Draft Communications Act (e-Commerce) (EU Exit) Regulations 2020 laid, ICO finishes investigation about the use of personal data in political campaigning, CMA requests review of Virgin and O2 merger, European parliament reports on AI, PSA annual report, CJEU decision on online sales of medicines and more in this week’s round-up of techlaw news from the past week.
Draft Communications Act (-Commerce) (EU Exit) Regulations 2020 laid
The draft Communications Act (e-Commerce) (EU Exit) Regulations 2020 have been laid before parliament. The Regulations are made under section 8(1) of the European Union (Withdrawal) Act 2018 to address deficiencies in retained EU law arising from the UK’s withdrawal from the EU. Regulation 2 provides that the directly effective provision of Article 3 of the e-Commerce Directive 2000/31/EC, which would have continued to have effect in UK law after the end of the implementation period under section 4(1) of the Act, ceases to have effect from the end of the implementation period in relation to sections 120 to 124 (which cover regulation of premium rate telephone services) and sections 128 to 131 (which deal with persistent misuse of telephone networks) of the Communications Act 2003. The effect is that the “country of origin” principle ceases to have effect and the Communications Act 2003 may be enforced by the enforcement authorities irrespective of the country in which the persons against whom enforcement is taken are established.
ICO ends investigation about the use of personal data in political campaigning
The ICO has ended its investigation into the use of personal data in political campaigning and sent a corresponding letter to the UK parliament. The Information Commissioner Elizabeth Denham has written a blog post about the investigation, during which fines were levied on Vote Leave, Leave.EU, Emma's Diary and Facebook. SCL Elections (Cambridge Analytica) were prosecuted for failing to comply with an enforcement notice. The ICO has also written to the UK parliament with full details about its investigation, providing information about the processing by Cambridge Analytica, the data practices of both Remain and Leave organisations, and about security and data sharing of data and derived data from Facebook. The ICO has plans to publish a report about its audits of the key political parties, and will also be updating its guidance about political campaigning.
CMA requests review of Virgin and O2 merger
The CMA has made a request to the European Commission to refer the proposed merger of Virgin Media and Virgin Mobile with O2 to the CMA for investigation. The proposed merger falls under the remit of the European Commission to review but can, subject to the agreement of the European Commission, be transferred to the CMA. The CMA believes that the case should be transferred given its potential impact on competition in several retail and wholesale telecommunication markets in the UK. The legal requirements for the case to be transferred to the CMA are met, and any effect on competition will be limited solely to UK consumers. While the European Commission has previously highlighted its strong interest in ensuring consistency across different merger cases in the telecommunications sector, the CMA believes that this is not relevant in this case given the imminent end of the transition period following the UK’s exit from the EU. The initial deadline for the European Commission to respond is 19 November 2020. The CMA has liaised closely with the EC on its investigation to date and will continue to do so if the European Commission decides jurisdiction should not be transferred.
European Parliament Legal Affairs Committee adopts three reports on AI
The Legal Affairs Committee of the European Parliament has adopted three reports on specific issues linked to the increased development and use of artificial intelligence systems. The Commission is expected to put forward a legislative proposal on the matter in early 2021. The first report calls for a new legal framework outlining the ethical principles to be used when developing, deploying and using artificial intelligence, robotics and related technologies in the EU, including software, algorithms and data. MEPs also called for a future-oriented civil liability framework to be adapted, making those operating high-risk AI strictly liable if there is damage caused. Finally, MEPs stress that EU global leadership in AI requires an effective intellectual property system and safeguards for the EU’s patent system to protect developers. AI should not have legal personality, and so “inventorship” should be only granted to humans. The report further addressed copyright, protection of trade secrets and the distinction between IPR for the development of AI technologies and IPR potentially granted on creations generated by AI. The vote in plenary is scheduled for the 19-22 October plenary session.
PSA publishes 2019/20 Annual report
The Phone-paid Services Authority (PSA) has published its Annual report for the 2019/20 financial year, which details the PSA’s activities regulating the phone-paid services market. The phone-paid services market grew by 2.4% in the financial year, while assessed complaints dropped from nearly 1,400 per month at the start of the financial year to less than 500 per month by the end. It has also launched a comprehensive review of its regulation so that it is fit for the market and meets the needs and expectations of consumers. It is consulting widely in developing it and plans to launch the new Code of Practice in 2021. Having made this financial year an inclusive employer pledge, it has also reviewed its approach to recruitment and training to encourage greater diversity of thought. Key financial data will be published at a later date.
