European businesses may be putting themselves at risk because they mistakenly believe regulators are prepared to loosen the rules, lower the compliance burden, and lessen enforcement so companies can operate more easily as the coronavirus pandemic lingers on.
Indeed, the business press is full of stories saying regulators have relaxed regulations and do not intend to pursue minor infringements—even offsetting fines in some instances.
Experts, however, say companies should not believe the hype: Regulators are just as apt to pursue non-compliance as they ever were, and several have even had to issue statements or guidance to underline the fact.
“Compliance teams should not be complacent about enforcement and should proceed with upholding the policies they had in place before COVID-19 took hold,” says Nicola Howell, senior compliance and privacy attorney at commercial data and analytics firm Dun & Bradstreet. “While justifiable allowances may be made, any significant departure from legal requirements or previous company policy could significantly backfire on a business.”
Companies that deliberately flout the law to attempt to gain market share are also unlikely to recoup costs or damages from insurers. “Even where policy wording is sufficiently broad to allow for claims for regulatory investigations, it has long been a U.K. principle not to indemnify intentional wrongdoing,” says Julian Hayes, partner at law firm BCL Solicitors. “Some regulators, such as the U.K.’s Financial Conduct Authority (FCA), had previously reinforced this message with an outright ban on regulated firms arranging or claiming insurance policies purporting to indemnify them against penalties imposed by the financial regulator.”
Other EU countries take a similarly harsh line. For example, France, Italy, Denmark, Austria, and Luxembourg prohibit insurance for both criminal and administrative penalties, while Sweden, the Netherlands, Greece, and Croatia make intention or malice the determining factor of insurability.
Below are three areas where experts say companies may mistakenly believe authorities are taking a more relaxed approach:
As an acknowledgement that firms need to prioritize focusing on the operational aspects of their business, national and pan-European regulators have pushed back upcoming compliance deadlines in some areas.
For example, the European Securities and Markets Authority, the European Union’s financial markets watchdog, has delayed the start date for compliance with its securities financing transactions regulations by three months until mid-July and has also extended a review into the EU’s Markets in Financial Instruments Directive, the rules that harmonize investment services across the single market. National financial regulators across the European Union have also extended consultations to delay new regulations coming into force.
Some regulators have also said they may need to adapt their approach in the future. For example, although the FCA set out its regulatory and enforcement priorities for the next 1-3 years in its latest business plan on April 7, the FCA also made it clear in the introductory paragraphs that its work will need to be “reshaped” in light of the impact of COVID-19.
No financial services regulator within the European Union, however, has explicitly said it will relax any rules already in force, or “go lightly” in terms of fines on any infringement committed from now on (even if, like the FCA and many others, they have discretionary powers to do so). “Companies cannot rely on the FCA to ignore poor practices during the corona outbreak,” says Francesca Titus, a partner specializing in white-collar crime at law firm McGuireWoods.
Experts also warn against assuming penalties will be reduced because firms are under financial pressure. “Regulators understand that the crisis is putting pressure on firms meeting their day-to-day obligations and are likely to be reasonable with firms that are making a reasonable effort to comply with regulations in trying times,” says Ian Thomas, regulatory solutions specialist at Quorsus, a financial services consultancy firm.
“You wouldn’t therefore expect the regulators to be too harsh with fines. That being said, the key words here are ‘reasonable’ and ‘comply.’ Cash crisis or not, the regulators are unlikely to hesitate to issue fines for serious breaches or offenses—for example, those that put client money at risk,” he adds.
One of the main areas of confusion is data protection: how personal data may be used, retained, or shared during the pandemic, and how much tolerance data protection authorities have for non-compliance or data breaches while employees work remotely and organizations are more susceptible to hacking incidents or accidental data loss.
Despite practically every national data protection authority in the EU issuing statements regarding their regulatory approach during the pandemic crisis, experts say many companies are still questioning whether there has been a change or relaxation of the rules.
The answer is very simple, says Carolyn Bertin, IT and data privacy solicitor at law firm Keystone Law. “Data protection regulators in Europe have not relaxed the rules. What they have said is the existing laws do not prevent the sharing of personal data.”
Sarah Pearce, privacy and cyber-security partner at law firm Paul Hastings, agrees. “Generally speaking, as regards data privacy and enforcement, it is business as usual across Europe, with no dispensations being made under current circumstances.”
To clarify the situation, on April 15 the U.K.’s Information Commissioner’s Office (ICO) set out its “flexible,” “pragmatic,” and “empathetic” regulatory approach during the coronavirus pandemic.
The data protection authority says it expects to conduct fewer investigations, focusing its attention instead “on those circumstances which suggest serious non-compliance.” Fines could also be reduced given that companies may not be able to afford to pay them. The ICO has also said the timeline to carry out any remedial action following a data breach could be extended, as could the requirement to supply the regulator with the evidence as to how the breach occurred. The duty to report a data breach within 72 hours, however, remains firmly in place—a requirement that lawyers believe no DPA across the European Union will relax.
Other regulators have also extended various deadlines to show “flexibility,” but “that does not mean that data protection regulators are not on top of the situation” or that the rules around GDPR compliance, for example, have been relaxed, says Maarten Stassen, partner in the privacy and cyber-security group at law firm Crowell & Moring.
Like the ICO, the Dutch data protection authority, for example, has stated that the deadlines for providing information will be extended where necessary to allow companies to devote their attention to tackling the consequences of the pandemic, while the French regulator, CNIL, has delayed the publication of its guidance on cookies and other tracking mechanisms so that it can address the issues later “in a more serene context.”
Rules around competition law have been relaxed—but only in “limited circumstances” and when it is “absolutely necessary.”
On March 23, the European Competition Network, which brings together the European Commission and national competition authorities from across the European Union, issued a joint statement in which it acknowledged that the COVID-19 crisis might require companies to temporarily cooperate to ensure the supply and fair distribution of scarce products.
On April 8, the European Commission issued a “temporary framework” that allows, for example, companies in the pharmaceutical sector to work together to identify essential medicines with risks of shortages and devise strategies to ensure continuity of supply. Companies can also obtain informal guidance from the Commission, including “comfort letters,” which spell out whether such collaborations are compatible with EU law.
Several national competition authorities across Europe, such as those in Germany, Norway, the Netherlands, and the United Kingdom, have also allowed temporary coordination between competitors to address the consequences of the crisis. Some authorities have also shown leniency and flexibility with regard to penalties. On March 19, Portugal’s competition authority fined a hospital €155,000 (U.S. $168,000) for “gun-jumping” but said that it would accept payment in installments so that its operations would not be negatively impacted during the COVID-19 outbreak.
Experts, however, warn companies against thinking such arrangements are the “new normal.”
“Beyond ensuring supply of essential goods and services, the rules around competition law continue to apply in the same way,” says Matthew Hall, partner in competition law at McGuireWoods.
Furthermore, lawyers say that regulatory scrutiny in areas that are prone to abuse is likely to be increased—perhaps even retrospectively when normal business resumes. According to Colin Miller, partner in the tech and commercial group at law firm Burness Paull, “practices that businesses can expect competition authorities to clamp down on include collusion that artificially keeps prices high, as well as the exchange of commercially sensitive information on future pricing or business strategies between competitors where this is not necessary to meet the needs of the current situation.”