12 December 2024
Radar - December 2024 – 2 of 2 Insights
We look at a curated selection of 2024's main legislative and regulatory developments in the UK and at EU level relating to data and cyber security, covering:
See our roundup of other areas impacting tech and digital here.
We make our predictions for 2025 here. For in-depth features on data and cyber issues, visit our Global Data Hub where you can view weekly news and sign up to receive content by email. You can also keep an eye on legislative developments in the UK, EU, Germany, France and the Netherlands by using our Digital Legislation Tracker.
While the UK government failed to pass the Data Protection and Digital Information Bill before the July general election, the EU had more success with finalising flagship legislation.
Draft Data (Use and Access) Bill
The Data (Use and Access) Bill was published and received its first reading in the House of Lords on 23 October 2024. It replaces the Data Protection and Digital Information Bill, which failed to pass before the July general election. Like its predecessor, it aims to reform the UK's data protection and ePrivacy regimes, provide for sharing of business and customer data, and introduce a framework for trusted digital identity verification (among other things). Read more on the DUA Bill here. See the Tech and Digital section of this update for other digital identity verification developments.
The government has also said it will introduce cyber security legislation in 2025, most likely to bring the UK's regime more in line with the EU's NIS2 regime.
PSTIA regime
The UK's connectable products regime came into effect when the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force on 29 April 2024. The government also updated its PSTIA Regs guidance to include additional guidance on the Statement of Compliance and automotive vehicles.
Secondary legislation
Personal data
The European Commission published its second report evaluating the GDPR on 25 July 2024. The report found that the GDPR was fit for purpose but improvements could be made around enforcement. In particular, the GDPR Procedural Regulation would help, but the report also emphasised the need for consistent approaches and cooperation between Member State regulators, both in relation to the GDPR itself, and in terms of its place in the wider digital regulatory framework. The draft Regulation laying down additional procedural rules relating to the enforcement of the GDPR proceeded to trilogue stage and is a priority for 2025.
The Regulation permitting the continuation of certain derogations from the ePrivacy Directive under the Interim Regulation to combat child sexual abuse was published in the Official Journal in May 2024. The Interim Regulation is extended to 3 April 2026 to allow time for the EU's draft Child Sexual Abuse Material (CSAM) Regulation to come into effect. Not only did the CSAM Regulation fail to make it to enactment during 2024, but the draft ePrivacy Regulation, long since stalled, also failed to make progress. While it remains on the legislative agenda, it is thought it will be formally dropped on publication of the planned Digital Fairness Act proposal.
Data sharing
The EU's Data Act came into force on 11 January 2024. It is intended to remove barriers to data sharing, give businesses access to data they contribute to creating, and individuals more control over all their data (not just personal data). It will empower users of connected devices to access and share data they generate with third parties as well as switch cloud and edge service providers. It also aims to protect SMEs by providing a harmonised framework in which data can be shared, equalising access to data across the single market. While the Data Act will mostly apply from 12 September 2025, some elements will be introduced on other dates. The European Commission published FAQs on the Data Act on 6 September 2024. See our step plan to compliance and an article analysing the new obligations for cloud and edge services here.
The Interoperable Europe Act was published in the Official Journal on 22 March 2024. It introduces a co-operation framework for public administrations in the EU to facilitate cross-border exchanges of data. The intention is to ensure interoperable digital solutions and tools to help remove administrative burdens. The Act entered into force on 11 April 2024 and has largely applied since 12 July 2024, with limited provisions applying from 12 January 2025.
The European Council and Parliament reached provisional political agreement on the Regulation to establish a common European Health Data Space on 15 March 2024. The legislation was expected to be passed this year, but at the time of writing had not been finalised. The European Parliament and Council also agreed their positions on the proposed financial data space which now moves to trilogues.
