
ICT regulation in 2021: Four things to look out for

From the regulation of Big Tech to the upcoming legislative framework for AI, I have identified the key areas to look out for in 2021 when it comes to regulating ICT.

1. Regulating digital gatekeepers

Big Tech has been on the regulators’ and legislators’ radar for a while, with earlier EU antitrust fines imposed on Google and the introduction of much larger fines by the GDPR. While a number of antitrust cases were filed against Facebook in the US in late 2020, the latest European Commission proposal represents a more considerable innovation when it comes to regulating Big Tech.

The proposed Digital Markets Act creates something new: asymmetric, market-power-based regulation of digital gatekeepers. Whereas the new Digital Services Act continues to build on the existing consumer protection philosophy, which only acknowledges the asymmetry between the consumer and the business, the Digital Markets Act imposes remedies only on those digital platforms that hold an entrenched, durable intermediary position. This is akin to the asymmetric regulation of telecoms operators with Significant Market Power.

In a manner that resembles telecoms infrastructure regulation, the Digital Markets Act seeks to open up access to the Big Tech platforms by ‘unbundling’ some of their features. Considering the regulators’ and legislators’ reluctance to regulate Internet ‘content’ since the late 1990s, such ex ante measures can be seen as truly historic.

2. AI regulation

Following the introduction of GDPR rules on profiling and human intervention, the Ethics Guidelines for Trustworthy AI prepared by the EU High-Level Expert Group on Artificial Intelligence (AI HLEG) have provided a strong hint that we can expect a horizontal legislative action in the area of AI.

Following a public consultation in 2020, the European Commission expects to unveil a legislative proposal regulating AI in the first quarter of 2021. It remains to be seen to what extent European legislators will transpose the ethical principles identified by the AI HLEG, such as human agency and oversight or technical robustness and safety, into mandatory legal obligations.

3. European Electronic Communications Code (EECC)

The EECC, a new Directive consolidating most of the EU electronic communications legislation, was due for transposition by 21 December 2020. While a few Member States are still lagging behind schedule, often due to COVID-19, the European Commission has already adopted a Delegated Regulation setting single EU-wide voice-call termination rates for both fixed and mobile calls. This further reduces the wholesale price of voice calls within the EU, with the aim of further reducing retail prices.

The impact of the EECC on telecoms markets remains to be seen. The new Directive gives national regulatory authorities more options to tackle market failure, including through commitments offered by dominant players. It modernises and further harmonises the rules on spectrum with a view to 5G and the technologies to follow, and introduces basic regulatory protection for customers of number-independent OTT communications services. The latter have until now largely been excluded from the regulation of the telecoms sector.

Practical effects will largely depend on implementation in the Member States. For example, will regulators be able to leverage regulatory sticks and carrots to foster the emergence of wholesale-only broadband infrastructure players? Implementation at the national level will also be crucial to reap the full benefits of the new spectrum management rules, according to Vesna Prodnik of Vafer, a specialised mobile telecoms consultancy: “Member States still have a wide discretion as to the exact rules on simplifying small-area wireless cell placement, which is crucial for the necessary 5G network density.”

4. Electronic identity

As an even larger share of business and private life moves online because of the COVID-19 pandemic, online identity fraud has become even more rampant. Should governments centralise the approach to e-identity? Or should one rely on decentralised, commercially offered identity solutions? Should everyone receive an ID certificate, or another means of verifying who they are, for use in all online environments?

The EU eIDAS Regulation has introduced an interoperability framework under which EU citizens can use their own national electronic identification schemes (eIDs) to access public services in other Member States. It has further created an internal market for trust services, namely electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, by ensuring that they work across borders and have the same legal status as their traditional paper-based equivalents.

Despite these developments, we still seem to be far from uniform and universally accepted electronic IDs, especially at the international level. A further push may come from the European Commission’s review of the eIDAS Regulation, which is currently underway following an open public consultation.

Next steps for ICT businesses

  • Check how your online operations might be affected in the future by the additional obligations proposed by the EU Digital Services Act
  • If you develop or deploy AI solutions, consider doing an AI ethics impact assessment to ensure their long-term viability
  • Check if any of the services you provide online might be classified as interpersonal communications services and therefore subject to EECC regulation

At Aphaia, we will continue to keep up with these developments. Please reach out if your business requires assistance with any of them. You can visit us at https://aphaia.consulting to explore our full array of services.


Memorandum of Understanding signed between the ICO and the National Privacy Commission of the Philippines

A Memorandum of Understanding has been signed between the UK’s ICO and the Philippines’ NPC, effective January 12th 2021.

