Author

Debbie Heywood

Senior Counsel – Knowledge


11 December 2023

Radar - December 2023 – 2 of 2 Insights

Data and cyber security - 2023 roundup

Here is a curated selection of 2023's main legislative and regulatory developments in the UK and at EU level relating to data (personal and non-personal), and cyber security, covering: 

  • Legislation
  • Consultations, reports and regulator guidance
  • Data transfers
  • AI
  • Digital advertising, ePrivacy and cookies
  • Cyber security and data breaches
  • Enforcement
  • Other UK and ECJ case law

We make our predictions for 2024 here. For in-depth features on data and cyber issues, visit our Global Data Hub where you can view weekly news and sign up to receive content by email.  You can also keep an eye on legislative developments in the UK, EU and Germany by using our Digital Legislation Tracker.

Legislation and policy

We've seen considerable progress on various pieces of EU, and to a lesser extent UK legislation this year with the EU's Data Governance Act now in force, and the Data Act, the AI Act and the Cyber Resilience Act agreed. Meanwhile, the UK's Data Protection and Digital Information Bill has been making its way slowly and quietly through Parliament, and Regulations were made under the Product Security and Telecommunications Infrastructure Act 2022.  You can read about some of this year's main international legislative developments here.

UK

Data Protection and Digital Information Bill (No.2)

The Department for Science, Innovation and Technology (DSIT), published the Data Protection and Digital Information (No.2) Bill (DPDI2) in February 2023. The original Bill (DPDI1) was published in July 2022 and then put on hold in September under the Liz Truss government to allow for further consideration.  DPDI2 is substantially similar to its predecessor with largely minimal changes and clarifications. See here for main changes, and here for an analysis of the original 2022 Bill.

In June, the UK's ICO published its opinion on the draft Bill, saying it "has moved to a position where I can fully support it" but setting out a list of clarifications needed in the annex to the opinion.

The Bill was reintroduced to Parliament on 8 November.  During its passage through the Commons prior to its re-introduction, amendments were accepted in relation to clauses 1-7.  The government tabled 124 pages of further amendments (described as "common-sense changes") for consideration at report stage and the Bill now moves to the House of Lords.

Retained EU Law (Revocation and Reform) Act 2023

The Retained EU Law Act was enacted in June. The list of legislation to be amended from 2024 relevant to data was relatively small and restricted to elements no longer applicable following Brexit.  It included:

  • Data Retention and Acquisition Regulations 2018 (S.I. 2018/1123) – Regulation 3
  • Council Decision (EU) 2019/682 of 9 April 2019 authorising Member States to ratify, in the interest of the European Union, the Protocol 1955 amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
  • Decision (EU) 2019/2071 of the European Parliament and of the Council of 5 December 2019 appointing the European Data Protection Supervisor.

In November, the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 were laid before Parliament. These Regulations revoke and replace Article 4(28) of the UK GDPR and s205(1A) of the DPA and other provisions which relate to the meaning of references to fundamental rights and freedoms in data protection legislation.  This is in order to make the definition of rights and freedoms relate to the European Convention on Human Rights within the meaning of the Human Rights Act 1988, rather than to refer to the EU Charter of Fundamental Rights.  References relating to the right to data protection are also being removed as this right is not expressly included in the Convention.  The Regulations will come into force on 31 December 2023.

Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

These Regulations, made on 21 September 2023 (PSTI Regs), set out the security requirements for manufacturers (but not importers or distributors) of connectable products under Part 1 of the Product Security and Telecommunications Infrastructure Act (PSTIA). Part 1 of the PSTIA deals with the security of relevant consumer connectable products, potentially placing obligations on manufacturers, importers and distributors, and is set to come into force on 29 April 2024.  Much of the detail on what security measures will be required from manufacturers is set out in the PSTI Regs, which will come into force on the same date.  The PSTI Regs are based on the UK's Code of Practice for Consumer IoT Security and ETSI EN 303 645, and advice from the National Cyber Security Centre.  Read more about the PSTI Regulations here.

Investigatory Powers (Amendment) Bill

The Investigatory Powers (Amendment) Bill was held over in the November 2023 King's Speech.  It will make a small number of targeted changes to the Investigatory Powers Act 2016, including changes to the bulk personal dataset regime to improve the ability of the intelligence services to respond with greater agility and speed to existing and emerging threats to national security.  There are concerns that the legislation may not be well received by the EU in terms of protections for EU data exports to the UK.

EU

Data Act

Political agreement was reached on the EU's Data Act in June 2023, and it is expected to be published in the Official Journal in early 2024.  It will apply 20 months after that.  It aims to facilitate data sharing, in particular, of industrial and business data as well as personal data, in order to help individuals and businesses leverage the value of the data they help generate, and level the data playing field.  Read more.

Data Governance Act

The Data Governance Act (DGA) came into force in June 2022 with a 15-month grace period.  Its application began on 24 September 2023.  The DGA seeks to increase trust in data sharing, particularly in the public sector, to strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data.  The DGA will also support the set up and development of common European data spaces.  The DGA sits alongside the Data Act and sets up frameworks for data sharing.  Affected organisations must now comply.  Read more.

The European Commission also adopted an Implementing Regulation to introduce common logos to help easily identify trusted data intermediation service providers and data altruism organisations in the EU as provided for under the DGA.

European data spaces

In July, the EC published a proposal for a Regulation for a framework for financial data access intended to set out processes for management of customer data sharing in the financial sector. Once passed it will amend the EBA Regulation, the EIOPA Regulation, ESMA and DORA. You can read more about developments in financial data here.

The European Commission adopted a Communication setting out plans for a Common European Tourism Data Space in July. The EC intends that the data space will provide the European tourism ecosystem with the means for sharing data, in particular to foster trust, enhance interoperability, and support digitisation and sustainability of the industry. The introduction of the system will take place over the next two and a half years with full functionality expected by 2025.

The EC also outlined plans to build a European data space for public procurement data.  By the end of 2024, all participating national publication portals should be connected. The data space will pool data on the preparation for tenders, their calls and outcomes.  The aim is to enable more targeted and transparent public spending and boost policy making.

In December, the EC published a Communication on the creation of a common European mobility data space to facilitate the access, pooling and sharing of data from existing and future transport and mobility data sources.

Meanwhile, the proposal on the European health data space, launched last year, continued to progress.

Draft EC Regulation on additional procedural rules on GDPR enforcement

In July, the European Commission adopted a proposal for a Regulation on additional procedural rules relating to the enforcement of the GDPR (GDPR Procedural Regulation).  The Regulation is intended to set up procedural rules for cross-border enforcement actions.  The Commission feels that further harmonisation is needed to support the consistency and cooperation procedure under the GDPR, owing to the fact that different Member States have different interpretations which can result in a lack of consensus and a lengthy dispute resolution process under the Article 65 procedure.

EC to evaluate Regulation on ENISA and ICT

The European Commission published a call for evidence for an evaluation of the ENISA and ICT Regulation.  The call was open until 16 September 2023 and a report will be adopted in Q2 2024.

Draft Regulation for EU Common Criteria-based cyber security certification scheme

In October, the EC published a draft implementing Regulation setting out rules for the application of the Cyber Security Act for the European Common Criteria-based cyber security certification scheme (EUCC).  Once adopted, it will apply to all information and communications technologies which are submitted for certification under the scheme and is therefore relevant to ICT organisations operating in the EU.

Draft Cyber Resilience Act

The European Parliament and Council reached agreement on the Cyber Resilience Act on 1 December 2023. This will introduce mandatory cyber security requirements for all hardware and software throughout the product lifecycle, taking a risk-based approach.  Manufacturers will be required to implement security by design and provide support and updates to consumers for a period of time related to the anticipated lifespan of the product. They will also be subject to transparency and incident reporting requirements.  The CRA will now be formally adopted and will enter into force 20 days after publication in the Official Journal.  Manufacturers, importers and distributors of hardware and software products will then have 36 months to prepare for full implementation and 21 months in relation to incident and vulnerability reporting obligations.

EU Regulation on data collection and sharing relating to short-term accommodation rental services

Provisional political agreement was reached in November between the co-legislators on the EU's draft Regulation on data collection and sharing relating to short-term accommodation rental services and amending Regulation (EU) 2018/1724 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services. The aim of the Regulation is to harmonise and improve the framework for data generation by short-term rentals (STRs) across the EU and enhance transparency. The Regulation will now be formally adopted and will then be published in the Official Journal. There will be a two-year implementation period.

Other related UK and EU legislation

See here for an update on the EU's Digital Markets Act, here for an update on progress with EU AI legislation and here for an update on the UK's Online Safety Act.

