Governmental and Regulatory Activity:
Regulatory Enforcement and Litigation:
- ICO takes action over alleged theft of road traffic accident data
- noyb lodges 226 cookie banner complaints
Our most recent Tech and Data Leaders Forum webinar focused on the Bill and how the changes to UK data protection law could impact your business in the UK and internationally. You can listen to the recording here.
DWF Solutions: we will keep you posted through Data Protection Insights on developments.
Governmental and Regulatory Activity
The EU Digital Services Act (DSA) is due to be adopted by the Council of the EU in September 2022 and is expected to take effect in January 2024. While the DSA will not form part of UK law, it will affect UK businesses that trade in the EU. The key provisions are:
- Identifying and removing illegal content - intermediary service providers will be eligible for the conduit, caching and hosting exemptions from liability for illegal content if they carry out investigations or other activities aimed at detecting, identifying and removing, or disabling access to, illegal content, provided that these activities are carried out in good faith and in a diligent manner.
- Banning "dark patterns" and practices that manipulate users’ choices – the DSA prohibits intermediary service providers from using deceptive or "nudging" techniques to influence service users’ behaviour. The DSA does not contain a list of banned techniques, but the European Commission may issue guidance on specific practices, e.g. the use of pop-ups.
- Increased transparency and accountability of online platforms – all providers must include the following information in publicly-accessible terms and conditions:
- restrictions on use of their service;
- how they moderate content;
- their internal complaint handling systems; and
- significant changes to their terms and conditions.
Providers of services directed at or predominantly used by children must explain the terms and conditions in a way that they can understand.
Very large online platforms and very large search engines must:
- provide service recipients with a concise summary of their terms and conditions in a machine-readable format and in clear and unambiguous language; and
- publish their terms and conditions in the official language of all member states in which they offer their services.
- Online advertising transparency – traders using online platforms must:
- prominently identify all advertisements;
- ensure that recipients can identify the advertiser;
- ensure that recipient understand how to change any parameters used to select them as an audience for the advert;
- enable recipients to declare whether content they provide to the platform contains commercial communications, so that such communications can be identified by other users; and
- not use special category data for profiling to target advertising.
DWF Solutions: if you'd like us to consider with you how this impacts (and the direction of travel in the UK) then let us know.
DCMS (the Department for Digital, Culture, Media and Sport) has published its UK Safety Tech sectoral analysis report, which has been updated for 2021/22. The report starts by providing statistics to show the growth of the UK safety tech sector, then lists activities by government, industry and academia in the last year in response to the recommendations of the 2020 report, including:
- G7's Internet Safety Principles;
- the introduction of the Online Safety Bill;
- the launch of the UK government Safety Tech Challenge Fund, which provides funding to demonstrate how child sexual abuse material can be detected in end-to-end encryption environments while upholding user privacy; and
- the launch of the pilot Safety Tech Academy, a scheme to help UK safety tech SMEs scale up their businesses.
Regulatory Enforcement and Litigation
The ICO has announced that it has commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of personal information from vehicle repair garages to generate potential leads for personal injury claims. The defendants are alleged to have conspired between 2014 and 2017 to access and obtain the personal data of hundreds of thousands of individuals.
The defendants will now face prosecution for conspiring to commit an offence under:
- the Computer Misuse Act 1990, relating to the alleged unlawful accessing of personal data held on computers; and
- the Data Protection Act 1998 (because the alleged activities took place before GDPR took effect), relating to the alleged unlawful obtaining of personal data.
DWF Solutions: if you are unsure regarding personal data leaving your organisation, let us know as we can help. It is your responsibility to assure this, not just the ICO's.
Max Schrems' privacy activist organisation noyb (which stands for none of your business) has announced that it has lodged 226 complaints against organisations which noyb alleges are using cookie banner software with deceptive settings, in breach of GDPR.
Noyb's statement says that companies use so-called "dark patterns" in their banner designs to get users to click the "accept" button because it is too burdensome to decline. Noyb scanned thousands of websites and served informal draft complaints on those which did not comply with GDPR requirements. The formal complaints which noyb has now lodged relate to organisations that did not cooperate.
It's worth flagging that, while the UK Data Protection and Digital Information Bill (which is due to receive its second reading in the House of Commons on 5 September) includes measures to relax the rules on cookies, organisations which process the personal data of individuals in the EU will still need to comply with the GDPR requirements.
You can watch our recent webinar about the UK Data Protection and Digital Information Bill here.
DWF Solutions: if you're subject to these complaints or want us to check your cookie compliance approach, let us know.
For advice on any aspect of data protection law, please contact one of our privacy specialists.