Innbundet

As expected, Ofcom has issued a new statement, prohibiting inflation-linked price rises in contracts for communications services. Providers can still change the price of a contract, with effect from part-way through - Ofcom has not banned that. The change is is just about how they can do it. The new requirements come into effect on 17 January 2025 and apply to any new contracts entered into from that date. You can...

Roughly two years ago - wow, how time flies - I wrote a blogpost about what UK telecoms operators need to know about the UK/USA Data Access Agreement and the US CLOUD Act. At the time, I didn’t think that UK telecoms operators would receive many, if any, requests under the agreement. I’ve seen a handful of them recently, so I thought it might be worth revisiting it. I had also hoped that a change to data protection...

The UK government has published a consultation on its draft Code of Practice for Software Vendors. This call for evidence closes at 11:59pm on 9 August 2024. There is more information here. What this is about The stated aim is a voluntary Code of Practice for Software Vendors which is designed to ensure that software security is made fundamental to software vendors’ approaches to developing and distributing their...

Yesterday, the Upper Tribunal released its decision on the Information Commissioner’s appeal against the First Tier Tribunal’s decision about the Information Commissioner’s enforcement action against data broker Experian. ([2024] UKUT 105 (AAC)) In short, the Upper Tribunal was not having any of it, and dismissed the ICO’s arguments on all five points. Perhaps the only shred of hope for the ICO was in the Upper...

I’ve written before about the UK’s Product Security and Telecommunications Infrastructure Act 2022, and the associated The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. This regime imposes new security compliance requirements for certain “connected” and IoT products, to be sold to people in the UK. Part 1 covered the products in...

Way back in October 2023, I wrote an introduction to the Product Security and Telecommunications Infrastructure Act 2022, and the associated The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. This is the UK’s new regime for establishing a baseline security level for connectable products. I’d meant to follow up swiftly with Part 2...

According to DocuSign’s website, DocuSign - a company most commonly used for helping people sign contracts digitally - is or may be (its information is not wholly clear) using your contracts and other documents to train AI. I didn’t know this, but then I don’t use DocuSign, although some of my clients do. Perhaps you do, and did. Either way, if you use DocuSign, or are asked to load your documents into DocuSign for...

Ofcom has published draft guidance, and a consultation, on Part 5 Online Safety Act 2023 - this is the OSA’s porn (or, perhaps, anti-porn) provisions. I have previously written about Part 5. If you haven’t already read that, it’s probably worth starting there. This is a blogpost based on my thoughts from reading through the documents; it is not a fully-formed response to Ofcom’s consultation. The deadline for...

Technology, and programming, has always been political. I’ve very little time for discussions which try to separate “tech” and “politics”. The same is true with licensing models. Over the last couple of years, I’ve seen more people talking about “ethical licensing”. And, while I’ve yet to see an “ethical licence” come up in the course of my work, I thought it might be an interesting topic for a blog post. FOSS...

A friend with a child at a local primary school asked if I would join their careers afternoon, to talk about being an Internet lawyer. I love this kind of thing, and the challenge of explaining what I do to 7/8/9 year olds was the icing on the cake. I went for a mix of slides / me talking, with audience participation, and a fun exercise about following instructions. In case you are interested, here are my slides:...

Over the past few months, I’ve seen an increase in the number of subject access requests received by data controllers, which appear to have been generated by, or at least infused with content generated by, “AI” tools. Perhaps you’ve seen this too? People getting help with SARs is nothing new, of course. Some people ask friends or family, others seek formal legal advice, and some use online templates. Not long after...

Just before Christmas, I wrote a short post about how the ICO appears to be finally taking some action in respect of cookies, in the sense that the ICO has written to “top websites” to express their concerns about the sites’ cookie handling practices. The ICO’s press release did not include the text of the letters sent to those sites, so I asked the ICO for a copy. The ICO has provided this, and you can see a copy...

Subtext: we are now on holiday until the new year. Wishing you a very merry Christmas, and a happy new year. We will be back in early January. And, for those who didn’t ask for a hard copy, here’s our 2023 Christmas Card: The card was designed by an Actual Artist, the talented Jennie Gyllblad - note that some of her art, while all hand-drawn cartoons, is “adult” in nature.

