Irish DPC fines Twitter €450,000, HM Treasury launches call for evidence on VAT and the Sharing Economy, PSA issues notice on country of origin principle, and more in this week’s round-up of techlaw news from the past week.
Irish Data Protection Commission fines Twitter €450,000
The Data Protection Commission (DPC) has announced that it is fining Twitter €450,000. The DPC’s investigation commenced in January 2019 following receipt of a breach notification from Twitter. It has found that Twitter infringed Article 33(1) and 33(5) of the GDPR because it failed to notify the breach on time to the DPC and to adequately document the breach. The DPC says that it has imposed an administrative fine of €450,000 on Twitter, saying it is an effective, proportionate and dissuasive measure. The draft decision in the inquiry was submitted to other concerned supervisory authorities under Article 60 of the GDPR in May 2020. It was the first one to go through the Article 65 (dispute resolution) process since the GDPR was introduced, and was the first Draft Decision in a “big tech” case on which all EU supervisory authorities were consulted as concerned supervisory authorities. The European Data Protection Board has published the Article 65 decision and the final decision on its website.
HM Treasury calls for evidence on VAT and the Sharing Economy
HM Treasury has issued a call for evidence on VAT and the Sharing Economy. It says that the Sharing Economy has empowered individuals and business to connect with consumers and provide services to them on a larger scale than previously possible. Such activity is usually facilitated by digital platforms which can be based anywhere in the world. It creates huge opportunities for the UK’s economy and society through stimulating enterprise and aiding optimal use of scarce resources. However, the government is also aware that it could potentially create certain challenges to the VAT tax base. The aim of the call for evidence is to test the government’s view of the VAT challenges the Sharing Economy creates. The consultation ends on 3 March 2021.
PSA publishes notice on removal of country of origin principle
The Phone-paid Services Authority has issued a notice reminding all providers of phone-paid services that from 1 January 2021, all providers participating in, or wishing to participate in, the provision of phone-paid services to UK consumers must register with the PSA and comply with the Code of Practice regardless of the country in which they are established and services they provide. The new Communications Act (e-Commerce) (EU Exit) Regulations 2020, which come into force 31 December 2020, removes the application of the “country of origin” principle and other requirements of Article 3 of Directive 2000/31/EC from sections 120 to 124 of the Communications Act 2003. These sections govern the regulation of phone-paid services in the UK. In practice, the new regulations do not represent a change for most providers that are active in the UK market. All UK-based companies, companies based outside the EEA, and certain companies established in the EEA already have to comply with the Code of Practice. Most EEA-established companies that currently do not have to comply with the Code are already registered with the PSA on a voluntary basis. However, the requirement to comply with the Code of Practice, including registering with the PSA, becomes mandatory for all EEA-based phone-paid services companies from 1 January 2021 onwards and the PSA will be able to take enforcement action against such companies for non-compliance without first having to allow the EEA state they are established in to take measures.
European Commission presents its plan for green, smart and affordable mobility
The European Commission has presented its ‘Sustainable and Smart Mobility Strategy' along with an Action Plan of 82 initiatives that will guide its work for the next four years. The strategy lays the foundation for how the EU transport system can achieve its green and digital transformation and become more resilient to future crises. As outlined in the European Green Deal, the aim is a 90% cut in emissions by 2050, delivered by a smart, competitive, safe, accessible and affordable transport system. In particular, innovation and digitalisation will shape how passengers and freight move around in the future if the right conditions are put in place. The strategy foresees making connected and automated multimodal mobility a reality – for instance by making it possible for passengers to buy tickets for multimodal journeys and freight to seamlessly switch between transport modes. It also aims to boost innovation and the use of data and AI for smarter mobility – for instance by fully supporting the deployment of drones and unmanned aircraft and further actions to build a European Common Mobility Data Space.
