This Week’s Techlaw News Round-Up

November 10, 2023

UK law

Automated Vehicles Bill receives first reading in House of Lords

The Automated Vehicles Bill has received its first reading in the House of Lords. It aims to provide a new safety framework aimed at ensuring clear liability for the user, set the safety threshold for legal self-driving and establish an in-use regulatory scheme to monitor the ongoing safety of automated vehicles. The Bill will prohibit misleading market practices, including around using ambiguous terminology in advertising material around whether their vehicles classify as self-driving. The Bill is due to receive its second reading on 28 November 2023. Watch the SCL website for more news on this Bill.

Investigatory Powers (Amendment) Bill receives first reading in the House of Lords

The Investigatory Powers (Amendment) Bill has received its first reading int he House of Lords on 8 November 2023. The Bill will deliver the urgent, targeted changes needed to protect the British people from evolving threats. The reforms will support the intelligence agencies to keep pace with a range of threats, against a backdrop of accelerating technological change that provides new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. Updating the 2016 Act to reflect the current threat and changing technology landscape will ensure that out intelligence agencies can develop the necessary tools and capabilities to rapidly draw insights from vast quantities of data, allowing them to better understand and respond to threats to the UK. The government says that the safeguards within the 2016 Act will be maintained and enhanced. The government has also published its response to the 2023 consultation on the Investigatory Powers Act notices regimes consultation. The Bill is due to receive its second reading on 20 November 2023.

Media Bill receives its first reading in House of Commons

The Media Bill has received its first reading in the House of Commons. It makes provision about public service television; about the sustainability of, and programme-making by Channel 4; about the name, remit, powers, governance and audit of S4C; about the regulation of television selection services; about the regulation of on-demand programme services; about the regulation of radio services; about the regulation of radio selection services; for the repeal of section 40 of the Crime and Courts Act 2013; for addressing deficiencies in broadcasting legislation arising from the withdrawal of the UK from the EU; and for connected purposes. The date for second reading is 21 November 2023.

FCA and Bank of England publish proposals for regulating stablecoins

The Financial Conduct Authority and the Bank of England are requesting feedback on their proposed approach to regulating stablecoins. The Bank’s proposals cover any payment systems in the future that use stablecoins in the UK at systemic scale. Stablecoins are a type of digital asset which aim to maintain a stable value. They could be used for retail payments in the future. The proposed regulatory approach put forward by the FCA and the Bank looks to harness the potential benefits stablecoins aim to protect consumers and prevent money laundering with a robust set of rules and to safeguard financial stability. The UK government is giving the FCA powers to make rules about the issuance and custody of fiat-backed stablecoins in the UK under the Regulated Activities Order. It defines fiat-backed stablecoins as stablecoins that seek to maintain a stabilised value of the cryptoasset by reference to, and which may include the holding of, one or more specified fiat currencies. The consultation ends on 6 February 2023.

EDPS and Information Commissioner’s Office sign Memorandum of Understanding

The Memorandum of Understanding aims to further strengthen the EDPS and the Information Commissioner’s Office’s joint commitment to ensure a consistent and coherent approach to the protection of individuals’ rights to privacy and data protection. It sets out how both authorities, with their respective experiences and knowledge, plan to prioritise individuals’ fundamental rights across the EU and the UK.

EU law

EDPB adopts urgent binding decision on processing of personal data for behavioural advertising by Meta

The European Data Protection Board has adopted an urgent binding decision instructing the Irish Data Protection Commission as lead supervisory authority to take, within two weeks, final measures regarding Meta Ireland Limited and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire EEA. The urgent binding decision followed a request from the Norwegian Data Protection Authority (Datatilsynet) to take final measures in this matter that would have effect in the entire EEA. Datatilsynet had imposed a temporary ban on Meta’s unlawful processing of personal data for behavioural advertising conducted by its Facebook and Instagram services, which expired on 3 November 2023. The ban on processing is effective as of one week after the notification of the final measures by the DPC to the controller which was on 31 October. The EDPB takes note of Meta’s proposal to rely on a consent-based approach as legal basis. The Irish DPC is currently evaluating this alongside with the other regulatory authorities.

