Do You Need to Appoint a Data Protection Officer in Your Organisation?

What Does the UK PM's 25 Year Environment Plan Mean for Retailers?

The End of the Brandalley Legal Saga

Data Maps and Data Inventories

Guest Interview with the Hello Love Art & Design Team

Retailers Anxiously Await Possible Changes to Taxation of Online Sales

Do You Need to Appoint a Data Protection Officer in Your Organisation?

Under the EU General Data Protection Regulation (GDPR), any company that monitors individuals on a "large scale" or has "large scale" collections of sensitive data must appoint a Data Protection Officer (DPO).

A DPO can be someone internal in your organization so long as they have expert knowledge of data protection law and practice, and they do not have a conflict of interest in serving as a DPO and in doing other tasks. Internally, that may mean that the DPO cannot be the CEO, COO, CFO, CMO, or head of HR. You can also contract out the role of DPO externally to service providers.

Key aspects of the DPO's role

• Once appointed, the DPO's contact information will be published to European regulatory agencies and also to the public so that individuals who have a complaint about a company can contact the DPO. The DPO will therefore be the first point of contact for data privacy concerns. 
• The DPO will cooperate and communicate with data subjects and with the supervisory authority where necessary.
• The DPO will educate the company about its data privacy and security obligations, advise on how to carry out assessments concerning the impact of its operations on data privacy, and monitor the company's compliance with the GDPR, member state data privacy laws, and the internal privacy policies.
• The DPO will be involved in all issues that relate to personal data on an ongoing basis.
• Although the DPO reports directly to senior management, he must act independently and should not take instruction from the company on how to carry out his responsibilities.
• It is important to note that a DPO is not personally responsible if the company is not in compliance with the GDPR.

A company's duty to its DPO
A business that appoints a DPO is responsible on an on-going basis for supporting its DPO. This will typically involve ensuring that the DPO has access to all resources necessary to enable him to fulfil his tasks and role. A company must also take whatever steps are necessary to ensure the DPO's independence and autonomy.

Next steps
If a business fails to fulfil its obligations in relation to its DPO, if applicable, it may face significant fines. Therefore, ahead of the GDPR coming into effect in May 2018, businesses should now be assessing whether they are required to appoint a DPO, bearing in mind that (i) all businesses should consider voluntarily appointing a DPO; and (ii) if a business chooses not to appoint a DPO they should maintain a record of the reasons behind that decision in order to demonstrate that all relevant factors have been properly considered if this should become necessary.

What Does the UK PM's 25 Year Environment Plan Mean for Retailers?

On 11 January 2018, Prime Minister, Theresa May, launched a 25-year plan to eliminate avoidable plastic waste (including products such as plastics straws, bags, stirrers, bottles, packaging, etc.) by 2042.

The UK government has estimated that around 8.3 billion tonnes of plastic have been produced since the 1950s, and plans to enhance the environment by tackling Britain's "throwaway culture" and plastic waste — described by the PM as "one of the great environmental scourges of our time".

As part of the plan, the 5p plastic carrier bag charge currently applied to only "large" retailers (having more than 250 employees) shall be extended to all retailers equally. Figures show that around 9 billion fewer plastic bags have been used by shoppers since the 5p charge came into effect, and many retailers have switched to environmentally friendlier options such as paper bags. Additionally, supermarkets will be encouraged to have entirely "plastic-free" aisles where all food (e.g. fruits and vegetables) are loose and free of unnecessary plastic packaging. Further, the government will also be looking at how the tax system of charges could further reduce the amount of waste we create, and there will be new government funding into plastics innovation.

But how will this really affect retailers? There is concern that the government's aspirations do not pack enough punch since they do not carry legal force. Some campaigners have opined that the measures would need to be backed by legislative force before we are likely to see any benefits.

The End of the Brandalley Legal Saga

[co-author: Emmanuelle Mercier]

French legal proceedings brought in vain by the online fashion retailer

In 2009, online retailer Brandalley filed a claim with the French Competition Authority (FCA) against Vente-privée.com, one of its competitors, alleging that the latter abused its dominant position on the "online events sales market". The FCA dismissed Brandalley's claims, on the grounds that the "online events sales" did not constitute a relevant market (FCA Decision no. 14-D-18 dated 28 November 2014). Brandalley appealed the FCA's decision before the Paris Court of Appeal, but to no avail. Brandalley further appealed the Paris Court of Appeal's decision before the French Cour de cassation (French Supreme Court). However, in a decision dated 6 December 2017, the French Cour de cassation once again dismissed Brandalley's claims, thus putting an end to the legal proceedings brought in vain by the online fashion retailer.