European Commission publishes report on implementation of Damages Directive
The European Commission has published a report on the implementation of the Antitrust Damages Directive which helps citizens and companies claim damages if they are victims of infringements of EU antitrust rules, such as cartels or abuses of dominant market positions. Based on the findings of the report, the Commission has drawn positive conclusions as regards the consistent implementation of its rules. In line with the requirements in the Directive, the report has been sent to the European Parliament and the Council. The report takes stock of the implementation of the rules concerning some of the core rules of the Directive, such as the right to full compensation, disclosure of evidence, evidentiary value of infringement decisions, limitation periods, passing on of overcharges and estimation of harm. The Commission intends to continue to monitor the developments in the member states with a view to reviewing the Directive, once sufficient experience from the application of its rules is available.
Artificial Intelligence: guidelines for military and non-military use
The European Parliament Legal Affairs Committee has adopted guidelines on the use of AI for military purposes and in the health and justice sectors. MEPs call for an EU legal framework with definitions and ethical principles with a key requirement being that AI systems are subject to meaningful human control, allowing humans to correct or disable them in case of unforeseen behaviour. Humans should therefore be identifiable and ultimately held responsible. MEPs agreed that lethal autonomous weapon systems should only be used as a last resort and be deemed lawful only if subject to human control, since it must be humans that decide between life and death. They call on the EU to take a leading role in promoting a global framework on the military use of AI, alongside the UN and the international community. MEPs also say that the increased use of AI systems in public services, especially healthcare and justice, should not replace human contact or lead to discrimination. When AI is used in matters of public health, (eg robot-assisted surgery, smart prostheses, predictive medicine), patients’ personal data must be protected and the principle of equal treatment upheld. Judges use AI technologies more and more in decision-making and to speed up proceedings. However, safeguards need to be introduced to protect the interests of individuals. People should always be informed if they are subject to a decision based on AI and should have the right to see a public official. AI cannot replace humans to pass sentences. Final court decisions must be taken by humans, be strictly verified by a person and be subject to due process. MEPs also warn of threats to fundamental human rights arising from the use of AI technologies in mass surveillance, both in the civil and military domains. They call for a ban on “highly intrusive social scoring applications” (for monitoring and rating of citizens) by public authorities.
ENISA publishes its report on AI Cybersecurity Challenges
The European Union Agency for Cybersecurity (ENISA) has released its Artificial Intelligence Threat Landscape Report, unveiling the major cybersecurity challenges facing the AI ecosystem. AI takes many steps across the supply chain and requires vast amounts of data to function efficiently. The report emphasises the importance of cybersecurity and data protection in every part of the AI ecosystem to create trustworthy technology for end-users. The report covers the definition of AI’s scope in the context of cybersecurity by following a lifecycle approach. It also deals with the ecosystem of AI systems and applications taking into account the different stages of the AI lifecycle - from requirements analysis to deployment. It also includes identification of assets of the AI ecosystem as a fundamental step in pinpointing what needs to be protected and what could possibly go wrong in terms of the security of the AI ecosystem. Further, it considers the mapping of the AI threat landscape by means of a detailed taxonomy. This serves as a baseline for the identification of potential vulnerabilities and attack scenarios for specific use cases. It deals with the classification of threats and listing of relevant threat actors and highlights the impact of threats to different security properties. The report also identifies the challenges and opportunities to deploy secure AI systems and services across the EU. The report highlights the need for more targeted and proportionate security measures to mitigate the identified threats, as well as the need for an in-depth look into AI’s use in sectors such as health, automotive and finance.
Holders of .eu domain names—new Brexit transition guidance from EURid
EURid has issued further guidance on the impact of the UK’s withdrawal from the EU on .eu domain names registered by registrants established or residing in the UK, or by UK citizens residing outside EU/EEA.
As of 1 January 2021, UK undertakings or organisations established in the UK but not in the EU, UK citizens who are not resident of an EU member state or EEA country, and UK residents who are not EU citizens will no longer be eligible to hold a .eu domain name.