Consultations, guidance and reports

As ever, the UK's Information Commissioner's Office (ICO) and the EU's European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS), have been busy publishing guidance and consultations.  We’ve also seen a number of UK government consultations and EU reports.  Here are the highlights from 2023.

UK

ICO

ICO Tech Horizons Report

The ICO's first Tech Horizons Report, published in January, looked at technologies emerging over the next two to five years and analysed their impact on society in the context of personal data. Relevant businesses are encouraged to be part of the ICO's sandbox scheme and to consider privacy at an early stage in order to maintain public trust and confidence.

ICO guidance to games developers on compliance with the Children's Code

In February, the ICO published top tips for games designers on how to comply with the Children's Code.

ICO call on accountants to help SME clients with data protection compliance

In March, the ICO called on UK accountants to help their SME clients establish compliant data protection practices. 

ICO resources for product designers

The ICO published guidance in March to help product and UX designers, product managers, QA testers and software engineers embed data protection into their products and services by design.  The guidance sets out key considerations for each stage of product design up to post-launch.

ICO prioritisation framework

In April, the ICO set out a prioritisation framework for handling complaints made against public authorities under the Freedom of Information Act (FOIA) and the Environmental Information Regulations.

ICO guidance on SARs for employers

In June, the ICO published guidance on SARs for businesses and employers in the form of a set of Q&As for employers. The guidance covers common issues including how to respond to requests, procedural issues, the scope of requests, what information can be withheld, and how to deal with mixed data.

ICO's Children's Code guidance updated to cover edtech

The ICO updated its Children's Code guidance to cover edtech providers and services. The updates are intended to clarify when an edtech provider is covered by the Code. This includes services likely to be accessed directly by children, and those provided through schools. Schools are not in scope of the Children's Code as they are not Information Society Services providers.

ICO warning of dangers of neurotech

The ICO warned in June that neurotechnologies (which monitor the brain) pose major risks of bias if not developed and used correctly, particularly to neurodivergent people. The ICO will produce guidance for developers of neurotech. In a report, ICO tech futures: neurotechnology, the ICO predicted that neurotechnologies will become more widespread over the next decade but risk causing harm if they are not developed and tested using a wide enough range of people.

ICO's new PETs guidance

The ICO published guidance on using privacy enhancing technologies (PETs) in July.  The guidance is divided into two parts which variously cover: guidance aimed at DPOs and those with specific data protection responsibilities in larger organisations – this focuses on how PETs can help achieve compliance with data protection law; and a more technical section for DPOs who want to understand more detail about currently available PETs – it sets out eight types of PET and explains their risks and benefits.

ICO's journalism code of practice

In July, the ICO published its code of practice about using personal information for journalism. The code is strictly limited to data protection law and does not cover media standards in general. The draft code was presented to the Secretary of State in July 2023.  Once it has been laid and completed parliamentary procedure (40 days for sifting), it will gain statutory status at which point it can be relied upon in legal proceedings, and will carry more weight than 'guidance'.  It can, however, provide guidance immediately.

ICO's compliance lessons from reprimands

The ICO published key learnings for organisations to improve their data protection practices based on reprimands issued by the ICO in Q1 2023/4.

ICO support for data sharing between gambling operators following completion of regulatory Sandbox

The ICO published a report in July following the exit of the Betting and Gaming Council from the ICO's regulatory Sandbox.  The Council entered the Sandbox to explore the gambling industry's development and trial of a Single Customer View (SCV) solution, developed with operators and intended to enable a more unified and proactive intervention by gambling operators to reduce incidents of gambling related harm. The data sharing project (known as GamProtect) will now be implemented across the gambling industry with support from the Betting and Gaming Council. The ICO also wrote to UK Finance sharing its findings and responding to a request for clarification in relation to the sharing of consumer credit risk data by credit reference agencies with gambling operators.

ICO and CMA joint report on Online Choice Architecture

On 9 August 2023, the ICO and CMA published a joint blog and position paper, calling for organisations to stop using harmful Online Choice Architecture (OCA) to steer consumers into providing more personal data than they otherwise would like.  Read our article on 'Why Online Choice Architecture is a data protection priority' for more on this.

Multi-national joint statement on data scraping and data protection

The ICO, together with regulators from Norway, Jersey, Switzerland, Canada, Hong Kong, Australia, New Zealand, Colombia, Morocco, Argentina and Mexico, published a joint statement highlighting the data privacy issues caused by unlawful data scraping on social media sites.

ICO guidance for employers on processing health information of people who work for them

The ICO published guidance in July, setting out data protection obligations on employers processing health data of the people who work for them.  The guidance has been updated following a consultation on the draft.  It explains the additional requirements when processing special category data and goes into detail on information provision, carrying out a DPIA prior to processing, data minimisation and security.  The second part of the guidance looks at particular workplace scenarios and the guidance also includes a number of checklists.

ICO guidance on sending bulk emails

In July, the ICO published guidance on how to send emails to multiple recipients in a secure manner.  In a blog post, the ICO said that incorrect use of the 'bcc' field to send bulk emails is one of the top data breaches reported to the regulator. 

ICO guidance on sharing data to protect children and "likely to be accessed" by them

In September, the ICO published new guidance setting out ten steps to sharing information to safeguard children as part of the wider safeguarding process.  The aim of the guidance is to reassure people involved in safeguarding children, that data protection law does not prevent information sharing but ensures it is shared in a fair and proportionate way. 

The ICO also updated its guidance on "likely to be accessed by children".  The Children's Code applies to online services "likely to be accessed by children".  The ICO published guidance in the form of FAQs on what this means but has now updated this to add further clarification in response to a consultation which closed in May 2023.

ICO consultation on draft biometric guidance

The ICO consulted on the first phase of guidance on biometric data and biometric technologies.  Phase one covers draft biometric data guidance.  The consultation closed on 20 October 2023. Read more.

ICO and CEO of NCSC sign MoU

In September, the UK's Information Commissioner and the CEO of the National Cyber Security Centre signed a joint Memorandum of Understanding setting out how the ICO and NCSC will co-operate. 

ICO warning to organisations against data breaches which put abuse victims' lives at risk

In October, the ICO called on organisations to handle personal information properly to avoid putting victims of domestic abuse at further risk.  The call came after the ICO said it had reprimanded seven organisations over the last 14 months for data breaches affecting victims of domestic abuse.  The ICO said organisations should train staff and put appropriate systems in place to avoid such breaches.

ICO guidance on monitoring of workers by employers

In October, the ICO published its final guidance on worker monitoring to help employers comply with data protection law if they wish to monitor their workers. This is aimed at both public and private sector employers and sets out how to conduct monitoring fairly and lawfully. Read more about the guidance, and see our edition of Global Data Hub which focuses on biometrics, monitoring and facial recognition here.

ICO draft guidance on penalty notices and fines for consultation

In October, the ICO published draft Data Protection Fining Guidance for consultation. The guidance is intended to replace parts of the ICO's Regulatory Action Policy (RAP) on its approach to fining. It sets out the legal framework underpinning the ICO's powers to impose fines, the circumstances in which the ICO would consider it appropriate to issue a penalty notice, as well as factors which will influence how the fine is calculated. Read more.

ICO blog on how data protection law can help retailers tackle shoplifting

The ICO published a short blog on how data protection law can be used to share criminal offence data to prevent or detect crime (particularly shoplifting) while complying with principles of necessity and proportionality. The blog contains examples of what may or may not be appropriate and looks to be targeted at smaller retailers.  It coincided with the publication of the government's Action Plan to tackle Shoplifting.

ICO toolkit on sharing personal data with law enforcement

In November, the ICO published a toolkit on data sharing with law enforcement. This is intended to help SMEs and sits alongside existing, more detailed guidance on the issue, and the ICO's code of practice on data sharing.

ICO and EDPS issue MoU on cooperation on the application of data protection laws

The ICO and the EDPS signed an MoU establishing a framework for cooperation between them on the application of data protection law in November.  The MoU sets out what information might be shared with the goal of improving best practice and supporting regulatory efforts as well as cooperating on projects of mutual interest.

ICO draft guidance on transparency in the health and social care sectors

The ICO published draft guidance on transparency in the health and social care sector for consultation in November. The guidance is aimed at anyone in health and social care who is involved in delivering transparency information to the public. The consultation closes on 7 January 2024.

UK government

DCMS guidance on certification under UK digital identity and trusts framework

In January, DCMS published a policy paper on how organisations can be certified under the UK digital identity and attributes trust framework (DIATF), together with consolidated guidance on the digital identity programme.  The framework, currently under development, will enable digital identities to be reused in a secure manner.  Organisations must be certified to participate and can already complete this process.

