Why should I read this?
Regulators, like businesses, are adapting quickly to the changes brought about by the ongoing COVID-19 threat. The past decade has seen regulators around the world go through an unprecedented period of growth. Although priorities may be shifting, they continue to have greater resources at their disposal to enforce higher sanctions in a broader range of areas than ever before. Data protection and consumer regulators are now just as likely to take enforcement action as those that regulate competition - which means constructive engagement is important for many organisations, not just the biggest players in a market.
Managing the risks associated with multiple and active regulators requires organisations to develop a multi-disciplinary compliance strategy - particularly in light of the dynamism now characterising our political and economic landscape. There is much that hitherto unregulated organisations stand to learn from heavily regulated businesses, from big pharma to merchant banks to telcos. We have drawn from our substantial experience interacting with regulators across the UK, but the themes and strategies identified below apply globally.
Identify your internal network of experts and encourage collaboration
Most legal teams have discrete units that are tasked with managing risk in relation to trade, sanctions, anti-bribery and corruption, data protection, consumer and competition - often with an additional function responsible for handling litigation. Historically, this made good sense: who would be better placed than a competition lawyer to handle a merger control filing, or a litigator to appeal the procedural basis of a regulatory decision?
However, as regulators and legislators adopt a more joined-up approach it is imperative that organisations do the same. In its European Data Strategy, the European Commission identifies the ease with which individuals can exercise their data subject rights as a factor that impacts the level of innovation, and by extension, competition, in the market. This blurring of boundaries between historically discrete disciplines is indicative of the direction of travel and will require organisations to adapt accordingly. Individuals within each of these practice areas have experience that you should draw on to develop a streamlined and, where appropriate, consistent approach when engaging with regulators in each of these areas.
Understand the framework within which the regulator operates and by which it is bound
Regulators do not have unfettered discretion to take enforcement action. They have specific rights to enforce particular pieces of legislation. For example, in the UK the Medicines and Healthcare Regulatory Agency (MHRA) has powers to enforce the Consumer Protection Act 1987, the Medical Devices Regulations 2002 and the General Product Safety Regulations 2005; Ofcom wields powers under the Communications Act 2003, the Postal Services Act 2011 and the Competition Act 1998. This doesn't mean that the MHRA can take enforcement action in relation to breaches of the Competition Act 1998, any more than Ofcom can regulate compliance with the Medical Devices Regulations 2002.
Increased collaboration between regulators is leading to scope creep - and the increased risk that a single infringement can leave a business exposed to regulatory enforcement on multiple fronts. That is why it is important to understand the enforcement powers that legislation grants regulators and any procedural requirements they must comply with. Regulators do sometimes overstep the mark: in the past year alone the UK courts have heard claims for judicial review in respect of decisions taken by a whole host of regulators, including the Competition and Markets Authority (CMA), the Gas and Electricity Markets Authority (Ofgem), the Institute of Chartered Accountants in England and Wales (ICAEW), the Office of Communications (Ofcom), Transport for London, the Pensions Regulator, the Investigatory Powers Tribunal, the Commission for Aviation Regulation, the Environment Agency and the Food Standards Agency. Understanding the limits to the scope of a regulator's authority is key to developing a successful engagement strategy and identifying ultra vires enforcement action when it occurs.
Familiarise yourself with historic enforcement - and political and economic pressures which could impact priorities
Historic enforcement action by regulators is a clear indication of their priorities. Over the past year the ICO has targeted organisations that have failed to implement technical and organisational security measures and those that have not been transparent about what they use personal data for and with whom they share it. The CMA shares the ICO's concerns around transparency, while Ofcom is more focused on issues of consumer fairness. Regulators make their enforcement priorities known. Familiarise yourself with them and adjust your risk appetite accordingly.
However, regulators do not exist in a vacuum and their priorities are influenced by political and economic factors. This is clearest in the data protection context. The ICO recently announced that as a result of the COVID-19 pandemic, it would pause its investigation into adtech and real-time bidding - and it hasn't yet imposed the fines on Marriott and British Airways which were announced last July. This reflects broader shifts in the political and economic landscape: individuals are currently more likely to be concerned about how their personal data is used on the COVID-19 tracking apps that are starting to proliferate; while the UK Government is unlikely to thank the ICO for levying eye-watering and headline-grabbing fines in the current economic climate.
