Cybersecurity Archives - Society for Computers & Law
https://www.scl.org/category/cybersecurity/

SCL Podcast “Technology & Privacy Laws Around The World” – Episode 5: Australia and New Zealand
https://www.scl.org/scl-podcast-technology-privacy-laws-around-the-world-episode-5-australia-and-new-zealand/
Wed, 30 Apr 2025 11:03:27 +0000

In two common law nations where regulation intersects with digital innovation, and with relatively small populations, Australia and New Zealand offer distinct yet complementary perspectives on technology regulation and privacy law.

How do their legal systems address issues of safety in the digital age, privacy rights, and the interests of Indigenous communities? And in what ways do they align with, or diverge from, international standards set by Europe and the United States?

In this episode, host Mauricio Figueroa is joined by three experts to discuss the policy and normative landscape of Australia and New Zealand. Tune in for an interesting and thought-provoking conversation about privacy and tech in these two countries. Listen to the episode here: https://bit.ly/3Yquyz8

The Panel:

Mauricio Figueroa is a legal scholar and educator. His area of expertise is Law and Digital Technologies, and he has international experience in legal research, teaching, and public policy. He is the host of the SCL podcast “Privacy and Technology Laws Around the World”.

Andelka Philipps is an academic and writer and her research interests are broadly in the areas of Technology Law, Privacy and Data Protection, as well as Medical Law, Intellectual Property, Cyber Security, and Consumer Protection. She has taught in law schools in four countries: the United Kingdom; the Republic of Ireland; New Zealand; and Australia. She is currently an Affiliate with the Bioethics Institute Ghent, Ghent University, Belgium and an Academic Affiliate with the University of Oxford’s Centre for Health, Law and Emerging Technologies (HeLEX). She is also an Associate Editor for the Journal of the Royal Society of New Zealand (JRSNZ), the first to be appointed from the discipline of Law. www.andelkamphillips.com

John Swinson is a former partner of a major international law firm and has 30 years of law firm experience in NY and Australia, with a principal focus on technology law and intellectual property law. He is a Professor of Law at The University of Queensland, where he teaches privacy law, cybersecurity law, and Internet & IT law.

Raffaele Ciriello is Senior Lecturer in Business Information Systems at the University of Sydney, whose research focuses on compassionate digital innovation and the ethical and societal impacts of emerging technologies. His work critically examines issues of digital responsibility, decentralised governance, and public interest technology, with recent projects spanning AI companions, blockchain infrastructures, and national digital sovereignty.

About the podcast

Join host Mauricio Figueroa and guests on a tour of tech law from across the globe. Previous episodes have focused on the use of ‘robot judges’ in several jurisdictions and developments in India, the USA and Japan. Future episodes will look at South America, Africa and Europe.

This Week’s Techlaw News Round-up
https://www.scl.org/this-weeks-techlaw-news-round-up-50/
Fri, 25 Apr 2025 08:57:01 +0000

UK law
Courts and Tribunals Judiciary publishes updated AI guidance and introduces Copilot Chat for judges

The Courts and Tribunals Judiciary has published updated guidance to help judicial office holders to use AI. It updates and replaces the guidance document issued in December 2023. It sets out key risks and issues associated with using AI and some suggestions for minimising them. Examples of potential uses are also included. Any use of AI by or on behalf of the judiciary must be consistent with the judiciary’s overarching obligation to protect the integrity of the administration of justice. The guidance also introduces a private AI tool, Microsoft’s “Copilot Chat”, which is now available on judicial office holders’ devices through eJudiciary. This guidance applies to all judicial office holders under the Lady Chief Justice and Senior President of Tribunal’s responsibility, their clerks, judicial assistants, legal advisers/officers and other support staff.

Ofcom investigates misuse of telephone numbers

Ofcom is investigating whether communications provider Primo Dialler has misused numbers sub-allocated to it, including to perpetrate scams. Ofcom allocates telephone numbers, usually in large blocks, to telecoms firms. They can then transfer the numbers to individual customers or other businesses. In line with Ofcom’s consumer protection rules and industry guidance, phone companies must not misuse numbers which have been sub-allocated to them. Services must also ensure numbers are being used correctly in accordance with the National Telephone Numbering Plan. Ofcom believes that the numbers sub-allocated to Primo Dialler are potentially being misused, including to facilitate scams. Its investigation will seek to establish whether Primo Dialler is complying with its obligations, specifically General Conditions B1.8, B1.9(b), B1.9(c), and the Communications Act S128(5). The investigation falls under Ofcom’s enforcement programme, launched last year, looking specifically at phone and text scams. The aim of the programme is to protect customers by supporting best practice in the use of phone numbers and to ensure providers are following Ofcom’s rules. If Ofcom has reasonable grounds to suspect that rules have been broken, it may launch further investigations.

Ofcom takes action regarding “Global Titles” in mobile sector

Mobile operators use Global Titles as routing addresses for the exchange of signalling messages between 2G and 3G mobile networks and to support their provision of mobile services. Ofcom has now announced new rules to ban their leasing. This is because criminals can use leased Global Titles to intercept and divert calls and messages, and to obtain information held by mobile networks. This could, for example, enable them to intercept security codes sent by banks to a customer via SMS message. In extreme cases they can be exploited to track the physical location of individuals anywhere in the world. The ban on entering new leasing arrangements is effective immediately. For leasing that is already in place, the ban will come into force on 22 April 2026. This will give legitimate businesses who currently lease Global Titles from mobile networks time to make alternative arrangements. Alongside this, Ofcom has published new guidance for mobile operators on their responsibilities to prevent the misuse of their Global Titles.

ICO fines law firm £60,000 following cyber attack

The ICO has fined Merseyside-based DPP Law Ltd (DPP) £60,000, following a cyber attack that led to highly sensitive and confidential personal information being published on the dark web. It found that DPP failed to put appropriate measures in place to ensure the security of personal information held electronically. This failure enabled attackers to gain access to DPP’s network, via an infrequently used administrator account which lacked multi-factor authentication, and to steal large volumes of data. DPP specialises in law relating to crime, military, family, fraud, sexual offences, and actions against the police. The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information. As the information stolen by the attackers revealed private details about identifiable individuals, the ICO highlights that DPP has a responsibility under the law to ensure it is properly protected. In June 2022, DPP suffered a cyber-attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system. This enabled the attackers to move laterally across DPP’s network and exfiltrate over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise that information relating to its clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to the ICO until 43 days after it became aware of it.

ICO fines compensation company £90,000 for unlawful marketing calls

The ICO has also fined AFK Letters Co Ltd (AFK) £90,000 for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service, in a clear breach of electronic marketing laws. AFK writes letters seeking compensation and refunds for its customers. Between January and September 2023, AFK used data collected through its own website and a third-party telephone survey company to make 95,277 marketing calls without being able to demonstrate valid and specific consent from the people contacted. AFK claimed it could not provide evidence of consent because it deleted all customer data after three months; however, when challenged by the ICO, it was also unable to provide consent records for several calls made within a three-month timeframe. AFK’s third-party data supplier was using consent statements which did not specifically name AFK when asking the public for consent to be called. Additionally, AFK’s own privacy policy only mentioned contact by email, and did not state that people would also receive phone calls. The ICO’s investigation found that AFK failed to comply with Regulation 21 of the Privacy and Electronic Communications Regulations.

EU law

European Commission consults on revision of EU Cybersecurity Act

The European Commission is consulting about revising the 2019 EU Cybersecurity Act. The consultation focuses on the European Union Agency for Cybersecurity mandate, the European Cybersecurity Certification Framework, and ICT supply chain security. It aims to simplify cybersecurity rules and streamline reporting obligations. The consultation ends on 20 June 2025.

