This Week’s Techlaw News Round-up

March 22, 2024

UK law

ICO publishes new fining guidance

The Information Commissioner’s Office has published new data protection fining guidance setting out how it decides to issue penalties and calculate fines. The guidance aims to provide greater transparency for organisations about how the ICO uses its fining power. Publication of the guidance follows a consultation last year. The new guidance replaces the sections about penalty notices in the ICO Regulatory Action Policy published in November 2018. Among other things, the guidance explains the legal framework that gives the ICO the power to impose fines, helping people more easily navigate the complexity of the legislation; how the ICO will approach key questions, such as identifying the wider “undertaking” or economic entity of which the controller or processor forms part; and the methodology the ICO will use to calculate the appropriate amount of the fine.

ICO reprimands Dover Harbour Board and Kent Police over information sharing

The ICO has also issued reprimands to Dover Harbour Board and Kent Police after they breached data protection law. Officers from both organisations used the social media app, WhatsApp, and instant-messaging service, Telegram, on their personal phones to share information for the purpose of combatting vehicle crime. At the time of the ICO’s investigation, the Telegram group included 241 officers from multiple UK police forces and international law enforcement agencies. The ICO found evidence that personal information was being shared in the group without appropriate safeguards in place. Using social media messaging apps on personal devices avoids the necessary oversight supervisors and managers should have. It says that there are official channels for law enforcement agencies to lawfully share information which should be used by staff.

FCA issues report in use of synthetic data in financial services

The Financial Conduct Authority has published a report about the use of synthetic data in financial services. Synthetic data is one of many privacy enhancing technologies that can expand and support data sharing. While it has the potential to address important financial services public policy issues, such as financial crime and fraud, there are still open questions that are being researched. Recognising the potential for this technology to drive societal good and foster a more inclusive and fair financial landscape, the FCA set up the Synthetic Data Expert Group in March 2023. The group brings together 21 experts from across financial services, public sector, data and technology vendors, and consumer groups to further explore the use of synthetic data in financial markets. The report focuses on three key themes across the data lifecycle: data augmentation and bias mitigation system; testing and model validation and internal and external data sharing for fraud controls. These themes, illustrated through real-world use cases and the experiences of expert practitioners, provide insights into the opportunities and challenges that can arise from using synthetic data in financial services.

CMA issues annual plan for 2024/2025

The CMA has issued its annual plan for 2024/2025 as it takes on new responsibilities under the Digital Markets, Competition and Consumers Bill, expected to receive Royal Assent in April 2024.. For 2024 to 2025, the CMA’s key areas of focus include acting in areas of essential spending and where people are under particular financial pressure, such as accommodation, caring for ourselves and others, and travel; broadening its work to protect consumers from harmful practices in online choice architecture and misleading pricing, enabling innovating businesses to access digital markets such as cloud services, e-commerce, and digital advertising, encouraging effective competition and consumer protection in emergent markets, including the development and deployment of AI foundation models, acting in existing and emergent markets for sustainable products and services, including through broadening its green claims work, encouraging competitive markets for climate technology, and implementing its Green Agreements Guidance, and identifying and acting in areas where it can influence the pro-competitive development of markets and have the most positive impact on innovation, growth and productivity, and promoting resilience through competition.

CMA responds to consultations and gives evidence to House of Lords on role of UK regulators

The CMA has provided evidence to the House of Lords Industry and Regulators Committee inquiry into UK regulators. It has also published its response to the call for evidence on smarter regulation and the regulatory landscape. Finally, it has published its response to Ofcom about in-contract inflation-linked price rises.

Ofcom launches investigation into Vonage over 999 access

Ofcom has launched an investigation into cloud communications provider, Vonage. This follows an incident resulting in disruption for its business customers to emergency call services during October and November 2023. Ofcom’s rules require providers to take all necessary measures to ensure uninterrupted access to emergency organisations as part of any call services offered. Providers must also take appropriate and proportionate measures to identify and reduce the risks of the availability, performance or functionality of their network or service being compromised. Additionally, providers are required to take appropriate and proportionate measures to prevent adverse effects from any such compromise. If there are negative effects, they should take steps to remedy or mitigate those effects. Providers are also required to inform Ofcom, as soon as reasonably practicable, of any security compromise that has a significant effect on the operation of a network or service. The investigation will seek to establish the facts surrounding the incident and examine whether there are reasonable grounds to believe that Vonage has failed to comply with its regulatory obligations.

Law Society responds to ICO’s generative AI and data protection consultation

The Law Society has responded to the ICO’s call for evidence for its consultation into web scraping as part of the ICO’s consultation series on generative AI and data protection. The Law Society emphasises the importance of taking a balanced and blended approach to regulating AI. It agrees with the ICO that it is unlikely that other lawful bases with regards to web scraping for generative AI will be available under Article 6(1) of the Data Protection Act 2018; and in principle, the legitimate interests test could be met if technical and organisational measures to limit the use of the generative AI model are in place

EU law

Commission sends requests for information on generative AI risks

The European Commission has formally sent requests for information under the Digital Services Act to Bing and Google Search (Very Large Online Search Engines), as well as to Facebook, Instagram, Snapchat, TikTok, YouTube, and X (Very Large Online Platforms). The Commission is requesting that they provide more information on their respective mitigation measures for risks linked to generative AI, such as so-called “hallucinations” where AI provides false information, the viral dissemination of deepfakes, as well as the automated manipulation of services that can mislead voters. The Commission is also requesting information and internal documents on the risk assessments and mitigation measures linked to the impact of generative AI on electoral processes, dissemination of illegal content, protection of fundamental rights, gender-based violence, protection of minors, mental well-being, protection of personal data, consumer protection and intellectual property. The questions relate to both the dissemination and the creation of generative AI content. The companies must provide the requested information to the Commission by 5 April 2024 for questions related to the protection of elections and by 26 April 2024 for the remaining questions.

Commission opens formal proceedings against AliExpress under the DSA

The Commission has opened formal proceedings to assess whether AliExpress may have breached the Digital Services Act in areas such as the management and mitigation of risks, content moderation and the internal complaint handling mechanism, the transparency of advertising and recommender systems, the traceability of traders and data access for researchers. Based on the preliminary investigation conducted so far, including the analysis of the risk assessment report sent by AliExpress in August 2023, the information published in its Transparency report and its replies to the Commission’s formal requests for information (from 6 November 2023 and 18 January 2024), the Commission has decided to open formal proceedings against AliExpress under the Digital Services Act. The Commission will now carry out an in-depth investigation as a matter of priority. The opening of formal proceedings does not prejudge the outcome. AliExpress was designated as a Very Large Online Platform on 25 April 2023 under the DSA, following its declaration of having 104.3 million monthly active users in the EU. As a VLOP, four months from its designation, AliExpress had to start complying with a series of obligations set out in the DSA.

Council of Europe AI Committee finalises Framework Convention

The Framework convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law has been finalised by the Council of Europe Committee on Artificial Intelligence. The draft text will be referred to the Committee of Ministers for adoption and signature at a later stage. It sets out a legal framework that covers AI systems throughout their lifecycles.