High Court decision on databases, Citizens’ Biometrics Council report , ICO issues guidance on national security, Ofcom and PSA plans of work, CMA says Facebook’s purchase of Giphy raises competition concerns, but clears Uber/Autocab deal; and more in this week’s round-up of UK, Irish and EU techlaw developments.
High Court dismisses claim for infringement of claims management database
In the case of DRSP Holdings Ltd and another v O'Connor and others  EWHC 626 (Ch), the High Court has dismissed claims for infringement of database right in a claims management database. The case considered the application of the Copyright and Rights in Databases Regulations 1997 (SI 1997/3032). The court acknowledged that database right subsisted in the database because there had been substantial investment in obtaining, verifying and presenting the contents. There had also been extraction of a substantial part of it. However, the claimants had consented to the extraction. The court also dismissed related claims for misuse of confidential information and breach of fiduciary duty. The case is also of interest for tech dispute lawyers due to the comments the judge made about its process, as well as the reliability of the witnesses.
Ada Lovelace Institute publishes Citizens’ Biometrics Council report
The Ada Lovelace Institute has published a Citizens’ Biometrics Council report. In 2019, the Ada Lovelace Institute called for a moratorium on facial recognition, arguing for a halt on its use until the societal, ethical and legal conditions for the responsible use of emerging biometric technologies were established. In 2020, it set up the Citizens’ Biometrics Council in 2020 to deliberate on the use of biometric technologies, bringing what it says were much-needed public perspectives to the debate about technologies such as facial recognition, voice recognition, digital fingerprinting and other technology. The Council’s recommendations focus on three issues: developing more comprehensive legislation and regulation for biometric technologies; establishing an independent, authoritative body to provide robust oversight; and ensuring minimum standards for the design and deployment of biometric technologies. The Ada Lovelace Institute has also commissioned an independent legal review of the governance of biometric data in the UK, led by Matthew Ryder QC, which is due to report in spring 2021. The legal review will provide detailed analysis of the current state of the law concerning the governance of biometric data, and recommendations for legislative changes required to provide greater oversight of the technology.
ICO publishes detailed guidance on national security and defence exemption
The ICO has published new guidance which highlights how the national security and defence exemption under section 26 of the Data Protection Act 2018 applies. To safeguard national security or for defence purposes there is an exemption set out in section 26 of the DPA 2018. It is capable of exempting personal data from most of the data protection principles and obligations, and individuals’ rights, where this is required to safeguard national security or for defence purposes. It is not a blanket exemption. Organisations must be able to show that the exemption from specified data protection standards is required for the purposes of safeguarding national security. There is no exemption from the requirement to process lawfully. The guidance only considers the national security aspects of the exemption. In the future, the ICO will develop additional content on the defence aspects of the exemption, and will publish an amended version of the guidance in due course.
Facebook’s purchase of Giphy raises competition concerns
The CMA has found that Facebook’s completed acquisition of Giphy raises competition concerns in relation to digital advertising and the supply of GIFs. Giphy is an online database and search engine that allows users to share GIFs and stickers either via Giphy’s website or app, or through online platforms such as Facebook, Instagram, Twitter, and Snapchat. In May 2020, Facebook announced that it had acquired Giphy. Before the deal, Giphy competed with Facebook outside the UK in digital advertising through paid partnerships with brands, such as Pepsi and Dunkin’ Donuts. The CMA has found evidence that Giphy had planned to expand its digital advertising partnerships to other countries, including the UK. If Giphy and Facebook remain merged, Giphy could have less incentive to expand its digital advertising, leading to a loss of potential competition in this market. This is particularly concerning given Facebook’s existing market power in display advertising. In July 2020, the CMA found that Facebook has a share of over 50% of the £5.5 billion display advertising market. The CMA also found that the deal could harm rival social media platforms, as it could mean Giphy would stop supplying GIFs to these companies or do so on worse terms – for example, requiring rivals to provide more user data to the merged entity to access Giphy GIFs. This could potentially lead to reduced choice for users and further increase Facebook’s market power in relation to social media.