This does not mean that regulators are not currently taking action: it does mean that you can expect them to modify their enforcement priorities and the manner of their approach.
Invest in building relationships with regulators
It is a good idea to engage constructively with regulators - time invested while they don't have you in their sights could pay off when the going gets tough. Contribute to consultations and, where appropriate, proactively seek their input on matters within their jurisdiction. Schedule meetings and videoconferences to build relationships with staffers that are on the front lines. If an investigation is already underway, maintain open lines of communication and make sure they aren't surprised by any public announcements you make. Do not assume that regulators have taken a leave of absence as a result of the COVID-19 pandemic: while priorities may have shifted, regulators are continuing to conduct investigations and host virtual meetings with businesses they are scrutinising.
For some authorities, collaboration is essential to mitigating financial exposure. This is certainly true of the Serious Fraud Office (SFO): most recently, the prosecutor cited 'exemplary, genuine and proactive cooperation by Airbus' as a significant factor in its decision to reduce the amount of the penalty ultimately imposed for a series of anti-bribery and corruption failings. Regulators are increasingly adopting a prosecutorial stance, so adjust your interactions with them accordingly.
Assess your international exposure
In some sectors regulators cooperate extensively with their counterparts overseas. Competition enforcement has been global for decades. This is also the case, for example, when it comes to healthcare. Manufacturers of pharmaceutical products can use the mutual recognition process to ensure that a marketing authorisation issued by the MHRA is recognised by other healthcare regulators in Europe.
Enforcement of data protection laws may currently be regional in nature but is likely to go global, as more stringent regimes emerge in the US and APAC. Within Europe, there were high hopes that the GDPR would establish a degree of cooperation between European data protection authorities. Enforcement action taken by data protection authorities across Europe since 2018 indicates that this is not the case and the regulatory 'one-stop shop' envisaged by the European Commission is not yet reality. The challenges associated with managing regulatory enforcement are likely to be greater where regulators do not cooperate with their equivalents overseas - or, in the case of the US, across state boundaries.
Assess your exposure to action by other regulators
Collaboration between regulators in different industries is leading to a rise in regulatory activity. The recent fine imposed by the Information Commissioner's Office (ICO) against Doorstep Dispensaree is indicative of this trend. Doorstep Dispensaree were fined £275,000 for failing to keep medical records safe. The matter came to the ICO's attention because the MHRA was conducting its own separate investigation. If you're approached by a regulator about an infringement, consider the likelihood of other regulators taking action in respect of it.
Be prepared to litigate
Do not discount the possibility of regulatory overreach. Regulators can and do make decisions that have a material impact on a business (or its values). While regulators are undoubtedly the experts when it comes to the laws they seek to enforce, even experts make mistakes: in the competition arena, the General Court recently decided to annul the European Commission's 2016 decision to block the Three-O2 merger on the grounds that it had made 'several errors of law' in applying merger regulations. In such cases, litigation may be an appropriate and indeed necessary course of action. Keep this in mind before litigation is on the horizon and factor this into your communications with regulators. Avoid making statements during or before an investigation that could prejudice you later. Consider whether it makes strategic sense to persuade the regulator that you are prepared to take the matter to court - some regulators have deeper pockets and higher appetites for litigating than others.
It's very easy to make fatal missteps when it comes to privilege. Regulators are increasingly aggressive when it comes to requesting information that you might consider privileged. This is where developing a multi-disciplinary approach reaps rewards: experienced litigators will be acutely aware of the risks associated with the inadvertent disclosure of privileged information when it comes to litigating against regulators - and the deficiencies of the doctrine of limited waiver in particular. Keep this in mind when producing and circulating documents that may be relevant to a regulatory investigation.
Consider the risk of fines - and other risks that are harder to quantify
Fines grab headlines and the attention of senior stakeholders. The ICO is empowered to issue fines of up to 4% of annual turnover or €20 million. The CMA can impose fines of up to 10% of worldwide turnover, while Ofgem and Ofwat can fine regulated entities up to 10% of that entity's turnover. Fines can have a material impact on your business - and in many cases represent a significant source of revenue for regulators.
When evaluating risk it is easy to focus on the fines: these impact the bottom line in a manner that can be measured. There are, however, broader consequences that merit consideration. There can be major reputational consequences associated with both accepting and challenging a regulator's decision. Consider what precedent a regulatory decision sets for your business model and any global repercussions.