The Short-term rental Regulation was published in the Official Journal on 29 April 2024. It sets out rules for data collection by competent authorities and providers of short-term online rental platforms and for sharing that data. It applies to short-term rental platforms which allow hosts to provide short-term rentals in the EU and to hosts providing those services. The Regulation will apply from 20 May 2026.
The Regulation to amend the eIDAS Regulation as regards establishing the European Digital Identity Framework (eID Regulation) was published in the Official Journal on 30 April 2024. It establishes a new digital identity framework for EU citizens and a European Digital Identity Wallet. Read more.
On 23 May 2024, the European Commission opened infringement proceedings against 18 Member States requiring them to implement the Data Governance Act within two months. Non-compliance issues related mainly to failure to designate responsible authorities or demonstrate that these are empowered to perform tasks allocated under the DGA.
Cyber package
The Cybersecurity Regulation, which sets out common cyber security standards at the institutions, bodies, offices and agencies of the EU, came into force on 7 January 2024.
The Regulation for an EU common criteria-based cybersecurity certification scheme (EUCC) entered into force on 27 February 2024. This is the first cyber security certification scheme under the Cybersecurity Act intended to enhance cyber security of ICT products, services and processes. Further schemes are planned on cloud services and 5G security.
The European Council and Parliament this year approved:
Following signature, they will be published in the Official Journal.
On 25 June 2024, the Council of the EU adopted a Recommendation on a Blueprint for protecting EU citizens and the internal market, essentially to coordinate a response at EU level to disruptions to critical infrastructure with significant cross-border relevance. The focus is on sharing experience and information about an incident to help coordinate public communications and an effective response.
Most Member States (23 of 27) missed the NIS2 Directive's transposition deadline of 17 October 2024 (with the implementing measures due to apply from 18 October). On 17 October 2024, the European Commission adopted an Implementing Regulation under the NIS2 Directive which, for digital infrastructure and digital service providers (including DNS and cloud providers, data centres, managed service providers and online platforms), specifies the technical and methodological requirements of the cyber security risk management measures and the cases in which an incident is considered significant and therefore reportable. In late November, the Commission opened infringement proceedings, giving non-compliant Member States two months to introduce their legislation or face further enforcement action.
The EU's Cyber Resilience Act (CRA) was published in the Official Journal on 20 November 2024. It introduces mandatory cyber security requirements for the design, development, production and making available of products with digital elements and their remote data processing solutions. The scope is broad: it covers hardware and software products that connect directly or indirectly to a device or network, so well beyond consumer IoT. Manufacturers will be required to embed security by design, carry out conformity assessment, and provide security support and software updates for the product's support period. There are also information obligations and reporting requirements for actively exploited vulnerabilities and severe incidents. The CRA will apply generally from 11 December 2027, with the provisions on conformity assessment bodies applying from 11 June 2026 and the reporting obligations from 11 September 2026. See here for how the CRA compares with the UK's PSTIA regime on connected products and here for more on the CRA.
In-scope businesses have also been getting ready for the Digital Operational Resilience Act (DORA) which will apply from 17 January 2025. Read more.
EU Political Advertising Regulation
The EU's Regulation on transparency and targeting of political advertising was published in the Official Journal on 20 March 2024. This applies to certain types of political advertising disseminated in the EU, brought into the public domain in one or more Member States, or directed at EU citizens regardless of country of origin and means used to publish. The Regulation will apply from 10 October 2025, with Articles 3 (definitions) and 5(1) (restrictions on providers of political advertising services) having applied since its entry into force on 9 April 2024.
The ICO and EDPB have had another busy year. Here are the 2024 highlights.
Online safety and protection of children
This was a priority area for the ICO in 2024, not least in support of the UK's Online Safety Act (OSA). During 2024:
The ICO expects to update its Children's Code Strategy next year. See here for more on children's data and online harms.