CMA clears Uber and Autocab deal
The CMA has announced that it has cleared Uber’s purchase of Autocab, following a Phase 1 merger investigation. The CMA opened its Phase 1 merger investigation into ride-hailing company Uber’s acquisition of GPC Software Limited (Autocab) in January 2021. Autocab supplies booking and dispatch technology software (BDT) to taxi companies. It also operates a referral network for taxi and private hire operators called iGo, where those companies can send and receive jobs to each other. The investigation considered the deal’s possible effect on competition in the supply of BDT, as well as referral networks, and any potential impact of the merger on taxi companies who are Autocab’s current BDT customers. After thorough scrutiny, the CMA has found that there is only limited indirect competition between Uber and Autocab, and the CMA did not find evidence to indicate that Autocab was likely to become a significant and more direct competitor to Uber in the future. The CMA also considered whether Autocab and Uber could try to put Autocab’s taxi company customers that compete against Uber at a disadvantage by reducing the quality of the BDT software sold to them, or by forcing them to pass on data to Uber. However, the CMA found that there are other credible suppliers of BDT and referral networks that these taxi companies could switch to if Uber were to reduce the quality of the Autocab service or force them to share their data.
Ofcom publishes its Plan of Work for 2021–2022
Ofcom has published its Plan of Work for 2021/22, outlining its priorities for the next twelve months. High-quality, reliable communications services have been more important than ever throughout the past year. These services will continue to be an essential part of people’s lives as the UK emerges from the coronavirus pandemic, and for years to come. Ofcom’s strategic priorities are investment in strong, secure networks, getting everyone connected, fairness for customers, supporting and developing UK broadcasting, and preparing to regulate online harms. It is also strengthening Ofcom for the future and developing international partnerships. As part of Ofcom’s preparations for taking on new online safety responsibilities, it has also announced plans to open a new digital and technology hub in Manchester.
PSA launches 2021/22 business plan and says key priority is a new Code of Practice
The Phone-paid Services Authority (PSA) has published its business plan and budget for 2021/22, and its final statement. The plan and budget have been approved by Ofcom, following public consultation. The business plan sets out the PSA’s key priority for the year: developing and beginning to implement a new Code of Practice. The new Code will introduce standards in place of outcomes, focus on the prevention of harm rather than cure and be simpler to implement and comply with.
IPO publishes online copyright infringement tracker survey
The Intellectual Property Office has published its tenth wave of a large-scale consumer tracking survey covering the behaviours and attitudes for the use of online digital content. It continues work originally commissioned by Ofcom and sponsored by the IPO in 2012. The study is conducted annually to ensure that the IPO can monitor the impact of new online platforms on infringement behaviours. In summary, consumption (downloading or streaming content online) was consistent across a number of categories compared to last year. There were some key differences which included a decline in the proportion of our sample who had downloaded music and TV. There was also a decline in the proportion who had streamed live sport and an increase in those streaming films. The survey also found that “passion” for the content categories remained robust during the COVID-19 pandemic with respondents agreeing that many of them played a central role in their lives; the main drivers for online consumption were cost, the choice available and the convenience of being able to consume content whenever they want; and the overall level of infringement for all content categories (excluding digital visual images) was at 23%, which is 2% lower than where it had been for the previous four years.
House of Commons Science and Technology Select Committee publishes government response to report on biometrics
On 18 July 2019 the Science and Technology Committees’ predecessor Committee published its Nineteenth Report of Session 2017–19, The work of the Biometrics Commissioner and the Forensic Science Regulator. On 9 March 2021 the Committee received the UK government’s response to the Report. In summary, the government says it welcomes the report. Much has happened since it was issued. For example, on forensics it says that is supporting Darren Jones’ Bill to give the regulator statutory powers, and is investing in a standing national policing capability (the Forensic Capability Network and associated Transforming Forensics programme). On biometrics, the Court of Appeal ruled on live facial recognition and the government has committed to empower the police to use new technologies like biometrics while maintaining public trust, where the Committee’s report has helped to highlight some of the key issues. The response deals with responses to the Committee’s conclusions and recommendations in detail, including updates on legal and policy developments, including the Court of Appeal’s judgment on the use of live facial recognition.