Back in July 2022, I wrote “What UK telecoms operators need to know about the UK/USA Data Access Agreement and the US CLOUD Act”. This is an update, prompted by a government amendment to the Data Protection and Digital Information Bill which is currently going through Parliament. It is an amendment; it is not law yet. tl;dr If the amendment passed, a UK telecommunications operator could more readily rely on “task in...

This is a very quick overview of Part 5 of the Online Safety Act 2023, which deals with certain pornographic content. In summary I’m afraid that it is not good news if you are a sex blogger, or run a small porn site, in the UK. The rules are not currently in force. “Pornographic content” is wide. It does not include text-only content, but text-only content which is accompanied by an image, pornographic or not, is...

It looks like the ICO has finally taken some enforcement action against the operators of websites which fail to comply with the UK’s “cookie law”. In a rather vague press release, the ICO has said: The Information Commissioner has warned some of the UK’s top websites they face enforcement action if they do not make changes to comply with data protection law. How many sites it has warned, or what makes a site a...

Update: we’ve run out of cards, so we’ve closed the form for this year! Once again, we’d love to post you a physical, handwritten, Christmas card, if you want one. This year’s card was drawn by the talented Jennie Gyllblad. I love it. We just need your name and address If you would like a card, please complete this form. For information on how we (decoded.legal) process your personal data relating to this, please...

Frankly, I’m not as close to the Data Protection and Digital Information Bill as I ideally would be. There’s a lot going on at the moment… So it came as a bit of a surprise when I spotted a proposed new obligation on UK Internet access providers and telecommunications providers, relating to spam: a duty to notify the ICO of suspected unlawful direct marketing. I have seen nothing about this. I have only found a PDF...

I was lucky enough to be invited to give a talk about “Online Privacy”, from an English law point of view, to a mix of undergraduate and postgraduate students recently. Here are my slides. Note that the focus is on privacy, not data protection!

I know that I’ve got quite a downer on the Online Safety Act 2023. I’ve followed it closely and, each time I read it, I find something else to dislike about it. Today though, it’s a very practical concern: how on earth am I going to get to position where I can advise clients on it? Bear in mind that the Act is not just about “big tech” - it impacts many thousands for smaller organisations and individuals too. Here’s...

I have read through the 54 pages of the Investigatory Powers (Amendment) Bill. I’ve also had the benefit of reading the background notes in the King’s Speech, as well as the Home Office’s “notices” consultation from earlier this year, and David Anderson KC’s review. So these are my initial thoughts but they are, I hope, broadly along the right lines. I’m not commenting here on everything in the bill (the bits about...

As expected, The Investigatory Powers (Amendment) Bill has been published. I’ll update this once I’ve had the chance to digest it properly.

The government has announced that the Investigatory Powers Act 2016 is to be amended, via a not-yet-published The Investigatory Powers (Amendment) Bill. The information below comes from the background briefing note, but I’ve moved bits around to keep related things together. Bulk personal data set regime Make changes to the bulk personal dataset regime to ensure the UK’s intelligence agencies can more effectively...

Ofcom has published an updated statement on net neutrality / open Internet, with accompanying annexes. If you just want the new guidance, read the annexes. If you want the background, policy, and thinking, read the statement. Overall, I’d describe Ofcom’s position as a “softening” one: it appears that Ofcom is willing to permit some behaviours which are hard to reconcile with the principle of “neutral” Internet...

There are a couple of ongoing cases before the courts of England and Wales about Bitcoin. One is about libel, and the identity of “Satoshi Nakamoto”, which has nothing to do with this blogpost. The other case is, to me at least, far more interesting, as it concerns the extent to which developers or operators of software which runs Bitcoin networks owe fiduciary obligations to users of the networks. I am looking at...