Technology
In addition to focusing on AI (see below), the ICO also published:
Fines and fees
On 18 March 2024, the ICO published new fining guidance setting out how it decides to issue penalties and calculate fines. The government also consulted on raising the data protection fee to £3,979 for tier 3 organisations (more than 250 staff or an annual turnover of over £36m). Tier 1 fees are proposed to rise from £40 to £55 and tier 2 fees from £60 to £82.
ICO's Journalism Code of Practice
The ICO's final Code of Practice on data protection and journalism came into force on 22 February 2024. The Code provides guidance for journalists and media publications on data protection in the context of journalism. It looks at how to apply the journalism exemption, including the public interest and freedom of expression considerations. The Code is a statutory code of practice: it is not itself legally binding, but the ICO must take it into account when exercising its functions and courts and tribunals must take it into account where relevant, so failure to follow it can count against an organisation.
Employment and HR
On 6 November 2024, the ICO published the results of its consensual audit engagements with developers and providers of AI tools used in recruitment, together with a series of recommendations for developers and recruiters. The ICO recognises the value of using AI in recruitment but also made a series of nearly 300 recommendations following the voluntary audit, which are summarised in the report alongside key questions for procurers to ask themselves during the procurement process.
The ICO also consulted on two further sets of draft guidance for employers and recruiters that will form part of the ICO's overhauled guidance on employment information, covering keeping employment records and recruitment and selection, and published guidance for employers on sharing staff personal data in a mental health emergency on 1 March 2024.
AI
In response to a request from the Department for Science, Innovation and Technology, the ICO published its strategic approach to regulating AI at the end of April 2024. This covers the opportunities and risks of AI, the role of data protection law, the ICO's work on AI to date and its plans for further work. How far this remains relevant following the new government's forthcoming AI policy is now unclear. See the section on AI training for more.
Tools and certification schemes
The ICO launched a new audit framework to help larger businesses and organisations assess their compliance with data protection law. It is not aimed at SMEs, which should use the self-assessment toolkit and other resources. It is an extension of the Accountability Framework and contains nine toolkits covering different key areas including AI and age-appropriate design.
On 20 August, the ICO launched a privacy notice generator tool to help sole traders, start-ups, small organisations and charities create bespoke privacy notices in a variety of sectors. These include finance, insurance, legal sectors, education, health and social care, retail and manufacturing.
In February, the ICO approved a certification scheme for legal professionals who process personal data. Certification helps law firms and other legal professionals demonstrate compliance with data protection requirements and reassure those using their services. This is the fifth approved certification scheme. The others cover: offering secure re-use and disposal of IT assets; age assurance; children's online privacy; and training and qualification service providers.
On 7 November, the ICO and DSIT's Responsible Technology Adoption Unit published the Privacy Enhancing Technologies (PETs) Cost-Benefit Awareness Tool, alongside a checklist to support organisations. The tool focuses on emerging PETs and is structured around an example of using PETs to train a machine learning model without centralised data collection or processing.
On 13 November 2024, the ICO announced it had approved the first sector-owned code of conduct by the Association of British Investigators Limited. The Code applies to UK private investigators and is approved in accordance with Article 40 UK GDPR.
Regulatory cooperation
The UK's ICO and the USA's Federal Communications Commission signed a Memorandum of Understanding pledging to work together to protect people from unwanted marketing communications and the misuse of private and sensitive data.
Following a roundtable meeting on 10 and 11 October 2024 of the G7 data protection authorities, the Canadian DPA published a communiqué setting out three pillars of focus for cooperation – data transfers, emerging technologies such as AI, and bilateral and multilateral enforcement actions.
On 4 April 2024, the ICO joined the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), a new international multilateral arrangement intended to facilitate cooperation in cross-border data protection and privacy enforcement. Other members include the USA, Australia, Canada, Mexico and Japan.
In August, the ICO and the National Crime Agency signed a Memorandum of Understanding setting out how they will help UK organisations become more resilient to cybercrime and share information.