DCMS Committee opens inquiry into influencer culture
The DCMS Committee has opened an inquiry into influencer culture. The inquiry will examine the power of influencers on social media, how influencer culture operates, and will consider the absence of regulation on the promotion of products or services, aside from the existing policies of individual platforms. An investigation by the Advertising Standards Authority found that more than three-quarters of influencers “buried their disclosures within their posts”. It will also assess influencer impact when it comes to media and popular culture as well as the positive role they can play, such as raising awareness for a campaign addressing vaccine hesitancy among people from ethnic minority backgrounds. The inquiry ends on 7 May 2021.
Irish DPC launches inquiry into processing of personal data by the Department of Health
The Irish Data Protection Commission has launched a statutory inquiry under Section 110 of the Data Protection Act 2018 arising from the revelations on a Prime Time programme on RTE concerning the processing by the Department of Health of the personal data of children with autism who were involved in legal actions against the State. The inquiry will examine whether or not the Department of Health has discharged its obligations in connection with the data processing concerned and it will determine whether or not any provisions of the Data Protection Acts and/or the GDPR have been contravened by the Department of Health in that context. A team of Authorised Officers has been appointed by the Commission to conduct the inquiry.
ENISA releases guidelines on reporting of security incidents
The European Union Agency for Cybersecurity (ENISA) has released new guidelines to facilitate the reporting of security incidents by national telecom security authorities. The guidelines published help national telecom security authorities in the reporting of significant incidents to ENISA and the European Commission under the European Electronic Communications Code (EECC). These new guidelines replace the previous ones issued by ENISA on incident reporting under Article 13a of the EU Telecoms Framework Directive. This revised version takes into account the scope and the provisions of the EECC and provides non-binding technical guidance to national authorities supervising security in the electronic communications sector. The following three types of incident reporting are provided for under article 40 of the EECC: national incident reporting from providers to national security authorities; ad-hoc incident reporting between national security authorities and ENISA; and annual summary reporting from national security authorities to the European Commission and ENISA. The new guidelines focus firstly on the ad-hoc incident reporting between the security authorities and ENISA and secondly on the annual summary reporting. More specifically, the document includes information on how and when security authorities can report security incidents to ENISA, to the European Commission and to other security authorities. The information provided considers the services and incidents within the scope of the EECC - incidents affecting confidentiality, availability, integrity and authenticity of networks and services. The thresholds needed for the annual reporting are also defined. These thresholds are both of a quantitative and of a qualitative nature. The quantitative elements considered include the number of users affected and the duration of the incident. Qualitative information was also used, such as the geographical coverage of the incident and the impact on the economy, on society and on users. The new guidelines also include an incident report template and draw the distinction between national and annual reporting.
EUIPO issues paper on preventing use of domain names for intellectual property infringement
EUIPO has issued a paper on preventing use of domain names for intellectual property infringement. It aims to contribute to a better understanding of the domain name ecosystem, the good practices that are developing to prevent the misuse of domain names for IP-infringing activities, and the challenges and opportunities to extend or replicate some of these good practices. It covers three phases: pre-registration, registration and post-registration. In addition to the above, some registries are cooperating with IP owners and enforcement authorities to share intelligence and limit IP-infringing uses of domain names. Several registries also conduct awareness-raising activities to teach their national communities about illegal activities taking place through the use of domain names. The good practices identified are typically implemented by a limited number of registrars and registries. In that respect, the discussion paper lays out the challenges and opportunities to extend each practice, taking into consideration that registrars and registries of all sizes have different economic and technical resources.