Revised Financial Services and Markets Bill published, ICO issues fine for unsolicited marketing calls, DCMS carries out digital rights review for listed sports events and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.
Revised Financial Services and Markets Bill published
Amendments have been introduced to the Financial Services and Markets Bill which would amend the Financial Services and Markets Act 2000. If these changes remain in the final legislation, the amendment could bring cryptoassets generally within the regulatory perimeter. The wider definition of "cryptoassets" is likely to take in a broader selection of digital assets (including, for example, NFTs) than previously expected. The amendments would also mean a change in emphasis regarding the regulation of cryptoassets. Originally, the Bill was planned to regulate stablecoins and financial promotions relating to cryptoassets. The UK government has already said that it will consult on the extension of the regulatory perimeter to all cryptoassets before the end of this year. In addition, the Bank of England plans to consult about the regulatory framework for stablecoins next year.
ICO issues fine for unsolicited marketing calls
The ICO has issued a fine to Zuwyco Limited, a lead generation company, for their involvement in making almost 100,000 unsolicited marketing calls. An initial investigation began in May 2020, following several complains made to the ICO stating that Zuwyco had persistently called consumers, asking them to sign up for pension transfer schemes. The ICO's investigations showed that all but one complainant was called multiple times - one receiving more than 50 calls from Zuwyco, despite being registered on the Telephone Preference Service. Others continued to be called even after specifically asking the company not to contact them further. The investigation concluded that Zuwyco breached regulations 21 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the ICO issued a fine of £160,000.
DCMS carries out digital rights review
The UK government announced its intention to review whether digital rights should be brought in scope of the listed events regime in its broadcasting white paper. It has now published the terms of reference for the review. The DCMS has already undertaken engagement with stakeholders from a range of groups likely to be interested in the review since the publication of the broadcasting white paper. The publication of the terms of reference provides an opportunity for any further stakeholders with an interest to contribute to the review.
Ofcom publishes Spectrum Roadmap and Space spectrum strategy
Ofcom has published an updated version of its Spectrum Roadmap which sets out its intention to progress new areas of spectrum related work with a view to deliver to Spectrum Management Strategy. The new version follows a consultation and sets out future work areas. These will include: reviewing the impact of technology developments and network convergence to inform policies on future spectrum use, exploring new ways to enable innovation and sharing such as using spectrum 'sandboxes', and obtaining more real-world data to support the more efficient use of the spectrum. Ofcom says that the demand for spectrum continues to increase. It has also provided a summary of responses to its consultation. Furthermore, Ofcom has published the Space spectrum strategy, which contains its refreshed approach for managing radio spectrum used by the space sector.
New Ofcom rules to right fake number fraud
Ofcom is strengthening its rules and guidance to require all telephone networks involved in transmitting calls either to mobiles or landlines, to identify and block spoofed calls, where technically feasible. This aims to make it harder for scammers to use spoofed numbers. Ofcom has also updated its guidance on how all phone companies should identify and block spoofed calls. This includes making sure a number meets the UK's 10 or 11-digit format; blocking calls from numbers that are on Ofcom's Do Not Originate list; and identifying and blocking calls from abroad spoofing a UK caller ID. Ofcom's guidance to telecoms firms to identify and block calls from abroad that falsely use UK numbers is based on an industry initiative, which some providers have already implemented voluntarily. Ofcom is giving phone companies six months to make the necessary technical changes to comply with these new rules, which will come into force in May 2023. When dealing with requests for genuine numbers, Ofcom expects providers to run "know your customer" checks on business customers. These could involve checking the Companies House register, fraud risk databases and the Financial Conduct Authority's Warning List to uncover information that may indicate a high risk of misuse by the customer seeking to use phone numbers.
