This Week’s Techlaw News Round-Up

April 21, 2023

UK law

Committee calls for evidence about Data Protection and Digital Information (No.2) Bill

A House of Commons Public Bill Committee is going to consider the Data Protection and Digital Information Bill and has now issued a call for evidence. The Public Bill Committee will scrutinise the Bill line by line. The first sitting of the Public Bill Committee is expected to be on 10 May and the Committee is scheduled to report by 13 June. It has asked for evidence as soon as possible. The Bill received its second reading on 17 April.

CMA launches Amazon/iRobot merger inquiry

The CMA is investigating the anticipated acquisition by Inc of iRobot Corporation. It is considering whether it is or may be the case that the transaction if carried into effect, will result in the creation of a relevant merger situation under the merger provisions of the Enterprise Act 2002 and, if so, whether the creation of that situation may be expected to result, in a substantial lessening of competition within any market or markets in the UK for goods and services. To assist it with this assessment, the CMA invites comments on the transaction from any interested party.

Online recruitment firm fined £130,000 for sending 107 million spam emails targeting jobseekers

The ICO has fined Join The Triboo Limited £130,000 for overwhelming people with spam emails. Join The Triboo Limited sent 107 million spam emails to 437,324 people between August 2019 and August 2020, meaning that each individual would have received on average 244 emails during that year. The ICO points out that this breaches the Privacy and Electronic Communications Regulations 2003. Join The Triboo Limited describes itself primarily as an operative of job search websites. The company operated five websites, four of which were job advertisement websites, through which they sourced the data for their spam email campaign.

ICO reprimands Surrey Police and Sussex Police for recording more than 200,000 phone calls

The ICO has issued a reprimand to both Surrey Police and Sussex Police, following the rollout of an app that recorded phone conversations and unlawfully captured personal data. In June 2020, the ICO became aware that staff members across both police forces had access to an app that recorded all incoming and outgoing phone calls. 1,015 staff members downloaded the app onto their work mobile phones and more than 200,000 recordings of phone conversations, for example with victims, witnesses, and perpetrators of suspected crimes, were automatically saved. The ICO considered it highly likely that the app captured a large variety of personal data during these calls, and it considered that the processing of some of this data was unfair and unlawful. Police officers that downloaded the app were unaware that all calls would be recorded, and people were not informed that their conversations with officers were being recorded. The app was first made available in 2016 and was originally intended ot be used as recording software by a small number of specific officers, but Surrey Police and Sussex Police chose to make the app available for all staff to download. The app has now been withdrawn from use and the recordings, other than those considered to be evidential material, have been destroyed. The ICO has applied its revised public sector approach to this case. Instead of issuing a £1m fine to both Surrey Police and Sussex Police, they have each received a formal reprimand. The ICO’s approach aims to reduce the impact of fines on those accessing public services and to encourage greater data protection compliance from public authorities to prevent harms from occurring in the first place.

Home Office issues additional guidance on the communication data codes of practice

The Home Office has issued guidance on its current interpretation of the Investigatory Powers Act 2016 with regards to telecommunications operators and communications data agreed between the Home Office, Investigatory Powers Commissioner’s Office and Office for Communications Data Authorisations.

EU law

Digital Markets Act Implementing Regulation published in the Official Journal

On 17 April 2023, European Commission Implementing Regulation 2023/814 on detailed arrangements for the conduct of certain proceedings by the Commission under the DMA was published in the Official Journal. The DMA will apply from the beginning of May 2023. Within two months, companies providing core platform services will have to notify the Commission and provide all relevant information. The Commission will then have two months to adopt a decision designating a specific gatekeeper. The designated gatekeepers will have a maximum of six months after the Commission decision to ensure compliance with the obligation foreseen in the DMA.

Launch of the 2022 Annual Activity Report of the EDPB

The European Data Protection Board has published its 2022 Annual Activity Report. The report provides a summary of the work carried out by the EDPB in the last year, and includes the results of a guidance review carried out among stakeholders and a thematic digest with a selection of examples of final One-Stop-Shop decisions.

EDPB promotes consistent approach for 101 NOYB data transfers complaints

The EEA data protection authorities have issued a report on the outcome of the work of the task force that was set up to look into the 101 complaints filed by NGO NOYB after the CJEU Schrems II judgment. The report sets out the common positions of the members of the task force and information on the outcomes of the first cases. Among other things, several data protection authorities have ordered website operators to comply with the requirements of Chapter V of the GDPR, and if necessary, to stop a transfer. The task force was set up in September 2020 to promote a consistent approach in the handling of 101 identical complaints lodged by NOYB with EEA data protection authorities regarding the tools “Google Analytics” and “Facebook Business Tools” on websites, and the subsequent processing of personal data transfers to the US.

European Commission seeks views on TTBER and Technology Transfer Guidelines

Technology transfer agreements grant permission for one party to use another party’s intellectual property, including patents and software copyrights, for the purpose of producing goods or services. Certain categories of technology transfer agreements are exempted by the Technology Transfer Block Exemption Regulation (TTBER) from the prohibition of anticompetitive agreements laid down in Article 101(1) of the Treaty on the Functioning of the EU. The main objective of TTBER is to increase the incentives for research and development, facilitate the dissemination of technology, and foster competitiveness. Following the call for evidence in 2022, the Commission is now consulting on how the TTBER has been applied in practice by companies and other interested parties. The evaluation is intended to help the Commission in determining whether to allow the current TTBER expire, revise it, or renew it. The consultation ends on 24 July 2023.

European Commission adopts proposal for EU Cyber Solidarity Act

The Commission has adopted a proposal for a EU Cyber Solidarity Act to strengthen cybersecurity capacities in the EU. It aims to support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, as well as reinforce solidarity, concerted crisis management and response capabilities across Member States. The Cyber Solidarity Act establishes EU capabilities to make Europe more resilient and reactive in front of cyber threats, while strengthening existing cooperation mechanism. It will contribute to ensuring a safe and secure digital landscape for citizens and businesses and to protecting critical entities and essential services, such as hospitals and public utilities.

European Commission welcomes European Chips Act

The European Commission has welcomed the political agreement reached between the European Parliament and the EU member states on the European Chips Act, proposed by the Commission on 8 February 2022, including on the budget. It says that semiconductors are at the centre of strong geostrategic interests, and of the global technological race. Consequently, the Commission proposed the European Chips Act, which aims to strengthen European competitiveness and resilience in this strategic sector. The Commission proposed three main lines of action, or pillars, to achieve the Chips’ Act objectives: the Chips for Europe Initiative, to support large-scale technological capacity building, a framework to ensure security of supply and resilience by attracting investment and a monitoring and crisis response system to anticipate supply shortages and provide responses in case of crisis. The political agreement reached by the European Parliament and the Council is now subject to formal approach by the two co-legislators.

European Parliament adopts updated rules on safety of machinery in the digital era

The European Parliament has given its final approval to the new machinery regulation that was agreed on with the Council in December 2022. The new rules adapt the existing legislative framework to the latest needs of the market and to emerging digital technologies, such as AI. Their overall aim is to increase user-safety and improve predictability for the machinery industry, especially SMEs. They also aim to encourage innovation, digital transition and consumers’ trust. The text will now have to be formally approved by the Council. After that, the new legislation will be published in the Official Journal of the EU and it will enter into force on the twentieth day after publication.