Irish Data Protection Commission announces inquiry into X

The DPC has announced an inquiry into the processing of personal data comprised in publicly-accessible posts posted on the ‘X’ social media platform by EU/EEA users, for the purposes of training generative AI models, in particular the Grok Large Language Models (LLMs). The inquiry will examine compliance with the GDPR, including the lawfulness and transparency of the processing. Grok is the name of a group of AI models developed by xAI. They are used, among other things, to power a generative AI querying tool/chatbot, which is available on the X platform. Like other modern LLMs, the Grok LLMs have been developed and trained on a wide variety of data. The DPC’s inquiry considers a range of issues concerning the use of a subset of this data which was controlled by X, that is, personal data in publicly accessible posts posted on the X social media platform by EU/EEA users. The purpose of the inquiry is to determine if the personal data was lawfully processed to train the Grok LLMs. The DPC has notified X of its decision to conduct the inquiry under Section 110 of the Irish Data Protection Act 2018.

Coimisiún na Meán publishes Strategy Statement and Work Programme

Coimisiún na Meán has published its first three-year strategy, which sets out its vision for the media landscape in Ireland. The Strategy Statement 2025-2027 is accompanied by a 2025 Work Programme, which lists priority projects across Coimisiún na Meán’s remit of online safety, media sector development and regulation. The Strategy Statement 2025-2027 is built on six key outcomes: children, democracy, trust, diversity and inclusion and public safety. Among the priority projects outlined in Coimisiún na Meán’s 2025 Work Programme are the development of a pilot programme for children at imminent risk of harm from online content, the development of an Election Integrity Strategy across all media sources, the creation of educational materials relating to online hate, the preparation of a new Broadcasting Services Strategy and a revised Media Plurality Policy, and the continuation of the Sound & Vision and Journalism funding Schemes.

Cybersecurity Monitoring Centre: Bringing greater legal clarity to complex cyber events
https://www.scl.org/cybersecurity-monitoring-centre-bringing-greater-legal-clarity-to-complex-cyber-events/
Thu, 24 Apr 2025 09:23:37 +0000

Edward Lewis, CEO of CyXcel, on the genesis of the Cyber Monitoring Centre

Without question, cybercrime is one of the leading threats facing every industry today.

Ransomware remains not only rampant but devastatingly expensive, with average ransomware payments having increased 500% year over year to $2 million in 2024. What’s more, these payments account for just part of the cost. Excluding ransoms, the average cost of recovery now stands at $2.73 million.

For organisations to withstand such significant financial impacts, cyber insurance has become invaluable. However, from a legal perspective, this is a landscape that has continued to throw up challenges, debate, ambiguity and several headaches in recent years.

Lloyd’s of London’s introduction in 2023 of a policy requiring insurance group members to exclude liability for losses arising from state-backed cyberattacks is a prime example – one that remains contentious even today, owing both to attribution challenges and to its conflation of systemic cyber risk with cyber war.

The former of these challenges has proven to be particularly troublesome. Given the potential costs of recovery involved in cyberattacks, many small- and medium-sized businesses are simply unable to cope with delayed cyber policy payouts resulting from disputes over attribution. These are organisations that need rapid financial support in days or weeks, not months or years.

What is the CMC?

This is where the newly launched Cyber Monitoring Centre (CMC) aims to provide a solution by enhancing legal clarity.

An independent non-profit led by a technical committee comprising non-insurance experts from across academia, cybersecurity, public policy, defence and law, the CMC has developed a standardised scale that categorises the impact of cyber incidents. I have been privileged to be a part of the leadership driving the initiative.

The CMC framework works in a similar way to the Saffir-Simpson Hurricane Wind Scale, assigning a severity rating to cyber incidents using a simple five-point scale ranging from one (least severe) to five (most severe). These ratings are based on the economic impacts of incidents, starting at £100 million for category one events and rising to more than £5 billion for category five. Further, each categorisation is supported by an event report, all of which will be available freely.

Using a wide range of data and analysis to assess incidents, a key goal of the CMC is to address the long-standing challenge of legal ambiguity in the cyber insurance landscape by providing a consistent, market-wide framework for defining systemic cyber events.

Until now, the severity of cyber incidents has been notoriously difficult to quantify for several reasons.

First, there is no universal impact metric in relation to cyber incidents. While the financial loss, casualties and recovery times of physical disasters are well understood, cyberattacks can impact organisations in a variety of different ways. While a ransomware attack might cripple one company, the same attack may cause only minor problems for another.

Secondly, there are significant challenges around the availability of data. Indeed, many incidents are never disclosed due to reputational risks and legal concerns. Even when they are, organisations often underreport the impact, downplaying the full extent of the damage. As a result, building an accurate severity model becomes more difficult.

Thirdly, cyberattacks are rarely one-off events that end with a single victim. Supply chains, financial markets and critical infrastructure may all be impacted by attacks in ways that are tricky to quantify, with traditional methods of measuring impact focusing too much on direct costs while not considering the wider consequences.

These hurdles have made underwriting challenging in relation to cyber insurance – until now. By establishing a common framework for measuring severity, and aggregating data across sectors, the CMC is striving to overcome these existing challenges and provide a clearer, more quantifiable picture of cyber risks.

What are the benefits it provides?

The benefits of a consistent standard to measure the severity of cyber incidents can be significant for a variety of different stakeholders, bringing clarity to what has historically been a complex process.

Policymakers and regulators will gain a much clearer view into cyber risks at scale, ensuring that resources can be better allocated to combat threats and regulations can be introduced that more effectively enhance nationwide resilience.

Organisations, meanwhile, will be able to assess incidents with a standardised method, helping them to identify and eliminate potential vulnerabilities across their network. Again, this will enhance long-term resilience planning.

For insurers, meanwhile, the CMC’s classifications can help to improve the way in which they cover systemic cyber incidents – attacks that impact large parts of the business community that are difficult to insure for due to their scale.

At present, insurers that do offer cyber solutions have typically relied upon multiple exclusions to define the events that they will cover. However, this can lead to the development of cumbersome, complex and confusing policies. Moving forward, however, it is envisioned that insurers could eventually simplify policy language by referring directly to CMC classification to define the limits of their cover.

Challenges include scope limitations, data availability and model evolution

Critically, these changes may serve to make cover more attractive and accessible to businesses – especially SMEs – helping to address the growing challenge of attribution issues and policy disputes. However, no initiative of this scale is without its hurdles.

A key risk that may determine the effectiveness of the CMC is scope limitations. While it is primarily focused on financial and operational impact, some cyber incidents, such as those impacting the health and transport sectors, could have life-threatening consequences, which must also be considered.

Keeping up with evolving threats will also be a challenge. With cyberattacks constantly changing and shifting, the CMC will need to tweak its models over time to ensure relevancy. And in large part, that relevancy will rely on industry buy-in and data availability. If participation is patchy, or companies hold back key details, the CMC’s outputs may be less reliable.

Despite these challenges, the CMC holds major promise. Indeed, it has the potential to transform cyber insurance by providing a consistent, market-wide framework for defining systemic cyber events and bringing greater clarity to the understanding of often complex cyber events.

However, that success ultimately depends on continued collaboration between government, industry, and cybersecurity professionals, with widespread adoption key to ensuring the framework’s relevance and effectiveness for years to come.

