This Week’s Techlaw News Round-Up

September 29, 2023

UK law

Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 made

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 SI 2023/1007 have been made. They were made under the European Union (Withdrawal) Act 2018 and the Product Security and Telecommunications Infrastructure Act 2022. They introduce a legislative regime preventing consumer connectable products from being sold to UK customers unless their manufacturers are compliant with fundamental security requirements. They make provision necessary for the regime established in the 2022 Act to come into effect. They are due to come into force on 29 April 2024.

Product Security and Telecommunications Infrastructure Act 2022 (Commencement No 3) Regulations 2023 made

The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No 3) Regulations 2023 SI 2023/1022 have been made. They bring certain provisions of the Product Security and Telecommunications Infrastructure Act 2022 into force on 7 November 2023.

Draft Data Protection (Fundamental Rights and Freedoms (Amendment) Regulations 2023 published

These regulations will amend the UK’s data protection legislation by amending the reference to “fundamental rights and freedoms” so they refer to rights recognised under UK law, rather than retained EU law rights. These retained EU law rights will not be recognised in UK law beyond December 2023 due to changes made by the Retained EU Law (Revocation and Reform) Act 2023.

CMA clears NHS healthcare tech deal

The Competition and Markets Authority had referred UnitedHealth’s £1.2bn purchase of EMIS for an in-depth Phase 2 investigation, after identifying competition concerns during Phase 1. The CMA has now confirmed that the transaction does not raise competition concerns when considered against the higher legal standard that applies in Phase 2 investigations, clearing the deal to proceed. EMIS supplies data management systems to the NHS, including the electronic patient record system used by most NHS GPs in the UK. Optum currently supplies software used by GPs when prescribing medicines, as well as data analytics and advisory services that the NHS uses to help improve overall healthcare and health service provision. Although the merging businesses do not supply competing services, the CMA was initially concerned that the deal would allow Optum to limit its competitors’ access to the data held within EMIS’s patient record system or to degrade the digital connections to this system, which rivals rely on to provide integrated software. The investigation confirmed that EMIS, as the lead supplier to NHS GPs across the UK, holds a particularly strong market position in the supply of electronic patient record systems. But further evidence-gathering and analysis, considering the potential impact of the merger in two markets in which Optum could limit its competitors’ access to the data held within EMIS, has found that the deal does not raise competition concerns. In the supply of data analytics and advisory services for Population Health Management, the CMA found that the merged business would not, in practice, be able to use the data that EMIS holds to harm the competitiveness of rivals, primarily because the NHS could use its oversight role to prevent the merged business from pursuing this kind of strategy. In the supply of medicines optimisation software, the CMA found that a strategy that involved restricting access to EMIS’s electronic patient record system would not be commercially beneficial to the merged business, with any possible gains being limited and capable of being reduced through intervention by the NHS.

DCMS proposes to bring unregulated electronic programme guides in line with Ofcom’s Broadcasting Code

Given the landscape of changing technology and the increasing risk to audiences of unregulated content appearing on television, the UK government is consulting on whether and how to use existing powers that allow it to update which electronic programme guides are regulated in the UK. It says that this could result in more consistent protections for audiences and level the playing field with traditional broadcasters, who are already required to follow Ofcom regulators. The consultation does not include wider considerations about the future of television distribution and does not seek responses in existing broadcasting standards themselves, nor on changes to how television or public service broadcasters are funded or regulated, including proposed changes under the draft Media Bill. The consultations does not cover advertising standards or the regulation of video-on-demand services. The consultation ends on 15 November 2023.

UK government consults on “open communications” scheme in telecoms market

The UK government is consulting on the potential benefits and implications of establishing a “smart data” or “open communications” scheme in the UK telecoms market. This would enable telecoms customers to obtain from their providers, on request, information relating to their services, such as usage statistics, price and speed. The consultation ends on 13 November 2023.