The UK’s ICO and the Philippines’ NPC have recently signed a Memorandum of Understanding in a move to strengthen their existing relations. Recognising the globalised nature of the economy, and the fact that they perform similar roles in their respective countries, the ICO and NPC agreed this memorandum, which is not legally binding and does not apply in circumstances where it would breach either party’s legal responsibilities. Each organisation is expected to continue enforcing its own legislation, but the two may collaborate on joint enforcement actions and assist each other in enforcing their respective laws, as long as this does not contravene national security or other relevant laws.

The Memorandum of Understanding provides several opportunities for collaboration and cooperation. 

This Memorandum of Understanding signed by the ICO and NPC sets out the intention to carry out joint research projects and to exchange information on best practices for data protection policies and training programmes. The two authorities will hold bilateral meetings annually, or as otherwise agreed. There will be no sharing of personal data; however, the ICO and NPC do intend to exchange information concerning potential or ongoing investigations within their respective jurisdictions. The memorandum also encourages joint investigation of cross-border personal data breaches or other security incidents that involve organisations in both jurisdictions, as well as any other areas of cooperation agreed by both parties.

This Memorandum does not create an obligation to share information and does not allow for the sharing of personal information. 

This agreement is not legally binding, and neither party is under an obligation to cooperate or to share information, particularly information which is outside the scope of this memorandum or which may compromise its legal responsibilities. While the parties agree to share certain information, this does not imply the transfer of ownership of, or rights to, the shared information. There is no intention for the parties to share personal information, however that term is defined in each party’s domestic law. If the ICO or NPC nevertheless wishes to share personal information and deems it necessary, as may be the case when sharing information about a cross-border personal data breach, this must not in any way compromise compliance with that party’s own data protection laws.

The Memorandum of Understanding will be continuously monitored and reviewed, settling any disputes amicably through negotiations. 

The Memorandum of Understanding is regarded as a statement of intent; it is anticipated that it will be continuously monitored and reviewed biennially, with any disputes resolved amicably through consultation and negotiation, without recourse to any formal dispute resolution forum. The agreement does not create any legally binding commitments. Any issues that arise are therefore to be handled by first notifying each party’s point of contact; after the negotiating process, the agreement can be amended with changes agreed by both parties and signed into the memorandum. The respective points of contact are expected to maintain open communication to ensure that the agreement remains effective and serves its purpose.

Do you have questions about how this new agreement may affect your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


ICO urges UK businesses: ensure compliance with data protection law before the end of the UK’s transition period.

The ICO urges UK businesses to ensure compliance with data protection law before the end of the UK’s transition period on December 31st 2020.

December 31st 2020 officially ends the UK’s transition period out of the EU, and the ICO is calling on UK businesses affected by data protection law to take the necessary steps to ensure the continued lawful flow of data from the EU. The ICO advises that any business receiving data from organisations in the EU or the European Economic Area (EEA, which comprises the EU plus Iceland, Norway and Liechtenstein) will need to take action to ensure the flow of data does not stop.

Many SMEs depend on the flow of personal data to operate, and the ICO seeks to aid these businesses during the transition. 

Personal data is any information that relates to an identifiable individual, whether customers or staff. HR records, customer details, payroll information and information collected through cloud services are all personal data and may all be affected. The ICO recognises that sharing personal data is essential to running the majority of SMEs and that smaller organisations may not have dedicated data protection officers or specialists to help with the preparations. It has, as a result, published a statement advising businesses on steps they can take before January 1st to ensure continued compliance.

The ICO urges UK businesses to maintain compliance with the DPA 2018 and the GDPR, and to double-check their privacy information.

Businesses in the UK will need to continue to comply with the GDPR, retained in domestic law as the UK GDPR, and the DPA 2018. However, as regards the exchange of personal data between entities in the UK and the EU, and in particular data received from the EU or EEA, businesses will need to have safeguards in place from January 1st 2021 to ensure that the continued flow of data is lawful. The ICO has gathered guidance and resources on its website and urges businesses to use them to determine what action they may need to take if they use personal data. In addition, businesses should review their privacy information and other documentation for changes that may need to be made at the end of the transition period.

For most businesses and organisations, the ICO suggests Standard Contractual Clauses (SCCs) to keep data flowing on EU-approved terms. 

