Select Committee inquiry on trade in services, CAP guidance on age restricted ads online, Law Society Q&A on e-signatures and virtual executions and more in this week’s round-up of UK and EU techlaw developments.
New inquiry launched on future of UK-EU relations on trade in services
The House of Lords EU Services Sub-Committee has launched an inquiry into the future of UK-EU relations on trade in services. The inquiry will examine the effects of the provisions set out in the UK-EU Trade and Cooperation Agreement (TCA) on the UK’s services sector. The Committee seeks evidence on various questions such as the impact of the TCA on trade in services and the effect national reservations to the TCA may have on trade in services with the EU. It also considers the effect of arrangements on the mobility of professionals, IP provisions and financial services. The Joint Declaration on Financial Services Regulatory Cooperation provides that both sides seek to establish structured regulatory cooperation on financial services and the Committee asks what form this should take. It also asks about the plans to delegate more powers to financial regulators and what form of Parliamentary oversight of these regulators would be appropriate. Further, it asks for views on the new UK-EU framework for the mutual recognition of professional qualifications as well as commitments on local presence and economic needs tests. It points out that the UK will become an associate member of Horizon Europe but will not associate with the Erasmus+ programme and asks for views on the impact on the UK’s research and education sector and students. It also asks for views on the creative industries sector. Finally, it points out that the EU has granted the UK a data adequacy ‘bridge’ of up to six months to allow the free flow of personal data until the EU determines whether or not to grant a data adequacy decision to the UK. It asks how the absence of a data adequacy decision at the end of this bridging period would affect trade in services and what effect the arrangements agreed will have on digital trade and trade in digital services between the UK and EU. The inquiry ends on 5 February 2021.
CAP issues guidance on age restricted advertisements online
The Committee on Advertising Practice has issued updated guidance on age restricted advertisements online. The UK Code of Non-broadcast Advertising and Direct & Promotional Marketing contains media placement restrictions for products such as alcohol, gambling or e-cigarettes. The updated guidance is for marketers using online media; principally, for programmatic advertising, and paid advertising and organic content appearing on social media and video sharing platforms. It should also be used by affiliates and other third parties acting on a marketer’s behalf in targeting ads (for example, influencers). It supports them in demonstrating that they have taken adequate steps in targeting age-restricted marketing communications to limit children and young people’s exposure to them, satisfying the Advertising Standards Authority that they have complied with the CAP Code. The overarching principle is that age-restricted marketing communications should not be targeted at the protected age category (either under-16s or under-18s depending on the specific rule) “through the selection of media or the context in which they appear”. The guidance is also likely to be helpful for any marketer wishing to restrict the reach of an ad because its content is not suitable for particular age groups (eg because it is scary or sexualized). The guidance covers programmatic ads, organic ads, and considers the ASA’s approach to enforcement.
Law Society issues Q&A on how to use electronic signatures and complete virtual executions
The Law Society has issued a Q&A on how to use electronic signatures and complete virtual executions. It has been drafted by a working group of the Company Law Committee of the Law Society and is focused on electronic signatures in commercial law matters. The purpose of the Q&A is to assist lawyers with some of the practicalities of using an electronic signature in England and Wales, including complying with the decision in R (on the application of Mercury Tax Group and another) v HMRC  EWHC 2721. It does not address the making of statutory declarations, wills or other documents that have formality requirements which mean that electronic signing is not possible. Users of the Q&A should consider what relevant regulators, registries and government bodies might require when completing transactions generally and when executing a document by electronic means and when registering any document.
Biometrics and Forensics Ethics Group publishes note on use of live facial recognition technology
The BFEG was commissioned to advise on the ethical issues in the use of live facial recognition (LFR) technology in collaborations between police forces and private entities. It has now published a briefing note. In gathering evidence, it was clear that the use of biometric recognition technologies (including LFR) in public–private collaborations (P–PCs) is likely to increase. The BFEG working group highlighted several ethical concerns generated by the collaborative use of LFR, including: sharing data and technology; the development of behavioural biometrics for use in LFR; discrimination and bias in the use of LFR; the construction of watchlists; and the effect of using LFR in private spaces used by the public. In the absence of regulation, the working group outlined a number of issues that should be addressed before the setting up of P–PCs in the use of LFR. The working group also made a number of recommendations that should be followed by those involved in P–PCs, including that an independent ethics group should have oversight of the use of LFR by police forces and in P–PCs.
EDPB adopts Guidelines on examples regarding data breach notification
The EDPB has adopted guidelines on examples regarding data breach notification. The guidelines introduce practice-orientated guidance and recommendations. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. The guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities, such as ransomware attacks; data exfiltration attacks; and lost or stolen devices and paper documents. Per case category, the guidelines cover the most typical good or bad practices, provide advice on how risks should be identified and assessed, highlight the factors that should be given particular consideration, as well as set out when the controller should notify the supervisory authority and/or notify the data subjects. The guidelines are currently out for consultation.
EDPB and EDPS adopt joint opinions on new sets of SCCs
The EDPB and EDPS have adopted joint opinions on two sets of standard contractual clauses (SCCs) – one covers the SCCs for contracts between controllers and processors and the other SCCs for the transfer of personal data to third countries. Several amendments were requested to bring more clarity to the text and to ensure its practical usefulness in day-to-day operations of the controllers and processors. These include the interplay between the two documents, the so-called "docking clause" which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggest that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity - any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle. The draft SCCs for the transfer of personal data to third countries under Art. 46 (2) (c) GDPR will replace the existing SCCs for international transfers that were adopted under Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the decision in ‘Schrems II’, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination affect compliance with the clauses, especially if there are binding requests from public authorities for disclosure of personal data. The EDPB and the EDPS invite the Commission to refer to the final version of the EDPB Recommendations on supplementary measures, if the final version of the recommendations is adopted before the Commission’s SCC decision. The draft may still be amended as it is still out for consultation.