Tech Disputes - Spring 2023

Key developments

Meta fined €1.2bn for failure to protect the personal data of users that was transferred from EU to US

Ireland’s Data Protection Commission (DPC) said Meta had mishandled personal information when transferring personal data about users of its Facebook service from the EU and EEA to the US. The Irish DPC found that, although Meta Ireland had entered into the correct version of the Standard Contractual Clauses (SCCs) and undertaken a Data Transfer Impact Assessment (DTIA) (as required under the General Data Protection Regulation and the Schrems II decision) the way that the DTIA had been applied in the context of the nature of the personal data that was transferred to the US meant that there was not adequate protection for the transferred personal data. Meta Ireland has therefore been required to pay the fine and to suspend the data transfers. Meta has indicated that it intends to appeal the decision. The Irish DPC’s decision highlights the importance of getting compliance right. See the decision here, and our advice on what organisations should be focusing on here.

The ICO fines TikTok £12.7m for failing to protect children's privacy

This is the third largest fine imposed by the ICO to date. The ICO found that TikTok had not done enough to prevent an estimated 1.4m children under 13 from using its platform without parental consent. TikTok was found to have breached multiple UK GDPR provisions, including using underage users' personal data without explicit parental consent and failing to provide clear information on data collection. The fine was reduced from an initial figure of £27m after TikTok's representations to the ICO. See the fine here, and our article here.

UK Government publishes the Digital Markets, Competition and Consumers Bill (DCCB)

The DCCB was introduced to Parliament on 25 April as the UK’s new bill to crack down on subscription traps, protect consumer cash online and boost competition in digital markets. Alongside proposing a new regime for digital markets, which will be overseen by the digital markets unit of the CMA, the DCCB also introduces a number of changes, in many ways equally important, to consumer protection enforcement in the UK. The DCCB provides for a new framework for the direct enforcement of consumer protection law, giving the CMA enhanced powers to investigate infringements and issue fines more on a par with those available under competition rules (up to 10% of global turnover for businesses). The bill is currently in the committee stage in the House of Commons. See the bill here, and our article here.

European Data Protection Board (EDPB) publishes revised guidelines on Personal Data Breach Notification

The revised guidelines, published on 4 April, clarify that non-EU controllers, even if they have a representative in the EU, cannot benefit from a "one-stop-shop" for breach notification by simply notifying the supervisory authority of their representative’s member state. Instead, they must notify every supervisory authority in the EU Member States where affected individuals reside. This approach, although potentially burdensome, aligns with the EDPB’s earlier guidance and reinforces the need for non-EU controllers to navigate multiple notification processes in the case of a data breach, all within the tight timeframes imposed by the GDPR. See the guidelines here.

European Commission (EC) approves Microsoft's Acquisition of Activision Blizzard

The EC has approved Microsoft's $69 billion blockbuster acquisition of Activision Blizzard (Activision) on 15 May 2023. Microsoft addressed the EC’s initial concerns by committing to offer a license to (i) EU consumers that would allow them to stream all Activision games on any cloud game streaming service and (ii) a corresponding license to cloud game streaming service providers. However, while this is undoubtedly a big win for Microsoft, they need both the EC’s and the CMA’s approval for the acquisition to complete. The CMA has previously rejected the deal on the grounds that it would harm competition in the nascent cloud gaming market in the UK, a decision that Microsoft is currently appealing. See the Commission’s decision here, and the CMA’s final report here.

Key cases

Online Terms: Parker-Grennan v Camelot UK Lotteries Ltd [2023] EWHC 800 (KB) (04 April 2023)

In this case, the claimant believed she had won £1 million by matching a ‘winning number’ when playing an online lottery game. When the claimant provided a screenshot of her result, Camelot informed her that it was a coding error and she had actually won only £10. The judge concluded that Camelot's terms and conditions, which expressly stated that each ‘play’ is pre-determined at point of purchase, were properly incorporated into the contract through the ‘click-wrap’ method. Although there was a degree of imbalance between Camelot and the claimant, the terms were not considered unfair under the Unfair Terms in Consumer Contracts Regulations 1999. This case emphasises the importance of clear and user-friendly terms and conditions for online services. See the judgment here and our article here.

Cryptoassets: Piroozzadeh v Persons Unknown Category A & Ors [2023] EWHC 1024 (Ch) (02 March 2023)

This case concerned whether a cryptocurrency exchange holds misappropriated assets as a constructive trustee. Binance had an interim proprietary injunction against it successfully discharged. The judge found that in obtaining the injunction, the claimant/applicant had breached their duty of fair representation, including omitting a potential defence available to Binance as a bona fide purchaser of the cryptoasset. The judge discharged the injunction against Binance, stating that damages would be an adequate remedy and that the claimant should have targeted the non-exchange defendants instead. The question of whether a constructive trust can arise in deposit pooling scenarios was left open. See the judgment here.

Data: Experian Ltd v Information Commissioner (Allowed) [2023] UKFTT 132 (GRC)

The First-Tier Tribunal (FTT) has partially allowed an appeal by Experian against an ICO GDPR Enforcement Notice issued in October 2020. The FTT found that the ICO had misunderstood the data processing by Experian’s marketing business and failed to consider the benefits to consumers. The original notice required Experian to make various changes, but the FTT reduced the notification burden and ruled against retrospective notification. The decision emphasises proportionality and transparency in GDPR compliance. The ICO may appeal the decision. Read the judgment here and our article here.

Competition: 1576/6/12/23 Apple Inc. & Others v Competition and Markets Authority [2023] CAT 21 & CAT 29

On 3 May, the Competition Appeal Tribunal (CAT) rejected the CMA’s application for permission to appeal an earlier judgment of 31 March that quashed the CMA’s decision to initiate a market investigation into mobile browsers and cloud gaming. The CAT had ruled that the CMA had breached statutory deadlines by not consulting on the proposal to make a market investigation reference within the specified timeframes. In the order, the CAT concluded that the CMA’s grounds of appeal lacked a real prospect of success and failed to find any other compelling reason for why permission to appeal should be granted. Read the judgment here, and the order here.

Data: Prismall v Google UK Ltd & Anor [2023] EWHC 1169 (KB) (19 May 2023)

The High Court ruled against Andrew Prismall, in his misuse of private information claim brought on behalf of 1.6m NHS patients against Google and DeepMind Technologies. The proposed claimant class had records that were transferred to DeepMind to help develop a medical app. The court struck out the claim, stating that the ‘lowest common denominator’ damages suffered by the proposed class did not meet the de minimis threshold for damages. This decision highlights the serious challenges faced by claimants seeking compensation for data privacy breaches, and the pro-defendant position here stands in contrast to the fine issued against Meta above. Read the full judgment here, and keep an eye out on UpData for an upcoming article.

IP issues arising from emerging tech: Generative AI and Virtual Assets

Assets created by Generative AI and virtual goods, such as NFTs, create novel issues of IP law to consider.

In our publication on classifying NFTs, virtual goods and metaverse services, we consider new IPO guidance on the classification of:

• NFTs; and
• services provided virtually in the metaverse.

In our article on Generative AI and copyright, we cover:

• the ownership of copyright in AI-generated outputs;
• the position where multiple users create output via inputting same prompts; and
• issues arising out of training generative AI using datasets containing works protected by third-party copyright.