Product Regulation and Metrology Bill introduced to Parliament
On 4 September 2024, the Product Regulation and Metrology Bill had its first reading in the House of Lords. The Bill aims to reform the UK’s product safety regime by addressing modern safety issues. The Bill’s second reading in the House of Lords is due to take place on 8 October 2024. The Bill, which applies to the whole of the UK, aims to reform the UK’s product safety regime by addressing modern safety issues, including those due to technological advances, such as AI, the fire risk associated with e-bikes and lithium-ion batteries. The Bill also aims to identify new and emerging business models in the supply chain, and ensure that the law can be updated to recognise new or updated EU product regulations, including the CE marking, where appropriate. An Impact Assessment has been published alongside the Bill, having been submitted to the Regulatory Policy Committee for scrutiny on 7 August. The RPC is currently reviewing the Impact Assessment, and will produce an opinion when its scrutiny has been completed. This will be made available to the Government and published on the RPC’s website.
Public Authority Algorithmic and Automated Decision-Making Systems Bill introduced in House of Lords
On 9 September 2024, Liberal Democrat peer Lord Clement-Jones introduced a Private Members’ Bill to the House of Lords to regulate public sector use of automated and algorithmic systems in decision-making processes and to make provision for connected purposes. It is due to receive its second reading on a date to be announced.
Draft Communications Act 2003 (Disclosure of Information) Order 2024 laid
The draft Communications Act 2003 (Disclosure of Information) Order 2024 has been laid. Its aim is to extend the circumstances in which information about a particular business obtained by the Office of Communications when exercising its powers conferred under the Communications Act 2003, the Broadcasting Act 1990, the Broadcasting Act 1996 or the Online Safety Act 2023 may be disclosed. It is due to come into force on the day after it is made. It also aims to make sure that Ofcom can share business information it has obtained using statutory powers with the Secretary of State and other relevant persons for the purpose of the Secretary of State (or other relevant person) fulfilling their online safety functions. Ofcom may only share such information in certain circumstances, including to facilitate a relevant person in carrying out a relevant function.
Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2024 laid
The Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2024 have been laid. The draft Regulations insert new Sexual Offences Act 2003 (SOA) offences into the Online Safety Act 2023 SA “priority offences” Schedule 7. These new offences relate to individuals sharing, or threatening to share, intimate images of others without their consent (Intimate Image Abuse offences or ”IIA” offences). These were recently inserted into the SOA in new section 66B by s.188 of the OSA. The offences came into force on 31 January 2024. More information is available in the explanatory memorandum. The SI also removes an offence from OSA “priority” offences” Schedule 7. This is the offence in section 33 of the Criminal Justice and Courts Act 2015 (CJCA) about disclosing, or threatening to disclose, private sexual photographs and films with intent to cause distress which was repealed by the Online Safety Act but still appears in the Schedule.
DSIT writes to Ofcom about regulation of “small but risky” services under Online Safety Act 2023
The Department for Science, Innovation and Technology (DSIT) has published its letter to Ofcom raising concerns about the regulation of “small but risky’ online services” under the Online Safety Act 2023. Because these online services provide harmful information and illegal misinformation to individuals, the Secretary of State for Science, Innovation and Technology has asked Ofcom to explain how it will monitor these small but risky services and how it will enforce the provisions of the Act to protect individuals from this content.
FCA charges individual with running a network of illegal crypto ATMs
The FCA has charged an individual for unlawfully running multiple crypto ATMs without FCA registration. Crypto ATMs are machines that allow you to buy or convert money into cryptoassets. The defendant is accused of running crypto ATMs, which processed £2.6m in crypto transactions across multiple locations between 29 December 2021 and 8 September 2023 without the required registration. The charges mark the FCA’s first criminal prosecution relating to unregistered cryptoasset activity under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. These are also the first charges brought against a person accused of running a network of crypto ATMs in the UK. This follows the FCA’s recent operation, working in partnership with law enforcement agencies, to tackle illegally operated crypto ATMs across the country. There are no legal crypto ATM operators in the UK. The defendant will appear before Westminster Magistrates’ Court on 30 September 2024. On 28 August 2024, Kent Police charged an individual for running a single crypto ATM without FCA permission. This was the first charge of its kind brought against an individual in the UK.
