This Week’s Techlaw News Round-Up

June 30, 2023

UK law

UK government makes more amendments to Online Safety Bill regarding image-based abuse

New amendments to the Online Safety Bill have been proposed by the government on image based abuse. These will amend the law so that prosecution no longer needs to prove that perpetrators shared sexual images or films to cause distress. The government has also committed to bringing forward wider reforms around intimate images, following the Law Commission’s detailed review as soon as parliamentary time allows. The sanctions include a maximum penalty of six months in custody. In addition, where it is proven a perpetrator also intended to cause distress, alarm or humiliation, or to obtain sexual gratification, they could face a two year prison term. Offenders found guilty of sharing the image for sexual gratification could also be placed on the sex offender register. Furthermore, the sharing of “deep fake” intimate images will also be criminalised. In addition, the government has announced amendments which will enable Ofcom to obtain information on a child’s social media use if it is requested by a coroner. This aims to help families and law enforcement understand if online activity contributed to their death in any way. Ofcom will also research the role of app stores in allowing children to access harmful content, requiring firms to take action to reduce risk where necessary. Ofcom will also be tasked with improving the general public’s ability to identify disinformation and evaluate trusted sources of information. It will be required to publish a strategy every three years on how it plans to deliver this. Ofcom will also be required to publish guidance on measures that services can take to reduce the risk of harm to women and girls, and which demonstrates best practice. The updates also cover age verification or age estimation tools. Finally, top tech executives will be personally responsible for keeping children safe on their platforms.

CMA publishes its submission to the Digital Markets, Competition and Consumers Bill Committee

The CMA has published its written evidence to the Public Bill Committee for the Digital Markets, Competition and Consumers Bill. The CMA’s submission sets out why this legislation is needed; elements of the Bill it thinks are particularly important; and how the CMA is preparing for the new responsibilities proposed in the Bill. It also explains how the CMA’s processes are designed to be transparent and accountable both to the UK parliament and the UK public.

CMA issues guidance about how Privacy Sandbox tools can be tested

The CMA has published a further guidance note to advise ad techs, publishers, and advertisers on how they can test the Privacy Sandbox tools in a way that would contribute to its assessment of Google’s technologies. It envisages most testing takes place between Q4 2023 and Q2 2024. The note provide details of two preferred approaches to testing, the metrics the CMA would like to capture, and information market participants can submit to the CMA so that it can understand results of testing. The note also describes how the CMA’s preferred testing approaches align with Google’s testing framework.

IPO publishes update about the government’s code of practice on copyright and AI

Sir Patrick Vallance’s review on pro-innovation regulation for digital technologies recommended that the government should clarify the relationship between intellectual property and generative AI. The government accepted this recommendation. The government is now working with users and rights holders on a code of practice on copyright and AI. The code of practice aims to make licences for data mining more available. It will aim to help to overcome barriers that AI firms and users currently face and ensure there are protections for rights holders. This seeks to ensure that the UK copyright framework promotes and rewards investment in creativity. The IPO has created a working group to facilitate the code, and its meetings commenced on 5 June 2023. The government expects parties to enter into the final code of practice on a voluntary basis. If the code of practice is not adopted or agreement is not reached, legislation could be considered.

EU law

European Commission welcomes political agreement on Cybersecurity Regulation

The European Commission has welcomed the political agreement reached between the European Parliament and the Council of the EU on the Regulation proposed by the Commission for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. The Commission announced the proposal for the Cybersecurity Regulation in March 2022. It will put into place a framework for governance, risk management and control across EU entities in cybersecurity, with a new inter-institutional Cybersecurity Board to monitor its implementation. The key elements of the proposal for all EU institutions, bodies, offices and agencies are the following: a framework for governance, risk management and control in the area of cybersecurity; conduct of regular maturity assessments; implementation of cybersecurity measures addressing the identified risks; a plan for improving their cybersecurity; and sharing incident-related information with CERT-EU without undue delay.

European Commission announces measures to modernise payment services and open financial services data

The European Commission has proposed a revised Payment Services Directive and a legislative proposal for a framework for Financial Data Access. The revised PSD aims to allow non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and giving them a right to have a bank account; improving the functioning of open banking, especially regarding the performance of data interfaces, removing obstacles to open banking services and consumer control over their data access permissions; reinforcing the enforcement powers of national regulators and facilitating implementation of the rules clarifying various elements; improving consumer information and rights; improving the availability of cash; and merging the legal frameworks about electronic money and payment services. The proposed framework for Financial Data Access aims to ensure that all consumers and firms have effective tools to control the use of their financial data. It therefore provides additional tools to ensure compliance with the GDPR and the new Data Act.

Council and Parliament strike a deal on a European digital identity

The Council and European Parliament have agreed a new framework for a European digital identity. Its aim is to provide a harmonised European digital identity means based on the concept of a European digital identity wallet. The text of the provisional agreement further develops the concept of the wallet and its interplay with national electronic identification means as well as ensuring it has a high degree of assurance. The wallet will also provide e-signatures free of charge. It also allows for new qualified trust services, including electronic ledgers and the management of remote electronic signature and seal creation devices. In addition, it offers a harmonised approach to security as well as a common technical architecture and reference framework and common standards to be developed with member states. The revised regulation will also use Cybersecurity Act certification schemes to certify the compliance of wallets with the applicable cybersecurity requirements. The revised draft retains the issuing of electronic attestation of attributes, such as medical certificates or professional qualifications, by qualified providers. This aims to ensure pan-European recognition of such credentials in electronic form and allows users to limit the sharing of identity data to what is strictly necessary for the provision of a service. The revised framework introduces the obligation for member states to perform unequivocal identity matching for cross-border services. When the text is finalised, subject to a legal/linguistic review, the revised regulation will then need to be formally adopted by the Parliament and the Council before it can be published in the EU’s Official Journal and enter into force.

European Parliament publishes report into the metaverse

The European Parliament has published a report on the metaverse. It says that while the exact scope and impact of the metaverse on society and on the economy is still unknown, it can already be seen that the metaverse will open up a range of opportunities but also a number of risks in a variety of policy areas. Major tech companies are scaling up their metaverse activities, including through mergers and acquisitions. This has given impetus to a debate on how merger regulations and antitrust law should apply. Business in the metaverse is expected to be underpinned largely by cryptocurrencies and non-fungible tokens, raising issues of ownership, misuse, interoperability and portability. Furthermore, the huge voume of data used in the metaverse raises a number of data protection and cybersecurity issues (for example, how to collect user consent or protect avatars against identity theft). There is considerable scope for a wide range of illegal and harmful behaviours and practices in the metaverse environment. According to the report, this makes it essential to consider how to attribute responsibility for fighting illegal and harmful practices and misleading advertising practices, and for protecting intellectual property rights. In addition, digital immersion in the metaverse can have severe negative impacts on health, especially for vulnerable groups, such as children, who may require special protection. Finally, the accessibility and inclusiveness of the metaverse remain areas where progress has still to be made to create an environment of equal opportunities.