UK law
Data Protection and Digital Information Bill reintroduced to House of Commons
The Data Protection and Digital Information Bill received its “first” and “second” readings in the House of Commons on 8 November 2023. The Public Bill Committee completed its work and reported the Data Protection and Digital Information (No. 2) Bill with amendments to the House in Session 2023-24, and the Bill has been renamed as it is in a new session. The Bill is now due to have its report stage and third reading on a date to be announced.
Digital Markets, Competition and Consumers Bill reintroduced to House of Commons
The Digital Markets, Competition and Consumers Bill has also been reintroduced to the new parliamentary session and received its first and second readings on 8 November. Report stage and third reading are due on 20 November. The government has tabled amendments aimed at maintaining the appeals process for all regulatory decisions (except fines) on the basis of judicial review principles. This will mean that eligible tech firms can challenge regulatory decisions on proportionality grounds throughout this process. This approach aims to enable the CMA to encourage the most powerful firms in dynamic digital markets to work with regulators to ensure competition is maintained on an ongoing basis, rather than allowing legal challenges to cause the regime to get bogged down in the courts. This is also intended to act as an incentive to the CMA to ensure that it is always acting proportionately and exploring the intervention that is most likely to achieve the best outcome for consumers. Under the Bill, certain firms may also be fined large sums. To make sure these huge fines are balanced by rigorous checks and balances, these firms will now be able to challenge these decisions “on their merits”. These changes allow firms to challenge fines on the substance of the decision, as well as the process to reach that decision. The legislation will also make clear that the regulator cannot impose a conduct requirement or pro-competition intervention on a firm unless it is proportionate to do so and there is a strong evidence base behind the intervention. These amendments bring the digital markets regime in line with the approach taken for decisions under the CMA’s Mergers and Markets regimes, where the decisions about the level of a fine can be appealed on the merits. Further amendments intend to boost the consideration of consumers by requiring the CMA to set out its reasoning for intervening in a market, including how this will tangibly benefit consumers.
Investigatory Powers (Amendment) Bill receives first reading in House of Lords
The Investigatory Powers (Amendment) Bill received its first reading in the House of Lords on 8 November 2023. The bill will deliver the urgent, targeted changes needed to deal with evolving threats. The reforms will support the intelligence agencies to keep pace with a range of threats, against a backdrop of accelerating technological change that provides new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. Updating the 2016 Act to reflect the current threat and changing technology landscape aims to ensure that intelligence agencies can develop the necessary tools and capabilities to rapidly draw insights from vast quantities of data, allowing them to better understand and respond to threats to the UK. The government says that the safeguards within the 2016 Act will be maintained and enhanced. The government has also published its response to the 2023 consultation on the Investigatory Powers Act notices regime. The Bill is due to receive its second reading on 20 November 2023.
Media Bill receives its first reading in House of Commons
The Media Bill has received its first reading in the House of Commons. It makes provision about public service television; about the sustainability of, and programme-making by, Channel 4; about the name, remit, powers, programme services; about the regulation of on-demand programme services; about the regulation of radio services; about the regulation of radio selection services; for the repeal of section 40 of the Crime and Courts Act 2013; for addressing deficiencies in broadcasting legislation arising from the withdrawal of the UK from the EU; and for connected purposes. The date for second reading is 21 November 2023.
FCA and Bank of England publish proposals for regulating stablecoins
The Financial Conduct Authority and the Bank of England are requesting feedback on their proposed approach to regulating stablecoins. The Bank’s proposals cover any payment systems in the future that use stablecoins in the UK at systemic scale. Stablecoins are a type of digital asset which aim to maintain a stable value. They could be used for retail payments in the future. The proposed regulatory approach put forward by the FCA and the Bank looks to harness the potential benefits stablecoins could provide to UK consumers and retailers, by making payments faster and cheaper. The proposals to regulate stablecoins aim to protect consumers and prevent money laundering with a strong set of rules and to safeguard financial stability. The UK government is giving the FCA powers to make rules about the issuance and custody of fiat-backed stablecoins in the UK under the Regulated Activities Order. It defines fiat-backed stablecoins as stablecoins that seek to maintain a stabilised value of the cryptoasset by reference to, and which may include the holding of, one or more specified fiat currencies. The consultation ends on 6 February 2023.
EDPS and Information Commissioner’s Office sign Memorandum of Understanding
The Memorandum of Understanding aims to further strengthen the EDPS and the Information Commissioner’s Office’s joint commitment to ensure a consistent and coherent approach to the protection of individuals’ rights to privacy and data protection. It sets out how both authorities, with their respective experiences and knowledge, plan to prioritise individuals’ fundamental rights across the EU and the UK.
EU law
EDPB adopts urgent binding decision on processing of personal data for behavioural advertising by Meta
The European Data Protection Board has adopted an urgent binding decision instructing the Irish Data Protection Commission as lead supervisory authority to take, within two weeks, final measures regarding Meta Ireland Limited and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire EEA. The urgent binding decision followed a request from the Norwegian Data Protection Authority (Datatilsynet) to take final measures in this matter that would have effect in the entire EEA. Datatilsynet had imposed a temporary ban on Meta’s unlawful processing of personal data for behavioural advertising conducted by its Facebook and Instagram services, which expired on 3 November 2023. The ban on processing is effective as of one week after the notification of the final measures by the DPC to the controller, which was on 31 October. The EDPB takes note of Meta’s proposal to rely on a consent-based approach as legal basis. The Irish DPC is currently evaluating this alongside the other regulatory authorities.