Edward Lewis, CEO of CyXcel

This Week’s Techlaw News Round-Up
https://www.scl.org/this-weeks-techlaw-news-round-up-49/
Fri, 11 Apr 2025 08:33:54 +0000

UK law
Electronic Communications (Networks and Services) (Designated Vendor Directions) (Penalties) Order 2025

The Electronic Communications (Networks and Services) (Designated Vendor Directions) (Penalties) Order 2025 SI 2025/443 has been made. It makes consequential amendments to the Electronic Communications (Networks and Services) (Penalties) (Rules for Calculation of Turnover) Order 2003, SI 2003/2712, which in summary covers how certain penalties are calculated in relation to turnover under the Communications Act 2003. It came into force on 3 April 2025.

CAP and BCAP update advertising codes to align with Digital Markets Act 2024

CAP and BCAP have published amendments to their advertising codes, which took effect on 8 April 2025. The amendments align the Codes with the unfair commercial practices provisions in the Digital Markets, Competition and Consumers Act 2024, which came into force on 6 April. The changes include new rules on drip pricing and fake reviews. Both the CMA and the ASA will delay enforcement on fake reviews for three months. The ASA has also said that it will align its enforcement on drip pricing with the CMA’s approach.

DSIT and NCSC launch new Cyber Governance Code of Practice for boards

The Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) published a new Cyber Governance Code of Practice on 8 April 2025, following industry consultation in 2024. The Code outlines actions for boards and directors to manage cyber security risks across five areas: risk management, strategy, people, incident planning, and assurance. It forms part of a wider governance package that includes a training and implementation toolkit, primarily targeting medium and large organisations. The Code was developed in response to data showing that 74% of large businesses experienced cyber attacks in the past year.

EU law

European Commission’s Expert Group on B2B data sharing and cloud computing contracts publishes final report

The European Commission’s Expert Group on B2B data sharing and cloud computing contracts has published its final report. It contains non-binding model contractual terms on data access and use, as well as standard contractual clauses for cloud computing contracts under Article 41 of the EU Data Act.

Joint letter published on the EU’s need for AI liability rules

Several civil society organisations and BEUC have written to Executive Vice President Virkkunen and Commissioner McGrath to share their concerns that the AI liability directive proposal (AILD) is being withdrawn and to urge them to begin preparatory work on new AI liability rules. They seek at the very least a non-fault based liability approach that will make it easier for consumers who are harmed by an AI system to seek compensation.

European Commission launches AI Continent Action Plan

The European Commission has launched its AI Continent Action Plan. It revolves around five pillars: building a large-scale AI data and computing infrastructure; increasing access to large and high-quality data; developing algorithms and fostering AI adoption in strategic EU sectors; strengthening AI skills and talents; and simplifying regulation. The Commission will also launch the AI Act Service Desk, to help businesses comply with the AI Act. It will serve as the central point of contact and hub for information and guidance on the AI Act. In May it will consult on its Data Union Strategy.

European Commission consults on cloud and AI policies in the EU

The European Commission is consulting on the preparatory work for the Cloud and AI Development Act and the single EU-wide cloud policy for public administrations and public procurement. The Commission seeks views on the EU’s capacity in cloud and edge computing infrastructure, especially in light of increasing data volumes and demand for computing resources, both fuelled by the rise of compute-intensive AI services. As well as this, the Commission seeks views on the use of cloud services in the public sector. The consultation ends on 4 June 2025.

European Commission launches public consultation and call for evidence on the Apply AI Strategy

The Commission’s AI Office has called for evidence and is consulting on its Apply AI Strategy, planned to be published later this year. The Apply AI Strategy is part of President von der Leyen’s Political Guidelines to make Europe a global leader in AI innovation. The Strategy will serve as a blueprint for the full adoption of AI in EU strategic sectors. In particular, the Apply AI Strategy aims to foster the integration of AI technologies into strategic sectors. These sectors include advanced manufacturing; aerospace; security and defence; agri-food; energy; environment and climate; mobility and automotive; pharmaceutical; biotechnology; robotics; electronic communications; advanced material design; and cultural and creative industries. The consultation aims to identify priorities, current challenges to the uptake of AI in specific sectors as well as potential solutions and policy approaches. The consultation also includes specific questions on the challenges in the AI Act implementation process and how the Commission and member states can support stakeholders better in implementing the legislation. The consultation ends on 4 June 2025.

Commission updates guidelines on responsible use of generative AI in research

The European Commission’s Directorate-General for Research and Innovation has published the second version of its guidelines on responsible use of generative AI in research. One of the goals of the guidelines is that the scientific community uses generative AI responsibly. They take into account key principles on research integrity as well as existing frameworks for the use of AI in general and in research specifically. The principles include honesty, reliability, respect and accountability. It is also consulting on its AI in Science Strategy. The consultation ends on 5 June 2025.

UK government announces new cyber laws
https://www.scl.org/uk-government-announces-new-cyber-laws/
Fri, 04 Apr 2025 12:30:00 +0000

The UK government has provided more information about its new Cyber Security Bill, which aims to protect public services and safeguard growth. It was announced in the King’s Speech last year. The aim is that firms providing essential IT services to public services and the wider economy are no longer an easy target for cyber criminals. 1,000 service providers will fall into scope of measures expected to be introduced later this year.

The government says that cyber threats cost the UK economy almost £22 billion a year between 2015 and 2019 and cause significant disruption to the British public and businesses. Last summer’s attack on Synnovis (which provides pathology services to the NHS) cost an estimated £32.7 million and saw thousands of missed appointments for patients.

The government’s policy statement indicates that it will take the following measures to update the regime in the Network and Information Systems Regulations 2018:

  • Bringing more entities into scope of the regulatory framework, including managed service providers, strengthening supply chain security and enabling regulators to designate “Critical Suppliers”,
  • Empowering regulators and enhancing oversight, including technical and methodological security requirements, improving incident reporting, improving the ICO’s information gathering powers, improving regulators’ cost recovery mechanisms, and
  • Ensuring the regulatory framework can keep pace with the ever-changing cyber landscape, ensuring the regulatory framework is adaptable to emerging threats.

The government is also exploring additional measures to make sure it can respond effectively to new cyber threats and take rapid action where needed to protect the UK’s national security. This includes bringing data centres within the scope of regulation, publishing a statement of strategic priorities for regulators, and empowering the Secretary of State to direct a regulated entity to take action, when it is necessary for national security.

In the year to September 2024, the National Cyber Security Centre (NCSC) managed 430 cyber incidents, with 89 of these being classed as nationally significant – a rate of almost two every week. The most recent iteration of the Cyber Security Breaches Survey also highlights 50% of British businesses suffering a cyber breach or attack in the last 12 months, with more than 7 million incidents being reported in 2024.

The Cyber Security and Resilience Bill will aim to ensure that vital infrastructure and digital services are secure. It will be introduced to parliament this year.

Moving Beyond DORA Ready to DORA Now https://www.scl.org/moving-beyond-dora-ready-to-dora-now/ Tue, 04 Mar 2025 09:21:00 +0000

Dr Paul Lambert highlights some of the key aspects of the Digital Operational Resilience Act (now in force) you should be aware of.

The Digital Operational Resilience Act, known as DORA, impacts the financial sector as well as Big (and Small) Tech firms supporting banks and other financial institutions. The go-live deadline for DORA was 17 January 2025. DORA will have significant impacts across the international finance sector, and on other types of firms in addition to the core financial sector, but arguably few of these have been fully compliant from day one. For example, some firms were preparing to be “DORA ready” for day one, recognising that there will be a period of additional implementation measures needed throughout 2025.

