This Week’s Techlaw News Round-Up

January 19, 2024

UK law

Online Safety Act 2023 (Commencement No 3) Regulations 2024 made

The Online Safety Act 2023 (Commencement No 3) Regulations 2024 SI 2024/31 have been made. They bring further provisions of the Online Safety Act 2023 into force on 31 January 2024. They are the third commencement regulations under the OSA and bring into force Part 10 (which includes Schedule 14) of the OSA. Part 10 sets out new and updated communications offences. Schedule 14 sets out amendments consequential on Part 10.

ICO publishes updated Commissioners Opinion on age assurance for the Children’s Code

The ICO has renewed its 2021 Age Assurance Opinion with an updated version reflecting developments over the past two years. The updated Opinion gives guidance on what online services must do if they are likely to be accessed by children; reflects the technological developments in this area; and explains legislative developments and how organisations can meet their data protection obligations whilst also complying with the Online Safety Act 2023. Age assurance is an important part of the Children’s Code. The Opinion explains how age assurance can form part of a necessary and proportionate approach to reducing or eliminating risks and complying with the Code. It also sets out how the Information Commissioner expects online services to apply age assurance measures that are appropriate for their use of children’s data. The ICO committed to review and update the Opinion when it was first published, to help organisations understand how to approach age assurance and respond to ongoing developments in technology, legislation, policy and attitudes.

ICO issues enforcement notice on Crown Prosecution Service

The ICO has issued an Enforcement Notice to the Crown Prosecution Service in relation to a contravention of the sixth data protection principle in section 40 DPA 2018. The contravention was identified following an investigation into the disclosure of an unencrypted USB device, containing personal data, to an unauthorised third party.

ICO fines HelloFresh £140,000 for spam

The ICO has fined food delivery company HelloFresh £140,000 for a campaign of 79 million spam emails and one million spam texts over a seven-month period. The marketing messages were sent based on an opt-in statement which did not make any reference to the sending of marketing via text, and which was also bundled with an age confirmation statement which was likely to unfairly incentivise customers to agree. Customers were also not given sufficient information that their data would continue to be used for marketing purposes for up to 24 months after cancelling their subscriptions.

Two home improvement companies fined a total of £250,000 for making illegal marketing calls

The ICO has also fined two home improvement companies a total of £250,000 for making unlawful marketing calls to people on the Telephone Preference Service. Poxell Ltd has been fined £150,000 by the ICO for making over 2.6 million unlawful marketing calls between March and July 2022 to people who had registered with the TPS. This resulted in 413 complaints to the ICO and TPS. It made calls to individuals with dementia and other serious illnesses. Complainants also stated calls were aggressive. The ICO’s investigation found that Poxell Ltd had purchased several telephone lines in a bid to avoid detection. The company did not engage with the investigation and continued to make unlawful marketing calls until their account was finally terminated by their communications service provider. Skean Homes Ltd has also been fined £100,000 for instigating over 600,000 unsolicited marketing calls between March and May 2022 to people who had registered with the TPS. There were 31 complaints to the ICO. It used various false names during the calls. Skean claimed they had allowed their lead generation provider to temporarily use their caller identities (CLIs) and that TPS checks failed due to a technical error. The ICO’s investigation found no evidence that a third party was using the CLIs when the unsolicited calls were made. In addition to the fines, the ICO has also issued an Enforcement Notice to both companies, ordering them to stop calling people registered with the TPS, or who had previously objected to such calls.

CMS Committee publishes Government response to report on NFTs and the blockchain

The Culture Media and Sport Select Committee published a report in October which warned that the emergence of NFTs in the world of art has led to the risk of widespread copyright infringement, while the promotion of crypto assets in professional sport is putting supporters at risk of financial harm and potentially damaging the reputations of clubs. In its response, the UK government has rejected the Committee’s call for a new code of conduct to protect creators, consumers and sellers from infringing and fraudulent material on NFT marketplaces. It has pledged to continue to monitor developments.

Extension of public performance rights to foreign nationals

The government is seeking views on changes to how foreign nationals qualify for broadcasting and performance rights in UK copyright law. The UK is party to various international agreements on copyright and related rights. Under these agreements, the UK extends protection to works (such as music and books) and performances from other countries. In return, those countries provide protection to works and performances from the UK. This enables the UK creative industries to secure remuneration when their music, books, films and other creative media are used abroad. The government intends to change how certain rights are extended to foreign nationals, to ensure UK law works for both creators and users and is consistent with the UK’s international commitments. The consultation ends on 11 March 2024.

UK launches new tech programme in partnership with Ukraine

The UK and Ukraine have launched a new initiative to facilitate commercially-driven partnerships and growth in both tech sectors and support Ukraine’s recovery. The UK-Ukraine TechBridge aims to support economic resilience for Ukraine while bringing benefits to the tech sectors in both countries. The initiative will seek to facilitate digital trade and investment by supporting relationships between high potential Ukrainian businesses and UK tech firms and investors, and through a series of virtual “missions” in priority sectors such as healthtech, agritech and fintech.

Generative AI Framework for HM Government launched

The Generative AI Framework for HM Government has been launched. It provides guidance on using generative AI safely and securely for civil servants and people working in government organisations. The government has defined ten common principles to guide the safe, responsible and effective use of generative AI in government organisations. The White Paper on a pro-innovation approach to AI regulation sets out five principles to guide and inform AI development in all sectors. The framework builds on those principles to create ten core principles for generative AI use in government and public sector organisations.

EU law

Commission finds that EU personal data flows can continue with 11 third countries and territories

The European Commission has concluded its review of 11 existing adequacy decisions. These decisions had been adopted under the EU data protection legislation that preceded the GDPR. In its report, the Commission finds that personal data transferred from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, continues to be subject to adequate data protection safeguards. Therefore, the adequacy decisions adopted for these 11 countries and territories remain in place and data can continue to flow freely to these jurisdictions.

EDPB publishes OSS case digest on Security of Processing and Data Breach Notification

The European Data Protection Board has published a thematic one-stop-shop case digest on Security of Processing (under Article 32 of the GDPR) and Data Breach Notification (under Articles 33 and 34 of the GDPR). Since the entry into force of the GDPR, data protection authorities have closely cooperated to adopt a growing number of one-stop-shop decisions on data security and data breaches. The case digest offers valuable insights on how regulators have interpreted and applied GDPR provisions in diverse scenarios, such as hacking, ransomware, or accidental data disclosure.

EDPB identifies ways to improve the role and recognition of data protection officers

The EDPB has adopted a report about the findings of its second coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs). It follows an EU-wide coordinated investigation and lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role. Despite some concerns and challenges faced by some DPOs (such as the lack of designation of a DPO, even if mandatory; insufficient resources or expert knowledge for the DPO; DPOs not being fully entrusted with the tasks required under data protection law; lack of independence or of reporting to the highest management), the EDPB says that the results are encouraging. However, there are challenges, and the report encourages DPAs to carry out more awareness-raising activities, information and enforcement actions. The report also encourages organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments.