Data Sharing Code of Practice is laid before UK Parliament, Gambling Commission warning about responsibility for third party websites, DCMS call for views on cybersecurity, ICO fines and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.
Data Sharing Code of Practice is laid before UK Parliament
The Data Sharing Code of Practice has been laid before the UK Parliament. The ICO has issued a statement welcoming that news. It says that “the new data sharing code aims to give businesses and organisations the confidence to share data in a fair, safe and transparent way, and it dispels many of the remaining myths about data sharing. The code will guide organisations through the practical steps they need to take to share data while protecting people’s privacy. Data sharing that engenders trust in how personal data is used is a driver of innovation, economic growth and the delivery of more efficient and targeted services. Looking beyond the immediate COVID-19 crisis, data sharing will be central to the UK’s recovery. The ICO will continue to engage with organisations and other stakeholders as part of our ongoing work on addressing perceived barriers to data sharing, helping them better understand how they can share information appropriately.” The Data Sharing Code of Practice will lie before Parliament for 40 sitting days before coming into force.
Gambling Commission issues warning to operators over third party responsibilities
The Gambling Commission has warned gambling businesses that they will face regulatory action if they do not carefully manage all the third party websites for which they are responsible. The warning follows regulatory action taken against FSB Technology (UK). The Commission has imposed additional licence conditions on FSB, which will pay £600,000 for advertising, money laundering and social responsibility failings. FSB’s business model includes contracting provisions of its licensed activities to third parties. This arrangement, often referred to as a ‘white label’, places responsibility on the licensee to ensure that its third-party partners keep gambling fair, safe and crime-free. However, a Gambling Commission investigation discovered FSB did not have sufficient oversight of three third-party websites or effective anti-money laundering and social responsibility policies and procedures in place between January 2017 and August 2019. For example, there were ineffective customer interactions with, and source of funds checks on, a customer who displayed indicators of problem gambling and spent £282,000 over an 18-month period. A marketing email was sent to 2,324 customers who had previously self-excluded; a VIP team manager acted without adequate oversight and did not receive adequate anti-money laundering training; and an inappropriate banner advertisement containing cartoon nudity was placed on a Great Britain facing website which was providing unauthorised access to copyrighted content.
DCMS publishes call for views on supply chain cyber security
The Department for Digital, Culture, Media & Sport is holding a call for views on supply chain cyber security to seek industry input on how organisations manage supply chain cyber risk. The call for views is seeking feedback on existing guidance for supply chain cyber risk management, and will also test the suitability of a proposed framework for managed service provider security. The framework sets out measures organisations should take, such as: having policies to protect devices and prevent unauthorised access; ensuring data is protected at rest and in transit; keeping secure and accessible backups of data; and training staff and pursuing a positive cyber security culture. The call for views ends on 11 July 2021.
ICO takes action against contact tracing QR code provider
The ICO has fined a company for sending direct marketing emails to people who provided their personal data for contact tracing purposes. The company called TML provides digital contact tracing services which work by offering people a QR code to scan when arriving at businesses’ premises. The company sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to meet the government’s contact tracing rules. The ICO fined TML £8,000 for using personal data for marketing without adequate valid consent. The ICO has also responded to the rise in the use of QR code technology to help meet the rules by contacting 16 QR code providers to ensure they were also handling people’s personal information properly. The checks, which took place over the past six months, found that most of the companies understood the relevant laws and the importance of processing personal data fairly and securely. ICO experts also met with some of them to help improve their practices. The ICO has published guidance for contact tracing businesses.
Amex fined by ICO for sending four million unlawful emails
The ICO has fined American Express Services Europe Limited £90,000 for sending more than four million marketing emails to customers who did not want to receive them. The ICO began investigating when it received complaints from Amex customers who were getting marketing emails despite having opted out from them. The emails included details on the rewards of shopping online with Amex, getting the most out of using the card, and encouraging customers to download the Amex app. Amex had rejected its customers’ complaints, saying the emails were servicing emails and not marketing. During the investigation the ICO found that Amex had sent over 50 million of what it classed as servicing emails to its customers. The ICO said that between 1 June 2018 and 21 May 2019, 4,098,841 of those emails were marketing emails, designed to encourage customers to make purchases on their cards which would benefit Amex financially. The ICO says that it was a deliberate action for financial gain by the organisation. Amex also did not review its marketing model following customer complaints.