ICO and NCA sign memorandum of understanding for further collaboration on cyber security
The ICO has signed a Memorandum of Understanding with the National Crime Agency (NCA) that sets out how both organisations will cooperate to improve the UK’s cyber resilience. The aim of this work is to ensure that organisations across the country can better protect themselves from criminals who steal data and hold it to ransom. The ICO commits to providing relevant, up to date information sharing on cyber security matters, to support improved cyber security, and to provide guidance on how change can be implemented. Specifically, the ICO is working more closely with the NCA to ensure organisations are signposted to relevant bodies, such as the National Cyber Security Centre, and are empowered to report cyber-crime at the earliest opportunity. The ICO will encourage organisations to engage appropriately with the NCA on cyber security matters, including the response to cyber crime. It says that the NCA will never pass information shared with it in confidence by an organisation to the ICO without having first sought the consent of that organisation. The ICO will support the NCA’s visibility of UK cyber attacks by sharing information about cyber incidents with the NCA on an anonymised, systemic and aggregated basis, and on an organisation specific basis where appropriate, to assist the NCA in protecting the public from serious and organised crime. Where both bodies are engaged on a cyber incident, they will endeavour to deconflict to minimise disruption to an organisation’s efforts to contain and mitigate harm. They will work together to promote learning, provide consistent guidance and improve standards on cyber-related matters.
Ofcom publishes terms of reference for 2025 review of public service media
Ofcom says that public service media (PSM) holds a unique place in UK society. It provides trusted and accurate news, content that reflects the whole of the UK and brings audiences together. However, as audience consumption continues to move online, there are serious risks to the scale of the future provision of PSM content considering the financial challenges facing PSBs. Many of Ofcom’s previous recommendations have been adopted in the Media Act 2024. However, the ongoing pace of change means it must continue to assess what further reform might be needed to protect essential public service media for UK audiences. It has set out the terms of reference for its next review of public service media. The first phase of the review will explain how the PSBs have delivered for UK audiences over the last five years and explore the challenges to its provision over the next decade and beyond. The second phase will consider opportunities to support the future sustainability of public service media and the availability of high quality and accurate news that audiences can trust.
Data centres to be given protections from cyber criminals and IT blackouts
The government has classed UK data centres as “Critical National Infrastructure”. It is the first CNI designation in almost a decade, since the Space and Defence sectors gained the same status in 2015. The data centres sector can now expect greater government support in recovering from and anticipating critical incidents, aimed at giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all. If there were an attack on a data centre hosting critical NHS patients’ data, for example, the government would intervene to ensure contingencies are in place to mitigate the risk of damage or to essential services, including on patients’ appointments or operations. Earlier in the summer, Department for Science, Innovation and Technology (DSIT) also announced its intention to introduce the Cyber Security and Resilience Bill and strengthen the country’s cyber defences by mandating that providers of essential infrastructure protect their supply chains from attacks.
EU & elsewhere
EDPB to work together with European Commission to develop guidance on interplay GDPR and DMA
The European Commission and the European Data Protection Board have agreed to work together to clarify and give guidance on how the DMA and GDPR interlink. It will focus on the applicable obligations to digital gatekeepers under the DMA which overlap with the GDPR to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives. The DMA established a High Level Group to provide the Commission with advice and expertise to make sure that the DMA and other sectoral regulations applicable to gatekeepers are implemented in a coherent and complementary manner. The Commission and representatives from the EDPB and EDPS already engaged on data-related and interoperability obligations in the High Level Group. This project builds on this engagement and deepens the cooperation in relation to the two specific regulatory frameworks.
European Commission hosts first AI board meeting
The European Commission has announced that it hosted the first meeting of the AI board on 10 September 2024, following the EU AI Act’s entry into force on 1 August 2024. The AI board is comprised of representatives from the Commission and member states and focuses on the development of AI in the EU. The meeting focused on the establishment and adoption of the AI boards’ rules of procedure, strategic discussions around the EU AI policy (including the GenAI4EU initiative and international AI activities), the implementation of the EU AI Act, and best practices for national approaches to AI governance.
European Commission publishes Data Act FAQs
The European Commission has published FAQs on the Data Act, which establishes rules on data access and use to enhance data availability and promote innovation while ensuring fairness. The Act comes into effect on 12 September 2025 and, along with the Data Governance Act, aims to create a single market for data in Europe. The FAQs cover the relationship between the Data Act and the GDPR, access to and use of data in relation to the Internet of Things (for users, data holders and third parties), fair, reasonable and non-discriminatory conditions, compensation and dispute resolution, switching between data processing services, and enforcement.
UK, US and Australia sign MoU on data sharing and critical supply chain risks
The UK, US and Australia have signed a Memorandum of Understanding (MoU). The MoU establishes a new trilateral collaboration aimed at strengthening cooperation and addressing risks to critical supply chains, as well as a Supply Chain resilience Cooperation Group. The group aims to collaborate on data exchange and coordinated efforts to enhance resilience in crucial supply chains. It will pilot an early warning system focused on the telecommunications supply chain. This will involve identifying and monitoring risks of disruptions to improve understanding of vulnerabilities and develop protocols for sharing this information and responding jointly to disruptions.