In this edition, we discuss the Law Commission’s consultation on consumer sales contracts, guidance on international personal data transfer following the end of the Brexit transition period and a look at multi-jurisdictional outsourcing issues.
Access the latest developments below.
The Law Commission is consulting on draft legislation which would implement recommendations it made in July 2016 to modernise the rules on when consumers acquire ownership of goods under sales contracts. The 2016 recommendations looked at what recourse consumers have when purchasing and engaging with online retailers which then go insolvent.
The aim is to update the antiquated rules from the 19th century which govern 21st century shopping habits and means of purchase which could never have been envisaged when the rules were initially drafted.
Principles of contract interpretation were in front of the High Court in the Cathay Pacific and Lufthansa case. The court ruled there was no requirement to imply qualifications into a written agreement, so as to prevent one party from acting in an arbitrary manner or requiring such party to act in good faith.
The Department for Digital, Culture, Media and Sport has updated its guidance to organisations in respect of international personal data transfers following the end of the Brexit transition period. This comes at a time when the UK is seeking an adequacy decision from the European Commission for the transfers of personal data from the EEA into the UK. Any adequacy decision has been further complicated by the CJEU’s findings in the Schrems II case and the Privacy International case; both raising issues in respect of national security and governments’ ability to intercept personal data (see also TechUK’s comments).
Tabitha Al-Mahdawie and Sekou Taylor look at the ICO latest guidance on data subject access requests (SARs) and the recent case of Lees v Lloyds which looked at nuisance SARs.
SARS are often used as tactic to procure information from a data controller prior to or in conjunction with launching some other claim or complaint. The court’s decision in the Lees v Lloyds case is noteworthy in that it identifies that “nuisance” SARs are often deployed in this manner and there are grounds on which such DSARs may be rejected.
The court’s decision does conflict somewhat with the ICO’s which states that the motive behind a SAR is not a relevant consideration for the data controller which must respond whether it is a “nuisance” or not.
Things of note
In this updated practice note for Practical Law, Mark Lewis sets out the strategic, structural, legal, regulatory and contractual background and considerations for multi-jurisdictional outsourcing across all sectors.
This version contains, among others, a new section outlining how to approach and integrate cloud services and advanced technologies (e.g. robotic process automation) as part of a multi-jurisdictional outsourcing project.
Read more (subscription required. Please contact one of the authors if you cannot access this material).
The CMA is seeking responses to its draft guidance paper on its role following the end of the Brexit transition period. The CMA has consumer protection enforcement power under a number of pieces of UK legislation and its consumer protection role is anticipated to continue in 2021 and beyond. The draft paper raises issues of the CMA’s ability to bring proceedings against EU organisations directing trade at UK consumers and other relevant issues flowing from the UK’s departure from the EU.
Anne Todd looks at the implementation of the ICO’s Age Appropriate Design Code and discusses how this supplements and interacts with the Data Protection Act 2018.
The code applies to all information society services which are likely to be accessed by children aged under 18, not only services specifically targeting children. This will be of interest to providers of apps, websites and online games as well as providers of a wider range of digital services and internet of things devices.
Comments from Margrethe Vestager indicate that the European Commission is looking to roll two EU initiatives (which would set down rules for tech platforms and also hand new powers to enforcers) into a single proposal focused on digital markets. The remarks suggest that the European Commission will no longer seek broad investigatory powers to delve into markets in all industries.
Our thoughts on other news
The draft Digital Services Act regulation aims to remove data moats which prevent competitors to the large tech companies being able to compete on a level playing field. The debate on access to data has been ongoing for some time with many critics stating that simply having access to data does not enable start-ups and smaller companies to compete with the large tech companies. However, the draft proposals go beyond purely data sharing and look at prohibitions including preferential treatment of tech companies’ own services on their platforms.
Read more (subscription required).
The UK’s Intellectual Property Office has opened a Public Consultation on artificial intelligence’s role in the development, creation and protection of intellectual property. The consultation invites a range of questions including artificial intelligence’s role as an inventor of intellectual property (where there is no internationally accepted policy) and its liability in infringing the rights of third parties.
The data heavy world of artificial intelligence often runs into the world of data privacy with personal data often being the fuel for the algorithms or the artificial intelligence technology having a direct impact on the privacy rights of individuals. The ICO guidance looks to simplify many of the questions and issues companies grapple with when implementing or developing artificial intelligence technology and sets out the core principles with which companies need to comply.