This Week’s Techlaw News Round-Up

December 22, 2023

UK law

Ofcom publishes report on how VSPs protect children from accessing harmful videos

Ofcom has published a report about the actions TikTok, Twitch and Snap have taken with the aim of protecting children from accessing potentially harmful videos on their platforms, under the video-sharing platform (VSP) regime. The report states the platforms allow children aged 13 and over to sign up and rely on users declaring their true age, which is easy to falsify. The platforms enforce age restrictions using a range of methods. However, their effectiveness has not yet been established. In addition, parental controls are in place on TikTok and Snap, while Twitch’s terms and conditions require that parents supervise children in real time when using the service. Twitch is also open access, unlike TikTok and Snap, which means anyone of any age can access most of the videos on the platform, even those with a “mature” label applied, whether they have an account or not. Each platform uses different methods to classify and label content which is unsuitable for under-18s.

ASA consults on implementation of new rules on “less healthy” food and drink ads

The Advertising Standards Authority is consulting on the implementation of the new rules on restricting advertisements for “less healthy” food and drink products on TV, and in on-demand programme services and paid online ad media. The delayed rules come into force on 1 October 2025. The consultation seeks views on the guidance to accompany the new rules, the transposition of the restrictions in Schedule 18 to the Health and Care Act 2022 (amending the Communications Act 2003) into the CAP and BCAP Codes, and technical updates to the existing rules to ensure that the new rules on less healthy products work with the existing rules on advertising products classified as high fat, salt or sugar. There is also guidance on the difference between HFSS advertising and brand advertising. The consultation ends on 7 February 2024.

Joint Select Committee on National Security issues report on ransomware

The Joint Select Committee on National Security has issued a report on ransomware. It says that the UK is one of the most targeted countries in the world. Past attacks have shown that ransomware can cause severe disruption to the delivery of core government services, including healthcare and child protection, as well as ongoing economic losses. The UK government and the National Cyber Security Centre have focused their counter-ransomware efforts predominantly on resilience. Nevertheless, large swathes of UK critical national infrastructure remain vulnerable to ransomware. The report says that the government must also bring forward legislation urgently to update the Computer Misuse Act, which is now over 30 years old. The government should invest significantly more resources in the National Crime Agency’s response to ransomware, enabling it to pursue a more aggressive approach to infiltrating and disrupting ransomware operators. It should also address the pay parity between police and NCA officers and invest sufficiently in the skills needed to track and seize ransomware criminals’ cryptocurrency earnings. The Committee says that there is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking. The Committee says that if the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security. The government has two months to respond.

UK government consults on security and resilience of UK data infrastructure

The UK government is seeking views on a proposed regulation to improve the security and resilience of data infrastructure, including data centres. The proposals focus on third-party data centre services, which face security threats such as cyber-attacks, physical attacks and insider threats; resilience risks resulting from hazards such as human error and extreme weather; and limited information-sharing and cooperation across industry, and with the government, which hamper the ability to appropriately identify and address risks. The proposals focus on a new proposed statutory framework applying to UK-based data centre services provided to third parties, but potentially applicable in future where other risks are evidenced. (The consultation does mention ransomware, but not in any detail.)

Bank of Ireland UK reprimanded for inaccurate data on customers’ accounts

The ICO has issued Bank of Ireland UK with a reprimand for mistakes made on more than 3,000 customers’ credit profiles. Bank of Ireland UK sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies. This inaccurate data could have potentially led to these customers being unfairly refused credit for mortgages, credit cards or loans, or granted too much credit on products they were potentially unable to afford. The investigation found that, due to the complex nature and different factors contributing to credit scoring, it would be impossible to determine the actual damage caused to each customer. However, the ICO concluded it was reasonable to assume that the inaccurate data sent by Bank of Ireland UK to credit reference agencies would have had a negative impact on the customers affected. The matter was reported to the ICO in March 2021, and Bank of Ireland UK was found to be in breach of the requirement to ensure personal data was accurate under Article 5(1)(d) of the GDPR. The ICO recommended the following steps: continuing to support affected customers, ensuring that robust processes are in place and are reviewed regularly, and ensuring that learnings are shared across the organisation to prevent a repeat of the issue.

Ofcom publishes its proposed Plan of Work for 2024/25

Ofcom has published its proposed Plan of Work for 2024/25, outlining its areas of work for the next financial year. Its mission is to make communications work for everyone. The passage of the Online Safety Act in October 2023, helping to create a safer life online, represents the biggest change to its duties in Ofcom’s 20-year history. The plan outlines its priority outcomes and explains how it will work to meet these over the course of 2024-25. The consultation ends on 9 February 2024. Ofcom will publish the final plan in March 2024.

