Regulating UK digital services – the British government shares its thoughts

The UK government recently published its response (Government Response) to a House of Lords committee report (Committee Report) discussing prospective regulation of digital services facilitated by the internet.

The Government Response largely accepts the key recommendations of the Committee Report, and finds the Committee Report is closely aligned with the government’s preferred approach. The Government Response also refers to the objectives identified in its recently published Online Harms White Paper.

We summarise some of the key recommendations of the Government Response and the differences between the Government Response and Committee Report:

  1. The Government Response reaffirms the principles set out in the Digital Charter.
  2. The Government Response also confirms that the government will establish a central regulatory body which will coordinate internet regulation and oversee and enforce a new statutory duty of care.
  3. An additional duty of care will be imposed on online platforms to ensure that they have adequate risk management procedures in place. The duty is designed to make companies take more responsibility for user safety online and tackle harm caused by content or activity on their services.
  4. The principles set out in the Committee Report are affirmed. In particular, the Government Response draws attention to initiatives in place to increase digital literacy and sets out the role of the newly created Centre for Data Ethics and Innovation in shaping future guidance for industry.
  5. The Committee Report suggested that companies should keep a record of the time each user spends using their services. The Government Response does not go so far as the Committee Report. The Government Response finds insufficient evidence to link screen-based activities and negative effects. However, the Government Response does leave the door open for future regulatory intervention in this area. In the meantime, companies will be expected to support the development of research in this area by providing anonymised data to researchers.
  6. Similarly, the Government Response on market concentration did not go as far as the Committee Report recommendation. The Committee Report recommended the introduction of a public-interest test when assessing possible mergers between digital service providers. This will sit alongside the Competition and Markets Authority’s existing tests when assessing possible mergers. The new test would focus on the accumulation of data in order to prevent the creation of data monopolies.
  7. The Government Response disagrees with the Committee Report recommendation for companies to publish annual data transparency statements. The Government Response states that it is sufficient for companies to publish GDPR-compliant privacy notices.
  8. One of the headline recommendations in the Committee Report was the prospective use of a labelling scheme for social media in order to moderate content. This labelling scheme would have been overseen by Ofcom, the UK’s broadcasting and telecommunications regulator. The Government Response is not clear about whether it agrees with this approach. However, the government has not ruled out the potential use of a labelling scheme in the future.

Comment

As we indicated in our post on the Committee Report, many of the initial recommendations are already achieved by existing laws or present serious implementation issues. The Government Response has helped modulate many of the Committee Report’s recommendations although more detail will be required before pen is put to statute paper. The Committee Report and Government Response offer an interesting insight into potential regulatory developments that all companies in the online space need to be aware of. We will keep you posted on future developments.

European Commission issues guidance on the free flow of non-personal data in the EU

The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), which we discussed in a previous blog, became applicable from 28 May 2019. Together with the General Data Protection Regulation (EU) 2016/679 (GDPR), the two regulations now provide a “comprehensive framework for a common European data space and free movement of all data within the European Union”. The European Commission has published practical guidance to help users understand the interaction between these two regulations.

Continue Reading

EU Cybersecurity Act gets the green light!

On 7 June 2019, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the Cybersecurity Act, was given the final go-ahead and published in the Official Journal of the European Union.  The Cybersecurity Act will come into force on 27 June 2019.

As highlighted in our previous blog on the Cybersecurity Act, cyberattacks are becoming more and more sophisticated and most often occur across borders. There is a growing need for effective and coordinated responses and crisis management at the EU level.  The Cybersecurity Act aims to build a safer cyber environment through an EU-wide framework for businesses to achieve cybersecurity certification for their information and communications technology (ICT) products, processes and services.

ENISA will assume the key role of supervising and advancing cooperation and information sharing across EU member states, EU institutions and international organisations.

The past two years have seen cybersecurity turning into a high priority on the Brussels agenda.  The Cybersecurity Act forms part of a set of measures across the board intended to promote more robust cybersecurity within the EU by establishing the first EU-wide cybersecurity certification framework across a broad range of products (e.g. the Internet of Things) and services.

The Cybersecurity Act works alongside both:

  • the EU General Data Protection Regulation, which requires security measures to be implemented when processing personal data; and
  • the EU Network and Information Security Directive (NIS Directive), which aims to protect critical national infrastructure.

While the NIS Directive applies only to operators of essential services and digital service providers, the Cybersecurity Act encourages all businesses to invest more in cybersecurity and to build it into their ICT devices. Ultimately, the collective framework of legislation is designed to counteract cyberattacks and to raise consumers’ and industry players’ trust in ICT solutions.

