Online Harms Regulator reporting Bill introduced, jail for National Lottery hacker, new regulation for self-exclusion on betting sites and more in this week’s round-up of techlaw news plus links to more news in depth
Online Harms Reduction Regulator (Report) Bill receives first reading in House of Lords
The Online Harms Reduction Regulator (Report) Bill received its first reading in the House of Lords on 14 January. It assigns certain functions to Ofcom in relation to online harms regulation. In particular, Ofcom would prepare and publish a report containing recommendations for the introduction of an Online Harms Reduction Regulator. Such a report would include recommendations for a duty on online platform service operators operating in the UK to ensure that (a) service users are free from harm arising from the service’s operation or use, and (b) the service is provided so that people who are not users of that service but may be affected by it are not harmed as a result of its operation or use, as far as is reasonably practicable and the harms are reasonably foreseeable. The Bill’s second reading date is yet to be scheduled.
BEUC says EU consumer groups urge immediate investigation into systematic breaches of GDPR by online advertising companies
Consumer groups across Europe are calling for their data protection authorities to open an investigation into practices by online advertising tech companies and bring them into compliance with the GDPR. Following an investigation, the Norwegian consumer organisation Forbrukerrådet has filed several GDPR complaints against the dating app Grindr and five online advertising technology companies. The report provides evidence about how ad-tech companies collect vast amounts of personal data from people using mobile devices, which advertising companies and marketeers then use to target consumers with personalised ads, without a valid legal base and without consumers’ knowledge. Consumer organisations have concerns that consumers have no realistic way to stop or control their data being hoovered up and exploited by the ad-tech industry. In its complaint, Forbrukerrådet asserts that the five ad-tech companies and Grindr do not have a valid legal basis to process and share the personal data that they are receiving. The research from Forbrukerrådet shows how sensitive information about people’s health, their sexual orientation, their location and interests is exploited. Consumers are generally unaware of this data collection and exploitation system. Even if consumers know about it, there is very little they can do to protect themselves. The pervasive tracking and profiling of consumers that is at the heart of the system is at odds with the GDPR. Apart from enabling targeted behavioural advertising, this data collection can lead to exclusion, discrimination, fraud and manipulation. BEUC is asking the EU to take action against the systematic and illegal commercial surveillance enabled by the ad-tech business model.
Cyber criminal jailed over National Lottery hack
A cyber criminal has been jailed for nine months for committing offences against the National Lottery, after a National Crime Agency investigation. The individual was sentenced at Southwark Crown Court after admitting four offences under the Computer Misuse Act 1990 and one fraud charge. He was responsible for using a widely available hacking tool, Sentry MBA, to create a file that launched the attack. In November 2016 the NCA was notified of a cyber attack against customer accounts on the National Lottery – the customer database contained about 9,000,000 records. In July 2018 two other individuals were jailed for using an online application to bombard the victim’s web domain with thousands of attempts to log in to customer accounts.
European Banking Authority issues report on big data and advanced analytics
The European Banking Authority has issued a report on big data and advanced analytics. The report focuses on techniques and tools, such as machine learning, that go beyond traditional business intelligence to gain deeper insights, make predictions or generate recommendations using various types of data from various sources. The aim of the report is to share knowledge among stakeholders on the current use of big data and advanced analytics by providing useful background on this area, along with key observations, and presenting the key pillars and elements of trust that could accompany their use. The key pillars are data management, technological infrastructure, organisation and governance and analytics methodology.
NCSC issues secure communications principles
The National Cyber Security Centre has issued guidance to help assessment of the security of voice, video and messaging communication services. The guidance contains a set of principles that can help all organisations make sound security decisions when selecting the products and services that provide secure communications. It is aimed at risk owners and security professionals who wish to assess communication technologies for their organisations, to help them achieve the right balance of functionality, security and privacy.
Ofcom fines Post Office £175,000 for failure to give disabled customers special tariff for relay services
Following an investigation, Ofcom has issued a Confirmation Decision to Post Office under s96C of the Communications Act 2003 for contravening the rules set out under General Condition C5.9 and former rule GC 15.3. GC C5.9 aims to ensure that people with disabilities can obtain comparable access to voice call services as non-disabled people; that their needs are given sufficient consideration by communication providers and that their access to voice call services is protected when they have a genuine need. Ofcom is satisfied that Post Office contravened the rules by not applying a special tariff scheme to calls made by customers who, because of their disabilities, needed to use relay services. Ofcom considered that several factors made this a serious breach: the potential vulnerability of those consumers affected; the length of time in which Post Office contravened (and, for a period, knowingly contravened) the GC; and the absence of any significant compliance function before 2018 which likely contributed to the breach occurring and/or delayed its identification. The Confirmation Decision imposes a financial penalty of £175,000 on Post Office. The penalty also includes a 30% discount from the penalty that Ofcom would otherwise have imposed due to Post Office’s admissions of liability and its agreement to enter into a settlement.
Online operators must take part in multi-operator self-exclusion scheme GAMSTOP from March
The Gambling Commission has announced that all online gambling operators must participate in the multi-operator self-exclusion scheme GAMSTOP. The scheme that has been developed for the online sector will allow consumers to self-exclude from online operators with one request rather than from each operator individually. With over 200 online operators this will make access to self-exclusion much simpler for those who wish to be prevented from online gambling. In the last two years the Commission has also introduced and strengthened new rules in relation to age verification. This also includes additional online protections and restrictions to play-for-free games, a tightening of rules around gambling advertising, improvements to guidance for the data operators must provide to consumers, and updated guidance on identifying markers of harm. Separately, the Commission has stated that a ban on taking credit cards for gambling will take effect on 14 April 2020, both offline and online.
News in depth on scl.org this week