Technology & Digital round-up – 30 September 2021

30th September 2021

Welcome to the first edition of our Technology & Digital round-up, giving you a flavour of recent legal and other developments of interest. Please contact one of our experts if you have any queries or need advice or assistance.

The legal part…

• Unlocking the power of data is one of the government’s 10 Tech Priorities. As part of its post-Brexit global data plans, it is consulting until 19 November 2021 on wide-ranging reform of the UK’s data protection and e-privacy regimes. It wants to maintain high data protection standards without creating unnecessary barriers to responsible data use. The proposals are likely to be welcomed by businesses. Importantly, the consultation paper says that the UK’s future regime will not require organisations to change many of their current processes if they already operate effectively, but it will provide the flexibility to do so if other processes can deliver the same or better outcomes in more innovative and efficient ways. The government believes it is perfectly possible and reasonable to expect the UK to maintain EU adequacy (ensuring the continued free flow of data between the UK and EU) as it begins a dialogue about the future and moves to implement any reforms. It remains to be seen whether the European Commission, which can withdraw the UK’s newly-granted adequacy status at any time, shares that view.

• The Information Commissioner’s Office (ICO) is consulting until 7 October 2021 on its draft international data transfer agreement and guidance. This will replace the current standard contractual clauses (SCCs) for transferring personal data outside of the UK in the absence of relevant adequacy arrangements. As with the new European SCCs adopted in June 2021 (see our earlier briefing) the UK’s draft caters for a wider range of transfer scenarios to reflect the reality of today’s complex data sharing relationships and sets out additional obligations to address the shortcomings raised in the Schrems II decision. A proposed addendum to model data transfer agreements from other jurisdictions provides a potential practical solution for businesses subject to more than one regime that might otherwise have to enter into two different sets of SCCs.

• As ways of working change and the role of technology increases, the ICO is consulting until 21 October 2021 on updating its employment practices guidance. See our recent briefing for details.

• We Buy Any Car, Sports Direct and Saga were fined a total of £495,000 for sending more than 354 million nuisance messages between them, in breach of the Privacy and Electronic Communications Regulations (PECR). One of the government’s proposed e-privacy reforms is to increase the maximum PECR fine of £500,000 to match the much higher amounts under the UK General Data Protection Regulation.

• WhatsApp received a record €225 million fine from Ireland’s data privacy watchdog for severe and serious infringements of the EU General Data Protection Regulation. The initial proposed figure reportedly ranging from €30 to €50 million was rejected by eight data regulators in other EU countries and the European Data Protection Board made a binding ruling which the Irish regulator must now enforce. WhatsApp indicated its intention to appeal.

• In a decision which will have significant practical implications, the European Court of Justice (ECJ) recently concluded in The Software Incubator Ltd v Computer Associates (UK) Ltd that the concept of ‘sale of goods’ in the EU’s Commercial Agents Directive must be interpreted as meaning that it can cover the supply, in return for payment of a fee, of computer software to a customer by electronic means where that supply is accompanied by the grant of a perpetual licence to use that software. The Court of Appeal had previously held that software was not goods for the purposes of the UK’s Commercial Agency Regulations and the Supreme Court made a referral to the ECJ. See our briefing for details.

• The Commercial Court’s recent decision in Fetch.ai v Persons Unknown has reinforced the status of England and Wales as a leading jurisdiction for the prosecution and resolution of cyber fraud cases. Hackers gained access to private keys associated with cryptocurrency accounts held by the claimant at the Binance cryptocurrency exchange. They removed cryptocurrency from the accounts and sold it on at a massive undervalue, apparently to co-conspirators, causing loss of some $2.6 million to the claimant. The claimant applied for, and was granted, a proprietary injunction, a worldwide freezing order and disclosure orders requiring third parties to provide information to assist in tracing the assets. See our recent briefing on combatting cyber fraud and practical advice for businesses.

• The US sanctioned a Czechia-based cryptocurrency exchange for allegedly facilitating proceeds from multiple ransomware gangs. See this news report. It also issued an updated advisory on potential sanctions risks for facilitating ransomware payments. See our recent briefing for more information on sanctions.

• The High Court’s recent decision in Darren Lee Warren v DSG Retail Ltd confirmed that the courts will take a narrow view of data breach claims brought in breach of confidence, misuse of private information and negligence.

• The Court of Appeal has ruled that AI cannot be the inventor of a patent. See this news report.

• The ICO’s Children’s Code came fully into force on 2 September 2021. It contains 15 standards that online services (including apps, games, connected toys and devices, and news services) need to follow to comply with their obligations under data protection law to protect children’s data online.

…and in other news

• In one of her first appearances as the newly-appointed Secretary of State for International Trade, Anne-Marie Trevelyan announced a five-point plan for digital trade in a speech during London Tech Week, aimed at reducing costs for British businesses, cutting red tape and shoring up data protection.

• The government launched its first National AI Strategy – a new ten-year plan to make the UK ‘a global AI superpower’. It includes plans for a White Paper on AI regulation.

• The European Commission published its proposed ‘Path to the Digital Decade’, a concrete plan to achieve the digital transformation of its society and economy by 2030. The Commission’s Digital Decade targets are centred on digital skills, digital infrastructures, digitalisation of businesses and public services.

• Non-governmental organisation Global Witness is calling on the Equality and Human Rights Commission and the ICO to investigate whether the algorithms used to promote job ads infringe equality and data protection laws, after it found that Facebook users in the UK may be excluded from viewing job ads based on protected characteristics, such as gender and age.

• Following the creation of a joint Bank of England/HM Treasury Central Bank Digital Currency (CBDC) taskforce and subsequent discussion paper on new forms of digital money, plus the rise of cryptocurrency as an increasingly possible mainstream form of payment, UK Finance published a report ‘Retail CBDC – A threat or opportunity for the payments industry?’ which concludes that there are a range of significant issues beyond technology that central banks will have to grapple with. The authors expect sustainability to be a key consideration, both around the use of energy of some cryptocurrencies, but also the potential power of CBDC to boost greener behaviour. In related news, the Lords Economic Affairs Committee launched a CBDC inquiry.

• Protesters recently took to the streets of El Salvador after the country became the first to introduce Bitcoin as a legal tender, alongside the US dollar; and recently reported research found that Bitcoin mining produces electronic waste annually comparable to the small IT equipment waste of a place like the Netherlands. Meanwhile, China declared all cryptocurrency transactions illegal (again).

• An incident in which a collector bought a fake Banksy NFT (non-fungible token) has highlighted the vulnerabilities of NFT trading. In related news, an NFT-based fantasy football card firm has raised $680 million and an image of a popular internet meme sold as an NFT for about $74,000. Head of our Technology & Digital Group, Sally Mewies, took part in a recent techUK podcast in which the panellists discuss NFTs and how they may move beyond these types of news stories and emerge in the UK as a key technology to support smart contracting, e-commerce and supply chains.

• In a bold move, Microsoft announced that users can now delete all passwords from their accounts and instead log in using an authenticator app or other solution.

• Leeds Digital Festival kicked off on 20 September 2021, with Walker Morris proudly sponsoring the event that is now one of the UK’s largest tech gatherings. As part of the festivities, Walker Morris hosted a panel discussion titled ‘Funding the Unicorn’, where experts provided their top tips for startups looking to grow: a summary of those insights can be found here.