France this summer, leading to 12 mile tailbacks in the UK at Channel crossing points.

Remaining in the customs union

It may be possible for the UK to negotiate to remain part of the existing EU customs union on its current terms. This ‘soft Brexit’ approach would retain the status quo, and the UK would be required to make contributions of collected duty to the EU budget. However, no non-EU country has previously negotiated an agreement with the EU which does not require it to levy customs duties and/or comply with procedural requirements. It would also severely restrict the UK’s ability to conclude free trade agreements with countries outside the EU – a freedom which is regarded by some as one of the key benefits of Brexit.

Free trade agreements (FTAs)

If the UK ceases to be part of the EU customs union and the Single Market, the UK will need to renegotiate its trading position with the EU and also with non-EU countries. One key implication of the UK leaving the EU customs union is that it may no longer have access to the benefit of the preferential tariffs negotiated under the EU’s multiple FTAs with non-EU countries. It is expected to take the UK a significant time to renegotiate these FTAs and, if it is not possible to secure the same preferential tariffs, this would make UK exports more expensive.

What are the practical implications of Brexit now for UK retail businesses?

Whilst it is not yet clear what impact Brexit will have on customs duty in the UK, businesses can put themselves in the best position possible to pre-empt the potential implications of Brexit by being proactive and aware of the ongoing process. A number of steps that retailers could consider taking now are outlined in the box opposite.

In terms of contractual protection, whilst contracts for the sale of goods entered into with non-EU countries usually include the Incoterms published by the International Chamber of Commerce, most contracts for the sale of goods between businesses in different EU member states are silent on customs duties, because to date this has not been relevant.

Therefore, businesses may consider including language in contracts for the sale of goods between UK and EU businesses and consumers to apportion the risk in the event customs duties are levied on the supply. These provisions could specify which party will be responsible for any customs duties, for the cost of filing import/export declarations, for customs agents’ fees and for any other related costs.

Contractual provisions could also be included to give a purchaser the right to walk away from a contract if, for example, the customs duties levied exceed a specified threshold.

Finally, the impact of tariffs on the retail sector has recently been highlighted in a report from the British Retail Consortium.

Steps retailers can take now: tariffs

• Investigate how much of your product is sourced from other EU countries and whether it includes categories of goods likely to be subject to higher tariffs;

• Amend key supply contracts relating to product sourced from other EU countries to deal with customs duties and clearance (see opposite).

If tariffs on products sourced from the EU are likely to impose significant additional costs, consider:

• investigating alternative sources of supply from the UK (where no tariffs will apply) or non-EU countries (where the same tariffs are likely to apply as in relation to the EU, but costs of production may be lower);

• whether, if necessary, the affected product line could be dropped or replaced with a different product available at a more acceptable price.

Steps retailers can take now: customs

Retailers concerned about the impact of delays at customs following Brexit may also wish to consider:

• making contingency plans to review and potentially increase stock levels in the run-up to any change in customs procedures;

• seeking assurances that logistics providers will be prepared for any changes – for example, ensuring that their drivers have relevant permits if needed to drive in the EU post-Brexit and that where practical, voluntary systems to ease the passage of goods through customs (such as TIR) will be adopted.

FOR FURTHER INFORMATION, PLEASE CONTACT

Simon Yates, Partner, Tax
E: [email protected] T: +44 (0)20 7295 3414

Maudie Leach, Associate, Tax
E: [email protected] T: +44 (0)20 7295 3298

Kathleen Russ, Partner, Tax
E: [email protected] T: +44 (0)20 7295 3230


Brexit: what now for EU nationals in the retail sector?

Theresa May has come under criticism from fellow Conservative MPs for refusing to guarantee the rights of EU nationals living in the UK.

The issue is of great concern to the many EU nationals who currently live and work here, particularly those employed in the retail sector. It is also a concern for their employers.

While there is no indication that the rights of EU nationals will be affected in the short-term, the longer-term picture remains unclear. So, what can owners of retail businesses be doing to mitigate the risk?

• EU audit: Many retail employers are conducting an audit of the number of EU nationals currently working for the organisation, and the parts of the business in which they are working, to help identify the scale of the issue should the rights of EU citizens be altered in the future. Such an audit will be helpful for future resourcing and budgeting.

• Providing reassurance: Some employers are sending all-staff communications offering reassurance, while others are having individual conversations with affected staff. Employers must be careful not to offer any guarantees, when so much remains uncertain, but there is scope for some reassurance that nothing is changing in the short-term and that support would be provided if things did change in the longer-term. Retailers may wish to consider what that support might look like.

• Providing information: Employers may wish to keep track of Brexit-related news and provide periodic updates to staff. Employers may also wish to encourage EU nationals working for them to consider applying for proof of their residency rights. EU nationals can currently apply to the Home Office for proof of their right to live and work in the UK, including permanent residency rights for those who have lived in the UK for at least 5 years. While such proof is currently unnecessary for most EU nationals, it may provide helpful evidence in future if the immigration rules do change. Those who have obtained proof of their permanent residency rights may also be eligible to apply for British citizenship, which would provide security.

The position of EU nationals working in the UK retail sector may not be clear until negotiations on Britain’s exit from the EU, which are scheduled to begin at the end of March 2017, have been resolved. Many retailers will therefore want to take steps to calm nervousness in the meantime.

FOR FURTHER INFORMATION, PLEASE CONTACT

Tim Gilbert, Partner, Employment
E: [email protected] T: +44 (0)20 7295 3207

Adam Rice, Professional Support Lawyer, Employment
E: [email protected] T: +44 (0)20 7295 3224

Anna West, Professional Support Lawyer, Employment
E: [email protected] T: +44 (0)20 7295 3316


New EU data protection law – what next?

The new EU General Data Protection Regulation (GDPR) has entered into force and will apply from 25 May 2018. It makes big changes to data protection law, and involves a significant increase in the maximum fines which can be levied.

For various reasons it (or something very like it) will probably apply after Brexit (now expected in 2019). So what do you need to do to plan for implementation of GDPR?

Every retailer should start to consider the issues and changes they will need to plan for, both in terms of their procedures and their technology. Some of these may involve substantial lead times, not least if transition is to be effected in an economical manner. To assist in this, the UK Information Commissioner’s Office (ICO) has published a list of 12 steps to take now. We summarise this below, with our own commentary.

Awareness

• General: decision makers in your business need to know that important changes are coming, because of the impact on operational effectiveness, costs and risk. Operational effectiveness? Because you may not be able to use a current CRM database. Costs? Because technology and resource requirements may need to be budgeted for. Risk? Because the impact of stricter rules and higher fines needs to be assessed.

Data mapping

• An essential starting point will be to map out what personal data you hold, why and where you hold it, how long it is kept for and who you share it with – and how the picture may look in 2018 and beyond. Only by having a reliable and up-to-date picture will you be in a position to start planning your GDPR compliance programme.

Consent

• Often you will need to show that a data subject has consented to your use of their data. The requirements surrounding obtaining and being able to demonstrate consent to your use and re-use of data will get a lot tighter (particularly in direct marketing, use of online behavioural advertising etc – for instance “opt out” boxes will no longer be acceptable). As well as updating your technology, you may need to re-consent your marketing database and update privacy notices in time for 2018.

Processing justified?

• You will also need to show why, legally, you are justified in holding and using data. This will need careful analysis to make sure that, where you need to hold data for business purposes, the necessary conditions are satisfied to legally justify its processing under GDPR.

Technology issues

• The new rules could well mean that you need to re-build your websites to make sure you get appropriate consents to your use of personal data and cookies; and then you may need to update your supporting IT systems to ensure that you can demonstrate consent if challenged.

• Data cleansing and the “right to be forgotten”: you will want your technology to be capable of supporting easy rectification (or erasure) of data and (as now) suppression of direct marketing where this is requested.

• Portability. Individuals will have a right to data portability in a commonly used machine readable format, to transfer it to other service providers. How will you do this?

Data protection by design and privacy impact assessments

• What is currently a recommendation from regulators will move to be binding law, and you will need to show that your internal processes implement data protection by design and by default (e.g. the principle of data minimisation: only collect, use and retain data you need). Both existing and new types of processing may need you to carry out a privacy impact assessment (PIA) where there is a high risk to individuals (but how can you tell, without doing a PIA anyhow? Further guidance will be developed on this by regulators). This will need careful planning to embed it in your corporate culture.

Contracts

• Not an issue raised by the ICO, but also important – if you are entering into arrangements that may still be in place in 2018 under which you are sharing personal data with others (joint controllers, data processors etc.), you will need to consider how to “future proof” the contract terms so that you can make sure that all necessary changes are made in time to keep you compliant. This could apply to outsourcing arrangements for example.

The ICO list of things to do now contains a number of further steps that you may feel are less urgent, or which may be of more limited relevance to your business. These are:

• Subject access requests: The timescale for responding will become shorter. You will need to update existing procedures.

• Children: If you deal with children, the rules are getting tighter. For example, how will you verify ages? How will you get parental consent where needed?

• Data breaches: There will be a legal duty to report data breaches within a short timescale (for reports to the regulator, within 72 hours of becoming aware of the breach). Your systems and incident response procedures will need to be able to meet it.

• Data protection officers: You may need to appoint a DPO. GDPR requires this for certain categories of data user. If required to do so, it may make sense to recruit someone now to spearhead your GDPR implementation programme.

• International: If you operate internationally (and depending on your structure), there may be decisions to be made about which lead supervisory authority you will come under (the so-called “one stop shop”) as well as needing to review how existing transfers of personal data outside the EEA will continue to be permitted.

Brexit adds a further layer of complexity since, if you offer goods or services to individuals in other EU Member States or monitor their behaviour (online profiling, behavioural advertising etc), you will need to comply both with UK rules post Brexit, and with GDPR as it applies to the EU.

FOR FURTHER INFORMATION, PLEASE CONTACT

Louisa Chambers, Partner, Commercial, IP & Technology
E: [email protected] T: +44 (0)20 7295 3344

Dan Reavill, Partner, Commercial, IP & Technology
E: [email protected] T: +44 (0)20 7295 3260

Alistair Wilson, Consultant, Commercial, IP & Technology
E: [email protected] T: +44 (0)20 7295 3345


Privacy Shield: up and running – for now…

You may recall our item in our 2015 Retail Digest dealing with the data protection “Safe Harbor”. Things have moved on. From 1 August 2016, you have been permitted to transfer personal data from the EU to organisations in the US that have committed to adhere to the principles of the EU-US Privacy Shield, which has replaced Safe Harbor. Here we examine what this means for UK and other EU businesses.

Privacy Shield: a reminder of the story so far

EU data protection law states that personal data must not be transferred to a territory outside the EEA unless that territory ensures an adequate level of protection. The European Commission may make a positive finding of adequacy in relation to a third-country territory (which is then binding on Member States). Even if a territory’s laws have not been found adequate, a transfer of personal data may still be lawful on a number of other grounds, but these are beyond the scope of this briefing.

No general finding of adequacy has ever been made in relation to the US, so the Safe Harbor program was approved in 2000 as a method of providing adequate protection for data transfers to the US. (Other methods of permitting transfers to the US also exist).

In October 2015, the Court of Justice of the European Union (CJEU) declared the Safe Harbor framework invalid, in the case of Maximillian Schrems v Data Protection Commissioner. The case stemmed from a complaint filed by privacy campaigner Max Schrems at the Irish DPA, in respect of the transfer of his data by Facebook Ireland to Facebook Inc, located in the US.

In July 2016 the European Commission adopted a replacement for the Safe Harbor – the EU-US Privacy Shield.

There has been criticism of Privacy Shield as not fully responding to the “Schrems” case; can businesses rely on it?

The legal answer is yes. From 1 August 2016, transfers of personal data from the EU to Privacy Shield self-certified/registered organisations in the US are permitted.

The commercial answer is slightly more nuanced. Not all US based data importers can use the framework. As with Safe Harbor, it only applies to organisations that are within the jurisdiction of the US Federal Trade Commission or Department of Transportation (which excludes certain industries e.g. financial services, insurance and telecommunications).

Moreover, the adopted text of the Privacy Shield has already been criticised. European regulators are concerned. They have said that they will not make an immediate challenge to the decision of the EU Commission, but the position will be assessed after one year. Their latest statement gives potential support to others who may plan a Schrems-style challenge. In current circumstances some attack on the Privacy Shield seems likely.

So why use it? For organisations in the US whose business model involves the bulk import of personal data (cloud data hosting in particular) the Privacy Shield is relatively easy to adopt and therefore has attractions. Many US-based IT service providers used the Privacy Shield forerunner, Safe Harbor, and this pattern may be repeated. And, given the minimal administrative burden on data exporters, EU businesses will find it convenient to agree to use the Privacy Shield where it is on offer from their counter-party, while continuing to rely on other existing mechanisms (such as EU Standard Contractual Clauses, “model clauses”) for, say, intra-group transfers. Of course, even these alternatives aren’t necessarily safe from challenge: a case brought by the Irish Data Protection Commissioner is underway, which queries the legal status of data transfers under the model clauses. That said, as with the Privacy Shield, the possibility of future changes in regulatory analysis should not prevent businesses using these mechanisms for the time being.

How does Privacy Shield fit in with the GDPR? The newly adopted General Data Protection Regulation (GDPR) will apply in all Member States of the EU from 25 May 2018 to replace the existing Directive. The GDPR adopts restrictions on the export of personal data from the EEA which are similar to the Directive (i.e. the need for “adequacy”), but raises the standards of what is “adequate”. While the GDPR says that existing adequacy decisions under the Directive (which includes the Privacy Shield) remain in force until amended, replaced or repealed, the raising of the bar could well make successful challenge more likely, or put pressure on the EU Commission to conduct an early (and negative) review.

And what about Brexit? Brexit is unlikely to take place before the GDPR becomes law in the UK, and the Privacy Shield will remain a useful mechanism for UK businesses until then (subject to challenge or amendment as described above). After Brexit, the UK will need to have in place legislation that allows an EU adequacy decision to be made in its favour, in order to ensure the continued free flow of personal data between the EU and UK, i.e. equivalent to the GDPR (and if the UK joins the EEA, we will have GDPR in full anyhow). Because of that, something like the Privacy Shield will still be needed to facilitate the transfer of personal data from the UK to the US, with protection equivalent to the EU. However, at present the Privacy Shield only applies to the EU, so unless revised, a bi-lateral UK – US equivalent would seem to be needed.

FOR FURTHER INFORMATION, PLEASE CONTACT

Dan Reavill, Partner, Commercial, IP & Technology
E: [email protected] T: +44 (0)20 7295 3260

Louisa Chambers, Partner, Commercial, IP & Technology
E: [email protected] T: +44 (0)20 7295 3344

Alistair Wilson, Consultant, Commercial, IP & Technology
E: [email protected] T: +44 (0)20 7295 3345

James Longster, Senior Associate, Commercial, IP & Technology
E: [email protected] T: +44 (0)20 7295 3469


Zero-hours contracts: do they have a future?

Zero-hours contracts have been the target of much criticism in the press, as have employers who use them. As a result, some businesses, including Sports Direct, JD Wetherspoon and the Everyman cinema chain, have recently announced that they are planning to reduce their use of zero-hours contracts, offering many of their workers permanent contracts instead.

So what exactly are zero-hours contracts, and are they a good or bad idea for retailers?

Zero-hours contracts – upsides and downsides

A “zero-hours contract” refers to any casual arrangement where there is no obligation on the employer to offer work and no obligation on the worker to accept it, although some contracts require the worker to accept any shifts which are offered. Until last year, a zero-hours worker could be prevented from working for any other employer, but such “exclusivity clauses” were banned in March 2015.

Workers on zero-hours contracts benefit from many employment rights, including national minimum wage, holiday, protection from discrimination and potentially unfair dismissal and statutory redundancy (in certain circumstances).

Around 903,000 people in Great Britain are on some form of zero-hours contract (according to a survey this year by the Office for National Statistics). Although this is an increase on the previous year (from 747,000), it still amounts to less than 3 percent of the GB workforce.

Zero-hours contracts have been criticised for failing to provide workers with any security or certainty of earnings. Workers who are not contractually obliged to accept work have reported that, in practice, they feel they have to accept whatever work they are offered, even at very short notice, for fear that if they refused they would not be offered work again.

However, many workers are reportedly happy with zero-hours contracts. According to the ONS survey, only 31 percent of workers on zero-hours contracts wanted more work than they were being offered. A separate survey last year (by the Chartered Institute for Personnel and Development) found that 65 percent of zero-hours contract workers reported being satisfied with their jobs.

As far as businesses are concerned, zero-hours contracts offer valuable flexibility. In the CIPD survey last year, 66 percent of employers said they used zero-hours contracts to manage fluctuations in demand.

The Government reviewed the use of zero-hours contracts in 2014 and resisted calls to ban them, citing the need for businesses to retain flexibility, particularly in a difficult economic climate. However, Theresa May has recently launched a review of employment practices with a view to ensuring workers’ rights are protected, which will include consideration of zero-hours contracts. Labour has stated that it would ban zero-hours contracts if it came into power and earlier this year such a ban was introduced in New Zealand.

The future

Whilst zero-hours contracts have been on the rise, it seems there may now be something of a move away from them, since they have recently become synonymous with perceived exploitation of workers by large businesses, which is a reputation any organisation will want to avoid. With the Government focussing on workers’ rights, the way in which employers treat their staff will remain under intense scrutiny. With this in mind employers may wish to conduct a review of their use of zero-hours contracts to ensure that they are not being relied upon unnecessarily but are needed for genuine business reasons.

FOR FURTHER INFORMATION, PLEASE CONTACT

Tim Gilbert, Partner, Employment
E: [email protected] T: +44 (0)20 7295 3207

Anna West, Professional Support Lawyer, Employment
E: [email protected] T: +44 (0)20 7295 3316


Hacks, cyber-attacks and simple human error: protecting personal data

The UK data protection regulator (the ICO) has now completed its investigation of the TalkTalk cyber-attack, and it makes difficult reading for TalkTalk.

TalkTalk’s fine

The ICO has fined TalkTalk £400,000 (or £320,000 if paid by 1 November). This is the highest fine yet levied by the ICO. The ICO press release comments that TalkTalk had security failings which allowed the attacker to access customer data (including bank account details) “with ease”, and that TalkTalk could have prevented the attack in October 2015 if it had taken basic steps to protect customers’ information.

Recently appointed Information Commissioner, Elizabeth Denham, commented: “Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk could and should have done more to safeguard its customer information…Cyber security is not an IT issue, it is a boardroom issue.”

How did TalkTalk get hacked?

The attacker used a common technique known as SQL injection (to which known defences exist) to access data via three webpages that proved vulnerable – TalkTalk was unaware of the webpages, inherited in a 2009 acquisition, or that they enabled access to a database holding customer information. Moreover, TalkTalk was unaware that the installed version of the database was outdated, was no longer supported by the provider and was affected by bugs to which a fix was available. That fix (well publicised in 2012) would have prevented the successful attack. The company also suffered two earlier attacks in July and September 2015 (of which at least one was successful) which it failed to respond to.

What could TalkTalk have done better?

According to the ICO, TalkTalk should have been able to:

• spot the web pages it had overlooked

• secure or remove them

• ensure adequate testing and monitoring (and react to threats quickly)

• apply the bug fix available since 2012 or upgrade to a newer version of software unaffected by the bug.
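To make concrete the technique named above and the ICO’s point that such pages should be “secured or removed”, the following Python is an added example written for this digest; it is not TalkTalk’s code, nor anything taken from the ICO report. It places a lookup that builds its SQL by string formatting beside the parameterised version that is the standard defence, and runs both against a constructed in-memory SQLite table (the customer names and account strings are invented, and SQLite stands in for whatever database product TalkTalk actually ran). A small input check is included for the monitoring point: it does not replace parameterisation, it only gives operations staff something to alert on.

```python
"""Added example (not TalkTalk's or the ICO's code): a SQL-injection-prone
lookup beside its parameterised replacement, with a simple monitoring hook."""
import re
import sqlite3

# Constructed sample data standing in for the inherited customer database
# described in the article. Nothing here is real.
SAMPLE_ROWS = [
    ("alice", "GB00DEMO00000000001"),
    ("bob", "GB00DEMO00000000002"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The weak pattern: user input is pasted into the SQL text.

    A quote character in `username` ends the string literal early and the
    rest of the input is parsed as SQL, which is what SQL injection is.
    """
    sql = "SELECT username, account FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The defence: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Characters that have no place in a username and that monitoring can alert
# on. This is a detection aid for the "testing and monitoring" point, not a
# substitute for parameterised queries.
_SUSPICIOUS = re.compile(r"['\";]|--|/\*")


def looks_suspicious(value):
    """Return True when a submitted value contains SQL metacharacters."""
    return bool(_SUSPICIOUS.search(value))


def demo():
    """Run both lookups on a normal and on a quote-bearing input.

    Returns the number of rows each variant hands back so the difference in
    behaviour is visible: the vulnerable query leaks every row, the
    parameterised one correctly finds nothing for the malformed input.
    """
    conn = make_db()
    normal = "alice"
    # Constructed malformed input: a closing quote followed by an always-true
    # clause, the textbook shape the known defences exist to neutralise.
    malformed = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "safe_normal": len(lookup_parameterised(conn, normal)),
        "safe_malformed": len(lookup_parameterised(conn, malformed)),
        "flagged": looks_suspicious(malformed),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns both constructed rows for the malformed input, exactly the “with ease” outcome the ICO describes, whereas the parameterised lookup returns none; the monitoring check flags the same input so that an attempt, successful or not, is noticed rather than left unanswered as the July and September 2015 attacks were.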

These risks were well known by 2015 and the errors have been seen before, so it is not surprising that a fine has resulted. We regularly see similar errors. Nonetheless, the ICO response is unusually forthright and, with the size of fine imposed, may mark the start of a more deterrent approach from the traditionally light-touch regulator – though the cost of resolving the incident, which TalkTalk has put at about £60m, and the reputational damage will always produce an incentive to keep security up to date. It is also a reminder of the importance of proper cyber-security for all businesses, no matter how large or small.

Higher fines in future?

As a footnote, it should be added that from May 2018 the new General Data Protection Regulation will take effect. While the basic obligation to ensure “appropriate” data security remains unchanged, the level of potential fines will increase substantially – to a maximum of the higher of 4 percent of worldwide annual turnover and EUR 20,000,000.

FOR FURTHER INFORMATION, PLEASE CONTACT

Dan Reavill, Partner, Commercial, IP & Technology

E: [email protected] T: +44 (0)20 7295 3260

Alistair Wilson, Consultant, Commercial, IP & Technology

E: [email protected] T: +44 (0)20 7295 3345

Louisa Chambers, Senior Associate, Commercial, IP & Technology

E: [email protected] T: +44 (0)20 7295 3344

Jonathan Rush, Professional Support Lawyer, Commercial & Competition

E: [email protected] T: +44 (0)20 7295 3471

ICO report says: “For no good reason, [TalkTalk] appears to have overlooked the need to ensure that it had robust measures in place…”

In our previous article on cyber security we pointed out that hacking often succeeds because of basic human error. The ICO found that, in spite of TalkTalk’s expertise and resources, the company was wanting when it came to the basic principles of cyber security.


Resolving consumer disputes: new obligations for ODR & ADR?

The Alternative Dispute Resolution for Consumer Disputes (Amendment) Regulations 2015 (the “ODR Regulations”) introduced the European Commission’s online dispute resolution platform (the “ODR Platform”), with effect from 15 February 2016.

Who does the ODR Platform apply to?

The ODR Platform applies to nearly all traders and marketplaces established in the EU who sell goods, services or digital content online or via other electronic means. This covers both online traders selling directly to consumers via their own websites, and those providing online marketplaces where consumers can buy goods, services, or digital content (such as Amazon or eBay). “Other electronic means” includes social media, email, telephone, fax and text messages.

What do I have to do to comply?

Provide a link to the platform: The ODR Regulations require that all traders and online marketplaces covered by them must incorporate an easily-accessible electronic link to the ODR Platform on their website by 15 February 2016 (the link can be found here). A logical place for this would be alongside existing complaints information.

Provide an e-mail address: In addition, an online trader must also state their email address (an online contact form not stating an e-mail address is insufficient).

What is the ODR Platform?

The ODR Platform is intended to be used by online traders/market places to provide an easier and more efficient method of resolving disputes with consumers who have a complaint about goods or services they have bought online.

It will provide a portal for consumers to submit a complaint to a relevant, registered alternative dispute resolution (“ADR”) provider with the aim of resolving the dispute (although traders are not obliged to use ADR).

Whilst focused primarily on facilitating the resolution of cross-border disputes for those selling online in the EU, the ODR Platform still applies to those selling only within the UK.

The ODR Platform was originally intended to go live on 9 January 2016, but will now be operational for both consumers and traders on 15 February 2016 here.

Check you are not bound to use alternative dispute resolution (ADR) already: For traders already obliged or opting to use ADR (see below for further discussion of ADR), through signing up to an ADR scheme, through law, through being a member of a trade scheme, or by way of the terms of their contract, the ODR Regulations impose additional obligations to:

• Inform consumers of the existence of and potential to use the ODR Platform to resolve disputes.

• Provide a link to the ODR Platform in any offer made to a consumer by email.

• Include information about the ODR platform and a link to it in the general terms and conditions applicable to any online sales or service contracts.

Failure to comply: Trading standards services may apply for a court order requiring any online trader or marketplace failing to comply with the information requirements above to do so, although in practice the trader will normally be warned first. Continued failure following such a court order may lead to an unlimited fine and up to two years’ imprisonment.

Am I obliged to use the ODR Platform? No, the ODR Regulations do not require the trader/marketplace to use the ODR Platform, simply to give notice of it. However, the ODR Regulations are intended to supplement additional regulations on consumer ADR brought into force in October 2015, and any trader must be aware of their obligations to provide information about ADR providers and whether they intend to use them or not.

A re-cap on ADR obligations

The Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015 (the “Consumer ADR Regulations”) came into force on 1 October 2015 and implement the ADR Directive, intended to promote ADR as a means of redress for consumers in relation to unsatisfactory goods or services, particularly for online sales in the EU.


Is ADR compulsory? There is no general rule in law that says that ADR must be used to resolve a dispute. However, in some sectors ADR is compulsory. For example, most financial services consumers can insist that their complaint be dealt with by the Financial Ombudsman Service. Also, estate agents and telecommunications traders must belong to an ADR scheme, although they have a degree of choice about which one.

In sectors where ADR is not compulsory by law, traders may nevertheless be members of a trade association or a “trusted trader” scheme that requires its members to use ADR. Such schemes often provide or arrange the ADR scheme for their members.

A trader can also use their own contract terms to require themselves to use ADR, although they cannot insist that a consumer does so.

Even where there is no obligation requiring the use of ADR, the Civil Procedure Rules (CPR) require parties to any dispute to consider whether ADR is appropriate both before civil proceedings are commenced, and throughout the life of the case. Again, the CPR does not make ADR compulsory, but if a party chooses not to participate without good reason, then it may suffer adverse costs consequences. That said, most consumer claims are brought under the small claims track where adverse costs orders are less likely to be an issue.

The Impact of the Consumer ADR Regulations

The Consumer ADR Regulations provide for the designation of competent authorities to vet and approve those who apply to become an ADR provider, together with the standards that a certified ADR entity must meet. For those in the retail sector, the Chartered Trading Standards Institute (the “CTSI”) is the competent authority. ADR providers that have already been approved by the CTSI are listed on its website here. The ADR mechanism which these providers will offer under the Regulations is designed to be quick (generally concluded within 90 days of receiving the complete complaint file) and free of charge to consumers, or available at a nominal fee.

The Consumer ADR Regulations apply to all businesses in the UK that sell goods, services or digital content to consumers (with some limited exceptions), and impose certain obligations on traders to provide information to consumers about ADR entities. For example, a trader who is obliged by law, or its trade association rules, or the terms of a contract to use ADR services, must make the name and website address of the relevant ADR entity available on its website and in its general terms and conditions.

What is ADR?

ADR encompasses any process to resolve a dispute without recourse to court. The simplest and most common form of ADR is direct negotiation, but where it does not give rise to a satisfactory outcome, a range of other options is available.

Broadly, ADR can either allow:

• the parties to the dispute to decide their own outcome, often with the help of a neutral third party. This is typically the case for direct negotiation, conciliation and mediation; or

• someone who is not a party to the dispute to reach a binding decision. This is what happens in adjudication, arbitration and ombudsman schemes.

ADR has some distinct advantages, the most obvious of which are the potential to reach a satisfactory outcome more quickly and cheaply in a confidential environment. There is also more scope to be creative with how a dispute is settled.

In addition, any trader, including those who are not obliged to use ADR services, who receives a complaint from a consumer about a contract, and is unable to resolve the complaint with them using its own internal complaints procedure, must inform the consumer in writing:

• that it cannot settle the complaint

• the name and website address of an ADR provider that would deal with the complaint, if the consumer wishes to use ADR

• whether the trader is obliged or prepared to make use of the ADR provider.

In other words, the trader has to give a consumer details of an ADR provider but does not have to agree to use ADR. The information should be given in durable form, such as an email or a letter – most likely, the final deadlock letter in response to a consumer complaint.

Key Issues for Retailers to Consider:

In assessing whether or not to sign up to an ADR scheme, traders should consider the following:

• How much will it cost? – including both the membership fee and any charges for processing claims.

• Is the decision binding, and for whom? It is common for the outcome of the ADR to be automatically binding upon the trader (but not upon the consumer).

• What are my competitors doing? Widespread take-up by competitors may cause negative PR issues for any retailer refusing to engage with ADR.


FOR FURTHER INFORMATION, PLEASE CONTACT

Vivien Halstead, Professional Support Lawyer, Commercial, IP & Technology

E: [email protected] T: +44 (0)20 7295 3241

Emily Tearle, Professional Support Lawyer, Dispute Resolution

E: [email protected] T: +44 (0)20 7295 3396

Consequences for retail businesses

Notwithstanding the Regulations, it remains the case that whilst providing ADR information is now mandatory, actually using ADR continues to be voluntary, as long as the trader is not separately obliged to do so.

Having said that, traders may feel compelled to adopt an ADR process if their competitors are seen to be doing so. If there is widespread take-up, then it may generate negative PR for a trader to inform consumers of the existence of an ADR provider but to state that it is not prepared to use it.

In addition, if a trader fails to comply with the information requirements, Trading Standards can apply for a court order obliging compliance, breach of which can lead to a maximum penalty of an unlimited fine and two years’ imprisonment.

Furthermore, quite apart from the Regulations, one should not overlook the obligation on all parties to consider ADR under the CPR. We anticipate that offering the sort of ADR process envisaged by the Regulations will be good evidence that a party has fulfilled those obligations, at least at the pre-action stage of litigation. That said, there may be good reasons for not agreeing to ADR, for example where a trader has its own robust complaints-handling procedures.

Key Points

• No general obligation to use ADR in business to consumer disputes.

But

• All traders must: (i) provide information about the ODR Platform on their websites by 15 February 2016; and (ii) provide information about ADR providers (and willingness to use ADR) where a complaint is unresolved.

• Some traders may be under an obligation to use ADR as a result of the other sector-specific regulatory regimes or voluntary membership or a code of practice requiring use of ADR. In these cases, information about ADR and the ODR Platform must be provided on the trader’s website and in its general terms and conditions.


A selection of our retail clients:

Charlotte Dencer, Head of Legal at LK Bennett

“Travers Smith understands our business and, in particular, the quirks of being a private equity investee company. They consistently provide on-point, sophisticated advice which is always commercial and delivered with confidence and precision. A reassuringly bespoke service.”


Our retail team

We have taken time to understand the retail sector and build lasting relationships within it, allowing us to provide focussed and high quality commercial advice to our clients.

We have wide-ranging experience across the retail sector, with a client base ranging from food retailers to luxury brands, from domestic and electronic consumer goods companies to online retail businesses, as well as private equity and other investors in the sector.

We act for businesses across a wealth of areas, from market-leading M&A, IPOs and refinancings to complex restructurings, joint ventures and beyond. Our lawyers have the requisite depth of experience to advise on all issues facing retailers.

We have leading lawyers in all areas relevant to the sector: corporate, commercial, real estate, employment, tax and many more.

Our retail work is handled by a dedicated team led by Adrian West.

Adrian West, Partner, Corporate

E: [email protected] T: +44 (0)20 7295 3419

Sonal Patel, Senior Associate, Private Equity Group

E: [email protected] T: +44 (0)20 7295 3216

Tom Purton, Partner, Commercial, IP & Technology

E: [email protected] T: +44 (0)20 7295 3277

Doug Bryden, Partner, Environment & Safety

E: [email protected] T: +44 (0)20 7295 3205

Tim Gilbert, Partner, Employment

E: [email protected] T: +44 (0)20 7295 3207

Edmund Reed, Partner, Corporate

E: [email protected] T: +44 (0)20 7295 3286

Kathleen Russ, Partner, Tax

E: [email protected] T: +44 (0)20 7295 3230

Louisa Chambers, Partner, Commercial, IP & Technology

E: [email protected] T: +44 (0)20 7295 3344

Rob Fell, Partner, Dispute Resolution

E: [email protected] T: +44 (0)20 7295 3292

Jeremy Walsh, Consultant

E: [email protected] T: +44 (0)20 7295 3217

“The Travers Smith team excelled in all they did. At critical times they provided the quality of advice you can only get from an adviser who is fully immersed in the market. They were also a pleasure to deal with.”

Jonathan Blanchard, former CFO, Radley

Emma Pereira, Senior Counsel, Real Estate

E: [email protected] T: +44 (0)20 7295 3283


Travers Smith LLP, 10 Snow Hill, London EC1A 2AL T: +44 (0) 20 7295 3000 | www.traverssmith.com