The UK government has updated its Code of practice for app store operators and app developers. At this point it is only a voluntary code of practice; no-one is obliged to comply with it. (Note: I say “App” and “App Store” a lot in this blogpost. Both terms annoy me, for being a bit childish and worse, rather vague.) What is an “App Store”? A key part of the code of practice is understanding who or what falls within...

This blogpost is an introduction to the Product Security and Telecommunications Infrastructure Act 2022, and the associated The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. The focus here is on the “product security” aspect and, in particular, what products fall in scope. It does not cover the “telecommunications infrastructure”...

The ICO has published new guidance on workplace monitoring. If you are not sure where to start in thinking about workplace monitoring, this is a useful document. It is pleasing to see the ICO recognise that this is not just a technical, tickbox, exercise: Excessive monitoring can have an adverse impact on the data protection rights and freedoms of workers. Excessive monitoring is likely to intrude into workers’...

If you’re looking at this blogpost, or our website, or one of our presentations (1), thinking “why is it darker?”, here’s the explanation. And if you’re now looking at this thinking “it still looks the same to me”, here’s why. Reimplementing “dark mode” support Many devices / operating systems offer a “dark mode”, where colours are inverted / darkened, to make the screen more pleasant to use in low-light...

From 12th October 2023, the USA is “adequate” for the purposes of the UK GDPR for any transfer which (a) is to a person in the United States of America who is indicated on the Data Privacy Framework List as participating in the UK Extension to the EU-US Data Privacy Framework; and (b) will be subject to the EU-US Data Privacy Framework Principles on receipt by that person. This is set out in The Data Protection...

Pretty much every day, I read something to the effect of “lawyers are clueless when it comes to tech lol”. Different people, different publications, but it’s a theme which has been constant pretty much for as long as I have been a lawyer (which is approaching 20 years now). Today is no different, with a piece in The Law Society Gazette saying a lot of legal professionals are still sitting on the fence when it comes...

The government has launched a consultation on proposed changes to the notices regime under the Investigatory Powers Act 2016, following the statutory review, and David Anderson KC’s (separate, and currently unpublished) review. The “notices regime” refers to the powers available to the Secretary of State to impose data retention notices, as well as technical capability notices and national security notices on...

On 31st May 2023, Ofcom published a statement and new guidance, setting out changes to the guidance on incident reporting thresholds for what Ofcom calls “the digital infrastructure subsector”. The gist is that Ofcom expects in-scope providers to report incidents to which have a lower level of impact on their services than was previously the case. The “digital infrastructure subsector” Regulation 8(1) of the Amended...

The wonderful Society for Computers and Law is 50 this year, and it is producing a book of predictions of what tech law will look like in 50 years’ time. Here is my small contribution: In 50 years time, when the Society for Computers and Law celebrates its centenary, I will be 90. Whether I will still be around, or still thinking about Internet and telecoms law, who knows. Will there even be “Internet law” in 2073,...

First, my apologies: I haven’t blogged here for a while. Work has been busy and, well, I’ve spent far too much time blogging about Linux-related stuff on my personal blog. But anyway. Readers may recall that, back in February, I blogged about the changes to the General Conditions of Entitlement which were to take effect on 3rd April 2023. This included the changes relating to Ofcom’s desired new switching process,...

The Legal Ombudsman is changing its timescales for considering complaints. I’ve updated our complaints policy, which I hope you will never need. The new rules apply from 1st April 2023. The key change is this: Until April 1 2023, you must refer your complaint to the Legal Ombudsman within either six years of the problem happening or within three years from when you should reasonably have known there was cause for...

If you run a telco or ISP - fixed or mobile - make sure you’re aware of the imminent changes to Ofcom’s General Conditions, around switching (customers moving from one provider to another). Ofcom has made changes to the General Conditions - GC C7, in particular - and these take effect on 3rd April 2023. You can find the modified GC C7 here, and unofficial consolidated GCs here. Fixed location services: The amended...

There’s a lot of litigation around Bitcoin at the moment, on a number of different fronts. The litigation around the purported fiduciary duty of developers is interesting, but for another day. Today, we’re looking at file formats and copyrightability, following last week’s decision in Wright & Ors v BTC Core & Ors [2023] EWHC 222 (Ch). The interesting bit of the case is whether or not copyright arises in the...