Transparency and information standards in health and social care
On 15 April 2024, the ICO published guidance to improve transparency in health and social care. This is the final version of the guidance following a consultation earlier this year. On 22 November 2024, DHSC published its response to a consultation on information standards for health and adult social care in England. The consultation relates to changes made to s250 of the Health and Social Care Act 2012 (HSCA) which have not yet been brought into effect. These changes will be complemented by provisions in the Data (Use and Access) Bill which include standardisation for data sharing across health and social care as information standards covered under s250 of the HSCA. DHSC is expected to begin preparations to implement mandatory information standards in early 2025, and to lay legislation before Parliament in the Spring.
ICO review of public sector approach
On 9 December 2024, the ICO published the results of its two-year trial public sector approach which placed an emphasis on reprimands and collaboration rather than financial sanctions where public sector organisations breach data protection rules. The ICO considers the approach to have been largely successful. It proposes to continue it but does acknowledge potential areas for improvement, in particular, by making it clearer which organisations are covered in the public sector approach and what type of infringements could lead to a fine. As a result, the ICO is consulting on the latter issue. Responses are invited by the end of January 2025.
2024 was another active year for the EDPB. While some developments (and those relating to the EDPS) are covered in other sections of this update, here's a selection of its work.
In 2024, the EDPB:
One of the biggest controversies of the year was the 'pay or ok' or 'consent or pay' model adopted most frequently in the EU but also in the UK. Privacy campaign group NOYB continued its crusade against tracking cookies for behavioural advertising, while industry groups continued to focus on finding a solution satisfactory to the digital advertising ecosystem, privacy campaigners, and data protection regulators.
At the start of the year, the ICO called on organisations to take proactive action to make advertising cookies compliant with data protection law, building on its earlier warnings to top websites. In November 2023, the ICO wrote to 53 of the UK's top 100 websites, warning them that their use of advertising cookies was not compliant with data protection law and that they would face enforcement action if they failed to act. It subsequently welcomed changes made by 80% of the 53 organisations it had approached and is now focusing on the next 100 most frequented websites. It warns that its next announcement in this space will be about enforcement action against organisations which have ignored the law.
Following ECJ rulings that effectively determined that the only lawful basis available to Meta for targeted advertising was consent, Meta and others switched to what is known as the 'pay or ok' or 'pay or consent' model. This gives users the choice between an ad-free subscription model and agreeing to the use of their personal data for targeted advertising purposes in exchange for a free service.
The 'pay or ok' model came under the scrutiny of data protection regulators in the UK and EU, and in the EU was also the subject of consumer complaints and enforcement action under the EU's Digital Markets Act (DMA).
The EDPB was asked in January to look at the 'pay or ok' model following requests from Member State DPAs amid concerns that consent cannot be said to be freely given in this situation, and that the charging model is insufficiently transparent and potentially unfair.
The EDPB published its Opinion on valid consent in the context of pay or ok models implemented by large online platforms (LOPs) on 17 April 2024. The EDPB concluded that "in most cases it will not be possible for [LOPs] to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee". The EDPB suggested that LOPs should not be offering a binary choice to consent to advertising or to pay for an ad-free service. Instead they should consider providing an equivalent alternative such as a free service with non-behavioural advertising, ie advertising which uses less personal data than behavioural advertising or none at all.
The Opinion included elements to help assess consent against the GDPR standard in relation to 'pay or OK' but the EDPB also plans to develop guidelines on 'pay or OK' with broader scope, and on 5 September 2024, it invited stakeholders to participate in a remote event on 18 November intended to gather information about 'consent or pay' models.
IAB Europe published a response to the EDPB's Opinion arguing that the EDPB mischaracterised both the 'consent or pay model' and personalised advertising and risks creating legal uncertainty for many businesses beyond large online platforms.
Read more.