EU law

Irish DPC fines TikTok €345 million for breaching GDPR

The Data Protection Commission has adopted its final decision regarding its inquiry into TikTok Technology Limited. The DPC sought to examine if TikTok had, during the period between 31 July 2020 and 31 December 2020, complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of: certain TikTok platform settings, including public-by-default settings as well as the settings associated with the “Family Pairing” feature; and age verification as part of the registration process. The DPC also considered TikTok’s transparency obligations, including the extent of information provided to child users in relation to default settings. When the DPC had completed its investigation, it submitted a draft decision to other EU regulators under Article 60(3) GDPR. The DPC’s draft decision proposed findings of infringements of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 12(1) and 13(1)(e) GDPR. While there was broad consensus on the DPC’s proposed findings, objections to the draft decision were raised. The Berlin regulator sought the inclusion of an additional finding of infringement of the Article 5(1)(a) GDPR principle of fairness as regards “dark patterns”. The Italian regulation sought to reverse the DPC’s proposed finding of compliance with Article 25 GDPR, as regards TikTok’s approach to age verification. The issues were referred to the European Data Protection Board under the Article 65 GDPR dispute resolution mechanism. The European Data Protection Board adopting its binding decision on the subject matter of the objections on 2 August 2023 with a direction that the DPC must amend its draft decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness, further to the objection raised by the Berlin SA, and to extend the scope of the existing order to bring processing into compliance, to include reference to the remedial work required to address the new finding of infringement. The DPC’s decision, which was adopted on 1 September 2023, records findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 12(1), 13(1)(e) and 5(1)(a) GDPR. The decision further includes the following corrective powers: a reprimand; an order requiring TikTok to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified to TikTok; and administrative fines totalling €345 million.

European Commission re-imposes €376.36 million fine on Intel for anticompetitive practices in the market for computer chips

The European Commission has re-imposed a fine of around €376.36 million on Intel for a previously established abuse of dominant position in the market for computer chips called x86 central processing units. Intel engaged in a series of anti-competitive practices aimed at excluding competitors from the relevant market in breach of EU antitrust rules. In 2009, the Commission fined intel;€1.06 billion after finding that Intel abused its dominant position in the market for x86 CPUs. The Commission decision was based on findings that Intel had engaged in two specific forms of illegal practices by: (i) giving wholly or partially hidden rebates to computer manufactures on condition that they bought all, or almost all, their x86 CPUs from Intel (so-called “naked restrictions”). In 2022, the General Court partially annulled the 2009 Commission’s decision, in particular the Commission’s finding related to Intel’s conditional rebates practice. At the same time, the General Court confirmed that Intel’s naked restrictions amounted to an abuse of dominant market position under EU competition rules. The General Court also annulled the fine imposed on intel in its entirety after concluding that it could not establish the amount of the fine relating only to the naked restrictions. Following this judgment, the Commission has now adopted a new decision imposing a fine on Intel only for the naked restrictions.

European Commission publishes report on the first preliminary review of the Platform to Business Regulation

The report contains a preliminary assessment of the state of implementation of Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services. Article 18 of the Regulation contains a review clause that lists several priority items for a full evaluation. These include: (i) unfair commercial practices resulting from the dependence of business users on online intermediation services; (ii) unfair competition by integrated providers of online intermediation services; (iii) imbalances affecting business users of operating systems; and (iv) possible effects of the “business user” definition on “bogus self-employment”. The report says that the Regulation remains relevant to all the priority items mentioned above, through the existing transparency and redress provisions. At the same time, other acts of EU law complement the Regulation to take up the priority items mentioned above, which could have necessitated a full evaluation of the Regulation. Notably, since the Regulation started to apply, the EU has proposed or adopted several new laws of relevance, including the Digital Services Act, the Digital Markets Act, and the proposed Directive on improving working conditions in platform work.