The ICO statement suggests that standard contractual clauses, or SCCs, may be the best option for businesses that use personal data and want to ensure their data transfers remain on EU-approved terms. From January 1st 2021, businesses in the UK will be treated as controllers or processors in a third country, so transfers of personal data to them from the EU will need a transfer mechanism. SCCs, which are an established safeguard for transfers of personal data from the EU to controllers and processors in third countries, have been recommended by the ICO as the best option for most UK businesses to adopt post-transition.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.


New national privacy bill proposed in Canada.

A new national privacy bill proposed in Canada is expected to significantly increase the protection of Canadians’ personal information.

Bill C-11, Canada’s newly proposed national privacy bill, also referred to as the Digital Charter Implementation Act, 2020, would give Canadians more control and transparency over how companies handle their personal information, and is therefore expected to strengthen the protection of that information. The bill is said to reshape Canada’s privacy framework. In the wake of the “Schrems II” judgment in the EU, and with the U.S. examining its own federal privacy legislation, international data flows have come under challenge, prompting further legislation in this area.

The bill was introduced by the Minister of Innovation, Science and Industry, Navdeep Bains, who raised an important point on the need for interoperability with both EU and U.S. legislation.

The President of the Canadian Internet Registration Authority, Byron Holland, applauded the bill and said, “Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it, and face real consequences should they break the trust of their users.” Minister of Innovation, Science and Industry Navdeep Bains said, “As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. … For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement.” He also raised an important point on the need for interoperability with both EU and U.S. legislation, and on achieving adequacy through this legislation.

The new national privacy bill in Canada, if passed, could mean several significant changes, including the possibility for hefty fines, for companies found to be in violation. 

If the bill passes, companies found to be in violation could face fines of up to five per cent of global revenue or $25 million CAD, whichever is higher. Bill C-11 would enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. It would also give the federal Privacy Commissioner order-making powers, including the ability to compel an organization to comply and to order a company to stop collecting or using personal information.

The Digital Charter Implementation Act focuses on key principles, including algorithmic transparency, data mobility, de-identified information, withdrawal of consent and disposal of personal information.

The Digital Charter Implementation Act focuses on key principles including algorithmic transparency, data mobility, de-identified information, withdrawal of consent and disposal of personal information. The government’s accompanying fact sheet answers the in-depth clarifying questions surrounding the DCIA 2020, including how the new legislation may promote a strong Canadian digital environment.

How do the key principles of DCIA 2020 compare to current GDPR regulation?

There has been much talk of the interoperability of the DCIA and the GDPR, so it is interesting to note how the two compare on basic principles. The following comparison is organised around the key principles of the Digital Charter Implementation Act.

Meaningful consent
DCIA: New rules on consent would ensure that individuals have sufficient plain-language information to make meaningful decisions about the use of their personal information.
GDPR: A data subject’s consent must be freely given, specific, informed and unambiguous, and the individual must indicate agreement to the processing of their personal data by a clear affirmative action (Article 4(11)).

Data mobility
DCIA: The proposed bill would give people the right to direct the transfer of their personal information from one organization to another; for example, they could direct their bank to share their personal information with another financial institution.
GDPR: The right to data portability (Article 20) allows individuals to obtain, reuse, move, copy or transfer their personal data for their own purposes across different services. It applies only to data the individual has provided to a controller, where the processing is based on consent or contract and is carried out by automated means.

Disposal of personal information and withdrawal of consent
DCIA: Organizations would have to discard personal information on request and, in most cases, allow individuals to withdraw consent for the use of their personal information.
GDPR: Individuals have the right to withdraw consent at any time (Article 7(3)), and it must be as easy to withdraw consent as it was to give it, meaning an easily accessible one-step process. Disposal is covered separately by the right to erasure (Article 17).

Algorithmic transparency
DCIA: Businesses will need to be transparent about how they use automated decision-making systems, such as algorithms and artificial intelligence, to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to ask a business to explain how the automated system arrived at a prediction, recommendation or decision and how the information used was obtained.
GDPR: Article 22 grants the data subject the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. In the specific situations Article 22 identifies as legitimate exceptions, such processing is valid, but additional measures are required: “…the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision”.

De-identified information
DCIA: The legislation would clarify that personal information with direct identifiers such as names removed must still be protected, and that it can be used without an individual’s consent only in certain circumstances.
GDPR: Pseudonymised data remains personal data (Recital 26). Article 6(4)(e) lists pseudonymisation among the appropriate safeguards a controller may take into account when assessing whether further processing for a purpose other than the one for which the data was collected is compatible with the original purpose.

Do you require assistance with GDPR or CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.