A couple of weeks ago, the ICO published a statement saying that it had “decided to stop enforcing personal data breach reports made under Regulation 5A.” Even if the intent behind it was meant well, the announcement wasn’t the best thought-through statement, and I blogged to that effect. The ICO withdrew the statement - I can only guess that others shared similar sentiments to mine - and now it is back with a...

Update: the ICO has simplified its statement (full text of which is at the end of this post), which now reads “The page you requested was removed.”. The ICO has announced a “change to regulation concerning communication service providers”. This relates to the breach reporting obligations under Regulation 5A of the Privacy and Electronic Communications Regulations 2003. While quite possibly a statement that will be...

This is a slightly unusual one for a blog on which I normally cover solely Internet, tech, and telecoms issues. But there is a link! A friend asked me a while back whether, if they emailed their MP about an issue of concern for their ISP business, or if they responded to an Ofcom consultation, or spoke with civil servants in a government department, it would constitute “lobbying”, and if they needed to do anything...

Each year, we produce a geeky joke-y tech-y/legal-y Christmas card. If you’d like me to post you a card, just fill in this form with your details. We are in the UK, and happy to post internationally. Here’s what we do with your data.

In this monologue post, I set out an introductory analysis / overview of the English laws which are likely to apply to people in England who operate decentralised fediverse services which implement the ActivityPub protocol. In particular, people who run instances of Mastodon, Pleroma, and other similar software for others to use. There are some health warnings: as always, nothing here is legal advice. this post...

About a year ago, I wrote about my experience of running a law firm on Linux, three months in. It was, to be sure, early days. Now I’ve had the chance to get used to it a bit more, here are some follow-on thoughts. YMMV This works for me, and my (English law) practice. It might not work for you and yours. I’m not advocating that you switch, but rather just writing about my own experiences. A brief overview of my...

A new bill, the Economic Crime and Corporate Transparency Bill, proposes to prohibit the inclusion of “computer code” in UK company names. It’s only a bill - it is not yet law - but it amused me, so here we are. What the bill says Clause 11 of the bill says: A company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code. But aren’t...

This is a post to explain how I will try to help you during my impending two weeks of jury service. Updates 23rd September: I am not needed, so I am free all day for calls/meetings 21st September: I’m not needed until 14:00, so I am available for calls in the morning (until, say, 12:00) if needed. Just email as usual. 20th September: needed for jury service, so please assume that the information below applies 19th...

A friend asked me, a while back, if I would write a few thoughts about law and “the metaverse”. Honestly, I’ve been a bit hesitant about this. I’m not convinced that there’s anything particularly exciting or interesting to write about. But (a) my blog is hardly a bundle of laughs at any other time, and (b) what I take as a given, in terms of existing thinking and scholarship, might be new to some or all of you...

The Home Office announced on 21 July 2022. that UK/USA Data Access Agreement, which sits under the USA’s CLOUD Act, will come into force on October 3rd 2022. A draft of the agreement has been available for coming up three years now (and I’ve been working on this topic since before that!), so the key part of the announcement is that it has (finally) been finalised, and that there is an effective date. There is also...

The High Court ruled last week on the latest challenge against parts of the Investigatory Powers Act 2016. There’s relatively little to note, from a practical point of view, for telecommunications operators, if only because all bar one of Liberty’s challenges were dismissed. One challenge succeeded, and it is an important one, but, in practice, it is unlikely to have a material impact on telecommunications...

In June 2021, Ofcom published a statement setting out its decision to require providers of fixed and mobile telephony services and providers of internet access services, to provide, or contract to provide, a free 24/7 video relay service for deaf BSL users to enable communication with the emergency services. This caused some consternation, especially among smaller Internet access providers: surely it made no sense...

The Dutch Consumers and Markets Authority has announced that, if a Dutch entity of Vodafone, Vodafone Ziggo, does not act rapidly to ensure that users can select and use their own terminal equipment, it will issue a fine of €12,500 per day, up to a maximum of €500,000, until Ziggo resolves the situation. The full ruling of the ACM is available in Dutch. This blogpost sets out the basic principles of the (qualified)...