DCMS-commissioned report on global data localisation requirements

DCMS published an independent report it commissioned on data localisation requirements in January.  It looks at the extent and impacts of potential data localisation measures and includes summary tables as well as 'deeper dives' on some jurisdictions.

DHSC draft guidance on NHS England's obligations to protect patient data

DHSC published draft statutory guidance pursuant to s274A of the Health and Social Care Act 2012 in January.  The draft guidance sets out measures NHS England is required to take to protect the confidentiality of patient data as it has now taken over NHS Digital's statutory functions as of the end of January 2023.  NHS England is required to adopt the same statutory protections implemented by NHS Digital together with additional measures to further enhance confidentiality and data protection.

BEIS Strategy Committee report on worker rights

The Business, Energy and Industrial Strategy Committee published a report on workers' rights and protections in July.  Among the recommendations are that the government introduce a right for workers to be consulted and notified when technology will result in their surveillance, and to consult on an enforceable code of practice on the use of surveillance technology in the workplace.

DCMS Committee recommendations on monitoring employees

The DCMS Committee published a report on 'Connected tech: smart or sinister?' in August. Among its recommendations are that monitoring of employees should only be done in consultation with employees and with their consent.  The report calls on the ICO to develop its draft guidance on monitoring at work into a principles-based code for designers and operators of workplace connected technology. 

Government consultation on banning cold calling for consumer financial products and services

HM Treasury consulted on a cold calling ban for consumer financial services and products.  The ban was announced in May 2023, and the consultation and call for evidence looked at how best to design and implement it.  The government highlighted that the ban will work alongside other measures to tackle fraudulent marketing, including the DPDI Bill and the Online Advertising Programme, as well as a proposed online fraud charter published in November. The consultation closed on 27 September 2023.

DHSC access policy for Secure Data Environments

The DHSC published the final version of its data access policy update setting out its policy decisions regarding Secure Data Environments (SDEs) for secondary uses of NHS data.  The DHSC has committed to providing more information in several areas including on what data will be made available.

Other

Biometrics and Surveillance Camera Commissioner annual report

The Biometrics and Surveillance Camera Commissioner published a joint Annual Report 2021-22 covering biometrics and surveillance technology in February.  In his introduction, he warned that the current plan to replace the Surveillance Camera Code with the DPDI Bill effectively does away with current rules without providing a comprehensive replacement framework or suitable oversight.  He also expressed concerns about 'mission creep' of ANPR cameras, the use of drones capturing footage of public spaces, and the use by law enforcement of citizen phone camera footage. 

DRCF annual report and 2023/4 workplan

In May, the Digital Regulatory Cooperation Forum (DRCF) published its workplan for 2023/24. There will be a particular focus on online safety and data protection, promoting competition and data protection, illegal online financial promotions, supporting effective governance of AI and algorithmic systems, enabling innovation in relevant regulated industries, digital assets, and, more broadly, on joint horizon scanning and cooperation.

EU (EDPB and EDPS)

EDPB Guidelines

In March, the EDPB adopted final Guidelines on personal data breach notification under the GDPR.  Non-EEA controllers were dismayed to see that the guidelines advise notifiable breaches must be notified not just to the supervisory authority in the country of the controller's representative, but to the Supervisory Authority (SA) of each Member State in which affected individuals live.  The EDPB pointed out that the one-stop-shop mechanism is not engaged by the presence of a representative in a Member State.

In April, the EDPB adopted final Guidelines on data subject rights – Right of access. The guidelines analyse the right of access and set out clarification on its scope.

The EDPB adopted final Guidelines on administrative fines in June. They aim to harmonise the methodology used by Data Protection Authorities (DPAs) to calculate fines.

In May, the EDPB adopted final Guidelines on Article 65(1)(a) GDPR, which are intended to set out the main stages of the Article 65 procedure and clarify the competence of the EDPB when adopting a legally binding decision under Article 65(1)(a).

In October, the EDPB adopted Guidelines on data transfers subject to appropriate safeguards under the Law Enforcement Directive.  The Guidelines relate to Article 37 of the Directive which deals with transfers of personal data by competent authorities or international organisations competent in the field of law enforcement.

EDPB report on cloud-based services coordinated enforcement action

In January, the EDPB adopted a report on the findings of its first co-ordinated enforcement action which focused on the use of cloud-based services by the public sector.  22 DPAs across the EEA looked at 100 public bodies operating in a range of sectors. 

EDPS opinion on draft passenger information Regulations

In February, the EDPS published an opinion on two EC draft Regulations which deal with the collection and transfer of advance air passenger information (API) collected during the check-in process.  They are intended to replace Directive 2004/82.

EDPB 2023/24 work programme

The EDPB adopted its work programme for 2023/24 in March. The programme is based on the EDPB's strategy to 2023, and grouped around four pillars.  Broadly, we can expect guidelines on a wide range of issues including:

  • data subject rights of access
  • legitimate interests
  • children's data
  • data breach notification
  • blockchain
  • interplay between the AI Act and the GDPR
  • use of facial recognition technology by law enforcement
  • use of social media by public bodies
  • use of data transfer tools.

The EDPB will also focus on:

  • compliance mechanisms for controllers and processors
  • resources for SMEs
  • co-ordinating the enforcement framework
  • ensuring consistent decision making by national regulators
  • encouraging use of the full range of enforcement mechanisms
  • collaborating with non-EEA regulators.

EDPB one-stop-shop case digest

In March, the EDPB published a one-stop-shop case digest which looks at thematic issues from one-stop-shop decisions relating to the Article 17 right to erasure and the Article 21 right to object. 

EDPB guide for small businesses

In May, the EDPB published a Data Protection Guide for small businesses as part of its awareness-raising programme.  It covers the basics of data protection including cyber security, data subject rights and data breaches.  It also includes links to materials for SMEs developed by Member State data protection regulators.

EDPB template complaint form

The EDPB adopted a template complaint form in July to facilitate the submission of complaints by individuals and their subsequent handling by DPAs in cross-border cases. DPAs will be able to use it on a voluntary basis and can adapt it to their national requirements. The EDPB also adopted a template acknowledgment of receipt form.

EDPS opinions on draft Financial Data Access Framework and EU Payment Services Regulation and Directive

The EDPS published opinions on the draft Financial Data Access Framework and Regulation and Directive on payment services within the EU in August. The EDPS is supportive of the Framework but recommends tightening the definition of "customer data" and limiting the types of personal data that can be processed, as well as explicitly excluding data obtained through profiling.  Regarding the proposed Regulation and Directive on payment services, the EDPS makes recommendations to assist with fraud prevention.

EDPB and EDPS joint opinion on cross-border enforcement

In September, the EDPB and EDPS adopted a joint opinion on the European Commission's Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR.  They broadly welcomed the proposal but made a few recommendations for areas where further clarification is needed.  They also stressed that the Proposal should not unduly restrict the intervention by the Concerned Supervisory Authorities on draft decisions and urged the Commission not to change the current approach to the parties' right to be heard in any dispute resolution procedure where the SAs have not reached consensus.

EDPB and EDPS Joint opinion on the proposed Regulation on the digital Euro

The EDPB and EDPS published a Joint opinion on the proposed Regulation on the digital Euro in November. They are broadly supportive but make a number of recommendations to better ensure data protection standards.

Data transfers

2023 has been another eventful year when it comes to EU and UK data transfers, particularly to the USA.  Highlights include the new EU and UK adequacy arrangements for the US under the EU-US Data Privacy Framework (DPF) and UK Data Bridge.  The Schrems II litigation also finally reached a crescendo resulting in a record €1.2bn fine for Meta which is currently being appealed.  These are some of the year's main events.

EU and UK data transfers to the US

Both the EU and the UK adopted adequacy decisions in relation to frictionless data transfers to the US where importing organisations are signed up to the EU-US Data Privacy Framework (and UK Extension) in July and September respectively.  The DPF and UK extension replace the EU Privacy Shield struck down by the ECJ in what became known as the Schrems II judgment. The EDPB published an information note and on 17 July, the US International Trade Administration launched its DPF website which allows organisations to self-certify under the DPF, and provides a range of advice and information. 

The DPF provides new assurances that:

  • access to EU data by US intelligence authorities will be limited to what is necessary and proportionate to protect national security
  • EU individuals will have access to a new independent Data Protection Review Court which can order remedies in relation to any data processing which violates the DPF safeguards.

