Age Appropriate Design Code submitted, cybersecurity for connected cars, EDPB guidelines on data protection by design and by default consultation plus more in this week’s round-up of techlaw news
ICO submits Age Appropriate Design Code of Practice to the UK government
The Information Commissioner has submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State in accordance with the statutory deadline of 23 November 2019. The code will need to be laid in Parliament before it takes effect. There are currently restrictions in place due to the election on 12 December, so the submitted code will not be published until after a new government is formed. Information Commissioner Elizabeth Denham wrote a blog post about the progress of the code in August. The UK government included provisions in section 123 of the Data Protection Act 2018 to create standards that provide proper safeguards for children when they are online. As part of that, the ICO was required to produce a statutory age appropriate design code of practice. The final version of the code follows a consultation carried out by the ICO.
EDPB launches consultation on guidelines on data protection by design and by default
The European Data Protection Board has launched a consultation on its guidelines on data protection by design and by default. The consultation ends on 16 January 2020. The guidance covers the obligation of data protection by design and by default in Article 25 GDPR, where the core obligation is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Controllers must be able to demonstrate the effectiveness of the implemented measures.
ENISA publishes report on cybersecurity for connected cars
ENISA, the European Union Agency for Cybersecurity, has highlighted the importance of cybersecurity for connected cars in a new report. Connected and autonomous vehicles have features which can enhance users’ experiences or improve car safety. However, they can also lead to cyberattacks that can result in vehicle immobilisation, road accidents, financial losses, disclosure of sensitive data and endanger road users’ safety. ENISA’s report aims to identify the emerging threats targeting the smart cars ecosystem as well as the potential security measures and good practices to mitigate them. In particular, the study gathers in a single document security controls collected from relevant published documents and standards, covering the policies, organisational practices and technical aspects. The proposed security controls are mapped against those mentioned in the draft recommendation on cybersecurity of the UN Working Party on Automated/Autonomous and Connected Vehicles.
EUIPO publishes reports on online copyright infringement and IPTV
The European Union Intellectual Property Office has issued a report examining consumption of copyright-infringing content in the 28 EU member states, for TV programmes, music and film, using a variety of desktop and mobile access methods, including streaming, downloading, torrents and ripping software. The report consists of two parts, a descriptive analysis of the trends in consumption of infringing content, and an econometric analysis of the factors that influence differences in piracy rates among the EU member states. The report finds that digital piracy is declining. Between 2017 and 2018, overall access to pirated content declined by 15%. The decline was most pronounced in music, at 32%, followed by film (19%) and TV (8%). However, piracy remains a significant problem, more so in some member states than in others. A number of factors that could influence consumption of pirated content in a given country were examined. These factors included socio-economic variables (income levels, education, inequality, unemployment); demographic variables such as the proportion of young people in the population; variables related to the features of the relevant marketplace, including market size, the extent of the internet infrastructure and the number of legal offers available for the various types of content; and attitudes towards intellectual property infringements. A follow-up study will be carried out in 2020.
They have also published a separate report about illegal IPTV in the EU. The television market has experienced a change from traditional modes of broadcasting by air, satellite and cable to internet-based streaming. This is known as IPTV (internet protocol television) and includes live and on-demand streaming of television content online. Unauthorised delivery of IPTV content is also on the rise. The report estimates EUR 941.7 million of unlawful revenue was generated by copyright infringing IPTV providers in the EU in 2018 and that these services were used by 13.7 million people in the EU. Infringing business models change quickly as they adapt to new technology and business opportunities. The research clarifies the technology used, the complex supply chains and legal issues.
Irish Data Protection Commission issues guidance for organisations engaging cloud service providers
The Irish Data Protection Commission has issued guidance for organisations engaging cloud service providers. The guidance deals specifically with the security of personal data when data controllers use cloud providers. It points out that the GDPR requires personal data to be kept securely. A risk to the security of personal data can arise where a data controller relinquishes control over the data to a cloud service provider, where there is insufficient information available regarding the cloud processing services and their safeguards, or where the cloud provider cannot adequately support the data controller’s obligations or data subjects’ rights. The guidance considers the possible risks as well as transparency requirements. In addition, it considers the location of the data and the terms of a contract between the data controller and the cloud service provider.
Ofcom consults on upgrading broadband customers to superfast and ultrafast products
Ofcom is proposing changes to certain regulations that require Openreach to install new broadband connections within a set period of time. These changes would enable broadband companies to upgrade their customers to faster broadband products more efficiently. Openreach has told Ofcom that its wholesale customers seek a more efficient and cost-effective way to upgrade existing retail customers to higher-speed products. Openreach says that it has worked with providers to develop a new process for upgrades to be made in bulk batches at a street cabinet, reducing the cost per customer. Under this process, Openreach would wait for a sufficient volume of upgrades from a provider at a given cabinet before making those upgrades. Given the potential benefits to broadband customers of using this new bulk upgrade process, Ofcom proposes to exempt these types of orders from certain rules which require them to be installed within a set timeframe. The consultation ends on 23 December 2019.