Updated Network and Information Systems guidance, New Cyber Security Council launched, CDEI call for evidence on privacy-enhancing technologies, CMA revised digital markets strategy and more in this week’s round-up of UK and EU techlaw developments.
Ofcom updates Network and Information Systems Guidance
Ofcom has issued updated Network and Information Systems (NIS) Guidance. The NIS Guidance sets out Ofcom’s view of how Operators of Essential Services in the digital infrastructure sector providing critical services to the economy can meet their obligations under the regulations. The updated guidance reflects the changes made in the amended NIS Regulations that came into force on 31 December 2020.
New UK Cyber Security Council to be formally launched on March 31
The government has set up a new independent body with the aim of boosting career opportunities and professional standards for the UK’s booming cyber security sector. The new UK Cyber Security Council will provide a single governing voice for the industry to establish the knowledge, skills and experience required for a range of cyber security jobs, bringing it in line with other professions such as law, medicine and engineering. The Council aims to boost skilled job prospects around the country by giving budding and existing workers a clear roadmap for building a career in cyber security and focus on increasing the number and diversity of people entering the profession. The body will work with training providers to accredit courses and qualifications, and give employers the information and confidence they need to recruit effectively to ensure their cyber capability.
CDEI issues open call for evidence on privacy enhancing technologies
The Centre for Data Ethics and Innovation has issued a call for evidence on the role of privacy enhancing technologies (PETs) in enabling safe, private and trustworthy use of data. In the broadest sense, a PET is any technical method that protects the privacy of personal or sensitive information. It includes relatively simple technologies such as ad-blocking browser extensions as well as encryption infrastructure. Of particular interest to the CDEI is a narrower set of emerging PETs. This is a group of relatively young technologies which are being implemented in an increasing number of real-world projects to help overcome privacy and security challenges. The National Data Strategy calls on the CDEI to work with wider government to explore the role of PETs in enhancing consumer control and confidence, and ensuring trustworthy use of data. The CDEI is now carrying out research that aims to address a number of related research questions: what barriers inhibit more widespread adoption of PETs in the public and private sectors; how the use of PETs affects compliance with data protection regulation; whether there are regulatory ambiguities that require clarification; in what ways PETs could be used for harm and how that can be mitigated; and, where PETs are used beneficially, how this can be effectively communicated to build consumer confidence and public trust.
CMA publishes refreshed Digital Markets Strategy
The Competition and Markets Authority has issued a refreshed version of its Digital Markets Strategy. It sets out its aims and key priorities across its digital markets work, as well as an update on the work completed since its last strategy. The CMA’s overarching ambition is to build and establish the new Digital Markets Unit within the CMA. The strategy includes detail on work to support this aim including work to develop the new pro-competition regulatory framework for digital markets, to establish the new DMU function within the CMA, and to prepare for the proposed regime for firms with Strategic Market Status; consumer and antitrust enforcement, market studies and merger assessment; the work of the Data, Technology, and Analytics Unit; the CMA’s work with Ofcom and the ICO through the Digital Regulation Cooperation Forum to deliver effective, efficient and coherent regulation across digital markets; and the CMA’s international work to strengthen cooperation with competition and consumer authorities overseas across its work on digital markets.
FCA issues report on reducing consumer harm caused by failed technology changes
The FCA has issued a review examining how firms implement technology change, the challenges caused when changes fail, and steps firms can take to protect consumers from harm and disruption in the market. Financial services technology is constantly updated, but when firms implement changes they don’t always go to plan. The coronavirus pandemic has also required change to be implemented quickly, along with new ways of working. Although many changes are successful, the review reveals that failed technology changes are one of the main causes of operational disruption, accounting for a quarter of all high-severity incidents that cause harm to consumers and the market. The FCA found that changes made by firms with strong governance and risk management strategies are more successful, that robust testing is an important part of the change process, and that while testing automation has benefits it also presents challenges. Pairing subject matter expertise with a clear understanding of a firm’s strategy is vital. The FCA says firms must regularly upgrade their IT systems and although changes will not always be implemented without incident, firms can work towards reducing the disruption caused, making themselves and the wider industry more resilient. Although the coronavirus pandemic has caused some delay to planned technology changes and system updates, it is very important for firms to understand how technology change activity can affect the services they provide, and invest in their resilience to protect themselves, consumers and the markets. This is especially important as firms increasingly use remote and flexible working.