The EC said the safeguards "therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules", suggesting there is no need for Schrems II supplementary measures when using Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) for EU-US data transfers.  

The UK government's Data Protection (Adequacy) (United States of America) Regulations 2023 came into force on 12 October 2023.  Similar to the EU adequacy decision, they establish the UK-US Data Bridge (the government's preferred term for adequacy) which allows transfers of personal data to be made to US organisations signed up to the DPF and participating in the UK Extension to it, without the need for additional transfer mechanisms like SCCs or BCRs. The US has designated the UK as a qualifying state. This means UK individuals have the right to access the redress mechanism set out under Executive Order 14086 (EO).

The UK government published supporting documents including: a Paper in support of the UK's designation as a qualifying state by the US; an explainer of the Data Bridge; and a factsheet. The ICO published an opinion providing "qualified" support but noting potential risks in four specific areas if the protections are not properly applied.

Not all US organisations are entitled to sign up to the DPF and UK Extension. The scheme is regulated by the FTC and Department of Transport.  Organisations regulated by other departments and outside FTC jurisdiction, for example those in banking, insurance and telecoms, are ineligible.  In addition, journalistic data cannot be transferred under the UK-US Data Bridge.

Under the UK Data Bridge, special category data can be shared but owing to a difference in definitions, it must be correctly identified by UK organisations as such when it is being shared in order to attract the relevant level of protection in the US. US recipient organisations are required to indicate they are seeking to receive criminal offence data from the UK as part of a human resources data relationship where relevant. Where such data is being shared outside an HR relationship, it must be made clear the data is sensitive and requires additional protections.

The DPF is likely to face a challenge in the ECJ at some point although an action by French MP Philippe Latombe has stalled before the European General Court.

Read more about the DPF here.

META fined a record €1.2bn in culmination of Schrems II litigation

Following the intervention of the EDPB under the Article 65 GDPR process, the decision of the Irish DPC about Meta Ireland's transfers of personal data to the USA using Standard Contractual Clauses and supplementary measures was published in May, bringing the decade-long Schrems litigation to a head.  The Irish DPC found that:

  • In making the data transfers at issue, Meta infringed Article 46(1) GDPR as the transfers were made in circumstances which failed to guarantee an essentially equivalent level of protection to that under the GDPR.  None of the SCCs Meta had used, nor the supplementary measures it had put in place could compensate for the lack of protection and Meta could not rely on derogations to the prohibition on transfers
  • The data transfers were required to be suspended
  • Meta was required to bring its processing operations into compliance with the rules on data transfers by ceasing unlawful processing, including storage in the US of unlawfully transferred EEA personal data
  • Meta was required to pay a fine of €1.2bn.

Meta was granted a stay of action and is currently appealing the decision in the Irish High Court and the ECJ.  Read more about the Irish DPC's decision here and about the response of EU and UK data protection regulators here.

UK and EU South Korea adequacy

The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 came into force in 2023.  They provide for frictionless transfers of personal data between the UK and South Korea without the need for a transfer impact assessment or the use of an additional transfer mechanism.  The Regulations also cover data transfers including personal data relating to credit information – data which is not covered by the EU's South Korea adequacy decision which was also adopted in 2023.

EU and UK Binding Corporate Rules

EDPB recommendations

In June, the EDPB adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C). The recommendations update the existing BCR-C referential which contains criteria for BCR-C approval, and merge it with the standard application form for BCR-C.  The recommendations provide additional guidance and aim to ensure a level playing field for all BCR-C applicants based on experience gained by DPAs. They also take account of the Schrems II judgment.  

On publication, the guidelines became applicable to all BCR-C holders. In practice, existing as well as new and ongoing applicants will have to bring their BCR-C in line with the requirements set out in the recommendations, either during the application process or as part of their 2024 annual update.

ICO Addendum to EU BCRs

In November the UK's ICO began consulting on a draft Addendum to approved EU Binding Corporate Rules. The Addendum will comprise the EU BCRs, an addendum extending their scope to include UK Restricted Transfers and which forms the UK legally binding instrument, and a UK BCR Summary which provides information to Relevant Data Subjects (and for Processor BCR, Third Party Exporters).

Standard Contractual Clauses

China's SCCs

In March, China published Standard Contractual Clauses which will become mandatory from 1 January 2024, and SCC Regulations which took effect on 1 June 2023.  Businesses will be able to use SCCs in order to transfer personal data where:

  • The exporter is not a critical information infrastructure operator (as defined)
  • The data exporter is not processing personal data of over 1 million data subjects
  • The data exporter has not made aggregated transfers of personal data of more than 100,000 data subjects since 1 January of the preceding year, and
  • The data exporter has not made aggregated transfers of sensitive personal data exceeding 10,000 data subjects since 1 January of the preceding year.

Despite the fact the Chinese SCCs are fairly new, the responsible Chinese authority is likely to adjust their scope in 2024, having issued further regulations at the end of September 2023 which define use cases in which no SCCs are required. Read more.

DSIT report on UK IDTA and Addendum to EU SCCs

In November, the Department for Science, Innovation and Technology published an executive summary and its initial conclusions from the first phase of an evaluation of the International Data Transfer Agreement (IDTA) and the Addendum to the EU SCCs.  These transfer mechanisms replaced the original GDPR SCCs as a lawful mechanism under which to transfer personal data to third countries. The evaluation concluded there was a considerable difference between larger and smaller organisations in their awareness and implementation of the transfer mechanisms.  Smaller organisations tended to be less proactively engaged with data protection issues and unaware of the IDTA. Possible action points identified include awareness raising, implementation monitoring and evaluation of the wider impacts of uptake.

Other highlights

  • The UK and the Dubai International Financial Centre Authority released a joint statement committing to increased facilitation of personal data flows. 
  • In March, TikTok announced its plans to host EU user data on servers in Ireland and Norway and to have any data transfers outside the EU vetted by an independent third party.  The proposals are similar to those being introduced in the US under Project Texas.  TikTok is also introducing security gateways to enhance data access control by determining employee access to EU user data, and working to incorporate privacy enhancing technologies.
  • In April, the EEA Data Protection Authorities (DPAs) published a report on the outcome of the work carried out by the task force set up to look, in a consistent manner, into the 101 complaints filed by NOYB following the Schrems II decision.  The complaints relate to the transfer of personal data to the USA made by Google Analytics and Facebook Business Tools. 
  • In July, the Council of Europe published the first model of the model contractual clauses for the transfer of personal data from controller to controller developed under the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+). 
  • In July, NOYB filed complaints against Alphabet-owned fitness tracker Fitbit, with data protection regulators in Austria, the Netherlands and Italy.  NOYB alleges that Fitbit effectively requires users to consent to their personal data being exported outside the EU and does not allow them to withdraw that consent.  It also claims that Fitbit fails to provide an adequate explanation of what it does with exported special category data.
  • The EDPB published a statement following its participation in the EC's first annual review of the EU-Japan adequacy agreement.  The EDPB agreed with the EC's assessment that changes to Japan's data protection laws had not impacted the adequacy decision. 
  • In November, the UK's International Data Transfers Expert Council, set up in January 2022 to advise the government on its data transfer policy, produced a report submitted for consideration to DSIT setting out its findings based on its work since it was founded. The Council makes a series of short-, medium- and long-term recommendations as to how to achieve global consensus on trusted transfers.

AI

AI was arguably the hottest topic of the year, and data protection regulation is an integral part of AI safety.  You can see an update on legislative and regulatory developments in AI here, including the EU's AI Act and AI Liability Directive, and the UK's AI White Paper, and you can read our predictions for 2024 here, but these are some of the data-specific developments in 2023.

ICO

In March, the ICO published updated guidance on AI and Data Protection following requests for clarification on fairness requirements when using AI.  Read more.

In April, the ICO responded to the government's AI White Paper consultation.  It broadly supports the government's aims, including the AI sandbox and the overall sector-based approach; however, it did raise a number of issues and stressed the important role of the Digital Regulation Cooperation Forum, also recommending that the government prioritise research into the type of guidance and the Sandbox activities that AI developers would most value.

The ICO published a list of eight questions for developers and users of Generative AI to ask themselves in response to the rise of generative AI and large language models (LLMs), and in the context of the signature by academics of a letter calling for a six-month moratorium on the development of AI.

In June, the ICO called on businesses to address the privacy risks of generative AI before adopting the technology and said it would carry out tougher checks on whether organisations have complied with data protection law before and when using generative AI.  The ICO is signalling that this will be a priority area, saying "businesses need to show us how they've addressed the risks that occur in their context – even if the underlying technology is the same". 

