This Week’s Techlaw News Round-Up

March 31, 2023

UK law

CMA narrows scope of concerns in Microsoft-Activision review

The CMA has issued updated provisional findings in its assessment of Microsoft’s proposed acquisition of Activision. It says that new evidence provisionally alleviates concerns in relation to supply of gaming consoles in the UK. It’s previously stated view that the deal raises concerns in cloud gaming is unaffected. Its investigation continues, with the final report still due by 26 April 2023. The most significant new evidence provided to the CMA relates to Microsoft’s financial incentives to make Activision’s games, including Call of Duty (CoD), exclusive to its own consoles. While the CMA’s original analysis indicated that this strategy would be profitable under most scenarios, new data (which provides better insight into the actual purchasing behaviour of CoD gamers) indicates that this strategy would be significantly loss-making under any plausible scenario. On this basis, the updated analysis now shows that it would not be commercially beneficial to Microsoft to make CoD exclusive to Xbox following the deal, but that Microsoft will instead still have the incentive to continue to make the game available on PlayStation.

ICO consults on draft guidance for “Likely to be accessed” in the context of the Children’s Code

In September 2022, the ICO clarified its position that adult-only services are in scope of the Children’s Code if they are likely to be accessed by children. To support information Society Service providers (ISS) to assess whether children are likely to access their service, the ICO has developed guidance with FAQs, a list of factors, and case studies. The ICO seeks feedback on the supporting guidance documents on “likely to be assessed” in the context of the Children’s Code and the accompanying impact assessment. The consultation ends on 19 May 2023.

Ofcom fines Tapnet £2,000 for not responding to an information request

Ofcom has fined Tapnet Ltd, which provides the video-sharing platform (VSP) RevealMe, £2,000 after the company did not respond to a statutory request for information. Ofcom is required to ensure that UK-based VSPs have appropriate measures in place to protect users from certain types of harmful material in videos. Last year, it issued several information requests to VSPs to help it understand and monitor the safety measures they have in place and to inform the VSP report it published in October. VSPs are required by law to comply with a statutory demand for information from Ofcom. Information gathered during this process is fundamental in enabling Ofcom to carry out its job as a regulator. As a result, it says that it is crucial that VSPs provide accurate and complete information in a timely fashion. Tapnet did not provide a response to Ofcom’s information request by the specified deadline, and following a formal investigation, it found that the company had breached the rules.

ICO issues reprimanded to NHS Highland

The ICO has issued a reprimand to NHS Highland for a “serious breach of trust” after a data breach involving those likely to be accessing HIV services. The ICO has called for serious improvements to a data protection safeguards amongst HIV services, stating that there is “simply no excuse”, and that “the stakes are just too high” given the impact on people’s lives. A formal reprimand has been issued to NHS Highland, which emailed 37 people likely to be accessing HIV services, inadvertently using CC (carbon copy) instead of BCC (blind carbon copy). The error means recipients of the email could see the personal email addresses of other people receiving the email, with one people confirming they recognised four other individuals, one of whom was a previous sexual partner. The ICO has applied its public sector approach to this case. This means that instead of issuing a £35,000 fine, it has issued a reprimand to NHS Highland in response to this breach. The ICO’s recommendations have been included in NHS Highland’s Information Governance Action Plan, and an update will be provided to the ICO in June 2023. According to ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019.

Commons Library publishes data protection and digital information Bill briefing

The House of Commons Library has published a research briefing on the updated Data Protection and Digital Information Bill. The revised Bill was introduced in the House of Commons on 8 March 2023. The briefing discusses what the Bill would do, including charges to the Data Protection Act 2018 and the UK GDPR Regulation, as well as where the Bill would take effect.

International Working Group on Age Verification established

Ofcom has announced the International Working Group on Age Verification, of which Ofcom is a founding member alongside various other regulators The International Working Group has been established to help the respective members ensure that video-sharing platforms under their jurisdiction that have videos containing restricted material take their obligation to protect under-18s seriously, and implement robust access control measures to protect them from accessing harmful content on their services. The groups recognise that online platforms are global in nature and can operate across multiple jurisdictions. The statement sets out details of their shared commitment to meeting the challenges of regulation.

Ofcom proposes to modify how Electronic Communications Code applies to KCOM Group Limited

Ofcom is consulting about modifying the terms on which the Electronic Communications Code is applied to KCOM Group Limited, under section 107(6) of the Communications Act 2003. The Code is designed to facilitate the installation and maintenance of an electronic communications network, conferring rights which result in simplified planning procedures. The proposed modification would extend KCOM Group Limited’s Code powers beyond the Hull area to cover the rest of the UK. The consultation ends on 27 April 2023.

Ofcom publishes plan of work for 2023-2024

Ofcom has published its plan of work for 2023-2024. It sets out the priorities for the year ahead, and explains how Ofcom will deliver this work over the courts of 2023-24. It has taken on new duties for video-sharing platforms and telecoms security, and their Online Safety Bill will give it an important new task of creating a safer life online. It will also aim to maintain a well-functioning postal market, including through enhanced monitoring of Royal Mail’s performance and a review of the safeguard cap on second-class stamps.

Ada Lovelace Institute publishes report on AI

The Ada Lovelace Institute has published a discussion paper which aims to contribute to the conversation around EU AI standards by clarifying the role technical standards will play in the AI governance framework created by the EU’s proposed Artificial Intelligence Act. It also explores how this may diverge from the expectations of EU policymakers. In the AI Act, EU policymakers appear to rely on technical standards to provide the detailed guidance necessary for compliance with the Act’s requirements for fundamental rights protections. However, standards development bodies seem to lack the expertise and legitimacy to make decisions about interpreting human rights law and other policy goals. This misalignment is important because it has the potential to leave fundamental rights and other public interests unprotected. The paper begins by exploring the role of standards in the AI Act and whether the use of standards to implement the Act’s essential requirements creates a regulatory gap in terms of the protection of fundamental rights. It goes on to explore the role of civil society organisations in addressing that gap, as well as other institutional innovations that might improve democratic control over essential requirements. This is followed by conclusions and recommendations for adapting the EU’s standardisation policy to the goals of the AI Act.

EU law

EUIPO issues paper on live event piracy

The EUIPO has published a report by its Expert Group on Cooperation with Intermediaries. It sets out various kinds of service that can be misused in this context, what trends and techniques tend to support such piracy, the challenges associated with it, and good practice to address them. The EUIPO identifies subscription-based IPTV services, open IPTV and open web streaming services as being of particular relevance. The report also includes a section on best practice for digital service providers and content delivery networks. Content delivery networks are often used for obfuscation purposes, to hide the true internet protocol address of the origin server.

International

FTC seeks comment on business practices of cloud computer providers

The Federal Trade Commission staff is seeking information on the business practices of cloud computing providers including issues related to the market power of these companies, impact on competition, and potential security risks. Among the topics the FTC is seeking comment on include: the extent to which particular segments of the economy are reliant on a small handful of cloud service providers; the ability of cloud customers to negotiate their contracts with cloud providers or are experiencing take-it-or-leave it standard contracts; incentives that providers offer customers to obtain more of their cloud services from a single provider; the extent to which cloud providers compete on their ability to provide secure storage for customer data; the types of products or services cloud providers offer based on, dependent on, or related to AI; and the extent to which those products or services are proprietary or provider agnostic; and the extent to which cloud providers identify and notify their customers of security risks related to security design, implementation, or configuration. The call for information ends on 22 May 2023.