On 1 July 2024, the European Commission informed Meta that its preliminary findings were that Meta's 'pay or consent' advertising model breached the DMA. Under Article 5(2) of the Digital Markets Act, gatekeepers must seek user consent to combine their personal data between designated core platform services and other services. If a user refuses consent, they should be offered access to a less personalised but equivalent alternative service. Gatekeepers cannot make the provision of certain services or functionalities conditional on user consent.
The EC provisionally found that Meta's 'pay or consent' advertising model breaches the DMA because:
Consumer protection also featured in pay or ok concerns. On 29 February 2024, BEUC (the European consumer protection group) announced that eight of its members had filed complaints to the national data protection regulators about Meta's 'pay or OK' model, arguing it did not follow the principles of fair processing (transparency), data minimisation or purpose limitation. They also argued that consent was not freely given and questioned the lack of information to explain how the subscription price was set.
The EU's Consumer Protection Cooperation Network (CPC) sent a letter to Meta on 22 July. The CPC and the Commission expressed concerns that Meta used misleading or aggressive practices and was insufficiently transparent when offering consumers the choice between paying for an ad-free model and consenting to being tracked for advertising purposes. This action is distinct from the DMA and data protection investigations.
In an effort to allay concerns, Meta announced a new version of its EU services on 12 November 2024. Meta will offer a version of Facebook and Instagram with "less personalised ads". Under the new model, those selecting a free service will still receive ads but the targeting will rely on less data ie it will be contextual, using a minimal set of data points including age, location, gender and how a person engages with ads. Meta will also reduce the cost of its ad-free subscription model.
Meanwhile in the UK, the ICO launched a call for views on the 'consent or pay' model for website access in general on 6 March 2024. It invited publishers, advertisers, intermediaries, civil society, academia and other interested stakeholders to respond and help inform its position. The ICO also wrote to the Association of Online Publishers and the Internet Advertising Bureau UK, setting out its views on various online advertising models and how to give users a fair choice over how their personal information is used, while reserving its position on 'consent or pay' until it had considered the responses. The ICO is expected to issue updated cookie guidance for consultation after the Data (Use and Access) Bill gets Royal Assent, including more detailed guidance on the interplay between consent for targeted advertising and functionality that is intrinsically linked to it at a technical level.
After concerns expressed by the CMA and the ICO, Google announced on 22 July 2024 that "instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing and they'd be able to adjust that choice at any time". It will continue to work on Privacy Sandbox APIs and to make them available in discussion with regulators and industry. Google has also said it will offer additional privacy controls by introducing IP Protection into Chrome's Incognito mode. The CMA said it was "considering the impact of this announcement" and the ICO said: "We are disappointed that Google has changed its plans… we will reflect on this new course of action when more detail is available".
On 6 September, the CMA published a statement of objections setting out how Google may have broken competition law by using its dominance to favour its own adtech services in open-display advertising. The CMA's provisional findings are that Google has abused its dominant position on both the ad server (DoubleClick for Publishers or DFP) and the buying tool (Google Ads and DV360) sides to restrict competition in the UK. In particular, it has preferenced its own ad exchange (AdX), harming competition, advertisers and publishers. The CMA finds that since 2015, Google has used its buying tools and publisher ad server to strengthen AdX's position and restrict competitors' opportunities. It has also prevented rival publisher ad servers from being able to compete effectively with DFP. The CMA will consider representations from Google before reaching a final decision. Google's adtech practices are also under scrutiny from competition regulators in the EU and USA.
Separately, the CMA announced on 20 August 2024 its decision to accept a variation of Meta's binding commitments to address competition concerns relating to its use of digital display advertising service data.
NOYB filed a number of tracking/cookie-related complaints during 2024, including:
NOYB also published a report on 11 July 2024, analysing decisions taken by national data protection regulators relating to cookie consent banners, and comparing them with the position taken by the EDPB's cookie banner taskforce.
