Draft Network and Information Systems (EU Exit) (Amendment) Regulations 2021 laid, ICO fines Scottish charity for revealing personal data in email error, PSA announces consultation on new guidance to support new Code of Practice and more in this week’s round-up of UK, EU and international techlaw news developments not covered elsewhere on the SCL website.

UK



Draft Network and Information Systems (EU Exit) (Amendment) Regulations 2021 laid



The draft Network and Information Systems (EU Exit) (Amendment) Regulations 2021 have been laid before Parliament under the European Union (Withdrawal) Act 2018 (EU(W)A 2018) in connection with Brexit. The draft Regulations will amend a piece of UK secondary legislation and a piece of retained direct EU legislation relating to network and information systems, to address failures of retained EU law to operate effectively and other deficiencies arising from the withdrawal of the UK from the EU. They come into force 28 days after the day on which they are made.



ICO fines Scottish charity for revealing personal data in email error



The ICO is urging organisations to revisit their bulk email practices after failures by HIV Scotland led to a £10,000 fine.



The breach of data protection law involved an email to 105 people which included patient advocates representing people living in Scotland with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. An ICO investigation of the February 2020 incident found shortcomings in the charity’s email procedures. These included inadequate staff training, reliance on blind carbon copy (bcc) as the method of sending bulk emails, and an inadequate data protection policy. It also found that, despite the charity’s own recognition of the risks in its email distribution and its procurement of a system which enables bulk messages to be sent more securely, it was still using the less secure bcc method seven months later.
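The failure mode here is the familiar one: a single message with every recipient listed in To/Cc discloses the whole list, and a process that relies on a person remembering to use bcc fails the moment they forget. The example below is added here to show the control a practitioner would want; it is not code from HIV Scotland, the ICO or the SCL. It builds one message per recipient so that no recipient ever appears in another's headers, and it adds a pre-send guard that refuses any message whose visible headers carry more than one address. The `transport` callable, the function names and the addresses are assumptions made for the example; the sample recipient list is constructed and runs offline.

```python
"""Per-recipient bulk mailing with a pre-send recipient-exposure check.

Added example (not the charity's or the regulator's code). The guard
inspects the headers every recipient can see (To and Cc); Bcc is not
inspected because it is stripped before delivery and is not disclosed.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable, List


class RecipientExposure(Exception):
    """Raised when a message would reveal recipient addresses to each other."""


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses that every recipient of this message will be able to see."""
    headers = [str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])]
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_recipient_exposure(msg: EmailMessage, max_visible: int = 1) -> None:
    """Refuse any message whose To/Cc headers carry more than max_visible addresses."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise RecipientExposure(
            f"{len(seen)} addresses visible in To/Cc; refusing to send")


def build_all_visible_message(sender: str, recipients: Iterable[str],
                              subject: str, body: str) -> EmailMessage:
    """The failing pattern: one message with the whole list in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_messages(sender: str, recipients: Iterable[str],
                        subject: str, body: str) -> List[EmailMessage]:
    """The hardened pattern: one message per recipient, each checked before hand-off."""
    messages = []
    for rcpt in dict.fromkeys(recipients):  # de-duplicate, keep order
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        check_recipient_exposure(msg)
        messages.append(msg)
    return messages


def send_bulk(sender: str, recipients: Iterable[str], subject: str, body: str,
              transport: Callable[[EmailMessage], None]) -> int:
    """Build every message, hand each to `transport`, return the number sent.

    `transport` is an assumed callable (in production it might wrap
    smtplib.SMTP.send_message); none is provided here so the example runs offline.
    """
    msgs = build_bulk_messages(sender, recipients, subject, body)
    for m in msgs:
        transport(m)
    return len(msgs)


if __name__ == "__main__":
    # Constructed sample list with a duplicate; addresses are placeholders.
    members = ["a.advocate@example.org", "b.advocate@example.org",
               "a.advocate@example.org"]

    bad = build_all_visible_message("news@example.org", members, "Update", "Hello")
    try:
        check_recipient_exposure(bad)
    except RecipientExposure as exc:
        print("blocked:", exc)

    outbox: List[EmailMessage] = []
    sent = send_bulk("news@example.org", members, "Update", "Hello", outbox.append)
    print(sent, "messages; visible per message:",
          [visible_recipients(m) for m in outbox])
```

The guard is deliberately separate from the builder so it can also be wired in front of an existing mail path as a last line of defence: anything that reaches the transport with more than one visible address is dropped rather than sent, regardless of how it was composed.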

PSA announces consultation on new guidance to support new Code of Practice



The Phone-paid Services Authority has announced a consultation on new guidance to support the new standards and requirements that will be introduced by Code 15, which we reported on last week, and which comes into force in April 2022. The new guidance is intentionally shorter and simpler than current guidance. It is intended to support compliance with the Code rather than add complexity. The PSA is proposing seven pieces of guidance that will support various key aspects such as transparency, fairness, customer care and vulnerable customers. The consultation ends on 22 December 2021.



EU



Dublin court confirms fine on Twitter



The Irish Data Protection Commission has had its decision to impose an administrative fine on Twitter International Company confirmed in the Dublin Circuit Court. The application to confirm the decision to impose an administrative fine of €450,000 was made under section 143 of the Data Protection Act 2018. The inquiry was commenced in January 2019 following receipt of a breach notification from Twitter. The breach related to a bug whereby if a Twitter user with a protected account, using Twitter for Android, changed their email address, their account would become unprotected. The purpose of the inquiry was to examine certain issues surrounding Twitter’s notification of the breach, as distinct from examining the substantive issues relating to the breach itself. Twitter notified the DPC of the personal data breach on 8 January 2019, and the decision found that it ought to have been aware of the breach by 3 January 2019 at the latest. The decision found that Twitter infringed Articles 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach to the DPC on time and a failure to adequately document the breach.



EUIPO publishes joint study on global trade in counterfeit and pirated products



The EU Intellectual Property Office has published a joint study with the Organisation for Economic Co-operation and Development on global trade in counterfeit and pirated products. The study analyses the role of e-commerce in facilitating the trade in fake goods. It says that e-commerce plays an increasingly important role in the modern economy, and that the trend towards online commerce accelerated as a result of the Covid pandemic. In 2020, while retail sales declined in most countries due to the pandemic and consequent restrictions on economic activity, online sales grew by more than 20% compared to 2019. Analysis of various e-commerce indicators shows that the level of e-commerce development in a country is related to the level of imports of counterfeit goods into that country. Descriptive statistics based on 2017-2019 data on seizures of counterfeit goods imported into the EU show that over 50% of detentions are related to online transactions. However, in terms of value, detentions related to e-commerce represent only 14% of the value of seized goods. In over 90% of cases, goods detained in connection with e-commerce are shipped to the EU by mail/post. The role of China as a provenance country is more pronounced in seizures related to e-commerce than in seizures in general: China was a provenance country in over 75% of cases of seizures of counterfeit goods imported into the EU with a link to e-commerce transactions. Use of e-commerce differs depending on the type of counterfeit product. The propensity for fakes in e-commerce transactions is highest in the case of perfumery and cosmetics, pharmaceutical products and optical products (glasses), where over 70% of seizure cases at the EU borders were related to internet sales.



International



Australian Government consults on draft online privacy bill



The Australian Government is consulting on a draft online privacy bill. Under the draft bill, the current maximum penalty of $2.1 million for serious or repeated breaches of privacy will increase to the greater of $10 million, three times the value of any benefit obtained through the misuse of information, or 10 per cent of the entity's annual Australian turnover. The draft includes new code-making powers to enable the development of an Online Privacy Code to regulate social media services, data brokerage services and large online platforms. The code will be developed by industry and will include requirements for these companies to be more transparent about how they handle personal information and to seek specific consent from users. It will also include more stringent privacy requirements for children. The scope of organisations covered by the code is another important aspect of the consultation. The Attorney-General’s Department has also released a discussion paper for consultation as part of its current review of the Privacy Act 1988. Australian Information Commissioner and Privacy Commissioner Angelene Falk welcomed the bill. She said “the issues of age verification and parental or guardian consent can be informed by overseas experience and the eSafety Commissioner’s current work in this area”. The consultation ends on 6 December 2021.



Joint statement on global privacy expectations of Video Teleconferencing companies



In July 2020, six data protection and privacy authorities, from Australia, Canada, Gibraltar, Hong Kong SAR, China, Switzerland and the UK, jointly signed an open letter to video teleconferencing (VTC) companies. The letter highlighted concerns about whether privacy safeguards were keeping pace with the rapid increase in use of VTC services during the global pandemic, and provided VTC companies with some guiding principles to address key privacy risks. The joint signatories invited five of the biggest VTC companies to reply to the letter. Microsoft, Google, Cisco and Zoom responded, setting out how they take the principles into account in the design and development of their VTC services. Following a review of the responses, the joint signatories engaged further with these companies to better understand the steps they take to implement, monitor and validate the privacy and security measures they have put in place. The work has allowed the joint signatories to engage, in a coordinated manner and with a uniform voice, with some of the largest and fastest growing technology companies, whose services are used worldwide. It has also given those companies the opportunity to explain their approach to data protection and privacy through direct and practical interaction with a subset of the global privacy regulatory community representing citizens from jurisdictions across four continents.