More questions, complaints, and cross-border enforcement – GDPR one year on

The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how:

  • the GDPR’s “one stop shop” mechanism has been bedding down; and
  • the number of data subject complaints and data breach notifications have increased since GDPR came into force.

What do the statistics show?

During GDPR’s first year, the EDPB case register logged 446 cross-border cases. 205 of these (46 per cent) have been dealt with under the one stop shop procedure. The one stop shop is designed to enable companies that process the personal data of people in more than one EEA state to deal with a single EEA regulator. This regulator is known as a company’s lead supervisory authority (LSA). An LSA must be identified by a company in its EU place of central administration.

Most EEA regulators have seen significant increases in the number of complaints received from data subjects and data breach notifications submitted by companies. More than 144,000 queries and complaints have been made by individuals. Over 89,000 data breach notifications have been made by companies. The increase in queries and complaints substantiate the EDPB’s findings that data protection awareness is on the rise across Europe. The EDPB’s research found that 67 per cent of EU citizens have heard of GDPR. This is an increase of 20 per cent when compared to 2015.

The one stop shop: what’s in it for companies?

As highlighted in our recent article about GDPR’s first year, companies involved in cross-border personal data processing should prioritise identifying their LSA. Knowing your LSA at a time of crisis – for example, a pan-EEA personal data breach – is important. It will save you time and money and massively reduce your administrative burden. Instead of having to deal with upwards of 45 EEA regulators, you only have to liaise with your LSA. Your LSA will coordinate its investigation and response with other regulators, if necessary. Personal data breaches are difficult enough to respond to without having to coordinate responses for an impossibly large number of regulators.

Comment

The past year has been challenging for privacy professionals. It has been a year of increased privacy and data protection awareness. The statistics published by the EDPB are a helpful snapshot. They provide quantitative proof that privacy and data protection are more prominent now than they ever have been. The EDPB’s stated intention is to continue to listen to and cooperate with people and businesses involved in daily data processing. GDPR’s year two will, most likely, involve ever greater cooperation between regulators. Companies should take note and plan accordingly.

Nevada and Oregon expand their data privacy laws

May was a busy month for state privacy law updates and amendments. In addition to amendments made by Texas to its breach notification law, both Oregon and Nevada expanded their privacy-related laws this month, while Illinois’s CCPA-like law failed to pass after a variety of amendments related to whether the law would allow for a private right of action.

In Oregon, the legislature expanded its data breach notification statute (ORS §§ 646A.600 et seq.). Oregon’s updated data breach law, which was signed by Governor Kate Brown on May 24, 2019 and goes into effect on January 1, 2020, expands breach notification requirements to cover “vendors,” which it defines as “a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.” Under the new law, a vendor must notify Oregon’s Attorney General when subject to a security breach affecting the personal information of over 250 Oregon consumers, or when the number cannot be determined. Vendors do not need to notify the Attorney General if the covered entity has already made the notification. Vendors must also notify their business customers of the breach within 10 days – a change from previous language mandating notification “as soon as practicable.” The law also expands Oregon’s definition of personal information to include usernames, but only when combined with authentication factors.

On May 29, 2019, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220), a California Consumer Privacy Act (CCPA)-like law which goes into effect on October 1, 2019. This law, which amends a prior Nevada law covering consumer privacy disclosures, requires operators to allow consumers to submit verified requests through a designated request address directing operators not to sell any covered information that the operators have collected or will collect about a person.  Because SB-220 goes into effect in 2019, before the January 1, 2020 effective date of CCPA, Nevada will be the first state to provide consumers with the right to opt out of the sale of their personal information. The Nevada law, however, is much narrower than the CCPA:

  • “Sale” is defined as “the exchange of covered information for monetary considerations to a person for the person to license or sell the covered information to additional persons,” a narrower definition than “for monetary or other valuable consideration.”
  • Sale also excludes disclosures to data processors, to operators providing a service requested by the consumer, for purposes consistent with the reasonable expectation of the consumer, to affiliates, and as part of a transfer of assets.
  • Like the CCPA, SB-220 specifically excludes entities subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. SB-220 also excludes vehicle manufacturers and repairers who collect information related to a motor vehicle’s technology or service.

SB-220 authorizes the Nevada Attorney General to seek an injunction or civil penalty of up to $5,000 for each violation of the law.

Although many other proposed laws were not enacted this year, data breach and data privacy laws remain priorities for many state legislatures. In the absence of an omnibus federal data privacy or breach law, states will continue enacting varied laws governing these issues. Companies should be aware that these laws are constantly changing and that it is crucial to stay apprised of these changes to ensure compliance with a patchwork of state laws. Because these laws ultimately will be enforced by State Attorneys General, companies also should consider an effective attorney-general outreach strategy as part of their broader approach to government relations.

