This Week's Techlaw News Round-up

CMA investigates anticipated acquisition by Microsoft of Nuance Communications, Science and Technology Select Committee calls for evidence on the right to privacy in the digital era, decisions by the Austrian and Irish data protection regulators and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.

UK law

CMA investigates anticipated acquisition by Microsoft Corporation of Nuance Communications, Inc

The CMA is investigating the anticipated acquisition by Microsoft Corporation of Nuance Communications, Inc. The CMA is considering whether it is or may be the case that this transaction, if carried into effect, will result in the creation of a relevant merger situation under the merger provisions of the Enterprise Act 2002 and, if so, whether the creation of that situation may be expected to result in a substantial lessening of competition within any market or markets in the United Kingdom for goods or services.

Science and Technology Select Committee calls for evidence on the right to privacy in the digital era

The Science and Technology Select Committee has issued a call for evidence on the right to privacy in the digital era. It says that effectively sharing data across and between Government and industry has a number of potential benefits, but there are risks to doing so too. A key issue is public trust and the need for transparency with respect to how individuals’ data is used and shared. The Government’s December 2020 National Data Strategy and its more recent draft strategy, “data saves lives: reshaping health and social care with data”, address aspects of this. Specifically, the latter sets out an aim to “share anonymous data safely and appropriately across the entire health system”, which has raised concerns amongst patient groups and some privacy campaigners. The Committee is therefore seeking views on the potential benefits, including to research, to effectively use and share data between and across Government, other public bodies, research institutions and commercial organisations, and the existing barriers to such data sharing; the extent to which data issues are appropriately addressed by the Government’s strategies; the ethics underpinning the use and sharing of individuals' data in health and care contexts; the extent to which appropriate safeguards and privacy are applied in the usage and sharing of individuals' data; and the effectiveness of existing governance arrangements, for example, the Centre for Data Ethics and Innovation. The consultation ends on 28 January 2022.

EU law

Austrian Data Protection Authority issues decision in Google Analytics case

The Austrian Data Protection Authority (DSB) has issued its decision on a model case that the continuous use of Google Analytics violates the GDPR. In 2020, the Court of Justice of the European Union ruled that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB "task force". It seems the Austrian DSB decision is the first to be issued. Google had argued that the Irish DPC should have jurisdiction but the DSB rejected this. It also confirmed that IP addresses and online identifiers qualify as personal data under Article 4(1) GDPR, especially because they allow organisations to single out a data subject under recital 26 of the GDPR. It is sufficient that the data subject can be identified; an actual identification is not necessary. It is irrelevant that the website provider might require additional information from Google LLC to identify the data subject. The CJEU has ruled that there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person. The fact that Google allows user to opt in and out of personalized ads shows that Google LLC possesses all means to identify the data subject. While Google had made submissions claiming that has implemented "Technical and Organizational Measures", which included ideas like having fences around data centres, reviewing requests or having baseline encryption, the DSB rejected these measures. It said that “with regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measure] are effective in the sense of the above considerations. Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law". The DPA has not yet announced a penalty. 

Irish DPC publishes result of Inquiry into the Teaching Council

The Irish DPC has published the result of an Inquiry into the Teaching Council. The inquiry was commenced in respect of a personal data breach that the Irish Teaching Council notified to the DPC on 9 March 2020. The personal data breach occurred when a phishing email was accessed by two staff members of the Council, allowing then for the creation of an auto-forward rule from their email accounts to a malicious email account. As a result, between 17 February 2020 and 6 March 2020 when the auto-forward rule was discovered, 323 emails were forwarded to the unauthorised external email address. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject. The decision found that the Council infringed Article 5(1) and Article 32(1) of the GDPR between 25 May 2018, when the GDPR came into application, and the dates of the personal data breaches, by failing to process personal data in a manner that ensured the appropriate security of the personal data using appropriate technical and organisational measures. The decision found that the Council infringed Article 33(1) of the GDPR by failing to notify the DPC of the personal data breach(es) when it ought to have been aware of them. The DPC imposed an administrative fine on the Council in the amount of €60,000 for the infringements. In addition, the DPC issued the Council with a reprimand in respect of the infringements. 

Report published on functioning of .eu domain between April 2019 and April 2021

The European Commission has published a report on the implementation, functioning and effectiveness of the .eu Top Level Domain. The report covers the period April 2019 to March 2021. It shows that there were 3.7 million registered .eu domain names as of April 2021, which made the .eu domain is the eighth largest country code Top-Level Domain in the world. Between 2019 and 2021 the .eu growth flattened.  It suffered a negative impact from continued saturation and consolidation of the domain name market and the effect of the UK’s withdrawal from the EU, but this was compensated by growth in demand for domain names during the coronavirus (COVID-19) pandemic. The report also highlights that the .eu Registry allowed EU citizens to register a .eu domain name regardless of their place of residence, launched the variants in Greek and Cyrillic scripts, the Abuse Prevention Early Warning System, the Know-Your-Customer project and the registrar lock service in 2020. It also collaborated with the European Union Intellectual Property Office on the joint Action Plan to combat abusive and speculative domain name registrations. The domain also overcame a denial of service attack in spring 2020.

Published: 2022-01-14T12:00:00

    Please wait...