Cyber Threats Background

Why are the Act and the concepts of operational resilience and digital operational resilience relevant?

Recently we had an example of not one but three major banking institutions suffering IT problems which halted services to their customers, starting with Barclays, and expanding to Lloyds Bank and Halifax. Last year NatWest, RBS and Ulster Bank also suffered IT issues. The internal and external IT threats and vulnerabilities facing the financial sector are expanding. AI, which is a subject in its own right, appears to be only enhancing this trend when used by bad actors.

Some of these threats were being contemplated when the policymakers began to develop DORA, alongside market issues.

According to the ECB “with the use of information technology having become a large part of daily life, and even more so during the coronavirus (COVID-19) pandemic, the potential downsides of an increasing dependence on technology have become even more apparent. Protecting critical services like hospitals, electricity supply and access to the financial system from attacks and outages is crucial.  Given the ever-increasing risks of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms.” DORA will “make sure the financial sector in Europe is able to stay resilient through a severe operational disruption.”

Increased digitalisation – and interconnection – also “amplify ICT risk”, making society as a whole (and the financial sector in particular) more vulnerable to cyber threats and/or ICT disruptions and attacks from errant third parties.

The range of cyber threats is also increasing. They include, for example, hacking by bad actors, business email compromise, phishing, spear phishing, ransomware, viruses, Trojans, distributed denial of service (DDoS), web application attacks, mobile attacks, and more.

The threat is not just from direct attacks. There are increasing numbers of indirect attacks, where the bad actors seek to gain access via a trusted third-party service provider that the financial company uses. This is supply chain and service provider compromise.

Other risk issues include management risk and system risk, such as failing to patch known vulnerabilities.

The number, level of sophistication and complexity of attacks are all increasing.

Costs to the Sector

The recent outages at Barclays, Lloyds Bank and Halifax demonstrate that there is a direct cost to consumers. There can even be a direct financial cost when salary payments or mortgage payments are missed. The DORA policymakers were also concerned at the potential systemic effects of IT incidents on the wider financial system, on consumer trust, on industry and on national economies.

The cost of the above threats continues to increase. By comparison, we already see very significant fines arising under data laws such as personal data rules. For example, Meta has been fined €1.2 billion for one set of data breaches concerning data transfers, while TikTok has been fined €345 million and £14.5 million for data breaches regarding child data. These are just examples, with numerous other data fines in the billions across the globe.

Many firms have been fined as a result of ineffective security measures leading to them being hacked, thus demonstrating a lack of appropriate technical security measures and of overall digital operational resilience. Already, even before the official go-live of DORA, firms have been receiving significant fines and penalties as a result of matters which cross over with digital operational resilience.

The Need for Digital Resilience

Regulators, whether the European Central Bank (ECB), the Bank of England (BOE), or the Fed in the US, are tasked with protecting the financial stability of their financial systems. As part of this they need to ensure that financial firms are financially resilient and stable; some of the rules around financial stability stem from the last great recession.

But today, financial stability is not the only threat to financial entities and the wider financial system: IT, ICT, and cyber threats must also be reckoned with. An example of an IT vulnerability change, apparently due to a lack of testing prior to deployment, and which had widespread adverse effects across a range of industries, was the SolarWinds incident. Financial entities often rely on third party suppliers or even outsource some of their core activities. Firms can be adversely affected when one of these third parties is exposed to a cyberattack. Bank of America, for example, had to warn its customers after one of its suppliers (IMS) was hacked by bad actors. Financial entities using service providers such as AddComm and Cabot have also encountered problems when these suppliers were involved in cyberattacks. Christine Lagarde (President of the ECB) states that “cyberattacks could trigger a serious financial crisis.” Piero Cipollone (ECB Executive Board) states that “cyber risks have become one of the main issues for global security. They have been identified as a systematic risk to the stability of the European financial system.” Unfortunately, it is not limited to just the European financial system.

Now, financial institutions must also ensure that they are digitally operationally resilient and prepared for these internal and external tech threats.

Digital Operational Resilience Rules

DORA promotes rules and standards to mitigate Information and Communications Technology risks for financial institutions. One of the objectives of DORA is to “prevent increased fragmentation of rules applicable to ICT risk management” by establishing common rules and standards.

DORA “addresses today’s most important challenges for managing ICT risks at financial institutions and critical ICT third-party service providers.” These risks must be properly managed for digitalisation to “truly deliver on the many opportunities it offers for the banking and financial industry.” For example, better analysis and better data management can help financial institutions become more resilient. Also, “early warning systems” and automated alerts could enhance ICT risk management and digital operational resilience.

Key Focus Areas of DORA

DORA deals with five key pillar areas, namely:

  • ICT risk management
  • ICT-related incident management, classification and reporting
  • digital operational resilience testing (DORT)
  • ICT third-party risk management (TPRM)
  • information-sharing arrangements (ISAs).

Arguably, the rules and requirements for pillar 5 above are the least well developed and are likely to evolve during 2025 and 2026.

A very complex set of rules and requirements sits behind each of these pillars of the core DORA regulation. DORA sets out a broad array of new obligations for financial entities, outsource companies and technology companies supporting the financial sector. Some of these new rules mean new or enhanced:

  • ICT risk management and governance
  • ICT policies and procedures
  • ICT incident management and reporting
  • change management
  • digital operational resilience
  • digital operational resilience testing
  • ICT third party risk management
  • business continuity
  • cyber security
  • training
  • information sharing on threats.

Extensive Sub Rules

DORA is a legal Regulation. Being a law, it is labelled a Level 1 requirement. Unfortunately for industry, there is an expansive range of even more detailed legal and technical requirements at Level 2 below the Level 1 rules.

The array of DORA sub rules is vast. They are referred to as the Level 2 rules, with the main DORA Regulation representing Level 1. The Level 2 rules are then further separated into four types of sub rules, namely:

  • Regulatory Technical Standards or RTS
  • Implementing Technical Standards or ITS
  • Guidelines
  • (Independent) Commission Delegated Regulations.

The RTS, ITS and Guidelines were developed by the ESAs, a combination of European financial regulators. The scope of these detailed Level 2 rules has added to the already complicated nature of the technical and regulatory compliance efforts required of financial entities. They are collectively far more extensive than the DORA Level 1 rules. An additional difficulty is that the Level 2 rules have come out over different time periods. The ones that are developed by the ESAs generally need to be reviewed, amended and implemented by the Commission. While the ESAs had specific time deadlines, the Commission did not have to specify when it would finalise the Level 2 rules.

Therefore, the rules have come out at different time periods, thus adding extra difficulties for financial institutions. Indeed, even near the end of 2024, not all Level 2 rules were fully set out – even though the go-live date was imminent in January 2025.

In addition, we can also add two further layers of DORA regulations. There will be a certain level of national DORA direct legislation (Level 3) and national financial regulator rules (Level 4). Some of this is still in process.

Level 2 Regulatory Technical Standards

The RTS are:

  • Commission Delegated Regulation specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
  • Commission Delegated Regulation specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
  • RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third party services
  • Commission Delegated Regulation specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
  • RTS on threat-led penetration testing (TLPT)
  • RTS and ITS on content timelines and templates on incident reporting (drafted by ESAs, apparently awaiting Commission implementing measure)
  • RTS on oversight harmonization
  • RTS on Joint Examination Teams (JET).

Level 2 Implementing Technical Standards

The ITS relates to a Register of Information.

Level 2 Guidelines

There are two DORA Level 2 Guidelines on:

  • aggregated costs and losses from major incidents (adopted by ESAs)
  • oversight cooperation between ESAs and competition authorities (adopted by ESAs).