Ofcom issues discussion document on media plurality
Ofcom says that it has been almost two decades since the UK's media plurality framework was last updated, and in that time, the way in which news is consumed has changed dramatically. As intermediaries increasingly play the role of gatekeepers, curating or recommending news content to online audiences, it is not clear that people are aware of the choices being made on their behalf, or their impact. To better understand the implications of these changes, Ofcom has started a programme of work on the future or media plurality. Specifically, it has set out to examine the possible impacts of the growth of online news, and the tole of online intermediaries, on media plurality, and what, if any, regulatory changes may be necessary to maintain and secure it. The discussion document sets out Ofcom's understanding of how online intermediaries currently operate within the UK news ecosystem. The report explains the role they play in the news value chain; examines the potential risks they might pose and discusses some potential options for amending the regulatory framework to help secure positive outcomes for media plurality in the UK. Ofcom will be engaging with industry and interested parties and then plans to develop formal recommendations for consideration by the UK government.
CMA consults on allowing school early exit from software contracts
The CMA is consulting on proposals from Education Software Solutions Limited to allow schools to escape longer-term software contracts due to concerns that the lack of notice given to them limited their choice and competition. ESS is the largest provider of school management information system (MIS) software in England and Wales. In April 2022, the CMA started investigating if ESS' conduct was anti-competitive by effectively limiting schools' ability to choose an MIS software provider and excluding its competitors. The CMA was concerned about ESS providing that its customers - schools in England and Wales - must move to three year contracts, from their previous one-year contracts, without giving them sufficient time to make alternative arrangements with other software providers. The CMA was concerned taht these changes reduced schools' choice of MIS software provider and made it difficult for other providers to compete with ESS to win business. ESS has offered to give commitments, which would enable certain schools - broadly those schools which had been given insufficient time to switch providers - to apply to an independent adjudicator for a new break clause to allow them to escape their current three-year contract with ESS and choose alternative providers. The CMA considers that the proposed commitments address its competition concerns by giving affected schools the choice to exit their current three-year contract and switch to another MIS supplier, facilitating competition. It is consulting on the commitments until 8 December 2022.
European Parliament adopts new cybersecurity legislation
The European Parliament has adopted stricter requirements for cybersecurity risk management, reporting obligations and information sharing. The rules cover topics from incident response and encryption to vulnerability disclosure, and will also establish a framework for enhanced co-operation and information-sharing between different bodies and member States. The legislation will expand the entities and sectors who will need to take the measures, including essential sectors of energy, transport, health and banking, as well as important sectors such as waste management, food, motor vehicles and electronics.
European Commission adopts proposal for Regulation to promote transparency
The European Commission has adopted a proposal for a Regulation of the European Parliament and of the Council on data collection and sharing relating to short-term accommodation rental services and amending Regulation (EU) 2018/1724 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services. The Commission's proposal will be discussed in view of adoption by the European Parliament and the Council. After its adoption and entry into force, Member States will have a two-year period to establish the necessary mechanisms for data exchanges.
EDPS calls for better protection for all journalists and a ban on highly advanced military-grade spyware
The European Data Protection Supervisor (EDPS) has published Opinion 24/2022 on the proposed EU Media Freedom Act. It welcomes the objectives pursued in the proposed EU Media Freedom Act to protect media freedom, independence and pluralism across the EU. However, the EDPS is concerned that the measures may not be effective in practice. The EDPS recommends that the legislation should clarify that any journalist would benefit from the protection offered. It should also further define and restrict the possibility to waive the protection of journalistic sources and communications, particular the exceptions related to the prohibition on intercepting communications using spyware or other forms of surveillance of media service providers. The EDPS also recommends that the proposed Act includes measures guaranteeing the independence of EU member states' authorities and bodies tasked with reviewing breaches of the protection of journalistic sources and communications. In addition, an explicit legal basis for cooperation between the relevant EU supervisory authorities, including EU data protection authorities, according to their respective competences, should be included. While understanding and supporting the obligation to make some media service providers' personal data publicly available to achieve transparency and for matters of public interest, the EDPS points out the potential interference with the fundamental rights to privacy and data protection that publishing this information may entail. Therefore, the EDPS recommends listing explicitly the public interest purposes for which certain information will be made public, as well as the categories of personal data to be made public considering the purposes.
