High Court considers ownership of LinkedIn contacts in an employment context, ICO launches artificial intelligence and data protection risk toolkit, DCMS publishes new research on cyber security issues regarding use of internet-connected devices by businesses and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.
High Court considers ownership of LinkedIn contacts in an employment context
The recent High Court decision in Clayton Recruitment Ltd v Wilson & Anor  EWHC 1054 (Ch) considered the ownership of LinkedIn contacts as part of a costs application. The defendant W was employed by a legal recruitment agency and he left his employer to start his own recruitment agency. In his LinkedIn account he had a large number (about 3,500) of business connections - business individuals with whom he was "connected" even if he did not deal with them all. Some of them were probably purely personal; others (probably most of them) were connections made in the course of his employment. The claimant was justifiably sensitive about W maintaining his connections in his LinkedIn account. They, or a very large part of them, were connections which the claimant was entitled to protect under its contract. When they were used for W’s circular about his new business the judge said that the claimant was justifiably concerned that those connections would be used for W’s own competing activities. W’s employment contract and other contractual arrangements meant that his employer owned LinkedIn connections made in the course of his employment and the contract clearly provided for their deletion.
ICO launches artificial intelligence and data protection risk toolkit
The ICO has launched the first version of its AI and data protection risk toolkit. It is a risk assessment tool designed to provide further practical guidance to organisations to help them reduce the risks to individuals’ rights and freedoms caused by their own AI systems. It aims to support organisations to understand the risks to individuals’ information rights caused by the processing of personal data by AI.
DCMS publishes new research on cyber security issues in use of internet-connected devices by businesses
The Department for Digital, Culture, Media and Sport has published new research about cyber-security issues in internet-connected devices used by businesses. Key findings include: despite significant concerns from IT professionals about device security, enterprise connected devices are being deployed and relied on by many organisations; vulnerabilities are found regularly in enterprise connected devices which have put large numbers of organisations at risk; and organisations lack clarity on how to monitor and protect themselves from vulnerable connected devices. It follows publication of Part 1 of the government's Product Security and Telecommunications Infrastructure Bill.
DCMS issues further guidance on Product Security and Telecommunications Infrastructure Bill
The DCMS has also issued additional guidance about the Product Security and Telecommunications Infrastructure Bill, which supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products. The guidance documents published on the Bill are a product security impact assessment, a de minimis assessment of telecommunications infrastructure, an opinion by the Regulatory Policy Committee as well as a memorandum for the Joint Committee on Human Rights.
NEC Software Solutions UK / Capita Secure Solutions and Services merger inquiry updated
The CMA is investigating the completed acquisition by NEC Software Solutions UK Limited of SSS Public Safety Limited and Secure Solutions USA LLC (previously part of Capita plc). It has now referred the completed acquisition by NEC Software Solutions UK Limited of SSS Public Safety Limited and Secure Solutions USA LLC for an in-depth investigation, on the basis that, on the information currently available to it, it is or may be the case that this merger has resulted or may be expected to result in a substantial lessening of competition within a market or markets in the United Kingdom.
NCSC publishes updated cloud security guidance collection
The National Cyber Security Centre has launched its updated cloud security guidance. It collates and refreshes its existing cloud guidance (and blogs) into a single collection. The cloud collection includes a new section on choosing the right cloud provider to suit your security needs. There are two approaches to doing this. The first is applying the 14 Cloud Security Principles; this approach is recommended for organisations hosting sensitive data in the cloud (such as personally identifiable, commercially sensitive and government official data). The second is using the Lightweight Approach to Cloud Security, which helps an organisation to identify whether a service has the most important security features that will help it defend against common attacks. This approach is suitable for smaller organisations looking to do some due diligence on their online services, as well as larger organisations that are not processing sensitive data.
