This Week’s Techlaw News Round-up

May 3, 2024

UK law

Investigatory Powers (Amendment) Act 2024 receives Royal Assent

The Investigatory Powers (Amendment) Act 2024 has received Royal Assent. It updates the Investigatory Powers Act 2016 with the aim of ensuring that the UK’s investigatory powers framework remains fit for purpose in the face of evolving threats. It follows the Home Secretary’s statutory report on the IPA 2016 in February 2023, and a subsequent independent review in June 2023. The key objective is to make targeted reforms to the IPA 2016 to ensure that it remains fit-for-purpose for intelligence services, law enforcement and other public authorities.

CMA publishes AI strategic update

The CMA has issued its AI strategic update, which sets out how it is ensuring consumers, businesses and the wider economy reap the benefits of developments in AI, while harms are mitigated. As well as its work on foundation models, it is considering issuing proactive guidance about how to comply with consumer law in AI-related markets if it sees uncertainty or particular issues that need clarification, such as downstream AI integration in software and the use of consumer chatbots by firms. It says it will support safe innovation with AI as part of the ongoing DRCF AI and Digital Hub pilot. Further, it will continue the digital transformation of the CMA itself and it will explore opportunities to further advance how it works through AI. The CMA will be exploring a range of different tools and techniques, and it will take the opportunity to trial AI-tools safely and securely where they have the potential to enhance its efficiency and effectiveness. It acknowledges that AI has the potential to be a transformative technology which can drive a huge range of benefits for UK businesses and consumers and that the CMA has a critical role to play in how AI-related markets develop. It plans to build its knowledge and act as a leader with the aim of ensuring the full benefits of AI are realised for UK businesses and consumers.

MHRA’s AI regulatory strategy ensures patient safety and industry innovation into 2030

The Medicines and Healthcare products Regulatory Agency (MHRA) has set out its strategic approach to AI. It is considering the opportunities and risks of AI from three perspectives: as a regulator of AI products; as a public service organisation delivering time-critical decisions; and as an organisation that makes evidence-based decisions that affect public and patient safety, where that evidence is often supplied by third parties. The MHRA is currently in the process of implementing its own regulatory reform programme related to AI-driven medical devices to include risk proportionate regulation of AI as a medical device. This considers the risks of these products while permitting scope for further development of transformative healthcare.

Ofcom and Ofcom issue statement on online safety and data protection

Ofcom and the ICO have published a joint statement on collaboration on the regulation of online services. The statement sets out how the two regulators will work together on areas of mutual interest to ensure a coherent approach to regulation between the online safety and data protection regimes. It builds on a joint statement published in November 2022 that envisioned working together more closely to achieve greater alignment.

Ofcom investigates OnlyFans’ age verification measures

Ofcom is investigating if OnlyFans is doing enough to prevent children accessing pornography on its site. Video-sharing platforms (VSPs) established in the UK are required to take appropriate measures to prevent under-18s from accessing pornographic material. In response to this VSP regulation, several UK-based sites that host adult content, including the largest, OnlyFans, have introduced age verification measures. However, having reviewed submissions Ofcom received from OnlyFans in response to formal information requests, Ofcom suspects that it did not implement its age verification measures to sufficiently protect under-18s from pornographic material. It is also investigating whether OnlyFans failed to comply with its duties to provide complete and accurate information in response to these statutory requests. It will provide an update on this investigation in due course. While Ofcom is implementing the Online Safety Act, it continues to regulate VSPs that fall within its jurisdiction under the pre-existing regime. The UK government will decide the date on which the VSP regime will be repealed. Given the importance of ensuring that children are protected from pornographic material, Ofcom says it will continue to assess age assurance measures on adult video-sharing platforms until the VSP regime is repealed.

EU law

European Commission designates Shein as Very Large Online Platform under the Digital Services Act

The European Commission has formally designated Shein as a Very Large Online Platform (VLOP) under the Digital Services Act. Shein is a fashion online retailer with an average of more than 45 million monthly users in the EU. This user number, which Shein has communicated to the Commission, is above the DSA threshold for designation as a VLOP. Shein will have to comply with the most stringent rules under the DSA within four months of its notification (that is, by the end of August 2024), such as the obligation to adopt specific measures to empower and protect users online, including minors, and duly assess and mitigate any systemic risks stemming from its services.

European Commission designates Apple’s iPadOS under the Digital Markets Act

The European Commission has also designated Apple with respect to iPadOS, its operating system for tablets, as a gatekeeper under the Digital Markets Act. It has concluded that iPadOS constitutes an important gateway for business users to reach end users, and that Apple enjoys an entrenched and durable position with respect to iPadOS. Apple now has six months to ensure full compliance of iPadOS with the DMA obligations.

European Commission establishes whistleblower tools for DSA and DMA

The European Commission has launched two whistleblower tools for the DSA and DMA. The tools will make it possible for individuals to provide, without fear of reprisals, information allowing to identify and uncover harmful practices of VLOPs or VLOSEs (very large search engines) designated under the DSA, or any violations of the obligations of gatekeepers under the DMA. Individuals who encounter harmful practices by VLOPs or VLOSEs can, under the DSA, lodge complaints with their national Digital Services Coordinator. Any instance of non-compliance with the DMA by gatekeepers can be reported to the dedicated Commission contact point or to national competition authorities of their member state where the complainant is based.

Court authorising access to telephone records must have discretion to refuse such access

The Court of Justice of the EU has recently ruled in Case C-178/22 | Procura della Repubblica presso il Tribunale di Bolzano. Under Italian law, the offence of aggravated theft is one of the offences that may justify obtaining telephone records from a provider of electronic communications services if a court authorises it. The Court of Justice considers that access to such records can be granted only to the data of individuals suspected of being implicated in a serious offence, and says that member states must define “serious offences”. However, the court responsible for authorising that access must be entitled to refuse or restrict that access where it finds that the interference with the fundamental rights to private life and to the protection of personal data which such access would constitute is serious, while it is clear that the offence at issue is not a serious offence in the light of the societal conditions prevailing in the member state concerned.

European Commission consults on fair telework and the right to disconnect

The European Commission is consulting on the possible direction of EU action on ensuring fair telework and the right to disconnect. Remote working has become widespread, especially since the COVID-19 pandemic. The EU Labor Force Survey shows that the overall proportion of people working from home in the EU has almost doubled in the last few years, from 11.1% in 2019 to 20% in 2022. There are significant differences across industries, sectors and work profiles, depending on a job’s “teleworkability” that is, to what extent it is feasible to be carried out remotely. Evidence shows those workers who can and do work remotely clearly appreciate its benefits, notably its flexibility, with over 60% of respondents to a 2022 Eurofound survey confirming they want to work from home at least part of their working time. While remote working can allow for flexible work arrangements, it also raises questions on how to ensure workers’ rights are respected in a more digitalised work environment. This includes ensuring adequate working conditions and health and safety at work. Notably, the use of digital tools for work and the possibility to work remotely can carry the risk of an “always-on” work culture. This has led to calls by different stakeholders for a “right to disconnect”, to draw clear boundaries between one’s professional and private life. The consultation ends on 11 June 2024.