Tech Disputes - Summer 2022

Our quarterly round-up of key cases and developments arising in the wide world of tech provides a road-map to highlight issues which may impact your business.

28 July 2022

Publication

Key developments

Plans to reform the UK Data Protection Act

On 17 June 2022 the UK Government published its long-awaited plans to reform the UK Data Protection Act. The reforms set a clear tone: the UK wants to cut down on excessive bureaucracy and reduce costly compliance burdens for businesses. There is little mention of individuals’ rights beyond the reassurance that the plans will preserve the UK’s “high data protection standards”. While the reform package is certainly significant, only the detail of the reforms contained in the publication of the Data Reform Bill will reveal how radical it is. The extent of any changes will be constrained by the need for the UK to retain its adequacy status within the EU, a status the European Commission is more than happy to use as a bargaining chip in the management of the EU-UK relationship. Please see our article here for further commentary.

Chinese Government sets out new policy for cross-border data transfer

The Cyberspace Administration of China (CAC) published the long-awaited standard contract for cross-border data transfer on 30 June for public comment (available here in Chinese language), which supplements the requirements under China’s Personal Information Protection Law (PIPL) that came into effect on 1 November 2021. Among other requirements, data exporters are required to assess the impact of data protection laws and policies of the destination jurisdiction on the enforceability of the standard contract. This will require data exporters to map out current cross-border data transfer flows and perform a personal information protection impact assessment. Please see our article here for more in-depth commentary on the potential implications.

Report on credential stuffing attacks

A report was published in June 2022 by the Global Privacy Assembly’s International Enforcement Working Group (IEWG) on the growing trend of credential stuffing attacks. Credential stuffing attacks are a relatively straightforward form of cyber attack aimed at exploiting people’s tendency to use the same combination of usernames and passwords across their multiple online accounts. The IEWG report stresses the increasing risk posed by credential stuffing and sets out guidance for commercial organisations on how to prevent, detect and mitigate the risk of these attacks. As a first step, TMT businesses will need to assign a “Qualified Individual” (who is responsible for overseeing, implementing, and reinforcing an organisation’s IT security program) to review and implement the IEWG’s recommended measures. You can read our article for more information.

First Draft of the Artificial Intelligence Act

The Artificial Intelligence Act (AIA) is currently going through the EU legislative process. The AIA will have wide territorial reach in that it will apply to non-EU organisations who supply AI systems into the EU and is expected to introduce significant financial penalties for non-compliance. First issued in April 2021, the draft AIA received proposed amendments from the EU Council in November 2021, and in recent weeks, has received proposed amendments from various committees of the EU Parliament. Our update bulletin summarises the recent proposals. The EU Parliament is expected to finalise and propose its amendments in the Autumn.

European Commission proposal on corporate sustainability

The EU Parliament and Council have announced they have reached provisional political agreement on the Corporate Sustainability Reporting Directive (CSRD), which aims to revise and strengthen the rules introduced by the Non-Financial Reporting Directive (2014/95/EU) (NFRD). The CSRD will introduce a number of new sustainability reporting requirements to ensure that companies report reliable and comparable sustainability information that investors and other stakeholders need. The change will apply to all large companies, whether listed or not, and to listed small and medium-sized enterprises. You can read more about the changes in our article.

Spotlight on the Metaverse

At the end of 2021 we predicted that Metaverse would be a ‘word of the year’ for 2022. That prediction is holding true.

But what is the Metaverse? Our Gaming and Immersive Tech (GAIT) group have recently produced an article which seeks to provide the answer.

As a ‘democratised internet built on gaming technologies’, the Metaverse is likely to provide fertile ground for new types of disputes to arise.

In Parts One and Two of our ‘Meta-Versus’ series looking at Metaverse disputes issues, we explain why the Metaverse will give rise to disputes, and profile some of the types of disputes that may arise.

Key cases

HP / Autonomy v (1) Lynch (2) Hussain [2019] EWHC 249 (Ch)

This judgment was handed down on 17 May 2022 and provided some long-awaited clarity on the application of certain aspects of Section 90A FSMA. That section allows investors-at-large to hold UK issuers to account for publishing misleading information. The Autonomy judgment brings welcome clarity on the kind of factors that the Court will consider when assessing if a representation was, and was intended by an issuer’s directors to be, misleading – a necessary ingredient for issuer liability. On the subject of reliance (a key evidential hurdle for claimants), the judgment confirmed that there is a factual (though not legal) presumption that an objectively material representation did induce the claimant to transact. However, the effect of this presumption is mitigated by the regime’s requirement that claimants show ‘reasonable reliance’. The guidance provided by this judgment is of interest to any UK issuer, or investors in them. A summary of the Judgment can be found here, or you can read our analysis of the key issues, here.

D’Aloia v (1) Persons Unknown (2) Binance Holdings Limited and others [2022] EWHC 1723 (Ch)

The High Court granted an order permitting service of court proceedings via the airdrop of a non-fungible token (NFT) to a digital wallet into which misappropriated cryptocurrency had been transferred. The order is an example of the English courts embracing new technology and a noteworthy development in relation to the service of court documents. The judgment is also significant in that the court recognised there to be a good arguable case that the cryptocurrency exchanges held cryptocurrencies on constructive trust. If this is held to be correct at trial, exchanges such as Binance could face more claims for breach of trust when stolen currencies are found to have passed through their hands. The judgment can be found here.

Koninklijke Philips NV v Guangdong Oppo Mobile Telecommunications Corp Ltd [2022] EWHC 1703 (Pat)

The High Court granted an injunction to prevent the Chinese defendants from obtaining anti-suit relief from the Chinese courts (i.e. an anti-anti-suit injunction) which would prevent the claimant pursuing its English claim that the defendants had infringed Standard Essential Patents (SEP) relating to 3G and 4G. However, the injunction would not prevent the Chinese court from conducting global rate setting. The judgment (together with the Court of Appeal’s judgment in Nokia v Oneplus, which applied similar principles) will likely encourage parallel litigation in SEP FRAND licensing disputes.

Appeal dismissed against a CAT order for dominant position in the telecommunications market: BT Group Plc v Patourel [2022] EWCA Civ 593

The collective proceedings against BT (for whom we act) have been certified on an opt-out basis and the Court of Appeal has confirmed that the certification remains in place. This is one of a number of collective proceedings recently certified against technology companies. Others include the opt-out claims against Apple and Google, which were certified at the hearings for the collective proceedings orders.

UK Information Commissioner’s Office (ICO) fines Clearview AI £7.5m

The ICO has fined Clearview AI for using images of people in the UK, and elsewhere, which were collected from the web and social media, to create a global online database that could be used for facial recognition. This fine reinforces the message from data regulators to the wider tech community: they will not permit the collecting and using of biometric data without adhering to the relevant legislation which applies to it, even where that data is publicly available.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.