EDPS issues opinion on EU-wide cybersecurity requirements to protect privacy and personal data
The EDPS has published its Opinion on a proposed Regulation setting out cybersecurity requirements for products with digital elements. It aims to set out EU-wide cybersecurity requirements for a broad range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters or routers. In its Opinion, the EDPS reiterates that under the GDPR an appropriate level of security of the processing of personal data must be ensured by controllers and processors. In addition, data protection principles must be embedded throughout the development of technologies that process personal data, including many products with digital elements. The EDPS strongly recommends that the new laws include data protection by design and by default principles. It highlights that the proposed European cybersecurity certificate should not serve as a replacement for the GDPR certification, which already guarantees compliance with the GDPR. It should be made clear in the proposed Regulation that the cybersecurity certificate does not mean that a particular product with digital elements complies with the GDPR. The EDPS suggests clarifying the relationship between the proposed Regulation and EU data protection laws, specifically how these will interact around market surveillance and enforcement.
ECJ rules on conditions for establishing whether net costs of universal service provision are unfair burden on universal service provider
The Court of Justice of the European Union has ruled in Case C-494/21 Eircom Limited v Commission for Communications Regulation on questions from an Irish court about the Universal Service Directive (Directive 2002/22) about whether the net costs of the provision of the telecoms universal service impose an unfair burden on the designated universal service provider. The Directive provides that, where necessary, member states should establish mechanisms for financing the net cost of universal service obligations (USOs) in cases where it demonstrated that the obligations can only be provided at a loss or at a net cost which falls outside normal commercial standards. The ECJ concluded that Articles 12 and 13 of the Directive must be interpreted as requiring the competent national regulatory authority, to determine whether the net cost of USOs represents an unfair burden on an operator entrusted with such obligations, to examine the characteristics particular to that operator, taking into account its situation compared with its competitors in the relevant market.
Commission opens in-depth investigation into the proposed acquisition of Activision Blizzard by Microsoft
The European Commission has opened an in-depth investigation to assess the proposed acquisition of Activision Blizzard by Microsoft under the EU Merger Regulation. The Commission is concerned that the proposed acquisition may reduce competition in the markets for the distribution of console and personal computers, video games and for PC operating systems. The Commission's preliminary investigation shows that the transaction may significantly reduce competition on the markets for the distribution of console and PC video games, including multi-game subscription services and/or cloud game streaming services, and for PC operating systems. In particular, the Commission is concerned that, by acquiring Activision Blizzard, Microsoft may foreclose access to Activision Blizzard's console and PC video games, especially to high-profile and highly successful games (so called 'AAA' games) such as 'Call of Duty'. The preliminary investigation suggest that Microsoft may have the ability, as well as potential economic incentive, to engage in such conduct vis-a-vis rival providers of PC operating systems. The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns are confirmed. It has 90 working days, until 23 March 2023, to take a decision. It says that the opening of an in-depth inquiry does not prejudge the outcome of the investigation. the UK's CMA has also been considering the transaction and has competition law concerns.
UK, Canada and Singapore partner on cybersecurity for IoT
The DCMS has announced a partnership between the UK, Canada and Singapore. The three countries have agreed to work together to promote and support cybersecurity measures for internet connected products. The governments have agreed to co-ordinate their approaches and consider similar effects from other governments, academia, trade and civil society with the aim of ensuring innovation is fostered while avoiding fragmentation of security requirements. The governments have also endorsed the emerging baseline security requirements for such products and believe that international standards are necessary to mitigate the cyber risks.
Regulators collaborate through new global network to counter online harm
The new Global Online Safety Regulators Network has been formally launched. It is a collaboration between Australia's eSafety Commissioner, Fiji's Online Safety Commission and Ofcom in the UK, with support from the Broadcasting Authority of Ireland. The Network is intended to pave the way for a coherent international approach to online safety regulation, by enabling new online safety regulators to share information, experience and best practices. Members will share a commitment to act independently of commercial and political influence, as well as to foster human rights, democracy and the rule of law. The Network is being set up at a time of rapid evolution in the global digital landscape and a greater focus on online safety issues from governments, industry and citizens alike. The includes recent legislative reforms like Australia's Online Safety Act 2021, Fiji's Online Safety Act 2018, the UK's Online Safety Bill, Ireland's Online Safety and Media Regulation Bill 2022 and the European Union's Digital Services Act, as well as online safety reform work underway in Canada, New Zealand and Singapore.