This Week’s Techlaw News Round-Up

July 21, 2023

 UK law

Ada Lovelace Institute issues report on regulating AI

The Ada Lovelace Institute has issued a report on regulating AI. It contextualises and summarises the UK’s current plans for AI regulation, and makes recommendations for the UK government and the Foundation Model Taskforce. The Institute’s recommendations fall into three categories, reflecting its three tests for effective AI regulation in the UK: coverage, capability and urgency. AI is being deployed and used in every sector but the UK’s diffuse legal and regulatory network for AI currently has significant gaps. Clearer rights and new institutions are needed to ensure that safeguards extend across the economy. Regulating AI is resource-intensive and highly technical. Regulators, civil society organisations and other actors need new capabilities to properly carry out their duties. The widespread availability of foundation models such as GPT-4 is accelerating AI adoption and risks scaling up existing harms. It says that the government, regulators and the Foundation Model Taskforce need to take urgent action.

CMA provisionally clears $69 billion technology deal

A CMA panel has provisionally found Broadcom’s deal to buy VMware would not weaken competition in the supply of critical computer server products. Broadcom, a leading US-based technology company, makes and sells hardware components used in computer servers. VMware sells software products and services, including server virtualisation software, which enables servers to be used more efficiently by separating them into multiple virtualised servers. Following its initial Phase 1 investigation, the CMA identified competition concerns warranting an in-depth review and referred the deal to a Phase 2 inquiry. After examining the evidence, an independent CMA panel has provisionally found the deal would not substantially reduce competition in the supply of server hardware components in the UK. The panel explored concerns that the deal could harm the ability of Broadcom’s rivals to compete if the merged company were to make their products work less well (or not at all) with VMware’s server virtualisation software. However, it has provisionally found that the potential financial benefit to Broadcom and VMware of making rival products work less well with VMware’s software would not outweigh the potential financial cost in terms of lost business. The panel also found the deal would be unlikely to harm innovation, since information about new product adaptations only needs to be shared with VMware at a stage when it is too late to be of commercial benefit to Broadcom. The findings are provisional, and the CMA is consulting on them until 12 September 2023.

DCMA issues update about measures to improve player productions with regards to loot boxes in video games

The DCMA has published its response to guidance on loot boxes published by UK Interactive Entertainment. Since the publication of the government response to the call for evidence on loot boxes in video games in July 2022, the DCMA has convened the Technical Working Group of games industry representatives, tasked with improving protections for children and adults with regards to loot boxes. The outputs of this work is guidance on loot boxes, as well as a Video Games Research Framework. The guidance includes 11 principles.

Digital Economy Act 2010 (Appointed Day No 5) Order 2023 made

The Digital Economy Act 2010 (Appointed Day No 5) Order 2023 SI 2023/792 has been made. It brings certain provisions of the Digital Economy Act 2010 into force as of 17 July 2023 and 6 April 2024. Section 124O of the Communications Act 2003 makes provision for the Secretary of State to notify qualifying internet domain registries of failures to comply with prescribed requirements relating to the misuse and abuse of UK-related internet domain names and prescribed requirements relating to complaints procedures. Sections 124P and 124Q make provision for the Secretary of State to appoint a manager of a qualifying internet domain registry where there has been a serious failure by the registry to comply with the prescribed requirements. Section 124R makes provision for the Secretary of State to be able to apply to the court to amend a qualifying internet domain registry’s articles of association, or similar documents, where there has been a  serious failure by the registry to comply with the prescribed requirements. Article 2 brings section 19 of the Act into force on 17th July 2023 for the purposes of consulting on and then making regulations under section 124O of the Communications Act 2003 to set out the prescribed requirements. Article 3 brings into force sections 19 (to the extent that it is not already in force), 20 and 21 of the Act on 6th April 2024.

Draft guidance on new digital imprints regime published

The Department for Levelling Up, Housing and Communities has published draft guidance that aims to help campaigners understand new digital imprints rules introduced by the Elections Act 2022. The new rules aim to increase transparency by requiring those promoting certain digital campaigning material aimed at the UK public to state who they are. The draft also includes guidance for the police and the Electoral Commission, who will be responsible for enforcing the rules. The new rules will apply, for the most part, all year round and not just in the run up to an election and will apply to anyone paying to publish digital political material as an advertisement. The regime will also apply to certain material where no payment to publish an advertisement has been made, but where it is promoted by specific political entities such as candidates, future candidates, political parties, recognised third-party campaigners and elected representatives (including local government representatives). The guidance has been laid before parliament and once approved will come into force at the same time as the new rules.

