Welcome to the July edition of Technol-AG, Addleshaw Goddard's monthly technology update.
- Independent review calls for new laws on biometric technology
In June 2022, the Ada Lovelace Institute published an independent legal review that considered how biometric data is governed in England and Wales. The review, written by Matthew Ryder QC, calls for a new statutory framework to govern biometric technologies and ensure their ethical use.
Live facial recognition is one of the key examples highlighted in the review to showcase the need to create more governance around biometric technologies.
The review focuses mainly on biometric technologies used in the public sector, but calls for there to be urgent research into the use of biometric data by private companies.
Among its ten recommendations, the review recommends creating technology- or sector-specific codes of practice that highlight duties in different scenarios, alongside a legally binding code of practice in relation to the governance of live facial recognition. In fact, the review notes that Microsoft has suggested there should be specific legislation related to live facial recognition.
With the rising use of biometric technology in recent years, businesses will need to be alert to developments in the regulation of this area on the back of the review. If the recommendations are enforced, they will clearly have implications for businesses, particularly manufacturers and software developers, due to many apps using facial recognition as a security measure.
- Government shows new national security system is a success and NIS Regulations are working
The Secretary of State for Business, Energy and Industrial Strategy, Kwasi Kwarteng, has published the first report on the UK's new national security and investment system.
The National Security and Investment Act 2021 ("NSI Act") grants the Secretary of State powers to scrutinise and intervene in certain acquisitions to safeguard the UK’s national security. Although the powers cover all areas of the economy, some acquisitions of entities that carry out work in 17 sensitive areas of the economy must be notified to the Secretary of State and receive approval before completion.
The report shows the new system has been an operational success for screening investments for national security concerns and has provided certainty for businesses, with all assessments completed within their legal deadlines. As a recent example, on 20 July 2022 the Secretary of State made a final order under the NSI Act in respect of a licence agreement entered into between a British university and a Chinese company for the use of know-how relating to certain motion camera technology to develop, test and verify, manufacture, use and sell licensed products.
The Secretary of State considered that the technology (that can be embedded in children's toys, drones and other surveillance equipment) has dual applications and that there is potential that the technology could be used to build defence or technology capabilities that may present a national security risk to the UK and that those risks would arise on the transfer of intellectual property to the acquirer.
The Government has also published the second post-implementation review of the Network and Information Systems Regulations 2018 ("NIS Regulations") (the "Review"). The Review finds that the NIS Regulations are largely working and should be retained with some improvements to their implementation.
The NIS Regulations came into force on 10 May 2018 with the overarching objective of improving the security of the network and information systems of operators of essential services, which, if disrupted, could cause significant economic and social harm. The NIS Regulations apply to sectors such as transport, energy, water and health as well as relevant digital service providers (i.e. cloud computing services, online marketplaces, and online search engines). The NIS Regulations derive from the NIS EU Directive and, in the UK, the finance and banking sectors are excluded from the NIS Regulations because those sectors are covered by equivalent legislation that was already in place.
According to the Review, evidence suggests that cyber security is being prioritised at a senior level and that the majority of operators have either introduced new policies, improved existing ones, or improved their incident response management, and there is a wider awareness of guidance and available support from the competent authorities. Findings of more voluntary reporting are considered to be an indication of a mature cyber sector, willing to take steps and address the threats to essential services.
The Review recommends the following areas for improvement:
- Relevant guidance needs to make it easier to identify whether firms are within scope of the NIS Regulations and ensure that organisations that need to be included in the NIS Regulations are designated.
- More should be done to secure the supply chains of operators of essential services, where the supplier is critical to the provision of that essential service.
- Competent authorities need more resources to carry out what they deem to be an effective job of enforcing the NIS Regulations.
- Work needs to be done to ensure that the right cyber incidents are captured because the NIS Regulations are not effective at capturing relevant cyber incidents that occur in the sectors regulated.
- The Department for Digital, Culture, Media and Sport needs to conduct work to assess why the enforcement regime is not being utilised where it is merited.
- Greater consistency in regulatory implementation across sectors is required, alongside the creation of performance metrics so that the Government can better measure the impact and effectiveness of the NIS Regulations.
- UK financial regulators to oversee cloud services
Britain's regulators, namely the Bank of England and the Financial Conduct Authority, will obtain powers to directly oversee cloud computing companies (i.e. Amazon and Google) which provide critical services to financial firms. Over recent years, banks have moved to outsource swathes of IT infrastructure to a select few cloud computing firms, raising concerns of widespread disruption if one of those cloud providers were to suffer critical disruption or a cybersecurity incident.
The UK's move towards greater oversight further illustrates how cloud concentration risk is increasingly gaining the attention of authorities around the world, including the SEC, the European Commission and the Bank for International Settlements, as cloud services become integral to financial institutions' businesses.
More broadly, across the economy, it would be prudent for all companies with an over-reliance on one cloud service provider to pay attention to these regulatory headwinds. Whilst the systemic risk is smaller than for financial institutions, the risks accompanying cloud service provider concentration also attach to many other parts of the economy, so all businesses should consider performing renewed risk assessments of how critical the same cloud providers are to their own, their main suppliers' and their main customers' operations. Such investigations may reveal that the same weaknesses pervade entire industries and the entirety of certain supply chains.
- Cryptocurrency crash sparks job cuts and 'wave of litigation'
The recent downturn in cryptocurrency prices could signal an emergence of new crypto-related litigation claims. Predominantly, the focus of lawyers has, to date, been looking at the recovery of stolen crypto assets, but the attention could now turn to investors seeking recovery of lost investments.
Prices of Bitcoin in recent times have fallen nearly 70% from a high of $68,000 in November 2021. Similarly, Ethereum has fallen from $4,850 in November 2021 to below $1,100. Coupled with this has been the collapse of terraUSD, an algo stablecoin. This phenomenon has been labelled a "crypto winter", characterised by low market confidence, widespread sell-offs and job losses. The fall of Three Arrows Capital, a cryptocurrency hedge fund which has recently fallen into insolvency, is a prime example.
However, while we have seen cryptoasset prices crash in the past, what sets this crypto winter apart from others is that the market is now comprised of a wider base as well as more sophisticated investors, thereby increasing the scope and scale of those exposed to the crypto winter.
As we saw in the aftermath of the 2007-8 financial crash, this downturn could spark the proliferation of litigation claims arising from investors seeking to recover their losses.