ICO response to extended transition period for cross-border data flows, consultation on online promotions of HFSS foods, Parliamentary committee reports on AI and on 5G and more in this week’s round-up of UK and EU techlaw developments.
ICO responds to extended transition for cross-border data flows
The ICO has issued a statement on the UK government’s announcement on personal data flows with effect from 1 January 2021. The government has announced that the EU-UK trade agreement will allow personal data to flow freely from the EU and EEA to the UK, until adequacy decisions have been adopted, for no more than six months. This will enable businesses and public bodies across all sectors to continue to freely receive data from the EU and EEA, including law enforcement agencies. As a sensible precaution, during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data. As the ICO has previously announced, the UK has, on a transitional basis, deemed the EU and EEA EFTA states to be adequate to allow for data flows from the UK.
UK government issues consultation on preventing online promotions of foods high in fat, sugar and salt
The UK government is consulting on preventing promotions of HFSS foods, including online from April 2022. It seeks views on how compliance should be investigated, on penalties that could be administered in instances of non-compliance, and on its draft regulations. The draft regulations provide that HFSS foods may not be promoted in certain areas of retailers’ websites, including entry pages of a retailer’s website or grocery page; landing pages when a customer is browsing other categories of food; and pages where customers view their shopping basket or proceed to payment. The consultation runs for eight weeks.
House of Lords Liaison Committee issues report on artificial intelligence
The House of Lords Liaison Committee has published a report examining the progress made by the UK government in the implementation of the recommendations made by the Select Committee on Artificial Intelligence in its report published in 2018. The committee concludes the government needs to better coordinate its AI policy and the use of data and technology by national and local government. It says that there is a clear consensus that ethical AI is the only sustainable way forward. The time has come for the government to move from deciding what the ethics are, to how to instil them in the development and deployment of AI systems. The increase in reliance on technology caused by the pandemic has highlighted the opportunities and risks associated with the use of technology, and in particular, data. The government must explain to the general public the use of their personal data by AI. It should take immediate steps to appoint a Chief Data Officer, whose responsibilities should include acting as a champion for the opportunities presented by AI in the public service, and ensuring that understanding and use of AI, and the safe and principled use of public data, are embedded across the public service. A problem also remains with the general digital skills base in the UK so training should be offered on digital skills, as well as to ensure that people have the opportunity to reskill and retrain to be able to adapt to the evolving labour market caused by AI. AI will become embedded in everything we do. It will not necessarily make huge numbers of people redundant, but when the pandemic recedes and the Government has to address the economic impact of it, the nature of work will change and there will be a need for different jobs and skills. This will be complemented by opportunities for AI, and the Government and industry must be ready to ensure that retraining opportunities take account of this.
In particular the AI Council should identify the industries most at risk, and the skills gaps in those industries. A specific national training scheme should be designed to support people to work alongside AI and automation, and to be able to maximise its potential.
House of Commons Digital, Culture, Media and Sport Committee issues report on 5G
The House of Commons DCMS committee has issued its inquiry report on 5G. It launched its inquiry in the expectation that, with only five years to deliver the Government’s manifesto commitment of nationwide gigabit-capable broadband by 2025, 2020 was going to be a year of big policy and infrastructure announcements. Although the committee recognises that the pandemic put enormous pressure on public finances, it was “nonetheless a surprise” when the government abandoned its commitment to nationwide gigabit-capable broadband by 2025 in the National Infrastructure Strategy, and set out, in the Spending Review, plans to distribute only 25% of the £5 billion it had committed for gigabit-capable broadband. Even meeting the revised target will be a challenge, as it still requires industry to roll out infrastructure at considerable pace. The Government’s target for majority 5G coverage by 2027 is equally ambitious, especially following the rulings on the use of equipment by high risk vendors. There is a risk that industry’s roll-out of 5G technology will repeat the legacy of mobile ‘not-spots’. The government must clarify its plans for delivering its targets, provide updates on progress and explain what the severe reduction in funding for infrastructure will mean and when it expects the remaining 15% of premises to be served with gigabit-capable broadband. Consumers and businesses also need persuading to upgrade to full-fibre and 5G technology. Issues around pricing and the switch-off of copper services are addressed. Both the government and Ofcom need to address the causes of costs and delays to the infrastructure roll-out. DCMS must finalise and launch the contracts for delivering infrastructure to hard-to-reach properties as soon as possible. As it finalises its regulation of the wholesale fixed telecoms market, Ofcom must also address concerns about competition and Openreach’s market dominance.
The scale of the government’s legislative measures does not match the scale of its ambition for gigabit connectivity. The government must reform the wayleave regime for telecommunications infrastructure to address issues with unresponsive and/or uncooperative landlords and urgently address the lack of sufficient skilled engineers to complete the work.