Theft of personal data does not on its own constitute identity theft although compensation for non-material damage may be claimed (Advocate General’s opinion)
In JU and SO v Scalable Capital GmbH (Cases C-182/22 and C-189/22) Advocate General Collins considered a referral from the German courts about what constitutes identity theft. AG Collins also considered in what circumstances non-material damages may be awarded. The claimants had their personal data stolen from a trading application managed by Scalable Capital. Although no identity fraud took place, the claimants claimed compensation for alleged pain and suffering under Article 82 of the GDPR. The claimants referred to recital 85 which distinguishes between identity theft and identity fraud and argued that theft of their data generated a right to compensation. Scalable argued that identity theft occurs only when the data is actually misused by assuming an individual’s identity and that Article 82 is designed to compensate for damages actually suffered. According to the AG, the theft of personal data does not in itself constitute identity theft or fraud. The courts must assess non-material damage and the right to compensation on a case-by-case basis, taking all relevant circumstances into account. In summary, the GDPR must be interpreted as meaning that the theft by an unknown offender of a data subject’s sensitive personal data may give rise to a right to compensation for non-material damage upon proof of an infringement of the GDPR, actual damage suffered and a causal link between the damage and that infringement. The award of such compensation does not require the offender to assume the data subject’s identity, nor does the possession of data that identifies the data subject itself constitute identity theft.
European Commission welcomes agreement on political advertising
The European Commission welcomes the political agreement reached between the European Parliament and the Council on the Regulation on transparency of political advertising. It is part of the Commission’s actions aimed at protecting election integrity and supporting an open democratic debate. Under the new rules, political adverts will need to be clearly labelled as such and must indicate who paid for them, how much, to which elections, referendum or regulatory process they are linked and whether they have been targeted. Citizens will be able to distinguish messages that seek to shape their political views and decisions. Targeting and amplification techniques will only be available for online political advertising based on personal data collected from the data subject and subject to consent, and the use of sensitive personal data will be banned. This aims to limit abusive use of personal data to potentially manipulate votes. All online political ads will be available in an online ad repository. Sponsoring ads from outside the EU will be prohibited three months before elections. The political agreement reached by the European Parliament and the Council is now subject to formal approval by the co-legislators. The Commission will work to support early compliance, including using the framework of the Code of Practice on Disinformation.
Commission welcomes final agreement on EU Digital Identity Wallet
The European Parliament and the Council of the EU have agreed the Regulation introducing European Digital Identity Wallets. In addition to public services, Very Large Online Platforms designated under the Digital Services Act (including services such as Amazon and Facebook) and private services that are legally required to authenticate their users will have to accept the EU Digital Identity Wallet for logging into their online services. In addition, the wallet’s features and common specifications should help private service providers accept them for their services, thus creating new business opportunities. The Wallet will also facilitate service providers’ compliance with various regulatory requirements. In addition to securely storing their digital identity, the Wallet will allow users to open bank accounts, make payments and hold digital documents, such as a driving licence, a medical prescription, a professional certificate or a travel ticket. Member states will be required to provide EU Digital Identity Wallets to their citizens 24 months after adoption of the Implementing Act setting out the technical specifications of the EU Digital Identity Wallet and the technical specifications for certification.
European Parliament adopts Data Act
The European Parliament has adopted the text of the Data Act. The Act sets out a clear definition of trade secrets and trade secret holders with the aim of preventing unlawful data transfers and data leaks to countries with weaker data protection regulations. The Act also aims to facilitate switching between cloud service providers and introduces safeguards against unlawful international data transfers by these companies. Cloud service customers will have the power to negotiate contracts and avoid being locked in with a particular provider. The Act now awaits formal approval by the Council of the EU.
European Parliament adopts draft position to curb child sexual abuse online
The European Parliament has adopted its draft position on new measures to protect children online by preventing and stopping child sexual abuse. The new rules will require internet providers to assess if there is a significant risk of their services being misused for online child sexual abuse and to solicit children, and to take measures to mitigate these risks. Mitigation measures must be targeted, proportionate and effective, and internet providers have discretion about which ones to use. To avoid mass surveillance, judicial authorities will be allowed to authorise time-limited orders to detect any child sexual abuse material (CSAM) and take it down or disable access to it, when mitigation measures are not effective in taking it down. An EU Centre for Child Protection will also be established to help implement the new rules and support internet providers in detecting CSAM. It will also collect, filter and distribute CSAM reports to competent national authorities and Europol. In addition, the Centre will also support national authorities as they enforce the new child sexual abuse rules and conduct investigations. National regulators may levy fines of up to 6% of worldwide turnover for non-compliance. The draft Parliament position now awaits endorsement in plenary.
EDPB provides clarity on tracking techniques covered by the ePrivacy Directive
The European Data Protection Board has adopted Guidelines on the technical scope of Article 5(3) of the ePrivacy Directive. The Guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals. To clarify the scope of Article 5(3), the Guidelines analyse the key definitions in it, such as ‘information’, ‘terminal equipment of subscriber or user’, ‘electronic communications network’, ‘gaining access’ and ‘stored information/storage’. The Guidelines also include a set of practical use cases featuring common tracking techniques. The Guidelines only address the scope of the application of Article 5(3) of the ePrivacy Directive. They do not address how consent should be collected, or the exemptions set out. The Guidelines will undergo consultation for six weeks.