CMA consults on Annual Plan for 2024-2025

The Competition and Markets Authority is consulting on its draft Annual Plan for 2024-2025. The consultation is intended to give interested parties the opportunity to provide views and comments on the CMA’s draft Annual Plan for 2024 to 2025, including proposed updates to its medium-term priorities and areas of focus. Looking ahead to 2024 to 2025, it has been preparing for its new responsibilities and powers under the Digital Markets, Competition and Consumers Bill. The targeted ex-ante powers that the Bill provides in digital markets aim to enable the CMA to tackle competition and consumer protection problems swiftly, proportionately, and effectively, maximising opportunities for sustained innovation in these critical economic sectors. The CMA also welcomes the decision to place consumer protection law on a par with competition law through the new administrative enforcement model. Together with the ability to issue tougher fines, it says this considerably strengthens its ability to protect consumers from commercial harm and deter businesses which do not comply with the rules. It will publish a summary of responses and the final Annual Plan by 31 March 2024. The consultation ends on 29 January 2024.

EU law

EDPB publishes binding decision on banning Meta’s unlawful behavioural advertising practices

The European Data Protection Board (EDPB) has published its binding decision on the Irish Data Protection Commission’s draft decision on Meta’s processing of personal data for behavioural advertising on the legal bases of contractual necessity and legitimate interests in the EEA. This follows the DPC finalising its action against Meta on 10 November 2023.

European Commission requests information from Apple and Google under the Digital Services Act

The European Commission has formally sent requests for information under the DSA to Apple and Google. The Commission is requesting more information on how they have identified any systemic risks concerning the App Store and Google Play. The Commission also seeks more information from the App Store and Google Play on their compliance with the rules applicable to online marketplaces and to transparency related to recommender systems and online advertisements. The requested information regarding the App Store and Google Play must be provided to the Commission by 15 January 2024. Based on the assessment of the replies, the Commission will assess next steps. This could involve the formal opening of proceedings under Article 66 of the DSA.

Provisional agreement reached on the European Media Freedom Act

Under the European Media Freedom Act, member states will have to ensure that citizens have access to a plurality of editorially independent media content. Among other things, the Act aims to ensure that decisions on content moderation by very large online platforms do not have a negative effect on media freedom. Platforms will first have to distinguish independent media from non-independent sources. Media would be notified that the platform intends to delete or restrict their content and have 24 hours to respond (there will be a shorter timeframe if there is a crisis). If, after the reply (or in the absence of one), the platform still considers the media content does not comply with its conditions, it can proceed with deleting or restricting it. However, if the media considers that the decision does not have sufficient grounds and undermines media freedom, it will have the right to bring the case to an out-of-court dispute settlement body and request an opinion from the European Board for Media Services (a new EU board of national regulators). The agreement has to be formally approved by the Committee on Culture and Education and by the European Parliament as a whole as well as by the Council.

Adobe and Figma abandon merger plans

Adobe and Figma have decided to terminate the agreement under which Adobe intended to acquire sole control over Figma. Both the European Commission and the CMA had been investigating the transaction and will now end their investigations.

EDPB says that cookie pledge initiative should help protect fundamental rights and freedoms of users

The European Data Protection Board has adopted a letter in response to the European Commission’s cookie pledge voluntary initiative. The EDPB welcomes the Commission’s initiative, which aims to help users make effective choices, and to increase transparency. The cookie pledge initiative, developed by the European Commission in response to concerns about so-called “cookie fatigue”, is a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. The draft pledging principles would ensure that users receive material information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. In addition, under the draft principles, consent should not be asked for again for a year once it has been refused. The EDPB has said that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive. The national data protection authorities may exercise their powers when necessary.

EDPB says that application of the GDPR successful, but sufficient resources are needed to deal with future challenges

The EDPB has contributed to the European Commission’s report on the GDPR. The EDPB considers that the GDPR has been successful during its five and a half years. Although it says significant challenges lie ahead, the EDPB considers it premature to revise the GDPR. It has called for the swift adoption of the new Regulation setting out additional procedural rules relating to the cross-border enforcement of the GDPR. In addition, the EDPB stresses that regulators and the EDPB need sufficient resources to continue carrying out their tasks.

European Commission designates second set of VLOPs under EU DSA

The European Commission has adopted a second set of designation decisions under the Digital Services Act, designating three Very Large Online Platforms (VLOPs). These are Pornhub, Stripchat, and XVideos. The designation is the result of Commission investigations concluding that the three services fulfil the threshold of 45 million average monthly users in the EU. In addition to the general provisions in the DSA, within four months of their designation as VLOPs, Pornhub, XVideos and Stripchat will also have to adopt specific measures to empower and protect users online, including minors, and duly assess and mitigate any systemic risks stemming from their services. Following their designation as VLOPs, the Commission will be responsible for supervising Pornhub, Stripchat and XVideos, in cooperation with the Digital Services Coordinators of the member states of establishment. The Commission services will carefully monitor the compliance with the DSA obligations by these platforms, especially concerning the measures to protect minors from harmful content and to address the dissemination of illegal content.