In October, the ICO issued Snap Inc and Snap Group Limited with a preliminary enforcement notice over potential failure to properly assess the risks to privacy posed by the AI chatbot 'My AI' deployed on Snapchat.  My AI is powered by ChatGPT. 

In December, the ICO published a roundup of its guidance and resources on AI.

CDEI

In June, the UK's Centre for Data Ethics and Innovation (CDEI) published a portfolio of AI assurance techniques in collaboration with techUK. It is intended to be used by anybody involved in designing, developing, deploying or procuring AI-enabled systems, and sets out examples of AI assurance techniques being used in the real world, to support the development of trustworthy AI. It also published a report on Enabling responsible access to demographic data to make AI systems fairer.

EDPS

The European Data Protection Supervisor published an opinion on the European Commission's draft AI Liability Directive, and the draft Directive on adapting noncontractual civil liability rules to AI (AILD) in March. In November, it published a further opinion on the EU's AI Act which focused largely on the role of the EDPS and Member State data protection Supervisory Authorities.

ENISA

In March, ENISA (the European agency for cyber security) published a report Cyber security of AI and standardisation.  The report provides an overview of existing and proposed standards to prepare for the EU's AI Act.  In June, ENISA published four reports on AI and cyber security.

ChatGPT

At the end of March, the Italian data protection regulator, the Garante, announced an immediate ban on ChatGPT and an investigation into its parent company OpenAI's GDPR compliance.  The Garante said OpenAI did not have a lawful basis for processing such large amounts of personal data to train ChatGPT, and did not verify the age of users, thereby exposing minors to unsuitable answers.  It also had concerns about transparency and data security following a data breach.  While disagreeing with the Garante's findings, OpenAI temporarily disabled access to ChatGPT in Italy. 

Other EU regulators also began to scrutinise OpenAI and the EDPB set up a dedicated task force to foster cooperation and exchange information on possible enforcement actions conducted by data protection authorities.  The Italian regulator, the Garante, subsequently lifted its ban subject to OpenAI making changes to its privacy practices, including around transparency, lawful basis, and age verification for Italian users.

Clearview AI

Clearview AI has been the subject of regulatory enforcement action across the EU and UK regarding its unlawful scraping of personal data to create an image database. It also settled a class-action lawsuit in the US in relation to the same issues. 

In May 2022, Clearview AI was fined £7.5m by the UK's ICO.  In November, the First-tier Tribunal found that the ICO had no jurisdiction to issue its enforcement and penalty notices on the basis that the UK GDPR (and GDPR) did not apply to the processing at issue.  Clearview AI succeeded in arguing that it is a foreign company providing its service to foreign clients using foreign IP addresses, and in support of the public interest activities of foreign governments and government agencies, in particular in relation to their national security and criminal law enforcement functions, such functions being targeted at behaviour within their jurisdiction and outside the UK.  The ICO is seeking leave to appeal the judgment, arguing Clearview was not, as it contended, processing for foreign law enforcement purposes and should not, therefore, be shielded from enforcement under the UK legislation.

Digital advertising, ePrivacy and cookies

The use of tracking technologies for targeted digital advertising purposes has been a major target of enforcement action by EU regulators in 2023.  Meanwhile, the draft ePrivacy Regulation remains on the European Commission's Work Programme but shows little sign of progressing, a fact not lost on the EDPB which recently published guidance on Article 5(3) of the ePrivacy Directive.  You can read more about data and digital advertising in depth here.

EDPB, ICO and the CNIL

In January, the European Data Protection Board adopted a report on work carried out by the Cookie Banner Taskforce which was established in September 2021 to coordinate the response to complaints about cookie banners filed across the EEA by NOYB.  The report sets out the opinion of the taskforce on whether various types of commonly used cookie banners breach the ePrivacy Directive cookie consent requirements.

The EDPB adopted provisional Guidelines on the technical scope of Article 5(3) of the e-Privacy Directive which will be finalised following a six-week consultation period. The guidelines are intended to clarify which technical operations, in particular new and emerging tracking techniques, are in scope of the Directive and provide greater legal certainty. The guidelines look at the key elements for the applicability of Article 5(3) and analyse the terminology used in more detail. They also include use cases to cover risk mitigation measures and solutions to ensure consent obligations are fulfilled.

Interestingly, the ICO chose the same week to warn some of the UK's top websites that they face enforcement action if they do not make changes to their cookie notices and policies to bring them into compliance with the law.  The ICO warned that websites must make it as easy to reject tracking technologies for behavioural advertising purposes as it is to accept them.  This is best achieved by including a 'Reject all' button next to an 'Accept all' one.  The ICO has written to 30 non-compliant leading websites giving them 30 days to make changes and will publish an update on this work in January 2024, which will include details of companies which have not addressed its concerns.

You can read more about the ICO's views on digital advertising here.

The French regulator, the CNIL, has focused extensively on enforcement around cookie and tracking technology compliance as discussed here.  In May, it fined behavioural advertising company Criteo €40m for GDPR breaches. This represents a €20m reduction from the originally announced provisional amount. The CNIL investigated Criteo following complaints from Privacy International and NOYB.

IAB Europe's transparency and consent framework

The Transparency and Consent Framework is an industry framework first launched in March 2018 by the International Advertising Bureau Europe (IAB). It was created as a means to allow the digital advertising (adtech) industry to continue operating in a manner compliant with GDPR and the ePrivacy Directive. In February 2022, the Belgian DPA, the APD, declared the current version of the TCF unlawful under GDPR, which caused some consternation if not surprise in the digital advertising industry.  In January 2023, IAB Europe said the Belgian Data Protection Authority (APD), had approved its plans to make changes to the TCF, however, a reference has been made to the ECJ for a preliminary ruling which is expected to be delivered in early 2024.

In May, following various court decisions and guidance, IAB Europe removed legitimate interests as a valid lawful basis for targeted advertising from the TCF.

Meta

2023 started with a bang when the Irish Data Protection Commission fined Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) a total of €390m for breaches of the GDPR in relation to its Facebook and Instagram services following binding decisions by the EDPB under the Article 65 procedure.  The DPC also required Meta to bring its data processing operations in line with the GDPR within three months.

The DPC began two inquiries into Facebook and Instagram in 2018, following two complaints made on 25 May 2018 when the GDPR came into effect, which raised essentially the same issues.

Ahead of the application of the GDPR, Meta had changed its terms of service for its Facebook and Instagram services.  Having previously relied on consent to the processing of user personal data for the delivery of its services, it moved to contractual necessity.

The complainants argued that Meta was effectively relying on consent rather than the contractual necessity lawful basis because by making accessibility to its services conditional on accepting the updated terms of service, it was forcing users to consent to the processing of their personal data for personalised services and behavioural advertising in breach of the GDPR.  Following an Article 65 procedure, the Irish DPC upheld the complaints and issued its fine. Meta is appealing the decision in Ireland and before the ECJ. Read more here.

In February, it was reported that Facebook and Instagram would restrict data available to advertisers which helps them target teens.  In April, Meta announced that it would switch its lawful basis for processing data for behavioural adverts from contractual necessity to legitimate interests from 6 April in the EU.  However, in July 2023, the ECJ ruled (as part of a decision in a competition case brought by the German Bundeskartellamt) that it could not justify this type of processing on those grounds.

As a result, in July, the Norwegian DPA imposed a temporary ban on Meta (to apply on its Facebook and Instagram platforms) from carrying out behavioural advertising based on the surveillance and profiling of users in Norway. The ban was extended by the EDPB in October to become effective one week after the Irish Data Protection Commissioner (Meta's lead EU regulator) notifies Meta of final measures.  In the meantime, the Norwegian DPA has begun fining Meta nearly €100,000 a day for failing to comply with the ban.

Meta was thought to be considering offering EU users an opt-in to receiving targeted ads but subsequently began offering a free service with ads and allowing EU users to pay for an ad-free service on Facebook and Instagram.  This model is also being scrutinised by EU Data Protection Authorities, as some regulators have expressed doubts, concerned that the choice between payment and non-payment does not equate to GDPR-level consent to behavioural advertising. NOYB has filed a complaint in Austria. The ICO also said it is assessing what this means for the information rights of people in the UK and is considering its response.