On 17th June 2022, further changes to Ofcom’s General Conditions of Entitlement take effect. If you haven’t started already, now would be a good time to: check, and probably update, your terms, to make sure they conform to the new rules around contract modifications. implement the pre-contractual information and pre-contractual “contract summary” rules. re-train your staff, so that they are ready to deal with...

This blogpost introduces communications providers to the concept of a “third party information notice”, a power afforded to the Information Commissioner’s Office in the UK. What is a third party information notice? Also known as “TPINs” or “3PINs”, a third party information notice is a legal mandate which the Information Commissioner’s Office can serve on a communications provider, requiring the provider to hand...

A friend asked if I could fill a slot at a conference for judges across Asia, on electronic evidence. Could I please speak for no more than 10 minutes, on something of interest. I was very limited in what I could cover in 10 minutes (and I’m the kind of person who takes timekeeping seriously!), especially since I had to assume zero technical knowledge, and this was my best shot: View it in a new window/tab.

On Friday, I wrote about the new sanction affecting Internet access providers in the UK, The Russia (Sanctions) (EU Exit) (Amendment) (No. 9) Regulations 2022. Read that blogpost for background, if you have not done so already. This one just contains some (important) updates. The UK Sanctions List contains a new type of “Sanction Imposed”: “Internet Services Sanctions” When I wrote the original blogpost on Friday, I...

Updated 2022-04-30 with information on filtering the UK sanctions list Updated 2022-05-01 with a statement from DCMS There is a new sanction, which affects Internet access providers who provide connectivity to people in the UK. It is an amendment to The Russia (Sanctions) (EU Exit) Regulations 2019. There are other sanctions which apply to app store providers and social media providers. These are out of scope of...

If you are selling online to consumers, you are required to ensure that the final “order” button, which the consumer presses to place an order, makes it sufficiently clear that the consumer is placing an order with an obligation to pay. Case law suggests that, while you can deviate from the statutory example, the threshold for demonstrating that your own choice of words is equivalent, and thus compliant, is a high...

On 21 March 2022, the UK’s International Data Transfer Agreement came into force, along with an Addendum. I’ve written about the International Data Transfer Agreement before and, bluntly, I wasn’t particularly flattering about them: The UK’s International Data Transfer Agreement: is this the ICO’s worst document yet? Unfortunately but unsurprisingly, the version of the Agreement which has come into force is the...

In January, I had the pleasure of talking at a conference for junior developers, or people new to running their own tech business, focused on core, non-technical skills: YouGotThis.io. Run by Kevin Lewis (Twitter link), YouGotThis.io is an unusual conference precisely because it focuses solely on what some might call “soft skills”. And, even if they are “soft”, they are vitally important. I was asked to talk for 30...

Warning: Copyright law is broadly harmonised around the world, but, when it comes to permitted uses and exceptions, and, in particular, to “fair use”, it is not. So this is the usual reminder that I am talking solely about English law. You’ve written some software, and you want to make the source code available online, so that others can make use of it. This blogpost will, hopefully, convince you to identify the...

An increasing number of third parties are offering services - typically, by way of a web site or an app - to facilitate data subjects in exercising their rights under the GDPR. Controllers on the receiving end of communications from one or more of these providers might want to read this post in conjunction with our previous posts: How to handle data subject access requests under the UK GDPR Five points to note...

If you’ve been involved in transfers of personal data to third countries under the GDPR, you’ll probably be familiar with the long-standing standard contract clauses. And you may be familiar with the European Commission’s new standard contract clauses (which are not recognised for use for transfers from the UK, although I’ve seen some commentary saying that you should use them anyway and argue about it later). Well,...

If you run an event, there is - sadly - a strong chance that you’ve had to deal with inappropriate behaviour. More and more events have adopted a code of conduct, to set out standards of acceptable (or unacceptable) behaviour. Breaches might lead to a warning, to ejection from an event, or to a ban on future attendance. Sufficiently egregious conduct outside an event may also lead to an exclusion, to protect the...