Alongside the EU AI Act and considerations about whether or not to legislate on AI in the UK, data protection regulators in the UK and EU have continued to focus on the use of personal data to train AI models. This has resulted both in guidance and in engagement with some of the tech giants on the issue. Data protection concerns have focused largely on the issue of scraping or otherwise using personal data to train AI without consent. For more on AI, see the AI section of this update.
ICO consultations on generative AI
The UK's ICO launched a series of consultations over the course of 2024, looking at how aspects of data protection law should apply to the development and use of generative AI. The consultations set out the ICO's thinking on how to interpret specific requirements of the UK GDPR and Part 2 of the DPA 2018 in relation to pressing questions, including about:
EDPS and EDPB
In June, the European Data Protection Supervisor published guidelines to help EU institutions, bodies, offices and agencies comply with their data protection regulation (Regulation (EU) 2018/1725, the EU institutions' counterpart to the GDPR) when using generative AI. The guidelines run through the data protection principles and provide practical examples to anticipate risks, challenges and opportunities. There is also a focus on when to carry out DPIAs and how to conduct them.
The EDPB announced plans to develop guidelines on generative AI which will focus initially on data scraping in the context of AI training data. It held a stakeholder event on AI models on 5 November 2024.
The EDPB's ChatGPT taskforce set up to promote cooperation between DPAs investigating ChatGPT's data protection compliance, published an interim report on its work to date on 24 May 2024. The investigation is ongoing.
The European Data Protection Supervisor's 2025 TechSonar report was published on 15 November 2024 and focuses on the impact of AI on individual rights and freedoms.
OECD expert group for policy synergies in AI, data and privacy
The OECD announced in February it had set up a new expert group for policy synergies in AI, data and privacy. The intention is to break down silos in recognition of the rise of privacy enforcement actions focused on AI, to address concerns that data protection law may be hindering AI development, and to focus on synergies.
Global Privacy Assembly follow-up statement on unlawful data scraping
The ICO, together with 16 other DPAs working as part of the Global Privacy Assembly International Enforcement Cooperation Working Group, published a follow-up joint statement on protecting data from unlawful data scraping on 28 October 2024. The initial joint statement, published in August 2023, set out key privacy risks associated with data scraping. The follow-up statement has been published as a result of engagement with the largest social media companies. It sets out further expectations for organisations.
Meta, X, LinkedIn and Google were all under scrutiny in the EU and the UK over their various practices of using EU/UK personal data to train their AI models during 2024.
On 6 June 2024, NOYB filed complaints with eleven European DPAs about Meta's planned changes to its privacy policy. Meta was proposing to start processing EU and UK user data on its platforms to train generative AI models on the basis of Meta's legitimate interests, although users would be able to opt out. NOYB argued Meta was required to obtain user consent and took issue with the opt-out form and policy. Similarly, in the UK, privacy advocacy group Open Rights Group (ORG) submitted a complaint to the ICO about Meta's proposed changes.
In June 2024, Meta paused its use of EU and UK personal data on Facebook and Instagram to train generative AI. While it has undertaken to make this pause permanent in the EU, it will resume these activities in the UK after having made changes to the process including simplifying user opt out and giving users longer to do so. The ICO says it will monitor the situation as Meta begins informing users and is clear that it has not provided regulatory approval for the processing. It says it is now up to Meta to "ensure and demonstrate ongoing compliance".
X also agreed not to use EU/EEA data to train its AI tool Grok and LinkedIn has said it would pause the use of UK personal data to train generative AI models as a result of concerns raised by the ICO and pending further engagement.
In April, data privacy campaign group NOYB filed a complaint with the Austrian DPA asking it to investigate OpenAI's data processing and the measures it takes to ensure accuracy of personal data processed in the context of its large language models. NOYB also asked the regulator to require OpenAI to comply with a subject access request made by Max Schrems. The background to the complaint is the fact that ChatGPT gave an incorrect date when asked the date of Mr Schrems's birthday – known as a 'hallucination'. NOYB alleges that this breaches accuracy principles and that there is no way for OpenAI to give effect to rectification and deletion requests. There are also transparency issues as ChatGPT does not always make sources clear. NOYB argues that it is able to bring the complaint in Austria as OpenAI's EU headquarters in Ireland does not control the data processing of ChatGPT and therefore the one stop shop does not apply.