European Parliament JURI committee issues report on updating Unfair Terms Directive for digital services
The European Parliament JURI committee has issued a study which analyses common terms in contracts of digital service providers. It indicates when they could significantly distort the balance between the parties’ rights and obligations to the detriment of consumers and should, therefore, fall within the scope of the Unfair Terms Directive 93/13/EEC. Further, the study discusses the particularities of the assessment of online transparency of terms of digital service providers and sanctions they could face if they breach the current consumer protection framework. The report makes recommendations to improve the effectiveness of the framework by introducing a black and grey list of unfair terms, strengthening current sanctions, and introducing new obligations for digital service providers.
ENISA publishes report on pseudonymisation for Personal Data Protection
The European Union Agency for Cybersecurity (ENISA) has issued a report on pseudonymisation for personal data protection providing a technical analysis of cybersecurity measures in personal data protection and privacy. It builds on previous work on pseudonymisation techniques and best practices by exploring further, advanced pseudonymisation techniques and specific use cases in areas like healthcare and information sharing in cybersecurity. The GDPR references pseudonymisation as a security and data protection by design mechanism. Although the deployment and proper application of data pseudonymisation techniques have become highly debated, the overall context of the processing is considered as an important aspect for implementation. Therefore, pseudonymisation should be combined with a thorough security and data protection risk assessment. As there is no one-size-fits-all pseudonymisation technique, a high level of competence is needed to reduce threats and maintain efficiency in processing pseudonymised data across different scenarios. The ENISA report aims to support data controllers and processors in implementing pseudonymisation by providing possible techniques and use cases that could fit different scenarios. The report emphasises the need to take steps that include the following: analysing each case of personal data processing to determine the most suitable technical option in relation to pseudonymisation; taking an in-depth look into the context of personal data processing before data pseudonymisation is applied; continually analysing the state of the art in the field of data pseudonymisation, as new research and business models break new ground; developing advanced pseudonymisation scenarios for more complex cases, for example when the risks of personal data processing are deemed to be high; and holding further discussion on the broader adoption of data pseudonymisation at EU and national level alike.
ENISA publishes update on Cybersecurity Certification
Following a request by the European Commission, ENISA is going to prepare the new candidate cybersecurity certification scheme on 5G. This follows the EU toolbox for 5G security and it is expected to enhance the cybersecurity of 5G networks as it contributes to addressing certain risks, as part of a broader risk mitigation strategy. To this effect, a cybersecurity certification scheme on 5G will be based on provisions already available by means of existing cybersecurity certification schemes as well as experience already acquired since ENISA started engaging in cybersecurity certification. The European Cybersecurity Certification Group, the NIS Cooperation Group Work Stream and its subgroup on 5G standardisation and certification will be informed of the planning and progress and will be given many opportunities to participate. Experts in 5G will be invited to be involved via the ad hoc working group that ENISA will establish for the scheme development.
EU 'SEPs Expert Group' releases report
The European Commission set up a Standard Essential Patents expert group in July 2018. The main task of the expert group was to provide the Commission with economic, legal and technical expertise and to assist the Commission to inform policy measures that it may take to ensure a balanced framework for smooth, efficient and effective licensing of SEPs. The group has analysed how SEP licensing is evolving with the use of SEP-based standards, notably in the Internet of Things. The expert group has now published a very long report with its findings and proposals for the future framework for SEPs licensing and valuation.