Unmanned Aircraft (Amendment) (EU Exit) Regulations 2020 made
The Unmanned Aircraft (Amendment) (EU Exit) Regulations 2020 SI 2020/1593 have been made. Regulations 1 to 85 of the Regulations are made under sections 8(1) and 23(1) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018 to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(a), (b), (c), (d) and (g)) arising from the withdrawal of the UK from the EU. The Regulations make amendments to the legislative framework for unmanned aircraft. The majority of the amendments concern two EU Regulations. Regulations 2 to 58 amend Delegated Regulation (EU) 2019/945 (on unmanned aircraft systems and on third-country operators of unmanned aircraft systems). Regulations 59 to 84 amend Implementing Regulation (EU) 2019/947 (on the rules and procedures for the operation of unmanned aircraft). Regulation 85 makes minor amendments to the Air Navigation Order 2016 (SI 2016/765) to remove references to the European Aviation Safety Agency (EASA). Regulation 86 makes consequential provision in exercise of the power in section 41(1) of the European Union (Withdrawal Agreement) Act 2020. It replaces references to “exit day” in regulation 10 of the Operation of Air Services (Amendment etc.) (EU Exit) Regulations 2019 with references to “IP completion day”.
Audiovisual Media Services (Amendment) (EU Exit) Regulations 2020 made
The Audiovisual Media Services (Amendment) (EU Exit) Regulations 2020 SI 2020/1536 have been made. These Regulations are also made under section 8 of the European Union (Withdrawal) Act 2018. Regulation 4 remedies a deficiency in the determination of UK jurisdiction with regard to video-sharing platform services after IP completion day (31st December 2020). It sets out how jurisdiction is to be determined after that time. Regulation 5 substitutes “IP completion day” for various references to “exit day” in the Broadcasting (Amendment) (EU Exit) Regulations 2019 (S.I. 2019/24). This will ensure that the provisions in the existing regulations will take effect by reference to IP completion day rather than exit day.
Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 made
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 SI 2020/1586 have been made. These Regulations make amendments to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (“the 2019 Regulations”). The 2019 Regulations amend legislation in relation to the regulation of the processing of personal data, in particular relating to the UK leaving the EU. They are made under section 8(1) of the European Union (Withdrawal) Act 2018. Regulations 3 to 6 amend a number of references to exit day in the 2019 Regulations to instead refer to IP completion day. Paragraph (4)(e)(ii) of regulation 5 amends the 2019 Regulations following the adequacy decision made by the European Commission in relation to Japan and the declaration by the Court of Justice of the European Union in the Schrems case that the Privacy Shield decision is invalid. Paragraph (4)(g)(iv) of regulation 5 amends the 2019 Regulations to enable binding corporate rules that pre-date the GDPR and were authorised other than by the ICO to continue to be relied on in certain circumstances. Paragraph (4)(i)(i) of regulation 5 amends the 2019 Regulations to reflect the obligation of Iceland, Liechtenstein, Norway (as EEA states) and Switzerland to implement Directive (EU) 2016/680 of the European Parliament and of the Council. Paragraph (2) of regulation 6 amends the 2019 Regulations to revoke retained direct EU legislation. Regulation 7 revokes the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019 (S.I. 2019/485), which previously amended the 2019 Regulations but are not yet in force and are now redundant following the Schrems decision.
CMA investigates NVIDIA’s takeover of Arm
The CMA is requesting views on the effect that NVIDIA’s takeover of Arm could have on competition in the UK, before the CMA’s formal investigation starts later this year. US-based chip designer and producer NVIDIA Corporation plans to purchase the Intellectual Property Group business of UK-based Arm Limited in a deal worth $40 billion. Arm develops and licenses intellectual property and software tools for chip designs. The products and services supplied by the companies support a wide range of applications used by businesses and consumers across the UK, including desktop computers and mobile devices, game consoles and vehicle computer systems. The CMA will look at the deal’s possible effect on competition in the UK. The CMA is likely to consider whether, following the takeover, Arm has an incentive to withdraw, raise prices or reduce the quality of its IP licensing services to NVIDIA’s rivals. Comments are requested by 27 January 2021.
AI Council issues report on AI strategy
The AI Council has issued a report on AI strategy. The report sets out long-term ambitions and suggests near-term directions for all government departments, with the aim of cementing the UK as a key place to live with, work with and develop AI. The report has two underlying messages. The first is that we need to “double down” on recent investment the UK has made in AI. The second message is that we must look to the horizon and be adaptable to disruption. Support for AI needs to reflect the rapid pace and evolution of the science and technology and its applications. This means staying at the forefront of the development of AI and integrating approaches to ethics, security and social impacts and planning for the next 10-50 years. The UK will only feel the full benefits of AI if all parts of society have full confidence in the science and the technologies, and in the governance and regulation that enable them. That confidence will depend on the existence of systems that ensure full accountability, clear ethics and transparency. The report sets out suggested directions across three pillars: Research, Development & Innovation; Skills & Diversity, and Data, Infrastructure & Public Trust. It also addresses some specific measures to support adoption and the key areas of health, climate and defence.