On 7 June 2024, Microsoft announced it was making changes to the AI-powered 'Recall' feature for its new Copilot+ PCs following privacy concerns. Microsoft bills Recall as giving the computer a photographic memory: it takes regular screenshots of everything that appears on screen and makes them searchable. Microsoft is now giving people a clearer choice to opt in and is turning the feature off by default. Strong authentication and 'proof of presence' will be required for users wanting to view their timelines and saved activity. The UK's ICO has been making enquiries with Microsoft about the system.
On 12 September 2024, the Irish DPC announced it had begun a cross-border statutory inquiry into Google's AI practices under s110 of the Data Protection Act 2018. The inquiry looks at whether Google has complied with requirements to carry out a Data Protection Impact Assessment before using EU/EEA personal data to train its AI model Pathways Language Model.
Finally, on 25 October 2024, the ICO applied to the Upper Tribunal for permission to appeal a First-Tier Tribunal (FTT) decision which overturned the ICO's fine and data processing ban on Clearview AI in 2022. The ICO had fined Clearview £7.5m for scraping the internet for images to train its image recognition system without the consent of data subjects. The ICO also banned Clearview from processing UK personal data. The ICO's decision was overturned in October 2023 on the basis that it did not have jurisdiction to enforce against a US-based company supplying services to foreign law enforcement agencies, and the ICO was refused permission to appeal in December 2023. The ICO has now applied directly to the Upper Tribunal for permission to appeal the FTT decision.
After the drama of recent years, 2024 was a relatively quiet year for data transfer issues.
EU-UK adequacy
Concerns that first the Data Protection and Digital Information Bill, and then its replacement the Data (Use and Access) Bill (DUA Bill), might adversely impact the EU-UK adequacy decision appear to have been put to rest. This is notwithstanding the fact that the DUA Bill does propose changes to the UK's data transfer regime. The ICO is confident that adequacy is not in jeopardy and there have been no indications of serious concern from the European Commission.
EU/UK-US data transfers
On 17 July 2024, the EDPB published FAQs on the EU-US Data Privacy Framework (DPF) for individuals and businesses. It also adopted Rules of Procedure, a public information note and template complaint forms to facilitate the implementation of the redress mechanisms under the DPF. The documents relate to two redress mechanisms for handling complaints by EU individuals relating to national security or commercial purposes, in relation to data transferred after 10 July 2023.
On 9 October 2024, the European Commission published a report following its first review of the adequacy decision for the EU-US Data Privacy Framework (DPF). The Commission concluded that the US authorities have put in place all the necessary structures and procedures to ensure the DPF functions effectively. This includes suitable redress mechanisms, and safeguards to ensure that access to EU personal data by intelligence authorities is limited to what is necessary and proportionate. The Commission made a few suggestions for further steps and said it would review the decision again in three years' time.
Following the Commission's first annual review of the EU-US Data Privacy Framework, the EDPB adopted its own report on 4 November 2024. The EDPB recognises the steps taken by the US authorities and the EC to implement the DPF, both on the commercial side and in terms of complaints and redress. The EDPB does, however, suggest the US authorities develop guidance on data transfer requirements and human resources data. It also recommends the authorities monitor the compliance of DPF-certified organisations more closely. In August, Switzerland approved its own US Data Privacy Framework.
