This Week’s Techlaw News Round-up

May 24, 2024

UK law

DMCC Bill completes parliamentary process and other “wash-up” news

The Digital Markets, Competition and Consumers Bill has completed the parliamentary process ahead of the 2024 General Election and will receive Royal Assent on 24 May. At the time of writing, it looks as if the Media Bill may also complete the process as part of the “wash-up” process, but the fate of the Digital Information and Data Protection Bill looks more uncertain.

Automated Vehicles Act in force as of 20 May 2024

The Automated Vehicles Act came into force on 20 May 2024 following its Royal Assent. It places an obligation on self-driving vehicles to achieve as high a level of safety as careful and competent human drivers.  It also requires self-driving vehicles to meet rigorous safety checks before they are due to be in use by 2026. Corporations such as insurance providers, software developers and automotive manufacturers will assume responsibility for how the vehicle drives.

High Court rules on Bitcoin identity issue

The High Court has ruled in Crypto Open Patent Alliance v Wright [2024] EWHC 1198 (Ch) that the defendant Dr Wright was not: the author of the Bitcoin White Paper (which described the Bitcoin system and was in October 2008).  The court also ruled that Dr Wright was neither the author of the initial versions of the Bitcoin software; nor the person who adopted or operated under the pseudonym Satoshi Nakamoto in the period between 2008 and 2011.  Finaly, he was not the person who created the Bitcoin system. The judge said “I am entirely satisfied that Dr Wright lied to the Court extensively and repeatedly. Most of his lies related to the documents he had forged which purported to support his claim. All his lies and forged documents were in support of his biggest lie: his claim to be Satoshi Nakamoto.”  The judgment also notes that remote links to the proceedings had been provided (on individual request) to over 400 people from all over the world. By the conclusion of the trial, that number had risen to over 1100, reflecting the wide interest.

ICO announces fine for PSNI data breach

The ICO has announced it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 for failing to protect the personal information of its entire workforce. Personal information, including surname, initials, rank and role of all 9,483 serving PSNI officers and staff, was included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request. The ICO’s investigation has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate. In September 2023, following the report from the PSNI and reports of several other high-profile personal data breaches, the ICO issued an advisory notice which provided recommendations for public authorities to adopt to ensure personal information is not inappropriately included as part of a freedom of information response. Recognising that public money is best used to support the delivery of essential services, the ICO has used its discretion to apply the public sector approach when calculating the PSNI provisional fine amount. The aim of the approach is to ensure public money is not diverted away from where it is needed most, while maintaining the right to issue fines in the most serious of cases. Had the public sector approach not been applied, this provisional fine would have been set at £5.6 million. PSNI has also been issued with a preliminary enforcement notice, requiring it to improve the security of personal information when responding to FOI requests. The ICO’s findings are provisional, and it says that it will carefully consider any representations PSNI make before making a final decision on the fine amount and the requirements in the enforcement notice.

ICO concludes investigation into Snap’s chatbot

The ICO has concluded its investigation into Snap’s approach to assessing the data protection risks of its “My AI” chatbot. In June 2023, the ICO started investigating “My AI” following concerns that Snap had not met its legal obligation to adequately assess the data protection risks posed by the new chatbot. Snap launched “My AI” for its premium Snapchat+ subscribers on 27 February 2023, before it was subsequently made available to all Snapchat users on 19 April 2023. The investigation led to the ICO issuing a Preliminary Enforcement Notice to Snap on 6 October 2023. Its investigation resulted in Snap taking significant steps to carry out a more thorough review of the risks posed by “My AI” and demonstrate to the ICO that it had implemented appropriate mitigations. The ICO says that it is satisfied that Snap has now undertaken a risk assessment relating to “My AI” that complies with data protection law. It will continue to monitor the rollout of “My AI” and how emerging risks are addressed.

