John Edwards starts work as the new Information Commissioner, CDEI publishes AI barometer, ICO consults on the draft guidance on the right of access for competent authorities and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.
John Edwards is confirmed as the new Information Commissioner
John Edwards has been confirmed as the new Information Commissioner with his five-year term beginning on 3 January 2022. Edwards was previously New Zealand’s Privacy Commissioner. Under data protection legislation, the Information Commissioner is appointed by Her Majesty by Letters Patent on the basis of fair and open competition and on the recommendation of ministers (the Secretary of State for Digital, Culture, Media and Sport, through the Prime Minister). John Edwards’ appointment as Information Commissioner was approved by the Digital, Culture, Media and Sport Select Committee after a pre-appointment hearing on 9 September 2021.
CDEI publishes AI barometer
The Centre for Data Ethics and Innovation has published its AI Barometer, a major analysis of the most pressing opportunities, risks, and governance challenges associated with AI and data use in the UK, initially across five sectors. It highlights the potential for AI and data-driven technology to address society’s greatest challenges but points out that some opportunities are easier to realise than others. While the top-rated risks varied from sector to sector, a number of concerns cropped up across most of the contexts it examined. These include the risks of algorithmic bias, a lack of explainability in algorithmic decision-making, and the failure of those operating technology to seek meaningful consent from people to collect, use and share their data. This highlights the value of cross-sector research and interventions. Several barriers stand in the way of addressing these risks and maximising the benefits of AI and data. These range from market disincentives to regulatory confusion. Three types of barrier merit close attention: low data quality and availability; a lack of coordinated policy and practice; and a lack of transparency around AI and data use. Over the coming months, the CDEI will promote the findings of the AI Barometer to policymakers and other decision-makers across industry, regulation and research. The AI Barometer itself will also be expanded over the next twelve months, looking at new sectors and gathering more cross-sectoral insights. Additionally, the CDEI is embarking on a new programme of work that will address many of the barriers identified in the AI Barometer as they arise in different settings, from policing to social media platforms.
ICO consults on draft guidance about the right of access for competent authorities
The right of access in Part 3 of the Data Protection Act 2018 is a fundamental right that applies to competent authorities. It is more commonly known as the right to make a subject access request. It allows individuals to find out what personal data is held about them for law enforcement purposes and to obtain a copy of that data. Following on from the ICO’s initial guidance on this right, the ICO has now drafted detailed guidance which explains in greater detail the rights that individuals have to access their personal data and the obligations on competent authorities. The draft guidance also explores situations involving joint controllers, how to deal with requests involving the personal data of others and the restrictions that are most likely to apply in practice when handling a request. At the same time, the ICO has also drafted updated guidance on the provisions in Part 3 on how authorities should deal with manifestly unfounded or excessive requests. The ICO is consulting on both pieces of draft guidance to gather the views of stakeholders and the public. The consultation ends on 11 March 2022.
The Network and Information Systems (EU Exit) (Amendment) Regulations 2021 made
The Network and Information Systems (EU Exit) (Amendment) Regulations 2021/1461 have been made. They have been made in exercise of the powers conferred by section 8(1) and (5) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018 to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(d)) arising from the withdrawal of the UK from the EU. The Regulations amend both the retained EU law version of Commission Implementing Regulation (EU) 2018/151 and the Network and Information Systems Regulations 2018 (SI 2018/506) (which relate to securing network and information systems) by amending and removing certain criteria for managing and reporting cyber risks that apply to digital service providers where those criteria are no longer appropriate now that the UK has left the EU. In particular, thresholds for reporting cyber incidents that were set by reference to the impact of the incident on the EU’s population have been removed and these thresholds will instead be set in guidance.
Irish DPC publishes Regulatory Strategy for 2022-2027
The Irish Data Protection Commission has published its Strategy for 2022-2027. The breadth of the DPC’s regulatory remit cuts across all areas of personal and public life, at both national and international level. To develop a Regulatory Strategy that will provide effective direction for such a vast operational remit, the DPC says that it has been careful to take account of the wider context in which it regulates, the needs of its diverse stakeholders and the evolving nature of the fast-paced and non-traditional sectors it regulates. The Strategy is arranged according to fundamental goals, underpinned by the DPC’s mission, vision and values, which collectively contribute to the delivery of its strategic priorities. The DPC recognises that it cannot achieve its ambitions alone – new partnerships and new ways of engaging will be necessary as it looks towards a future of closer convergence. Nonetheless, the DPC builds from a position of confidence: it says that it is a regulatory office with ambition, a clear sense of purpose, a history of achievement, and a future of considerable promise. The DPC has consulted widely in preparing the Strategy, gathering insights and experiences of how the application of the GDPR has affected the lives of individuals and organisations operating across a wide range of sectors. It is clear that the GDPR is a matter of vital interest for many people. As is the case with any far-reaching legislation, the various interpretations from stakeholders of how best to apply the GDPR are not always in sympathy with each other. Nonetheless, the DPC is tasked with extracting the commonalities from these disparate points of view, and identifying an agenda of regulatory priorities which will drive compliance and promote better data protection outcomes for EU individuals.
One overarching objective – to do more, for more – has underpinned the strategic choices made in the Strategy, as the DPC navigates a regulatory future replete with competing priorities.
European Parliament ready to start negotiations with Council on Digital Markets Act
The European Parliament has given its green light to begin negotiations with member states on rules setting out what big online platforms will be allowed to do and not do in the EU. The Digital Markets Act (DMA) proposal blacklists certain practices used by large platforms acting as “gatekeepers” and enables the Commission to carry out market investigations and sanction non-compliant behaviours. The revised text approved by Parliament sets new obligations and prohibitions directly applicable to such platforms, with a view to ensuring fair and open markets. The proposed regulation will apply to the major companies providing so-called “core platform services” most prone to unfair business practices. These include online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services, which meet the relevant criteria to be designated as gatekeepers. MEPs also included web browsers, virtual assistants and connected TV within the scope of the DMA. Other changes introduced by MEPs are related to the definition of gatekeepers based on certain thresholds, the list of obligations and prohibitions including new provisions on targeted advertising and on the interoperability of services, EU enforcement, the role of national competition authorities and fines. The text is Parliament’s mandate for negotiations with EU governments, planned to start under the French presidency of the Council in the first semester of 2022.
EPO Legal Board of Appeal refuses patent in AI case
The Legal Board of Appeal has announced its decision to dismiss the appeal in cases J 8/20 and J 9/20. The Legal Board of Appeal confirmed the decisions of the Receiving Section of the European Patent Office to refuse the applications EP 18 275 163 and EP 18 275 174, in which an artificial intelligence system called DABUS was designated as inventor in the application forms. The Legal Board of Appeal also refused the auxiliary request according to which no person had been identified as inventor but merely a natural person was indicated to have "the right to the European Patent by virtue of being the owner and creator of" the artificial intelligence system DABUS. Under the European Patent Convention the inventor had to be a person with legal capacity. For this reason at least, the main request was not allowable. Regarding the auxiliary request, a statement indicating the origin of the right to the European patent under Article 81, second sentence, EPC had to be in conformity with Article 60(1) EPC. The EPO was competent to assess whether such statement referred to a situation which was encompassed by Article 60(1) EPC.