8th July 2021
Welcome to the first edition of our Technology & Digital round-up, giving you a flavour of recent legal and other developments of interest. Please contact one of our experts if you have any queries or need advice or assistance.
This reflects a growing trend for government-led responses to the increasing threat posed by cyber-attacks against not only private organisations but also critical infrastructure. In the announcement by European Commission president Ursula von der Leyen, the new unit was described as combining resources across the bloc in an effort to provide a common platform for responding to cyber-incidents. In addition to sharing operational resourcing, Member States will also look to settle on a technical pan-EU Cybersecurity Incident and Crisis Response Plan and create new protocols for assistance. On current planning, the new unit will be in its operational phase by the end of June 2022 and fully established within the year thereafter. See this link.
The UK has been granted adequacy by the EU in the form of two implementing decisions, one under the GDPR and another under the Law Enforcement Directive. This comes just in the nick of time and only a couple of days before the interim agreement on data exports under the UK-EU Trade and Cooperation Agreement was due to expire. As a result of the decisions, personal data flows from the European Economic Area to the UK will be uninterrupted and data exporters in the EU will be able to export data to recipients located in the UK without additional contractual safeguards. However, the decisions can be revoked and will expire automatically on 27 June 2025 unless formally extended. See this link.
The FCA published its fourth annual research findings on consumer interaction with cryptoassets following heightened public interest and media coverage. The number of adults now holding cryptoassets has again increased to 2.3 million (from 3.9% to 4.4% of adults) with the median holding amount also increasing (from £260 to £300) and most financing through disposable income and investing via an exchange. However, despite the apparent enthusiasm, the research also suggests that consumer understanding has decreased. While consequences of the findings from a regulatory perspective are yet to be seen, the likelihood is that increased contact with consumers will result in more cryptoasset businesses finding themselves within the FCA’s regulatory perimeter. See this link.
The Taskforce on Innovation, Growth and Regulatory Reform published a report on maximising opportunities of regulatory freedom brought by Brexit. It identifies the possibilities to both shed unnecessary EU-derived regulation and create a UK approach focussed on three aims: 1) boosting productivity, 2) encouraging competition and 3) stimulating innovation. With a focus on common law development as a means of allowing for more forward-looking, judgment-based regulation, the report suggests that increased reliance on a common law approach will allow for greater flexibility and more agile regulation. The report also identifies the use of sandboxes (as are now commonly used by the FCA and Information Commissioner’s Office (ICO)) as a means of allowing firms to test innovative products/services and business models without the immediate risk of failing to provide properly tailored regulation. The report then goes on to make a number of proposals for specific sectors, ranging from AI-based medical devices to agricultural genomics.
The European Commission has approved model article 28 clauses while also approving new form Standard Contractual Clauses (SCCs) for international transfers, rather confusingly referring to both sets of clauses as SCCs. While the article 28 SCCs designed to ensure compliance in controller-processor contracts will not be mandatory, organisations may be interested to see the stance taken on drafting where the regulation is silent.
Facial recognition technology (FRT) is in the spotlight again as EU data protection authorities call for a ban and the ICO publishes its own opinion, paving the way for another possible area of divergent regulation post-Brexit and potentially jeopardising the UK’s newly acquired adequacy status. In particular and in marked contrast, the ICO’s opinion focusses on responsible use of AI-based FRT and standards rather than any ban on use of the technology.
As reported in The Guardian, OpenStreetMap is looking to relocate to the EU as a result of Brexit, with the company’s treasurer, Guillaume Rischard, indicating that the decision is due to a “multitude of paper cuts” either created or exacerbated by the UK’s departure from the bloc. Of those cuts, the failure of the UK and the EU to reach agreement on database rights appears to have held particular sway. The loss of EU web domains and the perceived importance of the EU in regulating tech matters were also cited as reasons for the expected move. While Ireland and France have both been discounted, this appears to pave the way for other EU Member States to begin lobbying efforts to attract what has become one of the most uniquely successful mapping businesses in the world, which currently counts Apple, Microsoft and Uber among its clients.
Both countries are already global leaders in the digital economy. According to the UK Government, service exports to Singapore were already 70% digital, accounting for £3.2 billion. Interestingly, the Government announcement includes a statement on cross-border data flows while still upholding high standards of data protection, suggesting that an adequacy decision in favour of Singapore may also be part of the deal and potentially setting the scene for a showdown with Brussels, which does not currently have adequacy in place with Singapore.
As reported by the BBC, this happened just as businesses were closing up shop for the Independence Day holiday weekend, with evidence of global repercussions already emerging. The latest offensive has reportedly hit around 200 US businesses, including IT service providers, which has in turn allowed the attack to permeate corporate networks that use software supplied by those providers. Russian-linked ransomware group REvil is suspected to be responsible, with President Biden stating that there would be retaliation if evidence proves that the attack originated from actors in Russia. As an example of the potential impacts of the attack, the Coop supermarket group has had to close more than half of its 800-plus Swedish stores after point-of-sale terminals and self-checkouts stopped working.
As reported in TechCrunch, New York-based IAB Tech Labs is being sued by the Irish Council for Civil Liberties in Germany over the use of data in real-time bidding (RTB). With the sharing of data for RTB being described as the “world’s largest data breach”, the claim contends that there are no technical constraints in place to restrict what companies do with the data they obtain (including with regard to onward transfers) and that low security standards mean other entities not directly involved in the bidding process are likely to be able to intercept information. The litigation follows the ICO’s investigation into the adtech industry and will now run alongside litigation brought by the Belgian data protection authority over IAB Europe’s Transparency and Consent Framework.