The Register, and probably other places, are reporting about a Munich court’s decision that the use of Google Fonts, hosted on a server operated by Google, led to an infringement of German data protection law. This is an interesting decision, although, personally, I am not going to read too much into it. This is because: it is a decision of one junior court, in response to a small claim. it does not look as if the...

The European Data Protection Board has published draft guidelines on the right of access, for consultation. These are draft guidelines, and so they may change before they are made official. To save you wading through the 60 page consultation draft, here are five bits I found interesting. (If you are not sure what the right of access is about, here is our primer.) If a data subject wants all their data, they can have...

In December 2021, Ofcom published an updated (unofficial) consolidated version of the General Conditions of Entitlement. Ofcom describes the changes as: Changes to A2, A3, A4, B2, C1, C2, C3, C4, C5, C6, C7 and C8 and Definitions to implement the European Electronic Communications Code with effect from 17 December 2021. There are quite a number of changes, and bits which I have not written about before. If you...

I have written before about the Telecommunications Security Bill, as it was going through Parliament: What could the Telecommunications (Security) Bill mean for ISPs and telcos? Telecoms Security Bill: draft specific obligations for ISPs and telcos Well, now it is here: the Telecommunication Security Act 2021. It’s law, but only parts of it are currently in force The Act comes into force in stages. The...

The ICO has fined a company £75,000 for unlawful marketing. Nothing particularly surprising there, as the ICO does it all the time, but this particular decision is an unusual one: it is a fine issued in respect of unlawful business-to-business telephone marketing. (In addition to the fine, the ICO has also imposed an enforcement notice, the gist of which is “comply with the law”.) The rules for telephone marketing...

Things I predict will happen in 2022: Telecoms companies, Internet service providers, and device manufacturers will start to get to grips with new government security requirements, in some cases needing to make significant architectural changes to their networks, and the way they operate their services. There will be a review of the Investigatory Powers Act 2016, but there will be few, if any, significant...

Wishing you all a merry Christmas, and a happy new year. We are going to be taking some holiday (finally!), and we will be back in early 2022. (Photo of Father Christmas (Le père Noël, rue Saint-Agnan, à Cosne-Cours-sur-Loire, Nièvre, Bourgogne, France.) by Cjp24, CC BY SA 4.0)

The Court of Appeal has ruled on an interesting point of law, to do with a UK mobile operator and Norwich Pharmacal orders. What is a Norwich Pharmacal order A Norwich Pharmacal order is a court order which is used to obtain information from a third party, to assist in litigation against someone else. For example, to bring a claim of copyright infringement against an ISP’s customer, the claimant rightsholder might...

We are now three or so months into the world of running decoded.legal, and doing legal work, exclusively* on Linux1, so I thought I’d write about it. I’m a client. How does this affect me? Probably not at all. After all, we switched about three months ago so, if you haven’t noticed anything different by now, chances are you won’t. (And if you have, and you don’t like it / don’t understand why something has changed,...

Blake E Reid, an excellent US tech/telecoms law professor, tweeted: This is a good argument for Internet law folks to take telecom law, where the environmental impacts of Internet infrastructure become vastly more obvious. I’m often surprised how many “Internet lawyers” don’t get into the operation of Internet access services - they’re mostly “layer 7 lawyers”, not that there is anything wrong with that - and so I...

It’s a strange world. I run a law firm which itself runs almost entirely on Free software, yet I don’t get to write about Free / open source software as much as I’d like. But, today, I’ve got a good reason: a new lawsuit (albeit one filed in the USA), attempting to enforce GNU GPL 2.0 and GNU LGPL 2.1 against a TV manufacturer. I stress that this is a claim in the USA, so it’s unlikely to be directly relevant to...

Have you put up, or are thinking of putting up, audio and video recording equipment around and outside your home? Then this post is for you. It’s about a decision of the Oxford County Court, for October 2021. If you want, you can read the judgment. Beware: it is quite long, and there is considerable discussion of the weight the judge attached to various people’s evidence. What was the case about? In essence, it was...