Theft of personal data does not on its own constitute identity theft although compensation for non-material damage may be claimed (Advocate General’s opinion)

In JU and SO v Scalable Capital GmbH (Cases C-182/22 and C-189/22) Advocate General Collins considered a referral from the German courts about what constitutes identity theft. AG Collins also considered in what circumstances non-material damages may be awarded. The claimants had their personal data stolen from a trading application managed by Scalable Capital. Although no identity fraud took place, the claimants claimed compensation for alleged pain and suffering under Article 82 of the GDPR. The claimants referred to recital 85 which distinguishes between identity theft and identity fraud and argued that theft of their data generated a right to compensation. Scalable argued that identity theft occurs only when the data is actually misused by assuming an individual’s identity and that Article 82 is designed to compensate for damages actually suffered. According to the AG, the theft of personal data does not in itself constitute identity theft or fraud. The courts have to assess non-material damage and the right to compensation on a case-by-case basis, taking all relevant circumstances into account. In summary, the GDPR must be interpreted as meaning that the theft by an unknown offender of a data subject’s sensitive personal data may give rise to a right to compensation for non-material damage upon proof of an infringement of the GDPR, actual damage suffered and a causal link between the damage and that infringement. The award of such compensation does not require the offender to assume the data subject’s identity, nor does the possession of data that identifies the data subject itself constitute identity theft.

European Commission welcomes agreement on political advertising

The European Commission welcomes the political agreement reached between the European Parliament and the Council on the Regulation on transparency of political advertising. It is part of the Commission’s actions aimed at protecting election integrity and supporting an open democratic debate. Under the new rules, political adverts will need to be clearly labelled as such and must indicate who paid for them, how much, to which elections, referendum or regulatory process they are linked and whether they have been targeted. Citizens will be able to distinguish messages that seek to shape their political views and decisions. Targeting and amplification techniques will only be available for online political advertising based on personal data collected from the data subject and subject to consent, and the use of sensitive personal data will be banned. This aims to limit abusive use of personal data to potentially manipulate voters. All online political ads will be available in an online ad repository. Sponsoring ads from outside the EU will be prohibited three months before elections. The political agreement reached by the European Parliament and the Council is now subject to formal approval by the co-legislators. The Commission will work to support early compliance, including using the framework of the Code of Practice on Disinformation.

Commission welcomes final agreement on EU Digital Identity Wallet

The European Parliament and the Council of the EU have agreed the Regulation introducing European Digital Identity Wallets. In addition to public services, Very Large Online Platforms designated under the Digital Services Act (including services such as Amazon or Facebook) and private services that are legally required to authenticate their users will have to accept the EU Digital Identity Wallet for logging into their online services. In addition, the wallet’s features and common specifications should help private service providers accept them for their services, thus creating new business opportunities. The Wallet will also facilitate service providers’ compliance with various regulatory requirements. In addition to securely storing their digital identity, the Wallet will allow users to open bank accounts, make payments and hold digital documents, such as a driving licence, a medical prescription, a professional certificate or a travel ticket. Member States will be required to provide EU Digital Identity Wallets to their citizens 24 months adoption of Implementing Acts setting out the technical specifications for the EU Digital Identity Wallet and the technical specifications for certification.

European Parliament adopts Data Act

The European Parliament has adopted the text of the Data Act. The Act sets out a clear definition of trade secrets and trade secret holders with the aim of preventing unlawful data transfers and data leaks to countries with weaker data protection regulations. The Act also aims to facilitate switching between cloud service providers and introduces safeguards against unlawful international data transfers by these companies. Cloud service customers will have the power to negotiate contracts and avoid being locked in with a particular provider. The Act now awaits formal approval by the Council of the EU.