15 March 2024
UK law
Joint Committee on National Security Strategy issues UK government response to its report on ransomware
The Joint Select Committee on the National Security Strategy has published the UK government’s response to its year-long inquiry into ransomware. Following the response, the Committee intends to continue to monitor and follow up on issues raised in its report, especially in the areas where it says “well-founded recommendations to enhance critical elements of national security have been rejected out of hand”. It will also encourage the successor Committee appointed after the upcoming General Election to continue to follow up and monitor progress against the report’s recommendations. The Committee will seek to assess whether the assertions made by the government in rejecting key recommendations – that the National Cyber Strategy will reduce the number and size of cyber-attack insurance claims, obviating the need for government intervention in that insurance market; that the fragmented approach to regulation and enforcement across government is effective; that the proposed 21% resource uplift for the National Crime Agency is commensurate with the resource needed to tackle cybercrime – are borne out in evidence, and continue to press for the recommended interventions to be implemented where it is not.
FCA updates position on cryptoasset Exchange Traded Notes for professional investors
The Financial Conduct Authority (FCA) has announced that it will not object to requests from Recognised Investment Exchanges (RIEs) to create a UK listed market segment for cryptoasset-backed Exchange Traded Notes (cETNs). These products would be available only to professional investors, such as investment firms and credit institutions authorised or regulated to operate in financial markets. Exchanges will need to continue to make sure sufficient controls are in place, so that trading is orderly and proper protection is afforded to professional investors. cETNs must meet all the requirements of the UK Listing Regime, for example on prospectuses and ongoing disclosure. With increased insight and data due to a longer period of trading history, the FCA believes exchanges and professional investors should now be able to better establish whether cETNs meet their risk appetite. The FCA continues to believe cETNs and crypto derivatives are ill-suited for retail consumers due to the harm they pose. As a result, the ban on the sale of cETNs (and crypto derivatives) to retail consumers remains in place. The FCA continues to remind people that cryptoassets are high risk and largely unregulated.
Two UK websites introduce age assurance measures for adult content following Ofcom engagement
Two online platforms have introduced age assurance measures, after Ofcom raised concerns that they were not doing enough to prevent children from being able to access pornography hosted on their sites. Both platforms now require users, at the point of accessing adult content, to verify their age by one of four methods: submitting verifiable credit card details, allowing their age to be estimated by an age estimation tool, submitting valid identification, or undergoing a mobile network operator check; alternatively, users can sign into a registered account in which their age has already been verified. Both platforms proactively engaged with Ofcom, which will monitor whether these changes are working effectively.
ICO issues reprimand to London Mayor’s office for Policing and Crime
The ICO has reprimanded the London Mayor’s Office for Policing and Crime (MOPAC) for a glitch in its complaint web forms which exposed the personal data of people who were complaining about the Metropolitan Police Service. MOPAC, which is responsible for the oversight of the Metropolitan Police, had two contact forms on its website, submissions to which were accidentally made public in November 2022. One form was to contact the Victims Commissioner for London and the other to escalate a complaint about the Metropolitan Police Service. MOPAC contacted 394 people to alert them that their data had been made available in error. However, there is no evidence that the data was ever accessed by a third party. Since the error was reported, MOPAC has taken remedial action, including improving awareness of the forms’ permissions and delivering training on them.
ICO fines Pinnacle Life £80,000 for a year-long unlawful spam phone call campaign
The ICO has also fined Pinnacle Life £80,000 for spam calls. It says that Pinnacle made nearly 48,000 unlawful calls to people registered on the Telephone Preference Service. During the spam calls, the company attempted to sell life insurance products. Members of the public told the ICO that company employees would often become insulting or aggressive during these calls and continue to harass victims when they asked not to be contacted further. They would present misleading information, often suggesting they were employed by the same company with which the victims had a life insurance policy. An investigation by the ICO found evidence to suggest attempts by the company to continue to operate under another name and not comply with orders to cease contacting individuals.
EU law
Tinder commits to provide clear personalised prices information to consumers
Online dating app Tinder has committed to provide consumers with clear information about personalised prices after discussions with the European Commission and EU Member States’ consumer authorities. The Consumer Protection Cooperation Network (CPC) started the dialogue with Tinder in July 2022 under the Commission’s coordination, following an early 2022 study from the Swedish consumer association showing that the app charged different prices from one user to another without informing them. Moreover, no clear pattern emerged as to which variables determined the price. These practices were violations of EU consumer law. The CPC will actively monitor how Tinder implements the commitments on the app and, where necessary, enforce compliance, for example by imposing fines. Tinder committed to the following by mid-April 2024: not applying personalised pricing based on age without clearly informing consumers; clearly informing consumers that discounts on prices for premium services are personalised by automated means; and informing consumers why they are offered personalised discounts.
MEPs adopt plans to boost security of digital products
The European Parliament has approved new cyber resilience standards aimed at protecting digital products in the EU from cyber threats. The regulation, already agreed with the Council in December 2023, aims to ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties. Important and critical products will be put into different lists based on their criticality and the level of cybersecurity risk they pose. The two lists will be proposed and updated by the European Commission. Products deemed to pose a higher cybersecurity risk will be examined more stringently by a notified body, while others may go through a lighter conformity assessment process, often managed internally by the manufacturers. Products such as identity management systems software, password managers, biometric readers, smart home assistants and private security cameras are covered by the new rules. Products should also have security updates installed automatically and separately from functionality updates. The European Union Agency for Cybersecurity (ENISA) will be more closely involved when vulnerabilities are found and incidents occur. ENISA will be notified by the member state concerned and receive information so it can assess the situation and, if it identifies a systemic risk, will inform other member states so they are able to take the necessary steps. The Council of the EU will now have to formally adopt the new cyber resilience standards for the regulation to become law.
Media Freedom Act agreed by European Parliament
The European Parliament has agreed the Media Freedom Act. EU member states will be obliged to protect media independence, and all forms of intervention in editorial decisions will be banned. Among other things, the text includes a mechanism to prevent very big online platforms, such as Facebook, X (formerly Twitter) or Instagram, from arbitrarily restricting or deleting independent media content. Platforms will first have to distinguish independent media from non-independent sources. Media would be notified when the platform intends to delete or restrict their content and would have 24 hours to respond. Only after the reply (or in the absence of one) may the platform delete or restrict the content, if it still does not comply with the platform’s conditions.
EDPS finds Commission’s use of Microsoft 365 infringes data protection law
The European Data Protection Supervisor (EDPS) has found that the European Commission’s use of Microsoft 365 infringed several provisions of data protection law, including a failure to adopt appropriate safeguards for data exported outside the EU. Among other corrective measures, the Commission was ordered to suspend all data transfers to countries outside the EU lacking adequacy decisions, effective from 9 December 2024.
Council and Parliament strike a deal to expand the use of digital tools in EU company law
The Council and the European Parliament have reached a provisional deal on the Directive to further expand and upgrade the use of digital tools and processes in company law. The new rules will make companies’ data more easily available, enhance trust and transparency in companies across member states, create more connected public administrations and reduce red tape for companies and other stakeholders in cross-border situations. The Directive aims to contribute to a more integrated and digitalised single market for companies. The provisional agreement reached with the European Parliament now needs to be endorsed and formally adopted by both institutions.