The UK's House of Lords European Affairs Committee issued a call for evidence on the existing arrangements for EU-UK data adequacy on 15 March 2024. A report was expected by the summer but has not yet been published. Meanwhile, the ICO published guidance for organisations transferring personal data to the US under Article 46 transfer mechanisms (UK IDTA and UK BCRs). The guidance explains how the UK-US Data Bridge can help streamline the Transfer Risk Assessment process required when making transfers to the US under Article 46 (as opposed to under the Data Bridge itself).
None of this means the end of the Schrems litigation. The Irish High Court has allowed Max Schrems to join Meta's appeal against the Irish DPC's decision to prohibit Meta from transferring personal data to the USA under its Standard Contractual Clauses and supplementary measures, and the related €1.2bn fine for unlawful transfers. Both Meta and the Irish DPC opposed the application by Schrems, but he was held to be uniquely and directly affected given he was the originator of the initial complaints against Meta.
Separately, the EC announced it would consult on a review of the Standard Contractual Clauses.
Other EU adequacy agreements
The European Commission published a report upholding the adequacy decisions for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay (11 of the current 16 adequacy decisions). In some cases, the Commission makes recommendations for further protections, but essentially finds these countries continue to provide an adequate level of protection to EU personal data.
In February, the EU and Japan signed a protocol to their economic partnership agreement (EPA), agreed in October 2023. The protocol includes provisions on cross-border data flows with the aim of providing greater legal certainty that data flows between the two jurisdictions will not be hampered by unjustified data localisation measures. It was ratified and entered into force on 1 July, and now forms part of the EPA. It provides for the free flow of data (not just personal data) between the EU and Japan and removes data localisation requirements, among other things.
As cyber incidents continue to cause financial and reputational damage to businesses, and harm to individuals, regulators and legislators continue to try to contain the problem. We are increasingly seeing cyber vulnerabilities exploited as a geopolitical weapon, which means cyber resilience remains a focus. In addition to the legislative initiatives mentioned in the Legislation section of this update, here is a small selection of other developments. You may also be interested in our Global Data Hub articles on cyber security.
Government and regulatory
It is unclear how relevant some of the initiatives published in the first half of the year will be given the change in government. The current government has, however, announced it will publish cyber security legislation in 2025. It has also said it would carry on the previous government's work on a draft code of practice for software vendors to improve software security and resilience, on the cyber security of AI (including a voluntary Code of Practice), and on the future of the CyberFirst programme and how it can be scaled to inspire future talent.
Breaches
We're not going to try to summarise all the breaches that hit the headlines this year, but here are a few that caught our eye, some of which also affected individuals outside the UK.
ECJ ruling on controller liability for third-party cyber attacks
The ECJ ruled in a reference from Bulgaria on issues around controller liability for third-party cyber attacks and compensation for fear of misuse of personal data. The ECJ held that:
Here are some of the more interesting judgments and Opinions coming from the EU and UK involving data privacy during 2024 which are not dealt with elsewhere in this update.
The ECJ held that the exception to the prohibition on processing special category data in Article 9(2)(h) (processing necessary for preventative or occupational medicine or for the assessment of the working capacity of an employee) does apply where a medical examination body processes the data not as an employer but as a medical service, subject to the other relevant conditions being met. Article 9(3) does not require a controller to ensure that no colleagues of the employee concerned are able to access the data. In addition, at least one of the Article 6(1) conditions (lawful basis) must be met.
The ECJ also said that Article 82(1) (compensation) must be interpreted to mean that financial compensation payable under that Article should be compensatory, not punitive or dissuasive, and that while fault on the part of the controller must be established before compensation is awarded, the seriousness of the fault need not be taken into account when awarding non-material damages.
NOYB, the privacy advocacy group, had another busy year. In addition to various complaints around digital advertising and data transfers, it also filed:
Austria and Ireland have certified NOYB as a "qualified entity", entitling it to bring collective redress actions in courts throughout the EU. This can take the form of an application for an injunction or of collective redress, i.e. class actions, on the proviso that they are brought on a non-profit basis, so NOYB is likely to become even more active in 2025.