Level 2 Delegated Regulations

There are two Commission Delegated Regulations which are independent of the ESAs, as follows:

  • Commission Delegated Regulation specifying the criteria for the designation of ICT third-party service providers as critical for financial entities
  • Commission Delegated Regulation determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid.

DORA Ready to DORA Now

Some of the details of the Level 2 sub regulations were finalised very close to the go-live date, and financial institutions had difficulty in fully understanding all the rules and nuances of the new regime and, importantly, in complying with these rules, as some were not yet bedded down. The many layers of compliance requirements across multiple legal and technical instruments made this task vastly more complicated, time-consuming, and costly.

The effort needed to interpret and apply these expansive rules, compounded by the late issue of some of the official materials, has meant that financial entities and suppliers have faced significant challenges to reach a level even approaching compliance now, and they will need to expand the maturity of such compliance over the coming years.

While it was understandable to prepare on the basis of DORA ready (as much as one can be) up until now, it is now necessary to focus on DORA now, getting all of DORA and the sub regulations in place alongside measures needed to demonstrate digital operational resilience into the future.

Paul Lambert, Ph.D. Paul is the author of “DORA, Interpreting the EU’s Digital Operational Resilience Act” (published by Bloomsbury), and the editor of Gringras, The Laws of the Internet.

This week’s Techlaw news round-up https://www.scl.org/this-weeks-techlaw-news-round-up-36/ Fri, 20 Dec 2024 10:32:00 +0000

Online Safety Act 2023 (Commencement No 4) Regulations 2024 made

The Online Safety Act 2023 (Commencement No 4) Regulations 2024 (SI 2024/1333) have been made. These Regulations are the fourth commencement regulations under the Online Safety Act 2023. They bring into force on 17 January 2025 the duties about regulated provider pornographic content in section 81 and other provisions, such as Ofcom’s enforcement and information powers and the offence of failing to comply with a confirmation decision, as they relate to section 81.

CMA publishes final digital markets competition regime guidance

The CMA has published its final digital markets competition regime guidance. It provides advice and general information to businesses, their advisers and other stakeholders on the approach used by the CMA in operating the digital markets competition regime, set out in the Digital Markets, Competition and Consumers Act 2024. The guidance received approval from the Secretary of State for Business and Trade on 17 December 2024 and takes effect from 1 January 2025. The CMA has also published relevant guidance for the reporting of a merger by firms designated by the CMA as having Strategic Market Status (SMS) under the Act.

Advertising Standards Authority publishes update on online supply pathway of age-restricted ads

The ASA has published a report providing a unique insight into the online supply pathway of ads for alcohol, gambling and other age-restricted products. The ASA’s five-year strategy commits to protecting children and other vulnerable audiences and bringing greater transparency and broader accountability to its online advertising regulation. The ASA’s report presents the perspectives of advertisers, publishers and ad supply intermediaries on the relatively few cases, identified by automated monitoring, of age-restricted ads mistargeted to websites and YouTube channels disproportionately popular with children. The report highlights what can be done to reduce children’s exposure to age-restricted ads online (such as those for alcohol or gambling). The study also describes compliance processes in place, and steps taken, to target age-restricted ads away from children in line with CAP Guidance on Age-restricted Ads Online. Whilst breaches of the advertising codes are few in number, the ASA says that it remains important to examine the circumstances that lead to the ads being mistargeted to sites disproportionately popular with children. For example, the report provides specific case study evidence around mis-categorisation of age-restricted ads, which, if categorised correctly, would likely have prevented the ad from being served, and around inadequacies relating to the blocklisting of publications disproportionately popular with children.

Ofcom consults on technology notices

Ofcom is consulting on two parts of the framework that underpin Ofcom’s Online Safety Technology Notice powers: its proposals for what the minimum standards of accuracy for accredited technologies could be, to inform its advice to the UK government; and its draft guidance about how it proposes to use this power. Under the Online Safety Act, Ofcom has powers to tackle terrorism and child sexual exploitation and abuse (CSEA) content. It can, where it decides that it is necessary and proportionate, make a provider use a specific technology to tackle terrorism and/or CSEA content, or develop technology to tackle CSEA content. Ofcom would do this by issuing a Technology Notice under section 121 of the Act. Any technology that Ofcom requires a provider to use will need to be accredited, either by Ofcom or by someone Ofcom appoints, against minimum standards of accuracy set by the UK government after advice from Ofcom. The consultation ends on 10 March 2025.

PSA publishes final annual report

The Phone-paid Services Authority (PSA) has published its final annual report before it transfers responsibility for regulating phone-paid services to Ofcom in 2025, after which it will cease operations. The organisation highlighted its agile approach to regulation, including the introduction of Code 15, which shifted focus from enforcement to prevention. The PSA also says that it has reduced consumer detriment by over 85% when regulating Information, Connection and Sign-posting Services.

FCA issues discussion paper on cryptoassets

The FCA has published a discussion paper on the future market abuse regime for cryptoassets and the cryptoasset admissions and disclosures regime. In 2023, the UK government announced plans to legislate for a future financial services regime for cryptoassets. This would bring certain cryptoasset activities into the FCA’s regulatory perimeter. The Treasury published its initial consultation and call for evidence in February 2023, followed by its response in October. In November 2024, the Labour government confirmed it will proceed with legislation to bring cryptoassets into the FCA’s regulatory perimeter. Under the government’s plans, the FCA’s regulatory remit for cryptoassets will expand from the current Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and Financial Promotions regime to a more comprehensive conduct regime. This will cover cryptoasset trading, regulation of stablecoins, intermediation, custody and other core activities. The FCA has issued the discussion paper to help inform the development of a balanced regime that addresses market risks without stifling growth. It seeks views by 14 March 2025.

Revised EU Product Liability Directive enters into force

The revised Product Liability Directive ((EU) 2024/2853) applies to new products placed on the EU market from 9 December 2026. It updates the product liability framework for victims seeking compensation for damage, such as personal injury, property damage and damage to data, caused by defective products. It also aims to provide greater legal certainty for economic operators. It applies to all products. This includes household items as well as AI, software and product-related digital services, and products sold online. Under the revised Product Liability Directive, the European Commission will also develop a publicly accessible EU database of court judgments on product liability cases. This aims to give more information about how the rules apply.

Software Escrow – Its Evolution, Use in Legal Frameworks and The Influence of AI https://www.scl.org/software-escrow-its-evolution-use-in-legal-frameworks-and-the-influence-of-ai/ Thu, 12 Dec 2024 14:56:00 +0000

Mark Ryan and Tom Sweet of SES Secure trace the evolution of software escrow and the impact of AI on its use

As many readers will know, software escrow is a risk mitigation tool that safeguards the critical assets, such as software applications, on which organisations rely. It typically involves a tri-party legal agreement being set up between an end-user (e.g., employees at a law firm), a software vendor, and a trusted escrow agent. Having a software escrow solution in place ensures that critical assets remain accessible and operational for an end-user, even during disruption events (such as a vendor facing bankruptcy).

The rising demand for, and use of, software runs in tandem with the ever-increasing level of risk associated with its use. As a result, the implementation of software escrow has become increasingly prevalent across the globe.

Within modern legal practice, examples of critical software applications that are commonly safeguarded by software escrow include case management software, communication and collaboration software, and document automation software. The safeguarding of these applications supports the best interests of all stakeholders that are in some way impacted by them, such as lawyers, clients, and collaborators.