This blog post is a short(ish) guide to the core issues in handling subject access requests under the UK GDPR. If you have received a request and you are not sure where to start, this will help you get going. What is a subject access request? Under the UK GDPR, data subjects - an individual about whom you process personal data - have a number of rights. One of those rights is the right to ask for a copy of the...

This blog post looks at the obligations imposed on telecommunications operators under the Investigatory Powers Act 2016, to provide communications data in response to a notice from UK public authorities (including the police). This is a tricky area, with the potential for significant repercussions for both you and the subject of an investigation if you get it wrong. Are you a “telecommunications operator”? If you...

As readers of my personal blog, or people who know me, will probably be aware, I’m a proponent, and user, of Free and open source software. And this got me thinking: how would the draft Online Safety Bill affect the development of Free / open source software, if it were passed in its current form? Edit 20211023: in case it were insufficiently clear, the document is not yet a law, nor even a bill. It is at pre-bill...

(CDN: content delivery network. Such as Akamai.) Even though it is not obviously within the scope of the definition of “personal data breach”, guidance from both the UK’s regulator and the European Data Protection Board suggests that “loss of availability” can be a personal data breach, requiring you to go through the risk assessment exercise to decide if it needs to be either notified to the regulator, or...

Neil note: I’ve published this with the hope that others familiar with what this could entail will give feedback. As such, what you read now might not be the final version. If I make material changes, I’ll indicate them. Regular readers will not have missed [the UK government’s ongoing something-must-be-done attempt to put ID or age verification barriers on the web and other online services. In the Full government...

I’ve seen a few comments saying words to the effect of “an amendment to the European directive on ePrivacy will require online service providers to monitor their users’ communications”. This is wrong. It is a derogation, not a mandate The text in question is a derogation from the ePrivacy directive, which, in limited and specific circumstances permits providers of some online services to use: specific technologies...

If you’ve worked with contracts for any length of time, you’ll have had a discussion / argument with someone as to whether a party’s obligation to do something should be: absolute limited to them using them to using their “best endeavours” limited to them using “all reasonable endeavours” limited to them using “reasonable endeavours” (note the lack of all) and sometimes with the word “commercial” thrown in for...

(I have more questions than answers, but I thought it was worth writing something, even if just as a straw man for others to rip apart.) #Introducing Github Copilot Github has launched a beta tool, available only to some users, of something it calls “Copilot”. It describes it as: Your AI pair programmer In a little more detail: Trained on billions of lines of public code, GitHub Copilot puts the knowledge you...

The long-running saga as to whether the United Kingdom will be considered “adequate” from a data protection point of view has reached an important, and probably welcome to many, point: today, the European Commission has decided that, mostly, the UK offers a sufficient level of protection for European data subjects’ personal data to be considered “adequate”. For now, anyway. #What does this mean The GDPR imposes...

The European Commission has published a new set of standard contract clauses. They’re also in the Official Journal, as of 7 June 2021. If you are subject to the GDPR and you are involved — whether as the person receiving/accessing personal data, or the personal sending/giving access to personal data — in international transfers of personal data, you need to be on top of this. Quick background If you are subject to...

This blogpost addresses a common claim, that all UK Internet access providers are required to retain everything about their subscribers’ or users’ activities. Every packet they shift, every web page they visit, every message they send. tl;dr There is no evidence to support the claim, and the legislative framework and accompanying code of practice strongly suggests otherwise. ISPs are not subject to an automatic...

The European Parliament has adopted (deemed approved) a regulation addressing the dissemination of terrorist content online. The stated aim of the Regulation is to “address the misuse of hosting services for terrorist purposes and contribute to public security in European societies”. If you provide hosting services (which is defined broadly, and includes social media services, sites with public comments sections,...

1 This post covers the Data Protection Act 2018’s national security and defence exemption. Most controllers will never need to rely on this but, if you do, it’s a useful provision, and one which you need to apply carefully. The national security and defence exemption s26 Data Protection Act 2018 provides an exemption from some of the provisions of the UK GDPR, and some parts of the DPA 2018 itself, where exemption...