CAP issues statement on live facial recognition
In a 2021 Opinion, the ICO looked at the use of live facial recognition (LFR) for various purposes, including for advertising. CAP has summarised key advertising-related parts of the Opinion and signposted potential future issues that might fall to be considered by the ICO and/or the ASA. The Opinion notes that LFR can also be used for marketing, to gain marketing insights or to deliver products. Where LFR is used in this context, it tends to be used for categorisation, usually in the digital out-of-home sector. This enables organisations to estimate footfall for advertising space; measure engagement with advertising space; provide interactive experiences; or serve targeted ads to passing individuals. Data protection law requires that the data protection principles be adhered to when processing personal data of individuals. In this context, organisations must ensure, first and foremost, that the processing is lawful, fair and transparent. Where biometric data is processed to uniquely identify someone, further safeguards will have to be in place. The ICO advises that there is a high legal threshold to meet for the use of LFR and organisations will have to justify the use of this technology. They should also be able to demonstrate accountability, such as ensuring governance is in place through the undertaking of Data Protection Impact Assessments. Some of the advertising purposes fall beyond the remit of the CAP Code, but where the technology involves the processing of personal data to serve ads to consumers, in addition to data protection obligations, it would fall within Section 10 of the CAP Code and would be subject to rules relating to the legal basis for processing data for ads and transparency about the use of data. Any ads served via LFR would also have to comply with the rest of the CAP Code. CAP and the ASA will keep an eye on the emerging use of LFR for marketing purposes, and issue further guidance where appropriate.
ASA issues annual report covering 2021
The ASA has issued its annual report covering 2021. Among other things, it highlights ways in which the ASA is using technology, in line with its strategy, to tackle misleading and irresponsible ads online. Coinciding with the report, the ASA has also set out how its use of AI is helping it to identify and take enforcement action against influencers who fail to disclose when their posts are ads. It can capture and analyse all Instagram Stories produced by influencers who are on the ASA’s radar for being unwilling or unable to clearly and consistently label when their content is an ad.
Council of the European Union approves Data Governance Act
The Council has approved a new law with the aim of promoting the availability of data and building a trustworthy environment to facilitate their use for research and the creation of innovative new services and products. The Data Governance Act will set up mechanisms to facilitate the reuse of certain categories of protected public-sector data, increase trust in data intermediation services and foster data altruism across the EU. It is an important component of the European strategy for data, which aims to bolster the data economy. The new rules will apply 15 months after the entry into force of the new regulation.
Council of European Union extends cyber-attack sanctions regime until 18 May 2025
The Council of the European Union has decided to prolong the framework for restrictive measures against cyber-attacks threatening the EU and its member states for a further three years, until 18 May 2025. This framework allows the EU to impose targeted restrictive measures on persons or entities involved in cyber-attacks which cause a significant impact, and constitute an external threat to the EU or its member states. Restrictive measures can also be imposed in response to cyber-attacks against third states or international organisations where such measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy. Sanctions currently apply to eight individuals and four entities, and include an asset freeze and a travel ban. Additionally, EU persons and entities are forbidden from making funds available to those listed. These individual listings will continue to be reviewed every 12 months.
EDPS welcomes harmonised rules on cybersecurity and information security for all EU institutions
The European Data Protection Supervisor has published opinions about the Proposal for a Regulation laying down measures for a high common level of cybersecurity in the EU institutions, bodies, offices and agencies (EUIs) and about information security in the EUIs. The EDPS welcomes the aim of the Proposals to improve the cybersecurity and information security of EUIs by establishing common rules and minimum security requirements that are aligned with relevant objectives of the EU’s Cybersecurity Strategy. Both Proposals are related to the proposal to harmonise and strengthen cybersecurity practices across the EU. The EDPS stresses how the Proposals can have a positive impact on the security of personal data. However, the security measures mandated by the Proposals also carry risks for compliance with EU privacy and data protection legislation. All security measures envisaged should have a valid legal basis and be necessary and proportionate. There should be a specific obligation for EU officials responsible for cybersecurity and information security to cooperate closely with the data protection officers, integration of security risk management with personal data security, and integration of security incident and data breach handling procedures. The EDPS strongly advises that the Cybersecurity Proposal provide for the EDPS’ participation in the Interinstitutional Cybersecurity Board.
European Commission takes legal proceedings over failure to transpose Audiovisual Media Services Directive
The European Commission has referred the Czech Republic, Ireland, Romania, Slovakia and Spain to the Court of Justice of the EU because they have failed to transpose Directive (EU) 2018/1808 (the Audiovisual Media Services Directive). The Commission has also called for the Court of Justice to impose financial sanctions on member states that have failed to notify measures transposing a Directive, in accordance with Article 260(3) of the Treaty on the Functioning of the EU. In addition, the European Commission has sent reasoned opinions to several member states over their failure to notify the Commission about the transposition of Directive (EU) 2019/789 (copyright and related rights applicable to certain online transmissions) and has sent reasoned opinions about member states’ failure to notify the Commission about the transposition of Directive (EU) 2019/790 (copyright and related rights in the Digital Single Market).