Ticketmaster appeal, Exclusion clauses and online betting, Tribunal upholds CMA fine on Roland and more in this week’s round-up of UK and EU techlaw news developments not covered separately on scl.org
First Tier Tribunal agrees Ticketmaster should have stay of appeal proceedings
In Ticketmaster UK Ltd v The Information Commissioner  UKFTT 0083 (GRC), the First-Tier Tribunal (Information Rights) has granted Ticketmaster UK Limited a stay of its appeal against a monetary penalty notice. It was issued by the ICO in November 2020 for breaches of Articles 5(1)(f) and 32 of the GDPR. Ticketmaster had appealed against the penalty notice. It argued that it had not breached its security obligations. Secondly, the fine was too harsh. Ticketmaster had also applied to the Tribunal to stay the appeal proceedings. This was because the High Court was also due to consider similar liability issues in proceedings relating to the same cyber-attack which had led to the ICO imposing the penalty notice in the first place. The High Court proceedings relate to a group action by Ticketmaster customers alleging their personal data was compromised due to the attack and a Part 20 action between Ticketmaster and the supplier of the chat-bot targeted in the cyber-attack. The reasons for waiting for the High Court proceedings were to avoid duplication in the proceedings in relation to the liability issue and to avoid conflicting decisions between the High Court and the Tribunal. Therefore, the Tribunal granted the application.
High Court rules on dispute between claimant and online betting company
The High Court has granted summary judgment in the well publicised case of Green v Petfre (Gibraltar) Ltd (t/a Betfred)  EWHC 842 (QB). Mr Green won a £1.7m jackpot in an online game provided by Betfred that he played on his mobile phone. Betfred refused to honour the win due to an alleged software defect. It said that its terms and conditions excluded its liability in such circumstances. Betfred had also said that summary judgment was inappropriate as the case dealt with industry standard terms. Foster J held that the claim was suitable for summary judgment, regardless of the effect it might have on the wider industry. She concluded that the wording of each of the exclusion clauses was inadequate to exclude liability to pay out the claimant's winnings in the circumstances. Even if they had excluded liability effectively, the way in which they were presented and the fact that they were not drawn adequately to a consumer’s attention meant that the exclusions were not incorporated into the contracts. The insufficient signposting was especially significant in the context of online betting, where a website user would be unlikely to trawl through documentation online, especially if it was repetitive and not obviously relevant to them. Finally, the clauses were neither transparent nor fair as required by the Consumer Rights Act 2015, so Betfred would not have been entitled to rely upon them, even though Mr Green was an experienced and competent player of internet gaming. The judge’s comments in the case provide useful guidance for lawyers advising on exclusion clauses in online consumer contracts.
CAT increases fine after musical instrument firm breaks settlement bargain
In June 2020, the CMA fined the musical instrument firm Roland just over £4 million for restricting online discounting of its electronic drum kits between 2011 and 2018. This was one of several fines imposed by the CMA on leading musical instrument suppliers for requiring retailers to sell their products online at or above a minimum price, that is, ‘resale price maintenance’ (RPM). The fine imposed by the CMA had been reduced under its leniency and settlement programmes to take account of the fact that Roland had admitted acting illegally and cooperated with the CMA’s investigation. Roland appealed to the Competition Appeal Tribunal against the level of the fine which it had itself agreed to pay as part of its settlement with the CMA. The Tribunal has now unanimously upheld the CMA’s decision in its entirety, dismissing Roland’s arguments that its conduct was not sufficiently serious to justify such a high fine and that the CMA should have awarded it a higher leniency discount. The Tribunal also agreed with the CMA that, by appealing against the CMA’s decision, Roland had breached its bargain with the CMA to accept a lower fine in return for agreeing not to appeal. It decided that Roland should therefore lose the benefit of its 20% settlement discount. As a result, Roland’s fine was increased to just over £5 million, an increase of more than £1 million.
CDEI issues call for evidence on effective AI assurance
The Centre for Data Ethics and Innovation has issued a call for evidence from individuals and organisations who are developing or adopting AI systems as well as developing assurance tools or working on similar issues in AI assurance. Assurance covers a number of governance mechanisms for third parties to develop trust in the compliance and risk of a system or organisation. The CDEI is developing an AI assurance roadmap to address gaps in the assurance landscape which will lay out a set of activities needed to build a mature assurance eco-system and identify the roles and responsibilities of different stakeholders across these activities. By laying out this set of activities, and identifying roles and responsibilities, the roadmap seeks to address crucial gaps in the assurance landscape by building common understanding around the different types of AI assurance and how they contribute to responsible innovation, translating between developer, executive and regulator needs for assurance, particularly on fairness; and clarifying the relationship between different kinds of standards.