The "online events sales" market did not constitute a relevant market in 2005-2011...

Brandalley (joined by Showroomprivé.com in the proceedings) argued that Vente-privée.com abused its dominant position between 2005 and 2011 on the "online events sales market", in particular by imposing on the high-end brands it retailed an exclusivity clause, which prohibited such brands from selling unsold stock to other competing online retailers.

However, the Cour de cassation reminded that the abuse of a dominant position as prohibited by Article 102 of the TFEU and Article L. 420-2 of the French Commercial Code may be established only if there is a dominant position on a specific market.

The Cour de cassation — following the FCA and the Paris Court of Appeal's rationale — reminded that the main criterion to determine the relevant market is the non-substitutability of the products and services from the point of view of the demand. The Court found that the criteria put forward by Brandalley — namely the attractive prices, the confidentiality of the sales, the high-end positioning and the significant stock volumes — were not specific to online events sales during the period 2005-2011, and that such (alleged) differentiating elements could actually be found in other unsold stock retail channels during that period (such as physical unsold stock retail points).

...but it might be a relevant market now

The Cour de cassation further approved the FCA's rationale according to which the unsold stock retail industry had boomed during the period 2005-2011 and that over a hundred online events sales companies had been created during that period. Moreover, new marketing technologies were developed in that industry during that period. All of these evolutions were found to have had an impact on consumer behavior. Therefore, the Court held that the non-substitutability criterion could not be analyzed based on post-2011 considerations, as the market had changed after such date.

This argument was used to dismiss Brandalley's claims based on current consumer behavior. However, it leaves the door open to new claims based on abuse of dominant position on the online events sales market, implying that such market has evolved and that it might now constitute a relevant market.

Data Maps and Data Inventories

Knowing the type of data that you collect, where it is held, with whom it is shared, and how it is transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a "data map" or a "data inventory". Outside of the United States, some attorneys may be more familiar with the term "data register".

Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting for many organizations. In addition, it is important to remember that data constantly changes. As a result, organizations must consider how often to invest the time to conduct a data map and, once invested, how long the information will be useful.

What you should think about when deciding whether to conduct a data map or a data inventory:

1. Which departments within your organization are most likely to have data?
2. Who within each department would you need to speak with to find out what data exists?
3. Is it more efficient to send the relevant people a questionnaire or to speak with them directly? What is the best way to receive information from each person in the organization that collects data so that the information provided can be organized and sorted with information received from others?
4. What information should you collect about the personal data within your organization? For example, is it enough to know where the data is, and who is responsible for it, or should you collect the reason why your organization has the data, how long it is kept, where it is systematically transferred to, and the type of security applied to the data?
5. Is your data map intended to be an inventory (i.e., a description of data at rest), or is it intended to provide dynamic information (i.e., a description of how data moves within and outside of your organization)?
6. Which stakeholders in your organization may have an interest in the outcome of your data map? For example, are there uses that a privacy officer, an information security officer, or a chief information officer, may have in the outcome of the project?
7. Do you have sufficient internal resources to conduct the data map? If not, do you have access to external resources with experience in conducting such exercises?
8. Is your data map going to inventory data that crosses national boundaries? If so, do you want your map to also account for what (if any) legal compliance strategies are being used to facilitate such transfers?
9. If your data inventory is going to examine the retention schedule (if any) applied to the data, are you going to rely on self-reported retention periods or are you going to verify actual retention periods?
10. Do you intend to use the outcome of your data inventory to demonstrate compliance with any specific legal requirements? For example, if your organization is subject to the European Union General Data Protection Regulation (GDPR) do you intend for your data map to satisfy your obligations to demonstrate that your organization applies data minimization and has a permissible purpose for its data processing?  

Guest Interview with the Hello Love Art & Design Team

Nicola Conway speaks with Kevin Helton and Jane Hutchison, the art duo behind HELLO LOVE; the Bloomsbury-based retail and wellness space encouraging artists and brands to work together to instigate positive social change.