UK Jurisdiction Taskforce consultation on cryptoassets, distributed ledger technology and smart contracts

The UK Jurisdiction Taskforce (UKJT) recently published a consultation paper requesting submissions from stakeholders working with, or interested in, cryptoassets, distributed ledger technology (DLT) and smart contracts. Submissions will inform a legal statement by UKJT which will aim to settle questions on the legal status of cryptoassets and smart contracts. UKJT is drawn from industry, government and the judiciary and was formed to facilitate the growth of the UK legal sector.

UKJT seeks to clarify whether cryptoassets, DLT and smart contracts are compatible with, and can be relied upon with sufficient legal certainty in, English private law. UKJT’s legal statement should also provide clarification on any areas of uncertainty in the interaction of English law with cryptoassets, DLT and smart contracts.

Cryptoassets

The consultation paper identifies the legal uncertainty surrounding the status of cryptoassets as an important area in need of clarification. The consultation paper requests input on when a cryptoasset and a private key should be characterised as personal property. UKJT has limited the scope of its investigation to focus on property law rather than include other areas such as tax or data protection law. This is in order to resolve the central question of whether cryptoassets should be considered personal property in the hope of facilitating the appropriate future development of cryptoassets. The current approach of English property law is not fully compatible with the various understandings of cryptoassets. In particular, English property law has difficulties characterising cryptoassets in terms of whether they may be seen as a physical thing or a right (chattel, chose in action or chose in possession) or as property (whether personal or intellectual), and determining where they are located.

Smart contracts

UKJT is interested in determining the enforceability of smart contracts and the circumstances under which a smart contract is capable of giving rise to binding legal obligations. The consultation paper highlights the need to clarify how the general principles of contractual interpretation by a court may need to be recalibrated when applied to smart contracts. There are also concerns over how parties may be able to enforce their rights and rely on smart contracts in the event that the technology malfunctions or does not perform as expected.

DLT

The consultation paper identifies the difficulty in defining DLT, an area that is constantly evolving and with developing terminology and taxonomy, meaning that any recommendations may quickly require reconsideration. However, understanding DLT is key to informing any future regulation of cryptoassets or smart contracts. The consultation paper, therefore, requests input on whether DLT could be considered to be a register for the purposes of evidencing, constituting and transferring title to assets.

Comment

This consultation paper is the latest addition in a recent trend by regulators in the UK, Europe and the U.S. seeking to recalibrate their approach to regulating these emerging sectors and products. If you are interested in finding out more on cryptoassets, DLT and smart contracts, we recently published a white paper on Blockchain which can be found here.

If you would like to respond to the UKJT consultation, we would be happy to assist you to do so by the deadline of 21 June 2019. Responses can be submitted electronically here.

IOSCO has also recently released a request for input on key considerations for regulating cryptoasset trading platforms, which can be found here.

Texas makes its data breach notification law more current

Texas will see changes to its breach notification law, but comprehensive privacy legislation at the state level will not occur until 2021 at the earliest. This year, two privacy bills were introduced in the Texas legislature. House Bill 4518 (modeled on the California Consumer Privacy Act) did not pass in any form. The other bill, House Bill 4390, did pass, but it was amended substantially before its passage. As passed, HB 4390 amends Texas’s data breach notification statute and creates a privacy council to provide privacy advice to the legislature to support possible future comprehensive privacy legislation.

HB 4390 was intended to apply to data collected online and originally included requirements for a data security program to protect privacy. As passed, though, HB 4390 merely amends the state’s breach notification requirements in the Texas Identity Theft Enforcement and Protection Act. Two primary changes will go into effect on January 1, 2020, both of which bring the Texas law more in-line with breach notification laws around the country. First, breach notices must now be made to affected individuals and the Texas Attorney General within 60 days following the determination that a breach of system security occurred that involved sensitive personal information. Second, organizations must now notify the Texas Attorney General following a breach that affects more than 250 Texas residents. Notice content requirements were also added. The statute requires that breach notifications to affected individuals include:

  • a detailed description of the nature and circumstances of the breach, or the use of sensitive personal information acquired as a result of the breach;
  • the number of residents of this state affected by the breach at the time of notification;
  • the measures taken by the person regarding the breach;
  • any measures the person intends to take regarding the breach after the notification under this subsection; and
  • information regarding whether law enforcement is engaged in investigating the breach.

