Ofcom consultation on video-sharing, Article 28 data processing clauses published, CMA fines ComparetheMarket, Virgin/O2 deal review referred to CMA, National Security and Infrastructure Bill, ENISA guidelines, EDPS Opinions and CMA merger guidelines in this week’s round-up of techlaw news.
Ofcom consults on video-sharing platforms – who needs to notify to Ofcom?
Ofcom is consulting on draft guidance to help providers to self-assess whether they need to notify to Ofcom as UK-established video-sharing platforms, under new statutory rules. Video-sharing platforms (VSPs) are a type of online video service which allow users to upload and share videos with the public. Under the new VSP regulations, there are specific legal criteria which determine whether a service meets the definition of a VSP, and whether it falls within UK jurisdiction. Platforms must self-assess whether they meet these criteria. Those that do will be formally required to notify to Ofcom between 6 April and 6 May 2021. Ofcom’s proposed guidance aims to help video-sharing platforms to make this assessment. The consultation ends on 14 January 2021. Ofcom expects to publish its final guidance before the notification window opens next year.
European Commission publishes new Article 28 data processing clauses for feedback
The European Commission has published standard contractual clauses between controllers and processors under Article 28 of the GDPR. This follows the publication of the standard contractual clauses for the transfer of personal data to third countries. Article 28 provides that a contract between a controller and a processor must be in place which sets out various obligations and information. It also allows the Commission to adopt standard contractual clauses, even though the parties may also negotiate individual terms. The new clauses apply where both parties are subject to the GDPR. The clauses need the EDPB and EDPS to provide opinions, as well as consultation with the member states before taking effect. They will also apply to EU institutions under the Institution's Data Protection Regulation. If the clauses take effect before the Brexit transition period ends, they could be adopted by the Information Commissioner to apply in the UK under the UK retained GDPR. They are open for feedback until 10 December 2020.
CMA fines ComparetheMarket £17.9 million for anti-competitive behaviour
The CMA has fined ComparetheMarket £17.9 million after it found that clauses used in the company’s contracts with home insurers breached competition law. The CMA’s investigation concluded that, between December 2015 and December 2017, the price comparison website ComparetheMarket breached competition law by imposing wide ‘most favoured nation’ clauses on providers of home insurance selling through its platform. These clauses prohibited the home insurers from offering lower prices on other comparison websites and protected ComparetheMarket from being undercut elsewhere. They also made it harder for ComparetheMarket’s rivals to expand and challenge the company’s already strong market position as other price comparison websites were restricted from beating it on price. As a result, competition between price comparison websites, and between home insurers selling through these platforms, was restricted. The CMA found that this is likely to have resulted in higher insurance premiums. The investigation follows on from the CMA’s market study into digital comparison tools.
European Commission refers review of Virgin and O2 deal to CMA
Following a request from the CMA, the European Commission has referred the proposed merger of Virgin Media and Virgin Mobile with O2 to the CMA for investigation. Following the announcement of the deal on 7 May 2020, the CMA publicly indicated that it would make a formal request to the European Commission to review the proposed merger, because of its potential impact on competition in several retail and wholesale telecommunication markets in the UK. The CMA made its formal request for the case to be transferred on 8 October 2020, shortly after the opening of the Commission’s investigation. That request has been accepted by the Commission and the case will be transferred for the CMA’s formal investigation to begin immediately. Virgin and O2 have asked the CMA to move quickly to the in-depth Phase 2 stage of its review through a ‘fast-track’ process. The CMA is now inviting views by 26 November on how the merger could affect competition, and on the companies’ request for a fast track process.
National Security and Infrastructure Bill receives second reading
The National Security and Infrastructure Bill has received its second reading in the House of Commons. The Bill aims to introduce a new regime for reviewing and intervening in business transactions, such as takeovers, that might raise national security concerns. It would enable the Secretary of State to “call in” acquisitions of sensitive entities and assets (“trigger events”) to undertake a national security assessment. This can happen up to five years after a trigger event has taken place. It would also: establish a requirement for proposed acquirers of sensitive entities and assets to seek authorisation and to obtain approval from the Secretary of State before completing their acquisition; create a voluntary notification system to encourage notifications from parties who consider that their trigger event may raise national security concerns; and create a power to impose remedies to address risks to national security, sanctions for non-compliance with the regime and mechanisms for legal challenge. The Bill would extend to all of the UK. Its provisions would come into effect from 12 November 2020. The CMA is currently responsible for investigating national security concerns through a wider process for reviewing “relevant merger situations” that might give rise to public interest considerations. Concerns have grown about the effectiveness of the current regime in managing the national security risks arising from investment in, or control of, companies and assets in a range of sectors. Technological developments have further widened the potential scope of national security concerns to include data and intellectual property.