The European Parliament has published its report on the European Commission’s report on the implementation of the GDPR, which the Commission published two years after its application. Yes, it’s a report about a report. And this is a blogpost about a report about a report. Here are five things which stood out to me. 1. The Parliament “is concerned that controllers often mention all the legal grounds of the GDPR in...

Last week, I completed the eighth and final week of Ken Adams’s “Drafting Clearer Contracts: Masterclass”. The course is described as “Sophisticated online training in drafting clearer contracts”, and that’s an entirely fair description. It’s based around Ken’s “A Manual of Style for Contract Drafting”. (I wished, throughout the course, that I had an eBook version of the Manual, and I’ve only just noticed that there...

When discussing Internet regulation, one often hears the trope that the Internet must be made “as safe as the offline world”. Indeed, the outgoing Information Commissioner, Elizabeth Denham, gave a speech to the Oxford Internet Institute last week, in which she said: The internet was not designed for children, but we know the benefits of children going online. We have protections and rules for kids in the offline...

1 In my last blog post, I commented on the UK government’s current proposals to impose obligations on a hugely broad range of online actors, thanks to the proposals’ extra-territorial scope. This blogpost looks at one of the proposed backstop enforcement mechanisms, to deal with sites and services which do not meet the obligations imposed on them under the online harms framework, with a particular focus on ISP...

1 tl;dr Without changing the very essence of the services they provide, it would be close to impossible for any service provider, anywhere in the world, which permits the posting of user-generated content, or interaction between users, to escape the clutches of a UK law, if the current UK government proposals become law. Purportedly inflicting UK law on a huge number of people who have no reason to even be aware of...

1 tl;dr A former client left one negative review of a law firm. The law firm sued. The court held the review was defamatory, and ordered it to be removed. The court’s judgment was published, and the BBC reported about it. Now the law firm has lots of negative reviews. Disputes, reputation, and planning We don’t do litigation, but we are often asked to — and are happy to help — give advice on the best way of...

This is a quick comment on the Court of Appeal’s judgment in the case of A and Ors, R v, relating to EncroChat. It is a comment on the judgment, and the way in which the Court applied the rules under the Investigatory Powers Act 2016. I am aware of online discussions around the evidence put to the court of first instance, and the resulting findings of fact. I make no comment on those. If you are reading this because...

I wrote last year about the Telecoms Security Bill. The bill, if passed, would be a significant change to the security obligations imposed on provides of electronic communications networks and services. As I noted in that post, the bill has two parts: Changes to the existing security obligations under the Communications Act 2003 “Designated vendor directions” Under the changes to the Communications Act, there is a...

1 This week saw what is, I believe, the first English judgment dealing with the territorial scope of the GDPR. This blogpost is a reminder of the rules on “territorial scope”, and weaves in the High Court’s ruling in Soriano v Forensic News and others ([2021] EWHC 56 (QB)). tl;dr For those who don’t want the detail, the gist is that the court decided that the claimant could not demonstrate that the GDPR’s tests for...

If you are preparing training or guidance, showcasing your product or service, or giving code samples, you’ll often want example data, such as a phone number, email address, or National Insurance. (I know I do when I do training on data protection and telecoms law.) You could use something allocated to you, and that’s fine as long as you remember to change it when you give it up, and you don’t mind someone trying to...

1 The pandemic is getting worse, democracy in the USA seems to have collapsed, and if you have to say “you’re still on mute” one more time, you’ll explode. And it’s only the 11th of January. Here are four legal tips to help keep your business running smoothly in 2021, despite — perhaps even because of — all the madness. Update your GDPR record of processing, and check your transparency information Most organisations...

1 Can you believe it? I can’t. decoded.legal first opened its (virtual) doors to clients five years ago today! Doing what we do, well … We set out with simple objective: to run a tech-savvy virtual English law firm, helping Internet, telecoms, and technology businesses achieve their commercial goals, and navigate often complex regulatory environments, at a reasonable, predictable price. Five years in, I’m...