While this was going on:

  • In January, the Irish DPC fined WhatsApp Ireland €5.5m as discussed in the section on regulator enforcement.
  • In March, the Amsterdam District Court held that Facebook Ireland breached data protection law when processing the personal data of Dutch Facebook users between 1 April 2010 and 1 January 2020.
  • The Austrian DPA published a decision in response to one of the NOYB complaints saying that Facebook's tracking pixel tools breach the GDPR and violated the Schrems II decision on data exports. 
  • The CMA closed its investigation into suspected breaches of the Competition Act 1998 by Meta in November 2023 after accepting commitments.  The investigation related to Facebook's collection and use of data in the context of providing online advertising services, and its single sign-on function, and whether this results in an unfair competitive advantage over its competitors.

Other news

  • The Digital Advertising Alliance, a coalition of "leading privacy self-regulatory organisations" published tech specifications and user interface guidelines to help brands and publishers simplify and improve user choice experience.  The aim is to allow integration of the AdChoices option with consent management platforms. 
  • The Norwegian regulator became the latest DPA to find that use of Google Analytics breaches GDPR rules on data transfers. 
  • Microsoft issued an investor statement suggesting the Irish Data Protection Commissioner will be fining it $425 million for data protection failings in relation to LinkedIn targeted advertising. The DPC issued a provisional decision in April which has not yet been finally announced. Microsoft has said it will contest the DPC's finding.

Cyber security and data breaches

2024 is set to be a big year for cyber security, particularly in the EU following agreement of the Cyber Resilience Act and with preparations to begin in earnest for the Digital Operational Resilience Act to apply from 2025.  Member States are also required to implement the NIS2 Directive by 17 October 2024, to name but a few pieces of legislation likely to impact this area next year.

Meanwhile, we're not pretending to summarise everything that's happened in this area during 2023 but, in addition to the legislative developments set out elsewhere in this update, here is a selection of UK developments and some of the more high-profile breaches. 

UK

UK NCSC updated risk management toolkit

The UK's National Cyber Security Centre updated its risk management toolkit for practitioners in July with an eight-step risk management framework and a revised toolkit framework to cover a variety of sectors and organisation sizes.

UK government call for views on software resilience and security for businesses and organisations

The UK government published a call for views on software resilience and security for businesses and organisations in January.  The UK is looking to strengthen resilience of digital products and services throughout the business supply chain.

Home Office consultation on review of the Computer Misuse Act 1990

The Home Office consulted in January on proposals to update the Computer Misuse Act to ensure the UK's legislative framework continues to support action against the harm caused by online cybercrime.  Proposals for legislation include:

  • A new power to allow law enforcement agencies to take control of domains and IP addresses where they are being used by criminals to support criminality.
  • A power to allow a law enforcement agency to require the preservation of (rather than access to) computer data so it can determine whether that data would be needed in an investigation.
  • A power to allow action to be taken against a person possessing or using data obtained by another person through a Computer Misuse Act offence, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards.

In November, the government published an analysis of the responses received.  The third proposal proved the most controversial among respondents and the overall conclusion was that more work needs to be done by the government in conjunction with stakeholders.

Government guidance on security of connected places (smart cities)

In May, the government published guidance on the security of connected places or smart cities.  The collection of guidance applies to a number of stakeholders including senior leadership, decision makers and managers.  It also applies to IT professionals and cyber security leads, information managers, processors and users. 

Ofcom incident reporting thresholds under NIS Regulations

In June, Ofcom lowered incident reporting thresholds for Operators of Essential Services (OESs) in the digital infrastructure sector in its NIS guidance. The changes took effect on 31 May and impact top-level domain name registries, domain name system resolver services, DNS authoritative hosting services and internet exchange points (IXPs) within scope of the NIS Regulations. The revised guidance is for incidents to be reported where there is a service degradation of 25% for 15 minutes or more (rather than the previous 50%). IXPs are also required to report incidents based on the loss of 50% of the total bandwidth capacity across all ports.  Ofcom also amended the section of its guidance which deals with enforcement, cross-referring instead to its Regulatory Enforcement Guidelines which were published in December 2022.

House of Commons Committee inquiry into cyber resilience of UK's critical infrastructure

In October, the House of Commons Science and Technology Committee launched an inquiry and call for evidence on the cyber resilience of the UK's critical national infrastructure as measured against resilience targets by 2025.  It will look at what the sector needs to achieve those targets and at how to make computer hardware architecture which underpins the critical infrastructure more secure by design.  Submissions were invited on a range of issues, including the strength of government programs and support, by 10 November 2023.

Updated code of practice on minimum security and privacy requirements for app store operators and app developers

As part of the National Cyber Strategy and following a public consultation, the government published an updated version of its code of practice which sets out the minimum security and privacy requirements for all app store operators and app developers in October.  The original version of the code was published in December 2022 on a voluntary basis with a nine-month implementation period for operators and developers.  In May 2023, DSIT consulted on progress and concluded that additional clarifications were needed for some provisions. As a result, the implementation period is being extended by six months to March 2024. DSIT will then review adherence levels and make recommendations to the Secretary of State on next steps.  The voluntary code of practice is intended to supplement but not to replace pre-existing legal obligations and is tailored to data breaches in the context of app stores.

Cyber Essentials scheme updated public procurement policy note

In October, the government updated PPN 09/14 which sets out actions for central government departments, their executive agencies, non-departmental public bodies and NHS bodies to take in relation to cyber security in certain procurement contracts.  Other public bodies are encouraged to follow the approach.  In-scope organisations are required to implement PPN 09/23 within three months of its publication.

UK and US global AI security by design guidelines

In November, the UK's National Cyber Security Centre (NCSC) announced new voluntary global guidelines on secure AI system development. The guidelines were developed in association with the US and industry and have been endorsed by national agencies from 16 other countries including the G7.  The guidelines are intended to help AI system developers embed cyber security by design into all stages of the development phase but extend across the product lifecycle to cover secure deployment, operation and maintenance. They are aimed primarily at providers of AI systems who are using models hosted by an organisation or are using APIs, but all stakeholders are urged to take them into account.

Breaches – a (really) tiny selection

  • Following a high-profile data breach in September 2022, in December 2022, Uber said it had suffered a new data breach in January after a threat actor leaked employee email addresses, corporate reports and IT asset information stolen from a third-party vendor.
  • A multi-billion pound class action relating to the Data Analytica breach was filed with the Competition Appeal Tribunal in the UK.
  • Digital Rights Ireland is appealing a decision by the Irish Data Protection Commissioner before the Irish Circuit Court. The DPC investigated a complaint by Digital Rights Ireland on behalf of 100m Facebook users whose data was left publicly accessible. The DPC agreed that Facebook had breached the GDPR by allowing the data to be scraped but found the breach did not warrant notification to individual users by Facebook. Digital Rights Ireland contends the event did constitute a notifiable breach to individuals.
  • In February, JD Sports said a cyberattack potentially accessed personal data and financial information of 10m customers. The incident affected some online orders made by customers between November 2018 and October 2020 and targeted purchases of products of its JD, Size?, Millets, Blacks, Scotts and Millets Sport brands.
  • ChatGPT users were notified that a data breach exposed payment-related and other personal information of 1.2% of ChatGPT subscribers in March.  Full credit card numbers were not exposed.  The tool was taken offline while the vulnerability was fixed.
  • Third-party payroll provider Zellis suffered a hack of the MOVEit file transfer software it uses. The hack is thought to have been carried out by a criminal gang with links to Russia, potentially exposing names, addresses, NI numbers and banking details of tens of thousands of employees. BA, Boots and the BBC confirmed they were among those affected. MOVEit subsequently reported it had fixed the exploited vulnerability.
  • 23andMe reported a leak in October which reportedly led to the data of 1m people of Jewish Ashkenazi descent being placed on the dark web. The data included first and last name, sex, and the genetic evaluation of their origins. 23andMe says it doesn't believe it was hacked but that the attackers were able to obtain user logins by scraping already compromised credentials. It is thought other lists may also have been compiled, for example of those of Chinese origin.
  • In October, the UK's Financial Conduct Authority (FCA) fined Equifax Ltd. £11m for failing to manage and monitor the security of UK consumer data it had outsourced to its US parent company. The 2017 Equifax Inc. data breach compromised the personal data of approximately 13.9m UK individuals.  The final fine was discounted by 30% after Equifax agreed to resolve the matter.  Equifax also received a 15% mitigation credit.  The ICO fined Equifax £500,000 in relation to the same data breach in 2018.

Regulator enforcement, UK and ECJ case law

Some of the most high-profile enforcement actions of 2023 are covered in other sections of this update, for example, relating to data transfers and digital advertising, but these were by no means the only areas of focus.  Here are some other notable developments during 2023, looking at the UK, the EU and the Irish Data Protection Commissioner, who has a particularly important role as lead EU regulator for some of the tech giants.  You can read more about policy on enforcement by the EDPB, UK and key EU jurisdictions more generally here.