FCA consults on guidance about financial promotions in social media

The FCA has launched an consultation on new guidance about financial promotions in social media. It says that all financial promotions should be fair, clear and not misleading. Its financial promotion rules are designed to be technology neutral and apply across all channels used to advertise, including social media. To ensure firms understand how the rules apply and the FCA’s expectation for financial promotions on social media. To ensure firms understand how the rules apply and the FCA’s expectations for financial promotions on social media, it is consulting on the guidance. The Consumer Duty will strengthen the FCA’s expectations of firms communicating or approving financial promotions. It wants firms to consider the guidance alongside their obligations under the Duty to help them deliver good outcomes for retail customers. Unauthorised persons, such as social media influencers, who promote a regulated financial product or service without approval of an FCA authorised person may be committing a criminal offence. The FCA has also included guidance to provide additional clarity on when a communication might constitute a financial promotion. The consultation ends on 11 September 2023.

National Audit Office issues report on preparedness for online safety regulation

The National Audit Office has issued a report examining whether the preparations undertaken by DSIT (and previously DCMS) and Ofcom for the implementation of the new online safety legislation are sufficiently advanced. Its evaluation and recommendations are based on its good practice guidance on the principles of effective regulation. The report covers work undertaken by the departments and Ofcom to establish the regulatory framework, prepare to implement the regulatory framework and enable informed regulation. It says that Ofcom has made a good start to its preparations and has taken the steps it could reasonably have done by this point: compiling an evidence base to inform its implementation of the new regime; putting in place the capacity, capabilities and organisational design it needs to begin operating the regime; and engaging with stakeholders. It says that it still has much to do and will need to be self-financing.

Ofcom investigates Virgin Media over customer difficulties cancelling contracts

Ofcom has opened an investigation into Virgin Media following complaints from customers that it is making it difficult for them to cancel their services. Ofcom’s rules require that Virgin Media must ensure that conditions or procedures for contract termination do not act as disincentives for customers against changing their communications provider. Ofcom rules also require that Virgin Media have and comply with procedures for the handling of customer complaints that conform with General Condition C4 and the Ofcom Approved Complaints code. Ofcom’s investigation will examine whether there are reasonable grounds for believing that Virgin Media has failed to comply with these obligations.

Ofcom consults on strengthening customer protections regarding mobile roaming

Ofcom has launched a consultation on mobile roaming. At the end of June 2022, statutory protections designed specifically to protect customers when roaming fell away. Since then, Ofcom has been reviewing customers’ experiences of roaming (both in the EU and more widely) to understand whether customers are adequately protected from potential harms when roaming. The consultation sets out proposals for new rules and guidance relating to roaming and inadvertent roaming (when a customer’s device connects to a network in a different country even though the customer is not physically in that country – this is a particular problem in Northern Ireland). Ofcom proposes new rules requiring providers to notify customers when they start roaming (both in the EU and rest of the world destinations) and for that notification to include clear, comprehensible and accurate: personalised information on roaming charges (including specifying any fair use data limits and the time period that apply to any daily charges); personalised information on mobile bill limits (if the customer has one and what it is set at) and inform customers how to put one in place or amend it; and where to find free to access, clear, comprehensible and accurate additional information on roaming. The consultation ends on 28 September 2023.

EU law

Council of the EU agrees common position on Cyber Resilience Act

The Council of the European Union has agreed a common position on security requirements for digital products. The draft Regulation introduces mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products to avoid overlapping requirements stemming from different pieces of legislation in EU member states. The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products, for which cybersecurity requirements are already set out in existing EU rules, for exampled on medical devices, aviation, or cars. The proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent by ensuring that products with digital components, for example “Internet of Things” products, become secure throughout the whole supply chain and throughout their whole lifecycle. Finally, the proposed regulation also allows consumers to take cybersecurity into account when selecting and using products that contain digital elements by providing users the opportunity to make informed choices of hardware and software products with the proper cybersecurity features. The European Parliament has also published its position. The Council, the Parliament and the Commission will now negotiate a final version of the Act.

EDPS finds that the CJEU’s use of cloud videoconferencing services complies with data protection law

The European Data Protection Supervisor has found that the use of Cisco Webex videoconferencing and related services by the Court of Justice of the European Union meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies. The EDPS has issued this decision based on the revised agreement between the CJEU and Cisco, which ensures that the processing of individuals’ personal data occurs only in the EU/EEA. The EDPS welcomes the CJEU’s inclusion of technical and organisational measures to prevent the risks associated with transfers of personal data outside the EU/EEA. The EDPS encourages the ongoing commitments by EU institutions, bodies, offices and agencies to respect data protection law when using cloud-based services. It says that one of the ways to achieve this is to conduct thorough assessments and analysis of any potential risks related to non-EU/EEA laws that may impact the privacy of individuals. In the coming months, the EDPS aims to further work on this matter with the Data Protection Officers of the EU institutions, bodies, offices and agencies, by providing relevant advice and guidance as their supervisory data protection authority.

European Commission publishes template for gatekeepers when providing information on concentrations pursuant to Article 14 of the DMA

The European Commission has published a template in relation to the information to be provided by gatekeepers under the Digital Markets Act. Article 14(1) of the DMA requires gatekeepers to inform the Commission about any intended concentration under Article 3, where the merging entities or the target provides core platform services or any other services in the digital sector or enable the collection of data.