AI safety commitments agreed between global companies

New commitments to develop AI safely have been agreed with 16 AI tech companies, including companies from the US, China and the Middle East. They will each publish safety frameworks on how they will measure risks of their frontier AI models, such as examining the risk of misuse of technology by bad actors. The frameworks will also outline when severe risks, unless adequately mitigated, would be “deemed intolerable” and what companies will do to ensure thresholds are not surpassed. In the most extreme circumstances, the companies have also committed to “not develop or deploy a model or system at all” if mitigations cannot keep risks below the thresholds. On defining these thresholds, companies will take input from trusted actors including home governments as appropriate, before being released ahead of the AI Action Summit in France in early 2025.

Ofcom fines BT £2.8m for failing its EE and Plusnet customers

Ofcom has fined BT £2.8m after it failed to provide more than a million customers with clear and simple contract information before signing up to a new deal. Ofcom says that BT broke its consumer protection rules designed to ensure telecoms customers get clear, comparable information about the services they are considering buying. Since June 2022, phone and broadband companies have been required to give consumers and small businesses the details of a contract, as well as a short summary of its key terms, before they sign up. This must include information such as the price and length of the contract, the speed of the service and any early exit fees. Ofcom’s investigation has found that two of BT’s wholly-owned subsidiaries, EE and Plusnet, failed to provide these documents to at least 1.1 million customers.

CAP updates its in-game purchases guidance

The Committee on Advertising Practice has updated its guidance about advertising in-game purchases. In September 2021, CAP published new guidance on in-game purchases, which covers types of in-game storefronts, platforms for purchasing games, and broader advertising for the games themselves. The guidance has been subsequently reviewed in May 2023. The guidance is aimed at ensuring that advertisers know how to avoid misleading consumers about the cost of in-game purchases, whether games contain them, and how they might affect gameplay.

EU law

Council gives final green light to AI Act

The Council of the EU has approved the AI Act. It aims to harmonise rules on artificial intelligence and follows a “risk-based” approach, which in theory means the higher the risk to cause harm to society, the stricter the rules. The new law aims to foster the development and uptake of safe and trustworthy AI systems across the EU’s single market by both private and public actors. At the same time, it aims to ensure respect of fundamental rights of EU citizens and stimulate investment and innovation on artificial intelligence in Europe. The AI Act applies only to areas within EU law and provides exemptions such as for systems used exclusively for military and defence as well as for research purposes. After being signed by the presidents of the European Parliament and of the Council, it will be published in the EU’s Official Journal in the coming days and enter into force twenty days after publication. The new regulation will apply two years after its entry into force, with some exceptions for specific provisions.

BEUC says Temu is breaching the Digital Services Act

Consumer groups from the BEUC network have filed complaints with authorities against Chinese online marketplace Temu. They allege that Temu has failed to protect consumers and that it uses manipulative practices which are illegal under recent EU legislation. According to BEUC, Temu, which has over 75 million monthly users in the EU, often fails to provide crucial information to consumers about the seller of the products and is therefore unable to share whether the product meets EU product safety requirements. It also provides inadequate information about its recommender systems and how the different criteria it uses lead to certain products being suggested. In addition, the online marketplace is rife with manipulative techniques (dark patterns) to encourage consumers to spend more than they might originally want to, or to complicate the process of closing their account. BEUC says that Temu breaches the EU’s new online content law, the Digital Services Act, on all the above points and so should be investigated by authorities.

Council of Europe adopts the Framework Convention on Artificial Intelligence

The Council of Europe has adopted the Framework Convention on Artificial Intelligence), the first global treaty which ensures that AI systems uphold human rights. The treaty covers the use of AI in the public and private sectors, transparency and oversight requirements in relation to generative AI and states’ accountability and responsibilities for adverse impacts of AI. The treaty also requires signatories to ensure gender equality, privacy rights, and make legal remedies available for victims of human rights violations related to the use of AI systems through independent oversight mechanisms and compliance processes.

The EPO and EUIPO publish 2024—2025 work plan to enhance the European IP system

The European Patent Office and the European Union Intellectual Property Office have published their work plan for 2024—2025 which aims to make the European IP system more effective, improve its accessibility and better protect European businesses abroad. The plan also outlines new areas such as green technologies and IP education which builds on the EPO and EUIPO’s 2023 achievements and further areas like AI-related activities, IT projects and best practices in data protection and anti-scam networks. The goal is to develop a harmonised and high-quality IP environment.