ENISA Publishes Guidelines on Securing the IoT Supply Chain
The European Union Agency for Cybersecurity (ENISA) has issued Guidelines for Securing the IoT – Secure Supply Chain for IoT. The guidance focuses on the actual processes of the supply chain used to develop IoT products. Supply chains are currently facing a broad range of threats, both physical and cybersecurity-related. As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed. ENISA has conducted a survey that identifies the existence of untrusted third-party components and vendors, and the vulnerability management of third-party components, as the two main threats to the IoT supply chain. ENISA has worked with IoT experts to create specific security guidelines for the whole lifespan of IoT devices. To help tackle the complexity of IoT, the guidelines focus on bringing together the key organisations in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security by design principles.
EDPS issues opinion on combatting child abuse online
The European Data Protection Supervisor has issued an opinion on the European Commission’s plans to combat child abuse online. In September, the Commission published a Proposal to derogate from certain provisions of the ePrivacy Directive 2002/58/EC. The derogation concerns Articles 5(1) and 6 of the ePrivacy Directive on processing personal data in connection with the provision of ‘number-independent interpersonal communications services’ necessary for the use of technology for the sole purpose of removing child sexual abuse material and detecting or reporting child sexual abuse online to authorities. The EDPS notes that this would interfere with the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging. Confidentiality of communications is a cornerstone of the fundamental rights to respect for private and family life. Even voluntary measures by private companies constitute an interference with these rights when the measures involve the monitoring and analysis of the content of communications and processing of personal data. The EDPS emphasises that the Proposal will inevitably serve as a precedent for future legislation in this field. Therefore it should not be adopted, even temporarily, until all the necessary safeguards set out in the Opinion are integrated. In particular, in the interest of legal certainty, the EDPS considers that it is necessary to clarify whether the Proposal itself is intended to provide a legal basis for the processing under the GDPR, or not. If not, it needs to state which legal basis under the GDPR would apply. Guidance by data protection authorities cannot substitute for compliance with the requirement of legality. The proposed derogation must comply with the requirements of Article 15(1).
In addition, the legislation must set out clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards. Finally, the EDPS says the proposed five-year period does not appear proportional given the absence of both a prior demonstration of the proportionality of the envisaged measure and the inclusion of sufficient safeguards in the text. The validity of any transitional measure should not exceed two years.
EDPS issues Opinion on European Health Data Space
The EDPS has also issued an Opinion on the European Health Data Space. On 19 February 2020, the European Commission issued a Communication on a European data strategy. This envisages a European Health Data Space (‘EHDS’) for the prevention, detection and cure of diseases as well as to take evidence-based decisions and to enhance effectiveness, accessibility and sustainability of the healthcare systems. The EDPS emphasises the necessity for data protection safeguards to be defined at the outset of the creation of the EHDS. The EDPS says there needs to be a thought-through legal basis for the processing operations under the EHDS under Article 6(1) GDPR and it must comply with Article 9 GDPR for the processing of special categories of data. Further, the EDPS highlights that due to the sensitivity of the data to be processed within the EHDS, the boundaries of what constitutes a lawful processing and a compatible further processing of the data must be transparent and publicly available to enhance public trust in the EHDS. The Commission should clarify the roles and responsibilities of the parties involved and identify clearly the precise categories of data to be made available to the EHDS. Further, member states should establish mechanisms to assess the validity and quality of the sources of the data. The EDPS emphasises the importance of vesting the EHDS with a comprehensive security infrastructure, including both organisational and state-of-the-art technical security measures to protect the data fed into the EHDS. Data protection impact assessments may assist in deciding the risks of the processing operations and the mitigation measures that should be adopted. The EDPS recommends paying special attention to the ethical use of data, taking into account existing ethics committees and their role in the context of national legislation. 
The success of the EHDS will depend on the establishment of a strong data governance mechanism which should regulate, at least, the entities that will be allowed to make data available to the EHDS, the EHDS users, the member states’ national contact points/permit authorities, and the role of data protection authorities.
Consultation launched on CMA Merger Assessment Guidelines
The CMA is consulting on updated guidelines about its approach to analysing mergers. The updated guidelines aim to ensure that the CMA protects consumers through its merger enforcement work as well as helping companies and their advisers to assess whether competition concerns might be raised by the CMA before they enter into a deal or purchase. The CMA’s current merger assessment guidelines were published in 2010. Since then, markets have evolved and changed at a rapid pace, often making the act of assessing mergers more complex. The rise of digital technologies has also significantly changed the way that consumers behave and how businesses compete with one another. The new guidance follows the Furman Review on how the CMA should approach its assessment of digital mergers; for example, an increased focus on the potential for future competition, and considering innovation and other non-price related effects when assessing whether there is likely to be a substantial lessening of competition. This will reflect the CMA’s recent case experience and improve its merger enforcement within the existing legal framework. The consultation ends on 8 January 2021.