The Evolution of Software Escrow

The concept of software escrow initially emerged in the 1980s. During this time, the widespread use of software was growing at a rapid rate. In response, software escrow solutions were designed and brought in to address proactively the risks associated with using third-party software suppliers. These solutions provided a means for business continuity in situations where software vendors went out of business or could not provide adequate support.

Whilst the overarching purpose of software escrow has remained the same since then, many aspects have seen tremendous change. Traditionally, software escrow was limited to single licensee arrangements for safeguarding on-premises software. However, the evolution of the industry means escrow can now be implemented for a much wider range of purposes and arrangements. Types of escrow agreements now include:

  • single license
  • multi-licensee
  • SaaS
  • hardware
  • technology
  • distributor agreement

As technology and various industries continue to advance, it’s very likely that the needs and preferences that escrow solutions cater to will continue to become increasingly specific.

How do Software Escrow Agreements Work?

The first step when setting up a software escrow is an in-depth discussion between an escrow provider and a client. The aim of this is to determine whether software escrow is applicable to the client’s needs and, if so, the type of agreement that is required, and to establish trigger conditions, also known as release conditions. These are the agreed conditions which, when met, will lead to an escrow provider carrying out a software escrow release event.

The legal framework of software escrow typically comprises five components:

The Agreement

A tri-party legal agreement between a software vendor, an escrow agent, and a software application’s end-user. The agreement clearly outlines the criteria that need to be met for a source code release event to occur.

Release Conditions

These are specific conditions that are pre-determined in an escrow agreement. When these conditions are met, an escrow agent is authorised to release the materials held under escrow to the software licensee (i.e., the end-user). Examples of release conditions that would facilitate a release event include vendor bankruptcy, vendor insolvency, and a vendor not providing adequate maintenance and/or support.

Source Code Validation

Once a client deposits their source code with an escrow provider, it is evaluated to ensure that it is accurate, up to date, and can be redeployed if required.

Intellectual Property Rights

The intellectual property rights of all parties involved in the arrangement need to be clearly defined as this determines source code ownership and the end user’s rights upon release.

Compliance

Many client projects require the implementation of a software escrow solution. Additionally, many emerging laws involve regulations that can be satisfied through utilising software escrow, such as the Digital Operational Resilience Act (DORA) which is set to be enforced in the EU Finance Sector in January 2025.

Ultimately, software escrow can form the foundation of an effective risk mitigation and business continuity plan. It is a tool that enables organisations to face, address, and overcome unforeseen challenges with confidence and peace of mind. A software escrow release event involves an end-user receiving the materials, documentation, and guidance required to resume the operation of a software application following a disruption event. This mitigates against a range of risks, such as financial loss, damaged stakeholder relationships, and reputational damage. The absence of a software escrow solution during a time of crisis poses the risk of an organisation’s business operations coming to a standstill. Additionally, in situations where an organisation has already experienced some degree of damage following a crisis event, software escrow can be used as an effective disaster recovery tool.

The escrow space is now at a point where agreements can be customised to cater to the bespoke needs and specifications of clients.

The Use of Software Escrow in Legal Practice

As in many other industries, software forms the backbone for critical organisational operations within the legal industry. Whilst software escrow has established itself as a tool that many legal professionals recommend to clients, it’s not always a tool that they use internally.

The use of software escrow by lawyers themselves ensures that the best interests of stakeholders are placed at the forefront. This includes any stakeholder that is in some way impacted by the critical applications used by lawyers. The implementation of software escrow equips legal professionals with the ability to have uninterrupted access to these applications, regardless of any disruption that occurs. A major duty of legal professionals is the safeguarding of clients, which is a responsibility that is personified through a comprehensive risk mitigation strategy.

Ultimately, software escrow provides a proactive means for legal professionals to manage unforeseen challenges in an organised and convenient way.

The nature of the legal industry, and the role of security within it, would undoubtedly benefit from being more robust and operationally resilient, especially in the face of disruption. Escrow is one way to bolster those efforts.

The Current and Future Impact of AI on Software Escrow

The AI revolution has undoubtedly impacted the software escrow landscape and will continue to shape its future. For example, the deployment of machine learning algorithms enhances the capability to identify and mitigate potential security threats, ensuring that our clients’ assets are safeguarded. AI and machine learning technologies can also help identify vulnerabilities in code more quickly.

AI will help with operational efficiencies, from automating routine processes to facilitating more accurate verification of software assets, while predictive analytics will help escrow agents anticipate and navigate the increasingly complex landscape of software compliance and regulation.

More fundamentally, what are the implications of trying to capture an AI algorithm or LLM in a software escrow agreement?

It’s often overlooked that an AI algorithm is fundamentally composed of code, originally created by humans. Regardless of its complexity, it remains an application running on compute resources—whether on a large scale, as seen with OpenAI’s ChatGPT models, or on a smaller scale, deployed locally or privately for specific use cases. In both scenarios, the large language models rely on code executed by an operating system, which can, in turn, be included in a software escrow agreement.

Regarding large language models, a key concern is often the data associated with the machine learning or AI algorithm. Training these models typically involves the utilisation of vast datasets. This data may comprise publicly available information from the internet, which brings its own set of implications, as well as private data repositories, such as an organisation’s extensive collection of files and documents. These datasets are essential, as they provide the algorithm with the knowledge to generate responses and recognise patterns. For example, in facial recognition, the model compares CCTV images to those stored on a server to identify matches.

Ultimately, when it comes to a software escrow agreement, both the code and the underlying data are crucial to ensure the application is effectively protected and functional.

These intersections of AI with software escrow services are set to shape a new era of innovation and security, resulting in an ongoing evolution of the escrow space.

Mark Ryan is the Head of Escrow & Continuity at SES Secure, a provider of Software Escrow Solutions who have worked with clients across the globe for over 25 years. Mark has over two decades of experience in the Software Escrow sector working alongside legal professionals as a solutions advisor and guest speaker.

Tom Sweet is the Head of Technology at SES Secure. Tom leads SES Secure’s in-house team of technical experts who address the technical elements of all client projects. Tom has over 10 years of experience in the Software Escrow sector. Tom is also responsible for SES Secure’s approach to AI technologies.

This Week’s Techlaw News Round-up https://www.scl.org/this-weeks-techlaw-news-round-up-34/ Fri, 06 Dec 2024 11:30:34 +0000

Read More... from This Week’s Techlaw News Round-up

The post This Week’s Techlaw News Round-up appeared first on Society for Computers & Law.

]]>
UK law
Government publishes revised UK digital identity and attributes trust framework

The UK government has published a gamma version of the UK digital identity and attributes trust framework. The trust framework is a set of rules for an organisation to follow if they want to have their service certified as a trustworthy digital verification service (DVS). A DVS is a service that enables people to digitally prove who they are, information about themselves or their eligibility to do something. The trust framework aims to make it easier and more secure for people to use these services. 

CMA clears Vodafone / Three merger, subject to legally binding commitments

The Competition and Markets Authority has decided that Vodafone’s merger with Three should be allowed to proceed if both companies sign binding commitments to invest billions to roll out a combined 5G network across the UK. The network commitment would be supported by shorter term customer protections which would require the merged company to cap certain mobile tariffs and offer preset contractual terms to mobile virtual network operators, for a period of three years. In September, the independent inquiry group leading the in-depth Phase 2 investigation of the merger provisionally found it could lead to higher prices for customers and less advantageous terms for virtual network providers (which depend on networks like those provided by Vodafone and Three to supply their own retail customers). Since publishing those findings, the group has explored how its concerns might be resolved and in November published a remedies working paper which included a range of potential remedy options. The group has since analysed responses to the working paper and closely engaged with respondents. The group has also sought further input from Ofcom. In its final decision, the group has confirmed it is now satisfied that the proposed network commitment, supported by shorter term protections for both retail and wholesale customers, resolves its competition concerns.

