This Week’s Techlaw News Round-up

March 1, 2024

UK law

ICO releases guidance on biometric data and recognition

The ICO has issued guidance on biometric recognition, which highlights how the UK GDPR applies when biometric data is used in biometric recognition systems. The guidance also looks at the uses of biometric recognition and explains how these involve processing special category biometric data. It does not cover the use of biometric classification or categorisation systems. These systems make inferences about people based on observable characteristics and will be addressed in the next phase of the ICO’s biometric technologies project through separate guidance, to be published by the end of 2024.

ICO orders Serco Leisure to stop using facial recognition technology to monitor attendance of leisure centre employees

The ICO has ordered Serco Leisure, Serco Jersey and seven associated community leisure trusts to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance. The ICO’s investigation found that Serco Leisure and the trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for attendance checks and subsequent payment for their time. They failed to show why it is necessary or proportionate to use FRT and fingerprint scanning, when there are less intrusive means available such as ID cards or fobs. Employees had not been proactively offered an alternative to having their faces and fingers scanned to clock in and out of their place of work, and it had been presented as a requirement to get paid. The ICO said that due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks. The ICO has now issued enforcement notices instructing Serco Leisure and the trusts to stop all processing of biometric data for monitoring employees’ attendance at work, as well as to destroy all biometric data that they are not legally obliged to retain. This must be done within three months of the enforcement notices being issued.

ICO launches second call for evidence on purpose limitation in the generative AI lifecycle

The ICO has issued a second call for evidence as part of its consultation series on generative AI. This second call focuses on how the data protection principle of purpose limitation should be applied at different stages in the generative AI lifecycle. It summarises the ICO’s analysis and its policy position. The power of generative AI models is partly due to the broad way in which they can be used. Despite the open-ended ambition of these models, developers need to consider the purpose limitation requirements of data protection, to ensure that before they start processing, they can set out sufficiently specific, explicit and clear purposes of each different stage of the lifecycle; and explain what personal data is processed in each stage, and why it is needed to meet the stated purpose. The ICO says that organisations will be better able to comply with data protection law and maintain public trust if they consider the difference between developing the generative AI model, developing the application based on it, and are clear about what types of data are used and how in each case.

Law Commission seeks views on regulation of self-flying and remotely piloted aircraft

The Law Commission of England and Wales is seeking views on how best to regulate self-flying and remotely piloted aircraft. Automation is already heavily used in aviation today, but recent breakthroughs have seen the development of new, innovative, self-flying (“autonomous”) and highly automated systems and vehicles. These include drones and advanced air mobility vehicles, such as vertical take-off and landing (“VTOL”) aircraft, which can provide short journeys for a small number of people. The consultation considers issues such as safety, drones, VTOLs, rules of the air and liability and ends on 27 May 2024.

Patents Court rules on consequential matters following FRAND judgment

The Patents Court has ruled in the case of Optis Cellular Technology LLC and others v Apple Retail UK Ltd and others [2024] EWHC 197 (Ch).  This follows judgment in the trial relating to the terms of a FRAND licence to Apple for Standard Essential Patents (SEPs) owned by Optis. In a further trial the court considered issues consequential to the judgment. The court had to consider the degree of redaction required in the public version of the judgment for reasons of confidentiality.  A balancing approach was appropriate between “trade secrets” and open justice and some issues were trade secrets.  However, other provisions in lump sum licences for which redactions had been sought did not come within definition of trade secrets and so the court refused the redactions. In addition, “non-discriminatory” implied a degree of transparency. People who were not currently party to the proceedings could apply to have the redactions in the judgment lifted. The judge also made it clear that the SEP owner cannot hedge its bets by commencing parallel proceedings and hoping to then choose the outcome most favourable to it.

New report on pro-innovation regulation and quantum computing published

The Regulatory Horizons Council has issued a report which sets out a pro-innovation approach to regulating quantum technologies. The report outlines 14 key recommendations within three categories: Regulatory Frameworks and Governance: Establishing application-specific regulatory frameworks that are adaptable and proportionate to the unique properties and development stages of quantum innovations; Standards and International Collaboration: Fostering international collaboration and harmonising standards to facilitate global market access; and Innovation Funding and Market Development: Integrating regulation and responsible innovation practices into the development of quantum technologies and fostering market development through regulatory sandboxes and testbeds. The RHC is now undertaking further work to identify priorities in regulating emerging technologies.

EU law

Zalando commits to follow consumer protection laws by providing clear information

Following a dialogue with the Commission and national consumer authorities, Zalando has committed to removing misleading sustainability flags and icons displayed next to products offered on its platform. Such claims can mislead consumers about the environmental characteristics of the products. As from 15 April 2024, the icons will not appear. Instead, clear information about products’ environmental benefits, such as the percentage of recycled materials used, will be provided by Zalando.

Delegated Act on Independent Audits under EU DSA enters into force

Under the Digital Services Act, Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) must undergo an annual audit, carried out by an independent auditor, to assess their compliance with their DSA obligations and with any commitments undertaken under codes of conduct and crisis protocols adopted. A delegated act on independent audits came into force on 22 February and provides a framework to guide providers of VLOPs and VLOSEs, as well as auditing organisations, in preparing and issuing audits. It sets out mandatory templates for the audit reports produced by auditors, as well as for the audit implementation reports, which will be produced by VLOPs and VLOSEs. The 20 VLOPs and 2 VLOSEs will have to transmit these audit reports to the Commission and the competent Digital Services Coordinator in their member state of establishment. They will also have to publish them at the latest within three months from the time they complete the audit report.

EDPB launches CEF action or 2024.

The European Data Protection Board has launched its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 data protection authorities (including seven German state regulators) will take part. The CEF covers the implementation of the right of access. This right was selected because it is at the heart of data protection and one of the most frequently exercised data protection rights, and one which regulators receive many complaints about. In particular, it enables individuals to check whether their personal data is processed in a compliant manner by organisations. In addition, it often enables the exercise of the other data protection rights, such as the right to rectification and erasure. In 2023, the EDPB adopted Guidelines on the right of access to help organisations respond to data access requests from individuals in line with the GDPR. The results of the joint initiative will be analysed and the various regulators will decide on possible further supervision and enforcement actions. The EDPB will publish a report on the outcome of this analysis once the actions are concluded.

1 March 2024