Major online platforms report on first six months under the Code of Practice on Disinformation

The major online platforms which are signatories of the Code of Practice on Disinformation of 2022 (Google, Meta, Microsoft, TikTok) have published new reports on how they turned their commitments to reduce the spread of disinformation into practice. The reports show that platforms are making improvements in providing more detailed, complete, and meaningful data. Additionally, signatories reported about their efforts to provide safeguards regarding new generative AI systems and features on their services. The reports also include a dedicated chapter on Ukraine-related disinformation. The next reports will consider disinformation around elections. The reports are accompanied by a new initial set of Structural Indicators, providing additional insights into disinformation on online platforms and the Code’s impact in reducing its spread. The Commission expects signatories to continue their work by expanding and fine-tuning reporting in the future.

European Commission launches EU DSA Transparency Database on content moderation decisions

The database has been launched under the Digital Services Act with the aim of ensuring transparency and to enable scrutiny over the content moderation decisions of the providers of online platforms and to monitor the spread of illegal or harmful content online. Article 17 of the DSA obliges providers of hosting services to send clear and specific statements of reasons to any affected recipient when they remove or otherwise restrict availability of and access to information provided by the recipient. The database collects the statements of reasons submitted by providers of online platforms to the Commission, in accordance with Article 24(5) of the Digital Services Act.

European Chips Act enters into force

The European Chips Act entered into force on 21 September. It aims to ensure the EU’s security of supply, resilience and technological leadership in semiconductor technologies and applications. The European Commission says that semiconductors are the essential building blocks of digital and digitised products. They are also at the centre of strong geostrategic interests and the global technological race. The new legislation aims to strengthen manufacturing activities in the EU, stimulate the European design ecosystem, and support scale-up and innovation across the whole value chain.

EDPB adopts Guidelines on data transfers subject to appropriate safeguards under the Law Enforcement Directive

During its latest plenary, the EDPB adopted Guidelines on Art. 37 of the Law Enforcement Directive (LED). These guidelines aim to provide practical guidance on the application of Article 37 LED concerning transfers of personal data by competent authorities of EU countries to third country authorities or international organisations competent in the field of law enforcement. In particular, the Guidelines aim to provide clarity on the legal standard for appropriate safeguards that competent authorities need to apply under Articles 37(1)(a) and (b) LED and on the relevant factors for the assessment of whether such safeguards exist. The Guidelines aim to serve as a reference for EU countries when they envisage concluding or amending the transfer instruments under Article 37(a) LED. There is also guidance for national data protection authorities if they are consulted or otherwise involved in the negotiation of such instruments or where they subsequently review their implementation. The guidance also considers the role of data protection authorities in the context of the data controller’s accountability obligations under Articles 37(2) and (3) LED. The Guidelines reiterate that any transfer of personal data requires an essentially equivalent level of protection in the recipient third co9untry or international organisation and that transfers should by no means undermine the level of protection applicable in the E.U. Furthermore, the Guidelines address the use of a legally binding instrument (Article 37 (a) LED) compared to an assessment by a controller (Article 37 (b) (LED), and stress that the latter should only be relied on when the assessment is based on a careful analysis of the relevant legal framework and practices establishing that the transfer is subject to appropriate safeguards. In addition, the Guidelines include practical guidance, such as a list of elements that should be addressed in a legally binding instrument as well as examples for categorising and assessing the circumstances of a transfer. The consultation on the guidelines ends on 8 November 2023.

EU Data Governance Act applies as of 24 September 2023

The EU Data Governance Act is now applicable. It aims to create a safe environment for sharing data across sectors and member sates. The Act also allows novel data intermediaries to act as trustworthy actors in the data economy. Entities engaging in data altruism can register voluntarily as data altruism organisations. This seeks to provide maximum trust with minimum administrative burden. The rules related to data altruism aim to help individuals and companies to donate data in a safe and trustworthy way to contribute to wider societal goals such as fighting a pandemic. The reuse of public sector data that cannot be made available as open data will also be enhanced. The tools aim to increase data flows, thereby supporting the development of common European data spaces, such as manufacturing, cultural heritage, agriculture and health. The Regulation also establishes the European Data Innovation Board. It will issue guidelines on the development of common European data spaces and will identify standards and interoperability requirements for cross-sector data sharing.