UK law

Ministry of Justice invests in legal technology

Lawtech UK is a government-backed initiative, launched in 2019 when Tech Nation was tasked with incubating LawtechUK and driving its objectives forward. It provides resources, programmes and courses to promote new ways of delivering and accessing legal services. LawtechUK has operated the Lawtech Sandbox - a programme helping UK founders and legal businesses develop new products including the development of software to help businesses detect risks of potential legal disputes with stakeholders. CodeBase and Legal Geek have now been awarded £3 million funding following a competition process, and will take over from Tech Nation. The LawtechUK programme will continue to be supported by the LawtechUK Panel.

ICO reaches agreement with Easylife Ltd

The ICO has reached an agreement with Easylife Ltd to reduce the monetary penalty issued for breaching the Data Protection Act 2018, to £250,000. Easylife accepts the ICO's findings set out in the MPN and has agreed to pay the reduced fine. The ICO fined Easylife on 4 October 2022. This followed an investigation which found the company was making assumptions about customers' medical conditions, based on their purchase history, to sell them further health related products. The ICO found this involved the processing of special category data by Easylife, and the activity was being conducted without a lawful basis. Easylife has since stopped the unlawful processing of special category data. Easylife appealed against the monetary penalty notice. Both parties have now reached agreement that the MPN and the ICO's factual findings stand, and the amount of the penalty should be reduced. The First-tier Tribunal (General Regulatory Chamber) has approved the agreement reached by both parties and has otherwise dismissed the appeal.

ICO issues updated guidance on AI

The ICO's guidance on AI and data protection has been updated after requests from UK industry to clarify requirements for fairness in AI. It includes new chapters on transparency in AI, lawfulness in AI, accuracy and statistical accuracy, fairness in AI, fairness in the AI lifecycle, and a glossary with updated content. This guidance covers what the ICO thinks is best practice for data protection-compliant AI, as well as how the ICO interprets data protection law as it applies to AI systems that process personal data. The guidance is not a statutory code. It contains advice on how to interpret relevant data protection law as it applies to AI, and recommendations on good practice for organisational and technical measures to mitigate the risks to individuals that AI may cause or exacerbate.

Ofcom issues guidance on its approach to online safety risk assessments

At the time of writing, the Online Safety Bill has reached the Committee Stage in the House of Lords. Ofcom has published a discussion document on its planned approach to risk assessments. As currently drafted, the Bill will require all regulated firms to do a risk assessment of illegal content that may appear on their service, ranging from online fraud to terrorism. Services that are likely to be accessed by children will also have to do a risk assessment concerning content which is harmful to children. Ofcom proposes a four-step process: establish the context, assess the risks, decide measures and implement; and report, review and update. Its guidance will also cover the type of evidence it thinks should feature in risk assessments. It will issue its first consultation on its approach to illegal content risk assessments once its powers commence. A separate consultation on children's risk assessments will follow. Ofcom will then issue a statement to finalise its first set of risk assessment guidance on illegal content, and services will be required to carry out their first illegal content risk assessment within three months of its publication.

Ofcom publishes research on online scams

Ofcom has published research about online scams which indicates that around nine in ten online adults in the UK (87%) have come across content they suspected to be a scam or fraud. Potential victims were most commonly contacted via a direct message, or a mass message posted to a group (46%). A fifth were reached through online advertisements (20%), while others were targeted through user-generated and influencer posts or videos (6% and 4% respectively). When asked who should take action against online scams and fraud, the majority of participants (61%) felt online tech firms have a responsibility. Just over half those surveyed said responsibility should fall to users, or to the police (54% respectively), while three in then (30%) think Ofcom should be responsible. Ofcom says that the research will help to inform its approach implementing the Online Safety Bill.

CMA combines investigations into Meta and Google

On 25 May 2022, the CMA launched an investigation under Chapter II of the Competition Act 1998 into suspected breaches of competition law by Google. The investigation concerns Google's conduct across parts of the ad tech stack. The CMA has been conducting a separate investigation into whether Google has abused a dominant position through its conduct in relation to header bidding services. The CMA has decided on administrative priorities grounds to close its investigation into whether Google and Meta entered into an anti-competitive agreement under Chapter I of the Competition Act 1998. As a result, the CMA is no longer investigating Meta in this case. The CMA is continuing to investigate whether Google has abused a dominant position through its conduct in relation to header bidding services under Chapter II of the Competition Act 1998. That investigation includes whether Google has abused a dominant position through its agreement with Meta. Due to the interrelationship of the facts and conduct in the two investigations, the CMA ahs taken the decision to combine them.

Artificial Intelligence in Weapons Systems Select Committee issues call for evidence

The Committee is considering the use of artificial intelligence in weapons systems. Advances in robotics and digital technologies, including artificial intelligence, have led to step changes in many sectors, defence included. One such area of advancement and heightened interest is the creation of automated weapons systems. Concerns have arisen about the ethics of these systems, how they can be used safely and reliably, whether they risk escalating wars more quickly, and their compliance with international humanitarian law. Much of the international policymaking surrounding AWS has been focused on restricting their use, either through limitations or outright bans. The Committee will be looking at a wide range of issues surrounding AWS, including: the challenges, risks and benefits associated with them; the technical, legal and ethical safeguards that are necessary to ensure that they are used safely, reliably and accountably; and the sufficiency of current UK policy and the state of international policymaking on AWS. The deadline for responses is 10 April 2023.

