20th Berry Pick and we are finally nearing the years I have lived on this earth. A peculiar way to celebrate an otherwise insignificant milestone in a blogger’s journey. A small step for IT lawyers a huge step for Sena. And in celebration, here’s another week’s worth of picks, complete with CJEU case-law, UK taking back(?) control post-Brexit, and the footsteps of the DSA. Enjoy!
🎩 Competition
The UK Competition and Markets Authority (“CMA”) blocked Microsoft’s proposed $68.7 billion purchase of Activision to “protect innovation and choice in cloud gaming”. The CMA found Microsoft’s proposed solution to address these concerns insufficient. It’s concluded that the merger would give Microsoft too much control over the market and the ability to stifle new and innovative competitors. Microsoft already accounts for an estimated 60-70% of global cloud gaming services and has other important strengths in cloud gaming from owning Xbox, Windows, and Azure. Gaming industry, rejoice.
The CMA announced a new bill to stamp out unfair practices and promote competition in digital markets. The Digital Markets, Competition and Consumers (“DMCC”) Bill will focus on competition amongst business online and on the high street. It focuses on consumer protection, digital markets, and competition, empowering the CMA to crack down on unfair practices and fine businesses up to 10% of their global turnover. It establishes a new regime overseen by the Digital Markets Unit to hold digital firms accountable for their actions, prevent firms with Strategic Market Status from limiting digital innovation, and make it easier for the CMA to take action against mergers that harm UK consumers and businesses. Look at me now EU-UK.
🔐 Cybersecurity
The European Union Agency for Cybersecurity (“ENISA”) published an assessment of standards for the cybersecurity of AI and issues recommendations to support the implementation of upcoming EU policies on AI. The study is focused on machine learning due to its extensive use across AI deployments. The report finds more guidance is needed to help the user community benefit from existing standards on AI, and recommends the development of technical guidance on how existing standards related to the cybersecurity of software should be applied to AI. The study calls for promoting cooperation and coordination across standards organizations’ technical committees on cybersecurity and AI.
🔏 Data Protection & Privacy
Attorney General Pitruzzella issued his opinion (link in German) in CJEU’s Case C-340/21 on the interpretation of the GDPR in relation to compensation for non-material damage resulting from unauthorised access to personal data. The opinion includes that a controller must implement appropriate technical and organisational measures to ensure data protection and that the appropriateness of those measures must be subject to judicial review. The burden of proving that the measures are appropriate is on the controller, and fear of future misuse of personal data may constitute non-material damage eligible for compensation. The opinion also states that the fact that an infringement was committed by a third party does not in itself exempt the controller from liability. It’s always exciting when the cybersecurity and GDPR overlap is addressed.
CJEU’s General Court issued its ruling clarifying the status of pseudonymised data in that pseudonymised data transmitted to a data recipient won’t be considered personal data, as long as the data recipient has no way to re-identify the data subjects. Surprise, personal data is in the eye of the beholder, pseudonymous data may not be personal data if the recipient can’t re-identify the data subjects.
Advocate General Campos Sanchez-Bordona issued his opinion on Deutsche Wohnen SE v Staatsanwaltschaft Berlin. The Advocate General’s opinion approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected the concept of strict liability for alleged GDPR violations. A company must bear the consequences of GDPR infringements committed by its representatives, directors, managers, or employees acting in the course of the company’s business and under the supervision of its representatives, directors, or managers. However, the DPA must establish individual and specific acts of employees below management level, and such acts must have been made possible by a failure in the control and supervision system, for which those managing bodies are directly responsible.
🛒 E-Commerce & Digital Consumer
The first set of VLOPs and VLOSEs have been announced by the European Commission! The platforms were designated based on the user data that they had to publish by 17th February of this year. The companies will now have to comply with the full set of new obligations under the DSA, within 4 months. These include, inter alia, measures such as clearer information on why users receive certain recommendations, the right to opt-out of profiling-based recommendation systems, and stronger privacy protections for minors.
I’ll include the full list, we all want to see.
Very Large Online Platforms:
- Alibaba AliExpress
- Amazon Store
- Apple AppStore
- Booking.com
- Google Play
- Google Maps
- Google Shopping
- Snapchat
- TikTok
- Wikipedia
- YouTube
- Zalando
Very Large Online Search Engines
- Bing
- Google Search
🐆 AI in the Wild
OpenAI is seeking new ways to become more privacy and data protection friendly? The organisation announced that ChatGPT will be getting some new privacy features. It seems like users can now turn off chat history and pick and choose which conversations can be used to train AI models. Conversations that are started when chat history is disabled won’t be used to train and improve their models, and won’t appear in the history sidebar. These controls, which were rolling out to all users this week, can be found in ChatGPT’s settings and can be changed at any time. OpenAI is also apparently working on a new ChatGPT Business subscription for professionals who need more control over their data as well as enterprises seeking to manage their end users. New features alert, brace yourselves. It will be interesting to see how these features are received by users (coughs EU data authorities) and whether they will be enough to satisfy privacy concerns in an ever-evolving digital landscape.
📄 Recommended Readings
Here’s a couple –in no particular order– of recent publications that piqued my interest this week. Remember to grab a cuppa and settle in for some riveting reading.
Security Implications of ChatGPT by the Cloud Security Alliance
Registered Community designs in the video game industry: a neglected yet potent tool by Emmanuelle Sarlangue
Disclaimer: I am in no way affiliated with the authors or publishers in sharing these, and do not necessarily agree with the views contained within. I try to include mostly open access publications due to, well you know, accessibility of knowledge and science.
So there you have it, folks – another week in the fascinating realm of IT Law. Remember to pop back next week for your latest dose of legal updates, served with a twist. Cheerio!
If you have any thoughts or suggestions on how to make this digest even more enjoyable, feel free to drop a line. Your feedback is always welcome!
Featured image generated using Midjourney.
