This Week’s Techlaw News Round-Up

February 21, 2020

EDPB holds its eighteenth plenary session

The EDPB has held its eighteenth plenary session. During the session, the EDPB discussed various issues. It says that the GDPR’s application in its first 20 months has been successful. However, the need for sufficient resources for all supervisory authorities is still a concern and some challenges remain, resulting, for example, from the patchwork of national procedures. The EDPB has also addressed issues such as international transfer tools, impact on SMEs, supervisory authorities’ resources and development of new technologies. The EDPB concludes that it is premature to revise the GDPR. The EDPB has also adopted draft guidelines to provide further clarification regarding the application of Articles 46.2(a) and 46.3 (b) of the GDPR. These provisions address transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations, where these transfers are not covered by an adequacy decision. The guidelines recommend which safeguards to implement in legally binding instruments (art. 46.2 (a)) or in administrative arrangements (Art. 46.3 (b)). There will be a consultation on the guidelines. Finally, the EDPB adopted a statement on privacy implications of mergers following the announcement of Google LLC’s intention to acquire Fitbit. It highlights that the possible further combination and accumulation of sensitive personal data by a major tech company could entail a high level of risk to privacy and data protection. 

ESRB publishes report on systemic cyberattacks

The European Systemic Risk Board has published a report on cyber incidents, such as cyberattacks. The report, which also summarises the latest estimates of the costs of cyber incidents, shows that a cyber incident could evolve into a systemic cyber crisis that threatens financial stability. The ESRB has therefore identified cyber risk as one of the sources of systemic risk to the financial system which could have serious negative consequences for the real economy. Cyber risk is characterised by three features that, when combined, make it fundamentally different from other sources of operational risk: the speed and the scale of its propagation, and the potential intent of perpetrators. The interconnectedness of various information systems enables cyber incidents to spread quickly and widely. Some recent incidents have demonstrated the perpetrators’ ability to penetrate the networks of large organisations and incapacitate them quickly. Cyber incidents can also spread widely across sectors and beyond geographical borders. The report also describes when an incident might turn into a “systemic cyber incident” that could threaten financial stability. The key tipping point would occur when confidence in the financial system were so severely weakened that important financial institutions would cease all lending activity because they were no longer willing to lend, as opposed to being (technically) unable to lend. The ESRB intends to use its broad institutional composition and network to evaluate the costs and benefits of different policy options aimed at reducing systemic cyber risk.

FCA and Alan Turing Institute collaborate on AI transparency

The FCA and the Alan Turing Institute are working on a year-long collaboration on AI transparency. They have written a blog post explaining the motivation for pursuing such a project and presenting an initial framework for thinking about transparency needs in relation to machine learning in financial markets. Transparency can play a key role in the pursuit of responsible innovation by helping to secure the benefits of digital transformation in financial services. The blog post aims to contribute to the debate on the role of AI transparency as an enabler of beneficial innovation. It proposes a high-level framework for thinking about transparency needs concerning uses of AI in financial markets, resonating with recent work by the OECD, the European Commission’s High-Level Expert Group on AI and the ICO.

HMRC issues revenue brief on VAT liability of digital publications

HMRC has issued a revenue brief confirming that HMRC’s VAT treatment of supplies of digital newspapers and other digital publications has not changed following the Upper Tribunal decision in News Corp UK and Ireland Ltd (UT/2018/0065). Supplies of newspapers are zero rated under UK legislation but HMRC takes the view that digital versions are standard rated. The First-tier Tribunal ruled in favour of HMRC. However, the Upper Tribunal upheld News Corp’s appeal that they should be zero rated. HMRC has been granted permission to appeal the Upper Tribunal decision to the Court of Appeal so is continuing to treat digital versions as standard-rated until the outcome of the appeal is known. HMRC also explains how organisations can submit claims for overpaid VAT and protect their position. 

House of Lords Communications and Digital Committee launches inquiry on the future of journalism

The House of Lords Communications and Digital Committee has launched a new inquiry on the future of journalism. The Committee is seeking evidence on how digital technologies are changing the production and consumption of journalism, how journalists can be supported to adapt to those changes, and how the profession can become more trusted by the general public. The Committee is also asking how digital technologies have changed the consumption of journalism; how innovation and collaboration can help news organisations to maintain sustainable business models; whether journalists have access to the training opportunities necessary to adapt to the digital world and how public policy could better support the training of journalists; why trust in journalists has declined and how it could be improved; why the journalism profession is not more representative of the population and how journalists can better understand and convey the concerns and priorities of people who do not live in London or other metropolitan hubs. The deadline for responses is 25 March 2020.

Office of Communications (Provision of Information) Regulations 2020 made

The Office of Communications (Provision of Information) Regulations 2020 SI 2020/12 have been made. They specify descriptions of information which are exempt from the duty under section 24A(1) of the Communications Act 2003 on Ofcom to provide the Secretary of State with any information that it proposes to publish at least 24 hours before publication. The Regulations also have the effect of bringing the duty under section 24A(1) of the 2003 Act into effect. The Regulations come into effect on 1 April 2000.

PSA introduces revised guidance on consent to charge and platform security

The Phone-paid services authority has revised its guidance to help ensure that providers obtain proper consent from consumers before they are charged. The changes aim to ensure payment platforms are operated to a high standard and ensure consumers give informed consent. The guidance follows a consultation. The PSA expects providers of phone-paid services to put consumer interests at the forefront of what they do. This includes providers not charging consumers for a phone-paid service without their informed consent. The updated guidance sets out clear definitions of informed and robust consent and how this should be obtained; the types of platform security measures that the PSA would expect providers to have in place and recommendations and examples of the types of skills and experience that security staff working in this area should have.

Other news on this week