Ofcom announces consultation on auction design and licence conditions

Ofcom has confirmed that it will make millimetre waves (mmWave) spectrum across the 26 GHz and 40 GHz bands available for new mobile technology, including 5G services. This could deliver significant benefits by enabling large wireless data capacity and speeds. It can be used to improve mobile services and deliver innovative new services across the UK. As well as mobile services, mmWave spectrum could, in future, also support innovative wireless applications requiring large amounts of data, very high speeds, or both. Ofcom expects that new uses of mmWave spectrum will be mostly concentrated in areas with high levels of data traffic such as towns and cities. Ofcom will award citywide licences to use mmWave spectrum by auction and assign licences for more localised licences on a first come, first served bases, using its Shared Access licensing framework. It is now consulting on proposals for the design of the auction for citywide licences, the licence conditions for citywide and local mmWave licences, and how it will coordinate users of this spectrum. The consultation ends on 22 May 2023.

HRA announces launch of Artificial Intelligence and Digital Regulations Service

The Health Research Authority has launched the Artificial Intelligence and Digital Regulations Service. The service aims to clearly set out the information and guidance that developers and adopters need to follow to develop safe, innovative technologies in health and social care. This includes advice on legal requirements, best practice guidance for the development and adoption of AI and digital technologies.

ICO shares resources to help designers embed data protection by default

The ICO has produced new guidance to help UX designers, product managers and software engineers embed data protection into their new products and services from the outset. The guidance considers key privacy considerations for each stage of product design, from kick-off to post-launch. It includes both examples of good practice and practical steps that organisations can take to comply with data protection law when designing websites, apps or other technology products or services.

Cabinet Office announces Integrated Review Refresh 2023 including AI taskforce

The Cabinet Office has announced its Integrated Review Refresh 2023. Among other things, it plans to generate strategic advantage through science and technology. It has identified five priority technologies crucial for delivering UK objectives, including the cyber power agenda: AI, semiconductors, quantum technologies, future telecommunications, and engineering biology. It says that it will publish strategies for semiconductors and quantum technologies in 2023. In AI in particular, recent developments such as the launch of ChatGPT and the announcement of Google Bard have shown the powerful potential for technologies which are based upon foundation models, including large language models. To ensure the UK is at the forefront of this technology the government is establishing a new government-industry AI task force to bring together experts and report to the PM and Secretary of State for DSIT. The UK will seek to incentivise investment in data-sharing infrastructure, remove barriers to global data access and use, encourage data sets to be made available publicly, and boost individual control of personal data.

EU law

Google and Alphabet appeal General Court judgment on European Commission's Google Android infringement decision

Details have been published in the Official Journal about an appeal by Google, LLC and Alphabet, Inc. The appeal challenges the General Court's September 2022 judgment which largely dismissed their action against the European Commission's decision to impose a fine for Google's breaches of Article 102 of the TFEU. The fine was levied due to Google's practices regarding the Android mobile operating system and applications.

BEUC provides recommendations on Commission's proposal to revise Product Liability Directive

The European Consumer Organisation has published a position paper commenting on the European Commission's proposal to revise the Product Liability Directive, which was published in September 2022. The BEUC supports many elements of the proposal. However, it has also made some recommendations for improvement. It says that the definition of product should explicitly state that software, including AI, is covered as component of a product, as standalone product and as a service, "related digital content" should be covered by the scope of the Directive, and it welcomes the fact that digital manufacturing files will be included in the definition of a product. It also says that products should be considered defective whenever they are not in compliance with the law or deviate from the functioning consumers are entitled to expect. BEUC welcomes the proposal to recognise loss and corruption of data as compensable damage. It says that theft and unauthorised copying of data should also be recognised as compensable damage. Further, it takes the view that the proposed conditions for the liability of online marketplaces are too narrow. Consumers should be able to hold online marketplaces liable if the manufacturer or third-party seller is based outside the EU, or if the online marketplace fails to identify the manufacturer or third party seller.

EDPB launches coordinated enforcement on role of data protection officers

The European Data Protection Board has launched its 2023 coordinated enforcement action, which will focus on the designation and position of data protection officers (DPOs). It says that as intermediaries between data protection authorities, individuals and the business units of an organisation, data protection officers have an essential role in contributing to compliance with data protection law and promoting effective protection of data subject rights. Regulators will gauge whether DPOs have the position in their organisations required by Article 37-39 GDPR and the resources needed to carry out their tasks. DPOs will be sent questionnaires to aid fact-finding exercise or questionnaires to identify if a formal investigation is warranted; commencement of a formal investigation; or follow-up of ongoing formal investigations. The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will published a report on the outcome of this analysis once the actions are concluded.

MEPs approve revised text of Data Act on use of industrial data

Members of the European Parliament have approved a Data Act which proposes new rules for fair access to and use of industrial data. The Data Act aims to boost innovation by removing barriers obstructing access by consumers and businesses to data. It establishes common rules governing the sharing of data generated by the use of connected products or related services to ensure fairness in data sharing contracts. MEPs suggested measures to allow users access to the data they generate, as 80% of industrial data collected is never used, according to the European Commission. They also want to ensure contractual agreements are at the centre of business-to-business relationships. Companies would be able to decide what data can be shared, and the manufacturer could choose not to make certain data available "by design". When companies draft their data-sharing contracts, the law aims to rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies in a significantly stronger bargaining position. The text also defines how public sector bodies can access and use data held by the private sector that is necessary in exceptional circumstances or emergencies, such as floods or wildfires. MEPs also strengthened provisions to protect trade secrets and avoid a situation where increased access to data is used by competitors to retro-engineer services or devices. They also set stricter conditions on business-to-government data requests. Finally, the Data Act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers. MEPs will now negotiate with the Council on the final shape of the law.