Court of Justice of the European Union rules on online sales of medicines
The Court of Justice of the European Union has ruled in Case C-649/18 A v Daniel B and Others that a member state of destination of an online sales service relating to medicinal products not subject to medical prescription may not prohibit pharmacies that are established in another member state and sell such products from using paid referencing on search engines and price comparison websites. However, such a member state of destination may, under certain conditions, limit advertising, prohibit promotional offers relating to medicinal products and require that a health questionnaire be included in the process of ordering medicinal products online.
Committee publishes correspondence about regarding UK government’s view of Schrems II and adequacy decisions
The House of Commons European Scrutiny Select Committee has published recent correspondence with the DCMS. This was in response to the Committee's request for information about the the UK Government's view of the Schrems II judgment. The Committee had also requested information about the UK’s aspirations for data adequacy decisions from the EU for both commercial and law enforcement purposes from 1 January 2021. The Committee says it regards its scrutiny role as completed, yet points out that the UK government’s answers have been inconsistent in relation to obtaining a data adequacy decision. The government must continue to update it on various issues of ongoing concern to the UK’s position after transition including adequacy and international data transfers after Schrems.
DCMS issues further guidance on Schrems and international data transfers
The DCMS has published further guidance on using personal data after the Brexit transition period ends. The guidance covers various matters including data protection and GDPR and sets out what information about the transition period, data flows and EU-based representatives as well what they should prepare for from 1 January 2021. The UK government says that it remains confident that an adequacy decision will be reached. However, if this is not the case, the UK will become a third country for the purposes of personal data transfers from the EU at the end of the transition period. The guidance advises UK-based organisations to be prepared to adopt appropriate safeguards to ensure that transfers of data from the EU are legitimate. Most of the countries with adequacy decisions with the EU have indicated to the UK that they will continue to permit unrestricted flows of personal data from January.
EurID issues first Brexit notice to registrants and registrars
EURid has notified all UK registrants and their registrars that as of 1 January 2021 UK registrants will no longer be eligible to hold a .eu domain name unless they demonstrate their compliance with the .eu regulatory framework by updating their registration data before 31 December 2020. Registration data may be updated by indicating a legally established entity in one of the eligible EU member states, or by updating their residence to a EU member state, or proving their citizenship of an EU Member State irrespective of their residence. On 21 December 2020 a second notification will be sent to UK registrants and their registrars.
ICO fines company for sending spam emails selling face masks during pandemic
A company that sent spam emails selling face masks during the pandemic has been fined £40,000 by the ICO and issued with an enforcement notice. A London-based software consultancy sent up to 9,000 unlawful marketing emails to people without their permission and in breach of the Privacy and Electronic Communications Regulations 2003. The ICO also found that after it initially contacted the consultancy, it deleted a database of key evidence which would have shown the full extent of the volume of emails they had sent. It had randomly collected a list of contacts from a number of various sources, including the company director’s LinkedIn and email contacts. The ICO has also issued an enforcement notice ordering the company to stop such activity within 30 days. The company did not provide any evidence to the ICO that it had permission to contact the people on the list, or any accounts for the period covering the activity.
ICO publishes statement on the outcome of the ICO’s compulsory audit of the Department for Education
The ICO has published the outcome of a compulsory audit of the Department for Education DFE carried out in February 2020. The audit found that data protection was not being prioritised and this had severely affected the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority. Throughout the audit process the DfE engaged with the ICO and showed a willingness to learn from and address the issues identified. The DfE accepted all the audit recommendations and is making the necessary changes. The ICO continues to monitor the DfE, reviewing improvements against pre agreed timescales. Enforcement action will follow if progress falls behind the schedule. The ICO carried out the compulsory audit following complaints received in 2019 regarding the National Pupil Database.
European Commission publishes the second set of reports on Code of Practice on Disinformation
The European Commission has published the second set of reports on actions taken by the signatories of the Code of Practice on Disinformation to fight false and misleading coronavirus-related information. The reports show that platforms kept increasing the visibility of authoritative information sources, demoting and removing content violating their updated terms of services and stepped up efforts to block or remove advertising that exploits the crisis. However, more complete, targeted and detailed quantitative data must be provided.