1. What is HELLO LOVE?
   Kevin: HELLO LOVE is a retail and wellness experience that constantly evolves as we work with different artists and brands to promote Personal Sustainability and Non-Toxic Practice as a means to achieving global sustainability. Each brand has the opportunity to present a unique story, but together we create a symphony of narrative.
2. As a retailer, what is HELLO LOVE'S approach to corporate social responsibility?
   Kevin: As a social enterprise, HELLO LOVE uses art, film, music and design to communicate themes around sustainability. Artists and brands donate a percentage of every sale made through HELLO LOVE to the HELLO BEAUTIFUL FOUNDATION and other charities and social causes we support. By enabling social contribution at the point of every sale, HELLO LOVE is quickly and efficiently getting resources to those in society that need it most.
3. What is the HELLO BEAUTIFUL FOUNDATION?
   Jane: The HELLO BEAUTIFUL FOUNDATION is a London-based cancer prevention charity that lives within the HELLO LOVE space. After my own diagnosis of breast cancer in 2013, I decided to use my passion for the arts to influence culture. Free treatments are offered to the people/families going through cancer, and HELLO BEAUTIFUL hosts a lecture series and educational program aimed at teaching the community how to live more sustainably.
4. How important is social responsibility to retailers these days?
   Kevin: Sustainability should be an important issue for all retailers. Unfortunately, many businesses focus more on profits than the wellness of society. What they fail to appreciate is that sharing resources allows us to reduce operational costs whilst also creating goodwill that will lead to market longevity. We believe that as society presses forward into the new space age, collaborating and sharing resources with others in the community will become increasingly important to a retailer's ability to survive and thrive.
5. What advice would you give to newcomers to the retail sphere?
   The key to maintaining relevance in a constantly changing environment is to seek out strategic partnerships. This should take place across public and private sectors and should also encourage audience participation. Collaboration will be a constant source of growth and development for you as an organization.
6. What is the next step for HELLO LOVE?
   Jane: HELLO LOVE will continue to build relationships with artists and brands that stand at the forefront of social responsibility. Over the coming months, we will expand our offering and begin taking the steps necessary for scaling the vision.

Retailers Anxiously Await Possible Changes to Taxation of Online Sales

Retailers will be closely watching the outcome of the U.S. Supreme Court's decision to revisit a 26-year-old case which has limited states’ taxing authority over online sales.

The Supreme Court, heeding calls from traditional retailers and dozens of states, has granted review of South Dakota v. Wayfair, Inc., in which retailers challenge the 1992 ruling in Quill Corp v. North Dakota as obsolete. Quill held — in a pre-internet era — that states cannot impose sales and use tax collection obligations on retailers without a physical presence within a state. As a result, online retailers without a physical presence in a state have developed a pricing advantage over retailers located within the state.

In the meantime, Congress is considering a number of legislative proposals addressing state taxation of online sales, including the Remote Transactions Parity Act, which would allow states to require out-of-state sellers to collect sales tax. The bill has the support of the National Retail Federation.

Additionally, with many major online retailers already collecting and remitting sales and use taxes to states, some states are turning their legislative sights on smaller third-party sellers that move their merchandise over marketplace platforms hosted by e-commerce giants. Last year, Minnesota, Washington, Pennsylvania, and Rhode Island all enacted “marketplace provider laws” — first-ever statutes imposing tax collection duties on marketplaces for sales by their third-party sellers.

Estimates of uncollected state taxes on such transactions vary, but many analysts put the number at several billion dollars annually from Amazon alone. An analyst with Internet Retailer, an e-commerce news and analytics publication, recently estimated the state tax gap could be as high as $3 billion per year from Amazon sellers, and $4 billion when sellers on smaller platforms are added.

1. Int'l Ass'n of Privacy Prof'ls & TRUSTe, Inc., How IT and Infosec Value Privacy, 2 (2016), https://info.truste.com/Web-Resource-PrivacyVsSecurity-Report_TY.html?asset=K3N9WHC6-605&aliId=33018157.

2. Int'l Ass'n of Privacy Prof'ls & TRUSTe, Inc., Preparing for the GDPR: DPOs, PIAs, and Data Mapping, 16 (2016), https://www.truste.com/resources?doc=643.

[View source.]