Cabinet Office publishes version two of Model Services Contract and guidance, CMA launches Retained Horizontal Block Exemption Regulations consultation, CMA concludes investigations into the online video gaming sector, and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.

UK law



Cabinet Office publishes version two of Model Services Contract and guidance



The Cabinet Office has published the Model Services Contract and Guidance version 2.0. The new version reflects developments in government policy, regulation and the market. The Model Services Contract forms a set of model terms and conditions for complex services contracts that are published for use by government departments and many other public sector organisations. This follows the recent publication of the Digital, Data and Technology Playbook in March and, consequently, many of the changes cover data and technology issues.



CMA launches Retained Horizontal Block Exemption Regulations consultation



The Competition and Markets Authority (CMA) is consulting about its proposed recommendation to the Secretary of State for Business, Energy and Industrial Strategy regarding the retained Horizontal Block Exemption Regulations (retained HBERs). This will inform the CMA’s recommendation on whether to replace the retained HBERs when they expire on 31 December 2022. The consultation ends on 6 May 2022.



CMA concludes investigations into the online video gaming sector



The CMA has concluded its investigations into the online video gaming sector. The sector-wide investigation looked at subscriptions for online gaming services where people automatically continue to be charged indefinitely until they take action to end their contract. The CMA was particularly concerned that people might find themselves locked into paying for services they no longer want or use. The CMA has now secured an undertaking from Sony relating to its PlayStation Plus product, a service which allows users to play online together. Sony has agreed to put in place measures to protect customers who have not used their memberships for a long time but are still paying. Sony will contact these customers to remind them how to stop payments and, if they continue not to use their memberships, Sony will ultimately stop taking further payments. The CMA also engaged with Nintendo, which changed its business practices during the course of the investigation so that Nintendo Switch Online Service is no longer sold with automatic renewal set as the default option. This means people will not be automatically entering into renewing contracts, addressing a number of the CMA’s concerns about people becoming locked in.



ICO concludes investigation into unauthorised disclosure of CCTV footage from DHSC



The ICO has issued a statement in which it says that it found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care. The leaked CCTV images showed the former Secretary of State for Health and Social Care, Matthew Hancock MP, and his former aide, Gina Coladangelo. The regulator launched a criminal investigation after it received a report of a personal data breach from DHSC’s CCTV operator, EMCOR Group plc. Given the seriousness of the report and the wider implications it potentially had for the security of information across government, the ICO had a legal duty to carry out an impartial assessment of the evidence available to determine if there had been a breach of the law. Forensic analysis revealed that the leaked images were most likely obtained by someone recording the CCTV footage screens with a mobile phone. Six phones retrieved during the execution of search warrants did not contain the relevant CCTV footage. After taking legal advice, the ICO concluded that there was insufficient evidence to charge anyone with criminal offences under the Data Protection Act 2018. The ICO has therefore closed its criminal investigation.



ICO fines Bizfella Ltd £30,000 for sending unsolicited direct marketing messages



The ICO has fined Bizfella Ltd, a credit broker that trades under various names including Cash Carrot and Pixie Loans, £30,000 for sending 224,550 unsolicited direct marketing SMS messages in contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. The ICO also served Bizfella with an enforcement notice ordering it to cease the transmission of unsolicited communications for the purposes of direct marketing via electronic means. The ICO has also fined Finance Giant Ltd £60,000 for sending just under 500,000 direct marketing texts and emails to people without valid consent. They did not make opting out of receiving marketing clear and easy to their customers.



National Security and Investment Act: guidance on compliance and enforcement



The UK government has published guidance on the National Security and Investment Act. The guidance covers notices, orders, monitoring and verifying compliance, enforcement, and processes. The Secretary of State may require a contribution to costs for dealing with an offence and may refer suspected offences to the police for possible criminal investigation.



Online Safety Bill communications offences factsheet published



The government has published a factsheet on the communications offences in the Online Safety Bill. The factsheet provides a series of case studies regarding the new communications offences (harmful communications, false communications and threatening communications) proposed by the Law Commission and included within the Online Safety Bill. It sets out example communications and assesses whether they meet the criminal threshold under the proposed revised offence(s).



EU law



EDPS issues a reprimand to the European Border and Coast Guard Agency (Frontex) for moving to the cloud without proper data protection assessment



On 1 April 2022, the EDPS reprimanded the European Border and Coast Guard Agency (Frontex) for a breach of the Data Protection Regulation (EU) 2018/1725, which applies to EU institutions, offices, bodies and agencies. The EDPS found that Frontex moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing. Frontex also failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution (Microsoft 365) was the outcome of a thorough process whereby the existence of data protection compliant, alternative products and services meeting Frontex’s specific needs were assessed. In addition, Frontex failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes. Frontex therefore breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default. In addition to the reprimand, the EDPS ordered Frontex to review its Data Protection Impact Assessment and the record of processing activities relating to the processing of personal data in cloud services.



European Parliament approves text of Data Governance Act



The European Parliament has adopted its first-reading position on the European Commission's proposal for a new Regulation on European data governance (Data Governance Act). The draft Act aims to increase trust in data sharing, create new EU rules on the neutrality of data marketplaces, and facilitate the reuse of certain data held by the public sector. It will set up common European data spaces in strategic domains such as health, the environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills. It will now have to be formally adopted by Council before it is published in the Official Journal and enters into force.



European Parliament committee agrees on proposal for common charger



The European Parliament’s Internal Market and Consumer Protection Committee has adopted its position on the revised Radio Equipment Directive. The new rules would make sure consumers no longer need a new charger and cable every time they purchase a new device, and can use one charger for all of their small and medium-sized electronic gadgets. Mobile phones, tablets, digital cameras, headphones and headsets, handheld videogame consoles and portable speakers, rechargeable via a wired cable, would have to be equipped with a USB Type-C port, regardless of the manufacturer. Exemptions would apply only for devices that are too small to have a USB Type-C port, such as smart watches, health trackers, and some sports equipment. This revision is part of a broader EU effort to address product sustainability, in particular of electronics on the EU market, and to reduce electronic waste. Once Parliament as a whole has approved this draft negotiating position at the May plenary session, MEPs will be ready to start talks with EU governments on the final shape of the legislation.