Annual report of the Biometrics and Surveillance Camera Commissioner laid in Parliament

The Biometrics and Surveillance Camera Commissioner’s annual report for 2023 to 2024 has been laid in Parliament. The report sets out the observations of the Commissioner in relation to his responsibilities for overseeing police use of DNA and fingerprints in England, Wales and Northern Ireland, and for encouraging the proper use of public space surveillance cameras.

Competition Appeal Tribunal (Amendment) Rules 2024 made

The Competition Appeal Tribunal (Amendment) Rules 2024 SI 2024/1233 have been made. They amend the Competition Appeal Tribunal Rules 2015, SI 2015/1648, to enable Part 3 of the CAT Rules to apply to applications to review certain decisions of and appeals of penalties imposed by, the CMA under its digital markets and competition functions under the Digital Markets, Competition and Consumers Act 2024. These Rules come into force on 1 January 2025.

Enterprise Act 2002 (Mergers and Market Investigations) (Determination of Control and Turnover for Penalties) Regulations 2024 made

The Enterprise Act 2002 (Mergers and Market Investigations) (Determination of Control and Turnover for Penalties) Regulations 2024 SI 2024/1236 have been made. They set out how the CMA will calculate turnover for the purposes of the enforcement of competition law. They also set out the circumstances in which a person is considered to have control over an enterprise. These Regulations come into force on 1 January 2025.

Competition Act 1998 (Determination of Turnover for Penalties) Regulations 2024 SI 2024/1235 made

The Competition Act 1998 (Determination of Turnover for Penalties) Regulations 2024 SI 2024/1235 have been made and establish rules for calculating an undertaking’s turnover under sections 35B(4) and 40A(3A) of the Competition Act 1998. They come into force on 1 January 2025.

Online Advertising Taskforce issues progress report

The Online Advertising Taskforce was set up to bring together government and the advertising sector to work in collaboration to address illegal harms and the protection of children in relation to online advertising. It has issued a report which says that during its first year it has provided a valuable forum to help raise standards, promote initiatives and best practice and share research and evidence about online harms that impact the online advertising sector. The report provides an overview of the Taskforce and its progress to date, focusing on the work of six industry-led working groups and their planned next steps.

Government publishes regulations and guidance for advertising restrictions for less healthy food or drink on television and online

The Advertising (Less Healthy Food Definitions and Exemptions) Regulations 2024 were laid before Parliament on 3 December 2024 and will come into force UK-wide on 1 October 2025. They include a 9pm watershed for less healthy food or drink advertising on TV, including all on-demand programme services (ODPS) and internet protocol television (IPTV) services under the jurisdiction of the UK, and therefore regulated by Ofcom; and a total restriction on paid-for advertising of less healthy food or drink online, including non-Ofcom regulated ODPS and IPTV. Alongside the regulations, the government has published its final guidance.

Draft Communications Act 2003 (Disclosure of Information) Order 2024 laid

This draft Order will extend the circumstances in which information with respect to a particular business obtained by Ofcom if it exercises a power under the Communications Act 2003 (the 2003 Act), the Broadcasting Act 1990, the Broadcasting Act 1996 or the Online Safety Act 2023 (the 2023 Act) may be disclosed. Section 393(2)(b) of the 2003 Act provides that the restrictions on disclosing such information imposed by section 393(1) do not apply to any disclosure of information which is made to facilitate the carrying out by any relevant person of any relevant function. Relevant persons are described in section 393(3). Relevant functions are described in section 393(4). Article 2 specifies any function under the 2023 Act as a relevant function under section 393(4) of the 2003 Act.

Ofcom publishes its proposed Plan of Work for 2025/26

Ofcom is the UK’s converged communications regulator and works with industries that have technology at their heart. These are sectors that have driven significant innovation and economic growth over many decades. It says that its approach to regulation has sought to foster and support growth and disruption, and that it believes that competition for ideas as well as markets is the right way to achieve sustainable outcomes. It has a role to play in the evolution of both networks and services, from making spectrum available for satellite and mobile broadband, to helping people live safer lives in an online world with AI and AI-generated content. Its Plan sets out the work that it will do in 2025/26 to make communications work for everyone, and how it will deliver. The consultation on the Plan ends on 29 January 2025.

HMRC issues guidance for tax reporting rules for digital platforms

HMRC has published its lists of partner jurisdictions and reportable jurisdictions for the tax reporting rules for digital platforms. These are in the Platform Operators (Due Diligence and Reporting Requirements) Regulations 2023 (SI 2023/817) and implement the OECD’s model tax reporting rules for digital platforms in the UK.

EU law

Council adopts new laws to strengthen cybersecurity capacities in the EU

To strengthen the EU’s solidarity and capacities to detect, prepare for and respond to cybersecurity threats and incidents, the Council of the EU has adopted two new laws as part of the cybersecurity legislative “package”: the Cyber Solidarity Act and a targeted amendment to the Cybersecurity Act. Following their signature by the presidents of the Council and of the European Parliament, both legislative acts will be published in the EU’s Official Journal in the coming weeks and enter into force 20 days later.

EDPB calls for coherence of digital legislation with the GDPR

The European Data Protection Board has adopted a statement on the second report of the European Commission on the application of the GDPR. The EDPB welcomes the reports from the European Commission and the Fundamental Rights Agency. Importantly, the EDPB emphasises the importance of legal certainty and coherence of digital legislation with the GDPR and notes ongoing initiatives to clarify the enforcement interplay of the GDPR with the AI Act, the EU Data Strategy and the Digital Services Package. In addition, the EDPB has announced it will increase the production of content for non-experts, small and medium-sized enterprises and other groups. Finally, the Board highlights the genuine need for additional financial and human resources to help regulators and the EDPB deal with increasingly complex challenges and additional competences.

European Commission opens consultations on implementing regulations for EUDI Wallets

The European Commission has published several public consultations on implementing acts relating to Regulation (EU) 910/2014 (eIDAS Regulation), as amended by Regulation (EU) 2024/1183 (European Digital Identity Regulation or EUDI Regulation). The EUDI Regulation builds on, amends and expands the eIDAS Regulation and most importantly introduces an EU-wide framework for European Digital Identity (EUDI) Wallet as well as several other new trust services.

This Week’s Techlaw News Round-up https://www.scl.org/this-weeks-techlaw-news-round-up-28/ Fri, 25 Oct 2024 11:10:38 +0000

UK law
Court of Appeal rules that UK courts can grant declaration for interim FRAND licence

The Court of Appeal recently delivered its ruling in the case of Panasonic Holdings Corporation v Xiaomi Technology UK Limited & Ors [2024] EWCA Civ 1143. The case involved standard essential patents owned by the complainant (Panasonic) and was an appeal from the Patents Court’s decision refusing an application by the defendants (Xiaomi) for a declaration that Panasonic should grant Xiaomi an interim licence. A majority of the Court of Appeal held that there was power to grant such a declaration, and in the circumstances, it would be granted.

Investigatory Powers (Amendment) Act 2024 (Commencement No 1 and Transitional Provisions) Regulations 2024 made

The Investigatory Powers (Amendment) Act 2024 (Commencement No 1 and Transitional Provisions) Regulations 2024 SI 2024/1021 have been made. They brought certain provisions of the Investigatory Powers (Amendment) Act 2024 (IP(A)A 2024) into force on 14 October 2024. These Regulations also make transitional provision for communications data retention notices issued under section 87 of the Investigatory Powers Act 2016 which are now in effect.

