UK law
Court of Appeal rejects appeal against UK Information Commissioner’s monetary penalty notice
The ICO has issued a statement welcoming the Court of Appeal’s unanimous dismissal of an appeal by Doorstep Dispensaree Limited (DDL) against a monetary penalty notice (MPN) issued by the Commissioner on 17 December 2019. In its judgment, the CoA rejected both grounds for appeal brought by DDL. The Court found that the burden of proof in an appeal lies with the appellant and subsequent tribunals and appeal courts are not required to start considering an appeal with a “blank sheet of paper”, essentially ignoring the MPN. The ICO says that the case raised issues of considerable importance for ongoing and future appeals of penalties issued, and the ICO is grateful to the Court for clarifying the points of law. Doorstep Dispensaree, which supplied medicine to care homes, came to the ICO’s attention when the Medicines and Healthcare Products Agency reported the company after it seized unlocked crates of sensitive personal information stored in publicly accessible premises. Following an investigation the ICO issued the first Data Protection Act 2018 MPN, and an Enforcement Notice, on 17 December 2019. On appeal to the First Tier Tribunal the fine was reduced to £92,000 after DDL provided evidence showing less personal information was involved. DDL sought permission to appeal the subsequent Upper Tribunal judgement on seven grounds and was given permission to appeal only two.
Ofcom publishes update on connected TV platforms
Ofcom has published an update paper on the connected TV platform market, following an examination of these platforms as digital content gateways. As more people watch more TV online, a well-functioning connected TV platform market contributes to audiences having access to a wide range of high-quality content and services. Ofcom has examined the role of connected TV platforms as digital content gateways, looking at whether content providers are able to make their content available and discoverable to UK audiences on connected TV platforms. It has a range of evidence relevant to its powers to impose access-related conditions, including from major connected TV platform operators. The update document summarises its findings, looking particularly at agreements between platform operators and content providers. The document also describes some of the market’s features that could, in future, pose risks to competition, which might undermine the ability of content providers to access a range of platforms. The Media Act 2024 has changed Ofcom’s responsibilities as the UK’s regulator of broadcast and video-on-demand services. In particular, it has introduced new rules to ensure Public Service Broadcasters’ players and public service content are available, prominent and easily accessible on a range of connected TV platforms. In light of the analysis set out in the document and Ofcom’s new responsibilities under the Media Act, it has decided as a matter of administrative priority that it will not consider the application of access-related conditions in the connected TV platform market further at this time. Instead, it will prioritise putting the Media Act rules into practice.
Ofcom announces Global Online Safety Regulators Network’s three-year plan
The Global Online Safety Regulators Network has published its inaugural Annual Report and Strategic Plan for 2025-2027. The Network has identified the following three thematic priorities that will be its focus over the next three years. The first is building regulatory coherence across jurisdictions. Regulatory coherence is important to allow regulators grappling with novel frameworks to support one another in implementing effective online safety regulation, to enable companies to benefit from compliance economies of scale and legal certainty, and above all, to ensure that the online safety of internet users in the regulators’ respective countries does not stop “at the border”. The second priority is contributing to the evidence base of online safety and surfacing best practices. The evidence base for online safety regulation is nascent, and focusing on this priority will enable regulators, governments and policymakers to share expertise and to develop novel regulatory tools and practices. Their work to surface best practices will also support new and emerging regulators to learn from collective experiences as they commence their own online safety regulatory journey. The third priority is facilitating the sharing of information and coordination to promote compliance. From the beginning of the Network, regulators have found the ability to share informally as one of the most valuable parts of their work. Building more space for this kind of information sharing aims to deepen regulators’ understanding of users’ experiences on platforms and strengthen their capacity to hold platforms accountable for ensuring user safety, especially where there are risks of cross-border harm or instances of systemic non-compliance.
CMA consults on updated consumer protection enforcement guidance
The CMA is consulting on draft guidance outlining its role and powers in consumer protection. The proposed guidance aims to update and replace existing guidance to reflect the changes made under the Digital Markets, Competition and Consumers Act 2024. It provides a comprehensive summary of the CMA’s investigatory and enforcement powers and functions related to consumer protection. The consultation ends on 22 January 2025.
ICO fines companies £290k for making millions of nuisance calls
The ICO has fined two companies a total of £290k and issued them both with enforcement notices after they were found to have made numerous nuisance phone calls to people who had opted out of receiving marketing calls, attempting to sell them life insurance and debt management solutions. A debt advice company called BSL was found to have spoofed its outbound phone number by presenting over 1,000 different telephone numbers on calls. In March 2023 the ICO carried out a search at BSL’s office, seizing evidence including documents and electronic devices. The ICO’s investigation revealed that in 2022, BSL made 4,376,037 unsolicited direct marketing calls to numbers that had been registered to the Telephone Preference Service (TPS). This resulted in 58 complaints to the TPS and a further 193 complaints to the ICO. During the investigation, we found that BSL had deliberately tried to conceal its actions as well as ceasing to cooperate with the ICO. The ICO has now fined BSL £170,000. The ICO also identified that a second company, MBL, made 168,852 spam calls resulting in several further complaints being made to the ICO and TPS. MBL did not provide evidence that anyone whose number had been called had consented to receiving calls from them. The ICO has issued a £120,000 fine.
EU law
European Commission issues RFI to TikTok under Digital Services Act
The European Commission has sent TikTok a request for information (RFI) under the Digital Services Act. Against the background of the Romanian elections, the Commission requested TikTok to provide more information on its management of the risks of information manipulation. In particular, the Commission requested TikTok to provide detailed information on how it analysed and mitigated the risk of inauthentic or automated exploitation of its service and the risks stemming from its recommender systems. It also asked about TikTok’s efforts to enable a wider range of third parties to conduct public scrutiny, as well as to have access to publicly accessible data to detect, identify and understand systemic risks related to electoral processes. TikTok was required to provide the requested information by 13 December. Based on the assessment of the replies, the Commission will determine whether further steps will be appropriate. This RFI follows an earlier request sent to TikTok, as well as to Snapchat and YouTube, on 2 October, regarding the design and functioning of its recommender systems in relation to elections.