HB 4390 also creates a Texas Privacy Protection Advisory Council whose sole purpose is to study and report to the Texas legislature its findings before the next legislative session in 2021, after which it is abolished. The Council will be made up of 15 members across disciplines (e.g., technology and law) and industries (e.g., health care, Internet, banking, telecommunications, advertising, cloud data storage, and social media platforms). The Council will be tasked with studying laws from around the world that govern the privacy and protection of identifiable information connected to a specific individual, technological device, or household. Not later than September 1, 2020, the Council must report its recommendations for statutory changes to the Texas legislature. The report could be a significant factor in the Texas legislature’s efforts to regulate privacy when it reconvenes in 2021.

The breach notification provisions in the new law take effect on January 1, 2020, but the Advisory Council section of the law takes effect on September 1 of this year.

One year of GDPR – lessons learned by the ICO

The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”.

Supporting the public, DPOs, SMEs and other organisations

The first year of the GDPR has made individuals aware of the control they have in relation to their personal data and of the powers regulators have in connection with protecting such rights. On the flip side, organisations have been under pressure to ensure their handling of personal data is compliant under the new regime. The ICO has seen an increase in engagement from businesses, data protection officers (DPOs) and individuals. The number of contacts made via the ICO helpline, live chat and written advice services has increased by 66 per cent in the past year.

Still, the ICO has pointed out that there is “a long way to go to truly embed the GDPR and to fully understand the impact of the new legislation”. Almost half of respondents to the ICO survey confirmed they had experienced certain unexpected consequences resulting from the GDPR.

The ICO has, therefore, continued to produce comprehensive guidance, blogs, toolkits, checklists, podcasts and FAQs to support businesses, especially small organisations and sole traders where GDPR compliance may have been particularly challenging. Guidance released by the ICO has included: the Guide to the GDPR, the Guide to Law Enforcement Processing, and its interactive tools for understanding lawful bases for processing and for continued data flow in the event of a no-deal Brexit.

Continue Reading

FCA and PRA jointly fine Raphaels Bank for outsourcing failure

R. Raphael & Sons plc (Raphaels) has received fines totalling £1,887,252 from the FCA and PRA for repeated failings in relation to inadequate systems and controls supporting the oversight and governance of its outsourcing arrangements.

Raphaels outsourced certain functions that supported payment services for its prepaid and charge card programmes in the UK and Europe to a service provider. These functions included the authorisation and processing of transactions made by users on these cards and management of the card programme (Card Services). From 2016, Raphaels had 5.3 million prepaid cards in issue in the UK and other European countries with average monthly transaction volumes of over £450 million.

Incident

On Christmas Eve 2015, Raphaels’ service provider for the Card Services suffered an IT incident. The IT incident led to the failure of all Card Services for over eight hours, during which time 3,367 of Raphaels’ customers were unable to use their cards. In the period during the IT incident, 5,356 customer card transactions were attempted at point of sale terminals, ATM machines and online (with an aggregate value of £558,400). These transactions could not be authorised and were declined.

Investigation

Following the incident, the FCA and PRA investigated the systems and controls that had been put into place by Raphaels and their service provider. The investigation revealed that Raphaels’ understanding of the business continuity and disaster recovery arrangements of the service provider was fundamentally mistaken. Raphaels’ contractual agreements with the service provider failed to include appropriate service level agreements governing the provision of critical outsourced services. In particular, there was no process in place for identifying how much outsourcing risk Raphaels was exposed to. The investigation also revealed that a previous incident in 2014 had not spurred Raphaels to remedy these failings, which should have been identified then.

Comment

This fine underlines the interest regulators have in the outsourcing of critical functions by those in the commercial banking and retail banking sectors. The PRA, in its final notice, reiterated its expectation that regulated firms carry out appropriate due diligence of prospective service providers and, from an early stage, set clear divisions in oversight responsibilities. Entities involved with outsourcing of such functions, or considering outsourcing, would also be well served by considering the European Banking Authority’s new guidelines on outsourcing, here.

We have written a quickfire briefing for those interested in learning lessons from this most recent regulatory intervention into an outsourcing. For more information, please get in touch.

FTC and DC Attorney General’s office discuss federal and state privacy trends at Reed Smith

On May 21, 2019, representatives of the Federal Trade Commission (FTC) and the Office of DC Attorney General (AG) Karl Racine visited Reed Smith to discuss data privacy trends to watch at the federal and state level. In an IAPP KnowledgeNet presentation moderated by Reed Smith partner Divonne Smoyer, Maneesha Mithal (associate director of the FTC’s Division of Privacy and Identity Protection, Bureau of Consumer Protection) and Ben Wiseman (director of AG Racine’s Office of Consumer Protection) discussed their expectations for a federal privacy law, expanding state authority in the privacy arena, and privacy resources, among other things, in a wide-ranging conversation.

Continue Reading

LexBlog