UK Law
ICO fines construction company £4.4 million
The ICO has warned that companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff. It has issued a fine of £4,400,000 to Interserve Group Ltd, a Berkshire-based construction company, for failing to keep personal information of its staff secure, which was in breach of data protection law. The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
ICO says that immature biometric technologies could be discriminating against people
The ICO is warning organisations to assess the public risks of using emotion analysis technologies before implementing these systems. Organisations that do not act responsibly, posing risks to vulnerable people, or fail to meet ICO expectations, will be investigated. Emotion analysis technologies process data such as gaze tracking, sentiment analysis, facial movements, gait analysis, heartbeats, facial expressions and skin moisture. Examples include monitoring the physical health of workers by offering wearable screening tools or using visual and behavioural methods including body position, speech, eyes and head movements to register students for exams. Emotion analysis relies on collecting, storing and processing a range of personal data, including subconscious behavioural or emotional responses, and in some cases, special category data. The ICO says that this kind of data use is far more risky than traditional biometric technologies that are used to verify or identify a person. The inability of algorithms which are not sufficiently developed to detect emotional cues means there is a risk of systemic bias, inaccuracy and even discrimination. The ICO intends to publish guidance next year.
ICO consults on draft employment practices guidance – information about workers’ health
The ICO is producing an online resource with topic-specific guidance on employment practices and data protection. It is releasing drafts of the different topic areas in stages and adding to the resource over time. A draft of the guidance on handling information about workers’ health is now out for public consultation. The draft guidance aims to provide practical guidance about handling the health information of workers in accordance with data protection legislation and to promote good practice. The ICO also intends to produce additional practical tools (such as checklists) to go alongside the guidance to help support employment practices. The consultation ends on 23 January 2023.
Call for evidence on AI regulation launched
The House of Commons Science and Technology Select Committee has launched an inquiry into the risks of artificial intelligence (AI) in the public and private sectors, and how the UK government can ensure it is used ethically and responsibly. The Committee is asking for evidence on the current rules around AI, how it could and should be regulated, and what the UK could learn from other countries. The government is expected to publish a white paper on AI governance later in 2022 to address issues such as biased algorithms, a lack of transparency and unexplained decision-making. The inquiry is open until 25 November 2022.
Home Office publishes two draft revised codes of practice following consultations
The Home Office has published the draft revised Interception of Communications code of practice and the draft revised Covert Human Intelligence Sources code of practice. The draft codes have been updated following consultations. The Home Office states that both draft revised codes of practice will come into force once they have each been debated and approved by both Houses of Parliament. They were both laid before Parliament on 19 October 2022.
Ofcom consults on new template notices (Electronic Communications Code)
Ofcom is seeking views on two new template notices that communications network operators may need to use to secure access to land or property under the Electronic Communications Code. The Code gives operators certain rights to install and maintain their network infrastructure apparatus on public and private land. A new section of the Code was added following the introduction of the Telecommunications Infrastructure (Leasehold Property) Act 2021. This grants Code operators additional rights to access property when they are unable to reach agreement with landowners. As required under the Act, Ofcom has drafted two new template notices for Code operators to issue to landowners who repeatedly fail to respond to their requests for access to their property: a warning notice (which must be issued twice) and a final notice. These notices must be issued before operators can apply for a court order to secure access. Ofcom is also making minor changes to the existing request notice, which operators must serve in writing to first alert landowners of their request to access the land. The consultation ends on 7 December.
EU Law
Digital Services Act and Digital Markets Act published in Official Journal
Regulation (EU) 2022/2065 (the Digital Services Act) has been published in the Official Journal of the EU. The Regulation will enter into force on 16 November 2022. However, most of its provisions will apply from 17 February 2024 to allow smaller organisations to get ready. Article 92 of the Digital Services Act provides that for very large online platforms and very large online search engines (designated under Article 33(4)), the regulations will apply from four months after they have been notified as being designated as such by the European Commission, even if this is earlier than 17 February 2024. Regulation 2022/1925 (the Digital Markets Act) has also been published in the Official Journal. The DMA enters into force on 1 November 2022 and will start to apply six months later. Gatekeepers will have a maximum of six months after they have been designated to comply with their new obligations. See here for more information.