Date: 2022-02-11

CMA designates Amazon as a grocery retailer to protect suppliers, Ada Lovelace Institute issues report on a healthcare case study of algorithmic impact assessment, NVIDIA abandons takeover of Arm during regulators’ investigations and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.

UK law



CMA designates Amazon as a grocery retailer to protect suppliers



Amazon’s increasing activity in the UK groceries sector in recent years has led the CMA to designate the company under the Groceries Market Investigation Order. As a result, Amazon and its relevant UK subsidiaries must now comply with the Groceries Supply Code of Practice. The Code, which applies to retailers with an annual turnover of more than £1 billion from grocery sales, ensures that they treat their suppliers fairly. For example, it restricts companies from making changes to supply contracts at short notice. It also requires retailers to give an appropriate period of notice if they no longer want to use a supplier and provide reasons for ending the contract. The CMA regularly monitors UK retailers to see if they meet the criteria to be covered by the Code, such as relevant turnover. However, once the CMA has designated a grocery retailer, compliance with the Code is managed by the independent Groceries Code Adjudicator.



Ada Lovelace Institute issues report on a healthcare case study of algorithmic impact assessment



The Ada Lovelace Institute has issued a report on a healthcare case study of algorithmic impact assessment. The report sets out the first-known detailed proposal for the use of an algorithmic impact assessment for data access in a healthcare context: the NHS’ proposed National Medical Imaging Platform. It proposes a process for algorithmic impact assessments, which aims to ensure that algorithmic uses of public-sector data are evaluated and governed to produce benefits for society, governments, public bodies and technology developers, as well as the people represented in the data and affected by the technologies and their outcomes. This includes actionable steps for the AIA process, alongside more general considerations for the use of AIAs in other public and private-sector contexts.



NVIDIA abandons takeover of Arm during regulators’ investigations



NVIDIA has abandoned its proposed deal with Arm during the CMA’s investigation, following the CMA’s initial finding that the merger could lead to a substantial lessening of competition. The CMA now intends to cancel its investigation into the merger. The CMA inquiry group was set to scrutinise the deal in main party hearings in February, following its initial finding in the phase 1 investigation that the merger could lead to a substantial lessening of competition. After the CMA found that the merged business would have had the ability and incentive to restrict NVIDIA’s rivals’ access to Arm’s intellectual property, the Secretary of State for Digital, Culture, Media & Sport decided to progress the merger to a further phase 2 investigation based on national security and competition concerns. Other regulators have also raised concerns, including the European Commission and the Federal Trade Commission.



ICO publishes draft parts of its anonymisation, pseudonymisation and PET guidance for views



The ICO has published a consultation on the draft chapter 3 (pseudonymisation) of its anonymisation, pseudonymisation and privacy enhancing technologies (PET) guidance. The consultation ends on 16 September 2022.



Ofcom sets out initial views on the future of mobile markets and spectrum for consultation



Ofcom has set out its initial thinking on how mobile markets might develop and how networks may need to evolve to meet future demand. It has set out how it might adapt its approach accordingly. Demand for mobile services has grown rapidly over the last decade. Ofcom expects that growth to continue, with more demand for data-hungry services. Mobile network operators will continue to play a significant role, but it also expects to see an increased role for other companies in providing mobile networks and selling mobile services. Given the changes taking place, it is considering whether and how it might adapt its regulatory approach. It will take steps to clarify its future regulatory approach to support investment. It also plans to set out more clearly how it has considered investment when making future policy decisions. It currently has no plans to introduce any new consumer pricing rules, but if new problems do emerge that require further intervention, it would be ready to act. It is also clarifying its position on mobile consolidation. Its stance on a potential merger would be informed by the specific circumstances of that particular merger, rather than just the number of competitors. It has also issued a note about radio spectrum, which it says is an important and finite resource that is essential for mobile networks. Large amounts of spectrum have been made available for mobile below 4 GHz, but demand for spectrum is growing across multiple sectors, and that growth is expected to continue. Therefore, Ofcom is considering possible future demand for mobile services and implications for spectrum. Mobile networks will need to evolve to meet future demand and deliver the quality of experience needed by consumers and businesses. There are a number of ways they might do this, including: wider and fuller use of current spectrum holdings, making use of planned spectrum releases, technology upgrades and deploying more sites including small cells.
Ofcom anticipates that existing mobile spectrum holdings and spectrum already planned for release are likely to be broadly sufficient to meet future demand to 2030 if networks adopt a range of strategies to do so. The consultation on its approach ends on 8 April.



EU law



EDPB holds February plenary session



During its February plenary session, the EDPB adopted Opinion 1/2022 about the draft decision of the Luxembourg Supervisory Authority regarding the GDPR-CARPA certification criteria. This is the first time that the EDPB has adopted a consistency opinion on criteria for a nationwide certification scheme. The GDPR-CARPA certification scheme is a general scheme, which does not focus on a specific sector or type of processing. It includes requirements on data protection governance. The EDPB opinion aims to ensure the consistency and correct application of certification criteria among supervisory authorities in the EEA. To this end, the EDPB considers that a number of changes need to be made to the draft certification criteria. After approval by the supervisory authority, the certification mechanism will also be added to the register of certification mechanisms and data protection seals in accordance with Art. 42 (8) GDPR.



European Commission issues consultation on guidance to be included in the Vertical Guidelines



The European Commission has published an additional consultation relating to the Vertical Guidelines which come into force on 31 May 2022. The consultation concerns proposed guidance relating to information exchange in the context of dual distribution. The feedback from the consultation on a draft revised VBER and draft revised Vertical Guidelines, which took place between July and September 2021, indicated that there is a need for more guidance on the types of information that can be exchanged between a supplier and a buyer in a dual distribution relationship, and that it would be helpful if such guidance was provided in the Vertical Guidelines. The consultation ends on 18 February 2022. Further consultations are not planned.



First Code of Conduct for Data Protection in Cloud Infrastructure goes live



CISPE, the trade association for Cloud Infrastructure Service Providers in Europe, has announced that companies including Aruba, AWS (Amazon Web Services), Elogic, Leaseweb, Outscale and OVHCloud are the first of its members to declare services to be compliant with its Code of Conduct for Data Protection. The CISPE Code of Conduct for Data Protection in Cloud Infrastructure was validated by the European Data Protection Board (EDPB) and approved by the French Data Protection Authority (CNIL). It is the first GDPR code of conduct specifically designed for cloud infrastructure service providers. All the services declared must be verified by one of the three independent monitoring bodies accredited by the CNIL: Bureau Veritas, LNE and EY CertifyPoint. The controlled adherence by independent monitoring bodies provides cloud infrastructure customers with an added level of assurance when developing GDPR-compliant services in the cloud. As a compliance tool validated by data protection authorities, the CISPE Code provides additional assurance that cloud services can be used in compliance with the GDPR. Industry players can declare compliant services under the supervision of independent monitoring bodies accredited by CNIL as the supervisory authority.