Ada Lovelace Institute issues report on vaccine passports
The Ada Lovelace Institute has issued a report on vaccine passports. The report sets out the requirements that governments and developers will need to deliver for any vaccine passport system to deliver societal benefit. It says that the current vaccine passport debate is complex, encompassing a range of different proposed design choices, uses and contexts, as well as posing high-level and generalised trade-offs, which are impossible to quantify given the current evidence base, or false choices that obstruct understanding (eg ‘saving lives versus privacy’). Meanwhile, policymakers supporting these strategies, and companies developing and marketing these technological solutions, make a compelling and simplistic pitch that these tools can help societies open up safer and sooner. The report sets out a six-point roadmap for vaccine passports. The six requirements are: scientific confidence in the impact on public health; clear, specific and delimited purpose; ethical consideration and clear legal guidance about permitted and restricted uses, and mechanisms to support rights and redress and tackle illegal use; sociotechnical system design, including operational infrastructure; public legitimacy; and protection against future risks and mitigation strategies for global harms.
UK government publishes response to consultation on National Data Strategy
The National Data Strategy was published for consultation in 2020. The government has now published an overview and analysis of key findings from the consultation. It says that respondents generally welcomed the framing of data as a strategic asset that should be used for economic and social benefit and tended to agree that the strategy identified the right pillars and missions to make the most of the opportunities presented by better data use. Respondents broadly agreed that data use should not just be considered as a threat to be managed, but also embraced as an opportunity to drive productivity and innovation across the economy, fuel scientific research, revolutionise the public sector and create a fairer and more prosperous society for all. Respondents also highlighted the potential for data use to support wider government priorities. This perspective was complemented by numerous case studies highlighting responsible data use throughout the coronavirus pandemic showcasing the value of data use for public good. However, respondents also stressed the need to ensure that the data revolution works for everyone. This included drawing attention to specific challenges around incorrect or inappropriate uses of data (often expressed as data bias), digital inclusion and connectivity, as well as the need for everyone to have the appropriate skills to operate and thrive in a data-driven economy. Above all, respondents’ feedback confirmed that maintaining a high level of public support for data use will be key to unlocking the power of data. Creating a trustworthy data regime that maintains high data protection standards and enables responsible data use is crucial to ensure that the benefits of the data revolution are felt by everyone.
ICO and CMA set out blueprint for cooperation in digital markets
The ICO and the CMA have published a joint statement, setting out their shared views on the relationship between competition and data protection in the digital economy. The statement highlights the strong overlap between promoting and protecting competition in digital markets and safeguarding people’s data. They say that coherent and clear regulation is vital for creating the conditions that allow new innovative services to flourish and for people to have confidence in digital services. The regulators have committed to working together to find regulatory solutions that achieve good competition and data protection outcomes. Competitive digital markets, with coherent and well-targeted regulation, can empower consumers by giving them greater control over their personal data and driving positive competition outcomes. The ICO and CMA are committed to continuing working together on projects that will put their joint statement into practice. This is already the case on the CMA’s investigation into Google’s Privacy Sandbox and the ICO’s investigation into real time bidding in the adtech industry. This commitment has been reinforced through an updated agreement (MOU) signed by the ICO and CMA, which sets out how the two regulators will collaborate further in future, for example through information sharing and the potential for joint projects. The MOU and the statement fit within a broader programme of work of the Digital Regulatory Cooperation Forum, involving the CMA, the ICO, Ofcom and the FCA, to support a coordinated regulatory approach across digital and online services. Internationally, the ICO and CMA say that they will engage with relevant organisations around the world to build consensus and promote global regulatory coherence and collaboration.
