This Week’s Techlaw News Round-up

September 20, 2024

UK law

Repeal of video sharing platform regime commenced

Ofcom has started the process of repealing the VSP regime. It has issued a reminder that the UK government must give video sharing platforms at least six months’ notice of its intention to repeal the regime. 2 September 2024 marks the start of the six months’ notice for repeal of the VSP regime, being the first stage of the repeal process. The ultimate date of repeal will be decided by the UK government and it is expected to happen after Ofcom’s codes for protection of children come into force (date to be confirmed). The Secretary of State will lay a statutory instrument before Parliament, setting the date of repeal. From that date the current transition period will end and pre-existing VSPs will become fully subject to the Online Safety Act 2023.

CMA publishes findings on phase two of Vodafone/Three merger investigation

The Competition and Markets Authority has published its provisional findings on phase two of the potential Vodafone/Three merger investigation. It has provisionally concluded that the merger would lead to price increases for tens of millions of mobile customers, or see customers get a reduced service such as smaller data packages in their contracts. The CMA has particular concerns that higher bills or reduced services would negatively affect those customers least able to afford mobile services as well as those who might have to pay more for improvements in network quality they do not value. The CMA has also provisionally found that the merger would have a negative effect on “wholesale” telecoms customers – ie Mobile Virtual Network Operators (MVNOs) such as Lyca Mobile, Sky Mobile and Lebara, which rely on the existing network operators to provide their own mobile services. The merger would reduce the number of network operators from four to three, making it more difficult for MVNOs to secure competitive terms, restricting their ability to offer the best deals to retail customers. However, the CMA has also found that the merger, by integrating the Vodafone and Three networks, could improve the quality of mobile networks and bring forward the deployment of next generation 5G networks and services, as claimed by Vodafone and Three. However, it currently considers that these claims are overstated, and that the merged firm would not necessarily have the incentive to follow through on its proposed investment programme after the merger. As a result, the CMA has provisionally concluded that the merger would lead to a substantial lessening of competition in the UK, in both retail and wholesale mobile markets. The CMA asks for comments by 4 October 2024 and its notice of possible remedies by 27 September 2024. The CMA will consider these before it issues its final report, which is due by 7 December 2024.

ICO issues statement in response to Meta’s announcement on user data to train AI

The ICO has issued a statement in relation to Meta’s announcement about user data to train AI: “In June, Meta paused its plans to use Facebook and Instagram user data to train generative AI in response to a request from the ICO. It has since made changes to its approach, including making it simpler for users to object to the processing and providing them with a longer window to do so. Meta has now taken the decision to resume its plans and we will monitor the situation as Meta moves to inform UK users and commence processing in the coming weeks. We have been clear that any organisation using its users’ information to train generative AI models needs to be transparent about how people’s data is being used. Organisations should put effective safeguards in place before they start using personal data for model training, including providing a clear and simple route for users to object to the processing. The ICO has not provided regulatory approval for the processing and it is for Meta to ensure and demonstrate ongoing compliance.”

High Court grants application to serve outside jurisdiction regarding crypto fraud

In Tai Mo Shan Ltd v Persons Unknown, the High Court allowed an application to serve a claim, which sought to enforce a New York judgment relating to a cryptocurrency fraud, outside of the jurisdiction of England and Wales and by way of transmission of non-fungible tokens (NFTs). The court was satisfied that there was a good arguable case, that the claim fell within the service gateways in the Civil Procedure Rules, that England was the most appropriate forum for the proceedings; and that the claim had a reasonable prospect of success. The court acknowledged that cryptocurrency in a wallet held by the claimant’s solicitors in England and Wales was the only traceable proceed of the underlying fraud. It contained the proceeds of an “ethical hack” that had been ordered in related proceedings, and the New York judgment had declared that the claimants had a proprietary interest in its contents. The CPR also give a court the power to authorise a claimant to serve by a method not otherwise permitted under the rules (such as via NFT) if there is a good reason for doing so.

UK government issues guidance about how to join the register of digital identity and attribute services

The register of digital identity and attribute services is a public list of government approved organisations who provide digital identity services certified against the UK digital identity and attributes trust framework. The guidance sets out how digital identity and attribute service providers can apply to join the register of digital identity and attribute services. By joining the register, providers can prove that their services are safe, secure and reliable.

EU law

European Commission adopts new standard contractual clauses

The European Commission has adopted new standard contractual clauses (SCCs) that EU data exporters can use to transfer personal data to third-country controllers and processors which are directly subject to the EU GDPR. The model clauses are designed to ensure compliance with EU GDPR requirements and complement existing clauses for data transfers to third-country importers not covered by the EU GDPR.

Advocate General considers place of performance under Recast Brussels Regulation of online provision of software

In VariusSystems digital solutions GmbH v GR Inhaberin B & G (Case C?526/23), Advocate General De La Tour issued an opinion about the place of performance under Article 7(1) of the Recast Brussels Regulation ((EU) 1215/2012) for the online provision of software. Article 7(1) provides where a person domiciled in one member state may be sued in another, which for contract matters is generally the courts for the place where the goods were delivered or should have been delivered, or where services were provided or should have been provided. The case arose in the context of a contract for the development and operation of the software for COVID-19 tests in Germany. It did not have a jurisdiction clause or designate a place of performance if there was a dispute. The claimant claimed payment under the contract and sued in Austria on the basis that the work had been done in Vienna. The defendant alleged defects in the software and argued that the place of performance was that of its registered office. The AG proposed that the CJEU rules that Article 7(1) must be interpreted as meaning that the place of performance of the online provision of software is, in the absence of contractual provisions permitting that place to be determined, the place in which the customer uses that software.