IPO publishes report on the economic and innovation impacts of trade secrets
The IPO has published a report on the economic and innovation impacts of trade secrets. Trade secrets are a preferred strategy for innovative UK firms. 70% of UK firms who develop product and process innovations use trade secrets to protect these innovations. Trade secrets are particularly important to UK firms in the R&D services, tech, and across manufacturing and non-manufacturing sectors. Larger firms rely on trade secrets more than smaller firms. Trade secrets can be highly valuable firm assets. They have a wide scope of coverage and support the innovation ecosystem by protecting process, product, market and organisational innovations, and by providing a key complement and support to other IP. Firms choose trade secrets to maintain a competitive advantage by avoiding the disclosure associated with other types of IPR. However, trade secrets are vulnerable to reverse engineering and misappropriation or theft. Cybertheft and economic espionage are increasing concerns. Trade secrets are often a lower cost alternative to other IPR, although enjoy relatively weaker protection. Trade secrets serve as a substitute or complement to patents. Patents are preferred for product innovations, and trade secrets for process innovations. Further work is needed to develop an evidence base for trade secrets, and exploration of key themes such as the interaction of trade secrets with patentability could better inform policy.
Select Committee calls for government to consider new health and employment rights to protect wellbeing in the digital world
The House of Lords Select Committee on COVID-19 has published its report Beyond Digital: Planning for a Hybrid World. It warns that more needs to be done to ensure that everyone benefits from society’s increasing reliance on digital technology post-pandemic and that it does not lead to increasing inequality and marginalisation. On the one hand technology has been a lifeline, but there is a real risk that any increasing reliance on digital technology will exacerbate existing inequalities. The Committee’s report makes a range of recommendations to maximise the opportunities, and mitigate the risks, of the hybrid world. The Committee says that the UK government should develop a new Hybrid Strategy, which recognises that all aspects of our lives are, and will increasingly be, a hybrid blend of online and offline interactions. It should consider introducing a legal right to internet access and digital infrastructure, but should also work with internet providers to develop a scheme to provide affordable internet access to those in poverty and on low incomes. It should also develop a genuinely hybrid healthcare service, underpinned by a code of practice giving patients the right to receive services online or offline and guaranteeing a minimum service standard for both offline and online healthcare services. This should consider patients’ rights in hybrid healthcare provision, including its impact on accessibility, privacy and the triage between face-to-face and digital provision. Alongside its new hybrid strategy, the government should consult on strengthening the current legislative framework for employment rights, to ensure it is suitable for the digital age, as well as introducing new legislation to provide platform works with enhanced employment rights.
European Parliament Civil Liberties Committee call for clear guidelines on data transfers with the US
The European Parliament Civil Liberties Committee has said in a draft report that after the CJEU rejected an earlier framework for data transfers with the US, data protection authorities should set clear rules in line with the Court’s findings. It urges the Commission to issue detailed guidelines on making data transfers compliant with recent CJEU rulings. MEPs stress the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings. They urge the Commission to assess the impact of the Court’s rulings on current data transfers to the US. They also express disappointment with the Irish Data Protection Commission and its decision to initiate the Schrems court case instead of independently triggering enforcement procedures in the EU’s GDPR while also criticising the DPC’s long processing times. MEPs call on the Commission to launch infringement procedures against Ireland for failing to enforce the GDPR effectively. More generally, the report criticises the enforcement of the GDPR by national authorities, who MEPs consider to have overlooked international data transfers and failed to take meaningful corrective decisions. The report also calls on the Commission and the EDPB to collaborate on guidelines for a toolbox of privacy-boosting measures, while considering recent CJEU rulings. In addition, the Commission should integrate the EDPB’s feedback into its proposals. The non-legislative draft resolution will be debated in a future plenary session and put to the vote by the full House.
EDPS issues annual report for 2020
The European Data Protection Supervisor has published his Annual Report 2020, setting out his various activities. The EDPS established an internal COVID-19 taskforce on the interplay between privacy and the pandemic. He also called for a pan-European approach to combat the virus, especially in the context of contact tracing apps. The EDPS also carried out investigations about the use of cloud products and services and the processing of large data sets by Europol, followed by the use of corrective powers. It also carried out remote audits and published a strategic document about the Schrems II judgment. Protecting the data of EU citizens when processed in non-EU countries will remain a top priority for the EDPS in 2021. The EDPS issued many legislative Opinions including about the European strategy for data, on AI, and the proposed temporary derogations from the e-privacy framework. It also issued Opinions on the use of data for scientific research and health-related purposes. It also increased its monitoring of technologies. Further, it contributed to the activities of the EDPB. 2020 also marked the beginning of a new EDPS mandate and the unveiling of the EDPS Strategy 2020-2024. As such, the EDPS started to work towards meeting its objectives according to three strategic pillars: foresight, action, solidarity. The overarching priority of the EDPS, as set out in its strategy, is to shape a safer digital future.