11 December 2023
Radar - December 2023 – 2 of 2 Insights
Here is a curated selection of 2023's main legislative and regulatory developments in the UK and at EU level relating to data (personal and non-personal), and cyber security, covering:
We make our predictions for 2024 here. For in-depth features on data and cyber issues, visit our Global Data Hub where you can view weekly news and sign up to receive content by email. You can also keep an eye on legislative developments in the UK, EU and Germany by using our Digital Legislation Tracker.
We've seen considerable progress on various pieces of EU, and to a lesser extent UK legislation this year with the EU's Data Governance Act now in force, and the Data Act, the AI Act and the Cyber Resilience Act agreed. Meanwhile, the UK's Data Protection and Digital Information Bill has been making its way slowly and quietly through Parliament, and Regulations were made under the Product Security and Telecommunications Infrastructure Act 2022. You can read about some of this year's main international legislative developments here.
Data Protection and Digital Information Bill (No.2)
The Department for Science, Innovation and Technology (DSIT) published the Data Protection and Digital Information (No.2) Bill (DPDI2) in February 2023. The original Bill (DPDI1) was published in July 2022 and then put on hold in September under the Liz Truss government to allow for further consideration. DPDI2 is substantially similar to its predecessor with largely minimal changes and clarifications. See here for the main changes, and here for an analysis of the original 2022 Bill.
In June, the UK's ICO published its opinion on the draft Bill, saying it "has moved to a position where I can fully support it" but setting out a list of clarifications needed in the annex to the opinion.
The Bill was reintroduced to Parliament on 8 November. During its passage through the Commons prior to its re-introduction, amendments were accepted in relation to clauses 1-7. The government tabled 124 pages of further amendments (described as "common-sense changes") for consideration at report stage and the Bill now moves to the House of Lords.
Retained EU Law (Revocation and Reform) Act 2023
The Retained EU Law Act was enacted in June. The list of legislation to be amended from 2024 relevant to data was relatively small and restricted to elements no longer applicable following Brexit. It included:
In November, the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 were laid before Parliament. These Regulations revoke and replace Article 4(28) of the UK GDPR and s205(1A) of the DPA and other provisions which relate to the meaning of references to fundamental rights and freedoms in data protection legislation. This is in order to make the definition of rights and freedoms relate to the European Convention on Human Rights within the meaning of the Human Rights Act 1988, rather than to refer to the EU Charter of fundamental rights. References relating to the right to data protection are also being removed as this right is not expressly included in the Convention. The Regulations will come into force on 31 December 2023.
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
These Regulations, made on 21 September 2023 (PSTI Regs), set out the security requirements for manufacturers (but not importers or distributors) of connectable products under Part 1 of the Product Security and Telecommunications Infrastructure Act (PSTIA). Part 1 of the PSTIA deals with the security of relevant consumer connectable products, potentially placing obligations on manufacturers, importers and distributors, and is set to come into force on 29 April 2024. Much of the detail on what security measures will be required from manufacturers is set out in the PSTI Regs, which will come into force on the same date. The PSTI Regs are based on the UK's Code of Practice for Consumer IoT Security and ETSI EN 303 645, and advice from the National Cyber Security Centre. Read more about the PSTI Regulations here.
Investigatory Powers (Amendment) Bill
The Investigatory Powers (Amendment) Bill was held over in the November 2023 King's Speech. It will make a small number of targeted changes to the Investigatory Powers Act 2016 including changes to the bulk personal dataset regime to improve the ability of the intelligence services to respond with greater agility and speed to existing and emerging threats to national security. There are concerns that the legislation may not be well received by the EU in terms of protections for EU data exports to the UK.
Data Act
Political agreement was reached on the EU's Data Act in June 2023, and it is expected to be published in the Official Journal in early 2024. It will apply 20 months after that. It aims to facilitate data sharing, in particular, of industrial and business data as well as personal data, in order to help individuals and businesses leverage the value of the data they help generate, and level the data playing field. Read more.
Data Governance Act
The Data Governance Act (DGA) came into force in June 2022 with a 15-month grace period. Its application began on 24 September 2023. The DGA seeks to increase trust in data sharing, particularly in the public sector, to strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data. The DGA will also support the set up and development of common European data spaces. The DGA sits alongside the Data Act and sets up frameworks for data sharing. Affected organisations must now comply. Read more.
The European Commission also adopted an Implementing Regulation to introduce common logos to help easily identify trusted data intermediation service providers and data altruism organisations in the EU as provided for under the DGA.
European data spaces
In July, the EC published a proposal for a Regulation for a framework for financial data access intended to set out processes for management of customer data sharing in the financial sector. Once passed it will amend the EBA Regulation, the EIOPA Regulation, ESMA and DORA. You can read more about developments in financial data here.
The European Commission adopted a Communication setting out plans for a Common European Tourism Data Space in July. The EC intends that the data space will provide the European tourism ecosystem with the means for sharing data, in particular to foster trust, enhance interoperability, and support digitisation and sustainability of the industry. The introduction of the system will take place over the next two and a half years with full functionality expected by 2025.
The EC also outlined plans to build a European data space for public procurement data. By the end of 2024, all participating national publication portals should be connected. The data space will pool data on the preparation for tenders, their calls and outcomes. The aim is to enable more targeted and transparent public spending and boost policy making.
In December, the EC published a Communication on the creation of a common European mobility data space to facilitate the access, pooling and sharing of data from existing and future transport and mobility data sources.
Meanwhile, the proposal on the European health data space, launched last year, continued to progress.
Draft EC Regulation on additional procedural rules on GDPR enforcement
In July, the European Commission adopted a proposal for a Regulation on additional procedural rules relating to the enforcement of the GDPR (GDPR Procedural Regulation). The Regulation is intended to set up procedural rules for cross-border enforcement actions. The Commission feels that further harmonisation is needed to support the consistency and cooperation procedure under the GDPR, owing to the fact that different Member States have different interpretations which can result in a lack of consensus and a lengthy dispute resolution process under the Article 65 procedure.
EC to evaluate Regulation on ENISA and ICT
The European Commission published a call for evidence for an evaluation of the ENISA and ICT Regulation. The call was open until 16 September 2023 and a report will be adopted in Q2 2024.
Draft Regulation for EU Common Criteria-based cyber security certification scheme
In October, the EC published a draft implementing Regulation setting out rules for the application of the Cyber Security Act for the European Common Criteria-based cyber security certification scheme (EUCC). Once adopted, it will apply to all information and communications technologies which are submitted for certification under the scheme and is therefore relevant to ICT organisations operating in the EU.
Draft Cyber Resilience Act
The European Parliament and Council reached agreement on the Cyber Resilience Act on 1 December 2023. This will introduce mandatory cyber security requirements for all hardware and software throughout the product lifecycle, taking a risk-based approach. Manufacturers will be required to implement security by design and provide support and updates to consumers for a period of time related to the anticipated lifespan of the product. They will also be subject to transparency and incident reporting requirements. The CRA will now be formally adopted and will enter into force 20 days after publication in the Official Journal. Manufacturers, importers and distributors of hardware and software products will then have 36 months to prepare for full implementation and 21 months in relation to incident and vulnerability reporting obligations.
EU Regulation on data collection and sharing relating to short-term accommodation rental services
Provisional political agreement was reached in November between the co-legislators on the EU's draft Regulation on data collection and sharing relating to short-term accommodation rental services and amending Regulation (EU) 2018/1724 establishing a single digital gateway to provide access to information to procedures and to assistance and problem-solving services. The aim of the Regulation is to harmonise and improve the framework for data generation by short-term rentals (STRs) across the EU and enhance transparency. The Regulation will now be formally adopted and will then be published in the Official Journal. There will be a two-year implementation period.
Other related UK and EU legislation
See here for an update on the EU's Digital Markets Act, here for an update on progress with EU AI legislation and here for an update on the UK's Online Safety Act.
As ever, the UK's Information Commissioner's Office (ICO) and the EU's European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS), have been busy publishing guidance and consultations. We’ve also seen a number of UK government consultations and EU reports. Here are the highlights from 2023.
ICO Tech Horizons Report
The ICO's first Tech Horizons Report, published in January, looked at technologies emerging over the next two to five years and analysed their impact on society in the context of personal data. Relevant businesses are encouraged to be part of the ICO's sandbox scheme and to consider privacy at an early stage in order to maintain public trust and confidence.
ICO guidance to games developers on compliance with the Children's Code
In February, the ICO published top tips for games designers on how to comply with the Children's Code.
ICO call on accountants to help SME clients with data protection compliance
In March, the ICO called on UK accountants to help their SME clients establish compliant data protection practices.
ICO resources for product designers
The ICO published guidance in March to help product and UX designers, product managers, QA testers and software engineers embed data protection into their products and services by design. The guidance sets out key considerations for each stage of product design up to post-launch.
ICO prioritisation framework
In April, the ICO set out a prioritisation framework for handling complaints made against public authorities under the Freedom of Information Act (FOIA) and the Environmental Information Regulations.
ICO guidance on SARs for employers
In June, the ICO published guidance on SARs for businesses and employers in the form of a set of Q&As for employers. The guidance covers common issues including how to respond to requests, procedural issues, the scope of requests, what information can be withheld, and how to deal with mixed data.
ICO's Children's Code guidance updated to cover edtech
The ICO updated its Children's Code guidance to cover edtech providers and services. The updates are intended to clarify when an edtech provider is covered by the Code. This includes services likely to be accessed directly by children, and those provided through schools. Schools are not in scope of the Children's Code as they are not Information Society Services providers.
ICO warning of dangers of neurotech
The ICO warned in June that neurotechnologies (which monitor the brain) pose major risks of bias if not developed and used correctly, particularly to neurodivergent people. The ICO will produce guidance for developers of neurotech. In a report, ICO tech futures: neurotechnology, the ICO predicted that neurotechnologies will become more widespread over the next decade but risk causing harm if they are not developed and tested using a wide enough range of people.
ICO's new PETs guidance
The ICO published guidance on using privacy enhancing technologies (PETs) in July. The guidance is divided into two parts which variously cover: guidance aimed at DPOs and those with specific data protection responsibilities in larger organisations – this focuses on how PETs can help achieve compliance with data protection law; and a more technical section for DPOs who want to understand more detail about currently available PETs – it sets out eight types of PET and explains their risks and benefits.
ICO's journalism code of practice
In July, the ICO published its code of practice about using personal information for journalism. The code is strictly limited to data protection law and does not cover media standards in general. The draft code was presented to the Secretary of State in July 2023. Once it has been laid and completed parliamentary procedure (40 days for sifting), it will gain statutory status at which point it can be relied upon in legal proceedings, and will carry more weight than 'guidance'. It can, however, provide guidance immediately.
ICO's compliance lessons from reprimands
The ICO published key learnings for organisations to improve their data protection practices based on reprimands issued by the ICO in Q1 2023/4.
ICO support for data sharing between gambling operators following completion of regulatory Sandbox
The ICO published a report in July following the exit of the Betting and Gaming Council from the ICO's regulatory Sandbox. The Council entered the Sandbox to explore the gambling industry's development and trial of a Single Customer View (SCV) solution, developed with operators and intended to enable a more unified and proactive intervention by gambling operators to reduce incidents of gambling related harm. The data sharing project (known as GamProtect) will now be implemented across the gambling industry with support from the Betting and Gaming Council. The ICO also wrote to UK Finance sharing its findings and responding to a request for clarification in relation to the sharing of consumer credit risk data by credit reference agencies with gambling operators.
ICO and CMA joint report on Online Choice Architecture
On 9 August 2023, the ICO and CMA published a joint blog and position paper, calling for organisations to stop using harmful Online Choice Architecture (OCA) to steer consumers into providing more personal data than they otherwise would like. Read our article on 'Why Online Choice Architecture is a data protection priority' for more on this.
Multi-national joint statement on data scraping and data protection
The ICO, together with regulators from Norway, Jersey, Switzerland, Canada, Hong Kong, Australia, New Zealand, Colombia, Morocco, Argentina and Mexico, published a joint statement highlighting the data privacy issues caused by unlawful data scraping on social media sites.
ICO guidance for employers on processing health information of people who work for them
The ICO published guidance in July, setting out data protection obligations on employers processing health data of the people who work for them. The guidance has been updated following a consultation on the draft. It explains the additional requirements when processing special category data and goes into detail on information provision, carrying out a DPIA prior to processing, data minimisation and security. The second part of the guidance looks at particular workplace scenarios and the guidance also includes a number of checklists.
ICO guidance on sending bulk emails
In July, the ICO published guidance on how to send emails to multiple recipients in a secure manner. In a blog post, the ICO said that incorrect use of the 'bcc' field to send bulk emails is one of the top data breaches reported to the regulator.
ICO guidance on sharing data to protect children and "likely to be accessed" by them
In September, the ICO published new guidance setting out ten steps to sharing information to safeguard children as part of the wider safeguarding process. The aim of the guidance is to reassure people involved in safeguarding children, that data protection law does not prevent information sharing but ensures it is shared in a fair and proportionate way.
The ICO also updated its guidance on "likely to be accessed by children". The Children's Code applies to online services "likely to be accessed by children". The ICO published guidance in the form of FAQs on what this means but has now updated this to add further clarification in response to a consultation which closed in May 2023.
ICO consultation on draft biometric guidance
The ICO consulted on the first phase of guidance on biometric data and biometric technologies. Phase one covers draft biometric data guidance. The consultation closed on 20 October 2023. Read more.
ICO and CEO of NCSC sign MoU
In September, the UK's Information Commissioner and the CEO of the National Cyber Security Centre signed a joint Memorandum of Understanding setting out how the ICO and NCSC will co-operate.
ICO warning to organisations against data breaches which put abuse victims' lives at risk
In October, the ICO called on organisations to handle personal information properly to avoid putting victims of domestic abuse at further risk. The call came after the ICO said it had reprimanded seven organisations over the last 14 months for data breaches affecting victims of domestic abuse. The ICO said organisations should train staff and put appropriate systems in place to avoid such breaches.
ICO guidance on monitoring of workers by employers
In October, the ICO published its final guidance on worker monitoring to help employers comply with data protection law if they wish to monitor their workers. This is aimed at both public and private sector employers and sets out how to conduct monitoring fairly and lawfully. Read more about the guidance, and see our edition of Global Data Hub which focuses on biometrics, monitoring and facial recognition here.
ICO draft guidance on penalty notices and fines for consultation
In October, the ICO published draft Data Protection Fining Guidance for consultation. The guidance is intended to replace parts of the ICO's Regulatory Action Policy (RAP) on its approach to fining. It sets out the legal framework underpinning the ICO's powers to impose fines, the circumstances in which the ICO would consider it appropriate to issue a penalty notice, as well as factors which will influence how the fine is calculated. Read more.
ICO blog on how data protection law can help retailers tackle shoplifting
The ICO published a short blog on how data protection law can be used to share criminal offence data to prevent or detect crime (particularly shoplifting) while complying with principles of necessity and proportionality. The blog contains examples of what may or may not be appropriate and looks to be targeted at smaller retailers. It coincided with the publication of the government's Action Plan to tackle Shoplifting.
ICO toolkit on sharing personal data with law enforcement
In November, the ICO published a toolkit on data sharing with law enforcement. This is intended to help SMEs and sits alongside existing, more detailed guidance on the issue, and the ICO's code of practice on data sharing.
ICO and EDPS issue MoU on cooperation on the application of data protection laws
The ICO and the EDPS signed an MoU establishing a framework for cooperation between them on the application of data protection law in November. The MoU sets out what information might be shared with the goal of improving best practice and supporting regulatory efforts as well as cooperating on projects of mutual interest.
ICO draft guidance on transparency in the health and social care sectors
The ICO published draft guidance on transparency in the health and social care sector for consultation in November. The guidance is aimed at anyone in health and social care who is involved in delivering transparency information to the public. The consultation closes on 7 January 2024.
DCMS guidance on certification under UK digital identity and trusts framework
In January, DCMS published a policy paper on how organisations can be certified under the UK digital identity and attributes trust framework (DIATF), together with consolidated guidance on the digital identity programme. The framework, currently under development, will enable digital identities to be reused in a secure manner. Organisations must be certified to participate and can already complete this process.
DCMS-commissioned report on global data localisation requirements
DCMS published an independent report it commissioned on data localisation requirements in January. It looks at the extent and impacts of potential data localisation measures and includes summary tables as well as 'deeper dives' on some jurisdictions.
DHSC draft guidance on NHS England's obligations to protect patient data
DHSC published draft statutory guidance pursuant to s274A of the Health and Social Care Act 2012 in January. The draft guidance sets out measures NHS England is required to take to protect the confidentiality of patient data as it has now taken over NHS Digital's statutory functions as of the end of January 2023. NHS England is required to adopt the same statutory protections implemented by NHS Digital together with additional measures to further enhance confidentiality and data protection.
BEIS Strategy Committee report on worker rights
The Business, Energy and Industrial Strategy Committee published a report on workers' rights and protections in July. Among the recommendations are that the government introduce a right for workers to be consulted and notified when technology will result in their surveillance, and to consult on an enforceable code of practice on the use of surveillance technology in the workplace.
DCMS Committee recommendations on monitoring employees
The DCMS Committee published a report on 'Connected tech: smart or sinister?' in August. Among its recommendations are that monitoring of employees should only be done in consultation with employees and with their consent. The report calls on the ICO to develop its draft guidance on monitoring at work into a principles-based code for designers and operators of workplace connected technology.
Government consultation on banning cold calling for consumer financial products and services
HM Treasury consulted on a cold calling ban for consumer financial services and products. The ban was announced in May 2023, and the consultation and call for evidence looked at how best to design and implement it. The government highlighted that the ban will work alongside other measures to tackle fraudulent marketing, including the DPDI Bill and the Online Advertising Programme, as well as a proposed online fraud charter published in November. The consultation closed on 27 September 2023.
DHSC access policy for Secure Data Environments
The DHSC published the final version of its data access policy update setting out its policy decisions regarding Secure Data Environments (SDEs) for secondary uses of NHS data. The DHSC has committed to providing more information in several areas including on what data will be made available.
Biometrics and Surveillance Camera Commissioner annual report
The Biometrics and Surveillance Camera Commissioner published a joint Annual Report 2021-22 covering biometrics and surveillance technology in February. In his introduction, he warned that the current plan to replace the Surveillance Camera Code with the DPDI Bill effectively does away with current rules without providing a comprehensive replacement framework or suitable oversight. He also expressed concerns about 'mission creep' of ANPR cameras, the use of drones capturing footage of public spaces, and the use by law enforcement of citizen phone camera footage.
DRCF annual report and 2023/4 workplan
In May, the Digital Regulatory Cooperation Forum (DRCF) published its workplan for 2023/24. There will be a particular focus on online safety and data protection, promoting competition and data protection, illegal online financial promotions, supporting effective governance of AI and algorithmic systems, enabling innovation in relevant regulated industries, digital assets, and, more broadly, on joint horizon scanning and cooperation.
EDPB Guidelines
In March, the EDPB adopted final guidelines on:
Guidelines on personal data breach notification under the GDPR were adopted in March. Non-EEA controllers were dismayed to see that the guidelines advise notifiable breaches must be notified not just to the supervisory authority in the country of the controller's representative, but to the Supervisory Authority (SA) of each Member State in which affected individuals live. The EDPB pointed out that the one-stop-shop mechanism is not engaged by the presence of a representative in a Member State.
In April, the EDPB adopted final Guidelines on data subject rights – Right of access. The guidelines analyse the right of access and set out clarification on its scope.
The EDPB adopted final Guidelines on administrative fines in June. They aim to harmonise the methodology used by Data Protection Authorities (DPAs) to calculate fines.
In May, the EDPB adopted final Guidelines on Article 65(1)(a) GDPR, which are intended to set out the main stages of the Article 65 procedure and clarify the competence of the EDPB when adopting a legally binding decision under Article 65(1)(a).
In October, the EDPB adopted Guidelines on data transfers subject to appropriate safeguards under the Law Enforcement Directive. The Guidelines relate to Article 37 of the Directive which deals with transfers of personal data by competent authorities or international organisations competent in the field of law enforcement.
EDPB report on cloud-based services coordinated enforcement action
In January, the EDPB adopted a report on the findings of its first co-ordinated enforcement action which focused on the use of cloud-based services by the public sector. 22 DPAs across the EEA looked at 100 public bodies operating in a range of sectors.
EDPS opinion on draft passenger information Regulations
In February, the EDPS published an opinion on two EC draft Regulations which deal with the collection and transfer of advance air passenger information (API) collected during the check-in process. They are intended to replace Directive 2004/82.
EDPB 2023/23 work programme
The EDPB adopted its work programme for 2023/24 in March. The programme is based on the EDPB's strategy to 2023, and grouped around four pillars. Broadly we can expect the following guidelines on a wide range of issues including:
The EDPB will also focus on:
EDPB one-stop-shop case digest
In March, the EDPB published a one-stop-shop case digest which looks at thematic issues from one-stop-shop decisions relating to the Article 17 right to erasure and the Article 21 right to object.
EDPB guide for small businesses
In May, the EDPB published a Data Protection Guide for small businesses as part of its awareness-raising programme. It covers the basics of data protection including cyber security, data subject rights and data breaches. It also includes links to materials for SMEs developed by Member State data protection regulators.
EDPB template complaint form
The EDPB adopted a template complaint form in July to facilitate the submission of complaints by individuals and their subsequent handling by DPAs in cross-border cases. DPAs will be able to use it on a voluntary basis and can adapt it to their national requirements. The EDPB also adopted a template acknowledgment of receipt form.
EDPS opinions on draft Financial Data Access Framework and EU Payment Services Regulation and Directive
The EDPS published opinions on the draft Financial Data Access Framework and Regulation and Directive on payment services within the EU in August. The EDPS is supportive of the Framework but recommends tightening the definition of "customer data" and limiting the types of personal data that can be processed, as well as explicitly excluding data obtained through profiling. Regarding the proposed Regulation and Directive on payment services, the EDPS makes recommendations to assist with fraud prevention.
EDPB and EDPS joint opinion on cross-border enforcement
In September, the EDPB and EDPS adopted a joint opinion on the European Commission's Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR. They broadly welcomed the proposal but made a few recommendations for areas where further clarification is needed. They also stressed that the Proposal should not unduly restrict the intervention by the Concerned Supervisory Authorities on draft decisions and urged the Commission not to change the current approach to the parties' right to be heard in any dispute resolution procedure where the SAs have not reached consensus.
EDPB and EDPS Joint opinion on the proposed Regulation on the digital Euro
The EDPB and EDPS published a Joint opinion on the proposed Regulation on the digital Euro in November. They are broadly supportive but make a number of recommendations to better ensure data protection standards.
2023 has been another eventful year when it comes to EU and UK data transfers, particularly to the USA. Highlights include the new EU and UK adequacy arrangements for the US under the EU-US Data Privacy Framework (DPF) and UK Data Bridge. The Schrems II litigation also finally reached a crescendo resulting in a record €1.2bn fine for Meta which is currently being appealed. These are some of the year's main events.
Both the EU and the UK adopted adequacy decisions in relation to frictionless data transfers to the US where importing organisations are signed up to the EU-US Data Privacy Framework (and UK Extension) in July and September respectively. The DPF and UK extension replace the EU Privacy Shield struck down by the ECJ in what became known as the Schrems II judgment. The EDPB published an information note and on 17 July, the US International Trade Administration launched its DPF website which allows organisations to self-certify under the DPF, and provides a range of advice and information.
The DPF provides new assurances that:
The EC said the safeguards "therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules", suggesting there is no need for Schrems II supplementary measures when using Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) for EU-US data transfers.
The UK government's Data Protection (Adequacy) (United States of America) Regulations 2023 came into force on 12 October 2023. Similar to the EU adequacy decision, they establish the UK-US Data Bridge (the government's preferred term for adequacy) which allows transfers of personal data to be made to US organisations signed up to the DPF and participating in the UK Extension to it, without the need for additional transfer mechanisms like SCCs or BCRs. The US has designated the UK as a qualifying state. This means UK individuals have the right to access the redress mechanism set out under Executive Order 14086 (EO).
The UK government published supporting documents including: a Paper in support of the UK's designation as a qualifying state by the US; an explainer of the Data Bridge; and a factsheet. The ICO published an opinion providing "qualified" support but noting potential risks in four specific areas if the protections are not properly applied.
Not all US organisations are entitled to sign up to the DPF and UK Extension. Eligibility is limited to organisations subject to the jurisdiction of the FTC or the US Department of Transportation; organisations regulated by other departments, for example those in banking, insurance and telecoms, are ineligible. In addition, journalistic data cannot be transferred under the UK-US Data Bridge.
Under the UK Data Bridge, special category data can be shared but owing to a difference in definitions, it must be correctly identified by UK organisations as such when it is being shared in order to attract the relevant level of protection in the US. US recipient organisations are required to indicate they are seeking to receive criminal offence data from the UK as part of a human resources data relationship where relevant. Where such data is being shared outside an HR relationship, it must be made clear the data is sensitive and requires additional protections.
The DPF is likely to face a challenge in the ECJ at some point although an action by French MP Philippe Latombe has stalled before the European General Court.
Read more about the DPF here.
Following the intervention of the EDPB under the Article 65 GDPR process, the decision of the Irish DPC about Meta Ireland's transfers of personal data to the USA using Standard Contractual Clauses and supplementary measures was published in May, bringing the decade-long Schrems litigation to a head. The Irish DPC found that:
Meta was granted a stay of action and is currently appealing the decision in the Irish High Court and the ECJ. Read more about the Irish DPC's decision here and about the response of EU and UK data protection regulators here.
The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 came into force in 2023. They provide for frictionless transfers of personal data between the UK and South Korea without the need for a transfer impact assessment or the use of an additional transfer mechanism. The Regulations also cover data transfers including personal data relating to credit information – data which is not covered by the EU's South Korea adequacy decision which was also adopted in 2023.
EDPB recommendations
In June, the EDPB adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C). The recommendations update the existing BCR-C referential which contains criteria for BCR-C approval, and merge it with the standard application form for BCR-C. The recommendations provide additional guidance and aim to ensure a level playing field for all BCR-C applicants based on experience gained by DPAs. They also take account of the Schrems II judgment.
On publication, the recommendations became applicable to all BCR-C holders. In practice, existing holders as well as new and ongoing applicants will have to bring their BCR-C in line with the requirements set out in the recommendations, either during the application process or as part of their 2024 annual update.
ICO Addendum to EU BCRs
In November the UK's ICO began consulting on a draft Addendum to approved EU Binding Corporate Rules. The Addendum will comprise the EU BCRs, an addendum extending their scope to include UK Restricted Transfers and which forms the UK legally binding instrument, and a UK BCR Summary which provides information to Relevant Data Subjects (and for Processor BCR, Third Party Exporters).
China's SCCs
In March, China published Standard Contractual Clauses which will become mandatory from 1 January 2024, and SCC Regulations which took effect on 1 June 2023. Businesses will be able to use SCCs in order to transfer personal data where:
Despite the fact the Chinese SCCs are fairly new, the responsible Chinese authority is likely to adjust their scope in 2024, having issued further regulations at the end of September 2023 which define use cases in which no SCCs are required. Read more.
DSIT report on UK IDTA and Addendum to EU SCCs
In November, the Department for Science, Innovation and Technology, published an executive summary and its initial conclusions from the first phase of an evaluation of the International Data Transfer Agreement (IDTA) and the Addendum to the EU SCCs. These transfer mechanisms replaced the original GDPR SCCs as a lawful mechanism under which to transfer personal data to third countries. The evaluation concluded there was a considerable difference between awareness and implementation of the transfer mechanisms of larger versus smaller organisations. Smaller organisations tended to be less proactively engaged with data protection issues and unaware of the IDTA. Possible action points identified include awareness raising, implementation monitoring and evaluation of the wider impacts of uptake.
Arguably the hottest topic of the year, data protection regulation is an integral part of AI safety. You can see an update on legislative and regulatory developments in AI here, including the EU's AI Act and AI Liability Directive, and the UK's AI White Paper, and you can read our predictions for 2024 here, but these are some of the data-specific developments in 2023.
ICO
In March, the ICO published updated guidance on AI and Data Protection following requests for clarification on fairness requirements when using AI. Read more.
In April, the ICO responded to the government's AI White Paper consultation. It broadly supports the government's aims, including the AI sandbox and the overall sector-based approach, however, it did raise a number of issues and stressed the important role of the Digital Regulation Cooperation Forum, also recommending that the government prioritise research into the type of guidance and the Sandbox activities that AI developers would most value.
The ICO published a list of eight questions for developers and users of Generative AI to ask themselves in response to the rise of generative AI and large language models (LLMs), and in the context of the signature by academics of a letter calling for a six-month moratorium on the development of AI.
In June, the ICO called on businesses to address the privacy risks of generative AI before adopting the technology and said it would carry out tougher checks on whether organisations have complied with data protection law before and when using generative AI. The ICO is signalling that this will be a priority area, saying "businesses need to show us how they've addressed the risks that occur in their context – even if the underlying technology is the same".
In October, the ICO issued Snap Inc and Snap Group Limited, with a preliminary enforcement notice over potential failure to properly assess the risks to privacy posed by the AI Chatbot 'My AI' deployed on Snapchat. My AI is powered by ChatGPT.
In December, the ICO published a roundup of its guidance and resources on AI.
CDEI
In June, the UK's Centre for Data Ethics and Innovation (CDEI) published a portfolio of AI assurance techniques in collaboration with techUK. It is intended to be used by anybody involved in designing, developing, deploying or procuring AI-enabled systems, and sets out examples of AI assurance techniques being used in the real world, to support the development of trustworthy AI. It also published a report on Enabling responsible access to demographic data to make AI systems fairer.
EDPS
The European Data Protection Supervisor published an opinion in March on the European Commission's draft AI Liability Directive (AILD), the proposed Directive on adapting non-contractual civil liability rules to AI. In November, it published a further opinion on the EU's AI Act which focused largely on the role of the EDPS and Member State data protection Supervisory Authorities.
ENISA
In March, ENISA (the European agency for cyber security) published a report Cyber security of AI and standardisation. The report provides an overview of existing and proposed standards to prepare for the EU's AI Act. In June, ENISA published four reports on AI and cyber security.
At the end of March, the Italian data protection regulator, the Garante, announced an immediate ban on ChatGPT and an investigation into the GDPR compliance of its developer, OpenAI. The Garante said OpenAI did not have a lawful basis for processing such large amounts of personal data to train ChatGPT, and did not verify the age of users, thereby exposing minors to unsuitable answers. It also had concerns about transparency and data security following a data breach. While disagreeing with the Garante's findings, OpenAI temporarily disabled access to ChatGPT in Italy.
Other EU regulators also began to scrutinise OpenAI and the EDPB set up a dedicated task force to foster cooperation and exchange information on possible enforcement actions conducted by data protection authorities. The Italian regulator, the Garante, subsequently lifted its ban subject to OpenAI making changes to its privacy practices, including around transparency, lawful basis, and age verification for Italian users.
Clearview AI has been the subject of regulatory enforcement action across the EU and UK regarding its unlawful scraping of personal data to create an image database. It also settled a class-action lawsuit in the US in relation to the same issues.
In May 2022, Clearview AI was fined £7.5m by the UK's ICO. In November 2023, the First-tier Tribunal found that the ICO had no jurisdiction to issue its enforcement and penalty notices, on the basis that the UK GDPR (and the GDPR) did not apply to the processing at issue. Clearview AI succeeded in arguing that it is a foreign company providing its service to foreign clients using foreign IP addresses, in support of the public interest activities of foreign governments and government agencies, in particular their national security and criminal law enforcement functions, such functions being targeted at behaviour within their own jurisdictions and outside the UK. The ICO is seeking leave to appeal the judgment, arguing that Clearview was not, as it contended, processing for foreign law enforcement purposes and should not, therefore, be shielded from enforcement under the UK legislation.
The use of tracking technologies for targeted digital advertising purposes has been a major target of enforcement action by EU regulators in 2023. Meanwhile, the draft ePrivacy Regulation remains on the European Commission's Work Programme but shows little sign of progressing, a fact not lost on the EDPB which recently published guidance on Article 5(3) of the ePrivacy Directive. You can read more about data and digital advertising in depth here.
In January, the European Data Protection Board adopted a report on work carried out by the Cookie Banner Taskforce which was established in September 2021 to coordinate the response to complaints about cookie banners filed across the EEA by NOYB. The report sets out the opinion of the taskforce on whether various types of commonly used cookie banners breach the ePrivacy Directive cookie consent requirements.
The EDPB adopted provisional Guidelines on the technical scope of Article 5(3) of the e-Privacy Directive which will be finalised following a six-week consultation period. The guidelines are intended to clarify which technical operations, in particular new and emerging tracking techniques, are in scope of the Directive and provide greater legal certainty. The guidelines look at the key elements for the applicability of Article 5(3) and analyse the terminology used in more detail. They also include use cases to cover risk mitigation measures and solutions to ensure consent obligations are fulfilled.
Interestingly, the ICO chose the same week to warn some of the UK's top websites that they face enforcement action if they do not make changes to their cookie notices and policies to bring them into compliance with the law. The ICO warned that websites must make it as easy to reject tracking technologies for behavioural advertising purposes as it is to accept them. This is best achieved by including a 'Reject all' button next to an 'Accept all' one. The ICO has written to 30 non-compliant leading websites giving them 30 days to make changes and will publish an update on this work in January 2024, which will include details of companies which have not addressed its concerns.
You can read more about the ICO's views on digital advertising here.
The French regulator, the CNIL, has focused extensively on enforcement around cookie and tracking technology compliance as discussed here. In May, it fined behavioural advertising company Criteo €40m for GDPR breaches. This represents a €20m reduction from the originally announced provisional amount. The CNIL investigated Criteo following complaints from Privacy International and NOYB.
The Transparency and Consent Framework (TCF) is an industry framework first launched in March 2018 by the Interactive Advertising Bureau Europe (IAB Europe). It was created as a means to allow the digital advertising (adtech) industry to continue operating in a manner compliant with the GDPR and the ePrivacy Directive. In February 2022, the Belgian DPA, the APD, declared the then-current version of the TCF unlawful under the GDPR, which caused some consternation, if not surprise, in the digital advertising industry. In January 2023, IAB Europe said the APD had approved its plans to make changes to the TCF; however, a reference has been made to the ECJ for a preliminary ruling which is expected to be delivered in early 2024.
In May, following various court decisions and guidance, IAB Europe removed legitimate interests as a valid lawful basis for targeted advertising from the TCF.
The DPC began two inquiries into Facebook and Instagram in 2018, following two complaints made on 25 May 2018 when the GDPR came into effect, which raised essentially the same issues.
Ahead of the application of the GDPR, Meta had changed its terms of service for its Facebook and Instagram services. Having previously relied on consent to the processing of user personal data for the delivery of its services, it moved to contractual necessity.
The complainants argued that Meta was effectively relying on consent rather than the contractual necessity lawful basis because by making accessibility to its services conditional on accepting the updated terms of service, it was forcing users to consent to the processing of their personal data for personalised services and behavioural advertising in breach of the GDPR. Following an Article 65 procedure, the Irish DPC upheld the complaints and issued its fine. Meta is appealing the decision in Ireland and before the ECJ. Read more here.
In February, it was reported that Facebook and Instagram would restrict the data available to advertisers which helps them target teens. In April, Meta announced that it would switch its lawful basis for processing data for behavioural adverts from contractual necessity to legitimate interests from 6 April in the EU. However, in July 2023, the ECJ ruled (as part of a decision in a competition case brought by the German Bundeskartellamt) that Meta could not justify this type of processing on those grounds.
As a result, in July, the Norwegian DPA imposed a temporary ban on Meta (applying to its Facebook and Instagram platforms) from carrying out behavioural advertising based on the surveillance and profiling of users in Norway. The ban was extended by the EDPB in October to become effective one week after the Irish Data Protection Commissioner (Meta's lead EU regulator) notifies Meta of final measures. In the meantime, the Norwegian DPA has begun fining Meta nearly €100,000 a day for failing to comply with the ban.
Meta was thought to be considering offering EU users an opt-in to receiving targeted ads but subsequently began offering a free service with ads and allowing EU users to pay for an ad-free service on Facebook and Instagram. This model is also being scrutinised by EU Data Protection Authorities, as some regulators have expressed doubts, concerned that the choice between payment and non-payment does not equate to GDPR-level consent to behavioural advertising. NOYB has filed a complaint in Austria. The ICO also said it is assessing what this means for the information rights of people in the UK and is considering its response.
While this was going on:
2024 is set to be a big year for cyber security, particularly in the EU following agreement of the Cyber Resilience Act and with preparations to begin in earnest for the Digital Operational Resilience Act to apply from 2025. Member States are also required to implement the NIS2 Directive by 17 October 2024, to name but a few pieces of legislation likely to impact this area next year.
Meanwhile, we're not pretending to summarise everything that's happened in this area during 2023 but, in addition to the legislative developments set out elsewhere in this update, here is a selection of UK developments and some of the more high-profile breaches.
UK NCSC updated risk management toolkit
The UK's National Cyber Security Centre updated its risk management toolkit for practitioners in July with an eight-step risk management framework and a revised toolkit framework to cover a variety of sectors and organisation sizes.
UK government call for views on software resilience and security for businesses and organisations
The UK government published a call for views on software resilience and security for businesses and organisations in January. The UK is looking to strengthen resilience of digital products and services throughout the business supply chain.
Home Office consultation on review of the Computer Misuse Act 1990
The Home Office consulted in January on proposals to update the Computer Misuse Act to ensure the UK's legislative framework continues to support action against the harm caused by online cybercrime. Proposals for legislation include:
In November, the government published an analysis of the responses received. The third proposal proved the most controversial among respondents and the overall conclusion was that more work needs to be done by the government in conjunction with stakeholders.
Government guidance on security of connected places (smart cities)
In May, the government published guidance on the security of connected places, or smart cities. The collection of guidance applies to a number of stakeholders including senior leadership, decision makers and managers. It also applies to IT professionals and cyber security leads, information managers, processors and users.
Ofcom incident reporting thresholds under NIS Regulations
In June, Ofcom lowered incident reporting thresholds for Operators of Essential Services (OESs) in the digital infrastructure sector in its NIS guidance. The changes took effect on 31 May and impact top-level domain name registries, domain name system resolver services, DNS authoritative hosting services and internet exchange points (IXPs) within scope of the NIS Regulations. The revised guidance is for incidents to be reported where there is a service degradation of 25% for 15 minutes or more (rather than the previous 50%). IXPs are also required to report incidents based on the loss of 50% of the total bandwidth capacity across all ports. Ofcom also amended the section of its guidance which deals with enforcement, cross-referring instead to its Regulatory Enforcement Guidelines which were published in December 2022.
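To make the revised thresholds concrete, here is an added Python example (it is not from Ofcom's guidance or from this update) that flags reportable windows in a constructed per-minute degradation trace and computes aggregate bandwidth loss across IXP ports. It assumes that degradation is expressed as the fraction of normal service lost in each minute, that a run of degraded minutes must be contiguous (a missing minute breaks it), and that IXP loss is measured against total configured port capacity; how an operator actually measures degradation for its service is for it to determine against Ofcom's guidance.

```python
"""Added example: checking service metrics against the reporting thresholds
described in the text (25% degradation sustained for 15 minutes or more;
50% loss of total IXP bandwidth across all ports). All sample data below
is constructed, and the measurement model is an assumption (see lead-in)."""

from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

DEGRADATION_THRESHOLD = 0.25        # revised threshold (previously 0.50)
DURATION_MINUTES = 15               # degradation must be sustained this long
IXP_BANDWIDTH_LOSS_THRESHOLD = 0.50  # loss of total bandwidth across all ports


@dataclass(frozen=True)
class Sample:
    minute: int         # minutes since an arbitrary epoch, one sample per minute
    degradation: float  # fraction of normal service lost in that minute, 0.0..1.0


def reportable_windows(samples: Sequence[Sample],
                       threshold: float = DEGRADATION_THRESHOLD,
                       duration: int = DURATION_MINUTES) -> List[Tuple[int, int]]:
    """Return (first_minute, last_minute) for every run of consecutive
    one-minute samples at or above `threshold` lasting at least `duration`
    minutes. A missing minute ends a run: it is treated as unknown, not as
    degraded, so the reporting decision is never based on data we do not have."""
    windows: List[Tuple[int, int]] = []
    run_start = prev_minute = None
    for s in sorted(samples, key=lambda x: x.minute):
        degraded = s.degradation >= threshold
        contiguous = prev_minute is not None and s.minute == prev_minute + 1
        if run_start is not None and not (degraded and contiguous):
            # the current run has ended; keep it only if it was long enough
            if prev_minute - run_start + 1 >= duration:
                windows.append((run_start, prev_minute))
            run_start = None
        if degraded and run_start is None:
            run_start = s.minute  # a new run starts at this minute
        prev_minute = s.minute
    if run_start is not None and prev_minute - run_start + 1 >= duration:
        windows.append((run_start, prev_minute))
    return windows


def ixp_bandwidth_loss(ports: Dict[str, Tuple[float, float]]) -> float:
    """Fraction of total configured bandwidth lost across all ports.
    `ports` maps port name -> (configured_capacity, currently_available),
    both in the same unit (e.g. Gbit/s)."""
    total = sum(cap for cap, _ in ports.values())
    available = sum(avail for _, avail in ports.values())
    if total <= 0:
        raise ValueError("no configured port capacity")
    return 1.0 - available / total


def ixp_reportable(ports: Dict[str, Tuple[float, float]],
                   threshold: float = IXP_BANDWIDTH_LOSS_THRESHOLD) -> bool:
    return ixp_bandwidth_loss(ports) >= threshold


def _series(spec: Sequence[Tuple[int, int, float]]) -> List[Sample]:
    """Expand (start_minute, count, degradation) runs into per-minute samples."""
    out: List[Sample] = []
    for start, count, level in spec:
        out.extend(Sample(start + i, level) for i in range(count))
    return out


# Constructed 60-minute trace for an authoritative DNS service.
SAMPLE_TRACE = _series([
    (0, 10, 0.00),   # healthy
    (10, 20, 0.30),  # 30% degraded for 20 minutes: reportable at 25%, not at the old 50%
    (30, 5, 0.05),   # recovered
    (35, 10, 0.60),  # 60% degraded but only for 10 minutes: too short to report
    (45, 15, 0.00),
])

# Constructed IXP port inventory: (configured capacity, currently available).
SAMPLE_PORTS = {
    "port-1": (100.0, 100.0),
    "port-2": (100.0, 0.0),    # link down
    "port-3": (400.0, 100.0),  # partially degraded
}

if __name__ == "__main__":
    print("reportable at 25%:", reportable_windows(SAMPLE_TRACE))
    print("reportable at old 50%:", reportable_windows(SAMPLE_TRACE, threshold=0.50))
    print("IXP loss: %.0f%%, reportable: %s"
          % (100 * ixp_bandwidth_loss(SAMPLE_PORTS), ixp_reportable(SAMPLE_PORTS)))
```

Running it shows the practical effect of the change: the 30% degradation lasting 20 minutes is reportable under the revised 25% threshold but would have gone unreported at 50%, while the deeper 60% outage is not reportable because it did not last 15 minutes. The IXP inventory loses two thirds of its configured capacity and so crosses the 50% line even though only one port is fully down.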
House of Commons Committee inquiry into cyber resilience of UK's critical infrastructure
In October, the House of Commons Science and Technology Committee launched an inquiry and call for evidence on the cyber resilience of the UK's critical national infrastructure as measured against resilience targets by 2025. It will look at what the sector needs to achieve those targets and at how to make computer hardware architecture which underpins the critical infrastructure more secure by design. Submissions were invited on a range of issues, including the strength of government programs and support, by 10 November 2023.
Updated code of practice on minimum security and privacy requirements for app store operators and app developers
As part of the National Cyber Strategy and following a public consultation, the government published an updated version of its code of practice which sets out the minimum security and privacy requirements for all app store operators and app developers in October. The original version of the code was published in December 2022 on a voluntary basis with a nine-month implementation period for operators and developers. In May 2023, DSIT consulted on progress and concluded that additional clarifications were needed for some provisions. As a result, the implementation period is being extended by six months to March 2024. DSIT will then review adherence levels and make recommendations to the Secretary of State on next steps. The voluntary code of practice is intended to supplement but not to replace pre-existing legal obligations and is tailored to data breaches in the context of app stores.
Cyber Essentials scheme updated public procurement policy note
In October, the government replaced PPN 09/14 with PPN 09/23, which sets out actions for central government departments, their executive agencies, non-departmental public bodies and NHS bodies to take in relation to cyber security (including Cyber Essentials certification) in certain procurement contracts. Other public bodies are encouraged to follow the approach. In-scope organisations are required to implement PPN 09/23 within three months of its publication.
UK and US global AI security by design guidelines
In November, the UK's National Cyber Security Centre (NCSC) announced new voluntary global guidelines on secure AI system development. The guidelines were developed in association with the US and industry and have been endorsed by national agencies from 16 other countries, including the G7. The guidelines are intended to help AI system developers embed cyber security by design into all stages of the development phase, but extend across the product lifecycle to cover secure deployment, operation and maintenance. They are aimed primarily at providers of AI systems who are using models hosted by an organisation or are using APIs, but all stakeholders are urged to take them into account.
Some of the most high-profile enforcement actions of 2023 are covered in other sections of this update, for example, relating to data transfers and digital advertising, but these were by no means the only areas of focus. Here are some other notable developments during 2023, looking at the UK, the EU and the Irish Data Protection Commissioner, who has a particularly important role as lead EU regulator for some of the tech giants. You can read more about policy on enforcement by the EDPB, UK and key EU jurisdictions more generally here.
Among over 50 enforcement actions during 2023, as usual, many of the ICO's actions related to unsolicited marketing calls, but 2023 also saw some changes in approach (see above for draft guidance on penalty notices). This was in line with the ICO's intention voiced in 2022, to publish reprimands and to use financial penalties in as proportionate a way as possible.
On 20 January 2023, the ICO said it had decided to stop enforcing failures to file personal data breach reports under Regulation 5A of PECR which requires a communications service provider to notify the ICO within 24 hours of becoming aware of a data breach. The ICO's decision was based on the fact that the incidents tend to be caused by human error, involving one individual, are quickly resolved and result in risk remediation measures being swiftly implemented. Following feedback, the ICO updated its statement which now says that it will use its discretion not to take enforcement action provided breaches are still reported within 72 hours. The ICO will continue to take enforcement action in relation to the underlying breaches reported where warranted, and continues to expect breaches likely to adversely affect the personal data or privacy of subscribers or users to be reported within 24 hours.
Other notable developments include:
In February, the European Commission announced it will oversee the progress of every large-scale GDPR enforcement case. The Commission will require all national regulators to share an overview of large cross-border investigations every other month. The Commission will take into account the steps the Data Protection Authorities are taking and how long they take. This move comes off the back of complaints made by the Irish Council for Civil Liberties following which, the EU Ombudsperson recommended the Commission monitor the progress of big tech cases under the Irish Data Protection Commissioner's jurisdiction. However, the Commission has decided to apply the same regime to all EU regulators and for all largescale cross-border cases, although practically, this is most likely to impact the Irish DPC.
In March, the EDPB announced its second annual coordinated enforcement action, which will look at the designation and position of Data Protection Officers (DPOs). 26 Data Protection Authorities are expected to take part in the process and will send questionnaires to DPOs in their respective jurisdictions. They will be focusing on issues including independence, the appointment process and other GDPR requirements. Findings will be analysed to decide whether there is a need for further action and the EDPB will publish a report. The EDPS will be joining the EDPB's coordinated enforcement action. While the EDPB will focus on the role of the DPO at national level in the public and private sectors, the EDPS will concentrate on the role of DPOs in EU institutions.
As mentioned above, the EDPB adopted final guidelines on administrative fines in June. The EDPB announced in October that its 2024 coordinated enforcement action will focus on the way controllers implement the right of access. Further work will now be carried out to specify the details and the action will be launched in 2024.
The EDPB was also heavily involved in resolving disagreements between EU regulators regarding enforcement against cross-border businesses under the Article 65 GDPR procedure, in particular regarding the Irish Data Protection Commissioner's decisions involving Meta and TikTok.
The Irish Data Protection Commissioner has had an exceptionally busy year. In addition to the fines issued against Meta and separately against its Facebook and Instagram platforms (covered elsewhere in this update), it also issued significant fines to WhatsApp and TikTok.
In January, following an EDPB Article 65 decision, the Irish DPC fined WhatsApp Ireland €5.5m. The decision followed on from the fines handed down to Instagram and Facebook and related to similar issues, i.e. transparency, the reliance on contractual necessity for processing operations and whether it was actually forced consent. In this case, however, the examination was of the lawful basis used for service delivery and security (excluding IT security), rather than for digital advertising. WhatsApp subsequently changed its lawful basis to legitimate interests for these purposes.
In July, Airbnb Ireland received a reprimand from the Irish DPC relating to the processing and retention of copies of documents used to verify identity. The DPC said the practice of retaining a copy of the relevant document after identity has been verified breaches the GDPR data minimisation and storage limitation principles.
In September, following an Article 65 resolution process and in accordance with the EDPB's decision, the Irish DPC adopted its final decision that during the relevant period, TikTok's public by default settings and the way it communicated information led variously to breaches of GDPR provisions relating to fairness, transparency and privacy by design and default. The Irish DPC was also required to take into account the EDPB's findings that TikTok had implemented dark patterns in breach of the Article 5 fairness requirement, fining it €345m. In a statement quoted in the media, TikTok said "We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC's criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default". TikTok is appealing in the Irish High Court and the ECJ.
In addition to decisions mentioned elsewhere in this update, here are some of 2023's key UK and ECJ decisions relating to data.
UK
In February, the Information Rights Tribunal ruled on an appeal against the ICO's action to require credit reference agency Experian Limited to change its data protection practices. The ICO issued an enforcement notice to Experian in October 2020, following a two-year investigation into how the company and two other major credit reference agencies were using the personal information of adults for direct marketing purposes. The Tribunal agreed with the ICO's findings that Experian had not processed the personal data of over five million individuals transparently, fairly or lawfully because it failed to notify them it was processing the data for direct marketing purposes. The Tribunal did, however, disagree with the ICO's assessment that Experian's privacy notice was insufficiently transparent, that using credit reference data for direct marketing purposes was unfair, and that Experian failed to properly consider its lawful basis for that use. The ICO said it would consider the ruling and decide whether or not to appeal.
In March, the High Court awarded general damages of £60,000 plus special damages in respect of claims including infringement of privacy and misuse of private information. The claims were made after the defendant covertly recorded naked images of the claimant and then published them on a website alongside a photograph of her face. The court agreed that the knowledge these images had been published online led to the claimant suffering chronic PTSD and to a personality change.
In April, the High Court ruled the immigration exemption in the Data Protection Act 2018, remains unlawful and must be made clearer, saying previous actions by the government to make the exemption comply with the UK GDPR have not resolved the issue. The court said the government needs to make it a legal requirement to comply with a code or policy setting out the safeguards and tests to be applied before using the immigration exemption. An obligation merely to "have regard to" it is insufficient.
In October, the Court of Appeal upheld the High Court's ruling that the UK's ICO is not required to reach a definitive decision on the merits of individual complaints but has broad discretion. The CA said the ICO is only required to handle and investigate complaints to an appropriate extent under Article 57(1)(f) UK GDPR. The ICO welcomed the CA's ruling that it had acted lawfully over a Subject Access Request (SAR) complaint and its confirmation that the ICO has broad discretion in deciding the extent to which it investigates each complaint, and is entitled to reach and express a view on it without necessarily determining whether or not there has been an infringement.
ECJ judgment on right to be forgotten on grounds of inaccuracy
In January, the ECJ handed down a judgment on a reference from Germany regarding interpretation of Article 17 GDPR and the right to be forgotten. The reference related to a case involving a request to delete links and thumbnails from search results on grounds of inaccuracy. The ECJ commented on the Article 17(3) exemption where the processing of the data in question is necessary for exercising the right of freedom of expression and information. The court also discussed what constitutes inaccuracy for the purpose of giving effect to a right to be forgotten request.
ECJ decision on disclosure of identity of recipients of personal data
The ECJ ruled on a reference from the Austrian Supreme Court in the Österreichische Post case relating to Article 15(1)(c) of the GDPR in January. This provides a right for data subjects to obtain information from a controller, on request, about the recipients or categories of recipients to whom their data has been or will be disclosed. The referring court asked whether this meant that the controller had to disclose the specific identity of actual recipients. The decision followed the Advocate General's opinion and held that the controller is required to provide the data subject, on request, with the actual identity of recipients unless it is not possible to identify them, in which case it may indicate the categories of potential recipients. Where the request by the data subject is manifestly unfounded or excessive, the controller may also indicate categories rather than the actual identities of recipients. The ECJ said the right of access is necessary in order to enable the data subject to enforce other GDPR rights such as rectification and erasure. Without identifying specific recipients, this would not be possible.
ECJ ruling that civil and administrative remedies under GDPR can run concurrently
The ECJ ruled in a reference from Hungary that the remedies available to data subjects to enforce their rights through the courts under Articles 77 and 79 can be exercised concurrently. Article 77 provides a right to administrative appeal of a Supervisory Authority's decision. Article 79 allows for action before a civil court against a controller. See our article for more.
ECJ ruling on position of DPOs and interpretation of Article 38 GDPR
In February, the ECJ ruled in a reference from Germany on interpretation of Article 38 GDPR. The questions referred related to the role of national legislation in determining when a Data Protection Officer (DPO) can be dismissed, and interpretation of the Article 38(6) reference to 'conflict of interests'. It followed a claim for unfair dismissal after a German DPO who was also Chair of the Works Council was dismissed from the DPO role when the GDPR took effect on the basis that there was a conflict of interest.
The ECJ held that:
ECJ ruling on interpretation of 'right to a copy' under GDPR
In May, the ECJ published a judgment on interpretation of the right of access under Article 15 GDPR and, specifically, the meaning of "copy" and "information" in Article 15(3). The reference was made from Austria and asked the court about the scope of the right and whether the obligation to provide a "copy" is fulfilled by the controller supplying a summary table or whether the right entails the transmission of document extracts, entire documents and extracts from databases in which the personal data is reproduced.
The ECJ held that:
Mere infringement of the GDPR does not give rise to a right to compensation, says ECJ
The ECJ ruled in the Österreichische Post case in June that mere infringement of the GDPR does not give rise to a right to compensation; however, there is no requirement for non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.
ECJ ruling on GDPR fines
In December, the ECJ made its ruling on two references from Germany and Lithuania, the German reference relating to the long-running Deutsche Wohnen case. The ruling clarifies a number of issues relating to the imposition of GDPR fines including that:
AG opinion on technical and organisational measures
AG Pitruzzella delivered an opinion on a reference to the ECJ from Bulgaria. The questions arose following a breach of data held by a public body, which resulted in claims for non-material damage arising from worry and fear that the data might be misused in future. The questions related to appropriate security measures, breach liability and compensation for non-material damage. Points of interest include the AG's opinion that:
ECJ opinion on SARs
The ECJ ruled on interpretation of Article 15(1) GDPR which deals with subject access requests, in response to a reference from Finland. The ECJ said:
ECJ ruling on interplay of competition and consumer protection law
In July, the ECJ published its decision in a reference from Germany involving Meta Platforms and the impact of its data practices on competition. In the original case in Germany, the German competition authority, the Bundeskartellamt, found that the data collected by Meta Platforms Ireland about user activities on and off Facebook and across other Meta services, and linked back to their Facebook account for targeted advertising purposes, was collected without valid consent and therefore in breach of the GDPR. Read about the competition aspects here.
The ECJ also made a number of observations in relation to Meta's data processing operations including:
Updated AG opinion on Quadrature du Net case
Advocate General Szpunar refreshed his opinion on the Quadrature du Net case (originally published in 2022) following the reopening of the case, and expanded on his original reasoning, making additional clarifications.
AG opinion on theft of personal data and identity theft/fraud
In November, Advocate General Collins gave an opinion in a joined reference from Germany on the relationship between the theft of personal data and identity theft or fraud. The AG opined that theft of personal data does not, in itself, constitute identity theft or fraud. The theft may give rise to a right to compensation for non-material damage where there has subsequently been identity fraud as a result of the theft of the data, but the right to compensation does not depend on subsequent identity theft arising from the theft of the data. Compensation for non-material damage must be assessed on a case-by-case basis, taking all relevant circumstances into account.
by Debbie Heywood and Victoria Hordern
Can employers monitor their workers, how and to what extent?