CMA responds to EU Digital Services Act consultation, Cloud Industry standard for data transfers, EU report on Code on Disinformation and more in this week’s round-up of techlaw news.
CMA responds to consultations on EU Digital Services Act package and New Competition Tool
Last week we featured BEREC’s response to the EU consultations on the Digital Services Act package (DSA) and the New Competition Tool (NCT). This week, the CMA has published its response supporting the European Commission’s proposals, and saying that it considers them to be a significant step in the right direction. The CMA believes that there should be strong coherence between different regimes internationally, particularly in relation to large platforms acting as gatekeepers. It would therefore be very keen to continue engagement and would be happy to have further discussions in relation to the NCT, given its experience of operating a similar tool in the UK.
Cloud Industry Unites to Create Global Standard for Transfer of Personal Data following ‘Schrems II’ ruling
An addendum to the EU Cloud Code of Conduct has been announced to provide a proposed legal solution for the transfer of personal data outside the EU. The Code defines clear requirements for Cloud Service Providers acting as “processors” under the GDPR and is adopted broadly by the cloud market. The Code was developed collaboratively between the European Commission, represented by DG Connect, and the cloud computing community, including industry. While the official approval of the current Code by the European Data Protection Board is pending, the EU Cloud Code of Conduct General Assembly have announced a new module to the Code for transferring personal data outside of the EU. This follows the Schrems II ruling, which invalidated the Privacy Shield. The EU Cloud Code of Conduct General Assembly invites interested Cloud Service Providers and cloud users to join the initiative and to contribute to the development of the module, thereby shaping the future legal basis to transfer EU citizens’ personal data to third countries around the world.
Coronavirus (Retention of Fingerprints and DNA Profiles in the Interests of National Security) (No 2) Regulations 2020 made
The Coronavirus (Retention of Fingerprints and DNA Profiles in the Interests of National Security) (No 2) Regulations 2020 SI 2020/973 have been made and come into force on 1 October 2020. The Regulations provide for extension of the time limits that apply to the retention of certain fingerprints or DNA profiles. The Regulations apply in respect of fingerprints or DNA profiles that are retained under certain counter-terrorism provisions, or that may otherwise be relevant to the interests of national security.
European Commission evaluates vertical agreements block exemption Regulation 330/2010
The European Commission has published its evaluation of Regulation 330/2010, the vertical agreements block exemption regulation, which will expire on 31 May 2022, and its accompanying Guidelines on vertical restraints. It gathered evidence on the functioning of the VBER, together with the Vertical Guidelines, to decide whether it should lapse, be renewed in its current form, or be revised. Based on the findings of the evaluation, the Commission will launch an impact assessment to look into the policy options to revise the rules to address the issues identified during the evaluation. In particular, the evaluation has shown that the market has changed significantly since the adoption of the VBER and the Vertical Guidelines due to the growth of online sales and of new market players such as online platforms. These developments have led to a number of changes in distribution models, such as increased direct sales by suppliers and a greater use of selective distribution systems, which allow suppliers a tighter control over resale conditions. Similarly, new types of vertical restrictions, such as restrictions regarding sales through online marketplaces and restrictions on online advertising, as well as retail parity clauses, have become more widespread.
EU assesses Code of Practice on Disinformation and publishes platform reports on coronavirus related disinformation
The European Commission has presented the assessment of the implementation and effectiveness of the Code of Practice on Disinformation. The assessment shows that the Code has proven to be valuable and has provided a framework for a structured dialogue between relevant stakeholders to ensure greater transparency of platforms' policies against disinformation within the EU. At the same time, the assessment highlights certain shortcomings, mainly due to the Code's self-regulatory nature. These are: the absence of relevant key performance indicators to assess the effectiveness of platforms' policies to counter disinformation; the lack of clearer procedures, a commonly shared definition and more precise commitments; the lack of access to data allowing for an independent evaluation of emerging trends and threats posed by online disinformation; missing structured cooperation between platforms and the research community; and the need to involve other relevant stakeholders, in particular from the advertising sector.
European Commission proposes interim legislation to enable communications services to continue detecting child sexual abuse online
The Commission has proposed an interim Regulation to ensure that providers of online communications services can continue detecting and reporting child sexual abuse online and removing child sexual abuse material. It says that it is needed because with the full application of the European Electronic Communications Code as from 21 December 2020, certain online communication services, like webmail or messaging services, will fall under the scope of the e-Privacy Directive (2002/58/EC). The Directive does not contain an explicit legal basis for voluntary processing of content or traffic data for the purpose of detecting child sexual abuse online, and providers would have to discontinue their activities unless member states adopted specific national measures. The proposed Regulation provides guarantees to safeguard privacy and protection of personal data. It has a narrow scope limited to allowing current voluntary activities to continue, subject to the GDPR, and data processing will be limited to what is necessary to detect and report suspicious cases. It is now for the European Parliament and the Council to adopt the proposal. The Regulation will remain in force until 31 December 2025.
Government Digital Service issues Data Ethics Framework
The Government Digital Service has issued a Data Ethics Framework to guide appropriate and responsible data use in government and the wider public sector. It helps the public sector understand ethical considerations, address these within their projects, and encourages responsible innovation. The framework is split into overarching principles and specific actions. Overarching principles are applicable throughout the entire process and underpin all actions and all aspects of the project. Specific actions will guide organisations through different stages of the project and provide practical considerations. In addition, the framework provides specific actions organisations can take at each stage of the project to advance transparency, accountability, and fairness.
ICO issues accountability framework
The ICO has issued an accountability framework, a practice tool to help organisations manage their approach to privacy and to understand what good accountability looks like. The tool sets out a framework for compliance which can be tailored to each organisation. Accountability is a key principle of data protection compliance, and the tool sets out ten categories including, among others, leadership and oversight, transparency, and records management and security.