Media Act 2024 (Commencement No 2 and Transitional and Saving Provisions) Regulations 2024 made

The Media Act 2024 (Commencement No 2 and Transitional and Saving Provisions) Regulations 2024 have been made. They brought certain provisions of the Media Act 2024 into force on 17 October 2024. These are the second set of commencement regulations under the Act.

Ofcom issues update on approach to information notices under Online Safety Act 2023

Ofcom has issued an update on information notices under the Online Safety Act 2023. The Act introduces a system for categorising some regulated online services based on key characteristics, including user numbers and functionality. The providers of categorised services will be required to comply with additional duties depending on which category they fall within. Some regulated services will be designated as category 1, 2A or 2B services if they meet certain thresholds that will be set out and brought into effect via secondary legislation that will be introduced by the Secretary of State. Ofcom submitted research and advice to the Secretary of State and published the advice in March 2024, including proposed thresholds. The Secretary of State will take a decision about those thresholds, considering Ofcom’s advice. Once the secondary legislation is laid in Parliament, Ofcom will begin the process of engaging with providers that it believes may meet the thresholds by issuing draft information notices to relevant providers. Ofcom will, as a general rule, issue information notices in draft form to the stakeholder holding the relevant information to ensure that the notice is appropriately worded and targeted and sufficiently clear for the recipient to respond to within the proposed timeframe. While providers are not required to respond to draft information notices, Ofcom strongly encourages all providers who receive them to engage with Ofcom, particularly if there are any concerns or questions they might have about the draft notice. Once the secondary legislation passes in Parliament and becomes law, it will issue final information notices that providers will be required to respond to. The information provided will help Ofcom to make the necessary assessments of which services should be categorised and in which categories. It will publish the register of categorised services once it has made those assessments. As some providers may not have been subject to an information notice from Ofcom before, it is publishing this information to allow services time to prepare and to build their understanding of the information notice process under the Act as it relates to the categorisation process. Failing to comply with a final information notice can result in significant consequences; non-compliance includes not responding by the given deadline or providing an inaccurate or incomplete response.

Ofcom renews co-regulatory arrangements for broadcast, ODPS and VSP advertising

Following consultation, Ofcom has announced the renewal of the co-regulatory arrangement that designates responsibility to the ASA system for the day-to-day regulation of broadcast, on demand programme service (ODPS), and video-sharing platform (VSP) advertising for a further period of ten years, until 31 October 2034. The ASA has day-to-day responsibility for regulating advertising on these services, with Ofcom providing a statutory backstop. The existing co-regulatory arrangements are due to expire at the end of October 2024 (ODPS and VSP) and the beginning of November 2024 (broadcast).

Court of Appeal says that malicious communications offence committed by posting relevant communication on website

In R v BLC [2024] EWCA Crim 1186, the Court of Appeal held that the offence of sending a malicious communication, under section 1 of the Malicious Communications Act 1988, would be committed by posting a relevant communication on a website and did not require a communication being sent or directed to a person.

EU law

Council of the EU adopts Cyber Resilience Act

The Council has adopted a new law on cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market (Cyber Resilience Act). The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components, for example “Internet of Things” (IoT) products, are made secure throughout the supply chain and throughout their lifecycle. Following its adoption, the legislative act will be signed by the presidents of the Council and of the European Parliament and published in the EU’s Official Journal in the coming weeks. The new regulation will enter into force twenty days later and will apply 36 months after its entry into force with some provisions to apply at an earlier stage.

European Commission adopts implementing regulation on NIS2 Directive

The Commission has adopted the first implementing rules on cybersecurity of critical entities and networks under the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive). The new rules detail cybersecurity risk management measures as well as the cases in which an incident should be considered significant and companies providing digital infrastructures and services should report it to national authorities. The implementing regulation will be published in the Official Journal in due course and enter into force 20 days thereafter.

Council of the EU adopts new designs protection legislation package

The Council of the EU has adopted the revised Directive on the legal protection of designs and the amended Regulation on community designs, with the aim of improving the protection of industrial designs in the era of digital designs and 3D printing. The two pieces of legislation will make it cheaper to register designs at the EU level, harmonise procedures between EU and national systems, and exempt from the design protection the spare parts used for repair of complex products under a new “repair clause”.

Council of the EU formally adopts Product Liability Directive

The Council of the EU has formally adopted a Directive on liability for defective products. The new Directive updates the existing strict liability regime, established through the 1985 Product Liability Directive (85/374/EEC), in line with the digital age, circular economy business models and global value chains. Among other things, it extends the definition of “product” to digital manufacturing files and software. Online platforms can also be held liable for a defective product sold on their platform.

Digital Services Act: request for information to Temu on traders selling illegal products on its marketplace

The European Commission has sent a request for information (RFI) to Temu under the Digital Services Act (DSA), requesting it to provide detailed information and internal documents on the mitigation measures taken against the presence and reappearance of traders selling illegal products on its online marketplace. The RFI further requires Temu to supply additional data and information on the measures adopted to mitigate the risk of dissemination of illegal products, as well as risks relating to consumer protection, public health and users’ wellbeing. Moreover, the Commission is also requesting details on the recommender systems of Temu and the risk to the protection of users’ personal data. Temu must provide the requested information by 21 October 2024.

European Commission closes market investigation into X’s online social networking service

The European Commission has found that the online social networking service of X should not be designated as a core platform service under the Digital Markets Act (DMA). The decision comes after an in-depth market investigation launched on 13 May 2024 following the notification by X of its status as a potential gatekeeper. Together with the notification, X also submitted rebuttal arguments, explaining why its online social networking service should not, in its view, qualify as an important gateway between businesses and consumers, even if X is deemed to meet the quantitative thresholds set out in the DMA. The Commission has concluded that X does not qualify as a gatekeeper in relation to its online social networking service, given that the investigation revealed that X is not an important gateway for business users to reach end users. The Commission will continue to monitor developments on the market with respect to this service, should any substantial changes arise.

Council of the EU adopts Platform Workers Directive

The Council of the EU has adopted new rules that aim to improve working conditions for the more than 28 million people working in digital labour platforms across the EU. The Platform Workers Directive will make the use of algorithms in human resources management more transparent, ensuring that automated systems are monitored by qualified staff and that workers have the right to contest automated decisions. It will also help correctly determine the employment status of persons working for platforms, enabling them to benefit from any labour rights they are entitled to. Member states will establish a legal presumption of employment in their legal systems that will be triggered when certain facts indicating control and direction are found. The directive will now be signed by both the Council and the European Parliament and will enter into force following publication in the EU’s Official Journal. Member states will then have two years to incorporate the Directive into their national legislation.

Irish Data Protection Commission launches inquiry into Ryanair’s customer verification process

The Data Protection Commission has opened an inquiry into Ryanair’s processing of personal data as part of the customer verification processes for customers who book Ryanair flights from third party websites or online travel agents. The DPC has received several complaints regarding Ryanair’s practice of requesting additional ID verification from customers who book travel tickets via third party websites, as opposed to booking directly on Ryanair’s website. Those verification methods may include biometric data. The inquiry will be conducted under Section 110 of the Data Protection Act 2018. The inquiry is cross-border in nature and will consider whether Ryanair has complied with its various obligations under the GDPR, including the lawfulness and transparency of the data processing.