UK

Among over 50 enforcement actions during 2023, as usual, many of the ICO's actions related to unsolicited marketing calls, but 2023 also saw some changes in approach (see above for draft guidance on penalty notices).  This was in line with the ICO's intention voiced in 2022, to publish reprimands and to use financial penalties in as proportionate a way as possible.

On 20 January 2023, the ICO said it had decided to stop enforcing failures to file personal data breach reports under Regulation 5A of PECR which requires a communications service provider to notify the ICO within 24 hours of becoming aware of a data breach. The ICO's decision was based on the fact that the incidents tend to be caused by human error, involving one individual, are quickly resolved and result in risk remediation measures being swiftly implemented. Following feedback, the ICO updated its statement which now says that it will use its discretion not to take enforcement action provided breaches are still reported within 72 hours.  The ICO will continue to take enforcement action in relation to the underlying breaches reported where warranted, and continues to expect breaches likely to adversely affect the personal data or privacy of subscribers or users to be reported within 24 hours.

Other notable developments include:

  • In February, the ICO published a statement confirming that the use of Facial Recognition Technology (FRT) by North Ayrshire Council in nine schools was likely to have infringed the UK GDPR. 
  • In April, the ICO published a blog explaining that it was closing its investigation into the use of live facial recognition by Facewatch.  The ICO said Facewatch had made improvements, including by reducing the personal data collected, and appointing a DPO. 
  • In April, the ICO fined TikTok Technologies UK Limited and TikTok Inc (TikTok) for a number of data protection breaches relating to children's data. These included allowing more than one million UK children under 13 to use its platform contrary to its terms of service, processing the personal data of under-13s without parental consent, and not taking adequate age verification measures, including action to remove underage children from the platform. The ICO reduced the fine, which was originally set at £27m, after taking into account representations from TikTok.
  • In September, the ICO announced it will review period and fertility tracking apps after a poll commissioned by the regulator showed that half of users have concerns over data sharing and transparency when choosing an app. Data security was another issue. The ICO is asking users to share their experiences through a survey in a call for evidence. It will also be commissioning focus groups and user testing.
  • In November, the ICO published learnings from its investigation into 'text pests' – staff who use personal data of customers to contact them inappropriately. The ICO says that while the problem does occur, it has also found and cited examples of good practice by businesses. It has not found ongoing negligent behaviour from specific companies but has seen a good level of understanding of how to prevent the issue arising and what to do if it does.

European Data Protection Board and EC

In February, the European Commission announced it will oversee the progress of every large-scale GDPR enforcement case. The Commission will require all national regulators to share an overview of large cross-border investigations every other month. The Commission will take into account the steps the Data Protection Authorities are taking and how long they take. This move comes off the back of complaints made by the Irish Council for Civil Liberties, following which the EU Ombudsperson recommended the Commission monitor the progress of big tech cases under the Irish Data Protection Commissioner's jurisdiction. However, the Commission has decided to apply the same regime to all EU regulators and for all large-scale cross-border cases, although practically, this is most likely to impact the Irish DPC.

In March, the EDPB announced its second annual co-ordinated enforcement action, which will look at the designation and position of Data Protection Officers (DPOs). 26 Data Protection Authorities are expected to take part in the process and will send questionnaires to DPOs in their respective jurisdictions. They will be focusing on issues including independence, appointment process and other GDPR requirements. Findings will be analysed to decide whether there is a need for further action and the EDPB will publish a report. The EDPS will be joining the EDPB's coordinated enforcement action. While the EDPB will focus on the role of the DPO at national level in the public and private sectors, the EDPS will concentrate on the role of DPOs in EU institutions.

As mentioned above, the EDPB adopted final guidelines on administrative fines in June.  The EDPB announced in October that its 2024 coordinated enforcement action will focus on the way controllers implement the right of access.  Further work will now be carried out to specify the details and the action will be launched in 2024. 

The EDPB was also heavily involved in resolving disagreements between EU regulators regarding enforcement against cross-border businesses under the Article 65 GDPR procedure, in particular regarding the Irish Data Protection Commissioner's decisions involving Meta and TikTok.

Irish Data Protection Commission

The Irish Data Protection Commissioner has had an exceptionally busy year.  In addition to the fines issued against Meta and separately against its Facebook and Instagram platforms (covered elsewhere in this update), it also issued significant fines to WhatsApp and TikTok.

In January, following an EDPB Article 65 decision, the Irish DPC fined WhatsApp Ireland €5.5m. The decision followed on from the fines handed down to Instagram and Facebook and related to similar issues, ie transparency, and the reliance on contractual necessity for processing operations and whether it was actually forced consent. In this case, however, the examination was over the lawful basis used for service delivery and security (excluding IT security), rather than for digital advertising. WhatsApp subsequently changed its lawful basis to legitimate interests for these purposes.

In July, AirBnB Ireland received a reprimand from the Irish DPC relating to the processing and retention of copies of documents used to verify identity.  The DPC said the practice of retaining a copy of the relevant document after identity has been verified breaches the GDPR minimisation and storage limitation principles.

In September, following an Article 65 resolution process and in accordance with the EDPB's decision, the Irish DPC adopted its final decision that during the relevant period, TikTok's public by default settings and the way it communicated information led variously to breaches of GDPR provisions relating to fairness, transparency and privacy by design and default. The Irish DPC was also required to take into account the EDPB's findings that TikTok had implemented dark patterns in breach of the Article 5 fairness requirement, fining it €345m. In a statement quoted in the media, TikTok said "We respectfully disagree with the decision, particularly the level of the fine imposed.  The DPC's criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default". TikTok is appealing in the Irish High Court and the ECJ.

Additional UK and ECJ case law

In addition to decisions mentioned elsewhere in this update, here are some of 2023's key UK and ECJ decisions relating to data.

UK

In February, the Information Rights Tribunal ruled on an appeal against the ICO's action to require credit reference agency Experian Limited to change its data protection practices. The ICO issued an enforcement notice to Experian in October 2020, following a two-year investigation into how the company and two other major credit reference agencies were using the personal information of adults for direct marketing purposes. The Tribunal agreed with the ICO's findings that Experian had not processed the personal data of over five million individuals transparently, fairly or lawfully because it failed to notify them it was processing the data for direct marketing purposes. The Tribunal did, however, disagree with the ICO's assessment that Experian's privacy notice was insufficiently transparent, that using credit reference data for direct marketing purposes was unfair, and that Experian failed to properly consider its lawful basis for that use. The ICO said it would consider the ruling and decide whether or not to appeal.

In March, the High Court awarded general damages of £60,000 plus special damages in respect of claims including infringement of privacy and misuse of private information.  The claims were made after the defendant covertly recorded naked images of the claimant and then published them on a website alongside a photograph of her face.  The court agreed that the knowledge these images had been published online led to the claimant suffering chronic PTSD and to a personality change. 

In April, the High Court ruled that the immigration exemption in the Data Protection Act 2018 remains unlawful and must be made clearer, saying previous actions by the government to make the exemption comply with the UK GDPR have not resolved the issue. The court said the government needs to make it a legal requirement to comply with a code or policy setting out the safeguards and tests to be applied before using the immigration exemption. An obligation merely to "have regard to" it is insufficient.

In October, the Court of Appeal upheld the High Court's ruling that the UK's ICO is not required to reach a definitive decision on the merits of individual complaints but has broad discretion. The CA said the ICO is only required to handle and investigate complaints to an appropriate extent under Article 57(1)(f) UK GDPR. The ICO welcomed the CA's ruling that it had acted lawfully over a Subject Access Request (SAR) complaint and its confirmation that the ICO has broad discretion in deciding the extent to which it investigates each complaint and is entitled to reach and express a view on it without necessarily determining whether or not there has been an infringement.

EU

ECJ judgement on right to be forgotten on grounds of inaccuracy

In January, the ECJ handed down a judgment on a reference from Germany regarding interpretation of Article 17 GDPR and the right to be forgotten. The reference related to a case involving a request to delete links and thumbnails from search results on grounds of inaccuracy. The ECJ commented on the Article 17(3) exemption where the processing of the data in question is necessary for exercising the right of freedom of expression and information. The court also discussed what constituted inaccuracy for the purpose of giving effect to a right to be forgotten request.

