"Online interface orders": a new injunction against service providers
Updated 19 May 2020: added a section on DNS blocking
The Consumer Protection (Enforcement) (Amendment etc.) Regulations 2020 were published yesterday, and they contain a new injunction which can be sought against traders and online intermediaries: the "online interface order".
Available it both interim and final forms, this order can be sought by the Competition and Markets Authority, to enable it to tackle so-called "Community infringements". A "Community infringement" is "an act or omission which harms the collective interests of consumers" and which contravenes one of a number of laws set out in Part 8 Enterprise Act 2002.
Who can seek an "online interface order"?
Only the Competition and Markets Authority. The CMA can apply for an online interface order if it "thinks that there has been or is likely to be a Community infringement".
What are the tests for getting an online interface order?
Although the CMA can apply for an order if it merely "thinks" that there has been or is likely to be a Community infringement, the test for getting an order is, thankfully, rather more robust.
A court may make an online interface order if it finds that—
- there has been or is likely to be a Community infringement,
- there are no other available means of bringing about the cessation or prohibition of the infringement which, by themselves, would be wholly effective, and
- it is necessary to make the order to avoid the risk of serious harm to the collective interests of consumers.
Together, that feels like a pretty high threshold to overcome to secure an online interface order.
Who can be the target of an online interface order?
An online interface order can be made against absolutely anyone.
s218ZA provides that an online interface order:
"may be sought against the person the CMA thinks has engaged, is engaging or is likely to engage in conduct which constitutes the Community infringement or against another person."
So what is an "online interface"?
s218ZD defines "online interface" as:
"any software, including a website, part of a website or an application, that is operated by or on behalf of a trader, and which serves to give consumers access to the trader’s goods and services."
Not so easy to understand.
The recital to the EU Regulation from which these Regulations derive is not unduly helpful:
In the digital environment in particular, the competent authorities should be able to stop infringements covered by this Regulation quickly and effectively, and in particular where the trader selling goods or services conceals his identity or relocates within the Union or to a third country in order to avoid enforcement. In cases where there is a risk of serious harm to the collective interests of consumers, the competent authorities should be able to adopt interim measures in accordance with national law, including the removal of content from an online interface or ordering the explicit display of a warning to consumers when they access an online interface. Interim measures should not go beyond what is necessary to achieve their objective. Furthermore, the competent authorities should have the power to order the explicit display of a warning to consumers when they access an online interface, or to order the removal or modification of digital content if there are no other effective means to stop an illegal practice. Such measures should not go beyond what is necessary to achieve the objective of bringing to an end or prohibiting the infringement covered by this Regulation.
However, Article 9(4)(g) envisages the application of these injunctions against "hosting service providers" and, in the case of the domain name seizure power, "domain registries or registrars".
Given the purpose of the measure, and the broad definition, I suspect it includes sales platforms as well, such as Amazon's marketplace, eBay, etsy, and so on.
Whether these are "operated by or on behalf of a trader" is perhaps arguable, but if one read "operated by" as meaning "used by" — a trader operating them by virtue of listing their products and services, for example — rather than operating them in the technical sense of providing the platform, they would seem to fall within scope.
What can be ordered under an online interface order?
An online interface order must direct the person against whom it is made to do, or to co-operate with another person so that other person may do, one or more of the following:
- remove content from or modify content on an online interface;
- disable or restrict access to an online interface;
- display a warning to consumers accessing an online interface;
- delete a fully qualified domain name and take any steps necessary to facilitate the registration of that domain name by the CMA.
Ah. Domain seizure powers. Which, in practice, means that the CMA would be able to access incoming email directed to an account at that domain (since they control the domain, and so can set the MX record to point to their own mailservers). Would they need an interception warrant for that? Interesting question... (for another day.)
DNS blocking (or other site blocking)?
If the CMA cannot seize a domain (perhaps because it is from an overseas registry), I don't see why they could not use an online interface order to compel ISPs in the UK to do DNS blocking (akin to the court order mechanism used for blocking access to sites from a copyright / trade mark perspective).
An ISP falls within the category of "another person", and a DNS block would seem to fall within the requirement of "disable or restrict access to an online interface".
Could it be used to kill or seize a phone number?
Seize, in the sense of routing calls to the CMA? No. I don't think so.
Kill? That's more interesting. It's certainly not expressly referenced, or hinted at in the recitals, but I think it's at least arguable in some situations.
First, the definition of "online interface" is broad:
any software ... that is operated by or on behalf of a trader, and which serves to give consumers access to the trader’s goods and services.
And one of the powers of an online interface order is to "disable or restrict access to an online interface".
If a trader has a phone number in a national dialling plan (i.e. one which can be dialled by a "normal" phone (let's leave SIP URIs aside for now), someone needs to host the range that that number is in, and someone needs to handle the routing of that call once it is directed to them. There might be multiple levels of provider involved at wholesale / reseller level, finally reaching the trader's retail provider.
Ultimately, the trader's retail voice service provider runs software capable of handling incoming calls and routing them to the trader (either to the trader's own phone system, or to the trader's phone).
Whether any of these systems are "operated"by or on behalf of the trader" is probably the battleground here. Someone who provides a hosted PBX which the trader can configure? Possibly. A traditional mobile network operator, from which the trader has bought a SIM? More questionable, IMHO.
If a phone system was an "online interface" (and note that there's no requirement that an "online interface" is, in fact, "online"), then it could be the target of an injunction. Killing the phone number, or preventing it from being routed to the trader would "restrict access" to that online interface.
So, yes, I think it is arguable (I can't got much further than that right now), even if not perhaps the intended action.
It will be interesting to see if it is used in this way, and I'll update this blog (if I'm allowed) if I see any of these orders used against phone service providers.
Can the CMA exercise these powers without a court order?
Under the UK's Regulations, no. It is a mechanism to apply for a court order.
Under the EU Regulation, the UK could possibly have given more powers directly to the CMA — see Article 10(1)(a), which explicitly permits member states to enable powers to be exercised "directly by competent authorities under their own authority".
Although the Regulation goes on to say that "[t]he implementation and the exercise of [those] powers ... shall be proportionate and shall comply with Union and national law, including with applicable procedural safeguards and with the principles of the Charter of Fundamental Rights of the European Union", it's hard to see that this mandates judicial or independent oversight given the express reference in Article 10(1)(a) to direct exercise by the competent authority.
When does this come into effect?
The Regulations come into force on 2nd June 2020.