CMA gives Virgin and O2 merger green light
The CMA has cleared the proposed merger of Virgin Media and Virgin Mobile with O2. Both Virgin and O2 sell wholesale services to a number of mobile operators in the UK. Virgin supplies wholesale leased lines to mobile operators and O2 provides its mobile network to companies that do not have their own. The CMA was initially concerned that, following the merger, Virgin and O2 could raise prices or reduce the quality of these wholesale services. This could lead to other companies being forced to offer lower quality mobile services or increase their retail prices which would negatively affect consumers. The merger was referred to a group of independent CMA Panel members for an in-depth Phase 2 investigation. The Group has concluded that the deal is unlikely to lead to any substantial lessening of competition for a number of reasons. The costs of leased lines are only a relatively small element of rival mobile companies’ overall costs, so it is unlikely that Virgin would be able to raise leased-line costs in a way that would lead to higher charges for consumers. There are other players in the market offering the same leased-line services, including BT Openreach - which has a much greater geographical reach than Virgin - and other smaller providers. This means the merged company will still need to maintain the competitiveness of its service or risk losing wholesale custom. As with leased-line services, there are a number of other companies that provide mobile networks for telecoms firms to use, meaning O2 will need to keep its service competitive with its wholesale rivals to maintain this business.
IPO updates guidance on technological protection measures complaints process
The Intellectual Property Office has updated its guidance on the technological protection measures (TPMs) complaints process. The guidance sets out when and how someone may make a complaint, other steps that they should consider and some of the factors that may influence the outcome of a complaint. TPMs (also known as copy protection measures or Digital Rights Management (DRM)) are often used to protect copyright works, for example, through encryption on DVDs. TPMs can have an important role in enabling copyright owners (rightsholders) to offer content to consumers in different ways, as well as protecting against unlawful copying (piracy). UK law protects the right of copyright owners to use TPMs to protect their works, and circumvention of such technology is illegal. However, use of TPMs could potentially prevent activities that are permitted by copyright exceptions. The law therefore provides for a complaints process that aims to ensure that a TPM does not unreasonably prevent people from benefiting from an exception.
Belgian data protection authority approves its first European code of conduct
The Belgian Data Protection Authority has approved its first transnational code of conduct. In parallel to the approval of the code of conduct, the Belgian Data Protection Authority has also accredited SCOPE Europe as the monitoring body for the EU Cloud CoC. This monitoring body will ensure that code members abide by the provisions of the EU Cloud CoC. Therefore the EU Cloud CoC is now operational. The EU Cloud CoC formalises requirements of Art. 28 GDPR (concerning the processor) – and other relevant related Articles of the GDPR – for practical implementation within the cloud market (including IaaS, PaaS and SaaS). Adherence to the EU Cloud CoC is also achievable for SMEs in this sector.
MEPs issue report on online piracy of live sporting events
MEPs have issued a report calling for illegal streaming of live sporting events to be blocked in real time and organisers’ rights to be strengthened. The report sets out proposals to deal with the growing phenomenon of illegal broadcasting of live sporting events. To help combat the problem, MEPs call on the European Commission to clarify and improve the current EU framework on intellectual property rights for live sport events, which are currently not subject to copyright protection, and to introduce specific provisions regarding the rights of sport event organisers, for whom licensing of broadcasting rights is a key source of income. Some member states, however, have introduced specific legal protection from which organisers can benefit. According to MEPs, existing rules need to be adapted to address the specific short-term value of live sport events and concrete measures should be introduced to ensure the immediate removal of illegal content, under effective safeguards. Given that illegal streams are most harmful in the first thirty minutes of their appearance online, the text calls for such streams to be removed or disabled immediately and no later than thirty minutes following a notification by rights holders or a certified “trusted flagger”. MEPs reiterate the importance of hosting platforms acting swiftly to remove content and call for an EU system establishing common criteria for certified “trusted flaggers” to be introduced, as well as further harmonisation of procedures and remedies in the future Digital Services Act and in other sector-specific proposals. However, injunction procedures to remove illegal sporting events must avoid arbitrary or excessive blocking of legal content. Enforcement measures should be proportionate and include access to judicial remedies, in particular for small businesses, SMEs and start-ups. Legal offers on sport content should also be promoted more effectively in the EU and made easier for consumers to find online.
Finally, the liability for illegal broadcasts should lie with the providers of sport streams, and not with the fans or consumers.