Guidance on enforcement of UK connected products regime - Product Security and Telecoms Infrastructure Act


The UK Office for Product Safety and Standards ("OPSS") has issued guidance explaining its enforcement powers when addressing non-compliance with the UK Product Security and Telecoms Infrastructure Act 2022 ("PSTIA"). PSTIA regulates the security of internet-connectable products and other products capable of connecting to them, as well as electronic communications infrastructure, seeking to enhance the security and resilience of smart devices and the infrastructure that supports electronic communications. This guidance sits alongside the OPSS's Enforcement Policy, which outlines its risk-based approach to non-compliance.

The guidance explains the five enforcement actions available to the OPSS where there has been a breach of duty under Part 1 of the PSTIA. Part 1 of the PSTIA and the related Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "Security Regulations") came into effect on 29 April 2024. Please see this article for further details about the Security Regulations.

Experian's win against the ICO in Upper Tribunal

On 23 April 2024, in another setback for the UK Information Commissioner's Office's ("ICO") enforcement efforts, the Upper Tribunal ("Tribunal") agreed with the First-tier Tribunal's ("FTT") decision last year in favour of Experian Limited ("Experian"), dismissing the appeal brought by the ICO. This decision reinforces the lawfulness of the marketing activities in question.

Important CJEU ruling on automated decision making and credit scoring under GDPR

On 7 December 2023, the Court of Justice of the European Union ("CJEU") delivered two new judgments on the scope and interpretation of the automated decision-making restrictions under the GDPR.

Poland: requirement to report even minor personal data breaches

The Polish Data Protection Authority ("Polish DPA") has fined a Polish insurance company approximately €24,000 over a seemingly minor personal data breach.

The EU AI Act: what we know so far and key takeaways

On 8 December 2023, after 38 hours of intense final negotiations, the Council of the European Union and the European Parliament reached an historic, provisional agreement on laws to regulate the use of artificial intelligence in the EU (the "AI Act"). The AI Act marks the world's first comprehensive legal framework to regulate the use of AI, aiming to ensure that "AI systems placed on the European market and used in the EU are safe and respect fundamental rights and EU values". This landmark deal signifies the EU's commitment to AI safety and puts it ahead of other countries such as the US and UK, which are yet to publish their own comprehensive legislation. China has developed its own approach to regulating AI.

The definitive version of the AI Act remains to be agreed. Work will continue at a technical level to finalise the details and text, which will then need to be confirmed by the Council and Parliament, and which is expected in early 2024. Until then, these are the key takeaways from the provisional agreement.

Driving data protection compliance: employee vehicle monitoring

What is vehicle monitoring and why?

Vehicle monitoring refers to the practice of collecting and analysing data related to the operation and usage of vehicles. Businesses are increasingly using employee vehicle monitoring to improve productivity, optimise management, and ensure safety, including the use of telematics systems consisting of GPS technology, onboard vehicle diagnostics and other inbuilt software. GPS technology enables organisations to monitor and manage their vehicles by collecting real-time data on location, speed, fuel use, and more. This data can be used for optimising routes, improving safety, and cutting costs. Vehicle telematics systems that combine GPS technology with other technologies enable organisations to gain more sophisticated insights into driver behaviour, vehicle diagnostics, and fuel use. Apart from speed, a telematics system can capture details such as the frequency of accelerator and brake usage. Other monitoring tools, like dashcams and in-cabin cameras, can enhance security by recording footage inside and around the vehicle.

The monitoring of vehicle telematics systems enables organisations to gather a wealth of data, encompassing not just vehicle-related data, but also personal data such as employee whereabouts, driving habits and other activities. It may even be possible for organisations to collect personal data about third parties, such as passengers or other road users.

Cracking down on cookies: Recent complaints and regulatory enforcement

While the rules relating to the use of cookies and similar tracking technologies in the UK and Europe are long established, it is only in recent years that we have seen a targeted focus by data protection authorities ("DPAs") to crack down on cookie-related compliance. This reaction from the regulators is partly a response to increasing complaints from data subjects and partly due to focused efforts by privacy activists calling for stricter regulation and enforcement action.

ICO launches consultation on new Data Protection Fining Guidance

On 2 October 2023, the UK's Information Commissioner's Office ("ICO") released its draft Data Protection Fining Guidance ("Draft Guidance"). The Draft Guidance provides a comprehensive overview of the legal framework underpinning the ICO's authority to levy fines, the conditions that warrant the issuance of penalty notices, and the factors that influence fine calculations. The Draft Guidance is now open for consultation until 27 November 2023.