UK law
Select Committee issues report on connected technology
The House of Commons Culture, Media and Sport Select Committee has issued a report on connected technology. It says that users must be given clear information about, and a fair chance to understand, the basis on which their data is used and how to exercise their rights. It also says that the UK government should introduce measures to standardise privacy interfaces for connected devices. Privacy interfaces should be appropriately accessible, intuitive and flexible enough so users with a reasonable level of digital literacy and privacy expectations can use them, without requiring them to go through complex dashboards with long terms and conditions and settings. The use of connected tech in schools and by children in homes raises concerns, including the harvesting and third-party use of children’s data and their lack of control over what technology is used and when. According to the Committee, the ICO needs to be more proactive and ensure that all products include age-appropriate terms and conditions. The monitoring of employees in smart workplaces should be done only with the consent of those being monitored. The ICO should develop its existing draft guidance on monitoring at work into a principles-based code for designers and operators of workplace connected tech. Further, the Committee supports calls from industry for the government to do more to address the ongoing skills shortage in the cybersecurity sector. It also says that the government must make tackling technology-facilitated abuse a priority. The Office for Product Safety and Standards should convene a working group to bring the industry together to tackle tech abuse. The Committee will publish a second report later in the summer focussing on the impact of connected tech and AI on the creative industries.
Patents Court says that SEP patent owner can choose between FRAND terms set by different jurisdictions
The Patents Court has issued its ruling in Nokia Technologies Oy and another v OnePlus Technology (Shenzhen) Co. Ltd and others [2023] EWHC 1912 (Pat). It concluded that Oppo was not licensed pursuant to the ETSI IPR Policy. Oppo was not an ETSI Clause 6.1 Beneficiary. It was not entitled to any of the declarations it sought. Finally, abuse of dominance arguments failed. Consequently, Oppo will have to make its election between committing to the FRAND licence determined in a previous trial or being subjected to an injunction against infringing Nokia’s patents. The main objective of the ETSI IPR Policy is to balance the rights and interests of IPR holders to be fairly and adequately rewarded for the use of their SEPs in the implementation of ETSI standards and the need for implementers to get access to the technology defined in ETSI standards under FRAND terms and conditions.
CMA provisionally clears NHS healthcare tech deal
The CMA has provisionally cleared UnitedHealth’s proposed £1.2bn purchase of EMIS following an in-depth investigation. EMIS supplies data management systems to the NHS, including the electronic patient record system used by the majority of NHS GPs in the UK. Optum currently supplies software used by GPs when prescribing medicines, as well as data analytics and advisory services that the NHS uses to help improve overall healthcare and health service provision. While the merging businesses do not supply competing services, Optum and its competitors use the data that EMIS holds and integrate their own software with EMIS’ electronic patient record system to compete in other markets, including the supply of population health management services and medicines optimisation software. A Phase 2 investigation confirmed that EMIS, as the lead supplier to NHS GPs across the UK, holds a particularly strong market position in the supply of electronic patient record systems. However, the combination of this position with Optum’s activities should not present competition concerns. In the supply of population health management services, the independent panel provisionally found that the merged business would not, in practice, be able to use the EMIS business to harm the competitiveness of rivals. This is primarily because the NHS would be able to use its oversight role to prevent the merged business from pursuing this kind of strategy. In relation to the supply of medicines optimisation software, the independent panel has provisionally found that it would not be commercially beneficial for the merged business to restrict access to EMIS’ electronic patient record system. In particular, a more detailed analysis of the market shows that such a strategy would likely be unprofitable, with any possible gains being limited and capable of being reduced through intervention by the NHS. The CMA welcomes responses from interested parties to its provisional findings by 1 September 2023. These will be considered ahead of the CMA issuing its final report, which is due by 5 October 2023.
EU law
EDPB settles dispute on TikTok processing of children’s data
The EDPB adopted a dispute resolution decision under Article 65 GDPR concerning a draft decision of the Irish DPC regarding TikTok Technology Limited. The binding decision addresses legal questions arising from objections to the draft decision of the DPC as lead supervisory authority regarding TikTok. The binding decision aims to ensure the correct and consistent application of the GDPR by the national data protection authorities. The DPC issued the draft decision following an own-volition inquiry into the processing by TikTok of personal data of registered TikTok users between the ages of 13 and 17, as well as certain issues regarding TikTok’s processing of personal data of children under the age of 13. As no consensus was reached on the objections lodged by other data protection authorities, the EDPB was called upon to settle the dispute. The objections concerned, among other things, whether there had been an infringement of data protection by design and default regarding age verification, and whether there had been an infringement of the principle of fairness with regard to certain design practices. The DPC is required to adopt its final decision, addressed to the controller, based on the EDPB binding decision considering the EDPB’s legal assessment, at the latest one month after the EDPB has notified its decision.