The Week’s TechLaw News Round Up

December 2, 2022

UK law

UK government announces update to cybersecurity laws

Following, consultation, the government has confirmed the Network and Information Systems (NIS) Regulations will be strengthened to protect essential and digital services against increasingly sophisticated and frequent cyber-attacks. The UK NIS Regulations came into force in 2018 to improve the cyber security of companies providing critical services. Organisations which fail to put in place effective cyber security measures can be fined up to £17 million for non-compliance. The government’s proposals for reform divide into two pillars – the first pillar covers proposals to amend provisions relating to digital service providers. These include expanding the regulation of digital service providers and the supervisory regime for digital service providers. The second pillar covers proposals to future-proof the UK NIS Regulations. These include delegated power to update the NIS Regulations in the future within its current framework; delegated power to amend the scope of the NIS Regulations to add sectors and subsectors; a measure to regulate critical sectoral dependencies in NIS; additional incident reporting duties beyond continuity of service; and full cost recovery for NIS functions. The government will proceed with these proposals and amend the NIS Regulations accordingly. This will be subject to finding a suitable legislative vehicle and when parliamentary time allows. The EU is also reviewing this area, see below.

UK and Ukraine agree new digital trade agreement

The UK and Ukraine have agreed a new Digital Trade Agreement which aims to help Ukraine rebuild its economy and support livelihoods. Trading digitally is particularly important in the current conflict, where damage to Ukranian infrastructure and warfare makes it much harder to trade physically. Digital tools and technologies will help Ukrainians access everyday vital goods and services during the war. For example, there is a critical need for people to be able to use digital solutions to prove they are who they say they are, due to the loss of critical documentation or displacement across borders. The agreement provides a framework for the UK and Ukraine to cooperate to promote compatibility between their respective digital identity systems to help address this.

EU law

Irish Data Protection Commission announces decision in Facebook “Data Scraping” inquiry

The DPC has announced the conclusion to its inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the Facebook social media network. It has imposed a fine of €265 million and a range of corrective measures. The DPC started the inquiry in April 2021, following media reports into the discovery of a collated dataset of Facebook personal data that was available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by MPIL between 25 May 2018 and September 2019. The material issues in the inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default. The DPC examined the implementation of technical and organisational measures under Article 25 GDPR. There was a comprehensive inquiry process, including cooperation with the other EU data protection supervisory authorities. Those supervisory authorities agreed with the decision of the DPC. The decision records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

Council and European Parliament agree on new product safety rules

The Council and the European Parliament have reached a provisional agreement on a regulation on a general product safety. The Regulation updates existing rules with the aim of ensuring that products sold online and offline are safe and in line with European standards. All products traded in the EU are subject to general safety requirements. However, given the current digital and technological developments and the existing challenges related to digitisation and the increasing volume of goods and products sold online, the EU says that rules on general product safety in force are no longer appropriate. The new Regulation modernises rules for all economic operators (manufacturers, importers and distributors) and updates them for online businesses and online marketplaces. Online marketplaces will have to cooperate with marker surveillance authorities if they discover a dangerous product on their platform. To this end, a platform will have to establish a single point of contact in charge of product safety. Online marketplaces will need to ensure that they know the traders operating on their platforms and the products they offer. Market surveillance authorities will be able to issue orders requiring online marketplaces to remove dangerous products from their platforms or to deny access to such offers. It also establishes a single market surveillance system applicable to all products. If a product is shown to be unsafe, economic operators will immediately adopt corrective measures and inform market surveillance authorities and consumers. If the product needs to be withdrawn, consumers will be entitled to a repair, replacement or refund. If possible, economic operators shall ensure that consumers are able to choose from at least two of those options. The new rules also require economic operators to have a person responsible for products sold online and offline, regardless of whether they originate in the EU or a third country. Following the formal adoption of the regulation and its entry into force, member states will have 18 months to apply the new rules.

Council of the EU formally adopts revised NIS Directive

The Council of the EU has adopted legislation for a high common level of cybersecurity across the EU. It aims to improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. The revised directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement. The directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following publication. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.

European Commission calls for evidence on Technology Transfer Block Exemption Regulation

The European Commission has launched a call for evidence seeking feedback on the scope and content of its evaluation of the Technology Transfer Block Exemption Regulation (TTBER) and the related Guidelines. The TTBER exempts certain categories of technology transfer agreements from the prohibition of anticompetitive agreements in Article 101(1) of the Treaty on the Functioning of the European Union. Technology transfer agreements are agreements by which one party authorises another to use certain industrial property rights, such as patents and software copyrights to produce goods or services. In some cases, such agreements may facilitate collusion, restrict the ability of competitors to enter the market, or harm inter- or intra-technology competition, for example by reducing the incentives to innovate. The purpose of the evaluation is to help the Commission decide whether to renew the current TTBER, revise it or let it expire. The deadline for responses is 23 December 2022.

European Commission consults on digital fairness

The European Commission is consulting on the Fitness Check of EU consumer law on digital fairness, to seek views on issues related to consumer protection in the digital environment. The Fitness Check is examining the adequacy of the existing main EU rules in dealing with consumer protection issues such as dark patterns, influencer marketing, subscription contract cancellations, unfair contract terms, the marketing of virtual items and in-app currencies, amongst others. It aims to establish whether additional legislation or other action is needed in the medium-term to ensure equal fairness online and offline. The consultation ends on 20 February 2023.

European Commission adopts European Drone Strategy 2.0 to develop drone market

The European Commission has adopted the European Drone Strategy 2.0. It sets out a vision for the further development of the European drone market. It builds on the EU’s safety framework for operating and setting the technical requirements of drones. The new Strategy sets out how Europe can pursue large-scale commercial drone operations while offering new opportunities in the sector.

EDPS and ENISA sign Memorandum of Understanding

The European Data Protection Supervisor and the European Union Agency for Cybersecurity have signed a Memorandum of Understanding which establishes a strategic cooperation framework between them. Both organisations agree to consider designing, developing and delivering capacity building, awareness-raising activities, as well as cooperating on policy related matters on topics of common interest, and contributing to similar activities organised by other EU institutions, bodies, offices and agencies. The Memorandum of Understanding includes a strategic plan to promote a joint approach to cybersecurity aspects of data protection, to adopt privacy-enhancing technologies, and to strengthen the capacities and skills of EU bodies.