PSA fines company £885,000 for sending text messages without consent
The Phone-paid Services Authority (PSA) has fined a company £885,000 and banned it from the market for three years after it committed eight breaches of the PSA Code of Practice. TCS Combined Solutions Ltd ran a subscription service called ‘DiscountMeDirect’ which operated at two different price points: a maximum of two £2.50 messages per week on one shortcode, or a maximum of three £1.50 messages per week on other shortcodes. TCS failed to obtain consumer consent from all subscribers before sending chargeable texts containing voucher alerts and discount codes. Following an oral hearing, the Tribunal found the breaches to be very serious. These breaches included failing to get consent to charge some consumers and failing to send spend reminders. The Tribunal reprimanded TCS, issued a fine of £885,000 and banned the company from the market for three years. It also ordered TCS to refund all customers who claim a refund.
Law Society responds to Law Commission consultation on communications offences
In September 2020, the Law Commission made a number of proposals for reform of the criminal law concerning communications offences, to ensure that the law is clearer and effectively targets serious harm and criminality arising from online abuse. This is balanced with the need to better protect the right to freedom of expression. The Law Society has published its response, agreeing on the case for reform. It agrees that the law relating to communications offences needs to be updated to reflect the way in which people communicate in the twenty-first century. However, the Law Society has stressed the importance of respecting fundamental rights such as freedom of expression and privacy. To comply with the rule of law the new criminal offences must be clear and certain, so that individuals know precisely what conduct and communications are permitted and what will constitute a criminal offence. The Law Society also raised some concerns as to the definitions contained in the proposed new offence, and the mental element proposed, which is broad, unconventional and potentially vague in meaning. It suggested, given the subject matter of the new offence, that the need to respect human rights be explicitly set out in the legislation creating the offence.
Irish DPC consults on guidance on a “Child-Oriented Approach to Data Processing”
The Irish Data Protection Commission has launched a consultation on The Fundamentals for a Child-Oriented Approach to Data Processing. The guidance has been drawn up by the DPC with the aim of improving standards of data processing. The Fundamentals introduce child-specific data protection interpretative principles and recommend measures that aim to enhance the level of protection afforded to children against the data processing risks posed to them by their use of/access to services in both an online and offline world. In tandem, the Fundamentals will assist organisations that process children’s data by clarifying the principles, arising from the high-level obligations under the GDPR, to which the DPC expects such organisations to adhere. The consultation ends on 31 March 2021.
ENISA launches consultation on cloud certification scheme
ENISA has launched a consultation on a new draft candidate cybersecurity certification scheme in a move to enhance trust in cloud services across Europe. The scheme aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees. The draft scheme intends to harmonise the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU member states. There are challenges to the certification of cloud services, such as a diverse set of market players, complex systems and a constantly evolving landscape of cloud services, as well as the existence of different schemes in member states. The draft EUCS candidate scheme tackles these challenges by calling for cybersecurity best practices across three levels of assurance and by allowing for a transition from current national schemes in the EU. The draft scheme is a horizontal and technological scheme that intends to provide cybersecurity assurance throughout the cloud supply chain, and form a sound basis for sectoral schemes. The consultation ends on 7 February 2021.
Advocate General issues opinion that electronically supplied software is ‘sale’ of ‘goods’ under the Commercial Agents Directive
Advocate General (AG) Tanchev has given an opinion in the case of The Software Incubator Ltd v Computer Associates UK Ltd that the electronic supply of computer software, which was licensed for an unlimited period in return for a fee being paid, was a ‘sale’ of ‘goods’ under the Commercial Agents Directive (86/653/EEC). The AG argued that an interpretation of ‘goods’ which applied to tangible and intangible items ‘is consonant with the objectives pursued’ by the Commercial Agents Directive; and the restriction of the concept of ‘goods’ to tangible items would have the effect of failing to protect commercial agents who negotiate the sale of the same item supplied in intangible form.
New Directives on cybersecurity and resilience of critical entities proposed by EU
The EU has proposed a new EU Cybersecurity Strategy. The aim of the new strategy is to improve Europe's collective resilience against cyber threats and help to ensure that all individuals and businesses can fully benefit from trustworthy and reliable services and digital tools. It also foresees the EU taking a bigger role in relation to international norms and standards in cyberspace. Furthermore, the Commission is making regulatory proposals to address both cyber and physical resilience of critical entities and networks: a Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2’); and a new Directive on the resilience of critical entities. They cover a wide range of sectors and aim to address current and future online and offline risks, from cyberattacks to crime or natural disasters, in a coherent and complementary way.