ECJ decision on disclosure of identity of recipients of personal data

In January, the ECJ ruled on a reference from the Austrian Supreme Court in the Österreichische Post case relating to Article 15(1)(c) of the GDPR. This provides a right for data subjects to get information from a controller on request about the recipients or categories of recipients to whom their data has been or will be disclosed. The referring court asked whether this meant that the controller had to disclose the specific identity of actual recipients. The decision followed the Advocate General's opinion and held that the controller is required to provide the data subject on request with the actual identity of recipients unless it is not possible to identify them, in which case they may indicate the categories of potential recipient. Where the request by the data subject is manifestly unfounded or excessive, the controller may also indicate categories rather than actual identities of recipient. The ECJ said the right of access is necessary in order to enable the data subject to enforce other GDPR rights such as rectification and erasure. Without identifying specific recipients, this would not be possible.

ECJ ruling that civil and administrative remedies under GDPR can run concurrently

The ECJ ruled in a reference from Hungary, that remedies available to data subjects to enforce their rights through the courts under Articles 77 and 79 can be exercised concurrently.  Article 77 provides a right to administrative appeal of a Supervisory Authority's decision.  Article 79 allows for action before a civil court against a controller.  See our article for more.

ECJ ruling on position of DPOs and interpretation of Article 38 GDPR

In February, the ECJ ruled in a reference from Germany on interpretation of Article 38 GDPR.  The questions referred related to the role of national legislation in determining when a Data Protection Officer (DPO) can be dismissed, and interpretation of the Article 38(6) reference to 'conflict of interests'.  It followed a claim for unfair dismissal after a German DPO who was also Chair of the Works Council was dismissed from the DPO role when the GDPR took effect on the basis that there was a conflict of interest. 

The ECJ held that:

  • Article 38(3) GDPR must be interpreted as not precluding national legislation which provides that a controller or processor may dismiss a DPO who is a member of staff, solely where there is just cause, even if the dismissal is not related to the DPO's performance of their tasks, in so far as the national legislation does not undermine the GDPR.
  • Article 38(6) should be interpreted as meaning that a 'conflict of interests' may exist where a DPO has other duties which would result in them determining the objectives and methods of processing on behalf of the relevant controller or processor (which is for national courts to determine).

ECJ ruling on interpretation of 'right to a copy' under GDPR

In May, the ECJ published a judgment on interpretation of the right of access under Article 15 GDPR and, specifically, the meaning of "copy" and "information" in Article 15(3).  The reference was made from Austria and asked the court about the scope of the right and whether the obligation to provide a "copy" is fulfilled by the controller supplying a summary table or whether the right entails the transmission of document extracts, entire documents and extracts from databases in which the personal data is reproduced. 

The ECJ held that:

  • "Copy" in Article 15(3) GDPR, means the data subject must be given a faithful and intelligible reproduction of relevant data.  The right entails the right to obtain copies of extracts from documents, entire documents or extracts from databases containing the relevant data, if the provision of the copy is essential in order to enable the data subject to exercise their GDPR rights effectively, taking into account the rights and freedoms of others.
  • The term "copy" does not relate to a document as such but to the personal data it contains which must be complete.  Because the information must be provided in a way which is intelligible and easy to understand, the context in which the data is processed, for example, where there is an absence of information, can be an essential part of providing the copy.
  • "Information" in Article 15(3) relates exclusively to the personal data of which the controller must provide a copy.

Mere infringement of the GDPR does not give rise to a right to compensation, says ECJ

The ECJ ruled in the Österreichische Post case in June that mere infringement of the GDPR does not give rise to a right to compensation, however, there is no requirement for non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.

ECJ ruling on GDPR fines 

In December, the ECJ made its ruling on two references from Germany and Lithuania, the German reference relating to the long-running Deutsche Wohnen case. The ruling clarifies a number of issues relating to the imposition of GDPR fines, including that:

  • there must be wrongful conduct – ie the GDPR infringement must have been committed intentionally or negligently
  • where the controller is a legal person (in the context of Member State law), it is not necessary for the infringement to have been committed by its management body, or for that body to have had knowledge of the infringement.  A legal person is liable for infringements committed by its representatives, directors, managers and any other person acting in the course of the legal person's business and on its behalf.  In short, a company can be the recipient of a fine without the associated breach having to be attributed to a natural person
  • a controller can be fined in respect of its processors' actions to the extent that the controller can be held responsible for them
  • whether or not a controller is a joint controller is a matter of fact and does not require a formal arrangement between the entities, however, where there are joint controllers, there must be an arrangement between them allocating their responsibilities under the GDPR
  • the calculation of the fine where the addressee is or forms part of an undertaking must be based on the concept of an "undertaking" under competition law and the maximum amount of the fine calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned as a whole in the preceding business year.

AG opinion on technical and organisational measures

AG Pitruzzella delivered an opinion on a reference to the ECJ from Bulgaria. The questions arose following a breach of data held by a public body which resulted in claims for non-material damage as a result of worry and fear that the data might be misused in future. The questions related to appropriate security measures, breach liability and compensation for non-material damage. Points of interest include the AG's opinion that:

  • The question of whether technical and organisational measures are appropriate involves a balancing exercise between the economic interests and technological capacity of the controller and the rights of the data subject, taking into account the principle of proportionality.
  • The mere occurrence of a data breach does not entail that technical and organisational measures were not appropriate but the burden of proving that they were is on the controller.  This process may be made easier by compliance with codes of conduct and certification.
  • The fact that the breach was committed by a third party does not in itself exempt the controller from liability.  The controller must demonstrate they were not in any way responsible for the event causing the damage.
  • Fear of possible future misuse of data will only constitute non-material damage giving rise to compensation where there is actual and certain emotional damage.  Mere trouble or inconvenience is not sufficient.

ECJ opinion on SARs

The ECJ ruled on interpretation of Article 15(1) GDPR, which deals with subject access requests, in response to a reference from Finland. The ECJ said:

  • Article 15 GDPR applies to subject access requests relating to personal data processed before the GDPR became applicable but made under the GDPR.
  • Article 15(1) must be interpreted as meaning that information relating to consultation operations carried out using an individual's personal data and concerning the dates and purposes of those operations, would be information to be included in response to that individual's SAR. Information relating to the identity of the employees carrying out the operations in accordance with the instructions of their employer would not be relevant unless the information is essential to enable the individual concerned to exercise their rights, and provided the rights of the employees are taken into account.
  • Article 15(1) must be interpreted as meaning that the fact the controller is engaged in and acts within the framework of a regulated activity, and the fact that, (as in this case), the individual making the SAR was both an employee and a customer, do not have an impact on the scope of the right of access.

ECJ ruling on interplay of competition and consumer protection law

In July, the ECJ published its decision in a reference from Germany involving Meta Platforms and the impact of its data practices on competition. In the original case in Germany, the German competition authority, the Bundeskartellamt, found that the data collected by Meta Platforms Ireland about user activities on and off Facebook and across other Meta services, and linked back to their Facebook account for targeted advertising purposes, was collected without valid consent and therefore in breach of the GDPR. Read about the competition aspects here.

The ECJ also made a number of observations in relation to Meta's data processing operations including:

  • the mere fact a user visits websites or apps which may reveal sensitive data, does not mean that the user manifestly makes public that data for GDPR purposes.  The same is true where the user enters information on, or clicks or taps on buttons integrated into a website or app, unless the user has explicitly beforehand made the choice to make that data publicly accessible to an unlimited number of persons
  • the justification of contractual necessity may only be used for data processing operations which are objectively indispensable, such that the main subject matter of the contract cannot be achieved if the processing in question does not occur.  The ECJ doubts that delivery of personalised content by Meta would achieve this although it will be up to the national courts to decide. Moreover, the ECJ says personalised advertising by which Facebook finances its activities, cannot be justified as a legitimate interest in the absence of user consent
  • the fact that the operator of an online social network holds a dominant position on the social network market does not, in itself, prevent its users from giving valid GDPR consent but given it creates an imbalance in power, it is an important factor in determining whether or not valid consent is given and it is for the operator to prove that it has been.

Updated AG opinion on Quadrature du Net case

Advocate General Szpunar refreshed his opinion on the Quadrature du Net case (originally published in 2022) following the reopening of the case, and expanded on his original reasoning, making additional clarifications.

AG opinion on theft of personal data and identity theft/fraud

In November, Advocate General Collins gave an opinion in a joined reference from Germany on the relationship between the theft of personal data and identity theft or fraud.  The AG opined that theft of personal data does not, in itself, constitute identity theft or fraud.  The theft may give rise to a right to compensation for non-material damage where there has subsequently been identity fraud as a result of the theft of the data, but the right to compensation does not depend on subsequent identity theft arising from the theft of the data.  Compensation for non-material damage must be assessed on a case by case basis taking all relevant circumstances into account.
